It's been three years since the publication of the Organic Law 7/2021, of May 26, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal penalties (hereinafter, LOPD 7/2021), and little has been known about the implementation of this Law.
The reason why this rule has been forgotten is that its application is very limited, but this does not prevent it from being given its importance.
Scope of application:
To delimit the scope of application of the LOPD 7/2021, we must start from an assumption where the GDPR does not apply, which in its article 2.2d, indicates that “This Regulation does not apply to the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences, or the execution of criminal penalties, including the safeguarding against and prevention of threats to public security.This assumption has led to the creation of a specific law to regulate data processing for these purposes.
Does this mean that data of a criminal nature cannot be processed unless it is under the protection of LOPD 7/2021?
The answer is yes. Data of a criminal nature may be processed in accordance with Article 10 of the GDPR (Processing of personal data relating to criminal convictions and offences), which states that “The processing of criminal data may only be carried out in two cases:
- under the supervision of public authorities or
- when authorised by Union or Member State law which provides appropriate safeguards for the rights and freedoms of the data subjects”.
That is, the processing of data relating to criminal convictions and offences is either supervised by a public authority or is carried out in accordance with a law.
But then what data of a criminal nature does the LOPD 7/2021 regulate?
As indicated in the title of the regulation, its application will be effective when such data is used for the purposes of prevention, detection, investigation, and prosecution of criminal offenses and the execution of criminal penalties. When it is not used for these purposes, as indicated in Article 10 of the LOPDGDD (Processing of data of a criminal nature):The processing of personal data relating to criminal convictions and offences, as well as related precautionary and security procedures and measures, for different purposes Of the prevention, investigation, detection or prosecution of criminal offenses or execution of criminal sanctions, only the following may be carried out:
- when it is covered by a rule of Union law, by this organic law or by other rules of legal rank.
- when they are carried out by lawyers and solicitors and their purpose is to collect information provided by their clients for the exercise of their functionss”
Finally, it should be noted that, for LOPD 7/2021 to apply, in addition to the purposes indicated, the processing must be carried out by a competent authority. Article 4 of the regulation (Competent Authorities) establishes:
"In particular, the following authorities will be considered as such, within the scope of their respective powers:
a) The Security Forces and Corps.
b) The Penitentiary Administrations.
c) The Deputy Directorate of Customs Surveillance of the State Tax Administration Agency.
d) The Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offenses.
e) The Commission for the Surveillance of Activities for the Financing of Terrorism.
2. The judicial authorities of the criminal jurisdiction and the Public Prosecutor's Office shall also be considered competent authorities.
In this last case (judicial authorities and the Public Prosecutor's Office), although it will be governed by this Law, provided that it has the aforementioned purposes, it must not be forgotten that it must be applied jointly with:
– Organic Law 6/1985, of July 1, of the Judiciary
– Law 50/1981, of December 30, which regulates the Organic Statute of the Public Prosecutor's Office, and
– the procedural laws applicable to it
It should also be noted that in this last case (judicial authorities and the Public Prosecutor's Office), the data protection authorities (national and regional) will not be competent to control these processing operations, but rather the General Council of the Judiciary will be competent.
It should also be noted that this is regulated whether the treatment is automated, manual, or mixed.
In conclusion, this standard regulates the totally or partially automated processing of personal data, as well as the non-automated processing of personal data contained or intended to be included in a file, carried out by the competent authorities, for the purposes of prevention, detection, investigation and prosecution of criminal offenses and execution of criminal sanctions, including protection and prevention against threats to public security.
As for its detailed regulation, it follows, more or less, the same aspects as those regulated in the GDPR:
- Principles relating to treatment
- Special categories of data
- Duty to provide information
- Exercise of rights
- Obligations of the Data Controller
- Privacy by design and by default
- Joint responsibility for processing
- Data Protection Officer
- Data processing order
- Record of processing activities
- Data Protection Impact Assessment and Prior Consultation
- Treatment safety
- Notification of security breaches
- International data transfers
All these aspects are regulated in a similar way, but the differences will be discussed in subsequent articles.
Finally, there are two aspects not regulated by the GDPR that will be analyzed in detail: the duty to cooperate and video surveillance by law enforcement agencies, which we will also discuss in upcoming articles.
If you would like more information about Regulatory Compliance and Data Protection, visit our blog
