Spain: Last amendment of the Data Protection Act

In only five years, the Spanish data protection act, the Organic Law 3/2018 of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) (LOPDGDD), has undergone four amendments and has been subject to two appeals of unconstitutionality.

In this Insight article, María Luisa González Tapia, from Ramón y Cajal Abogados, delves into the recent amendments introduced in the Spanish data protection regulations and explores the key modifications made to the LOPDGDD.


The most recent amendment was introduced through the Final Provision Nine of Act 11/2023, of May 8, on the transposition of European Union Directives on the accessibility of certain products and services, migration of highly qualified people, taxation and digitization of notarial and registry actions; and which modifies Act 12/2011, of May 27, on civil liability for nuclear damage or damage caused by radioactive materials (only available in Spanish here) (Act 11/2023). Act 11/2023 primarily focuses on the organizational and operational aspects of the Spanish data protection authority (AEPD).

Additionally, the opportunity has been taken to align the LOPDGDD with the corrections to the General Data Protection Regulation (GDPR), published in the Official Journal of the European Union on March 4, 2021.

GDPR alignment

The 2021 correction of errors in the GDPR impacted several recitals and articles, requiring an adaptation of the LOPDGDD to ensure alignment. One significant modification relates to the concept of warnings. Previously, in Spain, warnings were regarded as non-financial sanctions. However, following the amendment, warnings will now serve as corrective measures wielded by the supervisory authority in cases of non-compliance. This entails that a warning will no longer lead to a sanctioning procedure, but rather a distinct process administered by the AEPD, which requires proper regulation.

Modifications impacting procedures before the AEPD and its investigation activities

To understand these changes, it is important to note that, as indicated in the AEPD's latest Report of Activities (only available in Spanish here), a total of 15,128 claims were filed in 2022. This represents a 9% increase compared to 2021 and a substantial 47% increase compared to 2020. If cross-border cases from other European supervisory authorities and cases where the AEPD acts ex officio are included, the figure rises to 15,822. Despite the mounting workload, there has not been a corresponding increase in personnel and resources, a situation that the President of the AEPD has repeatedly highlighted.

Therefore, it is not surprising that with Act 11/2023, the deadlines for the various inspection and control activities conducted by the AEPD have been extended, and the option of conducting online inspections has been introduced. The primary changes in this regard are as follows:

Articles 64 and 67

Articles 64 and 67 of LOPDGDD have been modified. Article 64 pertains to the initiation and duration of procedures conducted before the AEPD, while article 67 establishes the regulations for inspection activities. The following amendments have been introduced:

Article 65

Article 65 of LOPDGDD, which deals with the admission of claims filed by data subjects, has also been amended. This article includes a provision that enables the AEPD to request the controller, processor, or designated Data Protection Officer (DPO) to provide a defense before admitting a claim filed by a data subject.

With the modification introduced, the AEPD now has the authority to reject a claim, even if a violation of the GDPR is proved, if the controller or processor can demonstrate that they have implemented appropriate measures to comply with the relevant regulations. This provision aims to prevent the initiation of sanctioning proceedings for minor infringements.

Article 53.bis

Article 53.bis has been introduced to enable inspections conducted digitally.

Previously, inspections conducted by the AEPD required two inspectors to physically visit the facilities of the controller or the processor, regardless of their location within Spanish national territory. It is worth mentioning that the regional authorities in Spain (such as Andalusia, the Basque Country, and Catalonia) only have jurisdiction over public administrations within their respective jurisdictions, and not over processing activities of private entities.

The introduction of online inspections will allow the AEPD to monitor a larger number of companies, thereby reducing the costs and resource allocation associated with such activities. It is important to note that the utilization of these systems will require the consent of the entity being inspected, both in terms of their usage and the proposed date and time by the authority.

23rd additional provision

Furthermore, a 23rd additional provision is added to the LOPDGDD with the purpose of regulating the establishment of claim templates that data subjects must use. This mechanism is implemented to facilitate the analysis of claims and potentially enable the automatic archiving of unfounded claims.

Internal functioning of the AEPD

In addition to the abovementioned changes, Act 11/2023 also includes a modification to Article 48.2 of the LOPDGDD, which expressly addresses cases of absence, vacancy, or illness of the individual holding the presidency of the AEPD. To fully understand this amendment, it is necessary to provide context regarding the current president of the AEPD, Mar España. Although her mandate was originally scheduled to end in 2019, Mar, who assumed her position in 2015, has had her term extended due to various circumstances. The appointment of a new president was halted in February by the Spanish Supreme Court amid a politically charged controversy. The court suspended the appointment, deeming it premature as it was decided prior to the completion of the selection process and potentially infringing upon the rights of other candidates.

In conclusion, the amendments introduced by Act 11/2023 in the Spanish data protection regulations do not impose new obligations on data controllers and processors, nor do they necessitate changes to already implemented privacy policies.

The analyzed modifications primarily focus on operational aspects and aim to optimize the resources of the AEPD, enabling the Spanish authority to handle the workload resulting from the initial five years of GDPR implementation. Additionally, it is anticipated that these reforms will lead to a reduction in the number of sanctioning procedures pursued before the AEPD, which will be reserved for more severe violations.

María Luisa González Tapia Senior Associate
Ramón y Cajal Abogados, Madrid