Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain - Data Protection Overview
Back

Spain - Data Protection Overview

November 2022

1. Governing Texts

The General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') has been implemented with the Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) ('the LOPDGDD').

1.1. Key acts, regulations, directives, bills

Some of the new developments contained in the LOPDGDD are:

  • the LOPDGDD allows data controllers to provide the information required by Article 13 of the GDPR through a layer system. This is not an obligation but a mere recommendation;
  • regarding the processing of personal data of minors, the LOPDGDD sets the minimum age at 14 years old. Consent granted by a minor under 14 will not be valid and consent from parents or guardians will be required;
  • consent of a data subject is not enough to legitimise the processing of special categories of data if the main purpose is to identify an individual's racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, or genetic data;
  • regarding the implementation of systems for the recording of internal complaints (i.e. whistleblowing systems), anonymous reports are now allowed;
  • the LOPDGDD includes a list of cases in which entities must appoint a data protection officer ('DPO') (for example entities that operate networks and provide electronic communications services, education centres, and public or private universities). The appointment of a DPO must be registered before the Spanish data protection authority ('AEPD') even in cases where such appointment is not mandatory;
  • the LOPDGDD contains a list of new rights that apply in the work environment:
    • the right to privacy in the use of digital devices in the work environment;
    • the right to digital disconnection;
    • the right to privacy in the case of video monitoring and sound recording devices in the workplace; and
    • the right to privacy in case of location tracking systems used in the workplace.

1.2. Guidelines

The AEPD has issued guidelines including on the following issues:

Additionally, the AEPD has issued several GDPR facilitation tools (available in Spanish here and in English here).

Furthermore, the AEPD has issued lists of activities which require ('Blacklist') or does not require ('Whitelist') a Data Protection Impact Assessment ('DPIA'):

Notably, the European Data Protection Board ('EDPB') has published the following Opinion for Spain:

1.3. Case law

Not applicable.

2. Scope of Application

2.1. Personal scope

There are no national law variations from the GDPR.

2.2. Territorial scope

There are no national law variations from the GDPR.

2.3. Material scope

There are no national law variations from the GDPR.

3. Data Protection Authority | Regulatory Authority

3.1. Main regulator for data protection

The AEPD is the main regulatory authority.

3.2. Main powers, duties and responsibilities

The AEPD supervises the implementation of, and compliance with, the LOPDGDD by all data controllers and processors. Moreover, the AEPD examines the sanction procedure in case of an infringement of the data protection legislation, as well as any claims filed by data subjects. The AEPD is also the authority who imposes fines on data controllers and/or processors when they do not comply with the data protection legislation.

4. Key Definitions

Data controller: No national variations from the GDPR.

Data processor: No national variations from the GDPR.

Personal data: No national variations from the GDPR.

Sensitive data: No national variations from the GDPR.

Health data: No national variations from the GDPR.

Biometric data: No national variations from the GDPR.

Pseudonymisation: No national variations from the GDPR.

5. Legal Bases

5.1. Consent

There are no national law variations from the GDPR.

5.2. Contract with the data subject

There are no national law variations from the GDPR.

5.3. Legal obligations

There are no national law variations from the GDPR.

5.4. Interests of the data subject

There are no national law variations from the GDPR.

5.5. Public interest

There are no national law variations from the GDPR.

5.6. Legitimate interests of the data controller

There are no national law variations from the GDPR.

5.7. Legal bases in other instances

In relation to the processing of personal data for statistical purposes:

  • according to Law 12/1989, of 9 May, on the Public Statistical Function (only available in Spanish here), the processing of personal data for statistical purposes shall be lawful only if based on an express and voluntary consent of the data subject; and
  • the competent bodies for the public statistical function can deny a data subject's request for exercising the rights referred to in Articles 15 to 22 of the GDPR when the data is protected by the statistical secrecy guarantees provided by the Spanish legislation.

Processing of personal data for archiving purposes in the public interest is subject to Law 16/1985, of 25 June, on the Spanish Historical Heritage (only available in Spanish here) and other related regulations.

In relation to the processing of personal data for scientific or historical research purposes:

  • data subject requests made in accordance with Articles 15, 16, 18, and 21 of the GDPR may be rejected:
    • when they are exercised before the researchers that use anonymised personal data;
    • when the requests refer to the results of the research; or
    • when the research is carried out in the public interest, concerning public safety, defence, or national security; and
  • when the processing of personal data is carried out for scientific research purposes in the public interest:
    • it is mandatory to carry out a DPIA;
    • the scientific research shall be subject to quality standards;
    • it is mandatory to implement any measures in order to guarantee that the researchers do not access to the identification data of the data subjects; and
    • it is mandatory to appoint a legal representative when the clinical trial sponsor is not located in the EU.

