New inspections procedure of the national data protection authority

Bruchou & Funes de Rioja - January 12, 2021
Intellectual Property, Privacy, New Technologies and Legal Advertising


On December 31, 2020, Resolution No. 322/2020 of the Access to Public Information Agency (“AAPI” or “Agency”) was published, approving a new inspection procedure to assess the level of compliance of controllers and processors with current data protection regulations.

The purpose of the procedure is to audit, investigate and control the activities of data controllers and processors. All legal aspects of personal data processing operations would be covered in the inspection: legality, data quality, prior information, security and confidentiality, local and international data transfers, procedures to guarantee the rights of the data subjects. Likewise, modern data privacy aspects are taken into account in the inspections: the existence of a privacy impact assessment, the terms and conditions and/or the privacy policy of the controller and/or processor, the action of the data protection officer and the protocols for reporting security incidents to data subjects and the supervisory authority.

Furthermore, the procedure provides for two types of inspections. On the one hand, the planned ones, which are carried out annually, according to objective selection criteria that determine a group of data controllers that will be investigated. On the other, the spontaneous ones, which the Agency can initiate at its discretion, if it becomes aware of an alleged illegal activity. Although all inspections will be preceded, in principle, by a notification and a documentary request to the investigated person, said notification may be omitted if the Agency considers that it may affect the course of the investigation. In this case, the inspectors may appear directly at the address of the controller or processor.

Lastly, it should be noted that the AAPI may require a judicial authorization in advance when it could reasonably foresee that it will not obtain the necessary cooperation from the person under investigation or if it is deemed convenient for the inspection. It may also require such authorization if the person under investigation refuses to cooperate with the inspectors.

In short, the new inspection procedure modernizes old provisions of the National Direction for the Protection of Personal Data and confers new powers on the Agency, in line with the more relevant procedures of data protection authorities, such as that of the Information Commissioner’s UK Office.