Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights.
Reference: BOE-A-2018-16673
ORIGINAL TEXT
FELIPE VI
KING OF SPAIN
All those who were present saw and understood.
Know: That the Cortes Generales have approved and I have come to sanction the following organic law.
INDEX
Preamble.
Title I. General provisions.
Article 1. Object of the law.
Article 2. Scope of application of titles I to IX and of articles 89 to 94.
Article 3. Data of the deceased persons.
Title II. Data protection principles.
Article 4. Accuracy of the data.
Article 5. Duty of confidentiality.
Article 6. Treatment based on the consent of the affected party.
Article 7. Consent of minors.
Article 8. Data processing due to legal obligation, public interest or exercise of public powers.
Article 9. Special categories of data.
Article 10. Processing of data of a criminal nature.
Title III. People rights.
Chapter I. Transparency and information.
Article 11. Transparency and information to the affected party.
Chapter II. Exercise of rights.
Article 12. General provisions on the exercise of rights.
Article 13. Right of access.
Article 14. Right of rectification.
Article 15. Right of deletion.
Article 16. Right to limitation of treatment.
Article 17. Right to portability.
Article 18. Right of opposition.
Title IV. Provisions applicable to specific treatments.
Article 19. Treatment of contact data, individual entrepreneurs and liberal professionals.
Article 20. Credit information systems.
Article 21. Treatments related to the performance of certain commercial operations.
Article 22. Treatment for video surveillance purposes.
Article 23. Advertising exclusion systems.
Article 24. Information systems for internal complaints.
Article 25. Data processing in the field of the public statistical function.
Article 26. Processing of data for archival purposes in the public interest by Public Administrations.
Article 27. Processing of data related to infractions and administrative sanctions.
Title V. Responsible and in charge of the treatment.
Chapter I. General provisions. Active liability measures.
Article 28. General obligations of the person in charge and in charge of the treatment.
Article 29. Assumptions of joint responsibility in the treatment.
Article 30. Representatives of those responsible or in charge of the treatment not established in the European Union.
Article 31. Registration of treatment activities.
Article 32. Blocking of data.
Chapter II. In charge of the treatment.
Article 33. In charge of the treatment.
Chapter III. Data protection officer.
Article 34. Appointment of a data protection officer.
Article 35. Qualification of the data protection officer.
Article 36. Position of the data protection officer.
Article 37. Intervention of the data protection officer in the event of a claim before the data protection authorities.
Chapter IV. Codes of conduct and certification.
Article 38. Codes of conduct.
Article 39. Accreditation of certification institutions.
Title VI. International data transfers.
Article 40. Regime of international data transfers.
Article 41. Cases of adoption by the Spanish Agency for Data Protection.
Article 42. Cases subject to prior authorization from the data protection authorities.
Article 43. Cases submitted to prior information to the competent data protection authority.
Title VII. Data protection authorities.
Chapter I. The Spanish Agency for Data Protection.
Section 1. General provisions.
Article 44. General provisions.
Article 45. Legal regime.
Article 46. Economic, budgetary and personnel regime.
Article 47. Functions and powers of the Spanish Agency for Data Protection.
Article 48. The Presidency of the Spanish Agency for Data Protection.
Article 49. Advisory Council of the Spanish Agency for Data Protection.
Article 50. Advertising.
Section 2. Investigation powers and preventive audit plans.
Article 51. Scope and competent personnel.
Article 52. Duty of collaboration.
Article 53. Scope of the investigation activity.
Article 54. Audit plans.
Section 3. Other powers of the Spanish Data Protection Agency.
Article 55. Regulatory powers. Circulars of the Spanish Agency for Data Protection.
Article 56. External action.
Chapter II. Autonomous data protection authorities.
Section 1. General provisions.
Article 57. Autonomous data protection authorities.
Article 58. Institutional cooperation.
Article 59. Treatments contrary to Regulation (EU) 2016/679.
Section 2. Coordination within the framework of the procedures established in Regulation (EU) 2016/679.
Article 60. Coordination in case of issuance of opinion by the European Data Protection Committee.
Article 61. Intervention in case of cross-border processing.
Article 62. Coordination in case of conflict resolution by the European Data Protection Committee.
Title VIII. Procedures in case of possible violation of data protection regulations.
Article 63. Legal regime.
Article 64. Form of initiation of the procedure and duration.
Article 65. Admission of claims for processing.
Article 66. Determination of the territorial scope.
Article 67. Previous investigation actions.
Article 68. Agreement to initiate the procedure for the exercise of the sanctioning power.
Article 69. Provisional measures and guarantee of rights.
Title IX. Sanctions regime.
Article 70. Responsible parties.
Article 71. Infractions.
Article 72. Violations considered very serious.
Article 73. Violations considered serious.
Article 74. Infractions considered minor.
Article 75. Interruption of the prescription of the offense.
Article 76. Sanctions and corrective measures.
Article 77. Regime applicable to certain categories of responsible or in charge of the treatment.
Article 78. Prescription of sanctions.
Title X. Guarantee of digital rights.
Article 79. Rights in the Digital Age.
Article 80. Right to Internet neutrality.
Article 81. Right of universal access to the Internet.
Article 82. Right to digital security.
Article 83. Right to digital education.
Article 84. Protection of minors on the Internet.
Article 85. Right to rectification on the Internet.
Article 86. Right to update information in digital media.
Article 87. Right to privacy and use of digital devices in the workplace.
Article 88. Right to digital disconnection in the workplace.
Article 89. Right to privacy against the use of video surveillance and sound recording devices in the workplace.
Article 90. Right to privacy when using geolocation systems in the workplace.
Article 91. Digital rights in collective bargaining.
Article 92. Data protection of minors on the Internet.
Article 93. Right to be forgotten in Internet searches.
Article 94. Right to be forgotten in social network services and equivalent services.
Article 95. Right to portability in social network services and equivalent services.
Article 96. Right to a digital will.
Article 97. Policies to promote digital rights.
First additional provision. Security measures in the field of the public sector.
Second additional provision. Data protection and transparency and access to public information.
Third additional provision. Computation of terms.
Fourth additional provision. Procedure in relation to the powers attributed to the Spanish Agency for Data Protection by other laws.
Fifth additional provision. Judicial authorization in relation to decisions of the European Commission regarding international data transfer.
Sixth additional provision. Incorporation of debts to credit information systems.
Seventh additional provision. Identification of those interested in notifications through announcements and publications of administrative acts.
Eighth additional provision. Verification power of the Public Administrations.
Ninth additional provision. Processing of personal data in relation to the notification of security incidents.
Tenth additional provision. Data communications by the subjects listed in article 77.1.
Eleventh additional provision. Privacy in electronic communications.
Twelfth additional provision. Specific provisions applicable to the processing of public sector personnel records.
Thirteenth additional provision. International transfers of tax data.
Fourteenth additional provision. Rules issued pursuant to article 13 of Directive 95/46 / EC.
Fifteenth additional provision. Information request by the National Securities Market Commission.
Sixteenth additional provision. Aggressive practices regarding data protection.
Seventeenth additional provision. Health data treatment.
Eighteenth additional provision. Security criteria.
Additional provision nineteenth. Rights of minors before the Internet.
Additional provision twentieth. Specialties of the legal regime of the Spanish Agency for Data Protection.
Twenty-first additional provision. Digital education.
Twenty-second additional provision. Access to public and ecclesiastical archives.
First transitory provision. Statute of the Spanish Agency for Data Protection.
Second transitory provision. Standard codes registered with the data protection authorities in accordance with Organic Law 15/1999, of December 13.
Third transitory provision. Transitional regime of the procedures.
Fourth transitory provision. Treatments subject to Directive (EU) 2016/680.
Fifth transitory provision. Treatment manager contracts.
Sixth transitory provision. Reuse for health and biomedical research purposes of personal data collected prior to the entry into force of this law.
Sole repealing provision. Regulatory repeal.
First final provision. Nature of the present law.
Second final provision. Competency title.
Third final provision. Modification of Organic Law 5/1985, of June 19, of the General Electoral Regime.
Fourth final provision. Modification of Organic Law 6/1985, of July 1, of the Judicial Power.
Fifth final provision. Modification of Law 14/1986, of April 25, General Health.
Sixth final provision. Modification of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction.
Seventh final provision. Modification of Law 1/2000, of January 7, on Civil Procedure.
Eighth final provision. Modification of Organic Law 6/2001, of December 21, on Universities.
Ninth final provision. Modification of Law 41/2002, of November 14, regulating basic patient autonomy and rights and obligations regarding information and clinical documentation.
Tenth final provision. Modification of Organic Law 2/2006, of May 3, on Education.
Eleventh final provision. Modification of Law 19/2013, of December 9, on transparency, access to public information and good governance.
Twelfth final provision. Modification of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
Thirteenth final provision. Modification of the consolidated text of the Workers' Statute Law.
Fourteenth final provision. Modification of the consolidated text of the Law of the Basic Statute of the Public Employee.
Fifteenth final provision. Regulatory development.
Sixteenth final provision. Entry into force.
PREAMBLE
I
The protection of natural persons in relation to the processing of personal data is a fundamental right protected by article 18.4 of the Spanish Constitution. In this way, our Constitution was a pioneer in the recognition of the fundamental right to the protection of personal data when it established that “the law shall limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of Your rights". It thus echoed the work carried out since the late 1960s in the Council of Europe and the few legal provisions adopted in neighboring countries.
The Constitutional Court indicated in its Sentence 94/1998, of May 4, that we are faced with a fundamental right to data protection by which the person is guaranteed control over their data, any personal data, and their use and destination, to avoid illicit trafficking of the same or harmful to the dignity and rights of those affected; In this way, the right to data protection is configured as a faculty of the citizen to oppose the use of certain personal data for purposes other than the one that justified its collection. For its part, in Judgment 292/2000, of November 30,
At the legislative level, the realization and development of the fundamental right of protection of natural persons in relation to the processing of personal data took place in its origins through the approval of Organic Law 5/1992, of October 29, regulating automated processing of personal data, known as LORTAD. Organic Law 5/1992 was replaced by Organic Law 15/1999, of December 5, on the protection of personal data, in order to transpose Directive 95/46 / CE of the European Parliament and of the Council, of October 24, 1995, on the protection of natural persons with regard to the processing of personal data and the free circulation of these data.
On the other hand, it is also included in article 8 of the Charter of Fundamental Rights of the European Union and in article 16.1 of the Treaty on the Functioning of the European Union. Previously, at European level, the aforementioned Directive 95/46 / EC had been adopted, the purpose of which was to ensure that the guarantee of the right to protection of personal data does not constitute an obstacle to the free movement of data within the Union , thus establishing a common space of guarantee of the right that, at the same time, ensures that in the event of international transfer of data, its treatment in the destination country is protected by adequate safeguards to those provided for in the directive itself.
II
In the last years of the past decade, the drive to achieve a more uniform regulation of the fundamental right to data protection in the framework of an increasingly globalized society intensified. Thus, proposals for the reform of the current framework were adopted in different international instances. And within this framework, the Commission launched on November 4, 2010 its Communication entitled "A global approach to the protection of personal data in the European Union", which constitutes the germ of the subsequent reform of the framework of the European Union. At the same time, the Court of Justice of the Union has been adopting over the last few years a case law that is fundamental in its interpretation.
The latest milestone in this evolution took place with the adoption of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of their data. personal data and the free circulation of these data and repealing Directive 95/46 / EC (General Data Protection Regulation), as well as Directive (EU) 2016/680 of the European Parliament and of the Council, of 27 of April 2016, regarding the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions,and the free circulation of said data and by which the Framework Decision 2008/977 / JHA of the Council is repealed.
III
The General Data Protection Regulation aims with its direct effectiveness to overcome the obstacles that prevented the harmonizing purpose of Directive 95/46 / EC of the European Parliament and of the Council, of October 24, 1995, on the protection of natural persons with regard to the processing of personal data and the free circulation of such data. The transposition of the directive by the Member States has resulted in a regulatory mosaic with irregular profiles throughout the European Union, which, ultimately, has led to appreciable differences in the protection of citizens' rights.
Likewise, new circumstances are addressed, mainly the increase in cross-border flows of personal data as a consequence of the operation of the internal market, the challenges posed by rapid technological evolution and globalization, which has made personal data the fundamental resource of the society of the information. The centrality of personal information has positive aspects, because it allows new and better services, products or scientific findings. But it also has risks, since information about individuals multiplies exponentially, is more accessible, by more actors, and is increasingly easier to process while it is more difficult to control its destination and use.
The General Data Protection Regulation supposes the revision of the legal bases of the European data protection model beyond a mere update of the current regulations. It proceeds to reinforce legal certainty and transparency while allowing its rules to be specified or restricted by the law of the Member States to the extent necessary for reasons of coherence and so that national provisions are understandable to their addressees. Thus, the General Data Protection Regulation contains a good number of authorizations, if not impositions, to the Member States, in order to regulate certain matters, even allowing in its recital 8, and unlike what constitutes a general principle of the Right to the European Union that, when its standards need to be specified,
At this point, it must be emphasized that any intervention of internal law in the areas concerned by European regulations is not excluded. On the contrary, such intervention may be appropriate, even necessary, both for the purification of the national order and for the development or complement of the regulation in question. Thus, the principle of legal certainty, in its positive aspect, obliges the Member States to integrate the European legal system internally in a sufficiently clear and public way to allow its full knowledge both by legal operators and by the citizens themselves. , whereas, in its negative aspect, it implies the obligation for such States to eliminate situations of uncertainty derived from the existence of norms in national law incompatible with the European one. From this second aspect follows the consequent obligation to purge the legal system. Ultimately, the principle of legal certainty requires that internal regulations that are incompatible with European Union law be definitively eliminated "through internal mandatory provisions that have the same legal value as the internal provisions that must be modified" (Sentences of the Court of Justice of February 23, 2006, Commission vs. Spain; of July 13, 2000, Commission vs. France; and of October 15, 1986, Commission vs. Italy). Lastly, regulations, despite their characteristic of direct applicability, in practice may require other complementary internal rules to make their application fully effective. In this sense,
The adaptation to the General Data Protection Regulation, which will be applicable as of May 25, 2018, as established in article 99, requires, in short, the drafting of a new organic law to replace the current one. In this work, the principles of good regulation have been preserved, as it is a necessary norm for the adaptation of the Spanish legal system to the aforementioned European provision and proportional to this objective, its ultimate reason being to seek legal certainty.
IV
The Internet, on the other hand, has become an omnipresent reality both in our personal and collective lives. A large part of our professional, economic and private activity takes place on the Internet and acquires a fundamental importance both for human communication and for the development of our life in society. Already in the nineties, and aware of the impact that the Internet was going to have on our lives, the pioneers of the Internet proposed to draw up a Declaration of the Rights of Man and of the Citizen on the Internet.
Today we identify quite clearly the risks and opportunities that the world of networks offers citizens. It is the responsibility of the public authorities to promote policies that make the rights of citizenship effective on the Internet, promoting the equality of citizens and the groups in which they belong to make possible the full exercise of fundamental rights in digital reality. The digital transformation of our society is already a reality in our present and future development both socially and economically. In this context, neighboring countries have already approved regulations that reinforce the digital rights of citizens.
The constituents of 1978 already sensed the enormous impact that technological advances would have on our society and, in particular, on the enjoyment of fundamental rights. A desirable future reform of the Constitution should include among its priorities the updating of the Constitution to the digital age and, specifically, raising a new generation of digital rights to constitutional status. But, as long as this challenge is not tackled, the legislator must address the recognition of a digital rights guarantee system that, unequivocally, finds its anchor in the mandate imposed by the fourth section of article 18 of the Spanish Constitution and that, in some cases, they have already been outlined by ordinary, constitutional and European jurisprudence.
V
This organic law consists of ninety-seven articles structured in ten titles, twenty-two additional provisions, six transitory provisions, a repealing provision and sixteen final provisions.
Title I, relative to the general provisions, begins by regulating the object of the organic law, which is, according to what has been indicated, double. Thus, in the first place, it is intended to achieve the adaptation of the Spanish legal system to Regulation (EU) 2016/679 of the European Parliament and the Council, of April 27, 2016, General Data Protection Regulation, and complete its provisions. In turn, it establishes that the fundamental right of natural persons to the protection of personal data, protected by article 18.4 of the Constitution, will be exercised in accordance with the provisions of Regulation (EU) 2016/679 and this organic law . The autonomous communities have powers of normative development and execution of the fundamental right to the protection of personal data in their field of activity and the autonomous data protection authorities that believe they are responsible for helping to guarantee this fundamental right of citizenship. Second, it is also the object of the law to guarantee the digital rights of citizens, under the provisions of article 18.4 of the Constitution.
The new regulation of data referring to deceased persons stands out, since, after excluding their treatment from the scope of the law, it allows persons linked to the deceased for family or de facto reasons or their heirs to request access to the themselves, as well as their rectification or deletion, where appropriate subject to the instructions of the deceased. It also excludes from the scope of application the treatments that are governed by specific provisions, in reference, among others, to the regulations that transpose the aforementioned Directive (EU) 2016/680, providing in the fourth transitory provision the application to these treatments of the Law Organic 15/1999, of December 13, until the aforementioned regulation is approved.
In Title II, "Data protection principles", it is established that for the purposes of Regulation (EU) 2016/679 they will not be attributable to the person responsible for the treatment, provided that he has adopted all reasonable measures so that they are suppressed or rectified without delay, the inaccuracy of the data obtained directly from the affected party, when he has received the data from another person in charge by virtue of the exercise by the affected party of the right to portability, or when the person in charge obtains them from the mediator or intermediary when the rules applicable to the sector of activity to which the data controller belongs, establish the possibility of intervention by an intermediary or mediator or when the data had been obtained from a public registry. The duty of confidentiality is also expressly included,
Possible legal authorizations for processing based on compliance with a legal obligation enforceable by the person responsible are also regulated, in the terms provided in Regulation (EU) 2016/679, when provided for by a European Union law standard or a law, which may determine the general conditions of the treatment and the types of data object of the same as well as the assignments that proceed as a result of compliance with the legal obligation, This is the case, for example, of databases regulated by law and managed by public authorities that respond to specific objectives of risk control and solvency, supervision and inspection of the type of the Central Risk Information Center of the Bank of Spain regulated by Law 44/2002, of November 22, on Reform Measures of the Finance system,or of the data, documents and information of a confidential nature that are held by the General Directorate of Insurance and Pension Funds in accordance with the provisions of Law 20/2015, of July 14, on the organization, supervision and solvency of the insurance and reinsurance entities.
Special conditions may also be imposed on the treatment, such as the adoption of additional security measures or others, when this derives from the exercise of public powers or the fulfillment of a legal obligation and can only be considered based on the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the person in charge, in the terms provided in the European regulation, when it derives from a competence attributed by law. And the prohibition of consenting to treatments with the main purpose of storing identifying information of certain categories of specially protected data is maintained, which does not prevent them from being subject to treatment in the other cases provided for in Regulation (EU) 2016/679 . For example,
Also in relation to the treatment of special categories of data, article 9.2 establishes the principle of reserve of law for its authorization in the cases provided for in Regulation (EU) 2016/679. Said provision not only covers the provisions that may be adopted in the future, but also makes it possible to save the different legal authorizations currently existing, as specifically indicated, with respect to health and insurance legislation, in the seventeenth additional provision. The General Data Protection Regulation does not affect these authorizations, which remain fully valid, even allowing an extensive interpretation of them to be carried out, as happens, in particular, regarding the scope of the consent of the affected party or the use of their data without consent in the field of biomedical research. To this end, section 2 of the seventeenth additional provision introduces a series of provisions aimed at guaranteeing the adequate development of research in health matters, and in particular biomedical, weighing the undoubted benefits that it brings to society with the due guarantees of the fundamental right to data protection.
