Ley Orgánica de Protección de Datos de Carácter Personal

The Organic Law 15/1999 of December 13 on Protection of Personal Data (Ley Orgánica de Protección de Datos de Carácter Personal, LOPD) was Spanish organic law that guaranteed and protected the processing of personal data, public liberties, and fundamental human rights, and especially of personal and family honor and privacy. It was approved by the General Court on December 13, 1999. This law was developed based on Article 18 of the Spanish Constitution of 1978, the familiar and personal right to privacy, and the secrecy of communications.

Its main objective was to regulate the treatment of data and files, of a personal nature, regardless of the support in which they are treated, the rights of citizens over them and the obligations of those who create or treat them. This law affected all data that referred to registered humans on any support, computer or otherwise. Excluded from this regulation are those data collected for domestic use, classified materials of the state and those files that collected data on Terrorism and other forms of organized crime (not simple delinquency).

Based on this law, the Spanish Agency for Data Protection was created, at the state level, which ensures compliance with this Law.

This act was repealed by the passage of a new data protection act, the Organic Law 3/2018 of December 5, about protection of personal data and guarantees of digital rights, to conform the Spanish legislation with the General Data Protection Regulation

Regulatory development

 * The Royal Decree 994/1999 on Security Measures for automated files that containing personal data of June 11, 1999 (RMS): It is a regulation that develops the Organic Law 5/1992, of October 29, of Regulation of the Automated Treatment of Personal Data (LORTAD), regulates the technical and organizational measures that must be applied to the information systems in which personal data are processed in an automated way. (Repealed since April 19 of 2010)
 * The Royal Decree 1720/2007, of December 21 on the development of the Organic Law on Data Protection. It is a development of the Organic Law 15/99 of Data Protection of December 13; develops the principles of the law, and the security measures to be applied in the information systems. It applies to files in automated support, as in any other type of media.

Control bodies and possible sanctions
The body responsible for monitoring compliance with data protection regulations at Spanish territory, in general, is the Spanish Agency for Data Protection (AEPD), there are other Data Protection Agencies of an autonomous nature, in Autonomous Communities of Catalonia and in Basque Country.

The sanctions are divided into three groups depending on the seriousness of the act committed, Spain being the country of the European Union that has the highest sanctions in terms of protection of data. These sanctions depend on the violation committed. The last company sanctioned has been the company Grupon, sanctioned by the state data protection agency, with 20 000 euros for storing the CVV codes of the Credit cards from their customers without informing them.

They are divided into:

"The minor penalties range from 900 to 40 000 €

Serious penalties range from 40 001 a 300 000 €

Very serious penalties range from 300 001 a 600 000 €"

Despite the amount of sanctions, there are many companies in Spain that have not yet adapted to it, or have done so in a partial manner or do not periodically review its adequacy; so that, maintenance and review of the adequacy carried out is essential.

In the public sector, the mentioned Law also regulates the use and management of information and files with personal data used by all public administrations.

The Spanish Agency for Data Protection (AEPD) was created in 1994 in accordance with the provisions of the repealed LORTAD. Its headquarters are located in Madrid, although the Autonomous Communities of Madrid, the Basque Country and Catalonia have created their own autonomous Agencies.

Year 2012
In 2012 complaints filed with the AEPD, increased by 12%. The activity of the Agency has grown significantly in 2012, with an increase of 15% in the files registered and almost 40% in the resolutions issued. The allegations of identity theft, especially in the supply and commercialization of energy and water (222%) and in telecommunications (92%), have experienced a substantial increase. Of the 863 infringement decisions declared to private managers, more than 34% concluded in a warning, without imposing a penalty. On the other hand, most of the sanctions affect the telecommunications sector, which represents 73% of the total. Three of the main operators accumulate 70.94% of the total amount of fines.

Year 2011
In 2011, reported complaints were 51.6% higher than those filed in 2010. This increase is also reflected in the increase in declaratory resolutions of infringement of 37.7%. However, the application of the figure of the warning has determined a decrease of 14.5% in the declared economic sanctions. The sector where sanctions have increased most (64%) and have been declared to a greater extent (25.5%) and amount, (63%) is that of telecommunications. The amount of sanctions has grown by 12% compared to 2010.

Year 2009
In 2009 they increased by more than 75% of the complaints received, which reached the figure of 4,136, and the number of requests for protection of rights, by 58%. 709 sanctioning procedures were resolved, of which 621 ended with sanction with a total amount of 24.8 million euros.

Source: Memory of the Spanish Agency for Data Protection (AEPD) for the years 2007, 2008, 2009.

Year 2008
In 2008 the number of facts reported to the AEPD (together with officio investigations initiated) increased by more than 45%, reaching the value of 2362. AEPD resolved in 2008 a total of 630 sanctioning procedures, almost 58% more than in 2007, of which 535 culminated with the imposition of sanctions. The fines imposed amounted to 22.6 million euros, representing an increase of 15% over the previous year.

