2021-05-27
The Spanish State enacted Organic Law 7/2021 to transpose EU Directive 2016/680, establishing a comprehensive legal framework for the processing of personal data by competent authorities for criminal prevention, investigation, and prosecution. The law defines specific competent authorities, such as police and judicial bodies, and mandates strict adherence to data protection principles, including purpose limitation, data minimization, and enhanced safeguards for special categories of data. It further regulates the exercise of data subject rights, imposes active responsibility and security obligations on data controllers, and sets rigorous conditions for international data transfers to ensure consistent protection standards across the European Union.
OFFICIAL BULLETIN OF THE STATE No. 126, Thursday 27 May 2021, Sec. I, Page 64103
I. GENERAL PROVISIONS
THE HEAD OF STATE
8806 Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of preventing, detecting, investigating and prosecuting criminal offences and the execution of criminal penalties.
FELIPE VI KING OF SPAIN
To all who shall see and understand this. Know ye: That the General Courts have approved and I hereby sanction the following organic law:
PREAMBLE
I
The European Union is a space in which the standards and guarantees of protection of the rights of natural persons to the protection of personal data are at the international forefront and constitute a global reference. The rapid technological development, especially of the Internet, as well as the growing globalization of the world and European economies, have made it essential to address the reform of the legal framework for data protection, with a view to consolidating and even improving this high level of protection through the creation of a new legislative framework, adapted to the changing reality, while at the same time being solid, coherent and comprehensive. In short, a normative environment for a globalized and digital world.
In this sense, the European Commission Communication "A global approach to personal data protection in the European Union", of 4 November 2010, preceded by an intense period of consultations for more than two years with the Member States, the general public, as well as with the various sectors affected, laid the foundations for what would be this new normative perspective.
The resulting normative framework consists, mainly, of two instruments: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (General Data Protection Regulation), which replaces a rule in force for more than twenty years, and Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data by the competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.
In our legal system, Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights, adapted the General Data Protection Regulation, with regard to the processing of personal data and the free movement of such data.
II
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016, the subject of transposition by this Organic Law, repeals Framework Decision 2008/977/JHA of the Council of 27 November 2008 on the protection of personal data processed in the context of police and judicial cooperation in criminal matters, which had been superseded for several reasons.
Firstly, it was a rule prior to the Treaty of Lisbon that required its appropriate adaptation to the new Treaties, in particular, to Article 16 of the Treaty on the Functioning of the European Union, which requires that the Council and the European Parliament, through the ordinary legislative procedure, regulate the protection of personal data.
Secondly, the framework decision was adopted in accordance with the pillar structure of the European Union, prior to the Treaty of Lisbon, and therefore had a scope of application limited exclusively to the processing of personal data of a cross-border nature between Member States, not therefore reaching processing of a strictly national nature.
Likewise, it granted a very wide margin of manoeuvre to Member States, without ensuring a minimum level of harmonization desirable in certain areas, such as the recognition in all States of the right of access of data subjects to their own data, the principle of processing data for specific purposes or the conditions for international transfers.
In short, the fragmentation and complexity of the regulation in this field harmed the necessary confidence between the actors of police and judicial cooperation in criminal matters in Europe, who showed mistrust in sharing information, among other reasons, due to the absence of a minimum harmonization regarding the protection of personal data; data that are essential in the field of operational cooperation.
III
Directive (EU) 2016/680 of the European Parliament and of the Council of 27 April 2016 remedies these deficiencies, extending its scope of application to the national processing of personal data in the space of police and judicial criminal cooperation. It also addresses other shortcomings of the previous European legislation, as it includes the regulation of genetic data (which the European Court of Human Rights had called for), the distinction between personal data according to their degree of accuracy and reliability, and the differentiation between different categories of data subjects.
It is pertinent to highlight that the aforementioned directive, transposed by this Organic Law, was adopted in response to the growing threats to security in the national and international context, which, in numerous cases, have a cross-border component. For this reason, international cooperation and the transmission of personal information between the police and judicial services of the countries involved become an inescapable objective. Indeed, the terrorist attacks in New York in 2001 marked a turning point in the need to strengthen judicial and police cooperation in the fight against terrorism, as would be demonstrated again on the occasion of the attacks in Brussels and Nice in 2016.
Cooperation aimed at sharing operational information in a timely manner has become a requirement for effectiveness in the prevention and fight against this type of threat. All this, taking into account the state of the art, which currently allows for large-scale data processing in the field of security.
This exchange of information must, in any case, be carried out in such a way as to guarantee democratic principles and the security of persons throughout the processing phases.
Consequently, this Organic Law assumes the purpose of achieving a high level of protection of the rights of citizens, in general, and of their personal data, in particular, which is comparable to that of the other Member States of the European Union, incorporating and specifying the rules established by the directive.
