Spain: Data Protection & Cyber Security

The In-House Lawyer Logo

This country-specific Q&A provides an overview to data protection and cyber security laws and regulations that may occur in Spain.

This Q&A is part of the global guide to Data Protection & Cyber Security. For a full list of jurisdictional Q&As visit

  1. Please provide an overview of the legal framework governing privacy in your jurisdiction (e.g., a summary of the key laws, who is covered by them, what sectors, activities or data do they regulate, and who enforces the laws enforced)?

    General framework:

    REGULATION (EU) 2016/679 OF THE EUROPEAN PARLIAMENT AND OF THE COUNCIL of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive 95/46/EC (GDPR): This regulation applies, in general, to all entities and organisations, wherever their location is, processing personal data of natural persons (data subjects) residing in the European Union and to those companies in the EU, regardless the location of the processing. Regarding companies located outside the EU, the activities must be related to the cases listed by the GDPR for being within the scope of the regulation. This regulation is mandatory and directly applicable in all EU Member States, which means that a national law introducing them is not required in order for them to take full effect. Nonetheless, almost all Member States have passed a law developing the aspects in which the GDPR leaves room for regulation applicable in their jurisdiction.

    Article 18 and 20.4 of the Spanish Constitution: The supreme law of the Spanish legal system dedicates these articles to provide a general scope for the right of honour, personal and family privacy and self-image and acknowledge them as fundamental rights within the Spanish legal system. Also, it ensures the existence of limits to these rights on respect for the rights of freedom of expression and information.

    Organic Law 1/1982, of 5 May, on the civil protection of the right to honour, to personal and family privacy and to one's own image: It develops the civil protection of the fundamental rights of honour, personal and family privacy and one's own image against any kind of interference or illegitimate intrusions and establishes limits to the right of one’s own image in cases when a relevant historical, scientific or cultural interest predominates.

    Organic Law 3/2018 of 5 December on the Protection of Personal Data and the guarantee of digital rights (LOPD): The development of the GDPR in Spain has been carried out through this organic law, which introduces some nuances to its provisions and develops the content of the GDPR when possible, establishing, for instance, specific rules for the appointment of the Data Protection Officers (DPO), the sanctioning process and its duration and the processing of employee data by their employers. The Spanish legislator has also included, among the rules on data protection, the recognition of a new catalogue of digital rights.

    Specific frameworks:

    (Labour relations field) Royal Legislative Decree 2/2015 of 23 October 2015 approving the consolidated text of the Workers' Statute Act (Workers' Statute Act), which establishes the basic framework of the labour relationships and limits the employer's power of control and supervision over employees in respect of their privacy, setting the standards for practising inspections and monitoring the activity of the employees (articles 18 and 20).

    (Health sector) Law 41/2002, of 14 November, which regulates patient autonomy and rights and obligations regarding clinical information and documentation: This law regulates the common period of retention of all clinical information about the patients and lays down certain requirement for the exercise of the right of access by patients to their clinical records. It should be taken into account that each region in Spain may have their own regulations in respect of the retention period of the patient’s information, which will prevail over this law.

    (Telecommunications Sector) Law 9/2014, of 9 May, General Telecommunications: This Law provides several measures to guarantee the protection of personal data and privacy in relation to unsolicited communications, traffic and location data and subscriber directories.

    (information society services and electronic commerce) Law 34/2002, of 11 July, on information society services and electronic commerce (LSSI), which sets out the requirements for the sending of commercial communications by electronic means. Consequently to the principle of normative speciality, these rules apply in preference to the GDPR and LOPD.

    There are some regulations and directives that will have a direct effect in the privacy regulatory scope when they are passed and, if necessary, transposed into national legislation:

    • Organic Law (draft) on the use of the data from the Passenger Name Registration for prevention, detection, investigation and prosecution of terrorist offences and serious crimes which is transposed from the Directive (EU) 2016/681, of 27 April 2016, with the same name.
    • Proposal for a Regulation on Privacy and Electronic Communications, which would repeal the present Privacy and Electronic Communications Directive of 2002 and would particularise and complement the latter including the requirement of consent to the use of cookies and opt-outs.
  2. Are there any registration or licensing requirements for entities covered by these laws and, if so, what are the requirements? Are there any exemptions?

