In January2008 Royal Decree 1720/2007 made changes to Spain’s data protection laws. One area covered is when a provider of marketing services can and cannot hide behind its client and claim to be a mere “data processor”. Phil Lee reports on this and clear lessons for UK marketers.
Topic: Privacy
Who: Spanish Data Protection Agency / Royal Decree 1720 / 2007
When: Legislation in force 19 April 2008; Legislation passed 21 December 2007
Where: Madrid
Law stated as at: 13 March 2008
What happened:
On 19 April 2008, Spanish legislation (Royal Decree 1720/2007) brings into force new data protection regulations (the "Regulations"). The Regulations aim to build upon, clarify and expand existing primary data protection legislation in Spain (Personal Data Protection Organic Law 15/1999) and not to replace the current data protection regime.
The Regulations bring in a raft of clarifications and new data protection requirements, many of which will have a wide impact on companies doing business in Spain. In particular, some of these new Regulations are specifically aimed at advertising and marketing services.
Key issues addressed by the new Regulations relevant to the marketing and advertising sector include:
- Data processing by advertising and marketing agencies. The Regulations clarify when advertising or marketing agencies that process personal data for client promotions will be data controllers (rather than data processors). The significance of this distinction is that, under data protection law, data controllers bear legal compliance risk (including compliance risk for misuse of data by their data processors). Broadly speaking, if the marketing agency has any degree of freedom as to who will be targeted by a particular promotion (i.e. if the targets are not determined purely by the client), the marketing agency will be a data controller in respect of that personal data – even though it is conducting the promotion on behalf of the client. This includes where the marketing agency decides jointly with the data controller who the targets will be, in which case the marketing agency and the client will be joint data controllers and each subject to legal compliance risk.
- Data cleansing and data sharing. The new Regulations put on an express legislative footing the requirement to cleanse target databases against external marketing suppression ("opt out") lists (so-called "Robinson lists"). Individuals who have opted out of marketing by registering on a Robinson list must not be contacted for any marketing purposes.
In addition, where two entities share or compare marketing databases, the new Regulations clarify that this will be a disclosure of personal data requiring notification to, and consent from, the data subjects concerned.
- Clarification as to whether a subcontractor is a "data processor" or a "data controller". It has long been established that a party that processes personal data on behalf of, and under the instruction of, a data controller will be a data processor. What has been less clear under Spanish law is the circumstances in which the data processor may itself outsource data processing to a subcontractor. The new Regulations clarify that this will only be permitted where either: (a) the data controller has authorised the outsourcing to a named subcontractor (e.g. in its contract with the head data processor); or (b) certain other requirements are met (including that the data controller's contract with the head data processor permits subcontracting, that the subcontractor acts in accordance with the data controller's instructions, and that the head data processor and subcontractor enter into a data processing contract on the same terms as the head data processing contract). If these requirements are not met, the subcontractor will be deemed a data controller, and subject to the compliance risks and obligations that this entails under Spanish law. From a marketing perspective, the significance of this is that if a marketing agency engages a third party to perform data processing activities in connection with a client marketing campaign, disclosure of personal information to that third party may be an unauthorised disclosure in breach of Spanish data protection legislation unless the above outsourcing requirements are met.
- Child consent. The Regulations expressly clarify that parental or guardian consent will always be required when collecting or processing personal data relating to children under 14 years old. Children aged 14 or over are generally deemed able to give consent to processing of their personal information, except in specified circumstances where Spanish data protection law still requires parental or guardian consent. The Regulations also require the data controller to put in place procedures to verify children's ages and the authenticity of any parental or guardian consent – although how, exactly, this is achieved is another matter entirely.
Why this matters:
These new Regulations will have a significant impact on Spanish businesses, including Spanish marketers and advertisers. The above points are not by any means exhaustive but instead serve as a snapshot of some of the key clarifications and changes introduced – the Regulations also introduce rules concerning data exports outside of the European Economic Area, limitations on the validity of consent acquired as part of a contractual relationship and various security requirements for the storage and processing of personal data.
Data protection often attracts criticism for being a vague and imprecise law and, in this regard, the clarifications provided by the new Regulations must be welcomed. It remains to be seen whether, going forward, some of the clarifications and changes introduced by the Regulations will be adopted in other European jurisdictions. If they are, they may necessitate businesses to undertake serious re-evaluations of their data protection policies and procedures on a pan-European basis.
UK law already makes many marketing agencies "data controllers"
Having said this, there is a question whether the Regulations clarifying when a marketing agency will be a data controller as opposed to a data processor would have any material impact in the UK.
This is because, under the existing UK definitions of data controller and data processor, it may well be strongly arguable already that if an agency has any degree of latitude in how and to whom marketing communications are targeted, it will automatically, whatever is stated in its contract with the client, be a data controller, with all the additional obligations that entails. Food for thought, here, for many a UK marketing agency one suspects!