GDPR Guide to National Implementation: Spain
24 min read
In this chapter:
Q1/ Applicable legislation
(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?
New legislation has been passed.
(b) Relevant legislation includes:
- Organic Law 3/2018, of 5 December, on the Protection
of Personal Data and Guarantee of Digital Rights
(“Ley Orgánica 3/2018, de 5 de diciembre, de Protección
de Datos Personales y garantía de los derechos digitales”)
(the “Data Protection Act”)
Date in force: 7 December 2018
- Date in force: 7 December 2018
- Link: In Spanish:
(c) What is the status of national pre-GDPR data protection law?
The main pre-GDPR legislation has essentially been repealed. There are, however, some exceptions:
- provisions of the former data protection law (Organic Law 15/1999) that implemented Art. 13 of the Directive will remain in force unless expressly modified, replaced or repealed; and
- processing activities subject to Directive (EU) 2016/680 continue to be governed by the aforementioned former data protection law until this directive is transposed into Spanish law.
Q2/ Personal data of deceased persons
Does national law make specific rules regarding the processing of personal data of deceased persons?
The following persons are authorised to exercise the rights of access and, where appropriate, of rectification and erasure with respect to the personal data of a deceased person:
- relatives or other persons similarly connected to the deceased person, as well as their legal successors (unless expressly prohibited by the deceased person or as established by law);
- persons or institutions designated by the deceased person for this purpose, in accordance with the instructions received from the deceased person;
- if the deceased person is a minor, his or her legal representatives or, within the framework of its competence, the Public Prosecutor, who may act ex officio or at the request of any interested party; and
- if the deceased person was disabled, those who have been designated to carry out support functions, insofar as such exercise falls within the scope of said support functions.
Further, there are also specific rules regarding access to the personal data of deceased persons managed by information society service providers, including profiles on social networks. The aforementioned persons and institutions, together with testamentary executors designated by the deceased person for this purpose, may access said personal data and give instructions on their use, destination or erasure.
Q3/ Legal bases for processing
(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?
There are no specific rules governing this issue.
(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?
Processing personal data can only be based on performance of a task carried out in the public interest if it falls within the powers granted by Spanish law.
In addition, the Data Protection Act contains the concept of “corporate contact details” (i.e., personal data relating to the position of a person within an organisation). Such data can be used on the basis of a legitimate interest if it meets the following requirements:
- data that permit location of the individual in his professional capacity; and
- the purpose of the processing must be to maintain a relationship with the organisation in which the data subject provides his services.
Public bodies are expressly authorised to process “corporate contact details” if such processing is necessary for the exercise of their powers or if necessary to comply with a legal obligation.
(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?
Processing of personal data can only be based on the exercise of official authority vested in the controller if it falls within the powers granted by Spanish law.
(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?
There are no specific additional criteria governing this issue. However, processing personal data for a purpose which is not compatible with the purpose for which the personal data were initially collected is considered a serious infringement under the Data Protection Act, where consent to the new purpose has not been obtained, and there is no other valid legal basis for the processing.
Q4/ Consent of children
At what age can a child give their consent to processing in relation to ISS?
14 years of age.
Q5/ Processing of sensitive personal data
(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?
The following sensitive personal data cannot be processed even if the data subject’s consent has been obtained:
- personal data revealing racial or ethnic origin;
- personal data revealing political opinions;
- personal data revealing religious or philosophical beliefs;
- personal data revealing trade union membership; and
- personal data concerning sex life or sexual orientation.
Note that this rule is aimed at preventing unlawful discrimination. Consequently, in such cases, the data subject’s consent alone will not be sufficient to permit the processing where the main purpose is identifying the data subject’s ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin. This does not prevent processing such data on the other grounds contained in Art. 9(2) GDPR.
b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:
(i) Employment, social security and/or social protection law
There are no specific rules on processing this category of data.
(ii) Substantial public interest
The Spanish Data Protection Act provides that the processing of health data and genetic data, in accordance with specific requirements of various pieces of Spanish legislation relating to the regulation of general public health, occupational risk prevention, clinical records, health professionals, insurance and reinsurance, is permitted on grounds of substantial public interest.
