Data Protection in Spain

From GDPRhub
Revision as of 12:25, 13 July 2022 by Fm (talk | contribs)
Data Protection in Spain
Es.png
Data Protection Authorities: AEPD (Spain), APDCAT (Catalonia), DBEB/AVPD (Basque Country), CTPDA (Andalusia), CGPJ
National Implementation Law (Original): Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales
English Translation of National Implementation Law: [n/a English Translation]
Official Language(s): Spanish; Regional: Basque, Catalan, Galician
National Legislation Database(s): https://www.boe.es/
English Legislation Database(s): n/a
National Decision Database(s): http://www.poderjudicial.es/search/index.jsp

The current Spanish Data Protection Act is the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) (Organic Law 3/2018 regarding the Protection of Personal Data and guarantees of digital rights).

The AEPD (Agencia Española de Protección de Datos) is the Data Protection Authority competent for the privat sector and partially for the public sector in Spain.

There are three other independent regional data protection authorities in Spain for the public sector: the Catalan Data Protection Authority (Autoritat Catalana de Protecció de Dades or unofficially Autoridad Catalana de Protección de Datos), the Basque Data Protection Authority (Datuak Babesteko Euskal Bulegoa or Agencia Vasca de Protección de Datos) and the Andalusian Data Protection Authority (Consejo de Transparencia y Protección de Datos de Andalucía).


Legislation

History

The right to data protection is constitutionally enshrined in art. 18.4 of the Spanish Constitution: "The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights".

Subsequently, the Spanish Constitutional Court, in Judgements 292/2000 and 254/1993, confirmed it as an autonomous right, independent of the rights to intimacy [privacy], honour and image, conferring it a broader sphere, not only in terms of the legal object protected, but also because it attributes subjects a range of powers, since the right to data protection guarantees the power to control their data.

Spain is a party to the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108), drawn up in Strasbourg. It was signed on 28 January 1981 and ratified by Spain on the 31 January 1984, entering into force on 1 October 1985.

The first data protection law was Ley Orgánica 5/1992, de 29 de octubre, de regulación del tratamiento automatizado de los datos de carácter personal (Organic Law 5/1992 of 29 October 1992 on the Regulation of the Automated Processing of Personal Data) (LORTAD), which defined the basic principles and recognised the legal protection of the constitutional right. Its late drafting was positive as it was able to pick up aspects from other countries, although it contemplated several exceptions.

Following Directive 95/46/EC, the Ley Orgánica de Protección de Datos de Carácter Personal (Organic Law on Data Protection) (LOPD) was enacted in 1999, which has been fully applicable until the entry into force of the GDPR. In 2018 the new Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales came into force and three years later the Ley Orgánica 7/2021, de 26 de mayo, de protección de datos personales tratados para fines de prevención, detección, investigación y enjuiciamiento de infracciones penales y de ejecución de sanciones penales (Organic Law 7/2021 of 26 May on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties), that transposes Directive 2016/680.

National constitutional protections

Art. 18.4 of the Spanish Constitution states: "The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights".

This article is found in Section I of Chapter II of Title I of the Constitution, which confers reinforced constitutional prerogatives on it, such as the need for its content to be developed by Organic Law (Article 81 of the Constitution), and citizens may seek summary and preferential judicial protection without the need for it to have been developed legislatively, as well as binding all public authorities (Art. 53 of the Constitution).

National GDPR implementation law

In Spain the GDPR is developed by the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).

Age of consent

Article 7(2) LOPDGDD states that the minimum age for consent in Spain is 14 years.

Freedom of Speech

You can help us fill this section!

Employment context

You can help us fill this section!

Research

You can help us fill this section!

Other relevant national provisions and laws

You can help us fill this section!

National ePrivacy Law

The ePrivacy Directive was transposed by the Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) (Law 34/2002 of 11 July 2002 on information society services and electronic commerce).

Frequent references in data protection are made to Article 21 of the LSSI. It regulates sending commercial messages through electronic means and establishes, as a general rule, that consent is necessary for such messages.

Article 22.2 of the LSSI establishes the rules for cookies and comparable technologies. Cookies and similar technologies need consent in order to be installed, except for cookies that are strictly necessary for providing explicitely requested information society services.

Data Protection Authorities

There various different data protection authorities in Spain, being the Agencía Española de Protección de Datos (AEPD) the most prominent one.

Agencia Española de Protección de Datos - AEPD

The Spanish Data Protection Agency (Agencia Española de Protección de Datos) is the data protection authority competent for the privat sector and partially the public sector in Spain.

→ Details see AEPD (Spain)

Autoritat Catalana de Protecció de Dades - APDCAT

For the the public sector of Catalonia competence lies with the Catalan Data Protection Authority (Autoritat Catalana de Protección de Dades).

→ Details see APDCAT (Catalonia)

Datuak Babesteko Euskal Bulegoa | Agencia Vasca de Protección de Datos - DBEB/AVPD

For the the public sector of the Basque Country competence lies with the Basque Data Protection Authority (Datuak Babesteko Euskal Bulegoa | Agencia Vasca de Protección de Datos).

→ Details see DBEB/AVPD (Basque Country)

Consejo de Transparencia y Protección de Datos de Andalucía - CTPDA

For the the public sector of Andalusia competence lies with the Transparency and Data Protection Council of Andalusia (Consejo de Transparencia y Protección de Datos de Andalucía).

→ Details see CTPDA (Andalusia)

Dirección de Supervisión y Control de Protección de Datos del Consejo General del Poder Judicial - CGPJ

For the processing of personal data for jurisdictional purposes the Directorate of Supervision and Data Protection of the General Board of the Judicial Power (Dirección de Supervisión y Control de Protección de Datos del Consejo General del Poder Judicial) is competent.[1]

The use of personal data in the context of courts is regulated in Article 236 bis - decies of the Organic Law of the Judicial Power (Ley Orgánica del Poder Judicial).

Judicial protection

Contra las resoluciones que ponen fin a la vía administrativa (48.6 LOPDGDD), se podrá interponer (Art. 123 de la 39/2015), potestativamente, recurso de reposición ante la Directora de la Agencia Española de Protección de Datos en el plazo de un mes a contar desde el día siguiente a la notificación de esta resolución o directamente recurso contencioso administrativo ante la Sala de lo Contencioso-administrativo de la Audiencia Nacional (Art. 25 y DA4º. 5 Ley 29/1998) en el plazo de dos meses a contar desde el día siguiente a la notificación de este acto, según lo previsto en el artículo 46.1 de la referida Ley.

Constitutional Court

El Tribunal Constitucional puede actuar en amparo para la tutela del derecho de protección de datos contenido en el art. 18.4 CE