The Data Protection Authority published the bill to replace the Personal Data Protection Law

Following the public consultation process, the Data Protection Authority published the final draft. Learn about the main changes.

December 21, 2022
The Data Protection Authority published the final draft of the bill to reform the current Personal Data Protection Law. The final text of the bill is available here (in Spanish).

This bill had been subject to public consultation during September and October. According to the official reports issued by the Data Protection Authority, over 170 contributions to the preliminary draft were filed during the public consultation process.

Some of the most significant changes to the text of the Preliminary Draft were:

  • It releases data processors from the obligation to justify the need to collect personal data, leaving this obligation solely with data controllers.
  • It incorporates the principle of preeminence, according to which it is the interpretation most favorable to the data subject that will prevail when there are doubts about the interpretation and application of the law.
  • It identifies measures to demonstrate compliance with the principle of accountability.
  • It replaces the obligation to carry out a detailed assessment on the existence of legitimate interest with the obligation to carry out a detailed, prior, and documented analysis.
  • It expressly establishes that the burden of proof in demonstrating the existence of legitimate interest, when this is the legal basis adopted for the processing, lies with the data controller.
  • It adds the condition of express consent, among other things (in line with that required under the current Personal Data Protection Law).
  • It allows minors under thirteen years of age to give, together with the consent of their legal representatives, their permission for the processing of their personal data.
  • It establishes specific rules for processing personal data for statistical and scientific purposes.
  • It extends the deadline for notifying security incidents to the Data Protection Authority from 48 to 72 hours. The notification must be sent in all cases, not only when the incident constitutes a risk to the rights of the data subjects. It also broadens the obligation to notify data subjects so that it covers any security incident, not only those involving high risks.
  • It clarifies the scope of the concepts of partially automated or semi-automated decisions.
  • It incorporates the right to limit data processing.
  • It expressly recognizes the possibility for data subjects to claim before the courts for damages caused by non-compliance with the law.
  • It clarifies the obligation of data processors to inform the Data Protection Authority if security incidents occur and to appoint a DPO, when appropriate.
  • It releases data processors from the obligation to respond to requests from data subjects, limiting it to only notifying the data subject of the notice given to the data controller.
  • It releases data processors from the obligation to adopt privacy by design and privacy by default mechanisms, keeping only data controllers in charge of them.
  • It eliminates the obligation to carry out privacy impact assessments when processing data of minors.
  • It limits the responsibilities of the DPO, releasing it from the responsibility of receiving communications and responding to data subjects.
  • It creates the Federal Council for Transparency and Protection of Personal Data.

For more information about the main changes introduced by the Preliminary Draft, please click here.