Data protection: a new penalty regime in spain?

Categorization of infringements and associated penalties

The data protection regulations establish three kinds of infringements and associated penalties: minor, serious and very serious. The amendments mainly affect the ranges of the minor and serious penalties and the (re)categorization of certain infringements:

• The penalties are now as follows: (i) minor infringements: between Euro 900 and 40,000 (formerly, between approx. Euro 600 and 60,100); (ii) serious infringements: between Euro 40,001 and 300,000 (formerly, between approx. Euro 60,100 and 300,500); and (iii) very serious infringements: between Euro 300,001 and 600,000 (formerly, between approx. Euro 300,500 and 601,012.10).
• Certain infringements have been re-categorized: for example, illegal C2C assignments of non-sensitive personal data are now deemed serious infringements (formerly, very serious) and C2P assignments without the prescribed processing agreement are now deemed a minor infringement (formerly, very serious for the controller and serious for the processor). Further, the technical wording used to define certain infringements has been clarified but there has been no real change in practice: for instance, the lack of consent -where required- for the processing of non-sensitive data is and will still be a serious infringement and the lack of a database registration is and will still be a minor infringement.

New criteria used to determine the penalty:

– within the range corresponding to the actual infringement (criteria 1)

The data protection regulations also include now, among the various existing criteria used to determine the penalty within the relevant range, some additional factors, being the most relevant the evidence of the implementation of adequate data protection procedures before the infringement was committed, when the infringement is the result of a malfunction in these procedures not attributable to the offender's lack of diligence.

– within the range corresponding to the category of infringements immediately lower than the actual infringement

The existing criteria that the DPA may use to fix the penalty within the range corresponding to the category of infringements immediately below the actual infringement also comprises (in addition to the existence of various of the criteria 1, as amended) the following: that the offender duly remedied the infringement, that the data subject's behaviour induced the infringement, that the offender spontaneously acknowledged its responsibility, or that the infringement was only attributable to the absorbed company in a merger.

A warning and a specific remedy period will be available before starting penalty proceedings

In case of minor or serious infringements and provided that the offender has not previously been sanctioned or warned over prior alleged infringements, the DPA may, instead of starting immediate penalty proceedings, warn the offender so that it can evidence within a specific period of time that it has adopted the relevant corrective measures. Otherwise, the penalty proceedings would start.

Administrative order to stop the processing

In addition to the relevant sanctions, the DPA's faculty to order a controller to cease a processing that may damage the data protection rights or other fundamental rights of the data subject (and to eventually immobilise the database), which already applies to very serious infringements, will also apply to serious infringements.