What is personal data?
Directive 95/46/EC was formally implemented in Spain in November 1999 through Organic Law 15/1999 (Ley Orgánica 15/1999 de Protección de Datos de Carácter Personal) (LOPD). According to the LOPD, personal data is defined as “any information concerning identified or identifiable natural persons” (cf. Article 3.a).
What is sensitive personal data?
According to article 7 of the LOPD, personal data that requires special protection entails information revealing:
- political orientation
- trade union membership
- ethnic origin
- sex life
The processing of personal data relating to political, moral and religious beliefs, as well as trade union membership, requires the express and written consent of the data subject (cf. Article 7.2 of the LOPD). See conditions for processing personal data.
Conditions for processing personal data
The processing of personal data entails any automatic and non-automatic operation and technical process, which allows for the “collection, recording, storage, adaptation, modification, blocking and cancellation” of data (cf. Article 3 c) of the LOPD).
Personal data may be processed only if:
1. The data are adequate, relevant and not excessive in relation to the scope and legitimate purpose for which they were obtained;
2. The purpose of the processing is compatible with the original purpose of the data collection. The further processing of the data for historical, statistical or scientific purposes shall not be considered as incompatible purposes;
3. The personal data is accurate and updated;
4. The personal data is erased if proven to be inaccurate or incomplete;
5. The personal data is erased when it is no longer relevant for the purpose for which it was originally collected;
6. The personal data is stored in a form that permits the data subject’s rights of access, rectification, cancellation and opposition of the processing (cf. Article 4 of the LOPD).
The LOPD moreover states that any unfair, fraudulent or illicit means of collection of personal data is prohibited (ibid.).
Personal data that requires special protection (i.e. revealing ethnic origin, health and sex life) may be processed and assigned only when there are reasons of general interest, and the processing is provided for by law or the data subject has given his or her explicit consent (cf. Article 7.3 of the LOPD).
Data relating to criminal or administrative violations can only be registered by public authorities and companies. Individuals are forbidden from collecting and processing this kind of information (ibid.).
Files created for the sole purpose of storing personal data revealing ideology, trade union membership, religion, beliefs, racial and ethnic origin or sex life are forbidden (ibid.).
Obligation to notify supervisory authority
Notification to the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) is required before the processing of personal data is initiated (cf. Article 26.1 of the LOPD). The General Data Protection Register of the AEPD must approve the notification if it complies with the requirements of the LOPD.
The following information must be included in the notification:
- The name of the controller;
- The purpose and location of the file;
- The type of personal data registered;
- The level of security measures undertaken;
- Any transfers to third countries intended (cf. Article 26.2 of the LOPD).
Moreover, any changes that occur with regard to the purpose of the file, its location and the controller must be reported to the AEPD. Failure to register the processing of personal data in the General Data Protection Register may entail penalties according to the kind of infringements involved. Infringements are classified as minor, serious and very serious and the penalties of the different breaches are set out in the provisions of Title VII of the LOPD.
Unlike many other EU member states, which keep registries of data controllers, Spain keeps a register of all databases (files) that contain personal data. Thus, any data controller may have multiple entries in the General Data Protection Register (Flint and Ramos 2012).
Exemptions from obligation to notify
There are no exemptions from the obligation to notify or register the processing of personal data.
Data Protection Officer
There is no requirement of appointing a data protection officer.
Information revealing personal data is classified in terms of three levels of security measures: basic, medium and high (cf. Article 26.2). The data controller or data processor shall adopt the technical and organisational measures that are necessary for ensuring the secure processing of personal data (cf. Article 9 of the LOPD). In particular, they shall prevent the “(…) alteration, loss, unauthorised processing or access” of the data collected (cf. Article 9.1 of the LOPD). Moreover, no personal data shall be registered in files that do not comply with rules of security and integrity (cf. Article 9.2 of the LOPD). Special measures for data security are required for the processing of sensitive data, as referred to in Article 7 of the LOPD. See conditions for processing personal data.
According to Article 12.2 of the LOPD, the processing of data on behalf of the data controller shall be carried out in accordance with the instructions of the data controller, the data shall be used only for the purpose set out in the contract with the data controller, and the data shall not be communicated to other persons. Additionally, the contract shall follow the security measures referred to in Article 9 of the LOPD.
Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD) (unofficial English translation):
The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD):
AEPD’s English resources:
Flint, Jason and Ramos, Diego, 2012. “Data protection in Spain: Overview”. Practical Law. [Online]. Available at: http://uk.practicallaw.com/1-520-8264#, [accessed 17.07.2014].
LOPD. Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD). Agencia Española de Protección de Datos (AEPD). [Online]. Unofficial English translation available at: http://www.agpd.es/portalwebAGPD/english_resources/regulations/common/pdfs/Ley_Orgaica_15-99_ingles.pdf, [accessed 17.07.2014].