Law Library Stacks

Back to Online Privacy Law

*A 2017 updated version of this report is available

Among the EU countries, Spain has some of the strictest legislation on personal data protection. It has transposed all of the EU Directives related to this matter. Spanish law has even been successfully challenged before the European Court of Justice (ECJ) for imposing additional requirements in its domestic legislation regarding the release of personal data without the consent of the data subject. Spain’s data protection agency has been very active and responsive to citizens’ complaints and imposes heavy fines on violators of data protection laws.

Spain has recently been engaged in “right to be forgotten” litigation with Google. Although Google obtained a positive ruling from a Spanish court on jurisdictional grounds, the court did not address the right to be forgotten. That issue went to the ECJ for an advisory opinion, which will be binding on all EU Member countries when issued.

I. Legal Framework

The 1978 Spanish Constitution[1] provides for the protection of personal and family privacy,[2] stating that the law must set limitations on the use of information technology in order to guarantee the honor as well as the personal and family privacy of individuals and the full exercise of their rights.[3] This provision constitutes the framework and basis for Spanish legislation on data protection, which in 1978 was a novel concept unlikely to be found in a constitutional norm.[4]

In 1999, Spain enacted an Organic Law on the Protection of Personal Data  (Ley Orgánica de protección de datos de carácter personal, LOPDP)[5] to transpose the European Union (EU) Data Privacy Directive (Directive 95/46).[6] The LOPDP governs personal and family privacy, and guarantees and protects fundamental rights and freedoms with respect to the processing of personal information.[7] In 2007, Spain enacted an implementing regulation to the LOPDP that also serves to transpose Directive 95/46: the Regulation on the Development of the Organic Law on the Protection of Data (Reglamento de desarollo del la Ley Orgánica 15/1999, de protección de datos de carácter personal, RLOPDP),[8] which aims to bring more legal certainty to the data protection regime, particularly on issues that over the years have proven to be in need of further regulatory implementation.[9]

In 2007, Spain enacted Law 25/2007 on the Retention of Data Generated or Processed in Connection with Electronic or Public Communications Networks,[10] to transpose European Directive 2006/24/EC, on Telecommunications Data Retention.[11] On March 30, 2012, Spain transposed Directive 2002/58/CE (the E-Privacy Directive) as amended by Directive 2009/136,[12]  when it passed Royal Decree 13/2012,[13] introducing the European regulation of “cookies” into domestic law, as discussed further in section II(B) of this report.

Back to Top

II.  Current Law

A.    Scope of Application

The LOPDP applies to personal data stored in a physical medium susceptible of being processed and the use of such data in the public or private sectors.[14] This law applies as long as

  • the data controller carries out his activities in Spain;
  • the person responsible for the data processing is not located in Spain but is subject to Spanish law under international rules; or
  • the person is not established in the EU but is using processing means located in Spain, unless such means are used only for transit.[15]

The LOPDP includes provisions for setting up a national data protection agency, the Agencia Española de Protección de Datos (AEPD), whose functions are discussed in section III, as the enforcement agency with the authority to hear complaints on personal data protection matters and to impose sanctions.[16]

Protected personal data are defined in both the LOPDP[17] and the RLOPDP[18] as any information presented in any alphanumeric, graphic, photographic, acoustic, or any other format related to identified or identifiable individuals.[19] Files in private ownership containing personal data may be created when it is necessary to carry out the legitimate business and purpose of the person or entity owning them, provided the safeguards required under the LOPDP are met.[20]

The following types of data are excluded from protection:

  • Data created or kept by an individual for personal use related to his or her private or family life
  • Data  related  to  classified  material,  which  is  subject  to  special  data  protection legislation
  • Data related to investigations of terrorism and organized crime.[21]

B.  Right to Consent

The processing of data and their transfer to third parties are allowed only with the prior consent of the data subject,[22] except under certain statutorily described circumstances that include the following:

  • authorization by a regulation with the force of law, or under EU law, and in particular
  • in pursuit of the legitimate interest of the data controller or the recipient, as long as the interest or fundamental rights and liberties of the data subject are not affected; or
  • when the processing or transfer of data is necessary for the data controller to comply with his or her legal obligations;[23]
  • collection to carry out public administration duties under regulations having the force of law or EU legislation;
  • collection by the data controller in compliance with a contract or pre-contract, or in the course of a business, employment, or administrative relationship to which the data subject is a party and for which the collection of data is needed;[24]
  • processing for the benefit of the data subject’s life or health;
  • required transfer for the development, performance, or control of a legal relationship;
  • transfer intended for the ombudsman, the Office of the Public Prosecutor, judges, courts, or the Spanish Court of Audits, or to the Autonomous Communities authorities with similar functions to that of the ombudsman or the Spanish Court of Audit; or
  • transfer between public administration entities, as long as (a) data is processed for historical, statistical, or scientific purposes; (b) personal data has been collected or obtained by one public administration entity to be provided to another; or (c) the communication of personal data is done in fulfillment of identical powers or powers related to the same matters.[25]

