Glossary
Data protection
The purpose of the LOPD is to guarantee and protect, with regard to the processing of personal data, the public freedoms and fundamental rights of natural persons, and especially their honor and their personal and family privacy.
Any numerical, alphabetical, graphic, photographic, acoustic or any other type of information concerning identified or identifiable natural persons.
Any organized set of personal data that allows access to the data, whatever the form or manner of its creation, storage, organization and access (for example, computerized or manual files).
Any operation or technical procedure, whether automated or not, that allows the collection, recording, conservation, elaboration, modification, consultation, use, cancellation, blocking or suppression of data, as well as the transfers of data resulting from communications, consultations, interconnections and transfers.
The natural person who owns the data being processed: the customer, employee, supplier, job candidate, patient, etc., whose data the company processes. This person is the true owner of the information collected in the files.
The natural or legal person, of a public or private nature, or administrative body, who decides on the purpose, content and use of the processing. In other words, the company itself is responsible for the files containing data relating to its employees, suppliers, customers, etc.
The relationship between the data controller and the data processor must be formalized through a written contract.
Any person or entity that provides a service involving the processing of personal data on behalf of the data controller, including, among others, accounting firms, labor consultancies, marketing companies, etc.
The person who handles the data collected in a file at different stages of a processing operation, either by means of specific tools (e.g. computer applications) or by accessing them in paper files.
Any person, company or entity, whether public or private, that in the exercise of its activity has to use personal data (e.g. data of customers, suppliers, employees, patients, students, etc.) is obliged to comply with the LOPD.
Security levels
Basic level
Personal data: DNI/NIF; Social Security/Mutuality number; name and surname; address and telephone number; signature/fingerprint; image/voice; academic and professional data; health data referring exclusively to the degree or condition of disability.
Medium level
Data related to the commission of administrative or criminal infractions.
Provision of solvency and credit services.
Data related to financial services, public finance, economic data, etc.
Data from mutual insurance companies for accidents at work and illnesses, Social Security professionals, etc.
High level
Data concerning ideology, trade union membership, religion, beliefs, racial origin, health or sex life.
Data collected for law enforcement purposes, without the consent of the persons concerned.
Derived from acts of gender violence.
Files for which operators who provide publicly available electronic communications services or operate electronic communications networks are responsible.
Creation, modification or deletion of public files
Publicly-owned files must be created, modified or deleted by means of a general provision published in the BOE or the corresponding Official Gazette. This provision or agreement must be issued and published before the file is created, modified or deleted, and must state:
Basic file structure
Planned data communications
International transfers
Bodies responsible for the file
Required security levels
Identification of the file or processing
Data origin
Agency notifications
The NOTA system is the means by which those responsible for files containing personal data, whether privately or publicly owned, comply with the obligation to notify their files to the Spanish Data Protection Agency.
The interactive NOTA form, in PDF format, allows notifications to be submitted over the Internet (with or without an electronic signature certificate), on paper, or in XML format.
Online (telematic) submission
With the electronic certificate
(Presentation through the Internet with a recognized signature certificate).
Without electronic certificate
(Through the Internet without a recognized electronic signature certificate).
In paper format
Simplified notifications
In XML format
With the electronic certificate
Without electronic certificate
What is XML format?
This format is intended for data controllers who want to meet their obligations from their own computer applications, and for developers of data protection software who want to offer their clients the possibility of notifying their files.
Who is obliged to notify the creation, modification or deletion of files to the General Data Protection Registry (RGPD)?
All natural or legal persons, of a public or private nature, or administrative bodies, who create files containing personal data.
What happens if the existence of a file is not notified?
In this case, the controller may be committing a minor or serious infringement, as set out in article 44 of Organic Law 15/1999, and is subject to the sanctioning regime provided in that Law.
Which operations on a file must be notified to the RGPD?
You must notify the AGPD when you create a file or begin a new data processing operation, and whenever a change affects the content of the entry made in the RGPD. You must also notify the AGPD when the controller deletes the file, so that the registration can be cancelled.
The Spanish Data Protection Agency
It is a public law entity with its own legal personality and full public and private capacity that acts independently of the public administration in the exercise of its functions. It ensures compliance with data protection legislation by those responsible for files (public entities, private companies, associations, etc.).
In relation to those affected
Helping citizens to exercise their rights
Attends to requests and complaints
Ensures that the existence of the files is publicized.
In relation to those who process data
It helps data controllers and data processors to comply with the obligations established by the LOPD and to solve their doubts.
Guarantees the right to data protection by investigating actions by data controllers or data processors that may be contrary to the LOPD, either ex officio or following a complaint by an individual.
Imposes the corresponding sanctions.
In the development of standards
It reports on the content, principles and guarantees of the fundamental right to data protection regulated by the LOPD.
It issues the instructions needed to adapt processing to the LOPD, as well as instructions on the security conditions of files kept for statistical purposes.
In telecommunications
Protects the rights and guarantees of subscribers and users in the field of electronic communications.
Other functions
Ensuring the publicity of processing operations.
International Cooperation
Representation and observance of the provisions of the Law Regulating the Public Statistical Function.
Types of files
In order to collect personal data from our customers, suppliers or any other person, we need to obtain the consent of the person concerned.
An organized set of personal data that allows access to information relating to a specific natural person using automated search procedures, i.e., those in which the information is stored on computer media.
File whose physical support allows direct reading and writing, without the need to use an intermediary electronic device. This includes data contained on paper or other printable material.