(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services
Processing of health data and genetic data will be covered by Arts. 9(2)(g)-(j) GDPR where such processing is regulated by relevant legislation relating to health and patient rights.
(iv) Public interest in the area of public health
See Q5(b)(iii). Further, health authorities and public institutions with public health monitoring powers may carry out scientific research without the data subject’s consent in situations of exceptional relevance and seriousness for public health.
(v) Archiving purposes, scientific or historical research purposes or statistical purposes
See Q5(b)(iii). Further, health authorities and public bodies with public health monitoring powers may carry out scientific research without the data subject’s consent in situations of exceptional importance and seriousness for public health. Note that the Spanish Data Protection Act specifies that sensitive personal data covered by Arts. 9 & 10 GDPR may only be collected in the context of government statistical purposes with the data subject’s prior express consent.
(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?
The Data Protection Act includes specific rules for the processing of health data collected for research purposes, including the following:
- it is lawful and compatible to reuse personal data for the purposes of health and biomedical research where consent was obtained for a specific purpose and the data is used for purposes or research areas which are related to the initial purpose. In such a case, data protection information must be provided via the relevant websites (including, where applicable, the promoter’s), and the data subjects must be informed by electronic means of the existence of such information;
- it is lawful to use pseudonymised data for health research and, in particular, biomedical research;
- where personal data is processed for the purposes of health research, and, in particular, biomedical research, the data subject’s rights to access, rectification, limitation to processing and to object to processing will be limited where:
- the aforementioned rights are exercised directly with the researchers or research centres that use anonymised or pseudonymised data;
- the exercise of such rights relates to the results of the research; and
- the research is carried out in the public interest related to the security of the State, defence, public safety or other important goals of general public interest;
- where the processing is carried out for the purposes of public health, and, in particular, biomedical research, the following applies:
- an Impact Assessment must be conducted;
- the scientific research must follow quality norms and, where applicable, international guidelines on good clinical practice;
- measures must be implemented to guarantee that researchers do not have access to the data subject’s identification data; and
- a legal representative in the EU must be appointed if the promoter of the clinical study is not established in the EU;
- the use of pseudonymised personal data for public health research, and, in particular, biomedical research, must previously be submitted to the research entity’s ethics committee (or to the DPO where there is no ethics committee).
Research ethics committees (in the field of health, biomedical or medicine) have one year from the date the Data Protection Act entered into force (i.e., until December 2019) to appoint a DPO as a member of the committee (or if there is no DPO, a GDPR expert) when their research activities involve processing personal data, pseudonymised data or anonymised data.
Q6/ Data relating to criminal offences or convictions
Under what conditions does national law permit the processing of personal data relating to criminal convictions?
The processing of personal data relating to convictions and criminal offences, as well as precautionary and security procedures and measures, for purposes other than the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, may only be carried out in the following situations:
- when authorised by EU Law, the Data Protection Act or other Spanish legislation; or
- by lawyers and solicitors who collect the information provided by their clients for the performance of their duties.
(a) Does national law specify exemptions to a data subject’s right to erasure?
Where data subject is exercising his or her right to object to the processing of their data for direct marketing purposes, the controller may retain the necessary identification data of the data subject in order to prevent such processing in the future.
(b) Does national law specify exemptions to a data subject’s right to be provided information under Art. 14 GDPR where the personal data has not been obtained from the data subject?
There are no specific exemptions to the right to be provided information.
(c) Does national law specify exemptions to a data subject’s right to not be subject to a decision based solely on automated processing, including profiling?
There are no specific exemptions to the right to not be subject to automated individual decision-making.
Q8/ Restrictions on data subjects’ rights
Aside from the exemptions noted in Q7, does national law contain any other restrictions on the rights of data subjects under Chapter III GDPR?
Authoritative bodies producing official statistics may refuse a data subject’s request to exercise his or her rights under Arts. 15-22 GDPR, provided that the data are subject to statistical confidentiality in accordance with national or regional legislation.
As noted above, there may be restrictions in the context of processing personal data for the purposes of health research (see Q5(c)).
