Publicacion Informativa de la Agencia Española de Proteccion de Datos

Publicacion Informativa de la Agencia Española de Proteccion de Datos en Ingles, adjuntamos la direccion, pues creemos es de importancia.


https://www.agpd.es/portalweb/canaldocumentacion/publicaciones/common/pdfs/AEPD_en.pdf

THE SPANISH DATA PROTECTION AGENCY (AEPD in the
Spanish acronym) is the public law authority overseeing compliance
with the legal provisions on the protection of personal
data, enjoying as such an absolute independence from the
Public Administration.

CITIZENS AS A PRIORITY

The AEPD is of the understanding that its functions must always
be conducted with a priority objective, that of guaranteeing the
protection of individual rights.

Accordingly, it undertakes actions specifically aimed at enhancing
citizens' capacity to effectively contribute to that protection.

In particular, the following could be pointed out:

Dissemination of its activities and of the right to
the protection of personal data

Information is a key element in fostering awareness among citizens
of their right to the protection of personal data. Bearing
this in mind and with the purpose of satisfying the increasing
demand for information and extending its public dissemination
actions, the AEPD has intensified its relations with the media,
increasing its personnel and material means dedicated to dissemination.
As a result of this strengthening, there has been an increase in
the demand for information by different media and in the
impact of such information. In this respect, in 2007, approximately
450 requests for interviews and information and about 850
impacts were counted in written and digital media.

Direct assistance in response to citizens' queries

The number of queries submitted to the AEPD's Citizen
Assistance Service clearly continues on an uptrend, with a 30%
increase in 2007 (in total, there were 47,741 queries).
From a qualitative standpoint, focusing on citizens' major doubts
and concerns, the issues that are most frequently queried have
to do with:
The scope of application of the system of guarantees of the
LOPD (Organic Act on Data Protection);
Functions of the AEPD;
Queries on the exercise of rights, especially the rights of
access and cancellation;
The obligation that entities collecting data have of informing
citizens of their rights and where they may exercise them.
There was also an important increase in the number of hits on
the AEPD website www.agpd.es, totalling 2,230,120 ( 47%).

Procedures to protect rights of individuals: of
access, to rectify, to cancel and to object

Citizens not only want to know what their rights are, they also
want the effective exercise of those rights to be guaranteed,
either directly by the data controllers or by requesting the intervention
of the AEPD. There was a substantial increase in the
number of requests for the protection of rights, with a 54%
increase in the number of requests for protection that were met
(879 altogether), where the rights to cancel (62%) and of access
(32%) were sought most often.

GUARANTEEING EFFECTIVE COMPLIANCE WITH THE
ORGANIC ACT ON DATA PROTECTION (LOPD)

This Organic Act is the basis of the Spanish system for guaranteeing
the right to protect personal data. The adequate compliance
by all of the agents involved is an essential instrument for
better protecting the rights of citizens. The following aspects
could be enphasized:

Registry of filing systems

The evolution of the data on the filing systems registered at the
Data Protection General Registry (RGPD) is considered a significant
reference point regarding compliance with the LOPD. The evolution of the registrations has continued upwards, reaching
in 2007 a number of more than one million filing systems registered
(1,017,266 entries in total), with the largest increases in
privately-owned filing systems, particularly those of small and
medium-sized companies and independent professionals, which
were the sectors where traditionally substantial flaws have appeared
in terms of compliance with the LOPD.

