SPANISH DATA AGENCY PROTECTION SPANISH DATA AGENCY PROTECTION



Similar documents
SPANISH DATA PROTECTION AGENCY

Factsheet on the Right to be

Assist Members in developing their own national arrangements through being able to draw on and hence benefit from the experience of other members;

Do you have a private life at your workplace?

COMMISSION OF THE EUROPEAN COMMUNITIES REPORT FROM THE COMMISSION ON MONITORING THE APPLICATION OF COMMUNITY LAW (2003) OVERALL POSITION

Registration must be carried out by a top executive or a number of executives having the power to commit the whole company in the EU.

Initial appraisal of a European Commission Impact Assessment

Liechtenstein. Heinz Frommelt. Sele Frommelt & Partners Attorneys at Law Ltd

Corporate Policy. Data Protection for Data of Customers & Partners.

Privacy in the cloud. DNB has indicated that it considers cloud computing a form of outsourcing.

Align Technology. Data Protection Binding Corporate Rules Controller Policy Align Technology, Inc. All rights reserved.

Code of Conduct Code of Conduct for Business Ethics and Compliance

Suspend the negotiations for a free trade agreement with the USA no agreement at the expense of workers, consumers or the environment

27 July 2006 No.152-FZ RUSSIAN FEDERATION FEDERAL LAW PERSONAL DATA. (as amended by Federal Law of No.266-FZ) Chapter 1.

STATUTORY INSTRUMENTS. S.I. No. 336 of 2011

QUEENSLAND COUNTRY HEALTH FUND. privacy policy. Queensland Country Health Fund Ltd ABN better health cover shouldn t hurt

DISCIPLINARY POLICY AND PROCEDURES DISCIPLINARY POLICY AND PROCEDURE

ARTICLE 29 DATA PROTECTION WORKING PARTY

PROTECTION OF EMPLOYEES (TEMPORARY AGENCY WORK) ACT, GUIDANCE

SWEDBANK AS TERMS AND CONDITIONS FOR PAYMENT CARDS SERVICING Valid from

Act on the Protection of Privacy in Working Life (759/2004)

Overview of Employment and Employee Privacy Laws and Key Trends in Austria

Real Estate Agents Act (Professional Conduct and Client Care) Rules 2012

Supplementary Policy on Data Breach Notification Legislation

Interception of Communications Code of Practice. Pursuant to section 71 of the Regulation of Investigatory Powers Act 2000

Human Services Quality Framework. User Guide

Executive Summary. The Review Group Approach to the Review

Compliance Management Systems

UNIVERSITY OF SOUTHAMPTON DATA PROTECTION POLICY

DIRECTIVE 2014/32/EU OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

Unemployment benefits. Active Entry Income. Unemployment protection

CHARTER OF ETHICS AND BEHAVIOUR

Guidance Statement GS 011 Third Party Access to Audit Working Papers

ETHICS APPROVED ETHICS COMMITTEE (PEDRO MIRÓ)

ARTICLE 29 Data Protection Working Party

DRAFT BILL PROPOSITION

T H E G O V E R N M E N T

Clinical trials regulation

Details about this location

ATLANTA DECLARATION AND PLAN OF ACTION FOR THE ADVANCEMENT OF THE RIGHT OF ACCESS TO INFORMATION

INSURANCE BROKERS CODE OF PRACTICE

Risk Management of Outsourced Technology Services. November 28, 2000

Quorum Privacy Policy

Not an Official Translation On Procedure of Coming into Effect of the Law of Ukraine On State Regulation of the Securities Market in Ukraine

Merchants and Trade - Act No 28/2001 on electronic signatures

MRS Guidelines for Online Research. January 2012

MULTILATERAL MEMORANDUM OF UNDERSTANDING CONCERNING CO-OPERATION IN THE EXCHANGE OF INFORMATION FOR AUDIT OVERSIGHT

Policy Statement. Employee privacy, data protection and human resources. Prepared by the Commission on E-Business, IT and Telecoms. I.

