Download Cross-Border Transfer Of Personal Data PDF

TitleCross-Border Transfer Of Personal Data
File Size2.7 MB
Total Pages201
Table of Contents
                            _Spanish DP Introduction - BCN ABA June 2017
EU Commission_Guide to the EU-US Privacy Shield
Spanish DP Law_English
Document Text Contents
Page 1


Albert Agustinoy

Miquel Peguera

Under Spanish Act no. 15/1999, dated December 13, on personal data

protection (Spanish Data Protection Act, “SDPA”) and related regulations, the

processing of personal data1 entails the obligation for the data controller (i.e.

the company that has the power to decide about the purposes of the data

processing, regardless of whether such company is incorporated or not and, if

so, the particular form of incorporation that has been chosen2) to comply with

certain requirements, as summarized below:

a) Notification of the creation of personal data files to the Spanish Data Protection

Agency (the “Agency”)

The data controller must notify to the Agency the creation of any file containing

personal data (the notification is about the structure of the file, its uses and

purposes, not of the personal data contained in the file). Data controllers may

submit a standardized notification to the Agency (the so-called “NOTA” form),

which must be completed for each data file and it shall be updated in the event

that any changes affecting the content of the registration take place.

Notifications should be submitted to the Agency before a data file is created or

modified, however in practice it is usual that data controllers notify them

afterwards without consequences (even if this is a breach of the legal


1 In this respect, and as long as personal data is defined by SDPA as any data relating to identified or
identifiable individuals, information belonging to legal entities does not fall within the scope of SDPA and,
therefore, the obligations detailed in this Memorandum have not to be complied with when dealing with
this kind of data. In addition, please note that the name and surname, position and professional address,
e-mail address and telephone and fax numbers of individuals working for said entities is not considered
by SDPA as personal data.

2 Thus, under Spanish data protection regulations, a Branch is fully and direct responsible of complying
with the obligations detailed in this Memorandum.

Page 2

Page 2

b) Consent requirements

Affected individuals (i.e. the Company’s employees and providers3) have to be

informed and consent the processing of their personal data before it takes place.

Consent may be obtained by electronic or traditional means. It is advisable to

keep evidences that prove that each affected individual has consented and,

when dealing with electronic means, it must also authenticate the identity of

the individual providing such consent.

Under SDPA, affected individuals have to be particularly informed about:

i) the company responsible of the file containing personal data;

ii) purposes of the data processing;

iii) the basic rights set forth by law and the way that can be exercised; and,

iv) third parties that may receive the personal data processed and purposes

of such communication of data, if applicable.

It must be noted that Article 19 of Spanish Royal Decree no. 1720/2009

considers that no communication to a third party takes place whenever a

merger, spin-off, global assignment of assets and liabilities, contribution or

transfer of business or branch of business or any other corporate restructuring

operation of a similar nature is executed, as from a data protection point of

view it is deemed that any such operations result only in a modification of the

identity of the data controller.

Thus, where a company globally assigns its assets and liabilities to another, no

consent under SDPA (see section iv above) should be obtained from affected

individuals. Note however, that affected individuals should be provided with the

information specified in sections i to iv above and, in particular, about the

identity of the new data controller processing their personal data.

3 Further analysis should be carried out to verify whether there are other affected individuals apart from
the previously mentioned.

Page 100

protection as a consequence of actions by U.S. national intelligence authorities, in particular as a consequence of
the collection and/or access to personal data that is not limited to what is strictly necessary and proportionate. In
this respect, the Commission will take into account the extent to which the relevant information can be obtained
from other sources, including through reports from self-certified U.S. companies as allowed under the USA

(153) The Working Party on the Protection of Individuals with regard to the Processing of Personal Data established
under Article 29 of Directive 95/46/EC published its opinion on the level of protection provided by the EU-U.S.
Privacy Shield (208), which has been taken into account in the preparation of this Decision.

(154) The European Parliament adopted a resolution on transatlantic data flows (209).

(155) The measures provided for in this Decision are in accordance with the opinion of the Committee established
under Article 31(1) of Directive 95/46/EC,


1. For the purposes of Article 25(2) of Directive 95/46/EC, the United States ensures an adequate level of protection
for personal data transferred from the Union to organisations in the United States under the EU-U.S. Privacy Shield.

2. The EU-U.S. Privacy Shield is constituted by the Principles issued by the U.S. Department of Commerce on 7 July
2016 as set out in Annex II and the official representations and commitments contained in the documents listed in
Annexes I, III to VII.

3. For the purpose of paragraph 1, personal data are transferred under the EU-U.S. Privacy Shield where they are
transferred from the Union to organisations in the United States that are included in the ‘Privacy Shield List’, maintained
and made publicly available by the U.S. Department of Commerce, in accordance with Sections I and III of the
Principles set out in Annex II.

This Decision does not affect the application of the provisions of Directive 95/46/EC other than Article 25(1) that
pertain to the processing of personal data within the Member States, in particular Article 4 thereof.

Whenever the competent authorities in Member States exercise their powers pursuant to Article 28(3) of Directive
95/46/EC leading to the suspension or definitive ban of data flows to an organisation in the United States that is
included in the Privacy Shield List in accordance with Sections I and III of the Principles set out in Annex II in order to
protect individuals with regard to the processing of their personal data, the Member State concerned shall inform the
Commission without delay.