The number of procedures solved of declarations of infraction committed by the public administrations rose in 2008 almost 20% with respect to the previous year, going from 66 to 79, of which 59 ended with a declaration of infraction.

Year 2007
In 2007 the Spanish Agency for Data Protection resolved 399 sanctioning procedures, increasing by 32.5% with respect to the previous year. The economic sanctions imposed by the AEPD amounted to 19 600 000 euros.

Year 2007
The Data Protection Agency of the Community of Madrid carried out 196 inspection procedures and 32 procedures for the protection of rights in 2007.

The Basque Data Protection Agency-Datuak Babesteko Euskal Bulegoa (AVDP-DBEB), resolved 43 complaints and 18 infringement procedures in 2007.

Ibero-American Data Protection Network
The Ibero-American Data Protection Network (RIPD), since its creation in 2003, has developed an intense and fruitful work, such as the organization of ten meetings. In addition to contributing to that more than 150 million Latin American citizens currently have, along with the traditional protection of habeas data, rules that allow to effectively guarantee the use of their personal information and specialized authorities with powers to protect said guarantee.

In Latin America policies are being developed for the protection of personal data. In 2012 two new laws were approved. In Nicaragua, Law No. 787 of Protection of Personal Data, of March 29, 2012 and Statutory Law No. 1581 of October 17, 2012, by which general provisions for the Protection of Personal Data are issued.

In Chile, also Law 19.628, of August 28, 1999, on Protection of Private Life, is currently in the process of reviewing part of its articles.

The National Assembly of Venezuela is processing the bill for the Protection of Personal Data of Habeas Data. And in Costa Rica there is already a Data Protection Agency of the Republic of Costa Rica, in compliance with the law approved in 2011.

Information Duty
Personal data are classified according to their greater or lesser degree of sensitivity, being the legal requirements and computer security measures more stringent in terms of this greater degree of sensitivity, being mandatory on the other hand, in any case the declaration of the data protection files to the "Spanish Agency for Data Protection".

Interested parties to which personal data are requested must be previously informed in an express, precise and unambiguous way:

1. The existence of a file or treatment of personal data, the purpose of the collection of these and the recipients of the information.

2. Of the obligatory or optional character of his answer to the questions that are posed to them.

3. The consequences of obtaining the data or the refusal to supply them.

4. Of the possibility of exercising rights of access, rectification, cancellation and opposition.

5. The identity and address of the person responsible for the treatment or, if applicable, his representative.

However, the processing of personal data without having been collected directly from the affected party or interested party is permitted, although it is not exempted from the obligation to report expressly, accurately and unequivocally, by the person responsible for the file or its representative, within of the three months following the start of data processing.

Exception: Communication in three months of such information will not be necessary if the data has been collected from "sources accessible to the public", and are intended for advertising or commercial prospecting, in this case "in each communication addressed to the interested party, he will be informed of the origin of the data and the identity of the person responsible for the treatment, as well as the rights that assist him".


 * Model clause

This could be a model clause of information / consent of rights protected by the LOPD:

"In compliance with the Organic Law 15/1999, of December 13, Protection of Personal Data (LOPD), (replace by the name of the person responsible for the file), as the person in charge of the file, reports the following considerations:

The personal data that we request, will be incorporated into a file whose purpose is (describe the purpose). The fields marked with an asterisk (or any other signal) are mandatory, being impossible to realize the expressed purpose if you do not provide this information.

You are also informed of the possibility of exercising the rights of access, rectification, cancellation and opposition, of your personal data in (substitute the address to exercise the rights)."


 * Data whose treatment is prohibited


 * Those relating to "criminal or administrative infractions".
 * Exception: They can only be included in files of the competent public administrations.

Types of consent
A) Unmistakable consent

The treatment of personal data will require the unambiguous consent of the affected party, unless the law provides otherwise.

B) Tacit Consent

This will be the normal form of consent in cases where an express or express consent is not required in writing.

C) Express consent

Personal data referring to racial origin, health and sexual life may only be collected, processed and assigned when, for reasons of general interest, it is provided by a law or the person expressly consents.

D) Express and written consent

Express consent is required in writing from the affected party regarding data related to ideology, union affiliation, religion and beliefs and may only be transferred with express consent.

Data communication
They have responsibility in the communication and treatment of data not only the legal persons (companies) but also freelancers, freelancers, associations, collectives and people who own a blog (bloggers) through from which data from third parties are collected to make queries and for any other transaction.

The personal data object of the treatment can only be communicated to a third party for the fulfillment of purposes directly related to the legitimate functions of the transferor and the transferee with the prior consent of the interested party.

