The Spanish Data Protection Agency ( SDPA) has published a briefing note on the conclusions of the VI Hispano-Portuguese Meeting of Data Protection Authorities which took place on 17 January 2006. The note can be summed up as follows:

  • The Spanish and Portuguese data protection authorities will carry out joint preventative inspections in entities operating in both countries;
  • The aim is to help entities meet data protection regulations by improving their procedures for dealing with personal data;
  • The principal matters discussed were: the use of personal data in medical trials; the Sarbanes-Oxley Act; and electronic administration schemes.

Data protection in medical trials

During the meeting, the authorities analysed their respective legislation concerning medical trials, examining the problems that may arise when dealing with personal data in medical research trials. They agreed upon:

  • The need to supplement security procedures in the health sector regarding medical trials with data protection measures;
  • The lack of clear definition of the responsibilities held by subjects participating in pharmaceutical investigations and medical trials, when dealing with personal data;
  • The importance of adding a clause when seeking the consent of the participant notifying who will be responsible for dealing with the data, and that the data may be conceded or communicated and transferred internationally to third parties;
  • The inadequacy of merely substituting personal data with codes.

Sarbanes-Oxley Act

Furthermore, the authorities considered the Sarbanes-Oxley Act of 2002: USA federal legislation to re-enforce financial market security. This legislation affects all companies listed in the American stock market, including those overseas, and introduces a means for employees to denounce co-workers potentially in breach of company policy via a mailbox (whistle-blowing schemes). The authorities signalled that:

  • Its application could violate several legal data protection principles;
  • The legislation cannot enable the treatment of specially protected data and therefore should be limited to activities relating to the financial and accounting sectors.

Electronic administration

The authorities also expounded their respective measures for the implementation of electronic administration. In particular, Spain's electronic identification card project (in which SDPA is a participant) and Portugal's scheme to employ the citizen's card as ID in Portugal (with the intervention of the Portuguese Data Protection Authority) were discussed.


After mentioning whistle-blowing schemes in the briefing note on the conclusions of the VI Hispano-Portuguese Meeting of Data Protection Authorities (which took place 17 January 2006), the SDPA has issued a notice, dated February 8 2006, echoing the recently released Article 29 Data Protection Working Party’s opinion 1/2006 on the application of EU data protection rules to internal whistle-blowing schemes. Apart from reproducing certain elements of the Working Party’s guidance, the SDPA underlines the fact that in order to comply with the Data Protection Directive whistle-blowing schemes must be based on:

  • the existence of a law; or
  • a legitimate interest for the attainment of an activity.

Besides, in the opinion of the SDPA this processing of data would be necessary for the execution of a contract between the employee and the company.

Although the information is brief, it reflects the stance that the SDPA is adopting vis-a-vis whistle-blowing schemes.