Skip to main content
  • Areas
  • Offices
  • Team
  • Talent
Site: English

Garrigues

ELIGE TU PAÍS / ESCOLHA O SEU PAIS / CHOOSE YOUR COUNTRY / WYBIERZ SWÓJ KRAJ / 选择您的国家

Close
  • Garrigues Facebook
  • Garrigues LinkedIn
  • Garrigues Twitter
  • Youtube
Menu

Main menu

  • About Garrigues
    • About Garrigues
    • Corporate governance
    • Strategic vision
    • Professional Ethics
    • Our history
    • Awards
    • G-advisory
  • Practice Areas More

    Areas and industries

    Practice areas

    • Accounting Law
    • Administrative Law
    • Banking and Finance
    • Corporate Law and Commercial Contracts
    • Criminal Law
    • E.U. & Antitrust
    • Environmental
    • Human Capital Services
    • Intellectual Property
    • Labor and Employment Law
    • Litigation and Arbitration
    • Mergers & Acquisitions
    • Planning and Zoning
    • Real Estate
    • Restructuring and Insolvency
    • Securities Markets
    • Startups & Open innovation
    • Tax

    Industries

    • Agribusiness
    • Automotive
    • Corporate Governance and Corporate Responsibility
    • Energy
    • Family Business
    • Fashion Law
    • Financial Institutions
    • Insurance
    • Life Sciences and Healthcare
    • Private Equity
    • Real Estate
    • Smart Cities
    • Sports & Entertainment
    • Technology & Outsourcing
    • Telecommunications & Media
    • Tourism and Hotels
    • Transport & Shipping
  • Locations More

    America

    • ChileSantiago de Chile
    • ColombiaBogota
    • United StatesNew York
    • MexicoMexico City
    • PeruLima

    Africa

    • MoroccoCasablanca

    Asia

    • ChinaBeijing
    • Shanghai

    Europe

    Spain

    • A Coruña
    • Alicante
    • Barcelona
    • Bilbao
    • Las Palmas de Gran Canaria
    • Madrid
    • Malaga
    • Murcia
    • Oviedo
    • Palma de Mallorca
    • Pamplona
    • San Sebastian
    • Sta. Cruz de Tenerife
    • Seville
    • Valencia
    • Valladolid
    • Vigo
    • Zaragoza
    • BelgiumBrussels
    • United KingdomLondon
    • PolandWarsaw
    • PortugalLisbon
    • Oporto

    Desks

    • Asia-Pacific Desk
    • Brazilian Desk
    • French Desk
    • German Desk
    • Indian Desk
    • Italian Desk
    • US Desk
  • Team More
    • A
    • B
    • C
    • D
    • E
    • F
    • G
    • H
    • I
    • J
    • K
    • L
    • M
    • N
    • O
    • P
    • Q
    • R
    • S
    • T
    • U
    • V
    • W
    • X
    • Y
    • Z

    Search a lawyer

  • Commitment
    • Garrigues and society
    • Diversity and equality
    • Environment
    • Education and research
    • Garrigues Sustainable
    • Innovation
    • Integrated Report
  • Garrigues news room
    • News
    • Legislative developments
    • Garrigues Op Ed
    • Garrigues Digital
    • Specials
    • Guides
    • Blogs
    • Contacts
  • Calendar of events
  • Work with us More

    Work with us

    • Join Garrigues
    • About us
    • Brochures and videos
    • Employment forums and presentations
    • FAQ
    • Selection process
    • Send your cv

You are here

Home

Hubs

  • CleanTech
  • e-Sports
  • FashionTech
  • FinTech
  • Industry 4.0
  • MediaTech
  • Platforms

Services

  • Antitrust
  • Cybersecurity
  • Data protection & Privacy
  • e-Commerce
  • e-Identity
  • Fintech Diaries
  • Intellectual property
  • IT & Cloud Solutions
  • Labor
  • Litigation and Arbitration
  • Media
  • On-line Reputation
  • Tax
  • Our services
  • Digital team
  • Contact
  • FinTech
  • Industry 4.0
11-06-2019

From blockchain to cybersecurity: six code sets in the royal decree law increasing the government’s powers to control the internet

Submitted by GarriguesAdmin5 on Mon, 11/11/2019 - 09:31

Alejandro Padín, partner in the Corporate Law and Commercial Contracts Department at Garrigues.

