fbpx

Free tools and resources for Data Protection Officers!

Tag Archives for " Spain "

Spanish DPA fines company for the cookie policy with 30,000 euros

The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros because users who access the company’s website do not have the ability to configure the cookies that are installed on their computers.

When accessing online the cookie policy of the website, users are informed about what cookies are and what cookies they use (first and third-party). What the company does not provide is a management system or cookie configuration panel that allows the user to delete them in a granular way.

Source: The Spanish Data Protection Authority fined the company Vueling for the cookie policy used on its website with 30,000 euros | European Data Protection Board

Spanish court determines that energy consumption data is personal data

Spain’s Supreme Court has ruled that energy consumption data is protected by the Law on Data Protection as they are data on consumer’s behavior habits such as the hours in which the light is used, the rooms in which it is used or the appliances that are plugged in.

Source: El Tribunal Supremo determina que los datos de consumo energético doméstico son datos personales

European Commission refers Greece and Spain to Court

The European Commission decided to refer Greece and Spain to the Court of Justice of the EU for failing to transpose the EU rules on personal data protection (the Data Protection Law Enforcement Directive, Directive (EU) 2016/680).

In April 2016, the Council and the European Parliament agreed the Directive had to be transposed into national law by 6 May 2018.

Source: Data protection: Commission refers Greece and Spain to Court

Spanish DPA fines soccer league 250K euros

La Liga has been fined 250,000 euros for violating the Spanish Data Protection Agency (AEPD) and the European General Data Protection Regulation (GDPR).

La Liga was using their mobile app to detect the bars that screen football matches without paying by activating the microphone of any user’s mobile so that it can detect sounds that bars emits if a private signal is used. AEPD found that information presented to users was opaque.

Source: Spanish DPA fines soccer league 250K euros

New Spanish Data Protection Act partly nullified by the Constitutional Court

On 22 May 2019 it was disclosed that the Spanish Constitutional Court had decided to nullify indent 2 of the final provision 3 of the new Spanish Data Protection Act, less than six months after becoming effective.

At the same time, article 58 bis of the General Electoral Act, created by the former, is also nullified.

Source: SPAIN: New Data Protection Act (partly) nullified by the Constitutional Court

The Spanish DPA publishes a list of processing operations for which a DPIA is mandatory

After having received the favorable opinion of the European Data Protection Board, the Spanish Data Protection Agency (“AEPD”) released last 6th May a list of processing operations for which it is necessary to carry out a privacy impact assessment.

Although the GDPR establishes criteria that help to identify those processing operations that involve a high risk, the supervisory authorities shall establish and make public a list of the kind of processing operations which are subject to the requirement for a data protection impact assessment. In this context, the AEPD has published a list of processing operations determining that in the majority of cases where the processing meets two or more of the criteria on the list, a PIA will be necessary. The more criteria met by the processing analyzed, the greater the risk involved and the certainty of the need for a PIA.

Full article: The Spanish Data Protection Agency has published a list of processing operations for which a privacy impact assessment is mandatory

Spain: Guide on cyber incidents establishes a “one-stop notification system”

The Government of Spain announced, on 23 January 2019, that it had issued a guide on the notification and management of cyber incidents (‘the Guide’), according to the requirements of Royal Decree-Law 12/2018, of September 7, on the Security of Network and Information Systems.

In particular, the Guide creates a framework for the notification of incidents relating to the security of network and information systems by operators of essential services based on a series of impact criteria, as well as a management scheme on the same.

Source: Spain: Guide on cyber incidents establishes a “one-stop notification system”

In Spain, data breach notifications increase since the entry into application of the GDPR

The Spanish data protection authority – Agencia Española de Protección de Datos or AEPD – has received 418 notifications of data breaches since the entry into application of the GDPR. Of these 418 notifications, only 11 have required additional investigation by the DPA.

In the latest annual report published by AEPD, the DPA reports that complaints had already increased by 37% from 2015-2017, and that in 2017, the authority received around 10 500 complaints.

Source: In Spain, data breach notifications increase since the entry into application of the GDPR

Spain finalises new data protection and digital rights law

A new law on data protection and digital rights has been approved by Spain’s parliament and will come into force in the coming days. The law will complement the General Data Protection Regulation (GDPR).

The new law, the Organic Law on Data Protection and Digital Rights Guarantee (LOPDGDD), was approved by a large majority in the Spanish Senate on 21 November after being nearly two years in development. The Senate did not amend any of the text that was previously approved by the Congress, ending a period of delay in the parliamentary process.

Source: Spain finalises new data protection and digital rights law

New Spanish Data Protection Law raises concerns over the use of sensitive data by political parties

The new Law on Data Protection and Digital Rights (LOPD), recently enacted in Spain, includes a highly controversial provision allowing political parties and organizations to collect and use personal data revealing political views of individuals.

The controversial article was introduced as a last-minute amendment to the bill, which was voted unanimously on October 18 by the House of Representatives (Congreso de los Diputados). By then, the contentious article had largely gone unnoticed by the public opinion. Shortly after that, however, concerns that political parties might get broad leeway to process sensitive personal data were widely reported in the mainstream media. Nonetheless, the Spanish Senate definitively approved the law on November 21 – including the controversial section. The text is expected to be officially published shortly.

Full article: New Spanish Data Protection Law raises concerns over the use of sensitive data by political parties | Center for Internet and Society

>