Download the Spanish Data Protection Agency's document on what is new in Organic Law 3/2018 for the public sector.
The bodies and agencies of the Public Sector are obliged to publish on their website the inventory of the personal data processing activities they carry out, identifying who processes the data, for what purpose and what legal basis legitimises that processing.
All the information on the Records of Processing Activities is in the Transparency Portal.
The bodies and agencies of the Public Sector are obliged to include on their website clear and precise information, intended for the administered, on the exercise of the rights of access, rectification, erasure, restriction of processing, portability and objection.
The bodies and agencies of the Public Sector can verify, without the need to request the consent of the person concerned, the accuracy of the personal data stated by citizens that are in the possession of the bodies and agencies of the Public Sector.
Law 30/1992 already recognized the right of the administered not to submit in administrative procedures the documents that were in the possession of the Administration, or that had been prepared by the Administration. The legal basis for the processing of personal data by the Administration was the consent of the person administered, which was tacitly granted if the person concerned did not expressly object.
Both the General Data Protection Regulation and the new Organic Law eliminate the need to obtain the citizen's consent, even tacit consent, by establishing as the main legal basis legitimizing the processing of personal data by bodies and agencies of the Public Sector the fulfillment of a mission in the public interest or, in particular, the exercise of public powers.
Likewise, the new wording given by the Organic Law to article 28 of Law 39/2015 grants the interested person the possibility of objecting to the bodies and agencies of the Public Sector consulting or obtaining the aforementioned documents, but in that case the person administered must necessarily provide them so that the Administration can verify that the requirements established by the rule are met. Otherwise the Administration will not be able to uphold the request, precisely because the person would not have demonstrated that the requirements are met.
In any case, this right to object does not apply in cases where powers of verification or inspection are exercised.
The new law prevents the joint use of surnames, names and full numbers of the official identification document of persons in those administrative acts that are to be published or notified by means of advertisements.
From the entry into force of the Organic Law:
In both cases, when the person lacks an identification document, he or she will be identified only by name and surname.
Public Sector bodies and agencies may communicate the personal data of the administered to subjects of private law at their request:
The bodies and agencies of the Public Sector have the obligation to appoint a duly qualified Data Protection Delegate, to guarantee the Delegate the necessary means for the exercise of the Delegate's functions, and to notify the designation to the AEPD for inclusion in the Public Register of Data Protection Delegates.
The Data Protection Officer is not personally responsible, for this simple fact, for possible data protection infringements committed by his/her organization.
The Data Protection Officer of the body or agency of the Public Sector must receive the claims addressed to the Officer by the administered who opt for this route before filing a claim with the AEPD, and will communicate the decision adopted to the person administered within a maximum period of two months.
Likewise, the Data Protection Delegate must receive the claims that the AEPD decides to forward to the Delegate prior to the opening of sanctioning proceedings. The Delegate must communicate the decision made to the person administered and to the AEPD within a maximum period of one month.
In this way, in general, if the Data Protection Delegate manages to get the data controller to resolve the complaint by either of these two routes, and without prejudice to the interested person subsequently addressing the AEPD, no proceedings for a declaration of infringement would be initiated against that Public Administration.
The infringements committed by the bodies and agencies of the Public Sector will be sanctioned with a warning with corrective measures and will not carry a financial penalty.
The sanctioning decision of the AEPD will identify the position responsible for the infringement, will be notified to the offender, to the offender's superior and to the Ombudsman, and will be published on the website of the AEPD and in the corresponding official journal.
The sanctioning decision may propose to the body or agency the initiation of disciplinary proceedings, the outcome of which must be communicated by the body or agency of the Public Sector to the AEPD.
Where the infringements are attributable to authorities and directors of the Public Sector and it is proven that technical reports or recommendations existed that they did not heed, the sanctioning decision will include a warning with the identification of the responsible position and will be published in the corresponding official journal.
Public authorities, Computer Emergency Response Teams (CERTs), Computer Security Incident Response Teams (CSIRTs), providers of electronic communications networks and services and providers of security technologies and services may process personal data contained in security incident notifications only for the time and scope necessary for their analysis, detection, protection and response, always adopting appropriate security measures proportionate to the level of risk.
The new Organic Law establishes that the legitimizing basis for the processing of personal data carried out by public sector personnel records is the exercise of public powers.
These records may process personal data that are strictly necessary for the fulfilment of their purposes relating to criminal offences and convictions and administrative offences and penalties, of which they must be informed expressly, clearly and unequivocally.
The Organic Law guarantees the right to privacy of public employees in the workplace against the use of video surveillance and sound recording devices, as well as against the use of digital devices and geolocation systems.
The contract for the processing of personal data between the bodies and agencies of the Public Sector (as data controllers) and other bodies or agencies of the public sector or third parties (as data processors) signed before May 25, 2018 will remain in force until May 25, 2022.
The bodies and agencies of the Public Sector will maintain control over the personal data of the users of the public services even if the validity of the contract for the granting of services has ended.
In the Public Sector, a service concessionaire acting as data processor never becomes the data controller, even if it establishes relations with the people whose data it has accessed by virtue of the provision of the service.
The Government must submit within one year of the entry into force of the Organic Law a draft law aimed at ensuring a safe and adequate use of digital media.
The Autonomous Communities will have the same deadline to include in the curricula the necessary contents to guarantee the full insertion of the students in the digital society and ensure the adequate training of all the teaching staff.
The new Organic Law makes data processing more flexible for health research: