Ley Orgánica de Protección de Datos de Carácter Personal


The Organic Law 15/1999 of December 13 on Protection of Personal Data was Spanish organic law that guaranteed and protected the processing of personal data, public liberties, and fundamental human rights, and especially of personal and family honor and privacy. It was approved by the General Court on December 13, 1999. This law was developed based on Article 18 of the Spanish Constitution of 1978, the familiar and personal right to privacy, and the secrecy of communications.
Its main objective was to regulate the treatment of data and files, of a personal nature, regardless of the support in which they are treated, the rights of citizens over them and the obligations of those who create or treat them. This law affected all data that referred to registered humans on any support, computer or otherwise. Excluded from this regulation are those data collected for domestic use, classified materials of the state and those files that collected data on Terrorism and other forms of organized crime.
Based on this law, the Spanish Agency for Data Protection was created, at the state level, which ensures compliance with this Law.
This act was repealed by the passage of a new data protection act, the Organic Law 3/2018 of December 5, about protection of personal data and guarantees of digital rights, to conform the Spanish legislation with the General Data Protection Regulation

Regulatory development

The body responsible for monitoring compliance with data protection regulations at Spanish territory, in general, is the Spanish Agency for Data Protection,
there are other Data Protection Agencies of an autonomous nature, in Autonomous Communities of Catalonia and in Basque Country.
The sanctions are divided into three groups depending on the seriousness of the act committed, Spain being the country of the European Union that has the highest sanctions in terms of protection of data. These sanctions depend on the violation committed. The last company sanctioned has been the company Grupon, sanctioned by the state data protection agency, with 20 000 euros for storing the CVV codes of the Credit cards from their customers without informing them.
They are divided into:
Despite the amount of sanctions, there are many companies in Spain that have not yet adapted to it, or have done so in a partial manner or do not periodically review its adequacy; so that, maintenance and review of the adequacy carried out is essential.
In the public sector, the mentioned Law also regulates the use and management of information and files with personal data used by all public administrations.
The Spanish Agency for Data Protection was created in 1994 in accordance with the provisions of the repealed LORTAD. Its headquarters are located in Madrid, although the Autonomous Communities of Madrid, the Basque Country and Catalonia have created their own autonomous Agencies.

Inspection and guardianship of Rights Procedures

Spanish Agency for Data Protection (AEPD)

https://web.archive.org/web/20140318220750/http://www.agpd.es/portalwebAGPD/revista_prensa/revista_prensa/2013/notas_prensa/common/octubre/132910_NP_Memoria_2012.pdf Year 2012

In 2012 complaints filed with the AEPD, increased by 12%. The activity of the Agency has grown significantly in 2012, with an increase of 15% in the files registered and almost 40% in the resolutions issued. The allegations of identity theft, especially in the supply and commercialization of energy and water and in telecommunications, have experienced a substantial increase. Of the 863 infringement decisions declared to private managers, more than 34% concluded in a warning, without imposing a penalty. On the other hand, most of the sanctions affect the telecommunications sector, which represents 73% of the total. Three of the main operators accumulate 70.94% of the total amount of fines.

https://web.archive.org/web/20140320185731/http://www.agpd.es/portalwebAGPD/canaldocumentacion/memorias/memoria_2011/common/Memoria_2011.pdf Year 2011

In 2011, reported complaints were 51.6% higher than those filed in 2010. This increase is also reflected in the increase in declaratory resolutions of infringement of 37.7%. However, the application of the figure of the warning has determined a decrease of 14.5% in the declared economic sanctions. The sector where sanctions have increased most and have been declared to a greater extent and amount, is that of telecommunications. The amount of sanctions has grown by 12% compared to 2010.

