The Senate of Spain approved, on 21 November 2018, the Draft Organic Law on the Protection of Personal Data and the Guarantee of Digital Rights (‘the Draft Organic Law’), which seeks to implement the General Data Protection Regulation (Regulation (EU) 2016/679) (‘GDPR’). The Draft Organic Law lays down, among other things, provisions in relation to special categories of data, obligations for data controllers and processors as well as digital and data subject rights.
Laura Vivet, Senior Director at Ankura Consulting Group, LLC, told DataGuidance, “The Draft Organic Law goes way beyond the GDPR, including not only the enhancement of certain rights such as the security of electronic communications, rectification and the right to be forgotten on the internet and social networks, but also the addition of other digital rights. [Moreover,] the right to privacy and use of digital devices in the workplace establishes that a company’s access to the devices should be strictly limited to information necessary to protect the assets and ensure compliance with labour or regulatory obligations. Companies are also required to develop a policy for the use of electronic devices in the workspace and clearly disclose the scope and limits to employees, including the definition of retention periods.”
Furthermore, the Draft Organic Law complements the provisions of the GDPR on the appointment of data protection officers by making such an appointment obligatory for certain organisations, such as financial credit institutions, insurance and reinsurance entities, and investment service providers. Additionally, it provides for the establishment of advertising exclusion systems to address individuals' rights to opt out of direct marketing communications. These systems will list the persons who have opted out of receiving direct marketing communications, and businesses engaging in such activities must consult them. The Draft Organic Law also stipulates the creation of internal complaint information systems through which employees may bring to the attention of their employers acts or conduct that are contrary to general or sectoral legislation.
Vivet noted, “The preamble of the Draft Organic Law explains that the establishment of [the complaint information systems] is in the public interest, [as opposed] to complying with a legal obligation, such as under the Spanish Criminal Code. It also confirms the requirement of providing clear and complete information regarding whistleblowing schemes to everyone in advance, including to third parties contracted by the company, and states that the whistleblower’s identity and the content of complaints should be kept confidential. The Draft Organic Law […] also defines retention periods for the processing of this type of collection, which it sets at a maximum of three months from the time of collection, although information can be kept anonymised for a longer period of time for accountability purposes.”
In addition, the Draft Organic Law updates various other laws, including Organic Law 5/1985 of 19 June of General Electoral Regime, which it amends to authorise political parties to collect personal data relating to political opinions for the purpose of their 'political activities' during the election period.
Vivet concluded, “There are some concerns around the overarching approach of the Draft Organic Law since it contains a number of rights that do not have the status of fundamental, [thus] generating more complexity to the already challenging GDPR framework. [For example,] the information used by political parties can be obtained from the internet and other public sources and will be covered by the public interest if appropriate safeguards are in place, however, the Draft Organic Law fails to define what safeguards should be implemented and what exactly is meant by ‘political activities,’ which is a rather broad and undefined term.”
The Draft Organic Law will come into effect after its publication in the Official State Gazette.
NIKOS PAPAGEORGIOU Privacy Analyst