GUIDANCE NOTE ON OUTSOURCING

EARLY CALL FOR REGISTRATION FOR UNIVERSITY DOCTORAL STUDIES (PhD) FOR STUDENTS WITH NON-EHEA QUALIFICATIONS. ACADEMIC YEAR

CCBE RECOMMENDATIONS FOR THE IMPLEMENTATION OF THE DATA RETENTION DIRECTIVE

Observations on international efforts to develop frameworks to enhance privacy while realising big data s benefits

EEA EFTA States. Internal Market Scoreboard

COMMISSION OF THE EUROPEAN COMMUNITIES. Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL

EXPLANATORY MEMORANDUM TO THE DATA RETENTION (EC DIRECTIVE) REGULATIONS No. 2199

Monitoring Employee Communications: Data Protection and Privacy Issues

ELECTRONIC TRADING FACILITIES SUPPLEMENTAL TERMS AND CONDITIONS OF TRADING

An Agreement dated [ enter date ] governing the conduct of Insurance Business between:

Evidence-informed regulation The ACMA approach

FRANCE. Chapter XX OVERVIEW

PARALEGAL PRACTITIONERS RULES 2015

LAW ON THE PROTECTOR OF HUMAN RIGHTS AND FREEDOMS

London Borough of Brent Joint Regulatory Services ENFORCEMENT POLICY

Australian Charities and Not-for-profits Commission: Regulatory Approach Statement

REGULATIONS OF THE COMPLIANCE UNIT OF IBERDROLA GENERACIÓN ESPAÑA, S.A.U. 16/12/14

Proposal for a DIRECTIVE OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL. on electronic invoicing in public procurement. (Text with EEA relevance)

14 December 2006 GUIDELINES ON OUTSOURCING

1. Introduction. 2. Sectoral Areas Affected. 3. Data Security. 4. Data Breach Requirements. 5. Traffic Data

Ref. Ares(2014) /05/2014. l(5)vodafone.com>

Document 12. Open Awards Malpractice and Maladministration Policy and Procedures

CNNIC Implementing Rules of Domain Name Registration

We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards.

Royal Decree 1671/2009, of 6 November, which partially develops Law 11/2007 of 22 June, regarding citizens electronic access to public services

Banking & Finance Terms of Reference

Data Protection compliance in Spain Mission Impossible?

We are the regulator: Our job is to check whether hospitals, care homes and care services are meeting essential standards.

CODE GOVERNANCE COMMITTEE CHARTER. 1 Functions and responsibilities of the Code Governance Committee

COMMUNICATION FROM THE COMMISSION TO THE COUNCIL, THE EUROPEAN PARLIAMENT AND THE EUROPEAN ECONOMIC AND SOCIAL COMMITTEE

ELECTRONIC SIGNATURE LAW

Travel Money Terms and Conditions ver. 1.7 (with effect from September 2, 2013)

Principles of Best Practice applicable to the distribution of Life Insurance Products on a Cross-border Basis within the EU or a Third Country

ARTICLE 29 Data Protection Working Party

Department of Defense DIRECTIVE

National Occupational Standards. Compliance

Transcription:

SPANISH

THE SPANISH (AEPD in the Spanish acronym) is the public law authority overseeing compliance with the legal provisions on the protection of personal data, enjoying as such an absolute independence from the Public Administration. CITIZENS AS A PRIORITY The AEPD is of the understanding that its functions must always be conducted with a priority objective, that of guaranteeing the protection of individual rights. Accordingly, it undertakes actions specifically aimed at enhancing citizens' capacity to effectively contribute to that protection. In particular, the following could be pointed out: Dissemination of its activities and of the right to the protection of personal data Information is a key element in fostering awareness among citizens of their right to the protection of personal data. Bearing this in mind and with the purpose of satisfying the increasing demand for information and extending its public dissemination actions, the AEPD has intensified its relations with the media, increasing its personnel and material means dedicated to dissemination. As a result of this strengthening, there has been an increase in the demand for information by different media and in the impact of such information. In this respect, in 2007, approximately 450 requests for interviews and information and about 850 impacts were counted in written and digital media. From a qualitative standpoint, focusing on citizens' major doubts and concerns, the issues that are most frequently queried have to do with: The scope of application of the system of guarantees of the LOPD (Organic Act on Data Protection); Functions of the AEPD; Queries on the exercise of rights, especially the rights of access and cancellation; The obligation that entities collecting data have of informing citizens of their rights and where they may exercise them. There was also an important increase in the number of hits on the AEPD website www.agpd.es, totalling 2,230,120 ( 47%). Procedures to protect rights of individuals: of access, to rectify, to cancel and to object Citizens not only want to know what their rights are, they also want the effective exercise of those rights to be guaranteed, either directly by the data controllers or by requesting the intervention of the AEPD. There was a substantial increase in the number of requests for the protection of rights, with a 54% increase in the number of requests for protection that were met (879 altogether), where the rights to cancel (62%) and of access (32%) were sought most often. GUARANTEEING EFFECTIVE COMPLIANCE WITH THE ORGANIC ACT ON (LOPD) This Organic Act is the basis of the Spanish system for guaranteeing the right to protect personal data. The adequate compliance by all of the agents involved is an essential instrument for better protecting the rights of citizens. The following aspects could be enphasized: Direct assistance in response to citizens' queries The number of queries submitted to the AEPD's Citizen Assistance Service clearly continues on an uptrend, with a 30% increase in 2007 (in total, there were 47,741 queries). Registry of filing systems The evolution of the data on the filing systems registered at the Data Protection General Registry (RGPD) is considered a significant reference point regarding compliance with the LOPD. The

