Research work: analyze the new European data protection regulations to ensure compliance with the information collected.
INTRODUCTION
The SECURHOME project aims to develop and validate a device that can detect, through artificial intelligence (AI) techniques, if a person is at risk or not through their daily activity at home. To do this, you should analyze your daily behavior through the study of its movement, sound, temperature, use of certain appliances, etc. The device using these artificial intelligence techniques will learn the user's behavior and possible variations that may occur. In this way it will adapt to your lifestyle and it will be possible to prevent any eventuality. If the device detects any contingency, it will send alerts to previously configured family members and to the nearest health care center. In this way an agile and strategic method of attention for the user will be achieved, thus avoiding having to resort to some type of direct communication for their alert. To achieve these ends, it is essential to collect and process a large amount of personal data and determine patterns of behavior in that person's home. Therefore, the project poses very important challenges in the field of Law, especially for privacy.
From a legal point of view, we are dealing with a processing of personal data and this means that the regulations that regulate this very specific matter must be applied. Since May 25, 2018, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data has already been applied. the free circulation of these data and repealing Directive 95/46 / EC (hereinafter RGPD). This European Regulation involves very important changes in relation to the processing of personal data and also new responsibilities and obligations for those who collect and use this personal data: those responsible and those in charge of processing. In addition, as of December 7, 2018, Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, is in force in Spain, which adapts and completes the Spanish legal system. RGPD. On the other hand, it is also necessary to focus on all these issues taking into account that several fundamental rights are involved, particularly the right to protection of personal data included in Article 18.4 of the Spanish Constitution, in Article 8 of the Charter of Fundamental Rights of the European Union and Article 8 of the European Convention for the Protection of Human Rights of 1950.
To develop the SECURHOME Device it is necessary to collect personal data, that is, information about an identified or identifiable natural person that will serve to study the behavior of users of the device and in this way detect alterations in these behaviors to prevent and react to any eventuality . This collection and analysis of personal information constitutes a processing of personal data as defined in Article 4 of the RGPD and our research work will focus on identifying the legal requirements applicable to such data processing. This work, among other issues, will require determining the nature and category of the personal data collected, the purpose or purposes compatible with the use of such data, the conditions for the consent of the holders of personal data and the applicable security measures. This last aspect, that of security, is of vital importance in the field of the Internet of Things, in which the evaluation of the risks inherent in the processing of personal data is presented as an essential prerequisite.
When we talk about the Internet of Things (IoT) we refer to those infrastructures that, through sensors incorporated in certain everyday devices collect, store, submit to treatment and transfer personal data. These systems are associated with unique identifiers which allow them to interact with other sensors and devices through their networking capabilities. We are in the field of so-called "ubiquitous" computing, which, as the Working Group on Data Protection of the European Union has pointed out (Opinion 8/2014 on the recent evolution of the Internet of objects) is based "on the principle of the extensive treatment of the data through these sensors designed to communicate data inadvertently and exchange them in a fluid way ". The device that is intended to be developed through the SECURHOME project would be oriented, not exclusively, but fundamentally to what is called "Quantified Self", that is, devices designed to record and analyze information about habits and lifestyles. The IoT poses several important challenges in relation to personal data, which is why it is very important to apply the legal framework for the protection of EU data, especially after the entry into force of the RGPD and the new Spanish law. Through our research we intend to analyze the application of personal data legislation to an Internet of Things device in real life, to try to determine what will be the greatest challenges in its application and, at the same time, provide an example Real how RGPD can improve the protection of privacy through IoT devices.
II. THE FUNDAMENTAL RIGHT TO THE PROTECTION OF PERSONAL DATA
The collection and analysis of personal data, as well as the possible uses of the same or the result of the treatment to which they are subjected has a direct impact, not only on the effective enjoyment of fundamental rights, but also on the dignity and autonomy of people. The idea of dignity, which lies at the foundation of human rights, is a complex concept that has evolved over time. The idea of human dignity has been completed from the negative notion of the right not to suffer vexations, with positive elements such as the notions of human self-availability and self-determination, which are concretized in the positive affirmation of the full development of the personality1. The development of information and communication technologies has brought new risks to the rights and freedoms of people, their autonomy and dignity. During the last decades it has become clear that one of the greatest threats to the dignity, freedom and rights of citizens came from the ability to accumulate personal information. The interrelation of personal information will allow the obtaining of the profile of anyone and will serve to adopt decisions that affect him without people being "taken into account or consulted"2. The treatment of personal data "makes possible a de facto surveillance of the daily life of the individual"3, by allowing the registration of a series of data that are separately unimportant, but properly related to obtain the profile of a person. In addition, the processing of information about people enables their social classification and the adoption of certain decisions that affect them. In this way we find that "our individual and social life run (...) the risk of being subject to what Frosini has rightly called" permanent universal judgment4.
The concern for the collection of personal data and the loss of their control appears at the same time that technological development allowed the automation of the processing of personal data. Due to its own conception, the technological development produced since the second half of the 20th century made the right to privacy insufficient to respond to specific threats and dangers for the dignity of persons, their freedom, the right not to be discriminated against or the exercise of other fundamental rights, enclosing the possibilities of automated processing of personal information and therefore, from the seventies, begins the construction of a new fundamental right. The fundamental right to the protection of personal data is contained in article 18.4 of the Constitution that establishes that the law will limit the use of information technology to guarantee the honor and personal and family privacy of citizens and the full exercise of their rights. It corresponded to the Constitutional Court its interpretation in order to outline the concept and the principles and rights that would form part of the essential and inalienable content of the right to the protection of personal data.
For our Constitutional Court, Article 18.4 of the Constitution establishes a fundamental right autonomous and different from the right to privacy, "a new constitutional guarantee, as a form of response to a new form of concrete threat to the dignity and rights of people (...) an institute that is, in itself, a fundamental right or freedom, the right to freedom from potential aggressions to the dignity and freedom of the person arising from an illegitimate use of mechanized data processing, what the Constitution calls "information technology"5. Subsequently, in judgment 292/2000, of November 30, established that, unlike the right to privacy, which has as a function to protect against any invasion that may occur in the area of personal and family life that the person wishes to exclude from the knowledge of others, "the fundamental right to data protection seeks to guarantee that person or n power of control over their personal data, about their use and destination, with the purpose of preventing their illicit and harmful traffic for the dignity and right of the affected person". The object of protection of the right to the protection of personal data will not be reduced exclusively to the protection of the intimate data of the person, "but to any type of personal data, whether intimate or not, whose knowledge or use by third parties may affect their rights, whether or not they are fundamental, because their purpose is not only individual privacy, but for this there is the protection that art. 18.1 EC grants, but the personal data ". The data covered are all those that identify or allow the identification of a person, that is, that can be related to a specific individual, either directly or indirectly; because any of these data can "serve for the preparation of their ideological, racial, sexual, economic or any other profile, or (...) for any other utility that in certain circumstances constitutes a threat to the individual".
The right to the protection of personal data is also guaranteed within the scope of the Council of Europe, by Article 8 of the Rome Convention of November 4, 1950, for the Protection of Human Rights and Fundamental Freedoms consecrated the right to respect for private and family life. This precept is completed with the regulation of the Convention 108 of the Council of Europe, of January 28, 1981, for the Protection of Persons with Respect to the Automated Treatment of Personal Data. In its interpretation and application the paper has been fundamental of the European Court of Human Rights (ECHR).
