Tag Archives: personal data

Exam scripts are partly personal data and other practical findings of the CJEU in Nowak

Posted on December 31, 2017 | 1 comment

The Court of Justice of the European Union (CJEU) gave its judgment in Case C-434/16 Nowak on 20 December 2017, and it is significant from several points of view:

It provides a good summarized description of what constitutes “personal data”, referring to both objective and subjective information, regardless of its sensitivity, and it also details what the “related to” criterion from the legal definition of personal data means;
It *almost* departs from its YS jurisprudence on the concept of personal data;
It applies the interpretation that the Article 29 Working Party gave to the “related to” criterion in its Opinion on personal data from 2007, highlighting thus the weight that the interpretation of data protection law given by the European DPAs might have;
It establishes that written answers submitted by a candidate during an exam are personal data of the candidate (this is relevant for all education services providers);
It also establishes that the questions of the exam do not fall in the category of “personal data” – hence, not the entire exam script is considered personal data, but only the answers submitted by the candidate;
It establishes that the comments reviewers make on the margins of one’s written answers to an exam are personal data of the person being examined, while also being personal data of the reviewer;
It establishes that exam scripts should only be kept in an identifiable form only as long as they can be challenged.

This comment looks closer at all of these findings.

Facts of the Case

Mr Nowak was a trainee accountant who requested access to his exam script from the Institute of Chartered Accountants of Ireland (CAI), after failing the examination. He first challenged the results of the exam with no success. He then submitted a subject access request to the CAI, asking to receive a copy of all his personal data held by the CAI. He obtained 17 documents, but the exam script was not among them.

Mr Nowak brought this to the attention of the Irish Data Protection Commissioner (DPC) through an email, arguing that his exam script was also his personal data. The DPC answered by email that exam scripts “would not generally constitute personal data”. Mr Nowak submitted then a formal complaint with the DPC against the CAI. The official response of the DPC was to reject the complaint on the ground that it is “frivolous or vexatious” (the same reason used to reject the first complaint of Max Schrems challenging the EU-US Safe Harbor scheme).

Mr Nowak then challenged this decision of the Irish DPC in front of the Circuit Court, then the High Court and then the Court of Appeal, which all decided against him. Finally, he challenged the decision of the Court of Appeal at the Supreme Court who decided to stay proceedings and send questions for a preliminary ruling to the CJEU, since the case required interpretation of EU law – in particular, how should the concept of “personal data” as provided for by EU Directive 95/46 be interpreted (a small procedural reminder here: Courts of last instance are under an obligation to send questions for a preliminary ruling to the CJEU in all cases that require the interpretation of EU law, per Article 267 TFEU last paragraph).

Questions referred

The Supreme Court asked the CJEU two questions (in summary):

Is information recorded in/as answers given by an exam candidate capable of being personal data?
If this is the case, then what factors are relevant in determining whether in a given case such information is personal data?

Pseudonymised data is personal data

First, recalling its Breyer jurisprudence, the Court establishes that, for information to be treated as personal data, it is of no relevance whether all the information enabling the identification of the data subject is in the hands of one person or whether the identifiers are separated (§31). In this particular case, it is not relevant “whether the examiner can or cannot identify the candidate at the time when he/she is correcting and marking the examination script” (§30).

The Court then looks at the definition of personal data from Directive 95/46, underlying that it has two elements: “any information” and “related to an identified or identifiable natural person”.

“Any information” means literally any information, be it objective or subjective

The Court recalls that the scope of Directive 95/46 is “very wide and the personal data covered … is varied” (§33).

“The use of the expression ‘any information’ in the definition of the concept of ‘personal data’ … reflects the aim of the EU legislature to assign a wide scope to that concept, which is not restricted to information that is sensitive or private, but potentially encompasses all kinds of information, not only objective but also subjective, in the form of opinions and assessments, provided that it ‘relates’ to the data subject.” (§34)

Save this paragraph, as it is a new jurisprudential source of describing what constitutes personal data – it is certainly a good summary, in line with the Court’s previous case-law (see an excellent overview of the Court’s approach to the definition of personal data here, p. 40 – 41). It makes clear that, for instance, comments on social media, reviews of products/companies, ratings and any other subjective assessments are personal data, as long as they relate to an identified or identifiable individual. This is also true for any sort of objective information (think shoe number), regardless of whether it is sensitive or private, as long as it relates to an identified or identifiable individual.

“Related to” must be judged in relation to “content, purpose or effect/consequences”

The condition for any information to be considered personal data is that it relates to a natural person. According to the Court, this means that “by reason of its content, purpose or effect, (it) is linked to a particular person” (§35). The Court thus applies the test developed by the Article 29 Working Party in its 2007 Opinion on the concept of personal data. Ten years ago, the DPAs wrote that “in order to consider that the data ‘relate’ to an individual, a ‘content’ element OR a ‘purpose’ element OR a ‘result’ element should be present” (2007 Opinion, p. 10).

The Court now adopted this test in its case-law, giving an indication of how important the common interpretation given by data protection authorities in official guidance is. However, the Court does not directly refer to the Opinion.

Applying the test to the facts of the case, the Court showed that the content of exam answers “reflects the extent of the candidate’s knowledge and competence in a given field and, in some cases, his intellect, thought processes, and judgment” (§37). Additionally, following AG Kokott’s Opinion, the Court also pointed out that “in the case of a handwritten script, the answers contain, in addition, information as to his handwriting” (§37).

The purpose of the answers is “to evaluate the candidate’s professional abilities and his suitability to practice the profession concerned” (§38) and the consequence of the answers “is liable to have an effect on his or her rights and interests, in that it may determine or influence, for example, the chance of entering the profession aspired to or of obtaining the post sought” (§39).

Comments of reviewers are two times personal data

The test is then applied to the comments of reviewers on the margin of a candidate’s answers. The Court showed that “The content of those comments reflects the opinion or the assessment of the examiner of the individual performance of the candidate in the examination, particularly of his or her knowledge and competences in the field concerned. The purpose of those comments is, moreover, precisely to record the evaluation by the examiner of the candidate’s performance, and those comments are liable to have effects for the candidate” (§43).

It is important to note here that complying with only one of the three criteria (content, purpose, effects) is enough to qualify information as “relating to” an individuals, even if the Court found in this particular case that all of them are met. This is shown by the us of “or” in the enumeration made in §35, as shown above.

The Court also found that “the same information may relate to a number of individuals and may constitute for each of them, provided that those persons are identified or identifiable, personal data” (§45), having regard to the fact that the comments of the examiners are personal data of both the examiners and the “examinee”.

Information can be Personal data regardless of whether one is able to rectify it or not

It was the Irish DPC that argued that qualifying information as “personal data” should be affected by the fact that the consequence of that classification is, in principle, that the candidate has rights of access and rectification (§46). The logic here was that if data cannot be rectified, it cannot be considered personal – just as exam answers cannot be rectified after the exam finished.

The Court (rightfully so) disagreed with this claim, following the opinion of the Advocate General and contradicting its own findings in Case C-141/12 YS (see a more detailed analysis of the interaction between the two judgments below). It argued that “a number of principles and safeguards, provided for by Directive 95/46, are attached to that classification and follow from that classification” (§47), meaning that protecting personal data goes far beyond the ability to access and rectify your data. This finding is followed by a summary of the fundamental mechanisms encompassed by data protection.

Data protection is a web of safeguards, accountability and individual rights

Starting from recital 25 of Directive 95/46 (yet again, how important recitals are! Think here of Recital 4 of the GDPR and the role it can play in future cases – “The processing of personal data should be designed to serve mankind”), the Court stated that:

“…the principles of protection provided for by that directive are reflected, on the one hand, in the obligations imposed on those responsible for processing data, obligations which concern in particular data quality, technical security, notification to the supervisory authority, and the circumstances under which processing can be carried out, and, on the other hand, in the rights conferred on individuals, the data on whom are the subject of processing, to be informed that processing is taking place, to consult the data, to request corrections and even to object to processing in certain circumstances” (§48).

The Court thus looks at data protection as a web of accountability, safeguards (reflected in technical security measures, data quality, conditions for lawful processing data) and rights conferred to the individuals.

In this case, not considering exam answers personal data just because they cannot be “corrected” after the exam would strip this information from the other web of protections, such as being processed on a legitimate ground, being retained only for the necessary period of time and so on. The Court does not phrase this finding this way, but it states that:

“Accordingly, if information relating to a candidate, contained in his or her answers submitted at a professional examination and in the comments made by the examiner with respect to those answers, were not to be classified as ‘personal data’, that would have the effect of entirely excluding that information from the obligation to comply not only with the principles and safeguards that must be observed in the area of personal data protection, and, in particular, the principles relating to the quality of such data and the criteria for making data processing legitimate, established in Articles 6 and 7 of Directive 95/46, but also with the rights of access, rectification and objection of the data subject, provided for in Articles 12 and 14 of that directive, and with the supervision exercised by the supervisory authority under Article 28 of that directive” (§49).

Furthermore, the Court shows that errors in the answers given to an exam do not constitute “inaccuracy” of personal data, because the level of knowledge of a candidate is revealed precisely by the errors in his or her answers, and revealing the level of knowledge is the purpose of this particular data processing. As the Court explains, “[i]t is apparent from Article 6(1)(d) of Directive 95/46 that the assessment of whether personal data is accurate and complete must be made in the light of the purpose for which that data was collected” (§53).

Exam scripts should only be kept in an identifiable form as long as they can be challenged

The Court further explained that both exam answers and reviewers’ comments can nevertheless be subject to “inaccuracy” in a data protection sense, “for example due to the fact that, by mistake, the examination scripts were mixed up in such a way that the answers of another candidate were ascribed to the candidate concerned, or that some of the cover sheets containing the answers of that candidate are lost, so that those answers are incomplete, or that any comments made by an examiner do not accurately record the examiner’s evaluation of the answers of the candidate concerned” (§54).

Also, the Court also admitted the possibility that “a candidate may, under Article 12(b) of Directive 95/46, have the right to ask the data controller to ensure that his examination answers and the examiner’s comments with respect to them are, after a certain period of time, erased, that is to say, destroyed” (§55).

Another finding of the Court that will be useful to schools, universities and other educational institutions is that keeping exam scripts related to an identifiable individual is not necessary anymore after the examination procedure is closed and can no longer be challenged: “Taking into consideration the purpose of the answers submitted by an examination candidate and of the examiner’s comments with respect to those answers, their retention in a form permitting the identification of the candidate is, a priori, no longer necessary as soon as the examination procedure is finally closed and can no longer be challenged, so that those answers and comments have lost any probative value” (§55).

The Court distances itself from the findings in C-141/12 YS, but still wants to keep that jurisprudence alive

One of the biggest questions surrounding the judgment in Nowak was whether the Court will follow AG’s Opinion and change it’s jurisprudence from C-141/12 YS. In that judgment, the Court found that the legal analysis used by the Dutch Ministry of Immigration in a specific case of asylum seekers is not personal data, and the main reason invoked was that “[i]n contrast to the data relating to the applicant for a residence permit which is in the minute and which may constitute the factual basis of the legal analysis contained therein, such an analysis … is not in itself liable to be the subject of a check of its accuracy by that applicant and a rectification under Article 12(b) of Directive 95/46” (§45).

The Court further noted: “In those circumstances, extending the right of access of the applicant for a residence permit to that legal analysis would not in fact serve the directive’s purpose of guaranteeing the protection of the applicant’s right to privacy with regard to the processing of data relating to him, but would serve the purpose of guaranteeing him a right of access to administrative documents, which is not however covered by Directive 95/46.” Finally, the finding was that “[i]t follows from all the foregoing considerations … that the data relating to the applicant for a residence permit contained in the minute and, where relevant, the data in the legal analysis contained in the minute are ‘personal data’ within the meaning of that provision, whereas, by contrast, that analysis cannot in itself be so classified” (§48).

Essentially, in YS the Court linked the ability of accessing and correcting personal data with the classification of information as personal data, finding that if the information cannot be corrected, then it cannot be accessed and it cannot be classified as personal data.

