Data protection in Spain: overview
A Q&A guide to data protection in Spain.
This Q&A guide gives a high-level overview of data protection rules and principles, including obligations on the data controller and the consent of data subjects; rights to access personal data or object to its collection; and security requirements. It also covers cookies and spam; data processing by third parties; and the international transfer of data. This article also details the national regulator; its enforcement powers; and sanctions and remedies.
Please note: this Q&A was written before the ruling of the ECJ concerning the validity of the EU-US Safe Harbor framework. Therefore, the answers referring to safe harbours do not reflect the ruling.
This article is part of the global guide to data protection. For a full list of contents, please visit www.practicallaw.com/dataprotection-guide.
The Data Protection Act (Law 15/1999 on the protection of personal data) implemented Directive 95/46/EC on data protection (Data Protection Directive). It protects individuals with regard to the processing of personal data and the free movement of data.
The Regulation developing the Data Protection Act was approved by Royal Decree 1720/2007 of 21 December (Data Protection Regulations).
There are no sector-specific laws regulating the processing of personal data, but there are regulations that contain specific provisions on personal data processing (for example, Law 26/2006 on insurance and reinsurance intermediation). The most relevant regulations are the:
- Spanish Information Society Services Act (Law 34/2002 on information society services and e-commerce).
- Spanish General Telecommunications Act (Law 9/2014).
In addition, specific legal provisions apply to the processing of:
- Files regulated under the electoral regime legislation.
- Files used exclusively for statistical purposes and protected by legislation on public statistical functions.
- Files for storing data contained in personal classification reports referred to in the armed forces personnel legislation.
- Files derived from the Civil Registry and the Central Registry of Convicts and Fugitives.
- Files from video and audio recordings obtained by law enforcement agencies using video cameras.
Scope of legislation
The Data Protection Act and the Data Protection Regulations apply to data controllers and data processors. See Question 6 for further details on the territorial scope of application.
A data controller is any natural or legal person, whether public or private, or administrative body that makes decisions on the purpose, content and use of personal data processing.
Data processors process data on behalf of data controllers as a result of a relationship that links them. A data processor's scope for action is limited by the service it provides to the data controller.
The Data Protection Act and the Data Protection Regulations apply to the processing of personal data.
Data processing means any operation or procedure (whether automated or not) for the collection, recording, storage, elaboration, modification, blocking or erasure of data. It also includes disclosure of data resulting from communications, queries, interconnections or transfers.
The Data Protection Act and the Data Protection Regulations apply to:
Data processing carried out in the context of the activities of an establishment of the data controller in Spain. Where this is not the case, but the data controller uses a data processor established in Spain, the data processor must comply with the provisions on security measures established in the Data Protection Regulations.
Data processing carried out by a data controller not established in Spain but in a place where Spanish law applies by virtue of international public law.
Data processing carried out by a data controller not established in the European Union but using means located in Spain, unless such means are used only for transit purposes. In this case, the data controller must appoint a representative established in Spain.
Registration of personal data files is required before processing. Data controllers must register their data files with the General Data Protection Registry.
The Data Protection Act and the Data Protection Regulations define data files as sets of structured personal data that can be accessed according to specific criteria, regardless of how the data is generated, stored, organised or accessed. One data file can be composed of several databases (whether automated or non-automated).
Registration is completed through a standard notification form available on the Data Protection Agency's website. Data controllers must complete this form describing, among other aspects:
- The purposes of the data file.
- The categories of personal data it contains.
- Any data disclosures.
- The security level applied to the personal data.
- Any international transfer to third countries.
Registration must be updated whenever there are changes to the data files affecting the information notified to the Data Protection Agency (including removal of the data file).
Main data protection rules and principles
Main obligations and processing requirements
Under the Data Protection Act and the Data Protection Regulations, data controllers must comply with several obligations, including:
- Complying with the principles of data quality.
- Informing data subjects about data processing on collection.
- Obtaining data subjects' consent to process their data.
- Registering personal data files.
- Implementing security measures to protect personal data, including drafting a security document.
- Attending to data subjects' rights of access, rectification, cancellation and opposition.
- Entering into data processing agreements with data processors.
- Keeping personal data confidential.
As a rule, consent from data subjects is required. Consent must be informed (see Question 12). Depending on the circumstances, it can be implied, express (for example, for health data) or written (for example, for data revealing ideology).
Unless the law requires express consent, the Data Protection Regulations establish that data controllers can inform data subjects of the processing they intend to carry out and give them 30 days to oppose it. This way of obtaining consent is subject to limitations (for example, a data controller cannot request the same consent again until a year has passed).
Consent from a parent or guardian is needed for children under 14 years of age.
Data subjects' consent is not required when:
- Data is collected by a public administration when exercising its functions.
- Data refers to the parties to an administrative, employment or business contract or pre-contract, provided the data is necessary for its performance.
- The purpose of the data processing is to protect the data subject's vital interest.
- The data processing is necessary to satisfy a legitimate interest pursued by the data controller (or a third party to whom the data is disclosed), provided that the data subject's fundamental rights and freedoms are not overridden.
Special rules apply to certain types of data, particularly to sensitive data. Sensitive data includes the following categories:
- Ideology, trade union membership, religion and beliefs. As a rule, this data can only be processed with the data subject's express written consent.
- Racial origin, health and sex life. As a rule, this data can only be processed on general interest grounds established by law, or with the data subject's express consent.
- Data related to administrative or criminal infringements, which can only be processed by the competent public administrations.
Data on ideology, trade union membership, religion, beliefs, racial origin, health and sex life can be processed when necessary for medical prevention or diagnosis, providing healthcare or medical treatment, or managing health services, provided that the processing is carried out by a healthcare professional bound by professional secrecy, or any other person subject to an equivalent obligation. This data can also be processed when necessary to protect a vital interest of the data subject or another person if the data subject is physically or legally unable to give consent.
As a rule, data on ideology, trade union membership, religion, beliefs, racial origin, health and sex life is subject to the high-level security measures established by the Data Protection Regulations.
Rights of individuals
When personal data is collected, data subjects must be informed of:
- The existence of a data file or data processing.
- The data controller's identity and address (or that of its representative if the processing is carried out by a data controller not established in the EU but using means located in Spain, unless such means are used only for transit purposes).
- The purpose of the processing.
- The data recipients, identifying them by name and address and specifying the purpose of the data transfer.
- How the data subject can exercise their rights of access, rectification, cancellation and opposition.
- Whether answering the questions is mandatory or voluntary (unless this can be clearly inferred from the nature of the personal data requested or the circumstances in which the data is collected).
- The consequences of providing the data or refusing to do so (unless this can be clearly inferred from the nature of the personal data requested or the circumstances in which the data is collected).
Data subjects have the following rights:
- Right of access. Data subjects are entitled to request information on whether their personal data is processed, the purpose of the processing, the source of their data and any data transfers, as well as information on specific data, data included in a specific file, or all the data that is subject to processing.
- Right to rectify incomplete or inaccurate data.
- Right of cancellation. Data subjects can request deletion of inappropriate or excessive data (see Question 14).
- Right to oppose the data processing in specific scenarios established by law (for example, to oppose receiving commercial communications).
- Right to challenge decisions that have a legal effect on them or that affect them significantly when the decision is exclusively based on automated data processing carried out to evaluate aspects of their personality (for example, work performance and credit).
- Right to consult the General Data Protection Registry.
- Right to claim protection of their rights from the Data Protection Agency when they have been denied by the data controller.
- Right to be indemnified for damages caused by infringement.
Data subjects have a right to request the deletion of their data.
Data controllers must cancel personal data when it is no longer necessary or relevant to the purpose for which it was collected. Cancellation means that the data cannot be used and must be blocked to impede its processing. It is kept available for public administrations, judges and courts to deal with any liabilities resulting from the processing until these liabilities expire. After any applicable liabilities expire, the data must be deleted.
Data controllers and data processors must implement security measures to protect personal data against accidental or unlawful destruction, accidental loss, alteration or unauthorised disclosure or access.
The Data Protection Regulations set out specific minimum security measures to be implemented by controllers and processors, establishing three cumulative security levels: basic, medium and high. The applicable measures depend on the nature of the data (for example, sensitive data is subject to all three levels of security).
The security measures established by the Data Protection Regulations include specifications on:
- Identification and authentication.
- Management of documents and media.
All measures must be described in a security document that also specifies the obligations of any employees, agents and contractors accessing the data files, and the structure of the files, including a description of the systems processing them.
There is no requirement to notify data security breaches under the Data Protection Act or the Data Protection Regulations. Acknowledging guilt for a specific breach will be taken into consideration by the Data Protection Agency when imposing penalties. Notifying data subjects can also reduce civil liability.
The General Telecommunications Act establishes an obligation on telecoms operators to notify the Data Protection Agency without delay of any personal data breach. This Act defines personal data breaches as any security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access to personal data transmitted, stored or processed in connection with the provision of a publicly available electronic communications service.
Processing by third parties
When a company processes personal data by providing a service to the data controller, the data processing must be regulated by contract, specifying that the processor must:
- Process the data only in accordance with the data controller's instructions.
- Not apply or use the data for purposes other than those established in the contract.
- Not communicate the data to third parties.
- Implement the appropriate security measures.
Data processors can communicate the data to others when authorised by the data controller. The Data Protection Regulations establish the conditions under which the main data processor can sub-contract part of the services rendered to the data controller if the sub-contractor can also process the data.
This requirement does not apply when the only purpose of the device installed in the users' equipment is to transfer information via electronic communication networks, or when using the device is necessary to provide a service expressly requested by the user.
Under the Data Protection Agency's guidelines (which are not mandatory, but which information society service providers/data controllers should follow since they reflect how the Agency interprets the rules), users must be informed of cookies (and equivalent devices) using two layers:
- The first layer (usually a pop-up) must briefly inform the user about the cookies, identifying their purpose and whether they are first or third party cookies. This layer must include an accept button or warn users that a specific action (like continuing to use the site) will imply acceptance of the cookies. It must also include a link to the second layer.
- The second layer must include detailed information about cookies: definition, types of cookies and their purpose, how to disable or eliminate them and reject their use, and identification of third parties when third party cookies are used.
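The two-layer approach above is easier to audit when the notice content and the consent gate are kept as plain data and a small state machine, so that no non-exempt cookie can be written before the user has decided. The following is an added example written for this guide, not code from the original page, the Agency or any vendor; the identifiers (CookieConsent, COOKIE_INVENTORY, buildFirstLayer, buildSecondLayer, storePermitted), the cookie names and the provider hostnames are constructed for illustration.

```javascript
// Added example: two-layer cookie notice plus a consent gate, modelled on the
// Agency guidance summarised above. Every name below is this example's own
// assumption (constructed), not a term used by the page or the Agency.

// Constructed inventory of the cookies a hypothetical site sets. Each entry
// carries what the first layer must say (purpose, first/third party) and whether
// the cookie is exempt because it is needed to deliver the service the user asked for.
const COOKIE_INVENTORY = [
  { name: "session_id", party: "first", provider: "shop.example",
    purpose: "keeps you logged in during your visit", necessary: true },
  { name: "lang", party: "first", provider: "shop.example",
    purpose: "remembers your language preference", necessary: false },
  { name: "visit_stats", party: "third", provider: "analytics.example",
    purpose: "audience measurement", necessary: false },
];

// First layer: brief text with purposes and the first/third-party split, an
// accept action (or the warning that a given action implies acceptance) and a
// link to the second layer. Returns plain data so any UI can render it.
function buildFirstLayer(inventory, detailsUrl) {
  const purposes = [...new Set(inventory.map((c) => c.purpose))];
  const third = inventory.filter((c) => c.party === "third").length;
  const first = inventory.length - third;
  return {
    text: `This site uses cookies for: ${purposes.join("; ")} ` +
          `(${first} first-party, ${third} third-party).`,
    acceptLabel: "Accept cookies",
    continueWarning: "Continuing to browse this site implies acceptance of these cookies.",
    detailsLink: detailsUrl,
  };
}

// Second layer: the detailed information the guidance lists. The disabling
// instructions are deliberately generic and point at browser settings.
function buildSecondLayer(inventory) {
  const byPurpose = {};
  for (const c of inventory) {
    (byPurpose[c.purpose] = byPurpose[c.purpose] || []).push(c.name);
  }
  return {
    definition: "A cookie is a small file stored on your device by the sites you visit.",
    types: Object.entries(byPurpose).map(([purpose, names]) => ({ purpose, names })),
    howToDisable: "You can block or delete cookies through your browser's privacy settings.",
    thirdParties: [...new Set(inventory.filter((c) => c.party === "third").map((c) => c.provider))],
  };
}

// Consent state and gate: only strictly necessary cookies may be stored before
// the user decides; everything else waits for an explicit or implied acceptance.
class CookieConsent {
  constructor() { this.decision = null; } // null | "accepted" | "rejected"
  accept() { this.decision = "accepted"; }
  reject() { this.decision = "rejected"; }
  // The first layer may state that a specific action implies acceptance; treat
  // the action as consent only when that warning was actually shown.
  acceptByContinuing(firstLayerShown) {
    if (firstLayerShown && this.decision === null) this.decision = "accepted";
  }
  mayStore(cookie) { return cookie.necessary || this.decision === "accepted"; }
}

// Applies the gate: calls setCookie only for permitted cookies and returns their
// names, so a test can confirm nothing is written before consent.
function storePermitted(inventory, consent, setCookie) {
  const stored = [];
  for (const c of inventory) {
    if (consent.mayStore(c)) { setCookie(c.name); stored.push(c.name); }
  }
  return stored;
}

// Stand-alone run with an in-memory jar standing in for document.cookie.
const jar = new Set();
const consent = new CookieConsent();
console.log(buildFirstLayer(COOKIE_INVENTORY, "/cookies").text);
console.log("before decision:", storePermitted(COOKIE_INVENTORY, consent, (n) => jar.add(n)));
consent.accept();
console.log("after acceptance:", storePermitted(COOKIE_INVENTORY, consent, (n) => jar.add(n)));
```

Keeping the inventory as data has a practical benefit: the same list drives the first-layer summary, the second-layer detail and the gate, so a cookie cannot be set without also being disclosed, and a new third-party cookie automatically appears in the third-party identification section.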
Recipients must consent to receiving electronic commercial communications. An opt-out is valid for communications relating to first party products or services similar to those initially requested by the customer. An opt-in is required when communications relate to third party products or services, or products or services other than those initially requested by the customer.
International transfer of data
Transfer of data outside the jurisdiction
International data transfers are transfers to countries whose level of protection has not been declared adequate by the relevant authorities (any country outside the European Economic Area (EEA), with some exceptions). Such transfers must be notified to the Data Protection Agency and authorised by its director, regardless of whether the data importer belongs to the same group as the data exporter.
Authorisation can be obtained using the Model Contracts for the transfer of personal data to third countries approved by the European Commission.
The Data Protection Agency must receive the contract and confirm that the parties' representatives have sufficient power to sign it. The Agency has up to three months from the date it receives the request to issue and communicate its decision.
Data Protection Agency authorisation is not necessary in the following cases (although it must still be notified of the international data transfer):
- When the transfer results from the application of an international treaty to which Spain is party.
- When the transfer is meant to provide or request international judicial aid.
- When the transfer is necessary for medical prevention or diagnosis, or for providing healthcare or medical treatment or managing healthcare services.
- When the transfer relates to money transfers made according to their specific legislation.
- When the data subject has unequivocally given consent to the data transfer. Consent is not valid if the data subject has no real option to oppose the transfer, which is usually the case with employees.
- When the transfer is necessary for the performance of a contract between the data subject and the data controller or to adopt pre-contractual measures at the data subject's request.
- When the transfer is necessary to execute or perform a contract concluded, or to be concluded, between the data controller and a third party in the interest of the data subject.
- When the transfer is necessary or legally required to protect the public interest.
- When the transfer is necessary for the recognition, exercise or defence of a right in a legal proceeding.
Data transfer agreements
See Question 20.
The Data Protection Agency has approved standard contractual clauses that regulate international data transfer from a data processor established in Spain to data sub-processors established in countries whose level of protection is not adequate. In this case, to obtain the Data Protection Agency's authorisation, the data processor must also provide the Data Protection Agency with an agreement between the data processor and the data controller under which the latter authorises the sub-contracting and the international data transfer.
See Question 20.
Enforcement and sanctions
The Data Protection Agency is responsible for imposing sanctions for non-compliance and it is entitled to inspect data files and request any information necessary to perform its functions. The Data Protection Agency's inspectors can ask to see documents and data and examine them wherever they are located, as well as inspect the physical equipment and software used to process data by accessing the premises where it is installed.
Data protection infringements can be classified as:
- Minor infringements. These are subject to fines ranging from EUR900 to EUR40,000.
- Serious infringements. These are subject to fines ranging from EUR40,001 to EUR300,000.
- Very serious infringements. These are subject to fines ranging from EUR300,001 to EUR600,000.
Sanctions are graduated in proportion to the following circumstances:
- Continuous nature of the infringement.
- Volume of processing.
- Connection between the infringer's activity and the data processing.
- Infringer's business/activity volume.
- Benefits obtained as a result of the infringement.
- Degree of intention.
- Nature of the damages caused to the data subjects or third parties.
- Whether the infringer had adequate processing procedures and the infringement was the result of an anomaly, rather than lack of diligence.
- Any other circumstances relevant to determining the degree of guilt.
Lower sanctions are imposed (for example, a serious infringement would be sanctioned as if it were a minor infringement) when:
- Several of the above circumstances occur.
- The infringer diligently rectifies the situation.
- The infringer's behaviour may have induced the infringement.
- The infringer spontaneously acknowledges its guilt.
- There is a merger by absorption, and the infringement was committed before the merger and cannot be attributed to the absorbing company.
In some cases, after hearing the parties and considering the facts, the Data Protection Agency can replace fines with a warning giving the infringer time to prove that it has taken the necessary corrective measures. This applies if it is the first infringement and if it is not very serious.
When the infringement is serious or very serious and persisting with the data processing can cause serious damage to the data subjects' fundamental rights (particularly, data protection rights), the Data Protection Agency can order data controllers to cease processing. If this request is disregarded, the Data Protection Agency can decide to freeze the corresponding data files.
The Data Protection Agency is especially active in prosecuting infringements. In 2014, it resolved 12,173 claims and complaints, issued 872 sanctioning decisions, and imposed fines of EUR17.3 million.
Spanish Data Protection Agency (Agencia Española de Protección de Datos)
Main areas of responsibility. The Data Protection Agency is the national independent public authority responsible for ensuring compliance with data protection law. The Data Protection Agency's main functions are to interpret, apply and disseminate data protection law, maintain the General Data Protection Registry, safeguard citizens' data protection rights, and authorise international data transfers.
Description. The Data Protection Agency's official website. It contains relevant information, legislation, decisions, guidelines, forms and other documents. The legislation published there may be out of date and is not binding; the Agency advises checking the Spanish official journals.
Description. Unofficial and non-binding English translation of the Data Protection Act, published by the Ministry of Justice.
Description. Unofficial and non-binding English translation of the Data Protection Regulations published by the Ministry of Justice.
Albert Agustinoy Guilayn, Partner
Cuatrecasas, Gonçalves Pereira
Professional qualifications. Bachelor of Laws, Universitat de Barcelona, 1996; Masters in Community Law, Universitat Autònoma de Barcelona, 1997; Master (LLM) in Comparative, European and International Laws, Université Robert Schuman, Strasbourg, France
Areas of practice. Gaming and gambling; intellectual property; media; data protection; sports; leisure.
- Acting as global adviser in Spain for global gaming and gambling companies such as Playtech, PokerStars, 888, Gamesys, William Hill, Interwetten, Eurostar Mediagroup, Dafabet, SKS 365, PAF, Rank Group or Betfair, on all relevant areas of Spanish law, including gambling and gaming law, IT law, intellectual property, personal data protection, and advertising.
- Advising the World Intellectual Property Organization on appointments as a panellist, charged with deciding on numerous alternative dispute resolution procedures relating to generic domain names and .es domain names.
Languages. Spanish, English, French
Professional associations/memberships. Panellist for domain-name dispute resolution of the World Organization of Intellectual Property, the National Arbitration Forum and the Spanish High Council of Chambers of Commerce.
- Domain name law and practice (2015).
- La regulación del juego electrónico (2011).
- Nombres de dominio. Normativa internacional, comunitaria y española comentada (2008).
- Derecho y nuevas tecnologías (2005).
- Régimen jurídico de los nombres de dominio (2002).
Alejandro Negro Sala, Counsel
Cuatrecasas, Gonçalves Pereira
Professional qualifications. Bachelor of Laws, Universidad Autónoma de Madrid; Master in Legal Consultancy for Businesses, Instituto de Empresa, Madrid
Areas of practice. Intellectual and industrial property, media and data protection; technology, media and telecommunications; corporate compliance; food and beverages; pharmacy, health products and biotechnology.
- Advising Banco Popular, Liberbank and Banco Mare Nostrum (BMN) on IT outsourcing services agreements.
- Advising Microsoft on IT and data protection issues.
Languages. Spanish, English
Professional associations/memberships. Member of LES (Licensing Executives Society) and DENAE.
- Más protección para los alimentos con nombre y apellidos (2015).
- Sourcing World (2015) Thomson Reuters.
- Outsourcing (2014) Getting the Deal Through.