Abstract
This report offers a general overview on Spanish regulations on personal data protection. It not only pays particular attention to the requirements for the electronic processing of personal data, the protection of the personal data of minors, the right to be forgotten, and the processing of personal data of employees, but also looks at the data protection regime in some specific areas, such as the electronic communications sector, digital forensics, and security and national defence.
This report was finalised and sent forward for publication on 17th October 2018.
Access this chapter
Tax calculation will be finalised at checkout
Purchases are for personal use only
Similar content being viewed by others
Notes
- 1.
For more information about this topic, see Martínez Martínez (2009).
- 2.
It’s interesting to take into account this work: López Álvarez (2016).
- 3.
See CC judgement 254/1993 of 20 July; 290/2000 of 30 November; and 292/2000 of 30 November. For more information on this, see, inter alia, Conde Ortiz (2005).
- 4.
Royal Decree 428/1993 of 26 March, which approves the statute of the SDPA.
- 5.
Currently registered codes are available at https://www.agpd.es/portalwebAGPD/canaldocumentacion/codigos_tipo/index-ides-idphp.php. (Last accessed date 12 Feb 2018).
- 6.
For information on this subject, see Andreu Martínez (2013).
- 7.
The application of the doctrine of the European Court of Justice in its judgement of 13 May 2014 (CJEU 2014\85) by Spanish courts is particularly relevant. See, inter alia. Corvo López (2017), pp. 175–245.
- 8.
Another topic that may be of interest is Data protection in the area of job search processes. On this subject see García Coca (2016).
- 9.
With regard to Instruction 1/2006, the Legal Report 0019/2007 and Legal Report 0212/2007 of the SDPA specify that the reproduction of images in real time, even if they are not recorded, constitutes an act of data processing which lies within the scope of application of Instruction 1/2006 and the OLPPD.
- 10.
The proportionality principle is observed if: (a) the measure is susceptible of achieving its purpose (judgement of suitability); (b) there is no other more moderate measure that may achieve its purpose with the same effectiveness (judgement of necessity); (c) the measure is balanced (judgement of strict proportionality) [e.g. CC judgements 10/2000 of 10 July and 39/2016 of 3 March].
- 11.
Right recognized in Art. 4.2 e) of the SWR.
- 12.
The SDPA had previously issued its Report 193/2008 on the possibility of using GPS systems to control the activity of workers. The report insists that the file generated must be included in the General Registry of Data Protection of the SDPA.
- 13.
- 14.
This law has not been repealed, in spite of the fact that the judgement from the Court of Justice of the European Union of 8 April 2014 (CJEU 2014\104), Digital Rights Ireland Ltd v. Minister for Communications, Marine and Natural Resources, with case no. C-293/12 and C-594/12, declared Directive 2006/24/EC of the European Parliament and the Council of 15 March 2006, on the retention of data generated or processed in connection with the provision of publicly available electronic communications services to be invalid, because it considered that it represented “a wide-ranging and particularly serious interference” with the fundamental rights to respect for privacy and the protection of personal data.
- 15.
- 16.
This law does not apply to the provision of instant messaging services, according to Report 0343/2013 of the SDPA.
- 17.
The transfer of these data is referred to in Art. 7 of Law 25/2007.
- 18.
Art. 11.2 of the OLPPD specifies the cases in which consent from the data subject is not necessary.
- 19.
See Art. 12 of the OLPPD.
- 20.
A personal data breach is interpreted as a security breach that leads to the accidental or unlawful destruction, loss, alteration, revelation of or unauthorized access to personal data transmitted, stored or processed in any other way with regard to the provision of publicly available electronic communications services.
- 21.
This provision ultimately specifies that the OLPPD and ROLPPD are applicable. Therefore, the penalty regime established in it is also applicable.
- 22.
CC judgement 145/2014 of 22 September is particularly significant here.
- 23.
