
2.4 Personal data protection

Another aspect that may have e-commerce implications is the possible processing of any personal data in transactions of this nature.

At present, the applicable legislation on these matters in Spain, as in the rest of the European Union, is Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), known as the GDPR.

In the framework of the GDPR, which has been directly applicable in Spain since 25th May 2018, the Constitutional Law on the Protection of Personal Data and guarantee of digital rights (LOPD-gdd) has been passed, repealing the previous Constitutional Law 15/1999, of 13 December, on Personal Data Protection. The LOPD-gdd regulates some aspects of the processing of an individual’s personal data within the margins that the GDPR allows to the EU Member States.

The GDPR applies to “personal data,” meaning any information concerning identified or unidentified individuals. Accordingly, it does not apply to data concerning legal entities; however, unlike the previous legislation in Spain, it applies to data concerning individual entrepreneurs or individuals acting as the contact person of a legal entity where the personal data is used.

Personal data protection legislation revolves around the following principles:

  • The data controller has to rely on one of the legal bases established in the GDPR in order to be able to process personal data.
  • The processing of specially protected data (i.e., data referring to ideology, labor union membership, religion, beliefs, ethnicity, health, and sex life) is subject to very strict limitations or, in some cases, prohibitions.
  • The data subject must be informed of a number of matters in relation to the envisaged processing of his or her personal data.
  • Personal data may only be processed where they are adequate, relevant and not excessive in relation to the purpose for which they have been obtained.
  • Personal data may only be disclosed if a legal basis applies.
  • When the communication is addressed to a third party classified by the Law as a data processor, which provides a service entailing access to such data, prior consent by the data subject is not required, but the relationship must be regulated in a contract for services that includes a number of provisions established by the GDPR.
  • Data subjects are granted the rights of access, rectification, cancellation, and opposition to the processing of their personal data, as well as other new rights such as portability or limitation of the processing.
  • Sanctions for infringement of the GDPR may consist of fines of up to €20,000,000 or 4% of the global annual turnover of the group during the previous fiscal year.

It should also be noted that international transfers of personal data are subject to limitations and to the obligation to ensure a level of security equivalent to that inside the EU. It is therefore necessary to use one of the methods listed in the GDPR including, in some cases, the prior authorization of the Director of the Spanish Data Protection Agency.

In relation to penalties, worthy of note is the power of the Spanish Data Protection Agency not to commence, in certain exceptional cases, disciplinary proceedings and, instead, require the party responsible for the offense to evidence that it has taken the corrective measures applicable in each case.

The GDPR bases its regulatory structure on the principle of “accountability”, which implies the obligation for the data controller to assess the processing that it carries out and the risks attached thereto, adopting the security measures best suited to each case.