The Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights enters into force

On December 7, 2018, Organic Law 3/2018, of December 5, on Data Protection and Guarantee of Digital Rights came into force in Spain. The new Law adapts the EU GDPR to Spanish legislation and repeals the previous Organic Law 15/1999.

The Law introduces several new provisions and makes it easier for citizens to exercise their rights by requiring that easily accessible means be used.

The main change introduced by the Law is the shift from a model based on compliance control to one based on the principle of active responsibility, which requires the controller or the processor to assess in advance the risk generated by the processing of personal data in order to adopt appropriate measures.

It regulates the way in which people should be informed about the processing of their data on the Internet, requiring a layered information system that allows citizens to learn about the processing of their data in a clear and simple way, with the rest of the information accessible through a link.

The rights of access and, where appropriate, rectification or erasure are specifically recognized for those who have ties with deceased persons for family or de facto reasons, and for their heirs, unless the deceased had prohibited it.

With regard to minors, consent can be given from the age of 14, unless a law requires the assistance of the holders of parental authority or guardianship. Minors will also have the right to request the deletion of data provided to social networks or other information society services by the minor himself or by third parties.

The guarantee of digital rights is expressly regulated, including the right to digital education, the right to digital disconnection, the right to be forgotten, and the right to privacy in different areas, such as the use of video surveillance and sound recording devices in the workplace, the use of digital devices made available to employees, or the use of geolocation systems in the workplace, among others.

It will also be possible to create internal complaint systems through which a private entity can be informed, even anonymously, of acts contrary to the regulations committed within it or in the actions of third parties that contract with it. Through this system, companies could be exempt from criminal liability for their actions.

It also includes the regulation of credit information systems (the so-called delinquent files), reducing the maximum period for the inclusion of debts from 6 to 5 years and requiring a minimum amount of 50 euros for debts to be incorporated into these systems.

In addition, the Unfair Competition Law is amended to regulate as aggressive practices those that try to usurp the identity or functions of the Data Protection Agency and those related to the advice known as ‘zero-cost adaptation’, in order to limit the provision of very poor quality advice to companies.