Legal basis

No. The GDPR establishes that consent must consist of a clear declaration or affirmative act, which reflects a free, specific, informed and unequivocal manifestation of the interested party's will who accepts the processing of personal data that affects them. Therefore, silence, checked boxes or inaction (such as tacit consent) do not constitute valid consent under the GDPR.

Accordingly, data processing initiated before 25 May 2018 based on tacit consent had to comply, before that date, with the requirements of the GDPR. This can be done by obtaining new consent with the requirements established by the GDPR or through any other of the legal bases established by the GDPR.

Before commencing a particular processing operation and in relation to a specific purpose, a legal basis must be established. If the data controller chooses consent, he or she must be prepared to cease processing if the data subject revokes consent. The processing may continue to be carried out on another legal basis if the affected persons are informed and the requirements required by the regulations are met.

No, they could only do so if you have previously given consent, which you could revoke at any time, or if a company of which you are a client (or have been in the last year) contacts you to offer you products or services similar to those previously contracted.

In any case, a good solution is to register with one of the existing voluntary advertising exclusion lists such as the Robinson List, managed by the Spanish Association of the Digital Economy (ADIGITAL), or the Stop Publicidad List, managed by the Spanish Association for Digital Privacy. Registration is free and mandatory for companies when launching commercial campaigns.

Yes, but you can object to it. The law that regulates the general electoral regime establishes that the Electoral Census Office is the body responsible for preparing the electoral census. Registration in this census is mandatory and city councils register residents of their municipal area ex officio. The electoral register is updated monthly and the name, surname and address are census data that must be collected.

On the day of the proclamation of candidacies, the representatives of each electoral candidacy can obtain a copy of the electoral register of the corresponding district. They can use it to send electoral propaganda, only during the campaign period. You can object to the inclusion of your data in these copies of the electoral register, to prevent them from sending you electoral propaganda by post.

During the electoral period, political parties may send electoral propaganda by electronic means or electronic messaging systems, provided that they identify the electoral nature of the message and provide a free means to exercise the right of opposition.

For this purpose, political parties can use data obtained from websites and other publicly accessible sources. In any case, current regulations do not allow profiles to be created that take into account special categories of data.

The means or communication services that public administrations can use, whether to interact with citizens or with other public administrations, can be many and of very varied nature. In any case, the channel used must comply with the requirements of data protection regulations.

In these instant messaging services, it is the user themselves who decides to install a particular application, through which they can interact with third parties, including, where appropriate, public authorities.

If the Administration uses WhatsApp groups or another instant messaging service to communicate with citizens, it must have the consent of all members of the group, unless it has another legal basis, and inform them about the processing of data and the consequences that may arise from the use of this channel. To this end, the Administration can provide users with “good use policy clauses”.

For the legal basis of processing to be consent and for that consent to be free, participants must have alternative channels of communication with the Administration for the purposes envisaged; that is to say, the instant messaging service must not be imposed on them as the sole means of communication.

If you would like more details on this matter, you can consult Opinion CNS 13/2018.

Yes, if its installation has been approved with the favourable vote of 3/5 of the owners. The cameras must be in common areas and cannot capture images of the public road. The community, which is responsible for the processing, must include the new processing in its Processing Activities Register and place information posters at the entrances to the property, as well as the rest of the obligations established in the data protection regulations. In particular, it must be remembered that the viewing of images must be restricted to the person or people expressly authorised by the community.

No, the specific regulations only allow hotels, or other establishments that carry out hosting activities, to collect certain data contained in the identity document (DNI, TIE, passport), but not scanning or accessing a digitised copy.  In the case of banks, the regulations for the prevention of money laundering and terrorist financing do provide for the obligation to formally identify natural persons involved in any operation through reliable documents, such as the DNI, TIE or passport.

Without prejudice to this, it is advisable to adopt preventive measures when providing a copy of the DNI, such as providing it in black and white, incorporating watermarks, hiding unnecessary data or providing only the front or back.

No, the publication of the list of candidates admitted and excluded in a selection process must not extend beyond the deadline for filing an administrative or contentious administrative appeal.