Key Benefits:
Title VI of Organic Law 5/1992, of October 29, of Regulation of Automated Treatment of Personal Data, has configured the Data Protection Agency as the independent entity to guarantee the compliance with the forecasts and mandates set out therein.
Some aspects of this entity have been subject to regulation in the Law itself, which has not, however, exhausted the matter and has entrusted the Government with the regulation of the organic structure and the approval of the Statute of the Agency Data Protection.
By means of this provision it is necessary to complete the double mandate by integrating the structure of the entity into its own Statute.
In its virtue, on the proposal of the Ministers of Justice and for the Public Administrations, in agreement with the Council of State and after deliberation of the Council of Ministers at its meeting of the day of March 26, 1993,
D I S P O N G O:
Single item.
In accordance with the provisions of Article 34.2 and the final provision of the Organic Law 5/1992, of 29 October, of Regulation of the Automated Treatment of Personal Data, the Statute of the Data Protection Agency, the text of which is inserted below.
Single additional disposition.
By the Ministry of Economy and Finance, the necessary appropriations will be provided for the installation and operation of the Data Protection Agency, as long as the first budget of expenditure and revenue of the same.
Single end disposition.
This Royal Decree will enter into force on the twentieth day of its publication in the "Official Gazette of the State".
Dado en Madrid a 26 de marzo de 1993.
JOHN CARLOS R.
The Minister of Relations with the Courts
and the Government Secretariat,
VIRGILIO ZAPATERO GOMEZ
DATA PROTECTION AGENCY STATUTE
Chapter I
General provisions
Article 1. The Data Protection Agency.
1. The Agency for Data Protection is a body governed by public law as provided for in Article 6 (5) of the recast text of the General Budget Law, adopted by Royal Decree No 1091/1988 of 23 September 1988, which has the the purpose of ensuring compliance and application of the provisions of the Organic Law 5/1992 of 29 October of Regulation of the Automated Treatment of Personal Data.
2. The Data Protection Agency acts with the full independence of the Public Administrations in the exercise of its functions and relates to the Government through the Ministry of Justice.
Article 2. Legal framework.
1. The Data Protection Agency has its own legal personality and full public and private capacity.
2. The Data Protection Agency shall be governed by the following laws and regulations:
(a) Title VI of the Organic Law 5/1992, of 29 October, of Regulation of Automated Treatment of Personal Data.
(b) This Statute and other provisions for the development of Organic Law 5/1992.
(c) In the absence of the foregoing, and for the exercise of its public functions, the procedural rules contained in Law 30/1992, of 26 November, of the Legal Regime of Public Administrations and of the Procedure Common Administrative.
(d) The precepts of the General Budget Law, recast text approved by Royal Legislative Decree 1091/1988, of 23 September, which are applicable.
e) How many other provisions are applicable.
3. The Agency shall perform its duties through the Director, to the effect that the acts of the Director are considered acts of the Agency.
4. The acts adopted by the Director in the exercise of the Agency's public functions deplete the administrative route. They may be brought against the administrative and administrative resources resulting from them.
Chapter II
Data Protection Agency Functions
Article 3. Functions.
1. It is for the Data Protection Agency to exercise the functions conferred on it by Article 36 of the Organic Law 5/1992.
2. For this purpose, the Data Protection Agency may be directly responsible for the holders and persons responsible for any personal data files.
Article 4. Relationships with those affected.
1. The Data Protection Agency shall inform the persons of the rights that the Law recognizes in relation to the automated processing of their personal data and to this effect it will be able to promote campaigns of dissemination, using the means of social communication.
2. The Agency shall address the requests addressed to it by the persons concerned and shall resolve the complaints made by them, without prejudice to the remedies available.
Article 5. Cooperation in the elaboration and implementation of standards.
The Data Protection Agency shall collaborate with the competent bodies as regards the normative development and application of the rules that have an impact on the law of the Organic Law 5/1992, and to this effect:
a) It will inform preceptively the draft general provisions of the development of the Organic Law.
b) It will inform preceptively any bills or regulations that have an impact on the own matter of the Organic Law.
c) It will dictate precise instructions and recommendations for adapting automated treatments to the principles of Organic Law.
d) It will dictate recommendations for the implementation of laws and regulations regarding data security and file access control.