    In general, compliance with the privacy regulations doesn’t require any registration or licensing of those entities which are affected by the previous laws, without prejudice to the obligation of registration for other reasons. The only case in which the organization shall submit a communication or registration to a public organization in relation with its obligations on data protection is the registration of the Data Protection Officer (DPO) in the competent data protection authority, which in Spain is the Agencia Española de Protección de Datos (AEPD). The DPO is regulated in section 4 of the GDPR, and it is compulsory for public authorities, except courts acting in their judicial capacity, and entities whose core activities require regular and systematic monitoring of data subjects or processing of special categories of data on a large scale. Nevertheless, any organization can decide to voluntarily designate a DPO, who will be subject to all the requirements and obligations established by the GDPR.

  3. How do these laws define personally identifiable information (PII) versus sensitive PII? What other key definitions are set forth in the laws in your jurisdiction?

    The definition of the personally identifiable information is established in the GDPR, article 4, where personal data are deemed any information relating to an identified or identifiable natural person. On the other hand, sensitive PII is defined, in article 9 GDPR, as any information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or union membership, and the processing of genetic data, biometric data for the purpose of uniquely identifying a natural person, data concerning health or data concerning a natural person’s sex life or sexual orientation.

    All the key definitions for the purposes of the GDPR are set out in article 4, where is defined also the concepts of genetic data, biometric data and data concerning health.

    In Spain, the previous personal data protection law (Organic Law 15/1999, of 13 December) already used the same definition of "personal data", which was established by the Directive 95/46/CE, now repealed by the GDPR.

    With regard to the concept of health, the GDPR defines it as any «personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status». This definition should be considered in relation to recital 35 of the GDPR, where it is supplemented including information relating to the past, current or future physical or mental health status, disease risk, medical history, genetic and biological data or samples, among others.

    This concept of health is broader than the one defined by the Spanish previous data protection law, the only legal text where a legal definition of this concept could be found, although it was not an own definition for “health data”, since that definition was given by the repealed Directive 95/46/EC. Moreover, Spanish law regulating patient autonomy gives only definitions for Medical information and history, which is very limited and exclusive to health centers and services. Therefore, the definition given by the has to be used in more general terms.

  4. Are there any restrictions on, or principles related to, the general processing of PII – for example, must a covered entity establish a legal basis for processing PII in your jurisdiction or must PII only be kept for a certain period? Please outline any such restrictions or “fair information practice principles” in detail?

    The GDPR establish the regulatory framework of data protection for all EU member states, establishing different principles related to the processing of personal data. These principles are: a) lawfulness, fairness and transparency in relation to the data subject; b) purpose limitation under which all data processed shall be collected for specified, explicit and legitimate purposes; c) data minimisation according to which all data shall be adequate, relevant and limited to the purposes for which they are processed; d) accuracy and data updating; e) storage limitation of the data for no longer than is necessary for the purposes for which they are processed; and f) integrity and confidentiality, ensuring appropriate security of the personal data;

    Encompassing the previous principles, the GDPR includes two guidelines which shall be respected by all entities in the processing of data, which are ‘accountability’ and ‘privacy by design and by default’, according to which the Controllers shall observe the regulations on data protection from the beginning of any operation and shall be able to demonstrate compliance with them.

    Spanish legislation on data protection applies the same principles of the GDPR.

  5. Are there any circumstances where consent is required or typically used in connection with the general processing of PII and, if so, are there are rules relating to the form, content and administration of such consent?

    Consent is one of the legitimate grounds for data processing established in article 6 GDPR, so the Controller will only be able to process data on the basis of the consent of the data subject when this is the most appropriate ground for a particular data processing activity.

    The requirements for a valid consent are established in article 7 GDPR, which are the same in Spanish privacy legislation: it should be demonstrable by the Controller, and it must be freely given by the data subject, specific, informed, unambiguous and, when consent is given for a plurality of purposes, it must be specifically and unequivocally stated for all of them. Moreover, the recital 32 of the GDPR states that consent should be given by a clear affirmative act, so tacit consent is excluded.

