January 15, 2008

SPAIN BROADENS ITS DATA PROTECTION REGULATION

Confirming widespread rumors that had been circulating in Madrid for weeks, the Government of Spain just before Christmas approved its new General Data Protection Regulation (GDPR) that increases the scope of data protection in Spain.

This release was something of a surprise. The GDPR had been considered in various versions over the past three years, and most observers had thought that it would not be released before the government was dissolved in advance of the March 9, 2008 elections. Nevertheless, a public debate between the Socialist and the Popular parties on the unjustified delay in the approval finally triggered its release, on December 21, 2007, although it will not enter into force until three months after its publication in the National Official Bulletin.

The GDPR covers a much broader number of topics than did the earlier regime. Many, but not all, of the rules simply codify earlier unwritten policies. However, certain aspects of the new rules are more difficult to comply with than those in the previous regime—already one of the world’s most demanding and most rigorously enforced.

Paper files (non-electronic databases): Although paper-based files have been formally subject to Spanish data protection rules since the end of October 2007, the specific requirements governing how this major expansion should be carried out were not in place. The GDPR sets out these rules in great detail. Even more importantly, companies are granted a sunrise period to adapt to the new regime (a minimum of one year, with longer periods of up to two years in the case of the most demanding requirements, like encryption in the case of transfers of health information). Storage sites that contain paper files shall be locked to prevent unauthorized access.

Minors: Traditionally, Spain permitted minors to grant their consent for the processing of their personal information if they showed good reasoning and personal “maturity.” Under the GDPR, such “maturity tests” apply only to children who are already 14 or older. Personal information regarding people younger than 14 can be collected and processed only with the consent of their parents/guardians, much like the United States Children’s Online Privacy Protection Act rule that applies to information collected online from children under the age of 13. New mechanisms for the verification of age and consent will be put in place.

Information regarding families: Before the GDPR, it was acceptable to collect information about an individual on the basis of his/her personal consent, even if this information allowed the data controller to make assumptions about the rest of his or her family. Under the GDPR, this is no longer possible, except when the members of the family to which this “overflow” data refer have also consented to the collection and processing of the information.

Marketing: The company sponsoring a marketing campaign (i.e., the one that ultimately benefits from the marketing, not the one designing or delivering the advertisements) will now be responsible for verifying that (i) the data used to contact the recipient have been collected and processed adequately by the sponsor in accordance with the Spanish data protection laws; and (ii) the outsourcing companies in charge of handling the data do so appropriately (in terms of security procedures and of holding the right authorizations from the sponsor). The GDPR also introduces an onerous new requirement to obtain the express consent of the data subject for “data append” combinations of databases by different data controllers for marketing purposes. Exclusion lists (registries along the lines of do-not-contact lists) shall be made more readily available by companies than before, and campaign promoters must check them before sending new messages.

International data transfers: The GDPR regulates Corporate Binding Rules in greater detail. For example, the public must be informed of petitions for approval of international transfers of data, which leaves the intended transferors open to public scrutiny (for example, by competitors).

Bad debts and credit reporting databases: The GDPR heavily amends the previous regime in these areas. It reinforces protection of debtors by requiring that contracts contain far more specific information regarding the purposes for which the information shall be collected, processed and transferred; expanding liabilities for data controllers who use inaccurate information; obliging data controllers to delete records on debts after they have been paid; and generally banning the recording of information on non-performing loans before the debtor has been properly informed. Furthermore, starting on the effective date of the GDPR, such recording of information shall be linked to a claim (before a court of justice or otherwise).

National Health Card: Transfers of health data between hospitals and other medical centers where the National Health card is used are exempt from the general rules that require the data subject’s consent.

Effective Date

Except for certain provisions subject to a sunrise period, the GDPR will go into effect three months after its official publication, which is likely to occur shortly, placing the effective date in mid to late April.