Q9/ Joint controllership
Does national law provide rules or guidance on the apportionment of responsibility between joint controllers?
Generally, the apportionment of liability between joint controllers will be determined in accordance with the activities that each joint controller carries out.
In addition to the contract between controller and processor, are there any pieces of legislation which govern processing by a processor?
The legislation on public procurement defines the conditions under which a contractor carries out the processing of personal data, expressly stating that such processing is to comply with the data protection regulations.
Q11/ Impact Assessments
Are there any circumstances in which national law requires an Impact Assessment to be carried out, where the GDPR would not otherwise require such an assessment?
Impact Assessments are required in the case of processing activities carried out for public health research purposes, in particular in the biomedical field.
Q12/ Prior authorisation and public interest
Are there any circumstances in which national law requires controllers to consult with, or obtain prior authorisation from, the DPA in relation to processing for the performance of a task carried out by the controller in the public interest (including processing in relation to social protection and public health)?
Prior authorisation from the DPA is only required in accordance with the provisions of the GDPR.
(a) Does national law require controllers to appoint a DPO in circumstances other than those in Art. 37(1) GDPR?
DPOs are mandatory in the following additional circumstances:
- professional associations and their general councils;
- educational centres, as well as public and private universities;
- entities that operate networks and provide electronic communications services where they regularly and systematically process personal data on a large scale;
- society information service providers when they elaborate or create profiles of users of the service on a large scale;
- credit institutions and related organisations;
- insurance and reinsurance entities;
- certain investment services companies;
- distributors and marketers of electric power and natural gas;
- entities responsible for assessing asset and credit solvency or for the management and prevention of fraud, including certain entities engaged in the prevention of money laundering and financing of terrorism;
- entities engaged in advertising activities and commercial research where they carry out processing activities based on preferences of data subjects or processing activities which involve the profiling of data subjects;
- most health centres that are legally required to keep medical records of patients;
- entities whose purpose includes the issuance of commercial reports which may concern natural persons;
- gaming operators whose activity is carried out electronically, telemetrically and interactively, in accordance with the gaming regulations;
- private security companies; and
- sports federations processing the data of minors.
(b) Does national law impose secrecy and confidentiality obligations on DPOs and if so, in what circumstances do they apply?
Even though this duty of secrecy and confidentiality is not expressly provided for DPOs, the Data Protection Act imposes a general duty of confidentiality on controllers, data processors and all persons involved in any stage of the processing activities.
Q14/ International data transfers
(a) Does national law make specific rules about transfers of personal data from public registers?
Data transfers from public registers are not subject to specific rules.
(b) Does national law restrict the transfer of specific categories of personal data to third countries?
Certain applicable sectorial regulations may impose additional restrictions on data transfers beyond those set out in the GDPR, such as regulations that govern the banking sector.
(a) Details of the DPA(s).
- Name of DPA: Agencia Española de Protección de Datos
- Address: C/Jorge Juan 6, 28001 Madrid, Spain
- Website: aepd.es
(b) If more than one national DPA has been established, what is the rationale behind multiple DPAs?
There are regional DPAs in Catalonia and the Basque Country with powers to supervise public entities or persons within their respective territory.
(c) How does national law ensure consistent application of the GDPR by the various DPAs in accordance with Art. 63 GDPR?
The Data Protection Act provides that there will be bi-annual cooperation meetings between the national DPA and the regional DPAs. Further, the national DPA or the regional DPAs may request meetings to ensure consistent application of the GDPR.
The powers limited exclusively to the national DPA are as follows:
- representing Spain internationally before other States and international organisations; and
- enforcing international treaties on personal data protection to which Spain is subject.
The national DPA will keep the regional DPAs informed about decisions taken to implement such international treaties within their corresponding areas of competence.
(d) Does national law grant the relevant DPA additional powers beyond those set out in Art. 58 GDPR?
