Spain —regardless of their location or nationality— must comply with the GDPR when they target individuals in the EU market. For example, a company based in the United States or China processing personal data of individuals residing in Spain would be subject to the GDPR under these conditions. Although the Spanish DP Law does not have an extraterritorial effect, it complements the GDPR within Spanish jurisdiction. Furthermore, Article 70.1(c) of the Spanish DP Law confirms that representatives of controllers or processors not established in the EU are subject to the sanctioning regime under both the GDPR and the Spanish DP Law, when acting within Spanish territory or when designated as local representatives under Article 27 of the GDPR.

4.1. Key stakeholders

Data Protection Officer (DPO)

In Article 37, the GDPR broadly outlines the criteria and circumstances for the appointment of a Data Protection Officer (“DPO”) within an organization. Conversely, the Spanish DP Law delves deeper by enumerating a specific list of organizations that are obliged to designate a DPO, surpassing the general guidelines provided by the GDPR. This expanded list —set out in Annex I of the Spanish DP Law— includes entities such as professional associations and their overarching councils, educational institutions, providers of information society services, as well as insurance and financial services entities, among others.
https://lopez-iborabogados.com/en/