Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in International/EU Privacy

Spain’s Parliament Modifies DPA Penalty Authority As DPA’s Enforcement Efforts Scrutinized

This report comes to us from Gonzalo Gallego a partner in the Hogan Lovells privacy practice resident in Madrid: 

Spain has a new penalty regime for violations of privacy, with many minimum and maximum fines lowered. This is viewed as a business-friendly development  at a time when the Spanish Data Protection Agency (“SPDA” or “Agency”) has earned a reputation as one of the more enforcement-oriented DPAs in the EU, and when one of its high-visibility enforcement efforts is under scrutiny.  This new regime entered into force on 6 March 2011 and is applicable to all data controllers and data processors processing personal data under the Spanish laws.

The modifications were announced just as Europe’s highest court is set to rule on the propriety of the SPDA ordering Google to remove links to web content that allegedly infringed the privacy of individuals, which Google has challenged as a violation of free expression.

These are the main modifications in the penalties now available to the SPDA under Spanish law:

  • As an alternative to fines, the SPDA may simply warn businesses experiencing a breach and give a period of time to resolve the problem. If the problem is not solved, the Agency may then impose fines. This is an exceptional measure which applied by the Agency on a discretional basis. Warnings are not applicable in case of very serious breaches of the law or in case the offender has been warned or punished before.
  • Transfers of personal data to data processors, without a proper data processor agreement in place as required by law is classified as a minor infringement of the law. 
  • Disclosure of sensitive personal data is regarded as a serious infringement. Thus, when the data disclosed involves information subject to special protection (e.g. health, ideology, sex behaviour, etc.), the serious infringement finding will be triggered. Before the reform, any disclosure of personal data was regarded a very serious infringement.

The new law also specifies that in setting fines, the DPA may take into account the volume of the business of the offender, the relationship between the activity of the offender and the processing of personal data, or the measures implemented by the offender in order to avoid or solve the breach.

The amount of fines in case of infringement is modified as follows:

  • Minor infringement: from € 601.01 – € 60,101.01 before the reform, to € 900 – € 40,000, after the reform.
  • Serious infringement: from € 60,101.01 – € 300,000 before the reform, to € 40,000 – € 300,000, after the reform.
  • Very serious infringement, remain unchanged and fines are in the range of € 300,000 – € 600,000. 

The reform  is intended to give the Spanish Data Protection Agency felxibility to better adapt fines to the circumstances of the breach and the offender.