Year 2009

In 2009 they increased by more than 75% of the complaints received, which reached the figure of 4,136, and the number of requests for protection of rights, by 58%. 709 sanctioning procedures were resolved, of which 621 ended with sanction with a total amount of 24.8 million euros.
Source: Memory of the Spanish Agency for Data Protection for the years 2007, 2008, 2009.
PlaceSector of economic activityProcedures resolved
1Telecommunications908
2Financial sector768
3Videovigilance721

PlaceSector of economic activityProcedures resolved
1Telecommunications170
2Videovigilance117
3Financial sector89
5Electronic communications and spam39

PlaceType of sanctionPercentage
1Serious74%
2Minor21,3%
3Very Serious4,6%

Year 2008

In 2008 the number of facts reported to the AEPD increased by more than 45%, reaching the value of 2362. AEPD resolved in 2008 a total of 630 sanctioning procedures, almost 58% more than in 2007, of which 535 culminated with the imposition of sanctions. The fines imposed amounted to 22.6 million euros, representing an increase of 15% over the previous year.
The number of procedures solved of declarations of infraction committed by the public administrations rose in 2008 almost 20% with respect to the previous year, going from 66 to 79, of which 59 ended with a declaration of infraction.

Year 2007

In 2007 the Spanish Agency for Data Protection resolved 399 sanctioning procedures, increasing by 32.5% with respect to the previous year. The economic sanctions imposed by the AEPD amounted to 19 600 000 euros.

Autonomous data protection agencies

Year 2007

The Data Protection Agency of the Community of Madrid carried out 196 inspection procedures and 32 procedures for the protection of rights in 2007.
The Basque Data Protection Agency-Datuak Babesteko Euskal Bulegoa, resolved 43 complaints and 18 infringement procedures in 2007.

Ibero-American Data Protection Network

The Ibero-American Data Protection Network, since its creation in 2003, has developed an intense and fruitful work, such as the organization of ten meetings. In addition to contributing to that more than 150 million Latin American citizens currently have, along with the traditional protection of habeas data, rules that allow to effectively guarantee the use of their personal information and specialized authorities with powers to protect said guarantee.
In Latin America policies are being developed for the protection of personal data. In 2012 two new laws were approved. In Nicaragua, Law No. 787 of Protection of Personal Data, of March 29, 2012 and Statutory Law No. 1581 of October 17, 2012, by which general provisions for the Protection of Personal Data are issued.
In Chile, also Law 19.628, of August 28, 1999, on Protection of Private Life, is currently in the process of reviewing part of its articles.
The National Assembly of Venezuela is processing the bill for the Protection of Personal Data of Habeas Data. And in Costa Rica there is already a Data Protection Agency of the Republic of Costa Rica, in compliance with the law approved in 2011.

Information Duty

Personal data are classified according to their greater or lesser degree of sensitivity, being the legal requirements and computer security measures more stringent in terms of this greater degree of sensitivity, being mandatory on the other hand, in any case the declaration of the data protection files to the "Spanish Agency for Data Protection".
Interested parties to which personal data are requested must be previously informed in an express, precise and unambiguous way:
1. The existence of a file or treatment of personal data, the purpose of the collection of these and the recipients of the information.
2. Of the obligatory or optional character of his answer to the questions that are posed to them.
3. The consequences of obtaining the data or the refusal to supply them.
4. Of the possibility of exercising rights of access, rectification, cancellation and opposition.
5. The identity and address of the person responsible for the treatment or, if applicable, his representative.
However, the processing of personal data without having been collected directly from the affected party or interested party is permitted, although it is not exempted from the obligation to report expressly, accurately and unequivocally, by the person responsible for the file or its representative, within of the three months following the start of data processing.
Exception: Communication in three months of such information will not be necessary if the data has been collected from "sources accessible to the public", and are intended for advertising or commercial prospecting, in this case "in each communication addressed to the interested party, he will be informed of the origin of the data and the identity of the person responsible for the treatment, as well as the rights that assist him".
; Model clause
This could be a model clause of information / consent of rights protected by the LOPD:
; Data whose treatment is prohibited

Types of consent

A) Unmistakable consent
The treatment of personal data will require the unambiguous consent of the affected party, unless the law provides otherwise.
B) Tacit Consent
This will be the normal form of consent in cases where an express or express consent is not required in writing.
C) Express consent
Personal data referring to racial origin, health and sexual life may only be collected, processed and assigned when, for reasons of general interest, it is provided by a law or the person expressly consents.
D) Express and written consent
Express consent is required in writing from the affected party regarding data related to ideology, union affiliation, religion and beliefs and may only be transferred with express consent.

