GDPR Implementation Spain

This guide was published by White & Case with the collaboration of ECIJA.

Q1/ Applicable legislation

(a) Have the requirements of the GDPR been addressed by introducing a new law, or by updating existing legislation?

New legislation has been passed.

(b) Relevant legislation includes:

  • Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (“Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales”) (the “Data Protection Act”) Date in force: 7 December 2018
    • Date in force: 7 December 2018
    • Link: In Spanish: see here

(c) What is the status of national pre-GDPR data protection law?

The main pre-GDPR legislation has essentially been repealed. There are, however, some exceptions:

  • provisions of the former data protection law (Organic Law 15/1999) that implemented Art. 13 of the Directive will remain in force unless expressly modified, replaced or repealed; and
  • processing activities subject to Directive (EU) 2016/680 continue to be governed by the aforementioned former data protection law until this directive is transposed into Spanish law.

Q2/ Personal data of deceased persons

Does national law make specific rules regarding the processing of personal data of deceased persons?

The following persons are authorised to exercise the rights of access and, where appropriate, of rectification and erasure with respect to the personal data of a deceased person:

  • relatives or other persons similarly connected to the deceased person, as well as their legal successors (unless expressly prohibited by the deceased person or as established by law);
  • persons or institutions designated by the deceased person for this purpose, in accordance with the instructions received from the deceased person;
  • if the deceased person is a minor, his or her legal representatives or, within the framework of its competence, the Public Prosecutor, who may act ex officio or at the request of any interested party; and
  • if the deceased person was disabled, those who have been designated to carry out support functions, insofar as such exercise falls within the scope of said support functions.

Further, there are also specific rules regarding access to the personal data of deceased persons managed by information society service providers, including profiles on social networks. The aforementioned persons and institutions, together with testamentary executors designated by the deceased person for this purpose, may access said personal data and give instructions on their use, destination or erasure.

Q3/ Legal bases for processing

(a) Does national law make specific rules regarding the processing of personal data in compliance with a legal obligation?

There are no specific rules governing this issue.

(b) Does national law make specific rules regarding the processing of personal data for the performance of tasks carried out in the public interest?

Processing personal data can only be based on performance of a task carried out in the public interest if it falls within the powers granted by Spanish law.

In addition, the Data Protection Act contains the concept of “corporate contact details” (i.e., personal data relating to the position of a person within an organisation). Such data can be used on the basis of a legitimate interest if it meets the following requirements:

  • data that permit location of the individual in his professional capacity; and
  • the purpose of the processing must be to maintain a relationship with the organisation in which the data subject provides his services.

Public bodies are expressly authorised to process “corporate contact details” if such processing is necessary for the exercise of their powers or if necessary to comply with a legal obligation.

(c) Does national law make specific rules regarding the processing of personal data in the exercise of official authority vested in the controller?

Processing of personal data can only be based on the exercise of official authority vested in the controller if it falls within the powers granted by Spanish law.

(d) Does national law contain criteria in addition to those listed in the GDPR, to determine whether processing for a new purpose is compatible with the purpose for which the personal data were initially collected?

There are no specific additional criteria governing this issue. However, processing personal data for a purpose which is not compatible with the purpose for which the personal data were initially collected is considered a serious infringement under the Data Protection Act, where consent to the new purpose has not been obtained, and there is no other valid legal basis for the processing.

Q4/ Consent of children

At what age can a child give their consent to processing in relation to ISS?

14 years of age.

Q5/ Processing of sensitive personal data

(a) Are there any sensitive personal data which cannot be processed on the basis of a data subject’s consent?

The following sensitive personal data cannot be processed even if the data subject’s consent has been obtained:

  • personal data revealing racial or ethnic origin;
  • personal data revealing political opinions;
  • personal data revealing religious or philosophical beliefs;
  • personal data revealing trade union membership; and
  • personal data concerning sex life or sexual orientation.

Note that this rule is aimed at preventing unlawful discrimination. Consequently, in such cases, the data subject’s consent alone will not be sufficient to permit the processing where the main purpose is identifying the data subject’s ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin. This does not prevent processing such data on the other grounds contained in Art. 9(2) GDPR.

b) Does national law contain any specific requirements regarding the processing of sensitive personal data in respect of the following:

(i) Employment, social security and/or social protection law

There are no specific rules on processing this category of data.

(ii) Substantial public interest

The Spanish Data Protection Act provides that the processing of health data and genetic data, in accordance with specific requirements of various pieces of Spanish legislation relating to the regulation of general public health, occupational risk prevention, clinical records, health professionals, insurance and reinsurance, is permitted on grounds of substantial public interest.

(iii) Preventative or occupational medicine; employee working capacity, medical diagnosis, provision of health or social care, or management of health or social care systems or services

Processing of health data and genetic data will be covered by Arts. 9(2)(g)-(j) GDPR where such processing is regulated by relevant legislation relating to health and patient rights.

(iv) Public interest in the area of public health

See Q5(b)(iii). Further, health authorities and public institutions with public health monitoring powers may carry out scientific research without the data subject’s consent in situations of exceptional relevance and seriousness for public health.

(v) Archiving purposes, scientific or historical research purposes or statistical purposes

See Q5(b)(iii). Further, health authorities and public bodies with public health monitoring powers may carry out scientific research without the data subject’s consent in situations of exceptional importance and seriousness for public health. Note that the Spanish Data Protection Act specifies that sensitive personal data covered by Arts. 9 & 10 GDPR may only be collected in the context of government statistical purposes with the data subject’s prior express consent.

(c) Has national law introduced any further conditions and/ or limitations with regard to the processing of genetic data, biometric data, or health data?

The Data Protection Act includes specific rules for the processing of health data collected for research purposes, including the following:

  • it is lawful and compatible to reuse personal data for the purposes of health and biomedical research where consent was obtained for a specific purpose and the data is used for purposes or research areas which are related to the initial purpose. In such a case, data protection information must be provided via the relevant websites (including, where applicable, the promoter’s), and the data subjects must be informed by electronic means of the existence of such information;
  • it is lawful to use pseudonymised data for health research and, in particular, biomedical research;
  • where personal data is processed for the purposes of health research, and, in particular, biomedical research, the data subject’s rights to access, rectification, limitation to processing and to object to processing will be limited where:
    • the aforementioned rights are exercised directly with the researchers or research centres that use anonymised or pseudonymised data;
    • the exercise of such rights relates to the results of the research; and
    • the research is carried out in the public interest related to the security of the State, defence, public safety or other important goals of general public interest;
  • where the processing is carried out for the purposes of public health, and, in particular, biomedical research, the following applies:
    • an Impact Assessment must be conducted;
    • the scientific research must follow quality norms and, where applicable, international guidelines on good clinical practice;
    • measures must be implemented to guarantee that researchers do not have access to the data subject’s identification data; and
    • a legal representative in the EU must be appointed if the promoter of the clinical study is not established in the EU;
  • the use of pseudonymised personal data for public health research, and, in particular, biomedical research, must previously be submitted to the research entity’s ethics committee (or to the DPO where there is no ethics committee).

Research ethics committees (in the field of health, biomedical or medicine) have one year from the date the Data Protection Act entered into force (i.e., until December 2019) to appoint a DPO as a member of the committee (or if there is no DPO, a GDPR expert) when their research activities involve processing personal data, pseudonymised data or anonymised data.

Keep reading full article.



Linked partners


Carlos Pérez

view profile