Title III, dedicated to the rights of individuals, adapts to Spanish law the principle of transparency in the treatment of the European regulation, which regulates the right of those affected to be informed about the treatment and collects the so-called "information by layers" and generally accepted in areas such as video surveillance or the installation of massive data storage devices (such as "cookies"), providing the affected party with basic information, although, indicating an electronic address or other means that allows access in a simple and immediate to the rest of the information.
This Title makes use of the authorization allowed by recital 8 of Regulation (EU) 2016/679 to complement its regime, guaranteeing the adequate systematic structure of the text. Next, the organic law contemplates the rights of access, rectification, deletion, opposition, the right to limit the treatment and the right to portability.
Title IV contains "Provisions applicable to specific treatments", incorporating a series of assumptions that in no case should be considered exhaustive of all lawful treatments. Among them, it is possible to appreciate, in the first place, those with respect to which the legislator establishes a presumption "iuris tantum" of prevalence of the legitimate interest of the person in charge when they are carried out with a series of requirements, which does not exclude the legality of this type of processing when the conditions provided in the text are not strictly met, although in this case the person in charge must carry out the legally required weighting, since the prevalence of their legitimate interest is not presumed. Along with these assumptions, others are collected, such as video surveillance, advertising exclusion files or internal complaint systems in which the legality of the treatment comes from the existence of a public interest, in the terms established in article 6.1.e) of Regulation (EU) 2016/679. Finally, reference is made in this Title to the legality of other treatments regulated in Chapter IX of the regulations, such as those related to the statistical function or for archiving purposes of general interest. In any case, the fact that the legislator refers to the legality of the treatments does not undermine the obligation of those responsible to adopt all the active liability measures established in Chapter IV of the European regulation and in Title V of this organic law . in the terms established in article 6.1.e) of Regulation (EU) 2016/679. Finally, reference is made in this Title to the legality of other treatments regulated in Chapter IX of the regulations, such as those related to the statistical function or for archiving purposes of general interest. In any case, the fact that the legislator refers to the legality of the treatments does not undermine the obligation of those responsible to adopt all the active liability measures established in Chapter IV of the European regulation and in Title V of this organic law . in the terms established in article 6.1.e) of Regulation (EU) 2016/679. Finally, reference is made in this Title to the legality of other treatments regulated in Chapter IX of the regulations, such as those related to the statistical function or for archiving purposes of general interest. In any case, the fact that the legislator refers to the legality of the treatments does not undermine the obligation of those responsible to adopt all the active liability measures established in Chapter IV of the European regulation and in Title V of this organic law .
Title V refers to the person in charge and the person in charge of the treatment. It must be taken into account that the greatest novelty presented by Regulation (EU) 2016/679 is the evolution of a model based, fundamentally, on compliance control to another that rests on the principle of active responsibility, which requires prior assessment by the person in charge or by the person in charge of the treatment of the risk that the processing of personal data could generate in order, based on said assessment, to adopt the appropriate measures. In order to clarify these new features, the organic law maintains the same name as Chapter IV of the Regulation, dividing the articles into four chapters dedicated, respectively, to the general measures of active responsibility, to the regime of the person in charge of the treatment, the figure of the data protection officer and the self-regulation and certification mechanisms. The figure of the data protection delegate acquires an outstanding importance in Regulation (EU) 2016/679 and this is reflected in the organic law, which starts from the principle that it may be mandatory or voluntary, whether or not it is integrated into the organization. of the person in charge or in charge and be both a natural person and a legal person. The appointment of the data protection officer must be communicated to the competent data protection authority. The Spanish Data Protection Agency will maintain a public and updated relationship of the data protection delegates, accessible by anyone. Knowledge in the matter may be accredited through certification schemes. Likewise, it may not be removed, except in cases of intent or gross negligence. It is noteworthy that the data protection officer allows you to configure a means for the amicable resolution of claims, since the interested party may reproduce before him the claim that is not attended by the person in charge or in charge of the treatment.
Title VI, relative to international data transfers, proceeds to the adaptation of the provisions of Regulation (EU) 2016/679 and refers to the specialties related to the procedures through which data protection authorities can approve contractual models or binding corporate rules, cases of authorization of a certain transfer, or prior information.
Title VII is dedicated to data protection authorities, which, following the mandate of Regulation (EU) 2016/679, must be established by national law. Maintaining the scheme that had been collected in its normative antecedents, the organic law regulates the regime of the Spanish Agency for Data Protection and reflects the existence of the regional data protection authorities and the necessary cooperation between the control authorities. The Spanish Agency for Data Protection is configured as an independent administrative authority in accordance with Law 40/2015, of October 1, on the Legal Regime of the Public Sector, which is related to the Government through the Ministry of Justice.
Title VIII regulates the "Procedures in case of possible violation of data protection regulations". Regulation (EU) 2016/679 establishes a new and complex system, evolving towards a "one-stop shop" model in which there is a main supervisory authority and other interested authorities. A cooperation procedure is also established between authorities of the Member States and, in the event of discrepancy, the binding decision of the European Data Protection Committee is provided. Consequently, prior to the processing of any procedure, it will be necessary to determine whether or not the processing is cross-border and, if so, which data protection authority should be considered the main one.
The regulation is limited to defining the legal regime; the initiation of the procedures, being it possible that the Spanish Agency for Data Protection refers the claim to the data protection delegate or to the bodies or entities that are in charge of the extrajudicial resolution of conflicts in accordance with the provisions of a code of conduct; the inadmissibility of the claims; the preliminary investigation actions; provisional measures, among which the order to block the data stands out; and the term for processing the procedures and, where appropriate, their suspension. The specialties of the procedure refer to the regulatory development.
Title IX, which contemplates the sanctioning regime, starts from the fact that Regulation (EU) 2016/679 establishes a system of sanctions or corrective actions that allows a wide margin of appreciation. In this framework, the organic law proceeds to describe the typical behaviors, establishing the distinction between very serious, serious and minor offenses, taking into consideration the differentiation that the General Data Protection Regulation establishes when setting the amount of sanctions. The categorization of offenses is introduced for the sole purpose of determining the statute of limitations, having the description of typical behaviors as the sole object the exemplary enumeration of some of the punishable acts that must be understood to be included within the general types established in European standard.
Regulation (EU) 2016/679 establishes wide margins for determining the amount of penalties. The organic law takes advantage of the residual clause of article 83.2 of the European standard, referring to aggravating or mitigating factors, to clarify that the elements to be taken into account may include those that already appeared in article 45.4 and 5 of Organic Law 15 / 1999, and which are known to legal operators.
Finally, Title X of this law undertakes the task of recognizing and guaranteeing a list of digital rights of citizens in accordance with the mandate established in the Constitution. In particular, the rights and freedoms applicable to the Internet environment are subject to regulation, such as Net neutrality and universal access or the rights to security and digital education, as well as the rights to oblivion, portability and the digital will. The recognition of the right to digital disconnection within the framework of the right to privacy in the use of digital devices in the workplace and the protection of minors on the Internet occupies a relevant place. Finally, the guarantee of freedom of expression and the right to clarify information in digital media is noteworthy.
The additional provisions refer to issues such as security measures in the field of the public sector, data protection and transparency and access to public information, calculation of deadlines, judicial authorization in matters of international data transfers, protection against practices abusive that certain operators may develop, or the processing of health data, among others.
In accordance with the fourteenth additional provision, the regulations regarding exceptions and limitations in the exercise of rights that had entered into force prior to the date of application of the European regulation and in particular articles 23 and 24 of Organic Law 15 / 1999, of December 13, Protection of Personal Data, will remain in force as long as it is not expressly modified, replaced or repealed. The survival of this regulation implies the continuity of the exceptions and limitations that are contained in it until its reform or abrogation takes place, although referring to the rights as regulated in Regulation (EU) 2016/679 and in this organic Law. Thus, for example, by virtue of the aforementioned additional provision,
The transitional provisions are dedicated, among other issues, to the statute of the Spanish Data Protection Agency, the transitional regime of procedures or treatments subject to Directive (EU) 2016/680. A repealing provision is included and, below, the final provisions on the precepts with the character of ordinary law, the competence title and the entry into force are listed.
Likewise, the necessary modifications are introduced to Law 1/2000, of January 7, on Civil Procedure and Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, Organic Law, 6/1985, of July 1, of the Judicial Power, Law 19/2013, of December 9, of transparency, access to public information and good governance, Organic Law 5/1985, of June 19, of the General Electoral Regime, the Law 14/1986, of April 25, General Health, Law 41/2002, of November 14, basic regulator of the autonomy of the patient and rights and obligations regarding information and clinical documentation and Law 39/2015 , of October 1, of the Common Administrative Procedure of Public Administrations.
Finally, and in relation to the guarantee of digital rights, modifications are also made to Organic Law 2/2006, of May 3, on Education, Organic Law 6/2001, of December 21, on Universities, as well as in the Consolidated Text of the Law of the Workers' Statute and in the Consolidated Text of the Law of the Basic Statute of Public Employees.
TITLE I
General disposition
Article 1. Object of the law.
The present organic law aims to:
a) Adapt the Spanish legal system to Regulation (EU) 2016/679 of the European Parliament and the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of their personal data and freedom circulation of these data, and complete its provisions.
The fundamental right of natural persons to the protection of personal data, protected by article 18.4 of the Constitution, will be exercised in accordance with the provisions of Regulation (EU) 2016/679 and this organic law.
b) Guarantee the digital rights of citizens in accordance with the mandate established in article 18.4 of the Constitution.
Article 2. Scope of application of Titles I to IX and Articles 89 to 94.
1. The provisions of Titles I to IX and articles 89 to 94 of this organic law apply to any fully or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included. in a file.
2. This organic law will not apply:
a) To the treatments excluded from the scope of application of the General Data Protection Regulation by its article 2.2, without prejudice to the provisions of sections 3 and 4 of this article.
b) To the data processing of deceased persons, without prejudice to the provisions of article 3.
c) To the treatments subject to the regulations on the protection of classified materials.
3. Treatments to which Regulation (EU) 2016/679 is not directly applicable because it affects activities not included in the scope of application of European Union Law, will be governed by the provisions of its specific legislation, if any, and supplementary by what is established in the aforementioned regulation and in this organic law. In this situation, among others, are the treatments carried out under the organic legislation of the general electoral regime, the treatments carried out in the area of penitentiary institutions and the treatments derived from the Civil Registry, the Property and Mercantile Registries.
4. The data processing carried out on the occasion of the processing by the judicial bodies of the processes of which they are competent, as well as that carried out within the management of the Judicial Office, will be governed by the provisions of Regulation (EU ) 2016/679 and this organic law, without prejudice to the provisions of Organic Law 6/1985, of July 1, of the Judicial Power, which are applicable.
Article 3. Data of the deceased persons.
1. People linked to the deceased for family or de facto reasons as well as their heirs may contact the person in charge or in charge of the treatment in order to request access to their personal data and, where appropriate, its rectification or deletion.
As an exception, the people referred to in the preceding paragraph may not access the data of the deceased, or request its rectification or deletion, when the deceased person has expressly prohibited it or so established by law. Said prohibition will not affect the right of the heirs to access the patrimonial data of the deceased.
2. The persons or institutions that the deceased had expressly designated for this purpose may also request, in accordance with the instructions received, access to his or her personal data and, where appropriate, its rectification or deletion.
By royal decree the requirements and conditions to prove the validity and validity of these mandates and instructions and, where appropriate, their registration will be established.
3. In the event of the death of minors, these powers may also be exercised by their legal representatives or, within the framework of their powers, by the Public Prosecutor, who may act ex officio or at the request of any interested natural or legal person.
In the event of the death of people with disabilities, these powers may also be exercised, in addition to those indicated in the preceding paragraph, by those who have been designated to carry out support functions, if such powers are understood to be included in the support measures provided by the designated one.
TITLE II
Data protection principles
Article 4. Accuracy of the data.
1. In accordance with article 5.1.d) of Regulation (EU) 2016/679, the data will be accurate and, if necessary, updated.
2. For the purposes provided for in article 5.1.d) of Regulation (EU) 2016/679, it will not be attributable to the controller, provided that it has adopted all reasonable measures to eliminate or rectify the inaccuracy without delay. of personal data, with respect to the purposes for which they are processed, when inaccurate data:
a) They had been obtained by the person responsible directly from the affected party.
b) They would have been obtained by the person in charge of a mediator or intermediary in the event that the rules applicable to the sector of activity to which the person responsible for the treatment belongs established the possibility of intervention of an intermediary or mediator who collects the data of the affected for transmission to the person in charge. The mediator or intermediary will assume the responsibilities that may arise in the event of communication to the person responsible for data that do not correspond to those provided by the affected party.
c) They were subjected to treatment by the person in charge for having received them from another person in charge by virtue of the exercise by the affected party of the right to portability in accordance with article 20 of Regulation (EU) 2016/679 and the provisions of this organic law.
d) They were obtained from a public registry by the person in charge.
Article 5. Duty of confidentiality.
1. Those responsible and in charge of data processing, as well as all persons involved in any phase of this, will be subject to the duty of confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation indicated in the previous section will be complementary to the duties of professional secrecy in accordance with its applicable regulations.
3. The obligations established in the previous sections will be maintained even when the relationship between the obligor and the person in charge of the treatment has ended.
Article 6. Treatment based on the consent of the affected party.
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the consent of the affected party is understood to be any expression of free, specific, informed and unequivocal will by which he accepts, either by means of a declaration or a clear affirmative action, the processing of personal data concerning you.
2. When it is intended to base the processing of the data on the consent of the affected person for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is granted for all of them.
3. The execution of the contract may not be subordinated to the affected party consenting to the processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship.
Article 7. Consent of minors.
1. The processing of personal data of a minor may only be based on their consent when they are over fourteen years of age.
Exceptions are cases in which the law requires the assistance of the holders of parental authority or guardianship for the celebration of the act or legal business in which context consent for the treatment is obtained.
2. The treatment of the data of minors under fourteen years of age, based on consent, will only be lawful if that of the holder of parental authority or guardianship, with the scope determined by the holders of parental authority or guardianship.
Article 8. Data processing due to legal obligation, public interest or exercise of public powers.
1. The processing of personal data may only be considered based on compliance with a legal obligation enforceable by the person in charge, under the terms provided in article 6.1.c) of Regulation (EU) 2016/679, when provided for by a rule of law. of the European Union or a rule with the force of law, which may determine the general conditions of the treatment and the types of data object of the same as well as the transfers that proceed as a result of compliance with the legal obligation. Said standard may also impose special conditions on the treatment, such as the adoption of additional security measures or others established in chapter IV of Regulation (EU) 2016/679.
2. The processing of personal data may only be considered based on the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person in charge, in the terms provided in article 6.1 e) of Regulation (EU) 2016/679 , when it derives from a competence attributed by a norm with the force of law.
Article 9. Special categories of data.
1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid discriminatory situations, the sole consent of the affected party will not be enough to lift the prohibition of data processing whose main purpose is to identify their ideology, union membership, religion, sexual orientation, racial or ethnic beliefs or origin.
The provisions of the preceding paragraph shall not prevent the processing of said data under the other assumptions contemplated in article 9.2 of Regulation (EU) 2016/679, when appropriate.
2. The data processing contemplated in letters g), h) and i) of article 9.2 of Regulation (EU) 2016/679 based on Spanish law must be covered by a norm with the force of law, which may establish additional relative requirements. to your security and confidentiality.
In particular, said rule may cover the processing of data in the field of health when so required by the management of public and private health and social assistance systems and services, or the execution of an insurance contract of which the affected party be part.
Article 10. Processing of data of a criminal nature.
1. The processing of personal data related to convictions and criminal offenses, as well as procedures and related precautionary and security measures, for purposes other than prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, only It may be carried out when it is covered by a rule of Union Law, this organic law or other rules of legal rank.
2. The complete registration of data referring to convictions and criminal offenses, as well as procedures and related precautionary and security measures referred to in article 10 of Regulation (EU) 2016/679, may be carried out in accordance with the provisions of the regulation of the system of administrative records to support the Administration of Justice.
3. Outside of the assumptions indicated in the previous sections, the processing of data referring to convictions and criminal offenses, as well as procedures and related precautionary and security measures will only be possible when they are carried out by lawyers and attorneys and are intended collect the information provided by its clients for the exercise of its functions.
TITLE III
People rights
CHAPTER I
Transparency and information
Article 11. Transparency and information to the affected party.
1. When personal data is obtained from the data subject, the data controller may comply with the duty of information established in article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following section and indicating an electronic address or other means that allows easy and immediate access to the rest of the information.
2. The basic information referred to in the previous section must contain, at least:
a) The identity of the person responsible for the treatment and their representative, if applicable.
b) The purpose of the treatment.
c) The possibility of exercising the rights established in articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the affected party were to be processed for profiling, the basic information will also include this circumstance. In this case, the affected party must be informed of his right to oppose the adoption of automated individual decisions that produce legal effects on him or significantly affect him in a similar way, when this right concurs in accordance with the provisions of article 22 of the Regulations. (EU) 2016/679.
3. When the personal data have not been obtained from the affected party, the person in charge may comply with the duty of information established in article 14 of Regulation (EU) 2016/679 by providing the person with the basic information indicated in the previous section, indicating an address electronic or other means that allows easy and immediate access to the rest of the information.
In these cases, the basic information will also include:
a) The categories of data being processed.
b) The sources from which the data came.
CHAPTER II
Exercise of rights
Article 12. General provisions on the exercise of rights.
1. The rights recognized in articles 15 to 22 of Regulation (EU) 2016/679, may be exercised directly or through a legal or voluntary representative.
2. The person responsible for the treatment will be obliged to inform the affected party about the means at their disposal to exercise the rights that correspond to them. The means must be easily accessible to the affected person. The exercise of the right may not be denied for the sole reason of choosing the affected by another means.
3. The person in charge may process, on behalf of the person in charge, the requests for exercise made by those affected of their rights if this is established in the contract or legal act that binds them.
4. Proof of compliance with the duty to respond to the request to exercise their rights made by the affected party will fall on the person responsible.
5. When the laws applicable to certain treatments establish a special regime that affects the exercise of the rights provided for in Chapter III of Regulation (EU) 2016/679, the provisions of those laws will apply.
6. In any case, the holders of parental authority may exercise, on behalf of and on behalf of minors under fourteen years of age, the rights of access, rectification, cancellation, opposition or any other rights that may correspond to them in the context of this organic law.
7. The actions carried out by the data controller to attend to requests to exercise these rights will be free, without prejudice to the provisions of articles 12.5 and 15.3 of Regulation (EU) 2016/679 and sections 3 and 4 of article 13 of this organic law.
Article 13. Right of access.
1. The right of access of the affected party will be exercised in accordance with the provisions of article 15 of Regulation (EU) 2016/679.
When the person in charge treats a large amount of data related to the affected person and he exercises his right of access without specifying whether it refers to all or part of the data, the person in charge may request, before providing the information, that the affected person specify the data or treatment activities to which the request refers.
2. The right of access will be understood to be granted if the person responsible for the treatment provides the affected party with a remote, direct and secure access system to personal data that guarantees, on a permanent basis, access to its entirety. For this purpose, the communication by the person in charge to the affected party of the way in which he or she can access said system will be enough to consider the request for the exercise of the right to be addressed.
However, the interested party may request from the person in charge the information referring to the points provided for in article 15.1 of Regulation (EU) 2016/679 that is not included in the remote access system.
3. For the purposes established in article 12.5 of Regulation (EU) 2016/679, the exercise of the right of access may be considered repetitive on more than one occasion during a period of six months, unless there is legitimate cause for it.
4. When the affected party chooses a means other than the one offered that entails a disproportionate cost, the request will be considered excessive, so said affected person will assume the excess costs that their choice entails. In this case, the data controller will only be required to satisfy the right of access without undue delay.
