Royal Decree-Law 5/2018 was published in the Official Spanish Bulletin on Monday and entered into force on Tuesday.
The new law contains "urgent measures" to account for the fact that two separate data protection regimes are currently in force in Spain and addresses conflicts that exist between those frameworks, according to Madrid-based data protection law expert Paloma Bru of Pinsent Masons, the law firm behind Out-Law.com.
On 25 May this year the GDPR took effect. The GDPR has direct effect in each EU member state, although there are aspects of the new Regulation that have to be implemented into national law by those countries.
While the UK, France, Germany and Ireland are among the EU countries that have already implemented the national legislation needed to supplement the GDPR, and the accompanying Law Enforcement Directive that sets rules on the processing of personal data by law enforcement agencies and intelligence services, Spain has yet to do so.
Proposed new national data protection laws have been held up in Spain's parliament. It means that, in addition to the GDPR, Spain's old data protection law from 1999 (the LOPD) remains in force too. The emergency Royal Decree-Law 5/2018 has now introduced some new rules to account for the coexistence of the GDPR and LOPD. It will cease to apply when the proposed new data protection laws in Spain take effect.
One of the secondary provisions introduced applies to data processing agreements. It specifically concerns such agreements entered into prior to the GDPR taking effect on 25 May and which comply with article 12 of the LOPD, which sets rules around third party data processing.
According to the new provisions, those pre-25 May data processing agreements will remain in force until the expiration date stated in the contracts or, where no date is stipulated, until 25 May 2022. During the term of the agreements, however, both the data controller and data processor can demand that their agreement is updated to reflect the new requirements on third party processing set out in article 28 of the GDPR.
The new Royal Decree-Law 5/2018 has repealed some of the provisions of the LOPD which conflicted with those set out in the GDPR in relation to the powers of inspection enjoyed by Spain's data protection authority, La Agencia Española de Protección de Datos (AEPD), and the penalties regime. The law also sets out the process the AEPD must follow in cases of possible infringement of the GDPR.
The new legislation also provides an exemption for data protection officers from the new penalty regime introduced by the GDPR. It confirms, though, that data controllers, data processors, representatives of those data controllers and data processors not established in the EU, certification entities and accredited entities for the supervision of codes of conduct are subject to the penalties framework. Under the GDPR, fines of up to 4% of a business' annual global turnover, or €20 million, whichever is higher, could be levied against companies that breach the Regulation.
New limitation periods have, however, been written into the new law, restricting the time after an infringement has occurred within which penalties can be imposed.
The AEPD would have up to one year after an infringement has occurred to impose penalties of up to €40,000, two years for penalties exceeding €40,000 but not more than €300,000, and three years where the penalty it wishes to impose exceeds €300,000.