Royal Decree-Law 5/2018 of 27 July on Urgent Measures to Adapt Spanish Law to EU Data Protection Regulations

Go to content

Consult the Official State Gazette (BOE)

You are at

Home

BOE

Document BOE-A-2018-10751

previous

next

Document BOE-A-2018-10751

Royal Decree-Law 5/2018, of 27 July, on urgent measures to adapt Spanish law to European Union regulations on data protection. View consolidated text

[Repealed Provision]

Published in:

« BOE » No. 183, of 30 July 2018, pages 76249 to 76257 (9 pages)

Section:

I. General Provisions

Department:

Head of State

Reference:

BOE-A-2018-10751

Permalink ELI:

https://www.boe.es/eli/es/rdl/2018/07/27/5

Other formats:

PDF

EPUB

XML

Co-official languages:

PDF català

PDF galego

PDF euskera

Text

ORIGINAL TEXT

I

Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation), has been fully applicable in Spain since 25 May last.

The General Data Protection Regulation entails a profound modification of the current regime regarding personal data protection, not only from the substantive and compliance perspective of obligated subjects, but particularly regarding the supervisory activity by control authorities regulated therein.

Furthermore, the full application of the General Data Protection Regulation implies that those provisions of internal law which are not in conformity with the regime established by it must be considered displaced. This would be the case with many of the provisions of Organic Law 15/1999, of 13 December, on the Protection of Personal Data, and its implementing regulation, approved by Royal Decree 1720/2007, of 21 December.

On the other hand, numerous provisions of the European regulation refer to their development, mandatory or optional, by Member States, containing a total of fifty-six references to national legal systems. Among these references, the regulation imposes on Member States, among other matters, the regulation of the status of control authorities, the determination of the regime applicable to inspectors from a third country carrying out joint investigation activities, and the designation of the authority that will represent the Member State in the European Data Protection Board.

Other provisions of the General Data Protection Regulation require an adaptation of internal law, even when there is no direct and express reference to it. Thus, although the European regulation establishes a sanctioning regime that typifies specific conduct, it does not regulate such essential issues as the limitation periods for such infringements, considering that this matter corresponds to the legal systems of the Member States. Similarly, it establishes a cooperation procedure between Member States in cases of processing referred to as cross-border, with the participation of all involved authorities, but does not regulate how the internal law of States must be affected as a consequence of the procedures provided for in the European rule itself for these procedures.

The need to adapt the internal normative framework to the General Data Protection Regulation led to the approval by the Council of Ministers in its session of 10 November 2017 of a draft organic law, referred to the General Courts, which is currently undergoing parliamentary processing.

Taking the above into account, and without prejudice to the fact that the aspects constituting the essential content of the fundamental right to the protection of personal data must be incorporated into an organic law, it is no less true that in certain matters that are not subject to organic law reservation, it is imperative to adopt urgently a norm with the rank of law that allows the adaptation of Spanish law to the General Data Protection Regulation. In other words, the object of this royal decree-law is limited to the adaptation of our legal system to the European regulation in those specific aspects that, without organic rank, do not admit delay and must be understood without prejudice to the need for organic data protection legislation that ensures the full adaptation of internal regulations to the standards set in the matter by the European Union through a directly applicable provision.

II

The royal decree-law comprises fourteen articles structured in three chapters, two additional provisions, two transitional provisions, one repealing provision, and one final provision. Its content affects only issues whose immediate incorporation into internal law is essential for the adequate application in Spain of the General Data Protection Regulation and which are not excluded from the scope of the urgent legislator by Article 86 of the Spanish Constitution.

Chapter I addresses the need to identify the competent personnel to exercise the investigative powers that the General Data Protection Regulation grants in its Article 58.1 to control authorities. This requires that internal law regulate how these powers may be exercised, which persons will carry out the inspection and investigation activity, and what these attributions expressly established in the European regulation consist of from the perspective of the Spanish legal system. Likewise, and in application of Article 62.3 of the General Data Protection Regulation, it is necessary to determine the regime applicable to the personnel of control authorities from other Member States participating in joint investigation actions.

