News

Start of main content

Keys to the new data protection law: from political spam to the figure of the DPO

| News | Privacy, IT & Digital Business

Isabel Martínez Moriel and María García Zarzalejos analyse the keys to the new LOPDGDD in an article published by Cinco Días

On 6 December, the new Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights ("LOPDGDD") was published in the Official State Gazette (BOE), which includes novelties that exceed the provisions of the General Data Protection Regulations ("RGPD").

Among the new provisions, it incorporates digital rights by introducing an ex novo title dedicated exclusively to the regulation and guarantee of digital rights that protect the holders of personal data, such as digital disconnection in the workplace, geolocation or digital testament, among others.

It also includes the processing of personal data of businessmen and liberal professionals, with which it resolves all doubts raised after the entry into force of the RGPD on the processing of this type of data, maintaining that they may be processed for legitimate interest without it being necessary to obtain consent.

It modifies the regulation of credit information systems, reducing the period previously established from six to five years for the maintenance of creditors' personal data included in asset solvency and credit information files such as ASNEF delinquency files. In addition, it is established that debts with a principal amount of less than 50 euros will not be included in these files. 

It also regulates the creation of an internal complaint channel within the company and confirms that complaints may be made either by an identified subject or anonymously, an issue that has been widely debated so far in case law. It establishes, at this point, a conservation period of three months for the data collected, unless they are the subject of an investigation procedure.

With regard to the Data Protection Delegate (DPD), Article 34.1 rates specific sectors in which the appointment of a DPD will be mandatory.

It provides for a sanctioning procedure compatible with the RGPD, which had already been adapted to national law by Royal Decree-Law 5/2018 which is now repealed.

Regarding aggressive data protection practices, the LOPDGDD modifies article 8 of the Law on Unfair Competition to classify as unfair certain conduct related to the processing of personal data, such as supplanting the identity of the Spanish Data Protection Agency or carrying out commercial practices in which the decision-making power of users is curtailed.

For the treatment of health data, it incorporates a detailed regulation on the treatment of data in medical research, the permitted uses and purposes, as well as its subsequent process of pseudonymization, at the end of the clinical trial.

The new regulation also modifies Organic Law 5/1985 on the General Electoral System, including an article 58 bis: Undoubtedly, the most controversial point that has not left users, the media and even the Spanish Data Protection Agency itself indifferent, which since the publication of the definitive text of the LOPDGDD has had to express itself through a press release on two occasions.

This article allows political parties to collect personal data from publicly accessible sources for the conduct of political activities during the election period, not considering electoral propaganda communications as an activity or commercial communication.

After this essay, the heated debate started, and the media did not wait to echo the new provision that allows users to be "spammed" by political parties without our consent. Faced with such a stir, the Spanish Data Protection Agency had no choice but to go out and clarify the matter in the following terms: "political parties will not be allowed to profile ideological, sexual, religious or any other type of data that can be obtained from citizens on social networks or other Internet services" and "neither will parties be allowed to send advertising or electoral propaganda based on an ideological profile from information obtained in those services".

This interpretation of the Agency for many is unconvincing and contrary to what is literally established in the new LOPDGDD, but we will only be able to verify its application and extension in the next electoral campaign.

Meanwhile, the Platform in Defence of Freedom of Information, the Association of Cybernauts and legal experts in the sector have prepared a form to prevent parties from creating databases with the political opinions of citizens.

In conclusion, these new provisions will apply to all operators processing personal data in Spain, and given the margin of discretion allowed by the RGPD itself, it constitutes a complementary rule to European Union law, which may lead to discordance with internal rules that have been approved by other Member States.

End of main content