LOPD in Spain for Software and Data Protection
The principal function of much of the software used in the day-to-day management of most businesses is the storage and processing of personal data. Software and data protection are therefore two inextricably linked concepts. This connection is reflected in the Regulation implementing the Organic Law on Data Protection (LOPD), approved by Royal Decree 1720/2007 of 21 December, whose First Additional Provision states that:
Software products used for the automated processing of personal data must include in their technical description the level of security they provide, whether basic, medium or high, in accordance with the provisions of Title VIII of this Regulation.
The provisions of the LOPD thus impose a technical suitability obligation on the creator of the software. Consider health professionals, among others, who are obliged to keep records of health data: if they need a means of managing their clients' database, it will more than likely be a software program installed for that purpose.
But this rule also has other implications:
- If the software used by a company is unlicensed and illegal copies are in use, the manufacturer's guarantee that the product provides the level of protection required to comply with the LOPD cannot be relied upon or enforced.
- If a company does not know what software is installed on its systems, it cannot establish whether that software meets the required level of protection.
The risks of using illegal software
Much has been published about the risks of not complying with data protection legislation and the importance of penalising violators. Less attention has been paid to the fact that the protections the LOPD intends may be undermined by the use of illegal software.
It is said that the LOPD is not a law of results but a law of means: it obliges the data controller to demonstrate that all available measures were taken to prevent misuse of the personal data for which it is responsible. Consider a disclosure of health data, of the kind reported several times in the media recently. If it were discovered that the programs used to store and process the data were illegal copies, the company's credibility in defending its conduct would be compromised from the outset.
Article 45.4 of the LOPD provides that the amount of the penalty is set according to the degree of intent and any other circumstances relevant to determining the culpability of the offending company. Where the degree of intent is low, the sanctioning body may set the penalty at the lower end of the scale.
However, if the investigation finds that the company used illegal software to store and process the complainant's personal data, it will be difficult to show that the data controller acted properly and with due care. The use of illegal software implies a breach of the security obligations with which the data controller must comply.
The Need to Audit Software
Even if a company is aware of and complies with the rules on intellectual property and uses only legal software, users of its computer systems may still install unauthorised copies. The company is responsible for the acts of its employees and must be vigilant about such violations. The best way to prevent this is to perform regular software audits and verify that every installed program is fully licensed.
This brings us back to the close connection between software and data protection noted at the outset: auditing installed software and monitoring for unlicensed copies is an important step in implementing a data protection system.
In this respect, Article 88 of the Regulation implementing the LOPD requires the security document to describe its scope, with a detailed specification of the protected resources, and the Regulation defines a resource as any component of an information system, which necessarily includes all software programs.
Implementing the LOPD can therefore also serve as a means of auditing the software installed on a company's computer systems and determining its legality by checking that every installed program has a valid licence.
Under the rules on the legal protection of software in Spain, the use, reproduction, distribution, export and storage of computer programs without the appropriate authorisation of the rights holder creates civil and criminal liability for companies as legal entities and for their managers or agents as individuals.
The Criminal Code of 1995 defines breaches of intellectual property rights in Article 270 and prescribes penalties of imprisonment for up to four years, disqualification from professional practice for up to five years, and fines of up to €288,000.
The Criminal Code further provides that the extent of civil liability arising from intellectual property offences is governed by the provisions of the Copyright Act on cessation of the unlawful activity and compensation for damages. In the event of a conviction, the judge or court may order publication of the judgment, at the infringer's expense, in an official gazette.
The regulatory framework provides procedures through which software manufacturers can pursue infringements of their intellectual property rights. In civil matters, Article 732 of Law 1/2000, the Civil Procedure Act, allows an investigation of potential infringements to be ordered without a prior hearing of the defendant. This is in addition to the other precautionary measures established by the Copyright Act (Royal Legislative Decree 1/1996).
In criminal matters, prosecution of intellectual property offences under Article 270 is facilitated through the expedited procedure, in particular by the possibility of investigating the accused without a prior hearing by means of the entry and search warrant regulated by Articles 546 and 785 of the Criminal Procedure Act, as amended by Law 38/2002 on the partial reform of that Act. This allows entry and search warrants to be executed without prior notice to the accused, which facilitates and speeds up the prosecution of intellectual property infringements.
Because computer programs by their nature allow records and digital evidence to be removed easily, procedural law provides mechanisms for investigating potential infringements by the defendant without prior notification, thereby preserving evidence and improving the prospects of obtaining civil and criminal convictions.
It can thus be seen that the use of illegal software makes compliance with both the spirit and the letter of data protection legislation extremely difficult.
This article does not constitute legal advice.