


A brief overview of the data privacy culture in Spain

​published on 28 July 2021 | reading time approx. 5 minutes

Over the past two years, the Spanish Data Protection Authority (hereinafter, the “AEPD” or the “Agency”) has increased not only its sanctioning activity, by 16% in 2020, but also the amount of the fines imposed, as evinced by the million-euro headline fines of 2021. Notwithstanding the continuous commitment to improve corporate compliance with (EU) Regulation 679/2016 (“GDPR”), these fines are expected to increase gradually in the upcoming years, as there appears to be a widespread oversight of the importance of implementing an integrated culture of GDPR compliance and awareness in Spanish corporations.


The expectations of compliance since 2018 have yet to be met, even when considering the “grace” period given after the GDPR's entry into force. According to the 2019 study of the Capgemini Research Institute, the average GDPR compliance status places Spain amongst the countries with the least corporate and institutional compliance in terms of Data Protection (Capgemini Research Institute, 2019, p. 5, available at this link).

One of the most relevant facts regarding the majority of the sanctions issued by the Agency is the recurrent infraction of the general principles relating to the processing of personal data, with violations of the principle of lawfulness of processing being particularly significant. From a general overview of the latest fines imposed, we can deduce that corporations are struggling to understand and apply the essential principles of the GDPR, and that they face certain difficulties in implementing company-wide GDPR compliance programs.

A common infraction amongst small and medium enterprises relates to the (unlawful) storage, consultation and usage of personal data of former clients or databases, where there is no legal basis for the continued data processing activity under article 6 GDPR. In this regard, in 2019 a large insurance company was sanctioned by the Agency for (erroneously) charging an insurance fee to a former client, whose contractual relationship with the insurer had ended 2 years earlier (AEPD Resolution no. PS/00123/2021).

In a similar case, the AEPD sanctioned a company which had sent commercial information/advertisements through WhatsApp offering its services to a list of former clients, whose database, furthermore, had been sold as part of the goodwill in the sale of a dental clinic (AEPD Resolution no. PS/00066/2021).

More recently, in a case concerning direct marketing, a credit institution was sanctioned for violating article 6.1 GDPR. The bank had sent the client both information on the services the client had contracted and commercial advertisements; regarding the latter, however, the client had already exercised its right to object (AEPD Resolution no. PS/00259/2020).

Considering that the violation of the general principles and guarantees is considered a severe infringement under the Spanish Data Protection Act, and notwithstanding the costs of the potential fines, corporations ought to assess their privacy needs and available resources. Equally, to generate a compliance culture within the company, the data protection programme should be viewed as cross-sectional to all business operations, rather than as an individual, independent or separate element thereof.

Written by the Spanish Data Protection Team
