April 2016



After over four years of legislative process and long and complex negotiations, the European Parliament has approved on 14 April 2016 the final and expected text of the European Data Protection Regulation (the “Regulation”). This Regulation renews and supersedes the European Union (EU) regulatory framework regarding data protection and it will be directly applicable in all EU Member States whilst not requiring the transposition into national legislation.

The Regulation repeals and replaces Directive 95/46/CE and it does represent a step forward as regards the protection of EU citizens’ personal data, strengthening the right to data protection as an essential cornerstone of the European safeguards and freedoms. Likewise, the harmonisation of this issue becomes a reality throughout the territory of the EU by means of a single rule and it is directly applicable in all Member States, with the dual purpose of achieving a coherent level of protection in the whole territory, as well as avoiding regulatory divergences obstructing free movement of data.

The Regulation was part of the so called “legislative data protection package”, that also included the Police and judicial cooperation European data protection Directive, that has been approved along with the Regulation on 14 April 2016.

When will the Regulation enter into force?

The Regulation will enter into force 20 days after its publication in the Official Journal of the European Union, however its provisions will be directly applicable to businesses, citizens and public authorities two years after this date.

Does this mean that Spanish companies do not have to do anything within two years?

No. The Regulation imposes numerous fledging obligations to companies whose implementation could not be completed —reasonably— within a short period of time, yet it will require significant organizational, technical, economic and human efforts. It must be borne in mind that, in general, the Regulation introduces major commitments to companies to ensure data protection through the accountability principle, a governing principle that has to be implemented and permeate all the activities of the organization.
Thus, companies’ adjustment to the new data protection applicable regime will require, necessarily, the commitment of its managing bodies and the whole organization, as well as the direct involvement in its implementation of different inside roles —and probably outside— of each organization. Therefore, the proper (and full) implementation of the obligations of the Regulation advises organizations to become familiar with the Regulation’s content and to start drafting plans for its implementation at the very time it is adopted.

It should be clarified that the current legal Spanish framework —mainly the Basic Law 15/1999, of 13 December, on Personal Data Protection (DP Act) and Royal Decree 1720/2007, approving the regulations for the development of the DP Act— is still in force until its derogation is determined, therefore the progressive implementation of the obligations of the Regulation within the two years period will not exempt companies to comply with the current domestic legislation.

Does this mean that Spanish companies do not have to do anything within two years?

Without prejudice many of the principles and obligations that the Regulation establishes are already applicable according to the DP Act and its developing regulation, it is also true that the Regulation introduces subsequent changes to the current applicable regime in Spain. Among the novelties, we mention the following:

Widening of the territorial scope

In addition to its natural applicability to data processing carried out in the context of activities of data controllers and data administrators established in the EU, the Regulation will also be directly applicable to non-European institutions processing data of subjects established in the EU in connection with (i) offering goods and services; or (ii) control of its behaviour (i.e., tracking via cookies).


Reinforced conditions to obtain consent

Requirements and conditions are generally reinforced to obtain consent from data subjects (mainly, its unequivocal, free and revocable nature and the requirement of a statement or a clear affirmative action). Specific conditions are also set to obtain consent of minors, as well as consent in connection with the offering of information society services, that could not be offered to minors under age 16 without parent consent unless national laws apply a lower age (that, in any case, shall not be less than 13 years).


New rights of the citizens

In addition to the traditional rights of access, rectification, cancellation and opposition, new rights are being recognised (i.e., right to data portability) and specific rights are regulated such as the right to be forgotten or the right of the restriction on processing (including into right of cancellation —now named right to erasure—) and the right to oppose to profiling activities (covered by the right of opposition).


Strengthening of the information right

The information that has to be provided regarding processing of data is broader than the one provided in the DP Act. This information shall be proportionate in combination with harmonised icons for all EU Member States.


Accountability principle

A “proactive responsibility” (known as “accountability”) obligation is imposed, requiring organizations to establish measures guaranteeing and enabling to demonstrate the compliance with the Regulation (that is, data protection policies not only have to exist, but also have to be adapted to the organizational circumstances, implemented and work in practice). Developing this general principle, the Regulation establishes the organization obligation to bear in mind data protection from the time they start developing their processes, products and services (privacy by design) and by default only the minimum required data needed to obtain the legitimate aim pursued would be object of data processing (privacy by default).


Internal record of processing activities

Whereas the existing normative framework requires the registration of organizations’ databases in the Spanish Data Protection Agency, the Regulation focuses in internal recording obligations. Thus, unless some of the exceptions provided in the Regulation would apply (i.e., it is a company with more than 250 workers), companies should keep and internal and written record of the processing activities carried out. The information that has to be filed is similar to the one currently registered in the Spanish Data Protection Agency by a database declaration through the official form (“NOTA” form).


Security breach notifications to the Supervisory Authority (and, as the case may be, to the individuals)

Unless some exception shall be applicable, in the event of a security breach in an organization, it has to be notified by the organization to the relevant Supervisory Authority without undue delay and, where feasible, not later than 72 hours after having become aware of it. That is, without a doubt, one of the new obligations of the Regulation causing uncertainty and concerns to companies. In certain occasions, the individuals also shall be notified. Besides, data processors shall notify the controllers   —without undue delay— their security breaches.


Privacy Impact Assessments or PIAs

Organizations have the obligation to carry out prior impact assessments where processing operations may present specific risks to the rights and freedoms of data subjects. In fact, the Regulation expressly states some situations in which that assessment is mandatory. If the result of the assessment is a high risk, the Supervisory Authority has to be consulted before carrying out the data processing.


Data Protection Officer (DPO)

In line with the current trend on other provisions that establish specific characters and roles to ensure normative compliance within the companies (compliance officers), the Regulation introduces the mandatory character of the “data protection officer” or DPO. Thus, companies are obliged to designate a DPO (either internally or outsourcing it) when (i) the core activities of the controller consist on processing operations which require regular and systematic monitoring of data subjects carried out on a large scale; or (ii) the core activities of the controller consist on processing operations on a large scale of special categories of personal data (i.e., health data). With regard to Public Administrations, designation of a DPO is mandatory in any case. The Regulation sets the specific tasks, qualities and safeguards of this figure.

In any case, in the light of the new and numerous obligations to organizations provided in the Regulation, the designation of a DPO is highly recommended even to those organizations in which that designation is not mandatory.


Current concerns are specifically being faced

Profiling and big data activities, pseudominising of data or data processing in the labour environment have been regulated and have special provisions in the Regulation.


Supervisory Authority competences and new penalty system

The Regulation introduces the one stop shop principle that, under certain circumstances, allows the Supervisory Authority of the main establishment of the controller or processor to be competent supervisory authority in transnational data processing and assume coordination competences in penalty proceedings. However, this principle does not exclude completely the competence of the domestic Supervisory Authorities regarding data processing carried out in their own territories.

Penalties are increased when compared to the bands determined in the DP Act and they can range (i) up to 10,000,000 euros or up to 2% of the annual turnover worldwide; or (ii) up to 20,000,000 euros or up to 4% of the annual turnover worldwide. Likewise, it is acknowledged the possibility of data subjects to delegate the possibility of filing data protection claims in their behalf to associations and other non-profit institutions.


UM data protection and IT Team:

Leticia López-Lapuente

Counsel. Madrid office
leticia.lopez-lapuente@uria.com /

Reyes Bermejo Bosch

Senior Associate. Madrid and Valencia offices
reyes.bermejo@uria.com /


 back to top

The information contained in this Newsletter is of a general nature and does not constitute legal advice