New Spanish Law Alters DPA Sanctions Regime; Allows Lower Fines, Resolution Short of Fines
MADRID—The Spanish Data Protection Authority’s (AEPD) process for levying fines for violations of the country’s framework data protection statute will soon take on a more business-friendly hue, under a new law approved Feb. 15 by Parliament.
The new law will take effect upon its imminent publication in Spain’s national register (Boletín Oficial del Estado).
Among the provisions in the Sustainable Economy Act—an omnibus measure aimed at modernizing the Spanish economy through emphasis on business, financial, and environmental measures—are changes that lower many of the minimum and maximum fines available where the AEPD finds violations of the framework Organic Data Protection Act (Law 15/1999) (LOPD).
The new law also clarifies whether certain infractions should be categorized as “minor,” “serious,” or “very serious” under the three-tiered system used by the DPA to assess sanctions, and it sets out specific factors relating to a breach of the law that the AEPD must consider before assessing a fine.
The law requires the AEPD to recognize certain mitigating factors in the sanctions process—such as not holding an acquiring corporation fully liable for infractions of another firm it acquires—and creates the possibility for resolution of cases short of levying fines in certain exceptional circumstances.
The data protection law changes are in Final Provision 58 of the new law, which was introduced as an amendment at the behest of the Senate Economy and Taxation Committee…