
Global Data Privacy Guide

Spain

(Europe) Firm Uría Menéndez

Contributors Leticia López-Lapuente

Updated 01 Jan 2021
What is the key legislation?

Since May 25, 2018, radical changes to data privacy laws in the European Union have come into effect. The General Data Protection Regulation ("GDPR") has impacted businesses regardless of whether they have a corporate presence in the EU or use EU-based assets to process data (which was the former test for the application of EU data protection rules). If a business offers goods or services to EU-based customers or monitors their behavior, it is potentially within the scope of the GDPR (please see below for more details).

The extra-territorial reach means that in practice, many businesses operating internationally need to adopt European data privacy standards, which are becoming the default global standards. The increased sanctions under the GDPR (up to 4% of global revenue or EUR 20 million, whichever is higher), together with general public expectations about data privacy, mean that compliance with data privacy laws cannot be treated as a minor regulatory issue. Potential fines and other penalties under the GDPR will put data privacy and cybersecurity at the same level as antitrust or anti-bribery and corruption programs on the corporate compliance agenda. This will require board-level awareness and leadership and the combined input from a range of professionals including legal, IT, finance, procurement and vendor management and HR.

The GDPR is directly effective in all EU Member States without the need for further national legislation. However, the GDPR has specific areas in which the Member States are either permitted or required to enact national legislation to give effect to its provisions, for example, in relation to the procedure for imposing an administrative fine; the processing of special categories of personal data; the age of consent for processing personal data in the context of online services; and the restrictions and limitations on the application and exercise of data subject rights. 

In Spain, the GDPR is complemented by Basic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (“Spanish Data Protection Act”).

What data is protected?

The GDPR regulates the processing of personal data which is defined as information relating to an individual who can be identified, either directly or indirectly, in particular by reference to an identifier such as a name, ID number, location data, online identifiers or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. The GDPR does not apply however to fully anonymized or aggregated data where a living individual cannot be identified.

“Special categories of personal data” attract a greater level of protection under the GDPR. Special categories of personal data cover any data revealing a data subject's:

  • Racial or ethnic origin, political opinions, religious or philosophical beliefs, 
  • Trade union membership,
  • Data concerning health, sex life or sexual orientation,
  • Genetic data, biometric data for the purpose of uniquely identifying a natural person.

Data relating to criminal convictions or offenses are subject to specific protection under the GDPR and may only be processed under the control of official authority or where authorized by Member State law providing for appropriate safeguards for the rights and freedoms of data subjects.

For detailed information on how this aspect of GDPR is enacted in Spain please contact Uría Menéndez directly.

Who is subject to privacy obligations?

The GDPR’s obligations primarily apply to data controllers, defined as any natural person, corporate entity or other legal person, public authority, agency or other body that determines the purposes and means of data processing (alone or together with others). It also provides for certain direct obligations on data processors, which are any natural person, corporate entity or other legal person, public authority, agency or other body that processes personal data on behalf of the data controller.

The GDPR applies to:

  • The processing of personal data in the context of the activities of a data controller’s or data processor’s establishment in the EU (i.e. implying the effective and real exercise of activity through stable arrangements), regardless of whether the data is processed in the EU and regardless of whether the data relates to EU residents.
  • The processing of personal data of persons within the EU by data controllers or data processors who are established outside the EU, where the processing is related to: 
    • the offering of goods or services to such data subjects in the EU (irrespective of whether payment is required); or 
    • the monitoring of the behavior of such data subjects as far as the behavior takes place in the EU.

What are the principles applicable to personal data processing?

Under the GDPR, a data controller must comply with the following principles under Article 5: 

  • Lawfulness, Fairness and Transparency – the data shall be processed lawfully (i.e. based on one of the six specified legal bases), fairly and in a transparent manner (e.g. pursuant to a privacy policy that meets the requirements of the GDPR) in relation to the data subject;
  • Purpose Limitation – the data
    • shall be collected for specified, explicit and legitimate purposes; 
    • shall not be further processed in a manner incompatible with those purposes.
  • Data Minimization – the data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed or are further processed;
  • Accuracy – the data shall be accurate and, where necessary, kept up to date;
  • Storage Limitation – the data shall be kept in a form which permits identification of data subjects for no longer than is necessary for the purpose for which the personal data is processed; 
  • Integrity and Confidentiality – the data shall be processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures; and
  • Accountability – the data controller shall be responsible for and be able to demonstrate compliance with the above principles.

How is the processing of personal data regulated?

To be processed lawfully, the GDPR requires that personal data processing is based on one of the specified legal bases, which include the following:

  1. Consent

Personal data may be processed based on the data subject’s specific, freely given and informed consent.

  • Such consent must be provided by way of “a statement or by a clear affirmative action” (pre-ticked boxes and implied consent fall short of the standard);
  • Data subjects have the right to withdraw their consent at any time and in an easy manner.

The controller is under an obligation to demonstrate the data subject’s consent where the processing is based on consent.  

Consent from a child in relation to online services will only be valid if authorized by a parent or guardian. According to Article 8 of the GDPR, a child can consent from 16 years old, though the Member States may reduce this age to 13 years old. In this context, Spain has reduced the age of consent to 14 years old.

  2. Legitimate Interests

A data controller may process personal data based on its legitimate interests or those of a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.  

The data controller must, however, inform the data subject of the particular legitimate interest pursued and the data subject has the right to object to the legitimate interest-based processing on grounds particular to his or her situation (see Right of Objection below). 

Public authorities may not rely on this legal basis in the performance of their tasks.

  3. Contractual Necessity

Personal data may be processed where it is necessary for the performance of a contract to which the data subject is a party or in order to take steps at the request of the data subject prior to entering a contract. The processing must, however, be necessary to contract performance rather than merely facilitative. 

  4. Legal Obligations

A data controller may process personal data where it is necessary to comply with a legal obligation to which it is subject. 

  5. Vital Interest of the Data Subject

The data controller may process personal data where it is necessary to protect the vital interests of the data subject or another natural person. 

  6. Public Interest or in the exercise of Official Authority

The data controller may process personal data where it is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. 

Special Categories of Personal Data

The processing of special categories of personal data is prohibited, except where it relies on one of the exceptions set out in Article 9:

  1. The data subject has given explicit consent;
  2. Processing is necessary for compliance with obligations or exercising rights under employment and social security and social protection laws, as set out in EU or Member State law or a collective agreement pursuant to Member State law providing for appropriate safeguards for the rights and freedoms of data subjects;
  3. Processing is necessary to protect the vital interest of the data subject or another natural person where the data subject is physically or legally incapable of giving consent;
  4. Processing is carried out in the course of its legitimate activities with appropriate safeguards by a political, philosophical, religious or trade union foundation, association or not-for-profit body and relates only to the personal data of its members, former members and persons in regular contact with it, and the data are not disclosed outside that body without consent;
  5. The personal data processed are manifestly made public by the data subject;
  6. Processing is necessary for the establishment, exercise or defense of a legal claim or whenever courts are acting in their judicial capacity;
  7. Processing is necessary for reasons of substantial public interest on the basis of EU or Member State law which is proportionate, respects the essence of the right to data protection and provides for suitable and specific measures to safeguard the rights and interests of the data subjects;
  8. Processing is necessary for the purposes of preventative or occupational medicine, medical diagnosis, provision of health or social care or treatment or management of health or social care systems and services on the basis of EU or Member State law or pursuant to a contract with a health professional;
  9. Processing is necessary for reasons of public interest in the area of public health on the basis of EU or Member State law;
  10. Processing is necessary for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes on the basis of EU or Member State law.

Member States may have further conditions with regard to the processing of genetic data, biometric data or data concerning health.

Please note that, in line with GDPR principles, the Spanish Data Protection Act establishes that, in order to avoid discrimination, consent alone may not be sufficient if the main purpose of the processing is identifying the data subject’s ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin.

Please note that in Spain, the processing of health and genetic data under letters g), h), i) and j) of Article 9(2) GDPR is only permitted under a set of laws listed in the Spanish Data Protection Act, and specific rules apply for the processing of personal data for health research, such as for use of pseudonymized data or the re‑use of personal data.

In addition to these special categories of data mentioned in Article 9, Member States may also further determine the specific conditions for the processing of a national identification number or any other identifier of general application.

For detailed information on how this aspect of GDPR is enacted in Spain please contact Uría Menéndez directly.

Risk-Based Approach 

Data controllers must also have “appropriate technical and organizational measures” in place to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR, taking a risk-based approach (Article 24). This requires that the controller takes account of the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons. The measures must be reviewed and updated where necessary and shall include the implementation of appropriate data protection policies. 

Privacy by Design and Privacy by Default

The GDPR also introduces new concepts of ‘privacy by design’ and ‘privacy by default’ under Article 25. This requires that a controller shall implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to:

  • the amount of personal data collected;
  • the extent of their processing; and 
  • the period of their storage and their accessibility.

How are storage, security and retention of personal data regulated?

The GDPR requires that “appropriate technical and organizational measures” are in place to protect the security of personal data and that personal data not be retained for longer than is necessary for the purpose or purposes for which the data are processed.

Article 32 provides some detail on the standards that controllers and processors should take account of in determining appropriate security measures against unauthorized or unlawful processing, accidental damage, destruction or loss of data. The data controller must take into account:

  • the state of the art; 
  • the cost of implementing the measures; 
  • the nature, scope, context and purposes of processing; and
  • the risk of varying likelihood and severity for the rights and freedoms of the data subject posed by the processing, in particular the risks presented by unauthorized or unlawful processing and by accidental damage, destruction or loss of data.

The GDPR notably states that pseudonymization and encryption should be considered where appropriate and that controllers should maintain system resilience and security testing, backup, recovery and continuity measures.

Data controllers and data processors must ensure all of their employees comply with the security measures in place and not process personal data other than on the instructions of the controller.

Personal data may not be kept for longer than is necessary for the specified purpose or purposes for which it was collected and a data retention procedure or policy should be implemented in this respect. 

Please note that according to the Spanish Data Protection Act, when rectifying or erasing any personal data, controllers must block such (rectified or erased) personal data. Blocking personal data constitutes a preliminary phase of data erasure and means keeping the personal data under the necessary security measures to prevent all kinds of processing activities (including viewing) with the only exception of making it available to law enforcement authorities, upon their request. Controllers must block such personal data for the limitation period of any applicable legal action; once the period has expired the data must be destroyed.
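To make the blocking obligation above concrete from an engineering standpoint, the following is an added illustration in Python; it is not code from the guide or from Uría Menéndez. It models a small in-memory personal data store in which rectified or erased values are moved into a blocked state that denies every ordinary processing operation (including reads), discloses blocked copies only when a request is flagged as coming from law enforcement, logs each denied attempt for audit, and destroys blocked copies once the limitation period has run. The class and method names, the three-year limitation period used in the demo and the sample subject are all assumptions; the actual limitation period depends on the legal action that could be brought and is therefore a parameter here.

```python
"""Blocking of rectified or erased personal data, as an in-memory model.

Assumptions (constructed for this illustration, not taken from the guide):
the class and method names, the limitation period passed in by the caller,
and the sample subject used in demo_scenario().
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Any


class BlockedDataError(PermissionError):
    """Raised when blocked data is touched by anything other than a law-enforcement request."""


@dataclass(frozen=True)
class BlockedCopy:
    data: dict[str, Any]   # the rectified/erased values, frozen at blocking time
    blocked_on: date
    destroy_after: date    # blocked_on + limitation period of the applicable legal action


@dataclass
class Record:
    active: dict[str, Any] | None           # None once the subject's data has been erased
    blocked: list[BlockedCopy] = field(default_factory=list)


class PersonalDataStore:
    def __init__(self, limitation_period: timedelta) -> None:
        # The limitation period is supplied by the caller (hypothetical parameter):
        # it depends on the legal action that could be brought against the controller.
        self.limitation_period = limitation_period
        self._records: dict[str, Record] = {}
        self.audit: list[tuple[str, str, str]] = []   # (subject_id, event, outcome)

    def add(self, subject_id: str, data: dict[str, Any]) -> None:
        self._records[subject_id] = Record(active=dict(data))

    def read(self, subject_id: str) -> dict[str, Any] | None:
        """Ordinary processing sees only the active copy, never the blocked ones."""
        return self._records[subject_id].active

    def _block(self, subject_id: str, today: date) -> None:
        """Move the current active values into a blocked copy with a destruction date."""
        rec = self._records[subject_id]
        if rec.active is None:
            return
        rec.blocked.append(BlockedCopy(data=rec.active, blocked_on=today,
                                       destroy_after=today + self.limitation_period))
        rec.active = None
        self.audit.append((subject_id, "block", "ok"))

    def rectify(self, subject_id: str, new_data: dict[str, Any], today: date) -> None:
        """Rectification: the old values are blocked, the corrected values become active."""
        self._block(subject_id, today)
        self._records[subject_id].active = dict(new_data)

    def erase(self, subject_id: str, today: date) -> None:
        """Erasure: the values are blocked; no active copy remains."""
        self._block(subject_id, today)

    def read_blocked(self, subject_id: str, *, law_enforcement_request: bool = False) -> list[BlockedCopy]:
        """Blocked copies are disclosed only to a law-enforcement request; everything else is denied and logged."""
        if not law_enforcement_request:
            self.audit.append((subject_id, "read_blocked", "denied"))
            raise BlockedDataError("blocked data may only be made available to law enforcement on request")
        self.audit.append((subject_id, "read_blocked", "law_enforcement"))
        return list(self._records[subject_id].blocked)

    def purge_expired(self, today: date) -> int:
        """Destroy blocked copies whose limitation period has expired; returns how many were destroyed."""
        destroyed = 0
        for subject_id, rec in self._records.items():
            keep = [c for c in rec.blocked if today < c.destroy_after]
            if len(keep) != len(rec.blocked):
                self.audit.append((subject_id, "destroy", f"{len(rec.blocked) - len(keep)} copies"))
            destroyed += len(rec.blocked) - len(keep)
            rec.blocked = keep
        return destroyed


def demo_scenario() -> dict[str, Any]:
    """Rectify, then erase, one constructed subject and walk the blocked copies to destruction."""
    store = PersonalDataStore(limitation_period=timedelta(days=3 * 365))   # constructed period
    store.add("subject-001", {"email": "old@example.test"})                 # constructed sample
    store.rectify("subject-001", {"email": "new@example.test"}, today=date(2021, 1, 1))
    active_after_rectify = store.read("subject-001")["email"]
    try:
        store.read_blocked("subject-001")
        denied = False
    except BlockedDataError:
        denied = True
    lea_view = [c.data["email"] for c in store.read_blocked("subject-001", law_enforcement_request=True)]
    store.erase("subject-001", today=date(2021, 1, 2))
    return {
        "active_after_rectify": active_after_rectify,
        "ordinary_read_of_blocked_denied": denied,
        "law_enforcement_view": lea_view,
        "erased": store.read("subject-001") is None,
        "purged_before_expiry": store.purge_expired(date(2023, 12, 31)),
        "purged_on_first_expiry": store.purge_expired(date(2024, 1, 1)),
        "purged_on_second_expiry": store.purge_expired(date(2024, 1, 2)),
        "remaining_blocked": len(store.read_blocked("subject-001", law_enforcement_request=True)),
        "denied_attempts_logged": sum(1 for _, ev, out in store.audit if ev == "read_blocked" and out == "denied"),
    }


if __name__ == "__main__":
    for key, value in demo_scenario().items():
        print(f"{key}: {value}")
```

The design choice worth noting is that blocking is not a flag on the active row but a separate, frozen copy that ordinary read paths cannot reach at all; the only way to the blocked copies is an explicitly flagged request that is itself audited, and the destruction date is fixed at blocking time so that the purge job needs no further judgment.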

What are the data subjects' rights?

Under the GDPR, data subjects have enhanced rights in relation to their personal data, most of which only apply in specific circumstances. 

The data controller shall provide information on action taken on a request within one month of receipt, which period may be extended by two further months where necessary, taking account of the complexity and number of requests and provided that the controller informs the data subject of such extension within one month of the request. 

Where requests are manifestly unfounded or excessive, in particular, because of their repetitive character, the data controller may charge a “reasonable fee based on administrative costs” or refuse the request.

Right of Access 

The data subject can ask a data controller for a copy of his or her personal data being processed by the data controller. 

Right of Rectification 

The data subject has the right to obtain from the controller without undue delay the rectification of inaccurate personal data concerning him or her and to have incomplete personal data completed.

Right of Erasure

In certain circumstances, the data subject has the right to obtain from the controller the erasure of personal data concerning him or her without undue delay.

Right of Restriction of Processing

The data subject has the right to obtain from the controller restriction (i.e. suspension) of the processing in certain circumstances such as where the accuracy of the data is being contested, the processing is unlawful or the data subject has objected to the processing. 

Right to Data Portability

The right to data portability of personal data is the right to receive the personal data provided by the data subject to the controller (on the basis of consent or contractual necessity) in a structured, commonly used and machine-readable format and to transmit those data to another controller.

Right to Object

The data subject has the right to object, on grounds relating to his or her particular situation, to the processing of the personal data based on the performance of a task carried out in the public interest or for the legitimate interests of the controller or a third party.

The controller must no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject or for the establishment, exercise or defense of legal claims. 

Where personal data is processed for direct marketing purposes, the data subject has the right to object to the processing of his or her personal data at any time.

Automated Decisions with Legal or Significant Effects

Data subjects have a right not to be subject to automated decision-making in respect of the personal data, including profiling, with no human intervention where such decision produces legal effects concerning the data subject or similarly significantly affects him or her (e.g. creditworthiness check or e-recruitment). This does not apply where explicit consent is provided, the processing is authorized by EU or Member State law or the processing is necessary for the purposes of entering into or performing a contract with the data subject. 

Pursuant to Article 23 of the GDPR, these data subject rights may be subject to limitations or restrictions as prescribed by Member State law where necessary and proportionate to safeguard various matters specified in Article 23 ranging from issues of national security to the enforcement of civil law claims.

In Spain, according to Article 3 of the Spanish Data Protection Act, the personal data of a deceased person may be accessed by their family members or other related (or authorized) persons unless the deceased person had expressly prohibited it.

For detailed information on how this aspect of GDPR is enacted in Spain please contact Uría Menéndez directly.

Are there restrictions on cross-border data transfers?

The GDPR also restricts the transfer of personal data to a country outside the European Economic Area ("EEA") unless certain conditions or safeguards are in place. 

Transfer to Adequate Countries Outside the EEA

Transfers of data to a third country or international organization are permitted where the European Commission has taken an adequacy decision under Article 45 of the GDPR that there is an adequate level of protection of personal data in that country or organization.

The existing list of countries that have been approved by the EU Commission will remain in force. Transfers of personal data to the following countries can take place without additional safeguards:

  • Andorra
  • Argentina
  • Canada (partial adequacy decision for personal data transferred to recipients subject to the Canadian Personal Information Protection and Electronic Documents Act 2000)
  • Faroe Islands
  • Guernsey
  • Israel
  • Japan
  • Jersey
  • New Zealand
  • Republic of Korea
  • Switzerland
  • The Isle of Man
  • United Kingdom
  • Uruguay

While the Privacy Shield was a partial adequacy decision covering transfers toward organizations that complied with the Privacy Shield Principles in the United States, it has been invalidated by the decision of the European Court of Justice in case C-311/18 dated 16 July 2020 ("Schrems II decision") and is not applicable anymore.

Transfer to Non-Adequate Countries

Where the country to which the personal data will be transferred does not appear on an approved list of countries (such as the U.S.), the transfer of personal data can still take place only if the controller or processor has provided appropriate safeguards, and on condition that enforceable data subject rights and effective legal remedies are available. 

The appropriate safeguards may be provided for by:

  • a legally binding and enforceable instrument between public authorities or bodies;
  • binding corporate rules ("BCRs") in accordance with Article 47;
  • so-called standard contractual clauses adopted by the European Commission or the supervisory authority, which incorporate the EU standards into the contract;
  • an approved code of conduct pursuant to Article 40 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards; or
  • an approved certification mechanism pursuant to Article 42 together with binding and enforceable commitments of the controller or processor in the third country to apply the appropriate safeguards.

The standard contractual clauses are the most used appropriate safeguard mechanism. However, according to the Schrems II decision, controllers relying on standard contractual clauses or BCRs are required to verify, on a case-by-case basis and, where appropriate, in collaboration with the recipient of the data in the third country, if the law of the third country ensures a level of protection of the personal data transferred that is essentially equivalent to that guaranteed in the European Economic Area. Where necessary, supplementary measures (i.e. legal, technical or organizational measures) have to be implemented to ensure such an essentially equivalent level of protection.

The GDPR also provides for derogations to the prohibition of personal data transfers, for instance where the data subject has explicitly consented to the transfer, after having been informed of the possible risks due to the absence of an adequacy decision.

Are there any notification requirements for data breaches?

The GDPR introduces a compulsory requirement for controllers to report data breaches to the competent national supervisory authority(ies) (please see below) without undue delay and, where feasible, within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to data subjects.  

A risk assessment will, therefore, need to be carried out by the controller in evaluating whether the obligation to report arises. Where a breach poses a high risk to data subjects, the GDPR also requires that the controller communicate the breach to the affected data subjects without undue delay. Regardless of whether notification to the regulator is made or not, controllers must document all personal data breaches, comprising the facts, their effects and the remedial action taken.

Where a processor has suffered a personal data breach, the processor must notify the controller “without undue delay” after becoming aware of the breach.

Providers of publicly available electronic communications services in public communications networks in the EU are subject to a mandatory reporting obligation in accordance with EU Regulation No 611/2013.

Who is the privacy regulator?

Supervisory Authority

Article 55 provides that each national supervisory authority has the competence to act in relation to matters in its territory. In Spain, the supervisory authority is the Agencia Española de Protección de Datos ("AEPD"): www.aepd.es

Lead Supervisory Authority

In circumstances where a controller or a processor is engaged in “cross-border processing” (being the processing of personal data which takes place in the context of activities of establishments of that controller or processor in more than one Member State or processing which substantially affects or is likely to substantially affect data subjects in more than one Member State), then the supervisory authority of the main or single establishment of the controller or processor shall have the competence to act in respect of such cross-border processing.

Tasks and Powers of a Supervisory Authority

The GDPR provides for enhanced, wide-ranging powers of enforcement to supervisory authorities, who may impose substantial fines for breaches of the GDPR.

The tasks of a supervisory authority are set out in Article 57 of the GDPR and include, among others:

  • monitoring and enforcing the application of the GDPR;
  • promoting awareness;
  • handling complaints;
  • conducting investigations;
  • cooperating with other supervisory authorities; and
  • administrative tasks such as drawing up codes of conduct, reviewing certifications and approving standard contractual clauses for transfers of personal data outside the EEA.

The powers of a supervisory authority are set out in Article 58 and include, among others:

  • ordering the production of information from controllers and processors;
  • conducting investigations in the form of audits including onsite investigations;
  • issuing warnings, reprimands and enforcement orders;
  • ordering the suspension or ban of non-compliant processing activities;
  • the imposition of administrative fines; and
  • advising, for example in relation to high-risk processing, or issuing opinions.

What are the consequences of a privacy breach?

Administrative Fines

The imposition of administrative fines by a supervisory authority is subject to appropriate procedural safeguards in accordance with Union or Member State law and therefore the mechanism and procedure for imposing a fine may vary from Member State to Member State.

For detailed information on how this aspect of GDPR is enacted in Spain please contact Uría Menéndez directly.

The level of administrative fines is set out in Article 83 together with examples of aggravating and mitigating factors in determining whether to impose a fine and if so, the level of such fine. In each case, the supervisory authority is to ensure that the imposition of fines is effective, proportionate and dissuasive. The amount of a fine depends on the nature of the infringement in question with the applicable thresholds being up to:

  • 2% of the total global annual turnover of an undertaking for the preceding financial year or EUR 10,000,000, whichever is higher; or
  • 4% of the total global annual turnover of an undertaking for the preceding financial year or EUR 20,000,000, whichever is higher.

How is electronic marketing regulated?

Direct marketing to individuals is currently regulated at a Member State level under national legislation that gives effect to the e-Privacy Directive ("Directive 2002/58/EC"). 

The use of publicly available electronic communications services to send unsolicited communications or to make unsolicited calls for the purpose of direct marketing is restricted. Generally, such communications by electronic means require consent or are subject to a right to opt-out.

In Spain, according to Articles 19 to 22 of Law 34/2002 of 11 July, on information society services and e‑commerce, direct marketing by electronic means requires, as a general rule, the prior written consent of the recipient (opt-in). Exceptionally, if the recipient already has a relationship with the sender, companies are allowed to send commercial communications, provided that they relate to products or services similar to those previously acquired and the recipients are given the option to oppose (opt-out) both when the contact details are collected and every time they are contacted for commercial purposes.

In January 2017, the European Commission published its proposal for an e-Privacy Regulation, which will replace and modernize the existing e-Privacy Directive and should particularize and complement the GDPR as its lex specialis on the protection of privacy and confidentiality of electronic communications. On February 10, 2021, the Council of the European Union finally agreed on a draft text of the e-Privacy Regulation, along with a mandate for its Presidency to start negotiations with the European Parliament in order to reach a consensus thereon. The first political trilogue concerning the e-Privacy Regulation took place on 20 May 2021, under the Portuguese Presidency. The scope of application of the e-Privacy Regulation is set to have a broader reach than the GDPR, since it concerns, inter alia, EU end-users to whom electronic communications data (including both the content and metadata thereof) refer, regardless of whether they are natural or legal persons.

For detailed information on how this aspect of GDPR is enacted in Spain please contact Uría Menéndez directly.

Are there any recent developments or expected reforms?

The Spanish Data Protection Authority ("AEPD") regularly adopts guidelines, recommendations, legal reports and other documents regarding the implementation of data protection regulations in Spain, such as:

  • the Guidelines on the use of Cookies, July 2020, in line with the European Data Protection Board guidelines;
  • the Code of Conduct for marketing activities of Autocontrol (the self‑regulatory and supervision body of the marketing industry in Spain), October 2020; although binding only for those parties that adhere to it, e.g. advertisers and marketing agencies, the AEPD will apply the Code’s criteria as a standard for all data processing obligations for marketing purposes; or
  • the Legal Report 148/2019, December 2020, on conservation periods and blocking of personal data.

Additionally, it should be noted that the Spanish Government made available for public consultation (until January 20, 2021) the Chart of Digital Rights. Although the Chart is not intended to be of a direct regulatory nature or to regulate new rights (rather to specify or supplement existing rights with regard to the digital environment), future legislative proposals may genuinely create new rights in Spain based on the Chart of Digital Rights.