The jurisprudence of the Court of Justice of the European Union (CJEU), which has played an important role in the field of personal data protection since the entry into force of the Directive on the protection of personal data, must also be taken into account. staff, 95/46 / CE6 and, subsequently, with the Treaty of Lisbon that would incorporate, into Union law, the Charter of Fundamental Rights of the European Union. In this context, both the European Court of Human Rights and the Court of Justice of the European Union have been carrying out a fundamental task of interpreting and consolidating the fundamental right to the protection of personal data in their respective fields. The European Court of Human Rights has established, repeatedly, that Article 8 of the European Convention of Human Rights presents negative elements, of not doing, prohibiting unjustified interference by the Public Authorities in the right to data protection personal, but on the other, part, has considered that this right have a strong positive content that would materialize in the obligation of the States to adopt all reasonable and adequate measures to protect the rights of Article 8 of the Convention. This double obligation, negative and positive, guarantees the protection of people against arbitrary interference by States, but also provides protection against the actions of private entities or individuals. The Court of Justice of the European Union has carried out a fundamental task of interpreting EU law on the protection of personal data from the perspective of fundamental rights, not only defining the limits of the processing of personal data in the field of human rights. public administrations and private entities, but also establishing the necessary consideration of the different interests in conflict, often legitimate and opposed.
III. APPLICABLE SOURCE SYSTEM
The applicable source system that should be taken into account in the development of the SECURHOME device will be the following:
• Article 18.4 EC and Article 8 of the Charter of Fundamental Rights of the EU.
• REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016, concerning the protection of natural persons with regard to the processing of personal data and the free circulation of these data and by which repeals Directive 95/46 / EC (General Data Protection Regulation).
• L.O. 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights.
• Council of Europe Convention 108, of January 28, 1981, for the protection of individuals with respect to the automatic processing of their personal data and Article 8 of the European Convention for the Protection of Human Rights and Fundamental Freedoms of 1950.
IV. GENERAL CONSIDERATIONS ON THE RGPD
Being a Community Regulation:
a) It is obligatory in all its elements; It is endowed with a general scope and is directly applicable in the Member States of the EU.
b) In all cases in which it provides specific rules, the Regulation applies; In those cases in which it is allowed to specify some content, the Member States may develop them. The Spanish legislator, taking into account these authorizations to the Member States in the regulation of certain matters "when they must be specified, interpreted or, exceptionally, restricted (...) insofar as necessary for reasons of coherence and understanding "(preamble of LO 3/2018) has approved the aforementioned LO 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights.
c) In case of contradiction between the European Regulation and the Spanish regulations PREVALECE the Regulation.
The Regulation has entered into force on May 25, 2016 and is applicable in Spain from May 25, 2018.
The purpose of the General Data Protection Regulation is to protect the fundamental rights and freedoms of natural persons and, in particular, their right to the protection of personal data set out in Article 8 of the Charter of Fundamental Rights of the European Union and ensure the free circulation of such data within the EU. This is reflected in the first article and in the Preamble7 of the RGPD. It states that "the processing of personal data must be designed to serve humanity." The approval of the Regulation is placed in a context in which "rapid technological evolution and globalization have posed new challenges for the protection of human rights. personal data ", both because of the magnitude of the collection and exchange of personal data, which has increased significantly, but also because both private companies and public authorities use personal data on an unprecedented scale when making their activities.
V. SCOPE OF APPLICATION
Articles 2 and 3 of the RGPD establish its scope of application, that is, the set of personal data treatments to which its rules will apply.
A) Territorial scope:
From the point of view of its territorial competence, the Regulation applies:
a) The processing of personal data in the activities of an establishment of the person responsible or of the person in charge in the Union, regardless of whether the treatment takes place in the Union or not.
b) To the processing of personal data of interested parties residing in the Union by a person in charge or manager not established in the Union, when the treatment activities are related to:
- the supply of goods or services to those interested in the Union, regardless of whether they are required to pay them, or
- control of their behavior, insofar as it takes place in the Union.
B) Scope of material application:
The RGPD is applied to the total or partially automated processing of personal data, as well as to the non-automated processing of personal data contained or intended to be included in a file. Personal data is any information about an identified or identifiable natural person ("the interested party"), that is, any information about any person whose identity can be determined, directly or indirectly, "in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, psychological, economic, cultural or social identity of said person "(Article 4 RGPD). The consideration of personal data, will have any information that allows us to relate it to a specific physical person. The RGPD applies to both computerized data files and personal data contained in manual files. The personal data protection rules will be extended to the personal data contained in public or private files, automated or not8.
VI. THE LEGAL DEFINITIONS COLLECTED IN THE RGPD
Traditionally, the rules on personal data protection have included among their precepts the fundamental definitions to be able to understand the scope of their rules, as well as to be able to apply them correctly. Let's see the most relevant to understand the functioning of the mechanisms of protection of personal data.
a) Personal data: all information about an identified or identifiable natural person ("the interested party"); Any person whose identity can be determined, directly or indirectly, will be considered an identifiable physical person. The consideration of personal data, will have any information that allows us to relate it to a specific individual, regardless of the greater or lesser complexity of the operation that leads to it, except in cases in which such identification requires deadlines or excessive activities. In addition, it will not be necessary that the data allow to find out the name of the affected person, but it will be enough for the registered data to reveal their DNA, their social origin, economic level, etc., in a way that allows us to determine who they are. This concept of extended identification is of great importance when it comes to protecting the privacy of people by preventing, to a large extent, their indirect identification.
b) Processing: any operation or set of operations performed on personal data or personal data sets, either by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, diffusion or any other form of authorization of access, collation or interconnection, limitation, suppression or destruction (Article 4.3 RGPD).
c) File: any structured set of personal data, accessible according to certain criteria, whether centralized, decentralized or distributed functionally or geographically (Article 4.6).
d) Responsible for the treatment: the natural or legal person, public authority, service or other body that, alone or together with others, determines the purposes and means of treatment (Article 4.7).
e) Responsible for processing: the natural or legal person, public authority, service or other body that processes personal data on behalf of the data controller (Article 4.8).
f) Profiling: any form of automated processing of personal data consisting of using personal data to assess certain personal aspects of a natural person, in particular to analyze or predict aspects related to professional performance, economic situation, health, personal preferences, interests , reliability, behavior, location or movements of said natural person (article 4.4).
VII. PRINCIPLES RELATED TO TREATMENT
The legislation on protection of personal data, both Spanish and European regulations, tries to conjure up the risks that for the rights of individuals imply the treatment of their personal data and at the same time guarantee the interests, public or private that would legitimize the treatment. This objective is achieved, first, through the establishment of a series of guarantees in the form of limits, requirements and ways in which personal information can and should be obtained, recorded and treated and in the form of subjective rights that provide effective content to the previous precautions and with what will be achieved an effective system of protection of the fundamental rights of citizens. The European Regulation (EU) 2016/679 integrates both types of guarantees under the denomination of principles relating to treatment and the rights of individuals in its Chapters II and III, respectively. These sets of guarantees are completed with the obligations foreseen for the person in charge and the person in charge of the treatment of Chapter IV.
Article 5 of the RGPD regulates the basic principles that must be respected in the collection, treatment, use and storage of personal data; principles that reproduces, to a great extent, the LO 3/20189: They are the following:
a) Principle of legality, loyalty and transparency: the data will be treated in a lawful, loyal and transparent manner in relation to the interested party. Personal data must be collected without deceit or falsehood on the part of the requestor, prohibiting the use of fraudulent, unfair or illegal means. From this principle derives "the need for the personal data collected in any file to be obtained by lawful means, and in this way its use by the affected parties is known, and those responsible for obtaining it are responsible for complying with this obligation"10. For its part, the principle of transparency is especially important in the RGPD. In the Regulation the references to the principle are constant, at least in its expository part. Many are considering that they include the obligation to provide the interested party in a simple way, easily accessible and in a clear language, all the information relevant to him in the process of processing his data. The principle of transparency is closely linked to the right to receive complete, clear and simple information related to all relevant aspects of a personal data treatment and the possible consequences that could derive from that treatment. In this sense, we can highlight the obligation to inform the interested party about the elaboration of profiles or about the adoption of automated decisions (article 22 RGPD).
