When August was about to start, the Royal Decree-law 5/2018, of 27 July, on urgent measures for the adaptation of Spanish law to the European Union regulations on data protection (“Royal Decree-law”) was published in the Official State Bulletin. Motivated by the delay in the approval of the new organic law on data protection, which is currently under parliamentary discussion, it regulates certain matters which, as its explanatory memorandum states, “do not admit delay” and are not subject to the qualified majorities required for the approval of Spanish organic laws.
The Royal Decree-law is rather brief. It has 14 sections, divided into three chapters, with the following main content:
1.- Chapter I (Sections 1 and 2): Identification of the staff qualified for the exercise of the powers of investigation attributed to the supervisory authority by the Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Accordingly, the regime applicable to the personnel of supervisory authorities of other Member States that take part in joint investigations is specified. Section 1 of the Royal Decree-law expressly notes that “the investigative activity of the Spanish Data Protection Agency will be carried out by the Agency’s public servants or by outside staff expressly authorised by its Director”.
2.- Chapter II (Sections 3 to 6): Regulation of the sanctioning regime set forth by the GDPR for its correct application in accordance with Spanish law.
Although there are no variations in the definition of the conduct that is deemed an infringement under the GDPR (in other words, no detailed catalogue of infringements has been included), there are other key aspects, such as:
· Responsible subjects. In addition to the controller and the processor, the following subjects may be held liable for infringements: representatives of controllers and processors not established in the EU, accreditation bodies and entities certified for the supervision of codes of conduct. Data protection officers are expressly excluded from the sanctioning regime.
· Limitation period for infringements. It is set at three years for the infringements listed in sections 83.5 and 83.6 GDPR, and two years for those described in section 83.4 GDPR. The limitation period is interrupted by the initiation of sanctioning proceedings.
· Limitation period for sanctions. The Royal Decree-law sets three tiers that coincide with those set by Organic Law 15/1999 (the Spanish Data Protection Act in force at the time the GDPR was passed):
· Sanctions of EUR 40,000 or less prescribe after one year.
· Sanctions of between EUR 40,001 and EUR 300,000 prescribe after two years.
· Sanctions over EUR 300,001 prescribe after three years.
We would like to draw attention to the fact that, in order not to generate discrepancies in the application of the GDPR among the Member States, all other European supervisory authorities should follow the same criteria.
3.- Chapter III (Sections 7 to 14): Regulation of the procedure applicable in case of GDPR violations.
As under the previous regulation, two different kinds of proceedings are identified:
· Those in which data subjects file a claim because of a lack of response to a request to exercise the rights established in sections 15 to 22 GDPR (the former proceedings for the protection of rights).
As a special feature of this kind of proceedings, compared with the proceedings described below, the Royal Decree-law provides that the Spanish Data Protection Agency (“AEPD”) will have 6 months from the acceptance for processing to decide on the matter. After this period, the Royal Decree-law provides that the claim will be deemed granted, which entails a clear detriment to the data controller since, in the event of inactivity by the AEPD, the petition will be automatically granted.
· Those which consist of determining whether a possible infringement of the GDPR exists (the former sanctioning proceedings). These proceedings begin with an AEPD decision, either on its own initiative, following a claim filed before it, or following the referral by another supervisory authority of a claim brought before the latter.
Below we summarise the proceedings to be followed by the AEPD when it receives a claim, with special attention to the time limits set by the Royal Decree-law for each formality, with which the AEPD will have to comply from now on:
a) When a claim is submitted to the AEPD, the Agency will verify whether it falls under its jurisdiction, as well as the national or cross-border nature of the possible infringement. If the AEPD finds it is not competent, it will decline jurisdiction ex officio and forward the claim to the competent authorities.
b) If the AEPD considers it is competent to examine the claim, it will decide whether the claim is to be admitted, and may reject it in the following scenarios:
· The claim is not about data protection matters (for example it refers to civil contracting or to aspects clearly excluded from the scope of application of the GDPR).
· The claim is unfounded.
· The claim is abusive. The AEPD’s interpretation of this point remains to be seen, but it may lead to the rejection of consumer claims, or claims filed by employees against the data controller/processor, where it is clear that the invasion of privacy is insignificant and the claim is being used as a pressure mechanism or is due to a dispute between the parties unrelated to data protection.
