The Organic Law on Data Protection and Guarantee of Digital Rights enters into force in Spain

Written on 19 Dec 2018

On 7 December, the Organic Law 3/2018 of 5 November, on data protection and guarantee of digital rights entered into force. This law adapts the General Data Protection Regulation, applicable from 25 May 2018, to our legal system, and introduces and guarantees a new set of digital rights to the public, in accordance with the mandate contained in the Spanish Constitution.

After passing through the Senate, where 32 amendments were submitted and rejected in the plenary vote, the Organic Law on the protection of personal data and digital rights (known in Spanish as "LOPDGDD") was finally approved on 6 December repealing Organic Law 15/1999, of 13 December, on the protection of personal data and its regulation of development.

Among the novelties introduced by the LOPDGDD that provide legal security with respect to certain aspects contained in articles of the General Data Protection Regulation ("GDPR"), the following are noteworthy:

  • The legislation includes a specific regulation regarding the processing of the deceased's personal data. It sets out that heirs may be able to request the access, modification or erasure of the deceased's personal data, unless the person who has died has left instructions stating otherwise.
  • Regarding the processing of an underage subject's data, which requires his/her consent and using a provision included in the GDPR that allows EU Member States to establish lower ages, it has been determined that the minimum age to consent to the use of personal data is 14 years.
  • Concerning the rights of the data subjects, the new regulation recognizes that the layered information system that was already recommended by the Spanish Data Protection Agency (known in Spanish as "AEPD") has now acquired regulatory status and specifies the necessary information that must always be provided to the data subject.
  • In addition, the new regulation specifically states that certain processing of personal data may have its legal base on a legitimate interest unless otherwise proven. Such is the case of the contact details, which were the object of prior debate or data for surveillance purposes if the images are recorded in order to preserve security of the data subjects.
  • Anonymity is allowed when submitting an internal complaint regarding entities in the private sector but access to any personal data stored in these systems is limited to those who develop tasks related to internal control and compliance. This personal data may be legally accessed when required in order to implement disciplinary measures or begin judicial proceedings.
  • Regarding the data protection officer, the new legislation introduces accuracy to some aspects of this role that had not been considered in the GDPR, such as the deadlines to notify the AEPD (10 working days as of the appointment being made), how to prove his/her expertise, his/her position within the organization, as well as his/her role when submitting claims before the AEPD. Additionally, there is an updated list of the entities that must appoint a data protection officer.
  • In terms of international data transfers, the new legislation develops channels through which the AEPD and the competent autonomous supervisory authority may approve contractual models or binding corporate rules, as well as authorization rules related to a specific transfer and assumptions subject to the prior information to the competent data protection authority.
  • With regard to the procedure that needs to be followed if the data protection regulation is breached, the law details, among other things, how to begin the procedure (which will vary depending on whether an individual claims there is a lack of interest in the exercise of his/her data protection rights, or the existence of a data protection infringement), the duration of the process (which will not exceed 9 months), the criteria that the competent agency must follow concerning the submission of claims, as well as any preliminary proceedings (which, under no circumstance, may exceed 12 months).
  • Additionally, the new LOPDGDD introduces the penalty regime, which had already been included in Royal Decree 5/2018, of 27 July, on urgent measures to adapt the Spanish law to EU regulations on data protection, which has now been repealed. Among other aspects, the law classifies the data protection infringements as minor, serious or very serious, and specifies the statutes of limitations, that is 1, 2 and 3 years, respectively. Regarding the sanctions amount, the new regulation refers to the provisions set out in the GDPR.

Notwithstanding the importance of the concretions made by the LOPDGDD regarding the aspects already regulated in the GDPR, the great novelty of the LOPDGDD lies in the recognition of a series of digital rights of citizens in accordance with the mandate established in article 18.4 of the Constitution. Although the number of existing rights is greater, we highlight the following due to its importance and novelty:

  • Right to rectify data on the Internet and to update any information in digital media: obliges those responsible for social networks as well as for any similar services to adopt protocols to enable the user to exercise their right to rectification. Likewise, this right ensures that anyone will have the right to request an information update from a digital platform, when the information does not reflect his or her current situation.
  • Right to privacy and use of digital devices in the workplace: in line with the jurisprudential criteria adopted in our country, the workers' right to privacy is recognized with respect to the digital devices provided by the employer to develop their work activity. Entities will not only have to implement the criteria for the use of these devices, but they will also have to prepare this criteria together with the workers' representatives (if any). In this regard, the LOPDGDD indicates that employees must always be informed of this aspect.
  • Right to digital disconnection in the work environment: employees either working in public or private sectors have the right to respect their rest time, leave and holiday, as well as their private and family time as it is necessary to guarantee that outside their work time they are disconnected. To this end, employers must prepare a policy specifying in what ways they will implement this right. As well as in the right to privacy and use of digital devices in the workplace, workers' representatives must be involved in preparing the policy.
  • Right to a digital will: although it may seem that the introduction of this right is a new way of accessing someone's assets after their death, the digital will regulates the legitimacy that a number of subjects, which are specified in the regulation (such as heirs, relatives or any person related to the deceased) to decide whether or not to keep any profile that the deceased may have created in social networks or similar platforms.

In conclusion, the LOPDGDD has gone a step further and has not limited itself to specifying or restricting the provisions of the GDPR (as regulated in recital 8) but has incorporated a series of digital rights to citizens, which a priori covers the needs favoured by the rapid evolution of new technologies, but on which it will be necessary to analyse whether its practical application reflects the reality and needs of the public in relation to said matters, and the impact that they might have on information society and internet services providers, as these are also the main parties affected by the introduction of these new rights.