-DATA PROTECTION AND PRIVACY-
Spain’s Parliament Modifies DPA Penalty Authority As DPA’s Enforcement Efforts Scrutinized
Spain has a new penalty regime for violations of privacy, with many minimum and maximum fines lowered. This is viewed as a business-friendly development at a time when the Spanish Data Protection Agency (“SPDA” or “Agency”) has earned a reputation as one of the more enforcement-oriented DPAs in the EU, and when one of its high-visibility enforcement efforts is under scrutiny. This new regime entered into force on 6 March 2011 and is applicable to all data controllers and data processors processing personal data under the Spanish laws. The new law also specifies that in setting fines, the DPA may take into account the volume of the business of the offender, the relationship between the activity of the offender and the processing of personal data, or the measures implemented by the offender in order to avoid or solve the breach.
The reform is intended to give the Spanish Data Protection Agency flexibility to better adapt fines to the circumstances of the breach and the offender.
Ground Breaking Modification of the Spanish Laws
A decision by the Court of Justice of the European Union (ECJ) introduces an important change to the Spanish data protection framework. In the past, companies had to rely on data subjects’ consent as the way of carrying out the majority of the data processing in Spain because they did not recognize the “legitimate interest” justification for the processing of personal data. The ECJ concluded that the “legitimate interest” justification for the processing of personal data as set forth in the Data Protection Directive also should be available in Spain. However, the Spanish Data Protection Agency (SDPA) stated that companies may not carry out the processing of data exclusively based on their “legitimate interest,” but will be required to balance both their “legitimate interest” and fundamental rights and freedoms of the data subjects involved in the data processing.
Spanish Supreme Court Annuls Limitation on Processing of Personal Data
It was reported in November, the Court of Justice of the European Union (“CJEU”) declared that Spain’s refusal to permit the “legitimate interest” justification for the processing of personal data — instead, requiring data subjects’ consent as the way of carrying out the majority of the data processing in Spain — violated section 7.f of the European Data Protection Directive 95/46/EC. The Spanish Supreme Court has now incorporated the CJEU’s ruling into Spanish law. The Spanish Supreme Court also annulled article 10.2(b) of the Royal Decree developing the Spanish Data Protection Law (“DPL”). This modification will have significant consequences for the ways in which companies process personal data in Spain since, until today, the Spanish data protection framework was organized around obtaining data subject consent.
Privacy laws to be overhauled The European Labor Market Slows Down but Spain’s is ‘Nearing Collapse’, According to FedEE
The Federation of European Employers (FedEE) has reported in the EU27 as a whole the labor market was expanding throughout 2010 but the trend has been downward since Q2 2011 – mainly due to the rise of real earnings relative to production. Spain’s labor market index began 2010 well below the EU-average level and has continued to deteriorate over the entire period.During the last two years the Spanish economy has been characterized by alternating periods of quasi-zero growth and periods of substantial negative growth. This appears to be primarily due to its poorly performing industrial sector leading to a sustained decrease in labor demand.
Robin Chater, secretary-general of the FedEE, said: “Looking at unemployment rates alone can often be highly misleading as there is often a lag between job affordability (real labour costs per unit of output) job creation and the filling of new vacancies. The index shows how these fundamentals come together into a true swing of supply and demand.”
Spain Changes the Paradigm of International Transfers of Personal Data Allowing Spanish Data Processors to be “Exporters” Under the Standard Contractual Clauses for the Transfer of Data
The Spanish Data Protection Authority (SDPA) has established new procedures that allow data processors (not data controllers) based in Spain to obtain authorizations for transferring data processed on behalf of their customers (the data controllers) to sub-processors based in Third Countries that are not deemed to have an adequate level of protection for personal data. In addition, data processors can enter into Standard Contractual Clauses with their sub-processors. Previously in Spain, data controllers had to enter into Standard Contractual Clauses with each of their data processors’ sub-processors in Third Countries and data controllers had to obtain authorizations from the SDPA for such transfers. It is anticipated that the New Processor-Sub-processor Clauses in Spain will be a significant improvement for service providers wanting to contract with sub-processors.