b) Principle of limitation of the purpose. Article 5 of the RGPD establishes that personal data "will be collected for specific, explicit and legitimate purposes, and will not be subsequently processed in a manner incompatible with said purposes. The further processing of personal data for purposes of archiving in the public interest, scientific and historical research purposes or statistical purposes will not be considered incompatible with the initial purposes. "According to this, the data can only be collected and treated in accordance with a legitimate and determined purpose and, therefore, data may not be collected for purposes contrary to law or public order, and must be respectful of constitutional values and fundamental rights. . Nor will personal data be collected for the fulfillment of imprecise or inconclusive objectives and, ultimately, personal data may not be used in a manner incompatible with the purposes for which they were collected. The fulfillment of this requirement also prevents that, once the personal data have been used for the legal purpose for which they were collected, they can be reused for the fulfillment of objectives different from those that motivated their request and registration. In this sense we have to put this principle in relation to the right to suppress Article 17 of the RGPD which states that the interested party will have the right and the person responsible for the treatment, the correlative duty to suppress without undue delay personal data when "they are no longer necessary". in relation to the purposes for which they were collected or otherwise treated. "Finally, the principle of limitation of purpose prohibits that they be subsequently processed in a way incompatible with those purposes. However, there is an exception and that is when they are treated in accordance with the requirements of art. 89.1 of the RGPD for purposes of archiving in the public interest, scientific and historical research purposes or statistical purposes shall not be considered incompatible with the initial purposes.
c) Principle of minimization of data: the data will be adequate, pertinent and limited to what is necessary in relation to the purposes for which they are treated. That is, the data must "serve" for the purpose for which they are obtained so that there is a clear connection between the information that is collected and the objective for which it is requested. Therefore, they will not be able to request or register more personal data than strictly necessary to carry out the mission in question or fulfill the purpose legitimately entrusted to the public body or private company requesting.
d) Principle of accuracy: the data will be accurate and, if necessary, updated; All reasonable measures shall be taken so that personal data that are inaccurate with respect to the purposes for which they are treated are deleted or rectified without delay11. This principle is developed in the Organic Law 3/2018, on the Protection of Personal Data and the guarantee of digital rights12.
e) Principle of limitation of the conservation period: the personal data will be maintained in a way that allows the identification of the interested parties during the time necessary for the purposes of the treatment. They may be kept for longer periods provided they are exclusively for the purpose of archiving in the public interest, scientific or historical research purposes or for statistical purposes, without prejudice to the application of the appropriate technical and organizational measures imposed by this Regulation in order to protect the rights and freedoms of the interested party. This principle is directly related to the principle of limitation of purpose and the right to the deletion or "deletion" of data when they are no longer necessary for the legitimate purpose that justified their collection and treatment. Finally, article 13.2 RGPD establishes that the person responsible for the treatment must inform about the expected period during which the personal data will be stored or, "when it is not possible, the criteria used to determine this term".
f) Principle of integrity and confidentiality (security): personal data will be treated in such a way as to ensure adequate security of personal data, including protection against unauthorized or illegal treatment and against loss, destruction or accidental damage, through the application of appropriate technical or organizational measures.
The importance of the principle of security, in order to guarantee the rights of those affected, is increasingly important. At the same time there has been a spectacular development of the processing capabilities of computers, in microelectronics and software, the development of Internet and cloud computing, which has allowed the proliferation of powerful computer systems and easy to use, "the risks that threaten the data stored and processed by them and, consequently, the citizens to whom this data concerns," have increased"13 because the means are greater to" go through "the security barriers of a file. Therefore, security measures must be improved and adapted to these advances. Security is one of the aspects that are part of the content of the fundamental right and "becomes an essential element in the protection of people through the protection of their data and the treatments of which they are a part"14. Without security, there is no possible control over the information that concerns us.
The concept of security must cover both the confidentiality of information and the availability and integrity of information15. This principle must be necessarily related to the following principle, proactive responsibility and to the security obligations established in Article 32 of the RGPD. The latter establishes that "taking into account the state of the art, the costs of application, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of the people. physical, the person in charge and the person in charge of the treatment will apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which in its case includes, among others:
• pseudonymization and encryption of personal data;
• the ability to guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services;
• the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
• a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment. "
Finally, this principle will require a general duty of confidentiality regarding personal information on the part of the person in charge and the person in charge of the treatment and of all those persons who intervene in any phase of the treatment. This duty must subsist even after the relationship with the controller has ended; terms in which article 5 of the Organic Law 3/2018 is also pronounced.
g) Principle of proactive responsibility: the controller will be responsible for compliance with these principles and able to demonstrate it. This principle is developed in Article 24 of the RGPD by establishing the general obligation of the controller to apicate the appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with the Regulation, taking into account the nature, the scope, context and purposes of the treatment as well as the risks of varying probability and severity for the rights and freedoms of natural persons. GT29 in understands that this principle had two main elements:
"(I) the need for the controller to take appropriate and effective measures to apply data protection principles;
ii) the need to demonstrate, if required, that adequate and effective measures have been taken; thus, the person responsible for data processing must provide evidence of (i)."16
The Spanish Agency for Data Protection points out that, in practical terms, this principle requires that organizations analyze what kind of data they are dealing with, with what purposes they do it and what type of treatment operations they carry out. After this analysis they must "explicitly determine how they will implement the measures that the RGPD envisages, making sure that these measures are adequate to comply with them and that they can demonstrate them to the interested parties and to the supervisory authorities"17 .
VIII. BASIS FOR THE TREATMENT LICITUDE
Before entering into the regulation of the RGPD, foreseen in article 6 and following, we must remember that, within the scope of the European Union, the fundamental right to the protection of personal data is expressly included in the eighth article of the Bill of Rights Fundamentals of the European Union of December 7, 2000. Under the heading "protection of personal data", it states that:
"one. Everyone has the right to the protection of personal data that concerns them.
2. These data will be treated fairly, for specific purposes and on the basis of the consent of the affected person or by virtue of another legitimate basis provided by law. Everyone has the right to access the collected data that concerns them and their rectification.
3. Respect for these rules will be subject to the control of an independent authority.
Therefore, the starting point to understand and interpret the bases for a treatment of personal data is lawful established in the Charter itself: the consent of the interested party or other legitimate basis provided by the Law.
Article 6 of the RGPD establishes the bases for licit treatment. In our case the first of the assumptions must apply, that is, the processing of the data necessary for the development of the SECURHOME device must be based on the consent of the interested party, for one or several specific purposes. Therefore, we must stop at the requirements and in the form in which the consent of the interested party must be provided. The Regulation defines it as "any expression of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or clear affirmative action, the processing of personal data that concern him". This means that no Tacit or omitted forms of consent or based on inaction are allowed.
The GT29 points out that consent can only be an adequate legal basis for the treatment of personal data "if the interested party is offered control and a real capacity of choice with respect to whether he wishes to accept or reject the offered conditions or reject them without suffering any damage . When requesting consent, the controller is obliged to assess whether said consent will fulfill all the requirements for obtaining a valid consent. If it is obtained in full compliance with the RGPD, the consent is a tool that gives the interested parties control over whether the personal data that concerns them will be treated or not. If this is not the case, the control of the interested party will be merely illusory and the consent will not be a valid legal basis for the treatment, which will turn this treatment activity into an illicit activity"19.
The consent is the manifestation of the will of the interested party and must comply with the following elements or conditions:
1º. It must be free. That consent is free "implies a true choice and control for those interested"20. For the GT29 the consent will be free when there is control and a real choice on the part of the interested parties, "if the subject is not really free to choose because he feels obliged to give his consent or he will suffer negative consequences if he does not give it, then the consent can not be considered valid. " Nor will it be valid if it were "included as a non-negotiable part of the general conditions, it is assumed that it has not been freely given", or if "the interested party can not deny or withdraw his consent without prejudice"21. In these terms, section 3 of article 6 of the Organic Law 3/2018 specifically states that "the execution of the contract may not be subject to the consent of the data subject for the treatment of personal data for purposes unrelated to maintenance, development or control of the contractual relationship. "
2nd. The consent must be informed. As already explained, the main purpose of the RGPD is to guarantee the right to the protection of personal data. The requirement of consent, as our Constitutional Court has indicated, forms part of the group of faculties that make up that right and forms part of its essential content; therefore, "the rights of the affected party to consent to the collection and use of their data and to know the data thereof are characteristic elements of the constitutional definition of the fundamental right to the protection of personal data"22. That is, it is up to the owner of the data to determine which of their data can be registered and treated, by whom and for what and for this it is essential that previously the information requirement has been complied with in the terms established by the Regulation itself. . It is important to insist on the idea that it is an indispensable condition for the interested party to be able to give consent, the prior fulfillment of the content of the right to information in the data collection23. Well, to be able to authorize the processing of your data, you must know the consequences that will derive from it, as well as the characteristics and nature of the treatment or its purpose, since through consent people have the possibility to determine the level of protection of the personal information that concerns them, which makes it necessary that they be provided in a conscious and informed manner, knowing what the scope of their actions will really be. In addition, consent is given under specific conditions and for certain purposes, conditions and purposes that the interested party must know previously.