6. Principles

There are no national law variations from the GDPR.

7. Controller and Processor Obligations

7.1. Data processing notification

There is no specific requirement in Spain for data processing notifications.

7.2. Data transfers

There are no national law variations from the GDPR.

7.3. Data processing records

There are no national law variations from the GDPR.

7.4. Data protection impact assessment

The Spain Blacklist provides that the following types of processing operations require a DPIA:

  • processing that involves profiling or the evaluation of subjects, including the collection of the subject's data in multiple areas of their life (work performance, personality, and behaviour), covering various aspects of their personality or habits;
  • processing that involves automated decision-making or that makes a significant contribution to such decision-making, including any kind of decision that prevents data subjects from exercising a right or accessing a product or service or forming part of a contract;
  • processing that involves the observation, monitoring, supervision, geo-location, or control of the interested party in a systematic and extensive manner, including the collection of data and metadata via networks, applications, or in publicly accessible areas, as well as the processing of unique identifiers that allow the identification of users of services of the information society, such as web services, interactive TV, mobile applications, etc.;
  • processing that involves the use of special categories of data as referred to in Article 9(1) of the GDPR;
  • data concerning criminal convictions and offences as referred to in Article 10 of the GDPR, or data that allow the financial situation or solvency to be determined, or that allow personal information in relation to special categories of data to be determined or deduced;
  • processing that involves the use of biometric data for the purpose of uniquely identifying a natural person;
  • processing that involves the use of genetic data for any purpose;
  • processing that involves the use of data on a large scale. In order to determine whether processing can be considered to be on a large scale, the criteria laid down in the Article 29 Working Party's ('WP29's') Guidelines on Data Protection Officers must be taken into account;
  • processing that involves the association, combination, or linking of records in databases from two or more data processing events with different aims or by different controllers;
  • data processing regarding vulnerable subjects or those who are at risk of social exclusion, including the data of persons aged under 14, older people with any kind of disability, the disabled, persons who access social services, and the victims of gender-related violence, as well as their descendants and persons who are in their guardianship or custody;
  • processing that involves the use of new technologies or an innovative use of consolidated technologies, including the use of technologies on a new scale, for a new purpose, or in combination with others, in a manner that entails new forms of data collection and usage that represents a risk to people's rights and freedoms; and
  • data processing that prevents interested parties from exercising their rights, using a service, or executing a contract, such as for example processing where data have been compiled by a controller distinct from the controller who is to process them, and any of the exceptions regarding the information that ought to be provided to the interested parties under Article 14(5)(b), (c), and (d) of the GDPR apply.

Furthermore, the Spain Whitelist provides that the following types of processing operations do not require a DPIA:

  • processing carried out strictly under the guidelines established or authorised previously, by way of circulars or decisions issued by supervisory bodies, specially the AEPD, whenever the processing has not changed since it was authorised;
  • processing carried out strictly under the guidelines of codes of conduct approved by the European Commission or by supervisory bodies, specially the AEPD, whenever a full DPIA has already been carried out within a context of a validated code of conduct, and is implemented with the measures and safeguards defined in the DPIA;
  • processing that is necessary in order to comply with a legal requirement or to complete a mission being carried out in the public interest or in the exercise of official authority vested in the controller, provided that there is no duty to carry out a DPIA within the legal mandate itself, whenever a full DPIA has already been performed;
  • processing carried out by self-employed personnel who work on an individual basis in the exercise of their professional duties, specially physicians, healthcare professionals, or lawyers, notwithstanding that it may be required when the processing carried out complies, in a significant way, with two or more criteria established in the list of types of data processing that require impact evaluation relative to data protection published by the AEPD;
  • processing carried out in relation to the internal administration of personnel working at small to medium-sized enterprises, in order to face processing operations mandatory by law for the purposes of accounting, human resources management, payroll management, social security, and safety in the workplace, but never in relation to customer data;
  • processing carried out by owners' associations and sub-associations in multioccupancy properties, as these are defined at Article 2 (a), (b), and (d) of Law 49/1960, of July 21, on Horizontal Property (only available in Spanish here); and
  • processing carried out by professional colleges and non-profit associations in connection with the data of their associates members and donors of the data controllers listed therein concerning the management of their personal data, and in the performance of their tasks, provided that the processing does not extend to sensitive data such as those referred to in Article 9(1) of the GDPR and that Article 9(2)(d) of the GDPR does not apply.

