Organic Law 7/2021, of May 26, on data protection

Summary

  • Chapter II. Principles, lawfulness of processing and video surveillance
  • Section 2. Processing of personal data in the field of video surveillance by Security Forces and Corps
  • Chapter III. Rights of persons
  • Section 2. Special regime
  • Chapter IV. Controller and processor
  • Section 2. Security of personal data
  • Section 3. Data protection officer
  • Chapter V. Transfers of personal data to third countries that are not members of the European Union or to international organizations
  • Chapter VI. Independent Data Protection Authorities
  • Chapter VII. Complaints
  • Chapter VIII. Sanctioning regime
  • Additional provisions
  • Transitional provisions
  • Repealing provisions
  • Final provisions
  • Felipe VI King of Spain

    To all who see and understand these presents.

    Know: that the General Courts have approved and I hereby sanction the following Organic Law:

    PREAMBLE

    I

    The European Union is a space in which the standards and guarantees of protection of the rights of natural persons to the protection of personal data are in the international avant-garde and constitute a world reference. The rapid technological development, especially the Internet, as well as the growing globalization of the world and European economy have made it essential to address the reform of the legal framework for data protection, in order to consolidate and even improve this high level of protection through the creation of a new legislative framework, adapted to the changing reality, while solid, coherent and integral. In short, a normative environment for a globalized and digital world.

    In this sense, the communication of the European Commission «A global approach to the protection of personal data in the European Union», of November 4, 2010, preceded by an intense consultation period for more than two years with the Member States, the general public, as well as with the different sectors affected, laid the foundations for what this new normative perspective would be.

    The resulting regulatory framework mainly consists of two instruments: Regulation (EU) 2016/679 of the European Parliament and the Council, of April 27, 2016, regarding the protection of natural persons in terms of personal data processing and the free movement of these data and for which Directive 95/46/EC is repealed (General Data Protection Regulation), which replaces a norm in force for more than twenty years, and the Directive (EU) 2016/680 of the European Parliament and the Council, of April 27, 2016, regarding the protection of natural persons in regards to the processing of personal data by the competent authorities for the purposes of prevention, research, detection or prosecution of criminal infractions or execution of criminal sanctions, and to the free movement of said data and for which the Framework Decision 2008/977/JAI of the Council is repealed.

    In our legal system, Organic Law 3/2018, of December 5, on the Protection of Personfree movement of this data.

    II

    Directive (EU) 2016/680 of the European Parliament and the Council, of April 27, 2016, object of transposition by this Organic Law, repeals the Framework Decision 2008/977/JAI of the Council, of November 27, 2008, relative to the protection of personal data treated in the framework of police and judicial cooperation in criminal matters, which had been overcome for several reasons.

    In the first place, it was a rule prior to the Lisbon Treaty that required its timely adaptation to the new treaties, in particular, to article 16 of the Treaty on the Functioning of the European Union, which requires that the European Council and Parliament, through the ordinary legislative procedure, regulate the protection of personal data.

    Secondly, the Framework Decision was approved in accordance with the pillar structure of the European Union, prior to the Lisbon Treaty, so it had an area of application limited exclusively to the processing of personal data of a cross-border nature between the Member States, without reaching, therefore, the treatments of a strictly national nature.

    Likewise, it granted a wide capacity to maneuver to the Member States, without ensuring a minimum level of desirable harmonization in certain areas, such as recognition in all states of the right of access to their own data, the principle of treatment of data for certain purposes or conditions for international transfers.

    In short, the fragmentation and complexity of the regulation in this field harmed the necessary confidence between the actors of the criminal police and judicial cooperation in Europe, who showed misgivings to share information, among other reasons, for the absence of a minimum harmonization as regards the protection of personal data; data that are essential in the field of operational cooperation.

    III

    The Directive (EU) 2016/680 of the European Parliament and the Council, of April 27, 2016, remedies these deficiencies, expanding its scope to the national treatment of personal data in the space of police and judicial criminal cooperation. It likewise covers other deficiencies of the previous European regulations, since it includes the regulation of genetic data, which the European Court of Human Rights claimed, as well as the distinction between personal data according to their degree of accuracy and reliability, or the differentiation between different categories of interested parties.

    It is pertinent to highlight that the aforementioned directive that this Organic Law transposes was approved in response to the growing threats to security in the national and international context, which have, in numerous cases, a cross-border component. For this reason, international cooperation and the transmission of personal information between the police and judicial services of the countries involved become an unavoidable objective. Indeed, the New York terrorist attacks in 2001 were a turning point in the need to reinforce judicial and police cooperation in the fight against terrorism, as would be shown again on the occasion of the attacks in Brussels and Nice in 2016.

    Cooperation aimed at sharing the precise operational information in time has become a requirement for efficacy in the prevention of and fight against this type of threat. All this, taking into account the state of the art, which currently allows large-scale data treatments in the field of security.

    This exchange of information must be carried out, in any case, so that democratic principles and the safety of people are guaranteed throughout the treatment phases.

    Consequently, this Organic Law assumes the purpose of achieving a high level of protection of citizenship rights, in general, and their personal data, in particular, that is equivalent to that of the rest of the Member States of the European Union, incorporating and specifying the rules established by the Directive.

    In this sense, the Spanish Constitution was a precursor to the recognition and defense of the fundamental right to the protection of personal data. Thus, article 18.4 of our fundamental norm provides that the law will limit the use of computer science to guarantee the personal and family intimacy of citizens and the full exercise of their rights. The Constitutional Court, in repeated jurisprudence, understands data protection as a fundamental right that guarantees every person the ability to control the use and destination of their data, with the purpose of avoiding the illicit or harmful traffic of them or a use for purposes other than those that justified their obtaining.

    Therefore, the transposition of this directive by the Member States implies the establishment of a consistent legal framework, which provides the necessary legal certainty to facilitate criminal police and judicial cooperation and, therefore, greater efficacy in the performance of their functions for security forces and bodies and our criminal judicial system as a whole, including the penitentiary.

    IV

    This Organic Law consists of sixty-five articles structured in eight chapters, five additional provisions, one transitional provision, one repealing provision and twelve final provisions.

    Chapter I, relating to the general provisions, defines the object of the Organic Law, being understood as the regulation of the processProtection and prevention against threats against public safety, when such treatment is carried out by the organs that, for the purposes of this Organic Law, are considered competent authorities.

    The main purpose is that the data is treated by these competent authorities so that the intended purposes are met while establishing the highest standards for the protection of fundamental rights and freedoms of citizens, so that the provisions of Article 8, section 1, of the Charter of the Fundamental Rights of the European Union, as well as of article 16, section 1, of the Treaty on the Functioning of the European Union and article 18.4 of the Constitution are complied with.

    Also, in correspondence with the provisions of article 22.6 of Organic Law 3/2018, of December 5, when the processSecurity forces and bodies, or is carried out by the competent bodies for surveillance and control in the prison or for the control, regulation, surveillance and discipline of traffic, such treatments will be regulated by the provisions of this Organic Law, complemented, in what is not contrary to its content, by the current regulations that regulate these areas. In this way, a new system is established that revolves around the obligations of those responsible for the treatment and the different missions assigned to them.

    Although some specific forecasts are also included in general, some specific forecasts are included for the process.

    The competent authorities, for the purposes of this Organic Law, are defined as public authorities with legally entrusted competences for the achievement of the specific purposes included in the scope of application. Specifically, it is determined that they will be competent authorities: the security forces and bodies; the judicial authorities of the criminal jurisdictional order and the Fiscal Ministry; penitentiary administrations; the Deputy Directorate of Customs Surveillance; the Executive Service of the Commission for the Prevention of Money Laundering and Monetary Infractions; and the commission for surveillance of terrorism financing activities. All this, notwithstanding that the treatments carried out by the jurisdictional bodies are governed by the provisions of this Organic Law, of Organic Law 6/1985, of July 1, of the Judiciary, and of the criminal procedural laws.

    Certain treatments are expressly excluded from the scope, such as those carried out by the competent authorities for purposes other than those covered by the Organic Law; those carried out by the organs of the General State Administration within the framework of the activities included in the scope of Chapter II of Title V of the Treaty of the European Union, in relation to common foreign policy and security; those derived from an activity not included in the scope of the Law of the European Union; and those subject to the regulations on classified matters. Among the latter, the treatments related to national defense are expressly mentioned as included.

    Chapter II refers to the principles of data protection whose guarantee corresponds to the person in charge of the treatment. These principles are regulated in terms similar to the provisions of the General Data Protection Regulation, with some specialties of the field of this Organic Law.

    A duty of collaboration with the competent authorities is included, according to which, unless judicial authorization is legally required, public administrations or any natural or legal person must provide the Fiscal Ministry or the Judicial Police with the information necessary for the investigation or prosecution of criminal offenses or the execution of the penalties and the information necessary for protection and prevention against a real and serious danger for public security. All this, with the obligation not to inform the interested party of these further treatments. This last precision is essential to prevent knowledge of the information available from endangering the purposes that, in accordance with the Directive and this Organic Law, justify the processing of the data.

    It also regulates the conservation and review terms of the personal data treated, being relevant the establishment of a maximum data conservation period with a general character and the implementation of a system that allows the person responsible to review, in the deadline that it establishes within the legal margin, the need to preserve, limit or suppress the set of personal data contained in each of its treatment activities. The person in charge must, in their treatments, distinguish the data that correspond to the various categories of interested parties, such as suspects, convicted or sanctioned, victims or third parties involved, as well as differentiate, as far as possible, whether the data treated are based on facts or on appreciations.

    Certain conditions are also required that determine the legality of any personal data processing, that is, that they are treated by the competent authorities; that they are necessary for the purposes of this Organic Law; and that, if necessary and in each particular field, the specialties are specified by a norm with a range of law that includes minimum content.

    In the case of data transmission subject to specific treatment conditions, these conditions must be respected by their recipient, especially the prohibition of transmitting them or using them for purposes other than those for which they were transmitted.

    Similarly, it is required that the treatment of special categories of data, such as those that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, trade union affiliation, or genetic or biometric data, can only take place when strictly necessary and when certain conditions are met.

    Biometric data (such as fingerprints or facial image) are only considered included in this special category when their treatment is aimed at uniquely identifying a natural person. This need for identification in legally protected actions is often carried out by the different competent authorities. The purpose is to singularize the authors or participants of criminal offenses, as well as be able to recognize whether the people who are supposed or sought, and in this way, attribute or exonerate, without any kind of doubt, participation in certain facts, thanks to possible biometric signs or vestiges.

    Given the vertiginous technological evolution and the electronic means available, the legal qualification is included that facilitates a rapid and adequate response in the use of these data, with the ultimate goal of guaranteeing and protecting the rights of the interested parties and of general citizenship.

    The adoption of automated individual decisions is also prohibited, including the elaboration of profiles in this area, unless authorized by a rule with a rank of the Spanish or European legal system.

    Chapter III is divided into two sections and addresses the rights of people. It regulates a series of general conditions for the exercise of rights, such as the obligation required of the person responsible to facilitate the information corresponding to the rights of the interested party in a concise manner, in clear and simple language and free of charge. The information that must be made available to the interested party is established, some data being mandatory in any case, and others in specific cases.

    The rights of access, rectification, suppression and limitation of treatment are recognized. By virtue of such rights, the interested party is empowered to know whether or not their data are being treated and, if so, access certain information about the treatment; to obtain the rectification of their data if these are inaccurate; to suppress them when they are contrary to the provisions of articles 6, 11 or 13, or when required by a legal obligation required of the person responsible; and to limit the treatment, when the interested party doubts the accuracy of the data or when these data should be kept only for probative purposes.

    These rights may be exercised by the interested party directly or, in certain cases, through the data protection authority.

    This Organic Law provides that these rights can be restricted for certain specified causes, such as when necessary to prevent an investigation from being hindered or public security or national security from being endangered.

    A special regime for the rights of those interested in the framework of investigations and criminal proceedings is established in its second section.

    Chapter IV includes the obligations and responsibilities of those responsible for and those in charge of the treatment in matters of data protection, security measures and the figure of the data protection delegate, throughout three sections. The person in charge of the treatment, taking into account the nature, the scope, the context and the purposes of the treatment, as well as the risk levels for the rights and freedoms of the natural persons, will apply the appropriate technical and organizational measures.

    The person in charge of the treatment will carry out its functions on behalf of the person responsible, and must offer guarantees to apply appropriate technical and organizational measures.

    All those responsible for and those in charge of the treatment must retain a registration of treatment activities, with identifying data, such as the contact data of the responsible, the purposes or categories of interested parties, and a registration of operations, cornerstone of this system and basic instrument to prove compliance with several of the treatment principles, which will include collection, alteration, consultations and transfers of personal data among other operations. They are also obliged to cooperate with the data protection authority, within the framework of current legislation.

    Certain obligations are established that respond to a new model of active responsibility that requires a prior assessment of the risk that the processing of personal data could generate for interested parties, in order to adopt, on the basis of said assessment, the measures that proceed.

    Detailed attention is given to the security of the treatment, regulating some of the security measures that will be applied, although only the implementation of the aforementioned registration of operations as a technical and organizational measure is mandatory, the others being those that the person responsible determines as the most appropriate to achieve the control required by virtue of the type of treatment that is being carried out and the level of risk that is estimated, after the corresponding analysis. The duty of notification to the data protection authority of any security violation is also imposed, which, in general, must also be notified to the interested party, except in cases expressly provided for in the law.

    The Data Protection Delegate is configured as the monitoring body or figure of those responsible for data protection, which may be unique for several competent authorities and whose designation will be mandatory except in relation to data treatments for jurisdictional purposes. In the event that treatments that are under different areas of application are available, in order to avoid dysfunctions in the organizations of the competent authorities, it is established that the figure of the Data Protection Delegate will be unique for all of them.

    Chapter V regulates the transfers of personal data made by the Spanish competent authorities to a State that is not a member of the European Union or to an international organization, including subsequent transfers to another State that does not belong to the European Union or to another international organization, and the conditions that must be met so that these are lawful are established.

    Thus, in order to ensure that the level of protection of the natural persons provided for in this Organic Law is not impaired, the transfer will respect certain conditions provided for in the same. In this way, they should only be carried out when necessary for the purposes of this Organic Law and when the person responsible for treatment in the third country or international organization is competent authority in relation to said purposes.

    Likewise, when the data is transferred to a third country or an international organization, the competent authority of the Member State in which the data was obtained must previously authorize this transfer and the subsequent ones that may take place to another third country or an international organization. As for the third country or international organization of the transfer, it must be subject to evaluation by the European Commission in view of its level of data protection or, in case of absence of decision, the person responsible for the treatment must understand that it offers adequate guarantees. Only for the exceptional causes provided for in this Organic Law may transfers outside these cases be authorized. This chapter ends with the regulation of the international transfer of personal data to recipients that, not being competent authorities, are established in third countries.

    Chapter VI, relating to data protection authorities, provides that these authorities be the Spanish Agency for Data Protection and regional data protection agencies, in their respective competence areas. Likewise, the Organic Law includes their powers, functions and assistance between data protection authorities of the Member States. For the remainder, reference is made to the regulations that are applicable.

    Chapter VII provides that the claim procedures brought before the data protection authorities are governed by the provisions of Organic Law 3/2018, of December 5, or, where appropriate, by the regulations governing the corresponding data protection authority. It refers to those cases in which those responsible for or in charge of the treatment, or the data protection authority, where appropriate, breach this Organic Law and generate damage or injury to the assets or rights of the interested party.

    This chapter, in addition, addresses the responsibility of those responsible for or in charge of the treatment, or of the data protection authority, where appropriate, when they fail to comply with this Organic Law and generate damage or injury to the assets or rights of an interested party. In the same way, it addresses the way of exercising the right to effective judicial protection before the contentious-administrative jurisdiction against the decisions of a data protection authority that can be understood to concern those interested.

    Finally, chapter VIII regulates the specific sanctioning regime applicable to breaches of the obligations provided for in this Organic Law. The subjects on whom responsibility for the infractions committed will fall are defined. Rules are established to resolve cases in which a fact can be qualified in accordance with two or more of them, while the infractions are determined, which, depending on their gravity, may be slight, serious or very serious. Finally, the sanctions that can be imposed are established, and the prescription periods of both infractions and sanctions and expiration are set.

    Additional provisions refer to specific regimes, the exchange of data within the European Union, international agreements in the field of judicial cooperation in criminal matters and police cooperation, and the treatments carried out in relation to files and to the Population Registry of Public Administrations.

    The final provisions introduce the necessary modifications to Organic Law 1/1979, of September 26, General Penitentiary, to adapt it to the forecasts of this Organic Law in relation to the treatments for the execution of the penalty; in Law 50/1981, of December 30; in Organic Law 6/1985, of July 1; in Organic Law 3/2018, of December 5; in Organic Law 1/2020, of September 16, on the use of the data of the registration of passenger names for the prevention, detection, investigation and prosecution of crimes of terrorism and serious crimes in correspondence with certain obligations of the operators; in Law 19/2007, of July 11, against violence, racism, xenophobia and intolerance in sports; in Law 5/2014, of April 4, on Private Security, to adapt, in both cases, the expiration deadlines of the sanctioning files; and in the consolidated text of the Law on Traffic, Circulation of Motor Vehicles and Road Safety, approved by Royal Legislative Decree 6/2015, of October 30, to give specific legal support to enrollments for reasons of national security.

    In the elaboration of this Organic Law, the principles of necessity, effectiveness, proportionality, legal certainty, transparency and efficiency, required by article 129 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, have been observed.

    In the first place, it is a necessary norm, given that the transposition of the Directive (EU) 2016/680 of the European Parliament and the Council, of April 27, 2016, requires an organic law, since the community norm affects a fundamental right recognized in article 18 of the Constitution and by imperative of article 81 of the same. In this sense, article 18.4 of the Constitution provides that the law will limit the use of computer science to guarantee the honor and the personal and family intimacy of citizens and the full exercise of their rights.

    This Organic Law also incorporates into our internal order the instruments that will allow effective protection of the data of natural persons against their treatment by the competent authorities for prevention, detection, investigation or prosecution of criminal infractions or execution of criminal sanctions, including protection and prevention against threats against public safety.

    With regard to the principle of legal certainty, due to the subject matter, the transposition of the directive is carried out through an organic law, whose processing and integration in the legal system enjoys the guarantees that protect the norms of this nature.

    Regarding the principle of proportionality, this Organic Law contemplates an important number of guarantees aimed at ensuring that the processing of personal data is proportional, timely, minimum and sufficient for the fulfillment of the purposes pursued. In particular, its treatment is subject to the principles that govern the processEuropean or for our domestic law. When personal data is treated for purposes other than those of the prevention, detection, investigation or prosecution of criminal offenses or the execution of criminal sanctions, including protection and prevention against threats against public safety, the General Data Protection Regulation applies, unless the treatment is carried out as part of an activity that is outside the scope of European Union Law.

    The principle of transparency is also fulfilled, since this rule has been submitted to the corresponding public participation procedures, that is, the prior public consultation and the audience and public information.

    In the processing of this Organic Law, in addition to the various ministries concerned by reason of the subject, the following have issued their report: the Spanish Agency for Data Protection; the Basque data protection agency; the Catalan Data Protection Authority; the Fiscal Council; the General Council of the Judiciary; the Public Security Departments of the Basque Government and the Interior of the Generalitat of Catalonia; and finally the State Council. It is, therefore, a text in which the considerations of organs as relevant as those listed have been incorporated.

    Finally, this Organic Law is issued under rules 1.ª, 6.ª, 18.ª and 29.ª of Article 149.1 of the Constitution, which attribute to the State the exclusive powers, respectively, for the regulation of the basic conditions that guarantee the equality of all Spaniards in the exercise of rights and in the fulfillment of constitutional duties; on criminal, penitentiary and procedural legislation; regarding the basis of the legal regime of public administrations, the common administrative procedure and in relation to the system of responsibility of all public administrations; and in terms of public safety.

    Chapter I General provisions

    Article 1 Object

    This Organic Law is aimed at establishing the norms related to the protection of natural persons in regard to the processof execution of criminal sanctions, including protection and prevention against threats against public safety.

    Article 2 Scope of application

    1. It will be applied to totally or partially automated treatment of personal data, as well as the non-automated treatment of personal data contained or intended to be included in a file, carried out by the competent authorities, for prevention, detection, research and prosecution of criminal infractions and execution of criminal sanctions, including protection and prevention against threats against public safety.

    2. The processing of the personal data carried out on the occasion of the processing by the judicial bodies and prosecutors of the actions or processes of which they are competent, as well as that carried out within the management of the Judicial and Fiscal Office, within the scope of Article 1, shall be governed by the provisions of this Organic Law, without prejudice to the provisions of Organic Law 6/1985, of July 1, of the Judiciary, the procedural laws that are applicable and, where appropriate, by Law 50/1981, of December 30, which regulates the Organic Statute of the Fiscal Ministry. The data protection authorities referred to in Chapter VI will not be competent to control these treatment operations.

    3. The following personal data treatments are outside the scope of this Organic Law:

    4. This Organic Law will not apply to the data treatments of deceased persons, without prejudice to the provisions of the following article.

    Article 3 Data of deceased persons

    1. People linked to the deceased for family or de facto reasons, as well as their heirs, may address the person responsible for or in charge of the treatment in order to request access, rectification or suppression of the data of the deceased. These rights will be regulated in accordance with the provisions of this Organic Law.

