Spain has a new penalty regime for violations of privacy, with many minimum and maximum fines lowered. This is viewed as a business-friendly development at a time when the Spanish Data Protection Agency (“SPDA” or “Agency”) has earned a reputation as one of the more enforcement-oriented DPAs in the EU, and when one of its high-visibility enforcement efforts is under scrutiny. This new regime entered into force on 6 March 2011 and is applicable to all data controllers and data processors processing personal data under the Spanish laws. The new law also specifies that in setting fines, the DPA may take into account the volume of the business of the offender, the relationship between the activity of the offender and the processing of personal data, or the measures implemented by the offender in order to avoid or solve the breach.
The reform is intended to give the Spanish Data Protection Agency flexibility to better adapt fines to the circumstances of the breach and the offender.
Read more