New Data Protection Law Reminder

Following on from when new Data Protection Laws were first reported, this is a reminder that the deadline for these laws to come into force is now extremely close. After four years of debate, new regulations were approved which means that in line with European Directives, come the 25th May 2018, we say goodbye to the old system and say hello to the General Data Protection Regulation (GDPR). In Spain, this means the Ley Orgánica de Protección de Datos (LOPD) is being replaced by the Reglamento General de Protección de Datos (RGPD).

What Constitutes Personal Data?: This refers to any information related to a natural person or “Data Subject”, that can be used directly or indirectly to identify them. This could be something as simple as their name, a photo, an email address, bank details, medical details, posts on social media, computer IP address etc.

What is the Purpose of these Directives?: The official statement issued by the EU is that, “the EU General Data Protection Regulation (GDPR) replaces the Data Protection Directive 95/46/EC and was designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens data privacy and to reshape the way organizations across the region approach data privacy”. The newly drafted directive includes situations that were not previously contemplated and highlights principles of accountability and transparency.

In other words, the data subject whose information has been collected must know for what purpose this has been done, and it must be for a legitimate reason; the information must only be used in the manner in which it was entrusted; and it is prohibited to send personal data to countries outside of the EU if they do not offer the same guarantees.

Who is Obligated to Register?: In Spain the LOPD came into effect in 1999; however, misinterpretations led many to believe these laws only applied to lawyers, doctors and others who receive personal data of a high level. This is not the case, which means that, as per the directives, the following are also obligated to register:

  • Organizations with physical presence in at least one EU member state
  • Organizations that process or store data on natural persons that reside in the EU
  • Organizations that use third-party services that process or store information on natural persons that reside in the EU

Just to be clear and to avoid further misinterpretations to these new laws, this encompasses ALL businesses, corporations, sole-traders, communities, associations and Public Administration Offices within the EU.

Business Obligations and Overview: 

  • To register at the Spanish Data Protection Authority
  • To have the corresponding Security Documents and Annexes
  • To have informative material available and the corresponding forms
  • To maintain their Security Documents updated at all times and to carry out the obligatory Audits that verify data protection regulations are being fulfilled
  • Data Subjects have the right to know the purpose for and the treatment of their personal data.
  • Data Subjects have the right to access, modify, oppose and cancel their personal information as long as they forward written and clear instructions.
  • They also have the right to transfer their data to another company
  • Persons or companies who have collected data may only use the information for the purpose stated at the start of their agreement.
  • If said persons or companies are in breach of data protection regulations, the damaged party must inform the authorities within 72 hours.
  • Data Protection Officers (DPOs) must be appointed in the case of public authorities, organizations that engage in large scale systematic monitoring or organizations that engage in large scale processing of sensitive personal data. If this is not your case, you are not obligated to engage this type of service.
  • eCommerce businesses and those that have a website must pay special attention to these regulations and update their privacy and third-party policies as well as cookie notices.

Last but not least, Penalties for Non-Compliance:

Any breach of Data Protection Laws will be met with much stiffer fines than before.

Type of Fine    Previous Fines (€)     Current Fines (€)
Mild            601 – 60.000           900 – 40.000
Serious         60.001 – 300.000       40.001 – 300.000
Very Serious    300.001 – 600.000      300.001 – 600.000

From the 25th May 2018, the maximum fines that can be imposed will be calculated in two tiers:

  1. Up to 2% of annual global turnover of the previous tax year or 10 million euros (whichever is greater)
  2. Up to 4% of annual global turnover of the previous tax year or 20 million euros (whichever is greater)

Factors that will influence any penalties to be incurred for non-fulfillment include:

  • the gravity/duration of the violation
  • the number of data subjects affected and level of damage suffered by them
  • the intentional character of the infringement
  • any actions taken to mitigate the damage
  • the degree of co-operation with the supervisory authority

It is noteworthy that, despite the astronomical potential fines, the authorities may choose to issue a warning, a reprimand or a temporary ban on processing instead; however, in extraordinary cases a monetary fine may be imposed in addition to the reprimand.

To give three examples of consequences: on September 11th 2017, Facebook was issued with a fine of 1.2 million euros by Spain’s Data Protection Authority due to its generic and unclear privacy policy and the fact that it does not adequately collect the consent of its users, which constitutes a serious infringement of data protection regulations.

This year a Spanish school was fined 3.000 euros for not removing images of a minor from a YouTube video posted on its official channel.

Given the seriousness of this law, if you are unsure of your obligations and do not know how to proceed to ensure your business complies with General Data Protection Regulations, the best course of action would be to contract the services of a reputable consultancy that deals with these matters. Canary Admin Services can provide contact information for a company that provides such services so you can sleep easy.

About Sabrina L. Williams

Although I was born in the UK, I moved to the Canary Islands, Spain at a young age and I haven't looked back. The Canaries are a fantastic place to live, I mean you can do all types of outdoor activities practically all year round because of the great weather. Horses are my poison but the islands are also a superb spot for water sports, so they do attract a lot of attention from people around the world. Anyway, enough about that. Back in 2011, I made one of the biggest, scariest yet best decisions I'd ever made and set up my own business in the middle of a recession. I love what I do as no two days are the same, plus Spanish law keeps me on my toes as it is constantly changing (often without warning!), so there is always something new to learn. As I've branched out in the world of Administrative Consultancy, I decided to create a blog to discuss topics of interest to others in my industry and my clients, share tips and experiences, and see what new ideas people have for improving their businesses and the like, so I hope you'll find the time to join me on this venture...