New Spanish Data Protection Law: the latest features on the processing of personal and health data

Law 3/2018, on Data Protection and Digital Rights, complementing the EU General Data Protection Regulation (GDPR), comes into force.

Eduard Rodellar

Capsulas Nº 197

Information and consent

Law 3/2018 simplifies the duty of the data controller to provide information to the data subject as regards his/her personal data. The controller is no longer required to provide at first instance all the information set forth in the GDPR.

According to this Law, the controller can provide the data subject with some basic information, provided that the controller facilitates other means (e.g. email or link to the privacy policy) to the data subject through which he/she may easily and immediately access all the information referred to in the GDPR (except for the basic information previously provided).

Also, the Law clarifies under which circumstances may data concerning the contact information and working position of persons working for companies be processed, without obtaining their consent.

In order to process said data without previously obtaining the data subject’s consent, two requirements must be met: (i) the data of any of such person must be processed only to professionally locate him/her, and (ii) the purpose of the processing must only be to maintain the relationship between the controller and the company for which the person provides his/her services.

The same criteria is followed by the Law with respect to the contact information of self-employed or individual business persons.

Health Data and biomedical research

The Law introduces different provisions aimed to ensure the proper development of biomedical research, regulating the specific cases in which it is possible to process health data without necessarily having the data subject’s consent (e.g. to guarantee health quality and safety, or due to pharmacovigilance reasons).

Also, the Law opens the door to the use of ‘big data’ on the healthcare sector, favoring access to the data contained in medical and patient records, as long as there are appropriate guarantees in connection with the fundamental right to data protection. In this regard, the Law sets forth the conditions under which it will be possible to reuse personal data for research purposes. In these cases, it won’t be necessary to obtain an additional consent from the data subject. The consent initially provided by such data subject will be enough, as long as such consent allows the use of personal data for research areas scientifically related to the one of the initial study. Also, in any such case, the duty of the controller to provide information to the data subject, must be complied with.

Finally, the Law specifies the measures that must be taken to use of pseudonymized data, which are also regarded as personal data. In any of these cases, a favorable report from the research ethics committee must be previously obtained. This reinforces the role of such committee in the data protection field.


Uso de cookies

Este sitio web utiliza cookies para que usted tenga la mejor experiencia de usuario. Si continúa navegando está dando su consentimiento para la aceptación de las mencionadas cookies y la aceptación de nuestra política de cookies, pinche el enlace para mayor información. ACEPTAR

Aviso de cookies