New Royal Decree-Law on Data Protection in Spain
A new Royal Decree-Law on Data Protection has been approved in Spain as part of the GDPR adaptation process. A Royal Decree-Law is a legal rule having the force of a law in the Spanish legal system. This is an important regulatory measure for privacy in the country, since GDPR currently coexists with the previous and still applicable national data protection law (“Ley Orgánica de Protección de Datos” – “LOPD”). Both laws are valid but they contradict each other at some points, which creates situations that are difficult to resolve, even though GDPR prevails over LOPD in the event of a conflict between them.
The Royal Decree-Law (“RDL 5/2018”) does not cover the whole GDPR; it only standardises the following subjects:
- Chapter I. Investigatory powers of the national supervisory authority (“Agencia Española de Protección de Datos” – “AEPD”) and the rules related to joint operations of supervisory authorities.
- Chapter II. Conditions for imposing administrative fines, especially:
  - Subjects responsible for infraction: controllers, processors, representatives in the EU of non-EU controllers and processors, certification entities and entities supervising codes of conduct. It states that the data protection officer shall not be responsible.
  - Limitation periods for infractions: three years for infringements of article 83.5 and 83.6 GDPR (20.000.000 EUR / 4% of the total worldwide annual turnover of the preceding financial year) and two years for infringement of article 85.4 GDPR (10.000.000 EUR / 2% of the total worldwide annual turnover of the preceding financial year).
  - Limitation periods for paying fines (one year up to €40 000, two years from €40 001 to €300 000, three years over that amount).
- Chapter III. Conditions for preliminary investigation.
  - Procedures where data subjects' rights are involved (Articles 15-22 GDPR) shall be settled in six months; the principle of Positive Administrative Silence applies here.
  - Procedures related to GDPR infraction shall be settled in nine months.
Provisions that may conflict with the terms of the new RDL 5/2018 are declared no longer in force (especially, articles of LOPD related to investigatory powers and the rules for imposing fines and penalties).
The Royal Decree-Law will be in force until the new Spanish Data Protection Act is declared, which is expected to happen at the end of 2018 or the beginning of 2019. In this regard, it is relevant to note that privacy is a constitutional right in Spain, which means that the new Spanish Data Protection Act requires special majorities inside the Parliament and a lengthy passing process.