On 6 December the BOE [Official Spanish Government Gazette] published Organic Personal Data Protection and Guarantee of Digital Rights Act, Act No. 3/2018 of 5 December 2018, approved by plenary session of the Senate this past 21 November.

The General Data Protection Regulation (GDPR) does not leave EU Member States much room for manoeuvre, and for that reason the new Act makes constant reference to the Regulation, but it nonetheless contains certain novel provisions discussed here in this post.

Data Protection Officer

In addition to the provisions already set out in the General Data Protection Regulation (GDPR) in this respect, the Act specifies a total of 16 cases in which designation of a DPO is mandatory.

Advertising firms that carry out profiling, operators that offer online gaming, insurance companies, schools, investment service firms that do business in securities markets, financial institutions, and certain energy companies, along with other companies, are all affected by this provision.

Transparency and information

Article 11 of the Act takes what had until now been a recommendation by Spain’s Data Protection Agency and the former Article 29 Data Protection Working Party concerning the layered approach to information and turns it into a mandatory standard.

Accordingly, under this layered information approach, the first layer must necessarily contain, at minimum, the features required in Article 11:

  1. The identity of the data controller and its representative, if any.
  2. The purpose of the processing.
  3. The option of exercising data protection rights.
  4. Where the data are not obtained directly from the owner, the type of data and their source.


The Act keeps the age limit at 14 years and introduces measures aimed at defending minors and their interactions with the digital sphere, for instance, the possibility of intervention by the Public Prosecutor’s Office in cases when images and personal information of minors are disseminated on social networks if doing so represents an unlawful intrusion on their fundamental rights.

Legitimate interest and public interest

The Act expressly sets out certain instances of data processing in which the data controller is presumed to have a legitimate interest or the processing is presumed to be carried out in the public interest.

The former case includes credit information systems, changes to corporate structure or the sale of companies, and contact details of individual business owners and members of the liberal professions, provided that the processing of location and contact data is restricted wholly to the business sphere in relation to providing specialised services.

As far as the public interest is concerned, the Act addresses video surveillance, files regarding advertising opt-outs, and whistleblowing.

The controversy regarding political parties

The final provisions of the new Personal Data Protection and Guarantee of Digital Rights Act amends the Elections Act to allow political parties to gather and use data collected from websites and other publicly accessible sources, including by electronic means, stipulating that election advertising is not to be considered a commercial communication.

Technically, the implicit consideration of websites as being publicly accessible is an important feature, since heretofore the Internet has not enjoyed this status.

System of sanctions

The Act specifies and classifies infringements of data protection categories into the conventional categories of (i) minor, (ii) serious, and (iii) very serious, while maintaining the fines laid down in the GDPR, ranging from a minimum of €10,000,000 or 2 % of total worldwide annual turnover to a maximum of €20,000,000 or 4 % of total worldwide annual turnover.

Access to the second part of this post here

Authors: Ruth Benito y Fernando Díaz

Visit our website: http://www.elzaburu.es/en