The General Data Protection Regulation (GDPR) became applicable in Spain on 25 May 2018, as it did in all member states of the European Union (EU). The regulation replaced the previous legislation on the matter, the Data Protection Directive. Its main purpose is to protect the data that European citizens and users provide to companies which request various information from their clients.
More importantly, it increases the level of transparency and aims to harmonize European legislation on data protection regimes. Spain issued a set of guidelines prior to implementing the GDPR law, as an effort to help interested parties, such as organizations and companies, implement data protection mechanisms that follow the new legislation. Our team of Spanish lawyers can advise on this matter.
Obligations for companies under the GDPR law in Spain
The GDPR legislation is applicable to all companies in Spain that gather any type of data from users and clients. The legislation distinguishes between various types of data and prescribes different procedures for obtaining such information from Spanish citizens. Companies affected by the GDPR law are required to comply with the following:
- create records of the processing of their clients' data, as per Article 30 of the legislation;
- establish technical and organizational measures in order to ensure a level of security in accordance with the estimated risks;
- revisit their agreements regarding data processing and ensure they comply with the new GDPR rules;
- the regulation is applicable to both data controllers and data processors.
Transfer of data from Spain outside the EU/EEA
Companies gathering personal data in Spain need to comply with specific regulations concerning the transfer of such information to countries outside the EU or the European Economic Area (EEA). For example, under Article 44 of the GDPR law, the transfer of personal data outside these regions is forbidden. Businessmen may receive further information on this matter from our team of lawyers in Spain.
An exemption is granted as long as the respective country outside the EU/EEA can provide sufficient evidence that its data protection legislation meets EU standards. Our lawyers can provide more details on this matter, as well as an in-depth presentation of the GDPR law, and investors are invited to contact our law firm in Spain for further advice.