Home

Internal

Global

Contatto

Rödl & Partner ha prestato la propria consulenza per il perfezionamento dell'acquisizione del Gruppo italiano FGV da parte di Hettich |

In tutto il mondo

Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.

Key tendencies identified in the Spanish Data Protection Authority memoranda of 2020

published on 28 May 2021 | reading time approx. 3 minutes

Every year, the Spanish Data Protection Agency draws up an annual data protection memorandum containing information on the main activities carried out by the mentioned agency, as well as some data on its functioning.

The following are some of the most relevant facts and figures included in the aforementioned annual report.

1. Court confirmed resolutions of the Spanish Data Protection Agency (AEPD)

To what extent were the resolutions of the AEPD ratified or revoked by the Courts?

During 2020, the Chamber of Contentious-Administrative Proceedings of the National High Court (Audiencia Nacional) issued 77 resolutions, of which:

49 appeals against the resolutions of the AEPD were dismissed (63%).
7 appeals against the resolutions of the AEPD were dismissed at the preliminary examination stage (10%).
10 appeals were partially upheld (13%).
11 appeals requesting the annulment of the resolutions of the AEPD were fully upheld (14%).

On the other hand, the Spanish Supreme Court issued 18 judgments, of which the Court upheld the AEPD’s decision in 17, constituting a significant support of 94% of the decisions towards the Agency.

2. ACTIVITIES WHICH GENERATED THE HIGHEST NUMBER OF COMPLAINTS

The most frequent complaints filed by citizens in 2020 were related to the following activities: Internet services (16%); undue inclusion in credit reporting registers for defaulting debtors (15%); video surveillance (12%); advertisement (except spam) (7%); debt collection (6%).

3. SANCTIONING RESOLUTIONS

In 2020 the Agency issued 393 sanctioning resolutions (16% more than the previous year), even though only 172 resolutions imposed an economic penalty (163 official written warnings and 58 dismissed proceedings).

The activities that have been subject to most sanctioning procedures are: video surveillance (24%); Internet services (19%); Public Administrations (10%) and telecommunications sector (7%).

The industries with the highest overall amount of fines are the financial institutions/creditors (5,045,000 euros) and the telecommunications sector (1,009,000 euros). Both sectors accumulated 76% of the overall amount of penalties, which in 2020 amounted to €8,018,800, covering an increase of 27% compared to 2019.

4. DATA BREACH NOTIFICATIONS

The AEPD managed 1,370 notifications between the period of January 1st, 2020 and December 31st, 2020.

Only 81 were referred to the Deputy Director for Data Inspection, as they required an in-depth investigation.

As for the type of data breaches notified, the AEPD highlights the ones related to ransomware.

5. IMPACT ASSESSMENTS AND PRIOR CONSULTATIONS

Regarding the analysis of prior consultations in relation to the Data Protection Impact Assessments, up to November 30, 2020, a total of 12 prior consultation requests have been sent and managed by the AEPD. The AEPD highlights that the number of prior consultations received, and the quality of the assessments carried out, evidences that both the application of Article 35 "Data Protection Impact Assessment" and 36 "Prior Consultation" GDPR, requires a better understanding amongst the data controllers.

6. APPROVAL OF CODES OF CONDUCT

The actions carried out during 2020, in relation to the different projects of codes of conduct that were presented, determined the cancellation of the following (former) standard codes of conduct that were not adapted to the GDPR, in accordance with the Second Transitory Provision of the Spanish data protection act (LOPDGDD):

National Association of Lending Institutions (ASNEF).
General Council of Odontology and Stomatology Associations of Spain.
Professional Association of Pharmacists of the province of Barcelona.
National Federation of Private Clinics.
Real Estate Management Association

The approval, on October 9th, 2020, of the "Code of conduct of data processing in the advertising activity", whose main promoter is the Association For Self-regulation of commercial communications "Autocontrol", whom have been accredited as the supervisory body of the code by the Advertising Board. The main feature of this code is that it incorporates an alternative dispute resolution system for data protection disputes arising in connection to the field of advertising.

7. APPOINTMENT OF DATA PROTECTION OFFICERS

In the Annual Report of the AEPD, the Agency refers to the scarce amount of Data Protection Officers (DPOs) placed within the Local Administration, where only 3,334 city councils, local entities and associated bodies have notified their DPOs. Although this represents an increase of 25% with respect to the same date of the previous year, this figure is still far from the total number of data controllers included in the local administration in Spain and who must have a DPO.