The Data Protection Act expands the scope of the investigative powers set out in the GDPR, providing that the DPA has the following powers:
- the DPA may set out preventive audit plans on processing activities carried out in specific sectors and, where appropriate, it may adopt mandatory guidelines to be followed by controllers and processors in the relevant sector; and
- the DPA has regulatory powers to issue instructions determining the criteria to be followed in the application and interpretation of the GDPR and the Data Protection Act. These instructions will become mandatory once published in the State Official Journal.
(e) What national appeals process exists to enable parties to challenge the decisions of the DPA?
Decisions issued by the DPA may be appealed to the Administrative Litigation Chamber of the National High Court.
(f) Have specific national rules been adopted regarding the DPA’s power to obtain information from controllers or processors that are subject to obligations of professional secrecy (or equivalent)?
There are no specific rules on this issue.
Q16/ Claims by not-for-profit bodies
Does national law specify any not-for-profit bodies that are entitled to bring claims on behalf of individuals without the specific mandate of those individuals?
There are no not-for-profit bodies that are specifically mandated to bring such claims.
However, without prejudice to the data subjects’ individual entitlement to lodge a claim, Spanish law permits legally constituted associations of consumers and users to bring claims for breach of the rights and interests of their members.
Q17/ Administrative fines, penalties and sanctions
(a) Does national law lay down rules on whether and to what extent administrative fines may be imposed on public authorities for breaches of the GDPR?
The DPA may issue warnings to public authorities, which would include, where appropriate, measures to be adopted by the entity in order to stop or correct the effects of the infringement.
Further, the DPA may suggest initiating disciplinary actions where applicable. Where infringements have been committed by the public authority’s management, and there is evidence that technical reports or recommendations were not followed, the warning will also include a reprimand to be published in the Official Journal. The relevant DPA may also publish the warning.
(b) Does national law impose penalties/sanctions in addition to those set out in the GDPR, for breaches of the GDPR not subject to administrative fines (e.g., criminal penalties)?
According to the Criminal Act, punishment of imprisonment for one to four years and/or a daily fine for a duration ranging between 12 and 14 months will be imposed on any person who commits the following acts in order to discover the secrets or breach the privacy of another, without the latter’s consent:
- seizing their papers, letters, email messages or any other documents or personal belongings;
- intercepting their telecommunications; or
- using technical devices to listen to, transmit, record or reproduce sound or images, or any other communication signal.
Q18/ Freedom of expression and information
(a) What (if anything) does national law do to balance the provisions of the GDPR against the right to freedom of expression and information?
The Data Protection Act includes an additional chapter entitled “Safeguards in Digital Rights”, which expands on the following rights:
- the right to freedom of expression and information, particularly with regard to:
- the universal right to freedom of expression on the internet; and
- the adoption of adequate protocols by social media (and equivalent services) to allow for the exercise of the right to rectification;
- the right to have the information on digital media updated; and
- the right to be forgotten in the context of search engines and social media.
(b) What derogations have been introduced by national law concerning the processing of personal data for the purpose of academic, artistic or literary expression?
There are no specific provisions governing this issue.
Q19/ National identification numbers
Does national law stipulate specific conditions for the processing of a national identification number, and if so, what are the conditions?
A national identification number may be processed, under certain conditions, in the context of official announcements and publications of administrative acts.
Q20/ Processing in the context of employment
(a) For what purposes can employees’ personal data in the employment context be processed under national law?
The following rules apply to the processing of employee data:
- employers may gain access to the contents of digital devices provided to employees in order to control compliance with labour or statutory obligations and to guarantee the integrity of such devices;
- employers may process images obtained from CCTV in order to verify compliance by workers with their obligations and duties, provided the processing is carried out lawfully and within legally defined limits; and
- employers may process personal data which stems from systems recording sound in the workplace when doing so is relevant to assess the security of the premises, goods/ property and persons, provided that such processing is carried out in accordance with the principles of proportionality, minimum intervention and guarantees provided by law; and
- employers may process data obtained from geolocation systems in order to verify compliance by workers with their obligations and duties, provided that these duties are carried out lawfully and within legally defined limits.
(b) Does national law provide safeguards for employees’ dignity, legitimate interests, and fundamental rights?
