As the new General Data Protection Regulation (Regulation (EU) 2016/679, hereinafter GDPR) will become applicable on May 25, 2018, the Spanish Ministry of Justice has recently launched a public consultation to adapt the Spanish data protection legislation to the GDPR. Although the legal text submitted to public consultation is still a preliminary draft of the future Organic Law on the Protection of Personal Data (hereinafter, the Preliminary Draft), at Baker McKenzie we have identified the following key points which we understand may be of interest to you:
- Data subject's consent (Article 7 of the Preliminary Draft): Where the processing of personal data is based on the data subject's consent for different purposes, the new legal text introduces the obligation to obtain such consent separately for each of those purposes. This obligation is not clearly reflected in the GDPR, and it necessarily raises practical compliance issues, such as whether a separate tick box will be needed for each purpose and, if so, how such a model should be effectively implemented.
- Minors' consent (Article 8 of the Preliminary Draft): The Preliminary Draft exercises the competence conferred by Article 8.1 of the GDPR, which on the one hand sets the minimum age for giving consent at 16 years as a general rule, but on the other hand allows Member States to lower that minimum age to 13 years. Accordingly, the new legal text provides that minors aged 13 and over will be allowed to consent to the processing of their personal data.
- Special categories of data (Article 10 of the Preliminary Draft): The new legal text exercises the competence conferred on Member States by Article 9.2.a) of the GDPR and provides that the explicit consent of the data subject alone is not sufficient to process certain special categories of personal data, without making any reference to the remaining special categories (such as health data). The Preliminary Draft therefore does not specify whether those other special categories of data can be lawfully processed on the basis of the data subject's explicit consent.
- Lawfulness of the processing of personal data (Articles 12-20 of the Preliminary Draft): The processing operations set out in Articles 12-20 of the new legal text (processing of contact details and individual entrepreneurs' data, credit information systems, processing for video-surveillance purposes, whistleblowing, etc.) could constitute a numerus clausus (closed list) of cases in which processing may be based on legitimate interest. Outside these cases, it seems it will be difficult to rely on legitimate interest as the legal basis for processing. In addition, it is worth highlighting the obligation to block personal data included in credit information systems during the first thirty days so that the data subject can exercise his or her rights. Furthermore, the new legal text includes certain undefined concepts whose interpretation will ultimately depend on the criteria of the Spanish Data Protection Agency, such as the "minimum essential data for professional location" or "data which are manifestly made public by the data subject".
- Whistleblowing (Article 17 of the Preliminary Draft): The new legal text expressly provides for the possibility of private entities creating whistleblowing channels through which anonymous complaints can be submitted. This is a change from the criterion previously followed by the Spanish Data Protection Agency, reflected mainly in its legal report 0128/2007.
- Right to data portability (Article 27 of the Preliminary Draft): The new legal text seems to depart from the position taken by the Article 29 Working Party on December 13, 2016, as it does not extend the right to data portability to data inferred by the data controller from the data made available by the data subject. By contrast, the Working Party considers that "the data processor must also include the personal data generated and collected from the activities carried out by the users in response to a data portability request".
- Security measures (Article 30 of the Preliminary Draft): The Preliminary Draft follows the approach of the GDPR: it does not specify the security measures to be implemented in each case, but leaves it to data controllers and data processors to determine measures that are adequate to the level of risk of the processing carried out in each situation (in line with the principle of accountability). On the other hand, the new legal text attaches an additional risk to certain processing operations that controllers and processors must take into account when adopting those measures (for example, large-scale processing affecting a large number of data subjects, processing affecting minors, profiling, etc.). The new legal text therefore establishes two levels of requirements for determining the appropriate technical and organizational measures to be implemented.
- Representatives of controllers or processors not established in the European Union (Article 32 of the Preliminary Draft): The representative will be jointly liable with the controller or processor for compliance with the GDPR.
- Data processors (Article 34 of the Preliminary Draft): The new legal text clarifies that processing carried out by a data processor will still be considered mere access to, and not a disclosure of, personal data. Therefore, it may be understood that, as under the previous legislation, it will not be necessary to inform the data subjects of such access.
- Designation of a Data Protection Officer (DPO) (Article 35 of the Preliminary Draft): The new legal text lists the cases (15 in total) in which the appointment of a DPO is mandatory, expanding and detailing the list included in the GDPR and thereby extending the range of entities subject to this obligation. Among others, the following entities must appoint a DPO: professional bodies; entities that operate or provide electronic communications networks and services; information society service providers that collect information from their users, whether or not prior registration is required to use the services; financial institutions; insurance and reinsurance companies; investment services companies; companies carrying out advertising and commercial research activities; healthcare centres that must keep patients' medical records; and operators carrying out gambling activities through electronic, computing or interactive channels. In addition to the cases in which designation is mandatory, the new legal text provides that the DPO of an entity that makes the designation voluntarily will in any case be subject to the rules laid down. The designation or termination of a DPO must be notified to the Spanish Data Protection Agency within 10 days, and the updated register of DPOs will be accessible by electronic means.
- Position of the DPO (Article 37 of the Preliminary Draft): In addition to the role and tasks set out in the GDPR, the new legal text imposes a specific obligation on the DPO to immediately inform the data controller's board of directors of any relevant data protection breach, proposing the measures necessary to stop the conduct in question (Article 37.5 of the Preliminary Draft). This obligation goes beyond the DPO's monitoring function as described in the GDPR.
- International transfers of data (Article 43 of the Preliminary Draft): As regards international transfers of personal data, the GDPR establishes a model in which the need to obtain prior authorization from the data protection authorities is removed, unlike the current Spanish data protection legislation, which requires such authorization. However, the new legal text maintains the need to obtain authorization in a series of specific circumstances: (i) when the transfer is intended to be based on contractual clauses that do not correspond to the standard contractual clauses adopted by the Commission (Article 86.2.d) GDPR), and (ii) when the transfer is carried out by any of the data controllers or data processors referred to in Article 77.1 of the Preliminary Draft (mainly public sector bodies) and is based on provisions of international, non-normative agreements with other authorities or public bodies of third States.
- Sanctions system (Title VIII of the Preliminary Draft): The Preliminary Draft seeks to complement the sanctions system set out in the GDPR and to adapt it, as far as possible, to the Spanish legal system. It maintains the traditional distinction between minor, serious and very serious infringements and, in addition to the criteria defined in the GDPR, includes as criteria for imposing sanctions those set out in the current Organic Law on the Protection of Personal Data (the continuing nature of the infringement, etc.). As regards the amount of the sanctions, the Preliminary Draft expressly refers to the amounts established in the GDPR. However, to determine the limitation period for the sanctions, it refers to the amounts set out in the current Organic Law on the Protection of Personal Data. Therefore, although the new legal text contains aspects that may be viewed positively (an exhaustive list of infringements, additional criteria for imposing sanctions, etc.), important gaps remain regarding the application of the sanctions system.