  6. What special requirements, if any, are required for processing sensitive PII? Are there any categories of PII that are prohibited from collection?

    In general, processing of sensitive data is prohibited by the GDPR, although this provision is not applicable when one of the exceptions established in article 9.2 occurs. Among others: when the data subject gave their consent, the process is covered by law, the data are manifestly made public by the data subject or its processing is necessary for the purposes of carrying out the obligations and exercising specific rights of the controller.

    In Spanish legislation (LOPD) it is established the prohibition on consenting data processes exclusively consisting of storage of identifying information about certain categories of specially protected data, so its treatment will only be legitimate if it is within the exceptions provided by the GDPR.

  7. How do the laws in your jurisdiction address children’s PII?

    Although the GDPR states in its recital 38 the necessity to implement specific protection rules with regard to children personal data, it only regulates child's consent in relation to information society services, establishing the minimum age of 16 years for a minor to be able to give a valid consent. Member States may provide for a lower age as long as it is not lower than 13 years old.

    The Spanish LOPD has set the minimum age at 14. The data processing of minors under fourteen years of age based on consent will only be lawful if the holder of parental authority or guardianship gives his/her consent for this processing. They will also be able to exercise in the name and representation of the minors the rights of access, rectification, cancellation, opposition or any other that could correspond to them.

  8. Are owners or processors of PII required to maintain any internal records of their data processing activities or to establish internal processes or written documentation? If so, please describe how businesses typically meet these requirements.

    The Spanish LOPD refers to the GDPR in relation to the recording of their data processes, which will be a requirement for organizations employing more than 250 persons and those with fewer employees, but which may carry out data processes likely to result in a risk to the rights and freedoms of data subjects, they are not occasional, or includes special categories of data. This record shall include the information listed in article 30 GDPR.

    The Spanish law adds, for certain public entities or related to the public sector listed in article 77.1 LOPD, the obligation to make this recording public and accessible by electronic means.

  9. Are consultations with regulators recommended or required in your jurisdiction and in what circumstances?

    As a general obligation of the Controllers or Processors, a prior consultation with the Data protection authority is established when a data processing, after having been analyzed under a data protection impact assessment (DPIA), results in a high risk in the absence of measures taken by the controller to mitigate the risk.

  10. Do the laws in your jurisdiction require or recommend conducting risk assessments regarding data processing activities and, if so, in what circumstances? How are these risk assessments typically carried out?

    No official list of processes subject to the requirement of conducting risk assessments on data protection has been released by the Spanish authority, although there is a draft list submitted that relates to the offering of goods or services to data subjects, the monitoring of their behavior in several Member States and/or and the substantial affectation of the free movement of personal data within the Union. This draft list was examined by the European Data Protection Board and the AEPD will have to communicate the final decision to the Board amending or maintaining its draft list for its inclusion in the corresponding register.

    Nevertheless, the Spanish authority has published two guidelines in order to help Controllers to carry out general risk assessments and data protection impact assessments, available only in Spanish language:

  11. Do the laws in your jurisdiction require appointment of a data protection officer, or other person to be in charge of privacy or data protection at the organization? What are the data protection officer’s legal responsibilities?

    According to the Spanish law, data controllers and data processors shall appoint a data protection officer in the cases provided for in Article 37.1 of Regulation (EU) 2016/679 and, in any case, in the case of the entities of the article 34 LOPD.

  12. Do the laws in your jurisdiction require providing notice to individuals of the business’ processing activities? If so, please describe these notice requirements (e.g. posting an online privacy notice).

    The principle of transparency of the GDPR implies the obligation for the companies to give detailed information about the processing of the data to the person affected by it. Article 13 and 14 GDPR establish the minimum content of the information to be provided where personal data are collected from the data subject and when the personal data has not been obtained from them.

    In Spanish LOPD, the duty of information will be fulfilled if the Controller provides the affected person with the following information: The identity of the data controller and its DPO, if applicable; the purpose of the treatment; the possibility to exercise the rights set out in Articles 15 to 22 of GDPR and an e-mail address or other means that allows easy and immediate access to the rest of the information.