In addition, the public administration may only transfer data collected from publicly available sources to private data controller’s files when such a transfer is allowed by a regulation having the force of law.[26]

Royal Decree 13/2012[27] regulates the use of “cookies,” defined as devices or features that allow for web browsing while also allowing access to the private information of the user. Data hidden in cookies is exchanged among web users’ hard drives and website servers. The Decree aims to ensure that users are safeguarded with proper information and appropriate tools to protect their privacy.[28] The Decree amends Law 34/2002 on Services of the Information Society and E-commerce,[29] providing that the service provider has two ways of obtaining the required consent from the user in order to use cookies: (1) through an opt-in consent that must be released after the user has been given adequate information about the cookies; or (2) through a preset consent in the browser’s settings or any other application.[30] This Spanish transposition of Directive 2009/136 is stricter than the Directive itself, in that it requires express consent by the user.[31]

C.   Right to Consult the General Data Protection Register

Individuals have the right to access the General Data Protection Register (see below, section III) free of charge to verify the records of their personal data, the purpose for which they were collected and stored, and the identity of the controller.[32]

D.  Right to Challenge Data Processing

Data subjects have the right to not be bound by a decision with legal consequences for them, or which significantly affects them, and which is solely based on data processed to assess certain aspects of the person’s personality.[33]

A data subject may challenge any administrative and private decision based on an assessment of his behavior if such an assessment is based only on personal data that includes a definition of the person’s personality or characteristics.[34] In this case, the data subject has the right to obtain information about the criteria used by the data controller in processing the personal data in question.[35]

E.  Right of Access

A data subject has the right to obtain, free of charge, information about how his personal data that is subject to processing was obtained, as well as how such data has been and will be used or communicated to others.[36]

F.  Right to Correct and Erase

If the personal data is inaccurate or incomplete, or has been processed in violation of the LOPDP, the data subject has the right to have it corrected or erased by the data controller within ten days of the request.[37]

Erased data will be blocked and kept only at the discretion of the public administration entities, judges, and courts, for the purpose of establishing possible liabilities deriving from processing, while the statute of limitations for such liability is still running. After this period expires the data must be deleted.[38]

G.  Right to Seek Redress and Damages

In the case of violations of the LOPDP, data subjects are entitled to file complaints with the AEPD[39] and to seek compensation for damages.[40]

H.  Notifications

Data controllers must report to the AEPD the creation of personal data files,[41] the name of the controller, the purpose of the file, the type of data included, security measures taken, and any domestic or international transfers intended to be performed (see also below, section III).[42]

The first transfer of data must be reported to the data subject, indicating the purpose of the transfer and the name of the recipient (with a few exceptions listed under article 11 of the LODPD)[43]

Personal data contained in a “promotional census”[44] or in publicly accessible sources, such as the lists of members of professional associations whose files are open to the public, public registries, telephone directories, newspapers, official gazettes, and the media, should be limited to the information necessary to meet the needs for which the list was created. The inclusion of additional data by the entities responsible for managing these sources requires the consent of the data subject, which may be revoked at any time.[45]

Data subjects are entitled to require the entity responsible for keeping such lists to note in the list, free of charge, that their data is not to be used for advertising or market research purposes.[46] Data subjects also have the right to have their personal data removed from the promotional census list, free of charge, by the entity responsible for keeping such data.[47]

I.  Sensitive Personal Data

Under the Spanish Constitution, no one may be required to reveal his or her ideology, religion, or beliefs.[48] Therefore, individuals must be notified of their right to refuse to provide such information when requested.[49]

Personal data that include a person’s ideology, trade union membership, religion, and beliefs may be processed only with the written consent of the data subject. Exceptions to this principle are member data files kept by political parties, trade unions, churches, religious institutions or communities, and associations, foundations, and other nonprofit organizations with a political, philosophical, religious, or trade union purpose. However, the transmittal of such data always requires the data subject’s prior consent.[50] Files created with the sole purpose of storing personal data revealing ideology, trade union membership, religion, beliefs, racial or ethnic origin, or sex life are forbidden.[51]