Article 14. Right of rectification.
When exercising the right of rectification recognized in article 16 of Regulation (EU) 2016/679, the affected party must indicate in his request what data he refers to and the correction to be made. It must accompany, when necessary, the supporting documentation of the inaccuracy or incompleteness of the data being processed.
Article 15. Right of deletion.
1. The right of deletion will be exercised in accordance with the provisions of article 17 of Regulation (EU) 2016/679.
2. When the deletion derives from the exercise of the right of opposition in accordance with article 21.2 of Regulation (EU) 2016/679, the person in charge may keep the identifying data of the affected person necessary in order to prevent future processing for direct marketing purposes.
Article 16. Right to limitation of treatment.
1. The right to limit treatment will be exercised in accordance with the provisions of article 18 of Regulation (EU) 2016/679.
2. The fact that the processing of personal data is limited must be clearly stated in the information systems of the person in charge.
Article 17. Right to portability.
The right to portability will be exercised in accordance with the provisions of article 20 of Regulation (EU) 2016/679.
Article 18. Right of opposition.
The right of opposition, as well as the rights related to automated individual decisions, including profiling, will be exercised in accordance with the provisions, respectively, in articles 21 and 22 of Regulation (EU) 2016/679.
TITLE IV
Provisions applicable to specific treatments
Article 19. Treatment of contact data, individual entrepreneurs and liberal professionals.
1. Unless proven otherwise, it will be presumed covered by the provisions of article 6.1.f) of Regulation (EU) 2016/679 the treatment of contact data and, where appropriate, those related to the function or position held by people individuals who provide services in a legal entity provided that the following requirements are met:
a) That the treatment refers only to the data necessary for its professional location.
b) That the purpose of the treatment is only to maintain relationships of any kind with the legal person in which the affected person provides their services.
2. The same presumption will operate for the processing of data relating to individual entrepreneurs and liberal professionals, when they refer to them only in that condition and are not processed to establish a relationship with them as natural persons.
3. Those responsible or in charge of the treatment referred to in article 77.1 of this organic law may also process the data mentioned in the two previous sections when this is derived from a legal obligation or is necessary for the exercise of their powers.
Article 20. Credit information systems.
1. Unless proven otherwise, the processing of personal data relating to the breach of monetary, financial or credit obligations by common credit information systems shall be presumed lawful when the following requirements are met:
a) That the data has been provided by the creditor or by whoever acts on their behalf or interest.
b) That the data refer to certain, overdue and enforceable debts, the existence or amount of which has not been the subject of an administrative or judicial claim by the debtor or through an alternative binding dispute resolution procedure between the parties.
c) That the creditor has informed the affected party in the contract or at the time of requesting payment about the possibility of inclusion in said systems, indicating those in which they participate.
The entity that maintains the credit information system with data related to the breach of monetary, financial or credit obligations must notify the affected party of the inclusion of such data and will inform them about the possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679 within thirty days of the notification of the debt to the system, the data remaining blocked during that period.
d) That the data is only kept in the system while the breach persists, with a maximum limit of five years from the expiration date of the monetary, financial or credit obligation.
e) That the data referring to a specific debtor can only be consulted when whoever consults the system maintains a contractual relationship with the affected party that involves the payment of a pecuniary amount or he has requested the conclusion of a contract that involves financing, deferred payment or periodic billing, as happens, among other cases, in those provided for in the legislation of consumer credit contracts and real estate credit contracts.
When the right to limit the processing of the data has been exercised before the system, challenging its accuracy in accordance with the provisions of article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who may consult it in accordance with the previous paragraph about the mere existence of said circumstance, without providing the specific data with respect to which the right had been exercised, as long as it is resolved on the request of the affected party.
f) That, in the event that the request for the conclusion of the contract is denied, or it is not concluded, as a result of the consultation carried out, whoever has consulted the system informs the affected party of the result of said consultation.
2. The entities that maintain the system and the creditors, with respect to the processing of data referring to their debtors, will have the status of joint controllers of the data processing, the provisions of article 26 of Regulation (EU) 2016 / being applicable. 679.
It will be up to the creditor to ensure that the requirements for inclusion in the debt system are met, responding to its non-existence or inaccuracy.
3. The presumption referred to in section 1 of this article does not cover the cases in which the credit information was associated by the entity that maintained the system with additional information to those contemplated in said section, related to the debtor and obtained from other sources, in order to carry out a profiling of the same, in particular through the application of credit rating techniques.
Article 21. Treatments related to the performance of certain commercial operations.
1. Unless proven otherwise, the processing of data, including its prior communication, that may derive from the development of any operation of structural modification of companies or the contribution or transfer of business or branch of business activity will be presumed lawful, always that the treatments were necessary for the successful end of the operation and guarantee, where appropriate, the continuity in the provision of services.
2. In the event that the operation is not concluded, the transferee entity must immediately proceed to delete the data, without applying the blocking obligation provided for in this organic law.
Article 22. Treatment for video surveillance purposes.
1. Natural or legal persons, public or private, may carry out image processing through camera or video camera systems in order to preserve the safety of people and property, as well as their facilities.
2. Images of public roads may only be captured to the extent that it is essential for the purpose mentioned in the previous section.
However, it will be possible to capture the public road in a greater extension when necessary to guarantee the security of strategic goods or facilities or infrastructure related to transport, without in any case involving the capture of images of the interior of a home private.
3. The data will be deleted within a maximum period of one month from its capture, except when they have to be kept to prove the commission of acts that threaten the integrity of people, property or facilities. In this case, the images must be made available to the competent authority within a maximum period of seventy-two hours from when the existence of the recording became known.
The blocking obligation provided for in article 32 of this organic law will not apply to these treatments.
4. The duty of information provided for in article 12 of Regulation (EU) 2016/679 will be understood to have been fulfilled by placing an information device in a sufficiently visible place identifying, at least, the existence of the treatment, the identity of the person in charge and the possibility to exercise the rights provided for in articles 15 to 22 of Regulation (EU) 2016/679. A connection code or internet address to this information may also be included in the information device.
In any case, the data controller must keep the information referred to in the aforementioned regulation available to those affected.
5. Under article 2.2.c) of Regulation (EU) 2016/679, the treatment by a natural person of images that only capture the interior of their own home is considered excluded from its scope of application.
This exclusion does not cover the treatment carried out by a private security entity that had been hired to monitor a home and had access to the images.
6. The processing of personal data from the images and sounds obtained through the use of cameras and video cameras by the Security Forces and Bodies and by the competent bodies for surveillance and control in prisons and for control, regulation, surveillance and discipline of traffic, will be governed by the transposition legislation of Directive (EU) 2016/680, when the treatment has the purpose of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, including protection and prevention against threats to public safety. Outside of these assumptions, said treatment will be governed by its specific legislation and additionally by Regulation (EU) 2016/679 and this organic law.
7. What is regulated in this article is understood without prejudice to the provisions of Law 5/2014, of April 4, on Private Security and its development provisions.
8. The treatment by the employer of data obtained through camera or video camera systems is subject to the provisions of article 89 of this organic law.
Article 23. Advertising exclusion systems.
1. The processing of personal data aimed at preventing the sending of commercial communications to those who have expressed their refusal or opposition to receive them will be lawful.
For this purpose, information systems, general or sectorial, may be created, in which only the essential data to identify those affected will be included. These systems may also include preferential services, through which those affected limit the receipt of commercial communications to those from certain companies.
2. The entities responsible for the advertising exclusion systems will inform the competent control authority of their creation, their general or sectoral nature, as well as the way in which those affected can join them and, where appropriate, assert their preferences. .
The competent control authority will publish in its electronic headquarters a list of the systems of this nature that were communicated to it, incorporating the information mentioned in the previous paragraph. For this purpose, the competent control authority to which the creation of the system has been communicated will inform the other control authorities for its publication by all of them.
3. When an affected party expresses to a person in charge his wish that his data not be processed for the sending of commercial communications, he must inform him of the existing advertising exclusion systems, being able to refer to the information published by the competent control authority.
4. Those who intend to carry out direct marketing communications must first consult the advertising exclusion systems that could affect their performance, excluding from the processing the data of those affected who have expressed their opposition or refusal to it. For these purposes, to consider the above obligation fulfilled, it will be sufficient to consult the exclusion systems included in the list published by the competent control authority.
It will not be necessary to carry out the consultation referred to in the previous paragraph when the affected party has given, in accordance with the provisions of this organic law, their consent to receive the communication to whoever intends to carry it out.
Article 24. Information systems for internal complaints.
1. The creation and maintenance of information systems through which a private law entity can be made known, even anonymously, the commission within it or in the actions of third parties who contract with it, of acts or conducts that could be contrary to the general or sectoral regulations that are applicable. Employees and third parties must be informed about the existence of these information systems.
2. Access to the data contained in these systems will be limited exclusively to those who, whether or not within the entity, carry out the internal control and compliance functions, or to those in charge of the treatment who are eventually designated for this purpose. However, its access by other people, or even its communication to third parties, will be lawful when it is necessary for the adoption of disciplinary measures or for the processing of legal procedures that, where appropriate, proceed.
Without prejudice to the notification to the competent authority of acts constituting a criminal or administrative offense, only when the adoption of disciplinary measures against a worker could proceed, said access will be allowed to personnel with functions of management and control of human resources.
3. The necessary measures must be adopted to preserve the identity and guarantee the confidentiality of the data corresponding to the persons affected by the information provided, especially that of the person who had made the facts known to the entity, in the event that it had been identified.
4. The data of the person making the communication and of the employees and third parties must be kept in the complaints system only for the time necessary to decide on the appropriateness of initiating an investigation into the reported events.
In any case, after three months from the introduction of the data, it must be deleted from the complaints system, unless the purpose of the conservation is to leave evidence of the operation of the model for the prevention of the commission of crimes by the legal entity. Complaints that have not been processed may only be recorded in an anonymized manner, without the blocking obligation set forth in article 32 of this organic law being applicable.
After the period mentioned in the previous paragraph has elapsed, the data may continue to be processed, by the corresponding body, in accordance with section 2 of this article, the investigation of the reported events, not being kept in the internal complaints information system itself.
5. The principles of the previous sections will be applicable to the internal complaint systems that could be created in the Public Administrations.
Article 25. Data processing in the field of the public statistical function.
1. The processing of personal data carried out by the bodies that have attributed the powers related to the exercise of the public statistical function will be subject to the provisions of their specific legislation, as well as in Regulation (EU) 2016/679 and in the present organic law.
2. The communication of the data to the competent bodies in statistical matters will only be understood to be covered by article 6.1 e) of Regulation (EU) 2016/679 in cases where the statistics for which the information is required is required by a European Union law standard or is included in the statutory programming instruments provided for.
In accordance with the provisions of article 11.2 of Law 12/1989, of May 9, on the Public Statistical Function, they will be strictly voluntary and, consequently, only the data from those affected may be collected with the prior express consent of those affected. referred to in articles 9 and 10 of Regulation (EU) 2016/679.
3. The competent bodies for the exercise of the public statistical function may deny requests for the exercise by those affected of the rights established in articles 15 to 22 of Regulation (EU) 2016/679 when the data is protected by the guarantees of the statistical secrecy provided for in state or regional legislation.
Article 26. Processing of data for archival purposes in the public interest by Public Administrations.
The treatment by the Public Administrations of data for archiving purposes in the public interest will be lawful, which will be subject to the provisions of Regulation (EU) 2016/679 and this organic law with the specialties derived from the provisions of the Law 16/1985, of June 25, on Spanish Historical Heritage, in Royal Decree 1708/2011, of November 18, which establishes the Spanish Archives System and regulates the Archives System of the General Administration of the State and its Public Bodies and their access regime, as well as the autonomous legislation that results from application.
Article 27. Processing of data related to infractions and administrative sanctions.
1. For the purposes of article 86 of Regulation (EU) 2016/679, the processing of data related to infractions and administrative sanctions, including the maintenance of records related to them, will require:
a) That those responsible for said processing are the competent bodies for the instruction of the sanctioning procedure, for the declaration of the infractions or the imposition of the sanctions.
b) That the treatment is limited to the data strictly necessary for the purpose pursued by it.
2. When any of the conditions set forth in the previous section is not met, the processing of data referring to infractions and administrative sanctions must have the consent of the interested party or be authorized by a rule with the force of law, in which they will be regulated , where appropriate, additional guarantees for the rights and freedoms of those affected.
3. Outside of the assumptions indicated in the previous sections, the processing of data referring to infractions and administrative sanctions will only be possible when they are carried out by lawyers and solicitors and their purpose is to collect the information provided by their clients for the exercise of their functions.
TITLE V
Responsible and in charge of the treatment
CHAPTER I
General disposition. Active liability measures
Article 28. General obligations of the person in charge and in charge of the treatment.
1. Those responsible and those in charge, taking into account the elements listed in articles 24 and 25 of Regulation (EU) 2016/679, will determine the appropriate technical and organizational measures that must be applied in order to guarantee and prove that the treatment is in accordance with the aforementioned regulation, with this organic law, its implementing regulations and the applicable sectorial legislation. In particular, they will assess whether it is appropriate to carry out the impact assessment on data protection and the prior consultation referred to in Section 3 of Chapter IV of the aforementioned regulation.
2. In order to adopt the measures referred to in the previous section, those responsible and in charge of the treatment will take into account, in particular, the greater risks that could arise in the following cases:
a) When the treatment could generate situations of discrimination, usurpation of identity or fraud, financial losses, damage to reputation, loss of confidentiality of data subject to professional secrecy, unauthorized reversal of the pseudonymization or any other economic, moral or social damage meaningful to those affected.
b) When the treatment could deprive those affected of their rights and freedoms or could prevent them from exercising control over their personal data.
c) When the non-merely incidental or accessory treatment of the special categories of data referred to in articles 9 and 10 of Regulation (EU) 2016/679 and 9 and 10 of this organic law or of data related to the commission of administrative offenses.
d) When the treatment involves an evaluation of personal aspects of those affected in order to create or use personal profiles of them, in particular through the analysis or prediction of aspects related to their performance at work, their economic situation, their health, your personal preferences or interests, your reliability or behavior, your financial solvency, your location or your movements.
e) When the data processing of affected groups in a situation of special vulnerability is carried out and, in particular, of minors and people with disabilities.
f) When there is a massive treatment that involves a large number of those affected or involves the collection of a large amount of personal data.
g) When personal data are to be transferred, on a regular basis, to third States or international organizations for which an adequate level of protection has not been declared.
h) Any others that, in the opinion of the person in charge or the person in charge, could be relevant and in particular those provided for in codes of conduct and standards defined by certification schemes.
Article 29. Assumptions of joint responsibility in the treatment.
The determination of the responsibilities referred to in article 26.1 of Regulation (EU) 2016/679 will be carried out taking into account the activities that each of the joint controllers of the treatment actually carry out.
Article 30. Representatives of those responsible or in charge of the treatment not established in the European Union.
1. In the cases in which Regulation (EU) 2016/679 is applicable to a person in charge of the treatment not established in the European Union by virtue of the provisions of its article 3.2 and the treatment refers to affected persons who are in Spain, the Spanish Agency for Data Protection or, where appropriate, the regional data protection authorities may impose on the representative, jointly and severally with the person in charge or in charge of the treatment, the measures established in Regulation (EU) 2016/679.
Said requirement shall be understood without prejudice to the responsibility that may correspond to the person in charge or the person in charge of the treatment and of the exercise by the representative of the repetition action against whoever proceeds.
2. Likewise, in the event of demand for liability in the terms provided in article 82 of Regulation (EU) 2016/679, those responsible, managers and representatives will be jointly and severally liable for the damages caused.
Article 31. Registration of treatment activities.
1. Those responsible and in charge of the treatment or, where appropriate, their representatives must maintain the register of treatment activities referred to in article 30 of Regulation (EU) 2016/679, unless the exception provided for in their section 5.
The registry, which may be organized around structured data sets, must specify, according to its purposes, the processing activities carried out and the other circumstances established in the aforementioned regulation.
When the person in charge or the person in charge of the treatment has appointed a data protection delegate, they must notify him of any addition, modification or exclusion in the content of the register.
2. The subjects listed in article 77.1 of this organic law will make public an inventory of their treatment activities accessible by electronic means, which will contain the information established in article 30 of Regulation (EU) 2016/679 and its legal basis.
Article 32. Blocking of data.
1. The data controller will be obliged to block the data when it is rectified or deleted.
2. The blocking of the data consists of the identification and reservation of the same, adopting technical and organizational measures, to prevent its treatment, including its visualization, except for making the data available to the judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the requirement of possible responsibilities derived from the treatment and only for the limitation period of the same.
After this period, the data must be destroyed.
3. The blocked data may not be processed for any purpose other than that indicated in the previous section.
4. When, for the fulfillment of this obligation, the configuration of the information system does not allow blocking or an adaptation that implies a disproportionate effort is required, a safe copy of the information will be carried out so that digital evidence is recorded, or other nature, which allows to prove the authenticity of the same, the date of the blockade and the non-manipulation of the data during it.
5. The Spanish Agency for Data Protection and the regional data protection authorities, within the scope of their respective competences, may set exceptions to the blocking obligation established in this article, in the cases in which, taking into account the nature of the data or the fact that they refer to a particularly high number of affected parties, their mere conservation, even blocked, could generate a high risk for the rights of those affected, as well as in those cases in which the conservation of the blocked data could imply a disproportionate cost for the person responsible for the treatment.
CHAPTER II
In charge of the treatment
Article 33. In charge of the treatment.
1. Access by a person in charge of processing to personal data that is necessary for the provision of a service to the person in charge will not be considered communication of data provided that the provisions of Regulation (EU) 2016/679, in the present organic law and its implementing regulations.
2. The person in charge of the treatment and not the person in charge will be considered to be responsible for the treatment and not that of the person in charge who, in his own name and without stating that he acts on behalf of another, establishes relations with those affected even when there is a contract or legal act with the content established in the article 28.3 of Regulation (EU) 2016/679. This provision will not be applicable to treatment orders carried out within the framework of public sector procurement legislation.
The person in charge of the treatment will also be considered the person in charge of the treatment and used the data for their own purposes.
3. The person in charge of the treatment will determine if, when the provision of the services of the person in charge ends, the personal data should be destroyed, returned to the person in charge or delivered, where appropriate, to a new manager.
The destruction of the data will not proceed when there is a legal provision that requires its conservation, in which case it must be returned to the person in charge, who will guarantee its conservation as long as such obligation persists.
4. The person in charge of the treatment may keep, duly blocked, the data as long as responsibilities may arise from their relationship with the person responsible for the treatment.
5. In the field of the public sector, the powers of a person in charge of the treatment may be attributed to a certain body of the General State Administration, the Administration of the autonomous communities, the Entities that make up the Local Administration or the Bodies linked or dependent on the same through the adoption of a regulatory norm of said competences, which must incorporate the content required by article 28.3 of Regulation (EU) 2016/679.
CHAPTER III
Data protection officer
Article 34. Appointment of a data protection officer.
1. Those responsible and in charge of the treatment must designate a data protection delegate in the cases provided for in article 37.1 of Regulation (EU) 2016/679 and, in any case, in the case of the following entities:
a) Professional associations and their general councils.
b) Educational centers that offer education at any of the levels established in the legislation regulating the right to education, as well as public and private universities.
c) Entities that operate networks and provide electronic communications services in accordance with the provisions of their specific legislation, when they regularly and systematically process personal data on a large scale.
d) The service providers of the information society when they elaborate on a large scale profiles of the users of the service.
e) The entities included in article 1 of Law 10/2014, of June 26, on the management, supervision and solvency of credit institutions.
f) Financial credit institutions.
g) Insurance and reinsurance entities.
h) Investment services companies, regulated by the Securities Market legislation.
i) Electric power distributors and marketers and natural gas distributors and marketers.
j) The entities responsible for common files for the evaluation of the capital and credit solvency or the common files for the management and prevention of fraud, including those responsible for the files regulated by the legislation on the prevention of money laundering and the financing of terrorism.
k) Entities that carry out advertising and commercial prospecting activities, including commercial and market research, when they carry out treatments based on the preferences of those affected or carry out activities that imply the elaboration of profiles thereof.
l) The health centers legally obliged to maintain the medical records of patients.