  13. Do the laws in your jurisdiction apply directly to service providers that process PII, or do they typically only apply through flow-down contractual requirements from the owners?

    The GDPR regime applies to any service provider who accesses personal information in the course of providing a service to a Controller, regardless of whether or not a formal data processing agreement (DPA) has been signed. However, the signing of this type of contract is a mandatory legal requirement for this type of relationship, so its absence implies that the obligations of the parties regarding data protection will not be well defined. Consequently, in case of infringement of the data protection obligations by any of the parties, the non-existence of this contract may lead to co-liability and/or higher penalties.

  14. Do the laws in your jurisdiction require minimum contract terms with service providers or are there any other restrictions relating to the appointment of service providers (e.g. due diligence or privacy and security assessments)?

    Data Processing for processors acting on behalf Controllers shall be governed by a contract or other legal act, according to article 28 of GDPR, whose content shall include the obligations listed in the previous article. The Spanish LOPD adds a stipulation that can be included in this contract by which the processor is able to process, on behalf of the Controller, the requests formulated by the data subjects in relation with their rights.

    The Spanish authority (AEPD) has released a model of contract between Controllers and Processors which can be used as an indicative model for the parties. It does not have the status of standard clauses for the purposes of article 28.8 of the GDPR. It is only available in Spanish language:

  15. Is the transfer of PII outside the jurisdiction restricted? If so, please describe these restrictions and how businesses typically comply with them (for example, does cross-border transfer of PII require notification to or authorization form a regulator?)

    Transfers of personal data to third countries or international organizations are restricted and they shall take place only if they are subject to the conditions laid down in chapter 5 of the GDPR which grant a sufficient level of protection of natural persons affected by the processing.

    A transfer of personal data to third countries or international organizations only will be acceptable if a) the Commission has decided that the third country or territory ensures an adequate level of protection; b) in the absence of a decision on adequacy, only with the provision of appropriate safeguards by the controller or processor. These safeguards may be, without requiring any specific authorization from a supervisory authority: legally binding and enforceable instruments between public authorities or bodies, binding corporate rules for company groups, the adoption of standard data protection clauses adopted or approved by the Commission, approved codes of conduct together with binding and enforceable commitments and certification mechanisms also together with binding and enforceable commitments, both pursuant to articles 40 and 42 GDPR. On the other hand, the parties can also sign contractual clauses or, if applicable provisions to be inserted into administrative arrangements, although they will be subject to the authorization from the competent supervisory authority.

  16. What security obligations are imposed on PII owners and on service providers, if any, in your jurisdiction?

    There is not an official list of security measures established by any regulations, so companies shall analyse their particularities to define the security measures applicable to them. Controllers can apply the international or national security standards, like ISOs, although it is not a compulsory requirement.

    For small businesses, the Spanish cyber security institute, an organisation related to the government whose objective is the development of cyber security and the digital trust of citizens, regularly publishes guidelines for entities to help them observe the minimum security measures to protect their information.

  17. Does your jurisdiction impose requirements of data protection by design or default?

    The controllers shall, in order to comply with the principle of privacy by design and by default, implement appropriate technical and organisational measures appropriate to the risk detected of loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

    Moreover, the concept of "privacy by design" refers to the need to consider the guarantees of the RGPD from the start of any operation or process, planning ahead for the adoption of measures to ensure that only the necessary data are processed and for the time required. In this regard, the recital 78 of the GDPR states that Controllers which process personal data and creators of products, services and applications based on the processing of personal data, «should be encouraged to take into account the right to data protection […]and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.». On the other hand, "privacy by default" measures are intended to imply that organizations, by default, only process the necessary personal data for the fulfilment of the purposes for which they were gathered. This refers to the amount and the type of data collected, the processing organizations do, the time of retention of the same and the access allowed to them.

    In Spain these principles imply a change of approach in the compliance with data protection regulations, since, with the previous regulations, the entities processing personal data had to follow a series of rigid guidelines regarding security measures which were established by the Administration. For the time being, no rules establishing minimum security measures or standards applicable to data processing have been established by Spanish regulations, although any organization processing personal data must justify the adequacy of the measures effectively applied.

