Page 1

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119788

I. GENERAL PROVISIONS

HEAD OF STATE
16673

Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights.
FELIPE VI
KING OF SPAIN

All those who were present saw and understood.
Know: That the Cortes Generales have approved and I have come to sanction the following
organic Law.
INDEX

Preamble.
Title I. General provisions.
Article 1. Object of the law.
Article 2. Scope of application of titles I to IX and of articles 89 to 94.
Article 3. Data of the deceased persons.
Title II. Data protection principles.
Article 4. Accuracy of the data.
Article 5. Duty of confidentiality.
Article 6. Treatment based on the consent of the affected party.
Article 7. Consent of minors.
Article 8. Data processing due to legal obligation, public interest or exercise of
public powers.
Article 9. Special categories of data.
Article 10. Processing of data of a criminal nature.
Title III. People rights.
Chapter I. Transparency and information.
Article 11. Transparency and information to the affected party.
Chapter II. Exercise of rights.
Article 12. General provisions on the exercise of rights.
Article 13. Right of access.
Article 14. Right of rectification.
Article 15. Right of deletion.
Article 16. Right to limitation of treatment.
Article 17. Right to portability.
Article 18. Right of opposition.

.boe.es

Title IV. Provisions applicable to specific treatments.
Article 19. Processing of contact data, individual entrepreneurs and
liberal professionals.
Article 20. Credit information systems.
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 2

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119789

Article 21. Treatments related to the performance of certain
commercial operations.
Article 22. Treatment for video surveillance purposes.
Article 23. Advertising exclusion systems.
Article 24. Information systems for internal complaints.
Article 25. Data processing in the field of the public statistical function.
Article 26. Data processing for archiving purposes in the public interest by
the Public Administrations.
Article 27. Processing of data related to infractions and administrative sanctions.
Title V. Responsible and in charge of the treatment.
Chapter I. General provisions. Active liability measures.
Article 28. General obligations of the person in charge and in charge of the treatment.
Article 29. Assumptions of joint responsibility in the treatment.
Article 30. Representatives of those responsible or in charge of the treatment do not
established in the European Union.
Article 31. Registration of treatment activities.
Article 32. Blocking of data.
Chapter II. In charge of the treatment.
Article 33. In charge of the treatment.
Chapter III. Data protection officer.
Article 34. Appointment of a data protection officer.
Article 35. Qualification of the data protection officer.
Article 36. Position of the data protection officer.
Article 37. Intervention of the data protection officer in the event of a claim
before the data protection authorities.
Chapter IV. Codes of conduct and certification.
Article 38. Codes of conduct.
Article 39. Accreditation of certification institutions.
Title VI. International data transfers.
Article 40. Regime of international data transfers.
Article 41. Cases of adoption by the Spanish Agency for Data Protection.
Article 42. Cases subject to prior authorization from the protection authorities
of data.
Article 43. Cases submitted to prior information to the protection authority
competent data.
Title VII. Data protection authorities.
Chapter I. The Spanish Agency for Data Protection.
Section 1. General provisions.
Article 44. General provisions.
Article 45. Legal regime.
Article 46. Economic, budgetary and personnel regime.
Article 47. Functions and powers of the Spanish Agency for Data Protection.
Article 48. The Presidency of the Spanish Agency for Data Protection.
Article 49. Advisory Council of the Spanish Agency for Data Protection.
Article 50. Advertising.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 3

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119790

Section 2. Investigation powers and preventive audit plans.
Article 51. Scope and competent personnel.
Article 52. Duty of collaboration.
Article 53. Scope of the investigation activity.
Article 54. Audit plans.
Section 3. Other powers of the Spanish Data Protection Agency.
Article 55. Regulatory powers. Circulars of the Spanish Agency for
Data Protection.
Article 56. Foreign action.
Chapter II. Autonomous data protection authorities.
Section 1. General provisions.
Article 57. Autonomous data protection authorities.
Article 58. Institutional cooperation.
Article 59. Treatments contrary to Regulation (EU) 2016/679.
Section 2. Coordination within the framework of the procedures established in the
Regulation (EU) 2016/679.
Article 60. Coordination in the event of issuance of an opinion by the European Committee of
Data Protection.
Article 61. Intervention in case of cross-border processing.
Article 62. Coordination in case of conflict resolution by the European Committee
of Data Protection.
Title VIII. Procedures in case of possible violation of the regulations of
Data Protection.
Article 63. Legal regime.
Article 64. Form of initiation of the procedure and duration.
Article 65. Admission of claims for processing.
Article 66. Determination of the territorial scope.
Article 67. Previous investigation actions.
Article 68. Agreement to initiate the procedure for the exercise of power
sanctioning.
Article 69. Provisional measures and guarantee of rights.
Title IX. Sanctions regime.
Article 70. Responsible parties.
Article 71. Infractions.
Article 72. Violations considered very serious.
Article 73. Violations considered serious.
Article 74. Infractions considered minor.
Article 75. Interruption of the prescription of the offense.
Article 76. Sanctions and corrective measures.
Article 77. Regime applicable to certain categories of responsible or
those in charge of the treatment.
Article 78. Prescription of sanctions.

.boe.es

Title X. Guarantee of digital rights.
Article 79. Rights in the Digital Age.
Article 80. Right to Internet neutrality.
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 4

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119791

Article 81. Right of universal access to the Internet.
Article 82. Right to digital security.
Article 83. Right to digital education.
Article 84. Protection of minors on the Internet.
Article 85. Right to rectification on the Internet.
Article 86. Right to update information in the media
digital.
Article 87. Right to privacy and use of digital devices in the workplace.
Article 88. Right to digital disconnection in the workplace.
Article 89. Right to privacy against the use of video surveillance devices and
recording of sounds in the workplace.
Article 90. Right to privacy when using geolocation systems
in the Laboral scene.
Article 91. Digital rights in collective bargaining.
Article 92. Data protection of minors on the Internet.
Article 93. Right to be forgotten in Internet searches.
Article 94. Right to be forgotten in social network services and equivalent services.
Article 95. Right to portability in social media services and services
equivalents.
Article 96. Right to a digital will.
Article 97. Policies to promote digital rights.
First additional provision. Security measures in the field of the public sector.
Second additional provision. Data protection and transparency and access to
public information.
Third additional provision. Computation of terms.
Fourth additional provision. Procedure in relation to competences
attributed to the Spanish Agency for Data Protection by other laws.
Fifth additional provision. Judicial authorization in relation to decisions of the
European Commission on international data transfer.
Sixth additional provision. Incorporation of debts to information systems
credit.
Seventh additional provision. Identification of those interested in the notifications
through announcements and publications of administrative acts.
Eighth additional provision. Authority to verify the Administrations
Public.
Ninth additional provision. Processing of personal data in relation to
notification of security incidents.
Tenth additional provision. Data communications by the listed subjects
in article 77.1.
Eleventh additional provision. Privacy in electronic communications.
Twelfth additional provision. Specific provisions applicable to
treatment of public sector personnel records.
Thirteenth additional provision. International data transfers
tributaries.
Fourteenth additional provision. Rules issued in development of article 13 of
Directive 95/46 / EC.
Fifteenth additional provision. Information request by the
National Stock Market Commission.
Sixteenth additional provision. Aggressive practices regarding the protection of
data.
Seventeenth additional provision. Health data treatment.
Eighteenth additional provision. Security criteria.
Additional provision nineteenth. Rights of minors before the Internet.
Additional provision twentieth. Specialties of the legal regime of the Agency
Spanish Data Protection.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 5

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119792

Twenty-first additional provision. Digital education.
Twenty-second additional provision. Access to public archives and
ecclesiastical.
First transitory provision. Statute of the Spanish Agency for the Protection of
Data.
Second transitory provision. Type codes registered with the authorities of
data protection in accordance with Organic Law 15/1999, of December 13.
Third transitory provision. Transitional regime of procedures.
Fourth transitory provision. Treatments subject to Directive (EU) 2016/680.
Fifth transitory provision. Treatment manager contracts.
Sixth transitory provision. Reuse for research purposes in the field of
health and biomedical data collected prior to the entry into force of
this law.
Sole repealing provision. Regulatory repeal.
First final provision. Nature of this law.
Second final provision. Competency title.
Third final provision. Modification of Organic Law 5/1985, of June 19, on the
General Electoral Regime.
Fourth final provision. Modification of Organic Law 6/1985, of July 1, of the
Power of attorney.
Fifth final provision. Modification of Law 14/1986, of April 25, General of
Health.
Sixth final provision. Modification of Law 29/1998, of July 13, regulating
Contentious-administrative jurisdiction.
Seventh final provision. Modification of Law 1/2000, of January 7, of
Civil procedure.
Eighth final provision. Modification of Organic Law 6/2001, of December 21,
of Universities.
Ninth final provision. Modification of Law 41/2002, of November 14, basic
regulating the autonomy of the patient and rights and obligations regarding
information and clinical documentation.
Tenth final provision. Modification of Organic Law 2/2006, of May 3, of
Education.
Eleventh final provision. Modification of Law 19/2013, of December 9, on
transparency, access to public information and good governance.
Twelfth final provision. Modification of Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations.
Final provision thirteenth. Modification of the consolidated text of the Law on
Status of workers.
Fourteenth final provision. Modification of the consolidated text of the Statute Law
Basic of the Public Employee.
Fifteenth final provision. Regulatory development.
Sixteenth final provision. Entry into force.
PREAMBLE
I

.boe.es

The protection of natural persons in relation to data processing
personal rights is a fundamental right protected by article 18.4 of the Constitution
Spanish. In this way, our Constitution was a pioneer in the recognition of the
fundamental right to the protection of personal data when it provided that "the law
limit the use of computers to guarantee honor and personal and family privacy
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 6

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119793

of citizens and the full exercise of their rights ”. Thus echoed the works
developed since the late 1960s in the Council of Europe and the few
legal provisions adopted in neighboring countries.
The Constitutional Court indicated in its Sentence 94/1998, of May 4, that we
We are faced with a fundamental right to data protection by which it is guaranteed
to the person control over their data, any personal data, and their use and
destination, to avoid the illicit traffic of the same or harmful to the dignity and rights
of those affected; in this way, the right to data protection is configured as a
faculty of the citizen to object to the use of certain personal data
for purposes other than the one that justified its obtaining. For its part, in the
Sentence 292/2000, of November 30, considers it as an autonomous right and
independent that consists of a power of disposition and control over the data
personal data that empowers the person to decide which of these data to provide to a
third party, be it the State or an individual, or which third parties can collect, and that also
allows the individual to know who owns that personal data and for what, being able to
object to that possession or use.
At the legislative level, the realization and development of the fundamental right of protection of
natural persons in relation to the processing of personal data took place in their
origins through the approval of Organic Law 5/1992, of October 29, regulating
of the automated processing of personal data, known as LORTAD. The law
Organic Law 5/1992 was replaced by Organic Law 15/1999, of December 5, of
protection of personal data, in order to transpose our right to Directive 95/46 /
EC of the European Parliament and of the Council, of October 24, 1995, on the
protection of natural persons with regard to the processing of personal data and
to the free circulation of these data. This organic law was a second milestone in the
evolution of the regulation of the fundamental right to data protection in Spain and
was supplemented by an increasingly abundant jurisprudence from the
bodies of contentious-administrative jurisdiction.
On the other hand, it is also included in article 8 of the Charter of Rights
Fundamentals of the European Union and in article 16.1 of the Treaty on the Functioning of
the European Union. Previously, at European level, Directive 95/46 / EC had been adopted
cited, whose purpose was to ensure that the guarantee of the right to data protection
personal data would not constitute an obstacle to the free circulation of data within the
Union, thus establishing a common space to guarantee the right that, at the same time,
ensure that in case of international data transfer, its treatment in the country
destination was protected by safeguards appropriate to those provided for in the
directive.
II
In the last years of the past decade, impulses to
achieve a more uniform regulation of the fundamental right to data protection in
the framework of an increasingly globalized society. Thus, they were adopted in different
International bodies proposed for the reform of the current framework. And in this frame
On 4 November 2010, the Commission launched its Communication entitled "A global approach
of the protection of personal data in the European Union ”, which constitutes the germ
of the subsequent reform of the framework of the European Union. At the same time, the Court of
Justice of the Union has been adopting over the last years a jurisprudence
which is fundamental in its interpretation.
The last milestone in this evolution took place with the adoption of Regulation (EU) 2016/679
of the European Parliament and of the Council, of April 27, 2016, regarding the protection of
natural persons with regard to the processing of their personal data and the free
circulation of these data and repealing Directive 95/46 / EC (General Regulation
data protection), as well as Directive (EU) 2016/680 of the European Parliament and
of the Council, of April 27, 2016, regarding the protection of natural persons in what
Regarding the processing of personal data by the competent authorities

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 7

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119794

for the purposes of prevention, investigation, detection or prosecution of criminal offenses
or the execution of criminal sanctions, and the free circulation of said data and by which
Council Framework Decision 2008/977 / JHA is repealed.
III
The General Data Protection Regulation aims with its direct effectiveness to overcome
the obstacles that prevented the harmonizing purpose of Directive 95/46 / EC of the
European Parliament and of the Council, of October 24, 1995, on the protection of
natural persons with regard to the processing of personal data and the free
circulation of that data. The transposition of the directive by the Member States has been
embodied in a regulatory mosaic with irregular profiles throughout the Union
Which, ultimately, has led to appreciable differences in
the protection of the rights of citizens.
Likewise, new circumstances are addressed, mainly the increase in flows
cross-border personal data as a consequence of the functioning of the market
internally, the challenges posed by rapid technological evolution and globalization, which has
fact that personal data is the fundamental resource of the society of the
information. The centrality of personal information has positive aspects, because
enables new and better services, products or scientific findings. But it also has
risks, since information about individuals multiplies exponentially, they are
more accessible, by more actors, and each time they are easier to process while it is
more difficult to control its destination and use.
The General Data Protection Regulation supposes the review of the legal bases
of the European data protection model beyond a mere update of the
current regulations. It proceeds to reinforce legal certainty and transparency while
allows its norms to be specified or restricted by the Law of the States
members to the extent necessary for consistency reasons and so that the
national provisions are understandable to their addressees. Thus, the Regulation
general data protection policy contains a good number of authorizations, when not
impositions, to the Member States, in order to regulate certain matters, allowing
even in recital 8, and unlike what constitutes the general principle of the
European Union law that, when its rules must be specified,
interpreted or, exceptionally, restricted by the law of the Member States,
they have the possibility of incorporating into national law provisions contained
specifically in the regulation, insofar as it is necessary for reasons of
coherence and understanding.
At this point, it must be emphasized that any intervention of the Law is not excluded.
internal in the fields concerned by the European regulations. On the contrary, such
intervention may be appropriate, even necessary, both for the purification of the
national ordinance as well as for the development or complement of the regulation
try. Thus, the principle of legal certainty, in its positive aspect, obliges States
members to integrate the European legal system internally in a way that
sufficiently clear and public as to allow its full knowledge by both the
legal operators as well as by the citizens themselves, inasmuch as, in its aspect
negative, implies the obligation for such States to eliminate situations of uncertainty
derived from the existence of norms in national law incompatible with the European one.
From this second aspect follows the consequent obligation to purify the legal system
legal. In short, the principle of legal certainty requires that internal regulations
that is incompatible with the law of the European Union is definitively
eliminated "through mandatory internal provisions that have the same
legal value that the internal provisions that must be modified "(Judgments of the
Court of Justice of February 23, 2006, Case of Commission v. Spain; from July 13
2000, Case of Commission v. France; and of October 15, 1986, matter of Commission v.
Italy). Finally, the regulations, despite their characteristic of direct applicability, in the
practice may require other complementary internal standards to fully make

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 8

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119795

effective its application. In this sense, rather than incorporation, one could speak of
"Development" or complement of European Union law.
Adaptation to the General Data Protection Regulation, which will be applicable to
As of May 25, 2018, as established in Article 99, it requires, in short, the
development of a new organic law to replace the current one. In this work they have
preserving the principles of good regulation, as it is a necessary norm for the
adaptation of the Spanish legislation to the aforementioned European provision and proportional to this
objective, the ultimate reason being to seek legal certainty.
IV
The Internet, on the other hand, has become a ubiquitous reality both in our
personal and collective life. A large part of our professional, economic activity
and private is developed on the Internet and acquires a fundamental importance both for the
human communication as well as for the development of our life in society. Already in the
nineties, and aware of the impact that the Internet was going to have on our lives, the
Pioneers of the Network proposed to elaborate a Declaration of the Rights of Man and
of the Citizen on the Internet.
Today we identify quite clearly the risks and opportunities that the world of
networks offered to citizens. It is up to the public powers to promote policies
that make the rights of citizenship effective on the Internet by promoting equality of
citizens and the groups in which they are integrated to make full exercise possible
of fundamental rights in digital reality. The digital transformation of our
Society is already a reality in our present and future development both at a social level
as economical. In this context, neighboring countries have already approved regulations
that reinforces the digital rights of citizens.
The constituents of 1978 already sensed the enormous impact that the advances
technological technologies would provoke in our society and, in particular, in the enjoyment of
Fundamental rights. A desirable future reform of the Constitution should include
among its priorities the updating of the Constitution to the digital age and, specifically,
elevate a new generation of digital rights to constitutional status. But, as long as
This challenge is not undertaken, the legislator must address the recognition of a system of
guarantee of digital rights that, unequivocally, finds its anchor in the
mandate imposed by the fourth section of article 18 of the Spanish Constitution and
that, in some cases, have already been outlined by ordinary, constitutional jurisprudence
and European.
V
This organic law consists of ninety-seven articles structured in ten titles,
twenty-two additional provisions, six transitional provisions, one provision
repeal and sixteen final provisions.
Title I, relative to the general provisions, begins by regulating the object of the
Organic law, which is, according to what has been indicated, double. Thus, first of all, it is
aims to achieve the adaptation of the Spanish legal system to the Regulation
(EU) 2016/679 of the European Parliament and the Council, of April 27, 2016, Regulation
general data protection policy, and complete its provisions. In turn, it establishes that the
fundamental right of natural persons to the protection of personal data,
protected by Article 18.4 of the Constitution, it will be exercised in accordance with the provisions
in Regulation (EU) 2016/679 and in this organic law. The autonomous communities
they have powers of normative development and execution of the fundamental right to
protection of personal data in its field of activity and to the regional authorities
of data protection that they believe corresponds to contribute to guarantee this right
fundamental of citizenship. Secondly, it is also the object of the law to guarantee the
digital rights of citizens, under the provisions of article 18.4 of the
Constitution.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 9

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119796

The new regulation of data referring to deceased persons stands out, therefore,
After excluding their treatment from the scope of the law, people are allowed to
related to the deceased for family or de facto reasons or their heirs may request
access to them, as well as their rectification or deletion, where appropriate subject to
the instructions of the deceased. It also excludes treatments from the scope of application
that are governed by specific provisions, referring, among others, to the regulations that
transposes the aforementioned Directive (EU) 2016/680, provided for in the transitional provision
fourth, the application to these treatments of Organic Law 15/1999, of December 13,
until the aforementioned regulation is approved.
In Title II, "Data protection principles", it is established that for the purposes of the
Regulation (EU) 2016/679 will not be attributable to the person responsible for the treatment, always
that it has taken all reasonable measures so that they are suppressed or rectified
without delay, the inaccuracy of the data obtained directly from the affected party, when
had received the data from another person in charge by virtue of the exercise by the affected
right to portability, or when the person responsible obtains them from the mediator or
intermediary when the rules applicable to the sector of activity to which the
responsible for the treatment establish the possibility of intervention of an intermediary
or mediator or when the data had been obtained from a public registry. I also know
expressly includes the duty of confidentiality, the treatment of data protected by
the law, the special categories of data and the processing of data of a criminal nature,
refers specifically to consent, which must come from a statement or a
clear affirmative action by the affected party, excluding what was known as "consent
tacit ”, it is indicated that the consent of the affected party for a plurality of purposes
It will be necessary to state specifically and unequivocally that it is granted for all of them,
and the age from which the minor can lend their
consent.
The possible legal authorizations for the treatment based on
in compliance with a legal obligation enforceable by the person responsible, under the terms
provided for in Regulation (EU) 2016/679, when provided for by a rule of law
of the European Union or a law, which may determine the general conditions of the
treatment and the types of data object of the same as well as the transfers that proceed
as a consequence of compliance with the legal obligation, This is the case, for example,
of the databases regulated by law and managed by public authorities that
respond to specific objectives of risk control and solvency, supervision and
type inspection of the Bank of Spain's Risk Information Center regulated
by Law 44/2002, of November 22, on Financial System Reform Measures,
or of the data, documents and information of a confidential nature that are held by
the General Directorate of Insurance and Pension Funds in accordance with the provisions
in Law 20/2015, of July 14, on organization, supervision and solvency of entities
insurers and reinsurers.
Special conditions may also be imposed on the treatment, such as the
adoption of additional security or other measures, when this derives from the exercise of
public powers or compliance with a legal obligation and can only be considered
founded on the fulfillment of a mission carried out in the public interest or in the exercise of
public powers conferred on the person in charge, in the terms provided in the regulation
European, when it derives from a competence attributed by law. And the
prohibition of consenting to treatments with the main purpose of storing information
identification of certain categories of specially protected data, which does not
prevents them from being processed in the other cases provided
in Regulation (EU) 2016/679. Thus, for example, the provision of consent does not
will cover the creation of "blacklists" of trade unionists, although data from
Union affiliation may be processed by the employer to make possible the exercise of
the rights of workers under article 9.2.b) of the Regulations
(EU) 2016/679 or by the unions themselves in the terms of article 9.2.d) of the same
European standard.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 10

