Ley Orgánica de Protección de Datos de Carácter Personal
The Organic Law 15/1999 of December 13 on Protection of Personal Data (Spanish: Ley Orgánica de Protección de Datos de Carácter Personal, LOPD) was Spanish organic law that guaranteed and protected the processing of personal data, public liberties, and fundamental human rights, and especially of personal and family honor and privacy. It was approved by the General Court on December 13, 1999. This law was developed based on Article 18 of the Spanish Constitution of 1978, the familiar and personal right to privacy, and the secrecy of communications.
Its main objective was to regulate the treatment of data and files, of a personal nature, regardless of the support in which they are treated, the rights of citizens over them and the obligations of those who create or treat them. This law affected all data that referred to registered humans on any support, computer or otherwise. Excluded from this regulation are those data collected for domestic use, classified materials of the state and those files that collected data on Terrorism and other forms of organized crime (not simple delinquency).
Based on this law, the Spanish Agency for Data Protection was created, at the state level, which ensures compliance with this Law.
This act was repealed by the passage of a new data protection act, the Organic Law 3/2018 of December 5, about protection of personal data and guarantees of digital rights, to conform the Spanish legislation with the General Data Protection Regulation[1]
Regulatory development
[edit]- The Royal Decree 994/1999 on Security Measures for automated files that containing personal data of June 11, 1999 (RMS): It is a regulation that develops the Organic Law 5/1992, of October 29, of Regulation of the Automated Treatment of Personal Data (LORTAD), regulates the technical and organizational measures that must be applied to the information systems in which personal data are processed in an automated way. (Repealed since April 19 of 2010)
- The Royal Decree 1720/2007, of December 21 on the development of the Organic Law on Data Protection. It is a development of the Organic Law 15/99 of Data Protection of December 13; develops the principles of the law, and the security measures to be applied in the information systems. It applies to files in automated support, as in any other type of media.
Control bodies and possible sanctions
[edit]The body responsible for monitoring compliance with data protection regulations at Spanish territory, in general, is the Spanish Agency for Data Protection (AEPD), [2] there are other Data Protection Agencies of an autonomous nature, in Autonomous Communities of Catalonia and in Basque Country.
The sanctions are divided into three groups depending on the seriousness of the act committed,[3] Spain being the country of the European Union that has the highest sanctions in terms of protection of data. These sanctions depend on the violation committed. The last company sanctioned has been the company Grupon, sanctioned by the state data protection agency, with 20 000 euros for storing the CVV codes of the Credit cards from their customers without informing them.
They are divided into:
The minor penalties range from 900 to 40 000 €
Serious penalties range from 40 001 a 300 000 €
Very serious penalties range from 300 001 a 600 000 €
Despite the amount of sanctions, there are many companies in Spain that have not yet adapted to it, or have done so in a partial manner or do not periodically review its adequacy; so that, maintenance and review of the adequacy carried out is essential.
In the public sector, the mentioned Law also regulates the use and management of information and files with personal data used by all public administrations.
The Spanish Agency for Data Protection (AEPD) was created in 1994 in accordance with the provisions of the repealed LORTAD. Its headquarters are located in Madrid, although the Autonomous Communities of Madrid, the Basque Country and Catalonia have created their own autonomous Agencies.
Inspection and guardianship of Rights Procedures
[edit]Spanish Agency for Data Protection (AEPD)
[edit]In 2012 complaints filed with the AEPD, increased by 12%. The activity of the Agency has grown significantly in 2012, with an increase of 15% in the files registered and almost 40% in the resolutions issued. The allegations of identity theft, especially in the supply and commercialization of energy and water (222%) and in telecommunications (92%), have experienced a substantial increase. Of the 863 infringement decisions declared to private managers, more than 34% concluded in a warning, without imposing a penalty. On the other hand, most of the sanctions affect the telecommunications sector, which represents 73% of the total. Three of the main operators accumulate 70.94% of the total amount of fines.
In 2011, reported complaints were 51.6% higher than those filed in 2010. This increase is also reflected in the increase in declaratory resolutions of infringement of 37.7%. However, the application of the figure of the warning has determined a decrease of 14.5% in the declared economic sanctions. The sector where sanctions have increased most (64%) and have been declared to a greater extent (25.5%) and amount, (63%) is that of telecommunications. The amount of sanctions has grown by 12% compared to 2010.
Year 2009
[edit]In 2009 they increased by more than 75% of the complaints received, which reached the figure of 4,136, and the number of requests for protection of rights, by 58%. 709 sanctioning procedures were resolved, of which 621 ended with sanction with a total amount of 24.8 million euros.
