What format and content should the register-book of internal investigations have?

In the absence of regulatory development, it becomes difficult to determine what the exact content of the register-book should be. However, from the report of the Spanish Data Protection Agency (AEPD) on the draft law, we can deduce that the obligations relating to the internal information system (and specifically the limitation of the retention period of personal data) is independent of the personal data that may have been reflected in the register, which is subject to specific guarantees, particularly the fact that it can only be accessed by virtue of a judicial resolution. The AEPD assessed very positively this specific guarantee in the access provided by art. 26 of Law 2/2023 since it makes it possible to make the necessary deletion of personal data in internal information systems, subject to a wider access regime, compatible with the deadlines set out by law with the obligation to keep the aforementioned register, in which a wider conservation period is established that can reach 10 years.

In accordance with this assessment, we can deduce that the content of the register-book must contain sufficiently broad and expressive information, if we take into account the access by judicial resolution, of the information received and of the internal investigations that have been carried out, guaranteeing in any case confidentiality in the terms provided for by law.