By accessing the website of the Spanish Directorate of Traffic (DGT), 24 million drivers can consult information about their remaining points. To review your personal history, you simply provide your ID number, your driver’s license extension date, and your email address. The Spanish Agency for Data Protection (AEPD) considers that requiring so little information makes the system insufficiently secure, because the confidentiality of user data is not fully guaranteed. In other words, anyone with a little patience and skill can access our history and use that information to their advantage.
The Data Protection Agency has warned the DGT that it is violating the Organic Law on Data Protection and has ordered it to protect the information on drivers more strictly. The DGT, however, has ignored the request. Although it admits that the system has “holes”, it points out that “from a legal point of view” there is no obligation to change it. No one has yet replaced the identity of the driver. It's still there. If this ever happens, what measures would be taken? What sanctions would be imposed on the DGT, or the corresponding administration? Who would punish it? And in the meantime, who can compel the DGT to apply effective protection measures?
“As a national entity, it is the responsibility of the Spanish Data Protection Agency to declare the infringements committed by the DGT”, says Román Intxaurtieta, legal advisor of the Basque Data Protection Agency (DBEB). Because the DGT is a public entity, no economic penalty may be applied to it: “The purpose of declaring violations is to eliminate inappropriate behavior and ensure that it does not continue to occur in the future. This will not be achieved by fines, because it would be absurd for the administration to raise money in the administration itself.” In cases where there is a clear violation, the administration may be required to be financially responsible for the negligent protection of personal information contained in its files. In the words of Intxaurtieta, “the non-application of economic sanctions does not imply the absence of responsibility and compensation, since the person responsible will be the worker who has done the damage and can be subject to disciplinary measures; in terms of compensation, there is the path of patrimonial responsibility that the affected person can exercise before the administration or through the judicial process.”
The right to data protection – vis-à-vis the administration – is guaranteed by local agencies or the Spanish AEPD. In the Basque Country, the Basque Data Protection Agency is responsible for monitoring the data processing carried out by the Basque public administrations. On the other hand, the processing carried out by private entities of the Southern Basque Country is controlled by the Spanish Agency. Private companies may be subject to financial penalties. It is precisely in this sense that the task of controlling data protection receives the most criticism. The administration does not pay money for the violations it commits, while private entities do; non-compliance with the law does not entail economic costs for the administration. In the eyes of the population, moreover, little can be done to control and denounce the management of the administration. It is an unknown field for many.
“One of the tasks of the Basque Data Protection Agency is to make this fundamental right known to the public,” says Intxaurtieta. “In general, people think that the loss of privacy is not such a serious thing, but if we explain to citizens the consequences that the misuse of data can bring, interest is aroused in them, and from that moment on, they demand more and more information on the subject.” The citizen knows when his right is violated: “I am referring to concepts such as file, processing, transfer, personal data, the person responsible and the agent, and the basic principles in this field,” explains Intxaurtieta, “such as information, consent, and data quality or security.”
Get me off the phone books.
In the words of the legal adviser of the RGPD, “it is essential to spread the culture of data”. He explains when people can turn to the agency: “On the one hand, you can file complaints against the Basque public administrations if you consider that they have not respected the fundamental right to data protection. On the other hand, you can request our protection if you consider that your rights of access, rectification or cancellation have not been complied with.”
There are other rights, such as the right to consult the Data Protection Registry, the right to compensation, the right to be removed from telephone directories and the right not to receive unwanted advertising. The basic data contained in telephone directories may be obtained without the consent of the data subject. Our name, surname and address appear in the telephone service subscriber directories, and unless we request to be removed from them, these data can be consulted and used by anyone. If we wish, we have the right to request that all or part of our data be removed from the subscriber directories free of charge.
“We are trying to help the people,” he said. “We provide you with the information you need about this fundamental right, about the resources available to you, we ask the administrations to satisfy the rights of people and we publish the files that the administrations have declared through the Registry, among others.”
What data can administrations exchange?
The authorities collect a lot of information about us. More and more procedures can be initiated through the Internet: tax returns, specific requests in local corporations (e.g. municipalities), declarations for employee contributions, public records... Sometimes it is legitimate for administrations to exchange the collected data with each other. “It’s very difficult to make an exhaustive list,” says Intxaurtieta. “Some cases are very clear: when some law says that exchanges can be made; when both administrations (assignee and assignor) have competences on the same subject (as in the case of social services); or when the Public Prosecutor’s Office, judges, courts, the Ombudsman or the Court of Public Accounts request data from the administrations.” However, in most cases, it is mandatory for the interested parties to express their consent in the first place by specifying the general rules. When it comes to specially protected data (ideology, religion, beliefs, trade union membership, race, health and sex life) the requirements for data processing are stricter.
Data, in the hands of private companies?
Is it possible for data held by the administration to fall into the hands of a private company? In the words of Román Intxaurtieta, “possible, it is possible, but in most cases the administration protects citizens’ data well. According to the surveys we have carried out, people trust the administration; it protects the data it collects well. Sometimes the administration contracts a service from a company (maintenance or development work on a software application, for example), and it is unavoidable to give that company personal data. In those cases, the contract must contain precise instructions: how the data must be used and protected, that they must be returned to the administration when the work is finished, and so on. If those instructions or clauses are included in the contract, the company will be the one responsible if it misuses the data”.