By contrast, following AG Kokott’s analysis, in Nowak the Court essentially states that classifying information as personal data must not be affected by the existence of the rights to access and rectification – in the sense that the possibility to effectively invoke them should not play a role in establishing that certain information is or is not personal data: “the question whether written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers should be classified as personal data cannot be affected … by the fact that the consequence of that classification is, in principle, that the candidate has rights of access and rectification, pursuant to Article 12(a) and (b) of Directive 95/46” (§46).

However, the Court is certainly not ready to fully change its jurisprudence established in YS, and even refers to its judgment in YS in a couple of paragraphs. In the last paragraphs of Nowak, the Court links the ability to correct or erase data to the existence of the right of accessing that data (but not to classifying information as personal data).

The Court states that: “In so far as the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers are therefore liable to be checked for, in particular, their accuracy and the need for their retention… and may be subject to rectification or erasure…, the Court must hold that to give a candidate a right of access to those answers and to those comments… serves the purpose of that directive of guaranteeing the protection of that candidate’s right to privacy with regard to the processing of data relating to him (see, a contrario, judgment of 17 July 2014, YS and Others, C‑141/12 and C‑372/12, EU:C:2014:2081, paragraphs 45 and 46), irrespective of whether that candidate does or does not also have such a right of access under the national legislation applicable to the examination procedure”.

After previously showing an ever deeper understanding of data protection in its Nowak judgment, the Court sticks to some of its findings from YS, even if this meant perpetuating a confusion between the fundamental right to respect for private life and the fundamental right to the protection of personal data: “it must be recalled that the protection of the fundamental right to respect for private life means, inter alia, that any individual may be certain that the personal data relating to him is correct and that it is processed in a lawful manner” (§57 in Nowak and §44 in YS). Lawful processing of personal data and the right to keep personal data accurate are, in fact, enshrined in Article 8 of the EU Charter – the right to the protection of personal data, and not in Article 7 – the right to respect for private life.

Obiter dictum 1: the curious insertion of “exam questions” in the equation

The Court also does something curious in these last paragraphs. It simply states, after the paragraphs sending to the YS judgment, that “the rights of access and rectification, under Article 12(a) and (b) of Directive 95/46, do not extend to the examination questions, which do not as such constitute the candidate’s personal data” (§58). The national court did not ask about this specific point. AG Kokott also does not address this issue at all in her Opinion. This might have been raised during the hearing, but no context is provided to it. The Court simply states that “Last, it must be said…” and follows it with the finding regarding test questions.

While it is easy to see that questions of a specific test, by themselves, are not personal data, as they do not relate with regard to their content, purpose or effect to a specific individual, the situation is not as clear when the questions are part of the “solved” exam sheet of a specific candidate. The question is: “Are the answers of the test inextricably linked to the questions?” Imagine a multiple choice test, where the candidate only gains access to his/her answers, without obtaining access to the questions of that test. Accessing the answers would be unintelligible. For instance, EPSO candidates have been trying for years to access their own exam sheets held by the EPSO agency of the European Union, with no success. This is exactly because EPSO only provides access to the series of letters chosen as answers from the multiple choice test. Challenges of this practice have all failed, including those brought to the attention of the former Civil Service Tribunal of the CJEU (see this case, for example). This particular finding in Nowak closes the barely opened door for EPSO candidates to finally have access to their whole test sheet.

Obiter dictum 2: reminding Member States they can restrict the right of access

With an apparent reason and referring to the GDPR, the CJEU recalls, as another obiter dictum, under the same “it must be said” (§58 and §59), that both Directive 95/46 and the GDPR “provide for certain restrictions of those rights” (§59) – access, erasure etc.

It also specifically refers to grounds that can be invoked by Member States when limiting the right to access under the GDPR: when such a restriction constitutes a necessary measure to safeguard the rights and freedoms of others (§60,§61), or if it is done for other objectives of general public interest of the Union or of a Member State (§61).

These findings are not followed by any other considerations, as the Court concludes with a finding that had already been reached around §50: “the answer to the questions referred is that Article 2(a) of Directive 95/46 must be interpreted as meaning that, in circumstances such as those of the main proceedings, the written answers submitted by a candidate at a professional examination and any comments made by an examiner with respect to those answers constitute personal data, within the meaning of that provision” (§62).

If you want to have a look at a summary of AG Kokott’s excellent Conclusions in this case and then compare them to the judgment of the Court, click here. The Court did follow the Conclusions to a great extent.

1 Comment

Posted in CJEU case-law, Comments

Tagged data protection, definition of personal data, exam scripts, GDPR and education, Irish Data Protection Commissioner, Nowak, personal data, retention period of tests, right to access your own exam, right to erasure, right to obtain a copy of a test

Exam scripts and examiner’s corrections are personal data of the exam candidate (AG Kokott Opinion in Nowak)

Posted on July 31, 2017 | 1 comment

AG Kokott delivered her Opinion on 20 July in Case C-434/16 Nowak v Data Protection Commissioner, concluding that “a handwritten examination script capable of being ascribed to an examination candidate, including any corrections made by examiners that it may contain, constitutes personal data within the meaning of Article 2(a) of Directive 95/46/EC” (Note: all highlights in this post are mine).
This is a really exciting Opinion because it provides insight into:

the definition of personal data,
the purpose and the functionality of the rights of the data subject,
the idea of abusing data protection related rights for non-data protection purposes,
how the same ‘data item’ can be personal data of two distinct data subjects (examiners and examinees),
what constitutes a “filing system” of personal data processed otherwise than by automated means.

But also because it technically (even if not literally) invites the Court to change its case-law on the definition of personal data, and specifically the finding that information consisting in a legal assessment of facts related to an individual does not qualify as personal data (see C-141/12 and C-372/12 YS and Others).

The proceedings were initially brought in front of the Irish Courts by Mr Nowak, who, after failing an exam organised by a professional association of accountants (CAI) four times, asked for access to see his exam sheet on the basis of the right to access his own personal data. Mr Nowak submitted a request to access all his personal data held by CAI and received 17 items, none of which was the exam sheet. He then submitted a complaint to the Irish Data Protection Commissioner, who decided not to investigate it, arguing that an exam sheet is not personal data. The decision not to investigate on this ground was challenged in front of a Court. Once the case reached the Irish Supreme Court, it was referred to the Court of Justice of the EU to clarify whether an exam sheet falls under the definition of “personal data” (§9 to §14).

Analysis relevant both for Directive 95/46 and for the GDPR

Yet again, AG Kokott refers to the GDPR in her Conclusions, clarifying that “although the Data Protection Directive will shortly be repealed by the General Data Protection Regulation, which is not yet applicable, the latter will not affect the concept of personal data. Therefore, this request for a preliminary ruling is also of importance for the future application of the EU’s data protection legislation” (m.h.).

The nature of an exam paper is “strictly personal and individual”

First, the AG observes that “the scope of the Data Protection Directive is very wide and the personal data covered by the Directive is varied” (§18).

The Irish DPC argued that an exam script is not personal data because “examination exercises are normally formulated in abstract terms or relate to hypothetical situations”, which means that “answers to them are not liable to contain any information relating to an identified or identifiable individual” (§19).

This view was not followed by the AG, who explained that it is incongruent with the purpose of an exam. “In every case“, she wrote, “the aim of an examination — as opposed, for example, to a representative survey — is not to obtain information that is independent of an individual. Rather, it is intended to identify and record the performance of a particular individual, i.e. the examination candidate” (§24; m.h.). Therefore, “every examination aims to determine the strictly personal and individual performance of an examination candidate. There is a good reason why the unjustified use in examinations of work that is not one’s own is severely punished as attempted deception” (§24; m.h.).

What about exam papers identified by codes?

In a clear indication that pseudonymized data are personal data, the AG further noted that an exam script is personal data also in those cases where instead of bearing the examination candidate’s name, the script has an identification number or bar code: “Under Article 2(a) of the Data Protection Directive, it is sufficient for the existence of personal information that the data subject may at least be indirectly identified. Thus, at least where the examination candidate asks for the script from the organisation that held the examination, that organisation can identify him by means of the identification number” (§28).

Characteristics of handwriting, personal data themselves

The AG accepted the argument of Mr Nowak that answers to an exam that are handwritten “contain additional information about the examination candidate, namely about his handwriting” (&29). Therefore, the characteristics of the handwriting are personal data themselves. The AG explains that “a script that is handwritten is thus, in practice, a handwriting sample that could at least potentially be used at a later date as evidence to determine whether another text was also written in the examination candidate’s writing. It may thus provide indications of the identity of the author of the script” (§29). According to the AG, it’s not relevant whether such a handwriting sample is a suitable means of identifying the writer beyond doubt: “Many other items of personal data are equally incapable, in isolation, of allowing the identification of individuals beyond doubt” (§30).

Classifying information as ‘personal data’ is a stand alone exercise (does not depend on whether rights can be exercised)

The Irish DPC argued that one of the reasons why exam scripts are not personal data in this case is because the “purpose” of the right to access and the right to rectification of personal data precludes them to be “personal data” (§31). The DPC is concerned that Recital 41 of Directive 95/46 specifies that any person must be able to exercise the right of access to data relating to him which is being processed, in order to verify in particular the accuracy of the data and the lawfulness of the processing. “The examination candidate will seek the correction of incorrect examination answers”, the argument goes (§31).

AG Kokott rebuts this argument by acknowledging that the classification of information as personal data “cannot be dependent on whether there are specific provisions about access to this information” or on eventual problems with rectification of data (§34). “If those factors were regarded as determinative, certain personal data could be excluded from the entire protective system of the Data Protection Directive, even though the rules applicable in their place do not ensure equivalent protection but fragmentary protection at best” (§34).

Even if classification information as “personal data” would depend in any way on the purpose of the right to access, the AG makes it clear that this purpose is not strictly linked to rectification, blocking or erasure: “data subjects generally have a legitimate interest in finding out what information about them is processed by the controller” (§39). This finding is backed up by the use of “in particular” in Recital 41 of the Directive (§39).

The purpose of processing and… the passage of time, both relevant for obtaining access, rectification

After clarifying that it’s irrelevant what an individual wants to do with their data, once accessed (see also the summary below on the ‘abuse of rights’), AG Kokott explains that a legitimate interest in correcting an “exam script”-related data is conceivable.

She starts from the premise that “the accuracy and completeness of personal data pursuant to Article 6(1)(d) must be judged by reference to the purpose for which the data was collected and processed” (§35). The AG further identifies the purpose of an exam script as determining “the knowledge and skills of the examination candidate at the time of the examination, which is revealed precisely by his examination performance and particularly by the errors in the examination” (§35). “The existence of errors in the solution does not therefore mean that the personal data incorporated in the script is inaccurate”, the AG concludes (§35).

Rectification could be achieved if, for instance, “the script of another examination candidate had been ascribed to the data subject, which could be shown by means of, inter alia, the handwriting, or if parts of the script had been lost” (§36).

The AG also found that the legitimate interest of the individual to have access to their own data is strengthened by the passage of time, to the extent that their recollection of the contents of their answer is likely to be considerably weaker a few years after the exam. This makes it possible that “a genuine need for information, for whatever reasons, will be reflected in a possible request for access. In addition, there is greater uncertainty with the passing of time — in particular, once any time limits for complaints and checks have expired — about whether the script is still being retained. In such circumstances the examination candidate must at least be able to find out whether his script is still being retained” (§41).

Is Mr Nowak abusing his right of access under data protection law?

AG Kokott recalls CJEU’s case-law on “abuse of rights” and the double test required by the Court to identify whether there had been any abuse of rights in a particular case (C-423/15 Kratzer and the case-law cited there at §38 to §40), which can be summed up to (§44):

i) has the purpose of the EU legislation in question been misused?

ii) is the essential aim of the transaction to obtain an undue advantage?

The DPC submitted during the procedure that if exam scripts would be considered personal data, “a misuse of the aim of the Data Protection Directive would arise in so far as a right of access under data protection legislation would allow circumvention of the rules governing the examination procedure and objections to examination decisions” (§45).

