Penalty System of the Spanish Law on Protection of Personal Information
The correct treatment of the Personal Information must be a priority for those responsible for the files and those in charge of handling this Information given that the Organic Law 15/1999, of December 13 on the Protection of Personal Information ( “LOPD”) establishes a strict penalty regime for for public administrations.
This article focuses on all of those subjects responsible in the eyes of the law who must exercise strict control over the treatment of Personal Information.
1. Types of offences and sanctions
The LOPD penalty system classifies the offences as minor, serious, or very serious and imposes fines ranging from 900 to 40,000 Euros for committing the first offence;fines ranging from 40,001 to 300,000 Euros for committing the second offence; and fines ranging from 300,001 to 600,000 Euros for serious offences.
2. Behaviour constituting an offence
Having noted the severity of the punishments above, the behaviour resulting in these offences includes the following: ,
a) Light offences
The LOPD considers four circumstances of light offences, namely (i) the non-remission of the Spanish Agency of Data Protection (“AEPD”) and the foreseen notifications in this Law or in their rules of development; (ii) the non-application of the registration of the file of Personal Information in the General Registry of the Protection of Information; (iii) the incompletion of the Duty of Information to the affected party regarding the treatment of his or her Personal Information when the Information is in demand in the affected party’s own interest; and (iv) the transmission of the Information to a person in charge of handling the Information without completing the formal duties established in Article 12 of this Law.
b) Serious Offences
Regarding serious offences, the LOPD establishes 11 assumptions that range, among others, from the creation of the files of public title without the necessary authorization to the treatment of Personal Information without the prior obtaining of the consent of the affected party (when necessary), passing by the impediment or obstacle of the ARCO rights of the affected parties (access, alteration, cancellation and opposition) or determined acts of non collaboration or obstruction of the activity of AEPD
Very serious offences
The following events may result in serious offences: (i) the collection of Information of a deceptive or fraudulent form; (ii) the treatment or transfer of the determined Personal Information under determined circumstances; (iii) not to stop the illicit treatment of Information after the Director of the Spanish Agency of the Protection of Information has received a request; (iv) the international transfer of the Personal Information bound for countries that do not provide a comparable level of protection without the prior authorization of the Director of the Spanish Agency of Protection of Information; except when the transferconforms with this Law and its regulations of development, this said authority is not necessary.
3. Grounds of the penalties and the warning
The majority of illegal behavior having been put forth, our attention comes to the broad framework that establishes the regulation for the result of a fine. The LOPD has an open list of criteria that allow the punishing body (the AEPD) to alter the fine in accordance with the level of intention, the continued nature, the amount of business or activity of the offender, etc, as in determined assumptions that allow the establishment of the quantity of the fine applying the relative scale to the type of offences that immediately precedes in seriousness (from very serious to serious and from serious to minor).
Finally, the punishing body an warn the offender as an exception, avoiding the giving of a fine, under a series of conditions: (i) that the facts indicated a minor offence or a serious one, and (ii) that the offender had not been punished or warned in the past.
Nicolás Melchior