The AEPD has issued the following resources to assist with undertaking a DPIA:

Penalties

In accordance with Article 83(4) of the GDPR, the processing of personal data without having carried out a DPIA is considered a serious violation and will have a two-year statutory limitation period (Article 73(t) of the LOPDGDD).

7.5. Data protection officer appointment

The LOPDGDD requires data controllers to appoint a DPO in specific circumstances even if the GDPR does not require it. Companies that are required to appoint a DPO under the LOPDGDD are:

  • professional associations and their general councils;
  • teaching centres that offer education at any of the levels established in the legislation regulating the right to education, including public and private universities;
  • entities that operate electronic communications networks and provide electronic communications services in accordance with the provisions of their specific legislation, when they habitually and systematically process personal data on a large scale;
  • information society service providers carrying out data subject profiling activities on a large scale;
  • entities included in Article 1 of Law 10/2014, of 26 June 2014, on the Regulation, Supervision and Solvency of Credit Institutions (as amended), namely, banks, savings banks, credit unions, and the Official Credit Institute;
  • credit financial institutions;
  • insurance and reinsurance entities;
  • investment service companies, regulated by stock market legislation;
  • electric power distributors and natural gas distributors;
  • entities that develop advertising and commercial prospecting activities, including those of commercial and market research, when they carry out treatments based on the preferences of those affected or carry out activities that involve the preparation of profiles of them;
  • health facilities legally obliged to keep patients' medical histories (health professionals acting on their own as freelance are excluded);
  • entities carrying out business/credit reports regarding individuals;
  • entities offering gambling and gaming services by electronic, informatics, telematics, or interactive means;
  • private security companies; and
  • sports federations when processing underage individuals' personal data.

Role

Under Article 36(2) of the LOPDGDD, a DPO cannot be dismissed or penalised unless they commit fraud or gross negligence in their exercise. Additionally, the DPO must report directly to the highest level of management.

A DPO may intervene when a complaint is made against a controller or processor to a supervisory authority. Prior to submitting the complaint to the supervisory authority, the DPO, when they have been designated, may intervene and communicate to the complainant the organisation's response within two months of the receipt of the complaint (Article 37(1) of the LOPDGDD).

The AEPD, or the corresponding regional data protection authority, i.e. the Catalan Data Protection Authority ('APDCAT'), the Basque data protection agency ('AVPD'), and the Council of transparency and data protection in Andalusia, may forward the complaint to the DPO before attending to it (Article 37(1) of the LOPDGDD). The DPO has one month to reply to the complaint (Article 37(2) of the LOPDGDD).

Professional qualifications

The AEPD has issued the Certification Scheme Guidelines, a non-compulsory DPO certification scheme, which verifies that a DPO meets the professional qualifications and knowledge required to practice the profession. Although certification is not mandatory to be able to practice as a DPO, and the profession can be exercised without being certified under this or any other scheme, the Certification Scheme Guidelines note that the AEPD has considered it necessary to offer a reference point to the market on the contents and elements of a certification mechanism that can serve as a guarantee to accredit the qualification and professional capacity of DPO candidates.

The Certification Scheme Guidelines state that only those accredited by the National Accreditation Entity ('ENAC') can issue certificates to DPOs, and includes a list of organisations that have been accredited or are in process of being accredited.

Notification

The LOPDGDD also allows organisations to voluntarily appoint a DPO. However, if appointed, it will be mandatory to notify the AEPD of such appointment.

The LOPDGDD requires data controllers to inform the AEPD or, as the case may be, the regional data protection authorities, of the designations, appointments, and dismissals of DPOs within a period of ten days (Article 34(3) of the LOPDGDD).

The DPO notification with the AEPD can be made via an online form (only available in Spanish here). There is also an online form for notifying the APDCAT (only available in Catalan here), and the AVPD (only available to access in Spanish here).

The AEPD and the regional authorities have an obligation under Article 34(4) of the LOPDGDD to maintain, within the scope of their respective competencies, an updated list of DPOs that will be accessible by electronic means (the AEPD's list is only available in Spanish here).

Finally, if a data subject files a claim before the AEPD, the latter may first address the DPO in order to obtain an answer to the claim.

7.6. Data breach notification

There are no national law variations from the GDPR.

7.7. Data retention

There are no national law variations from the GDPR.

7.8. Children's data

Whereas the GDPR establishes a minimum age of 16 years for the processing of children's data based on the child's own consent, the LOPDGDD, pursuant to the enablement provided in the GDPR itself, according to which Member States may provide by law for a lower age provided that such lower age is not below 13 years, sets the age of the child at 14 years for the processing of data based on the child's consent.

