Legal news on Privacy and New Technologies - First quarter of 2019
26 April 2019
TABLE OF CONTENTS
1.- “Fingerprinting” study: the Spanish Data Protection Act warns about privacy concerns
2.- Trade Secrets Act approved
3.- The AEPD publishes its guide on personal data breach management and notification in English
4.- The Government approves the creation of the Cyberoperations for the General administration of the state
5.- The AEPD publishes a new legal report on the processing of health data
6.- The AEPD publishes a regulation on the processing of personal data relating to political opinions by political parties
1.- “Fingerprinting” study: the Spanish Data Protection Act warns about privacy concerns
The Spanish Data Protection Agency (“AEPD”) has published its study “Fingerprinting”, in which it analyses how these identification techniques work and how they affect the user’s privacy. According to the AEPD, “device fingerprinting is the systematic gathering of information on a specific remote device with the aim of identifying, singling out and, thus being able to monitor its user's activity for the purpose of profiling”. Individualizing the terminal means, in the AEPD's opinion, individualizing the person who is using it.
Through the so-called “fingerprinting” techniques, upon accessing a website, the browser executes on the user’s device, and without their knowledge, a series of processes with the aim of gathering sufficiently detailed information to uniquely identify it and then transmits this to the server which stores it for subsequent use.
The use of these techniques may have legitimate purposes. However, they may also be used to monitor users during their web browsing and compile information on their habits and interests without the user being conscious of it.
The guidelines are available in English through the following link.
2.- Trade Secrets Act approved
The Business Secrets Act (“LSE” or “The Act”) entered into force on 13 March. The Law, published in the Official State Gazette on 21 February, transposes Directive (EU) 2016/943 on Trade Secrets into Spanish law, albeit with a delay of almost eight months, since the term for implementation expired on 9 June 2018. The Law is structured in twenty-five articles distributed in five chapters, one transitional provision and six final provisions.
Until the approval of the LSE, regulation regarding trade secrets was contained in various legal texts, mainly the Criminal Code and the Spanish Unfair Competition Act. According to the Act, trade secret is understood as “any knowledge or information of a technological, scientific, industrial, financial, organizational or commercial nature that is kept secret, has business value for the very fact that it is secret, and has been the subject of reasonable measures by its owner to keep it secret”.
The LSE also provides that trade secrets are an object of property, establishing their transmissibility as well as the possibility of their being co-owned by several persons. The law establishes that trade secrets may also be licensed with the objective, material, territorial and temporal scope agreed in each case.
The Act defines different conducts that constitute the violation of trade secrets and regulates various actions in defense of these rights. In addition, the LSE contains procedural provisions granting territorial jurisdiction to the Commercial Courts of the defendant's domicile or, at the plaintiff's choice, those of the province where the infringement took place or where its effects occurred.
Finally, the LSE amends Article 13 of Law 3/1991, of 10 January, on Unfair Competition: while the violation of business secrets remains an act of unfair competition, the article now specifies that it will be governed by the provisions of the LSE. In this way, the LSE will act as a special law with respect to the provisions of the LCD.
You can get more information through the following link.
3.- The AEPD publishes its guide on personal data breach management and notification in English
The document contains practical criteria on when to report a breach to the control authority, based on the analysis of different variables such as the volume of data, the categories and approximate number of data subjects, or the disclosure to which they are subjected.
The document is available in English at the following link.
4.- The Government approves the creation of the Cyberoperations for the General administration of the state
The Cabinet has approved the creation of the Cybersecurity Operations Centre as an instrument of the General Administration of the State (AGE). The purpose of the Cybersecurity Operations Centre (SOC, “Security Operations Center” in English) is to provide horizontal cybersecurity services that strengthen threat surveillance and detection in the daily operation of the AGE's information and communications systems, and to improve its ability to respond to any attack.
You can consult the English version of the press release at the following link.
5.- The AEPD publishes a new legal report on the processing of health data
In a legal report published on its website, the AEPD responds to a consultation raised by the National Centre for Epidemiology (CNE) concerning the existing legal basis for the processing of personal health data. In particular, the consultation asks whether public bodies are legally authorized to transfer personal health data without the consent of the interested party or whether, on the contrary, this consent is necessary.
The CNE is a state center belonging to the Carlos III Health Institute (ISCIII) that carries out surveillance tasks for certain diseases subject to compulsory declaration (AIDS, tuberculosis, etc.). In order to identify these pathologies, it needs to use different databases, clinical and administrative, managed by other public bodies.
In the AEPD's opinion, the consent of the affected persons is not necessary for the transfer by the Public Administrations to the CNE of personal data related to health in the case of public health or epidemiological data, for the following reasons.
The health activity is covered by the General Health Law (Law 14/1986, of 25 April), which recognizes as a fundamental activity of the health system the carrying out of epidemiological studies in order to more effectively guide the prevention of health risks. In addition, the General Public Health Law (Law 33/2011, of 4 October) establishes in its Title II a series of actions to be carried out by the Health Administrations.
According to article 41 of the aforementioned General Public Health Law, “health authorities may require health services and professionals to provide reports, protocols or other documents for health information purposes...”. Therefore, health administrations will not need to obtain the consent of the affected person when this is strictly necessary for the protection of the population's health.
If you want to consult the complete text in Spanish, click on the following link.
6.- The AEPD publishes a regulation on the processing of personal data relating to political opinions by political parties
Regulation 1/2019 on the processing of personal data relating to political opinions and the sending of electoral advertising by electronic means or messaging systems by political parties, federations, coalitions and groups of voters was published on March 7. The Regulation entered into force on the day following its publication.
The third final provision of the LOPDGDD modified Organic Law 5/1985, of 19 June, on the General Electoral System (“LOREG”), introducing the controversial art. 58 bis with the aim of regulating the compilation and processing of political opinions by parties as well as the sending of electoral advertising. As the Agency points out, the restrictive interpretation would be supported by the need for article 58 bis to be interpreted in accordance with the provisions of the Spanish Constitution, so that it does not violate fundamental rights, such as the right to the protection of personal data recognized in article 18.4, the right to ideological freedom in article 16, the freedom of expression and information in article 20 or the right to political participation in article 23.
Personal data that may be subject to processing
According to the provisions of article 5, “only the political opinions of persons freely expressed by them in the exercise of their right to ideological freedom and freedom of expression recognized in articles 16 and 20 of the Spanish Constitution may be compiled”. According to the text, the only sources from which these data can be obtained are web pages and those sources that are publicly accessible, understood as those that can be consulted by anyone.
Safeguards
The text sets out a series of specific measures to protect the interests and rights of those concerned. These include the obligation to appoint a Data Protection Officer, the adoption of technical measures such as pseudonymisation, aggregation and anonymization, and the obligation to consult the AEPD before processing unless the data controller justifies that it has taken measures to mitigate risk. The request for consultation with the AEPD or, failing that, the submission of such documentation must be made at least 14 weeks before the start of the electoral period.
Duty to provide information
Information should be concise, transparent, intelligible and easily accessible, using clear and simple language. In cases where individual communication to those concerned is impossible or disproportionate, it should be made available in electronic form on the controller's website and in its accounts on social networks or equivalent services.
The Regulation has introduced in its transitional provision an exception with respect to the electoral processes of April 28 and May 26, setting the deadline at three weeks before the start of the electoral campaign (not 14 weeks).
You can access the provision via the following link.