· There are no reasonable grounds for suspecting any infringement.
· The controller or the processor, after a request from the AEPD, has adopted sufficient corrective measures and one of the following circumstances applies:
i) No damage has been caused to the data subject.
ii) The right of the data subject is fully guaranteed through the adoption of the measures.
This last possibility is the successor of the formal warning foreseen by prior Spanish regulations, although the conditions for its application are not as strict (for example, it is no longer necessary for the entity benefiting from it not to have been penalised before). This will allow the AEPD to archive claims under appropriate circumstances, given the minor importance of the infringement. Furthermore, section 9.4 of the Royal Decree-law establishes that the AEPD may forward the filed claim to the data controller or processor so that the latter can respond to it within one month.
The drafting of that subsection four is unclear. Its first paragraph provides that the possibility of forwarding the claim will apply exclusively to data controllers and processors which have designated a data protection officer, or to the body entrusted with supervising compliance with codes of conduct, where there has been an adhesion to out-of-court dispute resolution mechanisms. However, the next paragraph states that the same possibility will apply to entities that do not meet the requirements described above.
It should be noted that in prior versions of the draft of the new organic data protection law, this possibility was foreseen only for data controllers and processors with a data protection officer, which was an important incentive for appointing one. Nevertheless, with the passing of the Royal Decree-law, any company may receive the same treatment, and it is foreseeable that this formality will become a mere filing of allegations by the defendant, rather than a way of resolving claims before AEPD proceedings begin.
In any case, the decision on the admission for processing of the claim must be taken within three months from its filing before the AEPD. In the absence of a decision by the AEPD in this regard, it should be understood that the procedure will continue, that is, that the claim has been admitted.
c) Once a claim has been admitted, the AEPD may carry out investigative activity for a maximum of 12 months from the date of such admission. It is unclear how that period will be counted where no admission decision has been adopted (in which case, as stated above, it should be understood that the proceedings continue). It would be reasonable to take the day on which the three months from the filing of the claim have elapsed as the starting point for this twelve-month term.
d) During the preliminary proceedings, the AEPD may take “provisional measures” such as the blocking of the data or the obligation to attend immediately to the requested right.
e) Once the investigation phase has concluded, the AEPD shall decide whether sanctioning proceedings are to be initiated. According to section 9 of the Royal Decree-law, “the proceedings will last a maximum of 9 months, to be counted from the date of the decision to initiate or, where appropriate, the draft decision to initiate. The passing of that period shall result in the expiry of the procedure and the filing of the proceedings”.
The sudden publication of Royal Decree-law 5/2018, with the content described above, gives grounds to expect that the first fines imposed by the AEPD for infringements of the General Data Protection Regulation will be known from September. In this regard, it is likely that investigations of companies located in Spain arising from claims filed before other European supervisory authorities will also take place during that month.
Finally, it should be noted that there are relevant issues regulated by the additional, final and transitional provisions of the Royal Decree-law:
· The second additional provision maintains the AEPD obligation concerning the publishing of its decisions.
· The first transitional provision expressly foresees that the sanctioning proceedings that were initiated before the entry into force of the Royal Decree-law, and have therefore been developed under the previous data protection regulations, will still be processed under such previous regulations unless the new regime includes provisions more favourable to the data subject (but not to the data controller or processor).
· The second transitional provision resolves the queries concerning the need to urgently amend the data processing agreements signed pursuant to article 12 of Organic Law 15/1999. Any such agreements signed before 25 May 2018 will remain valid until their expiration date or, where there is no expiration date, until 25 May 2022.
This Royal Decree-law, published in the Official State Bulletin of 30 July 2018, will be in force until the new organic law on data protection is passed.
More Information:
· Draft law for the modification of the Spanish Data Protection Act (ES) [2].
· Interview with Mar España [3], Director of the AEPD (ES).
The AEPD has updated its video surveillance guide [4] by publishing a document analysing the requirements for the use of cameras and the recording of images and sounds, in light of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (“GDPR”).
Besides setting out the most relevant formal obligations regarding the use of security cameras, the new guide dedicates specific sections to the use of these devices for other purposes, such as traffic regulation, medical purposes, scientific research, image capturing in education centres and use by private detectives. Additionally, it mentions “emerging technologies”, including on-board cameras and the increasingly prominent drones.
