Stage of legislative progress 
Eg. pre-consultation, in consultation

The Spanish Data Protection Act ("SDPA") in force as of December 7 2018.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

Repeals Organic Law 15/1999 and all those legal precepts that conflict with the GDPR established in the Royal Decree 1720/2007, approving the Development Regulation of the Organic Law 15/1999.

Timescale for implementation 
Eg. pre-consultation, in consultation

7 December 2018.

Areas where Member States must have local laws:

Personal data and freedom of expression 

The SDPA does not include any legal precept that conciliates freedom of expression with data protection. There is only a reference to freedom of expression in the article 85 regarding the right to freedom of expression in internet that everyone has.


The SDPA only provides administrative fines. It also provides statute of limitations for data protection offenses (1 to 3 years depending on the offense) and the statute of limitations for fines (also between 1 and 3 years).


Areas where Member States may have local laws:

Professional secrecy 

Article 5 of the SDPA states that the data controller, data processor and any person involved in any phase of the processing are subject to a duty of confidentiality even once the data subject relationship with the data controller or processor is over.

Additionally, Article 28.2. a) of the SDPA provides that both the controller and the processor shall take into account the potential loss of confidentiality of personal data subject to professional confidentiality in order to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.

Scientific, historical or statistical purposes 

Article 25 of the SDPA states that:

a) The processing of personal data carried out by the bodies entrusted with competences related to the exercise of the public statistical function shall be subject to the provisions of their specific legislation, as well as of GDPR and of this SDPA;

b) the communication of data to the competent bodies in statistical matters shall only be understood to be covered by the public interest in cases in which the statistics for which the information is required are required by a EU law or are included in the legally foreseen statistical programming instruments (the legislation establishes certain instruments by means of which the statistical function is to be carried out. In Spain, in the production of statistics for State purposes, the same standardised system of concepts, definitions, statistical units, classifications, nomenclatures and codes shall be applied, making comparability, integration and analysis of the data and the results obtained feasible, for this, the state and autonomous statistical services may establish agreements to homogenise statistical instruments).

c) Spanish Government Statistics Act : processing of special category of data for statistical purposes must be based on express and voluntary consent of the data subject;

d) If the statistical secrecy guarantees provided for under Spanish legislation apply (statistical secrecy obliges statistical services not to disclose, in any case, personal data whatever their origin is), competent bodies for the public statistical function can deny data subject rights set forth in Articles 15 to 22 of the GDPR .

Article 26 - processing of personal data for archiving purposes by the public administrations and in the public interest is subject to the Spanish Historical Heritage Act and other related regulations.


Article 24 of the SDPA addresses whistleblowing and introduces the possibility of anonymous reporting. It regulates whistleblowing systems in the private sector, as well as the creation and maintenance of procedures that provide safe channels for staff or other informants to report wrongdoing in companies. Given that the information processed is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the individuals accused, companies are required to take special care over the technical and organisational measures needed to mitigate the risks and ensure data security. The Act provides that whistleblowing data shall only be stored for a maximum of 3 months (unless the personal data was necessary for the investigation, in which case it could be stored longer).

Article 22 of the SDPA allows the use of CCTV systems for security purposes.

Article 89 regulates the use of video and voice recording systems in the field of employment. These systems can be used for the supervision and monitoring of employees' compliance with their duties, as long as the monitoring activities comply with Spanish Labour laws and employees are informed of their existence.

Article 87 of the SDPA recognises employees' right to privacy and use of digital devices in the workplace: It states that:
a. Workers shall have a right to privacy when using digital devices provided by their employers.
b. Employers may access such devices with the purpose of verifying workers' fulfilment of their obligations and in order to verify the integrity of the devices.
c. Employers shall establish criteria for the use of such devices (workers' representatives shall participate in deciding these criteria). Acceptable uses need to be specified and the employer needs to put in place enough guarantees to protect the employees privacy, who need to be duly informed of such acceptable uses.

Article 88 of the Act recognises employees' right to digital disconnection - internal policies regulating this shall be put in place with the collaboration of the workers' representatives.

