Urgent update: data protection and the state of alarm

It incorporates the interpretative criteria of:

• The Agencia Española de Protección de Datos [Data Protection Spanish Agency], at the website communication Notificación de brechas de seguridad de los datos personales durante el estado de alarma de 2 d’abril de 2020 [Security leaks’ notification of personal data during the state of alarm].

• The Juridical Cabinet of Catalan Government in Nota sobre l’aplicació de les disposicions addicionals tercera i quarta del Reial decret 463/2020,[Note about the entry on force of the third and fourth additional disposals of the Royal Decree 463/2020, of March 14th], for what it is declared the state of alarm for the management of the situation of sanitary crisis realted to the COVID-19.

The COVID-19’s sanitary crisis and the pandemia’s fast spread evolution has given place to the state of alarm by means of the Royal Decree 463/2020, of March 14th.
The state of alarm is one of the three states of emergency foreseen at the article 116 of the Spanish Constitution, together with the state of exception and the state of siege. This regulation is included in the Organic Law 4/1981, of  June 1st.
According to the article 4.b) of the Organic Law 4/1981, of  June 1st, the Government can declare the state of alarm across the entire or part of the national territory, when it is produces a severe alteration of the normality owed to sanitary crisis such the epidemics.
The Royal Decree 463/2020, of March 14th, establishes the adoption of several procedures with an initial length of 15 natural days that has been already lengthened by the Government until the 00:00 of the day 12th of April by regulations of the RoyalDecree 476/2020, of March 27th.

One of the areas that this adoption has impact is the public administration for what the Royal Decree foresees the suspension and stoppage of the terms for the processing of the procedures of the entities of the public sector.
The computation will restart at the moment that miss force the Royal Decree or its extensions.

El Reial decret considera entitats del sector públic les següents:

The Royal decree considers a public sector entity the following ones:

a) Any public organism and entity of public right public linked to the public administration.

b) Private right entities linked to the public administration.

c) Public universities.

Notification of security violation to the officer authority

The article 33 GDPR foresees a term of 72 hours for the notification to controller authority of security violations or leaks of personal data that constitute a risk for the rightss and the liberties of the people. If the notification is not produced in a term of 72 hours, it has to detail the reason of delay.
The Data Protectoin Spanish Agency released a communication on April the 2nd considering the suspension of terms foreseen in the third additional willingness of the Royal Decree 463/2020 does not affect at the debenture to notify the rapes of security that affect at personal data. Of chord with this, the managers and attendants of treatment, at fulfillment of the article 33 RGPD, are obliged to notify at the authority of control at the term of 72 hours, the rapes of security of the personal data that constitute a risk for the royalties and the liberties of the physical persons, without damage that at case of not having at this term of all the necessary information, can later magnify it by means of an additional notification.
Likewise, the managers have to take the necessary sizes that are necessary to eschew grave damages at the royalties and liberties of the persons affected by the violation, including, if escau, the communication of a rape of the security of the personal data at the interested foreseen at the article 34 RGPD, when the rape suppose a tall risk for the royalties and liberties of the interested.

References

AEPD. (2020). [Online]: Notificación de brechas de seguridad de los datos personales durante el estado de alarma. Extret el 7 d’abril de 2020 de https://www.aepd.es/es/prensa-y-comunicacion/blog/notificacion-de-brechas-deseguridad-de-los-datos-personales-durante-el
Departament de la Presidència. (2020). [Online]: Instruccions i informes jurídics en relació a la situació generada pel COVID-19. Extret el 7 d’abril de 2020 de  https://presidencia.gencat.cat/ca/ambits_d_actuacio/organsconsultius/gabinet_juridic/instruccions-i-informes-juridics-covid-19/