    2. In case of death of minors, these powers may also be exercised by their legal representatives or, within the framework of their powers, by the Prosecutor's Office, which may act ex officio or at the request of any interested person.

    3. In the event of the death of people with disabilities, these powers may also be exercised, in addition to those indicated in the previous section, by those who had been designated for the exercise of support functions, if such faculties were understood to be included in the support measures provided by the designated person.

    Article 4 Competent authorities

    1. It will be competent authority, for the purposes of this Organic Law, any public authority that has legally entrusted competences for the processing of personal data with any of the purposes provided for in article 1.

    In particular, they will have that consideration, within the scope of their respective competences, the following authorities:

    2. The judicial authorities of the criminal jurisdictional order and the Fiscal Ministry will also be considered competent authorities.

    Article 5 Definitions

    For the purposes of this Organic Law, it will be understood by:

    Chapter II Principles, lawfulness of treatment and video surveillance

    Section 1 Principles and lawfulness of treatment

    Article 6 Principles related to the processing of personal data

    1. Personal data will be:

    2. Personal data collected by the competent authorities will not be treated for purposes other than those established in Article 1, unless said treatment is authorized by European Union law or by Spanish legislation. When personal data are treated for other purposes, the General Data Protection Regulation and Organic Law 3/2018, of December 5, will apply, unless the treatment is carried out as part of an activity that falls outside the scope of European Union law.

    3. Personal data may be treated by the same person responsible or by another, for purposes established in Article 1 other than the one for which they were collected, provided that both of the following circumstances are met:

    4. Treatment by the same person responsible or by another may include archiving for reasons of public interest, and scientific, statistical or historical use for the purposes established in Article 1, subject to the appropriate guarantees for the rights and freedoms of the interested parties.

    5. The person in charge of the treatment must guarantee and be able to demonstrate compliance with the provisions of this article.

    Article 7 Duty of collaboration

    1. Public administrations, as well as any natural or legal person, will provide the judicial authorities or the Judicial Police with the data, reports, background information and supporting documents that they request and that are necessary for the investigation and prosecution of criminal offenses or for the execution of penalties. The request of the Judicial Police must be limited exclusively to the exercise of the functions entrusted to it by article 549.1 of Organic Law 6/1985, of July 1, and must always be made in a reasoned, concrete and specific manner, in every case giving account to the Judicial and Fiscal Authority.

    The communication of data, reports, background information and supporting documents by the Tax Administration, the Social Security Administration and the Labor and Social Security Inspection will be carried out in accordance with their respective legislation.

    2. In the remaining cases, public administrations, as well as any natural or legal person, will provide the data, reports, background information and supporting documents to the competent authorities that request them, provided that these are necessary for the specific performance of their missions for the prevention, detection and investigation of criminal offenses and for prevention and protection against a real and serious danger to public safety. The request of the competent authority must be concrete and specific and contain the reasoning that proves its relationship with the indicated cases.

    3. The provisions of the previous sections will not apply when judicial authorization is legally required to collect the data necessary for compliance with the purposes of Article 1.

    4. In the cases contemplated in the previous sections, the interested party will not be informed of the transmission of his data to the competent authorities, or of access to them having been facilitated to said authorities in any other way, in order to guarantee the investigative activity.

    With the same purpose, the subjects on which the legal system imposes a specific duty of collaboration with the competent authorities for the fulfillment of the purposes established in Article 1 will not inform the interested party of the transmission of his data to said authorities, or of access to them having been facilitated to these authorities in any other way, in compliance with their specific obligations.

    Article 8 Conservation and review

    1. The person in charge of the treatment will determine that the conservation of personal data takes place only during the time necessary to comply with the purposes provided for in Article 1.

    2. The person in charge of the treatment must review the need to preserve, limit or suppress the set of personal data contained in each of the treatment activities under his responsibility, at most every three years, paying special attention in each review to the age of the person affected, the nature of the data and the conclusion of an investigation or criminal procedure. If possible, it will be done by appropriate automated treatment.

    3. In general, the maximum period for the suppression of the data will be twenty years, unless there are factors such as the existence of open investigations or crimes that have not prescribed, the non-conclusion of the execution of the penalty, recidivism, the need to protect the victims or other reasoned circumstances that make the processing of the data necessary for the fulfillment of the purposes of Article 1.

    Article 9 Distinction between categories of interested parties

    The person responsible for the treatment, as far as possible, will establish among the personal data of the different categories of interested parties, distinctions such as:

    The foregoing must not prevent the application of the right to the presumption of innocence as guaranteed by Article 24 of the Constitution.

    Article 10 Verification of the quality of personal data

    1. The person responsible for the treatment, as far as possible, will establish a distinction between personal data based on facts and those based on personal assessments.

    2. The competent authorities will adopt all reasonable measures to ensure that personal data that are inaccurate, incomplete or not up to date are not transmitted or made available to third parties. In any data transmission, the assessment of its quality, accuracy and currency will be transferred at the same time.

    To the extent possible, in all personal data transmissions the necessary information will be added so that the competent receiving authority can assess to what extent they are accurate, complete and reliable, and to what extent they are up to date. Likewise, the competent transmitting authority, to the extent that it is feasible, will check the quality of personal data before transmitting them or making them available to third parties.

    3. If it is observed that the personal data transmitted are incorrect or that they have been transmitted illegally, the recipient will be informed of these circumstances without undue delay. In such a case, the data must be rectified or suppressed, or the treatment must be limited in accordance with the provisions of Article 23.

    Article 11 Lawfulness of treatment

    1. The treatment will only be lawful to the extent that it is necessary for the purposes indicated in Article 1 and is carried out by a competent authority in the exercise of its functions.

    2. Any law that regulates personal data treatments for the purposes included within the scope of this Organic Law must indicate, at least, the objectives of the treatment, the personal data that will be subject to it and the purposes of the treatment.

    Article 12 Specific conditions of treatment

    1. When European Union law or Spanish legislation provides for specific conditions applicable to the treatment, the competent transmitting authority must inform the recipient to which the data are transmitted of said conditions and of the obligation to respect them.

    2. The specific treatment conditions may be, among others, the prohibition of transmitting the data or of using them for purposes other than those for which they were transmitted or, in case of limitation of the right to information, the prohibition of giving information to the interested party without the prior authorization of the transmitting authority.

    3. The transmitting competent authority will not apply to recipients in other Member States of the European Union, or to agencies, offices and bodies established by virtue of chapters 4 and 5 of Title V of Part Three of the Treaty on the Functioning of the European Union, conditions other than those applicable to similar data transmissions within Spain.

    Article 13 Treatment of special categories of personal data

    1. The processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical convictions or union affiliation, as well as the processing of genetic data, biometric data aimed at uniquely identifying a natural person, and data relating to the health or to the sexual life or sexual orientation of a natural person, will only be allowed when strictly necessary, subject to adequate guarantees for the rights and freedoms of the interested party and when any of the following circumstances are fulfilled:

    2. The competent authorities, within the framework of their respective functions and competences, may treat biometric data aimed at uniquely identifying a natural person for the purposes of prevention, investigation and detection of criminal offenses, including protection and prevention against threats against public safety.

    3. The data of minors and of persons with judicially modified capacity or who are involved in proceedings of said nature will be treated guaranteeing their best interest and with the appropriate security level.

    Article 14 Automated individual decision mechanism

    1. Decisions based solely on automated treatment, including profiling, which produce negative legal effects for the interested party or significantly affect him, are prohibited unless expressly authorized by a rule with the rank of law or by European Union law. The rule enabling the treatment must establish the appropriate measures to safeguard the rights and freedoms of the interested party, including the right to obtain human intervention in the process of reviewing the decision adopted.

    2. The decisions referred to in the previous section will not be based on the special categories of personal data contemplated in Article 13, unless the appropriate measures have been taken to safeguard the rights and freedoms and legitimate interests of the interested party.

    3. Profiling that leads to discrimination against natural persons based on the special categories of personal data established in Article 13 is prohibited.

    Section 2 Treatment of personal data in the field of video surveillance by security forces and bodies

    Article 15 Image and sound recording systems for security forces and bodies

    1. The capture, reproduction and treatment of personal data by the Security Forces and Bodies under the terms provided for in this Organic Law, as well as the preparatory activities, will not be considered illegitimate interference with the right to honor, to personal and family privacy and to one's own image, for the purposes of Article 2.2 of Organic Law 1/1982, of May 5, on the civil protection of the right to honor, to personal and family privacy and to one's own image.

    2. In the installation of image and sound recording systems, the following criteria will be taken into account: ensuring the protection of their own buildings and facilities; ensuring the protection of public buildings and facilities and their accesses that are under custody; safeguarding and protecting facilities useful for national security; and preventing, detecting or investigating the commission of criminal offenses and protection and prevention against threats against public security.

    Article 16 Fixed systems installation

    1. On public roads or in public places where fixed video cameras are installed, the person in charge of the treatment must assess the aforementioned principle of proportionality in its double aspect of suitability and minimum intervention. Likewise, he must carry out a risk analysis or a data protection impact assessment for the treatment that is intended to be carried out, depending on the level of harm that may result for citizens and the purpose pursued.

    A fixed video camera will be understood as one anchored to a fixed support or facade, even though the recording system can move in any direction.

    2. This provision will also apply when the security forces and bodies use fixed video camera installations of which they are not the holders and there is, on their part, effective control and direction of the complete treatment process.

    3. These fixed video camera installations will not be subject to the preventive control of local entities provided for in their basic regulatory legislation, or to the exercise of the powers of the different public administrations, notwithstanding that they must respect the principles of the legislation in force in each material field of administrative action.

    4. The owners and, where appropriate, the holders of real rights over the assets affected by these installations, or those who possess them under any title, are obliged to facilitate and allow their installation and maintenance, without prejudice to any compensation that may be due.

    5. Citizens will be clearly and permanently informed of the existence of these fixed video cameras, without specifying their location, as well as of the authority responsible for the treatment before which they may exercise their rights.

    Article 17 Mobile devices

    1. Mobile image and sound capture devices may be used for the best compliance with the purposes provided for in this Organic Law, in accordance with the specific competences of security forces and bodies. The image and sound take. The use of mobile devices must be authorized by the person holding the Government Delegation or Subdelegation, who will take into account the nature of the possible events liable to be filmed, adapting the use of said devices to the principles of treatment and to that of proportionality.

    In the case of the police forces of the Autonomous Communities that have and exercise competences assumed for the protection of people and property and for the maintenance of public order, it will be their corresponding bodies that authorize this type of action for their police forces, as well as for those dependent on local corporations based in their territory.

    2. In these cases of mobile devices, authorizations may in no case be granted indefinitely or permanently; they will be granted for the period appropriate to the nature and circumstances of the concrete danger or event, for a maximum period of one month, extendable for another.

