Data protection in Spain: challenges ahead
22 July 2010
This article was first published in Data
Protection Law & Policy in July
2010
In June this year the Spanish Data Protection Authority (“DPA”)
published its 2009 Annual Report (the “report”).
2009 was a remarkable year for the Spanish DPA. While the
organisation of the successful 31st International Conference of
Data Protection and Privacy Authorities may have been its most
widely known achievement, there was much more to 2009 than
that.
The report provides a detailed account of the prolific
activities of the Spanish DPA in 2009 and the developments in the
privacy arena in Spain. It also identifies what it considers to be
the main challenges to privacy and, therefore, the areas that will
be high on its agenda in the months to come.
The objective of this article is to offer a snapshot of the
report in order to assist data controllers subject to the Spanish
data protection regime to align their compliance strategies
accordingly.
2009 in figures
Total amount: 24,872,979.72 Euros (+13%)
Number of enforcement decisions taken: 709 (621 resulted in
fines)
Main areas of infringement: data sharing, consent,
telecommunications and implementation of security measures.
Fines by sector (top 4): telecommunications, video surveillance,
the financial sector and e-marketing.
Number of complaints received: 4,136.
By sector (top 5): telecommunications, financial sector, video
surveillance, public sector and e-marketing.
Investigations by sector (top 3): telecommunications, video
surveillance and the financial sector.
Decisions on the protection of individuals’ rights: 1,947.
Helpline queries: 97,223 (+33%)
Key issues that data controllers cannot afford to
ignore:
- Individuals are increasingly aware of their rights, of data
protection legislation and of the role of the Spanish DPA.
- Some of the main areas of concern for individuals are: the use
of CCTV; marketing (i.e. how to stop unsolicited publicity and how
to sign up to Robinson lists); the removal of individuals’ personal
data from debtors lists and the access to their clinical
history.
- In 2009 there was a 200% increase in requests from individuals
to have their personal data removed from websites, especially those
available through on-line search engines.
- The Spanish DPA has published many guidelines and reports and
we highlight the launch of EVALUA, a tool for data controllers to
self-assess their level of compliance with data protection
requirements.
- There has been a considerable increase (25%) in the number of
requests for authorisation to carry out international transfers of
data (166), and of those granted (128).
- The Registry of the Spanish DPA currently has 37,613
registrations of data processing for the purposes of video
surveillance; 22,346 of them were registered in 2009.
- The Spanish DPA identifies the following factors and issues as
the current main challenges to individuals’ privacy:
  - the Internet
  - the processing of personal data of minors
  - video surveillance
  - privacy at work
  - international data flows
On-line privacy
The Spanish DPA acknowledges that the Internet as we know it would
not exist without advertising which is based on in-depth
knowledge of individuals’ habits.
The “price” for free on-line services is often the individual’s
authorisation for companies to establish browsing profiles, analyse
communications and send marketing communications.
The Spanish DPA has stated that “new ways” must be found to
protect individuals’ privacy in this online environment and to
achieve data protection compliance, and encourages data controllers
to adopt pro-active initiatives; mere reaction to the Spanish DPA’s
enforcement action will not suffice.
In our view, the Spanish DPA is inviting data controllers to get
in touch to discuss the challenges of adjusting their data
protection compliance strategies to the use of new
technologies.
This has been the approach taken with search engines and social
networking sites such as Tuenti and Facebook, which have had
regular discussions with the Spanish DPA on some matters that are
very relevant to their business models. Special attention has been
given to the need to improve the content of privacy policies so
that they provide individuals with information that is clear,
accessible and easy to understand.
Processing minors’ personal data
In Spain the processing of personal data of children under 14
years of age requires the consent of their parents or
guardians.
The Spanish DPA considers compliance with this obligation to be
a priority and has worked together with on-line service providers
to adjust their practices to the legal requirements by using
measures such as the analysis of the profiles of users who appear
to be under 14 or other systems of age verification.
The report also includes a recommendation that the current
legislation on the electronic DNI (the Spanish ID Card) is modified
so that it allows minors to authenticate themselves
electronically.
Video surveillance
The increase of video surveillance in our day-to-day lives
coincides with a massive increase in complaints and fines related
to this matter. The number of enforcement actions in this area may
diminish due to the approval of Law 25/2009, which relaxes the
requirements for the installation and use of cameras for the
purposes of video surveillance.
In 2009 the Spanish DPA carried out an investigation into the
use of cameras which disseminated images on the Internet. The main
risk posed by the use of this type of technology is directly
related to the failure of data controllers to put in place
appropriate security measures to limit the access to the live
images. The main recommendations arising from the investigation
were that data controllers must:
- establish security measures to limit access to the images and
train those who do have access to them;
- obtain the consent of employees to the dissemination of their
images for the promotion of their employers;
- inform employees if their images are accessed remotely on-line
by their employers in order to control their activity; and
- avoid close-up shots of individuals when panoramic images (e.g.
landscapes) are taken.
Privacy at work
In 2009 the Spanish DPA published a Guide to the processing of
personal data in the context of the employment relationship. The
report identifies the main areas of compliance covered by the Guide
including the need to distinguish between the processing of
personal data for purposes related to employment and those which
are not; the processing of sensitive data and the implementation of
controls by the employer which require the processing of biometric
data or video surveillance.
International data flows
The 25% rise in the number of authorisations granted by the
Spanish DPA reflects an increase in the efforts of data controllers
to put measures in place to legitimise the international transfer
of personal data.
In the main, data importers are based in the US, followed by
South American countries. In Asia most of the transfers are to
India.
One of these authorisations has been granted on the basis of BCR
and the Spanish DPA has taken part in the analysis of 10 BCR led by
other European Data Protection Authorities.
According to the Spanish DPA, these facts and figures (i)
confirm an increase in the number of companies that outsource their
processing operations outside the EEA and the application of more
flexible solutions (i.e. BCR); and (ii) recognise the need to
approve binding data protection standards on an international
basis.
Conclusion
The report provides a wealth of information that cannot be
ignored by data controllers.
In a nutshell, the main points to take away are that:
- the level of awareness of individuals on privacy matters is
increasing;
- the Spanish DPA is active in providing useful guidelines to
individuals and data controllers and in exercising its enforcement
powers; and
- data controllers must be extremely cautious when processing the
personal data of minors, using CCTV systems, publishing personal
data on the Internet and processing employees’ personal data
(especially when establishing control systems).
For more information, please contact Nuria Pastor.