The first Code of Conduct under the GDPR has been approved by the Spanish DPA.

The Spanish Agency for Data Protection (AEPD), in enforcing the General Data Protection Regulation and the Data Protection Law and guarantee of digital rights, has approved the first code of conduct based on the provisions of articles 40 and 41 of the GDPR and 38 of the DPA 2018. The Code of Conduct for Data Processing in Advertising Activity has been presented by the Association for the Self-regulation of Commercial Communication (Autocontrol), whose main purpose is the establishment of an out-of-court system to process claims about data protection and advertising, quickly, easily, effectively and free for consumers. 

This first code of conduct under the GDPR approved by the Spanish DPA, governs the processing of personal data for advertising purposes.

The GDPR establishes that the supervisory authorities will promote the development of codes of conduct aimed at contributing to the correct application of the regulation, taking into account the specific characteristics of the different sectors and the specific needs of micro, small and medium-sized enterprises .This code, presented by Autocontrol applies to data processing for advertising purposes carried out by its member entities. This includes sending commercial communications, promotions carried out in order to collect personal data to use for advertising purposes, use of cookies and equivalent technologies for the management of advertising spaces or conducting behavioral advertising, and also profiling for advertising purposes.

Autocontrol, the independent self-regulatory body of the advertising industry in Spain, established in 1995 as a non-profit association, is made up of advertisers, advertising agencies, the media and professional associations, with the objective to work towards responsible advertising. The code recently presented by this organisation will apply to member entities established in Spanish territory or to data processing activities that affect data subjects residing in Spain, as long as the data processing is related to the offer of goods and services in Spain or to the monitoring of their behaviour in Spain. 

The code outlines information to be communicated to data subjects when their personal data is collected.

According to this code, the data subject may exercise the right of access, right to rectification, right to erasure, right to object, right to restriction of processing and, where appropriate, the right to data portability regarding the treatment of the data. The data controller must inform the data subject of the processing of their personal data, providing specific information, outlined in articles 13 and 14 of the GDPR, depending on whether they obtained the data from the concerned party or from a different source. In addition, data controllers must inform the concerned parties about their right to object to the use of their personal data for direct marketing purposes, at the time the data is collected. The use of cookies or similar tools by the data controllers will be subject to the provisions of the Information Society Services Law, which is the national law implementing the ePrivacy Directive, or regulations that replace it. 

According to the code, there will be an Advertising Jury which will act on behalf of the Spanish DPA in matters concerning advertising and marketing. 

Autocontrol has also implemented an extrajudicial resolution system to resolve disputes that arise between its data controllers and their data subjects, due to data processing carried out in advertising. With respect to the functions and powers of the Spanish DPA as supervisory authority, the Advertising Jury will act as a supervisory body of this Code. When the Advertising Jury, in resolving a claim, declares a breach of the code, it will rule on the sanctions that, where appropriate, should be imposed in accordance with the provisions of the regulations.

Annually, the Secretariat of the Advertising Jury will prepare a statistical report for each member entity with the relevant data regarding the respective entity’s activity, including both data related to mediations and the decisions of the Advertising Jury. The Secretariat of the Advertising Jury will also prepare an annual collective statistical report to be presented to the Spanish DPA.

Autocontrol has this Code of Conduct in the section for codes of conduct of its website where it can be downloaded free of charge by any user.

Do you process data for advertising and marketing purposes? Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling personal data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services and also compliance with the Spanish data protection national law including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance. Contact us today.