    3. In cases of urgency or unavoidable necessity, the operational head of the competent Security Forces and Bodies may determine their use, and such action must be communicated as soon as possible, and always within 24 hours, to the Government Delegate or Subdelegate or the competent authority of the Autonomous Communities.

    Article 18 Treatment and conservation of images

    1. Once the filming has been carried out in accordance with the requirements established in this Organic Law, if the recording captures the commission of acts that could constitute criminal offenses, the security forces and bodies will place the original tape or medium of the images and sounds, in its entirety, at the disposal of the judicial authority as soon as possible and, in any case, within a maximum period of seventy-two hours from its recording. If the police report cannot be drafted within that period, the facts will be verbally reported to the Judicial Authority, or to the Fiscal Ministry, together with the delivery of the recording.

    2. If the recording captures acts that could constitute administrative infractions related to public safety, it will be sent to the competent body immediately, for the initiation of the appropriate sanctioning procedure.

    3. The recordings will be destroyed within a maximum period of three months from their capture, unless they are related to serious or very serious criminal or administrative infractions in matters of public safety, are subject to an ongoing police investigation, or are related to an open judicial or administrative procedure.

    Article 19 Disciplinary Regime

    1. Without prejudice to the criminal liability they could incur, infractions of the provisions of this Organic Law by members of the Security Forces and Bodies will be sanctioned according to the disciplinary regime corresponding to the offenders and, failing that, subject to the general regime of sanctions regarding personal data protection established in this Organic Law.

    2. The following infractions will be considered very serious offenses in the disciplinary regime of the State Security Forces and Bodies:

    Chapter III Rights of persons

    Section 1 General regime

    Article 20 General conditions for exercising the rights of the interested parties

    1. The person responsible for the treatment must provide the interested party, in a concise, intelligible and easily accessible form and in clear and simple language for all persons, including those with disabilities, with all the information contemplated in Article 21, as well as that derived from Articles 14, 22 to 26 and 39.

    In addition, the person responsible for the treatment must adopt the necessary measures to guarantee the interested party the exercise of the rights referred to in Articles 14 and 22 to 26.

    2. The interested party, having the capacity to act, may act in his own name and on his own behalf or through representatives, in accordance with the provisions of the regulations on the common administrative procedure of public administrations.

    3. The information will be provided by any appropriate means, including electronic means, trying to use the same medium used in the request.

    4. The person in charge of the treatment will inform the interested party, without undue delay, of the course given to his request. The request will be understood to be dismissed if, one month after its submission, it has not been expressly resolved and notified to the interested party.

    5. The information referred to in section 1 will be provided free of charge. When the requests of an interested party are manifestly unfounded or excessive, in particular due to their repetitive character, the person responsible for the treatment may refuse to admit them for processing, by means of a reasoned resolution.

    The person in charge of the treatment must demonstrate the manifestly unfounded or excessive nature of the request.

    In any case, the request will be considered repetitive when three requests are made on the same matter during a period of six months, unless there is a legitimate cause for this.

    6. When the person responsible for the treatment has reasonable doubts about the identity of the natural person making the request referred to in Articles 22 and 23, he will require that person to provide the additional information necessary to confirm his identity within ten days. If this period elapses without the information being provided, the request will be deemed withdrawn by reasoned resolution. The period referred to in section 4 will begin to run from the date on which such additional information is provided.

    Article 21 Information that must be made available to the interested party

    1. The person responsible for the processing of the data will make at least the following information available to the interested party:

    2. In addition to the information referred to in section 1, and having regard to the circumstances of the specific case, the person in charge of the treatment will provide the interested party with the following additional information to allow the exercise of his rights:

    Article 22 Right of access of the interested party to his personal data

    1. The interested party will have the right to obtain from the person responsible for the treatment confirmation of whether or not personal data concerning him are being treated. If the treatment is confirmed, the interested party will have the right to access said personal data, as well as the following information:

    2. When the person in charge treats a large amount of information related to the interested party and the latter exercises his right of access without specifying whether it refers to all or part of the data, the person in charge may require the interested party to specify the request within ten days.

    3. The right of access will be understood to be granted if the person in charge of the treatment provides the interested party with a remote, direct and secure system that guarantees, on a permanent basis, access to all of his personal data. The notification informing the interested party of the procedure set up through this system will make it possible to deny a request for access made by other means.

    If remote access does not facilitate all the information contained in section 1, the interested party will have the right to request it.

    4. When the interested party chooses a different medium from that offered to suppose a disproportion. In this case, the person responsible for the treatment will only be required to satisfy the right of access through the proposed means without undue delay. If the interested party does not assume the excess cost, access will be provided by the medium initially proposed by the person responsible for the treatment.

    Article 23 Rights of rectification, suppression of personal data and limitation of their treatment

    1. The interested party will have the right to obtain from the person in charge of the treatment, without undue delay, the rectification of the personal data concerning him, when such data are inaccurate.

    Taking into account the purposes of treatment, the interested party will have the right to have personal data completed when they are incomplete.

    The interested party must indicate in his request which data it refers to and the correction to be made. The request must be accompanied, when necessary, by documentation justifying the incomplete or inaccurate character of the data under treatment.

    2. The person in charge of the treatment, on his own initiative or as a result of the exercise of the right of suppression by the interested party, will suppress personal data without undue delay and, in any case, within a maximum period of one month from when he becomes aware, when the treatment infringes Articles 6, 11 or 13, or when personal data must be suppressed by virtue of a legal obligation to which he is subject.

    3. Instead of proceeding to suppression, the person responsible for the treatment will limit the processing of personal data when any of the following circumstances are given:

    When the treatment is limited by virtue of letter a), the person in charge of the treatment will inform the interested party before lifting the limitation of the treatment.

    4. In the event that the person responsible for the treatment rectifies inaccurate personal data that come from another competent authority, the rectification must be communicated to the latter.

    5. When personal data have been rectified or suppressed or the treatment has been limited, the person responsible for the treatment will notify the recipients, who must rectify or suppress the personal data that are under their responsibility or limit their treatment.

    Article 24 Restrictions on the rights of information, access, rectification, suppression of personal data and limitation of their treatment

    1. The person responsible for the treatment may postpone, limit or omit the information referred to in Article 21.2, as well as deny, totally or partially, requests to exercise the rights contemplated in Articles 22 and 23, provided that, taking into account the fundamental rights and legitimate interests of the person affected, it is necessary and proportionate for the achievement of the following purposes:

    2. In the event of restriction of the rights contemplated in Articles 22 and 23, the person responsible for the treatment will inform the interested party in writing without undue delay, and in any case within one month from becoming aware, of said restriction, of the reasons for it, and of the possibility of filing a complaint with the data protection authority, without prejudice to the other judicial actions that he may exercise under the provisions of this Organic Law.

    The reasons for the restriction may be omitted or replaced by a neutral wording when the disclosure of the reasons for the restriction may put at risk the purposes referred to.

    3. The person responsible for the treatment will document the factual or legal grounds on which the decision denying the exercise of the right of access is based. This information will be available to data protection authorities.

    Article 25 Exercise of the rights of the interested party through the data protection authority

    1. In cases where there is a postponement, limitation or omission of the information referred to in Article 21 or a restriction of the exercise of the rights contemplated in Articles 22 and 23, under the terms provided for in Article 24, the interested party may exercise his rights through the competent data protection authority. The person in charge of the treatment will inform the interested party of this possibility.

    2. When, by virtue of the provisions of the previous section, the rights are exercised through the data protection authority, the latter must inform the interested party, at least, that all the necessary checks or the corresponding review have been carried out and of his right to file a contentious-administrative appeal.

    Section 2 Special regime

    Article 26 Rights of the interested parties as a consequence of criminal investigations and proceedings

    1. The exercise of the rights of information, access, rectification, suppression and limitation of treatment referred to in the previous articles will be carried out in accordance with the rules of criminal procedure when the personal data appear in a judicial resolution, or in a record, proceedings or files processed in the course of criminal investigations and proceedings.

    2. When the data are subject to a treatment for jurisdictional purposes for which a body of the criminal jurisdictional order, or the Fiscal Ministry, is responsible, the exercise of the rights of information, access, rectification, suppression and limitation of treatment will be carried out in accordance with the provisions of Organic Law 6/1985, of July 1, the procedural rules and, where appropriate, the Organic Statute of the Prosecutor's Office.

    3. In the absence of regulation of the exercise of these rights in said rules, the provisions of this Organic Law shall apply.

    Chapter IV Person responsible for the treatment and treatment manager

    Section 1 General Obligations

    Article 27 Obligations of the person responsible for the treatment

    1. The person in charge of the treatment, taking into consideration the nature, the scope, the context and the purposes of the treatment, as well as the risk levels for the rights and freedoms of natural persons, will apply the appropriate technical and organizational measures to ensure that the treatment is carried out in accordance with this Organic Law and with the provisions of sectoral legislation and its implementing rules. Such measures will be reviewed and updated when necessary.

    2. Among the measures mentioned in the previous section, the application of the appropriate data protection policies will be included, when proportionate in relation to the treatment activities.

    Article 28 Data protection by design and by default

    1. At the time of determining the means for treatment, as well as at the time of treatment itself, the technical and organizational measures that are appropriate according to the state of the art and the cost of application, the nature, the scope, the context and the purposes of treatment and the risks to the rights and freedoms of natural persons will be applied. The objective will be to safeguard the principles of data protection effectively, while integrating the necessary guarantees into the treatment. Among these technical measures, the pseudonymization of personal data may be adopted in order to contribute to the application of the principles established in this Organic Law, in particular, the minimization of personal data.

    2. In addition, technical and organizational measures must ensure that, by default, only the personal data necessary for each of the specific purposes of the treatment are treated. This obligation will apply to the amount of personal data collected, the extent of their treatment, their conservation period and their accessibility.

    Such measures will guarantee that, by default, personal data are not accessible to an indeterminate number of people without human intervention.

    Article 29 Cases of joint responsibility for the treatment

    1. When two or more persons responsible for the treatment jointly determine the objectives and the means of treatment, they will be considered jointly responsible for the treatment.

    2. Unless the responsibilities have been provided for by European Union law or by Spanish legislation, those jointly responsible for the treatment will establish, transparently and by mutual agreement, through the appropriate instrument, their respective responsibilities in complying with this Organic Law, in particular with regard to the exercise of the rights of the interested party and their respective obligations in providing the information contemplated in Article 21.

    The aforementioned agreement will designate the point of contact for interested parties, unless it is legally determined.

    The specification of the responsibilities will be carried out according to the activities that each of those jointly responsible for the treatment effectively carries out.

    Article 30 Treatment Manager

    1. When a treatment operation is to be carried out on behalf of a person responsible for the treatment, he will only resort to managers who offer sufficient guarantees to apply appropriate technical and organizational measures, so that the treatment is in accordance with the requirements of this Organic Law and guarantees the protection of the rights of the interested party.