Chapter II articulates the novel sanctioning regime established in the General Data Protection Regulation, replacing the infringing types currently contained in Organic Law 15/1999 with the reference to those established in paragraphs 4, 5, and 6 of Article 83 of said regulation, which is absolutely necessary. Furthermore, there are two issues on which the adoption of provisions by internal law is inescapable to guarantee the effectiveness of this sanctioning regime and legal certainty in its application. The first refers to the necessary delimitation of the subjects who might incur liability derived from the application of said sanctioning regime. The second is of even greater importance and refers to the need to determine the limitation periods for the infringements and sanctions provided for in the European norm.

Chapter III contains the regulation of the procedure in case of a possible violation of the General Data Protection Regulation. In this regard, it is necessary to take into account that the regulation practically distinguishes three types of processing to which different procedural rules would apply: cross-border processing, defined by Article 4.23 of the General Data Protection Regulation; cross-border processing with local relevance in a Member State, referred to in Article 56 of the same; and those that would have the status of exclusively national, among which are those provided for in Article 55 of the European norm. The European regulation provides for a series of specific procedures for the first two cases, including those necessary to determine the competence of the lead control authority, as well as those that allow for the adoption of a consensus decision between the lead authority and the interested parties in the procedure. In these cases, European regulation establishes the obligation for the lead authority to submit the various draft decisions to the other authorities, which will have fixed time limits to issue "relevant reasoned observations," and provides for the submission of the resolution to the European Data Protection Board in case no agreement is reached among all of them.

These provisions must be transferred to the norms regulating the procedure in case a complaint is filed with the Spanish Data Protection Agency, as well as in cases where, without having received a complaint, it has the status of lead authority regarding a complaint received in another Member State or considers that it must intervene as an interested party in a procedure already opened.

All of this imposes the need to incorporate specific phases into the procedure, such as the acceptance for processing of complaints or the possibility of provisional archiving of the file in cases where the Spanish Data Protection Agency does not process the complaint but may have to rule on it. In particular, it is indispensable to include in the procedural norms their suspension in cases where it is appropriate to request the opinion of authorities from other Member States for the entire time provided for its obtaining, given that otherwise there is a very high probability of the expiration of the procedures, with the negative consequences this entails not only for the applicability in Spain of data protection rules, but for the guarantee of the fundamental right of European citizens as a whole in cases where the Spanish Data Protection Agency has the status of lead control authority.

In short, this last chapter aims to make possible the application of the specialities of the procedural regime of the General Data Protection Regulation, in a context where, although the European norm is directly applicable, procedures of special significance have already been launched under the auspices of this regime.

Finally, in compliance with Article 68.4 of the General Data Protection Regulation, the first additional provision designates the Spanish Data Protection Agency as the representative of Spain in the European Board, which will inform autonomous authorities about decisions adopted in said Union body and will request their opinion when matters within their competence are involved. On its part, the second additional provision contains provisions regarding the publicity of the resolutions of the Spanish Data Protection Agency, in order to guarantee the transparency of its action, before the new procedural framework configured by the General Data Protection Regulation.

Consequently, in view of the facts described, the extraordinary and urgent need for this royal decree-law is fully justified. Given the full application of the General Data Protection Regulation since 25 May 2018, until the complete adaptation of our legal system to it, which will only be possible through new organic legislation, it is inescapable to adopt a provision with the rank of law that allows the adaptation of Spanish law in several matters to the European Union regulations on data protection, to effectively guarantee the right under Article 18.4 of the Constitution within a framework of legal certainty. In coherence with this, the validity of this royal decree-law is limited to the period between the day following its publication in the Official State Gazette and the entry into force of the new organic law that is undergoing parliamentary processing.

Furthermore, this royal decree-law does not affect the organization of the basic institutions of the State, the rights, duties, and freedoms of citizens regulated in Title I of the Constitution, the regime of the Autonomous Communities, nor general electoral law.

In short, from all the above, it results that, in this case, the royal decree-law represents a constitutionally lawful instrument, insofar as it is pertinent and adequate for achieving the end that justifies urgent legislation, which is none other, as our Constitutional Court has repeatedly required, to address a concrete situation, within governmental objectives, that for reasons difficult to foresee requires immediate normative action in a shorter timeframe than that required by the normal route or by the urgent procedure for the parliamentary processing of Laws.

