DPA: Spanish DPA. Agencia Española de Protección de Datos (AEPD) KEY WORDS: memory 2015, Spanish cooperation, Regional cooperation

Transcription

1 1. W PHAEDRA II - IMPROVING PRACTICAL AND HELPFUL CO-OPERATION BETWEEN DATA PROTECTION AUTHORITIES II DPA: Spanish DPA. Agencia Española de Protección de Datos (AEPD) TITLE: Spanish DPA publishes the Annual Memory of 2015 DATE: June 2016 KEY WORDS: memory 2015, Spanish cooperation, Regional cooperation WEBSITE:lhttp:// mon/memorias/2015/memoria_aepd_2015.pdf ABSTRACT: On June 21 st, 2016, the Spanish DPA presented the Annual Memory of The Memory explains exhaustively the activity and functioning of the various areas of the institution, it summarizes the most important trends, decisions and procedures of the year and analyses present and future challenges in the field of data protection. More importantly, it gives an overview of the cooperation in which the Agency has engulfed during the year The AEPD has, inter alia, signed a new collaboration agreement, participated to events and seminars, intervened in EU Working Parties or sent experts for evaluation missions. Moreover, its international cooperation does not preclude the Agency from cooperating with other regional Spanish DPAS (Catalan Authority of Data Protection, Basque Agency of Data Protection). ASSESSMENT The AEPD cooperates actively in the international framework through various means: 1. Working Parties: Ø Article 29 Working Party (GT29): the AEPD has assisted in Brussels to 5 ordinary Plenary Sessions of the GT29 and to 1 extraordinary Plenary Session. Moreover, it has also participated to 17 subgroup meetings. Ø Working Party on Information Exchange and Data Protection (DAPIX): representatives from the AEPD were able to cooperate with their counterparts 12 times in the Council of the European Union in 2015.

2 2. Area of police and judicial cooperation Ø Schengen Evaluations: the AEPD develops an active role by sending experts to evaluation missions. Experts have participated in 2015 in the evaluation of Austria and Germany. Ø Schengen Information System (SIS) Supervision Coordination Group: the Spanish DPA is engaged with the activities carried out by this group in Brussels, for instance: agreement on a joint cooperation framework and audit of the alerts issued in the SIS II or review of the procedures of access rights to data included in the SIS. Ø Europol Joint Supervisory Body (JSB): the AEPD has participated in the reviewing of the activities of Europol: it took an active role in the annual audit of Europol and in the compliance of the agreement between the EU and the USA on the processing and transfer of financial messaging data from the EU to the USA. The AEPD was present in 5 meetings of the JSB in Brussels and in The Hague. Ø Eurojust Joint Supervisory Body (JSB): the AEPD participated with its experts in The Hague in the auditing of Eurojust. Later, it participated to advisory activities regarding the technical implementation of the recommendations set out by the audit. Ø Visa Information System and Eurodac coordinated supervision: the AEPD participated to the activities of joint supervision of these bodies in Brussels. 3. Conferences and Seminars Ø Spring Conference of European Data Protection Authorities: the AEPD participated in Manchester (UK) to this conference. Ø International Conference of Data Protection and Privacy Commissioners: the AEPD not only participated in Amsterdam to this conference, it also took the role of coordinator along with the Swiss Authority of Data Protection- of a new Working Party in charge of studying the links between privacy and international humanitarian action. Ø Privacy Global Conference organized by the International Association of Privacy Professionals (IAPP): this Conference held in Washington DC was an opportunity for the AEPD to meet with representatives of the US Administration and the Federal Trade

3 Commission as well as with eminent American privacy experts. The director of the AEPD was invited to participate in one of the panels treating the Right to be forgotten. Ø Ibero-American Data Protection Network: the AEPD has actively participated in numerous forums, inter alia: the XIII Ibero-American Meeting on Data Protection (Lima), Freedom of expression and personal data protection Forum (Mexico DF), III International Data Protection Congress (Medellín, Colombia), Ø Participation to other International Conferences, Meetings, etc: Iberian Meeting on Data Protection held in Lisbon, Data protection and massive data processing Workshop held in Madrid, Big Data Code of Ethics Meeting held in Paris, and many others. 4. Agreements The President of the Spanish DPA signed in October 2015 a collaboration agreement with the President of the INAI (the Mexican National Institute of Transparency, Access to Information and Personal Data Protection ) and the President of the Data Protection Ibero- American Network. This agreement was an extension of the former agreement. A commitment was reached to formalize a new more comprehensive agreement during the 2016 XIV Ibero-American Meeting. At a national level, the AEPD has cooperated with the Spanish Autonomous Communities by: Ø Promoting cooperation procedures with regional authorities: The Transparency and Data Protection Council of Andalucía was created. Ø Collaborating in the sharing of Data Protection records: the AEPD maintains its cooperation with the Catalan Authority of Data Protection and Basque Agency of Data Protection with regards to the Data Protection recors. Ø Participating in Workshops and meetings with Regional DPAS. ORIGINAL TEXT 171 pages in Spanish: s/2015/memoria_aepd_2015.pdf