Article 6. Statistical files.
The Data Protection Agency shall exercise control of compliance with the provisions of Articles 4, 7 and 10 to 22 of Law 12/1989 of 9 May of the Civil Statistics Service, and in particular:
a) It shall inform in a prescriptive manner the content and format of the questionnaires, census sheets and other data collection documents for statistical purposes.
b) Dictate on the processes of automated collection and processing of personal data for statistical purposes.
c) Report on the draft laws requiring mandatory data and their compliance with the provisions of Article 7 of the Law on the Public Statistical Function.
(d) Dictate the security conditions of files that are exclusively statistical purposes.
Article 7. Advertisement of the automated files.
The Data Protection Agency shall ensure that the existence of the automated files of personal data is published, to which effect it will publish and disseminate an annual catalogue of the files entered in the Register General Data Protection, with the expression of information under the provisions of Article 36 (j) of Organic Law 5/1992, determine the Director.
Article 8. Annual memory.
1. The Data Protection Agency shall draw up an annual report on the application of the Organic Law 5/1992 and the other laws and regulations on data protection, which shall include, in addition to the necessary information on the Operation of the Agency:
a) A relationship of the type codes deposited and entered in the General Data Protection Register.
b) An analysis of the legislative, jurisprudential and doctrinal trends of the different countries in terms of data protection.
c) An analysis and assessment of data protection issues at national level.
2. The Annual Report shall be forwarded by the Director to the Minister of Justice for further submission to the General Courts.
Article 9. International relations.
1. It is for the Data Protection Agency to cooperate with international bodies and bodies of the European Communities in the field of data protection.
2. The Agency shall provide assistance to the authorities designated by the States Parties to the Council of Europe Convention of 28 January 1981 on the protection of persons with regard to the automated processing of personal data, for the purposes referred to in Article 13 of the Convention.
Article 10. Schengen Information System.
1. The Data Protection Agency shall exercise the control of personal data entered in the Spanish national part of the Schengen Information System (SIS) database.
2. The Director of the Agency shall designate two representatives for the Common Data Protection Control Authority of the Schengen Information System.
Chapter III
Data Protection Agency Organs
Section 1. Organic structure of the Data Protection Agency
Article 11. Organic structure.
The Data Protection Agency is structured in the following organs:
1. The Director of the Data Protection Agency.
2. The Advisory Board.
3. The General Register of Data Protection, the Data Inspection and the General Secretariat, as hierarchically dependent organs of the Director of the Agency.
Section 2. The Director of the Data Protection Agency
Article 12. Address functions.
1. The Director of the Data Protection Agency directs the Agency and has its representation.
2. It is for the Director of the Data Protection Agency to issue resolutions and instructions requiring the exercise of the Agency's functions, in particular:
(a) Resolve in a reasoned manner on the provenance or provenance of the inscriptions to be practiced in the General Data Protection Register.
b) Require those responsible for private ownership files to address deficiencies of the type codes.
(c) Motivately resolve, prior to the report of the person responsible for the file, the origin or the origin of the refusal, in whole or in part, of the access to the automated police or tax files.
(d) Authorize temporary or final transfers of data that have been subject to automated processing or collected for that purpose, to countries whose legislation does not offer a level of protection equivalent to that of the Law Organic 5/1992 and the present statute.
e) To convene regularly the competent bodies of the Autonomous Communities for the purpose of institutional cooperation and coordination of criteria or procedures for action.
f) To obtain from the various Public Administrations the information necessary for the performance of their duties.
g) Request from the corresponding bodies of the Autonomous Communities, as referred to in Article 40 of the Organic Law 5/1992, the information necessary for the performance of their functions, as well as to facilitate the information to be requested for identical purposes.
(h) Adopt interim and interim measures requiring the exercise of the Agency's sanctioning power in relation to those responsible for the private files.
i) Start, boost instruction, and resolve sanctioning files for private file managers.