Personal data that include information on racial origin, health, or sex life may only be collected, processed, and transferred when a law so requires on public interest grounds, or with the specific consent of the data subject.[52] This data may also be processed if it is necessary for preventive or diagnostic medical needs, medical care or treatment, or management of health-care services, and only if such data are processed by a health-care professional bound by professional secrecy or any other person also subject to an equivalent obligation of secrecy,[53] or if the processing of the data is needed to protect the vital interests of the data subject (or another person, if the data subject is physically or legally incapable of giving his consent).[54]

Personal data on criminal or administrative offenses may be included in files of public administration entities only under the conditions established under their regulations.[55]

J.  Protection of Minors

Until the passage of the RLOPDP in 2007, there was no specific reference to the protection of the personal data of minors in Spanish law.[56] The RLOPDP now requires the consent of parents or legal representatives in order to process the personal data of minors under the age of fourteen.[57] The personal data of minors older than fourteen may be processed with the minor’s consent, except when the law specifically requires the parent’s or legal representative’s assistance in providing such data.[58]

The RLOPDP prohibits the gathering of information about parents or any other family members through the minor.[59]

When dealing with the processing of data on minors, the information addressed to them should be provided in a simple and easy language.[60] It is the data controller’s responsibility to verify the minor’s age and the authenticity of the consent given by the parent, guardian, or legal representative.[61]

The law requires social media and other online services to provide an efficient technology to securely identify the age of the users. However, the reality is that these systems are not yet generally available and minors are constantly at risk of having their consent obtained in violation of the law.[62]

K.  Data Retention

With regard to data retention, Law 25/2007 on the Retention of Data Generated or Processed in Connection with Electronic or Public Communications Networks,[63] transposes European Directive 2006/24, on Telecommunications Data Retention.[64] The new law regulates the retention of data related to electronic communications and public communications networks in order to detect, investigate, and prosecute serious crimes.[65] Law 25/2007 lists the types of data that must be kept in order to identify both ends of the communication and the date and time, duration, and type of service and equipment to be used; the law requires the retention of these utilization data but not the retention of content data (those disclosing the content of the communication).[66] The data must be retained for a period of twelve months, which may be reduced or adjusted according to the type of data involved.[67] The Law also sets restrictions as to the competent authorities to whom the data may be transferred. These authorities are members of the security forces, customs authority agents, and National Center of Intelligence staff who perform judicial police duties.[68]

Law 25/2007 has generated opposition from different groups, such as European Digital Rights (EDRI)[69] and XS4ALL,[70] who filed a complaint, maintaining that the retention of data on national security grounds often violates basic human rights such as the privacy of individuals.[71]

L.  Data Security

The data controller and the data processor are required to adopt technical and organizational measures needed for the security of personal data and to prevent its alteration, loss, or unauthorized processing or access, considering the state of the art, the nature of the data stored, and the risks to which they are exposed.[72]

Personal data may not be recorded in files that do not meet the security safeguards required by the regulations.[73] Security measure regulations are covered in detail in Title VIII of the RLOPDP.[74]

M. Infractions

Data controllers and processors are subject to penalties that vary depending on the type of infraction.[75] Article 44 of the LOPDP classifies the infractions. It may be translated as follows:

Article 44. Types of Infractions

1. The infractions are classified as minor, serious, and very serious.

2.  Minor infractions are:

a)  Failure to respond, for formal reasons, to a data subject’s request for rectification or cancellation of personal data subject to processing.

b)  Failure to provide information as requested by the Spanish Agency for Data Protection [AEPD] in the exercise of its legally assigned functions, concerning non- substantive aspects of data protection.

c)  Failure to request the entry of a file of personal data in the General Data Protection Register, unless this constitutes a serious infraction.

d)  Commencing the collection of personal data of data subjects without providing them the required information as specified in article 5 of the present law.

e)  Failure to fulfill the secrecy requirements as established in article 10 of the present law , unless this constitutes a serious infraction.[76]

3. Serious infractions are:

a)  Creation of public-ownership files, or initiation of the gathering of personal data for [the creation of] such files—without the proper authorization [having been]published in the Boletin Oficial del Estado or an equivalent official gazette.

b)  Creation of private-ownership files, or initiation of the gathering of personal data for such files, for purposes different from those that constitute the legitimate objective of the enterprise or entity [involved].

c)  Collection of personal data without obtaining the specific consent of the data subjects, when such consent is required.

d)  Use or processing of personal data in violation of the LOPDP and implementing regulations when this does not constitute a very serious infraction.

e)  Impeding or obstructing the exercise of the rights of access and objection of data subjects, and refusing to provide requested information.

f)   Maintaining inexact personal data or failing to effectuate the correction or deletion of such data from the files that are legally required when the rights of persons who are protected by the present law (LOPDP) are affected.

