The IAPP: International Association of Privacy Professionals, reports on Spain’s new GDPR implementation law, which provides clarity to some gray areas.

Highlights include:

  • the data processor may address a data subject’s rights on behalf of the controller if this is provided in the contract or other legal instrument that binds controller and processor.
  • requests from a data subject are excessive, because of their repetitive character, when submitted “more than once during a period of six months, unless there is a legitimate reason.”
  • when an individual objects to its processing of his or her information for direct marketing, the controller may keep the necessary identification data of the affected person in order to prevent future processing for direct marketing purposes.
  • additional cases in which it is mandatory to designate a data protection officer (DPO) include: public and private universities; information society service providers when developing large-scale profiles of service users; and operators that develop game activity through electronic, computer, telematic and interactive channels.

More details here, via the IAPP.