On December 6, the Organic Law 3 / 2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDPGDD), which was approved by the Senate Plenary on November 21.
While General Data Protection Regulation (GDPR) does not leave the EU Member States a very wide margin of action, which is why the new Law frequently refers to said Regulation, however, it does contemplate some new provisions that we reflect in this informative post.
The Data Protection Officer
In addition to the provisions already contemplated by the General Data Protection Regulation (GDPR) in this regard, the regulation establishes a total of 16 cases in which it is mandatory that a DPO be appointed.
Thus, companies advertising that they carry out Profiling, operators who develop the activity of game via electronic channels, insurance entities, educational centers or investment services companies related to the Stock market, entities financial and certain energy companies, among others, will be affected by this forecast.
Transparency and information
Through its article 11, the LOPDPGDD converts into norm what until now have been recommendations of the Spanish Data Protection Agency and the former Working Group of Article 29 in relation to the double layer information system.
Thus, if this leveled information method is now used, the first layer must necessarily contain at least the aspects that this article 11 requires:
- The identity of the person responsible and, where applicable, his representative.
- The purpose of the treatment.
- The possibility of exercising data protection rights.
- If the data is not obtained directly from the owner, also the type of data and its source of obtaining.
Minimum age restriction
Maintains the age limit criterion in the 14 years in the Making and introduce provisions in favor of the defense of minors and their interaction with the digital sphere, such as the possible intervention of the Public Prosecutor's Office in those cases of use or dissemination of images and personal information of minors in the RRSS in the event that these represent a illegitimate interference in their fundamental rights.
Legitimate interest and public interest
Certain data processing is expressly included in respect of which it is presumed that the controller has a legitimate interest or that is carried out based on the public interest.
Regarding the first, we would find the credit information systems, the structural modification of companies or its transfer and the case of the contact details of individual entrepreneurs and professionals liberal, as long as its treatment is limited solely to the professional field in terms of its location and contact for the provision of specialized services.
For its part, in relation to the public interest, we have the video surveillance, the files of advertising exclusion or systems internal complaints.
The controversy over political parties
In its final provisions, the new LOPD contemplates the modification of the Electoral Regime Law, allowing political parties to collect and use data collected through through web pages and other publicly accessible sources, as well as guarantee the sending of electoral propaganda, even electronically, by confirming that such propaganda should not be considered commercial communication.
From a technical point of view, the implicit consideration of web pages as publicly accessible sources stands out, since until now the Internet was not considered as such.
Sanctions system
The standard specifies and grades the conduct that violates the data protection regulations into the traditional categories of (i) minor, (ii) serious and (iii) very serious, maintaining the amounts already established in the RGPD, which range from a minimum of €10.000.000 or 2% of global annual turnover and a maximum of €20.000.000 or 4% of global annual turnover.
Access to the second part of this post here
Authors: Ruth Benito y Fernando Díaz
Visit our web page: http://www.elzaburu.com/
