The Spanish Sustainable Economy Act has recently been approved, introducing multiple changes into Spanish legislation. The new Act is extensive and complex – amending several pieces of legislation with different subject matter. The final text includes amendments to the sanctions regime under the Spanish Data Protection Act (Organic Law 15/1999, of December 13, on protection of personal data).

We have summarised below the key amendments made by the Sustainable Economy Act to the Spanish Data Protection Act.

In particular, the Sustainable Economy Act modifies sections 43 to 49 of the Spanish Data Protection Act, as a result of which the following reforms will be made:

  • New circumstances may be considered 'minor' infringements:
    • Not submitting to the Spanish Data Protection Agency the notifications required under the Spanish Data Protection Act or its Secondary Regulations.
    • Transferring personal data to a data processor without complying with the formal requirements of the Spanish Data Protection Act (i.e. entering to a data processing agreement).
  • Certain formerly 'minor' infringements are now deemed serious, namely:
    • Violating the confidentiality of personal data (Article 10 of the Spanish Data Protection Act)
    • Not facilitating the exercise of a data subject's rights of access, rectification, cancellation or opposition.
  • Formerly 'very serious' infringements have been downgraded to 'severe' infringements (e.g. illegitimate personal data assignments).
  • The levels of fine to be imposed have been modified as follows:
    • Fines for minor infringements shall range between 900 and 40,000 Euros.
    • Fines for serious infringements shall range between 40,001 and 300,000 Euros.
    • Fines for very serious infringements shall range between 300,001 and 600,000 Euros.
  • New circumstances in which sanctions can be reduced have been added, including where the infringing entity has diligently corrected the situation that led to breach.
  • The Spanish Data Protection Agency can now avoid initiating sanction proceedings by warning data protection violators in the first instance and giving them the possibility to correct the circumstances that led to the breach within a certain period of time, should the following requirements be met:
    • The infringements are not deemed 'very serious'.
    • The infringing entity has not been previously sanctioned or warned.
    • The circumstances that led to the breach are clearly within the scope of those circumstances in which the sanctions can be lessened.
  • The circumstances in which the Spanish Data Protection Agency can seize data files for failure to comply with data protection regulations have been extended to include serious infringements. Previously this power was only available to the Agency for very serious infringements.