Last week, several regulatory modifications were announced in the Official State Gazette (BOE), including one that directly affects the regulation of our data and personal information: specifically Organic Law 3/2018, on the Protection of Personal Data and guarantee of Digital Rights, and other sectoral regulations with direct implications, such as Law 34/2002, of July 11, on information society services and electronic commerce (LSSI).
Remember that in May 2016 the European Union approved General Data Protection Regulation 2016/679, which completely transformed the legal rules on the processing of our personal information that had been set out in Directive 95/46/EC. The Regulation began to be applied on May 25, 2018, so this year, 2023, marks five years since it came into force. In the case of Spain, Organic Law 3/2018 was approved in 2018; it repealed and updated Organic Law 15/1999, which had been in force for nearly twenty years.
Since nothing is lasting and perfect, not even legislation, certain regulatory changes have now been incorporated, five years after the entry into force of the new regulations:
- Creation of the warning procedure as a specific, more flexible and faster procedure, with a maximum duration of six months, which will speed up the response to claims submitted by interested parties.
- Inclusion of the ability to perform investigative actions through digital systems, to regulate the option of carrying out not only in-person but also remote investigations.
- Possibility of establishing models for submitting claims to the Spanish Data Protection Agency in all areas in which it has jurisdiction, which will be mandatory for interested parties regardless of whether or not they are required to interact electronically with Public Administrations. These models will be published in the BOE and in the electronic headquarters of the Control Authority. They will be mandatory one month after their publication and will facilitate and simplify the presentation of claims.
Modified articles of LO 3/2018 on Protection of Personal Data and guarantee of Digital Rights:
- Article 48.2
- Article 50.
- Incorporation of article 53 bis.
- Article 64.
- Article 65.4 and 65.5. A new section will be incorporated: 65.6.
- Article 66.1.
- Article 67.2.
- Article 75.
- Article 77.2.
- Incorporation of the twenty-third additional provision relating to Claim Submission Models.
Particularly striking is the correction of article 77 of LO 3/2018. Prior to this modification, when certain data controllers and processors, especially those belonging to public administrations, were investigated and sanctioned by the Control Authority in question, whether the Spanish Data Protection Agency or any of those existing in Andalusia, the Basque Country and Catalonia, the sanction included in the resolution was a WARNING, and economic sanctions could not be applied as they are in the private sector.
Why is this situation changing now?
What is intended is for the Authority to issue the resolution indicating whether there has been a violation or not, thus creating a procedure with a maximum duration of six months, as a corrective measure aimed at putting an end to possible non-compliance, but of a non-sanctioning nature. The name “warning” disappears from the regulatory text.
Modification regarding the deadlines for resolving complaints and investigation:
- Claim for the exercise of rights: the period to resolve the procedure will be six months from the date on which the claimant was notified of the agreement for admission to processing. After this period, the interested party may consider their claim to be upheld.
- Claim for non-compliance with regulations: if a complaint is filed and no response is obtained after 3 months, it is considered accepted for processing. The investigation period, once admitted for processing, will be a maximum of 18 months (previously 12). The period to resolve from the agreement to initiate the sanctioning procedure will be 12 months (previously 9).
The investigative actions may be carried out through digital systems that, through videoconferencing or another similar system, allow bidirectional and simultaneous communication of image and sound, and visual, auditory and verbal interaction between the Spanish Data Protection Agency and the inspected party. In addition, the secure transmission and reception of the documents and information that are exchanged must be guaranteed, and, where appropriate, the necessary evidence and the result of the actions carried out must be collected, ensuring their authorship, authenticity and integrity. The deadlines will be automatically suspended when information, a consultation, a request for assistance or a mandatory statement from a body or agency of the European Union must be obtained.
The application of the new warning procedure, established in article 64.3, will be limited, due to the interpretation made by the Spanish Data Protection Agency, which considered that the warning can only be applicable to natural persons and public organizations under recital 148 of General Data Protection Regulation 2016/679:
“In the case of a minor infringement, or if the fine that would likely be imposed would constitute a disproportionate burden on a natural person, instead of a fine, a warning may be imposed.”