4 ENGLISH VERSION Google Translate AEDP Memory 2015 (Summary) Improper insertion in files delinquency and illegal employment, main claims raised before the AEPD The Agency has published its report for 2015 Report, where an increase of 15,70% is observed in the number of complaints and claims settled. The sectors most penalized in 2015 have been telecommunications, financial institutions, and supply and marketing of energy and water. Queries raised before the AEPD rose more than 10% in 2015, surpassing the 218,000 issues. The right of cancellation remains the most exercised by citizens, which prioritize their data to be deleted when requested. Madrid, June 21, The Spanish Data Protection Agency (AEPD) has today published its Annual Report 2015, which comprehensively reflects the activity and operation of the various areas of the institution, the most important trends, decisions and most important of the year procedures and a thorough analysis of the present and future challenges in the field of data protection. The analysis of the annual activity reflects an increase in the number of complaints and claims settled. Thus in 2015 they have been resolved 10,871 complaints compared with 9,404 settled in 2014 ( %). As for the claims of citizens to exercise their rights of access, rectification, cancellation and opposition (ARCO), 2,113 have been resolved in 2015 compared to 1,818 in 2014 (+16,23). These data show that there has been an average increase in the resolution of complaints and denunciations of 15,70% compared to With regard to complaints and claims raised before the AEPD by citizens in 2015, they received a Total 10,571, a figure that represents a consolidation over previous years after the surge in Improper insertion in files delinquency and illegal employment are among the main complaints raised before the Spanish Data Protection Agency by citizens. One in three affected reported to the AEPD issues related to the field of delinquency, in particular the

5 inclusion in common files, the claim for unpaid debts or irregular recruitment services offered by telecommunications operators, financial institutions and energy companies. In connection with these behaviors it is necessary that undue influence inclusion in default files produces negative effects especially for those affected by that businesses should exercise extreme diligence before reporting inaccurate information. In this respect, the Strategic Plan of the Agency, of which the main lines are included in the report includes a series of actions focused on both work with companies to improve their data protection policies in this area as to guide citizens about what you can do to claim their rights. These measures, on which the AEPD is already working include, in addition to meetings with the main offenders sectors to address the deficiencies and audit the implementation of solutions, an update of the sector plan officially on data control telephone recruitment, development of a Guide for filing complaints and claims in telecommunications, collaboration with governments and social organizations aimed at protecting consumers and users, and the development of practical information sheets for citizens. As regards the proceedings initiated resolved at the request of citizens who come to the agency claiming the protection of their rights -habiéndolo previously exercised before the controller, who has not denied or respondido- rank first cancellation procedures (1329) followed, in order, of the provisions relating to (608), opposition (130) and rectification (97). These figures show, once again, that citizens prioritize stop entities treat your personal information when requested. In the case of guardianship proceedings by the so-called right to oblivion against search engines, from the judgment of the Court of Justice of the European Union in 2014, the Agency has issued 371 resolutions, in which estimated the request of the citizen 157 occasions and dismissed in 82. in 131 cases the petition was declared inadmissible because the complainants had not previously directed the seeker requesting the cancellation of the data as required by law. In 2015 almost 220,000 queries raised by citizens through different channels (+10.6 compared to 2014), of which we must highlight the rise of the questions through the Electronic Office of the Agency, was attended one increase of 23.6% over the previous year. These data show the growing acceptance of citizens to stay in contac to with the Administration using electronic

6 services. In this regard it should also be mentioned that more than 90% of the notifications of General Data Protection Register are made through Internet. Following the registration of files in the registry by the obligors, it ended 2015 with more than 4.1 million registered files, representing an increase of almost 10% over the end of the previous year. Of these, 3,950,620 files are privately owned (96.17%) and publicly owned 157,324 (3.82%). The law firm of AEPD last year issued 485 reports that responded to queries raised both by government bodies (305) and private entities (180). As for mandatory reports, those that aim to integrate the principles and guarantees the fundamental right to data protection in sectoral regulations, the Agency conducted in 2015 a total of 146. As for the judgments of the High Court relapse appeals against decisions of the AEPD, the total of 201 judgments in 2015, 76% confirmed the criteria of the Agency on the merits. Declarative infringement resolutions have fallen by 5% and total economic sanctions imposed in 2015 has decreased by 19.35% (13,712,621 euros) compared to The main causes of this decline lies down ( -8.7%) in the infringements found with economic sanctions and the use of the figure of the warning (+ 26%) for cases in which no financial penalty to be mainly individuals and SMEs imposed on the criteria apply decrease of guilt and unlawfulness required under the law, and the requirement of not having been previously sanctioned or ready against. The Larger penalties were awarded to telecommunications companies (51% of total), financial institutions (17%) and companies responsible for the supply and marketing of energy or water (8.7%), followed by the infringements found by electronic communications - spam- trade (6.5%). From these figures, compared to 2014, it is remarkable the easing of sanctions imposed on telecommunications companies (-34%) or to those of the aforementioned supplies (-35%). On the other hand, the sanctions declared volume in 2015 up 18.7% over 2014 in the case of financial institutions and 39% in the case of violations by spam. In the case of Public Administration, in 2015 there has been a rise of 11.7% in the number of declared violations, an increase of 30% in the determined procedures, i.e. 78 settled procedures have resulted in 57 statements infringement.

7 The Agency presented in November 2015 its Strategic Plan , having received in the public consultation phase almost 400 contributions from citizens, responsible treatment, experts in data protection and public and private organizations. In the actions carried out during 2015 and included in the report include prevention actions in education and child protection, with the launch of several communication channels for young people, parents and teachers; a new version of the web You decide on the Internet; and materials such as guides not get entangled in internet aimed at minors, and Guide them on the internet for parents and teachers. Also, in late 2015, the Agency established a Unit for admissibility of complaints of citizens, specifically responsible for analyzing the complaints received to allow, in a short time span since its introduction, indicate the evidence on which collaboration the claimant is required to support the claim, providing information on how they can get them. The creation of this Unit aims to improve the management and care to citizens.