What You Need to Know About Data Protection in Spain

18 May 2018

If you will be operating a business in Spain, there is a good chance you will be subject to Spain’s data protection law, known as the “LOPD” for Ley Orgánica de Protección de Datos de Carácter Personal. As with most European countries, personal data protection in Spain is taken very seriously, so it is important that you understand whom these regulations apply to and what your legal obligations are regarding the data security of your customers and employees in Spain.

Data protection in Spain: data controllers and processors

The data protection law in Spain applies to two classes of entities: data controllers and data processors. These can be any natural person, legal person or administrative body that makes decisions on how and why personal data is processed (controllers), or that processes data on behalf of the controller (processors). Data security in Spain is intended to protect data relating to an identifiable natural person that is recorded on some physical medium, such as a server or paper filing system, for later processing and use. The law places restrictions on how this personal data can be collected, recorded, stored, modified, erased, disclosed, etc.

If you are a business owner carrying out commercial activity in this country, you need to be aware of how data protection in Spain affects you and your business. Before you can process any personal data, you need to register with the General Data Protection Registry. Being noncompliant with personal data privacy in Spain can get you into some very hot water, so it’s always a good idea to consult a legal professional and ensure that everything is properly registered and disclosed.

Data privacy in Spain: consent from the data subject

In general, you need to have consent from “subjects” in order to process any personal data belonging to them. This consent does not necessarily have to be express, depending on the circumstances. One common practice on websites which collect user information (for email newsletters, for instance) is to include a provision in their privacy policy stating that using registration forms on the website constitutes consent to have the user’s data processed, and that use of the website constitutes acceptance of the privacy policy. The privacy policy must also describe how the user’s data will be used, for what purposes, and what their rights are if they wish to withdraw their consent.

However, there are some circumstances when data privacy in Spain does not require consent, such as in the case of a public administrative body carrying out its normal functions or an employment contract.

Data protection law: sensitive data security in Spain

Not all types of personal data are treated equally under the LOPD data protection law. For example, some information is classified as “sensitive” data. This includes religion, ideology, trade union membership, racial origin, health data, criminal history, etc. In some cases, processing this sensitive information requires express consent, while in others it can be processed without consent (when necessary to protect the subject’s “vital interests”, for example).

As you can see, there are many nuances and exceptions involved with regulations on data protection in Spain. For that reason, a wise business decision is always to go over these issues with a lawyer.