    The treatment manager may be a natural or legal person, of a private or public nature.

    2. The treatment manager will not resort to another manager without the prior written authorization of the person responsible for the treatment. The manager will always inform the person responsible of any planned change referring to the addition or replace.

    3. Treatment by a manager will be governed by a contract, agreement or other appropriate legal instrument, in writing, including the possibility of electronic format, concluded in accordance with European Union law or Spanish legislation. Said legal instrument will bind the manager to the person responsible and set out the object and duration of the treatment, its nature and purpose, the type of personal data and categories of interested parties, as well as the obligations and rights of the person responsible.

    The legal instrument will stipulate, in particular, that the treatment manager must:

    4. If a treatment manager determines the purposes and means of said treatment, in breach of this Organic Law, he will be considered responsible for that treatment.

    5. The treatment manager will be governed, in matters not provided for by this Organic Law, by the provisions of Organic Law 3/2018, of December 5.

    Article 31 Treatment under the authority of the person in charge or the treatment manager

    The person in charge of the treatment, as well as anyone who acts under the authority of the person responsible or the person in charge of the treatment and has access to personal data, may only submit them to treatment following instructions from the person responsible for the treatment, unless they are obliged to do so by European Union law or by Spanish legislation.

    Article 32 Records of treatment activities

    1. Each person in charge must retain a record of all personal data processing activities under their responsibility. Said record must contain the following information:

    2. Each treatment manager will keep a record of all personal data processing activities on behalf of a person in charge. This record will contain the following information:

    3. The records referred to in this article will be established and carried out in writing, including the possibility of electronic format.

    These records will be available to the competent data protection authority, at its request, in accordance with the legally established provisions.

    4. Those responsible for the treatments will register their treatment activities, accessible by electronic means, which will record the information referred to in section 1.

    Article 33 Operations Registry

    1. Those responsible and in charge of the treatment must maintain records of at least the following treatment operations in automated treatment systems: collection, alteration, consultation, communication, including transfers, and combination or suppression. The consultation and communication records will make it possible said personal data.

    2. These records will be used only for the purpose of verifying the legality of treatment, controlling compliance with the measures and data protection policies and guaranteeing the integrity and security of personal data in the field of criminal processes.

    These records will be available to the competent data protection authority at its request, in accordance with the legally established provisions.

    Article 34 Cooperation with data protection authorities

    The person responsible and the person in charge of the treatment will cooperate with the competent data protection authority, within the framework of current legislation, when it so requests in the performance of its functions.

    Article 35 Evaluation of impact related to data protection

    1. When it is likely that a type of treatment, in particular if it uses new technologies, entails, due to its nature, scope, context or purposes, a high risk to the rights and freedoms of natural persons, the person responsible for the treatment will carry out, beforehand, an evaluation of the impact of the planned treatment operations on the protection of personal data.

    2. The evaluation will include, at least, a general description of the planned treatment operations, a risk assessment for the rights and freedoms of the interested parties, the measures contemplated to deal with these risks, as well as the security measures and mechanisms intended to guarantee the protection of personal data and to demonstrate conformity with this Organic Law. This evaluation will take into account the legitimate rights and interests of the interested parties and other people affected.

    3. The data protection authorities may establish a list of treatments that are subject to an impact assessment in accordance with the provisions of the previous section and, in the same way, they may establish a list of treatments that are not subject to this obligation. Both lists will be purely indicative.

    Article 36 Prior consultation of the data protection authority

    1. The person responsible or the person in charge of the treatment will consult the data protection authority before proceeding to the processing of personal data that will be part of a new file, in any of the following circumstances:

    2. The corresponding data protection authority may establish an indicative list of treatment operations subject to prior consultation, in accordance with the provisions of the previous section.

    3. The person in charge of the treatment will provide the competent data protection authority with the impact assessment contemplated in article 35 and, upon request, any additional information that allows said data protection authority to evaluate the compliance of the treatment and, more specifically, the level of risk for the protection of the personal data of the interested party and the corresponding guarantees.

    4. When the data protection authority considers that the treatment provided for in section 1 could violate the provisions of this Organic Law, it must, within six weeks from the request for consultation, advise in writing the person responsible for the treatment and, where appropriate, the person in charge of the treatment, especially when the person responsible for the treatment has not sufficiently identified or mitigated the danger or level of risk. Likewise, the data protection authority may exercise any of its investigation, correction or consultation powers.

    This period may be extended for a month, depending on the complexity of the planned treatment. The data protection authority will inform the person responsible and, where appropriate, the person in charge of the extension, within one month from the reception of the request for consultation, together with the reasons for the delay.

    If the consultation is not answered within the period provided, no presumption of a favorable response will apply.

    Section 2 Security of personal data

    Article 37 Treatment Security

    1. The person responsible and the person in charge of the treatment, taking into account the state of the art and the costs of application, and the nature, scope, context and purposes of the treatment, as well as the risk levels for the rights and freedoms of natural persons, will apply appropriate technical and organizational measures to guarantee an adequate level of security, especially in relation to the processing of the categories of personal data referred to in article 13. In particular, the measures included in the National Security Scheme must be applied to personal data treatments.

    2. With regard to automated treatment, the person in charge of the treatment, following a risk assessment, will put into practice control measures with the following purpose:

    Article 38 Notification to the Data Protection Authority of a Personal Data Security Violation

    1. Any violation of the security of personal data will be notified by the person responsible for the treatment to the competent data protection authority, unless it is unlikely that the violation of the security of personal data constitutes a danger to the rights and freedoms of natural persons.

    The notification must be made within seventy-two hours of the moment at which the violation has been recorded. Otherwise, it must be accompanied by the reasons for the delay.

    2. The treatment manager will notify the person responsible for the treatment, without undue delay, of the violations of the security of personal data of which it has knowledge.

    3. The notification contemplated in section 1 must at least:

    4. If it is not possible to provide the information simultaneously, it may be provided progressively, as it becomes available.

    5. The person responsible for the treatment will document any violation of the security of personal data, including the facts related to said violation, its effects and the corrective measures adopted.

    This documentation will be available to the competent data protection authority in order to verify compliance with the provisions of this article.

    6. When the violation of the security of personal data affects data that have been transmitted by or to the person responsible for the treatment of another Member State of the European Union, the information referred to in section 3 will be communicated to the person responsible for the treatment of said State.

    7. All activities related to this article will be carried out without undue delay.

    Article 39 Communication of a violation of the security of personal data to the interested party

    1. When there are indications that a violation of the security of personal data would mean a high risk to the rights and freedoms of natural persons, the person responsible for the treatment will communicate the violation of the security of personal data to the interested party without undue delay.

    2. The communication to the interested party will describe, in clear, simple language that is accessible according to their circumstances and capacities, the nature of the violation of the security of personal data and will contain, at least, the information and measures referred to in article 38.3.b), c) and d).

    3. The communication to the interested party provided for in section 1 will not be made when any of the following conditions are met:

    4. In the event that the person responsible for the treatment has not communicated the violation of the security of personal data to the interested party, the competent data protection authority, once it has assessed the existence of a high level of risk, may require that person to proceed with said communication, or may determine that any of the conditions provided for in section 3 are met.

    5. The communication to the interested party referred to in section 1 may be postponed, limited or omitted subject to the conditions and for the reasons provided for in article 24.

    Section 3 Data Protection Delegate

    Article 40 Appointment of the Data Protection Delegate

    1. Those responsible for the treatment will designate, in any case, a data protection delegate. The jurisdictional bodies or the Fiscal Ministry will not be obliged to designate it when the processing of personal data is carried out in the exercise of their jurisdictional functions.

    2. The Data Protection Delegate will be designated according to their professional qualities. Specifically, account will be taken of their specialized knowledge of legislation, their experience in data protection and their ability to perform the functions referred to in article 42. In the case of having appointed a data protection delegate under the General Data Protection Regulation, this will be the one that will assume the functions of the data protection delegate provided for in this Organic Law.

    3. A single data protection delegate may be designated for several competent authorities, taking into account the organizational structure and size of these.

    4. Those responsible for the treatment will publish the contact data of the data protection delegate and communicate their designation and cessation to the competent data protection authority within ten days of its occurrence.

    Article 41 Position of the Data Protection Delegate

    1. The person in charge of the treatment will ensure that the data protection delegate participates properly and in a timely manner in all issues related to the protection of personal data, while ensuring that the delegate maintains their specialized knowledge, has the necessary resources for the performance of their functions and has access to personal data and treatment operations.

    2. The Data Protection Delegate may not be removed or sanctioned by the person responsible or the person in charge for performing their functions, unless they commit fraud or serious negligence in their exercise. The independence of the Data Protection Delegate within the organization will be guaranteed, and any conflict of interest must be avoided.

    3. In the exercise of their functions, the data protection delegate will have access to personal data and treatment processes. The existence of any duty of confidentiality or secrecy will not allow the person responsible or the person in charge of the treatment to oppose said access.

    4. When the Data Protection Delegate identifies a relevant violation in the field of data protection, they will immediately communicate it to the management bodies of the person in charge or the treatment manager.

    Article 42 Functions of the Data Protection Delegate

    The person in charge of the treatment will entrust the data protection delegate, at least, the following functions:

    Chapter V Transfers of personal data to third countries that are not members of the European Union or to international organizations

    Article 43 General principles of personal data transfers

    1. In order to guarantee the level of protection of natural persons provided for in this Organic Law, any transfer of personal data carried out by the Spanish competent authorities to a State that is not a member of the European Union or to an international organization, including onward transfers to another State that does not belong to the European Union or to another international organization, must meet the following conditions:

    2. Personal data transfers by Spanish authorities without prior authorization from another Member State, in accordance with paragraph 1.c), will only be allowed if the transfer of personal data is necessary to prevent an immediate and serious threat to public security, both of a Member State of the European Union and of a State not belonging to it, or to the fundamental interests of a Member State of the European Union, and when prior authorization cannot be obtained in due time.

    The Spanish authorities will inform the authority responsible for granting prior authorization, and in any case within a maximum period of ten days from the time the transfer has occurred.

    3. The establishment of international cooperation and mutual assistance mechanisms will be fostered, and the exchange of regulations and good practices with States that are not members of the European Union and with international organizations will be promoted, for the effective application of the legislation on the protection of personal data, including in the resolution of jurisdictional conflicts, seeking the participation of all interested parties.

    Article 44 Transfers based on an adequacy decision

    1. When the European Commission, through an adequacy decision, has decided that a State that is not a member of the European Union, a territory or one or more specific sectors of said State, or the international organization in question, guarantees an adequate level of protection, personal data transfers to that State or international organization may be carried out. These transfers will not require any specific authorization.

    2. Any decision of the European Commission determining that a State that is not a member of the European Union, a territory or one or more specific sectors of said State, or an international organization has ceased to guarantee an adequate level of protection will be understood without prejudice to personal data transfers to said State, territory or sector thereof or to the international organization in question, by virtue of articles 45 and 46.

