Home

Internal

Global

Contatto

Rödl & Partner ha prestato la propria consulenza per il perfezionamento dell'acquisizione del Gruppo italiano FGV da parte di Hettich |

In tutto il mondo

Utilizziamo cookie tecnici per personalizzare il sito web e offrire all’utente un servizio di maggior valore. Chiudendo il banner e continuando con la navigazione verranno installati nel Suo dispositivo i cookie tecnici necessari ai fini della navigazione nel Sito. L’installazione dei cookie tecnici non richiede alcun consenso da parte Sua. Ulteriori informazioni sono contenute nella nostra Cookie Policy.

The “Data Locking” obligation under the Spanish Data Protection Act

published on 28 June 2021 | reading time approx. 5 minutes

Under the principle of data storage limitation of the General Data Protection Regulation 2016/679 (hereinafter, “GDPR”), data controllers ought to guarantee that the data subject’s personal data shall be retained for a strict minimum period of time, and in any case, for no longer than is necessary for the purposes for which the personal data are processed (art. 5.1(e) GDPR). Thereafter, where the data controller has no further legal grounds to preserve the personal data for a longer period of time (e.g. labour or tax obligations under national law), it shall proceed to the deletion of the data.

Whilst said principle is common to all jurisdictions in Europe where the GDPR is applicable, the current Spanish Data Protection Act 3/2018 (hereinafter, “LOPDGDD”) includes a unique obligation inherent to the proactive responsibility principle, where the data controller must preserve or storage the personal data for a period of time that exceeds the purposes of the initial processing.

The notion of data locking under article 32 LOPDGDD, constitutes a particular, legal and automatic consequence of the erasure of personal data (Kuschewsky, M. (2012) Data Protection & Privacy: Jurisdictional Comparisons. London: Thomson Reuters, p. 154), which provides that the controller shall lock the personal data of the data subject, under the following conditions:

Firstly, the data locking obligation arises in the context where the controller rectifies or erases the personal data (in this regard, article 17.3 GDPR stipulates that the exercise of the right of erasure shall not take place, where the controller is legally obliged, by virtue of the national law of the Member State, to process such personal data). At this point, the controller cannot physically nor automatically erase the data, but shall effectively lock and restrict its access as if they were deleted.
Secondly, as for the form of retention or preservation, the controller must implement a set of technical and organizational measures to prevent the (active) processing of the data, including its visualization. According to the report elaborated in 2019 by the Spanish Data Protection Agency’s (hereinafter, the “AEPD” or “Agency”, indistinctly) (Spanish Data Protection Agency (AEPD). “Plazos de conservación y bloqueo de datos”, Legal Report, reference nº: 00148/2019. Available at this link), these measures require, in practice, a restriction to access the locked data by any staff whom, in ordinary circumstances, would be allowed to process them. Therefore, the data must only be accessible to the maximum responsible or person in charge of responding to requests or claims, emanating from judicial or administrative inquiries.
Thirdly, the purpose of the preservation of the data during the locked period is its availability and accessibility, at the request or demand of, exclusively, Courts and Tribunals, the Public Prosecutor’s Office, Public Authorities and/or, particularly, data protection authorities, and for the sole purpose of attending potential liabilities arising out of or in relation to the prior processing. In any case, the concept of data locking constitutes an obligation of the controller, yet, it cannot be perceived as a right of the data subject. According to a judgement of the Spanish National Court in 2006 (SAN 3522/2006), the data subjects cannot exercise their right of access to personal data (under previous article 15 of the Spanish Data Protection Act 15/1999, “LOPD”) regarding data that have been duly locked, as the limit of such digital right is precisely “(…) the personal data undergoing processing” (previous article 15.1 LOPD). In that order, granting access to the data would entail the processing thereof by the controller, which contravenes the precise purpose of this concept: to prevent any further processing, and restricting its access exclusively to the authorized public authorities under art. 32.2 LOPDGG.
And, lastly, as for the period of time to which the data shall be locked, the controller shall preserve the data only for the prescriptive period or statute of limitation of potential claims which may arise out of or in relation to the processing of such personal data. In the report elaborated in 2019 by the AEPD, the Agency included a non-exhaustive list of the conservation periods and prescriptive periods of some legal actions. For example, companies must preserve tax and accounting records (that include personal data) for four (4) years, as a result of the statute of limitation regarding tax liabilities. However, under Spanish Tax Law, a locked period of ten (10) years may be justified, where the Tax Agency has the power to investigate such records, in light of a different prescriptive period for tax compensations.

In any case, after this period, the controller must proceed to the complete erasure of the personal data.

On more a practical note, a clear example of data locking can be found in a resolution of August 2020, where the AEPD imposed a sanction of 50.000€ to a credit institution (the “Bank”) who, during the alleged data locking period, retained the data in an active filing system during 16 years, which remained accessible to all the staff employed at the institution, who were in charge of client services (Spanish Data Protection Agency (AEPD). Resolution 28th of August, 2020, reference nº: PS/00076/2020, available at this link).

The data subject in question had ceased being a client at the Bank in 2002, however, in 2019, the data subject decided to become again a client to resolve a family inheritance matter. When managing the (new) incorporation, the Bank’s staff claimed that the data subject was still registered as a client, under its previous address in 2002. As the Bank was unable to explain why the personal data was still being stored after more than 16 years, the data subject filed a claim with the AEPD, who sanctioned the Bank for the infringement of the principle of purpose limitation under art. 5.1.(b) GDPR.

Though the Bank alleged that the data was kept lawfully under the data locking obligation, the AEPD found that “locked data cannot be accessible to the staff employed at the bank (…)”. In this case, the bank had exceeded the purpose to which this data has to be stored, which may exclusively be “accessible to Courts and Tribunals, the Public Prosecutor’s Office, Public Authorities and/or, in particular, data protection agencies”.

Nevertheless, this particular and unique legal obligation of the Spanish Data Protection Act has not been exempt from criticism. In this regard, the concept of data locking is not considered a novelty, being already present in the previous Spanish Data Protection Act 15/1999 (LOPD). However, during the amendment process of the current LOPDGDD, some parliamentary representatives viewed the inclusion of article 32 as superfluous, where, the legal basis for retaining or storing data, in the event of deletion or rectification of personal data –ex officio by the controller or due to the exercise of the data subject’s rights—, for the purpose of defence or exercise of legal claims, had already been included by the GPDR under articles 17.3(e) and 18.2. Moreover, others may argue that the data locking obligation collides with the principle of limitation of purpose: the addition of article 32 may be viewed as a legal imposition that supersedes the obligations and processing grounds established by the GDPR, which provides no more guarantees to the data subjects than those in place, yet it increases the regulatory burden on Spanish controllers in comparison to those in the rest of the Member states.

Finally, bearing in mind that the storage of all personal data must be limited to a strict minimum, a suitable data retention policy can ensure compliance with the aforementioned provisions, including a legal justification for those periods that exceed the purposes of the initial processing. In that order, and insofar the LOPDGDD is applicable to the controller, the latter shall have to implement the appropriate measures to distinguish both filing systems (i.e. a separation between locked data versus the data that are being processed), as well as identifying which business activities may suppose a risk of liability claims in its processing, to determine the adequate locked period for each activity.

Written by the Spanish Data Protection Team