The protection of natural persons in relation to the processing of personal data is a fundamental right that allows people to ensure the control over their personal data, use and destination to avoid the illicit traffic or abusive use of them that can affect the dignity and rights of those subjects concerned. Thus, this right is designed as a faculty to oppose that certain personal data are used for other purposes than those that justified their collection.

With the aim of promoting a more uniform regulation of this fundamental right, the European Parliament and the Council approved in April 2016 the Regulation (EU) 2016/679 (GDPR) related to the protection of natural persons with regard to the processing of personal data and the free movement of such data, which will be applicable as of 25 May 2018.

In this regard, after the publication of the Anteproyecto de Ley (APLOPD) in June 2017, the Government published in November 2017 the Proyecto de Ley Orgánica de Protección de Datos, which will repeal the current LOPD and will adapt the Spanish legal system to the GDPR, introducing amendments and enhancements in the regulatory framework of this fundamental right.

The technical note prepared by the Management Solutions’ R&D department summarises the content of this Proyecto de Ley Orgánica.

Executive Summary

The main aspects of the GDPR addressed in this Proyecto de Ley are: principles, rights, treatments, controllers and processors of the treatment, international transfers of data, authorities, procedure in case of infringement and penalties regime.

Area of application

The PLOPD applies to the processing of totally or partially automated personal data, as well as to the non-automated processing of personal data included or intended to be included in a filing system.

Main content

  • General provisions: scope of application, exceptions, and data of deceased persons.
  • Principles of data protection: general principles (e.g. accuracy, confidentiality, consent).
  • Right of natural persons: transparency and information of the subjects concerned, exercise of rights (e.g. access, erasure).
  • Provision applicable for particular treatments: credit information, video surveillance, publicity exclusion, etc.
  • Controllers and processors of data: obligations, activities recording, Data Protection Officer, etc.
  • International transfers of data: transfer regime and certain cases (e.g. approval by the AEPD).
  • Data protection authorities: AEPD (i.e. faculties and powers) and regional authorities.
  • Procedure in case of infringement of the data protection legislation: regime, procedure and terms.
  • Penalty regime: responsible authorities, infringement (small, severe and very severe infringement), and penalties.

Download the technical note by clicking here (only in spanish).