Avoiding the wave of data protection fines

In April 2008, a new regulation
developing Organic Law 15/1999, which
implemented the EU's Data Protection
Directive, came into force, updating Spain's
own existing data protection regulation
(LOPD) and bringing stringent new rules
affecting the way that businesses manage
their data, says Marta Plana at Osborne
Clarke in Barcelona, increasingly regarded
as the technology capital of Spain.

'The new Regulations were intended to
bring domestic coherence to the EU Directive
and greater precision to the existing data
protection rules. The result, however, is that
Spain now has more comprehensive
legislation and one of the most restrictive on
data protection within Europe.'

Under the new rules, data processing
encompasses, among other things, the
collection, recording, storage, adaptation,
modification, blocking and cancellation
of personal data. Regulatory oversight and
enforcement of the regime are handled by the
Spanish Data Protection Authority (Agencia
Española de Protección de Datos – AEPD).

The transposition of the European data protection directive, updating the legislation that existed in Spain on this subject, has brought new, stricter rules that affect the way companies control their data, says Marta Plana, of Osborne Clarke in Barcelona. The result is that Spain now perhaps has the most complete and restrictive data protection regulation that exists in

An administrative controller is obliged to
communicate to the AEPD the creation of any
personal data files – held in computer or
paper format – including the controller's own
details, the database location and content, its
purpose, the potential for transfer to third
parties and a description of the security level
applicable to the file, explains Plana.

'An important change is that personal data
held on business contacts – for example,
contact persons at clients or suppliers – are
excluded from the remit of the LOPD so long
as only basic contact details are maintained.
But the AEPD, as an independent and self-financing
body, is, though, increasingly
sensitive to data protection infringements.'

In 2007, the Spanish Data Protection
Agency resolved 399 sanction procedures, a
32.5% increase on the previous year, with the
aggregate volume of the fines imposed
reaching €19.6m. 'Businesses need to know that AEPD
inspections are now common and it may
obtain any information it requires to perform
its tasks,' she says.

Non-compliance, she warns, can bring
fines ranging from €600 to €800,000,
calculated according to the volume and
severity of the infringement.

'Companies need to understand and
inform their employees about the risks that
could be incurred by simply sending emails
or storing information. It is vital for
organizations to take data protection seriously
– and for people to know how their
information is being processed.'