What Needs to be Done Prior to Collection
Contact the data subject
Contact the Information Commissioner
Article 5
Right of information in the collection of data
1. Data subjects from whom personal data is requested must previously be informed explicitly, precisely and unequivocally of the following:
a) The existence of a file or personal data processing operation, the purpose of collecting the data, and the recipients of the information.
b) The obligatory or voluntary nature of the reply to the questions put to them.
c) The consequences of obtaining the data or of refusing to provide it.
d) The possibility of exercising rights of access, rectification, erasure and objection.
e) The identity and address of the controller or of his representative, if any.
Where the controller is not established on the territory of the European Union, and he is using for the processing means situated on Spanish territory, he must, unless these means are being used for transit purposes, designate a representative in Spain, without prejudice to any action which may be taken against the controller himself.
2. Where questionnaires or other forms are used for collection, they must contain the warnings set out in the previous paragraph in a clearly legible form.
3. The information set out in subparagraphs (b), (c) and (d) of paragraph 1 shall not be required if its content can be clearly deduced from the nature of the personal data requested or the circumstances in which it is obtained.
4. Where the personal data have not been obtained from the data subject, he must be informed explicitly, precisely and unequivocally by the controller or his representative within three months from the recording of the data - unless he has been informed previously - of the content of the processing, the origin of the data, and the information set out in (a), (d) and (e) of paragraph 1 of this Article.
5. The provisions of the preceding paragraph shall not apply where explicitly provided for by law, when the processing is for historical, statistical or scientific purposes, or when it is not possible to inform the data subject, or where this would involve a disproportionate effort in the view of the Data Protection Agency or the corresponding regional body, in view of the number of data subjects, the age of the data and the possible compensatory measures.
The provisions of the preceding paragraph shall also not apply where the data comes from sources accessible to the public and is intended for advertising activity or market research, in which case each communication sent to the data subject shall inform him of the origin of the data, the identity of the controller and the rights of the data subject.
Contact the Information Commissioner
Article 26
Notification and entry in the register
1. Any person or body creating files of personal data shall first notify the Data Protection Agency,
2. Detailed rules shall be established for the information to be contained in the notification, amongst which must be the name of the controller, the purpose of the file, its location, the type of personal data contained, the security measures, with an indication of whether they are of basic, medium or high level, any transfers intended and, where applicable, any intended transfers of data to third countries.
3. The Data Protection Agency must be informed of any changes in the purpose of the computer file, the controller and the address of its location.
4. The General Data Protection Register shall enter the file if the notification meets the requirements. If this is not the case, it may ask for the missing data to be provided or take remedial action.
5. If one month has passed since submitting the application for entry without the Data Protection Agency responding, the computer file shall, for all accounts and purposes, be considered entered in the Register.