Spain sets out hefty fines under the EU Data Governance Act and amends its data protection laws, Ceyhun Pehlivan, Elena Valín

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

Spain has recently passed a law (Law 11/2023) that amends both the E-Commerce Act and the Data Protection Act to implement the provisions of the EU’s Data Governance Act (DGA) and revise the statutory time limits for data protection proceedings, respectively.

Data Governance Act

The DGA aims to make more data available and facilitate data sharing across sectors and EU countries in order to enable businesses to develop innovative products and services. It sets out the conditions for the re-use of public sector data and regulates the provision of data intermediation services and data altruism organisations, among others.

The DGA does not provide for sanctions and requires Member States to set out “effective, proportionate, and dissuasive” penalties by 24 September 2023.

Spanish E-Commerce Act amended to set out fines under the DGA

The Spanish E-Commerce Act has been amended to set out penalties for infringements of the DGA in Spain. The fines amount up to EUR 600,000 in case of very serious infringements, such as a significant or repeated failure to meet the conditions for providing data intermediation services.

The Spanish Ministry of Economic Affairs and Digital Transformation is designated as the competent authority to enforce and monitor compliance with the DGA in Spain. The Ministry will also manage the national register of data altruism organisations.

AEPD time limits revised under Data Protection Act

The enacted law also amends the time limits for the Spanish Data Protection Agency (AEPD) to conduct investigations and issue decisions under the Spanish Data Protection Act.

In a previous post, we have discussed that AEPD is one of the most active data protection regulators across the EU, so these new time limits may be particularly relevant for companies dealing with the AEPD.

In particular, the time limit for the AEPD to issue reprimands has been shortened from 9 to 6 months. Conversely, the maximum duration to complete sanctioning proceedings has been extended from 9 to 12 months. Similarly, the AEPD will need to finalise its investigations within 18 months, as opposed to the 12 month limit in the past. AEPD will also be entitled to carry out investigations online.

Finally, the AEPD is empowered to issue forms that must be used by data subjects when submitting data protection complaints.

Application

These amendments are applicable as of 10 May 2023.

Accordingly, organisations should review their practices relating to the reuse of data under the DGA.

They should also take into account the new time limits when dealing with AEPD proceedings.

If you'd like to hear more, let us know.

{

A key pillar of the European strategy for data, the Data Governance Act seeks to increase trust in data sharing, strengthen mechanisms to increase data availability and overcome technical obstacles to the reuse of data.

https://digital-strategy.ec.europa.eu/en/policies/data-governance-act