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119797

Also in relation to the treatment of special categories of data, the
Article 9.2 establishes the principle of reservation of law for its empowerment in the cases
provided for in Regulation (EU) 2016/679. This forecast not only reaches the
provisions that may be adopted in the future, but allows the safeguarding of
different currently existing legal authorizations, as indicated
specifically, regarding health and insurance legislation, in the provision
additional seventeenth. The General Data Protection Regulation does not affect these
authorizations, which remain fully valid, even allowing to carry out a
extensive interpretation of them, as is the case, in particular, regarding the scope
of the consent of the affected party or the use of their data without consent in the field of
biomedical research. To this end, section 2 of the Additional Provision
seventeenth introduces a series of provisions aimed at guaranteeing the adequate
development of health research, and in particular biomedical, considering
the undoubted benefits that it brings to society with the due guarantees of the
fundamental right to data protection.
Title III, dedicated to the rights of individuals, adapts to Spanish law the
principle of transparency in the treatment of the European regulation, which regulates the
of those affected to be informed about the treatment and collect the so-called
«Layered information» already generally accepted in fields such as
video surveillance or the installation of massive data storage devices (such as
such as "cookies"), providing the affected party with basic information, although indicating a
electronic address or other means that allows easy and immediate access to the
remaining information.
This Title makes use of the authorization allowed by recital 8 of the
Regulation (EU) 2016/679 to complement its regime, guaranteeing adequate
systematic structure of the text. Next, the organic law contemplates the rights of
access, rectification, deletion, opposition, right to limitation of treatment and
right to portability.
Title IV contains "Provisions applicable to specific treatments",
incorporating a series of assumptions that in no case should be considered exhaustive
of all lawful treatments. Among them it is worth appreciating, in the first place, those
with respect to which the legislator establishes a "iuris tantum" presumption of prevalence
of the legitimate interest of the person in charge when they are carried out with a series of requirements,
which does not exclude the legality of this type of treatment when they are not strictly complied with
the conditions provided in the text, although in this case the person in charge must carry out
carry out the legally required weighting, as the prevalence of their interest is not presumed
legitimate. Along with these assumptions, others are included, such as video surveillance,
advertising exclusion files or internal complaint systems in which the legality of the
treatment comes from the existence of a public interest, under the terms established in
Article 6.1.e) of Regulation (EU) 2016/679. Finally, reference is made in this
Title to the legality of other treatments regulated in Chapter IX of the regulation, such as
those related to the statistical function or for archiving purposes of general interest. On
In any case, the fact that the legislator refers to the legality of the treatments does not enervate
the obligation of those responsible to adopt all active liability measures
established in Chapter IV of the European regulation and in Title V of this organic law.
Title V refers to the person in charge and the person in charge of the treatment. It is necessary to have
taking into account that the greatest novelty presented by Regulation (EU) 2016/679 is the
evolution from a model based, fundamentally, on compliance control to another
which rests on the principle of active responsibility, which requires a prior assessment
by the person in charge or by the person in charge of the treatment of the risk that the
processing of personal data to, based on said assessment, adopt the measures
that proceed. In order to clarify these developments, the organic law maintains the same
denomination of Chapter IV of the Regulation, dividing the articles into four chapters
dedicated, respectively, to the general measures of active responsibility, to the
regime of the person in charge of the treatment, the figure of the data protection delegate and

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 11

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119798

self-regulation and certification mechanisms. The figure of the delegate of protection of
data acquires a prominent importance in Regulation (EU) 2016/679 and thus
includes the organic law, which starts from the principle that it may be mandatory
or volunteer, being or not integrated in the organization of the person in charge or in charge and being
both a natural person and a legal person. The appointment of the delegate of
Data protection must be communicated to the competent data protection authority.
The Spanish Agency for Data Protection will maintain a public and updated relationship
of the data protection delegates, accessible by anyone. The
Knowledge in the matter may be accredited through certification schemes.
Likewise, it may not be removed, except in cases of intent or gross negligence. It is
It should be noted that the data protection officer allows you to configure a means for the
amicable resolution of claims, since the interested party may reproduce before him the
claim that is not attended by the person in charge or in charge of the treatment.
Title VI, relative to international data transfers, proceeds to the
adaptation of the provisions of Regulation (EU) 2016/679 and refers to the specialties
related to the procedures through which the protection authorities
data can approve contractual models or binding corporate rules,
assumptions of authorization of a certain transfer, or prior information.
Title VII is dedicated to data protection authorities, which following the
mandate of Regulation (EU) 2016/679 must be established by national law.
Maintaining the scheme that had been collected in its normative antecedents, the law
organic regulates the regime of the Spanish Agency for Data Protection and reflects the
existence of regional data protection authorities and the necessary
cooperation between control authorities. The Spanish Agency for Data Protection
is configured as an independent administrative authority in accordance with the Law
40/2015, of October 1, of the Legal Regime of the Public Sector, which is related to the
Government through the Ministry of Justice.
Title VIII regulates the «Procedures in case of possible violation of the regulations
of data protection ». Regulation (EU) 2016/679 establishes a new and
complex, evolving towards a 'one-stop shop' model in which there is a
lead supervisory authority and other interested authorities. It also establishes a
cooperation procedure between authorities of the Member States and, in case of
discrepancy, the binding decision of the European Data Protection Committee is foreseen.
Consequently, prior to the processing of any procedure, it will be
It must be determined whether or not the processing is cross-border and, if so,
which data protection authority is to be considered primary.
The regulation is limited to defining the legal regime; the initiation of proceedings,
being possible that the Spanish Agency for Data Protection refers the claim to the
data protection officer or the bodies or entities that are in charge of the
extrajudicial conflict resolution in accordance with the provisions of a code of conduct;
the inadmissibility of the claims; the preliminary investigation actions; measures
provisional, among which the order to block the data stands out; and the term of
processing of procedures and, where appropriate, their suspension. The specialties of
procedure refer to regulatory development.
Title IX, which contemplates the sanctioning regime, part of which the Regulation
(EU) 2016/679 establishes a system of sanctions or corrective actions that allows
a wide margin of appreciation. In this framework, the organic law proceeds to describe the
typical behaviors, making the distinction between very serious, serious and
light, taking into account the differentiation that the General Protection Regulation
of data establishes when setting the amount of penalties. The categorization of offenses
is introduced for the sole purpose of determining the statute of limitations, having the
description of typical behaviors as the only object enumeration in a way
exemplary of some of the punishable acts that must be understood including
within the general rates established in the European standard. The organic law regulates
cases of interruption of the prescription based on the constitutional requirement of the

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 12

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

knowledge of the facts that are attributed to the person, but taking into account the
problems derived from the procedures established in the European regulation, in
depending on whether the procedure is processed exclusively by the Spanish Agency for
Data Protection or if the coordinated procedure of article 60 of the
General data protection regulation.
Regulation (EU) 2016/679 establishes wide margins for the determination of
the amount of the penalties. The organic law takes advantage of the residual clause of article 83.2
of the European standard, referring to aggravating or mitigating factors, to clarify that
the elements to be taken into account may include those that already appeared in the
Article 45.4 and 5 of Organic Law 15/1999, and which are known to the operators

Sec. I. Page 119799

legal.
Finally, Title X of this law undertakes the task of recognizing and guaranteeing a
list of digital rights of citizens in accordance with the mandate established in the
Constitution. In particular, the rights and freedoms that can be predicated are subject to regulation.
to the Internet environment such as Net neutrality and universal access or rights
to security and digital education as well as the rights to be forgotten, to portability and to
digital will. The recognition of the right to
digital disconnection within the framework of the right to privacy in the use of devices
digital in the workplace and the protection of minors on the Internet. Finally,
It is worth highlighting the guarantee of freedom of expression and the right to clarification of
information in digital media.
Additional provisions refer to issues such as security measures
in the field of the public sector, data protection and transparency and access to
public information, calculation of deadlines, judicial authorization regarding transfers
international data, protection against abusive practices that could develop
certain operators, or the processing of health data, among others.
In accordance with the fourteenth additional provision, the regulations relating to
exceptions and limitations in the exercise of the rights that have entered into force
prior to the date of application of the European regulation and in particular the
Articles 23 and 24 of Organic Law 15/1999, of December 13, on Data Protection
Personal Character, will remain in force as long as it is not expressly modified, replaced
or repealed. The survival of this regulation supposes the continuity of the exceptions and
limitations that are contained in it until its reform or abrogation takes place, if
well referred to the rights as regulated in Regulation (EU) 2016/679 and in
this organic law. Thus, for example, by virtue of the aforementioned additional provision, the
Tax administrations responsible for relevant data files
referred to in article 95 of Law 58/2003, of December 17, General
Tax, may, in relation to said data, deny the exercise of the rights to which
refer to Articles 15 to 22 of Regulation (EU) 2016/679, when the same
hinder administrative actions aimed at ensuring compliance with the
tax obligations and, in any case, when the affected party is being subject to
inspection actions.
The transitional provisions are dedicated, among other issues, to the statute of
the Spanish Agency for Data Protection, the transitional regime of the procedures
or the treatments subject to Directive (EU) 2016/680. A provision is collected
repeal, and then the final provisions on the precepts with
character of ordinary law, the title of competence and the entry into force.
Likewise, the necessary modifications are introduced to Law 1/2000, of 7
January, of Civil Procedure and Law 29/1998, of July 13, regulating the Jurisdiction
Contentious-administrative law, Organic Law, 6/1985, of July 1, of the Judicial Power, the
Law 19/2013, of December 9, on transparency, access to public information and good
government, Organic Law 5/1985, of June 19, on the General Electoral Regime, the
Law 14/1986, of April 25, General Health, Law 41/2002, of November 14,
basic regulation of the autonomy of the patient and of rights and obligations in

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 13

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119800

of information and clinical documentation and Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations.
Finally, and in relation to the guarantee of digital rights, there is also
introduce modifications in Organic Law 2/2006, of May 3, on Education, the Law
Organic 6/2001, of December 21, of Universities, as well as in the Consolidated Text
of the Law of the Statute of Workers and in the Consolidated Text of the Law of the Statute
Basic of the Public Employee.
TITLE I
General disposition
Article 1. Object of the law.
The present organic law aims to:
a) Adapt the Spanish legal system to Regulation (EU) 2016/679 of the
European Parliament and the Council, of April 27, 2016, regarding the protection of
natural persons with regard to the processing of their personal data and the free
circulation of these data, and complete its provisions.
The fundamental right of natural persons to the protection of personal data,
protected by Article 18.4 of the Constitution, it will be exercised in accordance with the provisions
in Regulation (EU) 2016/679 and in this organic law.
b) Guarantee the digital rights of citizens in accordance with the mandate
established in article 18.4 of the Constitution.
Article 2. Scope of application of Titles I to IX and Articles 89 to 94.
1. The provisions of Titles I to IX and articles 89 to 94 of this law
organic applies to any fully or partially automated data processing
personal data, as well as the non-automated processing of personal data contained or
intended to be included in a file.
2. This organic law will not apply:
a) To the treatments excluded from the scope of application of the General Regulation of
data protection by its article 2.2, without prejudice to the provisions of sections 3 and 4
of this article.
b) To the data processing of deceased persons, without prejudice to the provisions
in Article 3.
c) To the treatments subject to the regulations on the protection of materials
classified.
3. The treatments to which the Regulation is not directly applicable
(EU) 2016/679 for affecting activities not included in the scope of application of the
European Union law, will be governed by the provisions of its specific legislation if the
If any and additionally by the provisions of the aforementioned regulations and in this law
organic. In this situation, among others, are the treatments performed at the
under the organic legislation of the general electoral regime, the treatments carried out
in the field of penitentiary institutions and the treatments derived from the Civil Registry,
the Property and Mercantile Registries.
4. The data processing carried out on the occasion of the processing by the
judicial bodies of the processes of which they are competent, as well as the one carried out
within the management of the Judicial Office, they will be governed by the provisions of the Regulation
(EU) 2016/679 and this organic law, without prejudice to the provisions of the Law
Organic 6/1985, of July 1, of the Judicial Power, that are applicable.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 14

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119801

Article 3. Data of the deceased persons.
1. People linked to the deceased for family or de facto reasons as well as
their heirs may contact the person in charge or in charge of the treatment in order to
request access to her personal data and, where appropriate, its rectification or
suppression.
As an exception, the people referred to in the previous paragraph may not
access the data of the deceased, or request its rectification or deletion, when the
A deceased person would have expressly prohibited it or so established by law. Bliss
prohibition will not affect the right of the heirs to access the character data
patrimonial of the deceased.
2. The persons or institutions to whom the deceased had expressly designated
For this they may also request, in accordance with the instructions received, access to the
personal data of this and, where appropriate, its rectification or deletion.
By royal decree, the requirements and conditions will be established to prove the
validity and validity of these mandates and instructions and, where appropriate, the registration of
themselves.
3. In the event of the death of minors, these powers may also be exercised
by their legal representatives or, within the framework of their powers, by the Ministry
Prosecutor, who may act ex officio or at the request of any natural or legal person
interested.
In the event of the death of people with disabilities, these powers also
may be exercised, in addition to those indicated in the preceding paragraph, by those who have
been designated for the exercise of support functions, if such powers are understood
included in the support measures provided by the designated person.
TITLE II
Data protection principles
Article 4. Accuracy of the data.
1. In accordance with article 5.1.d) of Regulation (EU) 2016/679, the data will be exact
and, if necessary, updated.
2. For the purposes provided for in article 5.1.d) of Regulation (EU) 2016/679, it will not be
attributable to the person responsible for the treatment, provided that he has adopted all the
reasonable measures to eliminate or rectify without delay, the inaccuracy of the
personal data, with respect to the purposes for which they are processed, when the data
inaccurate:
a) They had been obtained by the person responsible directly from the affected party.
b) They had been obtained by the person in charge of a mediator or intermediary in
in the event that the rules applicable to the sector of activity to which the person in charge belongs
of the treatment establish the possibility of intervention of an intermediary or mediator
to collect on its own behalf the data of those affected for transmission to the person in charge.
The mediator or intermediary will assume the responsibilities that may arise in the
assumption of communication to the person responsible for data that does not correspond to the
provided by the affected party.
c) They were subjected to treatment by the person responsible for having received them from another
responsible by virtue of the exercise by the affected party of the right to portability in accordance with
to article 20 of Regulation (EU) 2016/679 and the provisions of this organic law.
d) They were obtained from a public registry by the person in charge.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 15

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119802

Article 5. Duty of confidentiality.
1. Those responsible and in charge of data processing as well as all
people who intervene in any phase of this will be subject to the duty of
confidentiality referred to in article 5.1.f) of Regulation (EU) 2016/679.
2. The general obligation indicated in the previous section will be complementary to the
duties of professional secrecy in accordance with its applicable regulations.
3. The obligations established in the previous sections will be maintained even
when the relationship between the obligated party and the person in charge of the
treatment.
Article 6. Treatment based on the consent of the affected party.
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,
The consent of the affected party is understood to be any manifestation of free will,
specific, informed and unequivocal for which it accepts, either through a
declaration or a clear affirmative action, the processing of personal data that
concern.
2. When it is intended to base the treatment of the data on the consent of the
affected for a plurality of purposes, it will be necessary to specifically record
and unequivocal that said consent is granted for all of them.
3. The execution of the contract may not be subject to the consent of the affected party
processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship.
Article 7. Consent of minors.
1. The processing of the personal data of a minor may only be
be based on your consent when you are over fourteen years of age.
Exceptions are those cases in which the law requires the assistance of the holders of the homeland.
power or guardianship for the celebration of the act or legal business in which context is collected
consent to treatment.
2. The treatment of the data of minors under fourteen years of age, based on the
consent, it will only be lawful if it consists of that of the holder of parental authority or guardianship, with the
scope determined by the holders of parental authority or guardianship.
Article 8. Data processing due to legal obligation, public interest or exercise of
public powers.
1. The processing of personal data can only be considered based on the
compliance with a legal obligation enforceable by the person in charge, under the terms provided in
Article 6.1.c) of Regulation (EU) 2016/679, when provided for by a regulation of
European Union law or a rule with the force of law, which may determine the
general conditions of the treatment and the types of data object of the same as well as the
assignments that proceed as a result of compliance with the legal obligation. Bliss
Norm may also impose special conditions on the treatment, such as the
adoption of additional security measures or others established in chapter IV of the
Regulation (EU) 2016/679.
2. The processing of personal data can only be considered based on the
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred to the person in charge, in the terms provided in article 6.1 e) of the
Regulation (EU) 2016/679, when it derives from a competence attributed by a norm
with the rank of law.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 16

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119803

Article 9. Special categories of data.
1. For the purposes of article 9.2.a) of Regulation (EU) 2016/679, in order to avoid
discriminatory situations, the sole consent of the affected party will not be enough to raise
the prohibition of data processing whose main purpose is to identify your ideology,
union membership, religion, sexual orientation, racial or ethnic beliefs or origin.
The provisions of the preceding paragraph will not prevent the processing of said data by
protection of the rest of the cases contemplated in article 9.2 of the Regulation
(EU) 2016/679, when applicable.
2. The data processing referred to in letters g), h) and i) of article 9.2 of the
Regulation (EU) 2016/679 based on Spanish law must be covered by
a rule with the force of law, which may establish additional requirements related to its
security and confidentiality.
In particular, said rule may protect the processing of data in the field of
health when required by the management of health care systems and services and
social, public and private, or the execution of an insurance contract of which the affected party is
part.
Article 10. Processing of data of a criminal nature.
1. The processing of personal data related to convictions and criminal offenses,
as well as procedures and related precautionary and security measures, for the purpose of
other than those of prevention, investigation, detection or prosecution of infractions
penalties or the execution of criminal sanctions, it can only be carried out when
is covered by a rule of Union Law, in this organic law or in
other norms of legal rank.
2. The complete record of the data referring to convictions and criminal offenses, as well as
as well as procedures and related precautionary and security measures referred to in the
Article 10 of Regulation (EU) 2016/679, may be carried out in accordance with the provisions
in the regulation of the System of administrative records to support the Administration of
Justice.
3. Outside of the assumptions indicated in the previous sections, the processing of
data referring to convictions and criminal offenses, as well as procedures and measures
precautionary and related security measures will only be possible when carried out by
lawyers and attorneys and have the purpose of collecting the information provided by their
clients for the exercise of their functions.
TITLE III
People rights
CHAPTER I
Transparency and information
Article 11. Transparency and information to the affected party.
1. When personal data is obtained from the affected party, the person responsible for the
treatment may comply with the duty of information established in article 13
of Regulation (EU) 2016/679, providing the affected party with the basic information to which
refers to the following section and indicating an electronic address or other means that
allow easy and immediate access to the rest of the information.
2. The basic information referred to in the previous section must contain, at the
less:

.boe.es

a) The identity of the person responsible for the treatment and their representative, if applicable.
b) The purpose of the treatment.