The AG considers that “any alleged circumvention of the procedure for the examination and objections to the examination results via the right of access laid down by data protection legislation would have to be dealt with using the provisions of the Data Protection Directive” and she specifically refers to the restrictions to the right of access laid down in Article 13 of the Directive with the aim “to protect certain interests specified therein” (§46). She also points out that if restricting access to exam scripts can’t be circumscribed to those exceptions, than “it must be recognised that the legislature has given precedence to the data protection requirements which are anchored in fundamental rights over any other interests affected in a specific instance” (§47).

The AG also looks at the exceptions to the right of access under the GDPR and finds that it is more nuanced than the Directive in this regard. “First, under Article 15(4) of the regulation, the right to obtain a copy of personal data is not to adversely affect the rights and freedoms of others. Second, Article 23 of the regulation sets out the grounds for a restriction of data protection guarantees in slightly broader terms than Article 13 of the Directive, since, in particular, protection of other important objectives of general public interest of the Union or of a Member State pursuant to Article 23(1)(e) of the regulation may justify restrictions” (§48).

However, it seems that she doesn’t find the slight broadening of the scope of exemptions in the GDPR as justifying the idea of an abuse of right in this particular case.

The AG also argues that “on the other hand, the mere existence of other national legislation that also deals with access to examination scripts is not sufficient to allow the assumption that the purpose of the Directive is being misused” (§49). She concludes that even if such misuse would be conceivable, the second limb of the “abuse of rights” test would not be satisfied: “it is still not apparent where the undue advantage lies if an examination candidate were to obtain access to his script via his right of access. In particular, no abuse can be identified in the fact that someone obtains information via the right of access which he could not otherwise have obtained” (§50).

Examiner’s correction on the exam script are the examinee’s personal data and his/her own personal data at the same time

The AG looks into whether any corrections made by the examiner on the examination script are also personal data with respect to the examination candidate (a question raised by some of the parties), even though she considers that the answer will not impact the result of the main proceedings (§52, §53).

It is apparent that the facts of this case resemble the facts of YS and Others, where the Court refused extension of the right of access to the draft legal analysis of an asylum application on the grounds that that did not serve the purpose of the Data Protection Directive but would establish a right of access to administrative documents. The Court argued in YS that such an analysis “is not information relating to the applicant for a residence permit, but at most information about the assessment and application by the competent authority of the law to the applicant’s situation” (§59; see YS and Others, §40). The AG considers that only “at first glance” the cases are similar. But she doesn’t convincingly differentiate between the two cases in the arguments that follow.

However, she is convincing when explaining why the examiner’s corrections are “personal data”. AG Kokott explains that the purpose of the comments made by examiners on an exam script is “the evaluation of the examination performance and thus they relate indirectly to the examination candidate” (§61). It does not matter that the examiners don’t know the identity of the examination candidate who produced the script, as long as the candidate can be easily identified by the organisation holding the examination (§60 and §61).

The AG further adds that “comments on an examination script are typically inseparable from the script itself … because they would not have any informative value without it” (§62). And it is “precisely because of that close link between the examination script and any corrections made on it”, that “the latter also are personal data of the examination candidate pursuant to Article 2(a) of the Data Protection Directive” (§63).

In an important statement, the AG considers that “the possibility of circumventing the examination complaint procedure is not, by contrast, a reason for excluding the application of data protection legislation” (§64). “The fact that there may, at the same time, be additional legislation governing access to certain information is not capable of superseding data protection legislation. At most it would be admissible for the individuals concerned to be directed to the simultaneously existing rights of information, provided that these could be effectively claimed” (§64).

Finally, the AG points out “for the sake of completeness” that “corrections made by the examiner are, at the same time, his personal data”. AG Kokott sees the potential conflict between the right of the candidate to access their personal data and the right of the examiners to protect their personal data and underlines that the examiner’s rights “are an appropriate basis in principle for justifying restrictions to the right of access pursuant to Article 13(1)(g) of the Data Protection Directive if they outweigh the legitimate interests of the examination candidate” (§65).

The AG considers that “the definitive resolution to this potential conflict of interests is likely to be the destruction of the corrected script once it is no longer possible to carry out a subsequent check of the examination procedure because of the lapse of time” (§65).

An exam script forms part of a filing system

One last consideration made by AG Kokott is whether processing of an exam script would possibly fall outside the scope of Directive 95/46, considering that it does not seem to be processed using automated means (§66, §67).

The AG points out that the Directive also applies to personal data processed otherwise than by automated means as long as they form part of a “filing system”, even if this “filing system” is not electronically saved (§69).

“This concept covers any structured set of personal data which is accessible according to specific criteria. A physical set of examination scripts in paper form ordered alphabetically or according to other criteria meets those requirements” (§69), concludes the AG.

Conclusion. What will the Court say?

The Conclusions of AG Kokott in Nowak contain a thorough analysis, which brings several dimensions to the data protection debate that have been rarely considered by Courts – the self-standing importance of the right of access to one’s own data (beyond any ‘utilitarianism’ of needing it to obtain something else), the relevance of passage of time for the effectiveness of data protection rights, the limits of the critique that data protection rights may be used to achieve other purposes than data protection per se, the complexity of one data item being personal data of two different individuals (and the competing interests of those two individuals).

The Court will probably closely follow the Conclusions of the AG for most of the points she raised.

The only contentious point will be the classification of an examiner’s corrections as personal data of the examined candidate, because following the AG will mean that the Court would reverse its case-law from YS and Others.

If we apply the criteria developed by AG Kokott in this Opinion, it is quite clear that the analysis concerning YS and their request for asylum is personal data: the legal analysis is closely linked to the facts concerning YS and the other asylum applicants and the fact that there may be additional legislation governing access to certain information (administrative procedures in the case of YS) is not capable of superseding data protection legislation. Moreover, if we add to this the argument that access to one’s own personal data is valuable in itself and does not need to satisfy other purpose, reversing this case-law is even more likely.

The only arguable difference between this case and YS and Others is that, unlike what the AG found in §62 (“comments on an examination script are typically inseparable from the script itself… because they would not have any informative value without it”), it is conceivable that a legal analysis in general may have value by itself. However, a legal analysis of particular facts is void of value when applied to different individual facts. In this sense, a legal analysis can also be considered inseparable from the particular facts it assesses. What would be relevant in classifying it as personal data would then remain the identifiability of the person that the particularities refer to…

I was never convinced by the argumentation of the Court (or AG Sharpston for that matter) in YS and Others and I would welcome either reversing this case-law (which would be compatible with what I was expecting the outcome of YS to be) or having a more convincing argumentation as to why such an analysis/assessment of an identified person’s specific situation is not personal data. However, I am not getting my hopes high. As AG Kokott observed, the issue in the main proceedings can be solved without getting into this particular detail. In any case, I will be looking forward to this judgement.

(Summary and analysis by dr. Gabriela Zanfir-Fortuna)

1 Comment

Posted in CJEU case-law, Comments, Europe, GDPR, News

Tagged access to an exam script, AG Kokott, an exam script is personal data, CJEU, data protection, definition of personal data, definition of personal data under the GDPR, do I have access to my own exam paper, Nowak, personal data, pseudonymized data, what is a filing system, YS and Other

CJEU case to follow: purpose limitation, processing sensitive data, non-material damage

Posted on February 24, 2017 | Leave a comment

A new case received by the General Court of the CJEU was published in the Official Journal of the EU in February, Case T-881/16 HJ v EMA.

A British citizen seeks to engage the non-contractual liability of the European Medicines Agency for breaching data protection law. The applicant claims that “the documents in his personal file, which were made public and accessible to any member of staff of the European Medicines Agency for a period of time, were not processed fairly and lawfully but were processed for purposes other than those for which they were collected without that change in purpose having been expressly authorised by the applicant”.

Further, the applicant claims that “the dissemination of that sensitive data consequently called into question the applicant’s integrity, causing him real and certain non-material harm”.

The applicant asks the Court to “order the defendant to pay the applicant the symbolic sum of EUR 1 by way of compensation for the non-material harm suffered”.

Even if in the published summary there is no mention of the applicable law, it is clear that Regulation 45/2001 is relevant in this case – the data protection regulation applicable to EU institutions and bodies (EMA is an EU body). The rules of Regulation 45/2001 are fairly similar to those of Directive 95/46.

(Thanks dr. Mihaela Mazilu-Babel for bringing this case to my attention)

***

Find what you’re reading useful? Please consider supporting pdpecho.

Leave a comment

Posted in Europe, News

Tagged Case T-881/16, CJEU, European Medicines Agency, HJ v EMA, Mihaela Mazilu-Babel, non-material damage, personal data, privacy, processed fairly and lawfully, purpose limitation, Regulation 45/2001, sensitive data

What’s new in research: full-access papers on machine learning with personal data, the ethics of Big Data as a public good

Posted on November 25, 2016 | Leave a comment

Today pdpecho inaugurates a weekly post curating research articles/papers/studies or dissertations in the field of data protection and privacy, that are available under an open access regime and that were recently published.

Source: http://www.androidauthority.com

This week there are three recommended pieces for your weekend read. The first article, published by researchers from Queen Mary University of London and Cambridge University, provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

The second article is the view of a researcher specialised in International Development, from the University of Amsterdam, on the new trend in humanitarian work to consider data as a public good, regardless of whether it is personal or not.

The last paper is a draft authored by a law student at Yale (published on SSRN), which explores an interesting phenomenon: how data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. The paper underlines that the US privacy law system lacks protection for individuals whose data are sold in this scenario and proposes a solution.

1) Machine Learning with Personal Data (by Dimitra Kamarinou, Christopher Millard, Jatinder Singh)

“This paper provides an analysis of the impact of using machine learning to conduct profiling of individuals in the context of the EU General Data Protection Regulation.

We look at what profiling means and at the right that data subjects have not to be subject to decisions based solely on automated processing, including profiling, which produce legal effects concerning them or significantly affect them. We also look at data subjects’ right to be informed about the existence of automated decision-making, including profiling, and their right to receive meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing.

The purpose of this paper is to explore the application of relevant data protection rights and obligations to machine learning, including implications for the development and deployment of machine learning systems and the ways in which personal data are collected and used. In particular, we consider what compliance with the first data protection principle of lawful, fair, and transparent processing means in the context of using machine learning for profiling purposes. We ask whether automated processing utilising machine learning, including for profiling purposes, might in fact offer benefits and not merely present challenges in relation to fair and lawful processing.”

The paper was published as “Queen Mary School of Law Legal Studies Research Paper No. 247/2016″.

2) The ethics of Big Data as a public good: which public? Whose good? (by Linnet Taylor)

“International development and humanitarian organizations are increasingly calling for digital data to be treated as a public good because of its value in supplementing scarce national statistics and informing interventions, including in emergencies. In response to this claim, a ‘responsible data’ movement has evolved to discuss guidelines and frameworks that will establish ethical principles for data sharing. However, this movement is not gaining traction with those who hold the highest-value data, particularly mobile network operators who are proving reluctant to make data collected in low- and middle-income countries accessible through intermediaries.

This paper evaluates how the argument for ‘data as a public good’ fits with the corporate reality of big data, exploring existing models for data sharing. I draw on the idea of corporate data as an ecosystem involving often conflicting rights, duties and claims, in comparison to the utilitarian claim that data’s humanitarian value makes it imperative to share them. I assess the power dynamics implied by the idea of data as a public good, and how differing incentives lead actors to adopt particular ethical positions with regard to the use of data.”

This article is part of the themed issue ‘The ethical impact of data science’ in “Philosophical transactions of the Royal Society A”.

3) What Happens When an Acquaintance Buys Your Data?: A New Privacy Harm in the Age of Data Brokers (by Theodore Rostow)

“Privacy scholarship to date has failed to consider a new development in the commercial privacy landscape. Data brokers have begun to sell data products to individual consumers interested in tracking the activities of love interests, professional contacts, and other people of interest. This practice creates an avenue for a new type of privacy harm — “insider control” — which privacy scholarship has yet to recognize.

