Organic Law on Protection of Personal Data and Guarantee of Digital Rights
   HOME

TheInfoList



OR:

The Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights (Spanish: Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales) is an organic law approved by the
Cortes Generales The Cortes Generales (; en, Spanish Parliament, lit=General Courts) are the bicameral legislative chambers of Spain, consisting of the Congress of Deputies (the lower house), and the Senate (the upper house). The Congress of Deputies meet ...
that has the goal of adapting the Spanish domestic law on the General Data Protection Regulation. This organic law repeals the previous Organic Law 15/1999 on Personal Data Protection, although it still remains in force for certain activities.One of these is the fourteenth additional provision. Multiple rules remain in place as long as they are not expressly modified, replaced or repealed. These rules include those issued in application of Article 13 of Directive 95/46 / EC of the European Parliament, the Council of October 24, 1995 relating to the protection of individuals with regard to the processing of personal data and the free circulation of these data, which had entered into force prior to May 25, 2018, and articles 23 and 24 of Organic Law 15/1999 of December 13 on Protection of Personal Data. Fourth transitory provision. A variety of other rules will not be subject to the aforementioned law and will continue to be governed by the Organic Law 15/1999. These include treatments subject to Directive (EU) 2016/680 of the European Parliament and of the Council, of April 27, 2016, relative to the protection of individuals in what regarding the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, and the free circulation of such data, article 22 and its application provisions, and what was repealed by Decision 2008 / 977 / JAI of the Council. This law came into effect on December 7, 2018.


Structure

The law consists of ninety-seven articles structured in ten headings, twenty-two additional provisions, six transitory provisions, a repeal provision, and sixteen final provisions.


Heading I

It relates to the general provisions of the law. According to the first article, the organic law has two purposes. The first is to adapt the Spanish law from what is contained in the General Data Protection Regulation and "guarantee that the digital rights of the citizen conform with the mandate established in article 18.4 of the Constitution."


Heading II

It relates to the principles of personal data protection. These include accuracy, confidentiality, consent, and the processing of special data such as that of criminals and minors. A minor has to be fourteen years of age before they can give consent.


Heading III

Heading III declares the personal data protection and processing rights that entities have. These are, in conformation with European regulations, the following: access, correction, deletion, opposition, the right to restriction of processing, and the right to portability. Compared to previous regulation, the rights to limitation of processing and the right to portability of data are a change.


Heading IV

In Heading IV provisions for specific treatments are included. These rules should be followed when a responsible party intends to process a specific data set. This title includes the regulation related to the inclusion and processing of data by credit reporting agencies, known popularly as "defaulter lists." In recognition of the legality of data processing for credit reporting purposes, this process is subject to certain precautions. Article 20 indicates that only data relating to "debts that are confirmed and overdue, whose existence or amount hasn't been the object of an administrative or judicial claim by the debtor, and that aren't being resolved by alternative agreement between the two parties." Through this same process, the creditor is required to inform the other party of what personal data might be given to the appropriate entities if they break their contract. This must be communicated before the contract is signed. The entities that possess the data will be able to process and hold it during the time the contract is unfulfilled. This can occur for up to five years after the contract has been broken, until the data must be deleted. The sixth additional provision of the law prohibits the inclusion of data in these files when the principal amount (without interest or penalties) is less than 50 euros, but the
government A government is the system or group of people governing an organized community, generally a state. In the case of its broad associative definition, government normally consists of legislature, executive, and judiciary. Government is ...
is able to change the principal amount with a
Royal Decree A decree is a legal proclamation, usually issued by a head of state (such as the president of a republic or a monarch), according to certain procedures (usually established in a constitution). It has the force of law. The particular term used for ...
.


Heading V

Heading V refers to those responsible and in charge of the processing of data. In contrast with the previous model based on compliance management, the current model established by the laws and regulations is one of active responsibility. Those responsible must evaluate a priori the data they wish to process and then adopt the necessary security measures for the processing to occur. There are also provisions related to the figure of the Data Protection Officer(DPO).


Heading VI

Heading VI regulates the international transfer of data.