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 17

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119804

c) The possibility of exercising the rights established in articles 15 to 22 of the
Regulation (EU) 2016/679.
If the data obtained from the affected party were to be processed for the preparation of
profiles, the basic information will also include this circumstance. In this case, the
affected must be informed of their right to oppose the adoption of decisions
individual automated that produce legal effects on him or affect him
significantly similarly, when this right concurs in accordance with the
provided for in article 22 of Regulation (EU) 2016/679.
3. When the personal data had not been obtained from the affected party, the
responsible may comply with the duty of information established in article 14
of Regulation (EU) 2016/679, providing them with the basic information indicated in the
previous section, indicating an electronic address or other means that allows access
in a simple and immediate way to the rest of the information.
In these cases, the basic information will also include:
a) The categories of data being processed.
b) The sources from which the data came.
CHAPTER II
Exercise of rights
Article 12. General provisions on the exercise of rights.
1. The rights recognized in articles 15 to 22 of Regulation (EU) 2016/679,
They may be exercised directly or through a legal or voluntary representative.
2. The person responsible for the treatment will be obliged to inform the affected party about the
means at your disposal to exercise the rights that correspond to you. The media
They must be easily accessible to the affected person. The exercise of the right may not be
denied for the sole reason of choosing the affected by another means.
3. The person in charge may process, on behalf of the person in charge, requests for
exercise made by those affected of their rights if so established in the contract
or legal act that binds them.
4. Proof of compliance with the duty to respond to the request for the exercise of
Your rights formulated by the affected party will fall on the person responsible.
5. When the laws applicable to certain treatments establish a regime
that affects the exercise of the rights provided for in Chapter III of the Regulation
(EU) 2016/679, the provisions of those will be followed.
6. In any case, the holders of parental authority may exercise on behalf of and
representation of minors under fourteen years of age the rights of access, rectification,
cancellation, opposition or any others that may correspond to them in the context
of this organic law.
7. The actions carried out by the person responsible for the treatment will be free
to meet requests for the exercise of these rights, without prejudice to the provisions of
Articles 12.5 and 15.3 of Regulation (EU) 2016/679 and sections 3 and 4 of the
Article 13 of this organic law.
Article 13. Right of access.
1. The right of access of the affected party will be exercised in accordance with the provisions of
Article 15 of Regulation (EU) 2016/679.
When the person in charge treats a large amount of data related to the affected person and this
exercise your right of access without specifying whether it refers to all or part of the
data, the person in charge may request, before providing the information, that the affected
specify the data or processing activities to which the request refers.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 18

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119805

2. The right of access will be understood to be granted if the person responsible for the treatment
provide the affected party with a remote, direct and secure access system to personal data
that guarantees, permanently, access to its entirety. To this end, the
communication by the person in charge to the affected party of the way in which he can access said
The system will suffice to consider the request for the exercise of the right to be considered.
However, the interested party may request from the person in charge the information referred to the
extremes provided for in article 15.1 of Regulation (EU) 2016/679 that are not included
on the remote access system.
3. For the purposes established in article 12.5 of Regulation (EU) 2016/679,
may consider the exercise of the right of access repetitive on more than one occasion
during the period of six months, unless there is legitimate cause for it.
4. When the affected party chooses a means other than the one offered that involves a
disproportionate cost, the request will be considered excessive, so said affected
You will assume the excess costs that your choice entails. In this case, it will only be required by
responsible for the treatment the satisfaction of the right of access without undue delay.
Article 14. Right of rectification.
By exercising the right of rectification recognized in article 16 of the Regulation
(EU) 2016/679, the data subject must indicate in his request what data he refers to and the
correction to be made. It must accompany, when necessary, the
Documentation justifying the inaccuracy or incompleteness of the data subject to
treatment.
Article 15. Right of deletion.
1. The right of deletion shall be exercised in accordance with the provisions of article 17
of Regulation (EU) 2016/679.
2. When the deletion derives from the exercise of the right of opposition in accordance with the
Article 21.2 of Regulation (EU) 2016/679, the person in charge may keep the data
identification of the affected person necessary in order to prevent future treatments for
direct marketing.
Article 16. Right to limitation of treatment.
1. The right to limit the treatment will be exercised in accordance with the provisions
in article 18 of Regulation (EU) 2016/679.
2. The fact that the processing of personal data is limited must be stated
clearly in the information systems of the person in charge.
Article 17. Right to portability.
The right to portability will be exercised in accordance with the provisions of article 20
of Regulation (EU) 2016/679.
Article 18. Right of opposition.
The right to object, as well as the rights related to decisions
automated individual, including profiling, will be exercised in accordance with
what is established, respectively, in articles 21 and 22 of Regulation (EU) 2016/679.
.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 19

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119806

TITLE IV
Provisions applicable to specific treatments
Article 19. Processing of contact data, individual entrepreneurs and
liberal professionals.
1. Unless proven otherwise, it shall be presumed covered by the provisions of the
Article 6.1.f) of Regulation (EU) 2016/679 the treatment of contact data and in
where applicable, those relating to the function or position held by the natural persons who
provide services in a legal entity provided that the following requirements are met:
a) That the treatment refers only to the data necessary for its
professional localization.
b) That the purpose of the treatment is solely to maintain relationships of any
nature with the legal person in which the affected person provides their services.
2. The same presumption will operate for the treatment of data related to
sole proprietors and liberal professionals, when referred to
only in this condition and are not tried to establish a relationship with them
as natural persons.
3. Those responsible or in charge of the treatment referred to in article 77.1
of this organic law may also process the data mentioned in the two sections
above when this is derived from a legal obligation or is necessary for the exercise
of their powers.
Article 20. Credit information systems.
1. Unless proven otherwise, the processing of personal data will be presumed lawful
related to the breach of monetary, financial or credit obligations by systems
common credit information when the following requirements are met:
a) That the data have been provided by the creditor or by whoever acts on their behalf
account or interest.
b) That the data refer to certain, past due and enforceable debts, whose existence or
amount had not been the subject of an administrative or judicial claim by the debtor or
through a binding alternative dispute resolution procedure between the
parts.
c) That the creditor has informed the affected party in the contract or at the time of
require payment about the possibility of inclusion in said systems, with an indication of
those in which it participates.
The entity that maintains the credit information system with data related to the
breach of monetary, financial or credit obligations must notify the
affected the inclusion of such data and will inform you about the possibility of exercising the
rights established in articles 15 to 22 of Regulation (EU) 2016/679 within
the thirty days following the notification of the debt to the system, remaining
data blocked during that period.
d) That the data is only kept in the system as long as the
non-compliance, with a maximum limit of five years from the expiration date of the
monetary, financial or credit obligation.
e) That the data referring to a specific debtor can only be
consulted when whoever consults the system maintains a contractual relationship with the
affected that implies the payment of a pecuniary amount or this would have requested the
conclusion of a contract that involves financing, deferred payment or invoicing
periodically, as happens, among other cases, in those provided for in the legislation of
consumer credit agreements and real estate credit agreements.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 20

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119807

When the right to limit treatment has been exercised before the system
of the data challenging its accuracy in accordance with the provisions of article 18.1.a) of the
Regulation (EU) 2016/679, the system will inform those who could consult it with
according to the previous paragraph about the mere existence of said circumstance, without facilitating
the specific data with respect to which the right has been exercised, as long as
resolves on the request of the affected party.
f) That, in the event that the request for the conclusion of the contract is denied, or this
As a result of the consultation carried out, whoever has
After consulting the system, inform the affected party of the result of said consultation.
2. The entities that maintain the system and the creditors, regarding the treatment
of the data referring to their debtors, will have the status of joint controllers of the
data processing, the provisions of article 26 of the
Regulation (EU) 2016/679.
It will be up to the creditor to ensure that the requirements for the
inclusion in the debt system, responding to its non-existence or inaccuracy.
3. The presumption referred to in section 1 of this article does not cover the
assumptions in which the credit information was associated by the entity that maintained the
system to additional information to those contemplated in said section, related
with the debtor and obtained from other sources, in order to carry out a profiling of the same,
in particular through the application of credit rating techniques.
Article 21. Treatments related to the performance of certain operations
mercantile.
1. Unless proven otherwise, data processing, including
your prior communication, which may arise from the development of any
operation of structural modification of companies or the contribution or transfer of
business or branch of business activity, provided that the treatments were
necessary for the successful completion of the operation and ensure, where appropriate, the continuity
in the provision of services.
2. In the event that the transaction is not concluded, the transferee entity
must proceed immediately to the deletion of the data, without it being
application of the blocking obligation provided for in this organic law.
Article 22. Treatment for video surveillance purposes.
1. Individuals or legal entities, public or private, may carry out the
image processing through camera or video camera systems for the purpose
to preserve the safety of people and property, as well as its facilities.
2. Images of the public road may only be captured to the extent that it is
Essential for the purpose mentioned in the previous section.
However, it will be possible to capture the public road in a greater extension
when necessary to ensure the security of strategic assets or facilities
or infrastructure related to transport, without in any case implying the
capturing images of the interior of a private home.
3. The data will be deleted within a maximum period of one month from its capture,
except when they had to be conserved to prove the commission of acts that attempt to
against the integrity of people, property or facilities. In this case, the images must
be made available to the competent authority within a maximum period of seventy-two
hours since the existence of the recording was known.
The blocking obligation provided for in the
Article 32 of this organic law.
4. The duty of information provided for in article 12 of Regulation (EU) 2016/679
it shall be understood as fulfilled by placing an information device in place
sufficiently visible identifying, at least, the existence of the treatment, the identity

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 21

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119808

of the person in charge and the possibility of exercising the rights provided for in articles 15 to 22
of Regulation (EU) 2016/679. An information device may also include a
connection code or internet address to this information.
In any case, the data controller must keep at the disposal of the
affected the information referred to in the aforementioned regulation.
5. Under article 2.2.c) of Regulation (EU) 2016/679, it is considered excluded
of its scope the treatment by a natural person of images that
just capture the inside of your own home.
This exclusion does not cover the treatment carried out by a private security entity
that had been hired for the surveillance of a home and had access to the
images.
6. The treatment of personal data from images and sounds
obtained through the use of cameras and video cameras by the Forces and Corps
Security and by the competent bodies for surveillance and control in the centers
prisons and for the control, regulation, surveillance and discipline of traffic, will be governed by
the transposition legislation of Directive (EU) 2016/680, when the treatment has
purposes of prevention, investigation, detection or prosecution of criminal offenses or of
execution of criminal sanctions, including protection and prevention against
threats to public safety. Outside of these assumptions, said treatment is
will be governed by its specific legislation and supplementary by Regulation (EU) 2016/679 and
the present organic law.
7. What is regulated in this article is understood without prejudice to the provisions of the
Law 5/2014, of April 4, on Private Security and its development provisions.
8. The treatment by the employer of data obtained through
cameras or video cameras is subject to the provisions of article 89 of this organic law.
Article 23. Advertising exclusion systems.
1. It will be lawful to process personal data that is intended to prevent the sending
of commercial communications to those who have expressed their refusal or opposition
to receive them.
For this purpose, general or sectoral information systems may be created in the
that only the data essential to identify those affected will be included. These
systems may also include preference services, through which those affected
limit the receipt of commercial communications to those from certain
Business.
2. The entities responsible for the advertising exclusion systems will communicate
to the competent control authority its creation, its general or sectoral nature, as well as
the way in which those affected can join them and, where appropriate, enforce
your preferences.
The competent control authority will publish in its electronic headquarters a list
of the systems of this nature that were communicated to it, incorporating the information
mentioned in the previous paragraph. For this purpose, the competent control authority to which
the creation of the system has been communicated, it will be made known to the remaining
control authorities for publication by all of them.
3. When an affected party expresses to a person in charge his wish that his data not
are processed for the referral of commercial communications, it must inform you of
the existing advertising exclusion systems, being able to refer to the information
published by the competent control authority.
4. Those who intend to make direct marketing communications must
previously consult the advertising exclusion systems that could affect your
action, excluding from the treatment the data of those affected who have expressed
your opposition or refusal to it. For these purposes, to consider the obligation fulfilled
above, it will be sufficient to consult the exclusion systems included in the list
published by the competent control authority.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 22

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119809

It will not be necessary to carry out the query referred to in the previous paragraph when the
affected would have given, in accordance with the provisions of this organic law, their consent
to receive the communication to whoever intends to make it.
Article 24. Information systems for internal complaints.
1. The creation and maintenance of information systems through the
which may be brought to the attention of a private law entity, including
anonymously, the commission within it or in the actions of third parties that
contracted with her, of acts or conducts that could be contrary to the regulations
general or sectoral that is applicable. Employees and third parties must be informed
about the existence of these information systems.
2. Access to the data contained in these systems will be limited
exclusively to those who, whether or not incardinated within the entity, develop the
internal control and compliance functions, or those in charge of the treatment that
eventually they are designated for this purpose. However, its access by other
people, or even their communication to third parties, when necessary for the adoption
of disciplinary measures or for the processing of judicial procedures that, in its
case, proceed.
Without prejudice to the notification to the competent authority of facts constituting
criminal or administrative offense, only when the adoption of measures could proceed
disciplinary actions against a worker, such access will be allowed to personnel with
management and control of human resources.
3. The necessary measures must be taken to preserve identity and guarantee
the confidentiality of the data corresponding to the persons affected by the
information provided, especially that of the person who had put the facts
in the knowledge of the entity, if it had been identified.
4. The data of the person making the communication and of the employees and third parties must
be kept in the whistleblower system only for the time essential to
decide on the appropriateness of initiating an investigation into the facts denounced.
In any case, after three months from the introduction of the data, you must
proceed to its removal from the reporting system, unless the purpose of the
conservation is to leave evidence of the operation of the model of
commission of crimes by the legal person. Complaints that have not been processed
they may only be recorded anonymously, without the obligation being applicable
of blocking foreseen in article 32 of this organic law.
After the period mentioned in the previous paragraph, the data may continue to be
treated, by the corresponding body, in accordance with section 2 of this article, the
investigation of the denounced facts, not being conserved in the own system of
information on internal complaints.
5. The principles of the previous sections will be applicable to the systems of
internal complaints that could be created in the Public Administrations.
Article 25. Data processing in the field of the public statistical function.
1. The processing of personal data carried out by the organizations that have
attributed the competences related to the exercise of the public statistical function
will be subject to the provisions of its specific legislation, as well as the Regulation
(EU) 2016/679 and in this organic law.
2. The communication of the data to the competent bodies in statistical matters
It will only be understood to be covered by article 6.1 e) of Regulation (EU) 2016/679 in the
cases in which the statistics for which the information is required is required by a
European Union law standard or is included in the instruments of
Statistical programming legally foreseen.
In accordance with the provisions of article 11.2 of Law 12/1989, of May 9,
of the Public Statistical Function, will be strictly voluntary and, in

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 23

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Consequently, the data may only be collected with the prior express consent of those affected
data referred to in articles 9 and 10 of Regulation (EU) 2016/679.
3. The competent bodies for the exercise of the public statistical function
may deny requests for exercise by those affected of the rights established
in articles 15 to 22 of Regulation (EU) 2016/679 when the data is found
protected by the guarantees of statistical secrecy provided for in state legislation or
autonomic.
Article 26. Data processing for archiving purposes in the public interest by the
Public administrations.
The treatment by the Public Administrations of data for the purposes of
file in the public interest, which will be subject to the provisions of Regulation (EU) 2016/679
and in the present organic law with the specialties derived from the provisions of the Law
16/1985, of June 25, of the Spanish Historical Heritage, in Royal Decree 1708/2011,
of November 18, which establishes the Spanish File System and regulates
the File System of the General Administration of the State and its Bodies
Public and their access regime, as well as the regional legislation that results from
app.
Article 27. Processing of data related to infractions and administrative sanctions.
1. For the purposes of article 86 of Regulation (EU) 2016/679, the treatment of
data related to administrative offenses and penalties, including the maintenance of
records related to them, will require:
a) That those responsible for said processing are the competent bodies for
the instruction of the sanctioning procedure, for the declaration of the infractions or the
imposition of sanctions.
b) That the treatment is limited to the data strictly necessary for the purpose
persecuted by that one.
2. When any of the conditions provided in the previous section are not met,
the processing of data referring to infractions and administrative sanctions will have to
have the consent of the interested party or be authorized by a norm with rank
of law, which will regulate, where appropriate, additional guarantees for the rights and
freedoms of those affected.
3. Outside of the assumptions indicated in the previous sections, the processing of
data referring to infractions and administrative sanctions will only be possible when
are carried out by lawyers and solicitors and are intended to collect the

Sec. I. Page 119810

information provided by its clients for the exercise of their functions.
TITLE V
Responsible and in charge of the treatment
CHAPTER I
General disposition. Active liability measures
Article 28. General obligations of the person in charge and in charge of the treatment.

.boe.es

1. Those responsible and in charge, taking into account the elements listed
in articles 24 and 25 of Regulation (EU) 2016/679, they will determine the technical measures
and appropriate organizational measures that must be applied in order to guarantee and accredit that the
treatment is in accordance with the aforementioned regulation, with this organic law, its
implementing rules and applicable sectoral legislation. In particular, they will assess whether it proceeds

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 24

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119811

carrying out the impact assessment on data protection and prior consultation with
referred to in Section 3 of Chapter IV of the aforementioned regulation.
2. For the adoption of the measures referred to in the previous section, the
Those responsible and those in charge of the treatment will take into account, in particular, the
risks that could occur in the following cases:
a) When the treatment could generate situations of discrimination, usurpation
identity or fraud, financial loss, reputational damage, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymisation or any other significant economic, moral or social damage to the
affected.
b) When the treatment could deprive those affected of their rights and freedoms
or it could prevent them from exercising control over their personal data.
c) When the treatment not merely incidental or accessory of the
special categories of data referred to in articles 9 and 10 of the Regulation
(EU) 2016/679 and 9 and 10 of this organic law or the data related to the commission
of administrative offenses.
d) When the treatment involves an evaluation of personal aspects of the
affected in order to create or use personal profiles thereof, in particular
by analyzing or predicting aspects of their performance at work,
your financial situation, your health, your personal preferences or interests, your reliability or
behavior, its financial solvency, its location or its movements.
e) When the data processing of affected groups is carried out in
situation of special vulnerability and, in particular, of minors and people with
disability.
f) When there is a massive treatment that involves a large number of
affected or involves the collection of a large amount of personal data.
g) When personal data were to be transferred, with character
customary, to third States or international organizations with respect to which there is no
declared an adequate level of protection.
h) Any others that in the opinion of the person in charge or the person in charge may have
relevance and in particular those provided for in defined codes of conduct and standards
by certification schemes.
Article 29. Assumptions of joint responsibility in the treatment.
The determination of the responsibilities referred to in article 26.1 of the
Regulation (EU) 2016/679 will be carried out according to the activities that effectively
develop each of the joint controllers of the treatment.
Article 30. Representatives of those responsible or in charge of the treatment do not
established in the European Union.
1. In the cases in which Regulation (EU) 2016/679 is applicable to a
controller or processor not established in the European Union by virtue of
the provisions of its article 3.2 and the treatment refers to those affected who are in
Spain, the Spanish Agency for Data Protection or, where appropriate, the authorities
regional data protection authorities may impose the representative, jointly and severally with
the person in charge of the treatment, the measures established in the Regulation
(EU) 2016/679.
Said requirement shall be understood without prejudice to the liability that may in its
case corresponds to the person in charge or the person in charge of the treatment and of the exercise by the
representative of the action of repetition in front of whoever proceeds.
2. Likewise, in the event of a liability requirement under the terms provided in
Article 82 of Regulation (EU) 2016/679, those responsible, managers and
Representatives will be jointly and severally liable for damages caused.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 25

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119812

Article 31. Registration of treatment activities.
1. Those responsible and in charge of the treatment or, where appropriate, their representatives
must maintain the record of treatment activities referred to in article 30
of Regulation (EU) 2016/679, unless the exception provided for in its
section 5.
The registry, which may be organized around structured data sets, must
specify, according to their purposes, the processing activities carried out and the
other circumstances established in the aforementioned regulation.
When the person in charge or the person in charge of the treatment has designated a
data protection officer must notify you of any addition, modification or
exclusion in the content of the registry.
2. The subjects listed in article 77.1 of this organic law will make public a
inventory of your treatment activities accessible by electronic means in which
The information established in article 30 of Regulation (EU) 2016/679 and its
legal base.
Article 32. Blocking of data.
1. The data controller will be obliged to block the data when
proceed to its rectification or deletion.
2. The blocking of the data consists of the identification and reservation of the same,
adopting technical and organizational measures, to prevent its treatment, including its
visualization, except for making the data available to judges and courts,
the Public Prosecutor's Office or the competent Public Administrations, in particular of the
data protection authorities, for the requirement of possible responsibilities
derived from the treatment and only for the prescription period of the same.
After this period, the data must be destroyed.
3. The blocked data may not be processed for any purpose other than
indicated in the previous section.
4. When for the fulfillment of this obligation, the configuration of the
information does not allow blocking or an adaptation is required that involves an effort
disproportionate, the information will be copied securely so that
there is digital evidence, or of another nature, that allows to accredit the authenticity of the
itself, the date of the blocking and the non-manipulation of the data during it.
5. The Spanish Agency for Data Protection and the regional authorities of
data protection, within the scope of their respective competences, may set
exceptions to the blocking obligation established in this article, in the cases in which
that, given the nature of the data or the fact that they refer to a number
particularly high number of affected, its mere conservation, even blocked, could
generate a high risk for the rights of those affected, as well as in those cases
in which the conservation of the blocked data could imply a cost
disproportionate for the person responsible for the treatment.
CHAPTER II
In charge of the treatment
Article 33. In charge of the treatment.
.boe.es

1. Access by a person in charge of treatment to the personal data that
are necessary for the provision of a service to the person in charge, it will not be considered
communication of data provided that the provisions of the Regulation are complied with
(EU) 2016/679, in this organic law and its implementing regulations.
2. You will be considered the person responsible for the treatment and not the person in charge.
who in his own name and without stating that he acts on behalf of another, establishes

