A New Regulatory Framework on Personal Data Protection Comes on the Scene with New Obligations for Companies

Carlos Fábrega's picture
Published: 14/05/18 - Country: Spain


Regulation (EU) 2016/679 of the European Parliament and the European Council, of April 27, 2016, on Processing of Personal Data (hereinafter, "European Regulation") which came into force on May 25, 2016 will be mandatory from next May 25, 2018.    

In Spain, the Congress of Deputies is processing a new Organic Law on Protection of Personal Data which is expected to be approved and come into force before May 25, 2018, and will repeal the current Spanish Organic Law 15/1999, of December 13 on Protection of Personal Data.

This new regulatory framework will also repeal those provisions contained in the Spanish Royal Decree 1720/2007 of December 21 approving the Regulation for the development of the Organic Law 15/1999, which contradict it, oppose it, or are incompatible with it.

This new regulatory framework for the protection of personal data significantly modifies the current regulatory framework in Spain (and also in Europe). It introduces a set of new obligations to be fulfilled by companies when processing personal data in order not to infringe the law which could be punished with new and serious economic sanctions.

In effect, this European Regulation designs a new regime on infractions and sanctions that exponentially raises the economic fines imposed so far in Spain.                                   

Therefore, infractions may be sanctioned with fines of up to € 10,000,000 (or up to 2% of the total annual turnover of the Company in the previous year, if this amount exceeds € 10,000,000), and, the most serious infractions with fines of up to € 20,000,000 (or up to 4% of the total annual turnover of the Company in  the previous year, if this amount exceeds € 20,000,000).

For all these reasons, all Companies must adapt their operation to this new regulatory framework (including those companies that were already adapted to the regulatory framework so far in force).

Among the new obligations introduced, special attention should be paid to the following ones:

  • Both the Data Controller and the Data Processor must carry out an analysis of the risks involved in their data processing for the rights and freedoms of individuals, in order to be able to determine the most suitable technical and organizational measures to guarantee a level of security appropriate to the risk.

Therefore, the new regulatory framework no longer provides for an explicit and exhaustive list of security measures whose adoption holds the Data Controller and the Data Processor harmless, but establishes an obligation to adopt in each particular case all those specific measures (whichever they are) necessary to avoid information leaks or losses, or unauthorized access.

  • Those Data Controller dealing with certain circumstances (for example, special categories of data on a large scale), must carry out a Data Protection Impact Assessment. Depending on the result of such assessment, it may be deemed necessary to consult the Spanish Data Protection Agency.
  • Both Data Controllers and Data Processors must keep a Record of Processing Activities when they meet certain requirements. This obligation replaces the current duty of Data Controllers for registering the files with the Registry of the Spanish Data Protection Agency.
  • Data Controllers must notify certain violations of personal data to the Spanish Data Protection Agency within a maximum period of 72 hours.
  • In certain circumstances (for example, where the core activities of the Controller or the Processor consist of processing operations which require regular and systematic monitoring of Data Subjects on a large scale) Data Controllers and Data Processors must appoint a Data Protection Officer (DPO).

The DPO will be the interlocutor between the Company and the Spanish Data Protection Agency, and its designation must be notified to the Data Protection Agency.

  • New rights are granted to Data Subjects in addition to the current rights of access, rectification, cancellation and objection (such as, for example, the right to erasure -or "right to be forgotten "-, and the right to portability).
  • The tacit consent by the Data Subject to enable the processing of certain personal data, or to authorize certain data transfers to third parties no longer exists.
  • Genetic data and biometric data intended to unambiguously identify a natural person are now in the category of "special" or "sensitive" data. 
  • The obligation to inform the Data Subject is now regulated under new terms, increasing the number of aspects the Data Subject must be informed about, and also offering the possibility of providing such information to the Data Subject in two different phases (at least in the case of the new Spanish regulation).
  • Data processing for surveillance purposes is regulated in detail.
  • The provisions and clauses that must be included in Data Processing Agreements and Contracts of Services to prevent access to personal data by third parties from being considered as an unauthorized transfer of personal data are considerably broadened.

All companies must take precautions to adapt their operation to this new regulatory framework for the protection of personal data before its entry into force, scheduled for May 25, 2018.

Subscribe to The Journal

* indicates required
Areas of Interest

Pragma International will use the information you provide on this form to be in touch with you and to provide updates and marketing. Please let us know all the ways you would like to hear from us:

You can change your mind at any time by clicking the unsubscribe link in the footer of any email you receive from us, or by contacting us at info@pragma.international. We will treat your information with respect. For more information about our privacy practices please visit our website. By clicking below, you agree that we may process your information in accordance with these terms.

We use Mailchimp as our marketing platform. By clicking below to subscribe, you acknowledge that your information will be transferred to Mailchimp for processing. Learn more about Mailchimp's privacy practices here.

Article Rating: 
Average: 4.3 (6 votes)
Total reads: 1,277
Carlos Fábrega's picture

Mr. Fábrega is characterized by being a highly specialized lawyer, specifically in the areas of Commercial Distribution and Protection of Personal Data. This important degree of specialization has allowed him to master these subjects in depth and to intervene in them at any stage or moment, from different perspectives and perspectives, and providing all kinds of advice related to them.

He conceives the exercise of his profession from the absolute implication, making his own the problems that the client moves him.

He likes to know in depth the assumptions of fact in which the request for advice is contextualized, and to deepen in the real needs of the client, to give a service as adapted as possible to their needs, always emphasizing the quality and usefulness of the service.


Advice to companies and public companies, mainly in the accomplishment of the following works:

  • Advice on procedures for obtaining municipal licenses for works and activities.
  • Drafting of reports on the legal urban planning of farms.
  • Conduct internal audits of private entities on compliance with security policy: security measures in the automated and non-automated processing of personal information.
  • Advice to complaints for not having attended the rights of access, rectification, cancellation