Introduction

The Final First Provision of Organic Law 15/1999, of 13 December for Protection of Personal Data (LOPD) contemplates the competence of the Government to approve or modify the regulatory provisions necessary for application and development of the Law. Eight years have had to pass for us to see, at least, a draft Royal Decree which – under the aegis of the above mentioned Final Provision – approves the Regulation developing the LOPD. On publication of this article, the Ministry of Justice, responsible for promoting the Draft, exercising the powers granted by the Law, and together with the Spanish Data Protection Agency (AEPD), had already commenced the process for public information. In this regard, many voices express the opinion that the long awaited text will be brought to light before the year end.

In the presentation of motives, the new Regulation indicates that it has come about with the vocation of not reiterating the content of the superior regulation and of developing not only the mandates set out in the LOPD, but also those that, during the years in which the law has been in force, have been shown to require greater regulatory development.

The Regulation shares with the Organic Law the intention of taking on the risks that collecting and processing personal data can represent for identity rights. The needs which the new text looks to cover are two-fold: on the one hand, to provide coherence to the regulatory provisions in all aspects relating to the transposition of Directive 95/46; and on the other hand, to develop not only the new aspects of the LOPD – since they are not contemplated in the LORTAD or in its developmental regulations – but also those which experience has indicated require a certain degree of precision to provide the system with legal security. If there is something that – according to the legislator – characterises the new Draft, it is the interest it expresses in guaranteeing legal security in a recently regulated matter, one which is also very sensitive for fundamental rights like the protection of personal data.

Text of the Regulation

In its nine Titles and one hundred and fifty-four articles, the draft for the new Regulation develops essential aspects in this regard: from the object and scope of application of the regulation to the principles of data protection, in particular the regulation of the manner for obtaining consent, especially when the data processed relate to minors. The delimitation of the figure of processing manager, the regulation of personal rights, and the application of specific criteria to certain types of private files (those relating to equity solvency and credit records and those used in advertising activities and in commercial prospecting) are other points on which the new text focuses. The Regulation does not ignore the criteria and procedures for the international transfer of data; the regulation of an instrument, the type code, understood to be an element dynamising the fundamental right of data protection; and, of course, the security measures which should be undertaken to ensure compliance with the responsibility of security set out in article 9 of the LOPD.

New items

We can start from the base that the Regulation developing the LOPD will cover the scope formerly governed by Royal Decrees 1332/1994, of 20 June and 994/1999, of 11 June, which are expressly revoked through the Sole Revoking Provision. In this manner, the main aspects and new items contemplated in the new Regulation include the following:

Scope of application. The new regulation includes the consideration of multiple forms of material and personal organisation of practical security, including measures to be applied to files and structured or automated processes and those not automated, a matter not considered as of yet.

The objective is to make the measures applicable to automated files compatible with those applicable to non-automated files, with a view to unifying processes.

In this sense, companies will have to make great efforts to locate and identify the paper files they use and which will be subject to filing and custody criteria. We would stress that non-automated files should be filed for conservation, location and consultation. Custody should be carried out in a fireproof space and under the safeguarding of a security manager.

Data relating to health and public access sources. As regards data relating to health issues, the Regulation expressly contemplates a broad definition thereof and indicates that these constitute information relating to past, present and future issues of the physical and mental health of an individual. In particular, data relating to personal health matters are considered to be those dealing with percentage disability and genetic information. In respect of these data and the security measures applicable thereto, the Regulation establishes certain cases in which the security measures will not correspond with the normally high level associated with data of this kind. An example of this is the implementation of basic level security measures for files or processes which contain health data relating exclusively to degree of disability or the simple statement of the condition of disability or incapacity of the person involved, with a view to compliance with public responsibilities.

No new items have been contemplated as regards the concept of public access sources, despite the fact that the new Regulation contains an article specifically for that matter (article 7). The list of public access sources remains exhaustive, leaving out concepts like the Internet or the Mercantile Register, or any other register of a similar nature.

In this sense, we would point out the SAN of 17 March 2006 [1], which stresses the exhaustive nature of the public access sources set out in article 3 of the LOPD and which, although recognising the Mercantile Register as a public access source, states that from a data protection stance it cannot be considered as such, precisely because of the exhaustive nature of the list of public access sources indicated in the above mentioned article of the LOPD.

Responsibility to inform and obtaining consent. The new text establishes certain required formalities regarding accreditation of the responsibility to inform and obtaining consent.

As regards the responsibility to inform, the person in charge will have to offer the owner of the data the possibility to expressly refuse permission for the processing of their data when they, within a contractual relationship, are used for a purpose other than that for which they were provided. In particular the Draft establishes that this responsibility will be understood to be complied with when the person involved is permitted to mark a clearly visible box which has not already been marked. We could then ask how to make this provision compatible with the content of section two of article 21 of the Information Society Services Act, whereby in those cases where a previous contractual relationship exists, the company will not require express consent from the owner of the data to send commercial communications relating to products or services which are similar to those initially subject to contract.

In respect of consent, we would indicate that the file manager is responsible for accrediting that consent is obtained.

Person in charge of processing and subcontracting services. The person in charge of processing is defined and regulated in a detailed manner, as are the various requisites which can be demanded in their relationship with the manager and in their own activity.

Security measures. In addition to the application, as indicated above, of the aforementioned security measures to non-automated files, in this regard the new Regulation introduces certain modifications to the categories of files subject to different levels of security. An example of this is the inclusion under high level of files containing data relating to certain groups, such as victims of gender violence and traffic records and the location of operators providing electronic communications services or operating public electronic communication networks.

Regarding data up to now considered to be sensitive and subject to a high level of protection, the new text makes certain practical clarifications such as that in the case of files or processes relating to ideology, union affiliation, religion, beliefs, racial origins, health or sex life, the implementation of basic level security measures will be sufficient when:

a) The data are used exclusively for the purpose of transferring money to entities in which the person involved is an associate or member.

b) Non-automated files or processes are involved that incidentally or ancillarily contain those data, but which are not related to the purpose of the file or process.

In the section regarding security measures, the Draft is clear and requires the manager and the person in charge of processing to implement security measures, regardless of the processing system involved.

Conclusions

In summary, as occurred at the time, the new Security Measures Regulation has met with much criticism regarding the Draft, based mainly on the practical difficulties for companies to implement and adopt the new measures.

We must not ignore that the adoption of the new measures will require greater awareness in SMEs and major companies in the face of the structural and organisational changes which will have to be made.

In summary, the need for approval of the Regulation derives from the situation of the current regulatory system for data protection, made up of regulations approved prior to the LOPD, which govern partial aspects thereof and which are insufficient, as is the case of the articles of the LOPD itself. This leads us to ask: when will we have the new Regulation for Data Protection?

Footnotes

1. “Regarding the consideration of the Mercantile Register as a public access source, Organic Law 15/1999 establishes a general concept for public access sources, which it defines as ‘those files which can be consulted by any person, unimpeded by regulatory restrictions and without further requirements, where applicable, than the payment of a fee’. Summing up, based on this concept, a public access source is any file which has been duly published, provided that there is no regulation restricting said publication, meaning that, in principle, the Mercantile Register would be such a source”. And it goes on to say “… after establishing this concept, the LOPD sets out an exhaustive list, since it adds: ‘public access sources will be exclusively…’ those set out in the LOPD. That means that only the sources set out exhaustively in the precept will be considered to be public access sources, provided that they have been previously published in such a manner that the information is freely accessible”. And it ends with “As the Mercantile Register is not included in the list, it is clear that, for the purposes of protection of personal data, it is not considered to be a public access source”.
