As we have been reporting, both in previous news items and in various communications sent in recent weeks, the European Data Protection Regulation (GDPR) came into force on May 25th. It is directly applicable in the member states of the Union and replaced the Organic Law on Data Protection, at least partially, since the Regulation left the states the capacity to regulate certain areas.
One of these areas is the sanctioning procedure applicable to breaches of the new regulations. Although the Regulation provides for (quite substantial) economic sanctions, it left it to the respective Member States to develop them. This is precisely what the Government has done: on July 27th it approved Royal Decree Law 5/2018, on urgent measures for the adaptation of Spanish law to European Union regulations on data protection, which regulates the sanctioning procedure and will be applicable until the new regulations are approved at national level.
Data Protection. Sanctioning Regime
The Royal Decree Law, which refers to the Regulation for the classification of infringements, includes the sanctioning regime of said Regulation. The most important points it regulates are:
- Parties subject to the system of penalties: data controllers and data processors and their representatives not established in the territory of the European Union.
- Limitation periods.
  - A limitation period of two years is established for less serious infringements.
  - Three years for more serious infringements.
- As for penalties:
  - Those with an amount equal to or less than 40,000€ are statute-barred after one year.
  - Those of between 40,001€ and 300,000€ are statute-barred after two years.
  - And finally, those of more than 300,000€ are statute-barred after three years.
- The sanctioning procedure, which distinguishes between procedures that refer to the rights of the interested parties and those concerning infringements of the Regulation itself.
  - The Spanish Data Protection Agency, prior to admitting the complaint for processing, may send it to the Data Protection Officer (if appointed), to the data controller and to the person in charge, as the case may be, so that they may make allegations within one month.
  - Once the complaint has been accepted for processing, the Agency shall open an investigation, after which the sanctioning procedure shall be initiated for the alleged infringements committed and shall be communicated to the entity or entities responsible for them. The maximum duration of the procedure will be 9 months from the date of the agreement to initiate the file.
  - It also regulates the personnel competent to carry out the investigative work and the way in which it is carried out.
- Finally, since the Regulation provides for the cooperation of the various supervisory authorities in cross-border proceedings, the Royal Decree Law regulates the suspension or interruption of limitation periods, while the authorities of other countries review the proceedings.
Conclusion
Therefore, complete legislation is already in force. It only remains for all the regulated entities to comply with this new regulation in order to avoid the large fines that both the Regulation and this new Royal Decree Law contemplate.
Arrabe Integra
Legal Consulting Department