Spain
The Spanish DP Law, therefore, extends the scope of DPO requirements beyond the parameters established in the GDPR, outlining a more detailed and nuanced set of criteria applicable to specific sectors and contexts. Records of processing activities GDPR, in its article 30, stipulates that “Each controller and, where applicable, the controller's representative, shall maintain a record of processing activities under its responsibility”, however, it would not apply to “an enterprise or an organization employing fewer than 250 persons unless the processing it carries out is likely to result in a risk to the rights and freedoms of data subjects, the processing is not occasional, or the processing includes special categories of data”. The legal framework in Spain, as articulated in the Spanish DP Law, introduces an additional requirement for certain organizations or entities. According to this provision, such entities —primarily public authorities or bodies— are obliged to publicly disclose and publish a comprehensive inventory of their data processing activities. This disclosure must be easily accessible through electronic means, encompassing all the details specified in Article 30 of the GDPR. In essence, the Spanish DP Law extends beyond the GDPR by specifically stipulating the obligation for certain entities to proactively share and maintain a transparent record of their data processing endeavors, thereby fostering greater accountability and accessibility.
Usually, these organizations will be public or administrative. Among the organizations listed, we can mention: Courts of Justice The National Bank of Spain (“Banco de España”) Public universities Parliamentary groups Public bodies and public law entities. State Administration Requirements for Data Processing 5.1. Data storage and retention timelines Under Article 5(1)(e) of the GDPR, personal data must be retained only for as long as necessary for the purposes for which they were collected. Once that period ends, data should be deleted or anonymized, unless continued retention is legally justified. The Spanish DP Law introduces an additional requirement known as the “blocking” obligation, set out in Article 32 of the Spanish DP Law. When data are no longer necessary for their original purpose but must be retained to comply with legal obligations (such as for liability or audit purposes), they must not be deleted immediately but blocked; that is, stored in a way that restricts their processing and access exclusively for those legal purposes.
https://lopez-iborabogados.com/en/
Made with FlippingBook - PDF hosting