(j) To initiate the opening of disciplinary proceedings in cases of breaches by bodies responsible for public administration files.
k) Authorize the entry in the premises where the files are found, in order to proceed to the relevant inspections, without prejudice to the application of the rules that guarantee the inviolability of the domicile.
Article 13. Management functions.
1. It also corresponds to the Director of the Data Protection Agency:
(a) Award and formalise contracts that require the management of the Agency and monitor its compliance and enforcement.
b) Approve expenses and order payments within the limits of the Agency's expenditure budget appropriations.
c) Exercise the financial and economic control of the Agency.
d) Schedule the management of the Agency.
e) Develop the Agency's preliminary draft budget.
f) Propose the Agency's employment relationship.
g) Approve the Agency's Annual Memory.
h) Order the convening of the Advisory Council meetings.
2. The Director may delegate to the Secretary-General the performance of the tasks referred to in points (a), (b), (d), (e) and (f) of the previous paragraph.
Article 14. Appointment and mandate.
1. The Director of the Data Protection Agency shall be appointed by the Government, through Royal Decree, on a proposal from the Minister of Justice, from among the members of the Advisory Board.
2. The Director of the Data Protection Agency shall enjoy the same honors and treatment as the Undersecretaries.
3. The term of office of the Director of the Data Protection Agency shall be four years from his appointment and shall only cease for the reasons provided for in Article 15 of this Statute.
Article 15. Cessation and separation.
1. The Director of the Data Protection Agency shall cease in the performance of his duties for the expiration of his or her mandate or, in advance, at his or her own request.
2. The Government may only agree to the separation of the Director of the Data Protection Agency before the expiry of the term of his/her term of office in the following cases:
a) Serious failure of the duties of the office.
b) Overcoming for the exercise of their functions.
c) Incompatibility.
d) Conviction for intentional crime.
The separation will be agreed upon by the Government, through Royal Decree on the proposal of the Minister of Justice, on the basis of an investigation of the case, in which the remaining members of the Advisory Council will be heard.
3. The position of Director of the Agency for Data Protection is subject to the incompatibilities that are provided for in the high charges by Law 25/1983 of December 26.
Article 16. Independence.
1. The Director of the Data Protection Agency shall carry out his duties with absolute dedication, full independence and total objectivity.
2. The Director shall not be subject to an imperative mandate, nor shall he receive any instructions of authority.
Article 17. Remuneration.
1. The Director of the Data Protection Agency shall receive the remuneration of the Deputy Secretaries in the General Budget of the State.
2. The remuneration shall be incompatible with the collection of pension liabilities or any public and compulsory social security scheme, with such perceptions remaining on hold during the term of office.
Section 3. The Advisory Board
Article 18. The Advisory Board.
1. The Advisory Board of the Data Protection Agency, established by Article 37 of the Organic Law 5/1992, of 29 October, is a collegiate body of advice from the Director of the Data Protection Agency.
2. The Advisory Board shall issue a report on all matters submitted to it by the Director of the Data Protection Agency and may make proposals on matters relating to the matters of competence of the Agency.
Article 19. Proposal and appointment.
1. The members of the Advisory Board shall be proposed as follows:
a) The Congress of Deputies will propose, as Vocal, a Deputy.
b) The Senate will propose, as Vocal, a Senator.
(c) The Minister of Justice shall propose to the Vocal of the General Administration of the State.
(d) The Autonomous Communities shall decide, by agreement adopted by a simple majority, the Vocal to propose.
e) The Spanish Federation of Municipalities and Provinces will propose to the Local Administration Vocal.
f) The Royal Academy of History will propose, as a Vocal, a member of the Corporation.
g) The Council of Universities will propose to a Vocal expert in the field of higher education teaching bodies and researchers with accredited knowledge in the automated processing of data.
(h) The Consumer and Users ' Council will propose, by means of terna, to the user and consumer Vocal.
i) The Higher Council of Chambers of Commerce, Industry and Navigation will propose, through a third party, the private file sector Vocal.
