Top five greatest data protection hits in Spain 2021: What’s next?

As it has been said countless times, you have to know the past to face the future. While not that epic, focusing on what has happened in the Spanish data protection environment during the last year is an interesting starting point to consider what may come in 2022. It also serves as a nice way to revisit important guidelines or decisions that might have gone unnoticed. What better thing to do on Data Privacy Day than reading about data protection?

As we did last year, we summarize below the top five 2021 milestones on data protection in Spain. We focus mainly on decisions, guidelines, and legal reports issued by the Spanish Data Protection Agency (AEPD), keeping some distance from the big news at EU level (such as the upcoming game changers: the Digital Services Act package, the AI Act, etc.).

1-Awakening of the AEPD’s GDPR sanctioning powers (the threat of million-euro fines becomes a reality)

Since the GDPR became applicable, the AEPD had kept a low profile with regard to fines. This abruptly came to an end in 2021 with the two famous million-euro fines imposed on financial entities. The AEPD followed this trail throughout 2021, issuing a fine of EUR 8.15 MM to a telecom operator for unlawful marketing practices entailing undue controller-processor relations and international data transfers; a fine of EUR 3.15 MM (although early-paid) to a supermarket for installing a facial recognition system; a fine of EUR 3 MM to a financial entity for lack of a legal basis in relation to the lack of transparency regarding its profiling practices; fines of EUR 1.5 MM to energy companies for breaching the privacy by design principle and lack of transparency; and a fine of EUR 1 MM to a debt database arising from the purpose limitation principle in relation to other Art. 5 GDPR principles.

2-New (or updated) guidance of the AEPD

The AEPD updated its Guidelines on Personal Data Breach Notification and on Risk Management and Impact Assessment in the Processing of Personal Data (links to the latest English versions included). It also published guidance on 10 Misunderstandings Related to Anonymization; a Roadmap to ensure compliance with data protection regulation; and Audit Requirements for Personal Data Processing Activities involving AI.

3-Guidance on data protection in the context of employment relations

This may be the most interesting guidance published by the AEPD in 2021 (it deserves its own post, not just a separate section). The AEPD addresses many relevant topics in the employment context, including, among others: the general disregard of consent as a legal basis; processing activities in recruitment (e.g. collaboration between companies, data retention in the case of rejected applicants, interviews, etc.); time keeping; whistleblowing schemes; productivity registries; data sharing; employee monitoring (geolocation, video surveillance, etc.); data sharing with trade unions and employees' representatives; health and risk prevention processing activities; etc. Sadly, it is published only in Spanish.

4-Legal reports

The AEPD published a total of 35 legal reports in 2021 on diverse matters such as data sharing with public bodies under regulated scenarios (including the Bank of Spain, the police, the Ministry of Education, etc.); the qualification of postal services and collective investment institutions (and related entities) as controllers/processors; access to clinical records; the scope of the right to be forgotten; the use of facial recognition to comply with AML obligations; the treatment of IMEI and MAC numbers as personal data; etc.

Among these, the unfavourable report on the approval of the draft Code of Conduct for the information intermediary sector issued by the AEPD (only available in Spanish) is particularly interesting. Here, the AEPD questioned both the lawfulness of “positive” solvency databases (or “good payers databases”) and the processing of personal data obtained from publicly available sources.

5-New data breach notification form

In mid-2021 the AEPD updated the form that data controllers use to comply with their obligation to notify data breaches. The new system simplifies the notification of personal data breaches by guiding controllers through specific questions, so that they are aware of the points they need to address in the breach notification. You can access the breach notification section through the AEPD's website.

What should we expect for this year?

Our bets focus on topics such as the challenges arising from artificial intelligence, the digital marketing world (specifically the upcoming cookie-less world and the use of similar tracking technologies), the monetization of data (can you buy things with your data? why not?) and, of course, with some luck, meeting the new director of our AEPD.

In addition, regulations and acts within the EU framework (among others, on Artificial Intelligence, the Digital Services Act and the Digital Markets Act), and the future set-up of the international data transfer framework (new SCCs, a new Privacy Shield?), will have a direct impact on the Spanish data protection environment.

What are your bets? 2022 promises to be an interesting (if not challenging) year!

Best wishes for the new year!

Authored by Santiago de Ampuero, Clara Lázaro and Graciela Martín.