Therefore, in the entirety and in each of the measures adopted, the circumstances of extraordinary and urgent need required by Article 86 of the Spanish Constitution as enabling prerequisites for the approval of a royal decree-law concur, by their nature and purpose.

By virtue thereof, in use of the authorization contained in Article 86 of the Spanish Constitution, upon proposal of the Minister of Justice, after deliberation by the Council of Ministers in its meeting of 27 July 2018,

I HEREBY ORDER:

CHAPTER I

Inspection in matters of data protection

Article 1. Scope and competent personnel for the exercise of the Spanish Data Protection Agency's investigative activity.

1. The investigative activity of the Spanish Data Protection Agency shall be carried out by officials of the Agency or by officials external to it expressly authorized by its Director.

2. In cases of joint investigation actions in accordance with Article 62 of Regulation (EU) 2016/679, personnel from control authorities of other Member States of the European Union collaborating with the Agency shall exercise their powers in accordance with Spanish regulations and under the guidance and presence of its personnel.

3. Officials carrying out investigative activities shall have the status of authority agents in the exercise of their functions, and shall be obligated to keep secret the information they become aware of during such exercise, even after having ceased in it.

Article 2. Scope of the investigative activity.

Those carrying out the investigative activity may request the information necessary to fulfill their functions, conduct inspections, require the exhibition or sending of necessary documents and data, examine them in the place where they are deposited or where the processing takes place, obtain copies of them, inspect physical and logical equipment, and require the execution of processing and programs or management and support procedures for processing subject to investigation. The powers of investigation regarding entry into dwellings must be exercised in accordance with procedural rules, particularly in cases where prior judicial authorization is required. When dealing with judicial bodies or Judicial Offices, the exercise of inspection powers shall be carried out through and by mediation of the General Council of the Judiciary.

CHAPTER II

Sanctioning regime in matters of data protection

Article 3. Responsible subjects.

1. The following are subject to the sanctioning regime established in Regulation (EU) 2016/679 and Spanish data protection regulations:

a) Data controllers.

b) Data processors.

c) Representatives of controllers or processors not established in the territory of the European Union.

d) Certification bodies.

e) Accredited bodies supervising codes of conduct.

2. The sanctioning regime in this matter shall not apply to the Data Protection Officer.

Article 4. Infringements.

Infringements constitute violations of Regulation (EU) 2016/679 referred to in paragraphs 4, 5, and 6 of its Article 83.

Article 5. Limitation of infringements.

1. The infringements provided for in paragraphs 5 and 6 of Article 83 of Regulation (EU) 2016/679 shall prescribe after three years.

2. The infringements provided for in Article 83.4 of Regulation (EU) 2016/679 shall prescribe after two years.

3. The limitation period shall be interrupted by the initiation, with knowledge of the interested party, of the sanctioning procedure, and the limitation period shall restart if the sanctioning file is paralyzed for more than six months for reasons not attributable to the alleged infringer.

When the Spanish Data Protection Agency holds the status of lead control authority and the procedure provided for in Article 60 of Regulation (EU) 2016/679 must be followed, the limitation period shall be interrupted by the formal knowledge by the interested party of the draft agreement on the initiation of the procedure that is submitted to the interested control authorities.

Article 6. Limitation of sanctions.

1. Sanctions imposed in application of Regulation (EU) 2016/679 prescribe within the following timeframes:

a) Sanctions of an amount equal to or less than 40,000 euros prescribe within one year.

b) Sanctions of an amount between 40,001 and 300,000 euros prescribe after two years.

c) Sanctions of an amount greater than 300,000 euros prescribe after three years.

2. The limitation period for sanctions shall begin to run from the day following that on which the resolution imposing the sanction becomes enforceable or the time limit to appeal it has elapsed.

3. The limitation shall be interrupted by the initiation, with knowledge of the interested party, of the enforcement procedure, and the period shall resume if the same is paralyzed for more than six months for a cause not attributable to the infringer.

CHAPTER III

Procedures in case of possible violation of data protection regulations

Article 7. Legal regime.

