This article was accepted into the corpus but its outbound wikilinks were never NER-processed — typical at the deepest BFS hop or when the run's entity cap was reached. No expansion funnel to show.
| Organic Law on Data Protection | |
|---|---|
| Name | Organic Law on Data Protection |
| Long title | Organic Law on Data Protection and Guarantee of Digital Rights |
| Jurisdiction | Spain |
| Enacted by | Cortes Generales |
| Date enacted | 2018 |
| Status | In force |
Organic Law on Data Protection
The Organic Law on Data Protection is a national statute enacted in Spain to update and align domestic privacy rules with the General Data Protection Regulation and to consolidate digital rights recognized in contemporary European jurisprudence. The law interfaces with institutions such as the Cortes Generales, the Audiencia Nacional, and the Consejo de Estado while intersecting with case law from the Court of Justice of the European Union and guidance from the European Data Protection Board. It has implications for corporate actors including Telefónica, Banco Santander, and multinational firms operating under the OECD regime.
The law was promulgated following deliberations in the Cortes Generales and consultations with bodies like the Agencia Española de Protección de Datos and the Comisión Europea. It updates prior statutes influenced by decisions from the Tribunal Constitucional and legislative frameworks comparable to the Privacy Act 1988 in Australia and the Data Protection Act 1998 in the United Kingdom. Key policymakers included members of Partido Popular, Partido Socialista Obrero Español, and the Unidas Podemos parliamentary groups, reflecting debates analogous to those in the European Parliament and the Council of the European Union.
The statute governs personal data processing involving controllers and processors such as Ayuntamiento de Madrid, Universidad Complutense de Madrid, and private entities like Inditex and BBVA. It aims to implement the General Data Protection Regulation within national competences, protect rights referenced in the Charter of Fundamental Rights of the European Union, and provide remedies consistent with judgments from the European Court of Human Rights and the Court of Justice of the European Union. The law addresses sectors from healthcare providers like Hospital Universitario La Paz to telecommunications companies including Vodafone Spain and platforms akin to Facebook and Google.
The law codifies principles reflected in rulings such as Google Spain SL, Google Inc. v Agencia Española de Protección de Datos and doctrines from the European Data Protection Supervisor. It enumerates rights of data subjects parallel to those in the Charter of Fundamental Rights of the European Union: access, rectification, erasure, restriction, portability, and objection, and incorporates safeguards for special categories of data referenced in the Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data. Protections for minors evoke policy debates involving institutions like UNICEF and regulatory comparisons with the Children's Online Privacy Protection Act.
Controllers and processors including Iberdrola, Repsol, and cloud providers analogous to Amazon Web Services must implement measures such as data protection by design and by default, impact assessments similar to those advocated by the European Commission, and contractual arrangements reflecting standards in ISO/IEC 27001. The statute prescribes notification and recordkeeping duties comparable to practices at European Bank for Reconstruction and Development and sectoral regulators like the Comisión Nacional del Mercado de Valores. Cross-border transfers engage mechanisms discussed in case law like the Schrems II decision and instruments such as standard contractual clauses used by multinationals including Microsoft.
Enforcement is primarily vested in the Agencia Española de Protección de Datos, which coordinates with the European Data Protection Board and national ombuds institutions such as the Defensor del Pueblo. The agency holds investigatory and corrective powers akin to other authorities like the Information Commissioner's Office in the United Kingdom and collaborates with judicial organs including the Audiencia Nacional and Tribunal Supremo for litigated disputes. The law establishes procedures for administrative inquiries following models from the Council of Europe and case precedents from the Court of Justice of the European Union.
The statutory regime provides administrative fines, remedial orders, and injunctive relief applied to entities ranging from local administrations like the Diputación Provincial de Barcelona to multinational corporations such as Apple Inc. and Meta Platforms, Inc.. Penalties reflect tiers inspired by General Data Protection Regulation maximums and jurisprudence from the European Court of Human Rights. Remedies for data subjects include compensation claims in domestic courts, with appellate review routes through the Audiencia Nacional and ultimately the Tribunal Constitucional.
The law has influenced corporate compliance programs at firms like Acciona and Ferrovial and shaped curricula at institutions such as Universidad de Barcelona and ESADE Business School. Critics drawn from legal academics at Universidad Autónoma de Madrid and think tanks like the Real Instituto Elcano argue about enforcement consistency, interaction with digital market actors including Amazon (company), and alignment with international standards set by organizations like the International Association of Privacy Professionals. Supporters cite harmonization benefits for trade partners including members of the European Free Trade Association and convergence with rulings from the Court of Justice of the European Union.
Category:Spanish legislation Category:Privacy law