THE GENERAL REGULATION OF THE PERSONAL DATA PROTECTION LAW WAS ISSUED
On November 6th, 2023, the President of the Republic issued the General Regulation of the Personal Data Protection Law (referred to as “LOPD”).
The Regulation implements the rules for the LOPD application, among whose provisions we highlight the following:
- The incorporation of definitions for the application of the Law, such as:
  - Family or domestic activities: Those carried out in an environment of friendship, kinship, or an inner circle, on private property, and which have no commercial purpose.
  - Large-scale processing: Processing of a large volume of data belonging to numerous data subjects in various geographical locations, which therefore represents a threat to their rights and freedoms.
- Data protection rights: Requests to exercise data subject rights must include a minimum of information that allows the controller to identify the data subject and their personal data. Once the request is complete, the controller will consider it.
- Security breach notification: If a data security breach occurs that represents a risk to personal data rights, the Controller must notify the Data Protection Authority and the Telecommunications Regulation and Control Agency. In addition, the data subject (holder of the data) must be notified with the same information.
- Data protection impact assessment: In order to determine whether a data protection impact assessment is required, the Controller may submit a query to the Data Protection Authority. In addition, the Regulation details the requirements for the assessment, which include the outline and purpose of the processing, the fulfillment of necessity and proportionality criteria, the risk evaluation, and the precautionary measures for data protection.
- Joint responsibility: If two or more data Controllers operate jointly (joint Controllers), they must conclude an agreement that delimits their respective obligations, which must be available to the Data Protection Authority as well as to the data subjects. Accordingly, a differentiated sanctioning regime is implemented according to the scope of each Controller's responsibilities.
- Record of activities: Controllers with 100 or more employees shall keep a record of the actions related to the processing activities under their responsibility. The Regulation establishes the requirements for such a record.
- Relationship between Controller and Processor: The relationship between the data Controller and its Processors must be established by means of a written contract, detailing the object, duration, nature, purpose, personal data category, identification of the data holders, and the obligations and guidelines related to the processing activities.
- Data Protection Officer (DPO): The DPO shall independently oversee compliance with the Controller's and Processor's obligations. Either an employment contract or a provision-of-services contract may be concluded with the DPO.
  The voluntary appointment of a DPO by Controllers or Processors that are not subject to mandatory appointment will be considered a good-practice mechanism.
- DPO for business groups: Business groups may appoint solely one DPO, provided that the activities can be carried out without any conflict of interest.
- International Transfer: The Data Protection Authority will determine the countries, organizations, and legal entities that have data protection standards equivalent to or higher than those established in the Law; international transfers to such countries, organizations, and entities will not require prior authorization.
  The Regulation establishes the requirements to be complied with for the transfer of data to countries that have not been qualified by the Data Protection Authority, as well as for the authorization of binding corporate rules.
  In addition, the following information shall be recorded in the National Data Protection Registry: the recipient's country, the data categories, the purpose of the transfer, the identification of the recipient, the transfer mechanisms, and the exception criteria, if applicable.
The Regulation will enter into force as from its publication in the Official Gazette.
Contacts: Hipatia Donoso (email@example.com), Ana Mogollón (firstname.lastname@example.org).
This publication contains information of general interest and does not constitute legal opinion on specific issues. Any analysis will require legal advice from the Firm.