
This article is the result of the debate held in the session "Labour and data protection issues in Law 2/2023 of February 20 on the protection of whistleblowers".
Article 5 of Law 2/2023, of February 20, regulating the protection of persons who report regulatory breaches and the fight against corruption, states that the administrative or governing body of each entity or body bound by the law, in addition to being responsible for implementing the internal information system, will have the status of controller of personal data processing in accordance with the provisions of the data protection regulations. This is, then, an attribution ex lege of the status of data controller.
It is worth recalling that this figure is defined by the General Data Protection Regulation with very precise contours. "Controller" means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.
On the one hand, there is an attribution of roles of a material nature, based on identifying the entity or subject with actual decision-making capacity. On the other hand, when the law itself makes those decisions, it can also attribute the status of controller to a specific subject. This is not a controversial issue. What is debatable is whether the legislator's choice is the right one. On many occasions, with the freedom that academia grants us, we have criticised solutions designed in the legal laboratory, far from practice. And this is undoubtedly one of them, since it can become inefficient or problematic for several reasons.
The first, and most elementary, brings us back to the material approach. The law not only defines the purposes and the means; it also promotes a particular management model. Its article 8, when regulating the designation and functions of the person in charge of the internal information system, identifies the person or collegiate body that, under a statute of independence, will make the ordinary management decisions. That statute, far from being impaired, would have been enriched by being attributed the status of data controller. And this for many different reasons.
The first concerns the transparency and reliability of the system, as well as its accessibility. Given the importance of the decision, the whistleblower will usually check the legal information carefully, including the privacy policies: what will they understand when they read that the controller is a "Board of Directors", to which, moreover, they are to address any communication? The reporting person does not hold a privacy certification from the AEPD and could well understand that the "information system" meant to protect their identity is run by the very people they intend to report. If so, no one in their right mind would file a report. And although it will be said that "common sense" has little legal or rational value, when regulating it is worth putting oneself in the place of people who will not notice these dogmatic subtleties.
Even more absurd is the need to design a range of compliance measures intended to guarantee the integrity of the information system. Not a single data protection rule indicates that access to an information system can be denied to the body to which the status of data controller is attributed, and yet this is the main consequence of this legal construction: not one of the members of the Board, nor of the people on their team, should have access to the information system. This raises a paradox when, in accordance with article 36.4 LOPDGDD, the data protection officer notifies "the administrative and management bodies of the controller" of a potential breach in this information system. The DPO does not make decisions, only supervises; it is the controller who must investigate and correct the problems. That action may involve accessing the information system and its contents. The technical decision incorporated in the Law places the power to decide on data processing in a body which, under certain conditions, should be barred from accessing the information.
Data protection by design and by default is not only a task for the legal laboratory. It requires knowing, or at least emulating, the management processes; otherwise, even in a design model, it does not work. Had a process map been drawn up with a clear scheme, it would have been difficult to attribute such responsibility to the governing body. The natural place for such a task corresponds, naturally, to the compliance body.
This forces data protection officers to consider at least two policies. First, to ensure that the information about the processing fulfils the function of transparency demanded of it, and of accessibility in its dimension of intelligibility. The reporting person must understand that the "Board", even though it is the controller, will not access the information when it is the one being "reported". The second is to design the internal methodology and shape the design of the information system so that, in complying with the GDPR, we do not undermine the duty of confidentiality established by Law 2/2023.

Ricardo Martinez Martinez
Professor of Constitutional Law at the University of Valencia, director of the Microsoft-Universitat de Valencia Chair of Privacy and Digital Transformation and Academic Advisor of FIDE