In a nutshell, the Privacy Act:
- sets the age of children to validly consent to information society services at 13 (Article 7, Privacy Act);
- provides a comprehensive list of the processing activities considered as “processing necessary for reasons of substantial public interest” (Article 8(1), Privacy Act);
- requires that the controller, when processing genetic data, biometric data and data concerning health, lists the categories of persons having access to those personal data (Article 9, Privacy Act);
- specifies an exhaustive list of the cases in which the processing of data relating to criminal convictions and offences is authorised (Article 10, Privacy Act);
- sets out some of the derogations from, and exemptions to, the rights of data subjects that Article 23 GDPR permits Member States to adopt (Articles 11-17, Privacy Act);
- provides derogations and exemptions for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes (Article 24, Privacy Act);
- introduces the possibility to seek an injunction (“action en cessation”; “vordering tot staking”) in summary proceedings before the president of the Court of First Instance in case of a violation of the GDPR or the Privacy Act (Article 209, Privacy Act);
- provides for administrative fines (except against public sector entities) and criminal sanctions for violations of the GDPR or the Privacy Act (Articles 221-230, Privacy Act).
According to the CDLP, the processing of all data shall be carried out:
- In a manner consistent with the law;
- For the purposes permitted by the legal system; and
- With attention to the full exercise of the fundamental rights of the data subject.
Consent of the data subject: Article 4 of the law establishes that the processing of personal data is permitted only when the law authorises it or when the data subject expressly consents to or authorises it. However, the law does not define what the “authorisation” or “consent” of the data subject means or entails.
Quality: Article 6 of the law establishes that personal data will be: destroyed or cancelled when the purpose of its storage has no legal basis or has expired; modified when it is inaccurate, inexact, misleading or incomplete; and blocked when it cannot be destroyed or cancelled and its accuracy cannot be established or its validity is doubtful.
Confidentiality: Article 7 of the law establishes that people who work in the processing of personal data, in both the private and the public sector, must maintain confidentiality when the data comes from sources not accessible to the public, as well as with respect to other data and information related to the data bank; this obligation does not cease when their functions or activities in that field end.
Purpose: Personal data will be used only for the purposes for which it was collected, unless it was obtained from sources accessible to the public (Article 9 of the law).
Sensitive personal data: Article 10 of the law prescribes that sensitive personal data, defined as any information regarding the physical or moral characteristics of an individual or facts or circumstances of his private life, such as personal habits, racial or ethnic origin, ideologies and political opinions, religious beliefs or convictions, physical or mental health and sexual life, cannot be processed unless:
- The law authorises it;
- The data subject expressly accepts said processing;
- Such data is necessary to establish or grant health benefits that pertain to the respective data subject.
Data security: Article 11 of the law establishes that those responsible for registries or personal data must “take care of them with due diligence” and are liable for damages.