Inspection & sanction procedures

The greater degree of compliance with and awareness of the
regulations on data protection that arises from the above figures
does not mean that there has been a reduction of the AEPD'S
activities in terms of sanctions handed down for breaches of
the LOPD.
This has surely been enhanced by the greater awareness among
citizens of the guarantees to which they are entitled, as mentioned
above. This circumstance has led to an increase in the claims
for alleged breaches of the LOPD.
Thus, in 2007, the procedures iniciated as a result of complaints
lodged by citizens or due to an initiative of the Director of the
AEPD rose by around 7% to a total of 1,263.
The largest number of inspections had to do with telecommunication
companies and financial institutions, followed by videosurveillance,
with an increase of over 400% compared to the
previous year.
In terms of exercising the power to impose sanctions, in 2007,
the Spanish Data Protection Agency resolved 399 sanction procedures,
which represents an increase by 32.5% over the previous
year. In terms of financial penalties, the aggregate volume
of the fines imposed by the AEPD was € 19.6 million.
The figures provided above attest to the consolidation of the
increase in the AEPD'S inspection and penalisation activities
compared to previous years. The year 2007, however, stands
out for a distinct characteristic related to the exercise of its
authority to impose penalties: there has been an increase in
the number of decisions to put an end to the proceedings and
in the number of complaints that have been rejected, but also
the overall number of the sanctions that have been imposed
declined by nearly 20% compared to the previous year.
An initial appraisal of these data leads to a very important conclusion:
there is a greater awareness of the LOPD and the subjects
that are obliged by it are more diligent in terms of compliance.
However, it will be necessary to compare the figures for
the coming years to see the true scope of this trend.


ENHANCING THE LEGAL FRAMEWORK FOR DATA
PROTECTION

The AEPD encourages the adoption of rules that are meant to fill
in or complete the legal framework for data protection, and it
also contributes to ensuring that the right to data protection is
treated correctly in the legal provisions adopted with purposes
that have no specific relation to data protection:

Approval in 2007 of the Regulation implementing
the Organic Act on Data Protection
The need to approve the Regulation for the implementation of
the LOPD as an instrument aimed at obtaining greater levels of
legal certainty in the application of the Act led to the publication
of Royal Decree 1720/2007, of 21 December, approving the
Regulation for the Implementation of the Organic Act on the
Protection of Personal Data.
The approval of the Regulation is the end of a long process featuring
a great deal of transparency and participation, with a
large range of companies contributing with their remarks.
The Regulation is meant to satisfy the following purposes:
To increase the legal certainty;
To reflect in the legal provisions the consolidated criteria in
the implementation of the LOPD both via Decisions of the
AEPD and especially in view of case law;
To respond to the concerns of the European Commission
regarding the transposition of Directive 95/46/EC;
To incorporate legislative policy criteria and complete the regulatory
implementation of the novelties introduced in the LOPD.

Issue of reports

Together with the approval of the Regulation, the AEPD has continued
working on the goal of achieving greater legal security,
both via mandatory advisory opinions on provisions of a general
nature being foreseen and answering the queries that citizens
and companies may have submitted to its Legal Department.
The number of advisory reports issued in 2007 in response to the
queries made by Public Administration bodies and private entities
totalled 555. In addition, the Legal Department issued 77
mandatory advisory opinions concerning general provisions
being foreseen .
It should be stressed that, in recent years, there has been an
increasing complexity in the issues that have been submitted to
the AEPD's consideration, with a decline in the number of very
simple queries, due to the important dissemination task that has
been carried out.


INTERNATIONAL CO-OPERATION


Many of the important topics affecting data protection are of an
international scope, to the same extent that there has been a
globalisation in the movement of individuals, goods, services
and capital. In addition, there is the fact that certain concerns,
for instance those relating to security or the fight against terrorism,
reach well beyond national boundaries.
This important international dimension is present in all of the
activities of the AEPD, which has been and continues to be present
and well involved in a number of international forums.


CO-OPERATION WITH THE DATA PROTECTION
AGENCIES OF THE AUTONOMOUS COMMUNITIES


When performing its functions, the Spanish Data Protection
Agency relies on clear and effective mechanisms for co-ordinating
and collaborating with the Data Protection Agencies of the
Autonomous Communities of Catalonia, the Basque Country
and Madrid, in order to ensure the equality of all citizens in
terms of their right to protect their personal data.


