Spain’s new data protection law

Posted and filed under General Articles of Interest, Legal Issues in Spain.

Spanish Solutions work closely with our data protection partner, Audidat.

We are happy to recommend them to any small or medium-sized business in Spain that is wondering exactly what these new laws mean for it. Why do you need data protection consultants here in Spain?

On Dec 6, 2018, Organic Law 3/2018 was published in the Official Gazette of Spain. The law exists to aid the protection of personal data in Spain and the guarantee of digital rights. The date is significant because in Spain this is Constitution Day, which marks the anniversary of a referendum held in Spain on Dec. 6, 1978.

So far so good.

As a company that regularly communicates with past and present clients, we were concerned that we might be testing the law. But really, with the help of a good data protection company, it’s possible to follow the law and still stay in touch with our clients. It is not meant to stop this sort of communication.

This new law has a double objective. First, it adapts the Spanish legal system to the GDPR (General Data Protection Regulation), which is Europe-wide; second, it provides certain specifications and restrictions.

A few points:

Data processing in Spain related to carrying out certain commercial transactions (such as the work of Spanish Solutions) is lawful. In the absence of proof to the contrary, if a company has proof that a client contacted them about a service (as in the bank), and assuming the data processing is necessary for the successful outcome of the transaction, it is legal.

If there was a mistake – for example, we sent an email to the wrong account because we entered it incorrectly – the controller or marketeer may not be responsible for the inaccurate data.

Once the marketing company has taken all reasonable measures to ensure deletion or rectification without delay, there is no fine or prosecution coming. That’s why we tell our clients, and email subscribers especially: if you are receiving the emails and you just don’t want to, we will unsubscribe you. We’ll miss you though.

Spain has, among EU countries, some of the strictest legislation on personal data protection. Still, are they protecting the people from an imaginary ghost while ignoring some obvious elephants in the room?

We now have a national data protection agency, the AEPD or Agencia Española de Protección de Datos. It is the enforcement agency with the authority to hear complaints on personal data protection issues in Spain. It is serious stuff – they have imposed huge fines on those deemed to have infringed data protection rights. Fines of 90,000 euro are not unheard of! You can see why we took the law so seriously.

Spain passed a Royal Decree, the Information Society Services and e-Commerce Act, which regulates the use of ‘cookies’ by websites in Spain. Yet it is still possible to legally buy people’s “movement data”. Major retailers in Spain are buying your records to find out how long you spend in their store, what you buy, where you went after leaving the store, etc. Worse, we believe (it’s impossible to know for sure), they can then buy your credit card data – and match your purchases to your behaviour. The things that are going on that we don’t understand!

There was a big case, Google v Spain, heard in 2012 at the European Courts of Justice. An action was brought against Google by a Spanish resident, Mario Costeja Gonzalez. He filed a complaint with the AEPD, the Spanish data protection agency, claiming that his right to privacy had been violated by Google’s search engine. They made notice of his bankruptcy easily accessible to the public and refused to remove his data. The ECJ ruled that he does have a right to request that Google remove links to private information when asked to do so by the relevant person.

This ‘Right to be Forgotten’ case was seen as a major win for those thinking corporations that deal in mining personal data have gone too far.

So far the data protection law in Spain sounds relatively ok, however…

An amendment to the law was approved late last year in Spain’s upper house of parliament. Passed by the political parties, it allows the same political parties to “use personal data obtained from web pages like Facebook and other publicly accessible sources, to carry out political activities”.

Remember the name Cambridge Analytica? It’s the now defunct British data consultancy which was accused of having harvested the data of millions of Facebook users without their permission. They “allegedly” used this data to elect a president in the USA and helped to have what many consider a detrimental referendum passed in the UK. The law now in Spain stipulates that people who do not wish to receive targeted adverts from political parties can and must be provided with a simple and free way to express their opposition.

The problem is, does anyone actually read the terms and conditions when Google, Instagram or LinkedIn ask us to “click to allow”? We are giving our freedom over to these companies.

Legally, under the EU’s General Data Protection Regulation, collection of political data on social media could be authorised as long as some appropriate guarantees are given. This is not good. Is political data just politics, or what does it cover? What is not political?

In the meantime, if you don’t want to hear more from us, please unsubscribe from our newsletter. While you are getting our blogs, you’ll read about tax, legal issues for expats, Brexit problems and solutions, rental contracts and everything that we think you need to enjoy living in Spain.

Get in touch for anything you need.

Ian Comaskey