Regarding security cameras, the AEPD clarifies in this guide the legal basis for the resulting data processing, indicating that it could be based on the protection of a public interest and/or compliance with different rules, such as Act 5/2014, on private security. The Agency highlights that, even though the obligation to register data files has disappeared, a record of processing activities associated with the cameras must be kept. To that end, the AEPD provides a simple template to ease compliance with this obligation (page 12).
It should be pointed out that the AEPD specifies that the determining factor in deciding whether a data protection impact assessment is needed is whether large-scale processing is carried out. That could be the case for cameras located in public areas of certain dimensions, such as public squares or streets, or in large shopping centres. Conversely, we understand that the impact assessment would not be needed where the cameras are located in establishments that are small or that do not receive a large influx of visitors.
On the other hand, the guide includes a link to a new template for the information poster [5] for adequately complying with the data controllers’ obligations of transparency and information, which retains the design of the one approved by Instruction 1/2006, with small variations in the text to be included.
Finally, and as a curiosity, in this document the AEPD clarifies that the installation of false cameras does not require compliance with the GDPR, since no data processing would be taking place.
More Information: Guide on the use of video cameras for security and other purposes (ES) [6]
On 4 June the AEPD held its X Open Session at the Canal Theatres (Madrid). The presentations, which can be watched on video [7] on the AEPD website, reviewed the main practical implications of the GDPR within a few weeks of the start of its effective application.
Of particular importance for all organisations with a corporate website is the analysis of the impact of the new European regulations on the use of data storage and retrieval devices (cookies and similar technologies).
It is expected that the current regulations on the use of such devices, set by Spanish Law 34/2002 on Information Society Services and Electronic Commerce (“LSSI [8]”), will be amended at European level in the same way as data protection regulations have been. While the draft ePrivacy regulation [9] is still following the ordinary legislative procedure, the entry into force of the GDPR requires slight adjustments to the notices used to date on websites. At this point, it should be clarified that the AEPD understands that, when it comes to cookies, the LSSI prevails over the GDPR since it is a special law (i.e. a more specific regulation of the matter). However, the references made by the LSSI to Act 15/1999, on personal data protection (“LOPD”), are to be understood as references to the GDPR since the entry into force of the latter.
Some of the issues discussed during the aforementioned Open Session are the following:
· As on other occasions, the need to avoid vague or confusing expressions (such as “improving navigation” or “creating a better user experience”) and, consequently, to report in a transparent manner on all the purposes of cookies (in particular whether browsing habits are to be monitored and/or profiling is to take place) was emphasised.
· The AEPD stated that the option described in its first guide on the use of cookies, prior to the GDPR, by which user consent could be inferred from the user resuming their browsing activity after being provided with sufficient information, is still valid provided that mechanisms to reinforce the user’s decision making on cookies are implemented.
· However, the options proposed to ease such decision making require the user to carry out actions more complex than mere browsing (while, at the same time, obliging website administrators to display the relevant information on cookies in formats that could make browsing harder and hinder website usage). Thus, two different options involving positive actions by the user were presented:
· Inclusion in the first layer of a button (or similar mechanism) to accept all the cookies, another one to reject them and a third one to configure them (this last button could also be a link in the first layer redirecting to a configuration panel in which the user could choose between enabling cookies gradually, or not at all).
· Inclusion of a button to accept all the cookies and another one to configure them, specifying in the first layer that the option to configure the cookies also allows them to be rejected.
In the open session, the AEPD announced the publication of a new guide on the use of cookies, even though the date on which this document will be available has not been disclosed.
More information: The GDPR and the Law on Information Society Services and Electronic Commerce (ES) [10].
On 19 June 2018, the AEPD published a guide on the management and notification of data breaches. The document was prepared in collaboration with the ISMS Forum [11], the National Cryptology Centre [12] and INCIBE [13], and its objective is to offer data controllers both preventive advice to avoid data breaches and the protocols to be followed once they become aware of such an incident.
Section 4 GDPR defines the concept of personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed”. One of the main novelties of the new Community regulations is that controllers who become aware of having suffered a breach of this nature are obliged to report that fact to the AEPD and, under some circumstances, to data subjects. Until the entry into force of the GDPR, this notification obligation was limited exclusively to providers of publicly available electronic communications services and trust service providers (Regulation EU 611/2013 [14]).