g)   Violation of the duty to maintain secrecy of the personal data introduced into files that contain data related to the perpetration of administrative or criminal offenses, the Public Treasury, financial services, provision of “patrimonial solvency” [financial solvency] and credit services, as well as other files that contain a collection of personal data that would be sufficient to “obtain an evaluation” [form a profile] of the personality of the individual.

h)  Keeping files, premises, programs, or hardware containing personal data without the required security measures as statutorily prescribed.

i)   Failure to provide the AEPD with the notifications required by this Law or its implementing provisions as well as failure to notify this agency in a timely manner of the number of documents and information that it should receive or that it should require for the se purposes.

j)  Obstructing inspections.

k)  Failure to enter a file of personal data in the General Register of Protected Data [GDP Register] upon the Director of the AEPD’s request.

l)  Failure to provide information required under articles 5, 28, and 29 of this Law, when the data has been obtained from a person other than the data subject.[77]

4.  Very serious infractions are:

a)  Fraudulent or misleading collection of data.

b)  Unauthorized communication or transfers of personal data,

c)   Collection and processing personal data referred to in article 7(2) without the express consent of the data subject; collection and processing of the data referred to in article 7(3) without statutory authorization or express consent of the data subject or violation of the prohibition contained in article 7(4) when it is required under the law, or obtaining and processing data in violation of the LOPDP.

d)  Failure to stop the illegitimate use of processing of personal data operations when required to do so by the Director of the AEPD or by those with rights of access thereto.

e)  Transfer of personal data, either temporarily or permanently, of data that were the object of processing or had been collected in order to submit them to processing to countries with no comparable level of data protection safeguards without  the authorization of the Director of the AEPD.

f)  Illegitimate [Improper] handling of personal data or with disregard [contempt] of the principles and guarantees that are applicable, when acting in this manner results in the impediment or an attempt against the exercise of fundamental rights.

g)  Breach of the duty of secrecy regarding personal data referred to in article 7(2) and (3) as well as data collected for police use without the data subject’s consent.

h)  Systematically preventing or failing to comply with the exercise of the rights of access, correction, erasure , or objection.

i)  Systematic failure to comply with the duty to make the required notification of the entry of personal data in a file.[78]

N.  Penalties

Violations of the LOPDP are punished with fines that are adjusted on a regular basis.[79] Minor infractions are punished with a fine of €601–60,101 (about US$750–75,800), serious infractions with a fine of €60,000–300,000 (about US$75,700–378,500), and very serious infractions with a fine of €300,000–600,000 (about US$378,500–757,000).[80]

Penalties are applied according to the nature of the right that has been affected, the volume of the processing operations carried out, the profits obtained, the intentional nature of the offense, the repetition of the offense or recidivism of the offender, the damage caused to the data subjects and to third parties, and any other consideration relevant to determining the degree of illegality and culpability of the specific wrongdoing.[81]

The Director of the AEPD may also require data controllers to end the use or illegal transfer of data, in cases of very serious infractions. If the violation persists, the AEPD may, through a reasoned decision, block the files in order to restore the rights of the data subjects.[82]

In addition to the administrative fines that may be imposed under the LOPDP, the 1995 Criminal Code also addresses crimes dealing with violations of privacy involving the processing of personal data, such as

  • collecting personal data in violation of someone’s privacy by illegally intercepting electronic communications, messages, files, or other communication signals;
  • the unauthorized misappropriation, use, or alteration of confidential information or personal data kept in electronic files, whether public or private, to the detriment of the data subject or a third person; and
  • transferring illegally obtained personal data.[83]

These offenses are punished with terms of imprisonment ranging from one to five years and a fine.[84]

Aggravated sanctions of up to seven years imprisonment apply in the following cases:

  • Transfers of data illegally obtained by the personal data controller or data processor;
  • The collection and transfer of personal data revealing the data subject’s ideology, religion, beliefs, health, racial origin, or sexual orientation, or if the victim is a minor or disabled; or
  • The above-mentioned illegal data transfers and collection when done for profit[85]

O.  Civil Liability

Data subjects who suffer damage to their property or rights as a consequence of violations of the LOPDP by the data controller or processor have the right to compensation.[86] Compensation is governed by the Civil Code,[87] which provides that the person who, by action or omission, causes damage to others by fault or negligence is liable for the damage.[88]

Back to Top

III. Spain’s Data Protection Agency

The Agencia Española de Protección de Datos (AEPD) was created under the LOPDP[89] as an independent administrative agency with a budget provided in the general national budget[90] to oversee compliance with personal data protection laws.

