Spain – New law implements the GDPR and so much more

Spain has finally passed the Data Protection and Digital Rights Act (the “Digital Law”) to implement the General Data Protection Regulation. It will be published in the Official Gazette in the next few days and enter into force the day after publication. The law makes other significant changes including creating a new digital charter of rights. We consider the implications.

A charter of digital rights
One of the most interesting aspects of the Digital Law is the new charter of digital rights. They include the right to net neutrality, universal access to internet, digital security, digital education and digital wills.

There are also new digital rights for employees. Employees will have a general right to privacy when using digital devices, the right to disconnect from the use of digital tools, the right to privacy against the use of video-surveillance in the workplace and geo-localisation systems. These rights will likely modify the existing employment relationships as well as the collective bargaining agreements. This will have significant implications for employers in Spain who will face additional hurdles when trying to access or monitor emails, as well as having to deal with workers who don’t want to be contactable outside the workplace.

The Digital Law reinforces the rights of citizens in the digital environment by extending the application of their rights and freedoms enshrined in the Spanish Constitution and international treaties.
Children’s consent
Under the GDPR, the age threshold for obtaining parental consent to online services is 16 but Member States can reduce that threshold to 13 years old.

The Digital Law sets the minimum age of consent at 14 years old. Accordingly, processing based on consent for children under 14 will require the consent from the child’s parents or guardians. As opposed to GDPR, the Digital Law’s consent requirements for children do not specifically refer to online services, and thus would in principle apply to all types of processing.

The digital rights introduced by the Digital Law also includes the protection of children on the internet. There is an obligation to ensure the protection of the superior interest of children, particularly the protection of their personal data, when publishing or disseminating them via information society services.

Data subject rights
In addition to the general rights of data subjects set forth by the GDPR, the Digital Law gives new rights of individuals to be de-listed from internet searches and social media, as well as the right to data portability in social media.

This is supplemented by a specific right to “rectification on the internet”, in particular social media providers, and digital and information society services platforms.

Digital wills
The Digital Law introduces a so-called “digital will” under which the heirs of a deceased data subject can exercise the rights of access, deletion or rectification of the data subject’s personal data available online or in a social media account.

Accordingly, the heirs would be allowed to access the messages, pictures or content of the deceased data subject, unless such access was prohibited by this individual when alive.

The Digital Law codifies the restrictions and guidelines from the AEPD (the Spanish Data Protection Authorities). Images collected via video cameras should be generally deleted after a month, unless there are exceptional circumstances.

There are also restrictions and prohibitions to protect the privacy of the employees, especially related to the use of video cameras installed by the employers to monitor their employees, excluding for instance certain areas of the workplace.

For the first time, the Spanish law address the privacy issues associated with whistleblowing and internal complaints procedures. It also allows anonymous reporting which was previously prohibited by the AEPD.

Considering the risks involved both for the whistleblowers and the individuals accused in the event of a data leakage or unauthorised disclosure, companies will be required to pay special attention to the security and confidentiality of the personal data, and implement specific procedures to process and store such data.

Credit Information Systems
The Digital Law contains new controls on the credit information systems, which contain personal data of a defaulting debtors or their solvency. The Digital Law mainly codifies existing practice prior to GDPR, as well as the recommendations and methodology developed by the AEPD.

Companies that want to contact data subjects and process personal data for direct marketing will have to consult a “Robinson list” or Mail Preference Service before doing so.

Thus, data subjects who do not wish to receive direct marketing may sign in such a Robinson list, and consequently avoid the processing of their personal data for direct marketing purposes.

Data Protection Officers
The Digital Law contains a chapter on data protection officers, which includes a lengthy list of organisations and companies that are required to appoint a data protection officers. Accordingly, among others, insurance or reinsurance companies, financial credit institutions, educational institutions, electric and natural gas distributors, and advertising and marketing companies must designate a data protection officer.

The Digital Law allows organisations that are not required to appoint a data protection officers to do so voluntarily, in which case they would be subject to the requirements of GDPR and the Digital Law on data protection officers.

More controversial matters
Some of the other provisions in the Digital Law have generated greater controversy. These include exempting public authorities from fines for failing to comply with the data protection laws, or the amendment of the Spanish Law on the General Electoral System that would allow political parties to collect and process personal data of the citizens (including through different webpages or publicly available sources), such as political opinions, for their electoral campaigns.

Some parliamentary groups have already threatened to file an appeal on this issue with the Spanish Constitutional Court.

Is this the end of the story?
The long-awaited Digital Law has been finally arrived. Organisations collecting and processing personal data in Spain will need to review their compliance programmes in light of these new rules.

The passing of the Digital Law also means there are only a handful of Member States still to adopt laws to implement the GDPR, namely Bulgaria, the Czech Republic, Estonia, Greece, Portugal and Slovenia. An overview of the currents status of these implementing laws is available here.