
SPAIN

 

The Spanish Data Protection Agency Website: https://www.agpd.es/portalwebAGPD/canaldocumentacion/publicaciones/common/pdfs/AEPD_en.pdf

 

Organic Law 15/1999 of 13 December on the protection of Personal Data: http://docs.google.com/viewer?a=v&q=cache:zI-elRquhi8J:unstats.un.org/unsd/dnss/docViewer.aspx%3FdocID%3D2014+organic+law+15+1999&hl=en&gl=uk&pid=bl&srcid=ADGEESgNfgwc2P3i8W7sQl-UFoT-BIBGhVS-fUlkvaQTfVrwBkgU9RRhU2qrnKZjwgeLMDA-7K94lh4LRwjncpwNQpZPnx2CXPEgCTo6FyG1no_ClZjpEWwGcrwaGb210iWrWUlDe77p&sig=AHIEtbTTobvg3kyWrTn1JGJUUyYmtK7olg

 

The Royal Decree 1720/2007 of 21 December which approves the Regulation implementing Organic Law 15/1999 of 13 December on the protection of Personal Data: https://www.agpd.es/portalwebAGPD/english_resources/common/reglamentolopd_en.pdf

 

What needs to be done prior to collection?

 

CONTACT THE DATA SUBJECT

 

Article 5 – Right of information in the collection of data

 

  1. Data Subjects from whom personal data are requested must previously be informed explicitly, precisely and unequivocally of the following:
    (a) The existence of a file or personal data processing operation, the purpose of collecting the data, and the recipients of the information
    (b) The obligatory or voluntary nature of the reply to questions put to them
    (c) The consequences of obtaining the data or of refusing to provide them
    (d) The possibility of exercising rights of access, rectification, erasure and objection
    (e) The identity and address of the controller or of his representative, if any

Where the controller is not established on the territory of the European Union, and he is using for the processing means situated on Spanish territory, he must, unless these means are being used for transit purposes, designate a representative in Spain, without prejudice to any action which may be taken against the controller himself

  2. Where questionnaires or other forms are used for collection, they must contain the warnings set out in the previous paragraph in a clearly legible form

  3. The information set out in subparagraphs (b), (c) and (d) of paragraph 1 shall not be required if its content can be clearly deduced from the nature of the personal data requested or the circumstances in which they are obtained

  4. Where the personal data have not been obtained from the data subject, he must be informed explicitly, precisely and unequivocally by the controller or his representative within three months from the recording of the data – unless he has been informed previously – of the content of the processing, the origin of the data, and the information set out in (a), (d) and (e) of Paragraph 1 of this Article

  5. The provisions of the preceding paragraph shall not apply where explicitly provided for by a law, when the processing is for historical, statistical or scientific purposes, or when it is not possible to inform the data subject, or where this would involve a disproportionate effort in the view of the Data Protection Agency or the corresponding regional body, in view of the number of data subjects, the age of the data and the possible compensatory measures. The provisions of the preceding paragraph shall also not apply where the data come from sources accessible to the public and are intended for advertising activity or market research, in which case each communication sent to the data subject shall inform him of the origin of the data, the identity of the controller and the rights of the data subject.

CONTACT THE DATA PROTECTION AGENCY

 

Article 26 – Notification and entry in the register

 

  1. Any person or body creating files of personal data shall first notify the Data Protection Agency.

  2. Detailed rules shall be established for the information to be contained in the notification, amongst which must be the name of the controller, the purpose of the file, its location, the type of personal data contained, the security measures, with an indication of whether they are of basic, medium or high level, any transfers intended and, where applicable, intended transfers of data to third countries

  3. The Data Protection Agency must be informed of any changes in the purpose of the computer file, the controller and the address of its location

  4. The General Data Protection Register shall enter the file if the notification meets the requirements. If this is not the case, it may ask for the missing data to be provided or take remedial action.