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 26

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119813

relationships with those affected even when there is a contract or legal act with the content
set in article 28.3 of Regulation (EU) 2016/679. This forecast will not be applicable
to the treatment orders carried out within the framework of the contracting legislation of the
public sector.
The person responsible for the treatment will also be considered
as a manager, he uses the data for his own purposes.
3. The person responsible for the treatment will determine whether, when the provision of the
services of the manager, personal data must be destroyed, returned to the
responsible or handed over, where appropriate, to a new manager.
The destruction of the data will not proceed when there is a legal provision that requires
to their conservation, in which case they must be returned to the person in charge, who will guarantee their
conservation as long as such obligation persists.
4. The person in charge of the treatment may keep, duly blocked, the data
as long as responsibilities may arise from their relationship with the person responsible for the
treatment.
5. In the field of the public sector, the competences of a
in charge of the treatment to a certain body of the General Administration of the
State, the Administration of the autonomous communities, the Entities that make up the
Local Administration or the Organizations linked or dependent on them
through the adoption of a regulatory norm of said competences, which must
incorporate the content required by article 28.3 of Regulation (EU) 2016/679.
CHAPTER III
Data protection officer
Article 34. Appointment of a data protection officer.
1. Those responsible and in charge of the treatment must designate a delegate of
data protection in the cases provided for in article 37.1 of the Regulation
(EU) 2016/679 and, in any case, in the case of the following entities:
a) Professional associations and their general councils.
b) Educational centers that offer education at any of the levels
established in the legislation regulating the right to education, as well as the
Public and private universities.
c) Entities that operate networks and provide communications services
electronic devices in accordance with the provisions of its specific legislation, when they deal regularly and
systematically personal data on a large scale.
d) The information society service providers when they prepare
large-scale profiles of service users.
e) The entities included in article 1 of Law 10/2014, of June 26, of
organization, supervision and solvency of credit institutions.
f) Financial credit institutions.
g) Insurance and reinsurance entities.
h) Investment services companies, regulated by Market legislation
of Securities.
i) The distributors and marketers of electrical energy and the distributors and
natural gas traders.
j) The entities responsible for common files for the assessment of solvency
assets and credit or common files for the management and prevention of fraud,
including those responsible for the files regulated by prevention legislation
money laundering and terrorist financing.
k) The entities that carry out advertising and commercial prospecting activities,
including those of commercial and market research, when they carry out

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 27

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119814

treatments based on the preferences of those affected or carry out activities that
involve the elaboration of profiles of the same.
l) Health centers legally obliged to maintain records
patient clinics.
Health professionals are excepted who, even though they are legally obliged to
maintenance of the medical records of patients, carry out their activity as a
individual.
m) The entities that have as one of their objects the issuance of reports
commercial that may refer to natural persons.
n) Operators that develop gambling activity through channels
electronic, computer, telematic and interactive, in accordance with regulatory standards
of the game.
ñ) Private security companies.
o) Sports federations when they process data of minors.
2. Those responsible or in charge of the treatment not included in the previous paragraph
may voluntarily designate a data protection officer, who will remain
subject to the regime established in Regulation (EU) 2016/679 and in this law
organic.
3. Those responsible and in charge of the treatment will communicate within ten
days to the Spanish Agency for Data Protection or, where appropriate, to the authorities
autonomic data protection, the designations, appointments and dismissals of the
data protection delegates both in the cases in which they are obliged
to their appointment as in the case in which it is voluntary.
4. The Spanish Agency for Data Protection and the regional authorities of
data protection will maintain, within the scope of their respective competences, a list
updated data protection delegates that will be accessible by means of
electronic
5. In compliance with the obligations of this article, those responsible and
those in charge of the treatment may establish full or part-time dedication
of the delegate, among other criteria, depending on the volume of treatments, the category
of the data processed or of the risks to the rights or freedoms of the
interested.
Article 35. Qualification of the data protection officer.
Compliance with the requirements established in article 37.5 of the Regulation
(EU) 2016/679 for the appointment of the data protection officer, be it a person
physical or legal, it may be demonstrated, among other means, through mechanisms
certification volunteers who will take particular account of obtaining a certification
university degree that certifies specialized knowledge in law and
practice in data protection.
Article 36. Position of the data protection officer.
1. The data protection officer will act as the interlocutor of the person in charge or
in charge of the treatment before the Spanish Agency for Data Protection and the
Autonomous data protection authorities. The delegate may inspect the
procedures related to the purpose of this organic law and issue
recommendations within the scope of their competences.
2. In the case of a natural person integrated in the organization of the person in charge
or in charge of the treatment, the data protection delegate may not be removed or
sanctioned by the person in charge or the person in charge for performing their functions unless
incur in fraud or gross negligence in its exercise. The independence of the
data protection officer within the organization, avoiding any
conflict of interests.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 28

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119815

3. In the exercise of their functions, the data protection officer will have access
to personal data and treatment processes, not being able to oppose this access the
responsible or the person in charge of the treatment the existence of any duty of
confidentiality or secrecy, including that provided for in article 5 of this organic law.
4. When the data protection officer appreciates the existence of a
relevant violation in terms of data protection will document and communicate it
immediately to the administrative and management bodies of the person in charge or the
in charge of the treatment.
Article 37. Intervention of the data protection officer in the event of a claim
before the data protection authorities.
1. When the person in charge or the person in charge of the treatment has designated a
data protection officer the affected party may, prior to the presentation
of a claim against those before the Spanish Agency for Data Protection or,
where appropriate, before the regional data protection authorities, contact the delegate
of data protection of the entity against which the claim is made.
In this case, the data protection officer will inform the affected party of the decision
that had been adopted within a maximum period of two months from receipt
of the claim.
2. When the affected party files a claim with the Spanish Agency for
Data Protection or, where appropriate, before the regional authorities for the protection of
data, they may refer the claim to the data protection officer in order to
that it responds within a month.
If after this period the data protection officer has not communicated
to the competent data protection authority the response given to the claim,
said authority will continue the procedure in accordance with the provisions of Title VIII of
this organic law and its implementing regulations.
3. The procedure before the Spanish Agency for Data Protection will be the
established in Title VIII of this organic law and its implementing regulations. In addition,
The autonomous communities will regulate the corresponding procedure before their
Autonomous data protection authorities.
CHAPTER IV
Codes of conduct and certification
Article 38. Codes of conduct.
1. The codes of conduct regulated by section 5 of Chapter IV of the
Regulation (EU) 2016/679 will be binding for those who adhere to them.
Said codes may be equipped with mechanisms for extrajudicial resolution of
conflicts.
2. Said codes may be promoted, in addition to by associations and organizations
referred to in article 40.2 of Regulation (EU) 2016/679, by companies or groups
of companies as well as by the managers or managers referred to in the
Article 77.1 of this organic law.
Likewise, they may be promoted by the organizations or entities that assume the
functions of supervision and extrajudicial resolution of conflicts referred to in the
Article 41 of Regulation (EU) 2016/679.
Those responsible or in charge of the treatment that adhere to the code of conduct
They are obliged to submit to the supervisory body or entity the claims that they
were formulated by those affected in relation to the data processing included in
its scope of application if it is considered that it is not appropriate to attend to what is requested in
the claim, without prejudice to the provisions of article 37 of this organic law. What's more,
without prejudice to the powers conferred by Regulation (EU) 2016/679 to the

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 29

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119816

data protection authorities, may voluntarily and before carrying out the
treatment, submit to the aforementioned supervisory body or entity the verification of the
compliance of the same with the matters subject to the code of conduct.
In the event that the supervisory body or entity rejects or rejects the
claim, or if the controller or processor does not submit the claim to
his decision, the affected party may formulate it before the Spanish Agency for Data Protection
or, where appropriate, the regional data protection authorities.
The competent data protection authority will verify that the bodies or
entities that promote codes of conduct have endowed these codes of conduct
supervisory bodies that meet the requirements established in article 41.2 of the
Regulation (EU) 2016/679.
3. The codes of conduct will be approved by the Spanish Protection Agency
of Data or, where appropriate, by the competent regional data protection authority.
4. The Spanish Agency for Data Protection or, where appropriate, the authorities
regional data protection authorities will submit the code projects to the mechanism of
coherence mentioned in article 63 of Regulation (EU) 2016/679 in the cases
in which it proceeds according to its article 40.7. The procedure will be suspended as long as
the European Data Protection Committee does not issue the opinion to which the
Articles 64.1.b) and 65.1.c) of the aforementioned regulation.
When it is an autonomous data protection authority that submits the
draft code to the coherence mechanism, the provisions of article 60 will apply
of this organic law.
5. The Spanish Agency for Data Protection and the regional authorities of
data protection will keep records of the codes of conduct approved by the
themselves, which will be interconnected with each other and coordinated with the registry managed by
the European Data Protection Committee in accordance with article 40.11 of the aforementioned regulation.
The registry will be accessible through electronic means.
6. By royal decree the content of the registry and the specialties will be established.
of the procedure for the approval of codes of conduct.
Article 39. Accreditation of certification institutions.
Without prejudice to the functions and accreditation powers of the supervisory authority
competent under articles 57 and 58 of Regulation (EU) 2016/679, the
accreditation of the certification institutions referred to in article 43.1 of the
said regulation may be carried out by the National Accreditation Entity
(ENAC), which will notify the Spanish Data Protection Agency and the authorities
of data protection of the autonomous communities concessions, denials or
revocation of accreditations, as well as their motivation.
TITLE VI
International data transfers
Article 40. Regime of international data transfers.
International data transfers will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law and its implementing regulations
approved by the Government, and in the circulars of the Spanish Agency for the Protection of
Data and the regional data protection authorities, within the scope of their
respective competencies.
In any case, the treatments in which the transfer itself consists of the
provisions contained in said standards, in particular those that regulate the principles of
Data Protection.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 30

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119817

Article 41. Cases of adoption by the Spanish Agency for Data Protection.
1. The Spanish Agency for Data Protection and the regional authorities of
data protection may adopt, in accordance with the provisions of article 46.2.c) of the
Regulation (EU) 2016/679, standard contractual clauses for the performance of
international data transfers, which will be previously submitted to the opinion of the
European Data Protection Committee provided for in article 64 of the aforementioned regulation.
2. The Spanish Agency for Data Protection and the regional authorities of
data protection may approve binding corporate regulations in accordance with the
provided for in article 47 of Regulation (EU) 2016/679.
The procedure will begin at the request of an entity located in Spain and will have a
maximum duration of nine months. It will be suspended as a result of the
Referral of the file to the European Data Protection Committee to issue the
opinion referred to in article 64.1.f) of Regulation (EU) 2016/679, and will continue
after notification to the Spanish Data Protection Agency or the authority
Autonomous competent data protection authority.
Article 42. Cases subject to prior authorization from the protection authorities
of data.
1. International data transfers to countries or organizations
international organizations that do not have an adequacy decision approved by the Commission or
that are not covered by any of the guarantees provided in the previous article and in the
Article 46.2 of Regulation (EU) 2016/679, will require prior authorization from the
Spanish Data Protection Agency or, where appropriate, regional authorities of
data protection, which may be granted in the following cases:
a) When the transfer is intended to be based on the provision of guarantees
adequate based on contractual clauses that do not correspond to the
Standard clauses provided for in article 46.2, letters c) and d), of Regulation (EU) 2016/679.
b) When the transfer is carried out by one of those responsible or
managers referred to in article 77.1 of this organic law and is based on
provisions incorporated into non-normative international agreements with other
authorities or public bodies of third States, which incorporate effective rights
and enforceable for those affected, including memoranda of understanding.
The procedure will have a maximum duration of six months.
2. The authorization shall be subject to issuance by the European Committee of
Data Protection of the opinion referred to in articles 64.1.e), 64.1.f) and 65.1.c)
of Regulation (EU) 2016/679. The referral of the file to the aforementioned committee will imply the
suspension of the procedure until the opinion is notified to the Spanish Agency
of Data Protection or, through it, to the competent control authority,
in your case.
Article 43. Cases submitted to prior information to the protection authority of
competent data.
Those responsible for the treatment must inform the Spanish Agency of
Data Protection or, where appropriate, the regional data protection authorities,
of any international transfer of data that they intend to carry out on the
basis of need for purposes related to compelling legitimate interests
pursued by those and the concurrence of the rest of the requirements provided in the last
paragraph of article 49.1 of Regulation (EU) 2016/679. Likewise, they will inform the
affected by the transfer and the compelling legitimate interests pursued.
This information must be provided prior to the completion of the
transfer.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 31

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119818

The provisions of this article will not apply to the activities carried out.
by public authorities in the exercise of their public powers, in accordance with the
Article 49.3 of Regulation (EU) 2016/679.
TITLE VII
Data protection authorities
CHAPTER I
The Spanish Agency for Data Protection
Section 1. General provisions
Article 44. General provisions.
1. The Spanish Agency for Data Protection is an administrative authority
independent state level, from those provided for in Law 40/2015, of October 1, of
Legal Regime of the Public Sector, with legal personality and full public capacity
and private, which acts with full independence from the public powers in the exercise of
its functions.
Its official name, in accordance with the provisions of article 109.3 of the
Law 40/2015, of October 1, on the Legal Regime of the Public Sector, will be «Agency
Spanish Data Protection, Independent Administrative Authority ».
It is related to the Government through the Ministry of Justice.
2. The Spanish Agency for Data Protection will have the status of representative
common of the data protection authorities of the Kingdom of Spain in the Committee
European Data Protection.
3. The Spanish Agency for Data Protection and the General Council of Power
Judicial will collaborate for the sake of the proper exercise of the respective powers that
Organic Law 6/1985, of July 1, of the Judicial Power, attributes to them in matters of protection
of personal data in the field of the Administration of Justice.
Article 45. Legal regime.
1. The Spanish Agency for Data Protection is governed by the provisions of the
Regulation (EU) 2016/679, this organic law and its development provisions.
In addition, as long as it is compatible with their full independence and without prejudice
of the provisions of article 63.2 of this organic law, will be governed by the rules cited in
Article 110.1 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public.
2. The Government, at the proposal of the Spanish Data Protection Agency, will approve
its Statute by royal decree.
Article 46. Economic, budgetary and personnel regime.
1. The Spanish Agency for Data Protection will prepare and approve your budget
and will forward it to the Government to be integrated, independently, in the Budgets
Generals of the State.
2. The regime of modifications and linking of the appropriations of your budget
will be established in the Statute of the Spanish Agency for Data Protection.
It is the responsibility of the Presidency of the Spanish Data Protection Agency to authorize
budgetary modifications involving up to three percent of the initial figure
of your total spending budget, as long as your spending credits are not increased
of personal. The remaining modifications that do not exceed five percent of the

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 32

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119819

budget will be authorized by the Ministry of Finance and, in other cases, by the
Government.
3. The Spanish Agency for Data Protection will count for compliance with its
purposes with the allocations established under the General Budgets
of the State, the goods and values ​that constitute its patrimony and the income, ordinary and
extraordinary events arising from the exercise of their activities, including those arising from
exercise of the powers established in article 58 of Regulation (EU) 2016/679.
4. The positive result of your income will be allocated by the Spanish Agency for
Data Protection for the provision of your reservations in order to guarantee their full
independence.
5. The staff at the service of the Spanish Data Protection Agency will be
civil servant or labor and will be governed by the provisions of the consolidated text of the Statute Law
Basic of the Public Employee, approved by Royal Legislative Decree 5/2015, of 30
October, and other regulations governing public officials and, where appropriate, by the
labor regulations.
6. The Spanish Agency for Data Protection will prepare and approve your relationship of
jobs, within the framework of the criteria established by the Ministry of Finance,
respecting the personnel expense limit established in the budget. In said relationship
of jobs will consist, in any case, those positions that must be
performed exclusively by public officials, as they consist of the exercise of the
functions that imply direct or indirect participation in the exercise of powers
public interests and the safeguarding of the general interests of the State and the Administrations
Public.
7. Without prejudice to the powers conferred on the Court of Auditors, the management
economic-financial of the Spanish Agency for Data Protection will be subject to the
control of the General Intervention of the State Administration in the terms that
establishes Law 47/2003, of November 26, General Budgetary.
Article 47. Functions and powers of the Spanish Agency for Data Protection.
It is the responsibility of the Spanish Data Protection Agency to supervise the application
of this organic law and of Regulation (EU) 2016/679 and, in particular, to exercise the functions
established in article 57 and the powers provided in article 58 of the same
regulation, in this organic law and in its development provisions.
Likewise, it corresponds to the Spanish Agency for Data Protection the performance
of the functions and powers attributed to it by other laws or regulations of the Law of the
European Union.
Article 48. The Presidency of the Spanish Agency for Data Protection.
1. The Presidency of the Spanish Data Protection Agency directs it, holds it
its representation and dictates its resolutions, circulars and guidelines.
2. The Presidency of the Spanish Data Protection Agency will be assisted
by a Deputy to whom he may delegate his functions, with the exception of those related to
the procedures regulated by Title VIII of this organic law, and that will replace it in
the exercise of the same in the terms provided in the Organic Statute of the Agency
Spanish Data Protection.
Both will exercise their functions with full independence and objectivity and will not be
subject to any instruction in their performance. Regulatory legislation will be applicable to them
of the exercise of the high position of the General Administration of the State.
3. The Presidency of the Spanish Data Protection Agency and its Deputy will be
appointed by the Government, at the proposal of the Ministry of Justice, among persons of
recognized professional competence, in particular in the field of data protection.
Two months before the expiration of the mandate or, in all other cases
of termination, when this has occurred, the Ministry of Justice will order the publication
in the Official State Gazette of the public call for candidates.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 33

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119820

After evaluation of the merit, capacity, competence and suitability of the candidates,
The Government will submit to the Congress of Deputies a proposal for the Presidency and Deputy
accompanied by a supporting report that, after holding the mandatory hearing
of the candidates, must be ratified by the Justice Commission in a public vote by
majority of three-fifths of its members in the first vote or, if this is not reached,
by an absolute majority in a second ballot, which will take place immediately after
the first. In the latter case, the favorable votes must come from Deputies
belonging to at least two different parliamentary groups.
4. The Presidency and the Deputy of the Spanish Agency for Data Protection will be
appointed by the Council of Ministers by royal decree.
5. The mandate of the Presidency and the Deputy of the Spanish Protection Agency
of Data has a duration of five years and can be renewed for another period of
equal duration.
The Presidency and the Deputy will only cease before the expiration of their mandate, to
own request or by separation agreed by the Council of Ministers, by:
a) Serious breach of its obligations,
b) supervening incapacity for the exercise of his function,
c) incompatibility, or
d) final conviction for intentional crime.
In the cases provided for in letters a), b) and c), the ratification of the
separation by the parliamentary majorities provided for in section 3 of this article.
6. The acts and provisions issued by the Presidency of the Spanish Agency for
Data Protection put an end to the administrative route, being actionable, directly,
before the Contentious-Administrative Chamber of the National Court.
Article 49. Advisory Council of the Spanish Agency for Data Protection.
1. The Presidency of the Spanish Data Protection Agency will be advised
by an Advisory Council composed of the following members:
a) A Deputy, proposed by the Congress of Deputies.
b) A Senator, proposed by the Senate.
c) A representative appointed by the General Council of the Judiciary.
d) A representative of the General State Administration with experience in the
matter, proposed by the Minister of Justice.
e) A representative of each Autonomous Community that has created an Authority
of data protection in its territorial scope, proposed in accordance with what is established
the respective Autonomous Community.
f) An expert proposed by the Spanish Federation of Municipalities and Provinces.
g) An expert proposed by the Council of Consumers and Users.
h) Two experts proposed by Business Organizations.
i) A representative of data protection and privacy professionals,
proposed by the state-level association with the largest number of associates.
j) A representative of the supervisory and resolution bodies or entities
extrajudicial of conflicts foreseen in Chapter IV of Title V, proposed by the Minister
of Justice.
k) An expert, proposed by the Conference of Rectors of the Universities
Spanish.
l) A representative of the organizations that group the General Councils,
Superiors and Professional Associations of state scope of the different professions
collegiate, proposed by the Minister of Justice.
m) A representative of information security professionals,
proposed by the state-level association with the largest number of associates.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 34

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119821

n) An expert in transparency and access to public information proposed by the
Council for Transparency and Good Governance.
ñ) Two experts proposed by the most representative union organizations.
2. For the purposes of the previous section, the condition of expert will require proof
specialized knowledge in law and practice in the field of protection of
data through professional or academic exercise.
3. The members of the Advisory Council shall be appointed by order of the Minister of
Justice, published in the Official State Gazette.
4. The Advisory Council will meet when so ordered by the Presidency of the
Spanish Data Protection Agency and, in any case, once a semester.
5. The decisions taken by the Advisory Council will not have in any case
binding character.
6. In everything not provided for by this organic law, the regime, powers and
functioning of the Advisory Council will be those established in the Organic Statute of
the Spanish Agency for Data Protection.
Article 50. Advertising.
The Spanish Agency for Data Protection will publish the resolutions of its
Presidency that declare there is place or not for the attention of the rights recognized in
Articles 15 to 22 of Regulation (EU) 2016/679, which put an end to the procedures
claims, those that file the previous investigation actions, those that
sanction with warning the entities referred to in article 77.1 of this law
organic, those that impose precautionary measures and the others provided by its Statute.
Section 2. Investigation powers and preventive audit plans
Article 51. Scope and competent personnel.
1. The Spanish Agency for Data Protection will develop its activity of
investigation through the actions provided for in Title VIII and the
preventive audits.
2. The investigation activity will be carried out by the officials of the Agency.
Spanish Data Protection or by officials outside it expressly authorized
for his Presidency.
3. In cases of joint investigation actions in accordance with the provisions
in Article 62 of Regulation (EU) 2016/679, the staff of the supervisory authorities
from other Member States of the European Union that collaborate with the Spanish Agency for
Data Protection will exercise its powers in accordance with the provisions of this law
organic and under the guidance and in the presence of its staff.
4. Officials who carry out investigation activities will have the
consideration of agents of the authority in the exercise of their functions, and will be
obliged to keep secret the information they know on the occasion of said
exercise, even after you've stopped.
Article 52. Duty of collaboration.
1. Public Administrations, including tax and Social Security, and
Individuals will be obliged to provide the Spanish Agency for the Protection of
Data the data, reports, antecedents and supporting documents necessary to carry out your
research activity.
When the information contains personal data, the communication of said data
It will be covered by the provisions of article 6.1 c) of Regulation (EU) 2016/679.
2. In the framework of the preliminary investigation actions, when it has not been possible to
carry out the identification by other means, the Spanish Agency for Data Protection
may collect from Public Administrations, including tax and Security