In this sense, the Spanish Constitution was a precursor to the recognition and defense of the fundamental right to the protection of personal data. Thus, Article 18.4 of our fundamental law provides that the law shall limit the use of informatics to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights. The Constitutional Court, in repeated jurisprudence, understands data protection as a fundamental right that guarantees every person the capacity to control the use and destination of their data, with the purpose of avoiding the illicit or harmful traffic of the same or a use for purposes other than those that justified their obtaining.
For all these reasons, the transposition of this directive by Member States entails the establishment of a consistent legal framework, which provides the necessary legal certainty to facilitate police and judicial criminal cooperation and, therefore, greater effectiveness in the performance of their functions by the Security Forces and Corps and by our criminal justice system as a whole, including the penitentiary system.
IV
This Organic Law consists of sixty-five articles structured in eight chapters, five additional provisions, one transitional provision, one repealing provision and twelve final provisions.
Chapter I, relating to general provisions, defines the object of the Organic Law, understood as the regulation of the processing of personal data for the purposes of preventing, detecting, investigating and prosecuting criminal offences and the execution of criminal penalties, including protection and prevention against threats to public security, when such processing is carried out by the bodies that, for the purposes of this Organic Law, have the status of competent authorities.
The main purpose is that the data are processed by these competent authorities in such a way that the purposes provided for are fulfilled while establishing the highest standards of protection of the fundamental rights and freedoms of citizens, so that what is provided for in Article 8(1) of the Charter of Fundamental Rights of the European Union, as well as in Article 16(1) of the Treaty on the Functioning of the European Union and Article 18.4 of the Constitution is complied with.
Likewise, in correspondence with what is provided in Article 22.6 of Organic Law 3/2018, of 5 December, when the processing of personal data is carried out for any of the purposes established in this Organic Law and comes from the images and sounds obtained through the use of cameras and video cameras by the Security Forces and Corps, or is carried out by the bodies competent for surveillance and control in penitentiary centers or for the control, regulation, surveillance and discipline of traffic, such processing shall be governed by the provisions of this Organic Law, complemented, insofar as it is not contrary to its content, by the current legislation regulating these areas. In this way, a new system is established that revolves around the obligations of the data controllers and the different missions assigned to them.
Although the data of deceased persons are in general excluded, some specific provisions are also included for their processing, similar to what is provided in the aforementioned Organic Law 3/2018, of 5 December.
The competent authorities, for the purposes of this Organic Law, are defined as public authorities with legally entrusted competences for the achievement of the specific purposes included in the scope of application. Specifically, it is determined that they shall be competent authorities: the Security Forces and Corps; the judicial authorities of the criminal jurisdiction and the Public Prosecutor's Office; the Penitentiary Administrations; the Deputy Director of Customs Surveillance; the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Offences; and the Commission for the Surveillance of Activities of Financing of Terrorism. All this, without prejudice to the fact that the processing carried out by the judicial bodies shall be governed by what is provided in this Organic Law, in Organic Law 6/1985, of 1 July, on the Judiciary, and in the criminal procedural laws.
Certain processing is expressly excluded from the scope of application, such as those carried out by the competent authorities for purposes other than those covered by the Organic Law; those carried out by the bodies of the General State Administration within the framework of the activities included in the scope of Chapter II of Title V of the Treaty on the European Union, in relation to the Common Foreign and Security Policy; those derived from an activity not included in the scope of application of European Union law; and those subject to the legislation on classified matters. Among the latter, processing relating to National Defense is expressly mentioned as included.
Chapter II refers to the data protection principles whose guarantee corresponds to the data controller. These principles are regulated in terms similar to those established in the General Data Protection Regulation, with some specificities inherent to the scope of this Organic Law.
A duty of collaboration with the competent authorities is included, according to which, unless judicial authorization is legally required, Public Administrations or any natural or legal person must provide the judicial authorities, the Public Prosecutor's Office or the Judicial Police with the information necessary for the investigation or prosecution of criminal offences or the execution of sentences and the information necessary for the protection and prevention against a real and serious danger to public security. All this, with the obligation not to inform the data subject of such subsequent processing. This last clarification is fundamental to avoid that making the information available to the data subject could endanger the purposes that, in accordance with the directive and this Organic Law, justify the processing of the data.
The retention periods and review of personal data processed are also regulated, with the establishment of a maximum retention period for data in general and the implementation of a system that allows the controller to review, within the period that it itself sets within the legal limits, the need to retain, limit or delete the set of personal data contained in each of its processing activities. The controller must, in its processing, distinguish the data corresponding to the various categories of data subjects, such as suspects, convicts or sanctioned persons, victims or third parties involved, as well as differentiate, as far as possible, whether the data processed are based on facts or on assessments.
Certain conditions that determine the lawfulness of any processing of personal data are also required, namely, that the data are processed by the competent authorities; that the processing is necessary for the purposes of this Organic Law; and that, where necessary and in each particular area, the specificities are set out by a rule with the rank of law that includes certain minimum contents.
In the event of the transmission of data subject to specific processing conditions, such conditions must be respected by the recipient thereof, in particular, the prohibition of transmitting them or using them for purposes other than those for which they were transmitted.
