Sanctions and penalties under Spanish data protection law

Articles 71 to 74 of Organic Law 3/2018 establish three classes of infringement: very serious, serious and minor. Limitation periods of three years, two years and one year apply respectively.

Examples of serious infringements are: processing of minors’ data without their or their guardians’ consent, impeding data subjects’ rights, failure to cooperate with the competent authorities, and failure to appoint a DPO.

Examples of minor infringements are: failure to publish the joint controllership agreement, filing of incomplete records of processing, and failure to publish the contact data of the DPO or communicate it to the AEPD.

Art. 76 (2) Organic Law 3/2018 adds further criteria to the GDPR’s list of factors for administrative fines, which determine the amount of the respective fines. These include: whether the controller, processor, EU representative, or certification/accreditation entity benefited from the infringement, whether the infringement was ongoing, and whether the infringement occurred before a takeover and cannot be attributed to the absorbing entity.

Pursuant to Art. 76 (4) Organic Law 3/2018, the fined organisation’s identity will be published if it is a legal person, the fine is greater than €1,000,000 and the AEPD is the competent authority in the proceedings.