evolution of the registrations has continued upwards, reaching in 2007 a number of more than one million filing systems registered (1,017,266 entries in total), with the largest increases in privately-owned filing systems, particularly those of small and medium-sized companies and independent professionals, which were the sectors where traditionally substantial flaws have appeared in terms of compliance with the LOPD. Inspection & sanction procedures The greater degree of compliance with and awareness of the regulations on data protection that arises from the above figures does not mean that there has been a reduction of the AEP- D'S activities in terms of sanctions handed down for breaches of the LOPD. This has surely been enhanced by the greater awareness among citizens of the guarantees to which they are entitled, as mentioned above. This circumstance has led to an increase in the claims for alleged breaches of the LOPD. Thus, in 2007, the procedures iniciated as a result of complaints lodged by citizens or due to an initiative of the Director of the AEPD rose by around 7% to a total of 1,263. The largest number of inspections had to do with telecommunication companies and financial institutions, followed by videosurveillance, with an increase of over 400% compared to the previous year. In terms of exercising the power to impose sanctions, in 2007, the Spanish Data Protection Agency resolved 399 sanction procedures, which represents an increase by 32.5% over the previous year. In terms of financial penalties, the aggregate volume of the fines imposed by the AEPD was 19.6 million. The figures provided above attest to the consolidation of the increase in the AEPD'S inspection and penalisation activities compared to previous years. The year 2007, however, stands out for a distinct characteristic related to the exercise of its authority to impose penalties: there has been an increase in the number of decisions to put an end to the proceedings and in the number of complaints that have been rejected, but also the overall number of the sanctions that have been imposed declined by nearly 20% compared to the previous year. An initial appraisal of these data leads to a very important conclusion: there is a greater awareness of the LOPD and the subjects that are obliged by it are more diligent in terms of compliance. However, it will be necessary to compare the figures for the coming years to see the true scope of this trend. ENHANCING THE LEGAL FRAMEWORK FOR The AEPD encourages the adoption of rules that are meant to fill in or complete the legal framework for data protection, and it also contributes to ensuring that the right to data protection is treated correctly in the legal provisions adopted with purposes that have no specific relation to data protection: Approval in 2007 of the Regulation implementing the Organic Act on Data Protection The need to approve the Regulation for the implementation of the LOPD as an instrument aimed at obtaining greater levels of legal certainty in the application of the Act led to the publication of Royal Decree 1720/2007, of 21 December, approving the Regulation for the Implementation of the Organic Act on the Protection of Personal Data. The approval of the Regulation is the end of a long process featuring a great deal of transparency and participation, with a large range of companies contributing with their remarks. The Regulation is meant to satisfy the following purposes: To increase the legal certainty; To reflect in the legal provisions the consolidated criteria in the implementation of the LOPD both via Decisions of the AEPD and especially in view of case law; To respond to the concerns of the European Commission regarding the transposition of Directive 95/46/EC; To incorporate legislative policy criteria and complete the regulatory implementation of the novelties introduced in the LOPD.

