Header graphic for print
HL Chronicle of Data Protection Privacy & Information Security News & Trends
Posted in Cybersecurity & Data Breaches

Ground breaking modification of the Spanish laws

By Pablo Rivas in our Madrid Office

A decision last week by the Court of Justice of the European Union (“ECJ”) introduces an important change to the Spanish data protection framework.  Prior to the decision, Spain did not recognize the “legitimate interest” justification for the processing of personal data; “legitimate interest” was only applicable for the processing of data collected from public sources or where the “legitimate interest” was specifically provided for in Spanish or European Community law. As a result, companies had to rely on data subjects’ consent as the way of carrying out the majority of the data processing in Spain.

The ECJ’s ruling may change this, although the actual impact of the decision is unclear. The ECJ concluded that the “legitimate interest” justification for the processing of personal data as set forth in the Data Protection Directive also should be available in Spain.  However, the Spanish Data Protection Agency (“SDPA”) issued a press release following the decision which stated that companies may not carry out processing of data exclusively based on their “legitimate interest,” but will be required to balance both their “legitimate interest” and fundamental rights and freedoms of the data subjects involved in the data processing.

Based on the press release, it appears that the SDPA, at least at the beginning, will adopt a restrictive approach with respect the application of the “legitimate interest” justification, although it also is likely that the SDPA will have to revise some of its criteria for evaluating matters such as whistleblowing or geolocation services in which the Working Party 29 advocates for applying the “legitimate interest.” We will keep you posted on developments.

The Ruling of the ECJ is published in English and can be found HERE