Guide to Business in Spain

2 Defining regulatory principles

2.4 Personal data protection

Another aspect with e-commerce implications is the processing of personal data that transactions of this nature may entail.

At present, the legislation applicable to these matters in Spain, as in the rest of the European Union, is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), known as the GDPR.

Within the framework of the GDPR, which has been directly applicable in Spain since 25 May 2018, the Constitutional Law on the Protection of Personal Data and guarantee of digital rights (LOPD-gdd) was passed, repealing the previous Constitutional Law 15/1999, of 13 December, on Personal Data Protection. The LOPD-gdd regulates certain aspects of the processing of individuals’ personal data within the margin of discretion that the GDPR allows the EU Member States.

The GDPR applies to “personal data,” meaning any information concerning identified or identifiable individuals. Accordingly, it does not apply to data concerning legal entities; however, unlike the previous Spanish legislation, it does apply to data concerning individual entrepreneurs and to individuals who act as the contact person of a legal entity, where their personal data are used.

Personal data protection legislation revolves around the following principles:

  • The data controller has to rely on one of the legal bases envisaged in article 6 of the GDPR in order to be able to process personal data.
  • The processing of specially protected data (i.e., data referring to ideology, labor union membership, religion, beliefs, ethnicity, health, and sex life) is prohibited other than in certain circumstances set out in article 9.2 of the GDPR.
  • The data subject must be informed of a number of matters in relation to the envisaged processing of his or her personal data.
  • Personal data may only be processed where they are adequate, relevant and not excessive in relation to the purpose for which they have been obtained.
  • Personal data may only be disclosed if a legal basis applies.
  • When the data are communicated to a third party that the Law classifies as a data processor, i.e., one that provides a service entailing access to such data, the data subject’s prior consent is not required, but the relationship must be governed by a contract for services that includes the provisions established in article 28 of the GDPR (a data processing agreement).
  • Data subjects are recognized the rights of access, rectification, erasure, restriction of processing, portability and objection, as well as the right not to be subject to a decision based solely on automated processing, including profiling, that has legal consequences for them.
  • Sanctions for infringement of the GDPR may consist of fines of up to €20,000,000 or 4% of the group’s global annual turnover for the previous fiscal year.

It should also be noted that international transfers of personal data are subject to limitations and to the obligation to ensure a level of security equivalent to that within the EU; it is therefore necessary to rely on one of the transfer mechanisms listed in the GDPR, which in some cases require the prior authorization of the Director of the Spanish Data Protection Agency.

As regards penalties, it is worth noting that the Spanish Data Protection Agency has the power, in certain exceptional cases, not to commence disciplinary proceedings and instead to require the party responsible for the infringement to demonstrate that it has taken the corrective measures applicable in each case.

The GDPR bases its regulatory structure on the principle of “accountability”, which obliges the data controller to assess the processing it carries out and the risks attached to it, and to adopt the security measures most appropriate to each case. This principle is closely related to the concept of “Privacy by Design and by Default”, which obliges data controllers to assess those processing risks and to implement appropriate technical and organizational measures, not only during the processing but from the design stage onward, and to ensure that, by default, only the data necessary for the specific purposes of the processing are processed.