Organic Law on Protection of Personal Data and Guarantee of Digital Rights

The Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights (Spanish: Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales) is an organic law approved by the Cortes Generales that has the goal of adapting Spanish domestic law to the General Data Protection Regulation. This organic law repeals the previous Organic Law 15/1999 on Personal Data Protection, although the earlier law remains in force for certain activities.

This law came into effect on December 7, 2018.

Structure
The law consists of ninety-seven articles structured in ten headings, twenty-two additional provisions, six transitory provisions, a repeal provision, and sixteen final provisions.

Heading I
It relates to the general provisions of the law.

According to the first article, the organic law has two purposes. The first is to adapt Spanish law to what is contained in the General Data Protection Regulation, and the second is to "guarantee that the digital rights of the citizen conform with the mandate established in article 18.4 of the Constitution."

Heading II
It relates to the principles of personal data protection. These include accuracy, confidentiality, consent, and the processing of special data such as that of criminals and minors. A minor has to be fourteen years of age before they can give consent.

Heading III
Heading III declares the personal data protection and processing rights that entities have. These are, in conformity with European regulations, the following: access, correction, deletion, opposition, the right to restriction of processing, and the right to portability. The right to restriction of processing and the right to portability of data are a change compared to the previous regulation.

Heading IV
Heading IV includes provisions for specific treatments. These rules should be followed when a responsible party intends to process a specific data set.

This title includes the regulation related to the inclusion and processing of data by credit reporting agencies, known popularly as "defaulter lists."

Although data processing for credit reporting purposes is recognized as legal, it is subject to certain precautions. Article 20 limits it to data relating to "debts that are confirmed and overdue, whose existence or amount hasn't been the object of an administrative or judicial claim by the debtor, and that aren't being resolved by alternative agreement between the two parties."

Through this same process, the creditor is required to inform the other party of what personal data might be given to the appropriate entities if they break their contract. This must be communicated before the contract is signed.

The entities that possess the data will be able to process and hold it during the time the contract is unfulfilled. This can continue for up to five years after the contract has been broken, at which point the data must be deleted.

The sixth additional provision of the law prohibits the inclusion of data in these files when the principal amount (without interest or penalties) is less than 50 euros, but the government is able to change the principal amount with a Royal Decree.

Heading V
Heading V refers to those responsible for and in charge of the processing of data. In contrast with the previous model based on compliance management, the current model established by the laws and regulations is one of active responsibility. Those responsible must evaluate a priori the data they wish to process and then adopt the necessary security measures for the processing to occur. There are also provisions related to the figure of the Data Protection Officer (DPO).

Heading VI
Heading VI regulates the international transfer of data.

Heading VII
Heading VII deals with the legal status of the Spanish Data Protection Agency as state control authority. Its Second Chapter regulates the power of the data protection authorities that can exist in the autonomous communities, whose power is limited to the data processing carried out by the autonomous public sector, and the obligation of the control authorities to cooperate with each other. In reality, such data protection authorities only exist in the autonomous communities of Catalonia, Basque Country, and Andalusia.

Heading VIII
Heading VIII regulates the procedures in the case of a possible violation of data protection regulations.

Heading IX
Heading IX regulates the punishment regime for violations of the law, which determines the responsible parties and establishes a catalog of violations classified as very serious, serious, or minor. The law refers to the General Data Protection Regulation with respect to the amount and level of responsibility for the punishments. The statute of limitations for offenses is also regulated.

As an exception, the second paragraph of article 77 of the law provides that when the responsible violators are organizations with constitutional relevance or public administrations, they can only be penalized with a warning. This rules out the possibility of economic punishments for these entities, as was the case with the previous Organic Law 15/1999 of December 13.

Heading X
Heading X of the law recognizes and guarantees a series of rights that the law refers to as "digital," such as net neutrality and universal access, the right to security and digital education, the right to be forgotten, the right of portability of digital data, and the digital will. It also regulates the right to digital disconnection in the context of labor relations.

Collection of personal data by political parties
The third-to-last provision of the law added a new article fifty-eight (a) to the Organic Law of the General Electoral Regime that permitted political parties to collect personal data related to political opinions in the context of their electoral activities. This could occur whenever such activities were carried out with “appropriate guarantees.” This was considered “protected by the public interest.” Similarly, it allowed political parties to “utilize personal data obtained on web pages and other publicly accessible sources to realize political activities during the electoral period” such as sending electoral propaganda electronically or through social media.

This article appeared to have protection in the Whereas Clause 56 of the General Data Protection Regulation, which provides that “if, in the context of electoral activities, the functioning of the democratic system demands that in a member state the political parties collect personal data about people's political opinion, the processing of this data can be authorized for reasons of public interest, as long as appropriate guarantees are offered.”

This provision caused deep concern in the legal sector because the aforementioned activities didn't require prior consent and apparently would allow the creation of databases of citizens on the basis of their political opinions. This creates profiles of individual people. According to certain sectors, this practice would have legalized the case of Cambridge Analytica in Spain. The Spanish Data Protection Agency has indicated that they believe the law doesn't permit the creation of ideological databases, nor the distribution of personalized information based on ideological or political profiles. The political party Unidos Podemos announced that it would present an appeal of unconstitutionality against said article on the understanding that it contradicted articles 16 and 18 of the Spanish Constitution. They ultimately never did. The Spanish Ombudsman presented an appeal of unconstitutionality against this provision. Said appeal was admitted for processing on March 12, 2019. On May 22, 2019, the plenary session of the Constitutional Court upheld said appeal and declared the precept unconstitutional and null by a consensus of twelve members.