Article 90 of the Act recognises employees' right to privacy against the use of geolocation systems in the workplace and allows the employers to use geolocation systems for the supervision of employees, as long as this processing complies with Spanish Labour laws and employees are informed about it.

Personal data of deceased persons 

The SDPA does not apply to the personal data of deceased individuals. However, Article 3 provides that heirs are entitled to access, request deletion and rectification of the relevant data from data controllers and processors, unless deletion or rectification was prohibited by the deceased individual or by applicable law. Executors can also act as heirs. If an heir is a minor or disabled then the Public Prosecutor can act on their behalf.

Article 96 of the SDPA sets certain specific rules on how information society services' providers shall address the heirs' right of access.

Children online

14 years old (Article 7 of the SDPA)

Special rules for special categories of data
In order to avoid discriminatory situations, the consent of the data subject shall not be sufficient to lift the prohibition on the processing of this type of data when the principal purpose of this processing is to identify his or her ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin.

Additionally, the SDPA states that the processing of special categories of personal data based in the public interest, for the purposes of preventive or occupational medicine or public interest in the area of public health shall be based on a standard with the rank of law, and this law could establish additional requirements for their security and confidentiality.

Genetic, biometric or health data

Article 9 of the SDPA also addresses the processing of health data.Such data may be processed when required for the management of health care systems or the execution of an insurance contract to which the data subject is party.

Designation of a Data Protection Officer

Article 34 of the SDPA states that a controller/processor shall appoint a DPO as provided by article 37(1) of the GDPR and includes a list of industries covered by article 37(1):

• official professional associations and their General Councils;
• educational centres offering regulated studies as provided by the Spanish Right to Education Act and public and private universities;
• entities operating electronic communications networks and offering electronic communication services, as stated by the General Telecommunications Law, processing personal data on a large scale;
• information society services providers carrying out data subject profiling activities on a large scale;
• banks, credit unions and the Official Credit Institute;
• private financial credit institutions;
• insurance and reinsurance companies;
• investment services companies subject to the stock market legislation;
• energy and natural gas distributors and marketers;
• entities in charge of creditworthiness data files and in charge of fraud prevention data files;
• entities carrying out advertising and commercial research activities based on the data subjects' preferences or carrying out data subjects' profiling activities;
• health facilities legally obliged to keep patients' medical histories (health professionals acting on their own as freelance are excluded);
• entities carrying out business/credit reports regarding individuals;
• entities offering gambling and gaming services by electronic, informatics, telematics or interactive means;
• private security companies; and
• sports federations when processing underage individuals' personal data.

National identification numbers/any other identifier of general application





Any other areas under discussion

Other relevant issues regulated in the SDPA:

I. Credit Information Systems
Article 20 of the SDPA regulates the credit information systems. The processing of personal data by credit information systems in relation to a breach of financial, monetary or credit obligations will be lawful as long as the following requirements are met:
a) The data have been provided by the creditor;
b) The data relate to a true, due and payable debt;
c) The creditor has informed the data subject in their agreement, or when claiming the payment, about the possibility the debtor will be included in these lists; and
d) The data is kept in the system during a 5 year period and only as long as the breach is not remedied.
These records can only be consulted by persons with a contractual relationship with the affected individual, or persons from whom the individual had requested financial assistance.

II. Data Processing Agreements
The Spanish Data Protection Act provides that data processing agreements executed before the 25th May 2018, will remain in force until their expiry; in case of data processing agreements of indeterminate length, they will be effective until May 25 2022.

III. Blocking of Personal Data
The Spanish Data Protection Act obliges controllers to block personal data when the data subjects exercise their right of rectification or erasure. The blocking of data entails the implementation of measures in order to restrict the processing only to the transfer to competent authorities where necessary.

The SDPA includes a set of digital rights for individuals:
- The right to rectification on the Internet (Article 85): social media (and similar) service providers must implement protocols to enable users to exercise their right to rectify information published by other users on the Internet;
- The right to update information publishedin digital media (Article 86): when an individual has exercised the right to rectifyinformation such media must show a warning stating that some information does not correctly reflect an individual's status.