Page 35

STATE OFFICIAL NEWSLETTER

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

No. 294

Thursday 6 December 2018

Sec. I. Page 119822

Social, the information and data that are essential for the exclusive purpose of
achieve the identification of those responsible for the behaviors that could be constitutive
of infringement of Regulation (EU) 2016/679 and of this organic law.
In the case of the Tax and Social Security Administrations, the
Information will be limited to that which is necessary to be able to unequivocally identify
Against whom should the action of the Spanish Data Protection Agency be directed in
the assumptions of the creation of corporate networks that make it difficult to know
direct of the alleged person responsible for the conduct contrary to Regulation (EU) 2016/679 and
to this organic law.
3. When it has not been possible to carry out the identification by other means, the Agency
Spanish Data Protection may collect from operators that provide services
electronic communications available to the public and service providers
the information society the data that are in its possession and that result
essential for the identification of the person presumed responsible for the conduct contrary to the
Regulation (EU) 2016/679 and this organic law when it has been carried out
through the use of an information society service or carrying out
an electronic communication. For this purpose, the data that the Spanish Agency for
Data Protection may be collected under this section are the following:
a) When the conduct had been carried out through the use of a service of
landline or mobile phone:
1.º The telephone number of origin of the call in case it is
would have hidden.
2. The name, identification document number and address of the subscriber or user
registered to that phone number.
3.º The mere confirmation that a specific call has been made between two
numbers at a certain date and time.
b) When the conduct was carried out through the use of a service of
the society of the information:
1.º The identification of the Internet protocol address from which the
carried out the conduct and the date and time of its completion.
2. If the conduct had been carried out by email, the
identification of the Internet protocol address from which the account was created
email and the date and time it was created.
3. The name, identification document number and address of the subscriber or the
registered user who has been assigned the Internet Protocol address to the
referred to in the two previous paragraphs.
These data must be transferred, prior motivated request of the Agency.
Spanish Data Protection, exclusively within the framework of actions of
investigation initiated as a result of a complaint filed by an affected
regarding a conduct of a legal person or regarding the use of systems
that allow the unrestricted disclosure of personal data. In the rest of the
assumptions the transfer of these data will require the prior obtaining of judicial authorization
granted in accordance with the procedural rules when it is enforceable.
Excluded from the provisions of this section are the traffic data that the
operators were dealing with the sole purpose of complying with the
Obligations provided for in Law 25/2007, of October 18, on data conservation
relating to electronic communications and public communications networks,
whose assignment may only take place in accordance with the provisions of it, prior
judicial authorization requested by one of the authorized agents referred to in the
Article 6 of said law.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 36

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119823

Article 53. Scope of the investigation activity.
1. Those who carry out the research activity may collect the information
required for the fulfillment of their functions, carry out inspections, require the
exhibition or dispatch of the necessary documents and data, examine them on the spot in
that are deposited or where the treatments are carried out, obtain
copy of them, inspect the physical and logical equipment and require the execution of
treatments and treatment management and support programs or procedures subject to
investigation.
2. When access is necessary by the personnel who carry out the activity of
investigation to the constitutionally protected domicile of the inspected person, it will be necessary
have your consent or have obtained the corresponding judicial authorization.
3. In the case of judicial bodies or judicial offices, the exercise of the
Inspection powers will be carried out through and through the General Council of the
Power of attorney.
Article 54. Audit plans.
1. The Presidency of the Spanish Data Protection Agency may agree on the
realization of preventive audit plans, referring to the treatments of a sector
concrete activity. Their purpose will be to analyze compliance with the provisions
of Regulation (EU) 2016/679 and of this organic law, as of the completion of
investigation activities on entities belonging to the inspected sector or
on those responsible for the audit.
2. As a result of the audit plans, the Presidency of the Spanish Agency for
Data Protection may dictate general or specific guidelines for a specific
responsible or in charge of the necessary treatments to ensure full adaptation
of the sector or responsible to Regulation (EU) 2016/679 and to this organic law.
In preparing these guidelines, the Presidency of the Spanish Agency for
Data Protection may request the collaboration of the supervisory bodies of
codes of conduct and extrajudicial conflict resolution, if any.
3. The guidelines will be mandatory for the sector or manager to whom
the audit plan refers.
Section 3. Other powers of the Spanish Data Protection Agency
Article 55. Regulatory powers. Circulars of the Spanish Protection Agency
of data.
1. The Presidency of the Spanish Data Protection Agency may dictate
provisions that establish the criteria to which the actions of this authority will respond in the
application of the provisions of Regulation (EU) 2016/679 and in this organic law,
which will be called "Circulars of the Spanish Agency for Data Protection".
2. Its preparation will be subject to the procedure established in the Statute of the
Spanish Data Protection Agency, which must provide the technical reports and
that were necessary and the audience to the interested parties.
3. The circulars will be mandatory once published in the Official Gazette of the
Condition.
Article 56. Foreign action.

.boe.es

1. It corresponds to the Spanish Agency for Data Protection the ownership and the
exercise of the functions related to the foreign action of the State in matters of
Data Protection.
Also to the autonomous communities, through the autonomous authorities of
data protection, they are responsible for exercising their functions as subjects of foreign action
within the framework of its powers in accordance with the provisions of Law 2/2014, of 25

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 37

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119824

March, the Action and the Foreign Service of the State, as well as entering into agreements
administrative procedures in execution and concretion of an international treaty and
Non-normative agreements with analogous bodies of other subjects of law
international, not legally binding for those who subscribe, on matters of
its competence within the framework of Law 25/2014, of November 27, on Treaties and other
International Agreements.
2. The Spanish Data Protection Agency is the competent body for the
protection of natural persons with regard to the processing of personal data
derived from the application of any International Convention to which the Kingdom is a party
of Spain that attributes to a national supervisory authority that competence and the
common representative of the Data Protection authorities in the European Committee of
Data Protection, in accordance with the provisions of article 68.4 of the Regulation
(EU) 2016/679.
The Spanish Agency for Data Protection will inform the regional authorities
protection of data about the decisions taken in the European Committee of
Data Protection and will seek your opinion when it comes to matters within its competence.
3. Without prejudice to the provisions of section 1, the Spanish Protection Agency
of data:
a) Participate in international meetings and forums other than that of the Union
European Union established by common agreement by the independent control authorities in
data protection matters.
b) Participate, as a Spanish authority, in international organizations
competent in data protection matters, in committees or working groups, of
study and collaboration of international organizations that deal with matters that
affect the fundamental right to the protection of personal data and in other forums or
international working groups, within the framework of the State's foreign action.
c) Collaborate with authorities, institutions, agencies and Administrations of other
States in order to promote, promote and develop the fundamental right to protection
of data, in particular in the Ibero-American area, being able to sign agreements
administrative and non-normative international regulations on the matter.
CHAPTER II
Autonomous data protection authorities
Section 1. General provisions
Article 57. Autonomous data protection authorities.
1. The regional authorities for the protection of personal data may exercise,
the functions and powers established in articles 57 and 58 of the Regulation
(EU) 2016/679, in accordance with regional regulations, when they refer to:
a) Treatments for which the entities that make up the sector are responsible
public of the corresponding Autonomous Community or of the Local Entities included
in their territorial scope or those who provide services through any form of management
direct or indirect.
b) Treatments carried out by natural or legal persons for the exercise of
public functions in matters that are the competence of the corresponding
Autonomous or Local Administration.
c) Treatments that are expressly provided, where appropriate, in the
respective Statutes of Autonomy.

.boe.es

2. The regional data protection authorities may dictate, in relation to
with the treatments submitted to its competence, circulate with the scope and effects
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 38

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119825

established for the Spanish Data Protection Agency in article 55 of this law
organic.
Article 58. Institutional cooperation.
The Presidency of the Spanish Agency for Data Protection will convene, by
own initiative or when requested by another authority, to the autonomous authorities of
data protection to contribute to the consistent application of Regulation (EU) 2016/679
and of the present organic law. In any case, biannual meetings of
cooperation.
The Presidency of the Spanish Data Protection Agency and the authorities
regional data protection authorities may request and must mutually exchange
the information necessary for the fulfillment of its functions and, in particular, the relative
to the activity of the European Data Protection Committee. Likewise, they may constitute
working groups to deal with specific matters of common interest.
Article 59. Treatments contrary to Regulation (EU) 2016/679.
When the Presidency of the Spanish Data Protection Agency considers that
a treatment carried out in matters that were the competence of the authorities
autonomic data protection rules violates Regulation (EU) 2016/679 may
require them to adopt, within a month, the necessary measures for their
cessation.
If the regional authority does not respond to the request or the measures
adopted do not suppose the cessation of the illicit treatment, the Spanish Agency for
Data Protection may exercise the actions that proceed before the jurisdiction
contentious-administrative.
Section 2. Coordination within the framework of the procedures established in the
Regulation (EU) 2016/679
Article 60. Coordination in the event of issuance of an opinion by the European Committee of
Data Protection.
All data protection procedures will be carried out through the Spanish Data Protection Agency.
communications between the European Data Protection Committee and the authorities
autonomic data protection authorities when they, as competent authorities, must
submit their draft decision to the aforementioned committee or request the examination of a matter in
by virtue of the provisions of paragraphs 1 and 2 of Article 64 of the Regulation
(EU) 2016/679.
In these cases, the Spanish Data Protection Agency will be assisted by a
representative of the Autonomous Authority in his speech before the Committee.
Article 61. Intervention in case of cross-border processing.
1. The regional data protection authorities will hold the status of
main supervisory authority or interested in the procedure established by the
Article 60 of Regulation (EU) 2016/679 when it refers to a treatment provided in
Article 57 of this organic law that will be carried out by a person in charge or in charge
of the treatment of those provided for in article 56 of Regulation (EU) 2016/679, except that
significantly develop treatments of the same nature in the rest of the territory
Spanish.
2. In these cases, it will be the responsibility of the regional authorities to intervene in the
procedures established in article 60 of Regulation (EU) 2016/679, informing
to the Spanish Agency for Data Protection about its development in the cases in which
the consistency mechanism should be applied.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 39

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119826

Article 62. Coordination in case of conflict resolution by the European Committee of
Data Protection.
1. They will be practiced through the Spanish Agency for Data Protection all
communications between the European Data Protection Committee and the authorities
autonomic data protection authorities when these, as main authorities, must
request from the aforementioned Committee the issuance of a binding decision as provided in the
Article 65 of Regulation (EU) 2016/679.
2. The regional data protection authorities that have the status of
non-main interested authority in a procedure of those provided for in article 65 of the
Regulation (EU) 2016/679 will inform the Spanish Agency for Data Protection
When the matter is referred to the European Data Protection Committee, facilitating the
documentation and information necessary for its processing.
The Spanish Data Protection Agency will be assisted by a representative of the
Autonomous authority interested in your intervention before the aforementioned committee.
TITLE VIII
Procedures in case of possible violation of the protection regulations of
data
Article 63. Legal regime.
1. The provisions of this Title shall apply to the procedures
processed by the Spanish Agency for Data Protection in the cases in which
an affected party claims that their request to exercise their rights has not been addressed
recognized in articles 15 to 22 of Regulation (EU) 2016/679, as well as those that
that investigates the existence of a possible infringement of the provisions of the aforementioned
regulation and in this organic law.
2. The procedures processed by the Spanish Agency for Data Protection are
shall be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by
the regulatory provisions issued in its development and, insofar as they do not contradict them,
in the alternative, by the general rules on procedures
administrative.
3. The Government shall regulate by royal decree the procedures processed by the Agency.
Spanish Data Protection Protection under this Title, ensuring in any case the
defense and hearing rights of the interested parties.
Article 64. Form of initiation of the procedure and duration.
1. When the procedure refers exclusively to the lack of attention of a
request to exercise the rights established in articles 15 to 22 of the Regulation
(EU) 2016/679, will start by agreement of admission for processing, which will be adopted in accordance with
what is established in article 65 of this organic law.
In this case, the term to resolve the procedure will be six months from
from the date the claimant was notified of the admission agreement to
Procedure. After this period, the interested party may consider his claim upheld.
2. When the purpose of the procedure is to determine the possible existence
of an infringement of the provisions of Regulation (EU) 2016/679 and this law
organic, will be initiated by means of an initiation agreement adopted on its own initiative or as
consequence of claim.
If the procedure is based on a claim made before the Agency
Spanish Data Protection, in advance, this will decide on your admission to
procedure, in accordance with the provisions of article 65 of this organic law.
When the rules established in Article 60 of the Regulation apply
(EU) 2016/679, the procedure will begin by adopting the draft agreement

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 40

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119827

initiation of the sanctioning procedure, of which the interested party will be formally informed
for the purposes provided in article 75 of this organic law.
The claim is admitted for processing as well as in the cases in which the Agency
Spanish Data Protection Act on its own initiative, prior to the agreement
Initially, there may be a preliminary investigation phase, which will be governed by
the provisions of article 67 of this organic law.
The procedure will have a maximum duration of nine months from the date
of the initiation agreement or, where appropriate, the draft initiation agreement. After that
term will expire and, consequently, the file of actions.
3. The procedure may also be processed as a result of the communication
to the Spanish Agency for Data Protection by the control authority of another
Member State of the European Union of the claim made before it, when
the Spanish Agency for Data Protection had the status of control authority
principal for the processing of a procedure in accordance with the provisions of articles
56 and 60 of Regulation (EU) 2016/679. In this case of application, it will be the provisions of the
section 1 and in the first, third, fourth and fifth paragraphs of section 2.
4. The processing periods established in this article as well as those for admission
procedure regulated by article 65.5 and duration of the previous actions of
investigation provided for in article 67.2, will be automatically suspended when
information, consultation, request for assistance or mandatory pronouncement must be collected
of a body or body of the European Union or of one or more control authorities
of the Member States in accordance with the provisions of Regulation (EU) 2016/679,
for the time between the request and the notification of the pronouncement to the Agency
Spanish Data Protection.
Article 65. Admission of claims for processing.
1. When a
claim, it must evaluate its admissibility for processing, in accordance with the
forecasts of this article.
2. The Spanish Agency for Data Protection will reject claims
presented when they do not relate to personal data protection issues,
are manifestly unfounded, abusive or do not provide rational evidence
of the existence of a violation.
3. Likewise, the Spanish Data Protection Agency may reject the
claim when the person in charge of the treatment, after warning
formulated by the Spanish Data Protection Agency, would have adopted the measures
corrective measures aimed at putting an end to possible non-compliance with the legislation of
data protection and any of the following circumstances concur:
a) That no damage has been caused to the affected party in the case of infractions
provided for in article 74 of this organic law.
b) That the right of the affected party is fully guaranteed through the application
of the measurements.
4. Before deciding on the admission for processing of the claim, the Agency
Spanish Data Protection may send the same to the delegate of protection of
data that may be, where appropriate, designated by the person in charge or in charge of the treatment or the
supervisory body established for the application of codes of conduct to
effects provided for in articles 37 and 38.2 of this organic law.
The Spanish Agency for Data Protection may also submit the claim
to the person in charge or in charge of the treatment when a delegate has not been appointed
protection of data or was adhered to mechanisms of extrajudicial resolution of
conflicts, in which case the person in charge or manager must respond to the claim
within a month.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 41

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119828

5. The decision on admission or inadmissibility for processing, as well as the one determined,
where appropriate, the referral of the claim to the main supervisory authority deemed
competent authority, the claimant must be notified within three months. If elapsed
This period does not occur such notification, it will be understood that the processing of
the claim in accordance with the provisions of this Title as of the date on which the
were three months after the claim was entered in the Spanish Agency for
Data Protection.
Article 66. Determination of the territorial scope.
1. Except in the cases referred to in article 64.3 of this organic law, the
Spanish Data Protection Agency must, prior to carrying out the
any other action, including the admission for processing of a claim or the initiation
of previous investigative actions, examine its competence and determine the nature of
national or cross-border, in any of its modalities, of the procedure to be followed.
2. If the Spanish Agency for Data Protection considers that you do not have the condition
of the main supervisory authority for the processing of the procedure will send, without further ado
procedure, the claim made to the main supervisory authority that considers
competent, so that it is given the appropriate course. The Spanish Agency for
Data Protection will notify this circumstance to whoever, if applicable, has formulated
the claim.
The agreement by which the referral referred to in the previous paragraph is resolved
will involve the provisional filing of the procedure, without prejudice to the fact that the Agency
Spanish Data Protection Issue, if applicable, the resolution to the
referred to in paragraph 8 of article 60 of Regulation (EU) 2016/679.
Article 67. Previous investigation actions.
1. Before the adoption of the agreement to initiate the procedure, and once admitted to
processing the claim, if any, the Spanish Data Protection Agency may
carry out preliminary investigation actions in order to achieve a better determination
of the facts and circumstances that justify the processing of the procedure.
The Spanish Agency for Data Protection will act in any case when necessary
the investigation of treatments that imply a massive traffic of personal data.
2. The preliminary investigation actions will be subject to the provisions of the
Section 2 of Chapter I of Title VII of this organic law and may not have a duration
more than twelve months from the date of the approval agreement for processing or the
date of the agreement by which its initiation is decided when the Spanish Agency for
Data Protection acts on its own initiative or as a result of communication
that had been sent to you by the supervisory authority of another Member State of the Union
European, in accordance with article 64.3 of this organic law.
Article 68. Agreement to initiate the procedure for the exercise of power
sanctioning.
1. Once, where appropriate, the actions referred to in the previous article,
It will correspond to the Presidency of the Spanish Agency for Data Protection, when
as appropriate, issue an agreement to initiate the procedure for the exercise of power
sanctioning, in which the facts will be specified, the identification of the person or entity
against which the procedure is directed, the offense that could have been committed and its
possible sanction.
2. When the Spanish Data Protection Agency holds the status of
main supervisory authority and the procedure provided for in article 60 must be followed
of Regulation (EU) 2016/679, the draft agreement to initiate the procedure
sanctioner shall be subject to the provisions therein.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 42

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119829

Article 69. Provisional measures and guarantee of rights.
1. While carrying out the preliminary investigation actions or initiating a
procedure for the exercise of sanctioning power, the Spanish Agency for
Data Protection may justifiably agree on the necessary provisional measures
and provided to safeguard the fundamental right to data protection and, in
those provided for in article 66.1 of Regulation (EU) 2016/679, the blocking
precautionary of the data and the immediate obligation to attend the requested right.
2. In cases where the Spanish Data Protection Agency considers that the
continuation of the processing of personal data, its communication or transfer
international will lead to a serious impairment of the right to data protection
personal data, may order those responsible or in charge of the treatments to block
of the data and the cessation of its treatment and, in case of breach by these said
mandates, proceed to immobilization.
3. When it has been submitted to the Spanish Agency for Data Protection
a claim that referred, among other issues, to the lack of attention within the
the rights established in articles 15 to 22 of Regulation (EU) 2016/679, the
Spanish Data Protection Agency may agree at any time, including
prior to the initiation of the procedure for the exercise of power
sanctioning, by means of a reasoned resolution and after hearing the person responsible for the
treatment, the obligation to comply with the requested right, continuing the procedure
regarding the rest of the issues that are the subject of the claim.
TITLE IX
Sanctions regime
Article 70. Responsible parties.
1. They are subject to the sanctioning regime established in Regulation (EU) 2016/679
and in this organic law:
a) Those responsible for the treatments.
b) Those in charge of the treatments.
c) The representatives of those responsible or in charge of the treatments do not
established in the territory of the European Union.
d) Certification entities.
e) Accredited entities for the supervision of codes of conduct.
2. The sanctioning regime will not apply to the data protection officer.
established in this Title.
Article 71. Infractions.
The acts and conducts referred to in sections 4, 5 constitute offenses.
and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to
the present organic law.
Article 72. Violations considered very serious.
1. In accordance with the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following:

.boe.es

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679.
b) The processing of personal data without any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 43

