The LOPDGDD, Personal Privacy Protection in Spain

Spain’s Organic Law 3/2018 of December 5, on the Protection of Personal Data and Guarantee of Digital Rights or the LOPDGDD for short, is a data privacy law that was recently passed in 2018. The LOPDGDD was passed for the purposes of implementing the General Data Protection Regulation or GDPR into Spanish law, Spain is one of the many nations that make up the European Union. To this point, the LOPDGDD and the EU’s GDPR law established the legal grounds upon which personal data may be collected, processed, used, transferred, or disclosed within the country of Spain, and also outlines the obligations that data controllers and processors within the country have with respect to achieving and maintaining compliance with both laws.

What are the differences between the LOPDGDD and the EU’s GDPR law?

The provisions of the LOPDGDD and the EU’s GDPR law are largely the same, though the two pieces of legislation do vary a bit in terms of the obligations of data controllers and processors and the rights of data subjects respectively. For instance, while the EU’s GPDR law does not require data controllers or processors to appoint a data protection officer or DPO, the provisions of the LOPDGDD do mandate such an appointment. As such, some of the companies that are required to appoint a DPO under the LOPDGDD include but are not limited to:

• Professional associations and general councils of professionals;
• Educational institutions;
• Entities that operate electronic communications networks and offer electronic communication services, which process personal data on a large scale;
• Information society services providers carrying out data subjects’ profiling activities on a large scale;
• Banks, credit unions, and the Official Credit Institute;
• Credit institutions;
• Insurance companies;
• Investment services companies;
• Energy and natural gas distributors and marketers;
• Entities in charge of creditworthiness data files and in charge of fraud prevention data files;
• Entities carrying out advertising and commercial research activities based on the data subjects’ preferences or carrying out profiling for marketing purposes;
• Entities in the health sector.

Moreover, Spain’s LOPDGDD and the EU’s GDPR law also vary as it pertains to the age at which children can consent to the collection or processing of their personal data. While many other member states within the EU establish this age at 18, the LOPDGDD sets this age at 14. Alternatively, the LOPDGDD also varies from the EU’s GDPR law with respect to regulations concerning the processing of special categories of personal data. Under the LOPDGDD, the consent of data subjects is “sufficient for processing data where the main purpose is to identify that individual’s ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin. This is to prevent discrimination. Consequently, additional grounds are needed in order to process this type of personal data.”

What are the rights of Spanish citizens under the LOPDGDD?

Under the LOPDGDD, the rights of Spanish citizens are the same as those that are offered to citizens of other EU member states. These rights include the following:

• The right to be informed.
• The right to access.
• The right to rectification.
• The right to erasure.
• The to object or opt-out.
• The right to data portability.
• The right to not be subject to automated decision-making.

In terms of the enforcement of the LOPDGDD, the provisions set forth in the law are enforced by the Spanish data protection authority or AEPD for short. As such, “the LOPDGDD classifies data protection infringements as minor, serious, or very serious, and specifies the statutory limitation period that is one, two, and three years, respectively.” However, while the AEPD does determine the scale and scope of offenses as it pertains to violations of the law, the punishments that can be levied against data controllers and processors should they violate the LOPDGDD remain unchanged when compared to the EU’s GDPR law. These punishments can be as high as fines of up to 4% of a particular business’s or organization’s global revenue for a given fiscal year, among various others.

Through the facilitation of the EU’s GDPR law, member states within the EU have been able to effectively guarantee the data privacy rights of their respective citizens. What’s more, through provisions within the General Data Protection Regulation that allow for member states to pass their own legislation to both implement and supplement the provisions set forth in the law, citizens of these member states are provided with what is arguably the most stringent form of data protection that currently exists in our world today. As such, Spanish citizens have the peace of mind that their privacy cannot be infringed upon without the prospect of legal consequences.