Avoiding the wave of data protection fines

In April 2008, a new regulation
developing Organic Law 15/1999 that
implemented the EU´s Data Protection
Directive, came into force, updating spain´s
own existing data protection regulation
(LOPD), and bringing stringent new rules
affecting the way that businesses manage
their data, says Marta Plana at Osborne
Clarke in Barcelona, increasingly regarded
as the technology capital of Spain.

Marta Plana

'The new Regulations were intended to
bring domestic coherence to the EU Directive
and greater precision to the existing data
protection rules. The result however, is that
Spain now has more comprehensive
legislation and one of the most restrictive on
data protection within Europe.'

Under the new rules, data processing
encompasses among other things the
collection, recording, storage, adaptation,
modification and blocking and cancellation
of personal data. Regulatory oversight and
enforcement of the regime is handled by the
Spanish Data Protection Authority (Agencia
Española de Proteccion de Datos – AEPD).

La transposición de la
directiva europea sobre
protección de datos,
actualizando la
legislación que existí­a
en España sobre este
tema, ha traí­do nuevas
normas, más estrictas,
que afectan a la
manera que tienen las
empresas de controlar
sus datos, opina Marta
Plana, de Osborne
Clarke en Barcelona. El
resultado es que quizá
España tiene ahora la
regulación más
completa y restrictiva
sobre protección de
datos que existe en

An administrative controller is obliged to
communicate to the AEPD the creation of any
personal data files – held in computer or
paper format – including the controller's own
details, the database location and content, its
purpose, the potential for transfer to third
parties and a description of the security level
applicable to the file, explains Plana.

'An important change is that personal data
held on business contacts – for example,
contact persons at clients or suppliers – are
excluded from the remit of the LOPD so long
as only basic contact details are maintained.
But the AEPD, as an independent and selffinancing
body, is though increasingly
sensitive to data protection infringements.'

In 2007, the Spanish Data Protection
Agency resolved 399 sanction procedures, a
32.5% increase on the previous year, with the
aggregate volume of the fines imposed
€19.6m. 'Businesses need to know that AEPD
inspections are now common and it may
obtain any information it requires to perform
its tasks,' she says.

Non-compliance, she warns, can bring
fines ranging between €600-€800,000
calculated according to the volume and
severity of infringement.

'Companies need to understand and
inform their employees about the risks that
could be incurred by simply sending emails
or storing information. It is vital for
organizations to take data protection seriously
– and for people to know how their
information is being processed.'

Avoiding the wave of data protection fines



Iberian Lawyer, is a monthly digital magazine, published by LC Publishing, available in Spanish and English. It represents the main source of information in the legal business sector in Spain and Portugal. The digital magazine – and its portal – address to the protagonists of law firms and in-house lawyers. The magazine is available for free on the website and on Google Play and App Store.

In every issue of the magazine, you will find rankings of lawyers, special report on trends, interviews, information about deals and their advisors.

For further information, please visit the Group’s website www.lcpublishinggroup.com

Iberian Legal Group, S.L.
Registered office: C/ Ríos Rosas 44A - 2 G,H 28003 Madrid España

Copyright 2023 © All rights Reserved. Design by Origami Creative Studio


Share on linkedin
Share on twitter
Share on facebook
Share on whatsapp
Share on email
Share on telegram