3º. The consent will be specific. The consent will be given for one or several specific, specific and determined purposes. This requirement must be connected necessarily with the principle of limitation of the treatment of article 5.1 of the RGPD and, thus, for the consent to be valid, the specific, explicit and legitimate purpose for the intended treatment must be previously determined. On the other hand, if consent is sought for several purposes, each of them must be specified and "the interested party must choose whether or not to provide it in relation to each of them"24; in similar terms it is included in the second section of article 6 of the Organic Law 3/2018.
4th The consent will be unequivocal. The RGPD establishes in article 4 that the consent is the manifestation of the "unequivocal will" by which the interested party accepts, either by means of a declaration or a clear affirmative action, the treatment of personal data that concern him. "Therefore, to give consent validly this will require a performance by the interested party. GT29 notes that "a" clear affirmative action "means that the interested party must have acted deliberately to consent to that particular treatment"25. It will be the responsibility of the controller to demonstrate that he has obtained the consent fulfilling the requirements of the RGPD. Article 7.1 establishes that "when the treatment is based on the consent of the interested party, the person in charge must be able to show that he consented to the processing of his personal data."
In certain cases, the RGPD requires that the consent, in addition to being unambiguous, must be explicit; for example, for the treatment of sensitive data as established in art. 9 or in the case of the adoption of automated decisions in accordance with the provisions of article 22.
The consent will be revocable at any time, although it will not produce retroactive effects.
IX. SENSITIVE DATA
Sensitive information refers to matters that are intimately linked to the core of the personality and human dignity. There are several groups or categories of data that, for various reasons, require maximum protection, given the directly compromised that would be the dignity and freedom of people for their illegitimate use. In the RGPD these special categories of data are contained in article 9 of the RGPD, which prohibits "the processing of personal data that reveal ethnic or racial origin, political opinions, religious or philosophical convictions, or union affiliation, and the processing of genetic data, biometric data aimed at univocally identifying a natural person, health-related data or data related to sexual life or sexual orientation of a natural person ". Its regulation presents some novelties with respect to the previous regulations. First, two new categories of sensitive data are included: genetic data and biometric data aimed at identifying a person unequivocally.
The RGPD does not establish an absolute prohibition on the processing of personal data and several exceptions are included in section 2 of article 9. Of all of them for the development of our project, the first of them is especially relevant:
1) When the interested party grants "his explicit consent for the processing of such personal data with one or more of the specified purposes, except when the law of the Union or of the Member States establishes that the prohibition mentioned in paragraph 1 can not be raised by the interested party ".
The Organic Law 3/2018 in its Article 9 states for the purposes of Article 9.2.a) of Regulation (EU) 2016/679, in order to avoid discriminatory situations, the sole consent of the affected party will not suffice to lift the prohibition of treatment of data whose main purpose is to identify their ideology, union affiliation, religion, sexual orientation, beliefs or racial or ethnic origin. However, this shall not prevent the processing of said data under the other circumstances contemplated in Article 9.2 of Regulation (EU) 2016/679, when appropriate.
X. INTERESTED RIGHTS
In accordance with the jurisprudence of the Constitutional Court, the essential content of the fundamental right to the protection of personal data is constituted "by a bundle of powers consisting of diverse powers that impose on others correlative duties26. This bundle of powers that are part of the essential content of the right to the protection of personal data are specified in the RGPD, in its articles 12 and following.
1. The principle of transparency and the right to be informed
Article 5 of the RGPD includes, within the principles of treatment, the principle of transparency stating that personal data will be "treated in a lawful, fair and transparent manner in relation to the interested party (" legality, loyalty and transparency "). The objective of this principle must be to guarantee the interested party in an effective way that "he / she is aware of the logic to which the treatment of his / her personal data obeys"27 so that he / she can truly have a real power of disposition over them. principle and in accordance with the provisions of Article 12 RGPD, the data controller will take the necessary measures to provide the interested party with all information indicated in articles 13 and 14, any communication in accordance with the rights set forth in chapter III of the RGPD, as well as in the event that a data breach occurs in accordance with the provisions of art. 34. Such information should be provided in a concise, transparent, intelligible and easily accessible manner, with clear and simple language, in particular any information specifically addressed to a child. In this last case, if the information is addressed to children, the language used must be adapted so that it is easily understood (Considering 58).
The information, in accordance with the provisions of Article 12 of the RGPD, will be provided in writing or by other means, including through electronic means, for example, through a website. It may also be provided orally when requested by the interested party and provided that the identity of the interested party is proven by other means. The information that must be provided to the interested parties pursuant to articles 13 and 14 may also be transmitted through standardized icons that provide an easily visible, intelligible and clearly readable view of the planned treatment as a whole (Article 12.7 ). The principle of transparency is closely linked to the right to receive complete, clear and simple information regarding all the relevant aspects of a personal data treatment and the possible consequences that could derive from that treatment. Articles 13 and 14 of the RGPD detail the content of the right to information, when personal data is obtained from the interested party or when obtained from third parties.
If the data is obtained directly from the interested party, the following information must be provided:
- the identity and contact details of the person in charge (or their representative); - contact details of the data protection officer, if any; - the purposes and legal basis of the treatment. If the treatment is based on a legitimate interest of the person in charge or of a third party, it must inform you of that point; - about the recipients of personal data; - if a transfer of personal data is to be made to a third country or international organization, of all matters related to it. - the period during which the personal data will be kept or, if it is not possible to know it, the criteria used to determine this period;
- that you have the right to access, rectify, delete your personal data in accordance with the provisions of the RGPD. Also, that they have the right to limit their treatment, or to oppose it and the portability of the data;
- who has the right to withdraw consent at any time, without this having retroactive effects;
- that you have the right to file a claim with a supervisory authority; - whether it is obligatory or not to provide the data and the consequences of the refusal to provide it when the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract; - the existence of automated decisions, including the preparation of profiles.
When the data is not obtained from the interested party, it must inform him / her of all the previous issues and in addition to the categories of data that are treated and the source from which the personal data originate and, where appropriate, if they come from public access sources (Article 14).
The time to provide information to the interested party varies depending on whether the data was obtained directly from him or not. The information must be made available to the interested parties at the moment in which the data are requested, prior to the collection or registration, if the data is obtained directly from the interested party. In the event that the data is not obtained from the interested party, the person in charge will inform you within a reasonable time that may not be longer than one month from the collection of personal data or at the time of the first communication. to the interested party, when the data was collected to send him some communication. If it is planned to communicate the data to a third party, at the latest at the time of the first communication.
2. The right of access
The right of access is a central element of the right to the protection of personal data. It is included, together with the right of rectification, in the content of Article 8 of the Charter of Fundamental Rights EU. When the interested party exercises his right of access, the person responsible for the treatment must confirm, first of all, whether or not they are treating their data28. If you are treating them, you must provide them with access to their data and information about their treatment that is practically the same as that established in articles 13 and 14 for the right to information, with the exception of the reference to the legal basis of the treatment and the legitimate interest29 . However, to the extent that the CJEU30 has been recognizing the right of access an instrumental function in relation to the other rights recognized in the RGPD, we should understand including those extremes since this right "has to materialize in a way that allows us to verify to the interested party that the treatment complies with the law and, where appropriate, exercise the rights from 16 to 22"31.