    Article 45 Transfers through appropriate guarantees

    1. In the absence of an adequacy decision of the European Commission in accordance with article 44, personal data transfers to a State that is not a member of the European Union or to an international organization may be made when any of the following circumstances applies:

    2. The person in charge of the treatment will inform the competent data protection authority about the categories of transfers under paragraph 1.b).

    3. When transfers are based on the provisions of paragraph 1.b), they must be documented. The documentation will be made available to the competent data protection authority, upon request, including the following information: date, time of transfer, information on the competent authority, justification of the transfer and personal data transferred.

    Article 46 Exceptions for specific situations

    1. In the absence of an adequacy decision of the European Commission or of appropriate guarantees according to articles 44 and 45, personal data transfers to a State that is not a member of the European Union or to an international organization may be made when the transfer is necessary because any of the following circumstances applies:

    2. Personal data will not be transferred if the competent authority for the transfer determines that the fundamental rights and freedoms of the interested party prevail over the public interest in the transfer established in letters d) and e) of the previous section.

    3. Transfers based on the provisions of this article must be documented. This documentation will be available to the competent data protection authority, including the date and time of transfer, information on the competent authority, the justification of the transfer and the personal data transferred.

    Article 47 Direct transfers of personal data to recipients, which are not competent authorities, established in states not belonging to the European Union

    1. Exceptionally, in particular and specific cases and without prejudice to the existence of an international agreement between Spain and a State that is not a member of the European Union in the field of criminal judicial cooperation or police cooperation, the Spanish competent authorities may transfer personal data directly to recipients who do not have the status of competent authority, established in States that are not members of the European Union, provided that the provisions of this Organic Law are complied with and all the following conditions are satisfied:

    2. The competent authority that makes the transfer will inform the competent data protection authority about the transfers made according to this article.

    3. Transfers based on the provisions of this article must be documented.

    Chapter VI Independent Data Protection Authorities

    Article 48 Data Protection Authorities

    For the purposes of this Organic Law, the following are independent data protection authorities:

    Said authorities will be governed by this Organic Law with respect to the treatments subject to it, in accordance with the principles of institutional cooperation, coordination of criteria and mutual information, and by the provisions of Title VII of Organic Law 3/2018, of December 5, and of their founding rules, as well as by the provisions of their implementing rules.

    The Spanish data protection agency will act as representative of the data protection authorities in the European Data Protection Committee.

    Article 49 Functions

    1. The data protection authorities will exercise, regarding the treatments submitted to this Organic Law, the following functions:

    2. Data protection authorities will take measures aimed at facilitating the formulation of the claims included in paragraph 1.f), such as providing forms that can be completed electronically, without excluding other means.

    3. The performance of the functions of the control authorities will not imply any cost for the interested party or for the data protection delegate.

    4. When applications are manifestly unfounded or excessive, especially due to their repetitive character, the data protection authority may refuse to act with respect to the application. The burden of demonstrating the manifestly unfounded or excessive nature of the application will fall on the data protection authority.

    Article 50 Powers

    The data protection authorities will have attributed, within the scope of this Organic Law, the following powers:

    Article 51 Assistance between data protection authorities of the Member States of the European Union

    1. The Spanish data protection authorities will provide the necessary assistance and cooperation to the data protection authorities of other Member States of the European Union, and must respond to their requests without undue delay and, in any case, within a maximum period of one month from receipt. Mutual assistance will cover, in particular, requests for information and control measures, as well as requests to carry out consultations, inspections and investigations.

    2. Spanish data protection authorities may request, in the exercise of their functions, the assistance and cooperation of the data protection authorities of other Member States of the European Union.

    Applications must contain all the necessary information for their answer, including the reasons and purpose of the application. The exchanged information will be used only for the purpose for which it has been requested.

    3. The answers of the Spanish data protection authorities must indicate the results obtained or the measures taken based on the request received. These answers will be sent in electronic format, as far as possible.

    4. A request for assistance from a data protection authority of a Member State of the European Union may only be refused, with reasons, when the Spanish data protection authority is not competent with respect to the object or the requested measures, or when attending to the request would violate Spanish legislation or European Union law. Where applicable, information will be given on the restriction of the rights of the interested party adopted pursuant to article 24.

    5. The measures adopted on the occasion of a request for mutual assistance will be free of charge, notwithstanding that in exceptional circumstances compensation may be agreed for specific expenses derived from the provision of assistance.

    Chapter VII Claims

    Article 52 Regime applicable to procedures conducted before the data protection authorities

    1. Where interested parties consider that the treatment of personal data has infringed the provisions of this Organic Law, or that their request to exercise the rights recognized in articles 21, 22 and 23 has not been attended to, they will have the right to file a claim with the data protection authority.

    2. Said claims will be processed by the competent data protection authority subject to the procedure established in Title VIII of Organic Law 3/2018, of December 5, and, where appropriate, to the applicable legislation of the Autonomous Communities. The general rules on administrative procedures and the legal regime of the public sector will apply on a subsidiary basis.

    3. In the event that the action comes from a judicial body or the Fiscal Ministry when treatment is carried out for jurisdictional purposes, the responsibility will be governed by the provisions of Title V of Book III of Organic Law 6/1985, of July 1, of the Judiciary.

    4. Without prejudice to the provisions of article 55, every interested party will have the right to file a contentious-administrative appeal, in accordance with its governing regulations, in case the competent data protection authority does not issue an express resolution and notify it within the period of three months.

    Article 53 Right to compensation for public sector entities

    1. Those interested will have the right to be compensated by the person responsible for the treatment, or by the person in charge of the treatment when they are part of the public sector, in the event that they suffer damage or injury to their property or rights as a consequence of the breach of the provisions of this Organic Law.

    2. When the party that breaches the provisions of this Organic Law has the status of public administration, liability will be required in accordance with the legislation governing the patrimonial responsibility regime provided for in the regulations on the common administrative procedure of public administrations and on the legal regime of the public sector.

    3. In the event that the action comes from a judicial body or the Fiscal Ministry when treatment is carried out for jurisdictional purposes, the responsibility will be governed by the provisions of Title V of Book III of Organic Law 6/1985, of July 1, of the Judiciary.

    Article 54 Right to compensation for the treatment of the private sector

    1. Those interested who suffer damage or injury in their assets or rights by the person in charge of the treatment that is not part of the public sector, as a result of breach of the provisions of this Organic Law, will have the right to be compensated.

    2. The treatment manager will be obliged to compensate all the damages caused to interested parties or third parties as a result of the data treatments provided for in the contract or other legal instrument or act signed with the person responsible for the treatment according to article 30, in accordance with the contractor's responsibility regime for damages caused to third parties regulated in public sector contracts regulations.

    3. When such damages have been caused as an immediate and direct consequence of an order of the competent authority responsible for the treatment, the latter will be responsible.

    4. Those interested or third parties may, within the year following the occurrence of the event, require the person responsible for the treatment to determine, once the person in charge of the treatment has been heard, which of the contracting parties, or of the parties to the legal act in accordance with article 30, bears responsibility for the damages. The exercise of this faculty interrupts the prescription period of the action.

    5. Regardless of the provisions of the previous sections, the person in charge of the treatment that is not part of the public sector will answer for the damages it causes during data treatment operations. It must do so both with respect to the person responsible for the treatment and with respect to the interested party or third parties, for breaches of this Organic Law, for violations of legal or regulatory precepts, or for breach of the provisions contained in the contract or in another legal act signed. The person in charge of the treatment that is not part of the public sector must have incurred actions that are attributable to it, without prejudice to the application of the sanctioning regime, where appropriate.

    Article 55 Effective Judicial Guardianship

    1. Without prejudice to any other administrative appeal or claim, every natural or legal person will have the right to resort to the contentious-administrative jurisdiction, in accordance with its governing legislation, against acts and resolutions issued by the competent data protection authority.

    2. The interested party may confer their representation on a non-profit entity, organization or association that has been correctly constituted, whose statutory objectives are of public interest and which acts in the field of protection of the rights and freedoms of interested parties in the matter of protection of their personal data, to exercise the rights contemplated in the previous section.

    Chapter VIII Sanctioning regime

    Article 56 Responsible Subjects

    1. Responsibility for the infractions committed will fall directly on the obligated subjects who, by action or omission, carry out the conduct in which the infraction consists.

    2. The following are subject to the sanctioning regime:

    3. The sanctioning regime established in this chapter will not be applicable to the data protection delegate.

    Article 57 Concurrence of rules

    1. Acts that may be classified under two or more provisions of this or another Law, provided that they do not constitute infringements of the General Data Protection Regulation or of Organic Law 3/2018, of December 5, will be sanctioned observing the following rules:

    2. In the event that a single act constitutes two or more infractions, or when one of them is a necessary means of committing the other, the conduct will be sanctioned under the infraction that entails the greater sanction.

    Article 58 Very serious infractions

    The following are very serious infractions:

    Article 59 Serious infractions

    The following are serious infractions:

    Article 60 Minor infractions

    The following are minor infractions:

    Article 61 Legal Regime

    The exercise of the sanctioning power, which corresponds to the competent data protection authorities, will be governed by the provisions of this Chapter, by Titles VII and IX of Organic Law 3/2018, of December 5, and, insofar as they do not contradict them, on a supplementary basis, by the regulations on the common administrative procedure of public administrations and the legal regime of the public sector.

    Article 62 Sanctions

    By the commission of the infractions typified in this Organic Law, the following sanctions will be imposed:

    For the purposes of determining the amount of the sanction, the criteria established in article 83.2 of the General Data Protection Regulation and in article 76.2 of Organic Law 3/2018, of December 5, will be taken into account.

    Article 63 Prescription of infractions and sanctions

    1. Administrative infractions typified in this Organic Law will prescribe six months, two years or three years after having been committed, depending on whether they are minor, serious or very serious, respectively.

    The deadlines indicated in this Organic Law will be computed from the day the infraction has been committed. However, in cases of continued or permanent infractions, the deadlines will be computed from the moment the infringing behavior ended.

    The prescription will be interrupted by the initiation, with the knowledge of the interested party, of the sanctioning procedure, with the prescription period restarting if the sanctioning file is paralyzed for more than six months for reasons not attributable to the alleged offender.

    The prescription will also be interrupted as a result of the opening of a criminal judicial procedure, until the judicial authority communicates to the administrative body its completion.

    2. The sanctions imposed for very serious infractions will prescribe after three years, those imposed for serious infractions after two years, and those imposed for minor infractions after one year, computed from the day following that in which the resolution by administratively the one that imposes the sanction.

    The prescription will be interrupted by the initiation, with the knowledge of the interested party, of the execution procedure, with the period running again if it is paralyzed for more than six months for a cause not attributable to the offender.