  18. Do the laws in your jurisdiction address security breaches and, if so, how does the law define “security breach”?

    The Spanish LOPD refers to the GDPR in relation to the definition and regulation of security breaches, which are breaches «of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed». It is necessary, therefore, that the "breach" referred to in the RGPD, while being a type of security incident, is applied only to the extent that it affects personal data.

  19. Under what circumstances must a business report security breaches to regulators, to individuals, or to other persons or entities? If breach notification is not required by law, is it recommended by the regulator and what is the typical custom or practice in your jurisdiction?

    The notifications of security breaches to the competent control authority are compulsory when they may result in a risk to the rights and freedoms of natural persons, according to article 33 GDPR, which in the case of Spain is the Spanish Data Protection Agency (AEPD). Only when the security breach may result in a high risk to the persons affected, the controller shall communicate the personal data breach to the data subjects, following the rules established in article 34 GDPR.

  20. Do the laws in your jurisdiction provide individual rights, such as the right to access and the right to deletion? If so, please provide a general description on what are the rights, how are they communicated, what exceptions exist and any other relevant details.

    The right to access and deletion are granted by the GDPR and the LOPD as well as other individual rights: the right to obtain the rectification of his/her inaccurate personal data; the right to be forgotten, which is a specialty of the right of deletion; the right to obtain from the controller restriction of processing in certain circumstances; the right to receive the personal data concerning him or her in a «structured, commonly used and machine-readable format» in order to transfer them to another controller; the right to object, because of his or her particular situation, to processing of his/her personal data; and, finally, the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects or similarly significantly affects him or her.

    All this rights are subject to limitations, which are foreseen in their specific articles. However, the main limitation on the exercise of these rights is the prohibition on affecting data of third parties in the exercise of these rights.

  21. Are individual rights exercisable through the judicial system or enforced by a regulator or both? When exercisable through the judicial system, does the law in your jurisdiction provide for a private right of action and, if so, in what circumstances? Are individuals entitled to monetary damages or compensation if they are affected by breaches of the law? Is actual damage required or is injury of feelings sufficient?

    The infringement of the data protection provisions is subject to fines, which are enforced by Data Protection Authorities, which in Spain is the AEPD. The GDPR also establishes that such economic penalties may be replaced by warnings, so that the offenders take the corrective measures indicated on them, although this is an exceptional measure. All competent authorities have the discretionary power to graduate the fines, depending on the nature of the facts. However, the decisions of the AEPD may be appealed, in which case, the appellant party must lodge it with the competent courts.

    The GDPR also grants the right to claim compensation to any person who has suffered damage (material or moral) as a result of an infringement of the Regulations from the controller or processor. This compensation shall be claimed before the competent courts and it is without prejudice to the right of the data subject to submit a claim to the AEPD for such infringement.

    When claiming a compensation for damages, the Spanish judicial system requires that the damage is actual and caused by actual and certain damage.

  22. How are the laws governing privacy and data protection enforced? What is the range of fines and penalties for violation of these laws? Can PII owners appeal to the courts against orders of the regulators?

    GDPR establishes the general framework of penalties that should be observed in case of infringements of the data protection legislation. In Spain, the AEPD is the entity with powers of control, supervision, inspection and coercion in relation to data protection obligations. Data subjects can submit their claims to this entity in the event that their rights and privacy have been affected, although they will not be able to claim compensation for any damages they may have suffered. In this case, data subjects must sue the offending company in court to claim the appropriate compensation.

    Regarding the range of fines established in the GDPR, it sets the administrative fines for the infringements listed in article 83.4 GDPR up to 10.000.000 EUR, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher. On the other hand, the serious infringements listed in article 84.5 GDPR, would be subject to administrative fines up to 20.000.000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher. In each individual case, all fines should be effective, proportionate and dissuasive.

    In the Spanish administrative system, infringements are divided into three categories: very serious, serious and minor. Therefore, the sanctioning regime established by the LOPD makes this distinction, although the fines will be determined according to the GDPR criteria, depending on the particularities of each case.

  23. Does the law include any derogations, exclusions or limitations other than those already described? Please describe the relevant provisions.

