Posted on February 29, 2012 by HL Chronicle of Data Protection

Spanish Supreme Court Annuls Limitation on Processing of Personal Data

This blog post was provided by Belén Gámez in our Madrid office

We previously reported that back in November, the Court of Justice of the European Union ("CJEU") declared that Spain's refusal to permit the "legitimate interest" justification for the processing of personal data -- instead, requiring data subjects' consent as the way of carrying out the majority of the data processing in Spain -- violated section 7.f of the European Data Protection Directive 95/46/EC.  In a ruling made public on February 13, the Spanish Supreme Court incorporated the CJEU's ruling into Spanish law.

As expected, following the CJEU decision, the Spanish Supreme Court annulled article 10.2(b) of the Royal Decree 1720/2007 developing the Spanish Data Protection Law ("DPL").  Article 10.2(b) imposed additional requirements above those required by Article 7.f of the Data Protection Directive when a data controller wished to process personal data in pursuit of its "legitimate interests."

Although the Spanish Supreme Court annulled article 10.2(b), it did not address article 6 of the DPL, which establishes the same requirements as article 10.2(b).  This is because the Spanish Supreme Court is not entitled to declare the nullity of a law (article 10.2(b) was incorporated into a Royal Decree).  Hence, the Spanish Parliament must now modify article 6 of the DPL in accordance with the CJEU's and the Supreme Court's decisions.

It is clear that this modification will have significant consequences for the ways in which companies process personal data in Spain since, until today, the Spanish data protection framework was organized around obtaining data subject consent.  The Spanish Data Protection Agency has not yet made public its opinion regarding this important development.
Tags: , , , ,
Posted on December 1, 2011 by Gonzalo Gallego

Ground breaking modification of the Spanish laws

By Pablo Rivas in our Madrid Office

A decision last week by the Court of Justice of the European Union ("ECJ") introduces an important change to the Spanish data protection framework.  Prior to the decision, Spain did not recognize the "legitimate interest" justification for the processing of personal data; "legitimate interest" was only applicable for the processing of data collected from public sources or where the "legitimate interest" was specifically provided for in Spanish or European Community law. As a result, companies had to rely on data subjects' consent as the way of carrying out the majority of the data processing in Spain.

The ECJ’s ruling may change this, although the actual impact of the decision is unclear. The ECJ concluded that the "legitimate interest" justification for the processing of personal data as set forth in the Data Protection Directive also should be available in Spain.  However, the Spanish Data Protection Agency ("SDPA") issued a press release following the decision which stated that companies may not carry out processing of data exclusively based on their "legitimate interest," but will be required to balance both their "legitimate interest" and fundamental rights and freedoms of the data subjects involved in the data processing.

Based on the press release, it appears that the SDPA, at least at the beginning, will adopt a restrictive approach with respect the application of the "legitimate interest" justification, although it also is likely that the SDPA will have to revise some of its criteria for evaluating matters such as whistleblowing or geolocation services in which the Working Party 29 advocates for applying the "legitimate interest." We will keep you posted on developments.    

The Ruling of the ECJ is published in English and can be found HERE

Tags: , , , , , ,