Data privacy enhanced with new regulations
The Ministry of Transport, Communications and Information Technology has released the executive regulation of the Personal Data Protection Law, as outlined in Ministerial Decision No 34/2024.
The regulation aims to establish a comprehensive framework for the procedures, controls, conditions and legal timelines for personal data protection, in line with Royal Decree No 6/2022.
Key highlights of the regulation include the mandatory requirement of obtaining a permit prior to processing personal data, as stipulated in Article 5 of the law. Special emphasis is placed on safeguarding children's personal data, alongside outlining clear procedures for data subjects to exercise their rights.
The regulation mandates obtaining a processing permit, details the application process - including submission of a personal data protection policy - and outlines measures to address data breaches. Permits are valid for up to five years, with specific guidelines for renewal, amendment and cancellation.
The regulation requires explicit consent from a child's guardian before the child's data is processed, underscoring the protection of vulnerable data subjects.
Rights of personal data owners are clearly defined, encompassing the revocation of consent, modification, access to processed data, data portability and erasure, except where necessary for national preservation. Additionally, data subjects must be notified of any personal data breaches and the consequent actions taken.
Controllers and processors are bound by several obligations, including obtaining express consent from data subjects, adhering to child data processing controls, and maintaining transparency through a visible personal data protection policy. They must also ensure confidentiality, retain processing documents, establish a personal data processing activities record, appoint a Personal Data Protection Officer, and comply with extraterritorial data transfer controls.
In the event of a data breach, controllers are required to notify the ministry within 72 hours, potentially followed by notifying affected data subjects if the breach poses serious harm or risks.