Business data under new Spanish Regulations

09 September 2008

Rocio Serrano

The new Regulation on Data Protection (RD 1720/2007 of 21 December), which came into force on 19 April 2008 has effected several significant changes in relation to the treatment of business contact data, and details relating to sole traders.

The most notable of these changes can be seen in Sections 2 and 3 of Article 2 of the new Regulation.  Article 2.2 states that “the Regulation shall not be applied to data processing regarding legal entities or to files that only record data of individuals providing services on behalf of these legal entities, as long as these files only comprise the name and surname(s) of such individuals, their functions or jobs, their postal or e-mail address and their professional telephone and fax numbers”.

There are certain conditions that need to be met before these files can be said to fall outside the scope of the data protection regulations:


  1. the data collected and processed must be the data that is essential to identify the individual in his capacity as a service provider in the legal entity. The information collected should not go beyond  the information  listed in Article 2.2;

  2. the data must have been filed for incidental or secondary purposes.   The primary aim of the processing should be to use the data to contact and enter into a direct relationship with the legal entity in which the individual provides his/her services. (When the controller contacts the individual in order to offer them goods or services for private purposes, the individual’s data shall be classified as personal data); and

  3. the individual who is contacted must have been acting in a business or professional capacity at all times.

Under Article 2.3, “data relating to sole traders, when referring to them as traders, industrialists or ship owners” also falls outside the scope of data protection regulations.

There are certain conditions that must be met in order to determine whether the data actually relates to sole traders:


  1. the individual whose data are collected and processed and who is contacted must be classified as a sole trader or a professional under the Spanish Commerce Code;

  2. the controller may only process data relating to the sole trader which are strictly linked to the sole trader’s professional or business activity (for example, if the name and surname of the sole trader matches that of  the business premises or the trademark of certain goods or services, those data fall out of the scope of data protection regulations as the choice of product name is the result of a free decision of the sole trader); and

  3. the processing may only be carried out in order to collect and keep information on the company run by the sole trader and not on the individual who incorporated that company.

In summary, we believe that the provisions in the new Regulation are a favourable inclusion since they have given legal effect to the criteria recommended by the Spanish Data Protection Agency in its last guidance. This therefore provides legal certainty in the field of data protection. In addition, since most Spanish companies only process business data, which are now excluded from the scope of the data protection regulations, it should now be easier for those companies to comply with Spanish law.