2. The proposals will be elevated to the Government through the Minister of Justice.
3. The members of the Advisory Board shall be appointed and, where appropriate, terminated by the Government.
Article 20. Deadline and vacancies.
1. Members of the Advisory Board will serve for four years.
2. The following assumptions are excepted from the above paragraph:
a) Appointment of the Vocal as Director of the Data Protection Agency.
b) Early Renunciation of the Vocal.
c) Loss of the condition that enabled the Vocal to be proposed, in the assumptions provided for in points (a), (b), (f) and (g) of paragraph 1 of the previous article.
d) Proposal for a cessation of the institutions, bodies, corporations or organizations referred to in the previous article.
3. Vacancies occurring within the Advisory Board before the expiry of the period referred to in paragraph 1 shall be covered within the month following the date on which the vacancy occurred, in accordance with the procedure laid down in the Article previous and for the time to complete the mandate of who caused the vacancy to be filled.
4. The members of the Advisory Board shall not receive any remuneration, without prejudice to the payment of duly justified expenditure which causes them to exercise their function.
Article 21. Renewal of the Advisory Board.
1. Before the end of the term of office of the members of the Advisory Council, the Government, through the Minister of Justice, shall require the institutions, bodies, corporations and organisations referred to in Article 19 of this Statute to the names of the persons they propose for a new term of office in the Advisory Council, which shall be made within the month following the formulation of the said requirement.
2. After the deadline for completing the requirement has elapsed, the Government will proceed, without further formalities, to appoint as members of the Advisory Council to the proposed ones, who will take possession of their condition on the same date as the expiration of the deadline. the previous term of office of the members of the Council.
Article 22. Operation.
1. In the absence of specific provisions of this Statute, the Advisory Board shall adjust its action, as far as it applies, to the provisions of Chapter II of Title II of Title II of Law No 30/1992 of 26 November 1992 on the Public Administrations and the Common Administrative Procedure.
2. The Consultative Council shall adopt its agreements in plenary.
3. He shall act as chairman of the Advisory Board of the Director of the Data Protection Agency.
4. He shall act as secretary of the Advisory Council, with a voice and without a vote, the holder of the General Secretariat of the Data Protection Agency. In the case of vacancy, absence or illness, the Secretary-General appointed by the Director of the Agency shall act as secretary-general to that effect.
5. The Advisory Board shall meet when the Director of the Agency so decides, which shall, in any event, convene once every six months. It shall also meet at the request of the majority of its members.
6. The Secretary shall convene the meetings of the Advisory Board of the Director of the Agency and shall forward the call to the members of the Council.
7. The Advisory Council shall be validly constituted, on the first call, if the President, the Secretary and half of the members of the Council are present, and, on the second call, if the President, the Secretary and the Chair are present. third part of the members of the Council.
Section 4. The General Data Protection Register
Article 23. The General Data Protection Registry.
The General Register of Data Protection is the organ of the Data Protection Agency to which it is responsible to ensure that the existence of the automated files of personal data, with a view to making possible exercise of the rights of information, access, rectification and cancellation of data regulated in Articles 13 to 15 of the Organic Law 5/1992, of October 29.
Article 24. Inscribable files.
1. Automated files containing personal data and of which they are the holders shall be recorded in the Register:
a) The General Administration of the State.
b) Social Security entities and agencies.
c) The autonomous agencies of the State, whatever their classification.
(d) State companies and public sector entities referred to in Article 6 of the General Budget Law.
(e) The Administrations of the Autonomous Communities and their Historical Territories, as well as their entities and dependent bodies, without prejudice to the registration of the records referred to in Article 40.2 of the Law Organic 5/1992.
f) The entities that make up the Local Administration and the entities and bodies that are dependent on it.
g) Other legal persons, as well as private, natural or legal persons.
2. In the entries for the registration of the files of public ownership, the information contained in the general arrangement of creation or modification of the file, in accordance with the provisions of Article 18.2 of the Organic Law, shall be included in any case. 5/1992, 29 October.
