#SomosRyC
News on the recent approved Data Protection Act
21 January 2019
Index
1.- Does the new Organic Data Protection Act replace the General Data Protection Regulation?
2.- What aspects does the new standard regulate?
3.- Is the LOPD repealed?
4.- Does Organic Act 3/2018 apply to contact persons and to individual professionals or entrepreneurs?
5.- What about deceased persons?
6.- What developments are included with regard to video monitoring?
7.- Will the regional data protection authorities continue to exist?
8.- Who is obliged to appoint a Data Protection Officer or DPO pursuant to Spanish data protection legislation?
9.- If I receive a notice from the Spanish Data Protection Agency, how should I calculate the deadlines provided under the data protection regulations? With regard to the exercise of their rights by data subjects, is there any difference as to the calculation of deadlines?
10.- Will an authorization by the Spanish Data Protection Agency be required to carry out international data transfers?
11.- Should I block personal data when someone exercises the new right of deletion?
12.- Is whistle blowing expressly regulated?
13.- Should I amend my existing contracts with data processors to adapt them to the new regulation?
14.- What specific requirements need to be met in relation to anonymization of data in medical and health care research?
15.- What are the powers and authorities of control authorities and what developments have been introduced in the penalty regime under Organic Act 3/2018?
· The Spanish Data Protection Agency and the Autonomic Authorities (Title VII)
· Proceedings in the event of a breach of data protection regulations (Title VIII)
· The penalty regime (Title IX)
16.- What digital rights does Organic Act 3/2018 provide for?
1.- Does the new Organic Data Protection Act replace the General Data Protection Regulation?
Organic Act 3/2018, of 5 December, on the Protection of Personal Data and the guarantee of digital rights ("Organic Act 3/2018" or "LOPDGDD"), does not replace or supersede Regulation (EU) 679/2016, known as the "General Data Protection Regulation" or "GDPR". It is also not a transposition into Spanish law of said Community standard (a regulation, unlike a directive, is directly applicable).
According to Recital (10) of the General Data Protection Regulation:
"This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’). To that extent, this Regulation does not exclude Member State law that sets out the circumstances for specific processing situations, including determining more precisely the conditions under which the processing of personal data is lawful."
Organic Act 3/2018 is approved, within the limits established by the General Data Protection Regulation, to regulate certain issues reserved for national legislation or to complete aspects of the Community standard. For example, section 8 of the General Data Protection Regulation, dedicated to the consent of children to the processing of their personal data, sets the age of 16 years to validly give consent. It however allows Member States to establish a younger age, provided this is not below 13 years old. Exercising this prerogative, Organic Act 3/2018 provides in section 7 that "the processing of personal data of a child may only be based on his/her consent when he/she is over 14 years of age". Accordingly, the rule established by Royal Decree 1720/2007, applicable in Spain to date, is maintained.
The rest of the Member States have also approved national laws, or are in the process of approving them.
2.- What aspects does the new standard regulate?
Organic Act 3/2018 was published in the Official Gazette of 6 December 2018, and entered into force the following day, i.e. on 7 December 2018.
The new law consists of 97 articles, distributed in 10 titles, plus a Preamble and the usual additional, transitional and final provisions.
Title I, very short, is dedicated to general aspects (scope of application, purpose of the Act, data of deceased persons).
Title II, under the heading "Data Protection Principles", does not include relevant developments as compared to the provisions of the General Data Protection Regulation. Perhaps the most significant development in this set of articles is the fixing of 14 as the age for consenting to the processing of personal data without the assistance of a parent or guardian. In previous versions of the standard, it had been proposed to lower the requirement to 13 years of age. Title III regulates the rights of the data subjects. It also does not add any aspects of interest with respect to the GDPR.
Probably the most relevant provisions are those on privacy, set out as from Title IV. Title IV contains provisions on specific types of data processing including, among others, video monitoring; the so-called "credit blacklists"; internal complaints systems and the Mail Preference Service lists or "Robinson lists". Title V refers to the specific obligations of the controller and the processor. It contains, for example, provisions regarding the Data Protection Officer, the notion of data "blocking" not provided for in the GDPR, the obligation of certain public authorities and agencies to publish on their respective website a record of processing activities, and certain specifications of the data processing contract. International data transfers and control authorities are each dedicated a separate Title (Title VI and Title VII, respectively). Titles VIII and IX develop the penalty regime.
The last title (Title X) includes a "charter of digital rights", so that its content does not relate to data protection (except for certain specific articles), nor does it supplement the basic European standard on this subject, the General Data Protection Regulation.
3.- Is the LOPD repealed?
Organic Act 3/2018 formally repeals Organic Act 15/1999 of 13 December, known as LOPD, as well as Royal Decree-Law 5/2018, approved as an urgent measure a few months ago, and as many provisions of equal or lower rank as may contradict, oppose or prove incompatible with the provisions of the General Data Protection Regulation. Notwithstanding the above, articles 23 and 24 of the LOPD remain in force insofar as not expressly amended, replaced or repealed. The above-mentioned articles regulate certain limitations and exceptions (quite logical ones, on the other hand) to the exercise of rights in relation to public files (Public Treasury, Police, etc.).
4.- Does Organic Act 3/2018 apply to contact persons and to individual professionals or entrepreneurs?
Unlike the provisions of Royal Decree 1720/2007 of 21 December, approving the Implementing Regulation of Organic Act 15/1999 of 13 December, on the protection of personal data ("RLOPD"), the General Data Protection Regulation does not exclude from its scope these categories of personal data. Organic Act 3/2018 may therefore not provide otherwise, but it does contain a presumption that its processing is carried out on the basis of legitimate interest provided that the following requirements are met (article 19 of Organic Act 3/2018):
· That the processing is limited to the contact data necessary to locate the data subject in his/her professional capacity (i.e. the processing of non-professional data is excluded from this presumption).
· That the purpose of the processing is to maintain relations with the legal entity in which the data subject provides its services, or, in the case of individual professionals and entrepreneurs, with them in that professional capacity. Therefore, the presumption that there is a legitimate interest in the processing of these data only affects "B2B" relations.
The above presumption may be rebutted, and in no event implies that the provisions of articles 12, 13 and 14 of the GDPR, in relation to transparency and information, need not be complied with. It is therefore appropriate to review any contracts, data collection forms of supplier and client legal entities and other documents.
Lastly, we should recall that the sending of commercial communications by electronic means is governed by the provisions of Act 34/2002 of 11 July, on the Information Society Services and e-Commerce (LSSICE), which is the special law applicable in these cases.
According to the LSSICE, as shown in several legal reports by the Spanish Data Protection Agency, the sending of commercial communications by electronic means requires the express authorization of the recipient of the communication. Exceptionally, customers may be sent, without an express prior authorization, commercial communications related to the products and services purchased by them, provided that, at the time of collecting the data, they have been given the option to object to receiving such information (i.e. they have been provided with a tick box or a similar mechanism to express such objection).
The LSSICE does not permit the delivery of communications based on a legitimate interest (as it does not regulate or refer to this concept). Therefore, the presumption contained in section 19 of Organic Act 3/2018 does not allow commercial communications to be sent by electronic means (mainly e-mail and SMS) without the user's authorization or non-objection.
5.- What about deceased persons?
Recital (27) of the General Data Protection Regulation provides that: "This Regulation does not apply to [...] deceased persons. Member States may provide for rules regarding the processing of personal data of deceased persons." Thus, Organic Act 3/2018 devotes two articles to deceased persons: article 3 and article 96 ("Right to the digital will").
Article 3 includes in its first section a provision similar to that contained in the RLOPD, which allows relatives of the deceased person (in particular the "persons linked to the deceased by family or factual links, as well as his/her heirs") to request access to, correction or deletion of, the personal data of such deceased person. The possibility is however provided for the deceased person to have prohibited the exercise of the rights of rectification or deletion by a third party, by expressing what could be termed as the "digital last will". Under no circumstances is it permitted to limit access to personal data by the heirs.
Article 96, included in the charter of digital rights under the heading "digital will and testament", actually adds little to the provisions of the preceding article. It remains to be seen which mechanisms or facilities data controllers shall make available to the data subjects (mainly social networks and e-mail service providers) to express their last will in relation to their personal data.
6.- What developments are included with regard to video monitoring?
In fact, no relevant developments are included as compared with the provisions of instruction 1/2006 and the legal reports of the AEPD existing prior to the General Data Protection Regulation. We should point out that our data control authority had issued a complete guide on video monitoring, which was adapted to the GDPR prior to the adoption of Organic Act 3/2018. The main AEPD publications on video monitoring are available through the following link.
Pursuant to article 22 of Organic Act 3/2018, images may be collected for the purpose of preserving the security of property, persons and facilities. As a general rule, the collection of images of public spaces is prohibited to private entities, but it is admitted where strictly necessary to meet the objective of maintaining safety and security.
The maximum period during which images may be stored is one month from collection (save where necessary to prove the commission of an illegal act or an act that threatens security), and the blocking obligation under article 32 of Organic Act 3/2018 does not apply.
The reporting duty may be fulfilled by the new information posters (which serve to provide a first layer of information and which may include links to web pages or connection codes). The model is available through the following link.
In addition, the data controller shall keep all the information provided for in the General Data Protection Regulation available to the data subjects.
In addition to the above, we should mention that Title X deals with the recording of images and sounds in the workplace and provides, in summary, as follows:
· The possibility is foreseen to use video monitoring systems in the work environment with the specific purpose of exercising the control functions provided under section 20.3 of the Workers' Statute. No authorization of the workers or their representatives is required, but both must be expressly, clearly and concisely informed of the installation of any such devices. As already established by case law, where flagrantly unlawful acts are recorded, this duty shall be deemed fulfilled if at least one visible notice of the kind approved by the Spanish Data Protection Agency is in place.
· It is prohibited to install cameras in rest or recreation areas, i.e. not only in changing rooms and toilets, but also in canteens and similar facilities.
· The recording of sounds is even more restricted, since it is only permitted in the event of a relevant risk to "the security of facilities, property and people" and always respecting the principle of proportionality.
7.- Will the regional data protection authorities continue to exist?
Yes. Article 57 of Organic Act 3/2018 provides that:
“1. The autonomous data protection authorities may exercise the functions and powers provided for in articles 57 and 58 of Regulation (EU) 2016/679, in accordance with the regulations of the autonomous community, when they refer to:
a) the processing of data where the controllers are public bodies of the relevant Autonomous Community or of the Local Entities included in its territorial area or entities providing services through any means of direct or indirect management.
b) the processing of data by individuals or legal entities for the exercise of public functions in matters falling within the competence of the relevant Autonomic or Local Administration.
c) data processing expressly provided, as appropriate, under the respective Autonomy Statutes."
8.- Who is obliged to appoint a Data Protection Officer or DPO pursuant to Spanish data protection legislation?
In addition to those that meet the requirements provided for in article 37 of the General Data Protection Regulation, the following data controller and data processor entities must appoint a DPO, pursuant to section 34 of Organic Act 3/2018:
· Professional associations and their general councils;
· Educational institutions providing education at any of the levels provided for in the law regulating the right to education, as well as public and private universities;
· Entities that operate networks and provide electronic communication services as provided under their specific legislation, when they regularly and systematically process personal data on a large scale;
· Information society service providers when developing profiles of service users on a large scale;
· The entities included in article 1 of Act 10/2014, of 26 June, on the management, supervision and solvency of credit institutions;
· Financial and credit institutions;
· Insurance and reinsurance entities;
· Investment services companies, regulated by the legislation of the Securities Market;
· Electric power and/or natural gas distributors and retailers;
· Entities responsible for common files for the assessment of creditworthiness and solvency or common files for the management and prevention of fraud, including those responsible for files regulated by the legislation on the prevention of money laundering and the financing of terrorism;
· Entities developing advertising and marketing activities, including commercial and market research activities, when they carry out any data processing based on the preferences of the data subjects or carry out activities entailing the profiling of data subjects;
· Health care centers legally obliged to maintain medical records of patients. Exceptions are health professionals who, while legally obliged to keep the medical records of patients, carry out their activity in an individual, not institutional, capacity;
· Entities having as one of their purposes the issuance of commercial reports that may refer to natural persons;
· Operators developing gaming activity through electronic, computer, telematic and interactive channels, in accordance with the rules regulating gaming;
· Private security companies;
· Sports federations when processing data of minors.
Data controllers and data processors shall report, within 10 days, the appointment of the DPO to the Spanish Data Protection Agency, which has just made available to users of its Website an access to the register (link).
9.- If I receive a notice from the Spanish Data Protection Agency, how should I calculate the deadlines provided under the data protection regulations? With regard to the exercise of their rights by data subjects, is there any difference as to the calculation of deadlines?
Additional provision three of Organic Act 3/2018 provides the following rules to avoid any doubt as to the calculation of time periods under the General Data Protection Regulation and the Act itself:
· Time frames indicated in days: only business days shall be included in the calculation, excluding Saturdays, Sundays and public holidays.
· Time frames indicated in weeks: the time frame shall end, in the week of maturity, on the same day of the week on which the act determining the start of the period took place.
· Time frames fixed in months or years: the deadline shall expire, in the month or year of maturity, on the same day of the month on which the act determining the start of the period took place (if no equivalent day exists, it shall end on the last day of the month).
With regard to the exercise of rights by data subjects, we should recall that all rights must be made effective within one month from receiving the request (except where, in the light of the complexity of the request or the number of requests received, an extension may be exceptionally granted). Therefore, and in accordance with the rules set out above, the deadline for responding to the request of a data subject shall end in the following month, on the same day of the month on which the request was received.
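The three counting rules of additional provision three, together with the one-month response deadline for data subject requests, are easy to get wrong at month ends and around weekends, so a privacy-engineering team usually encodes them once and reuses them for request tracking. The following is an added example, not code from the original newsletter or from the AEPD; the function names are ours, and it assumes (the page does not say) that the day of the triggering act itself is not counted when counting business days. The "no equivalent day" rule is handled by falling back to the last day of the month.

```python
import calendar
from datetime import date, timedelta
from typing import Iterable


def add_business_days(start: date, days: int, holidays: Iterable[date] = ()) -> date:
    """Deadline `days` business days after `start`.

    Saturdays, Sundays and the supplied public holidays are skipped.
    Assumption of this example: counting begins on the day after `start`.
    """
    skip = set(holidays)
    current, remaining = start, days
    while remaining > 0:
        current += timedelta(days=1)
        if current.weekday() < 5 and current not in skip:
            remaining -= 1
    return current


def add_weeks(start: date, weeks: int) -> date:
    """Deadline in the week of maturity, on the same weekday as `start`."""
    return start + timedelta(weeks=weeks)


def add_months(start: date, months: int) -> date:
    """Deadline on the same day of the month in the month of maturity.

    If that month has no such day (e.g. 31 January + 1 month), the
    deadline falls on the last day of the month, as the Act provides.
    """
    total = start.year * 12 + (start.month - 1) + months
    year, month_index = divmod(total, 12)
    month = month_index + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(start.day, last_day))


def add_years(start: date, years: int) -> date:
    """Years follow the same rule as months (29 February + 1 year -> 28 February)."""
    return add_months(start, 12 * years)


def data_subject_request_deadline(received: date) -> date:
    """One month from receipt of the request, absent an extension."""
    return add_months(received, 1)


def response_is_on_time(received: date, responded: date) -> bool:
    """True if the controller answered within the one-month period."""
    return responded <= data_subject_request_deadline(received)


if __name__ == "__main__":
    # Constructed dates for illustration.
    print(data_subject_request_deadline(date(2019, 1, 31)))       # 2019-02-28
    print(add_business_days(date(2019, 1, 18), 3, [date(2019, 1, 21)]))  # 2019-01-24
```

The constructed holiday list stands in for the public-holiday calendar that applies to the controller; for Spain this differs by region, so the calendar should be data, not code.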
10.- Will an authorization by the Spanish Data Protection Agency be required to carry out international data transfers?
In this regard, the procedure to be followed is considerably simplified with respect to the regime previously applicable. Authorization by the AEPD is reserved for specific scenarios. By way of example, international data transfers based on the signing of standard contractual clauses approved by the European Commission (which is the mechanism normally used by an entity wishing to share data outside the European Economic Area) do not require authorization.
11.- Should I block personal data when someone exercises the new right of deletion?
The "blocking" of personal data is not defined as such in the General Data Protection Regulation. In Spain, however, we are used to associating this term with the right of cancellation. Under the previous regulation, cancellation of data caused their blocking, and implied the storage of such data so they could be accessible to competent judicial bodies and authorities as necessary.
The blocking provided the data controller with certainty, since it was not required to physically delete the data, but it complicated the regulation of preservation periods. Such periods were required to cover the time frame of active preservation of the data (for example, because they could not be deleted for so long as a statute required their conservation) and the blocking period (during which the data remain in the system, but only accessible under very limited circumstances, prior to their final deletion).
Article 32 of Organic Act 3/2018 retains the notion of data blocking in our legislation. Pursuant to this provision, "the data controller shall be obliged to block data when proceeding with their correction or deletion". Blocking entails adopting technical and organizational measures to prevent the processing of data (including visualization). Data may only be made available to judges, courts, the Public Prosecutor's Office or other competent public bodies, in order to establish liability arising from data processing. Accordingly, data need to be blocked for the limitation period of the relevant infringements.
Section 4 of article 32 provides that, when the system configuration does not permit the blocking of data or this would involve disproportionate efforts, information should be backed up to enable future establishment of the authenticity of data and the absence of any tampering with them.
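Article 32 describes blocking in functional terms: processing (including visualization) is prevented, the data stay available only to judges, courts, the Public Prosecutor's Office and other competent public bodies, and they are kept for the limitation period of the relevant infringements; section 4 adds an integrity safeguard where blocking itself is impracticable. The following is an added example, not code from the original newsletter or from any product, of how an application can implement those three properties in its own data layer: a deletion request flips the record into a blocked state instead of physically deleting it, ordinary application reads are refused and logged, privileged roles (constructed role names) are disclosed the data with an audit entry, a SHA-256 fingerprint taken at blocking time allows later detection of tampering, and a purge job deletes the record once the limitation period has elapsed. The length of the limitation period is a parameter, since it depends on the infringement.

```python
import hashlib
import json
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple


class BlockedDataError(PermissionError):
    """Raised when an ordinary application path tries to process blocked data."""


@dataclass
class Record:
    data: Dict[str, str]
    blocked_on: Optional[date] = None      # date the deletion request was honoured
    blocked_until: Optional[date] = None   # end of the limitation period
    fingerprint: Optional[str] = None      # integrity hash taken at blocking time


def fingerprint(data: Dict[str, str]) -> str:
    """Canonical SHA-256 over the record so later tampering can be detected."""
    canonical = json.dumps(data, sort_keys=True, separators=(",", ":")).encode()
    return hashlib.sha256(canonical).hexdigest()


class PersonalDataStore:
    # Roles still allowed to see blocked data (constructed names standing in for
    # the judges, courts, prosecutors and public bodies named in article 32).
    PRIVILEGED_ROLES = frozenset({"judicial_authority", "public_prosecutor"})

    def __init__(self, limitation_period: timedelta) -> None:
        self._records: Dict[str, Record] = {}
        self.limitation_period = limitation_period
        self.audit: List[Tuple[str, str, str]] = []  # (event, key, role)

    def put(self, key: str, data: Dict[str, str]) -> None:
        self._records[key] = Record(dict(data))

    def read(self, key: str, role: str = "application") -> Dict[str, str]:
        """Normal reads succeed; once blocked, only privileged roles get the data."""
        rec = self._records[key]
        if rec.blocked_on is not None:
            if role not in self.PRIVILEGED_ROLES:
                self.audit.append(("denied", key, role))
                raise BlockedDataError(f"{key} is blocked")
            self.audit.append(("disclosed", key, role))
        return dict(rec.data)

    def erase(self, key: str, today: date) -> date:
        """Honour a deletion request by blocking rather than deleting.

        Returns the date on which the record may be physically purged.
        """
        rec = self._records[key]
        rec.fingerprint = fingerprint(rec.data)
        rec.blocked_on = today
        rec.blocked_until = today + self.limitation_period
        self.audit.append(("blocked", key, "controller"))
        return rec.blocked_until

    def is_blocked(self, key: str) -> bool:
        return self._records[key].blocked_on is not None

    def verify_integrity(self, key: str) -> bool:
        """Check that blocked data still match the fingerprint taken when blocked."""
        rec = self._records[key]
        return rec.fingerprint is not None and fingerprint(rec.data) == rec.fingerprint

    def purge_expired(self, today: date) -> List[str]:
        """Physically delete blocked records whose limitation period has elapsed."""
        expired = [k for k, r in self._records.items()
                   if r.blocked_until is not None and today >= r.blocked_until]
        for k in expired:
            del self._records[k]
            self.audit.append(("purged", k, "controller"))
        return expired


if __name__ == "__main__":
    # Constructed sample data and a constructed three-year limitation period.
    store = PersonalDataStore(limitation_period=timedelta(days=3 * 365))
    store.put("user-42", {"name": "Constructed Name", "email": "user42@example.invalid"})
    print(store.erase("user-42", date(2019, 1, 21)))  # 2022-01-20
    print(store.purge_expired(date(2022, 1, 20)))     # ['user-42']
```

In a real deployment the audit list would be an append-only log outside the application's own write path, and the blocked flag would be enforced at the storage or query layer so that no ordinary code path can bypass it; the point of the example is that "blocked" is a distinct state with its own access policy and expiry, not just a soft-delete flag.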
12.- Is whistle blowing expressly regulated?
Yes, article 24 of the new standard is dedicated to the processing arising from the implementation of whistle-blowing systems, increasingly common within companies. As an important development with respect to the previous regime, section one of this provision expressly acknowledges that complaints may be filed on an anonymous basis.
Article 24 further provides that, as a general rule, data shall be deleted from the system within three months from the entry of such data, save where information should be retained to provide evidence of the operation for crime prevention purposes. Any complaints reported and not dealt with shall be stored on an anonymous basis.
In addition, we should recall that whistle-blowing systems implemented prior to the entry into force of the GDPR need to be reviewed and their operation adapted to the new regulation (for example, as regards information and transparency, legitimate grounds for processing, security measures applied, etc.).
13.- Should I amend my existing contracts with data processors to adapt them to the new regulation?
This is not strictly necessary. Pursuant to the transitional provision number five, data processing contracts entered into prior to 25 May 2018 pursuant to article 12 of the repealed Organic Act 15/1999 (LOPD) shall remain valid until their respective maturity date indicated therein, and if agreed for an indefinite period of time, until 25 May 2022.
14.- What specific requirements need to be met in relation to anonymization of data in medical and health care research?
Organic Act 3/2018 devotes its additional provision 17 to regulating certain aspects relating to the processing of health care data. It would have been more logical to place this content in article 9 of the Act, devoted to special categories of data, or in a separate provision forming part of the main body of the Act. In any event, additional provision 17 provides the following requirements for the anonymization of data in this area:
1st. It is necessary to ensure a technical and functional segregation between the research team and the persons or entity in charge of the anonymization process, and, where appropriate, the custody of the codes or information enabling the reversal of the process.
2nd. Anonymized data may only be accessed by the research team when:
· An express confidentiality and non-identification commitment has been signed;
· Specific security measures have been adopted to prevent re-identification and unauthorized access by third parties.
It is also provided that re-identification shall be possible in the event of real and specific danger to the health or safety of a person or a group of persons, or when required to guarantee their rights or a proper health care.
Organic Act 3/2018 does not include similar provisions for the application of anonymization techniques in relation to data processing in other domains, but we understand that the above regulations may be taken as a reference in other contexts. Thus, for example, the signing of specific commitments by users involved in the processing of anonymized data appears to be a reasonable organisational/legal measure to apply in most cases, as does the segregation of functions between users responsible for the anonymization process and users with access to anonymized data.
15.- What are the powers and authorities of control authorities and what developments have been introduced in the penalty regime under Organic Act 3/2018?
We examine below the issues that are probably the most difficult to unify among Member States; those relating to organizational aspects of the control authorities, on the one hand, and the sanctions regime of the standard, on the other hand. It should be borne in mind that each supervisory authority needs to fit into the administrative structure of its respective country and to apply the relevant procedural rules when imposing fines/sanctions.
The titles of Organic Act 3/2018 to which we refer (which, except for articles 52 and 53, and as provided under Final provision One, do not have the nature of organic law by reason of the matter they regulate), are as follows:
· Title VII: Data protection authorities: Articles 44 to 62.
· Title VIII: Procedure in the event of a breach of data protection regulations: Articles 63 to 69.
· Title IX: Penalty system: Articles 70 to 78.
Before moving on to analyze the content of the titles and articles cited above, we should highlight one of the more striking issues on a first reading: the change of terminology, in some cases without any apparent justification. By way of example, we will cite the following instances:
· The "Agency Director" now becomes the "President of the Spanish Data Protection Agency". His/her mandate extends for a further year (five years instead of four), and it is provided that "the legislation regulating the exercise of high-ranking offices in the State General Administration shall apply" (article 48);
· The President of the Spanish Data Protection Agency may issue “circulars”, not "instructions". Article 55 provides that the provisions of the interpretation of the Act and of the GDPR issued by the President shall be referred to as "Circulars of the Spanish Data Protection Agency" and shall be mandatory once published in the State Official Gazette.
· In lieu of disciplinary procedures and protection of rights, Organic Act 3/2018 refers to "procedures in the event of a breach of data protection regulations". For the time being, it appears that the difference between these two types of proceedings will disappear (i.e. there shall be no specific procedure, unless otherwise provided by regulation, enabling the data subjects to seek from the data protection authorities a control or verification of the manner in which a company has acted in relation to a request for the exercise of their rights). Article 69 however provides that the Spanish Data Protection Agency "may, on a motivated basis, grant such interim measures as may be necessary and proportionate to safeguard the fundamental right to data protection", including the "immediate obligation to comply with the right as requested by the data subject". In relation to claims procedures whose processing corresponds to the AEPD, pursuant to article 63 of Organic Act 3/2018, their specific regulation is deferred to the provisions of a royal decree pending enactment.
The Spanish Data Protection Agency and the Autonomic Authorities (Title VII)
Article 44 of the LOPDGDD defines the Spanish Data Protection Agency as "an independent administrative authority of nationwide jurisdiction, of those provided for under Act 40/2015, of 1 October, on the Public Sector Legal System, with legal personality and full public and private capacity, which acts in full independence of public authorities in the exercise of its functions".
In detailing its functions, Organic Act 3/2018 refers to articles 57 and 58 of the General Data Protection Regulation, although it devotes specific articles to the scope of investigative powers (article 53), to the development of preventive audit plans in specific sectors, which will give rise to mandatory guidelines (article 54), and regulatory powers to issue, as we have indicated, circulars (article 55).
In addition, pursuant to article 56, the AEPD shall be entitled to hold and exercise the functions related to the State's external action in data protection matters. A confusing addition to this article in the last stage of parliamentary discussion of the Act allows "autonomous communities, through the autonomous data protection authorities", to exercise functions in their capacity as "subjects of external action within their areas of competence", and further enables them to "enter into international administrative agreements for the execution and implementation of an international treaty and non-prescriptive agreements with similar bodies of other subjects of international law, not binding on those subscribing them, on matters of their competence".
The autonomous authorities are regulated by articles 57, 58 and 59. The latter allows the authority of the AEPD to be extended to data processing carried out in matters that fall within the competence of the autonomous data protection authorities when a breach of the General Data Protection Regulation is detected. The AEPD may request the autonomous regional authority to take the necessary measures to put an end to the situation. If the autonomous regional authority does not respond to the request, or if the measures adopted fail to bring the illegal data processing to an end, then the Spanish Data Protection Agency may bring any actions before the public law courts ("jurisdicción contencioso-administrativa").
In line with what was provided to date, the autonomous regional authorities shall have the powers over the following data processing types (Article 57):
a) the processing of data where the controllers are public bodies of the relevant Autonomous Community or of the Local Entities included in its territorial area or entities providing services through any means of direct or indirect management.
b) the processing of data by individuals or legal entities for the exercise of public functions in matters falling within the competence of the relevant Autonomic or Local Administration.
c) data processing expressly provided, as appropriate, under the respective Autonomy Statutes.
Proceedings in the event of a breach of data protection regulations (Title VIII)
Title VIII is relatively short. It encompasses only seven articles, 63 to 69 both inclusive. The first indicates that these procedures shall be governed by the GDPR, Organic Act 3/2018, by the provisions enacted in implementation thereof, and insofar as they do not contradict them, by the general rules of administrative procedures.
More practical and detailed issues have been left to be developed by the royal decree to be eventually enacted. Certain administrative time frames are however expressly regulated:
· In the proceedings exclusively concerning failure to comply with a request for the exercise of the rights covered by articles 15 to 22 of the GDPR, the deadline to adopt a resolution shall be six months from the date on which the relevant claim was filed, and positive administrative silence shall apply (i.e. upon expiry of said period without an express resolution having been adopted, the data subject may deem its request as approved).
· In proceedings whose purpose is to establish an infringement of data protection regulations, the maximum duration of the proceedings shall be nine months from the agreement that started the proceedings. Upon expiry of the period, the proceedings shall be deemed expired and the action shall be deemed dismissed.
The above procedural deadlines shall be automatically suspended when "information, consultation, request for assistance or mandatory opinion" needs to be obtained from a control authority in any member State or from an EU body. Moreover, a final deadline of one year is established for any investigative actions. Also mentioned are some very general aspects of the proceedings.
Other very important issues which have not been left to be developed by implementing regulations are the following:
1. Article 65.3: Admission of claims to proceed.
The Spanish Data Protection Agency may decline to admit a claim when the data controller or processor (only them, not any of the other subjects liable to sanctions) has, following a warning issued by the AEPD, adopted corrective measures to end the breach and either of the following circumstances applies:
a. No harm has been caused to the data subject in the event of any infringements of article 74 (minor infringements).
b. The right of the affected data subject is fully guaranteed by implementing the measures.
2. Article 65.4: Where the claim has not first been submitted to the data protection officer or to the supervisory body under the applicable code of conduct, the AEPD may forward it to them, for the purposes of articles 37 and 38.2 of Organic Act 3/2018, before resolving on its admission.
The penalty regime (Title IX)
The penalty regime in the new Organic Act 3/2018 is the second time Spanish law has been brought into line with the GDPR on this point. Last summer, Royal Decree-Law 5/2018 of 27 July, on urgent measures for the adaptation of Spanish legislation to the European Union's data protection regulations, was passed. That royal decree-law adapted only the penalty regime, on the understanding that this matter was not reserved to an organic law. A royal decree-law was used because of the uncertainty over when the Act, then under discussion in parliament and whose successive drafts had been repeatedly delayed by other priorities on the legislative agenda, would be passed. The text approved by the Government entered into force and was applied for little more than four months.
Focusing on Organic Act 3/2018, one of the first issues that strikes the reader is that Title IX expands the scope of the subjects potentially liable to sanctions. Under the preceding regulatory framework, only the data controller and the data processor could be held liable for breaches of the LOPD. Under article 70 of the new standard, however, the following are subject to the penalty regime:
· The data controller;
· The data processor;
· The representatives of data controllers and data processors not established in the European Union;
· Certification bodies;
· The accredited bodies monitoring codes of conduct.
Data protection officers are expressly excluded from being considered subject to liability.
As a logical result of the above, certain offenses are listed which may only be committed by some of the above-mentioned subjects. For example, the infringement consisting in "obtaining accreditation as a certification body by submitting inaccurate information on the fulfilment of the requirements of Article 43 of Regulation (EU) 2016/679", may obviously be attributed only to certification entities.
One of the most important novelties with respect to the GDPR, which only distinguishes two kinds of penalties, consists in the categorization of offenses as minor, serious and very serious, each of which with different limitation periods (a year, two years and three years, respectively). Let us recall that the GDPR distinguishes between:
· Conduct punishable by administrative fines of up to EUR 10,000,000 or, in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher (article 83.4).
· Conduct punishable by administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher (article 83.5).
Serious offenses under Organic Act 3/2018 are those contained in article 83.4 of the GDPR, and very serious offenses those of article 83.5 of the GDPR. So far, this is consistent. The problem is that the new Act classifies as minor certain offenses that appear in both sections of article 83. In other words, conduct that the Community legislator considers deserving of a higher penalty is treated as minor by our legislator (and consequently, even if this is not expressly stated, it should attract a lower fine than that associated with serious and very serious offenses).
Adding to the confusion, articles 72, 73 and 74 of Organic Act 3/2018 do not provide closed lists of offenses. They use an open-ended formula: minor, serious and very serious offenses are those referred to in the GDPR (since an organic law may not amend the penalty regime imposed by a Community regulation), "and in particular" those listed in the relevant article.
Among the offenses listed in our national standard as minor are, for example, the following:
· Incomplete, late or defective notification to the data protection authority of a personal data breach pursuant to article 33 of Regulation (EU) 2016/679.
· Failure to document a security breach as required under article 33.5 of Regulation (EU) 2016/679.
· Failure to publish the contact details of the data protection officer, or to communicate them to the data protection authority, when the designation is mandatory pursuant to article 37 of Regulation (EU) 2016/679 and article 34 of this organic Act.
· Failure by certification bodies to inform the data protection authority of the issuance, renewal or withdrawal of a certification, as required by sections 1 and 5 of article 43 of Regulation (EU) 2016/679.
The following conducts are listed as serious offenses:
· The processing of personal data of a child without obtaining his/her consent, when he/she is able to provide it, or that of the holder of parental responsibility or guardian, pursuant to article 8 of Regulation (EU) 2016/679.
· Failure to prove reasonable efforts to verify the validity of the consent of a child or of the holder of parental authority or guardianship over the child, as required under section 8.2 of Regulation (EU) 2016/679.
· Failure to permit the effective participation of the data protection officer in all matters concerning the protection of personal data, failure to support him/her, or interfering in the performance of his/her functions.
· The use of a data protection seal or certification which has not been issued by a duly accredited certification body or after the validity of the seal or certification has expired.
By way of example of very serious offences, we mention the following:
· Failure to comply with the requirements of Article 7 of Regulation (EU) 2016/679 for the validity of the consent.
· The use of the data for a purpose not compatible with the purpose for which they were collected, without the consent of the data subject or without a legal basis.
· The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without any of the circumstances provided for in said provision and in article 9 of this Organic Act.
· The deliberate reversal of an anonymization procedure to permit data subjects to be re-identified.
Applying this penalty regime will not be straightforward or uncontroversial: it could lead to different treatment of entities located in different Member States, and it sits uneasily with the principle of legality in administrative sanctions, which requires every offence to be precisely defined in the law (the principle of "tipicidad").
Furthermore, article 76 on "sanctions and corrective measures" refers to the penalties and graduation criteria provided under article 83 of the GDPR. It expressly states that other graduation criteria may also be considered, such as the following:
“(a) The continuing nature of the offence.
(b) The fact that the offender's activity is linked with the processing of personal data;
(c) The profits obtained as a result of the commission of the offence.
(d) The possibility that the conduct of the data subject could have prompted the commission of the offence;
(e) The existence of a merger by absorption process following the commission of the offence, which cannot be attributed to the absorbing entity.
(f) The impact of the offence on the rights of children;
(g) Having a data protection officer, when not mandatory;
(h) The voluntary submission of the data controller or processor to alternative dispute-resolution mechanisms, where disputes arise between them and any data subjects.”
Article 78 provides limitation periods for the penalties, also in three categories, in line with the amounts of the fines provided under the preceding regime:
· Penalties for an amount equal to or lower than EUR 40,000 shall lapse after one year.
· Penalties for amounts between EUR 40,001 and EUR 300,000 shall lapse after two years.
· Penalties for amounts exceeding EUR 300,000 shall lapse after three years.
Nowhere is it indicated that the above-mentioned amounts correspond to minor, serious and very serious offences.
As an aside, we note that, in addition to the publicity that AEPD resolutions will continue to receive, penalties imposed on legal entities for amounts exceeding EUR 1 million shall be published in the State Gazette.
Finally, we refer to article 77 and the specific regime that applies to a range of public-sector bodies and entities, such as constitutional and judicial bodies, independent administrative authorities, the Bank of Spain, public universities, public-sector foundations, etc.
Where any of these entities commits a breach of articles 72 to 74, the competent data protection authority shall issue a warning resolution setting out the measures it considers appropriate to ensure that the conduct ceases or its effects are corrected. If the competent authority is the AEPD, it shall publish the relevant resolutions on its website, expressly identifying the data controller or data processor that committed the infringement.
16.- What digital rights does Organic Act 3/2018 provide for?
One of the more significant changes introduced to Organic Act 3/2018 during its parliamentary processing is the inclusion of a last title (Title X), which exceeds the limits of data protection and the adaptation of domestic law to the GDPR. Articles 79 to 97, both inclusive, list a number of digital rights that may be classified into four blocks:
· Access to and use of the Internet;
· Rights of children;
· Extension of the rights of data subjects;
· Rights of workers.
Access to and use of the Internet
The first four articles of Title X (articles 79 to 82) and the last provision (article 97) set out a number of rights, formulated in very broad terms, which share the aim of ensuring access to and use of the Internet on an equal footing. Among these are:
· The right to neutrality of the Internet (article 80).
· The right of universal access to the Internet (article 81).
· The right to security of communications transmitted and received through the Internet (article 82).
Minors
Articles 83, 84 and 92 specifically refer to the digital rights of minors, who for obvious reasons require special protection. In this regard, a reform of curricula and the training of teachers is envisaged to include matters relating to digital competences (article 83) and the obligation is recalled of educational institutions and of any individual or legal entity carrying out activities involving minors to protect the child from the publication of his/her data through the information society services.
Extension of the rights of data subjects
Included in this group are rights that qualify or expand those listed in the GDPR and in the rest of Organic Act 3/2018, supplementing them with guarantees contained in other legal provisions. All of them aim to ensure that the data subject retains control over the information concerning his/her person published on the Internet, primarily through communication media, social networks and equivalent services. The rights contained in this block are as follows:
· The right of rectification on the Internet (article 85), which refers to the right of rectification recognized by Organic Act 2/1984 (a right distinct from the right of rectification under data protection law) and which requires social networks and equivalent services to establish mechanisms guaranteeing the exercise of that right;
· The right to update information on digital media (article 86);
· The right to be forgotten in relation to Internet searches (article 93);
· The right to be forgotten in social networks and equivalent services (article 94);
· The right to data portability in social networks and equivalent services (article 95);
· The right to a digital will (article 96).
Digital rights of the worker
Articles 87, 89 and 90 deal with privacy in relation to the use of digital devices, privacy in relation to the use of video monitoring and sound-recording devices, and privacy in relation to the use of geolocation systems. None of these provisions prohibits the employer from exercising the control measures recognized in article 20 of the Workers' Statute. What they stress is the need to inform the worker clearly of any such checks, as Spanish and European case law had already established. Their contents can be summarized as follows:
Digital devices (company computers, tablets, smartphones, etc.):
- Employers must establish criteria for the use of such devices that comply with minimum privacy standards in accordance with social uses and with the rights recognized by the law and by the Constitution. Authorized uses need to be clearly explained and guarantees need to be established to preserve the workers' privacy.
- The workers' representatives must be involved in preparing the relevant procedures.
- Most companies have policies in place in relation to the use of the various digital devices they provide. However, not all entities have involved the workers' representatives in drafting such policies and procedures (at the most, they have been informed of the content of the policies). Furthermore, control mechanisms established are often poorly described.
Video monitoring and sound recording (complementary to the provisions of article 22 of Organic Act 3/2018):
- Video monitoring systems may be used in the work environment for the specific purpose of exercising the control functions provided under section 20.3 of the Workers' Statute. No authorization from the workers or their representatives is required, but both must be informed expressly, clearly and concisely of the installation of any such devices. As already established by case law, where the recording captures the flagrant commission of an unlawful act, this duty is deemed fulfilled provided that at least the warning notice referred to in article 22.4 of Organic Act 3/2018 is in place.
- It is expressly prohibited to install cameras in rest or recreation areas, i.e. not only in changing rooms and toilets, but also in canteens and similar facilities.
Geolocation systems:
- The use of these devices shall require the employees and their representatives to be clearly informed of their existence and of the possibility for workers to exercise their rights of access, rectification, limitation of the processing and deletion of their data.
- Furthermore, article 88 provides for the so-called "right to digital disconnection" which shall require employers, pursuant to its third section, to draft an internal policy addressed to workers in which they define the modalities in which this right may be exercised and propose training and awareness-raising measures on the reasonable use of technological tools.
To close this block of provisions, article 91 provides that "collective bargaining agreements may provide additional guarantees of the rights and freedoms related to the processing of workers' personal data and the protection of digital rights in the labor field".