Spanish organic law on data protection (Organic Law 3/2018) makes several specifications regarding various opening clauses of the GDPR. Those are for instance data subject rights, rules on the mandatory appointment of a DPO, child’s consent and information duties. Beyond adapting the Spanish legal system to the GDPR, Spain’s organic law on data protection provides additional rules for digital rights of citizens and employees: e.g. rights to internet access, digital education and digital disconnection in the workplace.
With Organic Law 3/2018, Spain has made some considerable derogations from the GDPR, which should definitely be taken into account.
In the following, you will find the additions and derogations to the GDPR on the most important topics of personal data protection for companies. If topics are not linked, there are no derogating or specifying provisions in the national data-protection law.
- Specific data protection law and official guidelines
- Substantive and territorial scope
- Legal principles (no regulations deviating from the GDPR)
- Legal basis
- Sensitive data
- Informing requirements
- Online data protection (new regulation by ePrivacy Regulation remains to be seen)
- Automated decision-making
- Rights of data subjects
- Processing on behalf of a controller
- Records of processing activities
- Data security
- Data breaches
- Data protection impact assessment (DPIA)
- Data protection officer
- Certification (no regulations deviating from the GDPR)
- Data transfer (no regulations deviating from the GDPR)
- Supervisory authorities
- Sanctions and penalties
- Data protection for employees
- Archiving, scientific and historical research