Organic Law 3/2018 (Spain)

Overview

Spain's Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (Organic Law 3/2018 on the Protection of Personal Data and the guarantee of digital rights, usually abbreviated LOPDGDD) adapts Spanish law to the European Union's General Data Protection Regulation (GDPR). Because the GDPR applies directly in Spain, the LOPDGDD does not restate it; it fills in the choices the GDPR leaves to member states and adds national rules on top. It gives effect to the fundamental right to data protection recognised in Article 18.4 of the Spanish Constitution and, in its Title X, adds a set of digital rights that go beyond data protection in the strict sense.


Regulation Summary

Timeline
  • Enacted: December 5, 2018
  • Effective: December 7, 2018
What Businesses Are Affected
  • Any controller or processor, public or private, that processes personal data in the context of an establishment in Spain.
  • Controllers and processors established outside Spain that offer goods or services to people in Spain or monitor their behaviour there (the GDPR's territorial scope, which the LOPDGDD follows).
Exemptions
  • Processing by an individual in the course of purely personal or household activities.
  • Certain journalistic, academic, artistic or literary processing, within the limits the law sets for reconciling data protection with freedom of expression and information.
  • Processing for national security or defence purposes, which falls outside the scope of the GDPR and therefore of the LOPDGDD.
Responsibilities for Businesses
  • Carry out a data protection impact assessment (DPIA) before starting any processing that is likely to result in a high risk to individuals, and consult the AEPD first if the residual risk stays high.
  • Keep a record of processing activities (mandatory for organisations with 250 or more employees, and for smaller ones whose processing is not occasional, carries risk, or involves special categories or criminal data).
  • Notify the AEPD of a personal data breach within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals; where the risk is high, also tell the affected individuals without undue delay. Document every breach, notified or not.
  • Appoint a Data Protection Officer (DPO) where required and notify the AEPD of the appointment or removal within 10 days; the AEPD publishes the list of notified DPOs.
  • Where consent is the legal basis, obtain it separately and unambiguously for each purpose; a single bundled consent covering several purposes is not valid under the LOPDGDD, and special categories of data require explicit consent. Consent must be as easy to withdraw as it was to give.
  • Answer data subject requests within one month of receipt. This may be extended by two further months (three in total) for complex or numerous requests, but only if the person is told of the extension and the reasons within the first month.
  • Respect employees' digital rights at work: privacy in the use of company devices, the right to disconnect outside working hours, and limits on video surveillance and geolocation, all of which require employees to be informed in advance.
Specific Responsibilities for Website Owners
  • Publish a clear, accessible privacy notice that covers at least what the GDPR requires (identity of the controller, purposes and legal basis, recipients, retention periods and the rights available). The LOPDGDD allows a layered notice: basic information up front, with the full text one link away.
  • Obtain valid consent before setting non-essential cookies or running trackers. A cookie banner must not set consent-dependent cookies before a choice is made, must allow a per-purpose choice rather than a single accept switch, and must make withdrawing consent as easy as giving it.
  • Provide the means for data subjects to exercise their rights (access, rectification, erasure, restriction, portability and objection), and verify the requester's identity before releasing or deleting data.
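The consent item above is the one that is usually implemented in code, so here is an added example (not code from the original page or from Clym) of a purpose-based consent gate. The purposes, the storage key, the policy version string and the loader names are hypothetical. It demonstrates two properties a practitioner checks for: nothing non-essential executes before a decision has been recorded, and consent is stored per purpose, with a version, so that a changed notice or purpose list invalidates old records instead of silently carrying them over.

```javascript
// Added example: purpose-based consent gating (hypothetical purposes and names).
// Runs under Node with an in-memory stand-in for window.localStorage.

const PURPOSES = Object.freeze({
  necessary: { required: true,  description: "session, security, load balancing" },
  analytics: { required: false, description: "audience measurement" },
  marketing: { required: false, description: "advertising and retargeting" },
});

// Bump whenever the notice or the purpose list changes; older records are ignored.
const POLICY_VERSION = "2024-01";

class ConsentManager {
  constructor(storage, now = () => new Date()) {
    this.storage = storage;    // any object with getItem/setItem/removeItem
    this.now = now;
    this.pending = new Map();  // purpose -> loaders waiting for consent
  }

  // The stored record, or null if missing, unparseable, or from an older policy.
  record() {
    const raw = this.storage.getItem("consent");
    if (!raw) return null;
    try {
      const rec = JSON.parse(raw);
      return rec && rec.version === POLICY_VERSION ? rec : null;
    } catch {
      return null;
    }
  }

  hasConsent(purpose) {
    const p = PURPOSES[purpose];
    if (!p) throw new Error(`unknown purpose: ${purpose}`);
    if (p.required) return true;                 // strictly necessary needs no consent
    const rec = this.record();
    return rec !== null && rec.purposes[purpose] === true;
  }

  // Record one decision per purpose; anything not explicitly true is false.
  save(choices) {
    const purposes = {};
    for (const name of Object.keys(PURPOSES)) {
      purposes[name] = PURPOSES[name].required ? true : choices[name] === true;
    }
    const rec = { version: POLICY_VERSION, at: this.now().toISOString(), purposes };
    this.storage.setItem("consent", JSON.stringify(rec));
    this.flush();
    return rec;
  }

  withdraw() {
    this.storage.removeItem("consent");
  }

  // Gate: run the loader now if allowed, otherwise park it until consent arrives.
  when(purpose, loader) {
    if (this.hasConsent(purpose)) { loader(); return true; }
    if (!this.pending.has(purpose)) this.pending.set(purpose, []);
    this.pending.get(purpose).push(loader);
    return false;
  }

  // Release parked loaders whose purpose is now consented to.
  flush() {
    for (const [purpose, loaders] of this.pending) {
      if (this.hasConsent(purpose)) {
        loaders.forEach((fn) => fn());
        this.pending.delete(purpose);
      }
    }
  }
}

// Minimal localStorage look-alike so the example is self-contained.
class MemoryStorage {
  constructor() { this.m = new Map(); }
  getItem(k) { return this.m.has(k) ? this.m.get(k) : null; }
  setItem(k, v) { this.m.set(k, String(v)); }
  removeItem(k) { this.m.delete(k); }
}

// One visit: page scripts register, the visitor accepts analytics only, then withdraws.
function demo() {
  const cm = new ConsentManager(new MemoryStorage());
  const loaded = [];
  cm.when("necessary", () => loaded.push("session-cookie"));
  cm.when("analytics", () => loaded.push("analytics-tag"));
  cm.when("marketing", () => loaded.push("ad-pixel"));
  const beforeChoice = [...loaded];
  cm.save({ analytics: true });
  const afterChoice = [...loaded];
  cm.withdraw();
  return {
    beforeChoice,
    afterChoice,
    analyticsAfterWithdraw: cm.hasConsent("analytics"),
    marketingAfterWithdraw: cm.hasConsent("marketing"),
  };
}
```

In a real page the loaders would inject the third-party script tags; the point of the gate is that those tags never reach the DOM for a purpose the visitor has not accepted, and that a record written under an older policy version is treated as no consent at all.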
Additional Requirements
  • Digital rights: Title X of the LOPDGDD recognises rights that sit outside data protection proper, including net neutrality, universal internet access, digital security, rectification and the right to be forgotten on the internet and in search engines, privacy in the use of digital devices at work, digital disconnection, and a digital will.
  • Mandatory DPOs: in addition to the GDPR cases (public authorities, large-scale monitoring, large-scale processing of special categories), the LOPDGDD lists sectors that must always appoint a DPO, including professional associations, schools and universities, electronic communications operators, credit institutions, insurers, investment services firms, electricity and gas suppliers, healthcare centres, gambling operators and private security companies.
Data Subject Rights
  • Access, rectify, erase, and restrict the processing of their personal data.
  • Data portability and objection to processing.
Enforcement
  • Supervisory authority: the Spanish Data Protection Agency (AEPD); the regional authorities of Catalonia, the Basque Country and Andalusia supervise their own public sectors.
  • Penalties: the GDPR fines apply, up to €20 million or 4% of worldwide annual turnover of the preceding year, whichever is higher. The LOPDGDD grades infringements as very serious, serious and minor, with limitation periods of three, two and one years respectively.
  • Public authorities are not fined; the AEPD issues a decision, may warn them, and may propose disciplinary action against the officials responsible.
  • The AEPD can also issue warnings, order remediation within a deadline, and temporarily or permanently limit or ban a processing activity.