U.S. privacy laws fail to protect consumers from the possibility of insider control. Apart from two noteworthy frameworks that might offer paths forward, none of the viable reforms offered by privacy scholars would meaningfully limit consumers’ vulnerability. This Note proposes changes to existing privacy doctrines in order to reduce consumers’ exposure to this new harm.”

This paper was published as a draft on SSRN. According to SSRN, the final version will be published in the 34th volume of the Yale Journal on Regulation.

***

Find what you’re reading useful? Please consider supporting pdpecho.

Leave a comment

Posted in Academic Resource

Tagged Algorithms, Artificial Intelligence, Christopher Millard, cloud computing, data brokers, data ethics, Data Privacy, data protection, Dimitra Kamarinou, EU, European Union, Fairness, GDPR, General Data Protection Regulation, Jatinder Singh, Lawfulness, Linnet Taylor, Logic, Machine Learning, personal data, privacy, Theodore Rostow, Transparency

CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

Posted on December 11, 2014 | 1 comment

CJEU gave its decision today in Case C-212/13 František Ryneš – under the preliminary ruling procedure. The press release is available here and the decision here.

Facts

A person who broke the window of the applicant’s home and was identified by the police with the help of the applicant’s CCTV camera complained that the footage was in breach of data protection law, as he did not give consent for that processing operation. The Data Protection Authority fined the applicant, and the applicant challenged the DPAs decision in front of an administrative court. The administrative court sent a question for a preliminary ruling to the CJEU.

Video image is personal data

First, the Court established that “the image of a person recorded by a camera constitutes personal data because it makes it possible to identify the person concerned” (para. 22).

In addition, video surveillance involving the recording and storage of personal data falls within the scope of the Directive, since it constitutes automatic data processing.

Household exception must be “narrowly construed”

According to the Court, as far as the provisions of the Data protection directive govern the processing of personal data liable to infringe fundamental freedoms, they “must necessarily be interpreted in the light of the fundamental rights set out in the Charter (see Google Spain and Google, EU:C:2014:317, paragraph 68)”, and “the exception provided for in the second indent of Article 3(2) of that directive must be narrowly construed” (para. 29).

In this sense, the Court emphasized the use of the word “purely” in the legal provision for describing the personal or household activity under this exception (para. 30).

Such processing operation is most likely lawful

In one of the last paragraphs of the decision, the Court clarifies that “the application of Directive 95/46 makes it possible, where appropriate, to take into account — in accordance, in particular, with Articles 7(f), 11(2), and 13(1)(d) and (g) of that directive — legitimate interests pursued by the controller, such as the protection of the property, health and life of his family and himself, as in the case in the main proceedings” (para. 34).

This practically means that, even if the household exception does not apply in this case, and the processing operation must comply with the requirements of the Data protection directive, these requirements imply that a CCTV camera recording activity such as the one in the proceedings is lawful.

NB: The Court used a non-typical terminology in this decision – “the right to privacy” (para. 29)

1 Comment

Posted in Comments, Europe

Tagged C-212/13, CCTV, cctv and data protection, data protection case-law, directive 95/46, household exception, personal data, right to personal data, right to privacy, Rynes

Spain: ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

Posted on January 13, 2013 | Leave a comment

ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

This is an unofficial translation that has been updated according to the changes operated
in the Act after the Sentence 292/200 of the Spanish Constitutional Court

Please note that the only legally binding text

is that published in the Spanish Official Journal2

I. General provisions

OFFICE OF THE HEAD OF STATE
23750 ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data.
JUAN CARLOS I
KING OF SPAIN

To whom it may concern.

Know ye that Parliament has passed, and I approve, the following Organic Law.

TITLE I

General provisions

Article 1. Subject
This Organic Law is intended to guarantee and protect the public liberties and fundamental
rights of natural persons, and in particular their personal and family privacy, with regard to the
processing of personal data.

Article 2. Scope
1. This Organic Law shall apply to personal data recorded on a physical support which makes
them capable of processing, and to any type of subsequent use of such data by the public and
private sectors.

This Organic Law shall govern any processing of personal data:
a) When the processing is carried out on Spanish territory as part of the activities of an
establishment belonging to the person responsible for the processing.
b) When the person responsible for the processing is not established on Spanish territory but is
subject to Spanish law pursuant to the norms of public international law.
c) When the person responsible for the processing is not established on the territory of the
European Union and is using for the processing means situated on Spanish territory, unless such
means are used solely for transit purposes.
2. The system of protection of personal data laid down by this Organic Law shall not apply to:
a) Files maintained by natural persons in the exercise of purely personal or household activities.
b) Files subject to the legislation on the protection of classified materials.
c) Files established for the investigation of terrorism and serious forms of organised crime.
However, in such cases, the person responsible for the file shall previously inform the Data
Protection Agency of its existence, its general characteristics and its purpose.
3. The following processing of personal data shall be governed by the specific provisions, and
by any special provisions, of this Organic Law:3
a) Files regulated by the legislation on the electoral system.
b) Those used solely for statistical purposes and protected by central or regional government
legislation on public statistical activities.
c) Those intended for the storage of the data contained in the personal assessment reports
covered by the legislation on the personnel regulations of the armed forces.
d) Those contained in the Civil Register and the Central Criminal Register.
e) Thos deriving from images and sound recorded by videocameras for the security forces in
accordance with the relevant legislation.

Article 3. Definitions
The following definitions shall apply for the purposes of this Organic Law:
a) Personal data: any information concerning identified or identifiable natural persons.
b) File: any structured set of personal data, whatever the form or method of its creation, storage
organisation and access.
c) Processing of data: operations and technical processes, whether or not by automatic means,
which allow the collection, recording, storage, adaptation, modification, blocking and
cancellation, as well as assignments of data resulting from communications, consultations,
interconnections and transfers.
d) Controller: natural or legal person, whether public or private, or administrative body which
determines the purpose, content and use of the processing.
e) Data subject: the natural person who owns the data undergoing the processing referred to in
(c) above.
f) Dissociation procedure: any processing of personal data carried out in such a way that the
information obtained cannot be associated with an identified or identifiable person.
g) Processor: the natural or legal person, public authority, service or any other body which
alone or jointly with others processes personal data on behalf of the controller.
h) Consent of the data subject: any free, unequivocal, specific and informed indication of his
wishes by which the data subject consents to the processing of personal data relating to him.
i) Assignment or communication of data: any disclosure of data to a person other than the data
subject.
j) Sources accessible to the public: those files which can be consulted by anyone, which are not
subject to restrictive legislation, or which are subject only to payment of a consultation fee. Only
the following shall be considered to be sources accessible to the public: the publicity register,
telephone directories subject to the conditions laid down in the relevant regulations, and the lists
of persons belonging to professional associations containing only data on the name, title,
profession, activity, academic degree, address and an indication of his membership of the
association. Newspapers, official gazettes and the media shall also be considered sources with
public access.4

TITLE II

Principles of data protection

Article 4. Quality of the data
1. Personal data may be collected for processing, and undergo such processing, only if they are
adequate, relevant and not excessive in relation to the scope and the specified, explicit and
legitimate purposes for which they were obtained.
2. Personal data subjected to processing may not be used for purposes incompatible with those
for which they were collected. Further processing of the data for historical, statistical or
scientific purposes shall not be considered incompatible.
3. Personal data shall be accurate and updated in such a way as to give a true picture of the
current situation of the data subject.
4. If the personal data recorded prove to be inaccurate, either in whole or in part, or
incomplete, shall be erased and officially replaced by the corresponding rectified or
supplemented data, without prejudice to the rights granted to data subjects in Article 16.
5. Personal data shall be erased when they have ceased to be necessary or relevant for the
purpose for which they were obtained or recorded.
They shall not be kept in a form which permits identification of the data subject for longer than
necessary for the purposes for which they were obtained or recorded.
On a regular basis, the procedure shall be determined by which, exceptionally, it is decided to
keep the entire set of particular data, in accordance with the specific legislation, because of their
historical, statistical or scientific value.
6. Personal data shall be stored in a way which permits the right of access to be exercised,
unless lawfully erased.
The collection of data by fraudulent, unfair or illicit means is prohibited.

Article 5. Right of information in the collection of data
1. Data subjects from who personal data are requested must previously be informed explicitly,
precisely and unequivocally of the following:
a) The existence of a file or personal data processing operation, the purpose of collecting the
data, and the recipients of the information.
b) The obligatory or voluntary nature of the reply to the questions put to them.
c) The consequences of obtaining the data or of refusing to provide them.
d) The possibility of exercising rights of access, rectification, erasure and objection.
e) The identity and address of the controller or of his representative, if any.
Where the controller is not established on the territory of the European Union, and he is using
for the processing means situated on Spanish territory, he must, unless these means are being
used for transit purposes, designate a representative in Spain, without prejudice to any action
which may be taken against the controller himself.
2. Where questionnaires or other forms are used for collection, they must contain the warnings
set out in the previous paragraph in a clearly legible form.5
3. The information set out in subparagraphs (b), (c) and (d) of paragraph 1 shall not be required
if its content can be clearly deduced from the nature of the personal data requested or the
circumstances in which they are obtained.
4. Where the personal data have not been obtained from the data subject, he must be informed
explicitly, precisely and unequivocally by the controller or his representative within three months
from the recording of the data – unless he has been informed previously – of the content of the
processing, the origin of the data, and the information set out in (a), (d) and (e) of paragraph 1
of this Article.
5. The provisions of the preceding paragraph shall not apply where explicitly provided for by
law, when the processing is for historical, statistical or scientific purposes, or when it is not
possible to inform the data subject, or where this would involve a disproportionate effort in the
view of the Data Protection Agency or the corresponding regional body, in view of the number
of data subjects, the age of the data and the possible compensatory measures.
The provisions of the preceding paragraph shall also not apply where the data come from
sources accessible to the public and are intended for advertising activity or market research, in
which case each communication sent to the data subject shall inform him of the origin of the
data, the identity of the controller and the rights of the data subject.

Article 6. Consent of the data subject
1. Processing of personal data shall require the unambiguous consent of the data subject, unless
laid down otherwise by law.
2. Consent shall not be required where the personal data are collected for the exercise of the
functions proper to public administrations within the scope of their responsibilities; where they
relate to the parties to a contract or preliminary contract for a business, employment or
administrative relationship, and are necessary for its maintenance or fulfilment; where the
purpose of processing the data is to protect a vital interest of the data subject under the terms of
Article 7(6) of this Law, or where the data are contained in sources accessible to the public and
their processing is necessary to satisfy the legitimate interest pursued by the controller or that of
the third party to whom the data are communicated, unless the fundamental rights and freedoms
of the data subject are jeopardised.
3. The consent to which the Article refers may be revoked when there are justified grounds for
doing so and the revocation does not have retroactive effect.
4. In the cases where the consent of the data subject is not required for processing personal
data, and unless provided otherwise by law, the data subject may object to such processing
when there are compelling and legitimate grounds relating to a particular personal situation. In
such an event, the controller shall exclude the data relating to the data subject from the
processing.

Article 7. Data with special protection
1. In accordance with the provisions of Article 16(2) of the Constitution, nobody may be
obliged to state his ideology, religion or beliefs.
If, in relation to such data, the consent referred to in the following paragraph is sought, the data
subject shall be warned of his right to refuse such consent.
2. Personal data which reveal the ideology, trade union membership, religion and beliefs may be
processed only with the explicit and written consent of the data subject. Exceptions shall be files
maintained by political parties, trade unions, churches, religious confessions or communities, and 6
associations, foundations and other non-profit-seeking bodies with a political, philosophical,
religious or trade-union aim, as regards the data relating to their associates or members, without
prejudice to the fact that assignment of such data shall always require the prior consent of the
data subject.
3. Personal data which refer to racial origin, health or sex life may be collected, processed and
assigned only when, for reasons of general interest, this is so provided for by law or the data
subject has given his explicit consent.
4. Files created for the sole purpose of storing personal data which reveal the ideology, trade
union membership, religion, beliefs, racial or ethnic origin or sex life remain prohibited.
5, Personal data on criminal or administrative offences may be included in files of the competent
public administrations only under the circumstances laid down in the respective regulations.
6. Notwithstanding the provisions of the preceding paragraphs, the personal data referred to in
paragraphs 2 and 3 of this Article may be processed when such processing is necessary for
purpose of preventive medicine or diagnosis, the provision of medical care or treatment, or the
management of health-care services, provided such data processing is effected by a health
professional subject to professional secrecy or by another person also subject to an equivalent
obligation of secrecy.
The data referred to in the preceding subparagraph may also be processed when this is
necessary to safeguard the vital interests of the data subject or another person in the event that
the data subject is physically or legally incapable of giving his consent.