Heading VII

Principal Article:
Spanish Data Protection Agency The Spanish Data Protection Agency (AEPD, es, Agencia Española de Protección de Datos) is an independent agency of the government of Spain which oversees the compliance with the legal provisions on the protection of personal data. The agency ...
Heading VII deals with the legal status of the Spanish Data Protection Agency as state control authority. Its Second Chapter regulates the power of the data protection authorities that can exist in the autonomous communities whose power is limited to the data processing carried out by the autonomous public sector and the obligation of the control authorities to cooperate with each other. In reality, such data protection authorities only exist in the autonomous communities of
Catalonia Catalonia (; ca, Catalunya ; Aranese Occitan: ''Catalonha'' ; es, Cataluña ) is an autonomous community of Spain, designated as a '' nationality'' by its Statute of Autonomy. Most of the territory (except the Val d'Aran) lies on the nort ...
, Basque Country, and
Andalusia Andalusia (, ; es, Andalucía ) is the southernmost autonomous community in Peninsular Spain. It is the most populous and the second-largest autonomous community in the country. It is officially recognised as a "historical nationality". The t ...
.


Heading VIII

Heading VIII regulates the procedures in the case of a possible violation of data protection regulations.


Heading IX

Heading IX regulates the punishment regime for violations of the law which determines the responsible parties and establishes a catalog of violations classified as very serious, serious, or minor. The law refers to the General Data Protection Regulation with respect to the amount and level of responsibility for the punishments. The statute of limitations for offenses is equally regulated. As an exception, the second paragraph of article 77 of the law provides that when the responsible violators are organizations with constitutional relevance or public administrations, they can only be penalized with a warning. This rules out the possibility of economic punishments for these entities, as was the case with the previous Organic Law 15/1999 of December 13.


Heading X

Heading X of the law recognizes and guarantees a series of rights a series rights that the law refers to as "digital" such as net neutrality and universal access, the right to security and digital education, the right to be forgotten, the right of portability of digital data and the digital will; being equally regulated the right to digital disconnection in the context of labor relations.


Controversies


Collection of personal data by political parties

The third-to-last provision of the law added a new article fifty-eight (a) to the Organic Law of the General Electoral Regime that permitted political parties to collect personal data related to political opinions in the context of their electoral activities. This could occur whenever such activities were carried out with “appropriate guarantees.” This was considered “protected by the public interest.” Similarly, it allowed political parties to “utilize personal data obtained on web pages and other publicly accessible sources to realize political activities during the electoral period” such as sending electoral propaganda electronically or through social media. This article appeared to have protection in the Whereas Clause 56 of the General Data Protection Regulation which provides that “if, in the context of electoral activities, the functioning of the democratic system demands that in a member state that the political parties collect personal data about people's political opinion, the processing of this data can be authorized for reasons of public interest, as long as appropriate guarantees are offered.” This provision caused deep concern in the legal sector because the aforementioned activities didn't require prior consent and apparently would allow the creation of databases of citizens on the basis of their political opinions. This creates profiles of individual people. According to certain sectors, this practice would have legalized the case of
Cambridge Analytica Cambridge Analytica Ltd (CA), previously known as SCL USA, was a British political consulting firm that came to prominence through the Facebook–Cambridge Analytica data scandal. It was started in 2013, as a subsidiary of the private intellig ...
in Spain. The Spanish Data Protection Agency has indicated that they believe the law doesn't permit the creation of ideological databases, nor the distribution of personalized information based on ideological or political profiles. The political party Unidos Podemos announced that it would present an appeal of unconstitutionality against said article on the understanding that it contradicted articles 16 and 18 of the Spanish Constitution. They ultimately never did. The
Spanish Ombudsman The Spanish Ombudsman or Defender of the People ''( Spanish: Defensor del Pueblo)'' is the ombudsman of the Cortes Generales responsible for defending the fundamental rights and public liberties of citizens by supervising the activity of public ...
presented an appeal of unconstitutionality against this provision. Said appeal was admitted for processing on March 12, 2019. On May 22, 2019, the plenary session of the Constitutional Court upheld said appeal and declared the precept unconstitutional and null by a consensus of twelve members.


Notes

{{reflist, group=note


References

2018 in Spain Consumer protection law Data laws of Europe Privacy law Law of Spain