While the new Organic Law on the Protection of Personal Data is enacted, the Spanish government adopted in July a decree-law to adapt the current Organic Law 15/1999, of December 13, on the Protection of Personal Data to the General Data Protection Regulation.

Why a decree-law to amend the Spanish data protection law?

The procedure to amend the Organic Law 15/1999, of December 13, on the Protection of Personal Data began in 2016 when the government ordered a study on changes required to adapt it to the EU General Data Protection Regulation. The study was carried out during the first months of 2017 and during the summer the Department of Justice published the draft law that the Council of Ministers approved Nov. 10, 2017, and submitted to the Congress.

Since then, the Congress has been processing the draft law and, according to recent news, the new Organic Law on the Protection of Personal Data might be passed before the end of 2018.

The Royal Decree-Law 5/2018, of July 27, of urgent measures to adapt the Spanish legislation to the European Union law on data protection was published in Official Gazette number 183 July 30, 2018. The main reason to adopt this royal decree-law is to enable the Spanish data protection authority to carry out administrative proceedings according to the GDPR. As an urgent measure the government is entitled to adopt a royal decree-law. In particular, Article 86 of the Spanish Constitution points out that “[i]n case of extraordinary and urgent need, the Government may issue temporary legislative provisions which shall take the form of decree-laws.”

In any case, and as stated in its introduction, the decree-law only includes “issues whose immediate incorporation into domestic law is essential for the proper application in Spain of the General Data Protection Regulation.”

Provisions on power of investigation and sanctions

The decree-law comprises fourteen articles structured in three chapters. The first chapter (Articles 1 and 2) is dedicated to the powers of investigation according to the GDPR. The second chapter (Articles 3-6) is dedicated to the sanctions regime. And the third chapter (articles 7-14) is dedicated to the sanctioning proceeding.

Article 1 of the decree-law states that the Spanish data protection authority may carry out investigations through its officials or by external officials who are expressly authorized by its director. Any official, when carrying out an investigation, shall be considered as a law enforcement agent and obliged to keep confidentiality on information which has come to their knowledge in the course of the exercise of this power. Article 2 states that the official carrying out an investigation may “collect the information required to fulfill their duties, perform inspections, require the exhibition or sending of documents and necessary data, examine them in the place where they are deposited or where the data processings are carried out, obtain a copy of them, inspect the physical and logical equipment and require the execution of treatments and programs or procedures of management and support of the treatment subject to investigation.” Finally, this article also mentions that investigations, when carried out in domiciles, must comply with the rule of law.

Following the GDPR, Article 3 of the decree-law lists subjects that may be liable in the case of an infringement. These subjects are data controllers, data processors, representatives of controllers or processors not established in the European Union, certification bodies and accredited bodies that monitor compliance with codes of conduct. This article clarifies that the sanctioning regime is not applicable to the data protection officer.

Articles 4, 5 and 6 of the decree-law are dedicated, respectively, to infractions, according to Article 83.4, 5 and 6 of the GDPR, prescription of the infractions, and prescription of the sanctions. Article 6 provides that sanctions up to 40,000 euros will prescribe in a year, sanctions between 40,001 and 300,000 euros will prescribe in two years, and sanctions higher than 300,000 euros will prescribe in three years.

The proceedings in case of potential infringement of the legislation on data protection are set forth in Articles 7-14 of the decree-law. After stating, in Article 7, that sanctioning proceedings shall be carried out following the GDPR, Article 8 does regulate who the proceeding shall start in each case. In case of the potential infraction of the legislation on data protection, the proceeding may start ex officio or through a claim.

According to Article 9 of the decree-law, the Spanish DPA shall evaluate all claims submitted to determine if a claim is admissible or not.

The territorial scope of the Spanish DPA's power is included in Article 10. This article follows Article 60 of the GDPR, which is dedicated to the cooperation between the lead supervisory authority and the other supervisory authorities concerned. Respectively, Articles 11-13 are dedicated to previous investigation actions, to initiate the procedure for the exercise of the sanctioning power and precautionary measures during the performance of the previous investigation actions or when a procedure for the exercise of sanctioning power has been initiated.

Finally, Article 14 of the decree-law states that this chapter is applicable as well to the proceedings in which the Spanish DPA is competent under other laws. For example, the proceeding will be applicable in cases of spam, prohibited under the e-commerce law.

Additional provisions on several issues

The decree-law includes several provisions as well on publication of resolutions of the Spanish data protection authority, agreements or contracts with processors, and legislation repeal, among others.

The Spanish DPA will publish, on its website, resolutions of its director declaring that a request of rights (Articles 15-22 of the GDPR) is appropriated or not; that end a claim procedure; that archive the previous investigation actions; that sanction with a warning to public administrations under the jurisdiction of the Spanish DPA; or that impose precautionary measures or other measures under its statute.

Any agreement or contract agreed and signed before May 25, 2018, under Article 12 of the Organic Law 15/1999 shall be in force to the expiration date and in case that would be indefinite, shall be in force until May 25, 2022. During these terms, any party is entitled to adapt the contract according to the requirements of Article 28 of the GDPR.

With regard to the legislation repeal, the decree-law indicates that any law or regulation that opposes it is repealed. Articles 40 (Spanish DPA´s power of inspection), 43 (responsibility), 44 (types of infringement), 45 (penalties), 47 (statutory limitation), 48 (penalty procedure) and 49 (power to immobilize files), of the Organic Law 15/1999 are repealed.

Decree-law to adopt the NIS Directive into the Spanish law

The Spanish Government also adopted a decree-law to adopt into the Spanish law the Directive (EU) 2016/1148 of the European Parliament and of the Council of July 6, 2016, concerning measures for a high common level of security of network and information systems across the Union.

The Decree-Law 12/2018, of September 7, on the network and information systems security was published in Official Gazette number 218 on September 8, 2018, and entered into force the next day. It is important to consider that Article 25 of the Directive (EU) 2016/1148 indicated that “Member States shall adopt and publish, by 9 May 2018, the laws, regulations and administrative provisions necessary to comply with this Directive.” Therefore, it was necessary to adopt the required legislation immediately.

According to Article 1 of the decree-law its purpose is to regulate the security of the networks and information systems used for the provision of essential services and digital services, to establish an incident notification system, and to establish an institutional framework for the application of the decree-law and the coordination between competent authorities and with the relevant cooperation bodies in the European Union.

The decree-law includes the relevant definitions, the procedure and criteria for identifying essential services and the operators that provide them and their obligations. As well, the decree-law develops the strategic and institutional framework. It also provides the sanctions for the infringement of the obligations, which could be up to 1 million euros.

Following the text of the Directive (EU) 2016/1148, the decree-law imposes security obligations to essential services and digital services providers. In particular operators of essential services shall have to notify the competent authority of incidents that would have a significant disruptive effect in those services. Later, further regulation may also impose an obligation to notify incidents that might impact networks and information systems used to provide essential services.

The Spanish National Cybersecurity Institute (in Spanish, Instituto Nacional de Ciberseguridad, INCIBE), a subsidiary of the Secretary of State for Digital Progress, has been appointed as the Computer Emergency Response Team for citizens and corporations in Spain under the Directive (EU) 2016/1148.

photo credit: Contando Estrelas España, España, España via photopin (license)