3. In the entries for the registration of the files of private ownership, in any case, the information contained in the notification of the file except for the security measures, as well as the changes of purpose of the file, of responsible and the location of the file.
4. The entries for the registration of any personal data files shall include the data relating to the files necessary for the exercise of the rights of information, access, rectification and cancellation.
Article 25. Documents and documents entered.
The following acts and documents shall be entered in the General Data Protection Register:
(a) Authorisations for the transfer of personal data to other countries, in cases where, within the meaning of Article 32 of the Organic Law 5/1992 of 29 October, the transfer of authorisation is required prior to the Director.
(b) Type codes produced under the provisions of Article 31 of Organic Law 5/1992.
Article 26. Registration and certifications.
1. It is for the General Data Protection Registry to instruct the records of the registration of the automated files of private and public ownership.
2. It also corresponds to the General Data Protection Register:
a) Inform the modification and cancellation files for the contents of the seats.
b) To instruct the authorization files for international data transfers.
c) To rectify the material errors of the seats.
d) Exorder certifications from seats.
e) Publish an annual relationship of the reported and enrolled files.
Section 5. The Data Inspection
Article 27. The Data Inspection.
1. The Data Inspectorate is the organ of the Data Protection Agency which is responsible for the functions inherent in the exercise of the power of inspection, which is attributed to the Agency by Article 39 of the Organic Law 5/1992 of 29 October 1992.
2. Officials carrying out inspection duties shall be considered to be a public authority in the performance of their duties, and shall be obliged to keep secret of the information they know in the exercise of the said functions, even after they have ceased on the same.
Article 28. Inspecting functions.
1. In particular, it is up to the Data Inspectorate to carry out inspections, periodic or circumstantial, ex officio or at the request of the affected, of any files, of public or private ownership, in the premises where the files are found and the corresponding computer equipment, and for that purpose it may:
a) Browse the information media that contains the personal data.
b) Browse physical equipment.
c) Require program pass and examine relevant documentation in order to determine, if necessary, the algorithms of the processes of the data being the object.
d) Browse the data transmission and access systems.
e) Conduct audits of computer systems with a view to determining their compliance with the provisions of the Organic Law 5/1992.
f) Require the display of any other relevant documents.
g) Require the submission of all accurate information for the exercise of the inspecting functions.
2. The person responsible for the file shall be obliged to allow access to the premises in which the files and computer equipment are displayed on display by the official of the authorization issued by the Director of the Agency. Where such premises have the legal status of domicile, the inspection must also comply with the rules guaranteeing its inviolability.
Article 29. Instructional functions.
It is for the Data Inspectorate to exercise the acts of instruction relating to the sanctioning files referred to in Article 12.2.h) of this Statute.
Section 6. The General Secretariat
Article 30. Support and execution functions.
Corresponds to the General Secretariat:
a) Develop the reports and proposals that the Director asks for.
b) Notify Director resolutions.
c) Exercise the Secretariat of the Advisory Board.
d) Manage the personal and material resources attached to the Agency.
e) Understanding the economic and administrative management of the Agency's budget.
f) Take the inventory of goods and rights that are integrated into the Agency's heritage.
g) Managing matters of a general nature not attributed to other bodies of the Agency.
Article 31. Other functions.
It also applies to the General Secretariat:
a) Forming and updating a documentation fund on legislation, case law, and doctrine on the protection of personal data and any related matters.
b) Edit the official repertoires of files entered in the General Register of Data Protection, the Agency's annual Memories and any publications of the Agency.
c) Organise conferences, seminars and any international and interregional cooperation activities on data protection.
(d) Facilitate the information referred to in Article 4.1 of this Statute.
CHAPTER IV
Economic, wealth and personnel regime
Section 1. Economic regime
Article 32. Economic resources.
The economic resources of the Data Protection Agency will include:
(a) The allocations to be made annually from the General State Budget.
(b) The grants and contributions that are granted in their favour, from specific funds of the European Economic Community.
c) Revenue, ordinary and extraordinary income from the exercise of its activities.