The AEPD’s functions are as follows:

  • Enforcement of data protection legislation
  • Issuance of authorizations required by law
  • Issuance of instructions for processing operations to comply with the standards of the LOPDP
  • Consideration of applications and complaints from the data subjects
  • Provision of information on the rights related to personal data processing
  • Ensuring controllers’ compliance with the LOPDP and, when applicable, ordering termination of processing or deleting the files that have been processed in violation of the LOPDP
  • Imposing administrative sanctions under the LOPDP
  • Providing information on the draft regulations implementing the LOPDP
  • Gathering information and assistance from the data controllers deemed necessary for the fulfillment of its duties
  • Informing the public about the existence of personal data files
  • Publication of an annual report for the Ministry of Justice
  • Monitoring and issuing authorizations for international movements of data
  • Ensuring compliance with the collection of statistical data and issuing instructions and  advisory  opinions  on  the  security  conditions  of  the   files   set   up   for statistical purposes[91]

In addition, the AEPD maintains a General Data Protection Register. It records data files maintained by the public and private sectors, required authorizations, and sectoral best practice agreements.[92] These records must be kept up-to-date.[93]

 The AEPD provides direct assistance in response to citizens’ questions or concerns about their rights. According to statistics it recently released, there has been an increase in the number of requests for protection, including requests to enforce the right to cancel and the right to access.[94] In 2007, investigations initiated based on complaints filed by individuals or upon the initiative of the Director of the AEPD increased by 7% to a total of 1,263 compared to the previous year.[95] Inspections conducted were mostly related to telecommunications companies and financial institutions, with an increase of over 400% over previous years.[96] In 2007, the AEPD imposed 399 sanctions with a total of €19.6 million (about US$24.65 million) in fines.[97]

Back to Top

IV. Court Decisions

A.  Right to Be Forgotten

The so-called “right to be forgotten” is an issue that has been the subject of an increasing number of complaints and lawsuits in Spain. On February 23, 2012, a civil lower court of Amposta, Tarragona, dismissed a claim against Google Spain by Alfacs Vacances SL concerning the right to be forgotten, which sought to prevent Google from displaying images of burned bodies from an accident that had occurred in the late 1970s.[98]

Alfacs Vacances SL is a Spanish company that operates a campground in Tarragona. In 1978, the campground was hit by a deadly gas explosion; more than two hundred people died and others were seriously wounded by a tanker truck loaded with flammable liquid that went up in flames on the highway just in front of the campground.[99] The owners of the campground had no responsibility for or connection with the accident. However, in spite of the fact that the explosion occurred more than thirty years ago and that Alfacs was acquitted of any liability, the photos from the accident continued to show up near the top of the first page of Google Search results for the Alfacs campground (Alfaques, in Spanish), including disturbing photos of burned corpses.[100]

In June 2011, Alfacs filed suit against Google Spain SL, Google’s Spanish subsidiary, requesting damages and an immediate halt to the way in which Google displayed search results, claiming that it was damaging Alfacs’s business reputation and discouraging new clients.[101] Because the company actually operating the search engine is Google Inc., and Google Spain SL’s activity is restricted to marketing and advertising services, Google Spain alleged a lack of standing to be sued.   The judge accepted this contention and dismissed the case for lack of standing.  However, because Google Spain won on jurisdictional grounds, the court decision did not address the substantive underlying issue of the right to be forgotten, which is of paramount importance not only for Spain but for all EU countries.[102]

In March 2012, the Audiencia Nacional (High Court) of Spain filed a request with the European Court of Justice (ECJ) for clarification on the jurisdictional issue involving privacy complaints against Google and all other search engines.[103] Google maintains that privacy complaints should be filed in California, the location of its headquarters, and that its activities are therefore out of reach of the Spanish data protection law.  However, the Spanish court’s position is that the protection of a fundamental right may not depend on the place where the search engine operator has chosen to locate its technology processing operations.[104] The matter is still pending before the ECJ.[105]

The AEPD used the same reasoning when it examined the complaint of an individual whose name appears on the Internet linked to a judicial decision ordering the seizure of his property for debts he owed to Social Security. In 2009, he unsuccessfully requested the newspaper La Vanguardia, where the information was published, as well as Google to remove his personal information, because the debt problem was resolved long ago and the information had no current relevance whatsoever.[106]

In response to the AEPD’s call for removal, La Vanguardia responded that the information was provided upon the request of the Ministry of Labor and therefore they were legally required to keep it. The AEPD agreed with the newspaper. Google also refused to remove the information, stating that it is only subject to US law and that Google Spain is not involved in data processing but only in the sale of advertising on its Spanish webpage.[107]

