Personal Data Protection
Legal Protection of Personal Data
Organic Law 15/1999 of 13 December on the Protection of Personal Data (LOPD) is a Spanish Organic Law whose purpose is to guarantee and protect, with respect to the processing of personal data, the public freedoms and fundamental rights of natural persons, and especially their honor and their personal and family privacy.
Its main objective is to regulate the processing of personal data and files, regardless of the medium on which they are processed, the rights of citizens over them and the obligations of those who create or process them.
Normative Development:
- Royal Decree 994/1999 of June 11, 1999, on Security Measures for automated files containing personal data (RMS): a regulation that develops Organic Law 5/1992, of October 29, on the Regulation of the Automated Processing of Personal Data (LORTAD). It regulates the technical and organizational measures to be applied to information systems in which personal data are processed in an automated manner. (Repealed since April 19, 2010.)
- Royal Decree 1720/2007, of December 21, on the development of the Organic Law on Data Protection. This is a development of Organic Law 15/1999 on Data Protection of 13 December; it develops both the principles of the law and the security measures to be applied in information systems. It applies both to files on automated media and to files on any other type of medium.
Mandatory Nature of the Law:
This law obliges all persons, companies and organizations, both private and public, that hold personal data to comply with a series of requirements and to apply certain security measures depending on the type of data they hold.
Broadly speaking, the fundamental legal obligations are:
- Register the files with the Spanish Agency for Data Protection.
- Prepare and keep updated the Security Document.
- Obtain the legitimacy of those affected.
Control regime:
In general, the body that oversees compliance with data protection regulations within Spanish territory is the Spanish Data Protection Agency (AEPD). There are also other Data Protection Agencies at the autonomous-community level, in the Autonomous Communities of Madrid, Catalonia and the Basque Country.
The penalties are high: Spain is the European Union country with the highest data protection penalties.
These penalties depend on the offense committed.
- Light penalties range from €900 to €40,000.
- Severe penalties range from €40,001 to €300,000.
- Very serious penalties range from €300,001 to €600,000.
Despite these high amounts, many companies in Spain have not yet adapted to the law, have done so only partially, or do not periodically review their compliance; it is therefore essential to maintain and review that compliance.
In the public sector, this Law also regulates the use and management of information and files with personal data used by all public administrations.
Montelongo Asesores guarantees a quality service, in conditions of monitoring, commitment and confidentiality in accordance with the new times and the new forms of management.
Our LOPD service consists of comprehensive, quality advice to resolve legal deficiencies as well as those affecting technical and organizational aspects, defining the Data Protection policy that should govern the client's activity and including the protective measures that will help avoid any type of incident.
Services we provide include:
- Initial diagnosis of compliance with the LOPD.
- Registration of the files with the Spanish Agency for Data Protection.
- Preparation of the security document and annexes.
- Preparation of legal notices and mandatory texts.
- Drafting of confidentiality contracts with external suppliers.
- Drafting of clauses for employees' employment contracts.
- Confidentiality clauses for employees and collaborators.
- Informative circulars for employees.
- Drafting of the privacy policy for Web pages.
- Tutorial sheet with a brief explanation of the Documentation.
- Continuous advice to the person responsible for data protection.
- Legal advice.
- Replies to requirements issued by the Data Protection Agency.
- Defense in sanction proceedings brought by the Data Protection Agency.