1. The Commission will continuously monitor the functioning of the EU-U.S. Privacy Shield with a view to assessing
whether the United States continues to ensure an adequate level of protection of personal data transferred thereunder
from the Union to organisations in the United States.

1.8.2016 L 207/35 Official Journal of the European Union EN

(208) Opinion 01/2016 on the EU-U.S. Privacy Shield draft adequacy decision, adopted on 13 April 2016.
(209) European Parliament resolution of 26 May 2016 on transatlantic data flows ((2016/2727(RSP)).

Page 101

2. The Member States and the Commission shall inform each other of cases where it appears that the government
bodies in the United States with the statutory power to enforce compliance with the Principles set out in Annex II fail to
provide effective detection and supervision mechanisms enabling infringements of the Principles to be identified and
punished in practice.

3. The Member States and the Commission shall inform each other of any indications that the interferences by U.S.
public authorities responsible for national security, law enforcement or other public interests with the right of
individuals to the protection of their personal data go beyond what is strictly necessary, and/or that there is no effective
legal protection against such interferences.

4. Within one year from the date of the notification of this Decision to the Member States and on a yearly basis
thereafter, the Commission will evaluate the finding in Article 1(1) on the basis of all available information, including
the information received as part of the Annual Joint Review referred to in Annexes I, II and VI.

5. The Commission will report any pertinent findings to the Committee established under Article 31 of Directive

6. The Commission will present draft measures in accordance with the procedure referred to in Article 31(2) of
Directive 95/46/EC with a view to suspending, amending or repealing this Decision or limiting its scope, among others,
where there are indications:

— that the U.S. public authorities do not comply with the representations and commitments contained in the
documents annexed to this Decision, including as regards the conditions and limitations for access by U.S. public
authorities for law enforcement, national security and other public interest purposes to personal data transferred
under the EU-U.S. Privacy Shield,

— of a systematic failure to effectively address complaints by EU data subjects, or

— of a systematic failure by the Privacy Shield Ombudsperson to provide timely and appropriate responses to requests
from EU data subjects as required by Section 4(e) of Annex III.

The Commission will also present such draft measures if the lack of cooperation of the bodies involved in ensuring the
functioning of the EU-U.S. Privacy Shield in the United States prevents the Commission from determining whether the
finding in Article 1(1) is affected.

Member States shall take all the measures necessary to comply with this Decision.

This Decision is addressed to the Member States.

Done at Brussels, 12 July 2016.


1.8.2016 L 207/36 Official Journal of the European Union EN

Page 200


Article 24.3, second paragraph, of Law 30/1995 of 8 November, on the Regulation and
Supervision of Private Insurances, is amended as follows:

"Insurance bodies may create joint files containing personal data for the
settlement of accident claims and for actuarial statistical collaboration aimed at
establishing rates of premiums and the selection of risks, and for drawing up
studies on insurance techniques. The transfer of data to such files shall not require
the prior consent of the data subject, but the possible transfer of his personal data
for the purposes indicated must be communicated to the data subject, together
with an explicit indication of the data controller, so that the rights of access,
rectification and cancellation laid down by law may be exercised.
Joint files may also be created without the consent of the data subject for the
purpose of preventing insurance fraud. However, it will be necessary in such
cases to make known to the data subject, when the data are first introduced, who
is responsible for the file and the ways in which the rights of access, rectification
and cancellation may be exercised.
In all cases, data relating to health may be subjected to processing only with the
explicit consent of the data subject."

First transitional provision. Processing operations under international agreements

The Data Protection Agency shall be the body responsible for the protection of natural
persons as regards the processing of personal data, with respect to the processing
operations set up under any international agreement to which Spain is a signatory and
which assigns this power to a national supervisory authority, unless a different authority
is set up for this task in implementation of the agreement.

Second transitional provision. Use of the publicity register

The procedures for drawing up the publicity register, for objecting to being entered in it,
for making it available to requesters, and for monitoring the lists disseminated, shall be
governed by regulation. The regulation shall lay down the time limits for implementation
of the publicity register.

Third transitional provision. Continuation in force of existing rules

Until such time as the arrangements set out in first final provision of this Law come into
force, the existing regulatory rules shall continue in force with their own ranking, and in
particular Royal Decrees 428/1993 of 26 March, 1332/1994 of 20 June, and 994/1999 of
11 June, unless they are in conflict with this Law.

Single repealing provision. Repeal of rules

Organic Law 5/1992 of 29 October regulating the computer processing of personal data is
hereby repealed.

First final provision. Authorisation for regulatory development

The Government shall approve or amend the regulatory provisions necessary for the
application and further development of this Law.

Page 201


Second final provision. Precepts with the character of ordinary law

Titles IV, VI - except for the last indent of paragraph 4 of Article 36 - and VII of this
Law, the fourth additional provision, the first transitional provision, and the first final
provision, shall have the character of ordinary law.

Third final provision. Entry into force

This Law shall enter into force one month after its publication in the Boletín Oficial del

I order all Spaniards, individuals and authorities, to uphold this Organic Law and to
ensure that it is upheld.

Madrid, 13 December 1999.


The Prime Minister

Similer Documents