The European Data Protection Regulation in Spain, approved in 2016, came into force in 2018 along with multiple changes that every SME must take into account. For that reason we have created this article. Find out here what the new Organic Law on Data Protection is and what you need to do to comply with it!
What is the new Organic Data Law?
Although many still refer to the Spanish Data Protection Law as LOPD, the truth is that the full name of the current law is Ley Orgánica de Protección de Datos y Garantía de Derechos Digitales (LOPDGDD).
This Law, which came into force on December 6, 2018, was created in order to replace the former Organic Law 15/1999 on the Protection of Personal Data.
The current law is intended to adapt Spanish legislation to European regulations, specifically the General Data Protection Regulation (GDPR), which has been in force since May 25, 2018.
Therefore, when talking about data protection in Spain, the law of reference is the LOPDGDD, which establishes the requirements and responsibilities for data protection in companies and how to proceed with personal information in their custody.
In this way, it is possible to prevent the personal data of customers and users from being used to violate their privacy and other fundamental rights and freedoms.
Objective of the new Organic Law on Data Protection
The purpose of the Organic Law on Data Protection of 2018 is to protect the privacy, intimacy and integrity of individuals in accordance with Article 18.4 of the Spanish Constitution.
It regulates the duties of the individual throughout the whole process of data transfer to ensure the security of the exchange, and it treats as personal data any text, image or audio that allows a person to be identified.
There are data that are considered lower risk, such as e-mail or the person’s name; however, there are other high-risk data, such as sensitive data related to health or religion, for example.
However, data that does not allow a person to be identified is not considered personal data: for example, machinery manuals, weather forecasts, or data that has been anonymized and can no longer be linked to anyone.
In these cases, the regulations to be complied with are those of the Regulation on the Free Flow of Non-Personal Data.
Another of its main purposes is to establish a whole legislative framework for the protection of data circulating on the Internet. It incorporates points such as the right to be forgotten or portability, as well as changes with respect to obtaining consent to collect and use personal information.
Main amendments to the Organic Law on Data Protection
This new law modifies many aspects of the previous law, which dates back to 1999, updating the requirements for obtaining, storing or sharing information, as well as establishing changes regarding the treatment of such information.
It is important to mention that the purpose of this Law is to make companies and organizations more committed to the proper processing and protection of the personal data and files they receive from users.
Compared to the previous law, which did not offer the necessary protection to individuals and did not meet the requirements of the digital era, the new LOPDGDD establishes a new legal framework for data protection in Spain:
What is the protection offered by the Organic Law on Data Protection?
The essence of the Data Protection Law is to adapt Spanish legislation to the General Data Protection Regulation. To this end it has had to incorporate certain new provisions, as well as specific rules for processing data according to its type.
The following is the type of data and the level of protection provided by the new law:
Penalties for non-compliance with the new Data Protection Law
Failure to comply with the regulations and obligations of the law carries different sanctions depending on the seriousness of the infraction committed, which may be serious or very serious.
Therefore, if your company deals with personal data, you should be aware of the changes and considerations, and take them very seriously.
In this sense, the criteria on which the judgments are based are: how long the infringement has been committed, the volume of information processed incorrectly, the benefits obtained from the infringement, the degree of intentionality and the damage caused by the actions.
Types of sanctions
A minor infringement is defined as, for example, not being registered in the data file of the General Data Protection Register. This infringement may be punishable by a fine of between 900 euros and 40,000 euros.
A serious infringement may consist in processing personal data without the user’s consent. This infringement may involve a financial fine of between 40,001 euros and 300,000 euros.
And, finally, a very serious infringement would consist of collecting personal data fraudulently and deceitfully. This type of infringement would be fined between 300,001 euros and 600,000 euros.
Now that you know the basics of the new Organic Law on Data Protection and its compliance, are you ready to implement it in your company as soon as possible?
To receive legal and tax advice regarding the activity of your company, you can contact us and request free advice from our professional managers. Also, if you want to keep updated about the business world, you can subscribe to our blog at TAS Consulting.