The consent required in the previous section will not be precise:
 * 1) When the assignment is authorized by law.
 * 2) In the case of data collected from sources accessible to the public.
 * 3) When the treatment responds to the free and legitimate acceptance of a legal relationship whose development, compliance and control necessarily implies the connection of said treatment with third-party files. In this case the communication will only be legitimate as long as it is limited to the purpose that justifies it.
 * 4) When the communication to be made is addressed to the Ombudsman, the Public Prosecutor or the Judges or Courts or the Court of Accounts, in the exercise of the functions assigned to it. Neither will consent be required when the communication is addressed to autonomous institutions with analogous functions to the Ombudsman or the Court of Auditors.
 * 5) When the transfer occurs between Public Administrations and has as its objective the subsequent processing of the data for historical, statistical or scientific purposes.
 * 6) When the transfer of personal data related to health is necessary to solve an emergency that requires access to a file or to perform epidemiological studies in the terms established in the legislation on state or regional health.

The consent for the communication of personal data to a third party will be void when the information provided to the interested party does not allow him to know the purpose to which the data will be destined whose communication is authorized or the type of activity of the person to whom it is sent. They intend to communicate.

The consent for the communication of personal data also has a revocable nature.

The one to whom the personal data are communicated is obliged, by the mere fact of the communication, to observe the provisions of this Law.

If the communication is made prior to the dissociation procedure, the provisions of the previous sections will not apply.

Access to the data by third parties
The contract will stipulate, in addition, the security measures to which refers to article 9 of this Law that the person in charge of the treatment is obliged to implement.
 * 1) The access of a third party to the data will not be considered as data communication when said access is necessary for the provision of a service to the data controller.
 * 2) The performance of treatments on behalf of third parties must be regulated in a contract that must be recorded in writing or in some other form that allows proof of its conclusion and content, establishing expressly that the processor will only process the data according to the instructions of the person in charge of the treatment, which will not apply them or use them for purposes other than those stated in said contract, nor will they communicate them, even for their preservation, to other persons.
 * 1) Once the contractual provision has been fulfilled, the personal data must be destroyed or returned to the data controller, as well as any support or documents that contain any personal data object of the treatment.
 * 2) In the event that the person in charge of the treatment allocates the data for another purpose, communicates them or uses them in breach of the stipulations of the contract, it will also be considered responsible for the treatment, responding to the infractions that would have been incurred personally.

Criticisms and main problems
Certain aspects of the law were declared unconstitutional in November 2000 and deleted from the current text.

It is considered that the increase in the creation of files and processing of personal data affects the right to protection of citizens' data; This concern was picked up by the European bodies that even ordered that January 28 be held annually on "European Data Protection Day". The celebration dates back to 2006, when the Committee of Ministers of the Council of Europe established the annual celebration of the Data Protection Day in Europe on January 28, commemorating the anniversary of the signing of Convention 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data.

A very strict compliance with the regulation on data protection could slow down the normal work of a File Manager for the documentary accreditation of the information and consent principles of the LOPD; also in the opposite direction, a mere fulfillment of formal obligations, would leave the law senseless and the citizens unprotected and go against the "spirit" of the LOPD.

The possibility that companies can collect data without the consent of the affected has been criticized.

Certain resolutions of the AEPD have been reason for controversy:


 * In October 2008, the Spanish Agency for Data Protection sanctioned the Popular Party (PP), then in opposition, with a fine of 60 101.21 euros for a serious infringement of the Organic Law of Protection of Personal Data consisting of the inclusion, without their consent, of four O Grove neighbors as "false volunteers" of the election lists of Basque Country of May 2007.
 * The possibility offered by some websites to "send a friend" certain information, or "recommend this page to a friend" have also been sanctioned in strict application of the LOPD
 * La AEPD también resolvió que los datos relativos a los abortos practicados eran confidenciales, a raíz de la denuncias criminales interpuestas contra varias clínicas por presuntos abortos irregulares
 * The AEPD also resolved that the data regarding the abortions practiced were confidential, as a result of the criminal complaints filed against several clinics for alleged irregular abortions
 * In 2008, a judgment of the Supreme Court declared that the "baptismal books" of the Catholic Church are not "data files", disavowing a resolution of October 20, 2006 issued by the Spanish Agency for the Protection of Data; the agency had given the reason to an apostate who requested that, through the Agency, his inscription in the Baptism Book be canceled.
 * Due to breaches of data protection legislation, several insurers and health centers have been sanctioned, since they exchanged medical information about patients without their express consent. However, they are subject to reduced sanctions for not being assessed "intentionality in the commission of the offense"
 * AEPD sanctioned a company after a hacker attempted to blackmail it by finding a hole in its security and later denounced it
 * The LOPD continues to have gaps and social agents have requested certain reforms. In August 2008, Bernat Soria, Socialist Minister of Health and Consumer Affairs stated that action would be taken to create a law against companies that were making commercial calls not consented to homes, usually at meal times, which was a behavior popularly known as "telephone spam".