The new Constitutional Law on the Protection of Personal Data and Guarantee of Digital Rights

7 December 2018

The new Constitutional Law 3/2018, 0f 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (“LOPDGDD” in its Spanish acronym) was published yesterday in the Spanish Official State Gazette (BOE).

The LOPDGDD complements the General Data Protection Regulation (GDPR) and enshrines a new heritage of digital rights for all citizens. Despite being a rule with a vocation of complementarity, its provisions are of enormous importance and affect all sectors of activity transversally.

Among its main developments we would highlight the following:

1. It sets the minimum age for consent in 14 years, giving continuity to the rule arising from the already partially repealed Constitutional Law 15/1999, of 13 December 1999, on the protection of personal data.
2. It allows the different legal authorisations currently contained in health and insurance legislation to be safeguarded for the processing of health data. It even allows an extensive interpretation of the same (for example, in the field of biomedical research).
3. It regulates the possibility of providing information to data subjects in layers and establishes the minimum information to be provided in a first layer, both when personal data are obtained directly from data subjects and when they are obtained from third parties.
4. It establishes a series of rebuttable presumptions of prevalence of the legitimate interest of the controller (when processing contact details of individual entrepreneurs and liberal professionals, in relation to credit information systems, in the context of restructuring operations, video-surveillance systems, advertising exclusion systems, complaint management systems, among others).
5. It establishes the possibility for the data subject to be represented for exercising the rights of access and other rights contained in articles 15 to 22 of the RGPD.
6. It restricts the possibility of processing special categories of data with the main purpose of identifying the ideology, union membership, religion, sexual orientation, beliefs or racial or ethnic origin of the interested party.
7. It regulates the locking of data.
8. It identifies specific cases where it will be necessary to appoint a Data Protection Officer and his/her liability regime and responsibilities.
9. It establishes the applicable sanctioning regime and repeals Royal Decree-Law 5/2018, with express reference to a particular (novel) infringement considered to be very serious: the deliberate reversal of a process of data anonymisation to allow the re-identification of data subjects.
10. It regulates the right to digital disconnection in the workplace in order to guarantee respect for workers' rest, permits and holidays.
11. It establishes the right to privacy against the use of video-surveillance and sound recording devices in the workplace.
12. It includes the right of digital rectification, through the publication of an explanatory notice that shows that the original news does not reflect the current situation of the individual.
13. It regulates the right to a virtual will (testament).
14. It modifies Constitutional Law 5/1985, of 19 June 1985, on the General Electoral System, to allow political parties to collect personal data related to the political opinions of citizens.

Please do not hesitate to contact our TMC department to resolve any questions you may have regarding this new standard.

The comments included do not constitute professional opinions or any form of legal advice. If you wish to receive our CMS publications and newsletters, please subscribe here.