Article 8. Data on health
Without prejudice to the provisions of Article 11 on assignment, public and private health-care
institutions and centres and the corresponding professionals may process personal data relating
to the health of persons consulting them or admitted to them for treatment, in accordance with
the provisions of the central or regional government legislation on health care.

Article 9. Data security
1. The controller or, where applicable, the processor shall adopt the technical and
organisational measures necessary to ensure the security of the personal data and prevent their
alteration, loss, unauthorised processing or access, having regard to the state of the art, the
nature of the data stored and the risks to which they are exposed by virtue of human action or
the physical or natural environment.
2. No personal data shall be recorded in files which do not meet the conditions laid down by
rules regarding their integrity and security, as well as the rules governing the processing centres,
premises, equipment, systems and programs.
3. Rules shall be laid down governing the requirements and conditions to be met by the files and
the persons involved in the data processing referred to in Article 7 of this Law.

Article 10. Duty of secrecy
The controller and any persons involved in any stage of processing personal data shall be
subject to professional secrecy as regards such data and to the duty to keep them. These
obligations shall continue even after the end of the relations with the owner of the file or, where
applicable, the person responsible for it.7

Article 11. Communication of data
1. Personal data subjected to processing may be communicated to third persons only for
purposes directly related to the legitimate functions of the transferor and transferee with the
prior consent of the data subject.
2. The consent required under the previous paragraph shall not be required:
a) when the transfer is authorised by a law.
b) when the data have been collected from publicly accessible sources.
c) when the processing corresponds to the free and legitimate acceptance of a legal relationship
whose course, performance and monitoring necessarily involve the connection between such
processing and files of third parties. In that case, communication shall be legitimate to the extent
of the purpose justifying it.
d) when the communication to be effected is destined for the Ombudsman, the Office of Public
Prosecutor, judges, courts or the Court of Auditors in the exercise of the functions assigned to
them. Not shall consent be required when the communication is destined to regional government
authorities with functions analogous to the Ombudsman or the Court of Auditors.
e) when the transfer is between public administrations and concerns the retrospective
processing of the data for historical, statistical or scientific purposes.
f) when the transfer of personal data on health is necessary for resolving an emergency which
requires access to a file or for conducting epidemiological studies within the meaning of central
or regional government health legislation.
3. Consent for the communication of personal data to a third party shall be null and void when
the information given to the data subject does not enable him to know the purpose for which the
data whose communications is authorised will be used or the type of activity of the person to
whom it is intended to communicate them.
4. Consent for the communication of personal data may also be revoked.
5. The person to who personal data are communicated is obliged, by the mere fact of the
communication, to abide by the provisions of this Law.
6. If the communication is preceded by a depersonalisation procedure, the provisions of the
preceding paragraphs shall not apply.

Article 12. Access to data on behalf of third parties
1. Access to data by a third party shall not be considered communication of data when such
access is necessary for the provision of a service to the data controller.
2. Processing on behalf of third parties shall be regulated in a contract which must be in writing
or in any other form which allows its performance and content to be assessed, it being expressly
laid down that the processor shall process the data only in accordance with the instructions of
the controller, shall not apply or use them for a purpose other than that set out in the said
contract, and shall not communicate them to other persons even for their preservation.
The contract shall also set out the security measures referred to in Article 9 of this Law, which
the processor is obliged to implement.
3. Once the contractual service has been provided, the personal data must be destroyed or
returned to the controller, together with any support or documents contain personal data
processed.
4. If the processor uses the data for another purpose, communicates them or uses them in a
way not in accordance with the terms of the contract, he shall also be considered as the
controller and shall be personally responsible for the infringements committed by him.8

TITLE III

Rights of persons
Article 13. Challenging assessments
1. Citizens have the right not to be subject to a decision with legal consequences for them, or
which significantly affects them, and which is based processing of data intended to assess
certain aspects of their personality.
2. The data subject may challenge administrative acts or private decisions which involve an
assessment of his behaviour, the only basis for which is the processing of personal data which
provides a definition of his characteristics or personality.
3. In that case, the data subject shall have the right to obtain information from the controller on
the assessment criteria and program used in the processing on the basis of which the decision
containing the act was adopted.
4. An assessment of the behaviour of citizens based on data processing shall have conclusive
force only at the request of the data subject.

Article 14. Right to consult the General Data Protection Register
Anyone may consult the General Data Protection Register to learn about the existence of
personal data, their purpose and the identity of the controller. The General Register shall be
open to public consultation free of charge.

Article 15. Right of access
1. The data subject shall have the right to request and obtain free of charge information on his
personal data subjected to processing, on the origin of such data and on their communication or
intended communication.
2. The information may be obtained by simply displaying the data for consultation or by
indicating the data subjected to processing in writing, or in a copy, fax or photocopy, whether
certified a true copy or not, in legible and intelligible form, and without using keys or codes
which require the use of specific devices.
3. The right of access referred to in this Article may be exercised only at intervals of not less
than twelve months, unless the data subject can prove a legitimate interest in doing so, in which
case it may be exercised before then.

Article 16. Right of rectification or cancellation
The controller shall be obliged to implement the right of rectification or cancellation of the data
subject within a period of ten days.
2. Rectification or cancellation shall apply to data whose processing is not in accordance with
the provisions of this Law and, in particular, when such data are incorrect or incomplete.
3. Cancellation shall lead to the data being blocked and maintained solely at the disposal of the
public administrations, judges and courts, for the purpose of determining any liability arising
from the processing, and for the duration of such liability. On expiry of such liability, they shall
be deleted.9
4. If the data rectified or cancelled have previously been communicated, the controller shall
notify the person to whom they have been communicated of the rectification or cancellation. If
the processing is being maintained by that person, he shall also cancel the data.
5. Personal data shall be kept for the periods set out in the relevant provisions or, where
applicable, in the contractual relations between the person or body responsible for the
processing (“the controller”) and the data subject.

Article 17. Objection, access, rectification or cancellation procedure
1. The procedures for exercising the right of objection, access, rectification and cancellation
shall be established by regulation.
2. No consideration shall be demanded for the exercise of the rights of objection, access,
rectification or cancellation.

Article 18. Supervision of rights
1. Acts contrary to the provisions of this Law may be the subject of complaints by data subjects
to the Data Protection Agency in the form laid down by regulation.
2. A data subject who is denied, either wholly or partially, the exercise of the rights of
objection, access, rectification or cancellation, may bring this to the attention of the Data
Protection Agency or, where applicable, to the competent body in each Autonomous
Community, which must decide on the admissibility or inadmissibility of the denial.
3. The maximum period within which a decision on the ownership of data must be reached shall
be six months.
4. An appeal may be lodged against the decisions of the Data Protection Agency.

Article 19. Right to damages
1. Data subjects who, as a result of failure to comply with the provisions of this Law on the part
of the controller or processor, suffer damage to their possessions or rights, shall have the right
to damages.
2. Where the files are in public ownership, liability shall be established in accordance with the
legislation regulating the liability of public administrations.
3. In the case of files in private ownership, the case shall be heard by the civil courts.

TITLE IV

Sectoral provisions

CHAPTER I

Files in public ownership

Article 20. Creation, modification or deletion
1. Files of the public administrations may only be created, modified or deleted by means of a
general provision published in the Boletín Oficial del Estado or in the corresponding official
gazette.10
2. The provisions for the creation or modification of files must indicate:
a) The purpose of the file and its planned use.
b) The persons or bodies on which it is planned to obtain personal data or which they are
obliged to submit data.
c) The procedure for collecting the personal data.
d) The basic structure of the file and a description of the personal data included in it.
e) The intended transfers of personal data and, where applicable, the intended transfers of data
to third countries.
f) The officials in the administrations responsible for the file.
g) The services or units with which the rights of access, rectification, cancellation and objection
may be exercised.
h) The security measures, indicating the basic, medium or high level required.
3. The provisions on the deletion of files shall lay down the fate of the files or, where applicable,
the timetables to be adopted for their destruction.

Article 21. Communication of data between public administrations
1. Personal data collected or drawn up by public administrations in the performance of their
tasks shall not be communicated to other public administrations for the exercise of different
powers or powers relating to other matters unless the communication is for the purpose of
subsequent processing for historical, statistical or scientific purposes.
2. Personal data which a public administration obtains or draws up on behalf of another
administration may be communicated.
3. Notwithstanding the provisions of Article 11.2.b), communication of data obtained from
sources accessible to the public shall apply to files in private ownership only with the consent of
data subject or when a law stipulates otherwise.
4. In the cases provided for in paragraphs 1 and 2 of this Article, the consent of the data
subject referred to in Article 11 of this Law shall not be required.

Article 22. Files of the security forces
1. The files created by the security forces and containing personal data which, because they
were collected for administrative purposes, must be recorded permanently, shall be subject to
the general rules of this Law.
2. Collection and processing, for police purposes, of personal data by the security forces
without the consent of the data subjects shall be limited to those cases and categories of data
necessary for the prevention of a genuine threat to public safety or for the suppression of crime;
such data shall be stored in special files established for the purpose, which must be classified
according to their degree of reliability.
3. The data referred to in paragraphs 2 and 3 of Article 7 may be collected and processed only
in cases in which it is absolutely essential for the purposes of a specific investigation, without
prejudice to checks on the legality of the administrative action or the obligation to consider any
applications made by the data subjects falling within the remit of the bodies responsible for the
administration of justice.
4. Personal data stored for police purposes shall be cancelled when they are not necessary for
the investigations for the purposes of which they were stored.11
To this end, special consideration shall be given to the age of the data subject and the nature of
the data stored, the need to maintain the data until the conclusion of a specific investigation or
procedure, a final judgment, and in particular an acquittal, a pardon, rehabilitation and the expiry
of liability

Article 23. Exceptions to the rights of access, rectification and cancellation
1. The controllers of files containing the data referred to in paragraphs 2, 3 and 4 of the
preceding Article may deny access, rectification or cancellation in the light of the risks which
might arise for the defence of the state or public safety, the protection of the rights and liberties
of third parties, or for the needs of investigations under way.
2. Controllers of files in the public finance sector may also deny exercise of the rights referred to
in the previous paragraph when this impede administrative actions aimed at ensuring fulfilment of
tax obligations, and particularly when the data subject is under investigation.
3. A data subject who is denied, either wholly or partially, exercise of the rights referred to in
the preceding paragraphs may bring this to the notice of the Director of the Data Protection
Agency, or of the competent body in each Autonomous Community in the case of files
maintained by its own police forces, or the tax authorities of the Autonomous Communities,
which must establish the admissibility or inadmissibility of the denial.

Article 24. Other exceptions to the rights of data subjects
The provisions of paragraphs 1 and 2 of Article 5 shall not apply to the collection of data when
informing the data subject would affect national defence, public safety or the prosecution of
criminal offences.

CHAPTER II

Files in private ownership

Article 25. Creation
Files in private ownership containing personal data may be created when it is necessary for the
success of the legitimate activity and purpose of the person, undertaking or body owning them
and the guarantees laid down by this Law for the protection of persons are respected.12

Article 26. Notification and entry in the register
1. Any person or body creating files of personal data shall first notify the Data Protection
Agency,
2. Detailed rules shall be established for the information to be contained in the notification,
amongst which must be the name of the controller, the purpose of the file, its location, the type
of personal data contained, the security measures, with an indication of whether they are of
basic, medium or high level, any transfers intended and, where applicable, ant intended transfers
of data to third countries.
3. The Data Protection Agency must be informed of any changes in the purpose of the
computer file, the controller and the address of its location.
4. The General Data Protection Register shall enter the file if the notification meets the
requirements.
If this is not the case, it may ask for the missing data to be provided or take remedial action.
5. If one month has passed since submitting the application for entry without the Data Protection
Agency responding, the computer file shall, for all accounts and purposes, be considered
entered in the Register.

