+34 958 63 01 14 [email protected]

In Spain, Personal data protection is regarded as a topic of the utmost importance. Article 18.4 of the Spanish constitution of 1978 says:

The law will limit the use of information technology in order to guarantee honour, personal and family intimacy of citizens and all their rights.

The first organic law explicitly dealing with data protection appeared only in 1992 with law 5/92 of 29th October.  This law was later amended with Organic law 15/1999 of 13th December.  Later on the constitutional tribunal deemed few paragraphs of this law unconstitutional in sentence 292/2000. The last amendment of the law is the Royal decree 1720/2007. This is a complex document expressed in 158 articles.

In 1993 the “Agencia Española de Protección de Datos” (Spanish Data protection Agency) was created in order to control and enforce these laws in Spain. Autonomic agencies were created as well in Madrid, Cataluña and the Basque country.

Territorial scope of application

With the internationalisation of data hosting, with distributed hosting and cloud hosting it is not always clear where the data is physically stored.  Nevertheless, Spanish legislation will apply when:

  1. When storage and processing is carried out as part of the activities of an organisation registered in Spain.
  2. When the entity responsible for the processing is not registered in Spain but is subject to Spanish law according international law regulations.
  3. When the entity responsible for the processing is not established on European Union territory but it is using storage and processing facilities situated in Spain.  This does not apply if such facilities are used solely for transit purposes.

Data protection is a serious matter

Spain is the country within the EU with the highest rate of complaints related to data protection.  It is also the country with the most severe fines.  For example, minor sanctions can range between 60.01€ to 6,101.21€ while serious sanctions can range between 6,101.21€ to 30,506.05€.  For extremely serious cases the sanctions can range between 30,506.05€ to 60,012.10€.

It does not matter how harsh the fines are, many companies especially small businesses in Spain, still do not comply fully with Data protection laws.

A business has the duty to inform people

When a business or an organization collects personal data, be it with a form on a web page or with any other data collection method, it must inform the individual explicitly beforehand of the following:

  1. The existence of a file collecting his data, the objectives of storing the data and the recipients of this information.
  2. The mandatory or the optional character of the information collected.
  3. The consequences of providing or not providing the data.
  4. The rights to access, rectify, delete or oppose the data stored.
  5. The identity of the individual responsible of the treatment and the storage of the data or his representative.

If the personal information has been collected indirectly, there is the obligation to inform the person within 3 months from the initial data storage.

If the information has been collected from “freely available sources” (for example telephone directories or professional registers) and the objective is publicity or market research, the company is obliged to inform the person of the 5 points above, when they make contact.

Web sites will have to include a privacy statement (or links to it) explaining the 5 points above, at the bottom of any form collecting personal information.

Data with special protection

The Spanish constitution states that nobody has to provide information about his ideology, religion, trade-union membership, political party membership or beliefs.  When asking for this data it must be stated that the person has the right to refuse. The person has to give written consent.

Files maintained by political parties, trade unions, churches, religious confessions or non-profit organizations with a political, philosophical, or religious objectives, do not need to have written consent but nevertheless still require consent regarding member’s data.

Treatment of administrative and criminal infractions data is explicitly forbidden.  Only authorised public administrations have the right to store this kind of data.

Treatment of data regarding racial origin, health information or sexual preferences is restricted to medical organizations and/or health professionals. Understandably, in cases of medical emergency the patient’s consent is not mandatory.

Data confidentiality and communication to 3rd parties

Data confidentiality is compulsory and any transfer to a 3rd party will need not only the consent from the individual but an explanation of why this transfer is necessary.  The individual will be able to revoke consent at any time.

Consent is not required in cases where data is collected from freely available sources.

Communication of personal data to third parties without the consent of the data owner, is one of the most common and serious infractions. The types of infractions can be extremely diverse.  Examples are the sale of client databases to other companies or links in web pages similar to “recommend this page to a friend”.

This last example is controversial, but shows how important the protection of privacy is.  Several Spanish websites were fined for these kinds of links as the “friend” would receive an unsolicited marketing email from the website: in practice unsolicited emails (Spam).

Transfer of personal information embedded in third party cookies (cookies are small text files storing information in the web browser) to third parties is also regulated and this will be the subject of a specific article as there is a new EU regulation for this.

Security measures

Organisations or businesses collecting personal information are obliged to protect the data from unauthorised access or unauthorised alteration.  In case of a security breach (on a web site database for example) the organisation will be held liable for damages.

Depending on the type of information handled the law is considering 3 levels of security:

  • Basic security, for any information or process dealing with personal information.
  • Medium security, for any information related to personal financial information or administrative and criminal infractions.
  • High security, for data collected without consent by police forces under the scope of an investigation, data related to ideology, religion, trade-union membership, political party membership, beliefs, racial origin and sexual behaviour.

The law states which security measures must be employed, but in most cases businesses will only handle data related to basic security.  In these cases and without going into the details businesses will have to:

  • Designate a person responsible for data security and privacy
  • Make sure that the employees act responsibly and know exactly what data they are allowed to access under the scope of their functions and how to handle the data.
  • Deploy a control system preventing access from unauthorized persons.
  • Safely and regularly backup the data.

These are general guidelines and not definitive statements of law. All questions about the law’s applications should be directed to a Spanish Lawyer. For additional information please refer to https://www.velascolawyers.com/articles