Apart from adapting Spanish legislation to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR), the new Organic Law 3/2018 of 5 December on the Protection of Data and Guarantee of Digital Rights (LOPDGDD) completes its provisions and enshrines the important new area of “guaranteeing the digital rights of citizens in accordance with the mandate set forth in Article 18.4 of the Constitution” (Art. 1.b).
The main aspects of the new law are highlighted below:
- It completes certain unspecified elements of the GDPR, such as that regarding data relating to the deceased, enabling those persons related to the deceased – relatives or de facto relationships – or their heirs to request access to said data and to its rectification or erasure, where applicable, subject to the instructions of the deceased.
- It sets the valid minimum age of consent at 14 years.
- It simplifies the manner in which the obligation of providing information set forth in the GDPR is fulfilled by accepting an information system by layers. The data subject is provided with a basic level of information in a first layer, presented in summarised format, and this information is provided in further detail and completed in a second layer.
- It includes clarifications regarding the method of exercising the rights of access, rectification, erasure, restricted processing, portability and objection set forth in the GDPR.
- Presumption of lawfulness in certain processing:
  - Contact details, individual entrepreneurs and liberal professionals: legitimate interest is presumed pursuant to Article 6.1.f), subject to certain requirements being met.
  - Credit information systems.
  - Mergers and acquisitions.
- In the cases of video surveillance, advertising exclusion systems or internal complaint systems, the lawfulness of processing lies in the existence of public interest, under the terms of Article 6.1.e) of the GDPR.
- The duties of the Data Protection Officer (DPO) are increased. It must be noted that the data protection officer provides a channel for the amicable resolution of claims, as the data subject may complain to him or her when not attended to by the controller or processor.
- It regulates extremely relevant issues for company human resource teams that were not regulated by the legislator to date: the use of digital devices in the workplace, video surveillance and sound recording in the workplace, the use of GPS tracking systems in the workplace, the new right to digital disconnection in the workplace and digital rights in collective negotiations.
- It regulates the procedure in the event of a breach of the data protection regulation.
- It improves the sanctioning procedure and describes typical conduct, distinguishing between very serious, serious and minor breaches, taking into account the differentiation that the GDPR establishes when setting the amount of the penalties. The classification of the breaches is introduced solely to determine the statute of limitations, with the description of typical conduct merely listing certain punishable activities as examples, which must be considered included in the general types established in European law.
- Finally, it acknowledges and guarantees a set of digital rights to citizens, in accordance with the mandate set forth in the Constitution. More specifically, these include the rights and freedoms arising from the internet environment, such as net neutrality and universal access, or the rights to security and digital education, as well as the rights to be forgotten, to portability and to a virtual will. Also relevant is the acknowledgement of the right to digital disconnection in terms of the right to privacy in the use of digital devices in the workplace and the protection of minors on the internet. The guarantee of freedom of speech and the right to the clarification of information in the digital media must also be noted.
- The necessary amendments are also made to Civil Procedure Law 1/2000 of 7 January and to Law 29/1998 of 13 July on Administrative Disputes, Organic Law 6/1985 of 1 July, Law 19/2013 of 9 December on transparency, access to public information and good governance, Organic Law 5/1985 of 19 June on the General Electoral System, General Health Law 14/1986 of 25 April, Law 41/2002 of 14 November providing basic regulations for patient autonomy and rights and obligations regarding medical information and documentation, and Law 39/2015 of 1 October on the Common Administrative Procedure of the Public Authorities. In relation to the guarantee of digital rights, amendments are also made to Organic Law 2/2006 of 3 May on Education, Organic Law 6/2001 of 21 December on Universities, and the Consolidated Text of the Workers’ Statute Law and the Consolidated Text of the Basic Statute Law for Public Employees.
As can be seen, the new LOPDGDD contains many different aspects that are of interest to citizens and to the organisations within its scope, which are almost all of them. This article concisely highlights the main aspects of the new Law and future articles will expand on specific aspects of the regulation.
AddVANTE remains at your disposal for any queries you may have regarding the adaptation process to the new regulatory framework on data protection.