New inspections procedure of the national data protection authority
Intellectual Property, Privacy, New Technologies and Legal Advertising
On December 31, 2020, Resolution No. 322/2020 of the Access to Public Information Agency (“AAPI” or “Agency”) was published, approving a new inspection procedure to assess the level of compliance of controllers and processors with current data protection regulations.
Furthermore, the procedure provides for two types of inspections. On the one hand, the planned ones, which are carried out annually, according to objective selection criteria that determine a group of data controllers that will be investigated. On the other, the spontaneous ones, which the Agency can initiate at its discretion, if it becomes aware of an alleged illegal activity. Although all inspections will be preceded, in principle, by a notification and a documentary request to the investigated person, said notification may be omitted if the Agency considers that it may affect the course of the investigation. In this case, the inspectors may appear directly at the address of the controller or processor.
Lastly, it should be noted that the AAPI may require a judicial authorization in advance when it could reasonably foresee that it will not obtain the necessary cooperation from the person under investigation or if it is deemed convenient for the inspection. It may also require such authorization if the person under investigation refuses to cooperate with the inspectors.
In short, the new inspection procedure modernizes old provisions of the National Direction for the Protection of Personal Data and confers new powers on the Agency, in line with the more relevant procedures of data protection authorities, such as that of the Information Commissioner’s UK Office.