The new Royal Decree Law 14/2019 of October 31, 2019 adopting urgent measures for reasons of public security in matters concerning digital government, public procurement and telecommunications introduces important new provisions on data protection, blockchain technology or cybersecurity, among others.

Summarized below is a selection of the most prominent measures in the royal decree law approved by the government’s council of ministers’ meeting on Thursday October 31, published in the Official State Gazette on November 5 and in force since November 6, 2019.

1. Location of personal data and digital identification systems: Where citizens interact with the government electronically, the systems used to collect, store, process and manage personal data must be kept in the EU. If they also involve the special categories of data described in article 9 of the General Data Protection Regulation (GDPR), they must be located in Spain. An exception is allowed where has been an adequacy decision by the European Commission for international data transfers.

This point may clash with the GDPR which provides other mechanisms for international transfers, although this restriction appears to be linked to national security.

2. Blockchain technology: The use of blockchain based identification systems is forbidden in citizen government exchanges until technology of this type has been legislated. It has however been specified that in any central government legislation to be adopted on this subject the central government administration must act as an intermediate authority to safeguard public security. It is interesting to see how the first reference to blockchain and DLTs (Distributed Ledger Technologies) to appear in primary legislation is actually made to restrict its use (for the time being) for these aims.

3. Data protection: Data disclosure is allowed between all public authorities, and the intended recipients are forbidden from using those data for purposes other than those specified for the disclosure. Determining whether data are used for those other purposes is left to the decision of the central government administration, where it is the disclosing authority.

Nothing is mentioned about the information to be provided to the data subject on the disclosures that is required in the GDPR, so that obligation must be met.

4. Public procurement: Obligations concerning the contents of contracts are specified, such as an express agreement for data protection to be governed by European and Spanish law. Where the contract implies a data disclosure by a public authority to the contractor, the purpose of that disclosure must be specified. Rules are set out on the contents of contract documents in public procurement procedures, which expressly mention intellectual property and data protection among the elements to be included.

The rules on “data disclosure” must be interpreted, in most cases, as the “processing of data by the contractor on behalf of the contracting authority” (known as data processor). For these purposes, a number of items that must appear in the data processor’s agreement have been added to those specified in article 28 of the GDPR.

5. Telecommunications: The General Telecommunications Law amendment enabling the government to take control of electronic communications services is a minor amendment. That law already allowed the government to take on management of electronic communications services and operation of networks for reasons of national security, and also allowed the government to take control of those services and networks following a report from the Spanish Markets and Competition Commission. The amendment only removes the need for this report in order to take control (no report was required for taking on management) where justifiable by reasons of national security.

Also, any public authorities installing or operating electronic communications networks under self-provision mechanisms are required to inform the ministry of economy and finance of any project of this type.

The government's power to close down infringing activities before opening a penalty procedure and without a prior hearing had already been authorized in the General Telecommunications Law, although now the new law has added a new scenario concerning the existence of an immediate and serious threat to public policy, public security or national security. All the other scenarios have been kept or their wording has been changed slightly.

6. Administration of cybersecurity: Royal Decree 12/2018, transposing the NIS Directive (on security of network and information systems) has been amended to fill a space left by the original legislation, the assignment of technical coordination for cyber incidents affecting public authorities at the National Cryptology Center (CCN, attached to the Central Intelligence Center -CNI-).

 

Services:

Cybersecurity, Data protection & Privacy, e-Identity

Share

  • Share in Facebook, Open in new window
  • Share in Twitter, Open in new window
  • Share in LinkedIn, Open in new window

Share

  • Share in Facebook, Open in new window
  • Share in Twitter, Open in new window
  • Share in LinkedIn, Open in new window

Related news

Cybersecurity in essential services: NIS Directive still to be transposed
Cybersecurity
FinTech
Industry 4.0
GDPR: most SMEs will be unable to avoid the requirement of an RPA for some types of processing
Data protection & Privacy
+1
Cybersecurity
  • Follow us
  • Follow us
  • Follow us
  • Follow us
  • About Garrigues
    • Corporate governance
    • Strategic vision
    • Professional ethics
    • Our history
    • Awards and rankings
  • Team
    • Search team
  • Extranet and online tools
  • Join us
    • Send your CV

Contact:

  • [email protected]
  • Tel: +34 91 514 52 00

Contact form

 

©2023 J&A Garrigues, S.L.P. All rights reserved

  • LEGAL TERMS & CONDITIONS
  • COOKIES POLICY
  • PRIVACY POLICY
  • SECURITY POLICY
  • RSS