Notifications data security breaches - Spain

By Alexander Benalal, Ana María Rodríguez Costas


The legislation

The Data Protection Directive is implemented in Spain through the Organic Law 15/1999, of 13 December, on Protection of Personal Data (the “LOPD”). Its data security provisions mirror those of the Data Protection Directive and will be further developed by a regulation which has already been announced and which is likely to come into force this year. Security measures are regulated by Royal Decree 994/1999, of 11 June on Security Measures (the “Security Measures Regulations”).
The E-Communication Directive is implemented in Spain through Law 32/2003, of 3 November on Telecommunications (the “Telecommunications Act”) and Royal Decree 424/2005 of 15 April on the conditions necessary to provide Electronic Communications Services (the “ECS Regulation”).

What is the technological standard for electronic communications networks in Spain?

The third chapter of the Telecommunications Act states that a service provider must take appropriate technical and organisational measures to safeguard the security of its network and the provision of its services in order to guarantee the necessary level of protection of personal data. If a particular risk arises threatening the security of the public network of electronic communications, the operator exploiting such network or providing the electronic communications service shall inform its customers about the risk and the measures that should be implemented to mitigate this.

The ECS Regulation develops this further stating that in addition to the provisions of the Telecommunications Act, if a particular risk to security arises, the operator must state the possible costs of the preventative measures to be implemented.

Please note that additionally service providers (as is the case with every entity holding personal data) must implement certain security measures contained in the Security Measures Regulations. The Security measures will vary depending on the kind of data that is processed. For example:

  • All data files must implement a basic level of security measures which, among other things must include the adoption of a “Security Document” that contains a summary of all the applicable security measures. The Security Measures Regulations set out some of the information that must be in the Security Document. All individuals having access to the data or information systems must comply with the Security Document.

  • Data files that contain sufficient information to provide information about a data subject’s personal circumstances (such as information held by companies which provide information services relating to financial solvency and creditworthiness and financial services operators), as well as data files containing information about administrative or criminal offences and those related to the provision of financial services must implement a medium level of security measures. In addition to the basic measures described above there are obligations such as scheduling periodic audits in order to verify compliance with the Security Document.

  • Data files containing sensitive data must implement high level security measures, which in addition to the basic and medium security measures requires additional safeguards. One example of this is that the personal data must be encrypted (or made unintelligible by another means) in order to guarantee that the information cannot be manipulated as it is distributed through telecommunications networks.

The draft secondary regulation of the LOPD which has not yet been approved, but is likely to be approved this year, states that network and electronic communications service providers of traffic and location data should apply a high level of security.

Who must disclose security breaches in Spain?

Both the Telecommunications Act and the ECS Regulation refer to the “operator exploiting such network or providing the electronic communications service”.

What must they disclose and when?

Article 34 of the Telecommunications Act states that if a particular risk to security exists, the operator shall inform its customers about:

  • the nature of the risk; and

  • the measures that need to be implemented.

Article 62 of the ECS Regulation adds that the operator or service provider shall, when the risk falls outside of the measures that it is obliged to adopt, inform the customers about the different solutions and the cost of implementing them.

Both the Telecommunications Act and the ECS Regulation state that security is not to be regarded as being compromised if communications are intercepted under a legal order.

To whom must they disclose the information?

The legislation referred to above does not specify if “customers” mean all the customers of these operators or only those customers affected by the risk.

The Spanish response to the Commission’s proposal

The Industry, Tourism and Trade Minister submitted his response to the Commission’s proposal last month. In relation to security and protection of consumers he affirmed that the most important objective of the new legal framework is to try to ensure effective protection of consumers and also to assure access to essential services.

In his opinion, it is important to increase the transparency between operators and consumers, and also to specify the security measures that operators shall implement in order to improve the current situation.

Likely impact of the Commission’s proposal in Spain

The most important innovation introduced by the Commission’s proposal is the obligation that providers must inform customers about breaches in security. The current situation is not very different as they must already inform customers about the risks to security.