3. The right of rectification
As in the case of the previous right, the right of rectification is expressly mentioned in Article 8.2 of the Charter of Fundamental Rights of the European Union. It is included in Article 16 of the RGPD, which states that "the interested party shall have the right to obtain, without undue delay, the rectifier of the inaccurate personal data concerning him / her. Taking into account the purposes of the treatment, the interested party will have the right to complete personal data that are incomplete, including by means of an additional declaration. "This means that once the erroneous data has been identified, the data is corrected, updated or updated. complete so that it responds to the reality of its owner.
4. Right to suppression or right to be forgotten
The right to digital oblivion is a direct manifestation of the principles of proportionality (minimization of data) and purpose (limitation of purpose), which requires the cancellation of personal data that are no longer necessary for the realization of the determined purpose that motivated its collection and treatment. For the simple passage of time can make an initially legitimate data processing inadequate. This is what the CJEU has understood. In its judgment of May 13, 2014 (Google Spain case).
Article 17 RGPD establishes the right of the interested party to obtain, without undue delay, the delegate of personal data concerning him. The controller will be obliged to eliminate them without undue delay, in the following cases:
- When they are no longer necessary in relation to the purposes for which they were collected or otherwise treated or when they have been illicitly treated;
- When the interested party withdraws the consent and this is not based on another legal basis or when it opposes the treatment;
- If there is a legal obligation to suppress them;
- When personal data has been obtained in relation to the offer of services of the information society.
The obligation to suppress the personal data of the interested party when any of the above circumstances is completed with a second obligation whose compliance is very important in an online environment. In the second section of article 17 it is established that when the data controller has made the data public and is in compliance with the RGPD obliged to suppress the data, taking into account the available technology and the cost of its application, it will adopt reasonable measures, including technical measures, with a view to informing those responsible who are dealing with the personal data of the interested party's request to delete any link to such personal data, or any copy or replica of them. It is not possible to control the data itself if the right to delete them permanently in the network is not guaranteed and for that reason it is not enough with their disappearance from the web master (the main responsible), but it is necessary to establish this second obligation, directed to third parties of the interested party's request to "delete any link, copy or reproduction thereof, when certain circumstances occur, in order that they may not be accessible through the Internet"32.
The right to deletion is not an absolute right, paragraph 3 of article 17 establishes that the provisions of the previous sections will not apply when the treatment is necessary:
a) to exercise the right to freedom of expression and information;
b) for the fulfillment of a legal obligation that requires the treatment of data imposed by the Law of the Union or of the Member States that applies to the data controller, or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person in charge;
c) for reasons of public interest in the field of public health in accordance with article 9, paragraph 2, letters h) and i), and section 3;
d) for the purpose of archiving in the public interest, scientific or historical research purposes or statistical purposes, in accordance with article 89, paragraph 1, to the extent that the right indicated in section 1 could make it impossible or seriously hinder achievement of the objectives of said treatment, oe) for the formulation, exercise or defense of claims.
5. The right to limitation of treatment
The art. 18 of the RGPD includes the right of the interested party to obtain from the person responsible the limitation of the processing of their data when certain circumstances exist. The limitation of treatment means that, at the request of the interested party, the treatment operations that in each case would correspond will not be applied to your personal data. The limitation of the treatment is defined in art. 4 of the RGPD as "the marking of personal data kept in order to limit its treatment in the future".
It can be requested in the following cases:
- The interested party has exercised the right of rectification and has challenged the accuracy of the data, during the period that allows the person responsible to verify it; - The interested party has exercised the right of opposition and the person in charge is in the process of determining whether the request should be met.
- The treatment is illegal, which would determine the deletion of the data, but the interested party is opposed to it.
- The data is no longer necessary for the treatment, which would also determine its deletion, but the interested party requests the limitation because it needs them for the formulation, exercise or defense of claims.
These are cases in which, essentially, "the treatment of the data is unlawful, and therefore the interested party needs to maintain the proof of such breach so that it does not disappear, or the interested party needs to keep personal data , even after the purpose of the treatment has been fulfilled, to present, exercise or defend in claims"33.
The second section of article 18 requires that, when the processing of personal data is limited, said data may only be subject to treatment, with the exception of its conservation, in the following cases34:
- with the consent of the interested party;
- for the formulation, exercise or defense of claims;
- to protect the rights of another physical or legal person;
- to guarantee an important public interest of the Union or of a Member State.
Finally, any interested person who has obtained the limitation of the treatment will have to be informed by the person responsible before the limitation is lifted.
6. Obligation to notify regarding the rectification or deletion of personal data or the limitation of treatment
Once these rights have been made effective, the controller must communicate any rectification or deletion of personal data or limitation of treatment to each of the recipients to whom the personal data have been communicated, unless it is impossible or requires a disproportionate effort (Article 19). It will also inform the interested party about said addressees, if so requested.
7. Right to data portability
One of the novelties introduced by the RGPD is the right contained in Article 20. The Organic Law 3/2018 is included in Article 17 with a direct referral and without specifications to the aforementioned RGPD precept. It is an autonomous right and different from the arc rights and whose antecedent can be found in Spain in the right to digital portability in the field of telephony. According to the RGPD itself (recital 68), the raison d'etre of this new right is "to further strengthen the control over its own data, when the processing of personal data is carried out by automated means".
Article 20 of the RGPD establishes that the interested party shall have the right to receive from the data controller the personal data that concern him in a structured, commonly used and mechanical reading format, and to transmit them to another responsible person. The interested party may also require that personal data be transmitted directly from responsible to responsible, if it is technically possible.
It may be exercised:
• When the treatment is carried out by automated means;
• When the treatment is based on consent or a contract;
• When the interested party requests it with respect to the data that has been provided to the person responsible and that concerns him, including the data derived from the interested party's own activity.
This right does not exclude the right to deletion of data from Article 17 of the RGPD.
8. Right of opposition
In art. 21 the right of the interested party to oppose the processing of their data is guaranteed in several cases35.
In the first place, for reasons related to the particular situation of the interested party when the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the controller (Article 6.1.e of the RGPD) or when the treatment is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party (article 6.1.f of the RGPD), including the elaboration of profiles on the basis of said provisions. In this case, the right of opposition is not an absolute right36 since, in this case, the person in charge of the file will be able to continue treating the data when it demonstrates legitimate compelling reasons for the treatment that prevail over the interests, rights and freedoms of the interested party. , or for the formulation, exercise or defense of claims. However, it is important to bear in mind that, in recital 69 of the RGPD, it must be held responsible for demonstrating that its compelling legitimate interests prevail over the interests or fundamental rights and freedoms of the interested party.
Second, for reasons related to the particular situation, may object to the processing of your personal data for scientific or historical research purposes or statistical purposes in accordance with the provisions of art. 89.1 of the RGPD, unless the treatment is necessary for the fulfillment of a mission performed for reasons of public interest.
Third, it may oppose the processing of data for direct marketing purposes, and including the elaboration of profiles insofar as it is related to said marketing.
9. Development of profiles and automated individual decisions
The European Regulation regulates the creation of profiles and the right not to be the subject of decisions based solely on automated processing. Previously this issue was regulated in the Directive 95/46 / CE and on this the Council of Europe had pronounced itself in the Recommendation (2010) 13 on the protection of the persons with respect to the automated treatment of personal data in the context of the creation of profiles of the Committee of Ministers of the Council of Europe37. Article 22 of the Regulation guarantees the right of the person concerned not to be the subject of a decision based solely on automated processing, including the elaboration of profiles38, which produces legal effects on him or which significantly affects him in a similar way, taking into account the above principles . We are not facing an absolute right, establishing a series of exceptions, although it is not necessary to address them at this time.
10. Procedure for its exercise and limits on the rights of the interested party
Article 12 of the RGPD establishes that the data controller will facilitate the interested party to exercise their rights. The exercise of these rights will be free, as a general rule and must be made within the deadline determined by the RGPD: the responsible party must inform the interested party of their request within one month (two more months in the case of specially complex applications) , must notify this extension within the first month). If the person in charge decides not to comply with an application, he / she must also inform the interested party within one month of its presentation and informing him / her of the reasons for not acting and the possibility of submitting a claim to a control and exercise authority. Judicial actions.