This includes files stored outside the device in the cloud, or through any other system that provides services to the user, such as a bank, a medical centre, etc., and which must be accessed from the seized device that was used by the subject under investigation.
- 24.
The Supreme Court judgement of 10 March 2016, for example, highlights this aspect very clearly (RJ 2016\1114).
While assessing the proportionality of the measure of confiscation and exam of the computing devices, the special nature of technological crimes must be taken under consideration. [Supreme Court judgement of 9 December 2015 (RJ 2015\5420)].
- 25.
For more information, see De Miguel Asensio (2015), pp. 355–359.
- 26.
The installation of cameras must be authorized by the corresponding administrative authorities. The public must be informed about the installation of fixed cameras, and the image and sound captured by any of the devices established by the law must be destroyed within a month after they were obtained, except in the case in which they are related to serious or very serious criminal or administrative infractions against public security, to an ongoing police investigation or to ongoing legal proceedings. Recordings that captured the commission of acts that could represent criminal offences must be brought under judicial control immediately.
- 27.
“The Spanish DPA fines Facebook for violating data protection regulations”, available on http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2017/notas_prensa/news/2017_09_11-ides-idphp.php.
- 28.
For more information, see De Miguel Asensio (2015), pp. 359 and following.
References
Andreu Martínez MB (2013) La protección de datos personales de los menores de edad, 1st edn. Aranzadi, Cizur Menor
Aragonés Salvat J (2016) GDPR (General Data Protection Regulation): el nuevo Reglamento Europeo de Protección de Datos, 1st edn. Ateneu Privacy Consulting, Tortosa (Tarragona)
Conde Ortiz C (2005) La protección de datos personales: un derecho autónomo con base en los conceptos de intimidad y privacidad. Dykinson, Madrid
Corvo López FM (2017) El «derecho al olvido»: de la STJCE de 13 de mayo de 2014 al Reglamento general de protección de datos (Reglamento (UE) 2016/679 del Parlamento europeo y del Consejo de 27 de abril de 2016). Revista de Direito Intelectual 2017(1):175–245
Dávara Rodríguez MÁ (2000) La protección de datos personales en el sector de las telecomunicaciones. Universidad Pontificia de Comillas, Fundación Airtel, Madrid
De Miguel Asensio PA (2015) Derecho Privado de Internet, 5th edn, Civitas. Thomson Reuters, Cizur Menor
García Coca O (2016) La protección de datos de carácter personal en los procesos de búsqueda de empleo, 1st edn. Laborum, Murcia
López Álvarez LF (2016) Protección de datos personales: adaptaciones necesarias al nuevo Reglamento europeo. Francis Lefebvre, Madrid
Martínez Martínez R (coord) (2009) Proteccion de datos: comentarios a la LOPD y su Reglamento de Desarrollo. Tirant lo Blanch, Valencia
Piñar Mañas JL (dir) (2016) Reglamento general de protección de datos: hacia un nuevo modelo europeo de privacidad. Reus, Madrid
Quesada Rodríguez A (2015) Protección de datos y telecomunicaciones convergentes. Agencia Española de Protección de Datos, Agencia Estatal Boletín Oficial del Estado, Madrid
Author information
Authors and Affiliations
Corresponding author
Editor information
Editors and Affiliations
Rights and permissions
Copyright information
© 2020 Springer Nature Switzerland AG
About this chapter
Cite this chapter
Corvo López, F.M. (2020). Data Protection in the Internet: National Report Spain. In: Moura Vicente, D., de Vasconcelos Casimiro, S. (eds) Data Protection in the Internet. Ius Comparatum - Global Studies in Comparative Law, vol 38. Springer, Cham. https://doi.org/10.1007/978-3-030-28049-9_15
Download citation
DOI: https://doi.org/10.1007/978-3-030-28049-9_15
Published:
Publisher Name: Springer, Cham
Print ISBN: 978-3-030-28048-2
Online ISBN: 978-3-030-28049-9
eBook Packages: Law and CriminologyLaw and Criminology (R0)