Health professionals who, even though they are legally obliged to maintain the medical records of patients, carry out their activity on an individual basis are excepted.
m) Entities that have as one of their objects the issuance of commercial reports that may refer to individuals.
n) Operators who develop gambling activity through electronic, computer, telematic and interactive channels, in accordance with the gambling regulation regulations.
ñ) Private security companies.
o) Sports federations when they process data of minors.
2. Those responsible or those in charge of the treatment not included in the previous paragraph may voluntarily designate a data protection delegate, who will be subject to the regime established in Regulation (EU) 2016/679 and in this organic law.
3. Those responsible and in charge of the treatment will communicate within ten days to the Spanish Agency for Data Protection or, where appropriate, to the regional data protection authorities, the appointments, appointments and dismissals of the protection delegates of data both in the cases in which they are required to be appointed as in the case in which it is voluntary.
4. The Spanish Agency for Data Protection and the regional data protection authorities will maintain, within the scope of their respective powers, an updated list of data protection delegates that will be accessible by electronic means.
5. In compliance with the obligations of this article, those responsible and in charge of the treatment may establish the full or part-time dedication of the delegate, among other criteria, depending on the volume of the treatments, the special category of the data processed or the risks to the rights or freedoms of the interested parties.
Article 35. Qualification of the data protection officer.
Compliance with the requirements established in article 37.5 of Regulation (EU) 2016/679 for the appointment of the data protection delegate, be it a natural or legal person, may be demonstrated, among other means, through voluntary certification mechanisms that will have particularly taking into account the obtaining of a university degree that accredits specialized knowledge in the law and practice in the field of data protection.
Article 36. Position of the data protection officer.
1. The data protection delegate will act as the interlocutor of the person in charge or in charge of the treatment before the Spanish Agency for Data Protection and the regional data protection authorities. The delegate may inspect the procedures related to the purpose of this organic law and issue recommendations within the scope of his / her powers.
2. In the case of a natural person integrated in the organization of the person in charge or in charge of the treatment, the data protection delegate may not be removed or sanctioned by the person in charge or the person in charge for performing his functions unless he incurred intent or gross negligence in your exercise. The independence of the data protection officer within the organization will be guaranteed, and any conflict of interest must be avoided.
3. In the exercise of their functions, the data protection officer will have access to personal data and treatment processes, and the person in charge or the person in charge of the treatment cannot oppose to this access the existence of any duty of confidentiality or secrecy, including the provided for in article 5 of this organic law.
4. When the data protection officer appreciates the existence of a relevant data protection violation, he / she will document it and immediately communicate it to the administration and management bodies of the person in charge or the person in charge of the treatment.
Article 37. Intervention of the data protection officer in the event of a claim before the data protection authorities.
1. When the person in charge or the person in charge of the treatment has appointed a data protection delegate, the affected party may, prior to filing a claim against them before the Spanish Data Protection Agency or, where appropriate, before the authorities regional data protection authorities, contact the data protection officer of the entity against which the claim is made.
In this case, the data protection officer will inform the affected party of the decision that has been adopted within a maximum period of two months from the receipt of the claim.
2. When the affected party files a claim with the Spanish Data Protection Agency or, where appropriate, with the regional data protection authorities, they may send the claim to the data protection delegate in order for the latter to respond in the within one month.
If after this period the data protection officer has not communicated to the competent data protection authority the response given to the claim, said authority will continue the procedure in accordance with the provisions of Title VIII of this organic law and its regulations. developmental.
3. The procedure before the Spanish Agency for Data Protection will be established in Title VIII of this organic law and its implementing regulations. Likewise, the autonomous communities will regulate the corresponding procedure before their autonomous data protection authorities.
CHAPTER IV
Codes of conduct and certification
Article 38. Codes of conduct.
1. The codes of conduct regulated by section 5 of Chapter IV of Regulation (EU) 2016/679 will be binding for those who adhere to them.
Said codes may be equipped with mechanisms for extrajudicial conflict resolution.
2. Said codes may be promoted, in addition to the associations and bodies referred to in article 40.2 of Regulation (EU) 2016/679, by companies or groups of companies as well as by the managers or managers referred to in the Article 77.1 of this organic law.
Likewise, they may be promoted by the bodies or entities that assume the functions of supervision and extrajudicial resolution of conflicts referred to in article 41 of Regulation (EU) 2016/679.
Those responsible or in charge of the treatment that adhere to the code of conduct are obliged to submit to the supervisory body or entity the claims that were formulated by those affected in relation to the data processing included in its scope of application in case they consider that It is not appropriate to attend to what is requested in the claim, without prejudice to the provisions of article 37 of this organic law. In addition, without prejudice to the powers attributed by Regulation (EU) 2016/679 to the data protection authorities, they may voluntarily and before carrying out the treatment, submit to the said supervisory body or entity the verification of the conformity of the same with the matters subject to the code of conduct.
In the event that the supervisory body or entity rejects or rejects the claim, or if the person in charge or in charge of the treatment does not submit the claim to its decision, the affected party may formulate it before the Spanish Agency for Data Protection or, where appropriate, the regional data protection authorities.
The competent data protection authority will verify that the bodies or entities that promote the codes of conduct have endowed these codes with supervisory bodies that meet the requirements established in article 41.2 of Regulation (EU) 2016/679.
3. The codes of conduct will be approved by the Spanish Data Protection Agency or, where appropriate, by the competent regional data protection authority.
4. The Spanish Data Protection Agency or, where appropriate, the regional data protection authorities will submit the draft codes to the consistency mechanism mentioned in article 63 of Regulation (EU) 2016/679 in the cases in which this proceed according to its article 40.7. The procedure will be suspended as long as the European Data Protection Committee does not issue the opinion referred to in articles 64.1.b) and 65.1.c) of the aforementioned regulation.
When it is an autonomous data protection authority that submits the draft code to the coherence mechanism, the provisions of article 60 of this organic law will be followed.
5. The Spanish Data Protection Agency and the regional data protection authorities will keep records of the codes of conduct approved by them, which will be interconnected with each other and coordinated with the record managed by the European Data Protection Committee in accordance with Article 40.11 of the aforementioned regulation.
The registry will be accessible through electronic means.
6. By royal decree the content of the registry and the specialties of the procedure for the approval of the codes of conduct will be established.
Article 39. Accreditation of certification institutions.
Without prejudice to the functions and accreditation powers of the competent control authority by virtue of articles 57 and 58 of Regulation (EU) 2016/679, the accreditation of the certification institutions referred to in article 43.1 of the aforementioned regulation It may be carried out by the National Accreditation Entity (ENAC), which will notify the Spanish Agency for Data Protection and the data protection authorities of the autonomous communities of the concessions, denials or revocation of accreditations, as well as their motivation. .
TITLE VI
International data transfers
Article 40. Regime of international data transfers.
International data transfers will be governed by the provisions of Regulation (EU) 2016/679, in this organic law and its implementing regulations approved by the Government, and in the circulars of the Spanish Agency for Data Protection and the Autonomous data protection authorities, within the scope of their respective competences.
In any case, the provisions contained in said regulations, in particular those that regulate the principles of data protection, will be applied to the treatments in which the transfer itself consists.
Article 41. Cases of adoption by the Spanish Agency for Data Protection.
1. The Spanish Agency for Data Protection and the regional data protection authorities may adopt, in accordance with the provisions of article 46.2.c) of Regulation (EU) 2016/679, standard contractual clauses for carrying out international transfers of data, which will be previously submitted to the opinion of the European Data Protection Committee provided for in article 64 of the aforementioned regulation.
2. The Spanish Agency for Data Protection and the regional data protection authorities may approve binding corporate regulations in accordance with the provisions of article 47 of Regulation (EU) 2016/679.
The procedure will begin at the request of an entity located in Spain and will last a maximum of nine months. It will be suspended as a result of the referral of the file to the European Data Protection Committee to issue the opinion referred to in article 64.1.f) of Regulation (EU) 2016/679, and will continue after notification to the Spanish Agency for Data Protection or the competent regional data protection authority.
Article 42. Cases subject to prior authorization from the data protection authorities.
1. International data transfers to countries or international organizations that do not have an appropriate decision approved by the Commission or that do not rely on any of the guarantees provided in the previous article and in article 46.2 of Regulation (EU) 2016 / 679, will require prior authorization from the Spanish Data Protection Agency or, where appropriate, regional data protection authorities, which may be granted in the following cases:
a) When the transfer is intended to be based on the provision of adequate guarantees based on contractual clauses that do not correspond to the standard clauses provided for in article 46.2, letters c) and d), of Regulation (EU) 2016/679.
b) When the transfer is carried out by any of the managers or managers referred to in article 77.1 of this organic law and is based on provisions incorporated into non-normative international agreements with other authorities or public bodies of third States, which incorporate effective and enforceable rights for those affected, including memoranda of understanding.
The procedure will have a maximum duration of six months.
2. The authorization will be subject to the issuance by the European Data Protection Committee of the opinion referred to in articles 64.1.e), 64.1.f) and 65.1.c) of Regulation (EU) 2016/679. The referral of the file to the aforementioned committee will imply the suspension of the procedure until the opinion is notified to the Spanish Agency for Data Protection or, through it, to the competent control authority, where appropriate.
Article 43. Cases submitted to prior information to the competent data protection authority.
Those responsible for the treatment must inform the Spanish Agency for Data Protection or, where appropriate, the regional data protection authorities, of any international transfer of data that they intend to carry out on the basis of their need for purposes related to compelling legitimate interests pursued by them and the concurrence of the rest of the requirements set forth in the last paragraph of article 49.1 of Regulation (EU) 2016/679. Likewise, they will inform those affected of the transfer and of the compelling legitimate interests pursued.
This information must be provided prior to making the transfer.
The provisions of this article will not apply to activities carried out by public authorities in the exercise of their public powers, in accordance with article 49.3 of Regulation (EU) 2016/679.
TITLE VII
Data protection authorities
CHAPTER I
The Spanish Agency for Data Protection
Section 1. General provisions
Article 44. General provisions.
1. The Spanish Agency for Data Protection is an independent administrative authority at the state level, from those provided for in Law 40/2015, of October 1, on the Legal Regime of the Public Sector, with legal personality and full public and private capacity, acting with full independence from the public powers in the exercise of its functions.
Its official name, in accordance with the provisions of article 109.3 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, will be "Spanish Agency for Data Protection, Independent Administrative Authority".
It is related to the Government through the Ministry of Justice.
2. The Spanish Data Protection Agency will have the status of common representative of the data protection authorities of the Kingdom of Spain in the European Data Protection Committee.
3. The Spanish Agency for Data Protection and the General Council of the Judiciary will collaborate for the sake of the proper exercise of the respective competences that Organic Law 6/1985, of July 1, of the Judicial Power, attributes to them in matters of data protection personal in the field of the Administration of Justice.
Article 45. Legal regime.
1. The Spanish Agency for Data Protection is governed by the provisions of Regulation (EU) 2016/679, this organic law and its development provisions.
In addition, insofar as it is compatible with its full independence and without prejudice to the provisions of article 63.2 of this organic law, it will be governed by the rules cited in article 110.1 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
2. The Government, at the proposal of the Spanish Agency for Data Protection, will approve its Statute by royal decree.
Article 46. Economic, budgetary and personnel regime.
1. The Spanish Agency for Data Protection will prepare and approve its budget and send it to the Government to be integrated, independently, in the General State Budgets.
2. The regime of modifications and linking of the credits of your budget will be established in the Statute of the Spanish Agency for Data Protection.
It is the responsibility of the Presidency of the Spanish Data Protection Agency to authorize budgetary modifications that imply up to three percent of the initial figure of its total budget of expenses, provided that the appropriations for personnel expenses are not increased. The remaining modifications that do not exceed five percent of the budget will be authorized by the Ministry of Finance and, in other cases, by the Government.
3. The Spanish Agency for Data Protection will count for the fulfillment of its purposes with the allocations that are established with charge to the General State Budgets, the goods and values that constitute its patrimony and the income, ordinary and extraordinary derived from the exercise of its activities, including those derived from the exercise of the powers established in article 58 of Regulation (EU) 2016/679.
4. The positive result of your income will be used by the Spanish Data Protection Agency to allocate your reservations in order to guarantee their full independence.
5. The personnel at the service of the Spanish Data Protection Agency will be civil servants or employees and will be governed by the provisions of the revised text of the Law of the Basic Statute of Public Employees, approved by Royal Legislative Decree 5/2015, of 30 of October, and other regulations governing public officials and, where appropriate, by labor regulations.
6. The Spanish Agency for Data Protection will prepare and approve its list of jobs, within the framework of the criteria established by the Ministry of Finance, respecting the personnel expenditure limit established in the budget. In said list of jobs will include, in any case, those positions that must be performed exclusively by public officials, as they consist of the exercise of functions that involve direct or indirect participation in the exercise of public powers and the safeguarding of the general interests of the State and Public Administrations.
7. Without prejudice to the powers attributed to the Court of Accounts, the economic-financial management of the Spanish Agency for Data Protection will be subject to the control of the General Intervention of the State Administration in the terms established by Law 47/2003, of November 26, General Budget.
Article 47. Functions and powers of the Spanish Agency for Data Protection.
It is the responsibility of the Spanish Data Protection Agency to supervise the application of this organic law and Regulation (EU) 2016/679 and, in particular, to exercise the functions established in article 57 and the powers provided in article 58 of the same regulation, in this organic law and its development provisions.
Likewise, the Spanish Data Protection Agency is responsible for the performance of the functions and powers attributed to it by other laws or regulations of European Union Law.
Article 48. The Presidency of the Spanish Agency for Data Protection.
1. The Presidency of the Spanish Data Protection Agency directs it, holds its representation and issues its resolutions, circulars and guidelines.
2. The Presidency of the Spanish Agency for Data Protection will be assisted by a Deputy to whom he may delegate his functions, with the exception of those related to the procedures regulated by Title VIII of this organic law, and who will replace him in the exercise of the same in the terms provided in the Organic Statute of the Spanish Agency for Data Protection.
Both will exercise their functions with full independence and objectivity and will not be subject to any instruction in their performance. The legislation regulating the exercise of the senior position of the General State Administration will be applicable to them.
3. The Presidency of the Spanish Data Protection Agency and its Deputy shall be appointed by the Government, at the proposal of the Ministry of Justice, from among persons of recognized professional competence, particularly in data protection matters.
Two months before the expiration of the mandate or, in the rest of the causes of cessation, when it has occurred, the Ministry of Justice will order the publication in the Official State Gazette of the public call for candidates.
After evaluating the merit, capacity, competence and suitability of the candidates, the Government will send to the Congress of Deputies a proposal from the Presidency and Deputy accompanied by a supporting report that, after the mandatory hearing of the candidates, must be ratified by the Justice Commission in a public vote by a majority of three-fifths of its members in the first vote or, if this is not reached, by an absolute majority in the second vote, which will take place immediately after the first. In the latter case, the favorable votes must come from Deputies belonging to at least two different parliamentary groups.
4. The Presidency and the Deputy of the Spanish Agency for Data Protection will be appointed by the Council of Ministers by royal decree.
5. The mandate of the Presidency and the Deputy of the Spanish Agency for Data Protection has a duration of five years and can be renewed for another period of the same duration.
The Presidency and the Deputy will only cease before the expiration of their mandate, at their own request or by separation agreed by the Council of Ministers, by:
a) Serious breach of its obligations,
b) supervening incapacity for the exercise of his function,
c) incompatibility, or
d) final conviction for intentional crime.
In the cases provided for in letters a), b) and c), the ratification of the separation by the parliamentary majorities provided for in section 3 of this article will be necessary.
6. The acts and provisions issued by the Presidency of the Spanish Agency for Data Protection put an end to administrative proceedings, being appealable, directly, before the Contentious-Administrative Chamber of the National Court.
Article 49. Advisory Council of the Spanish Agency for Data Protection.
1. The Presidency of the Spanish Data Protection Agency will be advised by an Advisory Council composed of the following members:
a) A Deputy, proposed by the Congress of Deputies.
b) A Senator, proposed by the Senate.
c) A representative appointed by the General Council of the Judiciary.
d) A representative of the General Administration of the State with experience in the matter, proposed by the Minister of Justice.
e) A representative of each Autonomous Community that has created a Data Protection Authority in its territorial scope, proposed in accordance with what is established by the respective Autonomous Community.
f) An expert proposed by the Spanish Federation of Municipalities and Provinces.
g) An expert proposed by the Council of Consumers and Users.
h) Two experts proposed by Business Organizations.
i) A representative of data protection and privacy professionals, proposed by the state-wide association with the largest number of associates.
j) A representative of the agencies or entities for the supervision and extrajudicial resolution of conflicts provided for in Chapter IV of Title V, proposed by the Minister of Justice.
k) An expert, proposed by the Conference of Rectors of Spanish Universities.
l) A representative of the organizations that bring together the General Councils, Superiors and Professional Associations at the state level of the different collegiate professions, proposed by the Minister of Justice.
m) A representative of information security professionals, proposed by the state-level association with the largest number of associates.
n) An expert in transparency and access to public information proposed by the Council for Transparency and Good Governance.
ñ) Two experts proposed by the most representative union organizations.
2. For the purposes of the previous section, the condition of expert will require accrediting specialized knowledge in law and practice in the field of data protection through professional or academic practice.
3. The members of the Advisory Council will be appointed by order of the Minister of Justice, published in the Official State Gazette.
4. The Advisory Council will meet when so ordered by the Presidency of the Spanish Data Protection Agency and, in any case, once a semester.
5. The decisions taken by the Advisory Council will not be binding in any case.
6. In everything not provided for by this organic law, the regime, powers and operation of the Advisory Council will be those established in the Organic Statute of the Spanish Agency for Data Protection.
Article 50. Advertising.
The Spanish Agency for Data Protection will publish the resolutions of its Presidency that declare whether or not the rights recognized in articles 15 to 22 of Regulation (EU) 2016/679 have been addressed, which put an end to the complaint procedures. , those that file the previous investigation actions, those that sanction with warning the entities referred to in article 77.1 of this organic law, those that impose precautionary measures and the others that its Statute provides.
Section 2. Investigation powers and preventive audit plans
Article 51. Scope and competent personnel.
1. The Spanish Agency for Data Protection will carry out its research activity through the actions provided for in Title VIII and preventive audit plans.
2. The investigation activity will be carried out by officials of the Spanish Agency for Data Protection or by officials outside it expressly authorized by its Presidency.
3. In cases of joint investigation actions in accordance with the provisions of article 62 of Regulation (EU) 2016/679, the personnel of the control authorities of other Member States of the European Union who collaborate with the Spanish Agency for the Protection of Data will exercise its powers in accordance with the provisions of this organic law and under the guidance and in the presence of its staff.
4. Officials who carry out investigation activities will be considered agents of the authority in the exercise of their functions, and will be obliged to keep secret the information they learn on the occasion of said exercise, even after having ceased to do so.
Article 52. Duty of collaboration.
1. Public Administrations, including tax and Social Security administrations, and individuals will be obliged to provide the Spanish Data Protection Agency with the data, reports, background information and supporting documents necessary to carry out their research activity.
When the information contains personal data, the communication of said data will be covered by the provisions of article 6.1 c) of Regulation (EU) 2016/679.