    Article 64 Expiration of the procedure

    1. The procedure will expire six months from its initiation if the resolution has not been notified; nevertheless, possible stoppages for causes attributable to the interested party, or the suspension that should be agreed due to the existence of a judicial procedure, when there is identity of subject, fact and foundation, until the end of this, must be taken into account in the computation.

    2. The resolution declaring the expiration will be notified to the interested party and will end the procedure, without prejudice to the administration being able to agree on the initiation of a new procedure as long as the infraction has not prescribed. Expired procedures will not interrupt the prescription period.

    Article 65 Subsidiary nature of the sanctioning administrative procedure with respect to the criminal procedure

    1. Acts that have been criminally or administratively sanctioned may not be sanctioned when there is identity of subject, fact and foundation.

    2. In the cases in which the conduct could constitute a crime, the administrative body will refer the matter to the judicial authority or the Fiscal Ministry and will refrain from continuing the sanctioning procedure until the judicial authority issues a final sentence or a resolution that otherwise puts an end to the criminal procedure, or the Prosecutor's Office agrees on the inadmissibility of initiating or continuing the actions in criminal proceedings, the prescription period being interrupted until then.

    The Judicial Authority and the Prosecutor's Office will communicate to the administrative body the resolution or agreement they had adopted.

    3. If no criminal offence has been found to exist, or if a resolution of another type has been issued that ends the criminal procedure, the sanctioning procedure may begin or continue. In any case, the administrative body will be bound by the facts declared proven in court.

    4. The precautionary measures adopted before judicial intervention may be maintained as long as the judicial authority does not decide otherwise.

    ADDITIONAL PROVISIONS

    First Additional Provision Specific regimes

    1. The processing of personal data from images and sounds obtained through the use of cameras and video cameras by the Security Forces and Bodies, by the bodies competent for surveillance and control in prison centers, and for the control, regulation, surveillance and discipline of traffic, for the purposes provided for in Article 1, will be governed by this Organic Law, without prejudice to the requirements established in special legal regimes that regulate other specific areas such as criminal procedure, traffic regulation or the protection of one's own facilities.

    2. Outside these cases, such processing will be governed by its specific legislation and, on a supplementary basis, by Regulation (EU) 2016/679 and by Organic Law 3/2018, of December 5.

    Second Additional Provision Data exchange within the European Union

    The exchange of personal data by the competent Spanish authorities within the European Union, when European Union law or Spanish legislation requires such exchange, will not be limited or prohibited for reasons related to the protection of natural persons with regard to the processing of their personal data.

    Third Additional Provision International agreements in the field of judicial cooperation in criminal matters and police cooperation

    International agreements in the field of judicial cooperation in criminal matters and police cooperation that involve the transfer of personal data to States that are not members of the European Union or to international organizations, and that were concluded by Spain before May 6, 2016 in compliance with the European Union law applicable before that date, will remain in force until they are modified, amended or terminated.

    Fourth Additional Provision Files and Population Registry of Public Administrations

    1. The competent authorities may request from the National Institute of Statistics and the statistical bodies of regional scope, without the consent of the interested party, an updated copy of the file formed with the data of the identity document, name, surname, domicile, sex and date of birth that appear in the municipal register of inhabitants and in the electoral census corresponding to the territories where they exercise their powers. This request must state its grounds, based on any of the purposes of prevention, detection, investigation and prosecution of criminal offenses or execution of criminal sanctions, including protection and prevention against threats to public safety.

    2. The data obtained will have as their sole purpose the fulfillment of the purposes of prevention, detection, investigation and prosecution of criminal offenses or the execution of criminal sanctions, as well as protection and prevention against threats to public safety, and the communication of these authorities with the residents of the respective territories regarding the legal-administrative relations derived from their respective powers.

    Fifth Additional Provision Regulatory references

    References contained in current norms to the provisions that are expressly repealed must be understood as made to the articles of this Organic Law that regulate the same matter as those provisions.

    Single Transitional Provision Duration of the initial mandate of the head of the Directorate of Supervision and Control of Data Protection of the General Council of the Judiciary

    The duration of the mandate of the first appointment of the head of the Directorate of Supervision and Control of Data Protection of the General Council of the Judiciary will be three years, non-renewable.

    Single Repealing Provision Regulatory repeal

    All norms of equal or lower rank are repealed insofar as they contradict or oppose the provisions of this Organic Law.

    FINAL PROVISIONS

    First Final Provision Modification of Organic Law 1/1979, of September 26, General Penitentiary

    A new Article 15 bis is introduced into Organic Law 1/1979, of September 26, General Penitentiary, which is worded as follows:

    «Article 15 bis Processing of personal data

    1. Once an inmate has been admitted to the establishment, their personal identity will be verified by carrying out the alphabetical, fingerprint and photographic records, as well as the registration in the admissions book and the opening of a personal file regarding their procedural and penitentiary situation, in respect of which the right of access is recognized. This right will only be limited on an individualized basis and for specific reasons of security or treatment.

    2. The processing of the personal data of the inmates will be governed by the provisions of the Organic Law for the Protection of Person. Personal data of special categories that do not appear in the previous section can be processed with the consent of the interested party. This consent may only be dispensed with when strictly necessary and with the appropriate guarantees to protect the rights of the interested parties, according to the type of data processed and the purposes of the different processing operations aimed at the execution of the sentence.

    3. The inmate will also be body-searched and their belongings searched, and unauthorized equipment and objects will be removed.

    4. At the time of admission, the necessary personal hygiene measures will be adopted and the inmate will be given the appropriate clothing they require, signing for its receipt.»

    Second Final Provision Modification of Law 50/1981, of December 30, regulating the Organic Statute of the Prosecutor's Office

    Third Final Provision Modification of Organic Law 6/1985, of July 1, of the Judiciary

    The articles listed below are modified in the following terms:

    2. In the cases provided for in the previous section, the lawyer of the Administration of Justice will issue a certificate in which the following data will be recorded:

    By procedural order, the lawyer of the Administration of Justice will order its publication in the «Official State Gazette».

    3. The provisions of this article shall not apply where the convicted person or, where appropriate, the party civilly liable has paid, or deposited in the deposits and consignments account of the competent judicial body, the entire amount corresponding to the damage caused to the Public Treasury for all items, before the sentence becomes final.»

  • Four. Article 236 is worded as follows:

    «Article 236

    The publication of edicts will be carried out through the Single Judicial Edict Board, in the manner that is provided, including the data strictly necessary to fulfill its purpose.»

  • Five. Article 236 bis is worded as follows:

    «Article 236 bis

    1. The processing of personal data may be carried out for jurisdictional or non-jurisdictional purposes. Processing has jurisdictional purposes when it concerns data that are incorporated into proceedings whose purpose is the exercise of jurisdictional activity.

    2. The processing of personal data in the Administration of Justice will be carried out by the competent body and, within it, by whoever has that competence attributed by current regulations.»

  • Six. Article 236 ter is worded as follows:

    «Article 236 ter

    1. The processing of personal data carried out in the course of the handling by judicial bodies and prosecutors' offices of the proceedings for which they are competent, as well as that carried out within the management of the Judicial and Fiscal Office, will be governed by the provisions of Regulation (EU) 2016/679, Organic Law 3/2018 and its implementing regulations, without prejudice to the specialities established in this Chapter and in the procedural laws.

    2. In the field of criminal jurisdiction, the processing of personal data carried out in the course of the handling by judicial bodies and prosecutors' offices of the proceedings, actions or files for which they are competent, as well as that carried out within the management of the Judicial and Fiscal Office, will be governed by the provisions of the Organic Law for the Protection of PersonChapter and in the procedural laws and, where appropriate, in Law 50/1981, of December 30, which regulates the Organic Statute of the Prosecutor's Office.

    3. The consent of the interested party will not be necessary to proceed to the processFor the validity of the test.»

  • Seven. Article 236 quáter is worded as follows:

    «Article 236 quáter

    When processing is carried out for non-jurisdictional purposes, the provisions of Regulation (EU) 2016/679, Organic Law 3/2018 and its implementing regulations will apply.»

  • Eight. Article 236 quinquies is worded as follows:

    «Article 236 quinquies

    1. Resolutions and procedural actions must contain the personal data that are adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed, especially to guarantee the right to effective judicial protection, without defencelessness arising in any case.

    2. The judges and magistrates, the prosecutors and the lawyers of the Administration of Justice, in accordance with their powers, may take the necessary measures to remove personal data from the resolutions and documents that the parties can access during the proceedings, provided that those data are not necessary to guarantee the right to effective judicial protection, without defencelessness arising in any case.

    3. The personal data that the parties come to know through the proceedings must be processed by them in accordance with the general data protection regulations. This obligation also applies to the professionals who represent and assist the parties, as well as to anyone else taking part in the procedure.

    4. The data processed for jurisdictional purposes that are strictly necessary for the exercise of the inspection and control functions established in this law and its implementing regulations must be communicated, as appropriate, to the competent bodies dependent on the General Council of the Judiciary, the State Attorney General and the Ministry of Justice. Data processed for non-jurisdictional purposes must also be provided when this is justified by the filing of an appeal or is necessary for the exercise of the competences legally attributed to them.

    5. The communication offices established in this law, in the exercise of their institutional communication functions, must ensure respect for the fundamental right to the protection of personal data of those who have taken part in the procedure in question. To fulfill their purpose, they may collect the necessary data from the competent authorities.

    6. The lawyers of the Administration of Justice must provide the State Data, the information and documents that are required for the representation and defense of the Kingdom of Spain before the European Court of Human Rights and other international bodies in matters of human rights protection, particularly before the United Nations Committee. For this purpose, communication mechanisms with the State Attorney General's Office will also be established, through its competent units.»

  • Nine. Article 236 sexies is worded as follows:

    «Article 236 sexies

    1. The competent administration must supply the appropriate technological means to carry out the processing of personal data in accordance with legal and regulatory provisions.

    2. The competent administration must fulfil the responsibilities attributed to it, as the providing administration, in matters of personal data processing and protection.

    3. The appropriate organizational measures must be taken so that the Judicial and Fiscal Office processes personal data adequately. Following a report from the General Council of the Judiciary and, where appropriate, from the State Attorney General, the Ministry of Justice must prepare and update the codes of conduct aimed at contributing to the correct application of the personal data protection regulations in the Judicial and Fiscal Office, adapting the principles of the general regulations to those of the procedural regulation and organization of the Judicial and Fiscal Office.

    4. The Ministry of Justice and the Autonomous Communities with competences in the field, within the policies of support for the Administration of Justice and development of the electronic management of procedures, may carry out the processing of non-personal data for the exercise of their public management competences, including the development and implementation of automatic document classification systems oriented to procedural processing, in compliance with the interoperability, security and data protection regulations that are applicable.»

