2020 data protection greatest hits in Spain

This is the time of the year in which we look back to what has happened during the last 12 months and try to get ready for what is to come. This can be done in many ways, although one of the most common practices is to rely on the “2020 top ten” or “must have” lists carried out on almost every topic (top ten 2020 songs, 2020 movies you should have watched, top ten 2020 comic-books, etc.). Now is the turn to address what has happened in Spain in the field of data protection.

While it might not be as attractive as other “top” lists, we will try to summarize this chaotic year in 8 bullet points addressing different milestones occurred on data protection in Spain.

Quick disclaimer: we will focus only on Spanish specific decisions, guidelines, legal reports, etc. issued or enacted by the Spanish Data Protection Agency (“AEPD”), regional authorities or Spanish courts during 2020. While there have been huge news at an EU level (among others, Schrems II decision and its consequences, the European Data Protection Board new guidelines, etc.), we will try to get you up to date on what has been going on in Spain.

Without further ado, let us review the top 8 most relevant data protection issues in 2020 in Spain:

1.- Covid-19: It has been undoubtedly the star topic of this 2020, also from the data protection angle. The AEPD has issued several resources (reports, FAQs, guidelines, etc.) that have been analysed in various of our posts (most of them in Spanish). Among others:

2.- New guidelines: The AEPD has published various guidelines on different topics. Most relevant ones relate to artificial intelligence and data protection by default. In addition, it is particularly noteworthy that the Cookie Guide published at the end of 2019 was updated in 2020. The AEPD decided to modify it to expressly prohibit the use of the "continue browsing" option as a method for users to accept the installation and use of cookies. You can find more information here.

3.- Biometric data: Both the AEPD and the Catalan Data Protection Authority (“APDCAT”) have set out their vision on biometric data processing in their respective reports (available here and here). While the AEPD seems to question (without being unequivocal) whether the biometric data used for data subjects' authentication (1:1)–and not for identification (1:N)– is considered a special category of personal data within the meaning of Art. 9 GDPR; the APDCAT concludes that biometric data cannot be treated differently on a legal standpoint depending on whether they are used for identification or authentication, as they equally affect unique, non-transferable, unforgettable and unalterable (or stable in the long term) features of the person. Furthermore, the AEPD together with the European Data Protection Supervisor published a list of the most common misconceptions related to the use of biometrics and how they affect data protection, which can be found here.

You can find more information on this subject in the post we published a few months ago (in Spanish).

4.- Legal reports: The AEPD has published a total of 18 legal reports in 2020 related to diverse matters such as facial recognition, retention periods, the application of the GDPR to certain activities (e.g. to private security or the processing of the signal from mobile phones to access their position), the assignment of data, the access to employee productivity lists or the draft bill on distance work, and the draft Organic Law on the comprehensive protection of children and adolescents from violence, among others.

5.- Data retention periods: In line with the above, we would like to make a special mention of AEPD’s legal report about retention periods and blocking of personal data. This report essentially refers to retention periods in the context of information and documents concerning human resources. However, it is useful to understand how the AEPD is interpreting relevant concepts such as the blocking obligation (which is an specific obligation in Spain), or for how long to retain data (including examples of retention periods).

6.- Useful tools: The AEPD has published a cost-free tool to help data controllers decide whether or not to communicate a security breach to data subjects. The “Comunica-Brecha RGPD” tool is available through the AEPD's website and it is aimed at promoting transparency and proactive responsibility among data controllers, and enabling individuals affected by a security breach to know when their rights and freedoms may be at risk.

The APDCAT has also designed two applications to facilitate data protection compliance by administrations and companies. The first one makes it possible to carry out data protection impact assessments (DPIA) and maintain the DPIA catalogue in an easier way. The second is designed to create, maintain and manage the record of processing activities, with the aim of providing support mainly to small entities. Furthermore, the APDCAT has published an exhaustive practical guide on DPIAs, which analyses in detail, among many other things, the security measures that can be implemented in relation to personal data. It also includes a template to carry out the impact assessment. The Guide is available here (in Catalan).

7.- Remote working regulation: The particular situation that we have experienced due to the Covid-19 pandemic throughout this year has brought a new regulation on remote working in Spain through the Royal Decree Law 28/2020. This norm establishes certain rules in the field of data protection regarding privacy and the right to digital disconnection of employees, as well as the obligation of companies to involve workers' representatives in the establishment of internal policies in this regard, among other things.

8.- Sanctions: 2020 has also made its mark in the area of sanctions imposed by the AEPD. Sanctions have increased both in number and in quantity of the fines, addressing many topics (e.g. cookies, transparency, information duties, legal bases, etc.). Particularly, the AEPD has ended 2020 issuing the highest fine yet to one of the most important financial entities in Spain: EUR 5,000,000 fine for non-compliance with articles 13 and 14 GDPR (EUR 2,000,000) and 6 GDPR (EUR 3,000,000).

We will keep an eye on 2021 new challenges.

Happy New Year and best wishes for 2021!

 

 

 

 Authored by  Santiago de Ampuero and Graciela Martín.

Contacts
Gonzalo F. Gallego
Partner
Madrid
Santiago de Ampuero
Senior Associate
Madrid

 

This website is operated by Hogan Lovells International LLP, whose registered office is at Atlantic House, Holborn Viaduct, London, EC1A 2FG. For further details of Hogan Lovells International LLP and the international legal practice that comprises Hogan Lovells International LLP, Hogan Lovells US LLP and their affiliated businesses ("Hogan Lovells"), please see our Legal Notices page. © 2024 Hogan Lovells.

Attorney advertising. Prior results do not guarantee a similar outcome.