2. In the framework of the preliminary investigation actions, when it has not been possible to carry out the identification by other means, the Spanish Agency for Data Protection may collect from the Public Administrations, including tax and Social Security, the information and data that are essential with the sole purpose of achieving the identification of those responsible for the conducts that could constitute an infringement of Regulation (EU) 2016/679 and of this organic law.
In the case of the tax and Social Security Administrations, the information will be limited to that which is necessary to be able to unequivocally identify against whom the action of the Spanish Agency for Data Protection should be directed in the cases of creation of corporate networks that hinder the direct knowledge of the alleged person responsible for the conduct contrary to Regulation (EU) 2016/679 and this organic law.
3. When it has not been possible to carry out the identification by other means, the Spanish Agency for Data Protection may collect from the operators that provide electronic communications services available to the public and from the service providers of the information society the data obtained in their power and that are essential for the identification of the alleged person responsible for the conduct contrary to Regulation (EU) 2016/679 and this organic law when it has been carried out through the use of an information society service or the conducting an electronic communication. For this purpose, the data that the Spanish Data Protection Agency may collect under this section are the following:
a) When the conduct was carried out through the use of a fixed or mobile telephone service:
1. The telephone number of origin of the call in case it had been hidden.
2. The name, identification document number and address of the subscriber or registered user to whom that telephone number corresponds.
3. The mere confirmation that a specific call has been made between two numbers on a certain date and time.
b) When the conduct was carried out through the use of an information society service:
1. The identification of the Internet protocol address from which the conduct was carried out and the date and time of its performance.
2. If the conduct had been carried out by email, the identification of the Internet protocol address from which the email account was created and the date and time it was created.
3. The name, identification document number and address of the subscriber or registered user to whom the Internet Protocol address referred to in the two preceding paragraphs has been assigned.
These data must be transferred, upon a motivated request from the Spanish Data Protection Agency, exclusively within the framework of investigative actions initiated as a result of a complaint filed by an affected party regarding the conduct of a legal person or regarding the use of systems that allow the unrestricted disclosure of personal data. In the rest of the cases, the transfer of these data will require the prior obtaining of judicial authorization granted in accordance with the procedural rules when it is required.
Traffic data that operators were treating with the sole purpose of complying with the obligations set forth in Law 25/2007, of October 18, on the conservation of data relating to electronic communications and to the public communications networks, whose assignment may only take place in accordance with the provisions of it, with prior judicial authorization requested by any of the authorized agents referred to in article 6 of said law.
Article 53. Scope of the investigation activity.
1. Those who carry out the investigation activity may collect the precise information for the fulfillment of their functions, carry out inspections, require the exhibition or dispatch of the necessary documents and data, examine them in the place where they are deposited or where they are kept. carry out the treatments, obtain a copy of them, inspect the physical and logical equipment and require the execution of treatments and treatment management and support programs or procedures subject to investigation.
2. When it is necessary to have access by the personnel carrying out the research activity to the constitutionally protected domicile of the inspected person, it will be necessary to have their consent or to have obtained the corresponding judicial authorization.
3. In the case of judicial bodies or judicial offices, the exercise of the powers of inspection shall be carried out through and through the mediation of the General Council of the Judiciary.
Article 54. Audit plans.
1. The Presidency of the Spanish Data Protection Agency may agree to carry out preventive audit plans, referring to the treatment of a specific sector of activity. Their purpose will be to analyze compliance with the provisions of Regulation (EU) 2016/679 and this organic law, based on conducting research activities on entities belonging to the inspected sector or on those responsible for the audit.
2. As a result of the audit plans, the Presidency of the Spanish Data Protection Agency may issue the general or specific guidelines for a specific person in charge or in charge of the precise treatments to ensure the full adaptation of the sector or person in charge to the Regulation (EU ) 2016/679 and this organic law.
In drawing up these guidelines, the Presidency of the Spanish Data Protection Agency may request the collaboration of the supervisory bodies for codes of conduct and extrajudicial conflict resolution, if any.
3. The guidelines will be mandatory for the sector or person in charge to which the audit plan refers.
Section 3. Other powers of the Spanish Data Protection Agency
Article 55. Regulatory powers. Circulars of the Spanish Agency for Data Protection.
1. The Presidency of the Spanish Data Protection Agency may issue provisions that set the criteria to which the action of this authority will respond in the application of the provisions of Regulation (EU) 2016/679 and in this organic law, which They will be called "Circulars of the Spanish Agency for Data Protection".
2. Its preparation will be subject to the procedure established in the Statute of the Spanish Data Protection Agency, which must provide the necessary technical and legal reports and the audience with the interested parties.
3. The circulars will be mandatory once they are published in the Official State Gazette.
Article 56. External action.
1. The Spanish Data Protection Agency is responsible for the ownership and exercise of the functions related to the external action of the State in the field of data protection.
Likewise, the autonomous communities, through the regional data protection authorities, are responsible for exercising the functions as subjects of foreign action within the framework of their powers in accordance with the provisions of Law 2/2014, of March 25 , of the Action and the Foreign Service of the State, as well as to celebrate international administrative agreements in execution and concretion of an international treaty and non-normative agreements with the analogous bodies of other subjects of international law, not legally binding for those who sign them, on matters of its competence within the framework of Law 25/2014, of November 27, on Treaties and other International Agreements.
2. The Spanish Agency for Data Protection is the competent body for the protection of natural persons with regard to the processing of personal data derived from the application of any International Agreement to which the Kingdom of Spain is a party that attributes to an authority national control of this competence and the common representative of the Data Protection authorities in the European Data Protection Committee, in accordance with the provisions of article 68.4 of Regulation (EU) 2016/679.
The Spanish Agency for Data Protection will inform the regional data protection authorities about the decisions taken in the European Data Protection Committee and will seek their opinion when it comes to matters within its competence.
3. Without prejudice to the provisions of section 1, the Spanish Data Protection Agency:
a) Participate in international meetings and forums other than that of the European Union established by common agreement by the independent control authorities in the field of data protection.
b) Participate, as a Spanish authority, in the competent international organizations in the field of data protection, in the committees or working, study and collaboration groups of international organizations that deal with matters that affect the fundamental right to the protection of personal data. and in other international forums or working groups, within the framework of the State's foreign action.
c) It will collaborate with authorities, institutions, agencies and Administrations of other States in order to promote, promote and develop the fundamental right to data protection, particularly in the Ibero-American sphere, being able to sign international administrative and non-normative agreements on the matter.
CHAPTER II
Autonomous data protection authorities
Section 1. General provisions
Article 57. Autonomous data protection authorities.
1. The autonomous authorities for the protection of personal data may exercise the functions and powers established in articles 57 and 58 of Regulation (EU) 2016/679, in accordance with regional regulations, when they refer to:
a) Treatments for which the entities that are members of the public sector of the corresponding Autonomous Community or the Local Entities included in their territorial scope or who provide services through any form of direct or indirect management are responsible.
b) Treatments carried out by natural or legal persons for the exercise of public functions in matters that fall within the competence of the corresponding Autonomous or Local Administration.
c) Treatments that are expressly provided for, where appropriate, in the respective Statutes of Autonomy.
2. The regional data protection authorities may issue, in relation to the treatments subject to their competence, circulars with the scope and effects established for the Spanish Data Protection Agency in article 55 of this organic law.
Article 58. Institutional cooperation.
The Presidency of the Spanish Data Protection Agency will convene, on its own initiative or when requested by another authority, the regional data protection authorities to contribute to the consistent application of Regulation (EU) 2016/679 and of this organic law. . In any case, biannual cooperation meetings will be held.
The Presidency of the Spanish Agency for Data Protection and the regional data protection authorities may request and must mutually exchange the information necessary for the fulfillment of their functions and, in particular, that relating to the activity of the European Data Protection Committee. . Likewise, they may set up working groups to deal with specific matters of common interest.
Article 59. Treatments contrary to Regulation (EU) 2016/679.
When the Presidency of the Spanish Data Protection Agency considers that a treatment carried out in matters that fall within the competence of the regional data protection authorities violates Regulation (EU) 2016/679, it may require them to adopt, within the term of one month, the necessary measures for its cessation.
If the regional authority does not comply with the request or the measures adopted do not suppose the cessation of the illicit treatment, the Spanish Agency for Data Protection may exercise the actions that proceed before the contentious-administrative jurisdiction.
Section 2. Coordination within the framework of the procedures established in Regulation (EU) 2016/679
Article 60. Coordination in case of issuance of opinion by the European Data Protection Committee.
All communications between the European Data Protection Committee and the regional data protection authorities will be carried out through the Spanish Data Protection Agency when they, as competent authorities, must submit their draft decision to the aforementioned committee or request it. the examination of a matter pursuant to the provisions of paragraphs 1 and 2 of Article 64 of Regulation (EU) 2016/679.
In these cases, the Spanish Data Protection Agency will be assisted by a representative of the Autonomous Authority in its intervention before the Committee.
Article 61. Intervention in case of cross-border processing.
1. The regional data protection authorities will hold the status of main control authority or interested in the procedure established by article 60 of Regulation (EU) 2016/679 when it refers to a treatment provided for in article 57 of this organic law that it is carried out by a person in charge of the treatment of those foreseen in article 56 of Regulation (EU) 2016/679, unless it significantly develops treatments of the same nature in the rest of the Spanish territory.
2. In these cases, it will be up to the regional authorities to intervene in the procedures established in article 60 of Regulation (EU) 2016/679, informing the Spanish Data Protection Agency about its development in the cases in which the mechanism of coherence.
Article 62. Coordination in case of conflict resolution by the European Data Protection Committee.
1. All communications between the European Data Protection Committee and the regional data protection authorities will be carried out through the Spanish Data Protection Agency when these, as main authorities, must request the aforementioned Committee to issue a decision binding as provided in article 65 of Regulation (EU) 2016/679.
2. The regional data protection authorities that have the status of non-main interested authority in a procedure of those provided for in article 65 of Regulation (EU) 2016/679 will inform the Spanish Agency for Data Protection when the matter is referred to the European Data Protection Committee, providing the documentation and information necessary for its processing.
The Spanish Agency for Data Protection will be assisted by a representative of the autonomous authority interested in its intervention before the aforementioned committee.
TITLE VIII
Procedures in case of possible violation of data protection regulations
Article 63. Legal regime.
1. The provisions of this Title will be applicable to the procedures processed by the Spanish Agency for Data Protection in the cases in which an affected party claims that their request to exercise the rights recognized in articles 15 to 22 has not been attended. of Regulation (EU) 2016/679, as well as those in which it investigates the existence of a possible infringement of the provisions of the aforementioned regulation and in this organic law.
2. The procedures processed by the Spanish Agency for Data Protection shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in the alternative, by the general rules on administrative procedures.
3. The Government shall regulate by royal decree the procedures processed by the Spanish Agency for Data Protection under this Title, ensuring in any case the rights of defense and hearing of the interested parties.
Article 64. Form of initiation of the procedure and duration.
1. When the procedure refers exclusively to the lack of attention to a request to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, it will be initiated by an agreement of admission for processing, which will be adopted in accordance with to what is established in article 65 of this organic law.
In this case, the term to resolve the procedure will be six months from the date on which the claimant was notified of the admission for processing agreement. After this period, the interested party may consider his claim upheld.
2. When the purpose of the procedure is to determine the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and in this organic law, it will be initiated by means of a starting agreement adopted on its own initiative or as a consequence of claim.
If the procedure is based on a claim made before the Spanish Data Protection Agency, in advance, it will decide on its admission for processing, in accordance with the provisions of article 65 of this organic law.
When the rules established in Article 60 of Regulation (EU) 2016/679 apply, the procedure will begin by adopting the draft agreement to initiate the sanctioning procedure, of which the interested party will be formally informed for the purposes provided in Article 75 of this organic law.
Once the claim is admitted for processing, as well as in the cases in which the Spanish Data Protection Agency acts on its own initiative, prior to the initiation agreement, there may be a phase of preliminary investigation actions, which will be governed by the provisions of the Article 67 of this organic law.
The procedure will have a maximum duration of nine months from the date of the initiation agreement or, where appropriate, the draft initiation agreement. After this period, its expiration will occur and, consequently, the file of actions.
3. The procedure may also be processed as a result of the communication to the Spanish Agency for Data Protection by the control authority of another Member State of the European Union of the claim made before it, when the Spanish Agency for the Protection of Data had the status of main control authority for the processing of a procedure in accordance with the provisions of articles 56 and 60 of Regulation (EU) 2016/679. In this case, the provisions of section 1 and the first, third, fourth and fifth paragraphs of section 2 shall apply.
4. The processing periods established in this article as well as those for admission to processing regulated by article 65.5 and the duration of the preliminary investigation actions provided for in article 67.2, will be automatically suspended when information, consultation, request for assistance must be collected. or mandatory pronouncement of a body or body of the European Union or of one or more control authorities of the Member States in accordance with the provisions of Regulation (EU) 2016/679, for the time that mediates between the request and the notification of the Statement to the Spanish Data Protection Agency.
Article 65. Admission of claims for processing.
1. When a claim is presented to the Spanish Data Protection Agency, it must evaluate its admissibility for processing, in accordance with the provisions of this article.
2. The Spanish Agency for Data Protection will reject the claims submitted when they do not relate to personal data protection issues, are manifestly unfounded, are abusive or do not provide rational evidence of the existence of an infringement.
3. Likewise, the Spanish Agency for Data Protection may reject the claim when the person in charge or in charge of the treatment, prior warning issued by the Spanish Agency for Data Protection, has adopted the corrective measures aimed at putting an end to the possible breach of the legislation of data protection and any of the following circumstances concur:
a) That no damage has been caused to the affected party in the case of the infractions provided for in article 74 of this organic law.
b) That the right of the affected party is fully guaranteed through the application of the measures.
4. Before deciding on the admission for processing of the claim, the Spanish Agency for Data Protection may send the same to the data protection delegate who, where appropriate, designated the person in charge or in charge of the treatment or to the supervisory body established for the application of codes of conduct for the purposes provided for in articles 37 and 38.2 of this organic law.
The Spanish Agency for Data Protection may also send the claim to the person in charge or in charge of the treatment when a data protection delegate has not been appointed or adhered to extrajudicial conflict resolution mechanisms, in which case the person in charge or manager must respond to the claim within a month.
5. The decision on the admission or inadmissibility for processing, as well as the one that determines, where appropriate, the referral of the claim to the main control authority deemed competent, must be notified to the claimant within three months. If after this period no such notification is produced, it will be understood that the processing of the claim continues in accordance with the provisions of this Title as of the date on which three months have elapsed since the claim was entered in the Spanish Protection Agency. of data.
Article 66. Determination of the territorial scope.
1. Except in the cases referred to in article 64.3 of this organic law, the Spanish Agency for Data Protection must, prior to carrying out any other action, including the admission for processing of a claim or the initiation of previous investigation actions, examine its competence and determine the national or cross-border nature, in any of its modalities, of the procedure to be followed.
2. If the Spanish Data Protection Agency considers that it does not have the status of the main control authority for the processing of the procedure, it will forward, without further processing, the claim made to the main control authority that it considers competent, so that by the same is given the appropriate course. The Spanish Agency for Data Protection will notify this circumstance to whoever, if applicable, has made the claim.
The agreement by which the referral referred to in the previous paragraph is resolved will imply the provisional filing of the procedure, without prejudice to the fact that the Spanish Data Protection Agency may issue the resolution to the referred to in paragraph 8 of article 60 of Regulation (EU) 2016/679.
Article 67. Previous investigation actions.
1. Before the adoption of the agreement to initiate the procedure, and once the claim has been admitted for processing, if any, the Spanish Data Protection Agency may carry out preliminary investigation actions in order to achieve a better determination of the facts. and the circumstances that justify the processing of the procedure.
The Spanish Agency for Data Protection will act in any case when it is necessary to investigate treatments that involve massive traffic of personal data.
2. Preliminary investigation actions shall be subject to the provisions of Section 2 of Chapter I of Title VII of this organic law and may not have a duration of more than twelve months from the date of the agreement for admission to processing or of the date of the agreement by which its initiation is decided when the Spanish Agency for Data Protection acts on its own initiative or as a result of the communication that has been sent by the control authority of another Member State of the European Union, as to article 64.3 of this organic law.
Article 68. Agreement to initiate the procedure for the exercise of the sanctioning power.
1. Once the actions referred to in the preceding article have been concluded, where appropriate, the Presidency of the Spanish Data Protection Agency will be responsible for issuing an agreement to initiate the procedure for the exercise of the sanctioning power, in which the facts will be specified, the identification of the person or entity against which the procedure is directed, the infraction that could have been committed and its possible sanction.
2. When the Spanish Data Protection Agency holds the status of main control authority and the procedure provided for in article 60 of Regulation (EU) 2016/679 must be followed, the draft agreement to initiate the sanctioning procedure will be submitted to the arranged in it.
Article 69. Provisional measures and guarantee of rights.
1. During the preliminary investigation actions or initiation of a procedure for the exercise of the sanctioning power, the Spanish Agency for Data Protection may reasonably agree on the provisional measures necessary and proportionate to safeguard the fundamental right to data protection and , in particular, those provided for in article 66.1 of Regulation (EU) 2016/679, the precautionary blocking of data and the immediate obligation to comply with the requested right.
2. In the cases in which the Spanish Agency for Data Protection considers that the continuation of the processing of personal data, its communication or international transfer will entail a serious impairment of the right to the protection of personal data, it may order those responsible or those in charge of the treatments the blocking of the data and the cessation of its treatment and, in case of breach by these said mandates, proceed to its immobilization.
3. When a claim has been submitted to the Spanish Data Protection Agency that refers, among other issues, to the lack of attention within the term of the rights established in articles 15 to 22 of Regulation (EU) 2016/679, The Spanish Agency for Data Protection may agree at any time, even prior to the initiation of the procedure for the exercise of the sanctioning power, by means of a reasoned resolution and prior hearing of the person responsible for the treatment, the obligation to comply with the requested right, continuing the procedure regarding the rest of the issues that are the subject of the claim.
TITLE IX
Sanctions regime
Article 70. Responsible parties.
1. They are subject to the sanctioning regime established in Regulation (EU) 2016/679 and in this organic law:
a) Those responsible for the treatments.
b) Those in charge of the treatments.
c) The representatives of those responsible or in charge of the treatments not established in the territory of the European Union.
d) Certification entities.
e) Accredited entities for the supervision of codes of conduct.
2. The sanctioning regime established in this Title will not apply to the data protection officer.
Article 71. Infractions.
The acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute offenses.
Article 72. Violations considered very serious.
1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, infractions that imply a substantial violation of the articles mentioned in it and, in particular, the following are considered very serious and will prescribe after three years:
a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679.
b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679.
c) Failure to comply with the requirements of article 7 of Regulation (EU) 2016/679 for the validity of consent.
d) The use of the data for a purpose that is not compatible with the purpose for which they were collected, without the consent of the affected party or with a legal basis for it.
e) The processing of personal data of the categories referred to in article 9 of Regulation (EU) 2016/679, without the occurrence of any of the circumstances provided for in said precept and in article 9 of this organic law.
f) The processing of personal data related to convictions and criminal offenses or related security measures outside the cases allowed by article 10 of Regulation (EU) 2016/679 and in article 10 of this organic law.
g) The processing of personal data related to infractions and administrative sanctions outside the cases allowed by article 27 of this organic law.
h) The omission of the duty to inform the affected party about the processing of their personal data in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679 and 12 of this organic law.
i) Violation of the duty of confidentiality established in article 5 of this organic law.
j) The requirement to pay a fee to provide the data subject with the information referred to in articles 13 and 14 of Regulation (EU) 2016/679 or for meeting the requests for the exercise of rights of those affected under articles 15 to 22 of Regulation (EU) 2016/679, outside of the assumptions established in its article 12.5.
k) The impediment or the obstruction or the repeated failure to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679.
l) The international transfer of personal data to a recipient located in a third country or to an international organization, when the guarantees, requirements or exceptions established in articles 44 to 49 of Regulation (EU) 2016/679 do not meet.
m) Failure to comply with the resolutions issued by the competent data protection authority in exercise of the powers conferred by article 58.2 of Regulation (EU) 2016/679.
n) Failure to comply with the obligation to block the data established in article 32 of this organic law when it is enforceable.