  • Ten. Article 236 septies is worded as follows:

    «Article 236 septies

    1. In relation to the processing of personal data for jurisdictional purposes, the rights of information, access, rectification, erasure, objection and restriction will be handled in accordance with the rules applicable to the proceedings in which the data were collected. These rights must be exercised before the judicial bodies, prosecutors' offices or Judicial Office handling the proceedings, and the requests must be resolved by whoever has the competence attributed in the organic and procedural regulations.

    2. In any case, access to data processed for jurisdictional purposes will be denied when the procedural actions in which the information was collected are or have been declared secret or reserved.

    3. In relation to the processing of personal data for non-jurisdictional purposes, the interested parties may exercise the rights of information, access, rectification, erasure, objection and restriction in the terms established in the general data protection regulations.»

  • Eleven. Article 236 octies is worded as follows:

    «Article 236 octies

    1. With regard to processing operations carried out for jurisdictional purposes by the courts, tribunals, prosecutors' offices and the Judicial and Fiscal Office, the following functions will correspond to the General Council of the Judiciary and the State Attorney General's Office, within the scope of their respective powers:

    2. Data processing for non-jurisdictional purposes will be subject to the competence of the Spanish Agency for Data Protection, which will also supervise compliance in respect of processing that does not fall within the competence of the authorities indicated in the previous section.

    3. The General Council of the Judiciary, the State Attorney General and the Spanish Agency for Data Protection will collaborate for the proper exercise of the respective powers that this Organic Law attributes to them in matters of personal data protection in the field of the Administration of Justice.

    4. When, in the course of investigative actions related to the possible commission of an infraction of the data protection regulations, the competent authorities referred to in the previous sections find indications that involve the competence of another authority, they will immediately refer the matter to the latter so that it may continue with the procedure.»

  • Twelve. Article 236 nonies is worded as follows:

    «Article 236 nonies

    1. The powers that correspond to the data protection authority for personal data processed for jurisdictional purposes will be exercised, with respect to the processing carried out by courts and tribunals in accordance with Article 236 octies, by the Directorate of Supervision and Control of Data Protection of the General Council of the Judiciary.

    2. The head of the Directorate of Supervision and Control of Data Protection will be appointed by an absolute majority of the Plenary of the General Council of the Judiciary from among jurists of recognized competence with at least fifteen years of professional practice and with accredited knowledge and experience in data protection.

    3. The duration of the mandate of the head of the Directorate of Supervision and Control of Data Protection will be five years, not renewable. During his term. The head may only be removed for incapacity or serious breach of duties, as assessed by the Plenary by absolute majority.

    4. The incompatibilities regime of the head of the Directorate of Supervision and Control of Data Protection will be the same as that established for the magistrates at the service of the technical bodies of the General Council of the Judiciary. The head of the Directorate of Supervision and Control of Data Protection must exercise their functions with absolute independence and neutrality.

    5. The head and the rest of the personnel assigned to the Directorate of Supervision and Control of Data Protection will be subject to the duty of professional secrecy, both during and after their mandate, in relation to the confidential information of which they have had knowledge in the fulfillment of their functions or the exercise of their powers. This duty of professional secrecy will apply in particular to the information provided by natural persons to the Directorate of Supervision and Control of Data Protection regarding infractions of this regulation.

    6. The composition, organization and operation of the Directorate of Supervision and Control of Data Protection will be regulated by regulation. The General Council of the Judiciary must ensure that the Directorate has, in any case, all the personnel and material means necessary for the proper exercise of its functions.»

  • Thirteen. Article 236 decies is worded as follows:

    «Article 236 decies

    1. The data processing carried out by the General Council of the Judiciary and the State Attorney General's Office in the exercise of their powers will be subject to the provisions of current legislation on personal data protection. Such processing will in no case be considered as carried out for jurisdictional purposes.

    2. The personal data processing operations of the General Council of the Judiciary and of its members will be authorized by agreement of the General Council of the Judiciary, at the proposal of the General Secretariat, which will have the status of controller with respect to them.

    3. The personal data processing of the State Attorney General will be authorized as determined by the Organic Statute of the Prosecutor's Office and the instructions issued in this regard.»

  • Fourteen. Ordinal 19.º of section 1 of Article 560 is worded as follows:

    «Article 560

    1.º (…)

    19.º In matters of personal data protection, it will exercise the functions defined in Article 236 octies.»

    Fourth Final Provision Modification of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights

    One. A new section 5 is included in Article 2 with the following wording:

    «Article 2

    5. The processing of data carried out in the course of the handling by the Prosecutor's Office of the proceedings for which it is competent, as well as that carried out for those purposes within the management of the Fiscal Office, will be governed by the provisions of Regulation (EU) 2016/679 and this Organic Law, without prejudice to the provisions of Law 50/1981, of December 30, regulating the Organic Statute of the Prosecutor's Office, Organic Law 6/1985, of July 1, of the Judiciary, and the procedural rules applicable to it.»

    Two. Section 3 of Article 44 is modified and is worded as follows:

    «Article 44

    3. The Spanish Agency for Data Protection, the General Council of the Judiciary and, where appropriate, the State Attorney General will collaborate for the proper exercise of the respective powers that Organic Law 6/1985, of July 1, of the Judiciary, attributes to them in matters of personal data protection in the field of the Administration of Justice.»

    Three. The fifteenth additional provision is modified and is worded as follows:

    «Fifteenth Additional Provision Request for information by the National Securities Market Commission

    When the information necessary to carry out their supervision and inspection work related to the detection of serious crimes, the National Securities Market Commission may collect from the operators that provide publicly available electronic communications services and from the providers of information society services the data in their possession relating to the electronic communication or information society service provided by those providers, which are different from its content and are essential for the exercise of those tasks.

    The transfer of these data will require prior judicial authorization granted in accordance with the procedural rules.»

    Fifth Final Provision Modification of Organic Law 1/2020, of September 16, on the use of passenger name record data for the prevention, detection, investigation and prosecution of terrorist offences and serious crimes

    Article 10 is modified and is worded as follows:

    «1. The times at which airlines must transmit PNR data to the UIP will be the following:

    Airlines may limit the transmission provided for in paragraph b) to updates of the information transmitted in accordance with paragraph a).

    2. The Air Navigation Service Provider in airspace under Spanish sovereignty will communicate to the UIP the changes of destination, as well as the unscheduled stopovers notified to it by the aircraft crew or by another Air Navigation Service Provider.

    3. In addition, when it is necessary to access PNR data to respond to a real and specific threat related to terrorist offences or serious crimes at times other than those provided for in section 1, all obliged subjects must, case by case, transmit those data to the UIP immediately upon receiving the request.»

    Sixth Final Provision Modification of Law 19/2007, of July 11, against violence, racism, xenophobia and intolerance in sport

    Article 30 is modified and is worded as follows:

    «Article 30 Sanctioning procedure

    1. The exercise of the sanctioning power referred to in this title will be governed by the provisions of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, Law 40/2015, of October 1, on the Legal Regime of the Public Sector, and their implementing provisions, without prejudice to the specialities regulated in this title.

    2. The procedure will expire six months after its initiation if the resolution has not been notified; the computation must, however, take into account any stoppages for causes attributable to the interested party, or the suspension that must be agreed owing to the existence of a judicial procedure, when there is identity of subject, fact and foundation, until that procedure ends.»

    Seventh Final Provision Modification of Law 5/2014, of April 4, on Private Security

    Article 69 is modified and is worded as follows:

    «Article 69 Legal Regime

    1. The exercise of the sanctioning power in matters of private security will be governed by the provisions of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, Law 40/2015, of October 1, on the Legal Regime of the Public Sector, and their implementing provisions, without prejudice to the specialities regulated in this title.

    2. The procedure will expire six months after its initiation if the resolution has not been notified; the computation must, however, take into account any stoppages for causes attributable to the interested party, or the suspension that must be agreed owing to the existence of a judicial procedure, when there is identity of subject, fact and foundation, until that procedure ends.

    3. Once the sanctioning procedure has been initiated, the body that ordered its initiation may adopt the precautionary measures necessary to guarantee its proper conduct, as well as to prevent the continuation of the infraction or to secure payment of the sanction, where it is pecuniary, and compliance with it in the other cases.

    4. These measures, which must be consistent with the nature of the alleged infraction and proportionate to its seriousness, may consist of:

    The indicated authorization and processing may also be suspended, until the process for crimes against said personnel ends.

    5. The precautionary measures provided for in paragraphs b) and c) of the previous section may not last more than one year.»

    Eighth Final Provision Modification of the consolidated text of the Law on Traffic, Circulation of Motor Vehicles and Road Safety, approved by Royal Legislative Decree 6/2015, of October 30

    Article 68 is modified and is worded as follows:

    «Article 68 Registrations

    1. To put into circulation motor vehicles, as well as trailers with a maximum authorized mass greater than that which is determined, it is necessary to register them and for them to carry registration plates with the characters assigned to them in the manner established. This obligation will apply to mopeds in the terms that are determined.

    2. The vehicles referred to. The deadlines, requirements and conditions for compliance with this obligation and possible exemptions from it will be established by regulation.

    3. The ordinary registration will be unique for each vehicle, except in the cases determined by regulation. When circumstances arise that may affect national security, the Secretary of State for Security may authorize a new registration different from the one initially assigned. This type of registration will not be public in the General Registry of Vehicles and, in exceptional circumstances, an assumed ownership may even be used within the framework of the actions of the Security Forces and Bodies and the National Intelligence Center in legal traffic.

    4. In justified cases, the authority competent to issue the circulation permit may grant temporary and provisional circulation permits in the terms determined by regulation.»

    Ninth Final Provision Nature of the law

    This law has the character of an Organic Law. However, the following have ordinary character:

    Tenth Final Provision Competence title

    This Organic Law is issued under rules 1.ª, 6.ª, 18.ª and 29.ª of Article 149.1 of the Constitution, which attribute to the State exclusive powers, respectively, for the regulation of the basic conditions that guarantee the equality of all Spaniards in the exercise of rights and in the fulfillment of constitutional duties; regarding the bases of the legal regime of public administrations, the common administrative procedure and the system of responsibility of all public administrations; on criminal, penitentiary and procedural legislation; and in matters of public safety.

    Eleventh Final Provision Incorporation of European Union law

    This Organic Law incorporates into the Spanish legal system Directive (EU) 2016/680 of the European Parliament and of the Council, of April 27, 2016, on the protection of natural persons with regard to the processing of personal data by competent authorities for the purposes of the prevention, detection, investigation and prosecution of criminal offences or the execution of criminal sanctions, and on the free movement of such data, and repealing Council Framework Decision 2008/977/JHA.

    Twelfth Final Provision Entry into force

    This Organic Law will enter into force twenty days after its publication in the «Official State Gazette».

    However, the provisions contained in Chapter IV will take effect six months after the entry into force of the Organic Law.

    Therefore,

    I command all Spaniards, individuals and authorities, to observe and ensure the observance of this Organic Law.