The Spanish data protection and e-commerce legislation has been recently amended in order to, on the one hand, redefine the nature of the process to issue reprimands to data controllers and processors (so that reprimands are removed from the list of sanctions resulting from infringement of the regulations) and, on the other hand, relax the rules governing the Spanish authority’s investigation procedure, enlarging the term for conducting investigation activities and allowing for the authority to operate remotely, among other updates. We summarize the impact of these modifications and how they may affect organizations now that these new provisions have entered into force.

The New Law

A few weeks ago, Law 11/2023 of 8 May 2023 on the transposition of European Union Directives on the accessibility of certain products and services, migration of highly qualified persons, taxation and digitalisation of notarial and registry actions, and amending Law 12/2011 of 27 May on civil liability for nuclear damage or damage caused by radioactive materials (the Law) was published in the Official State Gazette (BOE).

The Law provides, amongst other amendments, for the modification of certain aspects contained in Constitutional Law 3/2018, of 5 December 2018, on the Protection of Personal Data and the guarantee of digital rights (LOPDgdd) and in Law 34/2002, of 11 July 2002, on information society services and electronic commerce (LSSI).

Changes in the Process to Issue Warnings

As part of the sanctions and corrective measures available under the LOPDgdd, the Spanish Data Protection Agency (the AEPD) contemplated the possibility of sanctioning controllers or processors of personal data with a “reprimand” in the event of a breach of the European General Data Protection Regulation (the GDPR).

This warning process has been amended to become a measure of a non-punitive nature, subject to a more agile processing procedure that allows for a quicker response to complaints from the public.

The new regulation stipulates that the AEPD, after hearing the data controller or processor, may issue a reprimand, as well as order the data controller or processor to adopt corrective measures to put an end to the possible breach of the legislation in a certain manner and within the specified period of time. This process will have a maximum duration of six months, after which it will lapse and the proceedings will be closed.

Changes in the Resolution of Investigations

To accommodate the increasing number and complexity of complaints filed with the AEPD, the time limit for sanctioning proceedings has been extended from nine (9) to (12) twelve months, and from twelve (12) to eighteen (18) months for preliminary investigation proceedings. This extension is also intended to facilitate cooperation between data protection authorities in the European Union, as required by the one-stop-shop mechanism.

It also provides for the possibility of conducting investigations remotely, through digital systems. Thus, this would allow the AEPD to contact the investigated party by videoconference or other similar methods, ensuring, however, that the transmission and receipt of documents remains secure.

Changes to the Complaint Procedure

This Law also aims to simplify the process for lodging complaints. It contemplates the possibility for the AEPD to provide complaint forms in all areas in which it has competence. These forms will be mandatory one month after publication, although there is no confirmation of when they will be available yet.

Changes to the AEPD Statute

The Law also regulates the replacement of the Presidency of the AEPD in the event of absence, vacancy or illness, abstention or recusal. At present, the Statute reserves the exercise of the procedures regulated by the LOPDgdd to the Presidency, preventing their delegation and action in cases of possible infringement of data protection regulations in the circumstances previously mentioned. From now on, these functions may be assumed by the person in charge of the management body that carries out inspection functions, as they have the necessary specialisation in the matter.

Changes to the LSSI

Lastly, the LSSI is also amended to incorporate the following provisions:

• The Ministry of Economic Affairs and Digital Transformation will also monitor compliance with European data governance obligations by data brokering service providers and recognised data management organisations for altruistic purposes. To this end, a national register of data management organisations for such purposes will be established.
• Serious infringements, which previously required “habitual” non-compliance by service providers, now require “significant or repeated” non-compliance with the obligations set out in Articles 3 to 12 of Regulation (EU) 2019/1150 and Articles 11, 11(9), 12, 18 to 22, and 31 of Regulation (EU) 2022/868. Failure to comply with the obligations set out in the listed articles, where they do not constitute serious infringements, shall be minor infringements.
• With regard to sanctions, organisations committing the serious infringements provided for in letters n), ñ) and o) of Article 38.3 of the LSSI (which concern the obligations set out in Articles 11, 11(9) and 12 of Regulation (EU) 2022/868) may be sanctioned with the definitive cessation of the data provision activity. This may be applied without prejudice to the applicable financial penalties.
• Amongst the criteria for determining the amount of the sanction, the adoption of measures to mitigate or repair the damage caused by the infringement will be considered.
• Previously, the regulations provided for the possibility of issuing a warning to the responsible person, instead of initiating a sanctioning procedure, when the facts constituted a minor or serious infringement and the competent body had not previously sanctioned or warned the offender. The latter requirement disappears from the current wording, which only requires consideration of the level of seriousness of the infringement.