On 10th November 2017, the Council of Ministers passed the Personal Data Protection Draft Act (Draft) seeking to conform Spanish law to the GDPR. The Draft will bring important changes to the regulation of privacy laws in Spain.
Below, we have detailed some key issues from the Draft (which may be further modified during its parliamentary approval).
The Draft states three cases where a data controller will not be liable for data inaccuracies, provided that the controller has taken reasonable measures to erase or rectify the inaccurate data: (1) where data has been obtained directly from the data subject; (2) where data has been obtained by an intermediary in order to transfer it to the controller; or (3) where data has been received from another controller as a result of the exercise of a portability right. In this respect, the earlier version of the Draft only stated a "presumption of accuracy" for those cases where the personal data was obtained directly from the data subject. Stating two new exceptions prevents the controller from having to take measures that may be outside his/her control (e.g., when processing personal data obtained from an insurance broker).
Data subject's consent
The consent given for each purpose of processing must now appear in a "specific and unambiguous way." In addition, there is no longer an obligation to specifically include a checkbox for any processing purpose that is unrelated to the contract's performance.
The Draft now prohibits conditioning the contract's performance on consent to the processing of personal data for purposes unrelated to the contract. In this respect, the GDPR also states that, when assessing whether consent is freely given, the conditioning of the contract's performance on consent to the processing of unnecessary personal data is relevant.
The Draft foresees a transitional provision that means it would not be necessary to obtain consent from data subjects who had already provided consent prior to the application of the GDPR, as long as such consent meets the requirements of the GDPR.
Special data categories: insurance contracts
Performance of every kind of insurance contract may now be a legal basis for the processing of health data, according to the Draft.
The new wording of the portability right article directly refers to the GDPR.
Lawfulness of specific processing operations
Some specific processing is now presumed lawful. In particular: processing of contact details and data of individual entrepreneurs, fraud information sharing systems, and processing related to specific corporate restructuring. In the absence of further clarity, it seems that these instances of processing will be lawful as long as they remain consistent with the purposes for which their lawfulness was recognised.
The Draft clarifies that video surveillance of employees is subject to its legal framework and its intrinsic limits. It also states that the images recorded by video surveillance systems will keep their evidential value if they capture a criminal offence, regardless of whether the employees were notified about the existence of said systems. This updates the legislation to reflect the most recent Spanish labour case law.
Data controllers' obligations with regard to the Mail Preference Systems (MPS or Robinson Lists) may now be fulfilled by using the Spanish DPA's central list, which gathers individuals' opt-out preferences from multiple systems. This applies to obligations such as: (i) the information about the existence of this system that must be provided to the data subjects; and (ii) the prior consultation the data controller must carry out before sending commercial communications (in order to exclude those data subjects subscribed to this system). Centralising the information sources that the controller must use to comply with these obligations simplifies the process.
Both internal and external personnel can access the data contained in whistleblowing hotline systems. This change allows for the outsourcing of these systems. The Draft retains the possibility for these systems to handle anonymous complaints. It also increases the scope of subjects that must be protected by identity preservation measures. Now, the identity of all those affected by the system's information must be protected.
Processing of personal data carried out by Public Administrations for the purpose of archiving is now lawful. This provision can be qualified by the historic heritage and archive system legislation.
The Draft considers regular data transfers to third countries that do not ensure an adequate level of data protection as a risk that must be taken into account when implementing technical and organizational measures to guarantee that the processing complies with the legislation.
Contrary to the GDPR, prior authorization for some cases of data transfer remains mandatory. This includes when: (i) the data transfer is based on the use of standard data protection clauses different from those adopted by the Commission (Article 46.2 c) GDPR) or adopted by a supervisory authority and approved by the Commission (Article 46.2 d) GDPR); and (ii) the data transfer is carried out by some of the data controllers or processors indicated in Article 77.1 of the Draft (mainly public sector bodies) and is based on non-legal international agreements with public authorities or bodies from third countries. There is also now a maximum term of one year for the prior authorization procedure.
The Draft changes the blocking obligation exceptions. It restricts the SDPA's ability to state exceptions to those cases where the mere storage of the personal data could result in a high risk to the data subject's rights or a disproportionate cost for the data controller.
There is a new exception concerning unfinished corporate restructuring. In these cases, the transferee entity should immediately erase the personal data without blocking it.
Data Protection Officers (DPO)
The Draft qualifies the list of entities that must have a DPO.
Network operators and other electronic communications services providers must now have a DPO only whenever they process large-scale personal data regularly and systematically.
Information society services providers must now have a DPO only whenever they undertake large-scale profiling of the service's users.
Entities dedicated to commercial reports regarding legal persons no longer need a DPO. It remains mandatory for those issuing commercial reports regarding natural persons.
Codes of conduct
Entities monitoring compliance with a code of conduct may now be asked to verify whether a specific processing operation complies with its provisions. A similar system exists in the field of self-regulated advertising.
Pre-existing data processing agreements (in force at 25 May 2018)
The Draft foresees a transitional provision that pre-existing data processing agreements will remain valid until their expiration date or, in the case of an indefinite term, until four years after 25 May 2018.