Complaints Channel

The Spanish Data Protection Agency has ruled on the recent Law 2/2023, of February 20, regulating the protection of people who report regulatory infractions and the fight against corruption, specifically through its Legal Report 0054/2023 in which it analyzes and interprets the provisions of article 5.1 of the aforementioned law. This article establishes the following:

“Article 5. Internal information system.

The administrative body or governing body of each entity or body bound by this law will be responsible for the implementation of the internal information system, after consultation with the legal representation of the workers, and will have the status of responsible for the processing of the data. personal data in accordance with the provisions of the regulations on the protection of personal data”

The main question that we came to ask ourselves through reading this article is that there could be two data controllers, one of them, the obligated subject and, on the other hand, the entity's own body obligated to manage the complaints. that are presented in the internal information system. Well then, The Spanish Data Protection Agency, making use of its functions and powers, has raised this doubt of legal interpretation.

The consideration of the administrative body or governing body of each entity or body as responsible for the processing of personal data is derived by the Spanish Data Protection Agency itself in its opinion on the government's draft law through its Legal Report 0020/2022 , in which the following was indicated:

“Starting with the legal position of those involved in the processing of personal data, we must start from the definition of “data controller” contained in article 4.7. of the GDPR. Consequently, by virtue of the functions legally attributed to it, it is the responsibility of the administrative body or governing body of each obligated entity or body to hold the status of "responsible for the processing" of personal data, in accordance with the provisions of the regulations on the protection of personal data, which should be included in the text of article 5 itself.”

With the Legal Report prepared on the draft law, what the Spanish Data Protection Agency was trying to do was clarify the different legal positions that could be held, from the perspective of the regulations on the protection of personal data, by the different subjects that could intervene in the treatments of the internal information system.

Reference must also be made to Opinion 1/2010 of the Article 29 Group about “responsible and in charge of the treatment”. In this Opinion the Article 29 Group recognizes that “the concrete application of the concepts of data controller and data processor is becoming increasingly complex. This is primarily due to the increasing complexity of the environment in which these concepts are used and, in particular, to a growing trend, in both the private and public sectors, towards organizational differentiation, combined with the development of ICT and globalization.

According to Spanish Data Protection Agency, the correct interpretation of article 5 of Law 2/2023, of February 20, from the perspective of the protection of personal data, requires identifying as responsible for the treatment the entity or body obliged by law to have an internal information system, without prejudice to the fact that the decisions necessary for its correct implementation must be adopted by the corresponding administrative body or governing body.

In the public sector, the status of data controller will correspond to the entity or body required by law and not to its governing body, without prejudice to the fact that in this area it is a frequent practice in the preparation of records of data processing activities. treatment, to identify as responsible for the treatment the higher or managerial body that holds the corresponding powers, thus contributing to facilitating the identification of the administrative body that adopts the corresponding decisions on the processing of personal data and the exercise of rights. rights of those affected, a practice accepted and followed by the AEPD, but without excluding the status of data controller of the corresponding entity or body.

Don't miss all the latest news on Data Protection & Regulatory Compliance from the best professionals in the sector in our Professional Master in Compliance & Data Protection Management

Subscribe to our newsletter to stay up to date with all the news

Name and surname *

Email *

*I give my express consent and accept the Privacy Policy.

Basic information on data protection.
Responsible for the treatment: Mainjobs Internacional Educativa y Tecnológica SAU
Purpose: Manage your subscription to the newsletter.
Legitimation for processing: Explicit consent of the interested party granted when requesting registration.
Transfer of data: No data will be transferred to third parties, except under legal obligation.
Rights: You may exercise the rights of Access, Rectification, Deletion, Opposition, Portability and, where applicable, Limitation, as explained in the additional information.
Additional information: You can consult additional and detailed information on Data Protection at https://www.mainfor.edu.es/politica-privacidad