    With regard to the material scope of the GDPR, it does not apply to the processing of personal data by a natural person in the course of a purely personal or household activity, so in case a natural person violates the privacy of a third party, none of the provisions of the GDPR would be applicable and national law should apply.

    Furthermore, it is significant the exclusion of the processing of personal data which concerns legal persons from the scope of the GDPR. It means that this Regulation does not cover the processing of the name and the form of the legal person and the contact details of the legal person. The previous Spanish data protection law, apart from the previous information, also did not cover the contact details of natural persons providing their services in the organizations, when consisting solely of their name and surname, their functions or position held. It also did not cover the details of individual entrepreneurs when referring to them in their capacity as traders. The application of the GDPR has meant that these data, which were previously excluded, are now subject to the protection of this regulation. However, the Spanish legislator has introduced in article 19 LOPD a presumption in relation to these data, which will be deemed to be covered by legitimate interest as a basis for their processing, unless proven otherwise and provided that a series of requirements are met.

  24. Please describe any restrictions on monitoring or profiling in your jurisdiction including the use of tracking technologies such as cookies – how are these terms defined and what restrictions are imposed, if any?

    The ‘Profiling’ that falls within the scope of the GDPR is understood as any form of automated processing of a data subject’s personal data in order to analyze or predict their performance at work, their economic situation, health, personal preferences, interests, reliability, behavior, location or movements.

    There are three ways of using profiles in practice: profiling, take decisions based on profiling, and take automated decisions based on profiling. Only when the last case «produces legal effects concerning him or her or similarly significantly affects him or her» the Controller should take into account certain requirements and measures established in article 22 GDPR. In general, the data subject has the right not to be subject to this kind of decisions, except if he or she has given his/her consent and when it is necessary to execute a contract, in which case suitable measures to safeguard the data subject’s rights will be necessary, or when it is authorized by the EU or a Member State law.

    Regarding monitoring, there has not been established a specific definition in the GDPR and it is only referred to as a data process in the case of systematic monitoring of a publicly accessible area on a large scale, one of the situations which require an impact assessment on data protection. In this sense, in the Guideline on Data Protection Impact Assessment elaborated by the extinguished Article 29 Working Party, the process “Systematic monitoring” appears as a risk criterion that should be considered when analyzing if a processing operation may result in a high risk, so it will have to be subject to a data protection impact assessment. This expression is defined as a «processing used to observe, monitor or control data subjects, including data collected through networks».

    The monitoring that must be taken into account for the purposes of the regulation, therefore, will be the one that implies the processing or collection of personal data in circumstances where data subjects may not be aware of who is collecting their data and how they will be used. For this reason, any processing of data involving the monitoring of an individual must respect the principles and rules of the GDPR.
    The use of tracking technologies through information society services, such as cookies, is regulated in Spain by the Law 34/2002 (LSSI), although it is intimately connected to privacy, so the GDPR and the Spanish LOPD have affected their regulation. The LSSI establishes the general obligation to inform and ask for the consent of the user for downloading and installing cookies on their computer. However, cookies that are strictly necessary to enable communication between the equipment and the network, provide a service expressly requested by the user, allow authentication or identification, provide security, play multimedia, load balancing, customize the user interface other similar functions are excluded from these obligations. In all other cases, informing and requesting consent in accordance with the GDPR will be required.

    Finally, when profiling and monitoring carried out by the Controller is likely to result in a high risk to the rights and freedoms of the data subjects it will be necessary to carry out an impact assessment on the protection of personal data of the activity, as well as appoint a DPO who will supervise compliance with the obligations on data protection.

  25. Please describe any laws addressing email communication or direct marketing?

    In Spain, the law that regulates email communications and direct marketing via electronic means is Law 34/2002, which requires prior consent of the recipient or the existence of a previous contractual relationship between the parties. These rules apply not only to communications whose recipients are natural persons, but to any kind of recipient, even communications sent to a legal person’s electronic address.

    Moreover, article 23 of the Spanish data protection law (LOPD) imposes an obligation to consult advertising exclusion lists before any direct marketing campaign. This consultation will not be necessary when the data subject gave their consent to the Controller for receiving this kind of communications.