The rights of the interested party are not absolute and Article 23 provides that they may be limited by Union or Member State law in order to safeguard certain important values.
XI. THE RESPONSIBLE AND THE MANAGER OF THE TREATMENT: ITS OBLIGATIONS.
The RGPD distinguishes two different figures in the use of personal data, on the one hand, the person in charge and, on the other, the person in charge of processing. Responsible for the file is the individual or legal entity, public or private nature or administrative body that alone or together with others, determine the purposes and means of treatment. It is the person who directs and controls the personal data files and each one of the operations and treatments to which they are subjected. The person in charge of the treatment is the one who treats the personal data on behalf of the controller. It can also be a natural or legal person, public authority, service or body and it is irrelevant that the data processing is done exclusively or jointly with other people in charge of the treatment.
Both the controller and the processor are bound by each and every one of the provisions of the RGPD. Many of these duties are deducted from the content of the rights of those affected, but others have been expressly regulated in the Regulation and some of them are included in the new law on the protection of personal data. In the RGPD, specific obligations are established for those responsible for the treatment. Among others: maintain a record of treatment activities, determine the security measures applicable to the treatments performed or designate a Data Protection Delegate in the cases provided by the RGPD.
1. GENERAL OBLIGATIONS
The art. 24 of the RGPD establishes that, taking into account the nature, scope, context and purposes of the treatment, as well as the risks of different probability and severity for the rights and freedoms of natural persons, the controller will apply technical and appropriate organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with this Regulation. These measures will be reviewed and updated as necessary. As we have seen, Article 5 of the Regulation includes the principle of proactive responsibility, such as the need for the controller to apply appropriate technical and organizational measures in order to guarantee and be able to demonstrate that the treatment is in accordance with the Regulation. On the other hand, article 28 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and the guarantee of digital rights, develops this obligation by establishing that those responsible and in charge, taking into account the provisions of the Regulation ( UE) 2016/679, will determine the appropriate technical and organizational measures that must be applied in order to guarantee and prove that the treatment is in accordance with the aforementioned regulation, with the organic data protection law, its implementing regulations and applicable sector legislation .
2. PROTECTION OF DATA FROM DESIGN AND DEFAULT.
Article 25 of the RGPD includes the principle of privacy from the design and by default stating that:
a) Taking into account the state of the art, the cost of the application and the nature, scope, context and purposes of the treatment, as well as the risks of varying probability and seriousness involved in the treatment of the rights and freedoms of natural persons , the controller will apply, both at the time of determining the means of treatment and at the time of the treatment itself, appropriate technical and organizational measures, such as pseudoanimization, designed to effectively apply the principles of data protection, such as minimization of data, and integrate the necessary guarantees in the treatment, in order to comply with the requirements of this Regulation and protect the rights of the interested parties.
b) The controller will apply the appropriate technical and organizational measures in order to guarantee that, by default, only the personal data necessary for each of the specific purposes of the processing will be processed. This obligation shall apply to the amount of personal data collected, the extent of its treatment, its term of conservation and its accessibility. Such measures will guarantee in particular that, by default, personal data will not be accessible, without the intervention of the person, to an indeterminate number of natural persons.
c) A certification mechanism as established in the RGPD may be used as evidence of compliance with these obligations.
The principle of privacy from the design appears in the nineties promoted by Ann Cavoukian, Commissioner of Information and Privacy of Ontario and would extend to a "trilogy" of applications that would encompass information technology systems, business practices responsible and the physical design and infrastructure in network39. This philosophy is based on 7 fundamental principles40: proactive, non-reactive; privacy as the default configuration or privacy by default41; embedded privacy, total functionality; extreme-to-extreme security; visibility and transparency and respect for the privacy of users.
Privacy from design is presented as "an essential way to exercise self-determination, the tool to facilitate the application of the Law in accordance with its principles" 42. It is based on the idea that the protection of personal data and rights related to private life must be incorporated into the construction of information systems, businesses, devices, applications, etc., evaluating "all processes and information flows planned in the system, analyzing its implications in privacy from a holistic, preventive point of view and with a focus beyond the current legal framework"43.
3. RECORD OF TREATMENT ACTIVITIES
Each responsible person and each person in charge of the treatment will keep a record of the treatment activities carried out under their responsibility (Article 30 RGPD). The record must contain information regarding the name and contact details of the person responsible, and, if there are any, the co-responsible person, the representative of the person responsible, and the data protection officer, for the purposes of processing, the categories of interested persons and personal data, the categories of the recipients of the data, including those of third countries or international organizations; if possible, the deadlines set for the deletion of the different categories of data, as well as a general description of the technical and organizational safety measures. This obligation is completed with that of the processor to keep a record of all categories of treatment activities carried out on behalf of a person in charge. In this sense, article 31 of the Organic Law 3/2018 establishes that "the registry, which may be organized around structured data sets, shall specify, according to its purposes, the treatment activities carried out and the other circumstances established. in the aforementioned regulation. " Paragraph 5 of Article 30 of the RGPD establishes an exception to this obligation by reason of the size of the company or organization so that companies or organizations that employ less than 250 people are not required, unless the treatment may involve a risk to the rights and freedoms of the interested parties, is not occasional, or includes special categories of data (sensitive data of article 9 or data related to convictions and criminal offenses referred to in article 10).
4. COOPERATION WITH THE CONTROL AUTHORITY
The RGPD establishes the obligation for the controller and the processor to cooperate with the control authority that requests it in the performance of their duties. Article 52 of the new law on the protection of personal data specifies who should collaborate with the Spanish Agency for Data Protection and in what cases and in what way in the exercise of its powers of investigation and prior audit.
5. OBLIGATIONS RELATING TO THE SECURITY OF PERSONAL DATA
5.1. The security obligation.
There are several obligations that the Regulation imposes on the person in charge and the person in charge of security treatment to enforce the principle of confidentiality and security of the information in article 5 of the REGPD. First, as we have already studied, appropriate technical and organizational measures will be applied to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the treatment, as well as risks of variable probability and severity for the rights and freedoms of natural persons. Among other measures will include:
- pseudonymization and encryption of personal data;
- the ability to guarantee the permanent confidentiality, integrity, availability and resilience of treatment systems and services;
- the ability to restore the availability and access to personal data quickly in the event of a physical or technical incident;
- a process of regular verification, evaluation and assessment of the effectiveness of technical and organizational measures to ensure the safety of treatment.
In order to establish an adequate level of security, the risks of data processing must be taken into account, especially as regards the destruction, loss or accidental or unlawful alteration of personal data transmitted, conserved or otherwise processed, or communication or unauthorized access to said data. On the other hand, adherence to a code of conduct or a certification mechanism may serve as an element to demonstrate compliance with the established security requirements in the RGPD.
Section 5 of Article 32 also establishes that the person in charge and the person in charge of processing must take measures to ensure that any person acting under the authority of the person in charge or in charge and having access to personal data can only process said data following instructions from the responsible, unless required to do so by Union or Member State law.
This obligation is complemented by the duty of confidentiality in the Organic Law 3 / 2018. Article 5 of the new law on the protection of personal data establishes a general obligation of confidentiality for the person responsible, the person in charge or for any other person who intervenes in any phase of the processing of personal data. The duty of confidentiality is compatible with the duty of professional secrecy in accordance with its applicable regulations. The obligations of confidentiality or professional secrecy will be maintained even when the relationship of the obligor with the person in charge or in charge of the treatment has ended.
5.2. The obligation to notify security violations.
Another obligation related to the security of personal data is the notification of a violation of the security of personal data to the control authority. In case of violation of the security of personal data, the controller will notify the AEPD without undue delay and, if possible, no later than 72 hours after it has been recorded, unless it is unlikely that such breach of security constitutes a risk to the rights and freedoms of natural persons. If the notification does not meet the 72-hour deadline, it must be accompanied by an indication of the reasons for the delay.