7.9. Special categories of personal data

Processing of special categories of personal data

According to the LOPDGDD, the consent of the data subject will not be sufficient for processing data where the main purpose is to identify that individual's ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin. This is to prevent discrimination. Consequently, additional grounds are needed in order to process this type of personal data.

Moreover, the LOPDGDD states that processing of special categories of personal data in accordance with Article 9(2)(g), (h), and (i) of the GDPR must be based on a law, which could establish additional requirements regarding their security and confidentiality.

Processing of criminal convictions data

The processing of such data for purposes other than the prevention, investigation, detection, or prosecution of criminal offences, or enforcements may only be carried out when covered by a rule with statutory force and effect or by EU law. In other cases, processing of such data may only be carried out by lawyers and procurators, provided that the purpose of the same is to collect the information provided by clients for performance of their functions.

7.10. Controller and processor contracts

There are no national variations from the GDPR.

8. Data Subject Rights

8.1. Right to be informed

Data controllers may provide the information required by Article 13 of GDPR through a layer system. The first layer shall contain, as a minimum, the following:

  • the identity of the data controller (and the identify of its representative, where applicable);
  • a simple description of the purposes for which the data will be processed;
  • the possibility of exercising the data privacy rights;
  • a reference to the fact that the personal data will be processed for profiling (where applicable); and
  • a link to the second layer of information. The second layer must contain further information as required by Article 13 of the GDPR.

The layer system can also be used when the personal data has not been obtained from the data subject (Article 14 of the GDPR), in which case it will be mandatory to include in the first layer of information:

  • the categories of personal data concerned; and
  • the source from which the personal data originates.

Moreover, the LOPDGDD states that data controllers need to inform the data subjects not only about the possibility of exercising their rights, but also about the mechanism for exercising such rights (for example, via email).

8.2. Right to access

There are no national variations from the GDPR.

8.3. Right to rectification

There are no national variations from the GDPR.

8.4. Right to erasure

The LOPDGDD allows data controllers to block personal data when data subjects have previously exercised their rights to rectification or erasure. Thus, the data controller may keep such personal data duly blocked during the statutory limitation period of any liabilities that may arise as a consequence of the processing.

8.5. Right to object/opt-out

There are no national variations from the GDPR.

8.6. Right to data portability

There are no national variations from the GDPR.

8.7. Right not to be subject to automated decision-making

There are no national variations from the GDPR.

8.8. Other rights

Not applicable. 

9. Penalties

The LOPDGDD classifies data protection infringements as minor, serious, or very serious, and specifies the statutory limitation period that is one, two, and three years, respectively.

Regarding the sanctions amount, the LOPDGDD refers to the provisions set out in the GDPR.

9.1 Enforcement decisions

The AEPD imposed two sanctions on Caixabank in its resolution published in January 2021 (only available in Spanish here), for infringing the GDPR, which are relevant due to the considerable amount of the penalty. Specifically, a sanction of €4 million was imposed for the bank's lack of compliance with the requirements for obtaining valid consent from users, and another sanction of €2 million for unlawful processing of personal data due to the fact that the bank imposed customers' consent for the processing of their data in the framework contract.

In addition, the AEPD issued, on 27 July 2021, its decision in proceeding PS/00120/2021 (only available in Spanish here), fining Mercadona, S.A. €2.52 million, following the conclusion of the AEPD's investigation into the use of facial recognition systems carried out in Mercadona's establishments for the purpose of detecting the individuals with criminal convictions or restraining orders. In particular, the decision highlights, among other things, that the processing of biometric data through the facial recognition system did not only occur in relation to the identification of individuals with convictions or criminal offences, but rather affected any customer who walked into the supermarkets, including children, as well as Mercadona's employees.

Furthermore, the AEPD published, on 1 February 2022, its decision in Proceeding No. PS/00001/2021 (only available in Spanish here), in which it imposed a fine of €3.94 million on Vodafone España, S.A.U., violation of Articles 5(1)(f) and 5(2) of the GDPR for not implementing appropriate security measures to prevent fraudulent replication of SIM cards, and not being able to prove that Vodafone implemented such measures.

The AEPD published, on 18 May 2022, its decision in proceeding PS-00140-2020 (only available in Spanish here), in which it imposed a fine of €10 million on Google LLC for the violation of Articles 6 and 17 of the GDPR following two complaints and subsequent investigation from the AEPD.

In particular, the AEDP noted that the complaints concerned the transfer of requests related to the removal of content from Google's various products and platforms, such as the Google search engine and YouTube, to a third party, the 'Lumen Project'. Specifically, the AEPD explained that to enable the removal of content, Google required users that used the relevant forms to accept the transfer of copies of content removal requests to 'lumendatabase.org', on which they would, subsequently, be published.