Throughout 2019 two laws which were reformed at the end of 2018 – the Organic Law on Data Protection (LOPD) and the Trademark Law – will generate great changes in the technological world. Here we have a look at the changes of the Data Protection Law:
The law obliges now that images taken by video surveillance systems must be deleted 30 days after they have been captured. When using video surveillance systems in companies, the employees must be expressly and precisely informed.
Information systems for internal complaints:
The new LOPD specifically regulates, for the first time, information systems for internal complaints and establishes that their creation and maintenance will be allowed. Internal complaints can from now on also be made anonymously through the internal complaint channels. The data processing therefore are specifically regulated. However, after three months the “whistle-blower’s” information must be eliminated from the complaint system.
Regarding possible infractions, the LOPD refers to those already given in the RGPD. For serious infractions they amount up to max. 10 million Euros or, in case of a company, up to max. 2% of the annual turnover. For very serious infractions the sanctions amount up to max. 20 million Euros, or 4% of annual turnover in case of a company. However, to public administrations it does not pose any economic sanctions.
The Spanish regime of infractions is divided into:
Very serious: This type of infraction expires after 3 years. Those infractions are considered very serious that, among others, involve a substantial violation of the treatment and affect the use of the data for a purpose which is different from that announced, the omission of the duty to inform the user and an international transfer of personal data to countries with
a lower data protection level.
Serious: Serious infractions expire after 2 years. Serious infractions are, for example, not to be registered at the Spanish Agency for Data Protection (AEPD), to use the data in anotherform as for which they have been given, not to have the necessary consent of the user to collect his personal data, to deny users access to their data, not to maintain the data
records by not making the changes requested by the user, and not to comply with the principles of the LOPD. Furthermore, the lack of enough security in maintaining the files is considered as a serious infraction and if the company does not send to the AEPD the required notifications.
Mild: They will expire after one year and refer to cases such as, for example, not to have applied for the inscription of the file of the AEPD, not to inform when collecting personal data, not to attend users’ requests for rectification or cancellation of data or not to attend inquiries from the AEPD.
The user now can select what type of advertising he wants to receive. In addition to the general exclusions services, the companies have also the possibility to include systems of preference so that users can limit the reception of advertising in a more personalized way.
The new law obliges also to carry out an Impact Evaluation in Data Protection (Evaluación de Impacto en la Protección de Datos) of those treatments that may mean a significant risk for the rights of natural persons.