Spain
3.3 Territorial and extra-territorial application Article 3(2) of the GDPR establishes that controllers or processors not established in the European Union (EU) may still be subject to its provisions in certain circumstances. Specifically, the GDPR applies to the processing of personal data of individuals located in the EU where the processing is related to: the offering of goods or services to such data subjects in the EU, regardless of whether payment is required; or the monitoring of their behavior, insofar as that behavior takes place within the EU. This means that entities located outside the EU
Additionally, Article 23 of the Spanish DP Law establishes systems of advertising exclusion, allowing the processing of data for the purpose of avoiding the sending of commercial communications to individuals who have exercised their right to object. These systems operate without requiring prior consent from the data subject, provided that their objection is respected, in accordance with Article 21 of the GDPR. Furthermore, Article 23 of the GDPR permits Member States to restrict the scope of certain data subject rights when such limitations are necessary and proportionate to safeguard national security, criminal investigations, or other important public interests. The Spanish DP Law incorporates such limitations where appropriate under Spanish law.
https://lopez-iborabogados.com/en/
Made with FlippingBook - PDF hosting