Key differences between Spanish Data Protection Law and GDPR
Spanish Data Protection Law (hereinafter, LOPD 2018) came into force on December 6th and Aphaia has analysed it in order to highlight how it differs from the GDPR, whilst identifying the main provisions made for how GDPR applies in Spain.
Deceased persons
While GDPR states that it does not apply to the personal data of deceased persons, LOPD 2018 entitles heirs and relatives to exercise all the applicable rights under GDPR, unless specifically restricted by the data subject or Law.
Liability for inaccurate data
LOPD 2018 does not hold the controller responsible under Article 5.2 GDPR for inaccurate data when the data has been collected directly from the data subject, from an intermediary where applicable, from another controller via the right to data portability, or from a public register.
Children’s data
Based on the provision in Article 8.1 GDPR, LOPD 2018 deems lawful the processing of a child's personal data without the consent or authorisation of the holder of parental responsibility over the child, where the child is at least 14 years old.
Public interest as a lawful basis for processing
Any data processing carried out on the basis of public interest must be grounded in Law.
Special categories of personal data
According to LOPD 2018, the data subject's consent alone will not be enough to process data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or sexual orientation.
Furthermore, LOPD 2018 limits the mandatory information to be provided to the data subject at the moment the data is collected, establishes a six-month timeframe as the reference period for considering a request excessive, and states that the retention period for data derived from CCTV systems will be one month.