1. The provisions of this chapter shall apply to procedures processed by the Spanish Data Protection Agency in cases where a data subject claims that their request to exercise the rights recognized in Articles 15 to 22 of Regulation (EU) 2016/679 has not been attended, as well as in cases where the Agency investigates the existence of a possible violation of the provisions of said regulation and Spanish data protection regulations.

2. Procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, Spanish data protection regulations, and, to the extent they do not contradict them, subsidiarily, by the general rules on administrative procedures.

Article 8. Form of initiation of the procedure and duration.

1. When the procedure refers exclusively to the failure to attend a request to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, it shall be initiated by an agreement to accept for processing, which shall be adopted in accordance with the provisions of the following article.

In this case, the time limit to resolve the procedure shall be six months from the date on which the agreement to accept for processing was notified to the complainant. Upon expiration of this period, the interested party may consider their complaint upheld.

2. When the procedure aims to determine the possible existence of a violation of the provisions of Regulation (EU) 2016/679 and Spanish data protection regulations, it shall be initiated by an agreement of initiation adopted ex officio or as a consequence of a complaint.

If the procedure is based on a complaint filed with the Spanish Data Protection Agency, beforehand, the Agency shall decide on its acceptance for processing, in accordance with the provisions of the following article.

When the rules established in Article 60 of Regulation (EU) 2016/679 are applicable, the procedure shall be initiated by the adoption of the draft agreement on the initiation of the sanctioning procedure, of which formal knowledge shall be given to the interested party for the purposes provided for in Article 5 of this royal decree-law.

Once the complaint is accepted for processing, as well as in cases where the Spanish Data Protection Agency acts ex officio, prior to the agreement of initiation, there may be a phase of preliminary investigative actions, which shall be governed by the provisions of Article 11 of this royal decree-law.

The procedure shall have a maximum duration of nine months from the date of the agreement of initiation or, where applicable, the draft agreement of initiation. Upon expiration of this period, it shall expire, and consequently, the archiving of actions.

3. The procedure may also be processed as a consequence of communication to the Spanish Data Protection Agency by the control authority of another Member State of the European Union of the complaint filed before it, when the Spanish Data Protection Agency has the status of lead control authority for the processing of a procedure in accordance with Articles 56 and 60 of Regulation (EU) 2016/679. In this case, the provisions of paragraph 1 and the first, third, fourth, and fifth paragraphs of paragraph 2 shall apply.

4. The processing timeframes established in this article, as well as those for acceptance for processing regulated by paragraph 5 of the following article and the duration of preliminary investigative actions provided for in Article 11.2 of this royal decree-law, shall be automatically suspended when information, consultation, request for assistance, or mandatory opinion must be requested from a body or organism of the European Union or from one or more control authorities of Member States in accordance with Regulation (EU) 2016/679, for the time elapsed between the request and the notification of the opinion to the Spanish Data Protection Agency.

Article 9. Acceptance for processing of complaints.

1. When a complaint is filed with the Spanish Data Protection Agency, it must evaluate its admissibility for processing, in accordance with the provisions of this article.

2. The Spanish Data Protection Agency shall reject complaints filed when they do not concern matters of personal data protection, manifestly lack merit, are abusive, or do not provide rational indications of the existence of an infringement.

3. Likewise, the Spanish Data Protection Agency may reject the complaint when the controller or processor, after a warning issued by the Agency, has adopted corrective measures aimed at ending the possible non-compliance with data protection legislation and any of the following circumstances concur:

a) That no damage has been caused to the data subject.

b) That the right of the data subject is fully guaranteed through the application of the measures.

4. Before ruling on the acceptance for processing of the complaint, the Spanish Data Protection Agency may refer the same to the Data Protection Officer who may have been designated by the controller or processor, or to the supervisory body established for the application of codes of conduct, in order for them to respond to the complaint within one month.

The Spanish Data Protection Agency may also refer the complaint to the controller or processor when no Data Protection Officer has been designated nor adhered to extrajudicial conflict resolution mechanisms, in which case the controller or processor must respond to the complaint also within one month.

5. The decision on the acceptance