Spain - The obligation for data controllers to register files containing personal data will disappear in Spain with the new GDPR

Spain - The obligation for data controllers to register files containing personal data will disappear in Spain with the new GDPR's Tags

Tags related to this article

Spain - The obligation for data controllers to register files containing personal data will disappear in Spain with the new GDPR

Published 11 abril 2017

In its blog the Spanish Data Protection Agency has officially declared that the obligation for data controllers to register files containing personal data will disappear in Spain with introduction of the new European General Data Protection Regulation ("GDPR") in 2018.

From the first data protection act introduced in Spain in 1992 to the current Spanish Data Protection Act, the first obligation for data controllers has always been to register the files containing personal data within their control with the Registry of the Spanish Data Protection Agency. The information to be provided for the registration of any files containing personal data was: (i) a description of the data processed; (ii) the purpose of the processing of such data; (iii) the data owners; (iv) the security measures to be applied to the files; (v) if data is manually or automatically stored in the file; (vi) the possibility of such data being assigned to third parties; or (vii) the details expected international data transfers outside the EU.

Since 2006 it has been possible to register files electronically through the NOTA form which resulted in an exponential growth of the number of registrations. There was also large growth in 2008 when the regulation implementing the Spanish Data Protection Act came into force. Nowadays the Registry of the Spanish Data Protection Agency has a growth of 9% with an average of 2.754 registrations every day. During the early years of this obligation to register files containing personal data, the main registration made by data controllers was the initial registration of the files, however, during recent years, the main registrations have been modifications to existing files with a view to keeping these files up to date.

The obligation to register files with the Registry of the Spanish Data Protection Agency will disappear in May 2018 with the application of the GDPR, and from that point the data controller will then be obliged to maintain a record of processing activities for which they are responsible, but it won't be necessary to communicate this record to the Spanish Data Protection Agency.

Article 30 of the GDPR describes the information that must be recorded by data controllers in respect of files processed by them, which in the main correspond with the information that data controllers must currently communicate to the Spanish Data Protection Agency when registering files. Therefore, Spanish data controllers with registered files are already part of the way there in respect of their compliance with Article 30 of the GDPR due to the work already done in the past to communicate the description of the files for their registration.

A link to the Spanish Data Protection Agency's blog is available here (Spanish).

Key Contacts

< Back to articles