In Short

The Situation: Spain approved emergency legislation regarding data protection that mainly focuses on regulating inspection and sanctioning procedures.

The Purpose: The purpose of this legislation is to allow for the correct enforcement of the General Data Protection Regulation ("GDPR") provisions in Spain.

Looking Ahead: This new legislation will be in force until the Organic Law on Data Protection ("Organic Law") is enacted.

The Council of Ministers approved a Royal Decree-Law this summer that adapts Spanish Law to ensure the application of GDPR in Spain. The Royal Decree-Law was necessary because the Organic Law that must incorporate the changes introduced by the GDPR into the Spanish legislation has not yet passed parliamentary procedure. An organic law is intended to regulate areas of law related to fundamental rights in Spain and, unlike ordinary laws, must be passed by an absolute majority of the Congress of Deputies and not merely a majority of those voting.

The fundamental right of privacy for Spain's citizens was unprotected without national legislation to allow for the effective application of the GDPR (although GDPR has been directly applicable in Spain since May 25). Adopting this legal standard covered the legal void—mostly related to procedural issues for the investigation phase and the sanctioning procedure—caused by the delay in the enactment of the Organic Law.

The regulations in the Royal Decree-Law pertain to the inspection, sanctioning regime, and instruction procedure relevant for the protection of personal data. In this sense, the Royal Decree-Law establishes guidelines for Spanish Data Protection Agency personnel, or external public personnel, to carry out the inspections in the manner outlined by the GDPR.

The novel sanctioning regime of the GDPR is adopted under the Royal Decree-Law, and the Royal Decree-Law replaces the type of violations in Organic Law 15/1999, which is still in effect. However, the Royal Decree-Law maintains the duration of sanctioning procedures as defined by the current regime (six months, although they may include preliminary investigation actions for a maximum period of 12 months).

Under the Royal Decree-Law, the limitation period for infringements established in sections 5 and 6 of Article 83 GDPR will be three years, while infringements established in Article 83.4 GDPR shall lapse after two years. Moreover, limitation periods for sanctions remain unchanged from the terms established by Organic Law 15/1999 (a period of one year for fines lower than €40,000, two years for fines between €40,001 and €300,000, and three years for fines above €300,001).

Moreover, the Royal Decree-Law creates a procedure for cooperation between the EU Member States (including the participation of all relevant authorities) for the cross-border processing of personal data. The Royal Decree-Law establishes that, when supervisory authorities are working jointly, the personnel of the supervisory authorities cooperating with the Spanish Data Protection Agency will be subject to the Spanish procedural rules and will act under the orientation and in the presence of the Spanish Data Protection Agency.

The validity of certain data processing agreements is also regulated in the Royal Decree-Law. All data processing agreements that were formalized prior to May 25, 2018, in accordance with the provisions of Organic Law 15/1999, will be valid until the contract is terminated. Open-ended contracts will have to be adapted in accordance with Article 28 GDPR before May 25, 2022. In any event, regardless of this exception, one party could request the other party modify the contract to be in compliance with Article 28 GDPR at any time.

The approved Royal Decree-Law will be valid only until the Organic Law is approved and replaces the Royal Decree-Law. However, after comparing the wording of the Royal Decree-Law and the draft text of the new Organic Law, no substantial changes are expected in the issues already regulated by the Royal Decree-Law.

Key Takeaway

Although the GDPR is directly applicable in Spain, it is necessary to regulate some aspects not reserved to Organic Law to ensure correct enforcement of the GDPR. The Royal Decree-Law will only be in force until the new Organic Law is approved, however, the provisions included in this emergency legislation will likely remain unchanged in the new Organic Law.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.