Those for which individuals, companies or private law entities are responsible, regardless of who provides the capital or economic resources.
Those for which the constitutional bodies or bodies with constitutional relevance of the State, the autonomous institutions with analogous functions, the territorial public administrations, or public law corporations (as long as their purpose is the exercise of public law powers) are responsible.
Work files created by users or processes that are needed for occasional processing, or as an intermediate step in the course of processing. Once they have been used they must be deleted or destroyed.
Domestic and gender violence file. Purpose
Improve the effectiveness of protection for victims of gender-based violence.
To facilitate the monitoring of the risk circumstances that may affect them and to warn of changes in those circumstances.
Personal data from the patient’s medical history
Healthcare facilities are required to keep clinical documentation for 5 years.
The management and administration staff of healthcare facilities may only access the data in the medical record that relate to their own functions. These personnel are subject to the duty of secrecy.
All professionals involved in the care activity are obliged to comply with the duties of information and clinical documentation, and to respect the decisions freely and voluntarily made by the patient.
Patients have the right to know all the information available on their clinical history and to have it kept confidential, and even to refuse the processing of their data, except in the cases established by law. Any action in the field of a patient’s health requires the free and voluntary consent of the person concerned.
Infringements and penalties under the LOPD
These are minor infractions:
a) Failure to send to the Spanish Data Protection Agency the notifications provided for in this Law or in its implementing provisions.
b) Failure to request the registration of the personal data file in the General Data Protection Registry.
c) Failure to comply with the duty to inform the data subject about the processing of his or her personal data when the data is collected from the data subject.
d) The transmission of data to a data processor without complying with the formal duties established in Article 12 of this Law.
Fine: between 900 and 40,000 euros
Limitation period for the infraction: 1 year
Limitation period for the sanction: 1 year
These are serious infractions:
a) Creating publicly-owned files, or beginning to collect personal data for them, without the authorization of a general provision published in the "Official State Gazette" or the corresponding official journal.
b) To process personal data without obtaining the consent of the affected persons, when such consent is necessary in accordance with the provisions of this Law and its implementing provisions.
c) Processing personal data or subsequently using them in violation of the principles and guarantees set forth in Article 4 of this Law and the provisions that develop it, except when it constitutes a very serious infringement.
d) Violation of the duty of secrecy regarding the processing of personal data referred to in Article 10 of this Law.
Fine: between 40,001 and 300,000 euros
Limitation period for the infraction: 2 years
Limitation period for the sanction: 2 years
These are very serious infractions:
a) The collection of data in a misleading or fraudulent manner.
b) Processing or transferring the personal data referred to in sections 2, 3 and 5 of Article 7 of this Law, except in the cases authorized by this Law, or violating the prohibition contained in section 4 of Article 7.
c) Not ceasing the unlawful processing of personal data when previously requested to do so by the Director of the Spanish Data Protection Agency.
d) The transfer of personal data to countries that do not provide a comparable level of protection without the authorization of the Director of the Spanish Data Protection Agency, except in those cases in which, in accordance with this Law and its implementing provisions, such authorization is not necessary.
Fine: between 300,000 and 600,000 euros
Limitation period for the infraction: 3 years
Limitation period for the sanction: 3 years
The security document
The security document is a private but publicly accessible document that sets out the security policies to be followed by those who process data; that is, it contains the technical and organizational measures that are mandatory for all personnel with access to the data.
Required security measures, standards, procedures and rules
Some of the most important measures that must be reflected in the security document:
Identification and authentication.
Access control.
Incident log.
Management of media and documents.
Archiving criteria.
Information storage.
Backup copies.
Transfer of documentation.
Files processed outside the company’s premises.
Personnel functions and duties.
General personnel information procedure
The security document must describe the procedure by which each person with access to the data is informed of the rules they must comply with and the consequences of not doing so, e.g. circulars, reminders, new rules, etc. (Internal Circular…).
Functions and duties of personnel
The roles and obligations of each user or user profile with access to personal data and information systems must be clearly defined.
Incident notification, management and response procedure
Specify incident notification and management procedures.
Review procedures
Specify the procedures foreseen for modifying the security document, stating which persons may or must propose changes for approval.
Consequences of non-compliance with the security document
Indicate the sanctioning regulations that apply in the event of non-compliance with the obligations and security measures established in this document.
Audit
In the case of an external audit, a contract must be signed with the party performing the audit.
It consists of verifying the security measures of RD 1720/2007.
It is mandatory for medium and high level files.
It can be performed internally or externally.
It is optional for basic level files.
It must be performed every two years.
Exceptions to access, rectification and cancellation rights
Exceptions:
Those responsible for files containing the data referred to in paragraphs 2, 3 and 4 of art. 22 LOPD may deny access, rectification or cancellation on the basis of:
The dangers that may arise for the defense of the State or public security.
The protection of the rights and freedoms of third parties.
The needs of investigations that are being carried out.
Those responsible for Public Treasury files may refuse the exercise of ARCO rights when:
It would obstruct administrative actions aimed at ensuring compliance with tax obligations.
The affected party is being inspected.
An affected party who is denied, in whole or in part, the exercise of his or her rights shall bring it to the attention of:
The Director of the AGPD.
The competent body of each Autonomous Community.
These bodies shall ascertain whether the denial is appropriate or inappropriate.
Other exceptions to the rights of data subjects are set forth in Articles 21 and 24 of the LOPD.