Infringement Prevention Model: Compliance in the Data Protection Bill

Current regulatory context vs. Personal Data Bill

In the current regulatory context there is no regulation of privacy compliance programs. The Bill, by contrast, introduces and regulates such programs as a compliance mechanism, detailing their contents and benefits. Adopting a compliance program may count as a mitigating factor when the Agency imposes sanctions for infringements.

Therefore, there are important differences between the current regulation and the Bill:

Law 19.628:
  - There is no reference to self-regulation or to the implementation of compliance or infringement prevention models.

Data Protection Bill:
  - Compliance programs are regulated as an infringement prevention mechanism, detailing their minimum contents and the benefits of having one.
  - The fulfillment by the person responsible of the duties of direction and supervision of the certified compliance program may constitute a mitigating circumstance.

What is an Infringement Prevention Model?

The data protection infringement prevention model is a self-regulatory mechanism consisting of a compliance program by which organizations adopt a series of procedures and obligations in order to comply with the regulations and prevent the commission of infringements.

Are they mandatory or voluntary?

The adoption of an infringement prevention model is a voluntary option for the data controller; its development and implementation within organizations is not mandatory.

However, it should be considered that the data controller has an obligation to take action to prevent infringements. Implementing a compliance program can be a good mechanism for meeting that general obligation.

What should an Infringement Prevention Model contain?

The content of these compliance programs is regulated in the Data Protection Bill. They must contain at least the following elements:

  1. Identification of the type of information involved, territorial scope, category, class or types of data or databases that are administered, and the characterization of the holders.
  2. Identification of the activities or processes, whether habitual or sporadic, in which the risk of commission of infringements is generated or increased.
  3. Establishment of protocols, rules and specific procedures that allow the persons involved in the activities or processes to plan and execute their tasks or duties in a way that prevents the commission of the aforementioned infringements.
  4. Reporting mechanisms to the authorities in case of contravening the law.
  5. Existence of internal administrative sanctions, as well as procedures for reporting and for enforcing responsibilities.
  6. Appointment of a DPO, establishing his/her means and powers.

Compliance Program Monitoring

Adherence to the compliance program must be adopted as an express obligation, either (i) through the employment contracts or services agreements of the workers, employees or service providers of the person in charge, as well as of the third parties that carry out the processing; or (ii) in the RIOHS.

National Registry of Sanctions and Compliance

The Data Protection Bill establishes the creation of a public National Registry, administered by the Agency, that will record the certified prevention models and the data controllers who have adopted them (as well as those whose certification has been revoked), and the sanctions imposed on data controllers who have infringed the law. The entries will remain accessible to the public for a period of 5 years.

Incentives for the adoption of compliance programs

The diligent fulfillment of the duties of direction and supervision of a certified compliance program constitutes a mitigating circumstance, which the Agency must consider when determining the amount of the fines in case of infringement. Likewise, self-regulation and compliance by companies is a tool that strengthens the corporate image and the ethics within the company, and helps to avoid possible sanctions.