The ECJ will render an opinion as to whether EU legislation may be applied to Google in this case, depending on whether search engines, when indexing information, are in fact processing personal data and whether or not data protection includes the right to be forgotten.[108] The response to the Spanish request on this issue will be applicable to all Member States of the EU and will certainly be considered in the context of discussions underway since January 2012 by the European Commission (EC) on draft legislation amending privacy protections in the EU to include the right to be forgotten.[109]

B.  Processing Data Without Consent: Legitimate Interest Requirement

On February 8, 2012, Spain’s Tribunal Supremo (TS) ruled on a case[110] in which various provisions of article 10 of the RLOPDP were challenged by the Federation of Electronic Commerce and Direct Marketing (Federación de Comercio Electrónico y Marketing Directo, FECEMD) and ADigital, because the data protection requirements of the Spanish regulation go beyond the EU data protection standards set out by article 7.f of EU Directive 95/46/.[111] The Spanish regulation requires that in order to process personal data without the data subject’s consent when such processing is necessary to pursue a legitimate interest of the data controller or of another person or persons to whom the data is disclosed, it is necessary not only to prove that the fundamental rights and freedoms of the data subject are protected, but also that the data should be available in a public source.[112]

The TS requested a preliminary ruling from the ECJ, which conclusively stated that article 7.f of Directive 95/46/EC precludes national legislation from establishing requirements for the processing of personal data without consent that go beyond those provided by EU legislation. The ECJ also expressly stated that article 7.f is directly applicable  in  EU Member States.[113] Based on the ECJ ruling, the TS declared article 10.2.b of the RLOPDP void. This article had listed the appearance of the data in a public source as an exception to the consent requirement for data processing (see above, sections II(B) and IV).[114]

Back to Top

V. Public and Scholarly Opinion

Although Spain is considered to have some of the strictest data protection legislation in Europe,[115] there are still many issues that remain unresolved. There is growing public concern about the right to be forgotten and the right to delete an Internet data trail, an issue that will soon be addressed at the EU level in order to formulate a common position.[116] The number of complaints by Spaniards about the treatment of their personal data online has increased by 75% per year, according to the Director of the AEPD.[117]

One of the main complaints by data controllers concerns the lack of a common approach taken among the national systems regarding the concept of consent, ranging from written consent to implied consent. This situation is especially troublesome in Internet data transfers in a cross- border environment. The lack of harmonization is one of the main recurring issues raised by private companies, because of the additional administrative costs incurred from the application of different rules.[118]

The protection of personal data is currently a hot topic in Spain. Although more awareness and information is needed, at least in Spain, the society at large is aware of the risks and issues involving the processing of their personal data.[119] A September 2009 poll released by the Center of Sociological Studies in Spain reveals a high level of distrust by Spaniards in the security of their personal data on the Internet.[120] According to the Director of the AEPD, the results of this poll and the recent increase in the number of claims and consultations with the AEPD show an increasing awareness of citizens about the value of their personal information and their rights.[121]

With regard to the trust that people have in the level of data security, 56.6% believe that security and privacy on the Internet is deficient, worse than data security offered by utility companies, banks, and businesses.[122] In addition, more than 70% of people believe that using the Internet facilitates intrusions into people’s privacy. Social media, texting, and chats are services most distrusted by people when it comes to the safety of their personal information.[123] More than 65% of Spaniards acknowledge that they never read the privacy policies of the websites they visit because they are unintelligible and not user friendly.[124]

This data suggests that there is an urgent need for online service providers to improve the level of security and privacy of users. To this end, the AEPD has been working with the major data processing companies and social media services to make sure that they adjust their business rules and procedures according to the standards set by data protection legislation.[125]

Back to Top

VI. Pending Reforms

Spain is currently awaiting the advisory opinion of the ECJ to clarify the scope of the right to be forgotten.[126] At the same time, the EU has been drafting stricter rules on data privacy, putting greater responsibility on companies such as Facebook to protect users’ information and threatening those who violate the rules with heavy fines, of up to 2% of the company’s yearly income. Once these rules are adopted, companies that are already processing data in Spain will not experience a great deal of change, because many of the new EU rules have already been in force in Spain under the LOPDP and RLOPDP.[127]

The EU proposal, which will become EU legislation in 2013 if approved by all EU Members and the European Parliament, aims to address new technologies that were developed after the current data protection legislation was adopted, in order to better protect consumers’ personal data and privacy.[128]

Back to Top

Prepared by Graciela Rodriguez-Ferrand
Senior Foreign Law Specialist
June 2012

[1] CONSTITUCIÓN ESPAÑOLA [C.E.], Oct. 31, 1978, BOLETÍN OFICIAL DEL ESTADO [B.O.E.] no. 311, Dec. 29, 1978,

[2] Id. art. 18.1.