(d) The income and products of the assets, rights and values of their assets.
e) The product of the disposal of your assets.
f) Other than legally allowed to be attributed to you.
Article 33. Accounting and control.
1. The Data Protection Agency shall adjust its accounts to the General Plan of Public Accounting and other provisions that are applicable, without prejudice to the obligation to report to the Court of Auditors through the Intervention General of State Administration, as provided for in the General Budget Law.
2. The annual exercise shall be computed by calendar years, beginning on the 1st of the month of January of each year.
3. The control of the economic and financial activities of the Agency shall be carried out in accordance with Article 17.1 of the General Budget Law, on a permanent basis.
Article 34. Budgets.
1. The Data Protection Agency shall annually draw up a preliminary draft budget, with the structure indicated by the Ministry of Economy and Finance, and forward it to the Ministry for further elevation to the Government in order to be integrated with due independence in the General Budget of the State.
2. Amendments to the Agency's budget shall be authorised by the Director in the case of internal amendments which do not increase the amount of the budget and are the result of the needs arising during the financial year.
3. The Agency shall be authorised by the Minister for Economic Finance when not exceeding 5 per 100 of its expenditure budget and by the Government in other cases.
Section 2. Heritage scheme
Article 35. Heritage.
1. The Data Protection Agency shall have its own assets, other than that of the State, consisting of the goods, rights and securities that it acquires for consideration or is transferred or donated to it by any person or entity.
2. The goods which the State ascribe to the Agency shall be affected by its service and shall retain the original legal status, and must be used exclusively for the purposes for which they are attached.
Article 36. Procurement and procurement.
1. The Data Protection Agency shall be governed by the provisions of private law with regard to acquisitions and disposal of goods.
2. The assets to be acquired by the Agency shall be integrated into their assets.
3. Contracts concluded by the Agency shall be governed by the provisions of private law, without prejudice to the award of contracts being agreed upon prior to advertising and promotion of competition.
Section 3. Staff scheme
Article 37. Relationship of jobs.
1. The Data Protection Agency shall propose to the competent bodies, through the Ministry of Justice, the employment relationship of the Agency.
2. The employment relationship shall comprise:
(a) Jobs to be carried out by official staff. The holders of the bodies referred to in Article 11.3 shall have the rank of Subdirector-General.
b) Jobs to be carried out by labour personnel, with the expression of the factors that, according to the tasks of each job, determine the impossibility of their performance by official staff.
3. The descriptions of the posts shall expressly indicate the obligation which, in accordance with Articles 10 and 39 of the Organic Law 5/1992 of 29 October, corresponds to the staff in respect of the observance of the confidentiality of the personal data, which the holders of each post are aware of in the performance of their tasks.
Article 38. Remuneration.
The remuneration of the Agency's staff and staff shall be in accordance with the provisions of the annual budget laws.
Article 39. Provision of jobs.
1. The Data Protection Agency shall provide the posts attached to the official staff in accordance with the law of the Civil Service.
2. The positions assigned to the workforce shall be provided by public notice and in accordance with the principles of equality, merit and capacity.
Additional disposition first. Deadline for making the nomination proposals.
Within one month of the entry into force of this Statute, the institutions, bodies, corporations and organizations referred to in Article 19 of this Statute shall communicate the names of the persons to whom the propose for appointment as members of the Advisory Board.
Additional provision second. Appointment of the members of the Advisory Board.
After the deadline set out in the first provision, the Government shall appoint without further processing to the members of the Advisory Council that have been proposed and shall appoint the Director of the Agency from among them.
Additional provision third. Files excluded.
1. In the terms and limits laid down in Articles 21.3 and 40 of the Organic Law 5/1992 of 29 October, the automatic files of personal data created or created are excluded from the scope of this Statute. managed by the Autonomous Communities.
2. The files referred to in Article 2 (2) and (3) of the Organic Law 5/1992 of 29 October of 29 October, except as provided for in this last paragraph for files which are not covered by this Regulation, shall also be excluded from the scope of this Statute. serve exclusively for statistical purposes.