Source: Memory of the Spanish Agency for Data Protection (AEPD) for the years 2007, 2008, 2009.
Place | Sector of economic activity | Procedures resolved |
---|---|---|
1 | Telecommunications | 908 |
2 | Financial sector | 768 |
3 | Videovigilance | 721 |
Place | Sector of economic activity | Procedures resolved |
---|---|---|
1 | Telecommunications | 170 |
2 | Videovigilance | 117 |
3 | Financial sector | 89 |
5 | Electronic communications and spam | 39 |
Place | Type of sanction | Percentage |
---|---|---|
1 | Serious | 74% |
2 | Minor | 21,3% |
3 | Very Serious | 4,6% |
Year 2008
[edit]In 2008 the number of facts reported to the AEPD (together with officio investigations initiated) increased by more than 45%, reaching the value of 2362. AEPD resolved in 2008 a total of 630 sanctioning procedures, almost 58% more than in 2007, of which 535 culminated with the imposition of sanctions. The fines imposed amounted to 22.6 million euros, representing an increase of 15% over the previous year.
The number of procedures solved of declarations of infraction committed by the public administrations rose in 2008 almost 20% with respect to the previous year, going from 66 to 79, of which 59 ended with a declaration of infraction.
Year 2007
[edit]In 2007 the Spanish Agency for Data Protection resolved 399 sanctioning procedures, increasing by 32.5% with respect to the previous year. The economic sanctions imposed by the AEPD amounted to 19 600 000 euros.
Autonomous data protection agencies
[edit]Year 2007
[edit]The Data Protection Agency of the Community of Madrid carried out 196 inspection procedures and 32 procedures for the protection of rights in 2007.
The Basque Data Protection Agency-Datuak Babesteko Euskal Bulegoa (AVDP-DBEB), resolved 43 complaints and 18 infringement procedures in 2007.[4]
Ibero-American Data Protection Network
[edit]The Ibero-American Data Protection Network (RIPD), since its creation in 2003, has developed an intense and fruitful work, such as the organization of ten meetings. In addition to contributing to that more than 150 million Latin American citizens currently have, along with the traditional protection of habeas data, rules that allow to effectively guarantee the use of their personal information and specialized authorities with powers to protect said guarantee.
In Latin America policies are being developed for the protection of personal data. In 2012 two new laws were approved. In Nicaragua, Law No. 787 of Protection of Personal Data, of March 29, 2012 and Statutory Law No. 1581 of October 17, 2012, by which general provisions for the Protection of Personal Data are issued.
In Chile, also Law 19.628, of August 28, 1999, on Protection of Private Life, is currently in the process of reviewing part of its articles.
The National Assembly of Venezuela is processing the bill for the Protection of Personal Data of Habeas Data. And in Costa Rica there is already a Data Protection Agency of the Republic of Costa Rica, in compliance with the law approved in 2011.
Information Duty
[edit]Personal data are classified according to their greater or lesser degree of sensitivity, being the legal requirements and computer security measures more stringent in terms of this greater degree of sensitivity, being mandatory on the other hand, in any case the declaration of the data protection files to the "Spanish Agency for Data Protection".
Interested parties to which personal data are requested must be previously informed in an express, precise and unambiguous way:
1. The existence of a file or treatment of personal data, the purpose of the collection of these and the recipients of the information.
2. Of the obligatory or optional character of his answer to the questions that are posed to them.
3. The consequences of obtaining the data or the refusal to supply them.
4. Of the possibility of exercising rights of access, rectification, cancellation and opposition.
5. The identity and address of the person responsible for the treatment or, if applicable, his representative.
However, the processing of personal data without having been collected directly from the affected party or interested party is permitted, although it is not exempted from the obligation to report expressly, accurately and unequivocally, by the person responsible for the file or its representative, within of the three months following the start of data processing.
Exception: Communication in three months of such information will not be necessary if the data has been collected from "sources accessible to the public",[5] and are intended for advertising or commercial prospecting, in this case "in each communication addressed to the interested party, he will be informed of the origin of the data and the identity of the person responsible for the treatment, as well as the rights that assist him".
- Model clause
This could be a model clause of information / consent of rights protected by the LOPD:
In compliance with the Organic Law 15/1999, of December 13, Protection of Personal Data (LOPD), (replace by the name of the person responsible for the file), as the person in charge of the file, reports the following considerations:
The personal data that we request, will be incorporated into a file whose purpose is (describe the purpose). The fields marked with an asterisk (or any other signal) are mandatory, being impossible to realize the expressed purpose if you do not provide this information.
You are also informed of the possibility of exercising the rights of access, rectification, cancellation and opposition, of your personal data in (substitute the address to exercise the rights).