  5. If one month has passed since submitting the application for entry without the Data Protection Agency responding, the computer file shall, for all accounts and purposes, be considered entered in the Register

 

What needs to be done prior to shipping?

 

Article 33 – International Movement of Data – General Rule

 

  1. There may be no temporary or permanent transfers of personal data which have been processed or which were collected for the purpose of such processing to countries which do not provide a level of protection comparable to that provided by this Law, except where, in addition to complying with this Law, prior authorisation is obtained from the Director of the Data Protection Agency, who may grant it only if adequate guarantees are obtained

  2. The adequacy of the level of protection afforded by the country of destination shall be assessed by the Data Protection Agency in the light of all the circumstances surrounding the data transfer or category of data transfer. Particular consideration shall be given to the nature of the data, the purpose and duration of the proposed processing operation or operations, the country of origin and country of final destination, the rules of law, both general and sectoral, in force in the third country in question, the content of the reports by the Commission of the European Union, and the professional rules and security measures in force in those countries

 

Article 34 – Derogations from General Rule

 

The provisions of the preceding paragraph shall not apply where:

 

(a)     The international transfer of personal data is the result of applying treaties or agreements to which Spain is a party

(b)     The transfer serves the purpose of offering or requesting international judicial aid

(c)     The transfer is necessary for medical prevention or diagnosis, the provision of health aid or medical treatment, or the management of health services

(d)     Where the transfer of data is related to money transfers in accordance with the relevant legislation

(e)     The data subject has given his unambiguous consent to the proposed transfer

(f)      The transfer is necessary for the performance of a contract between the data subject and the controller or the adoption of precontractual measures taken at the data subject’s request

(g)     The transfer is necessary for the conclusion or performance of a contract concluded, or to be concluded, in the interest of the data subject, between the controller and a third party

(h)     The transfer is necessary or legally required to safeguard a public interest. A transfer requested by a tax or customs authority for the performance of its task shall be considered as meeting this condition

(i)      The transfer is necessary for the recognition, exercise or defence of a right in legal proceedings

(j)      The transfer takes place at the request of a person with a legitimate interest, from a public register, and the request complies with the purpose of the register

(k)     The transfer takes place to a Member State of the European Union or a country which the Commission of the European Communities, in the exercise of its powers, has declared to ensure an adequate level of protection

 

What are the sanctions for non-compliance?

 

Article 45 – Penalties

 

  1. Minor infringements shall be punished by a fine of Ptas 100 000[1] to 10 000 000[2]

  2. Serious infringements shall be punished by a fine of Ptas 10 000 000[3] to 50 000 000[4]

  3. Very serious infringements shall be punished by a fine of Ptas 50 000 000[5] to 100 000 000[6]

[NOTE: See Article 44 for what is classed as a minor infringement, what is classed as a serious infringement and what is classed as a very serious infringement]

  4. The amount of the penalties shall be graded taking account of the nature of the personal rights involved, the volume of the processing operations carried out, the profits gained, the degree of intentionality, repetition, the damage caused to the data subjects and to third parties, and any other considerations of relevance in determining the degree of illegality and culpability of the specific infringement

  5. If, in the light of the circumstances, there is a qualified diminution of the culpability of the offender or of the illegality of the action, the body applying the penalties shall determine the amount of the penalty by applying the scale for the category of penalties immediately below that for the actual case in question

  6. In no case shall a penalty be imposed which is higher than that laid down in the Law for the category covering the infringement to be punished

  7. The Government shall regularly update the amount of penalties in accordance with changes in the price indices

 

 

Please refer to the Spanish Data Protection Agency Website for further information on the Statute.


 

[1] Spain has now joined the Euro – Ptas 100 000 = EUR 600

[2] Ptas 10 000 000 = EUR 60,100

[3] As Above

[4] Ptas 50 000 000 = EUR 300,500

[5] As Above

[6] Ptas 100 000 000 = EUR 600,000

© TRILANTIC - All rights reserved.