
New obligations for companies deriving from the publication of the new Organic Law on Data Protection and Guarantee of Digital Rights

The new Organic Law on the Protection of Personal Data and Guarantees of Digital Rights has been published. It definitively repeals the old Organic Law on Data Protection (until now only partially repealed by the Community Regulation).

Having repealed the old Organic Law on Data Protection (LOPD), the new Spanish law, together with the General Regulation on Data Protection (RGPD), represents a paradigm shift in this area and requires obligated companies to be proactive and genuinely responsible.

With the entry into force of the RGPD, most companies undertook the work of adapting privacy policies, general conditions, contracts for treatment and security measures, securing the rights of those affected, reviewing consents, drafting the register of treatment activities and preparing impact assessments, amongst others.

However, with the new Organic Law on the Protection of Personal Data and Guarantees of Digital Rights (LOPDGDD), a further review of all of these is required, as there are aspects to modify and update.

Apart from those already known, some of the important updates included are:

  • The sanctioning regime, which in the new LOPDGDD is specified in minor, serious and very serious infringements, with sanctions that can reach 4% of the world turnover or 20 million €. The director of the Spanish Data Protection Agency has already reported that there has been a considerable increase in complaints and that the first sanction will be published in a few weeks. We are waiting attentively for all of this.
  • The international data transfer regime, in relation to which we recommend that each company re-analyses its data flows if it has international activity (providers or customers outside the country) and, in any case, if it has systems in the cloud.
  • The considerable extension, with respect to the RGPD, of the cases in which a company is obliged to appoint a Data Protection Delegate (DPD – DPO in its English abbreviation) to the following sectors or groups, amongst others:

1. Entities operating networks and providing communications services;

2. Web owners - information society service providers, in specific cases;

3. Entities for the organisation, supervision and solvency of credit institutions;

4. Financial credit establishments;

5. Insurance and reinsurance companies;

6. Distributors and traders of electricity and mains gas;

7. Asset solvency file entities;

8. Entities carrying out advertising and commercial prospecting activities;

9. Health centres, among others.

Finally, it should be pointed out that the new standard includes a wide range of digital rights, some of which are directly applicable to labour relations.

For further information, please contact:

Belén Arribas Sánchez