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119830

c) Failure to comply with the requirements of article 7 of the Regulation
(EU) 2016/679 for the validity of the consent.
d) The use of the data for a purpose that is not compatible with the purpose
for which they were collected, without the consent of the affected party or with a
legal basis for it.
e) The processing of personal data of the categories to which the
Article 9 of Regulation (EU) 2016/679, without any of the circumstances concurring
provided for in said precept and in article 9 of this organic law.
f) The processing of personal data related to convictions and criminal offenses or
related security measures outside the assumptions allowed by article 10 of the
Regulation (EU) 2016/679 and in article 10 of this organic law.
g) The processing of personal data related to infractions and sanctions
administrative outside the assumptions allowed by article 27 of this organic law.
h) The omission of the duty to inform the affected party about the processing of their data
personal in accordance with the provisions of articles 13 and 14 of Regulation (EU) 2016/679
and 12 of this organic law.
i) Violation of the duty of confidentiality established in article 5 of this
organic Law.
j) The requirement to pay a fee to provide the affected party with the information to which
refer to articles 13 and 14 of Regulation (EU) 2016/679 or by responding to requests
of the exercise of rights of those affected provided for in articles 15 to 22 of the Regulation
(EU) 2016/679, outside of the assumptions established in its article 12.5.
k) The impediment or the obstruction or the repeated neglect of the exercise of the
rights established in articles 15 to 22 of Regulation (EU) 2016/679.
l) The international transfer of personal data to a recipient who is
is located in a third country or an international organization, when the
guarantees, requirements or exceptions established in articles 44 to 49 of the Regulation
(EU) 2016/679.
m) Failure to comply with the resolutions issued by the protection authority of
competent data in the exercise of the powers conferred by article 58.2 of the
Regulation (EU) 2016/679.
n) Failure to comply with the obligation to block the data established in the
Article 32 of this organic law when it is required.
ñ) Not facilitating the access of the personnel of the data protection authority
competent to personal data, information, premises, equipment and means of treatment
that are required by the data protection authority for the exercise of their
investigative powers.
o) The resistance or obstruction of the exercise of the inspection function by the authority
competent data protection authority.
p) The deliberate reversal of an anonymization procedure in order to allow the
re-identification of those affected.
2. They will have the same consideration and will also prescribe after three years the
offenses referred to in article 83.6 of Regulation (EU) 2016/679.
Article 73. Violations considered serious.
In accordance with the provisions of article 83.4 of Regulation (EU) 2016/679,
considered serious and will prescribe after two years the infractions that suppose a
substantial violation of the articles mentioned therein and, in particular, the following:

.boe.es

a) The processing of personal data of a minor without collecting their
consent, when they have the capacity to do so, or that of the holder of their parental authority or
guardianship, in accordance with article 8 of Regulation (EU) 2016/679.
b) Failure to certify that reasonable efforts have been made to verify the validity of the
consent given by a minor or by the holder of his parental authority or

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 44

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119831

guardianship over the same, as required by article 8.2 of the Regulation
(EU) 2016/679.
c) The impediment or the obstruction or the repeated lack of attention to the rights of
access, rectification, deletion, limitation of the treatment or the portability of the data
in treatments in which the identification of the affected person is not required, when this, to
the exercise of these rights, has provided additional information that allows your
ID.
d) The lack of adoption of those technical and organizational measures that result
appropriate to effectively apply the principles of data protection from the
design, as well as the non-integration of the necessary guarantees in the treatment, in the
terms required by article 25 of Regulation (EU) 2016/679.
e) The lack of adoption of the appropriate technical and organizational measures to
guarantee that, by default, only the personal data necessary for each
one of the specific purposes of the treatment, as required by article 25.2 of the
Regulation (EU) 2016/679.
f) Failure to adopt technical and organizational measures that result
appropriate to guarantee a level of security appropriate to the risk of the treatment, in
the terms required by article 32.1 of Regulation (EU) 2016/679.
g) The breach, as a consequence of the lack of due diligence, of the
technical and organizational measures that have been implemented as required by the
Article 32.1 of Regulation (EU) 2016/679.
h) Failure to comply with the obligation to appoint a representative of the person in charge
or in charge of the treatment not established in the territory of the European Union, according to
to the provisions of article 27 of Regulation (EU) 2016/679.
i) The lack of attention by the representative in the Union of the person in charge or the
in charge of the treatment of the requests made by the protection authority of
data or by those affected.
j) The hiring by the person in charge of the treatment of a person in charge of treatment
that does not offer sufficient guarantees to apply the technical and organizational measures
appropriate in accordance with the provisions of Chapter IV of Regulation (EU) 2016/679.
k) Entrusting the processing of data to a third party without the prior formalization of a
contract or other written legal act with the content required by article 28.3 of the
Regulation (EU) 2016/679.
l) The hiring by a person in charge of the treatment of other managers without counting
with the prior authorization of the person in charge, or without having informed him about the changes
produced in subcontracting when legally required.
m) The infringement by a person in charge of the treatment of the provisions of the Regulation
(EU) 2016/679 and in this organic law, when determining the purposes and means of the
treatment, in accordance with the provisions of article 28.10 of the aforementioned regulation.
n) Not having the record of treatment activities established in article 30
of Regulation (EU) 2016/679.
ñ) Not to make available to the data protection authority that has it
requested, the registration of processing activities, in accordance with section 4 of article 30
of Regulation (EU) 2016/679.
o) Failure to cooperate with the control authorities in the performance of their functions in
the assumptions not provided for in article 72 of this organic law.
p) The processing of personal data without carrying out a prior assessment of the
elements mentioned in article 28 of this organic law.
q) Failure to comply with the duty of the person in charge of the treatment to notify the
responsible for the treatment of security violations of which he had knowledge.
r) Failure to comply with the duty to notify the data protection authority
of a personal data security breach in accordance with the provisions of
Article 33 of Regulation (EU) 2016/679.
s) Failure to comply with the duty to notify the affected party of a violation of the
data security in accordance with the provisions of article 34 of the Regulation

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 45

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119832

(EU) 2016/679 if the data controller had been required by the authority of
data protection to carry out such notification.
t) The processing of personal data without having carried out the evaluation of the
impact of processing operations on the protection of personal data in the
assumptions in which it is enforceable.
u) The processing of personal data without having previously consulted the
data protection authority in cases where such consultation is mandatory
in accordance with article 36 of Regulation (EU) 2016/679 or when the law establishes the
obligation to carry out such consultation.
v) Failure to comply with the obligation to designate a delegate for the protection of
data when their appointment is required in accordance with article 37 of the Regulation
(EU) 2016/679 and article 34 of this organic law.
w) Not allowing the effective participation of the data protection officer in
all matters relating to the protection of personal data, not endorse it or
interfere in the performance of their duties.
x) The use of a seal or certification regarding data protection that does not
has been granted by a duly accredited certification body or in case of
that the validity of the same had expired.
y) Obtain accreditation as a certification body by submitting information
inaccurate on the fulfillment of the requirements demanded by article 43 of the Regulation
(EU) 2016/679.
z) The performance of functions that Regulation (EU) 2016/679 reserves to the
certification bodies, without having been duly accredited in accordance with the
established in article 39 of this organic law.
aa) Failure by a certification body to comply with the principles and
duties to which he is subject as provided in articles 42 and 43 of the Regulations
(EU) 2016/679.
ab) The performance of functions that article 41 of Regulation (EU) 2016/679
reserve to the supervisory bodies of codes of conduct without having been
previously accredited by the competent data protection authority.
ac) The lack of adoption by the accredited bodies for the supervision of
a code of conduct for the appropriate measures in the event that a
An infringement of the code has occurred, as required by article 41.4 of the Regulation
(EU) 2016/679.
Article 74. Infractions considered minor.
They are considered minor and the remaining character offenses will prescribe a year.
merely formal of the articles mentioned in sections 4 and 5 of article 83 of the
Regulation (EU) 2016/679 and, in particular, the following:
a) Failure to comply with the principle of transparency of information or the right to
information of the affected party for not providing all the information required by articles 13
and 14 of Regulation (EU) 2016/679.
b) The requirement to pay a fee to provide the affected party with the required information
by articles 13 and 14 of Regulation (EU) 2016/679 or by responding to requests for
exercise of rights of those affected provided for in articles 15 to 22 of the Regulation
(EU) 2016/679, when permitted by article 12.5, if the amount exceeds the amount
of the costs incurred to provide the information or perform the requested action.
c) Failure to respond to requests to exercise the rights established in articles 15
to 22 of Regulation (EU) 2016/679, unless the provisions of the
article 72.1.k) of this organic law.
d) Not meeting the rights of access, rectification, deletion, limitation of the
treatment or the portability of the data in treatments in which the
identification of the affected party, when he, for the exercise of those rights, has facilitated

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 46

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

additional information that allows its identification, unless it is applicable
provided in article 73 c) of this organic law.
e) Failure to comply with the obligation to notify regarding the rectification or
deletion of personal data or the limitation of treatment required by article 19 of the
Regulation (EU) 2016/679.
f) Failure to comply with the obligation to inform the affected party, when there is such a
requested, of the recipients to whom the personal data have been communicated
rectified, deleted or for which the treatment has been limited.
g) Failure to comply with the obligation to delete data referring to a person
deceased when it is required according to article 3 of this organic law.
h) The lack of formalization by the joint controllers of the agreement that
determine the respective obligations, functions and responsibilities with respect to the
processing of personal data and their relationships with those affected to whom the
Article 26 of Regulation (EU) 2016/679 or the inaccuracy in the determination of the
themselves.
i) Failure to make the essential aspects of the agreement available to those affected
formalized between the joint controllers, as required by article 26.2 of the
Regulation (EU) 2016/679.
j) Failure to comply with the obligation of the data processor to report
to the controller about the possible infringement due to an instruction received
of this of the provisions of Regulation (EU) 2016/679 or of this organic law,
as required by article 28.3 of the aforementioned regulation.
k) Failure by the person in charge of the stipulations imposed in the contract
or legal act that regulates the treatment or the instructions of the person responsible for the treatment,
unless it is legally obliged to do so in accordance with Regulation (EU) 2016/679 and the
present organic law or in the cases in which it is necessary to avoid the infringement

Sec. I. Page 119833

of the legislation on data protection and the
responsible or the person in charge of the treatment.
l) Have a register of treatment activities that does not include all the information
information required by article 30 of Regulation (EU) 2016/679.
m) Incomplete, late or defective notification to the protection authority of
information data related to a personal data security breach
in accordance with the provisions of article 33 of Regulation (EU) 2016/679.
n) Failure to comply with the obligation to document any breach of security,
required by article 33.5 of Regulation (EU) 2016/679.
ñ) Failure to comply with the duty to notify the affected party of a violation of the
data security that entails a high risk to the rights and freedoms of the
affected, as required by article 34 of Regulation (EU) 2016/679, except
that the provisions of article 73 s) of this organic law are applicable.
o) Provide inaccurate information to the Data Protection Authority, in the
cases in which the person responsible for the treatment must raise a prior consultation,
in accordance with article 36 of Regulation (EU) 2016/679.
p) Not publishing the contact details of the data protection officer, or not
communicate them to the data protection authority, when their appointment is required
in accordance with article 37 of Regulation (EU) 2016/679 and article 34 of this law
organic.
q) Non-compliance by certification bodies with the obligation to report
to the data protection authority of the issuance, renewal or withdrawal of a
certification, as required by sections 1 and 5 of article 43 of the Regulation
(EU) 2016/679.
r) Failure to comply by the accredited supervisory bodies of a
code of conduct on the obligation to inform data protection authorities
about the measures that are appropriate in case of violation of the code, according to
required by article 41.4 of Regulation (EU) 2016/679.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 47

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119834

Article 75. Interruption of the prescription of the offense.
The prescription shall be interrupted by the initiation, with the knowledge of the interested party, of the
sanctioning procedure, restarting the limitation period if the file
sanctioner was paralyzed for more than six months for reasons not attributable to the
alleged offender.
When the Spanish Data Protection Agency holds the status of authority
of main control and the procedure provided for in article 60 of the
Regulation (EU) 2016/679 will interrupt the prescription the formal knowledge by the
interested party in the draft start-up agreement that is submitted to the control authorities
interested.
Article 76. Sanctions and corrective measures.
1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria established in
section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party.
3. It will be possible, complementary or alternative, the adoption, when appropriate, of
the remaining corrective measures referred to in article 83.2 of the Regulation
(EU) 2016/679.
4. The information that
identify the offender, the offense committed and the amount of the penalty imposed when
the competent authority is the Spanish Agency for Data Protection, the sanction is
more than one million euros and the offender is a legal person.
When the competent authority to impose the sanction is an authority
autonomic data protection, it will be in accordance with its applicable regulations.
Article 77. Regime applicable to certain categories of managers or managers
treatment.
1. The regime established in this article will be applicable to the treatment of
who are responsible or in charge:
a) Constitutional or constitutionally relevant bodies and institutions of
the autonomous communities analogous to them.
b) The jurisdictional bodies.
c) The General Administration of the State, the Administrations of the communities
autonomous and the entities that make up the Local Administration.
d) Public bodies and public law entities linked to or
dependent on Public Administrations.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 48

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119835

e) The independent administrative authorities.
f) The Bank of Spain.
g) Public law corporations when the purposes of the treatment are
relate to the exercise of powers of public law.
h) Public sector foundations.
i) Public Universities.
j) Consortia.
k) The parliamentary groups of the Cortes Generales and the Legislative Assemblies
autonomic, as well as the political groups of the Local Corporations.
2. When the managers or managers listed in section 1 commit
any of the infractions referred to in articles 72 to 74 of this organic law,
the competent data protection authority will issue a resolution sanctioning
to them with warning. The resolution will also establish the measures that
It is appropriate to adopt so that the conduct ceases or the effects of the infraction that
it would have been committed.
The resolution will be notified to the person in charge of the treatment, the body of the
that depends hierarchically, where appropriate, and those affected who had the status of
interested, if applicable.
3. Without prejudice to the provisions of the previous section, the protection authority
of data will also propose the initiation of disciplinary actions when there are
sufficient evidence for it. In this case, the procedure and the penalties to be applied
will be those established in the legislation on disciplinary or sanctioning regime that
result of application.
Likewise, when the infractions are attributable to authorities and managers, and
certify the existence of technical reports or recommendations for treatment that do not
had been duly attended, in the resolution in which the sanction is imposed,
It will include a warning with the name of the responsible position and the
publication in the Official Gazette of the corresponding state or autonomous community.
4. The data protection authority must be notified of the resolutions that
fall in relation to the measures and actions referred to in the sections
previous.
5. They will be communicated to the Ombudsman or, where appropriate, to similar institutions
of the autonomous communities, the actions carried out and the resolutions issued to the
under this article.
6. When the competent authority is the Spanish Agency for Data Protection,
this will publish on its website with due separation the resolutions referring to the
entities of section 1 of this article, expressly indicating the identity of the
responsible or in charge of the treatment that had committed the infringement.
When the competence corresponds to an autonomous authority for the protection of
data will be, in terms of the publicity of these resolutions, to what your
specific regulations.
Article 78. Prescription of sanctions.
1. The sanctions imposed in application of Regulation (EU) 2016/679 and this
Organic law prescribe in the following terms:
a) Sanctions for an amount equal to or less than 40,000 euros, prescribe within the term
one year.
b) Sanctions for an amount between 40,001 and 300,000 euros prescribe
at two years.
c) Sanctions for an amount greater than 300,000 euros prescribe after three years.

.boe.es

2. The statute of limitations for sanctions will begin to run from the day
following the one in which the resolution imposing the sanction or
the period to appeal it has elapsed.

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 49

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119836

3. The prescription will be interrupted by the initiation, with the knowledge of the interested party,
of the execution procedure, with the term running again if it is paralyzed
for more than six months for reasons not attributable to the offender.
TITLE X
Guarantee of digital rights
Article 79. Rights in the Digital Age.
The rights and freedoms enshrined in the Constitution and in the Treaties and
International Agreements to which Spain is a party are fully applicable in
Internet. Information society service providers and suppliers
Internet services will help ensure its implementation.
Article 80. Right to Internet neutrality.
Users have the right to Internet neutrality. Service providers
Internet will provide a transparent offer of services without discrimination based on
technical or economic reasons.
Article 81. Right of universal access to the Internet.
1. Everyone has the right to access the Internet regardless of their status
personal, social, economic or geographic.
2. Universal, affordable, quality and non-discriminatory access will be guaranteed for
the entire population.
3. Access to the Internet for men and women will seek to bridge the gap
gender both in the personal and labor spheres.
4. Access to the Internet will seek to bridge the generation gap through
actions aimed at training and accessing the elderly.
5. The effective guarantee of the right of access to the Internet will address the reality
specific to rural settings.
6. Internet access must guarantee equal conditions for people
who have special needs.
Article 82. Right to digital security.
Users have the right to the security of the communications they transmit and
received via the Internet. Internet service providers will inform users
users of their rights.
Article 83. Right to digital education.
1. The educational system will guarantee the full insertion of students in society
and learning how to use digital media that is safe and respectful of
human dignity, constitutional values, fundamental rights and,
particularly with respect and the guarantee of personal and family privacy and the
personal data protection. The actions carried out in this area will have
inclusive character, in particular with regard to students with needs
special educational.
The educational administrations must include in the design of the block of subjects
free configuration of the digital competence referred to in the previous section, as well as
such as elements related to risk situations derived from inadequate
use of ICT, with special attention to situations of violence on the Internet.
2. Teachers will receive the digital skills and training necessary for the
teaching and transmission of the values ​and rights referred to in the previous section.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 50

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119837

3. The study plans of university degrees, especially those that
enable them for professional performance in the training of students, they will guarantee the
training in the use and security of digital media and in the guarantee of rights
fundamentals on the Internet.
4. The Public Administrations will add to the syllabi of the tests of
access to higher bodies and those in which they habitually function
functions that involve access to personal data matters related to the
guarantee of digital rights and in particular that of data protection.
Article 84. Protection of minors on the Internet.
1. Parents, guardians, curators or legal representatives will ensure that
minors make a balanced and responsible use of digital devices
and the services of the information society in order to guarantee the adequate
development of their personality and preserve their dignity and fundamental rights.
2. The use or dissemination of images or personal information of minors in the
Social networks and equivalent information society services that can
Involving an illegitimate interference with their fundamental rights will determine the
intervention of the Public Prosecutor's Office, which will institute precautionary and protection measures
provided for in Organic Law 1/1996, of January 15, on the Legal Protection of Minors.
Article 85. Right to rectification on the Internet.
1. Everyone has the right to freedom of expression on the Internet.
2. Those responsible for social networks and equivalent services will adopt protocols
adequate to enable the exercise of the right of rectification before users who
disseminate content that violates the right to honor, personal and family privacy
on the Internet and the right to freely communicate or receive truthful information, according to
the requirements and procedures set forth in Organic Law 2/1984, of March 26,
regulating the right of rectification.
When the digital media must respond to the request for rectification
formulated against them must proceed to the publication in their digital files of a
explanatory notice that shows that the original news does not reflect the situation
current of the individual. Said notice must appear in a visible place together with the information
original.
Article 86. Right to update information in the media
digital.
Every person has the right to motivated request from the media
the inclusion of a sufficiently visible update notice next to the news
that concern you when the information contained in the original news does not reflect your
current situation as a result of circumstances that would have taken place after
of the publication, causing damage.
In particular, the inclusion of said notice will proceed when the original information
refer to police or judicial actions that have been affected for the benefit
of the interested party as a result of subsequent judicial decisions. In this case, the
Notice will refer to the subsequent decision.
Article 87. Right to privacy and use of digital devices in the workplace.
.boe.es

1. Public workers and employees shall have the right to the protection of their
privacy in the use of digital devices made available to you by your employer.
2. The employer may access the content derived from the use of digital media
provided to workers for the sole purpose of controlling compliance with the
labor or statutory obligations and to guarantee the integrity of said devices.
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 51

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119838

3. Employers must establish criteria for the use of devices
respecting in any case the minimum standards of protection of your privacy
in accordance with social customs and constitutionally and legally recognized rights.
Workers' representatives must participate in its preparation.
Access by the employer to the content of digital devices with respect to which
has admitted their use for private purposes will require that they be specified precisely
authorized uses and guarantees are established to preserve the privacy of the
workers, such as, where appropriate, the determination of the periods in which the
Devices may be used for private purposes.
Workers must be informed of the criteria for use to which they are
refers to this section.
Article 88. Right to digital disconnection in the workplace.
1. Workers and public employees shall have the right to disconnection
digital in order to guarantee, outside the legal or conventional working time
established, respecting their rest time, leave and vacations, as well as their
personal and family privacy.
2. The modalities of exercise of this right will attend to the nature and object
of the employment relationship, will enhance the right to conciliation of work activity and
personal and family life and will be subject to the provisions of collective bargaining or, in its
defect, as agreed between the company and the workers' representatives.
3. The employer, after hearing the workers' representatives,
develop an internal policy aimed at workers, including those in positions
managers, in which they will define the modalities of exercise of the right to disconnection and
training and awareness-raising actions for staff on a reasonable use of the
technological tools that avoid the risk of computer fatigue. In particular,
will preserve the right to digital disconnection in the cases of total realization or
part of distance work as well as at the employee's home linked to the use with
labor purposes of technological tools.
Article 89. Right to privacy regarding the use of video surveillance devices and
sound recording in the workplace.
1. Employers will be able to process the images obtained through
cameras or video cameras for the exercise of control functions of workers
or the public employees provided, respectively, in article 20.3 of the Statute of the
Workers and in public service legislation, provided that these functions are performed
within its legal framework and with the limits inherent to it. Employers will have
to inform in advance, and expressly, clearly and concisely, the workers or
public employees and, where appropriate, their representatives, about this measure.
In the event that the flagrant commission of an illicit act by the
workers or public employees shall be understood to have fulfilled the duty to inform when
At least the device referred to in article 22.4 of this organic law exists.
2. In no case will the installation of sound recording systems or
video surveillance in places intended for rest or recreation of workers
or public employees, such as changing rooms, toilets, dining rooms and the like.
3. The use of systems similar to those referred to in the previous sections to
the recording of sounds in the workplace will be allowed only when they are
relevant risks for the safety of the facilities, goods and people derived
of the activity that takes place in the workplace and always respecting the principle
proportionality, the minimum intervention and the guarantees provided in sections
previous. The suppression of the sounds preserved by these recording systems is
It will be carried out in accordance with the provisions of section 3 of article 22 of this law.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 52

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119839

Article 90. Right to privacy when using geolocation systems in
the workplace.
1. Employers may process the data obtained through systems of
geolocation for the exercise of the functions of control of the workers or the
public employees provided, respectively, in article 20.3 of the Statute of the
Workers and in public service legislation, provided that these functions are performed
within its legal framework and with the limits inherent to it.
2. Previously, employers must expressly and clearly inform
and unequivocally the workers or public employees and, where appropriate, their
representatives, about the existence and characteristics of these devices. Equally
must inform them about the possible exercise of rights of access, rectification,
limitation of treatment and deletion.
Article 91. Digital rights in collective bargaining.
Collective agreements may establish additional guarantees of the rights and
freedoms related to the processing of personal data of workers and the
safeguarding digital rights in the workplace.
Article 92. Data protection of minors on the Internet.
The educational centers and any natural or legal persons who develop
activities in which minors participate will guarantee the protection of the interest
superior of the minor and their fundamental rights, especially the right to
protection of personal data, in the publication or dissemination of your personal data to
through information society services.
When such publication or dissemination were to take place through network services
social services or equivalent services must have the consent of the minor or their
legal representatives, in accordance with the provisions of article 7 of this organic law.
Article 93. Right to be forgotten in Internet searches.
1. Everyone has the right to have Internet search engines remove
of the lists of results that were obtained after a search carried out from its
Name the links posted that contain information about that person when
were inadequate, inaccurate, irrelevant, outdated or excessive or there were
become as such over time, taking into account the purposes for which
that were collected or processed, the time elapsed and the nature and public interest of the
information.
In the same way, it should proceed when the personal circumstances that in your
If the affected party invokes evidence in the prevalence of their rights over the
maintenance of the links by the Internet search service.
This right will subsist even when the conservation of the information is lawful.
published on the website to which the link was directed and it did not proceed to its
previous or simultaneous erasure.
2. The exercise of the right referred to in this article will not prevent access to the
information published on the website through the use of other criteria of
search other than the name of the person exercising the right.
Article 94. Right to be forgotten in social network services and equivalent services.

