Stage of legislative progress 
Eg. pre-consultation, in consultation

GDPR Implementation Act has not been enacted yet. Spanish Data Protection Draft Bill was published on the 24th November 2017.
Please find a link to the Spanish version of the Spanish Data Protection Draft Bill here
(no English version available).

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

Organic Law 15/1999 will be repealed and replaced by the new Data Protection Act.

Timescale for implementation 
Eg. pre-consultation, in consultation

The approval and enactment of the Spanish Data Protection Act was expected before the 25th May. However, the draft bill is now in the phase where all political groups are able to propose amendments to the bill. The political parties have suggested at least 369 amendments to this draft bill. We are aware that the Spanish Data Protection Agency has declared that the draft bill will not enter into force before the 25th May.
The following steps required for the approval of the Spanish Data Protection Draft Bill will be:

  1. Once the amendments are presented, the Commission will take a final decision. This final decision will be sent to the Parliament to be debated and approved by absolute majority.
  2. Once the draft bill obtains the absolute majority of the Parliament, the Senate will have to approve the draft bill by majority.

Areas where Member States must have local laws:

Personal data and freedom of expression 



Spanish Data Protection Draft Bill only provides administrative fines.


Areas where Member States may have local laws:

Professional secrecy 

Article 5 of the Spanish Data Protection Draft Bill states that the data controller, data processor and any person involved in any phase of the data processing are subject to the duty of confidentiality even once the data subject relationship with the data controller or processor is finished.

Additionally, Article 28.2. a) of the Spanish Data Protection Draft Bill provides that the loss of confidentiality of data bound by professional secrecy shall be taken into account for the data controller and data processor to implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with the GDPR.

Scientific, historical or statistical purposes 

Article 25 - processing of personal data for statistical purposes:
a) will only be lawful only if the information is required by an EU rule or by the statistical programming rules;
b) Spanish Government Statistics Act : processing of special category data for statistical purposes must be based on express and voluntary consent of the data subject;
c) If statistical secrecy guarantees under Spanish legislation apply, competent bodies for the public statistical function can deny data subject rights in Articles 15 to 22 of the GDPR .
Article 26 - processing of personal data for archiving purposes in the public interest is subject to the Spanish Historical Heritage Act and other related regulations.

Draft Bill does not provide information about the processing for scientific or historical research purposes.


Article 24 of the Spanish Data Protection Bill addresses whistleblowing and introduces for the first time the possibility for anonymous reporting. The provision regulates the whistleblowing systems in the private sector, as well as the creation and maintenance of procedures that provide safe channels for staff or other informants to report wrongdoings in companies. In light of the above, given that the information processed is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the individuals accused, companies are required by the Bill to take special care over the technical and organisational measures needed to mitigate the risks and ensure data security. Moreover, the Bill provides that whistleblowing whistleblowing shall only be stored for a maximum of 3 months (unless the personal data was necessary for the investigation, in which case it could be stored longer).

Article 22 of the Bill allows CCTV recordings for the supervision of employees as part of the employment relationship. This provision regulates the processing of personal data with regards to video surveillance, and also provides that employers can process their employees' data obtained from video surveillance to monitor the employees, as long as this monitoring complies with Spanish Labour laws and employees are informed about video surveillance. The Bill provides that video surveillance footage shall only be stored for a maximum of 1 month (unless longer retention is justified as part of an ongoing investigation).

Personal data of deceased persons 

Even though the Spanish Data Protection Draft Bill does not apply to the personal data of deceased persons, Article 3 of the referred draft bill provides that the heirs of deceased are entitled to access, request deletion and rectification of data before the respective data controllers and processors, unless the deceased person would have prohibited it or an applicable law states so. Executors can also act as heirs. If heir is minor or disabled then Public Prosecutor can act on their behalf.

Children online

Draft Bill lowers to 13 years old. Article 7 of the Spanish Data Protection Draft Bill states that minors above 13 years old can effectively give their consent for the processing of their personal data. The processing of personal data from children under 13 requires the consent from parents or guardians.

Special rules for special categories of data
According to Article 9 of the Spanish Data Protection Draft Bill, individual's consent will not serve as legitimate ground for processing ideological, trade union membership, sexual orientation, religion, beliefs or ethnic origin data. Additional grounds are needed.
The Spanish Data Protection Draft Bill states that the exclusions for the processing of special categories of personal data contained in Article 9.2 g), h) and i) of the GDPR shall be based on a law, which could establish additional requirements for their security and confidentiality.

Genetic, biometric or health data

Article 9 Data Protection Draft Bill, the law may enable the processing of data concerning health when required for the management of health care systems or the execution of an insurance contract to which the data subject is party.
Data Protection Draft Bill does not provide regulation for genetic and biometric data.

Designation of a Data Protection Officer

Article 34 of the Spanish Data Protection Bill requires to appoint a DPO in specific circumstances even if the GDPR does not require it. The companies that are required to appoint a DPO under the Bill are:

a) official associations of professionals and general councils of professionals;
b) educational centers offering regulated studies;
c) entities operating electronic communications networks and offering electronic communication services, as stated by the General Telecommunications Law, processing personal data on a large scale;
d) information society services providers carrying out data subjects' profiling activities on a large scale;
e) banks, credit unions and the Official Credit Institute;
f) private financial credit institutions;
g) insurance and reinsurance companies;
h) investment services companies;
i) energy and natural gas distributors and marketers;
j) entities in charge of creditworthiness data files and in charge of fraud prevention data files;
k) entities carrying out advertising and commercial research activities based on the data subjects' preferences or carrying out data subjects' profiling activities;
l) health facilities legally obliged to keep patients' medical histories;
m) entities carrying out business/credit reports regarding individuals;
n) entities offering gambling and gaming services by electronic, informatics, telematics or interactive means; and
o) private security companies and entities offering detective services.

The bill also regulates the DPO's intervention procedure in case of a complaint is brought before the supervisory authority.

National identification numbers/any other identifier of general application





Any other areas under discussion
I. Credit Information Systems
Article 20 of the Spanish Data Protection Draft Bill regulates the credit information systems. The processing of personal data by credit information systems in relation to a breach of financial, monetary or credit obligations will be lawful as long as the following including but not limited requirements are met:
a) The data have been provided by the creditor;
b) The data are related to a true, due and payable doubt;
c) The creditor has informed the data subject in their agreement or when claiming the payment about the possibilities of the debtor to be included in these lists; and
d) The data are kept in the system during a 5 years period and only as long as the breach is not remedied.

II. Data Processing Agreements
The data processing agreements executed before the 25th May 2018, will be effective during the term contained therein; in case of data processing agreements of indeterminate length, they will be effective four years after they were entered into.

III. Blocking of Personal Data
The draft allows data controllers to block personal data when the data subject has previously exercised the rectification or erasure right. Thus, the data controller may keep such personal data dully blocked during the statute of limitations of any liabilities that may arise as a consequence of the processing.