Entry into force of the General Data Protection Regulation and the LOPDGDD. Catalan Data Protection Authority

When did the GDPR enter into force?

The General Data Protection Regulation (GDPR) was published in May 2016 and, despite entering into force on 24 May 2016, was applied as from 25 May 2018.

The GDPR is a directly applicable EU regulation that does not require national transposition laws or, in most cases, rules of implementation and application. Thus, controllers and data processors must adapt the processing operations they carry out to the requirements of this Regulation.

Notwithstanding the above, the GDPR provides that Member States may, as far as necessary for coherence and comprehension in certain areas, enact laws that complement the Regulation. In accordance with this provision, a new Organic Law on the Protection of Personal Data (LOPD) has been approved, which includes certain clarifications and development of the GDPR.

Will the Law on the Protection of Personal Data (LOPD) and the Regulation implementing it (RLOPD) be repealed?

Upon entry in force of Organic Law 3/2018, of 5 December, of Personal Data Protection and Guarantee of Digital Rights (LOPDGDD), Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD) is repealed, with the exception of Articles 23 and 24, which will continue to be applicable until replaced, modified or repealed. Moreover, until the transposition into Spanish law of Directive (EU) 2016/680 on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, such processing will continue to be regulated by the LOPD and the provisions that implement it.

The implementing Regulation (RLOPD), approved by Royal Decree 1720/2007, of 21 December, will continue to be fully applicable in all that does not oppose or is incompatible with the GDPR and the LOPDGDD.

How does the GDPR affect the Law of the Catalan Data Protection Authority?

The GDPR explicitly provides for the possibility of a Member State establishing several data protection authorities. In any case, the GDPR does not affect the scope of action of the APDCAT, established by the Statute of Autonomy of Catalonia and Law 32/2010, though this law may need to be adapted to the new Regulation with respect to the functions of supervisory authorities.

Are the the GDPR and the LOPDGDD applicable to processing undertaken in the field of law enforcement and criminal justice?

No. This field is covered by Directive (EU) 2016/680 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties and on the free movement of such data, which repeals Council Framework Decision 2008/977/JHA.

Data processing subject to this Directive will continue to be governed by Organic Law 15/1999, of 13 December (LOPD), in particular its Article 22, and its implementing provisions, until the legislation transposing that provided in the aforementioned Directive into Spanish law enters into force (the fourth transitory provision of the LOPDGDD).

European Union Member States were required to transpose this Directive no later than 6 May 2018.