ñ) Failure to facilitate access by the personnel of the competent data protection authority to personal data, information, premises, equipment and means of treatment that are required by the data protection authority for the exercise of its investigative powers.
o) The resistance or obstruction of the exercise of the inspection function by the competent data protection authority.
p) The deliberate reversal of an anonymization procedure in order to allow the re-identification of those affected.
2. The offenses referred to in article 83.6 of Regulation (EU) 2016/679 will have the same consideration and will also prescribe after three years.
Article 73. Violations considered serious.
Based on what is established in article 83.4 of Regulation (EU) 2016/679, infractions that imply a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years:
a) The processing of personal data of a minor without obtaining their consent, when they have the capacity to do so, or that of the holder of their parental authority or guardianship, in accordance with article 8 of Regulation (EU) 2016/679.
b) Failure to prove that reasonable efforts have been made to verify the validity of the consent given by a minor or by the holder of parental authority or guardianship over the same, as required by article 8.2 of Regulation (EU) 2016 / 679.
c) The impediment or the obstruction or the repeated non-attention of the rights of access, rectification, deletion, limitation of the treatment or the portability of the data in treatments in which the identification of the affected is not required, when this, for the exercise of those rights, you have provided additional information that allows your identification.
d) The lack of adoption of those technical and organizational measures that are appropriate to effectively apply the principles of data protection from the design, as well as the failure to integrate the necessary guarantees in the treatment, in the terms required by the article 25 of Regulation (EU) 2016/679.
e) The lack of adoption of the appropriate technical and organizational measures to guarantee that, by default, only the personal data necessary for each of the specific purposes of the treatment will be processed, as required by article 25.2 of the Regulation (EU) 2016/679.
f) The failure to adopt those technical and organizational measures that are appropriate to guarantee a level of security appropriate to the risk of the treatment, in the terms required by article 32.1 of Regulation (EU) 2016/679.
g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with the requirements of article 32.1 of Regulation (EU) 2016/679.
h) Failure to comply with the obligation to appoint a representative of the person in charge or in charge of the treatment not established in the territory of the European Union, in accordance with the provisions of Article 27 of Regulation (EU) 2016/679.
i) The lack of attention by the representative in the Union of the person in charge or the person in charge of the treatment of the requests made by the data protection authority or by those affected.
j) The hiring by the data controller of a data processor who does not offer sufficient guarantees to apply the appropriate technical and organizational measures in accordance with the provisions of Chapter IV of Regulation (EU) 2016/679.
k) Entrust the processing of data to a third party without the prior formalization of a contract or other written legal act with the content required by article 28.3 of Regulation (EU) 2016/679.
l) The hiring by a person in charge of the treatment of other managers without the prior authorization of the person in charge, or without having informed him about the changes produced in the subcontracting when they were legally required.
m) The infringement by a person in charge of the treatment of the provisions of Regulation (EU) 2016/679 and in this organic law, when determining the purposes and means of treatment, in accordance with the provisions of article 28.10 of said regulation.
n) Not having the record of treatment activities established in article 30 of Regulation (EU) 2016/679.
ñ) Not to make available to the data protection authority that has requested it, the record of treatment activities, in accordance with section 4 of article 30 of Regulation (EU) 2016/679.
o) Failure to cooperate with the control authorities in the performance of their functions in the cases not provided for in article 72 of this organic law.
p) The processing of personal data without carrying out a prior assessment of the elements mentioned in article 28 of this organic law.
q) The breach of the duty of the person in charge of the treatment to notify the person in charge of the treatment of the security violations of which he had knowledge.
r) Failure to comply with the duty to notify the data protection authority of a personal data security breach in accordance with the provisions of article 33 of Regulation (EU) 2016/679.
s) Failure to comply with the duty of communication to the affected party of a data security violation in accordance with the provisions of article 34 of Regulation (EU) 2016/679 if the person responsible for the treatment had been required by the protection authority of data to carry out said notification.
t) The processing of personal data without having carried out the evaluation of the impact of the processing operations on the protection of personal data in the cases in which it is required.
u) The processing of personal data without having previously consulted the data protection authority in cases where such consultation is mandatory in accordance with article 36 of Regulation (EU) 2016/679 or when the law establishes the obligation to carry out that query.
v) Failure to comply with the obligation to appoint a data protection officer when his appointment is required in accordance with article 37 of Regulation (EU) 2016/679 and article 34 of this organic law.
w) Not allowing the effective participation of the data protection officer in all matters related to the protection of personal data, not supporting it or interfering in the performance of its functions.
x) The use of a seal or certification regarding data protection that has not been granted by a duly accredited certification body or in the event that its validity has expired.
y) Obtain accreditation as a certification body by presenting inaccurate information on compliance with the requirements of article 43 of Regulation (EU) 2016/679.
z) The performance of functions that Regulation (EU) 2016/679 reserves to certification bodies, without having been duly accredited in accordance with the provisions of article 39 of this organic law.
aa) Non-compliance by a certification body of the principles and duties to which it is subject as provided in articles 42 and 43 of Regulation (EU) 2016/679.
ab) The performance of functions that article 41 of Regulation (EU) 2016/679 reserves to the supervisory bodies of codes of conduct without having been previously accredited by the competent data protection authority.
ac) Failure to adopt by the accredited supervisory bodies of a code of conduct of the appropriate measures in the event of a violation of the code, as required by article 41.4 of Regulation (EU) 2016/679.
Article 74. Infractions considered minor.
The remaining infringements of a merely formal nature of the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will prescribe a year, and in particular, the following:
a) Failure to comply with the principle of information transparency or the data subject's right to information for not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679.
b) The requirement to pay a fee to provide the data subject with the information required by articles 13 and 14 of Regulation (EU) 2016/679 or to meet the requests for the exercise of rights of those affected provided for in articles 15 to 22 of the Regulation (EU) 2016/679, when its article 12.5 so permits, if its amount exceeds the amount of the costs incurred to provide the information or perform the requested action.
c) Failure to respond to requests to exercise the rights established in articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of article 72.1.k) of this organic law are applicable.
d) Failure to comply with the rights of access, rectification, deletion, limitation of the treatment or the portability of the data in treatments in which the identification of the affected is not required, when the latter, for the exercise of those rights, has provided additional information that allows their identification, unless the provisions of article 73 c) of this organic law are applicable.
e) Failure to comply with the notification obligation regarding the rectification or deletion of personal data or the limitation of the treatment required by article 19 of Regulation (EU) 2016/679.
f) Failure to comply with the obligation to inform the affected party, when requested to do so, of the recipients to whom the rectified, deleted personal data has been communicated or for which the treatment has been limited.
g) Failure to comply with the obligation to delete data referring to a deceased person when this is required in accordance with article 3 of this organic law.
h) The lack of formalization by the joint controllers of the agreement that determines the respective obligations, functions and responsibilities with respect to the processing of personal data and their relationships with those affected referred to in article 26 of Regulation (EU) 2016/679 or the inaccuracy in their determination.
i) Failure to make available to those affected the essential aspects of the agreement formalized between the joint controllers, as required by article 26.2 of Regulation (EU) 2016/679.
j) Failure to comply with the obligation of the person in charge of the treatment to inform the person in charge of the treatment about the possible infringement by an instruction received from him of the provisions of Regulation (EU) 2016/679 or of this organic law, in accordance with required by article 28.3 of the aforementioned regulation.
k) Failure by the person in charge of the stipulations imposed in the contract or legal act that regulates the treatment or the instructions of the person responsible for the treatment, unless he is legally obliged to do so in accordance with Regulation (EU) 2016/679 and this organic law or in the cases in which it is necessary to avoid the infringement of the legislation on data protection and the person in charge or the person in charge of the treatment has been warned of this.
l) Have a register of processing activities that does not include all the information required by article 30 of Regulation (EU) 2016/679.
m) Incomplete, late or defective notification to the data protection authority of the information related to a personal data security breach in accordance with the provisions of Article 33 of Regulation (EU) 2016/679.
n) Failure to comply with the obligation to document any security violation, required by article 33.5 of Regulation (EU) 2016/679.
ñ) Failure to comply with the duty to notify the affected party of a data security violation that entails a high risk to the rights and freedoms of those affected, as required by article 34 of Regulation (EU) 2016/679, Unless the provisions of article 73 s) of this organic law are applicable.
o) Provide inaccurate information to the Data Protection Authority, in the cases in which the data controller must submit a prior consultation, in accordance with article 36 of Regulation (EU) 2016/679.
p) Not publishing the contact details of the data protection officer, or not communicating them to the data protection authority, when their appointment is required in accordance with article 37 of Regulation (EU) 2016/679 and article 34 of this organic law.
q) Non-compliance by the certification bodies of the obligation to inform the data protection authority of the issuance, renewal or withdrawal of a certification, as required by paragraphs 1 and 5 of Article 43 of Regulation (EU) 2016/679.
r) Failure by accredited supervisory bodies of a code of conduct of the obligation to inform the data protection authorities about the measures that are appropriate in case of violation of the code, as required by article 41.4 of the Regulation (EU) 2016/679.
Article 75. Interruption of the prescription of the offense.
The prescription will be interrupted by the initiation, with the knowledge of the interested party, of the sanctioning procedure, restarting the limitation period if the sanctioning file is paralyzed for more than six months for reasons not attributable to the alleged offender.
When the Spanish Data Protection Agency holds the status of main control authority and the procedure provided for in article 60 of Regulation (EU) 2016/679 must be followed, the prescription will interrupt the formal knowledge by the interested party of the draft initiation agreement that be submitted to the interested control authorities.
Article 76. Sanctions and corrective measures.
1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 will be applied taking into account the graduation criteria established in section 2 of said article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the offender's activity with the processing of personal data.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have led to the commission of the offense.
e) The existence of a merger process by absorption subsequent to the commission of the offense, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which there are controversies between them and any interested party.
3. It will be possible, complementary or alternatively, the adoption, when appropriate, of the remaining corrective measures referred to in article 83.2 of Regulation (EU) 2016/679.
4. The information that identifies the offender, the offense committed and the amount of the sanction imposed when the competent authority is the Spanish Agency for Data Protection, the sanction exceeds one million euros, will be published in the Official State Gazette. euros and the offender is a legal person.
When the competent authority to impose the sanction is an autonomous data protection authority, its applicable regulations will be followed.
Article 77. Regime applicable to certain categories of responsible or in charge of the treatment.
1. The regime established in this article will apply to the treatments for which they are responsible or in charge:
a) The constitutional bodies or those with constitutional relevance and the institutions of the autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General State Administration, the Administrations of the autonomous communities and the entities that make up the Local Administration.
d) Public bodies and public law entities linked or dependent on Public Administrations.
e) The independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the treatment are related to the exercise of public law powers.
h) Public sector foundations.
i) Public Universities.
j) Consortia.
k) The parliamentary groups of the Cortes Generales and the Autonomous Legislative Assemblies, as well as the political groups of the Local Corporations.
2. When those responsible or those in charge listed in section 1 commit any of the infractions referred to in articles 72 to 74 of this organic law, the competent data protection authority shall issue a resolution sanctioning them with warning. The resolution will also establish the measures to be adopted to stop the conduct or correct the effects of the offense that had been committed.
The resolution will be notified to the person in charge or in charge of the treatment, the body on which it depends hierarchically, where appropriate, and those affected who have the status of interested party, where appropriate.
3. Without prejudice to the provisions of the previous section, the data protection authority will also propose the initiation of disciplinary actions when there is sufficient evidence to do so. In this case, the procedure and the sanctions to be applied will be those established in the applicable legislation on disciplinary or sanctioning regime.
Likewise, when the infractions are attributable to authorities and managers, and the existence of technical reports or recommendations for treatment that have not been duly addressed is proven, the resolution imposing the sanction will include a warning with the title of the position. responsible and the publication will be ordered in the Official Gazette of the corresponding State or regional government.
4. The decisions relating to the measures and actions referred to in the previous sections must be communicated to the data protection authority.
5. The Ombudsman or, where appropriate, the analogous institutions of the autonomous communities shall be notified of the actions carried out and the resolutions issued under this article.
6. When the competent authority is the Spanish Agency for Data Protection, it will publish on its website with due separation the resolutions referring to the entities in section 1 of this article, expressly indicating the identity of the person in charge or in charge of the treatment. who had committed the offense.
When the jurisdiction corresponds to an autonomous data protection authority, the publicity of these resolutions will be governed by its specific regulations.
Article 78. Prescription of sanctions.
1. The sanctions imposed in application of Regulation (EU) 2016/679 and of this organic law prescribe in the following terms:
a) Sanctions for an amount equal to or less than 40,000 euros, prescribe within one year.
b) Sanctions for an amount between 40,001 and 300,000 euros prescribe after two years.
c) Sanctions for an amount greater than 300,000 euros prescribe after three years.
2. The limitation period for sanctions will begin to run from the day following the day on which the resolution imposing the sanction is enforceable or the period to appeal it has elapsed.
3. The prescription will be interrupted by the initiation, with the knowledge of the interested party, of the enforcement procedure, the term will lapse if it is paralyzed for more than six months for reasons not attributable to the offender.
TITLE X
Guarantee of digital rights
Article 79. Rights in the Digital Age.
The rights and freedoms enshrined in the Constitution and in the International Treaties and Conventions to which Spain is a party are fully applicable on the Internet. Information society service providers and Internet service providers will help ensure its application.
Article 80. Right to Internet neutrality.
Users have the right to Internet neutrality. Internet service providers shall provide a transparent offer of services without discrimination on technical or economic grounds.
Article 81. Right of universal access to the Internet.
1. Everyone has the right to access the Internet regardless of their personal, social, economic or geographical condition.
2. Universal, affordable, quality and non-discriminatory access will be guaranteed for the entire population.
3. Access to the Internet for men and women will seek to overcome the gender gap both in the personal and work areas.
4. Access to the Internet will seek to bridge the generation gap through actions aimed at training and accessing the elderly.
5. The effective guarantee of the right of access to the Internet will address the specific reality of rural environments.
6. Internet access must guarantee equal conditions for people with special needs.
Article 82. Right to digital security.
Users have the right to the security of the communications they transmit and receive through the Internet. Internet service providers will inform users of their rights.
Article 83. Right to digital education.
1. The educational system will guarantee the full insertion of students in the digital society and the learning of a use of digital media that is safe and respectful of human dignity, constitutional values, fundamental rights and, particularly with respect and guarantee of personal and family privacy and the protection of personal data. Actions carried out in this area will be inclusive, in particular with regard to students with special educational needs.
The educational administrations must include in the design of the block of freely configured subjects the digital competence referred to in the previous section, as well as the elements related to risk situations derived from the inappropriate use of ICT, with special attention to situations of violence on the Internet.
2. Teachers will receive the digital skills and training necessary for teaching and transmitting the values and rights referred to in the previous section.
3. The study plans for university degrees, especially those that enable students to perform professionally in training, will guarantee training in the use and safety of digital media and in the guarantee of fundamental rights on the Internet.
4. The Public Administrations will incorporate into the agendas of the access tests to higher bodies and those in which they usually perform functions that involve access to personal data matters related to the guarantee of digital rights and in particular that of data protection .
Article 84. Protection of minors on the Internet.
1. Parents, guardians, curators or legal representatives will ensure that minors make a balanced and responsible use of digital devices and the services of the information society in order to guarantee the adequate development of their personality and preserve their dignity and fundamental rights.
2. The use or dissemination of images or personal information of minors in social networks and equivalent information society services that may imply an illegitimate interference in their fundamental rights will determine the intervention of the Public Prosecutor's Office, which will call for precautionary measures and protection provided for in Organic Law 1/1996, of January 15, on the Legal Protection of Minors.
Article 85. Right to rectification on the Internet.
1. Everyone has the right to freedom of expression on the Internet.
2. Those responsible for social networks and equivalent services will adopt appropriate protocols to enable the exercise of the right of rectification before users who disseminate content that violates the right to honor, personal and family privacy on the Internet and the right to freely communicate or receive truthful information, taking into account the requirements and procedures set forth in Organic Law 2/1984, of March 26, regulating the right to rectification.
When the digital media must respond to the rectification request made against them, they must proceed to the publication in their digital files of a clarifying notice that shows that the original news does not reflect the current situation of the individual. Said notice must appear in a visible place together with the original information.
Article 86. Right to update information in digital media.
Everyone has the right to reasonably request from the digital media the inclusion of a sufficiently visible update notice next to the news that concerns them when the information contained in the original news item does not reflect their current situation as a consequence of circumstances that may have taken place. after publication, causing you harm.
In particular, the inclusion of said notice will proceed when the original information refers to police or judicial actions that have been affected for the benefit of the interested party as a result of subsequent judicial decisions. In this case, the notice will refer to the subsequent decision.
Article 87. Right to privacy and use of digital devices in the workplace.
1. Public workers and employees shall have the right to the protection of their privacy in the use of digital devices made available to them by their employer.
2. The employer may access the content derived from the use of digital media provided to workers for the sole purpose of controlling compliance with labor or statutory obligations and guaranteeing the integrity of said devices.
3. Employers must establish criteria for the use of digital devices, respecting in all cases the minimum standards for the protection of their privacy in accordance with social practices and constitutionally and legally recognized rights. Workers' representatives must participate in its preparation.
Access by the employer to the content of digital devices with respect to which they have admitted their use for private purposes will require that the authorized uses be precisely specified and guarantees are established to preserve the privacy of the workers, such as, where appropriate, the determination of the periods in which the devices may be used for private purposes.
Workers must be informed of the criteria for use referred to in this section.
Article 88. Right to digital disconnection in the workplace.
1. Public workers and employees shall have the right to digital disconnection in order to guarantee, outside of the legal or conventionally established working time, respect for their rest, leave and vacation time, as well as their personal and family privacy.
2. The modalities of exercise of this right will attend to the nature and object of the labor relationship, will enhance the right to reconcile work activity and personal and family life and will be subject to the provisions of collective bargaining or, in its defect, as agreed between the company and the workers' representatives.
3. The employer, after hearing the workers' representatives, will draw up an internal policy aimed at workers, including those in managerial positions, in which they will define the modalities for exercising the right to disconnection and the training and awareness-raising actions of the personnel on a reasonable use of the technological tools that avoid the risk of computer fatigue. In particular, the right to digital disconnection will be preserved in the cases of total or partial realization of remote work as well as at the employee's home linked to the use of technological tools for employment purposes.
Article 89. Right to privacy against the use of video surveillance and sound recording devices in the workplace.
1. Employers may process the images obtained through camera or video camera systems for the exercise of the control functions of workers or public employees provided, respectively, in article 20.3 of the Workers' Statute and in the legislation of public function, provided that these functions are carried out within its legal framework and within the limits inherent to it. Employers must inform in advance, and expressly, clearly and concisely, workers or public employees and, where appropriate, their representatives, about this measure.
In the event that the flagrant commission of an illegal act by workers or public employees has been captured, the duty to inform will be understood to have been fulfilled when there is at least the device referred to in article 22.4 of this organic law.
2. In no case shall the installation of sound recording or video surveillance systems be allowed in places intended for the rest or recreation of workers or public employees, such as changing rooms, toilets, dining rooms and the like.