The person in charge of the treatment must also notify the person responsible of the breaches of the security of the personal data of which he / she has knowledge without undue delay. In those cases in which it is likely that the violation of the security of personal data entails a high risk for the rights and freedoms of natural persons, the data controller must communicate it to the interested party without undue delay in a clear and simple language, unless any of the exceptions provided in article 33 of RGPD.
6.EVALUATION OF IMPACT RELATED TO THE PROTECTION OF DATA
The RGPD establishes for the controller the obligation to carry out, before the treatment, an evaluation of the impact of the treatment operations on the protection of personal data in those cases in which it is probable that a type of treatment involves a high risk for the rights and freedoms of natural persons (Article 35). In certain cases, the impact evaluation will be mandatory: when dealing with sensitive data, in the processes of profiling or in cases of large-scale monitoring in areas of public access. If the impact evaluation shows that the treatment would involve a high risk if the responsible party does not take measures to mitigate it, it should consult the supervisory authority before proceeding to the processing of personal data.
The impact analysis of privacy is "a study that describes the flows of private information within a system or project and analyzes the possible impacts of such processes on the privacy of its users"44 and must include at least the following areas of analysis : information on the system or project, applicable regulatory framework, characterization of the information processed, reasons and purposes of the collection of information and uses of information, internal and external sharing, identifying all processes, use and privacy policies, security of the registration information, and, finally, the retention periods and safe disposal procedures45.
The Regulation establishes a minimum content for impact evaluations, which must include a general description of the planned treatment operations, with an assessment of the necessity and proportionality of the treatment operations with respect to their purpose, an assessment of the risk, the measures contemplated to face the risk, including guarantees, security measures and mechanisms to guarantee the protection of personal data taking into account the legitimate rights and interests of the interested parties and other affected persons. This regulation could have consequences on the security of personal data since it will be the person responsible who decides "the measures to be implemented based on an evaluation carried out by the same"46.
PROTECTION OF DATA AND THE INTERNET OF THINGS: SECURHOME
1Vid. P.REZ LU.O, Antonio E.: Derechos humanos, Estado de Derecho y Constituci.n, novena edici.n, Tecnos, Madrid, 2005, p. 318.
2HEREDERO HIGUERAS, Manuel: “La inform.tica y el uso de la informaci.n personal”, en RIBERO y SANTODOMINGO: Introducci.n a la inform.tica jur.dica”, Fundesco, Madrid, 1986, p. 35.
3HEREDERO HIGUERAS, Manuel: La inform.tica y el uso de la informaci.n personal, ob. cit., p. 34.
4P.REZ LU.O, Antonio E.: Vittorio Frosini y los nuevos derechos de la sociedad tecnol.gica, en Informatica e Diritto, 1-2, Edizioni Scientifiche Italiane, 1992, p. 104.
5STC 254/1993, de 20 de julio, fundamento jur.dico 6.. En el mismo sentido, entre otras, STC 11/1998, de 13 de enero, 94/1998 y 202/1999, de 8 de noviembre.
6DIRECTIVA 95/46/CE DEL PARLAMENTO EUROPEO Y DEL CONSEJO de 24 de octubre de 1995 relativa a la protecció de las personas físicas en lo que respecta al tratamiento de datos personales y a la libre circulación de estos datos.
7Especialmente en los Considerando 4,5, 6 y 7.
8El párrafo segundo del art.culo 2 del RGPD se.ala taxativamente los tratamientos a los que no resulta de aplicación las previsiones contenidas en el mismo.
9Título II, art.culos 4 y siguientes.
10Sentencia de la Audiencia Nacional de 22 septiembre 2011.
11Según este principio corresponder. al responsable del tratamiento asegurarse de la exactitud de los datos, es decir, que responde a la situaci.n real del interesado. Así lo han entendido los tribunales españoles; entre otras vid. STS 13/2013, de 29 de enero o SSAN de 19 de abril de 2002, de 21 mayo 2013 y de 24 junio 2014.
12Artículo 4. Exactitud de los datos
1. Conforme al art.culo 5.1.d) del Reglamento (UE) 2016/679 los datos ser.n exactos y, si fuere necesario, actualizados.
2. A los efectos previstos en el art.culo 5.1 d) del Reglamento (UE) 2016/679, no ser. imputable al responsable del tratamiento, siempre que .ste haya adoptado todas las medidas razonables para que se supriman o rectifiquen sin dilación, la inexactitud de los datos personales, con respecto a los fines para los que se tratan, cuando los datos inexactos:
a) Hubiesen sido obtenidos por el responsable directamente del afectado.
b) Hubiesen sido obtenidos por el responsable de un mediador o intermediario en caso de que las normas aplicables al sector de actividad al que pertenezca el responsable del tratamiento establecieran la posibilidad de intervención de un intermediario o mediador que recoja en nombre propio los datos de los afectados para su transmisón al responsable. El mediador o intermediario asumir. las responsabilidades que pudieran derivarse en el supuesto de comunicaci.n al responsable de datos que no se correspondan con los facilitados por el afectado.
c) Fuesen sometidos a tratamiento por el responsable por haberlos recibido de otro responsable en virtud del ejercicio por el afectado del derecho a la portabilidad conforme al art.culo 20 del Reglamento (UE) 2016/679 y lo previsto en esta Ley Orgánica.
d) Fuesen obtenidos de un registro p.blico por el responsable..
13CUEVA CALABIA, Jos. L.: "La LORTAD y la seguridad de los sistemas automatizados de datos personales". En Actualidad Informática Aranzadi, n.mero 13, octubre, Aranzadi, 1994, p. 7.
14REBOLLO DELGADO, Lucrecio y SERRANO P.REZ, M. Mercedes: Introducci.n a la protección de datos, ob. cit.,p. 139.
15Vid. DEL PESO NAVARRO, Emilio, RAMOS GONZ.LEZ, Miguel A., DEL PESO RUIZ, Margarita y DEL PESO RUIZ, Mar: Nuevo Reglamento de protección de datos de carácter personal: Medidas de seguridad, Ediciones D.az de Santos, 2012, especialmente p. 309 y ss.
16El GT29 considera que, por ejemplo, se podr.an aplicar las siguientes medidas: medidas revisión interna, evaluación, establecimiento de políticas escritas y vinculantes de protección de datos para asegurar el cumplimiento de los criterios de calidad de datos; establecimiento de procedimientos que garanticen la identificación correcta de todas las operaciones de tratamiento de datos y el mantenimiento de un inventario de operaciones de tratamiento; nombramiento de un responsable de protecci.n de datos (en el RGPD el delegado de protección de datos); realizaci.n de evaluaciones de impacto sobre la privacidad en circunstancias espec.ficas; formaci.n a los miembros del personal, en especial a los directores de recursos humanos y a los administradores de tecnologías de la información; establecimiento de un mecanismo interno de tratamiento de quejas; etc. Dictamen 3/2010 sobre el principio de responsabilidad del GT29, p. 9,12 y 13.
17Gu.a del RGPD para responsables de tratamiento.
18Definición que reproduce el art.culo 6 de la Ley Org.nica 3/2018.
19Directrices sobre el consentimiento en el sentido del Reglamento (UE) 2016/679, adoptadas el 28 de noviembre de 2017 y revisadas por última vez y adoptadas el 10 de abril de 2018, p. 6.
20VALDECANTOS, M.: “El consentimiento como base legitimadora del tratamiento en el Reglamento Europeo de protección de datos”, Actualidad Civil n. 5, mayo de 2018.
21Directrices sobre el consentimiento en el sentido del Reglamento (UE) 2016/679, adoptadas el 28 de noviembre de 2017 y revisadas por última vez y adoptadas el 10 de abril de 2018, p. 6-8.
22STC 292/2000, de 30 de noviembre, fundamento jur.dico octavo.