The time limit within which the AEPD is to be notified is short (without undue delay and, where feasible, not later than 72 hours after having become aware of the breach). Furthermore, according to the guidelines of the Article 29 Working Party (EN [15]), where a processor suffers a data breach, the controller should be considered “aware” once the processor has informed it of the breach. Thus, it is especially relevant that controllers and processors have policies and protocols in place to manage this kind of incident before it occurs.
Data breach notification is not mandatory where it does not constitute a risk for the rights and freedoms of data subjects. Moreover, if the violation entails a high risk for the rights and freedoms of data subjects, the obligation to notify the AEPD will also be extended to said individuals. This last notification shall be drafted with clear and simple language, in a concise and transparent manner.
The document published by the AEPD tackles the management of security breaches on four main fronts: (i) detection and identification of security breaches; (ii) preparation of an action plan in case of an incident; (iii) guidelines for carrying out a precise analysis of the breach; (iv) the response process to the breach and timely notifications.
In this last regard, it is important to highlight the indicative methodology included in the annexes to illustrate the decision-making process on whether or not a breach needs to be notified. The model scenarios take into account three parameters: the volume of affected data, the nature of such data and the particular impact or exposure. Although nothing prevents data controllers and processors from using a different methodology to evaluate the severity of incidents, the criteria laid out by the AEPD allow its view on which particular incidents should be notified in any case to be discerned.
More information: Guide on the management and notification of data breaches [16]
The survey, the result of collaboration between the AEPD and the Spanish Confederation of Small and Medium Enterprises (CEPYME [17]), shows that only 63% of Spanish SMEs, that is, a little over half of them, are aware of the new Community regulations. For that reason, the organising entities understand that additional efforts are required to disseminate the existence and content of the GDPR.
Interestingly enough, despite the lack of awareness of the new regulations, the survey shows that 8 out of 10 SMEs consider the entry into force of the GDPR to be a positive development, whereas 9 out of 10 consider it to be better than the prior regulations on the matter.
In terms of the particular implementation steps, the results are uneven:
· More than 80% of SMEs notified data files to the AEPD in due course and already have a security document, in addition to having expert advice on data protection (or having expressed the intention to contract it in the short term).
· Other actions, such as the inclusion of information clauses in forms and contracts, have been carried out by most SMEs, but by fewer than 70% of them.
· Lastly, fewer than 40% of SMEs have planned the response to, or attended to, data subject requests for the exercise of rights, or have visited the AEPD website.
In view of the results, the AEPD and CEPYME have agreed to continue carrying out training and awareness activities through the appropriate organisations and industry associations.
More information: Survey on the degree of preparation of Spanish companies pursuant to the General Data Protection Regulation [18].
Links
[1] https://www.boe.es/diario_boe/txt.php?id=BOE-A-2018-10751
[2] http://www.congreso.es/public_oficiales/L12/CONG/BOCG/A/BOCG-12-A-13-1.PDF
[3] https://confilegal.com/20180122-mar-espana-los-dpo-podran-resolver-en-un-mes-las-reclamaciones-y-evitar-nuestro-procedimiento-sancionador/
[4] https://www.prevent.es/Documentacion/guia_videovigilancia.pdf
[5] https://www.aepd.es/media/fichas/cartel-videovigilancia.pdf
[6] https://www.aepd.es/media/guias/guia-videovigilancia.pdf
[7] https://sslwebcast.com/aepd/2018/
[8] https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758
[9] https://eur-lex.europa.eu/legal-content/ES/TXT/?uri=CELEX%3A52017PC0010
[10] https://www.aepd.es/agencia/transparencia/jornadas/common/10-sesion/4-jesus-rubi.pdf
[11] https://www.ismsforum.es/
[12] https://www.ccn.cni.es/
[13] https://www.incibe.es/
[14] https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32017R1962&from=ES
[15] https://iapp.org/media/pdf/resource_center/WP29-Breach-notification_02-2018.pdf
[16] https://www.aepd.es/media/guias/guia-brechas-seguridad.pdf
[17] http://www.cepyme.es/
[18] https://www.aepd.es/media/estudios/estudio-proteccion-de-datos-aepd-cepyme.pdf