3. The use of systems similar to those referred to in the previous sections for the recording of sounds in the workplace will be allowed only when the risks for the safety of the facilities, goods and people derived from the activity carried out in the workplace are relevant. the workplace and always respecting the principle of proportionality, that of minimum intervention and the guarantees provided in the previous sections. The suppression of the sounds preserved by these recording systems will be carried out in accordance with the provisions of section 3 of article 22 of this law.
Article 90. Right to privacy when using geolocation systems in the workplace.
1. Employers may process the data obtained through geolocation systems for the exercise of the functions of control of workers or public employees provided, respectively, in article 20.3 of the Workers' Statute and in the public function legislation , provided that these functions are exercised within its legal framework and with the limits inherent to it.
2. Previously, employers must expressly, clearly and unequivocally inform workers or public employees and, where appropriate, their representatives, about the existence and characteristics of these devices. They must also inform them about the possible exercise of the rights of access, rectification, limitation of treatment and deletion.
Article 91. Digital rights in collective bargaining.
Collective agreements may establish additional guarantees of rights and freedoms related to the processing of personal data of workers and the safeguarding of digital rights in the workplace.
Article 92. Data protection of minors on the Internet.
The educational centers and any natural or legal persons that carry out activities in which minors participate will guarantee the protection of the minor's best interests and their fundamental rights, especially the right to the protection of personal data, in the publication or dissemination of their data. personal information through services of the information society.
When said publication or dissemination were to take place through social network services or equivalent services, they must have the consent of the minor or their legal representatives, in accordance with the provisions of article 7 of this organic law.
Article 93. Right to be forgotten in Internet searches.
1. Everyone has the right to have Internet search engines remove from the lists of results that were obtained after a search carried out based on their name the links published that contain information related to that person when they are inappropriate, inaccurate, irrelevant. , not updated or excessive or have become as such over time, taking into account the purposes for which they were collected or processed, the time elapsed and the nature and public interest of the information.
In the same way, it should be done when the personal circumstances that the affected party invokes in his case show the prevalence of his rights over the maintenance of the links by the Internet search service.
This right will subsist even when the conservation of the information published on the website to which the link was directed is lawful and it does not proceed to its prior or simultaneous deletion.
2. The exercise of the right referred to in this article will not prevent access to the information published on the website through the use of search criteria other than the name of the person exercising the right.
Article 94. Right to be forgotten in social network services and equivalent services.
1. Everyone has the right to have the personal data that they have provided for publication by equivalent social network services and information society services deleted at their simple request.
2. Every person has the right to have personal data that concerns them and that have been provided by third parties for publication by social networking services and equivalent information society services deleted when they are inappropriate, inaccurate, irrelevant, not updated or excessive or have become as such over time, taking into account the purposes for which they were collected or processed, the time elapsed and the nature and public interest of the information.
In the same way, said data must be deleted when the personal circumstances invoked by the affected party show the prevalence of their rights over the maintenance of the data by the service.
The data that have been provided by natural persons in the exercise of personal or domestic activities are excepted from the provisions of this section.
3. In the event that the right is exercised by an affected party regarding data that had been provided to the service, by him or by third parties, during his minority, the provider must proceed without delay to its deletion by his simple request, without the need for the circumstances mentioned in section 2 to concur.
Article 95. Right to portability in social network services and equivalent services.
Users of social network services and equivalent information society services will have the right to receive and transmit the contents that they have provided to the providers of said services, as well as for the providers to transmit them directly to another provider designated by the user. , whenever technically possible.
The providers may keep, without disseminating it through the Internet, a copy of the contents when said conservation is necessary for the fulfillment of a legal obligation.
Article 96. Right to a digital will.
1. Access to content managed by information society service providers on deceased persons will be governed by the following rules:
a) People linked to the deceased for family or de facto reasons, as well as their heirs may contact the information society service providers in order to access said content and give them the instructions they deem appropriate about their use, destination or deletion.
As an exception, the aforementioned persons will not be able to access the contents of the deceased, nor request its modification or elimination, when the deceased person has expressly prohibited it or so established by law. Said prohibition will not affect the right of the heirs to access the contents that could be part of the remnant estate.
b) The executor of the will, as well as the person or institution that the deceased had expressly designated for this purpose, may also request, in accordance with the instructions received, access to the contents in order to comply with such instructions.
c) In the case of deceased minors, these powers may also be exercised by their legal representatives or, within the framework of their powers, by the Public Prosecutor, who may act ex officio or at the request of any interested natural or legal person.
d) In the event of the death of people with disabilities, these powers may also be exercised, in addition to those indicated in the previous letter, by those who have been designated to carry out support functions if such powers are understood to be included in the support measures provided. by the designee.
2. The persons entitled in the previous section may decide about the maintenance or elimination of the personal profiles of deceased persons in social networks or equivalent services, unless the deceased had decided about this circumstance, in which case his instructions will be followed. .
The person in charge of the service to which the request to delete the profile is communicated, in accordance with the previous paragraph, must proceed with it without delay.
3. By royal decree the requirements and conditions to prove the validity and validity of the mandates and instructions and, where appropriate, their registration, which may coincide with that provided for in article 3 of this organic law, will be established.
4. What is established in this article in relation to deceased persons in the autonomous communities with civil, foral or special law, their own will be governed by what is established by these within their scope of application.
Article 97. Policies to promote digital rights.
1. The Government, in collaboration with the autonomous communities, will prepare an Internet Access Plan with the following objectives:
a) Overcoming digital gaps and guaranteeing access to the Internet for vulnerable groups or groups with special needs and from economically disadvantaged family and social environments through, among other measures, a social voucher for Internet access;
b) promote the existence of public access connection spaces; and
c) promote educational measures that promote training in basic digital skills and abilities for individuals and groups at risk of digital exclusion and the ability of all people to make autonomous and responsible use of the Internet and digital technologies.
2. An Action Plan will also be approved aimed at promoting the necessary training, dissemination and awareness actions to ensure that minors make a balanced and responsible use of digital devices and of social networks and of society's services. equivalent information on the Internet in order to guarantee their adequate development of personality and to preserve their dignity and fundamental rights.
3. The Government will present an annual report to the corresponding parliamentary commission of the Congress of Deputies in which it will report on the evolution of the rights, guarantees and mandates contemplated in this Title and the necessary measures to promote their promotion and effectiveness. .
First additional provision. Security measures in the field of the public sector.
1. The National Security Scheme will include the measures that must be implemented in the event of the processing of personal data to prevent its loss, alteration or unauthorized access, adapting the criteria for determining the risk in data processing to the provisions of article 32 of Regulation (EU) 2016/679.
2. The persons in charge listed in article 77.1 of this organic law must apply the corresponding security measures to those provided in the National Security Scheme to the processing of personal data, as well as promote a degree of implementation of equivalent measures in companies. or foundations linked to them subject to private law.
In cases where a third party provides a service under a concession, management commission or contract, the security measures will correspond to those of the public Administration of origin and will be adjusted to the National Security Scheme.
Second additional provision. Data protection and transparency and access to public information.
Active advertising and access to public information regulated by Title I of Law 19/2013, of December 9, on transparency, access to public information and good governance, as well as the active advertising obligations established by legislation. autonomic, will be subject, when the information contains personal data, to the provisions of articles 5.3 and 15 of Law 19/2013, Regulation (EU) 2016/679 and this organic law.
Third additional provision. Computation of terms.
The terms established in Regulation (EU) 2016/679 or in this organic law, regardless of whether they refer to relationships between individuals or with public sector entities, will be governed by the following rules:
a) When the terms are indicated by days, it is understood that these are working days, excluding Saturdays, Sundays and holidays declared from the calculation.
b) If the term is set in weeks, it will end on the same day of the week in which the event that determines its initiation occurred in the expiration week.
c) If the term is set in months or years, it will end on the same day that the event that determines its initiation occurred in the month or year of expiration. If in the expiration month there is no day equivalent to the one on which the computation begins, it shall be understood that the term expires on the last day of the month.
d) When the last day of the period is non-business, it will be understood to be extended to the next business day.
Fourth additional provision. Procedure in relation to the powers attributed to the Spanish Agency for Data Protection by other laws.
The provisions of Title VIII and its implementing regulations will be applied to the procedures that the Spanish Data Protection Agency would have to process in the exercise of the powers that were attributed to it by other laws.
Fifth additional provision. Judicial authorization in relation to decisions of the European Commission regarding international data transfer.
1. When a data protection authority considers that a decision of the European Commission on international data transfer, the validity of which depends on the resolution of a specific procedure, violates the provisions of Regulation (EU) 2016/679, undermining the fundamental right to data protection, will immediately agree to suspend the procedure, in order to request authorization from the judicial body to declare it so within the procedure of which it is hearing. Said suspension must be confirmed, modified or lifted in the agreement of admission or inadmissibility for processing of the request of the data protection authority addressed to the competent court.
The decisions of the European Commission to which this channel may apply are:
a) those that declare the adequate level of protection of a third country or international organization, by virtue of article 45 of Regulation (EU) 2016/679;
b) those that approve standard data protection clauses for international data transfers, or
c) those that declare the validity of the codes of conduct for this purpose.
2. The authorization referred to in this provision may only be granted if, after raising a preliminary ruling of validity in the terms of article 267 of the Treaty on the Functioning of the European Union, the decision of the European Commission questioned was declared invalid by the Court of Justice of the European Union.
Sixth additional provision. Incorporation of debts to credit information systems.
Debts in which the amount of the principal is less than fifty euros will not be incorporated into the credit information systems referred to in article 20.1 of this organic law.
The Government, by royal decree, may update this amount.
Seventh additional provision. Identification of those interested in notifications through announcements and publications of administrative acts.
1. When it is necessary to publish an administrative act that contains the personal data of the affected person, it will be identified by his or her name and surname, adding four random numerical figures from the national identity document, foreigner identity number, passport or equivalent document. When the publication refers to a plurality of those affected, these random figures should be alternated.
In the case of notification by means of announcements, particularly in the cases referred to in article 44 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the affected party will be identified exclusively through the complete number of your national identity document, foreigner identity number, passport or equivalent document.
When the affected person lacks any of the documents mentioned in the two previous paragraphs, the affected person will be identified only by his or her name and surname. In no case should the name and surname be published together with the complete number of the national identity document, foreigner identity number, passport or equivalent document.
2. In order to prevent risks for victims of gender violence, the Government will promote the development of a collaboration protocol that defines safe procedures for the publication and notification of administrative acts, with the participation of the bodies with competence in the matter.
Eighth additional provision. Verification power of the Public Administrations.
When requests are made by any means in which the interested party declares personal data held by the Public Administrations, the body receiving the request may carry out, in the exercise of its powers, the necessary verifications to verify the accuracy of the data.
Ninth additional provision. Processing of personal data in relation to the notification of security incidents.
When, in accordance with the provisions of the applicable national legislation, security incidents must be reported, the competent public authorities, computer emergency response teams (CERT), computer security incident response teams (CSIRT), suppliers of electronic communications networks and services and providers of security technologies and services, may process the personal data contained in such notifications, exclusively for the time and scope necessary for their analysis, detection, protection and response to incidents and adopting the security measures adequate and proportionate to the level of risk determined.
Tenth additional provision. Data communications by the subjects listed in article 77.1.
The persons in charge listed in article 77.1 of this organic law may communicate the personal data that is requested from them by subjects of private law when they have the consent of those affected or they appreciate that the applicants have a legitimate interest that prevails over the rights and interests. of those affected in accordance with the provisions of article 6.1 f) of Regulation (EU) 2016/679.
Eleventh additional provision. Privacy in electronic communications.
The provisions of this organic law shall be understood without prejudice to the application of the rules of internal law and of the European Union regulating privacy in the electronic communications sector, without imposing additional obligations on natural or legal persons in the matter of treatment within the framework of the provision of public electronic communications services in public communication networks in areas in which they are subject to specific obligations established in said regulations.
Twelfth additional provision. Specific provisions applicable to the processing of public sector personnel records.
1. The processing of public sector personnel records shall be understood to have been carried out in the exercise of public powers conferred on those responsible, in accordance with the provisions of article 6.1.e) of Regulation (EU) 2016/679.
2. The public sector personnel records may process personal data related to criminal offenses and convictions and administrative offenses and penalties, limiting themselves to the data strictly necessary for the fulfillment of their purposes.
3. In accordance with the provisions of article 18.2 of Regulation (EU) 2016/679, and as it is considered an important public interest reason, the data whose treatment has been limited by virtue of article 18.1 of the aforementioned regulation, may be subject to treatment when necessary for the development of personnel procedures.
Thirteenth additional provision. International transfers of tax data.
Transfers of tax data between the Kingdom of Spain and other States or international or supranational entities will be regulated by the terms and with the limits established in the regulations on mutual assistance between the States of the European Union, or within the framework of the agreements to avoid double taxation or other international agreements, as well as by the rules on mutual assistance established in Chapter VI of Title III of Law 58/2003, of December 17, General Tax.
Fourteenth additional provision. Rules issued pursuant to article 13 of Directive 95/46 / EC.
The rules issued in application of article 13 of Directive 95/46 / EC of the European Parliament and of the Council, of October 24, 1995, regarding the protection of natural persons with regard to the processing of personal data and freedom of circulation of these data, which had entered into force prior to May 25, 2018, and in particular articles 23 and 24 of Organic Law 15/1999, of December 13, on the Protection of Personal Data, remain in force as long as they are not expressly modified, substituted or repealed.
Fifteenth additional provision. Information request by the National Securities Market Commission.
When it has not been able to obtain by other means the information necessary to carry out its supervision or inspection tasks, the National Securities Market Commission may collect from the operators that provide electronic communications services available to the public and from the company's service providers of the information, the data in their possession related to the electronic communication or service of the information society provided by said providers that are different from their content and are essential for the exercise of said tasks.
The transfer of these data will require the prior obtaining of judicial authorization granted in accordance with the procedural rules.
Traffic data that operators were treating with the sole purpose of complying with the obligations set forth in Law 25/2007, of October 18, on the conservation of data relating to electronic communications and to public communications networks.
Sixteenth additional provision. Aggressive practices regarding data protection.
For the purposes set forth in article 8 of Law 3/1991, of January 10, on Unfair Competition, the following are considered aggressive practices:
a) Act with the intention of supplanting the identity of the Spanish Agency for Data Protection or an autonomous data protection authority in making any communication to those responsible and in charge of the treatments or to the interested parties.
b) Generate the appearance that it is acting on behalf, on behalf of or in collaboration with the Spanish Agency for Data Protection or an autonomous data protection authority in the performance of any communication to those responsible and in charge of the treatments in which the sender offers its products or services.
c) Carry out commercial practices in which the decision-making power of the recipients is restricted by referring to the possible imposition of sanctions for breach of the personal data protection regulations.
d) Offer any type of document by which it is intended to create an appearance of compliance with the data protection provisions in a complementary way to the performance of training actions without having carried out the necessary actions to verify that said compliance is effectively produced.
e) Assume, without express designation of the person in charge or the person in charge of the treatment, the function of data protection delegate and communicate in such condition with the Spanish Agency for Data Protection or the regional data protection authorities.
Seventeenth additional provision. Health data treatment.
1. The treatment of data related to health and genetic data that are regulated in the following laws and their development provisions:
a) Law 14/1986, of April 25, General Health.
b) Law 31/1995, of November 8, on Occupational Risk Prevention.
c) Law 41/2002, of November 14, regulating basic patient autonomy and rights and obligations regarding information and clinical documentation.
d) Law 16/2003, of May 28, on cohesion and quality of the National Health System.
e) Law 44/2003, of November 21, on the organization of the health professions.
f) Law 14/2007, of July 3, on Biomedical Research.
g) Law 33/2011, of October 4, General Public Health.
h) Law 20/2015, of July 14, on the organization, supervision and solvency of insurance and reinsurance entities.
i) The revised text of the Law on guarantees and rational use of 105 medicines and health products, approved by Royal Legislative Decree 1/2015, of July 24.
j) The revised text of the General Law on the rights of people with disabilities and their social inclusion, approved by Royal Legislative Decree 1/2013 of November 29.
2. The treatment of data in health research will be governed by the following criteria:
a) The interested party or, where appropriate, their legal representative may grant consent for the use of their data for health research purposes and, in particular, biomedical research. Such purposes may include categories related to general areas linked to a medical or research specialty.
b) Health authorities and public institutions with powers in public health surveillance may carry out scientific studies without the consent of those affected in situations of exceptional relevance and seriousness to public health.
c) The reuse of personal data for health and biomedical research purposes will be considered lawful and compatible when, having obtained consent for a specific purpose, the data is used for research purposes or areas related to the area in which the initial study is scientifically integrated.
In such cases, those responsible must publish the information established by article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of your personal data and the free circulation of these data, in an easily accessible place on the corporate website of the center where the research or clinical study is carried out, and, where appropriate, in that of the promoter, and notify the existence of this information by electronic means to those affected. When they lack the means to access such information, they may request its remission in another format.
For the treatments provided for in this letter, a prior favorable report from the research ethics committee will be required.
d) The use of pseudonymised personal data for health and, in particular, biomedical research purposes is considered lawful.
The use of pseudonymised personal data for public health and biomedical research purposes will require:
1.º A technical and functional separation between the research team and those who carry out the pseudonymization and keep the information that enables re-identification.
2. That the pseudonymized data are only accessible to the research team when:
i) There is an express commitment to confidentiality and not to carry out any re-identification activity.
ii) Specific security measures are adopted to prevent re-identification and access by unauthorized third parties.
The data may be re-identified at its source, when, as a result of an investigation that uses pseudonymised data, the existence of a real and concrete danger to the safety or health of a person or group of people, or a serious threat is appreciated. for their rights or is necessary to guarantee adequate healthcare.
e) When personal data is processed for health research purposes, and in particular biomedical, for the purposes of article 89.2 of Regulation (EU) 2016/679, the rights of those affected provided for in articles 15, 16, may be exempted. 18 and 21 of Regulation (EU) 2016/679 when:
1.º The aforementioned rights are exercised directly before researchers or research centers that use anonymized or pseudonymized data.
2. The exercise of such rights refers to the results of the investigation.
3. The purpose of the investigation is an essential public interest related to State security, defense, public security or other important objectives of general public interest, provided that in the latter case the exception is expressly included in a regulation with rank Of law.
f) When, in accordance with the provisions of Article 89 of Regulation (EU) 2016/679, a treatment is carried out for research purposes in public health and, in particular, biomedical, the following will be carried out:
1.º Carry out an impact assessment that determines the risks derived from the treatment in the cases provided for in article 35 of Regulation (EU) 2016/679 or in those established by the supervisory authority. This evaluation will specifically include the re-identification risks linked to the anonymization or pseudonymization of the data.
2. Submit scientific research to quality standards and, where appropriate, to international guidelines on good clinical practice.
3.º Adopt, where appropriate, measures aimed at guaranteeing that researchers do not access data identifying the interested parties.
4. Appoint a legal representative established in the European Union, in accordance with article 74 of Regulation (EU) 536/2014, if the promoter of a clinical trial is not established in the European Union. Said legal representative may coincide with the one provided for in article 27.1 of Regulation (EU) 2016/679.
g) The use of pseudonymised personal data for research purposes in public health and, in particular, biomedical, must be submitted to the prior report of the research ethics committee provided for in the sectoral regulations.
In the absence of the existence of the aforementioned Committee, the entity responsible for the investigation will require a prior report from the data protection officer or, failing that, from an expert with the prior knowledge of article 37.5 of Regulation (EU) 2016/679.
h) Within a maximum period of one year from the entry into force of this law, the research ethics committees, in the field of health, biomedical or medicine, must include among their members a data protection delegate or , failing that, an expert with sufficient knowledge of Regulation (EU) 2016/679 when dealing with research activities involving the processing of personal data or pseudonymized or anonymized data.
Eighteenth additional provision. Security criteria.