.boe.es

1. Everyone has the right to have their data deleted at their simple request.
personal data that you have provided for publication by social networking services and
equivalent information society services.
2. Everyone has the right to have their personal data deleted
concern and that had been provided by third parties for publication by the

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 53

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119840

equivalent social media services and information society services
when they are inadequate, inaccurate, irrelevant, outdated or excessive or
have become as such over time, taking into account the purposes
for those collected or treated, the time elapsed and the nature and interest
information public.
In the same way, the deletion of said data should be carried out when the
personal circumstances that, if applicable, the affected party invokes evidence the prevalence
of your rights regarding the maintenance of the data by the service.
The data that have been provided are excepted from the provisions of this section
by natural persons in the exercise of personal or domestic activities.
3. In the event that the right is exercised by an affected party regarding data that
had been provided to the service, by him or by third parties, during his minority, the
Provider must proceed without delay to its deletion by its simple request, without the need
of the circumstances mentioned in section 2.
Article 95. Right to portability in social media services and services
equivalents.
Users of social network services and information society services
equivalents will have the right to receive and transmit the contents that they have provided to
the providers of said services, as well as the providers transmitting them
directly to another provider designated by the user, provided that it is technically
possible.
Providers may keep, without disseminating it through the Internet, a copy of the
contents when said conservation is necessary for the fulfillment of a
legal obligation.
Article 96. Right to a digital will.
1. Access to content managed by service providers of the company
Information on deceased persons will be governed by the following rules:
a) Persons related to the deceased for family or de facto reasons, as well as
His heirs may address the service providers of the company of the
information in order to access said content and give them the instructions that
they deem appropriate on their use, destination or deletion.
As an exception, the aforementioned persons will not be able to access the contents of the
cause, or request its modification or elimination, when the deceased person had
expressly prohibited or as established by law. Said prohibition shall not affect the
right of the heirs to access the content that could be part of the
relict flow.
b) The executor of the will as well as the person or institution to which the
the deceased had expressly designated for this purpose, he may also request, in accordance with
the instructions received, access to the content in order to comply with
such instructions.
c) In the case of deceased minors, these powers may
also be exercised by their legal representatives or, within the framework of their powers, by
the Public Prosecutor's Office, which may act ex officio or at the request of any natural person or
interested legal entity.
d) In the event of the death of persons with disabilities, these powers may
also be exercised, in addition to those indicated in the previous letter, by those who have
been designated for the exercise of support functions if such powers are understood
included in the support measures provided by the designated person.

.boe.es

2. The legitimated persons in the previous section may decide about the
maintenance or elimination of personal profiles of deceased persons in networks
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 54

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119841

social services or equivalent services, unless the deceased had decided about this
circumstance, in which case it will be at your instructions.
The person in charge of the service to whom, in accordance with the previous paragraph, the
request to delete the profile, you must proceed without delay.
3. By royal decree the requirements and conditions will be established to prove
the validity and validity of the mandates and instructions and, where appropriate, the registration of
same, which may coincide with that provided for in article 3 of this organic law.
4. What is established in this article in relation to persons who died in the
Autonomous communities with civil, foral or special law, their own will be governed by the
established by these within their scope of application.
Article 97. Policies to promote digital rights.
1. The Government, in collaboration with the autonomous communities, will prepare a Plan
Internet Access with the following objectives:
a) Overcoming digital gaps and guaranteeing access to the Internet for groups
vulnerable or with special needs and from family and social environments
economically disadvantaged through, among other measures, a social access voucher
to Internet;
b) promote the existence of public access connection spaces; Y
c) promote educational measures that promote training in skills and
basic digital skills for people and groups at risk of digital exclusion and the
the ability of all people to make autonomous and responsible use of the Internet
and digital technologies.
2. Likewise, an Action Plan will be approved aimed at promoting the actions of
training, dissemination and awareness necessary to ensure that minors
make a balanced and responsible use of digital devices and social networks
and the equivalent information society services of the Internet for the purpose
to guarantee their adequate development of the personality and to preserve their dignity and
Fundamental rights.
3. The Government will present an annual report to the parliamentary commission
corresponding to the Congress of Deputies in which the evolution of the
of the rights, guarantees and mandates contemplated in this Title and of the
necessary measures to promote its momentum and effectiveness.
First additional provision. Security measures in the field of the public sector.
1. The National Security Scheme will include the measures to be implemented in
case of processing of personal data to avoid its loss, alteration or access not
authorized, adapting the criteria for determining the risk in the treatment of
data as established in article 32 of Regulation (EU) 2016/679.
2. Those responsible listed in article 77.1 of this organic law must
apply the corresponding security measures to the processing of personal data
of those provided for in the National Security Scheme, as well as promoting a degree of
implementation of equivalent measures in companies or foundations linked to the
themselves subject to private law.
In cases where a third party provides a service under a concession regime,
management commission or contract, the security measures will correspond to the
of the public Administration of origin and will conform to the National Security Scheme.

.boe.es

Second additional provision. Data protection and transparency and access to
public information.
Active advertising and access to public information regulated by Title I of the
Law 19/2013, of December 9, on transparency, access to public information and good

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 55

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119842

government, as well as the obligations of active publicity established by the legislation
autonomic, will be submitted, when the information contains personal data, to the
provided in articles 5.3 and 15 of Law 19/2013, in Regulation (EU) 2016/679 and
in the present organic law.
Third additional provision. Computation of terms.
The terms established in Regulation (EU) 2016/679 or in this organic law, with
regardless of whether they refer to relationships between individuals or with entities in the sector
public, will be governed by the following rules:
a) When the terms are indicated by days, it is understood that these are working,
excluding from the computation Saturdays, Sundays and those declared holidays.
b) If the term is set in weeks, it will end on the same day of the week on which the
produced the fact that determines its initiation in the expiration week.
c) If the term is set in months or years, it will end on the same day that the
fact that determines its initiation in the month or year of expiration. If in the month of
expiration date would not be equivalent to the one on which the computation begins, it will be understood
that the term expires on the last day of the month.
d) When the last day of the period is non-working, it will be understood to be extended to the first day
next handy.
Fourth additional provision. Procedure in relation to conferred powers
to the Spanish Agency for Data Protection for other laws.
The provisions of Title VIII and its implementing regulations shall apply to the
procedures that the Spanish Data Protection Agency would have to process in
exercise of the powers attributed to it by other laws.
Fifth additional provision. Judicial authorization in relation to decisions of the
European Commission on international data transfer.
1. When a data protection authority considers that a decision of the
European Commission on international data transfer, whose validity
depends on the resolution of a specific procedure, violates the provisions of the
Regulation (EU) 2016/679, undermining the fundamental right to the protection of
data, will immediately agree to suspend the procedure, in order to request the
judicial body authorization to declare it so within the procedure of which it is
knowing. Said suspension must be confirmed, modified or lifted in the
agreement of admission or inadmissibility of processing the request of the protection authority of
data addressed to the competent court.
The decisions of the European Commission to which this
channel are:
a) those that declare the adequate level of protection of a third country or
international organization, pursuant to article 45 of Regulation (EU) 2016/679;
b) those that approve standard data protection clauses for the
making international data transfers, or
c) those that declare the validity of the codes of conduct for this purpose.
2. The authorization referred to in this provision may only be granted
Yes, after submitting a preliminary ruling of validity in the terms of article 267
of the Treaty on the Functioning of the European Union, the decision of the European Commission
questioned was declared invalid by the Court of Justice of the European Union.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 56

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119843

Sixth additional provision. Incorporation of debts to information systems
credit.
They will not be incorporated into the credit information systems to which the
Article 20.1 of this organic law debts in which the amount of the principal is less than
fifty euros.
The Government, by royal decree, may update this amount.
Seventh additional provision. Identification of those interested in notifications by
means of announcements and publications of administrative acts.
1. When the publication of an administrative act containing
personal data of the affected person, they will be identified by their name and surname,
adding four random numerical figures of the national identity document, number
identity card of foreigner, passport or equivalent document. When the post is
refer to a plurality of affected these random figures should be alternated.
In the case of notification by means of advertisements, particularly in the
assumptions referred to in article 44 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, will be identified at
affected exclusively by the complete number of your national document of
identity, foreigner identity number, passport or equivalent document.
When the affected person lacks any of the documents mentioned in the
two previous paragraphs, the affected party will be identified solely by name and
surnames. In no case should the name and surname be published jointly with
the complete number of the national identity document, identity number of
foreigner, passport or equivalent document.
2. In order to prevent risks for victims of gender violence, the Government
will promote the development of a collaboration protocol that defines procedures
insurance of publication and notification of administrative acts, with the participation of
bodies with competence in the matter.
Eighth additional provision. Verification power of the Public Administrations.
When requests are made by any means in which the interested party declares
personal data held by the Public Administrations, the body
The recipient of the request may, in the exercise of its powers, carry out the
Verifications necessary to verify the accuracy of the data.
Ninth additional provision. Processing of personal data in relation to
notification of security incidents.
When, in accordance with the provisions of national legislation resulting from
enforcement, security incidents need to be reported, public authorities
competent authorities, Computer Emergency Response Teams (CERT), emergency response teams,
Computer Security Incident Response (CSIRT), Network and Service Providers
of electronic communications and providers of technologies and security services,
may process the personal data contained in such notifications, exclusively
for the time and scope necessary for its analysis, detection, protection and response
in the event of incidents and adopting adequate and proportionate security measures to the
determined risk level.
.boe.es

Tenth additional provision. Data communications by the subjects listed in
Article 77.1.
Those responsible listed in article 77.1 of this organic law may
communicate the personal data that are requested by subjects of private law
when they have the consent of those affected or appreciate that they concur in the

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 57

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119844

applicants a legitimate interest that prevails over the rights and interests of the
affected in accordance with the provisions of article 6.1 f) of Regulation (EU) 2016/679.
Eleventh additional provision. Privacy in electronic communications.
The provisions of this organic law shall be understood without prejudice to the application of
the rules of internal law and of the European Union regulating privacy in the
electronic communications sector, without imposing additional obligations on the
natural or legal persons in matters of treatment in the framework of the provision of
public electronic communications services in public communication networks in
areas in which they are subject to specific obligations established in said
rules.
Twelfth additional provision. Specific provisions applicable to processing
of public sector personnel records.
1. The treatment of the personnel records of the public sector shall be understood
carried out in the exercise of public powers conferred on those responsible, in accordance with
with the provisions of article 6.1.e) of Regulation (EU) 2016/679.
2. Public sector personnel records may process personal data
relating to criminal offenses and convictions and administrative offenses and penalties,
limiting itself to the data strictly necessary for the fulfillment of its purposes.
3. In accordance with the provisions of article 18.2 of Regulation (EU) 2016/679, and
considering it an important public interest reason, the data whose treatment is
limited by virtue of article 18.1 of the aforementioned regulation, they may be subject to
treatment when necessary for the development of personnel procedures.
Thirteenth additional provision. International transfers of tax data.
Transfers of tax data between the Kingdom of Spain and other States or
international or supranational entities, will be regulated by the terms and with the
limits established in the regulations on mutual assistance between the States of the Union
European, or within the framework of conventions to avoid double taxation or other
international conventions, as well as the rules on mutual assistance established
in Chapter VI of Title III of Law 58/2003, of December 17, General Tax.
Fourteenth additional provision. Rules issued pursuant to article 13 of the
Directive 95/46 / CE.
The rules issued in application of article 13 of Directive 95/46 / EC of the
European Parliament and of the Council, of October 24, 1995, on the protection of
natural persons with regard to the processing of personal data and the free
circulation of these data, which had entered into force prior to May 25
of 2018, and in particular articles 23 and 24 of Organic Law 15/1999, of 13
December, Protection of Personal Data, remain in force as long as they are not
expressly modified, substituted or repealed.
Fifteenth additional provision. Information request by the
National Stock Market Commission.
When you have not been able to obtain by other means the information necessary to
carry out its supervision or inspection tasks, the National Market Commission of
Securities may be collected from operators that provide communications services
electronic files available to the public and to the service providers of the society of the
information, the data in their possession related to electronic communication or
information society service provided by said providers that are

.boe.es

other than their content and are essential for the exercise of said tasks.

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 58

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119845

The transfer of these data will require the prior obtaining of judicial authorization granted
in accordance with the procedural rules.
Excluded from the provisions of this section are the traffic data that the
operators were dealing with the sole purpose of complying with the
Obligations provided for in Law 25/2007, of October 18, on data conservation
relating to electronic communications and public communications networks.
Sixteenth additional provision. Aggressive practices regarding the protection of
data.
For the purposes provided for in article 8 of Law 3/1991, of January 10, of
Unfair Competition, the following are considered aggressive practices:
a) Act with the intention of supplanting the identity of the Spanish Agency for
Data Protection or an autonomous data protection authority in the
realization of any communication to those responsible and in charge of the treatments
or interested parties.
b) Generate the appearance that it is acting on behalf, on behalf of or in
collaboration with the Spanish Data Protection Agency or an autonomous authority
of data protection in the realization of any communication to those responsible and
responsible for the treatments in which the sender offers its products or services.
c) Carry out commercial practices in which the decision-making power of the
recipients by referring to the possible imposition of sanctions for
breach of personal data protection regulations.
d) Offer any type of document for which it is intended to create an appearance
of compliance with the data protection provisions in a complementary way to
carrying out training actions without having carried out the necessary actions
to verify that such compliance occurs effectively.
e) Assume, without express designation of the person in charge or the person in charge of the treatment,
the function of data protection delegate and communicate in such condition with the
Spanish Agency for Data Protection or the regional authorities for the protection of
data.
Seventeenth additional provision. Health data treatment.
1. They are covered by letters g), h), i) and j) of Article 9.2 of the Regulations.
(EU) 2016/679 the processing of data related to health and genetic data
that are regulated in the following laws and their development provisions:
a) Law 14/1986, of April 25, General Health.
b) Law 31/1995, of November 8, on Occupational Risk Prevention.
c) Law 41/2002, of November 14, basic regulating the autonomy of the
patient and rights and obligations regarding information and clinical documentation.
d) Law 16/2003, of May 28, on cohesion and quality of the National System of
Health.
e) Law 44/2003, of November 21, on the organization of the health professions.
f) Law 14/2007, of July 3, on Biomedical Research.
g) Law 33/2011, of October 4, General Public Health.
h) Law 20/2015, of July 14, on the management, supervision and solvency of the
insurance and reinsurance entities.
i) The consolidated text of the Law of guarantees and rational use of 105 medicines
and sanitary products, approved by Royal Legislative Decree 1/2015, of July 24.
j) The consolidated text of the General Law on the rights of persons with disabilities
and its social inclusion, approved by Royal Legislative Decree 1/2013 of November 29.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 59

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119846

2. The treatment of data in health research will be governed by the following
criteria:
a) The interested party or, where appropriate, their legal representative may grant consent
for the use of your data for health research purposes and, in particular, biomedical.
Such purposes may cover categories related to general areas related to
to a medical or research specialty.
b) Health authorities and public institutions with powers in surveillance
public health authorities may carry out scientific studies without the consent of the
affected in situations of exceptional relevance and seriousness for public health.
c) The reuse of personal data for the purposes of
research in health and biomedical matters when, having obtained the
consent for a specific purpose, the data is used for purposes or areas
of research related to the area in which the study is scientifically integrated
initial.
In such cases, those responsible must publish the information established by the
Article 13 of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27
of April 2016, regarding the protection of natural persons with regard to the
processing of your personal data and the free circulation of these data, in a place
easily accessible from the corporate website of the center where the
research or clinical study, and, where appropriate, that of the promoter, and notify the existence of
this information by electronic means to those affected. When these lack
means to access such information, may request its submission in another format.
For the treatments provided for in this letter, a prior favorable report from the
research ethics committee.
d) The use of pseudonymised personal data for the purposes of
research in health and, in particular, biomedical.
The use of pseudonymised personal data for public health research purposes
and biomedical will require:
1.º A technical and functional separation between the research team and those who carry out
pseudonymization and retain the information that enables re-identification.
2. That the pseudonymised data is only accessible to the team of
investigation when:
i) There is an express commitment to confidentiality and not to carry out any
re-identification activity.
ii) Specific security measures are adopted to avoid re-identification and
unauthorized third party access.
The data may be re-identified at its source, when due to
an investigation using pseudonymised data, a danger is found
real and concrete for the safety or health of a person or group of people, or a
serious threat to your rights or is necessary to ensure adequate
healthcare.
e) When personal data is processed for health research purposes, and in
particularly biomedical, for the purposes of article 89.2 of Regulation (EU) 2016/679,
The rights of those affected provided for in articles 15, 16, 18 may be exempted
and 21 of Regulation (EU) 2016/679 when:
1.º The aforementioned rights are exercised directly before the researchers or centers
research using anonymized or pseudonymized data.
2. The exercise of such rights refers to the results of the investigation.
3. The purpose of the investigation is an essential public interest related to the
state security, defense, public safety or other important objectives of
general public interest, provided that in the latter case the exception is expressly
collected by a norm with the rank of Law.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 60

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119847

f) When, in accordance with the provisions of article 89 of Regulation (EU) 2016/679,
carry out a treatment for research purposes in public health and, in particular,
biomedical will proceed to:
1.º Carry out an impact assessment that determines the risks derived from the
treatment in the cases provided for in article 35 of Regulation (EU) 2016/679 or
in those established by the supervisory authority. This evaluation will specifically include
the re-identification risks linked to the anonymization or pseudonymization of the
data.
2.º Submit scientific research to quality standards and, where appropriate, to the
international guidelines on good clinical practice.
3.º Adopt, where appropriate, measures aimed at guaranteeing that researchers do not
They access the identification data of the interested parties.
4.º Appoint a legal representative established in the European Union, in accordance with
Article 74 of Regulation (EU) 536/2014, if the sponsor of a clinical trial is not
established in the European Union. Said legal representative may coincide with the foreseen
in article 27.1 of Regulation (EU) 2016/679.
g) The use of pseudonymised personal data for health research purposes
public and, in particular, biomedical should be submitted to the prior report of the committee of
research ethics provided for in the sectoral regulations.
In the absence of the aforementioned Committee, the entity responsible for the
investigation will require a prior report from the data protection officer or, in his / her
defect, of an expert with the previous knowledge in article 37.5 of the Regulation
(EU) 2016/679.
h) Within a maximum period of one year from the entry into force of this law, the committees
of research ethics, in the field of health, biomedical or medicine,
They must integrate among their members a data protection delegate or, failing that,
an expert with sufficient knowledge of Regulation (EU) 2016/679 when
engage in research activities involving the processing of personal data
or pseudonymized or anonymized data.
Eighteenth additional provision. Security criteria.
The Spanish Agency for Data Protection will develop, with the collaboration, when
is accurate, of all the actors involved, the tools, guides, guidelines and
guidelines that are accurate to provide professionals, micro-enterprises and
small and medium-sized enterprises of adequate guidelines for compliance with the
Active liability obligations established in Title IV of the Regulation (EU)
2016/679 and in Title V of this organic law.
Additional provision nineteenth. Rights of minors before the Internet.
Within one year from the entry into force of this organic law, the Government
will forward to the Congress of Deputies a bill specifically addressed to
guarantee the rights of minors in the face of the impact of the Internet, in order to guarantee
their safety and fight against discrimination and violence against them is
exercised through new technologies.
Additional provision twentieth. Specialties of the legal regime of the Agency
Spanish Data Protection.

