We have analysed the new project that was published recently, and we observe the changes with respect to the version of November 24, 2017
In this sense, the new version of the Draft Law on Data Protection is novel since, in addition to introducing some changes dedicated to the transposition of the GDPR, it introduces a new title related to the "new digital rights", in which they are subject to regulation rights and freedoms associated with the Internet environment such as the network neutrality and universal access, or the rights to security and digital education, as well as the right to be forgotten, portability and e-testament. Particularly noteworthy is the recognition of the right to disconnect within the framework of the right to privacy in the use of digital devices in the workplace and the protection of children on the Internet. It also highlights the guarantee of freedom of expression and the right to rectify information on the digital media.
In relation to the changes dedicated to the transposition of the GDPR, we highlight the following:
* The list of data controllers and processors which will have the obligation to designate a Data Protection Officer is extended, and now includes sports federations when dealing with children`s data. It should be noted, with regard to health centers, that professionals who exercise their activity individually are exempted.
* The age at which one is able to give consent is fixed at 14 years and not 13 as on the previous draft.
* The information is enabled through a layered information system as recommended by the Spanish Data Protection Authority in its Guide on the duty to inform.
* It defines what the data limitation should consist of. According to the new text, it is about the "identification and reservation of the same, adopting technical and organizational measures, to prevent its processing, including its visualization, except for the provision of data to judges and courts, the Public Prosecutor`s Office or the competent Public Administrations, in particular of the data protection authorities, for the requirement of possible responsibilities derived from the processing and only for the term of prescription of the same ones ".
* Regarding the sanctioning procedure and its duration, three cases are differentiated:
* The intentional reversion of an anonymization procedure is added as a very serious infraction.
* In setting the amount of the fine, several factors will be taken into account such as the existence of a DPO, as well as the submission to alternative dispute resolution mechanisms. In setting the amount of the fine, several factors will be taken into account such as the existence of a DPO, as well as the submission to alternative dispute resolution mechanisms.