Stage of legislative progress 
Eg. pre-consultation, in consultation

The GDPR Implementation Act has not been enacted yet. Spanish Data Protection Draft Bill was published on the 24th November 2017. 
Please find a link to the Spanish version of the Spanish Data Protection Draft Bill here
(no English version available).

Notwithstanding the aforementioned, the Spanish government has urgently enacted a Royal Decree-Law with the purpose of partially adapting Spanish legislation to the GDPR. This Royal Decree-Law mainly regulates the procedure the Spanish Data Protection Authority shall follow for investigating GDPR infringements and imposing sanctions.

Approach to implementation 
Eg. amendments to existing law, total repeal of old laws

Organic Law 15/1999 will be repealed and replaced by the future Data Protection Act. 

Timescale for implementation 
Eg. pre-consultation, in consultation

The approval and enactment of the Spanish Data Protection Act was expected before the 25th May. However, the draft bill is now in the phase where amendments to the bill proposed by different political groups are being discussed.

The steps required for the approval of the Spanish Data Protection Draft Bill will be:

  1. Once the amendments are discussed, the Commission will draft a report and a final version of the bill after voting the amendments. Both the final version of the bill and the report will be sent to be approved by an absolute majority.
  2. Once the draft bill obtains the absolute majority of the Parliament, the Senate will have to approve the draft bill by majority for the bill to be passed.

Areas where Member States must have local laws:

Personal data and freedom of expression 



The Spanish Data Protection Draft Bill only provides administrative fines.

Spanish Royal Decree-Law provides the statute of limitations for data protection infringements (between 1 and 3 years) and the statute of limitations for fines (also between 1 and 3 years) imposed as a consequence of the infringement of the data protection legislation.


Areas where Member States may have local laws:

Professional secrecy 

Article 5 of the Spanish Data Protection Draft Bill states that the data controller, data processor and any person involved in any phase of the data processing are subject to the duty of confidentiality even once the data subject relationship with the data controller or processor is finished.

Additionally, Article 28.2. a) of the Spanish Data Protection Draft Bill provides that  the data controller and data processor shall take into account any loss of confidentiality of data bound by professional secrecy and implement appropriate technical and organisational measures to ensure and to be able to demonstrate that the processing is performed in accordance with the GDPR.

Scientific, historical or statistical purposes 

Article 25 - regarding processing of personal data for statistical purposes:
a) it will be lawful only if the information is required by an EU rule or by the statistical programming rules;
b) the Spanish Government Statistics Act provides that processing of special category data for statistical purposes must be based on the express and voluntary consent of the data subject; 
c) If statistical secrecy guarantees under Spanish legislation apply, competent bodies for the public statistical function can deny data subject rights in Articles 15 to 22 of the GDPR .
Article 26 - processing of personal data for archiving purposes in the public interest is subject to the Spanish Historical Heritage Act and other related regulations.

The draft Bill does not provide information about the processing for scientific or historical research purposes. 


Article 24 of the Spanish Data Protection Bill addresses whistleblowing and introduces for the first time the possibility for anonymous reporting. The provision regulates the whistleblowing systems in the private sector, as well as the creation and maintenance of procedures that provide safe channels for staff or other informants to report wrongdoings in companies. In light of the above, given that the information processed is sensitive and that leaks or unauthorised disclosure may have adverse consequences both for the whistleblowers and the individuals accused, companies are required by the Bill to take special care over the technical and organisational measures needed to mitigate the risks and ensure data security. Moreover, the Bill provides that whistleblowing data shall only be stored for a maximum of 3 months (unless the personal data was necessary for the investigation, in which case it could be stored longer).

Article 22 of the Bill allows CCTV recordings for the supervision of employees as part of the employment relationship. This provision regulates the processing of personal data with regards to video surveillance, and also provides that employers can process their employees' data obtained from video surveillance to monitor the employees, as long as this monitoring complies with Spanish Labour laws and employees are informed about video surveillance. The Bill provides that video surveillance footage shall only be stored for a maximum of 1 month (unless longer retention is justified as part of an ongoing investigation).

Personal data of deceased persons 

Even though the Spanish Data Protection Draft Bill does not apply to the personal data of deceased persons, Article 3 of the referred draft bill provides that the heirs of deceased are entitled to access, request deletion and rectification of data before the respective data controllers and processors, unless the deceased person would have prohibited it or an applicable law states so. Executors can also act as heirs. If heir is minor or disabled then Public Prosecutor can act on their behalf.

Children online

The Draft Bill lowers to the age of consent to 13 years old. Article 7 of the Spanish Data Protection Draft Bill states that minors above 13 years old can effectively give their consent for the processing of their personal data. The processing of personal data from children under 13 requires the consent from parents or guardians.

Special rules for special categories of data

Genetic, biometric or health data

Article 9 Data Protection Draft Bill, the law may enable the processing of data concerning health when required for the management of health care systems or the execution of an insurance contract to which the data subject is party.
Data Protection Draft Bill does not provide regulation for genetic and biometric data.

Designation of a Data Protection Officer

Article 34 of the Spanish Data Protection Bill requires the appointment of a DPO in specific circumstances even if the GDPR does not require it. The companies that are required to appoint a DPO under the Bill are:

a) official associations of professionals and general councils of professionals;
b) educational centres offering regulated studies;
c) entities operating electronic communications networks and offering electronic communication services, as stated by the General Telecommunications Law, processing personal data on a large scale;
d) information society services providers carrying out data subjects' profiling activities on a large scale;
e) banks, credit unions and the Official Credit Institute;
f) private financial credit institutions;
g) insurance and reinsurance companies;
h) investment services companies;
i) energy and natural gas distributors and marketers;
j) entities in charge of creditworthiness data files and in charge of fraud prevention data files;
k) entities carrying out advertising and commercial research activities based on the data subjects' preferences or carrying out data subjects' profiling activities;
l) health facilities legally obliged to keep patients' medical histories;
m) entities carrying out business/credit reports regarding individuals;
n) eentities offering gambling and gaming services by electronic, informatics, telematics or interactive means; and
o) private security companies and entities offering detective services.

The bill also regulates the DPO's intervention procedure in case of a complaint is brought before the supervisory authority.

National identification numbers/any other identifier of general application





Any other areas under discussion
I. Credit Information Systems
Article 20 of the Spanish Data Protection Draft Bill regulates credit information systems. The processing of personal data by credit information systems in relation to a breach of financial, monetary or credit obligations will be lawful as long as the following (including but not limited) requirements are met: 
a) The data has been provided by the creditor;
b) The data is related to a true, due and payable doubt;
c) The creditor has informed the data subject in their agreement or when claiming the payment about the possibilities of the debtor to be included in these lists; and
d) The data is kept in the system during a 5 years period and only as long as the breach is not remedied.

II. Data Processing Agreements
The Spanish Royal Decree-Law provides that data processing agreements executed before the 25th May 2018, will continue to be effective during its term; in case of data processing agreements of indeterminate length, they will be effective until 25 May 2022.

III. Blocking of Personal Data
The draft allows data controllers to block personal data when the data subject has previously exercised the rectification or erasure right. Thus, the data controller may keep such personal data duly blocked during the statute of limitations of any liabilities that may arise as a consequence of the processing.