By José-Luis Piñar Mañas
New Regulation on Data Protection Plan
In December 2007, the Spanish government approved an important regulation developing the Spanish Data Protection Act of 1999.
The new rule, preparation of which began in 2003, makes it possible to interpret the more difficult or far-removed aspects of the Act, and provides greater legal security for a regulatory framework that requires the utmost clarity and certainty. It contains important novelties, such as the incorporation of a long list of definitions and concepts, the regulation of non-automated files, the establishment of special guarantees for the processing of data of minors, the detailed regulation of codes of conduct as a mechanism of self-regulation, the relations between data controller and data processor, or the simplification of notifications of files (considering that in Spain it is necessary to give notice of all data files, there being no exceptions provided, although there is no authorisation procedure prior to the processing). In addition, the regulation interprets the 1999 Act in a manner that is more in keeping with Directive 95/46/EC on data protection. In this respect, it should especially be noted that it accepts Binding Corporate Rules (BCR) as an instrument that allows the international transfer of data to be considered guaranteed. This serves to consolidate a position that the Spanish Data Protection Agency began adopting three years ago.
On the other hand, there is a detailed regulation of the safety measures that should be adopted by data controllers. These are high level, medium or basic measures depending on the nature of the data being processed.
The new regulation will be enforced at the end of April.
José-Luis Piñar Mañas, Ph.D. is an attorney at Piñar Mañas & Asociados Law Firm. He also is the former Director of the Spanish Agency for Data Protection and former Vice-Chairman of the Article 29 Working Party and President of the Ibero-American Network of Data Protection. He can be reached at email@example.com.