.boe.es

1. The article will not apply to the Spanish Agency for Data Protection.
50.2.c) of Law 40/2015, of October 1, on the Legal Regime of the Public Sector.
2. The Spanish Agency for Data Protection may adhere to the systems of
centralized contracting established by the Public Administrations and participate in the
erifiable at http: // www
cve:VBOE-A-2018-16673

Page 61

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119848

shared management of common services provided for in article 85 of Law 40/2015,
of October 1, of the Legal Regime of the Public Sector.
Twenty-first additional provision. Digital education.
The educational administrations will comply with the mandate contained in the
second paragraph of section 1 of article 83 of this organic law within a period of one year
counting from the entry into force of the same.
Twenty-second additional provision. Access to public and ecclesiastical archives.
The competent public authorities will facilitate access to public archives and
ecclesiastical in relation to the data requested on the occasion of investigations
police or judicial authorities of disappeared persons, having to respond to requests with
promptly and diligently the institutions or religious congregations to which the
access requests.
First transitory provision. Statute of the Spanish Agency for Data Protection.
1. The Statute of the Spanish Data Protection Agency, approved by Real
Decree 428/1993, of March 26, will continue in force in what is not opposed to
established in Title VIII of this organic law.
2. The provisions of sections 2, 3 and 5 of article 48 and article 49 of this law
Organic will be applied once the mandate of the person holding the status of Director expires
of the Spanish Agency for Data Protection upon its entry into force.
Second transitory provision. Type codes registered with the protection authorities
of data in accordance with Organic Law 15/1999, of December 13, on the Protection of
Personal data.
The promoters of the standard codes registered in the registry of the Spanish Agency for
Data Protection or the regional data protection authorities must
adapt its content to the provisions of article 40 of Regulation (EU) 2016/679 in the
one year from the entry into force of this organic law.
If, after said period, the approval provided for in the
Article 38.4 of this organic law, the registration will be canceled and its
promoters.
Third transitory provision. Transitional regime of procedures.
1. The procedures already initiated at the entry into force of this organic law are
will be governed by the previous regulations, unless this organic law contains provisions more
favorable for the interested party.
2. The provisions of the preceding section shall also apply to the
procedures in respect of which the actions prior to the
those referred to in Section 2 of Chapter III of Title IX of the Development Regulations
of Organic Law 15/1999, of December 13, on the Protection of Character Data
Personal, approved by Royal Decree 1720/2007, of December 21.
Fourth transitory provision. Treatments subject to Directive (EU) 2016/680.
The treatments subject to Directive (EU) 2016/680 of the European Parliament and of the
Council, of April 27, 2016, regarding the protection of natural persons in what
Regarding the processing of personal data by the competent authorities
for the purposes of prevention, investigation, detection or prosecution of criminal offenses
or the execution of criminal sanctions, and the free circulation of said data and by which
Framework Decision 2008/977 / JAI of the Council is repealed, they will continue to be governed by the Law
Organic Law 15/1999, of December 13, and in particular Article 22, and its provisions

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 62

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119849

of development, as long as the rule that transposes into Spanish Law does not enter into force
provided in the aforementioned directive.
Fifth transitory provision. Treatment manager contracts.
The treatment manager contracts signed prior to May 25
of 2018 under the provisions of article 12 of Organic Law 15/1999, of 13 of
December, Protection of Personal Data will remain in force until the
expiration date indicated therein and in the event that it has been agreed
indefinite, until May 25, 2022.
During these periods, either party may require the other to modify the
contract so that it is in accordance with the provisions of article 28 of the
Regulation (EU) 2016/679 and in Chapter II of Title V of this organic law.
Sixth transitory provision. Reuse for health research purposes
and biomedical data collected prior to the entry into force of
this organic law.
Reuse for health research purposes will be considered lawful and compatible.
biomedical of personal data collected lawfully prior to the entry into force
of this organic law when any of the following circumstances concur:
a) That said personal data be used for the specific purpose for which it is
would have given consent.
b) That, having obtained consent for a specific purpose, it is
use such data for purposes or areas of research related to the
medical or research specialty in which the study is scientifically integrated
initial.
Sole repealing provision. Regulatory repeal.
1. Without prejudice to the provisions of the fourteenth additional provision and the
Fourth transitory provision, Organic Law 15/1999, of
December, Protection of Personal Data.
2. Royal Decree-Law 5/2018, of July 27, on urgent measures is hereby repealed
for the adaptation of Spanish law to the regulations of the European Union regarding
Data Protection.
3. Likewise, any provisions of equal or lower rank are repealed.
contradict, oppose, or are incompatible with the provisions of the Regulation
(EU) 2016/679 and in this organic law.
First final provision. Nature of this law.
This law has the character of an organic law.
However, they have the character of ordinary law:
- Title IV,
- Title VII, except for articles 52 and 53, which are organic,
- Title VIII,
- Title IX,
- Articles 79, 80, 81, 82, 88, 95, 96 and 97 of Title X,
- the additional provisions, except for the second additional provision and the provision
additional seventeenth, which have an organic character,
- the transitional provisions,
- and the final provisions, except for the first, second, third final provisions,
fourth, eighth, tenth and sixteenth, which have an organic character.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 63

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119850

Second final provision. Competency title.
1. This organic law is issued under the protection of article 149.1.1.ª of the Constitution, which
attributes to the State the exclusive competence for the regulation of the basic conditions
that guarantee the equality of all Spaniards in the exercise of rights and in the
fulfillment of constitutional duties.
2. Chapter I of Title VII, Title VIII, the fourth additional provision and the
First transitory provision will only apply to the General Administration of the
State and its public bodies.
3. Articles 87 to 90 are issued under the exclusive jurisdiction that the
Article 149.1.7th and 18th of the Constitution reserve to the State in matters of legislation
labor and bases of the statutory regime of public officials respectively.
4. The fifth additional provision and the seventh and sixth final provisions are issued
under the jurisdiction that article 149.1.6 of the Constitution attributes to the State
regarding procedural legislation.
5. The third additional provision is issued under article 149.1.18 of the
Constitution.
6. Article 96 is issued under the protection of article 149.1.8.ª of the Constitution.
Third final provision. Modification of Organic Law 5/1985, of June 19, on the
General Electoral Regime.
Organic Law 5/1985, of June 19, of the General Electoral Regime is modified
which is worded as follows:
One. Section 3 of article thirty-nine is worded as follows:
"3. Within the previous period, any person may file a claim
addressed to the Provincial Delegation of the Electoral Census Office about your data
census, although only those that refer to the
rectification of errors in personal data, changes of address within
of the same constituency or the non-inclusion of the claimant in any Section
Census of the constituency despite having the right to do so. Will also be
the requests of the voters who oppose their inclusion in the
copies of the electoral roll provided to the representatives of the candidacies
to send postal mailings of electoral propaganda. They will not be taken into account
for the election called those that reflect a change of residence of a
circumscription to another, carried out after the closing date of the census
for each election, having to exercise their right in the section corresponding to their
previous address. "
Two. A new article fifty-eight bis is added, with the following content:
«Article fifty-eight bis. Use of technological means and data
personnel in electoral activities.
1. The collection of personal data related to the political opinions of the
people who carry out political parties in the framework of their activities
elections will be protected in the public interest only when it is
offer adequate guarantees.
2. Political parties, coalitions and electoral groups may use
personal data obtained from web pages and other publicly accessible sources for
carrying out political activities during the electoral period.
3. Sending electoral propaganda by electronic means or communication systems
messaging and the hiring of electoral propaganda on social networks or media
equivalents will not be considered commercial activity or communication.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 64

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119851

4. The aforementioned outreach activities will identify in a way
highlighted its electoral nature.
5. The recipient will be provided with a simple and free way of exercising the
right of opposition. "
Fourth final provision. Modification of Organic Law 6/1985, of July 1, on Power
Judicial.
The Organic Law, 6/1985, of July 1, of the Judicial Power, is modified in the following
terms:
One. A third paragraph is added to article 58, with the following wording:
«Article 58.
Third. From the authorization request for the declaration provided for in the
Fifth additional provision of the Organic Law on Protection of Personal Data
and Guarantee of Digital Rights, when such request is made by the
General Council of the Judiciary. »
Two. A letter f) is added to article 66, with the following wording:
«Article 66.
f) The request for authorization for the declaration provided for in the provision
Additional fifth of the Organic Law on Protection of Personal Data and Guarantee
of Digital Rights, when such request is made by the Agency
Spanish Data Protection. »
Three. A letter k) is added to section 1 and a new section 7 to article 74, with
the following wording:
«Article 74.
1. […]
k) The authorization request for the declaration provided for in the provision
Additional fifth of the Organic Law on Protection of Personal Data and Guarantee
of Digital Rights, when such request is made by the authority of
data protection of the respective Autonomous Community.
[…]
7. Corresponds to the Contentious-Administrative Chambers of the Courts
Superiors of Justice authorize, by order, the request for information by
part of regional data protection authorities to operators that
provide electronic communications services available to the public and to the
information society service providers, when necessary
in accordance with specific legislation. "
Four. A new paragraph 7 is added to article 90:
«7. Corresponds to the Central Courts of the Contentious-administrative
authorize, by order, the request for information by the Agency
Spanish Data Protection and other independent administrative authorities
state-wide to operators that provide communications services
electronic files available to the public and to the company's service providers
of the information, when it is necessary in accordance with the legislation
specific. "

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 65

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119852

Fifth final provision. Modification of Law 14/1986, of April 25, General of
Health.
A new Chapter II is added to Title VI of Law 14/1986, of April 25, General
of Health with the following content:
"CHAPTER II
Treatment of health research data
Article 105 bis.
The processing of personal data in health research will be governed by
provided in the seventeenth additional provision of the Organic Law of
Protection of Personal Data and Guarantee of Digital Rights. »
Sixth final provision. Modification of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction.
Law 29/1998, of July 13, regulating the Contentious Jurisdictionadministrative, is modified in the following terms:
One. A new paragraph 7 is added to article 10:
«7. They will be aware of the request for authorization under article 122 ter,
when formulated by the Community data protection authority
Respective autonomous. "
Two. A new paragraph 5 is added to article 11:
"5. It will be aware of the request for authorization under article 122 ter,
when formulated by the Spanish Data Protection Agency. "
Three. A new paragraph 4 is added to article 12:
"4. It will be aware of the request for authorization under article 122 ter,
when it is formulated by the General Council of the Judiciary. "
Four. A new article 122 ter is introduced, with the following wording:
«Article 122 ter. Judicial authorization procedure pursuant to a
decision of the European Commission on the international transfer of
data.
1. The procedure to obtain the judicial authorization referred to in the
Fifth additional provision of the Organic Law on Protection of Personal Data
and Guarantee of Digital Rights, will begin with the request of the authority of
data protection addressed to the competent Court to rule on the
the conformity of a decision of the European Commission on transfer
international data with the law of the European Union. The request will go
accompanied by a copy of the file that is pending resolution
before the data protection authority.
2. They will be parties to the procedure, in addition to the protection authority of
data, who were in the procedure processed before it and, in any case, the
European Comission.
3. The admission or inadmissibility agreement to process the procedure will confirm,
modify or lift the suspension of the procedure for possible violation of
the data protection regulations processed before the protection authority of
data, which is the cause of this judicial authorization procedure.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 66

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119853

4. Once the application is admitted for processing, the competent Court will notify the
data protection authority in order to transfer to those who intervene in
the procedure processed before the same so that they appear in the term of three
days. Likewise, it will be transferred to the European Commission for the same purposes.
5. Once the term mentioned in the previous letter has concluded, the
request for authorization to the parties in person so that within ten
days claim what they deem appropriate, being able to request at that time the
practice of the tests they deem necessary.
6. Once the trial period has elapsed, if any of the parties has
requested and the court deems it pertinent, a hearing will be held. The
The Tribunal may decide the scope of the issues on which the parties must
focus your allegations on said hearing.
7. Once the procedures mentioned in the three previous sections have been completed, the
Competent court will adopt one of these decisions within ten days:
a) If it considers that the decision of the European Commission is in accordance with the
European Union law, will issue a sentence declaring it so and denying the
requested authorization.
b) In the event that the decision is considered contrary to Union law
European Parliament, will issue a preliminary ruling on the validity of the
cited decision before the Court of Justice of the European Union, under the terms of the
Article 267 of the Treaty on the Functioning of the European Union.
The authorization may only be granted if the decision of the Commission
European Union questioned was declared invalid by the Court of Justice of the Union
European.
8. The resources regime will be the one provided for in this law. "
Seventh final provision. Modification of Law 1/2000, of January 7, on Prosecution
Civil.
Article 15 bis of Law 1/2000, of January 7, on Civil Procedure is modified,
which is worded as follows:
«Article 15 bis. Intervention in antitrust and antitrust processes
Data Protection.
1. The European Commission, the National Markets Commission and the
Competence and the competent bodies of the autonomous communities in the
scope of their powers may intervene in the processes of defense of the
competition and data protection, without being a party, on its own
initiative or at the request of the judicial body, by providing information or
submission of written observations on issues relating to the application of
Articles 101 and 102 of the Treaty on the Functioning of the European Union or the
Articles 1 and 2 of Law 15/2007, of July 3, on the Defense of Competition. With
the permission of the corresponding judicial body, they may also present
verbal observations. For these purposes, they may request the court
competent authority to send them or have them send all the documents necessary to
make an assessment of the matter in question.
The contribution of information will not reach the data or documents obtained
within the scope of the circumstances of application of the exemption or reduction of the
amount of the fines provided for in articles 65 and 66 of Law 15/2007, of 3
July, on the Defense of Competition.
2. The European Commission, the National Markets Commission and the
Competence and the competent bodies of the autonomous communities will contribute
the information or will present the observations provided for in the previous number ten

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 67

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119854

days before the holding of the trial act referred to in article 433 or
within the period of opposition or challenge of the appeal filed.
3. The provisions of the previous sections on procedural matters will be
also applicable when the European Commission, the Spanish Agency for
Data Protection and the regional data protection authorities, in the
scope of their competences, consider it necessary to intervene in a process that
affects issues related to the application of Regulation (EU) 2016/679 of the
European Parliament and of the Council, of April 27, 2016. "
Eighth final provision. Modification of Organic Law 6/2001, of December 21, of
Universities
A new letter l) is included in section 2 of article 46 of Organic Law 6/2001,
of December 21, of Universities, with the following content:
«L) Training in the use and safety of digital media and in the guarantee
of fundamental rights on the Internet. "
Ninth final provision. Modification of Law 41/2002, of November 14, basic
regulating the autonomy of the patient and rights and obligations regarding
information and clinical documentation.
Section 3 of article 16 of Law 41/2002, of November 14, is amended.
basic regulation of the autonomy of the patient and of rights and obligations in
of information and clinical documentation, which now has the following content:
«Article 16. […]
3. Access to medical records for judicial, epidemiological, and health purposes
public, research or teaching, is governed by the provisions of the legislation
in force regarding the protection of personal data, and in Law 14/1986, of 25
April, General Health, and other rules of application in each case. The access
to the clinical history for these purposes requires the preservation of the identification data
patient personnel, separated from those of a clinical-care nature, in a
that, as a general rule, anonymity is ensured, unless the person himself
patient has given their consent not to separate them.
The investigation cases provided for in section 2 of the
Additional provision seventeenth of the Organic Law on Data Protection
Personal and Guarantee of Digital Rights.
Likewise, the cases of investigation of the judicial authority are excepted.
in which it is considered essential to unify the identification data with
the clinicoassistance, in which it will be to what the judges and
courts in the corresponding process. Access to data and documents of the
Clinical history is strictly limited to the specific purposes of each case.
When this is necessary for the prevention of a serious risk or danger to
the health of the population, the health administrations referred to in the Law
33/2011, of October 4, General Public Health, will be able to access the data
identification of the patients for epidemiological reasons or for the protection of the
public health. Access must be done, in any case, by a professional
sanitary subject to professional secrecy or by another person also subject to a
equivalent obligation of secrecy, prior motivation by the Administration
requesting access to the data. "

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 68

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119855

Tenth final provision. Modification of Organic Law 2/2006, of May 3, of
Education.
A new letter l) is included in section 1 of article 2 of Organic Law 2/2006,
of May 3, Education, which is worded as follows:
«L) Training to guarantee the full insertion of students in the
digital society and learning the safe use of digital media and
respectful of human dignity, constitutional values, rights
fundamental and, particularly, with the respect and guarantee of privacy
individual and collective. "
Eleventh final provision. Modification of Law 19/2013, of December 9, on
transparency, access to public information and good governance.
Law 19/2013, of December 9, on transparency, access to the
public information and good governance, in the following terms:
One. A new article 6 bis is added, with the following wording:
«Article 6 bis. Registration of treatment activities.
The subjects listed in article 77.1 of the Organic Law for the Protection of
Personal Data and Guarantee of Digital Rights, will publish their inventory of
treatment activities in application of article 31 of the aforementioned Organic Law. "
Two. Section 1 of article 15 is worded as follows:
"1. If the requested information contains personal data that reveals the
ideology, union affiliation, religion or beliefs, access can only be
authorize in case of the express and written consent of the
affected, unless said affected had made manifestly public the
data before access was requested.
If the information includes personal data that refers to the origin
racial, health or sexual life, including genetic or biometric data or
contains data related to the commission of criminal or administrative offenses
that do not entail a public reprimand to the offender, access can only be
authorize if you have the express consent of the affected party or if
that one was protected by a norm with the force of law. "
Twelfth final provision. Modification of Law 39/2015, of October 1, on
Common Administrative Procedure of Public Administrations.
Sections 2 and 3 of article 28 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations, which now have
the following wording:
«Article 28. […]
2. Interested parties have the right not to provide documents that are already
are in the power of the acting Administration or have been prepared by
any other Administration. The acting administration may consult or collect
said documents unless the interested party objects to it. The opposition will not fit
when the contribution of the document is required in the framework of the exercise of
sanctioning or inspection powers.
Public Administrations must collect the documents
electronically through their corporate networks or by consulting the
data intermediation platforms or other electronic systems enabled by the
effect.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 69

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

In the case of mandatory reports already prepared by a body
administrative office other than the one that processes the procedure, these must be sent
within ten days from your request. Once this period has elapsed,
inform the interested party that they can provide this report or wait for it to be sent
by the competent body.
3. Administrations will not require interested parties to submit
original documents, except that, exceptionally, the regulatory regulations
applicable state otherwise.
Likewise, the Public Administrations will not require data from the interested parties.
or documents not required by the applicable regulatory regulations or that have been
previously contributed by the interested party to any Administration. To these
effects, the interested party must indicate at what time and before which body
The administrative department presented the aforementioned documents, and the Administrations

Sec. I. Page 119856

Collect them electronically through their corporate networks or a
consult data intermediation platforms or other electronic systems
authorized for this purpose, unless the express opposition of the
interested party or the applicable special law requires their express consent.
Exceptionally, if the Public Administrations could not collect the aforementioned
documents, may again request the interested party for their contribution. "
Final provision thirteenth. Modification of the consolidated text of the Statute Law
from the workers.
A new article 20 bis is added to the consolidated text of the Law of the Statute of
Workers, approved by Royal Legislative Decree 2/2015, of October 23, with the
following content:
«Article 20 bis. Workers' rights to privacy in relation to the
digital environment and disconnection.
Workers have the right to privacy in the use of the devices
made available to them by the employer, to the digital disconnection and to the
privacy against the use of video surveillance and geolocation devices in the
terms established in current legislation on data protection
personal data and guarantee of digital rights. "
Fourteenth final provision. Modification of the consolidated text of the Statute Law
Basic of the Public Employee.
A new letter ja) is added to article 14 of the consolidated text of the Law on
Basic Statute of Public Employees, approved by Royal Legislative Decree 5/2015,
of October 30, which will be worded as follows:
«Ja) To privacy in the use of digital devices made available to you
and against the use of video surveillance and geolocation devices, as well as the
digital disconnection in the terms established in the current legislation on the matter
protection of personal data and guarantee of digital rights. »
Fifteenth final provision. Regulatory development.
The Government is empowered to develop the provisions of articles 3.2, 38.6, 45.2,
63.3, 96.3 and sixth additional provision, in the terms established therein.

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

Page 70

STATE OFFICIAL NEWSLETTER
No. 294

Thursday 6 December 2018

Sec. I. Page 119857

Sixteenth final provision. Entry into force.
This organic law will enter into force the day following its publication in the
State official newsletter.
Therefore,
I command all Spaniards, individuals and authorities, to keep and keep
this organic law.
Madrid, December 5, 2018.
FELIPE R.
The president of the Government,
PEDRO SÁNCHEZ PÉREZ-CASTEJÓN

.boe.es

erifiable at http: // www
cve:VBOE-A-2018-16673

http://www.boe.es

STATE OFFICIAL NEWSLETTER

DL: M-1/1958 - ISSN: 0212-033X

