Acceder al contenido principal

Sección con el contenido principal

Organic law 3/2018, of 5 december on Personal data protection and guarantee of drm. New obligations for the public sector


Download a document of the spanish data protection agency onDevelopments of the organic law 3/2018 public sector.

Publication of the register of treatment activities of the body or agency of the public Sector

The organs and bodies of the public Sector are under an obligation to publish on its website the inventory of the activities of processing of personal data carried out by who, by identifying data, with what purpose and what legal basis legitimizes such treatment.

In the transparency Portal is reflected in a centralized informationRecords of treatment activities.

Obligation of information to the public on the exercise of their rights

The organs and bodies of the public Sector are under an obligation to include in its website clear and accurate information to those administered and managed on the exercise of the rights of access, rectification, deletion, the right to limitation of treatment and to the portability and opposition.

Verification authority of the personal data of citizens

The organs and bodies of the public Sector can verify, without having to apply for consent of the person concerned or the accuracy of personal data of the citizens within the disposition of the organs and bodies of the public Sector.

New arrangements for the provision of documentation on the part of citizenship: amendment to article 28 of law 39/2015

Has the law 30/1992 recognized administered and managed the right not to make administrative procedures obrasen documents held by the administration, or who have been developed by It. The legal basis for the processing of personal data by the administration was the consent of the administered or managed, which was meant implicitly granted if the person concerned does not expressly objected.

Both the General regulations on data protection as the new Organic Law eliminates the need to seek the consent or even tacit, of the citizen, to establish as a legal basis legitimadora for the processing of personal data by organs and Public Sector agencies carrying out a mission in the public interest or, in particular, the exercise of public powers.

In addition, the new wording granted by the organic law, article 28 of law 39/2015 recognizes the person concerned could oppose that bodies and agencies of the public Sector consult or to seek the above-mentioned documents, but in that case the administered or administered must necessarily provide for the administration can know who went there with the requirements of the rule. otherwise it will not be able to estimate their request, precisely because there would have shown the requirements.

In any case, the right of opposition does not play in cases of verification powers or inspection.

Notification of administrative acts: identification of citizens

The new law prevents joint use surnames, name and number of official identification of persons in those administrative acts to be subject to publication or notification through advertisements.

After the entry into force of the organic law:

  • When an administrative act shall be published shall identify the person by its name and surname, adding random numerical four digits of your official identification document.
  • In the case of notices, by means of advertisements will identify the person exclusively with the number of your identification document.

In both cases, where the individual lacks identification document is only through the identify your name and surname.

Communication of personal data of administered and managed by private subject

The organs and bodies of the public Sector can report personal data of those managed and administered to subjects of private law, upon request:

  1. or when they have the consent of the administered or managed.
  2. or, when you appreciate that attends private in the subject applicant a legitimate interest to prevail on the rights and interests of administered or administered concerned.

Appointment of a delegate of data protection (DPD) and communication of the appointment to the AEPD

The organs and bodies of the public Sector have an obligation to appoint a Delegate of data protection to have proper qualifications, guarantee the necessary means for the exercise of its functions and to notify the appointment to the AEPD for inclusion in the public registry of Delegates of data protection.

The Delegate of data protection has no responsibility in their personal capacity, for this fact alone, for possible violations in the field of data protection committed by their organization.

Statement by the representative of data protection in the resolution of claims in the public Sector

The Delegate of data protection of the body or agency of the public Sector must receive any claims they all administered and managed hen will choose the path before making a claim before the AEPD, and shall communicate the decision taken at the administered or administered within a maximum period of two months.

Furthermore, the delegate of data protection must receive the claims which AEPD decides to make a prior to the beginning of a punitive file. The Delegate should communicate the decision taken at the administered or administered and AEPD within one month.

In this way, with a general nature, if the delegate of data protection ensures that responsible resolved by any of these two tracks lareclamación, and without prejudice to the person concerned subsequently to be not AEPD beginning dossier declaration of infringement of the Public administration.

Greater transparency of the sanctions imposed on the Public Sector

Offences committed by organs and agencies of the public Sector shall be punished with a notice with corrective action and will not have a financial penalty.

The resolution on punishment of AEPD this shall identify the office responsible for the offence, shall be notified to the offender, to his supervisor, the ombudsman and posted on the website of the AEPD and in the official journal.

The resolution on punishment may propose to the body or agency the initiation of disciplinary proceedings, whose resolution is a statement by the body or agency of the public Sector to AEPD.

Offences are imputable to authorities and Public Sector and should be credited with the existence of technical reports or recommendations that had not been covered by these sanctions, the resolution will include a warning to the identification of office responsible and will appear in the official journal.

Processing of personal data in the notice of security incidents

The public authorities, the teams of computer emergency response (CERT), country teams in response to incidents of computer security (CSIRT), the suppliers of electronic communications networks and services and suppliers of technology and security services can treat personal information in notifications of security incidents exclusively during the time and scope necessary for its analysis, detection, protection and response, taking the appropriate security measures and proportionate to the level of risk.

Personnel records of the public sector: legitimation of treatment

La nueva Ley Orgánica establece que la base legitimadora del tratamiento de datos personales que realizan los registros de personal del sector público es el ejercicio de potestades públicas. 

Estos registros pueden tratar los datos personales que sean estrictamente necesarios para el cumplimiento de sus fines relativos a infracciones y condenas penales e infracciones y sanciones administrativas, de los que deberán ser informados de manera expresa, clara e inequívoca.

Rights of employees and public employees: more privacy

The Organic Law guarantees the right to privacy of employees and public employees in the workplace against the use of video surveillance devices and audio recording, as well as against the use of digital devices and systems of geolocation.

Adaptation to the organic law of contracts of assignment of processing of personal data

The contracts of assignment of processing of personal data between the organs and bodies of the public Sector (as responsible) and other bodies or agencies of the public sector or third parties (as responsible for treatment) signed by 25 may 2018 keep up to 25 may 2002.

Processing of personal data by concessionaires of public services

Organs and public Sector agencies maintain control over personal data of persons users of public services but had finalized the validity of the concession contract.

In the public Sector, a dealer of services, responsible for the processing of personal data, it becomes ever in responsible even establish relationships with people whose data has agreed under the provision of services.

Education for the digitization

The government should submit within one year after the entry into force of the organic law a bill aimed at ensuring the use of digital media that is safe and appropriate.

The Autonomous Communities will have the same time limit for inclusion in the curricula vitae the precise content to ensure the full integration of pupils in the digital society and ensure adequate training of teachers.

Processing of personal data in health research

The new act makes the data treatment for health research:

  • extends the purposes for which may be granted consent to treatment,
  • provides for the possibility of reuse information on which it has already been given consent before,
  • collects data usage pseudonimizados as an option to facilitate health research including guarantees to prevent the reidentificación of affected persons,
  • regulates the guarantees of this treatment, including the intervention of the committees of ethics of research or, failing that, by the representative of data protection or of an expert in the protection of personal data.