Spain
Scope of Application 3.1. Legislative Scope The Spanish DP Law applies within the territorial scope of Spain and governs processing activities carried out by entities established in Spain or, in certain cases, by entities not established in Spain when specific conditions under the GDPR or Spanish law are met. In contrast, the GDPR has a broader scope, applying across all EU Member States, and under Article 3(2), also to certain controllers or processors outside the EU that target individuals in the EU. 3.2 Statutory exemptions While the GDPR outlines general exemptions in Article 2(2) and Article 23, the Spanish DP Law provides additional clarifications in certain contexts. These include certain exemptions applicable to the use of video surveillance systems, which are regulated under Article 22 of Spanish DP Law. This provision allows the processing of images by public or private entities for security purposes and modulates the application of some GDPR obligations, such as the duty to inform data subjects (which may be fulfilled by visible signage). It also defines specific data retention periods and excludes domestic use of home cameras from the GDPR's scope when operated by individuals.
2.3.
Upcoming
or
proposed
legislation (if applicable) While no formal
legislative amendments to the Spanish DP Law are currently under parliamentary consideration, significant regulatory developments at the EU level are expected to affect the Spanish data protection framework. Most notably, the European Union Artificial Intelligence Act (AI Act) was adopted in 2024 and entered into force on 1 August 2024. Its provisions will become applicable gradually between 2025 and 2026. The AI Act introduces obligations for AI systems that process personal data, including systems classified as high-risk or prohibited. It reinforces the application of GDPR principles – such as data minimization and data protection by design and by default – throughout the entire lifecycle of an AI system. As stated in Recital 69 of the AI Act, these obligations may include measures such as anonymisation, encryption, and the use of privacy-preserving technologies that allow algorithms to be trained without transmitting or copying raw data. The Spanish Data Protection Agency (AEPD) is expected to play a key role in overseeing compliance with these provisions, particularly when AI systems involve the processing of personal data. As a result, future regulatory adjustments or guidance at the national level are likely to ensure full alignment between the AI Act and the Spanish DP Law.
https://lopez-iborabogados.com/en/
Made with FlippingBook - PDF hosting