- Data whose treatment is prohibited
- Those relating to "criminal or administrative infractions".
- Exception: They can only be included in files of the competent public administrations.
Consent
[edit]Types of consent
[edit]A) Unmistakable consent
The treatment of personal data will require the unambiguous consent of the affected party, unless the law provides otherwise.
B) Tacit Consent
This will be the normal form of consent in cases where an express or express consent is not required in writing.
C) Express consent
Personal data referring to racial origin, health and sexual life may only be collected, processed and assigned when, for reasons of general interest, it is provided by a law or the person expressly consents.
D) Express and written consent
Express consent is required in writing from the affected party regarding data related to ideology, union affiliation, religion and beliefs and may only be transferred with express consent.[6]
Data communication
[edit]They have responsibility in the communication and treatment of data not only the legal persons (companies) but also freelancers, freelancers, associations, collectives and people who own a blog (bloggers) through from which data from third parties are collected to make queries and for any other transaction.[7]
The personal data object of the treatment can only be communicated to a third party for the fulfillment of purposes directly related to the legitimate functions of the transferor and the transferee with the prior consent of the interested party.
The consent required in the previous section will not be precise:
- When the assignment is authorized by law.
- In the case of data collected from sources accessible to the public.
- When the treatment responds to the free and legitimate acceptance of a legal relationship whose development, compliance and control necessarily implies the connection of said treatment with third-party files. In this case the communication will only be legitimate as long as it is limited to the purpose that justifies it.
- When the communication to be made is addressed to the Ombudsman, the Public Prosecutor or the Judges or Courts or the Court of Accounts, in the exercise of the functions assigned to it. Neither will consent be required when the communication is addressed to autonomous institutions with analogous functions to the Ombudsman or the Court of Auditors.
- When the transfer occurs between Public Administrations and has as its objective the subsequent processing of the data for historical, statistical or scientific purposes.
- When the transfer of personal data related to health is necessary to solve an emergency that requires access to a file or to perform epidemiological studies in the terms established in the legislation on state or regional health.
The consent for the communication of personal data to a third party will be void when the information provided to the interested party does not allow him to know the purpose to which the data will be destined whose communication is authorized or the type of activity of the person to whom it is sent. They intend to communicate.
The consent for the communication of personal data also has a revocable nature.
The one to whom the personal data are communicated is obliged, by the mere fact of the communication, to observe the provisions of this Law.
If the communication is made prior to the dissociation procedure, the provisions of the previous sections will not apply.
Access to the data by third parties
[edit]- The access of a third party to the data will not be considered as data communication when said access is necessary for the provision of a service to the data controller.
- The performance of treatments on behalf of third parties must be regulated in a contract that must be recorded in writing or in some other form that allows proof of its conclusion and content, establishing expressly that the processor will only process the data according to the instructions of the person in charge of the treatment, which will not apply them or use them for purposes other than those stated in said contract, nor will they communicate them, even for their preservation, to other persons.
The contract will stipulate, in addition, the security measures to which refers to article 9 of this Law that the person in charge of the treatment is obliged to implement. - Once the contractual provision has been fulfilled, the personal data must be destroyed or returned to the data controller, as well as any support or documents that contain any personal data object of the treatment.
- In the event that the person in charge of the treatment allocates the data for another purpose, communicates them or uses them in breach of the stipulations of the contract, it will also be considered responsible for the treatment, responding to the infractions that would have been incurred personally.
Criticisms and main problems
[edit]Certain aspects of the law were declared unconstitutional in November 2000 and deleted from the current text.
It is considered that the increase in the creation of files and processing of personal data affects the right to protection of citizens' data; This concern was picked up by the European bodies that even ordered that January 28 be held annually on "European Data Protection Day". The celebration dates back to 2006, when the Committee of Ministers of the Council of Europe established the annual celebration of the Data Protection Day in Europe on January 28, commemorating the anniversary of the signing of Convention 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data.
A very strict compliance with the regulation on data protection could slow down the normal work of a File Manager for the documentary accreditation of the information and consent principles of the LOPD; also in the opposite direction, a mere fulfillment of formal obligations, would leave the law senseless and the citizens unprotected and go against the "spirit" of the LOPD.
The possibility that companies can collect data without the consent of the affected has been criticized.