[3] Id. art. 18.4.


[5] Ley Orgánica 15/1999, de 13 de diciembre, de protección de datos de carácter personal [LOPDP], B.O.E. no. 298, 43088, Dec. 14, 1999,

[6] Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the Protection  of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data, 1995 O.J. (L 281) 31,

[7] LOPDP art. 1.

[8] Real Decreto 1720/2007, de 21 de diciembre, por el que se aprueba el Reglamento de desarollo del la Ley Orgánica 15/1999, de protección de datos de carácter personal [RLOPDP], B.O.E. no. 17, 4103, Jan. 19, 2008,

[9] Id.

[10] Ley 25/2007, de 18 de octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones, B.O.E. no. 251, 42517, Oct. 19, 2007,

[11] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54,
; Report from the Commission to the Council and the European Parliament: Evaluation Report on the Data Retention Directive (Directive 2006/24/EC), at 9–10, COM (2011) 225 final,

[12] Directive 2002/58/EC amended by Directive 2009/136/CE of the European Parliament and of the Council of 12 July 2002 Concerning the Processing of Personal Data and the Protection of Privacy in the Electronic Communications Sector (Directive on Privacy and Electronic Communications), 2002 O.J. (L 201) 37,

[13] Real Decreto 13/2012, de 30 de marzo, por el que se transponen directivas en materia de mercados interiores de electricidad y gas y en materia de comunicaciones electrónicas, y por el que se adoptan medidas para la corrección de las desviaciones por desajustes entre los costes e ingresos de los sectores eléctrico y gasista [Transposing EU Directive 2009/136], B.O.E. no. 78, 26876, Mar. 31, 2012,

[14] LOPDP art. 2.1.

[15] Id. art. 1.a–c.

[16] Id. art. 35.

[17] Id. art. 3.a.

[18] RLOPDP art. 5.1.f.

[19] Id.

[20] LOPDP art. 25.

[21] RLOPDP art. 4.

[22] LOPDP art. 11.1; RLOPDP art. 10.1.

[23] RLOPDP art. 10.2.a.

[24] RLOPDP art. 10.3.

[25] RLOPDP art. 10.4.

[26] LOPDP art. 11.2.b, in conjunction with LOPDP art. 21.3.

[27] Real Decreto 13/2012, de 30 de marzo, transposing EU Directive 2009/136, B.O.E. no. 78, 26876, Mar. 31, 2012,

[28] Id. art. 4.

[29] Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico, art. 22.2, B.O.E. no. 166, 25388, July 12, 2002,

[30] Javier Fernández-Samaniego, Spain Implements EU Regulation on Cookies, BIRD & BIRD (Apr. 26, 2012),

[31] Id.

[32] LOPDP art. 14.

[33] Id. art. 13.1.

[34] Id. art. 13.2.

[35] Id. art. 13.3.

[36] Id. art. 15.1.

[37] Id. art. 16.1–2.

[38] Id. art. 16.3.

[39] Id. art. 18.

[40] Id. art. 19.

[41] Id. art. 26.1.

[42] Id. art. 26.2.

[43] Id. art. 27.

[44] A promotional census is a database based on the information entered into the electoral census, including names and addresses of individuals, which is considered open to the public and may be used for commercial marketing purposes.  Id. arts. 3.j, 28.

[45] Id. art. 28.1.

[46] Id. art. 28.2.

[47] Id. art. 28.2, para. 2.

[48] 48 C.E. art. 16.2.

[49] LOPDP art. 7.1.

[50] Id. art. 7.2.

[51] Id. art. 7.4.

[52] Id. art. 7.3.

[53] Id. art. 7.6.

[54] Id. art. 7.6, para. 2.

[55] Id. art. 7.5.

(last visited June 8, 2012).

[57] RLOPDP art. 23.2.b, B.O.E. no. 17, 4103, Jan. 19, 2008,

[58] Id. art. 13.1.

[59] Id. art. 13.2.

[60] Id. art. 13.3.

[61] Id. art. 13.4.

[62] INTC/AEPDP, supra note 56, at 118.

[63] Ley 25/2007, de 18 de octubre, de conservación de datos relativos a las comunicaciones electrónicas y a las redes públicas de comunicaciones, B.O.E. no. 251, 42517, Oct. 19, 2007,

[64] Directive 2006/24/EC of the European Parliament and of the Council of 15 March 2006, on the Retention of Data Generated or Processed in Connection with the Provision of Publicly Available Electronic Communications Services or of Public Communications Networks and Amending Directive 2002/58/EC, 2006 O.J. (L 105) 54,

[65] Ley 25/2007 art. 1.

