Frequently asked questions on data protection

What is the fundamental right to data protection?

Constitutional Court Ruling 292/2000 states that, “the content of the fundamental right to data protection consists of a power of disposal and control over personal data that empowers the individual to decide which of those data to provide to a third party, be it the State or a private individual, or which of those data this third party may collect, and that also allows the individual to know who possesses those personal data and for what purpose, being able to oppose such possession or use”.

What is meant by personal data?

The Supreme Court has defined it in its judgment of 29 November 2018 as follows: ‘The concept of “personal data” encompasses “any information relating to an identified or identifiable natural person”.This judgment thus interprets Article 2(a) , of Directive 95/46 (LCEur 1995, 2977). Other judgments converging with this definition are: Cases C-465/00 , C-138/01 and C-139/01 Österreichischer Rundfunk and Others [2003] ECR I-4989, paragraph 64; Case C-524/06 Huber [2008] ECR I-9705, paragraph 43; and Case C-553/07 Rijkeboer [2009] ECR I-3889, paragraph 42).

Is a telephone number personal data?

The telephone number, on its own, cannot be considered personal data in accordance with the Supreme Court ruling of 17 September 2008.

Is voice personal data?

The voice of a person constitutes personal data, as can be deduced from the definition provided in Article 3 of the Organic Law on the Protection of Personal Data, as any information concerning an identified or identifiable natural person, which determines the need for the data controller to obtain the consent of the data subject, in the terms required in Article 6 of the aforementioned legal text.

The voice, insofar as it constitutes a sound record of a person that provides information concerning that person, falls within the definition of “personal data” referred to in Article 2.3 a) of Organic Law 15/1999, of 13 December, on the Protection of Personal Data.

What is consent for the purpose of transferring or selling personal data?

“Consent of the data subject’ means any freely given, specific, informed and unambiguous indication of his or her agreement, either by a statement or by a clear affirmative action, to the processing of personal data relating to him or her”.

Does the data protection regulation apply only to natural persons or also to legal persons?

According to Supreme Court Ruling No. 547/2023 of 4 May, the regulation on personal data protection is restricted to natural persons and does not include legal persons.

The purpose of Organic Law 3/2018 of 5 December (RCL 2018, 1629) on Data Protection and the aforementioned Regulation is the protection of data relating to natural persons, as is clear from its articles, which expressly refer to natural persons, so that legal persons, which are excluded from its scope of application, cannot be included in its scope of application.

This leads us to interpret (…) the rule (…) in the sense that the specific regime foreseen for data in relation to the commission of administrative offences refers exclusively to natural persons.)in the sense that the specific regime envisaged for data in relation to the commission of administrative offences refers exclusively to natural persons, in accordance with the nature of the fundamental right to data protection as control of the flow of information concerning each person ( STC 11/1998, of 13 January) which guarantees, finally, the right of each citizen to control their personal data ( STC 292/2000, of 30 September [sic]) and whose content is specified in “the power of disposal and control over personal data that empowers the individual to decide which of these data to provide, be it the State or a private individual, or which can be collected by this third party, and also allows the individual to know who possesses these personal data and for what purpose, being able to oppose this possession or use” (STC 76/2019, of 22 May).

Si te ha interesado este artículo no dudes en leer:

Software Protection in Spain: Legal and Practical Aspects

Software protection in Spain is an issue of great relevance for software creators and developers.

What is considered to be exclusively personal or domestic data processing (for the purposes of the exclusion from protection of the LOPD)?

• Under what circumstances (or to what extent) can a person’s voice be considered as personal data under Article 3 LOPD in conjunction with Article 5 R LOPD – now Article 4(1) of the General Regulation (EU)?

There are two legal requirements for the opt-out clause to come into play, (1) that the data processing is carried out by a private individual and (2) that it is carried out in the context of an exclusively private or domestic activity. This has been declared by the Supreme Court in the Order of 14 June 2019.

• In what terms should the balancing provided for in Article 7(f) of Directive 95/46/EC – now Article 6(1)(f) of the General Regulation (EU) – be carried out between the legitimate interest of the data controller and the protection of the data subject’s personal data?

Data processing carried out by a company in the course of its commercial activity cannot be considered as falling within the case of exclusion from data protection on the grounds that it concerns exclusively personal or domestic activities, even if the service provided by the company consists of facilitating a relationship between natural persons.

The commercial interests of a company responsible for a data file must yield to the legitimate interest of the data subject in the protection of the data.

Does keeping a personal address and telephone book violate data protection regulations?

Correspondence and the keeping of an address directory constitute, in the light of recital 12 of Directive 95/46, “exclusively personal or domestic activities”, even if they incidentally affect or may affect the private life or privacy of other persons.

May a telephone service operator offer subscriber data in directories and information services published by providers other than that operator?

The response of the CJEU Judgment of 27 October 2022: It is very clear.

• It cannot unless it has consent. And by consent he means the consent referred to in Article 4(11) of the General Data Protection Regulation.
• The ‘consent’ of the subscriber of a telephone service operator is therefore required in order for that subscriber’s personal data to be included in publicly available directories and directory enquiry services published by providers other than that operator, such consent being given either to that operator or to one of those providers, a request by a subscriber for the removal of his personal data from publicly available directories and directory enquiry services constitutes recourse to the ‘right of erasure’ within the meaning of that article.

Is there consent if the user signs the contract consenting to the processing of personal data?

The Courts (ECJ 2020 of 11 November 2020) are being extraordinarily restrictive:

• It is for the data controller to demonstrate that the data subject has given his or her consent to the processing of his or her personal data by active behaviour and that he or she has received, in advance, information regarding all the circumstances surrounding such processing, in an intelligible and easily accessible formulation using clear and plain language, enabling him or her to determine without difficulty the consequences of such consent, so as to ensure that the consent is given in full knowledge of the facts.

How can the data controller prove this?

Consent cannot be proven where …

• the box relating to such a clause has been ticked by the data controller prior to the signature of the contract, or where
• the contractual provisions of such a contract are likely to mislead the data subject as to the possibility of concluding the contract in question despite his or her refusal to consent to the processing of his or her data, or where
• the free choice to object to such collection and retention is unduly hindered by that controller by requiring the data subject, in order to refuse to give consent, to complete an additional form stating that refusal.

Can a company oblige an employee to provide the company with the employee’s telephone number and email address, and has the employee agreed to these conditions?

The Supreme Court Judgment of 21 September 2015, considered the clause – contractual type that provides the company with the employee’s telephone number and email address to be contrary to the right to the protection of personal data, because “given the circumstances – it is about the moment of access to a scarce asset such as employment – it can be understood that the consent on this matter is not completely free and voluntary”.

If you liked this article, you may also find it interesting to read the following one:

Data protection for startups