New Data Protection Law. Was passed in the Senate on December 6th

The New Data Protection Law, called Organic Law 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (LOPD). It was passed in the Senate by an absolute majority on December 6. It adapts Spanish legislation and develops the content of the European Data Protection Regulation (RGPD). In force since 25 May 2018.

The main contribution of this LOPD to the content of the RGPD is the regulation of the guarantees of digital rights. Putting our country as the first European reference in the regulation of this matter.

The following is a summary and highlights some key points of the new LOPD, in force since 7 December.

New Data Protection Law

Key Points

Consent to treatment. In line with the provisions of the RGPD, it is established that consent must be specific and unequivocal. In addition, it is granted for all treatment purposes. The minimum age for consent is set at 14.

Duty to provide information. A two-tier system is established whereby data subjects must be informed about the processing of their data. When the data are obtained from the data subject, the data controller may fulfil his information obligation by providing the data subject with a first layer of basic information. Indicating how the affected person can access the rest of the information, free of charge and immediately.

Preservation of data. The conservation period in the systems or internal complaint channels will be three months from the complaint.

Data blocking (preventing the processing and/or display of data). The cancellation will lead to the blocking of the data. That they will be kept only for the attention of the possible responsibilities born of the treatment, during the term of prescription of these. Therefore, the obligation is established to block the data when its deletion or rectification is necessary.

Credit information system. With reference to the processing of personal solvency data. Conditions are established to consider the processing to be lawful:

firstly, that the information is provided by the creditor
and, in addition, that the data included refer to certain debts that are due and payable. This includes the fact that the debtor has not complained about the existence of the debt.

Video-surveillance. Its lawfulness is established, even for images captured on public roads, provided that the treatment is proportional and necessary to preserve the security of the persons, goods and installations under surveillance. Images must be deleted within a maximum of one month.

Data Protection Officer (DPO)

The entities that will have to assign a DPO are established:

Professional Associations.
Educational centres.
Entities that operate networks and provide electronic communications services.
Information society service providers, when profiling service users on a large scale.
Organisational, supervisory and solvency bodies of credit institutions.
Financial credit establishments.
Insurance and reinsurance entities.
Investment services companies.
Distributors and traders of electrical energy.
Entities responsible for common files for the evaluation of capital and credit solvency.
Entities carrying out advertising and commercial prospecting activities. When they carry out treatments based on the preferences of those affected or carry out activities that involve the preparation of profiles of the same.
Health centres.
Entities whose object is to issue commercial reports that may refer to individuals.
Operators that develop the activity of the game through electronic channels.
Private security entities.
Sports Federations.
Failure to comply with this obligation will result in the corresponding sanction.

Digital Rights

Net Neutrality. Users have the right to neutrality on the Internet. Therefore, all circulating information must be treated in the same way, without discrimination on the basis of who issues or receives it.

Universal access. Universal access to the Internet should be affordable, of good quality and non-discriminatory to the population. Taking into account the specific needs of rural environments.

Right to digital security and education. Users have the right to the security of communications transmitted and received through the Internet.

Right to portability. In other words, to receive and transmit the content that users would have provided to the service providers. As well as that the providers transmit them directly to another provider designated by the user.

Right to a digital will. It regulates who can access and decide on the content managed by information society service providers, in reference to deceased persons. The persons linked to the deceased (relatives and heirs), among others, will be legitimated.

Right to digital rectification. The one that grants its holder the capacity to demand the rectification of information poured into digital media. The LOPD extends it to social networks and other digital platforms. And it establishes obligatory guidelines to include in the protocols of service providers to guarantee this right.

Right to forget. The one that grants its owner the power to require search engines to remove from the results those links with inadequate, inaccurate, not relevant, not updated or excessive information.

Sanctions

With regard to the imposition of sanctions for non-compliance, there is a difference:

The sanctioning procedure for the case of lack of attention to a request for exercise of rights by a holder.

For an infringement of the content of the RGPD.

Finally, in the case of processing of the procedure because the Data Protection Agency has received a complaint from another Member State or its supervisory authority.

Therefore, do not hesitate to contact our Legal Department, in order to assess the actions to be taken by your company in terms of compliance with data protection regulations.