[66] Marcelo Corrales, Implementación de la Directiva 2006/24/CE en España, 23 REVISTA AYS 128 (June 2008),

[67] Ley 25/2007 art. 5.

[68] Id. art. 6.

[69] EDRI is a European privacy and civil rights organization.

[70] XS4ALL is a Dutch Internet service provider.

[71] Corrales, supra note 66, at 129.

[72] LOPDP art. 9.1, B.O.E. no. 298, 43088, Dec. 14, 1999,

[73] Id. art. 9.2.

[74] RLOPDP arts. 79–114, B.O.E. no. 17, 4103, Jan. 19, 2008,

[75] LOPDP arts. 43–44.

[76] Id. art. 44.2 (translation by the author).

[77] Id. art. 44.3 (translation by author).

[78] Id. art. 44.4 (translation by author).

[79] Id. art. 45.7.

[80] Id. art. 45.1–3.

[81] Id. art. 45.4.

[82] Id. art. 49.

[83] Ley Orgánica 10/1995, de 23 de noviembre, del Código Penal, art. 197, B.O.E. no. 281, 33987, Nov. 24, 1995,

[84] Id. art. 197.1–3.

[85] Id. art. 197.4–6.

[86] LOPDP art. 19.1.

[87] Real Decreto de 24 de julio de 1889 por el que se publica el Código Civil, as amended, art. 1902, B.O.E. no. 206, 249 July 25, 1889,

[88] Id.

[89] LOPDP art. 35.1.

[90] Id. art. 35.4.

[91] Id. art. 37.

[92] Id. arts. 39 & 32.

[93] RLOPDP arts. 60–64.

[94] Brochure, Spanish Data Protection Agency,
(last visited June 15, 2012).

[95] Id.

[96] Id.

[97] Id.

[99] Id.

[100] Id.

[101] Id.

[102] Id.

[103] España Lleva a Google al Tribunal Europeo por el ‘Derecho al Olvido’, EL PAÍS (Mar. 2, 2012),

[104] Id.

[106] EL PAÍS, supra note 103.

[107] Id.

[108] Id.

[109] Proposal for a Regulation of the European Parliament and of the Council On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 15, 2012), ¶,

[110] T.S., Sala Tercera, Feb. 8, 2012, Federación de Comercio Electrónico y Marketing Directo contra Real Decreto 1720/2007 c/ Administración General del Estado, la Asociación de Usuarios de la Comunicación y la Unión General de Trabajadores s/ Recurso Contencioso-Administrativo 25/08, available at

[111] Directive 95/46/EC, supra note 6, art. 7.f.

[112] Juan José García, Comentarios a la Sentencia del Tribunal Supremo de 8-2-2012 sobre Protección de Datos, ADARVE ABOGADOS, (last visited June 11, 2012).

[113] Javier Fernández-Samaniego & Antonio Creus, The Supreme Court Admits ‘Legitimate Interest’ as a Criterion for the Processing of Personal Data Without Consent, INTERNATIONAL ASSOCIATION OF PRIVACY PROFESSIONALS (Feb. 16, 2012),

[114] T.S., Sala Tercera, Feb. 8, 2012, Federación de Comercio Electrónico y Marketing Directo.

[116] Josh Halliday, Europe’s Highest Court to Rule on Google Privacy Battle in Spain, THE GUARDIAN (Mar. 1, 2011),

[117] Id.

[118] García, supra note 112.


[120] Press Release, Agencia Española de Protección de Datos, La AEPD Destaca la Alta Desconfianza de los Ciudadanos Españoles en la Seguridad de sus Datos en Internet [The AEPD underlines the high confidence of Spanish citizens in the safety of their Internet data] 1 (Sept. 2009),

[121] Id.

[122] Id.

[123] Id.

[124] Id.

[125] Id.

[126] La Audiencia Pregunta a la UE Cómo Actuar ante las Peticiones de Borrado de Datos en Internet [The Audience Asks How the EU Will Deal with the Requests for Deletion of Data on the Internet], EL MUNDO (Mar. 2, 2012),

[127] Antonio Viñal & Co. Abogados, The New EU Data Protection Proposal: Getting Ready with the Spanish Example, 4 AVCONEWS (Mar. 2012), available at

[128] Id; Proposal for a Regulation of the European Parliament and of the Council On the Protection of Individuals with Regard to the Processing of Personal Data and on the Free Movement of Such Data (General Data Protection Regulation), COM (2012) 11 final (Jan. 25, 2012),

Back to Top



Last Updated: 04/02/2018