Data protection as a duty

The protection of natural persons in relation to the processing of personal data is a fundamental right recognized, at the European level, in art.8.1 of the Charter of Fundamental Rights of the European Union and in art.16.1 of the Treaty of Functioning of the European Union and, at the national level, in art.18.4 of our Constitution.

In the Spanish legal system, currently, its regulatory development is contemplated mainly in the General Data Protection Regulation (RGPD) and in the Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which develops the RGPD by harmonizing its content with the rest of national legislation.

The provisions of the RGPD and LOPDGDD constitute the basic rules of the game. All processing of personal data must be carried out in accordance with the principles and procedural requirements contained therein. They are the minimum requirements that every controller and processor must respect in the processing of personal data so that the fundamental rights and freedoms of natural persons are protected and, in particular, their right to the protection of personal data.

Compliance with these principles and requirements is therefore a duty that must be guaranteed without the need for it to be required by the natural persons who are affected by the treatment, the interested parties. The omission of any of its precepts, as the case may be, by those responsible or in charge, represents a violation of data protection regulations. Depending on the breached provision, this may be considered by the competent judges and courts as a violation of the fundamental right to data protection.

What actions can those interested take?

In the event of a violation of data protection regulations, interested parties have the possibility of asserting our right to have the principles and requirements relating to the processing of our data respected.

This right is fundamentally manifested in three actions that we can exercise in a complementary way, since they provoke independent legal reactions:

Complain to the competent control authority (arts.77 and 78 GDPR):

Without prejudice to any other administrative appeal or judicial action, claims may be presented to the Spanish Data Protection Agency against the person responsible or in charge by providing evidence or indications of a non-compliance or violation of the data protection regulations that affect to the processing of the personal data of the interested party. The claim can be made personally or through representation.

It should be noted that claims regarding possible non-compliance with the rights of access, rectification, limitation, opposition, deletion, portability and opposition to the processing of automated decisions require that, prior to filing the claim, the interested party has addressed the entity. responsible by a means that allows proving the exercise of the corresponding right.

After the claim, if the AEPD considers it necessary, the investigation procedure will be opened, which may result in a sanctioning resolution or archiving of the actions that, among other requirements, must be in writing, be clear and unequivocal, and have been signed by the Presidency of the Agency (Considering 129 RGPD – art.48.1 LOPDGDD).

The acts and provisions dictated by the Presidency of the Spanish Data Protection Agency put an end to the administrative route, being appealable through the optional appeal for reconsideration or, directly, before the Contentious-administrative Chamber of the National Court. In summary, an appeal will be possible when:

The AEPD does not process a claim or does not inform the interested party within three months about the course or result of the claim.
The resolution rejects or dismisses totally or partially the content of a claim, thus considering the right that the RGPD wants to protect to have been violated.

Request appropriate judicial protection (art.79 RGPD):

Additionally, and without prejudice to the aforementioned actions, the right to effective judicial protection may be exercised against a controller or processor when you consider that your rights under the RGPD have been violated as a result of the processing of your personal data.

In accordance with the provisions of article 53.2 of our Constitution, any citizen may seek protection of the right to data protection before the ordinary Courts by a procedure based on the principles of preference and summary and, where appropriate, through the appeal for protection before the Constitutional Court.

In addition to the protection set forth in the previous paragraph, the violation of the right to data protection may be alleged in court within the framework of any other procedures regarding the illegality of obtaining or origin of the admitted evidence (art. .287 Law of Civil Procedure), which, taking into account the multiple requirements of the RGPD and the increasingly extensive interpretation thereof, may be a means of defense that will gain importance in the coming years.

3. Claim compensation for damages as a result of a violation of the GDPR (art.82 GDPR):

On the other hand, again without being an obstacle to the exercise of the previous actions, any person who has suffered material or immaterial damages as a result of a violation of the RGPD will have the right to receive compensation for the damages from the person responsible or the person in charge of the treatment. and damages suffered.

Liability arises from the production of damage to the interested party, when the origin and basis of the damage lies in the violation of the RGPD, it is a criterion of objective imputation. It is important to retain this idea because there will be cases in which the action causing the damage is not a violation of the regulations, as well as others in which there will be a violation without damage, therefore not deriving a right to compensation for damages.

The action for compensation must be brought before the ordinary jurisdiction by the interested party, who will be the one who has the legal standing. Likewise, it is worth remembering that, as jurisdictional doctrine has pointed out on several occasions, the action for liability for damages does not require prior action before the AEPD nor is it conditioned by that action.

Conclusion

The RGPD has outlined actions that were already present in the preceding regulations. This specification, added to the detailed and varied classification of the requirements that must be met in all personal data processing, offers a protection framework that will potentially place this fundamental right in a prominent position in any relationship between natural persons and entities with legal personality. . However, the success of the provisions of the regulations and the seriousness that the market and society bring to their compliance is subject to the necessary assessment by the control authorities, within the framework of their sanctioning powers, as well as by part of judges and courts, on whom falls the responsibility of weighing the limits of the right to data protection in relation to its balance with other fundamental rights, in accordance with the principle of proportionality.

Subscribe to our newsletter to stay up to date with all the news

Name and surname *

Email *

*I give my express consent and accept the Privacy Policy.

Basic information on data protection.
Responsible for the treatment: Mainjobs Internacional Educativa y Tecnológica SAU
Purpose: Manage your subscription to the newsletter.
Legitimation for processing: Explicit consent of the interested party granted when requesting registration.
Transfer of data: No data will be transferred to third parties, except under legal obligation.
Rights: You may exercise the rights of Access, Rectification, Deletion, Opposition, Portability and, where applicable, Limitation, as explained in the additional information.
Additional information: You can consult additional and detailed information on Data Protection at https://www.mainfor.edu.es/politica-privacidad