The Legal Service of the Spanish Data Protection Agency has issued a mandatory report on the future royal decree that will regulate the registration, authorization, and use of biocides in Spain, a regulation intended to replace RD 1054/2002. The text directly affects the Official Register of Biocides, safety data sheets, service certificates from annex II, and the exchange of information between autonomous communities and European bodies.
The tension of the report lies at the core of the regulation itself. The processing of personal data is considered unavoidable for controlling the marketing and use of these products, but the Agency warns that this circuit cannot open the door to uses unrelated to registration or to a sanctioning system that violates privacy.
The Agency demands that all data processing be under the GDPR
The report proposes that any data processing derived from the future regulation be subject to the General Data Protection Regulation. The warning extends to all media and procedures involving personal data within the biocide control system.
This includes the Official Register of Biocides, safety data sheets, service certificates provided for in annex II, and also the exchange of information between regional administrations and European bodies. The Agency understands that this data flow is part of the ordinary functioning of the system and cannot be excluded from general protection guarantees.
Furthermore, it calls for an express clause to limit the use of information collected in pest control or disinfection operations. The objective is that this data cannot be used for purposes other than the registration and marketing of biocides.
The project foresees fines of up to 1.2 million and permanent closures
The regulatory draft incorporates a sanctioning regime with high economic and operational impact. The proposal contemplates sanctions of up to 1.2 million euros and the permanent closure of facilities in cases classified as very serious.
This sanctioning scope explains one of the main observations of the legal report. The Agency recalls the judgment of the Court of Justice of the European Union of June 22, 2021, in case C 439/19, to emphasize that concepts such as criminal offenses are autonomous in Union law.
With that reference, the agency suggests that the Government of Spain must exercise extreme caution in the design of sanction registers. The warning focuses on preventing the storage, consultation, or circulation of that data from clashing with the right to privacy of the affected individuals.
The most specific requirement of the report involves normatively safeguarding the destination of information generated in pest control or disinfection tasks, so that it can only be used for the registration and marketing of biocides.