Certain resolutions of the AEPD[8] have been reason for controversy:
- In October 2008, the Spanish Agency for Data Protection sanctioned the Popular Party (PP), then in opposition, with a fine of 60 101.21 euros for a serious infringement of the Organic Law of Protection of Personal Data consisting of the inclusion, without their consent, of four O Grove neighbors as "false volunteers" of the election lists of Basque Country of May 2007.[9][10]
- The possibility offered by some websites to "send a friend" certain information, or "recommend this page to a friend" have also been sanctioned in strict application of the LOPD[11][12]
- La AEPD también resolvió que los datos relativos a los abortos practicados eran confidenciales, a raíz de la denuncias criminales interpuestas contra varias clínicas por presuntos abortos irregulares[13]
- The AEPD also resolved that the data regarding the abortions practiced were confidential, as a result of the criminal complaints filed against several clinics for alleged irregular abortions[14]
- In 2008, a judgment of the Supreme Court declared that the "baptismal books" of the Catholic Church are not "data files", disavowing a resolution of October 20, 2006 issued by the Spanish Agency for the Protection of Data; the agency had given the reason to an apostate who requested that, through the Agency, his inscription in the Baptism Book be canceled.[15]
- Due to breaches of data protection legislation, several insurers and health centers have been sanctioned, since they exchanged medical information about patients without their express consent. However, they are subject to reduced sanctions for not being assessed "intentionality in the commission of the offense"[16][17]
- AEPD sanctioned a company after a hacker attempted to blackmail it by finding a hole in its security and later denounced it[18]
- The LOPD continues to have gaps and social agents have requested certain reforms. In August 2008, Bernat Soria, Socialist Minister of Health and Consumer Affairs stated that action would be taken to create a law against companies that were making commercial calls not consented to homes, usually at meal times, which was a behavior popularly known as "telephone spam".[19][20]
See also
[edit]- Fundamental rights in the personal sphere
- Privacy
- Internet security
- Spam
- European Data Protection Supervisor
References
[edit]- ^ "Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales" (in Spanish). Retrieved 2018-12-09.
- ^ "Spanish Agency for Data Protection". Archived from the original on 2009-12-10. Retrieved 2018-01-16.
- ^ List of companies sanctioned in 2009 Archived 2009-12-08 at the Wayback Machine List of companies that are being sanctioned during the year 2009, indicating the amount imposed and the date. It also reflects the "Top 3" of the most sanctioned companies during this period, total amount in euros of all sanctions and other statistical information
- ^ "Report of the basque agency 2007". Archived from the original on 2008-12-15. Retrieved 2018-01-16.
- ^ defined as those "files whose consultation can be carried out, by any person, not prevented by a rule limitative or without further requirement that, where appropriate, the payment of a consideration "and" are considered as sources of public access, exclusively, the promotional census, telephone directories (...) and lists of persons belonging to groups of professionals (...) Also, the newspapers and official bulletins and the media have the character of public access sources ". "In each communication addressed to the interested party will be informed of the origin of the data and the identity of the person responsible for the treatment, as well as the rights that assist".
- ^ «The files kept by political parties, trade unions, churches are excepted, confessions or religious communities and associations, foundations and other non-profit entities, whose purpose is political, philosophical, religious or union, in terms of data relating to its members or members (... and) for the prevention or for the medical diagnosis, the provision of health care or medical treatment or the management of health services (... and) to safeguard the vital interest of the affected person or of another person, in the event that the affected person is physically or legally incapable of giving your consent. »
- ^ "LOPD and LSSI for SMEs, freelancers, associations and blogs".
- ^ "Some resolutions of the AEPD on its website". Archived from the original on 2009-12-10. Retrieved 2018-01-16.
- ^ Data Protection fine to the PP for the 'voluntary volunteers' of the Basque lists
- ^ Data Protection fine to the PP for the "false volunteers" from the Basque lists
- ^ Beware of sending data "to a friend! Protection of Data considers that it is punishable "Recommend this page to a friend." If on your website this self-promotion formula appears, know that this option has the days counted, if you do not want to receive a fine. Data this practice violates the Law of Services of the Information Society and Electronic Commerce (LSSI), which does not foresee that you can send any mail with advertising or promotional content, if it is reflected in a Resolution of the Agency, of February 20 of 2008, in which a webpage is fined for offering the internaut The ease of sending an informative message to the email address of a family member or friend inviting the recipient to register.
- ^ The Agency of data protection against "send to a friend" Stone remains one before the sanction of the Data Protection Agency to a website with the option of "send to a friend", that mechanism which many try to get their most convinced users invite their friends and family. The information is given, among others, The economist and on the website of the Data Protection Agency you can access the resolution (in PDF format).