Likewise, it is required that the processing of special categories of data, such as those revealing ethnic or racial origin, political opinions, religious or philosophical beliefs, trade union affiliation or genetic or biometric data, may only take place when it is strictly necessary and certain conditions are met.
Biometric data (such as fingerprints or facial image) are only considered included in this special category when their processing is aimed at uniquely identifying a natural person. This need for identification in legally backed actions is often carried out by the various competent authorities. The purpose is to single out the perpetrators or participants in criminal offences, as well as to be able to recognize if they are the persons supposed or sought, and in this way, to attribute or exonerate, without any doubt, participation in certain facts, thanks to possible biometric clues or traces.
Given the rapid technological evolution and the electronic means available, a legal authorization is included to facilitate a quick and adequate response in the use of this data, with the final objective of guaranteeing and protecting the rights of the data subjects and of citizens in general.
The adoption of individual automated decisions, including profiling in this field, is also prohibited, unless authorized by a rule with the rank of law of the Spanish or European legal order.
Chapter III is divided into two sections and addresses the rights of persons. It regulates a series of general conditions for the exercise of rights, such as the obligation incumbent on the controller to provide the information corresponding to the data subject's rights in a concise manner, with clear and simple language and free of charge. The information that must be made available to the data subject is established, with some data being mandatory in all cases and others in specific cases.
The rights of access, rectification, erasure and limitation of processing are recognized. By virtue of such rights, the data subject is empowered to know whether their data are being processed or not and, if so, to access certain information about the processing; to obtain the rectification of their data if they are inaccurate; to delete them when they are contrary to what is provided in Articles 6, 11 or 13, or when so required by a legal obligation incumbent on the controller; and to limit the processing, when the data subject doubts the accuracy of the data or when such data must be retained solely for evidentiary purposes.
These rights may be exercised by the data subject directly or, in certain cases, through the data protection authority.
This Organic Law provides that these rights may be restricted for certain exhaustive causes, such as when it is necessary to avoid obstructing an investigation or endangering public security or national security.
A special regime of data subject rights in the context of criminal investigations and proceedings is established in its second section.
Chapter IV collects, across three sections, the obligations and responsibilities of controllers and processors, security measures and the figure of the data protection officer. The data controller, taking into account the nature, scope, context and purposes of the processing, as well as the levels of risk for the rights and freedoms of natural persons, will apply the appropriate technical and organizational measures.
The data processor will carry out its functions on behalf of the controller, having to provide guarantees to apply appropriate technical and organizational measures.
Every controller and data processor must keep a record of processing activities, with identifying data, such as the contact details of the controller, the purposes or categories of data subjects, and a record of operations, the cornerstone of this system and a basic instrument for proving compliance with several of the processing principles, which will include the collection, alteration, consultations and transfers of personal data among other operations. Likewise, they are obliged to cooperate with the data protection authority, within the framework of current legislation.
Certain obligations are established that respond to a new model of active responsibility that requires a prior risk assessment that the processing of personal data could generate for data subjects, in order to, from that assessment, adopt the appropriate measures.
Detailed attention is paid to the security of the processing, regulating some of the security measures that will be applied, although only the implementation of the aforementioned record of operations is mandated as a technical and organizational measure, the others being those that the controller determines as most appropriate to achieve the control requested of it by virtue of the type of processing being carried out and the level of risk estimated, after the corresponding analysis. The duty to notify the data protection authority of any security breach is also imposed, which, in general, must be notified to the data subject, except in expressly provided cases in the law.
The data protection officer is configured as the body or figure of advice and supervision for data protection controllers, which may be a single one for several competent authorities and whose designation will be mandatory except in relation to data processing for judicial purposes. Where processing activities exist that fall under different scopes of application, in order to avoid dysfunctions in the organizations of the competent authorities, it is established that the data protection officer will be a single one for all of them.
Chapter V regulates the transfers of personal data carried out by Spanish competent authorities to a State that is not a member of the European Union or to an international organization, including subsequent transfers to another State that does not belong to the European Union or another international organization and establishes the conditions that must be met for these to be lawful.
Thus, in order to guarantee that the level of protection of natural persons provided for in this Organic Law is not undermined, transfers must respect certain conditions provided for therein. In this way, they should only be carried out when they are necessary for the purposes of this Organic Law and when the data controller in the third country or international organization is a competent authority in relation to such purposes.
Likewise, when the data is transferred to a third country or to an international organization, the competent authority of the Member State in which the data was obtained must authorize this transfer in advance and any subsequent transfers that may take place to another third country or to an international organization. As for the third country or international organization receiving the transfer, it must be evaluated by the European Commission in view of its level of data protection or, in the absence of a decision, it must be understood by the data controller that it offers adequate guarantees. Only for the exceptional causes provided for in this Organic Law may transfers outside these cases be authorized. This chapter concludes with the regulation of the international transfer of personal data to recipients who, not being competent authorities, are not subject to the conditions established in this chapter, provided that they offer appropriate safeguards and that data subjects have enforceable rights and effective legal remedies.