A few days ago, the Spanish Data Protection Agency (AEPD) published the 2020 Report. It is the “official” picture of how the year has been in terms of personal data protection. It would not be accurate to say that this is the situation, because it is clear that not everything that happens in this sector is registered there, but at least it does exhaustively list the activities carried out by this institution.
It is interesting for the figures, the outstanding trends and the most relevant decisions and procedures of the year. And, of course, to observe whether or not we have improved and data protection is moving forward on the right track.
Logically, the year has been marked by the unexpected and exceptional nature of the pandemic, which has had a brutal impact on the sector. We have been talking about teleworking, digitalization, virtual healthcare, management of particularly sensitive data, such as health data... and the way in which all this has been handled has been different, as we know. There are those who have adapted well, those who had their work done, those who have saved it as best they could and those who have been absolutely overwhelmed, unable to cope with the circumstances that COVID-19 has demanded, also in terms of personal data protection regulations.
In general, it can be said that there are no major developments in the broad panorama. The number of complaints remains slightly below 12,000 and the topics that cause them refer, most frequently, to internet services (16%), improper insertion in delinquency files (15%), video surveillance (12%), reception of advertising (except spam) (7%) and debt collection (6%).
There are indeed more sanctioning resolutions (16% more than the previous year), although only 172 were subject to a financial sanction. The most frequent areas in sanctioning procedures are video surveillance (24%), internet services (19%), Public Administrations (10%) and telecommunications (7%). It is significant that video surveillance is increasingly present in these rankings of infractions/sanctions. This is probably due to the increasing use of this technology, whether in workplaces, on the street or also among individuals and small businesses, but the truth is that something is not being done well.
However, the sectors most penalized with fines are financial institutions/creditors (more than 5 million euros) and telecommunications (over a million). Both account for 76% of the overall amount of penalties, which in 2020 was also 27% higher than in 2019.
One last fact to highlight. In Spain, more than 65,000 data protection delegates have already been officially notified, but the public administration is “stuck”. Provincial councils, town halls and local entities are still far from the total number of people responsible for local administration in Spain who must have a DPO. There is still a long way to go.