23El art.culo 11 de la Ley 3/2018 regula la transparencia e información al afectado en los siguientes términos:
1. Cuando los datos personales sean obtenidos del afectado el responsable del tratamiento podr. dar cumplimiento al deber de informaci.n establecido en el art.culo 13 del Reglamento (UE) 2016/679 facilitando al afectado la informaci.n b.sica a la que se refiere el apartado siguiente e indic.ndole una direcci.n electr.nica u otro medio que permita acceder de forma sencilla e inmediata a la restante informaci.n.
2. La informaci.n b.sica a la que se refiere el apartado anterior deber. contener, al menos:
a) La identidad del responsable del tratamiento y de su representante, en su caso.
b) La finalidad del tratamiento.
c) La posibilidad de ejercer los derechos establecidos en los art.culos 15 a 22 del Reglamento (UE) 2016/679.
Si los datos obtenidos del afectado fueran a ser tratados para la elaboraci.n de perfiles, la informaci.n b.sica comprender. asimismo esta circunstancia. En este caso, el afectado deber. ser informado de su derecho a oponerse a la adopci.n de decisiones individuales automatizadas que produzcan efectos jur.dicos sobre .l o le afecten significativamente de modo similar, cuando concurra este derecho de acuerdo con lo previsto en el art.culo 22 del Reglamento (UE) 2016/679.
3. Cuando los datos personales no hubieran sido obtenidos del afectado, el responsable podr. dar cumplimiento al deber de informaci.n establecido en el art.culo 14 del Reglamento (UE) 2016/679 facilitando a aquel la informaci.n b.sica se.alada en el apartado anterior, indic.ndole una direcci.n electr.nica u otro medio que permita acceder de forma sencilla e inmediata a la restante informaci.n.
En estos supuestos, la informaci.n b.sica incluir. tambi.n:
a) Las categor.as de datos objeto de tratamiento.
b) Las fuentes de las que procedieran los datos.
24VALDECANTOS, M.: “El consentimiento como base legitimadora del tratamiento en el Reglamento Europeo de protecci.n de datos”, Actualidad Civil n. 5, mayo de 2018.
25Directrices sobre el consentimiento en el sentido del Reglamento (UE) 2016/679, adoptadas el 28 de noviembre de 2017 y revisadas por .ltima vez y adoptadas el 10 de abril de 2018, p. 18.
26STC 17/2013 de 31 enero.
27HERN.NDEZ CORCHETE, J.A.: “Transparencia en la informaci.n al interesado del tratamiento de sus datos personales y en el ejercicio de sus derechos”; en PI.AR MA.AS, J. L. (Dir.): Reglamento General de protecci.n de datos. Hacia un nuevo modelo europeo de privacidad, Editorial Reus, Madrid, 2016, p. 207.
28El derecho de acceso y las particularidades en relaci.n con su ejercicio est. previsto en el art.culo 13 de la Ley Org.nica 3/2018.
29Deber. informarle sobre: los fines del tratamiento; las categor.as de datos personales; los destinatarios, en particular destinatarios en terceros pa.ses u organizaciones internacionales; el plazo previsto de conservaci.n o, de no ser posible, los criterios utilizados para determinar este plazo; la existencia del derecho a solicitar la rectificaci.n o supresi.n o la limitaci.n del tratamiento de datos personales relativos al interesado, o a oponerse a dicho tratamiento; el derecho a presentar una reclamaci.n ante una autoridad de control; si los datos personales no se han obtenido del interesado, cualquier informaci.n disponible sobre su origen; la existencia de decisiones automatizadas, incluida la elaboraci.n de perfiles, a que se refiere el art.culo 22 (art.15 RGPD).
30STJUE C-553/07, Rotterdam v. Rijkeboer.
31HERN.NDEZ CORCHETE, J.A.: “Transparencia en la informaci.n al interesado del tratamiento de sus datos personales y en el ejercicio de sus derechos”, ob. cit., p. 224.
32ARENAS RAMIRO, M.nica: Reforzando el ejercicio del derecho a la protecci.n de datos personales: viejas y nuevas facultades, ob. cit., p. 334. Este es el sentido de esta segunda obligaci.n del responsable del tratamiento seg.n se expresa en el Considerando 66 del RGPD: “A fin de reforzar el .derecho al olvido. en el entorno en l.nea, el derecho de supresi.n debe ampliarse de tal forma que el responsable del tratamiento que haya hecho p.blicos datos personales est. obligado a indicar a los responsables del tratamiento que est.n tratando tales datos personales que supriman todo enlace a ellos, o las copias o r.plicas de tales datos. Al proceder ası́́, dicho responsable debe tomar medidas razonables, teniendo en cuenta la tecnolog.a y los medios a su disposici.n, incluidas las medidas t.cnicas, para informar de la solicitud del interesado a los responsables que est.n tratando los datos personales.”
33RECIO GAYO, M.: “Los nuevos y renovados derechos en Protecci.n de Datos en el RGPD, as. como sus limitaciones”, Actualidad Civil n.. 5, mayo 2018.
34Vid. .LVAREZ CARO, M..: “El derecho de rectificaci.n, cancelaci.n, limitaci.n del tratamiento, oposici.n y decisiones individuales automatizadas”, en PI.AR MA.AS, J. L. (dir.): Reglamento General de protecci.n de datos. Hacia un nuevo modelo europeo de privacidad, ob. cit., p. 235 y ss.
35En este sentido, RECIO GAYO, M.: “Los nuevos y renovados derechos en Protecci.n de Datos en el RGPD, as. como sus limitaciones”, Actualidad Civil n.. 5, mayo 2018.
36ÁLVAREZ CARO, M..: “El derecho de rectificaci.n, cancelaci.n, limitaci.n del tratamiento, oposici.n y decisiones individuales automatizadas”, en PI.AR MA.AS, J. L. (dir.): Reglamento General de protecci.n de datos. Hacia un nuevo modelo europeo de privacidad, ob. cit., p. 236.
37Tambi.n las Autoridades de Control de la UE en la Resoluci.n de Varsovia Resoluci.n de Varsovia sobre profiling de la de la XXXV Conferencia Internacional de Autoridades de Protecci.n de datos y Privacidad.
38En el Considerando 71 del Reglamento se ejemplifican varios tipos de perfiles posibles que consistirían en cualquier forma de tratamiento de los datos personales que evalúe aspectos personales relativos a una persona física, en particular para analizar o predecir aspectos relacionados con el rendimiento en el trabajo, la situación económica, la salud, las preferencias o intereses personales, la fiabilidad o el comportamiento, la situación o los movimientos del interesado, en la medida en que produzca efectos jurídicos en él o le afecte significativamente de modo similar.
39CAVOUKIAN, Ann: Privacy by Design. The 7 Foundational Principles Implementation and Mapping of Fair Information Practices, Information and Privacy Commissioner of Ontario, Canad., 2010.Puede consultarse en: https://www.iab.org/wp-content/IAB-uploads/2011/03/fred_carter.pdf.
40Ib.dem.
41MEG.AS TEROL, Javier: “Privacy by desing, construcci.n de redes sociales garantes de la privacidad”, en RALLO LOMBARTE, Artemi y MART.NEZ MART.NEZ, Ricard (coord..): Derecho y redes sociales, Civitas, Madrid, 2010, p. 320.
42LL.CER MATAC.S, Mar.a Rosa: La autodeterminaci.n informativa en la sociedad de la vigilancia: Ubiquitous Computing, ob. cit., p. 90.
43MEG.AS TEROL, Javier: “Privacy by desing, construcci.n de redes sociales garantes de la privacidad, ob. cit., p. 320.
44MEG.AS TEROL, Javier: “Privacy by desing, construcci.n de redes sociales garantes de la privacidad, ob. cit., p.322.
45Ib.dem, p. 323 y 324.
46ARENAS RAMIRO, M.nica: Reforzando el ejercicio del derecho a la protecci.n de datos personales, en RALLO LOMBARTE, Artemi y GARC.A MAHAMUT, Rosario: Hacia un nuevo Derecho europeo de protecci.n de datos, Tirant lo Blanch, Valencia, 2015,p. 354.