Issue of reports Together with the approval of the Regulation, the AEPD has continued working on the goal of achieving greater legal security, both via mandatory advisory opinions on provisions of a general nature being foreseen and answering the queries that citizens and companies may have submitted to its Legal Department. The number of advisory reports issued in 2007 in response to the queries made by Public Administration bodies and private entities totalled 555. In addition, the Legal Department issued 77 mandatory advisory opinions concerning general provisions being foreseen. It should be stressed that, in recent years, there has been an increasing complexity in the issues that have been submitted to the AEPD's consideration, with a decline in the number of very simple queries, due to the important dissemination task that has been carried out. INTERNATIONAL CO-OPERATION Many of the important topics affecting data protection are of an international scope, to the same extent that there has been a globalisation in the movement of individuals, goods, services and capital. In addition, there is the fact that certain concerns, for instance those relating to security or the fight against terrorism, reach well beyond national boundaries. This important international dimension is present in all of the activities of the AEPD, which has been and continues to be present and well involved in a number of international forums. CO-OPERATION WITH THE AGENCIES OF THE AUTONOMOUS COMMUNITIES When performing its functions, the Spanish Data Protection Agency relies on clear and effective mechanisms for co-ordinating and collaborating with the Data Protection Agencies of the Autonomous Communities of Catalonia, the Basque Country and Madrid, in order to ensure the equality of all citizens in terms of their right to protect their personal data. THE AEPD & EMERGING RISKS The protection of personal data has to adapt to the continuous evolution of economic and social relations, as well as to rapid technological changes. It is necessary that those changes be anticipated and that answers be provided to allow citizens to safeguard their right to privacy with respect to situations such as: The undue use of personal data on the Internet. The main novelties that have been raised in relation to the protection of personal data have arisen in the area of the services provided via the Internet. The development of these services has extended citizens' possibilities in terms of exchanging and obtaining information, as well as facilitating access to it whilst jeopardising the traditional criteria for guaranteeing privacy and hence making an urgent updating necessary. On the one hand, it is apparent that the service offer of Internet search engines entails a massive and selective processing of users' data, the implications of which are often not known by those users. On the other hand, the AEPD has answered new complaints relating to the possibility of citizens reacting against information provided by a third party on an Internet forum or message board without their consent or against other services such as YouTube. It should also be specifically noted that there have been instances of files containing personal data being found in P2P networks, particularly in e-mule, giving rise to penalties being imposed due to infringements of the LOPD. The AEPD, acknowledging the new possibilities with which citizens are provided as a result of the development of Internet services, has faced the challenge of adapting the guarantees set

out in the data protection provisions to these new situations, especially in terms of the possibility of reacting against the global dissemination of personal information. Generalisation of video-surveillance systems The substantial increase of video-surveillance in recent years is largely due to citizens' initiatives in the quest towards a surveillance society. The filing systems registered with the RGPD, which declare that safety reasons are behind their video-surveillance, are proof of this trend. The registered filing systems have gone from 67 in 2003 and 700 in 2006 to 5,026 en 2007 ( 618% over the previous year). The initial data for 2008 ratify the intensity of this trend. At the same time, there has been an important reaction against this practice as shown by the increase in the number of complaints relating to video-surveillance. The inspections involving video-surveillance have grown by 412.5% and as a result, this matter accounts for the third largest number of inspections. Rising control of labour activities The development of new technologies used in the workplace, such as video-surveillance, the use of biometric data, electronic mail and access to the Internet, among others, as well as the implementation of internal whistleblowing systems, has intensified the debate on the limits and guarantees that should accompany the exercise of powers of control. Intensification of international data flows The Agency has recorded an important increase in the number of international data transfers via notifications of filing systems to the RGPD (8,838 transfers were declared). It is necessary to apply a measure of caution when dealing with international data flows that allow transfers from countries with adequate levels of protection to other countries lacking such levels. Hence, the monitoring of international data transfers represents a priority for the AEPD, especially when business delocalisation is involved. In light of the challenges that have been described above and building on the practical experience it has accumulated, the AEPD has set forth a number of recommendations for policy makers with the purpose of encouraging initiatives and actions that will foster an effective guarantee of the fundamental right to data protection in certain areas deserving a singular or specific attention, specified in the following actions: Developing procedures allowing copyright protection in a manner compatible with the fundamental right to data protection; Regulating the anonymized publication of judgements passed by Courts of Law; Regulating internal whistleblowing systems available to workers within companies, outlining the activities in which it may be necessary to establish these systems and guaranteeing the confidentiality of those reporting and the rights of those being reported on; Development of specific public policy plans for the protection of minors on the Internet; Increased caution in order to prevent the undesirable exchange of sensitive personal data on the Internet via P2P networks; Fostering of self-regulation among the media to guarantee privacy and the protection of personal data, by encouraging more respect for the usage in relation to the data protection provisions; Citizen guideline actions regarding the use of guarantees of confidentiality for the recipients of emails; Plan for the Fostering of Good Practices in terms of guaranteeing privacy in Official Gazettes and Journals, by adopting measures that, without affecting their purpose, will limit the gathering of personal information by Internet search engines; Local Strategy aimed at conforming the installation of traffic control cameras to the provisions on the protection of personal data.

Jorge Juan nº6 28001-MADRID www.agpd.es SPANISH

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information