Implementation date for Telephony Data/IP Data
The Law does not make a distinction between Telephony Data and IP Data for these purposes. Therefore, the implementation date is the same for both types of data.
The Law entered into force on 9 November 2007.
Nevertheless, providers of electronic communications services and public communications networks have 6 months from the date the law entered into force to adapt their equipments and technical means to comply with these provisions.
Are there any specific security requirements?
Article 8 of the Law established the protection and security requirements. This Law refers to general personal data protection legislation (i.e. Act 15/1999, on Data Protection and Royal Decree 994/1999, on the Regulation on Security Measures). The current Regulation developing the Data Protection Act (which has been recently approved but that has not been published yet requires that traffic and location data is subject to security measures of medium level and to a particularly high level security measure. Therefore, if the draft regulation was finally approved with its current wording, operators will have to apply additional security measures to this kind of data.
Article 8 states that specifically authorised personnel that can access the personal data must be identified; they should adopt appropriate technical and organisational security measures in order to prevent data being misused, to prevent their destruction, loss, and unauthorised disclosure.
In particular, obligations related to (i) quality of the data; (ii) appropriate level of protection shall be as contained in the Act 15/1999 on Data Protection and other legislation developing.