DATA PROTECTION GUIDE

Personal data protection guide

This guide aims to help you understand the current law, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016. It sets out citizens' data protection rights in the EU. It also takes into account the rights established by Ley Orgánica 3/2018 of 5 December 2018.

DEVELOPMENT AND PRESENT SITUATION

Some years ago, before the massive use of the Internet and computing, the information stored by companies, such as personal data, was limited. Files consisted of address, ID number, marital status and telephone number.

Step by step, public administrations and private companies added more and more information to their files: bank details, credit card details, email, health information and lifestyle.

In recent years, the incorporation of data into this kind of file has been massive. New tools to process these data and new technologies have been a true revolution in our society. We often give more information than is required. As a result, they can know all our interests, family situation, work situation… So it has been necessary to develop a new European Regulation to limit this activity, especially to establish civil and criminal liability.

ADAPTATION AND SAFE HARBOR

The development of new technologies made it necessary to update European Regulation 46/1995 of 24/11/1995 with a new Regulation and a law, Ley Orgánica 3/2015 of 5th December, on Data Protection.

These new limitations were not well accepted by some US companies, which wanted self-regulation of data protection. Some of them, like Facebook, Google or Apple, were never comfortable with this kind of limitation. In spite of this, they offered their services to EU members.

To avoid this control, they joined the SAFE HARBOR agreement. It meant that the company received a “presumption of adaptation” to avoid the limits of the European Regulation.

Fortunately, on 6 October 2015 the EU Court found SAFE HARBOR invalid, so the companies had to protect users' rights and adapt their services to the new regulation.

PURPOSE OF EUROPEAN REGULATION AND SPANISH LAW

The purpose of Regulation 46/1995 of 24/11/1995, the Regulation of the European Parliament and of the Council of 27 April 2016 and Spanish Law 3/2018 of 5 December 2018 is:

  • To protect personal data.
  • To protect human rights.
  • To control the information about personal data.

The laws were created because companies store too much information. These laws come late, but the speed of technology makes it difficult to foresee such situations.

EU members have new laws to protect data and to make companies inform people in advance about the data they store. The laws also make companies use the information properly, respect the law and keep the files they manage safe.

File managers have to give clear information, before and after collecting personal data. They also have to inform if the information is at risk.

SPECIAL SITUATIONS

Children have special protection. Processing is lawful when consent is given by the legal guardian. The legal guardian's consent has to be clear.

Some personal data must never be processed: ethnic, political, religious, sexual or genetic details. There can be an exception when there is explicit consent:

  • To be affiliated to some services.
  • To protect people's vital interests.

Special attention is given to the medical data needed to evaluate work capacity, medical diagnosis, etc. Workers know the results of their medical tests, but the company cannot access them. The only result the company shall know is whether or not the worker can carry out the job properly.

People have to know:

  • Who the owner of the file is.
  • Which data are stored.
  • What the purpose of the file is.
  • Who the possible recipients are.
  • How long the data are going to be stored.

If the data are collected without people's authorization, they can exercise their right to know where the data come from.

The person concerned always has the right to correct inaccurate data and to have them deleted.

CONTROL AUTHORITY

In Spain it has been necessary to create a supervisory authority: AGENCIA DE PROTECCIÓN DE DATOS ESPAÑOLA. The agency watches over respect for and compliance with those laws. To ensure this compliance, it has been necessary to create penalty rules.

Companies have to define who is responsible for the files and what their liability is.

The Regulation sets 3 levels to classify infringements: mild, serious and very serious. The limitation periods are:

  • 3 years for “Very Serious” penalties.
  • 2 years for “Serious” penalties.
  • 1 year for “Mild” penalties.

Those responsible for the files have to keep all the registered data safe. Non-compliance with the law carries a penalty of up to 20.000.000 € or 4% of turnover.

Big companies have been sentenced to penalties in the millions because they misused information. Small companies are also sentenced because they send emails to clients in breach of their rights, as you can check in this link.

RIGHT TO BE FORGOTTEN.

A novelty of this law is the right to be forgotten. Citizens can request the deletion of obsolete or inaccurate information, even if it was true. It is never easy. The right to information often prevails over personal rights, especially in the case of famous and public persons.

We can also invoke the right to be forgotten when the data have been collected by illicit means or without authorization.

PERSONAL DATA IN A COMPANY.

In general, companies can collect the data required to carry out their activity. They can do so as long as the worker's privacy is not invaded.

The first hot point is the collection of images from work areas or work vehicles. This practice is usually allowed if the cameras respect the rules of the Agencia de Protección de Datos. Recordings have to be justified and must not invade the workers' privacy. These recordings must not capture sound, and cameras cannot be installed in toilets or rest areas.

Nowadays, geolocation is very important to companies. Devices installed in work vehicles can collect movement information. This is reasonable if these data are necessary to carry out activities. Devices must never capture sound.

The installation of cameras or geolocation devices has to be notified in advance. It is illegal to have a hidden system without prior information.

SECURITY AND SURVEILLANCE CAMERAS.

The Agencia Española de Protección de Datos has an easy and practical guide with everything you need to know to install security cameras. You can take a look at this link.

Under the new regulations, you don't have to register the installation with the Agencia Española de Protección de Datos. Registration has been replaced by a record with the details of the responsible party and the activities. It has to be available to the authorities on request.

Security cameras have to be indicated at the entrances. That way, affected people always know that there are cameras working when they see the information panel. This panel has to give the details of the party responsible for the file.

Storage of these images must not exceed 30 days, except for images collected by the Police that are necessary for investigations.

If people want to access the installation, the responsible party has to make a record of the person who requests access, with a photo of them. The responsible party never gives access to images of other persons.

Some companies or public departments are obliged to install a surveillance system, for example electricity or water supply companies, the banking sector, jewellery shops or security companies. They have to obey the sector regulations.

Communities can install security cameras in private areas. They have to limit the recordings to access areas, public streets. These images cannot be shown on communal channels.