Spain adopts urgent measures to fill the gap between GDPR and pending national legislation detailing domestic derogations

By Guadalupe Sampedro, Carolina Munoz, Ester Vidal

08-2018

On 27 July, two months after the General Data Protection Regulation (EU/2016/679, the "GDPR") came into force, the Spanish government passed Royal Decree-law 5/2018, which brought in urgent measures for the adaptation of Spanish law in line with EU regulation with regard to data protection.

The Spanish government has decided to pass this Royal Decree-law as an interim measure, which is permitted by the GDPR. Although the GDPR directly applies across the EU and its provisions prevail over national law, Member States retain the ability to introduce their own national legislation based on certain derogations provided for by the GDPR. These derogations include national security, prevention and detection of crime, and also apply in certain other important situations – the so-called 'opening clauses'.

In addition, this Royal Decree-law is necessary in the absence of the new Spanish Data Protection Act, which is still making its way through the Spanish Parliament and has yet to be approved.

The Spanish legislator has made use of the abovementioned opening clauses and introduced a number of key provisions in the Royal Decree-law that are relevant for the private sector:

  • Chapter I identifies the competent staff who are able to exercise the investigatory powers granted to them by the supervisory authorities in article 58.1 GDPR;
  • Chapter II sets out the sanctions regime established in the GDPR. It should be noted that any fines imposed by a supervisory authority will lapse after 1-3 years, depending on the amount of the fine imposed;
  • Chapter III details the regulation for procedures in the event that there is a breach of data protection regulation. It is important to highlight that the Spanish Data Protection Agency may reject a claim if a data controller or processor has adopted corrective measures to remedy a data protection breach and either no harm has been caused to the data subject, or the rights of the data subject have been guaranteed as a result of the implementation of the corrective measures;
  • Any processing contracts which have been entered into before 25 May 2018 under the old legislation will remain in force until their termination date, and if there is no such termination date, until 25 May 2022. However, within this time period, either party can ask to modify the contract so that it conforms with Article 28 GDPR. This provision is also contained in the new draft Spanish Data Protection Act.


For further information, read the new Spanish Royal Decree-law here (in Spanish).