Skip to main content

Highlights of the new Spanish Data Protection Act (Organic Law 3/2018)

Nuria Pastor


United Kingdom

The new Spanish Data Protection Act (Organic Law 3/2018) has been published and is in force as from the 7th December 2018 ("Spanish DPA").

The new Spanish Data Protection Act (Organic Law 3/2018) has published and is in force as from the 7th December 2018 ("Spanish DPA").

We include the 7 highlights of the requirements, additional to the EU General Data Protection Regulation ("GDPR"), that apply to companies operating in Spain.

1. The controller may not be responsible for inaccuracy of data

In some scenarios, the controller will not be responsible for the inaccuracy of data (provided it has taken all reasonable measures to ensure deletion or rectification without delay).

2. Whistleblowing

The Spanish DPA allows both anonymous and non-anonymous reporting from employees regarding whistleblowing reporting systems.

There several provisions regarding whistleblowing, including the obligation for controllers to inform its employees about the existence of the whistleblowing systems; a restriction of the access to the data contained in whistleblowing systems to (a)persons who carry out internal control and compliance functions, or (b) persons the controller designates for that purpose, among some exceptions.

It also sets out a maximum retention period of 3 months for any data collected in the context of whistleblowing.

3. Legitimate interests

Slightly shifting from its historical approach, Spanish privacy law now allows the processing of data on the grounds of legitimate interest in some instances, including for the processing of employee data.

4. Criminal records

 It is still the case under this new regulation that companies may not process criminal record data unless specifically permitted by a sector law.

5. DPO's

There are several provisions around Data Protection Officers ("DPOs"), including provisions regarding DPOs' liability and the need to register DPOs with the Data Protection Authority ("AEPD") within 10 days of their appointment.  Moreover, the Spanish DPA provides a list of types of companies who are required to have a DPO. 

6. Rights of the deceased

Whereas the Spanish DPA explicitly states that it does not apply to deceased persons, it does recognize individuals have the right to digital testament. Moreover, the heirs of the deceased are entitled to exercise the rights of access, erasure and rectification of data unless the deceased person would have prohibited it or this is not in line with applicable law.

7. Processing for health and biomedical research

These provisions should help clarify some of the debates that are currently taking place in the health sector. The Spanish DPA covers several aspects of health related processing and clinical research, including provisions on the repurposing of personal data for research purposes and the criteria for effective pseudonymisation.

Overall, the Spanish DPA is an eclectic mix between provisions that rein the GDPR back to Spain's traditional stance on some specific aspects and new provisions that incorporate both the historical AEPD guidance and case law as well as address some of the new challenges that companies are facing, especially in the health sector. How this law will be interpreted jointly with the GDPR remains to be seen.

If you would like to receive a full comparison between the provisions of the GDPR and the Spanish DPA, please contact us.

Sign up to our email digest

Click to subscribe or manage your email preferences.


Areas of Expertise


Related Work Areas