On June 29, 2016, the Spanish Data Protection Agency (the “SDPA”) held its annual conference in Madrid. This event was highly anticipated, since it was the first time that the SDPA was to publicly define its position regarding the General Data Protection Regulation (the “GDPR”) and the effects it will have in Spain.
As a preliminary (and very relevant) point, the SDPA announced its intention to promote the approval by March 2017 of an amended version of the Spanish Data Protection Act (Organic Act no. 15/1999, dated December 13). This revised version should align the said Act with the regime set forth by the GDPR. Nonetheless, it would seem, even though no actual confirmation was provided in that respect, that the SDPA would be keen to maintain the original deadline of May 25, 2018 for the full entry into force of the new legal regime in this area.
Apart from that important statement, the SDPA also provided some initial guidelines on the application of the GDPR. In this respect, the most relevant statements can be summarized as follows:
- Consent: Under the current Spanish regulations, tacit consent is allowed in some cases. However, under the GDPR, consent must be granted by a clearly affirmative act establishing a freely given, specific, informed and unambiguous indication from the data subject. Therefore, according to the approach announced yesterday by the SDPA, any data processing currently based on tacit consent will require collecting data subjects’ consent again, in line with the GDPR, if the controller wishes to continue the processing. The DPA recommends reviewing consents obtained in the past to adjust them to the new regulation, as, once the GDPR becomes applicable, only unequivocal consents will be valid.
- Information: The GDPR will require providing further information to data subjects on data processing, compared with the current Spanish regulation. However, the DPA understands that it will not be mandatory for data controllers to supplement the data processing information already given to data subjects for processing that is already taking place when the GDPR becomes applicable, although it recommends starting a progressive adaptation of information clauses.
- Data processors: Unlike the regime derived from EU Directive no. 95/46, which generally places compliance obligations only on controllers, the GDPR will impose obligations directly on processors. This means that processors will face penalties for noncompliance, whereas until now their liability was mainly of a contractual nature. Also, data processing agreements will have to be reviewed in light of the content required by the GDPR. In particular, pre-existing agreements that are in force when the GDPR becomes applicable will have to be amended to confirm that their content is compatible with the GDPR requirements and to include the new ones.
- Data protection impact assessment: The DPA recommends starting to prepare the tools, methodologies, work teams and conditions under which data protection impact assessments will be carried out to be in a better position to comply with GDPR once it becomes applicable.
- Prior consultation: The DPA has created the Assessment and Technological Studies Unit (Unidad de Evaluación y Estudios Tecnológicos) to assess the implications of new technologies (e.g., big data, internet of things, drones) on privacy. This unit will be responsible for reviewing data protection impact assessments revealing a high risk when the GDPR applies.
- Security measures: Spanish regulation specifies the minimum security measures that controllers and processors must apply to personal data files. These measures cover matters such as authentication and identification, security incident records, labeling, media management, and backup and recovery. According to the DPA, these measures will no longer be binding after the GDPR becomes applicable. Therefore, although the Spanish list of measures may be of illustrative value, it may be considered insufficient, and controllers and processors will have to assess which security measures to implement depending on the specific processing they carry out.
- Data protection officer: The DPA acknowledges that establishing a certificate system for data protection officers as a requirement to render the services would be contrary to the GDPR. However, it recognizes the relevant role certification and qualifications will have in developing professions related to data protection. Therefore, the DPA is considering the possibility of promoting accreditation of certification bodies based on existing standards. This accreditation would be carried out by the Spanish National Accreditation Body (Entidad Nacional de Acreditación), which would verify whether certification bodies comply with certain procedures and requirements.
- Certification: Regarding certification mechanisms to enhance transparency and compliance with the GDPR, the DPA understands that certifications should be granted by specialized bodies accredited by the National Accreditation Body.
As a final remark, the DPA is already preparing tools for small and medium-sized enterprises to help them assess their data processing. It is also developing documents and guidelines on the GDPR, including templates of information clauses.
We will keep you updated on any developments in this respect.