Employees have the right to privacy in their use of digital devices made available by the employer, or where CCTV and geolocation services are being used. Further, employees (and where applicable, workers’ representatives) must be informed of the processing activities before such activities are implemented, and the given notice must be clear and concise. Processing activities must be proportionate to their purpose.
Q21/ Other material derogations
Are there any other material derogations from, or additions to, the GDPR under national law?
There are no other material derogations.
Q22/ Current legal challenges
Are there any current legal challenges (e.g., court cases or regulatory appeals) regarding the validity or operation of the national GDPR implementation law (e.g., claims that the law incorrectly applies the GDPR; claims that the law is incompatible with constitutional principles; etc.)?
A constitutional challenge has been filed regarding a provision in the Data Protection Act which entitles political parties to use publicly available information from websites and other public sources for political activities during electoral campaigns. In May 2019, the Spanish Constitutional Court declared such provision unconstitutional.
Has the local DPA issued any material fines or taken any material enforcement action to date for breaches of the GDPR?
The DPA has mainly issued warnings so far. However, it has recently issued an administrative fine of €250,000 for infringement of Art. 5(1)(a) GDPR.
Q24/ Regulatory Guidance
Has the DPA issued any significant guidance on the application of the GDPR or national implementation law?
The DPA has issued the following guidance on the application of the GDPR and/or GDPR implementation law:
- guidance for controllers (see here (in Spanish));
- guidelines on the preparation of data processing contracts (see here (in Spanish));
- guidance on personal data breach management and notification (see here (in English)); and
- guidance on risk analysis (see here (in Spanish)).
Carlos Pérez Sanz
With a professional background of more than 20 years in advising leading Spanish and international companies on matters related to information technology, telecommunications, intellectual property, privacy law and compliance regulations, Carlos Pérez Sanz developed most of his career in Landwell – PwC Tax & Legal Services, which he joined in 1998. At PwC, he was a partner and the Head of the Information Technology Department of the firm in Spain. Carlos Pérez Sanz holds an LL.B. from Universidad de Barcelona, an M.B.A. from ESADE in Barcelona and is an associated professor at the same university for its Intellectual Property and Information Society Masters programme. In addition, he holds the International CISA Certification as a qualified information technology systems’ auditor by ISACA (Information Systems Audit and Control Association).
Pia Lestrade Dahms
Pia Lestrade Dahms holds a Masters Degree in Intellectual Property and Information Technology from Spain, as well as a Bachelor of Arts and Juris Doctor from the United States. She works at Ecija on international data protection projects, and serves as the Barcelona Office IP/IT/Privacy Knowledge Management Professional. She is also the Knowledge Liaison with the law firm’s other offices.
Prior to joining Ecija, Pia interned at Allen & Overy, Chaumet International (LVMH Group) and the US Department of Justice (EOIR Immigration Court).
She has volunteered at technologyrelated conferences organised by the French Member of Parliament who represented French citizens living in North America. She also volunteered at the first edition of the Startup Europe Awards by providing analysis on the French startup landscape.
Currently, she acts as the Young Privacy Professional Leader to the International Association of Privacy Professionals (IAPP)’s Barcelona Chapter.
Alejandro Calvo Schwarzwälder
Alejandro Calvo Schwarzwälder holds an LL.B. (2013) and an LL.M. in Legal Practice (2015) from the University of Barcelona, as well as an LL.M. in Legal Sciences (2017) from the University Pompeu Fabra. Under the latter, he successfully participated in the CIEL Graduate Exchange Programme at the University College Dublin, being awarded the certificate of European Master in Comparative, International and European Law. He speaks English, German, Spanish and Catalan.
Prior to joining Ecija, Alejandro worked as an intern at Monereo Meyer Marinel‑lo Abogados, an international law firm with a particular focus on providing legal advice to German clients. His main fields of work are corporate/ commercial law and data protection.
- Foreword and issue-by-issue comparison
- Country-by-country guides:
Our Global Data, Privacy & Cybersecurity Practice »
GDPR Handbook: Unlocking the EU General Data Protection Regulation »
This publication is provided for your convenience and does not constitute legal advice. This publication is protected by copyright.
© 2019 White & Case LLP