- ^ «La Agencia de Protección de Datos exige respetar la confidencialidad en los abortos.» La polémica en torno al aborto se desató a principios de este año. Las clínicas abortistas organizaron una huelga para protestar por las presiones recibidas por sus profesionales y por las investigaciones iniciadas en varios centros de Madrid y Barcelona por presuntos abortos irregulares... Por último, el documento establece que el acceso por parte de los órganos de inspección sanitaria será permitido cuando su finalidad sea la "comprobación de la calidad de la asistencia, el respeto de los derechos del paciente o cualquier otra obligación del centro en relación con los pacientes y usuarios o la propia Administración sanitaria".
- ^ «The Data Protection Agency demands to respect the confidentiality in abortions.» The controversy about abortion was unleashed earlier this year. The abortion clinics organized a strike to protest the pressure received by their professionals and the investigations initiated in several centers in Madrid and Barcelona for alleged irregular abortions ... Finally, the document states that access by inspection bodies sanitary will be allowed when its purpose is "checking the quality of care, respect for the rights of the patient or any other obligation of the center in relation to patients and users or the health administration itself."
- ^ «The Agency for Data Protection and apostasy.» «Data Protection paralyzes the processing of apostasy requests. Frenazo for the more than half a thousand requests for apostasy that were to be resolved in the Spanish Agency for Data Protection (AEPD), and all those that may continue to arrive: The director of the AEPD, Artemi Rallo, announced yesterday that all these requests for cancellation of data in the baptismal books are suspended until new judicial decisions confirm or move away from the judgment of the Supreme Court last September, which, for the first time, exempted the ecclesiastical hierarchy from making a note of apostasy in the baptismal books. »(It has the sentence of the TS in PDF format)
- ^ [Data Protection, new fine to a health entity] That is why the AEPD imposes a fine of 60.101,27 euros for a very serious infraction, and another for the same amount and causes the plaintiff's doctor. Very serious faults are usually punishable by fines between 300 506and601 012 euros. In this case, the agency recognizes mitigating factors such as' there was no intentionality in the commission of the infringement, there is no recidivism, and the report was requested to avoid harm to the company, since the complainant had said that she was not suffering from venous insufficiency varicose veins when he had it. ' National Court.
- ^ CURRENT PROBLEMATIC REGARDING THE PROTECTION OF PERSONAL DATA IN THE HEALTH SECTOR Is health data considered the result of "fit" or "not apt" of a worker when it is submitted to the annual medical examination of the company? Is a simple medical prescription with the name of a medicine a health fact, even if the specific disease is not reflected? Are the measurements of a person, such as the size of the foot, or for example the color of the eyes, considered health data? ...
- ^ "Data Protection fines Telefónica with 60,000 euros." The agency considered the high level of computer knowledge of the complainant proved, as well as its lucrative spirit, which "bordered on the criminal offense and notoriety of a" pirate ", according to the content of the resolution, its opinion is supported by article 9 of the Organic Law of Protection of Personal Data that establishes the principle of" data security ", imposing the obligation to adopt the measures of technical and organizational nature that guarantee their security, with the purpose of avoiding the unauthorized access In any case, the fine imposed by the regulatory agency is of "minimum amount" because it maintains that there was no intention nalidad by Telefonica. However, the company has announced its intention to file an appeal against this resolution.
- ^ "Receive unsolicited advertising calls, within the limits of the legislation."
- ^ «Fence to the 'junk calls'. The Government wants to end the unsolicited calls, with the annoying and increasingly frequent telephone spam, with ringing at the time of nap to the fixed or to the mobile to offer a change of operator, a new credit or an offer of connection to Int ernet, often produced from "private numbers" or "unknown" or local locutions or from abroad, which makes it impossible for the consumer to report it. The Ministry of Health and Consumer Affairs in collaboration with the Ministry of Justice, Economy and Industry are working on a preliminary bill to transpose a European directive that considers this practice illegal. The Government expects to enter into force before the end of the year ... "Many are also produced at the time of siesta or at night, which makes them even more annoying," adds the head of Health and Consumption. Until now these practices were not regulated in a specific way. There is a law (of 2002) that prohibits unwanted email. ( El País , August 2008).
Bibliography
[edit]Translation of :"LOPD in Spanish"
External links
[edit]- Organic Law 5/1992, of October 29, on Regulation of the automated processing of personal data (LORTAD)
- Organic Law 15/1999, of December 13, Protection of Personal Data (LOPD)
- Royal Decree 1720/2007, of December 21, by which the Regulation of development of the Organic Law 15/1999, of December 13, of protection of personal data is approved (RLOPD)
- OECD Guide on privacy and international data transfers (English)
- Introduction to LOPD
- Link of the Spanish Agency for Data Protection for File Registration
- Association of Data Protection Companies
- Protection of Personal Data in Spain
- Latin American Journal of Protection of Personal Data