THE AEPD & EMERGING RISKS


The protection of personal data has to adapt to the continuous
evolution of economic and social relations, as well as to rapid
technological changes. It is necessary that those changes be
anticipated and that answers be provided to allow citizens to
safeguard their right to privacy with respect to situations such
as:

The undue use of personal data on the Internet.

The main novelties that have been raised in relation to the protection
of personal data have arisen in the area of the services
provided via the Internet.
The development of these services has extended citizens' possibilities
in terms of exchanging and obtaining information, as
well as facilitating access to it whilst jeopardising the traditional
criteria for guaranteeing privacy and hence making an urgent
updating necessary.
On the one hand, it is apparent that the service offer of Internet
search engines entails a massive and selective processing of
users' data, the implications of which are often not known by
those users.
On the other hand, the AEPD has answered new complaints
relating to the possibility of citizens reacting against information
provided by a third party on an Internet forum or message board
without their consent or against other services such as YouTube.
It should also be specifically noted that there have been instances
of files containing personal data being found in P2P networks,
particularly in e-Mule, giving rise to penalties being imposed
due to infringements of the LOPD.
The AEPD, acknowledging the new possibilities with which citizens
are provided as a result of the development of Internet services,
has faced the challenge of adapting the guarantees set
out in the data protection provisions to these new situations,
especially in terms of the possibility of reacting against the global
dissemination of personal information.

Generalisation of video-surveillance systems

The substantial increase of video-surveillance in recent years is
largely due to citizens' initiatives in the quest towards a surveillance
society. The filing systems registered with the RGPD, which
declare that safety reasons are behind their video-surveillance,
are proof of this trend.
The registered filing systems have gone from 67 in 2003 and
700 in 2006 to 5,026 en 2007 ( 618% over the previous year).
The initial data for 2008 ratify the intensity of this trend.
At the same time, there has been an important reaction
against this practice as shown by the increase in the number
of complaints relating to video-surveillance. The inspections
involving video-surveillance have grown by 412.5% and as a
result, this matter accounts for the third largest number of
inspections.

Rising control of labour activities

The development of new technologies used in the workplace,
such as video-surveillance, the use of biometric data, electronic
mail and access to the Internet, among others, as well as the
implementation of internal whistleblowing systems, has intensified
the debate on the limits and guarantees that should accompany
the exercise of powers of control.

Intensification of international data flows

The Agency has recorded an important increase in the number
of international data transfers via notifications of filing systems
to the RGPD (8,838 transfers were declared).
It is necessary to apply a measure of caution when dealing with
international data flows that allow transfers from countries with
adequate levels of protection to other countries lacking such
levels. Hence, the monitoring of international data transfers
represents a priority for the AEPD, especially when business delocalisation
is involved.
In light of the challenges that have been described above and
building on the practical experience it has accumulated, the
AEPD has set forth a number of recommendations for policy
makers with the purpose of encouraging initiatives and actions
that will foster an effective guarantee of the fundamental right
to data protection in certain areas deserving a singular or specific
attention, specified in the following actions:
Developing procedures allowing copyright protection in a
manner compatible with the fundamental right to data protection;
Regulating the anonymized publication of judgements passed
by Courts of Law;
Regulating internal whistleblowing systems available to workers
within companies, outlining the activities in which it
may be necessary to establish these systems and guaranteeing
the confidentiality of those reporting and the rights of
those being reported on;
Development of specific public policy plans for the protection
of minors on the Internet;
Increased caution in order to prevent the undesirable
exchange of sensitive personal data on the Internet via P2P
networks;
Fostering of self-regulation among the media to guarantee
privacy and the protection of personal data, by encouraging
more respect for the usage in relation to the data protection
provisions;
Citizen guideline actions regarding the use of guarantees of
confidentiality for the recipients of emails;
Plan for the Fostering of Good Practices in terms of guaranteeing
privacy in Official Gazettes and Journals, by adopting
measures that, without affecting their purpose, will limit the
gathering of personal information by Internet search engines;
Local Strategy aimed at conforming the installation of traffic
control cameras to the provisions on the protection of personal
data.