Report AEPD 2013
EXCEPTIONS OR LIMITATIONS OF THE RIGHTS OF PERSONS CONCERNED (AEPD 2023)
In accordance with article 20 of the rules of procedure the IMI, member states shall inform the Committee when their national legislation provides for derogations or limitations of the rights of persons concerned as set out in regulation, article 18, on the right to be informed on the processing of personal data and in article 19, on the rights of access, rectification and deletion of personal data.
In this regard, the Agencia española de protección noted the following a report from 2023:
1. Art. 18
Feedback from stakeholders and transparency is regulated in accordance with Chapter III (articles 12 to 14) of regulation (EU) 2016/679, general data protection (RGPD) and article 11 of the organic law 3/2018, personal data protection and guarantee of drm (LOPDGDD)
2. Art. 19
The exercise of the rights of citizens is regulated in accordance with Chapter III (articles 15-23) of regulation (EU) 2016/679, general data protection (RGPD) and chapter II (articles 12 to 18) of the organic law 3/2018, personal data protection and guarantee of drm (LOPDGDD)
3. Exceptions item 18
The additional provision fourteenth of organic law 3/2018, personal data protection and guarantee of drm (LOPDGDD) provides that the rules laid down in application of article 13 of directive 95/46/ec which had entered into force prior to 25 may 2018, and in particular articles 23 and 24 of the Organic Law 15/1999 of 13 december on the protection of Personal data (LOPD), remain valid as long as they are specifically modified, superseded or repealed.
Article 24 of the LOPD establishes that, when relevant to national defence, the public security or the persecution of criminal offences, does not apply to the stakeholders, who may be requested personal data the right to be prior information for precise and unambiguous, of:
a) the existence of a file or treatment of personal data, for the purpose of these and the recipients of information.
(b) Of The mandatory or optional nature of its response to the questions that they raised.
(c) Of the consequences of the data or the refusal to provide them.
(d) the possibility to exercise rights of access, rectification, cancellation and opposition.
(e) Of the identity and address of the person responsible for treatment, or his representative.
The exceptions provided for in article 24 are owned files.
It may be limited in other sectoral regulations among which are prescribed by law 10/2010, of 28 april, on the prevention of money-laundering and financing of terrorism, which transposes eu rules on this matter.
4. Exceptions item 19
The own RGPD establishes limitations on the exercise of rights specifically with regard to the right of removal (article 17.3) or the right of opposition (article 21.1).
With regard to the limitations they might make the national regulations, recital 4 RGPD of establishing a general framework, in the sense that the right to protection of personal data is not an absolute right, but must be considered in connection with its role in society and maintain the balance with other fundamental rights, in accordance with the principle of proportionality. The Recitals 45 to 56, 62 and 73, also justify certain circumstances in the area of limitation of the exercise of rights.
Article 23, the RGPD expressly establishes that the right of the union or member states from applying to the responsible or the person responsible for processing may limit, through legislative measures, the scope of obligations and of the rights set forth in articles 12 to 22, where such a limitation to respect the rights and freedoms and is a necessary step and provided in a democratic society to safeguard:
a) state security;
(b) the defence;
(c) public security;
(d) the prevention, investigation, detection and prosecution of criminal offences or the execution of criminal penalties, including protection against threats to public security and its prevention;
(e) other important objectives of general public interest of the union or a member state, including an economic or financial interest in the european or a member state, including fiscal, monetary, budgetary and public health and social security;
(f) the protection of the independence of judges and judicial procedures;
(g) the prevention, investigation, detection and prosecution of violations of rules of ethics in regulated professions;
(h) monitoring, inspection or regulations linked, even occasionally, with the exercise of public authority in the cases provided for in the letters a) to (e) and (g);
(i) the protection of the individual or the rights and freedoms of others;
(j) the implementation of civil suits.
In addition, the additional provision fourteenth of organic law 3/2018, personal data protection and guarantee of drm (LOPDGDD) provides that the rules laid down in application of article 13 of directive 95/46/ec which had entered into force prior to 25 may 2018, and in particular articles 23 and 24 of the Organic Law 15/1999 of 13 december on the protection of Personal data (LOPD), remain valid as long as they are specifically modified, superseded or repealed.
Paragraph 2 of article 23 provides the possibility of refuse to exercise these rights by those responsible for the files of public finances when hamper administrative actions aimed at ensuring tax compliance and, in any case, if the person concerned is being inspection activities.
Article 23.1 of the LOPD has been repealed by the current item 24.1 of the organic law 7/2021 of personal data protection treaties for the purpose of prevention, detection, investigation and prosecution of criminal offences and on the execution of criminal sanctions.
It may be limited in other sectoral regulations among which are prescribed by law 10/2010, of 28 april, on the prevention of money-laundering and financing of terrorism, which transposes eu rules on this matter.