Article 27. Communication of transfers of data
1. When making the first transfer of data, the controller must communicate this to the data
subjects, also indicating the purpose of the file, the nature of the data transferred and the name
and address of the transferee.
2. The obligation set out in the preceding paragraph shall not apply in the case provided for in
paragraphs 2.c), d) and e) and 6 of Article 11, nor when the transfer is forbidden by law.

Article 28. Data included in sources accessible to the public
1. Personal data contained in the publicity register or in the lists of persons belonging to
professional associations referred to in Article 3.j) of this Law must be limited to those that are
strictly necessary to fulfil the purpose for which each list is intended. The inclusion of additional
data by the bodies responsible for maintaining these sources shall require the consent of the
data subject, which may be revoked at any time.
2. Data subjects shall have the right to require the body responsible for maintaining the lists of
professional associations to indicate, free of charge, that their data may not be used for the
purposes of publicity or market research.
Data subjects shall have the right to have all the personal data contained in the publicity register
excluded, free of charge, by the bodies entrusted with maintaining those sources.
A reply to the application for exclusion of the unnecessary information or for inclusion of the
objection to the use of the data for the purposes of publicity or distance selling must be given
within ten days in the case of information provided via telematic consultation or communication,
and in the following edition of the list regardless of the medium on which it is published.
3. Publicly accessible sources published in the form of a book or on any other physical support
shall cease to be an accessible source when the new edition is published.
If an electronic version of the list is obtained by telematic means, it shall cease to be a publicly
accessible source within one year from the moment it was obtained.
4. Data contained in guides to telecommunications services available to the public shall be
governed by the relevant legislation.13

Article 29. Provision of information services on creditworthiness and credit
1. Providers of information services on creditworthiness and credit may process only personal
data obtained from registers and sources accessible to the public and set up for that purpose or
based on information provided by the data subject or with his consent.
2. Processing is also allowed of personal data relating to the fulfilment or non-fulfilment of
financial obligations provided by the creditor or by someone acting on his behalf. In such cases
the data subjects shall be informed, within a period of thirty days from the recording, of those
who have recorded personal data in files, with a reference to the data included, and they shall
be informed of their right to request information on all of them under the conditions laid down by
this Law.
3. In the cases referred to in the two paragraphs above, and at the request of the data subject,
the data controller shall communicate to him the data, together with any assessments and
appreciations made about him during the previous six months and the name and address of the
person or body to whom the data have been disclosed.
4. Only those personal data may be recorded and transferred which are necessary for assessing
the economic capacity of the data subjects and which, in the case adverse data, do not go back
for more than six years, always provided that they give a true picture of the current situation of
the data subjects.

Article 30. Processing for the purpose of publicity and market research
1. Those involved in compiling addresses, disseminating documents, publicity, distance selling,
market research or other similar activities shall use names and addresses or other personal data
when they feature in sources accessible to the public or when they have been provided by the
data subjects themselves or with their consent.
2. When the data come from sources accessible to the public, in accordance with the provisions
of the second paragraph of Article 5.5 of this Law, each communication sent to the data subject
shall indicate the origin of the data and the identity of the controller, as well as the rights
available to the data subject.
3. In exercising the right of access, data subjects shall have the right to know the origin of their
personal data and the rest of the information referred to in Article 15.
4. Data subjects shall have the right to object, upon request and free of charge, to the
processing of the data concerning them, in which case they shall be deleted from the processing
and, at their mere request, the information about them contained in the processing shall be
cancelled.

Article 31. Publicity register
1. Those intending to be involved, either permanently or occasionally, in compiling addresses,
disseminating documents, publicity, distance selling, market research or other similar activities,
may request from the National Statistical Institute or the equivalent bodies in the Autonomous
Communities a copy of the publicity register comprising data on the surnames, forenames and
domiciles contained in the electoral roll.
2. Each publicity register list shall be valid for one year. Thereafter, the list shall lose its validity
as a publicly accessible source.14
3. The procedures by which data subjects may request not to be included in the publicity
register shall be governed by regulation. Amongst these procedures, which shall be free of
charge for the data subjects, shall be the census document. Every quarter, an updated list of the
publicity register shall be published, leaving out the names and addresses of those who have
asked to be excluded.
4. A consideration may be required for providing the above list on a digital medium.

Article 32. Standard codes of conduct
1. By means of sectoral agreements, administrative agreements or company decisions, publicly
and privately-owned controllers and the organisations to which they belong may draw up
standard codes of conduct laying down the organisation conditions. The operating rules, the
applicable procedures, the safety standards for the environment, programs and equipment, the
obligations of those involved in the processing and use of personal information, as well as the
guarantees, within their remit, for exercising the rights of the individual in full compliance with the
principles and provisions of this Law and its implementing rules.
2. These codes may or may not contain detailed operational rules for each particular system and
technical standards for their application.
If these codes are not incorporated directly into the code, the instructions or orders for drawing
them up must comply with the principles laid down in the code.
3. The codes must be in the form of codes of conduct or of good professional practice, and
must be deposited or entered in the General Data Protection Register and, where appropriate,
in the registers set up for this purpose by the Autonomous Communities, in accordance with
Article 41. The General Data Protection Register may refuse entry when it considers that the
code does not comply with the legal and regulatory provisions on the subject. In such a case,
the Director of the Data Protection Agency must require the applicants to make the necessary
changes.

TITLE V

International movement of data

Article 33. General rule
1. There may be no temporary or permanent transfers of personal data which have been
processed or which were collected for the purpose of such processing to countries which do
not provide a level of protection comparable to that provided by this Law, except where, in
addition to complying with this Law, prior authorisation is obtained from the Director of the
Data Protection Agency, who may grant it only if adequate guarantees are obtained.
2. The adequacy of the level of protection afforded by the country of destination shall be
assessed by the Data Protection Agency in the light of all the circumstances surrounding the
data transfer or category of data transfer. Particular consideration shall be given to the nature of
the data, the purpose and duration of the proposed processing operation or operations, the
country of origin and country of final destination, the rules of law, both general and sectoral, in
force in the third country in question, the content of the reports by the Commission of the
European Union, and the professional rules and security measures in force in those countries.

Article 34. Derogations15
The provisions of the preceding paragraph shall not apply where:
a) The international transfer of personal data is the result of applying treaties or agreements to
which Spain is a party.
b) The transfer serves the purposes of offering or requesting international judicial aid.
c) The transfer is necessary for medical prevention or diagnosis, the provision of health aid or
medical treatment, or the management of health services.
d) Where the transfer of data is related to money transfers in accordance with the relevant
legislation.
e) The data subject has given his unambiguous consent to the proposed transfer.
f) The transfer is necessary for the performance of a contract between the data subject and the
controller or the adoption of precontractual measures taken at the data subject’s request.
g) The transfer is necessary for the conclusion or performance of a contract concluded, or to be
concluded, in the interest of the data subject, between the controller and a third party.
h) The transfer is necessary or legally required to safeguard a public interest. A transfer
requested by a tax or customs authority for the performance of its task shall be considered as
meeting this condition.
i) The transfer is necessary for the recognition, exercise or defence of a right in legal
proceedings.
j) The transfer takes place at the request of a person with a legitimate interest, from a public
register, and the request complies with the purpose of the register.
k) The transfer takes place to a Member State of the European Union or to a country which the
Commission of the European Communities, in the exercise of its powers, has declared to ensure
an adequate level of protection.

TITLE VI

Data Protection Agency

Article 35. Nature and legal status
1. The Data Protection Agency is a body under public law, with its own legal personality and
unlimited public and private legal capacity, which acts fully independently of the public
administrations in the performance of its tasks. It shall be governed by the provisions of this
Law and in a Statute of its own to be approved by the Government.
2. In the exercise of its public functions, and until such time as this Law and its implementing
provisions are adopted, the Data Protection Agency shall act in conformity with Law 301992 of
26 November on the Legal Status of Public Administrations and the Common Administrative
Procedure. Its acquisitions of assets and contracts shall be governed by private law.
3. The posts in the bodies and services belonging to the Data Protection Agency shall be filled
by officials of the public administrations and by staff recruited to this end, in accordance with the
functions assigned to each post. The staff is obliged to keep secret any personal data of which
they acquire knowledge in the performance of their task.
4. For the performance of its tasks, the Data Protection Agency shall have the following assets
and resources:
a) The annual appropriations from the General Government Budget.16
b) The goods and assets making up its resources, and any interest from them.
c) Any other resources legally assigned to it.
5. Each year the Data Protection Agency shall draw up and approve the corresponding
preliminary draft budget and send it to the Government for incorporation, with due regard to its
independence, into the General Government Budget.

Article 36. The Director
1. The Director of the Data Protection Agency manages and represents the Agency. He shall be
appointed from amongst the members of the Consultative Council, by Royal Decree, for a
period of four years.
2. He shall exercise his functions fully independently and objectively and shall not be subject to
any instructions thereby.
The Director shall in all cases take note of any proposals the Consultative Council may make to
him in the exercise of its functions.
3. The Director of the Data Protection Agency may be removed from office before the end of
the period set out in paragraph 1 only at his own request or on the instructions of the
Government, after an investigation in which the other members of the Consultative Council must
be consulted, for serious infringement of his obligations, inability to exercise his functions,
incompatibility or conviction for a criminal offence.
4. The Director of the Data Protection Agency shall be considered as occupying a senior post
and shall be governed by the special services régime if he was previously exercising a pubic
function. If a member of the judicial or tax career bracket is appointed to the post, he shall also
be governed by the special services administrative régime.

Article 37. Functions
The functions of the Data Protection Agency are as follows:
a) To ensure compliance with the legislation on data protection and ensure its application, in
particular as regards the rights of information, access, rectification, objection and cancellation of
data.
b) To issue the authorisations provided for in the Law or in its regulatory provisions.
c) To issue, where applicable, and without prejudice to the remits of other bodies, the
instructions needed to bring processing operations into line with the principles of this Law.
d) To consider the applications and complaints from the data subjects.
e) To provide information to persons on their rights as regards the processing of personal data.
f) To require controllers and processors, after having heard them, to take the measures
necessary to bring the processing operations into line with this Law and, where applicable, to
order the cessation of the processing operation when the cancellation of the files, when the
operation does not comply with the provisions of the Law.
g) To impose the penalties set out in Title VII of this Law.
h) To provide regular information on the draft general provisions set out in this Law.
i) To obtain from the data controllers any assistance and information it deems necessary for the
exercise of its functions.
j) To make known the existence of files of personal data, to which end it shall regularly publish a
list of such files with any additional information the Director of the Agency deems necessary.17
k) To draw up an annual report and submit it to the Ministry of Justice.
l) To monitor and adopt authorisations for international movements of data, and to exercise the
functions involved in international cooperation on the protection of personal data.
m) To ensure compliance with the provisions laid down by the Law on Public Statistics with
regard to the collection of statistical data and statistical secrecy, to issue precise instructions, to
give opinions on the security conditions of the files set up for purely statistical purposes, and to
exercise the powers referred to in Article 46.
n) Any other functions assigned to it by law or regulation.

Article 38. Consultative Council
The Director of the Data Protection Agency shall be assisted by a Consultative Council made
up of the following members:
One member of the Congress of Deputies, proposed by the Congress.
One member of the Senate, proposed by the Senate.
One member of the central administration, proposed by the Government.
One member of the local administration, proposed by the Spanish Federation of Municipalities
and Provinces.
One member of the Royal Academy of History, proposed by the Academy.
One expert in the field, proposed by the Supreme Council of Universities.
A representative of users and consumers, to be selected according to a method to be laid down
by regulation.
One representative of each Autonomous Community which has set up a data protection agency
on its territory, to be proposed in accordance with the procedure laid down by the Autonomous
Community concerned.
One representative of the private file sector, to be proposed according to the procedure laid
down by regulation.
The Consultative Council shall operate in accordance with the regulations laid down for that
purpose.

Article 39. The General Data Protection Register
1. The General Data Protection Register is a body incorporated into the Data Protection
Agency.
2. The following shall be entered in the General Data Protection Register:
a) Files owned by the public administrations.
b) Files in private ownership.
c) The authorisations referred to in this Law.
d) The codes of conduct referred to in Article 32 of this Law.
e) Data relating to files which are necessary for the exercise of the rights of information, access,
rectification, cancellation and objection.
3. The procedures for entering the files in public and private ownership in the General Data
Protection Register, the content of the entry, its modification, cancellation, complaints and 18
appeals against the corresponding decisions, and other related matters, shall be laid down by
regulation.

Article 40. Powers of inspection
1. The supervisory authorities may inspect the files referred to in this Law and obtain any
information they require for the performance of their tasks.
To this end, they may require the disclosure or transmission of documents and data and examine
them at their place of storage, inspect the hardware and software used to process the data, and
obtain access to the premises on which they are located.
2. In the performance of their tasks, the officials carrying out the inspection referred to in the
preceding paragraph shall be deemed to be a public authority.
They shall be obliged to keep secret any information acquired in the exercise of the
aforementioned functions, even after they have ceased to exercise them.

Article 41. Corresponding bodies of the Autonomous Communities
1. The functions of the Data Protection Agency set out in Article 37, with the exception of those
referred to in paragraphs j), k) and l), and in paragraphs f) and g) as regards international
transfers of data, as well as in Articles 46 and 49 relating to its specific powers, shall, when they
concern files of personal data created and administered by the Autonomous Communities and
by local government within its territory, be exercised by the corresponding bodies in each
Community, which shall be deemed to be supervisory authorities guaranteed full independence
and objectivity in the performance of their task.
2. The Autonomous Communities may create and maintain their own registers of files for the
exercise of the powers assigned to them.
3. The Director of the Data Protection Agency may regularly meet the corresponding bodies in
the Autonomous Communities for the purposes of institutional cooperation and coordination of
the criteria or operating procedures. The Director of the Data Protection Agency and the
corresponding bodies in the Autonomous Communities may ask each other for the information
needed for the exercise of their functions.

Article 42. Files of the Autonomous Communities for which the Agency has sole
responsibility
1. When the Director of the Data Protection Agency establishes that the maintenance or use of
a particular file of the Autonomous Communities contravenes any provision of this Law for
which it has sole responsibility, he may require the corresponding administration to adopt the
corrective measures specified by him within the period laid down by him.
2. If the public administration in question does not comply with the requirement, the Director of
the Data Protection Agency may challenge the decision taken by that administration.

TITLE VII

Infringements and penalties

Article 43. Controllers19
1. Controllers and processors shall be subject to the penalties set out in this Law.
2. In the case of files for which the public administrations are responsible, the provisions of
Article 46(2) shall apply to the procedure and penalties.
Article 44. Types of infringement
1. Infringements shall be classified as minor, serious and very serious.
2. The following shall be minor infringements:
a) Failure to respond, for formal reasons, to a request by a data subject for the rectification or
cancellation of personal data subject to processing, when that request is justified in law.
b) Failure to provide the information requested by the Data Protection Agency in the exercise of
the functions assigned to it by law, with regard to non-substantive aspects of data protection.
c) Failure to request the entry of the file of personal data in the General Data Protection
Register, where this does not amount to a serious infringement.
d) Collection of personal data on data subjects without providing them with the information set
out in Article 5 of this Law.
e) Failure to respect the duty of secrecy set out in Article 10 of this Law, where this does
amount to a serious infringement.
3. The following shall be serious infringements:
a) Creating files in public ownership, or initiating the collection of personal data for such files,
without the authorisation published in the Boletín Oficial del Estado or the corresponding
official gazette.
b) Creating files in private ownership, or initiating the collection of data for such files, for
purposes other than the legitimate purposes of the undertaking or body.
c) Collecting personal data without obtaining the explicit consent of the data subjects, where this
has to be obtained.
d) Processing personal data or subsequently using them in infringement of the principles and
guarantees laid down in this Law, and failure to respect the protection laid down by the
implementing provisions, where this does not amount to a very serious infringement.
e) Preventing or hindering the exercise of the rights of access and objection, and refusing to
provide the information asked for.
f) Maintaining incorrect personal data or failure to rectify or cancel such data when legally
obliged if the citizens’ rights protected by this Law are affected
g) Breach of the duty of secrecy for personal data incorporated into files containing data on the
commission of administrative or criminal offences, public finance, financial services, provision of
creditworthiness and credit services, as well as other files containing a set of personal data
sufficient to obtain an assessment of the personality of the individual.
h) Maintaining files, premises, programs or hardware containing personal data without the
security required by regulations.
i) Failure to send the Data Protection Agency the notifications laid down in this Law or in its
implementing provisions, and not providing it, on time, with any documents and information due
to it or which it may require to that end.
j) Impeding inspections.
k) Failure to enter a file of personal data in the General Data Protection Register when this has
been required by the Director of the Data Protection Agency.20
l) Failure to comply with the duty of information laid down in Articles 5, 28 and 29 of this Law,
when the data have been obtained from a person other than the data subject.
4. The following shall be very serious infringements:
a) The misleading or fraudulent collection of data.
b) Communication or transfer of personal data other than in cases where these are allowed.
c) Obtaining and processing the personal data referred to in paragraph 2 of Article 7 without
the explicit consent of the data subject; obtaining and processing the data referred to in
paragraph 3 of Article 7 when not covered by a law or when the data subject has not given his
explicit consent, or breaching the prohibition contained in paragraph 4 of Article 7.
d) Failure to cease the illegitimate use of personal data processing operations when required to
do so by the Director of the Data Protection Agency or by the persons owning the rights of
access.
e) The temporary or final transfer of personal data which have been subjected to processing, or
which have been collected for such processing, to countries which do not provide a comparable
level of protection, without the authorisation of the Director of the Data Protection Agency.
f) Processing personal data illegally or in breach of the principles and guarantees applying to
them, when this prevents or infringes the exercise of fundamental rights.
g) Breach of the duty to maintain the secrecy of the personal data referred to in paragraphs 2
and 3 of Article 7, as well as of data obtained for police purposes without the consent of the
data subjects.
h) Systematically impeding or failing to comply with the exercise of the rights of access,
rectification, cancellation or objection.
i) Systematic failure to comply with the duty to notify the inclusion of personal data in a file.

Article 45. Penalties
1. Minor infringements shall be punished by a fine of Ptas 100 000 to 10 000 000.
2. Serious infringements shall be punished by a fine of Ptas 10 000 000 to 50 000 000.
3. Very serious infringements shall be punished by a fine of Ptas 50 000 000 to 100 000 000.
4. The amount of the penalties shall be graded taking account the nature of the personal rights
involved, the volume of the processing operations carried out, the profits gained, the degree of
intentionality, repetition, the damage caused to the data subjects and to third parties, and any
other considerations of relevance in determining the degree of illegality and culpability of the
specific infringement.
5. If, in the light of the circumstances, there is a qualified diminution of the culpability of the
offender or of the illegality of the action, the body applying the penalties shall determine the
amount of the penalty by applying the scale for the category of penalties immediately below that
for the actual case in question.
6. In no case shall a penalty be imposed which is higher than that laid down in the Law for the
category covering the infringement to be punished.
7. The Government shall regularly update the amount of the penalties in accordance with
changes in the price indices.

Article 46. Infringements by public administrations21
1. When the infringements referred to in Article 44 are committed in files for which the public
administrations are responsible, the Director of the Data Protection Agency shall issue a
decision setting out the measures to be adopted to terminate or correct the effects of the
infringement. This decision shall be notified to the data controller, the body to which he is
responsible, and to the data subjects, if any.
2. The Director of the Agency may also propose that disciplinary proceedings be initiated. The
procedure and penalties to be applied shall be those laid down in the legislation on disciplinary
proceedings in public administrations.
3. Decisions on the measures and proceedings referred to in the preceding paragraphs shall be
communicated to the Agency.
4. The Director of the Agency shall communicate to the Ombudsman the proceedings and
decisions taken within the terms of the preceding paragraphs.

Article 47. Time limits
1. The time limits for pursuing infringements shall be three years for very serious infringements,
two years for serious infringements and one year for minor infringements.
2. The time limits shall start to run on the day on which the infringement was committed,
3. The time limits shall be interrupted when the person concerned is informed of the initiation of
the infringement procedure, and the time limit shall recommence if the procedure is held up for
more than six months for reasons for which the alleged offender cannot be held responsible.
4. Penalties imposed for very serious infringements shall expire after three years, those imposed
for serious infringements after two years, and those imposed for minor infringements after one
year.
5. The time limits for penalties shall start to run from the day after the decision imposing the
penalty comes into force.
6. The time limits shall be interrupted when the person concerned is informed of the initiation of
the execution procedure, and shall recommence if the procedure is held up for more than six
months for reasons for which the offender cannot be held responsible.

Article 48. Penalty procedure
1. The procedure for determining infringements and imposing the penalties referred to in this
Title shall be laid down by regulation.
2. The decisions of the Data Protection Agency or the corresponding body in the Autonomous
Community shall exhaust the administrative procedure.
Article 49. Power to immobilise files
In cases of very serious infringement, involving the use or illicit transfer of personal data in which
the exercise of the rights of citizens and the free development of the personality guaranteed by
the Constitution and the laws are seriously impeded or otherwise affected, the Director of the
Data Protection Agency may, in addition to imposing a penalty, require the controllers of files
personal data in both public and private ownership to terminate the use or illicit transfer of the
data. If there is no response to this requirement, the Data Protection Agency may, on the basis
of a reasoned decision, immobilise such files for the sole purpose of restoring the rights of the
data subjects.22
First additional provision. Existing files
Files and computer processing operations, whether or not entered in the General Data
Protection Register, must comply with this Organic Law within three years of its entry into
force. Within this period, files in private ownership must be communicated to the Data
Protection Agency, and the public administrations responsible for files in public ownership must
approve the relevant provision regulating the files or adapt the existing provision.
In the case of files and data processing operations which are not computerised, compliance with
this Organic Law and the obligation in the preceding paragraph must be achieved within twelve
years from 24 October 1995, without prejudice to the exercise of the rights of access,
rectification and cancellation by the data subjects.

Second additional provision. Population files and registers of public administrations
1. Central Government and the administrations of the Autonomous Communities may request
from the National Statistical Institute, without the consent of the data subject, an updated copy
of the file comprising data on the surname, forenames, domicile, sex and date of birth contained
in the municipal censuses of inhabitants and the electoral roll for the territories in which they
exercise their powers, for the creation of population files or registers.
2. The purpose of the population files or registers shall be communication between the various
bodies in each public administration and data subjects resident in the respective territories, in
relation to the legal and administrative relations deriving from the respective remits of the public
administrations.

Third additional provision. Processing of files from the repealed Laws on Vagrants and
Malefactors and on Riskiness and Social Rehabilitation
The files specifically established under the repealed Laws on Vagrants and Malefactors and on
Riskiness and Social Rehabilitation, and containing data of whatever sort which might affect the
security, reputation, privacy or image of individuals, may not be consulted without the explicit
consent of the data subjects or unless fifty years have passed since their date of collection.
In the latter case, the Central Government shall, unless there is proof of the death of the data
subjects, make the documentation available to requesters after deleting from it the data referred
to in the preceding paragraph using the technical procedures appropriate to each case.

Fourth additional provision. Amendment to Article 112.4 of the General Law on Taxation
“4. The processed personal data which must be transferred to the tax authorities in
accordance with the provisions of Article 111, of the preceding paragraphs of this
Article, or of other rules of equal standing, shall not require the consent of the data
subject. The provisions of paragraph 1 of Article 21 of the Organic Law on Personal
Data relating to public administrations shall also not apply to such matters.”

Fifth additional provision. Remit of the Ombudsman and similar regional government
bodies
The provisions of this Organic Law are without prejudice to the remit of the Ombudsman and
the similar bodies in the Autonomous Communities.23

Sixth additional provision. Amendment to Article 24.3 on the Law on the Regulation and

Supervision of Private Insurances

Article 24.3, second paragraph, of Law 30/1995 of 8 November, on the Regulation and
Supervision of Private Insurances, is amended as follows:
“Insurance bodies may create joint files containing personal data for the settlement of
accident claims and for actuarial statistical collaboration aimed at establishing rates of
premiums and the selection of risks, and for drawing up studies on insurance techniques.

The transfer of data to such files shall not require the prior consent of the data subject,
but the possible transfer of his personal data for the purposes indicated must be
communicated to the data subject, together with an explicit indication of the data
controller, so that the rights of access, rectification and cancellation laid down by law
may be exercised.

Joint files may also be created without the consent of the data subject for the purpose of
preventing insurance fraud. However, it will be necessary in such cases to make known
to the data subject, when the data are first introduced, who is responsible for the file
and the ways in which the rights of access, rectification and cancellation may be
exercised.
In all cases, data relating to health may be subjected to processing only with the explicit
consent of the data subject.”

First transitional provision. Processing operations under international agreements
The Data Protection Agency shall be the body responsible for the protection of natural persons
as regards the processing of personal data, with respect to the processing operations set up
under any international agreement to which Spain is a signatory and which assigns this power to
a national supervisory authority, unless a different authority is set up for this task in
implementation of the agreement.

Second transitional provision. Use of the publicity register
The procedures for drawing up the publicity register, for objecting to being entered in it, for
making it available to requesters, and for monitoring the lists disseminated, shall be governed by
regulation. The regulation shall lay down the time limits for implementation of the publicity
register.

Third transitional provision. Continuation in force of existing rules
Until such time as the arrangements set out in first final provision of this Law come into force,
the existing regulatory rules shall continue in force with their own ranking, and in particular Royal
Decrees 428/1993 of 26 March, 1332/1994 of 20 June, and 994/1999 of 11 June, unless they
are in conflict with this Law.
Single repealing provision. Repeal of rules24

Organic Law 5/1992 of 29 October regulating the computer processing of personal data is
hereby repealed.

First final provision. Authorisation for regulatory development
The Government shall approve or amend the regulatory provisions necessary for the application
and further development of this Law.

Second final provision. Precepts with the character of ordinary law
Titles IV, VI – except for the last indent of paragraph 4 of Article 36 – and VII of this Law, the
fourth additional provision, the first transitional provision, and the first final provision, shall have
the character of ordinary law.

Third final provision. Entry into force
This Law shall enter into force one month after its publication in the Boletín Oficial del Estado.

Therefore

I order all Spaniards, individuals and authorities, to uphold this Organic Law and to ensure that
it is upheld.

Madrid, 13 December 1999.

JUAN CARLOS R.

The Prime Minister

JOSÉ MARÍA AZNAR LÓPEZ

Leave a comment

Posted in News

Tagged data protection law in spain, organic law 15/1999, personal data, privacy, sentence 292/200 spanish constitutional court

Financial Supervisory Authority issues circular for Hungarian financial institutions on the use of cloud computing technologies

Posted on August 10, 2012 | Leave a comment

Márton Domokos writes for “The Privacy Advisor” that On 18 July, the Hungarian Financial Supervisory Authority-PSZÁF (HFSA) issued a circular for Hungarian financial institutions on the use of cloud computing technologies. It is the first time in Hungary that a regulatory authority issued such an opinion. The document outlines detailed proposals for financial institutions on data classification, pre-contracting tasks and the contents of the service agreement with the cloud provider.

Regulatory considerations

The HFSA expressly reminds the management, IT internal audit, compliance and legal departments of financial institutions that if the company is willing to use cloud computing services, they shall pay particular attention to the following.

Obtaining cloud services is considered as “outsourcing” under the Hungarian sector-specific regulations which results in the application of certain additional rules; e.g., notification to the HFSA, specific data processing obligations.
It is important to continuously monitor the changes in the regulations of the EU affecting cloud computing services, practices and best practice recommendations.
It is also essential to keep an eye on the Hungarian and EU data privacy provisions and practices—in particular to practices and resolutions concerning cross-border data transfers or data transfers to third countries.
The relationship between the master services agreement to be concluded and the related SLAs shall be harmonised.
Data classification

According to the HFSA, it is important to classify the data processed by the financial institution before determining which data can be transferred to the cloud at all. The circular states that it is not recommended to process bank secrets, personal data or other sensitive data in the public cloud and reminds that the physical storage or place of procession of data in the public cloud in particular, e.g., outside of the European Economic Area or the Safe Harbor, substantially influence the possibility of compliance with the EU data protection regulations.

Read the whole text HERE.

Leave a comment

Posted in News

Tagged cloud computing, cloud computing technologies, data classification, data protection, financial institutions in the cloud, HFSA, Hungarian Data Protection Agency, Márton Domokos, personal data, personal data protection, privacy, privacy in the cloud, the cloud, the right to privacy

DP history: Which was the first country to adopt a Data protection law?

Posted on August 10, 2012 | Leave a comment

Why did governments and legislatures thought that the personal information collected by different entities should be protected? When did they discover the society needs such regulations?

I will try to answer these questions in my new category “DP history”. I keep reposting news about countries which pass for the first time data protection legislation. But how about the ones that first discovered this need in their societies? So, I figured I should provide valuable information in this regard also.

I will start by answering the question “Which was the first country to adopt a Data Protection law?”.

The answer is Germany. Well, Germany was a “door opener” not only in nation-wide data protection regulation, but also in data protection law in general, as its land of Hesse adopted the first ever law with regard to the protection of personal data in 1970.

However, I will write today a few facts about the Federal law on the protection of personal data adopted by the German Parliament: Bundesdatenschutzgesetz.

It was as early as 1969 that the German Parliament requested the Government “to introduce without delay a statute regulating the computerized processing of personal information.”

The first draft of the Bill appeared in 1973, but it was not until November 10, 1976 that the Bundestag approved the Act on the Protection against the Misuse of Personal Data in Data Processing. The President of the Republic signed the definitive version on January 1, 1977.

However, in the intervening period a number of lander (German states) had passed laws on the protection of personal data as far as public bodies were concerned.

The Federal Act covers processing of personal data at Federal Level, at Land level to the extent that no Land regulation exists, and also data in the private sector.

So, it took about 8 years to transform the recognized need of protection personal data into law. But you will see tomorrow that in one European country it took 15 years! Why do you think such legislation was so problematic to be passed?

Source: A.C.M. Nugter, Transborder Flow of Personal Data within the EC, Springer, Olanda, 1990. You can find the book here:

Transborder Flow of Personal Data Within the EC (Computer/law series)

Leave a comment

Posted in DP History

Tagged A.C.M. Nugter, Bundesdatenschutzgesetz, data protection laws, German data protection law, German Federal Law, German Parliament, Hesse, personal data, privacy, Transborder Data Flow of Personal Data

The multibillion industry of selling our personal information

Posted on June 18, 2012 | 1 comment

Articles concerning the buying and selling of personal data come to my attention almost on a daily basis lately. For me this is a good thing as one of the hypothesis of my thesis is now the patrimonial value of personal data and its legal consequences – such as recognizing certain proprietary rights in personal data. However, for privacy and for the a bureaucratic-free society this is a completely bad thing.

I decided to create a new category in this blog which will collect all the information I gather from the media regarding the commercialization of aggregated personal information.

Today I read an article in The New York Times about Acxiom. I’ve never heard of that company before. Apparently, it is one of the biggest “data brokers” in the world. “Its servers process more than 50 trillion data “transactions” a year. Company executives have said its database contains information about 500 million active consumers worldwide, with about 1,500 data points per person. That includes a majority of adults in the United States.”

What is also interesting is that “For Acxiom, based in Little Rock, the setup is lucrative. It posted profit of $77.26 million in its latest fiscal year, on sales of $1.13 billion”. Hence, in one instance of the trade world, aggregated personal information values 1.13 billion dollar a year. So, is it just to talk about personal information as valuable goods? I believe it is, as it would be a non-sense declaring personal information values nothing, when one company in this world sells personal information for 1.3 billion dollar a year. However, the personal information sold is not merely personal information, but aggregated personal information. The legal regime of such transactions should, therefore, take into account also this reality.

What is even more interesting is the following statement from the same article: “Such large-scale data mining and analytics — based on information available in public records, consumer surveys and the like — are perfectly legal”. This affirmation involves two possible conclusions. First, if indeed they are legal, then the law has to be changed. Second, if they are not legal, then the existing law should be interpreted as such and applied against such companies. As far as I know, there is a right to privacy protected under American constitutional and tort law, even if it is not still very well developed in the sense of also covering information already made available to the public in certain circumstances or for certain purposes. But in a flexible common law system, this should not be a barrier of applying the right o privacy in such a manner.

Instead, the EU regulates more in depth the issue of processing even data previously made available to the public. So at least this is what I thought. I found out that Acxiom has several branches in EU, for instance in Germany, UK and Poland, just to name three. As far as I knew, EU data protection law forbids personal data processing without the consent of data subjects, unless the processing is provided by law or the processor, lato sensu, has a legitimate interest of processing it. I highly doubt that producing private profit for a big data company is a legitimate interest in the meaning of the 95/46 Directive. Hence, my assumption is that at least the European branches of this company have the consent of every single person whose data they sell for a particular transaction in a particular purpose. Because if they don’t have the data subjects’ consent and they are still legally functioning on the territory of the EU, than even the specialized European law of data protection is not good enough to prevent the invasion of privacy in this scenario.

1 Comment

Posted in News

Tagged 95/46 Directive, Acxiom, aggregated personal information, data protection, personal data, property rights in personal data

Tag Archives: personal data

CJEU case to follow: purpose limitation, processing sensitive data, non-material damage

CJEU: CCTV camera in family home falls under the Data protection directive, but it is in principle lawful

Spain: ORGANIC LAW 15/1999 of 13 December on the Protection of Personal Data

DP history: Which was the first country to adopt a Data protection law?

The multibillion industry of selling our personal information

Recent Posts

Archives

Tags roulette

Categories

RSS

Meta

Follow us via Email

Support pdpecho

EPIC.ORG news

EDRi

European Data Protection Supervisor

CNIL

ICO

Privacy Commissioner Canada

Tag Archives: personal data

Facts of the Case

Questions referred

Pseudonymised data is personal data

“Any information” means literally any information, be it objective or subjective

“Related to” must be judged in relation to “content, purpose or effect/consequences”

Comments of reviewers are two times personal data

Information can be Personal data regardless of whether one is able to rectify it or not

Data protection is a web of safeguards, accountability and individual rights

Exam scripts should only be kept in an identifiable form as long as they can be challenged

The Court distances itself from the findings in C-141/12 YS, but still wants to keep that jurisprudence alive

Obiter dictum 1: the curious insertion of “exam questions” in the equation

Obiter dictum 2: reminding Member States they can restrict the right of access

Share this:

Analysis relevant both for Directive 95/46 and for the GDPR

The nature of an exam paper is “strictly personal and individual”

What about exam papers identified by codes?

Characteristics of handwriting, personal data themselves

Classifying information as ‘personal data’ is a stand alone exercise (does not depend on whether rights can be exercised)

The purpose of processing and… the passage of time, both relevant for obtaining access, rectification

Is Mr Nowak abusing his right of access under data protection law?

Examiner’s correction on the exam script are the examinee’s personal data and his/her own personal data at the same time

An exam script forms part of a filing system

Conclusion. What will the Court say?

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Share this:

Recent Posts

Archives

Tags roulette

Categories

RSS

Meta

Follow us via Email

Support pdpecho