Data communication

They have responsibility in the communication and treatment of data not only the legal persons but also freelancers, freelancers, associations, collectives and people who own a blog through from which data from third parties are collected to make queries and for any other transaction.
The personal data object of the treatment can only be communicated to a third party for the fulfillment of purposes directly related to the legitimate functions of the transferor and the transferee with the prior consent of the interested party.
The consent required in the previous section will not be precise:
  1. When the assignment is authorized by law.
  2. In the case of data collected from sources accessible to the public.
  3. When the treatment responds to the free and legitimate acceptance of a legal relationship whose development, compliance and control necessarily implies the connection of said treatment with third-party files. In this case the communication will only be legitimate as long as it is limited to the purpose that justifies it.
  4. When the communication to be made is addressed to the Ombudsman, the Public Prosecutor or the Judges or Courts or the Court of Accounts, in the exercise of the functions assigned to it. Neither will consent be required when the communication is addressed to autonomous institutions with analogous functions to the Ombudsman or the Court of Auditors.
  5. When the transfer occurs between Public Administrations and has as its objective the subsequent processing of the data for historical, statistical or scientific purposes.
  6. When the transfer of personal data related to health is necessary to solve an emergency that requires access to a file or to perform epidemiological studies in the terms established in the legislation on state or regional health.
The consent for the communication of personal data to a third party will be void when the information provided to the interested party does not allow him to know the purpose to which the data will be destined whose communication is authorized or the type of activity of the person to whom it is sent. They intend to communicate.
The consent for the communication of personal data also has a revocable nature.
The one to whom the personal data are communicated is obliged, by the mere fact of the communication, to observe the provisions of this Law.
If the communication is made prior to the dissociation procedure, the provisions of the previous sections will not apply.

Access to the data by third parties

  1. The access of a third party to the data will not be considered as data communication when said access is necessary for the provision of a service to the data controller.
  2. The performance of treatments on behalf of third parties must be regulated in a contract that must be recorded in writing or in some other form that allows proof of its conclusion and content, establishing expressly that the processor will only process the data according to the instructions of the person in charge of the treatment, which will not apply them or use them for purposes other than those stated in said contract, nor will they communicate them, even for their preservation, to other persons.
The contract will stipulate, in addition, the security measures to which refers to article 9 of this Law that the person in charge of the treatment is obliged to implement.
  1. Once the contractual provision has been fulfilled, the personal data must be destroyed or returned to the data controller, as well as any support or documents that contain any personal data object of the treatment.
  2. In the event that the person in charge of the treatment allocates the data for another purpose, communicates them or uses them in breach of the stipulations of the contract, it will also be considered responsible for the treatment, responding to the infractions that would have been incurred personally.

    Criticisms and main problems

Certain aspects of the law were declared unconstitutional in November 2000 and deleted from the current text.
It is considered that the increase in the creation of files and processing of personal data affects the right to protection of citizens' data; This concern was picked up by the European bodies that even ordered that January 28 be held annually on "European Data Protection Day". The celebration dates back to 2006, when the Committee of Ministers of the Council of Europe established the annual celebration of the Data Protection Day in Europe on January 28, commemorating the anniversary of the signing of Convention 108 of the Council of Europe for the protection of persons with regard to the automated processing of personal data.
A very strict compliance with the regulation on data protection could slow down the normal work of a File Manager for the documentary accreditation of the information and consent principles of the LOPD; also in the opposite direction, a mere fulfillment of formal obligations, would leave the law senseless and the citizens unprotected and go against the "spirit" of the LOPD.
The possibility that companies can collect data without the consent of the affected has been criticized.
Certain resolutions of the AEPD have been reason for controversy: