Regulation (EU) 2016/679 of the European Parliament and the European Council, of April 27, 2016, on Processing of Personal Data (hereinafter, "European Regulation") which came into force on May 25, 2016 will be mandatory from next May 25, 2018.    

In Spain, the Congress of Deputies is processing a new Organic Law on Protection of Personal Data which is expected to be approved and come into force before May 25, 2018, and will repeal the current Spanish Organic Law 15/1999, of December 13 on Protection of Personal Data.

This new regulatory framework will also repeal those provisions contained in the Spanish Royal Decree 1720/2007 of December 21 approving the Regulation for the development of the Organic Law 15/1999, which contradict it, oppose it, or are incompatible with it.

This new regulatory framework for the protection of personal data significantly modifies the current regulatory framework in Spain (and also in Europe). It introduces a set of new obligations to be fulfilled by companies when processing personal data in order not to infringe the law which could be punished with new and serious economic sanctions.

In effect, this European Regulation designs a new regime on infractions and sanctions that exponentially raises the economic fines imposed so far in Spain.                                   

Therefore, infractions may be sanctioned with fines of up to € 10,000,000 (or up to 2% of the total annual turnover of the Company in the previous year, if this amount exceeds € 10,000,000), and, the most serious infractions with fines of up to € 20,000,000 (or up to 4% of the total annual turnover of the Company in  the previous year, if this amount exceeds € 20,000,000).

For all these reasons, all Companies must adapt their operation to this new regulatory framework (including those companies that were already adapted to the regulatory framework so far in force).

Among the new obligations introduced, special attention should be paid to the following ones:

• Both the Data Controller and the Data Processor must carry out an analysis of the risks involved in their data processing for the rights and freedoms of individuals, in order to be able to determine the most suitable technical and organizational measures to guarantee a level of security appropriate to the risk.

Therefore, the new regulatory framework no longer provides for an explicit and exhaustive list of security measures whose adoption holds the Data Controller and the Data Processor harmless, but establishes an obligation to adopt in each particular case all those specific measures (whichever they are) necessary to avoid information leaks or losses, or unauthorized access.

• Those Data Controller dealing with certain circumstances (for example, special categories of data on a large scale), must carry out a Data Protection Impact Assessment. Depending on the result of such assessment, it may be deemed necessary to consult the Spanish Data Protection Agency.
• Both Data Controllers and Data Processors must keep a Record of Processing Activities when they meet certain requirements. This obligation replaces the current duty of Data Controllers for registering the files with the Registry of the Spanish Data Protection Agency.
• Data Controllers must notify certain violations of personal data to the Spanish Data Protection Agency within a maximum period of 72 hours.
• In certain circumstances (for example, where the core activities of the Controller or the Processor consist of processing operations which require regular and systematic monitoring of Data Subjects on a large scale) Data Controllers and Data Processors must appoint a Data Protection Officer (DPO).

The DPO will be the interlocutor between the Company and the Spanish Data Protection Agency, and its designation must be notified to the Data Protection Agency.

• New rights are granted to Data Subjects in addition to the current rights of access, rectification, cancellation and objection (such as, for example, the right to erasure -or "right to be forgotten "-, and the right to portability).
• The tacit consent by the Data Subject to enable the processing of certain personal data, or to authorize certain data transfers to third parties no longer exists.
• Genetic data and biometric data intended to unambiguously identify a natural person are now in the category of "special" or "sensitive" data. 
• The obligation to inform the Data Subject is now regulated under new terms, increasing the number of aspects the Data Subject must be informed about, and also offering the possibility of providing such information to the Data Subject in two different phases (at least in the case of the new Spanish regulation).
• Data processing for surveillance purposes is regulated in detail.
• The provisions and clauses that must be included in Data Processing Agreements and Contracts of Services to prevent access to personal data by third parties from being considered as an unauthorized transfer of personal data are considerably broadened.

All companies must take precautions to adapt their operation to this new regulatory framework for the protection of personal data before its entry into force, scheduled for May 25, 2018.