The Spanish Agency for Data Protection will develop, with the collaboration, when necessary, of all the stakeholders involved, the tools, guides, guidelines and guidelines that are necessary to provide professionals, micro-enterprises, and small and medium-sized enterprises with adequate guidelines for compliance with the active responsibility obligations established in Title IV of Regulation (EU) 2016/679 and in Title V of this organic law.
Additional provision nineteenth. Rights of minors before the Internet.
Within a year from the entry into force of this organic law, the Government will send to the Congress of Deputies a bill specifically aimed at guaranteeing the rights of minors in the face of the impact of the Internet, in order to guarantee their safety. and fight against discrimination and violence that is exerted on them through new technologies.
Additional provision twentieth. Specialties of the legal regime of the Spanish Agency for Data Protection.
1. Article 50.2.c) of Law 40/2015, of October 1, on the Public Sector Legal Regime, will not apply to the Spanish Data Protection Agency.
2. The Spanish Data Protection Agency may adhere to the centralized contracting systems established by the Public Administrations and participate in the shared management of common services provided for in article 85 of Law 40/2015, of October 1, on the Regime Public Sector Legal.
Twenty-first additional provision. Digital education.
The educational administrations will comply with the mandate contained in the second paragraph of section 1 of article 83 of this organic law within a period of one year from its entry into force.
Twenty-second additional provision. Access to public and ecclesiastical archives.
The competent public authorities will facilitate access to public and ecclesiastical archives in relation to the data that are requested on the occasion of police or judicial investigations of disappeared persons, and the religious institutions or congregations to which they are made must respond promptly and diligently. access requests.
First transitory provision. Statute of the Spanish Agency for Data Protection.
1. The Statute of the Spanish Agency for Data Protection, approved by Royal Decree 428/1993, of March 26, will continue in force as long as it does not oppose what is established in Title VIII of this organic law.
2. The provisions of sections 2, 3 and 5 of article 48 and article 49 of this organic law shall apply once the mandate of the person holding the status of Director of the Spanish Data Protection Agency expires upon entry into vigor of it.
Second transitory provision. Standard codes registered with the data protection authorities in accordance with Organic Law 15/1999, of December 13, on the Protection of Personal Data.
The promoters of the type codes registered in the registry of the Spanish Agency for Data Protection or in the regional data protection authorities must adapt their content to the provisions of article 40 of Regulation (EU) 2016/679 within the term of one year from the entry into force of this organic law.
If, after said period, the approval provided for in article 38.4 of this organic law has not been requested, the registration will be canceled and its promoters will be notified.
Third transitory provision. Transitional regime of the procedures.
1. The procedures already initiated at the entry into force of this organic law will be governed by the previous regulations, unless this organic law contains more favorable provisions for the interested party.
2. The provisions of the preceding section shall also apply to the procedures in respect of which the previous actions referred to in Section 2 of Chapter III of Title IX of the Regulations for the development of the Organic Law have already been initiated. 15/1999, of December 13, Protection of Personal Data, approved by Royal Decree 1720/2007, of December 21.
Fourth transitory provision. Treatments subject to Directive (EU) 2016/680.
The treatments subject to Directive (EU) 2016/680 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data by the competent authorities for purposes of prevention, investigation, detection or prosecution of criminal offenses or the execution of criminal sanctions, and the free circulation of said data and by which the Council Framework Decision 2008/977 / JAI is repealed, will continue to be governed by Organic Law 15 / 1999, of December 13, and in particular article 22, and its implementing provisions, as long as the rule that transposes the provisions of the aforementioned directive into Spanish law does not come into force.
Fifth transitory provision. Treatment manager contracts.
The treatment manager contracts signed prior to May 25, 2018 under the provisions of article 12 of Organic Law 15/1999, of December 13, on the Protection of Personal Data will remain in force to date. expiration date indicated therein and if it has been agreed indefinitely, until May 25, 2022.
During said periods, either party may require the other to modify the contract in order for it to be in accordance with the provisions of article 28 of Regulation (EU) 2016/679 and Chapter II of Title V of this law. organic.
Sixth transitory provision. Reuse for health and biomedical research purposes of personal data collected prior to the entry into force of this organic law.
The reuse of personal data lawfully collected prior to the entry into force of this organic law will be considered lawful and compatible when any of the following circumstances occur:
a) That said personal data be used for the specific purpose for which consent has been given.
b) That, having obtained consent for a specific purpose, such data are used for purposes or areas of research related to the medical or research specialty in which the initial study is scientifically integrated.
Sole repealing provision. Regulatory repeal.
1. Notwithstanding the provisions of the fourteenth additional provision and the fourth transitory provision, Organic Law 15/1999, of December 13, on the Protection of Personal Data, is repealed.
2. Royal Decree-Law 5/2018, of July 27, on urgent measures for the adaptation of Spanish law to the regulations of the European Union on data protection is hereby repealed.
3. Likewise, any provisions of equal or lower rank that contradict, oppose, or are incompatible with the provisions of Regulation (EU) 2016/679 and this organic law are repealed.
First final provision. Nature of the present law.
This law has the character of an organic law.
However, they have the character of ordinary law:
- Title IV,
- Title VII, except for articles 52 and 53, which are organic,
- Title VIII,
- Title IX,
- Articles 79, 80, 81, 82, 88, 95, 96 and 97 of Title X,
- the additional provisions, except for the second additional provision and the seventeenth additional provision, which are organic in nature,
- the transitional provisions,
- and the final provisions, except for the first, second, third, fourth, eighth, tenth and sixteenth final provisions, which are organic.
Second final provision. Competency title.
1. This organic law is issued under the protection of article 149.1.1.ª of the Constitution, which attributes to the State the exclusive competence for the regulation of the basic conditions that guarantee the equality of all Spaniards in the exercise of rights and in the fulfillment of constitutional duties.
2. Chapter I of Title VII, Title VIII, the fourth additional provision and the first transitory provision will only be applicable to the General State Administration and its public bodies.
3. Articles 87 to 90 are issued under the exclusive jurisdiction that Article 149.1.7th and 18th of the Constitution reserves to the State in matters of labor legislation and bases of the statutory regime of public officials respectively.
4. The fifth additional provision and the seventh and sixth final provisions are issued under the jurisdiction that article 149.1.6.ª of the Constitution attributes to the State in matters of procedural legislation.
5. The third additional provision is issued under article 149.1.18 of the Constitution.
6. Article 96 is issued under the protection of article 149.1.8.ª of the Constitution.
Third final provision. Modification of Organic Law 5/1985, of June 19, of the General Electoral Regime.
The Organic Law 5/1985, of June 19, of the General Electoral Regime is modified, which is worded as follows:
One. Section 3 of article thirty-nine is worded as follows:
"3. Within the aforementioned period, any person may make a claim addressed to the Provincial Delegation of the Electoral Census Office about their census data, although only those that refer to the rectification of errors in personal data, may be taken into account. changes of address within the same constituency or the non-inclusion of the claimant in any Census Section of the constituency despite having the right to do so. The requests of the voters who oppose their inclusion in the copies of the electoral roll that are provided to the representatives of the candidacies to send electoral propaganda mailings will also be attended to. Those that reflect a change of residence from one district to another will not be taken into account for the election called.
Two. A new article fifty-eight bis is added, with the following content:
«Article fifty-eight bis. Use of technological means and personal data in electoral activities.
1. The collection of personal data related to the political opinions of people carried out by political parties in the framework of their electoral activities will be protected in the public interest only when adequate guarantees are offered.
2. Political parties, coalitions and electoral groups may use personal data obtained from web pages and other sources of public access to carry out political activities during the electoral period.
3. The sending of electoral propaganda by electronic means or messaging systems and the contracting of electoral propaganda in social networks or equivalent means will not be considered commercial activity or communication.
4. The aforementioned outreach activities will prominently identify their electoral nature.
5. The recipient will be provided with a simple and free way to exercise the right of opposition. "
Fourth final provision. Modification of Organic Law 6/1985, of July 1, of the Judicial Power.
The Organic Law, 6/1985, of July 1, of the Judicial Power is modified, in the following terms:
One. A third paragraph is added to article 58, with the following wording:
«Article 58.
Third. Of the authorization request for the declaration provided for in the fifth additional provision of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights, when such request is made by the General Council of the Judiciary. "
Two. A letter f) is added to article 66, with the following wording:
«Article 66.
f) The request for authorization for the declaration provided for in the fifth additional provision of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights, when such request is made by the Spanish Agency for Data Protection. "
Three. A letter k) is added to section 1 and a new section 7 to article 74, with the following wording:
«Article 74.
1. […]
k) The request for authorization for the declaration provided for in the fifth additional provision of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights, when such request is made by the data protection authority of the respective Autonomous Community.
[…]
7. It is the responsibility of the Contentious-Administrative Chambers of the Superior Courts of Justice to authorize, by order, the request for information by regional data protection authorities from operators that provide electronic communications services available to the public and from the Information society service providers, when necessary in accordance with specific legislation. "
Four. A new paragraph 7 is added to article 90:
«7. It is the responsibility of the Central Contentious-Administrative Courts to authorize, by order, the request for information by the Spanish Agency for Data Protection and other independent administrative authorities at the state level to the operators that provide electronic communications services available to the public and of the service providers of the information society, when it is necessary in accordance with the specific legislation. "
Fifth final provision. Modification of Law 14/1986, of April 25, General Health.
A new Chapter II is added to Title VI of Law 14/1986, of April 25, General Health with the following content:
"CHAPTER II
Treatment of health research data
Article 105 bis.
The processing of personal data in health research will be governed by the provisions of the seventeenth additional provision of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights. "
Sixth final provision. Modification of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction.
Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, is modified in the following terms:
One. A new paragraph 7 is added to article 10:
«7. They will be aware of the authorization request under article 122 ter, when it is formulated by the data protection authority of the respective Autonomous Community. "
Two. A new paragraph 5 is added to article 11:
"5. It will be aware of the authorization request under article 122 ter, when it is formulated by the Spanish Data Protection Agency. "
Three. A new paragraph 4 is added to article 12:
"4. It will hear the request for authorization under article 122 ter, when it is formulated by the General Council of the Judiciary. "
Four. A new article 122 ter is introduced, with the following wording:
«Article 122 ter. Judicial authorization procedure in accordance with a decision of the European Commission on international data transfer.
1. The procedure to obtain the judicial authorization referred to in the fifth additional provision of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights, will begin with the request of the data protection authority addressed to the competent Court for to rule on the conformity of a decision of the European Commission on international data transfer with European Union law. The request will be accompanied by a copy of the file that is pending resolution before the data protection authority.
2. The parties to the procedure, in addition to the data protection authority, shall be parties to the procedure processed before it and, in any case, the European Commission.
3. The agreement of admission or inadmissibility to process the procedure will confirm, modify or lift the suspension of the procedure for possible violation of the data protection regulations processed before the data protection authority, which is caused by this judicial authorization procedure.
4. Once the request has been accepted for processing, the competent Court will notify the data protection authority so that it may notify those who intervene in the procedure processed before it to appear within three days. Likewise, it will be transferred to the European Commission for the same purposes.
5. Once the period mentioned in the previous letter has concluded, the request for authorization will be transmitted to the parties in person so that within a period of ten days they can claim what they deem appropriate, being able to request at that time the practice of the tests that deem necessary.
6. Once the trial period has elapsed, if any of the parties has requested it and the court deems it appropriate, a hearing will be held. The Court may decide the scope of the issues on which the parties must focus their allegations in said hearing.
7. Once the procedures mentioned in the three previous sections have been completed, the competent Court will adopt one of these decisions within ten days:
a) If it considers that the decision of the European Commission is in accordance with European Union law, it will issue a judgment declaring it so and denying the requested authorization.
b) If it considers that the decision is contrary to European Union law, it will issue a preliminary ruling on the validity of the aforementioned decision before the Court of Justice of the European Union, in the terms of article 267 of the Treaty of Functioning of the European Union.
The authorization can only be granted if the decision of the European Commission questioned was declared invalid by the Court of Justice of the European Union.
8. The system of resources will be the one provided for in this law. "
Seventh final provision. Modification of Law 1/2000, of January 7, on Civil Procedure.
Article 15 bis of Law 1/2000, of January 7, on Civil Procedure is modified, which is worded as follows:
«Article 15 bis. Intervention in antitrust and data protection processes.
1. The European Commission, the National Commission for Markets and Competition and the competent bodies of the autonomous communities within the scope of their powers may intervene in the defense of competition and data protection processes, without having the status of party, on its own initiative or at the request of the judicial body, by providing information or submitting written observations on issues relating to the application of articles 101 and 102 of the Treaty on the Functioning of the European Union or articles 1 and 2 of the Law 15/2007, of July 3, on the Defense of Competition. With the permission of the corresponding judicial body, they may also present verbal observations. To these effects,
The contribution of information will not reach the data or documents obtained in the scope of the circumstances of application of the exemption or reduction of the amount of the fines provided for in articles 65 and 66 of Law 15/2007, of July 3, of Defense of Competition.
2. The European Commission, the National Commission of Markets and Competition and the competent bodies of the autonomous communities will provide the information or present the observations provided for in the previous number ten days before the holding of the act of the trial referred to in the Article 433 or within the period of opposition or challenge of the appeal filed.
3. The provisions of the previous sections on procedural matters will also apply when the European Commission, the Spanish Agency for Data Protection and the regional data protection authorities, within the scope of their powers, consider it necessary to intervene in a process that affects issues related to the application of Regulation (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016. "
Eighth final provision. Modification of Organic Law 6/2001, of December 21, on Universities.
A new letter l) is included in section 2 of article 46 of Organic Law 6/2001, of December 21, on Universities, with the following content:
"L) Training in the use and safety of digital media and in guaranteeing fundamental rights on the Internet."
Ninth final provision. Modification of Law 41/2002, of November 14, regulating basic patient autonomy and rights and obligations regarding information and clinical documentation.
Section 3 of article 16 of Law 41/2002, of November 14, basic regulating the autonomy of the patient and of rights and obligations in matters of information and clinical documentation, is modified, which happens to have the following wording:
«Article 16. […]
3. Access to medical records for judicial, epidemiological, public health, research or teaching purposes is governed by the provisions of current legislation on the protection of personal data, and in Law 14/1986, of April 25, General Health, and other rules of application in each case. Access to the medical history for these purposes requires the preservation of the patient's personal identification data, separate from those of a clinical-care nature, so that, as a general rule, anonymity is ensured, unless the patient himself has given his consent to do not separate them.
The investigation cases provided for in section 2 of the seventeenth additional provision of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights are excepted.
Likewise, the cases of investigation of the judicial authority in which the unification of the identifying data with the clinical care are considered essential, in which the judges and courts in the corresponding process will be subject to. Access to the data and documents of the medical record is strictly limited to the specific purposes of each case.
When this is necessary for the prevention of a serious risk or danger to the health of the population, the health administrations referred to in Law 33/2011, of October 4, General Public Health, may access the identifying data of patients for epidemiological reasons or for the protection of public health. Access must be made, in any case, by a healthcare professional subject to professional secrecy or by another person subject, likewise, to an equivalent obligation of secrecy, with prior motivation from the Administration requesting access to the data. "
Tenth final provision. Modification of Organic Law 2/2006, of May 3, on Education.
A new letter l) is included in section 1 of article 2 of Organic Law 2/2006, of May 3, on Education, which is worded as follows:
«L) Training to guarantee the full insertion of students in the digital society and the learning of a safe use of digital media and respectful of human dignity, constitutional values, fundamental rights and, particularly, with respect and guarantee of individual and collective privacy. "
Eleventh final provision. Modification of Law 19/2013, of December 9, on transparency, access to public information and good governance.
Law 19/2013, of December 9, on transparency, access to public information and good governance is modified, in the following terms:
One. A new article 6 bis is added, with the following wording:
«Article 6 bis. Registration of treatment activities.
The subjects listed in article 77.1 of the Organic Law on Protection of Personal Data and Guarantee of Digital Rights, will publish their inventory of treatment activities in application of article 31 of the aforementioned Organic Law. "
Two. Section 1 of article 15 is worded as follows:
"1. If the requested information contains personal data that reveals the ideology, union affiliation, religion or beliefs, access may only be authorized in the event of the express and written consent of the affected party, unless said affected party has clearly made it public. the data before access was requested.
If the information includes personal data that refer to racial origin, health or sexual life, includes genetic or biometric data or contains data related to the commission of criminal or administrative offenses that do not entail public reprimand to the offender, access only it may be authorized in the event of the express consent of the affected party or if he or she is covered by a rule with the force of law. "
Twelfth final provision. Modification of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations.
Sections 2 and 3 of article 28 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations are modified, which now have the following wording:
«Article 28. […]
2. Interested parties have the right not to provide documents that are already in the possession of the acting Administration or have been prepared by any other Administration. The acting administration may consult or collect said documents unless the interested party objects to it. The opposition will not fit when the contribution of the document is required within the framework of the exercise of sanctioning or inspection powers.
The Public Administrations must collect the documents electronically through their corporate networks or by consulting the data intermediation platforms or other electronic systems enabled for this purpose.
In the case of mandatory reports already prepared by an administrative body other than the one that handles the procedure, these must be sent within ten days from their request. Once this period has elapsed, the interested party will be informed that they can provide this report or wait for it to be sent by the competent body.
3. The Administrations will not require the interested parties to present original documents, unless, exceptionally, the applicable regulatory regulations establish otherwise.
Likewise, the Public Administrations will not require data or documents from the interested parties that are not required by the applicable regulatory regulations or that have been previously provided by the interested party to any Administration. For these purposes, the interested party must indicate at what time and before which administrative body they presented the aforementioned documents, and the Public Administrations must collect them electronically through their corporate networks or by consulting the data intermediation platforms or other electronic systems enabled to the effect, unless stated in the procedure the express opposition of the interested party or the applicable special law requires their express consent. Exceptionally, if the Public Administrations could not obtain the aforementioned documents,
Thirteenth final provision. Modification of the consolidated text of the Workers' Statute Law.
A new article 20 bis is added to the consolidated text of the Workers' Statute Law, approved by Royal Legislative Decree 2/2015, of October 23, with the following content:
«Article 20 bis. Workers' rights to privacy in relation to the digital environment and to disconnection.
Workers have the right to privacy in the use of digital devices made available to them by the employer, to digital disconnection and privacy from the use of video surveillance and geolocation devices in the terms established in the current legislation on protection of personal data and guarantee of digital rights. »
Fourteenth final provision. Modification of the consolidated text of the Law of the Basic Statute of the Public Employee.
A new letter ja) is added to article 14 of the revised text of the Law of the Basic Statute of Public Employees, approved by Royal Legislative Decree 5/2015, of October 30, which will be worded as follows:
«Ja) To privacy in the use of digital devices made available to them and against the use of video surveillance and geolocation devices, as well as digital disconnection in the terms established in the current legislation on the protection of personal data and guarantee of digital rights. »
Fifteenth final provision. Regulatory development.
The Government is empowered to develop the provisions of articles 3.2, 38.6, 45.2, 63.3, 96.3 and the sixth additional provision, in the terms established therein.
Sixteenth final provision. Entry into force.
This organic law shall enter into force the day following its publication in the Official State Gazette.
Therefore,
I command all Spaniards, individuals and authorities, to keep and enforce this organic law.
Madrid, December 5, 2018.
FELIPE R.
The president of the Government,
PEDRO SÁNCHEZ PÉREZ-CASTEJÓN
For more information, see here: https://www.boe.es/buscar/doc.php?id=BOE-A-2018-16673
These materials were obtained directly from the International Government public websites and are posted here for your review and reference only. No Claim to Original International Government Works. These may not be the most recent versions. The International Governments may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information or the information linked to. Please check the linked sources directly.
| Attachment | Size |
|---|---|
 spain_boe-a-2018-16673.pdf | 1.2 MB |