On 14 September 2007, the head of the Spanish Data Protection Agency (the “SDPA”), Mr. Artemi Rallo, presented the SPDA’s 2006 annual report to Congress. The annual report, available in Spanish at , contains statistics on all the processes monitored by the SDPA last year. Some of the key findings and figures are reproduced below:
Fines, sanctions and enquiries
The fines imposed in 2006 amounted to over €24,400,000.
The majority of the enquiries were related to the Telecommunications sector with approximately 30% (447 inspections) of all enquiries conducted in this sector. 161 of the enquiries were as a result of fraud at the time of contracting. As a result of the inspections in this Sector, 77 sanctions were imposed, representing 25% of the total number of sanctions imposed by the SDPA in 2006.
The second biggest sector offender (in terms of finalised inspection procedures) was the financial sector, with 371 inspections, (26% of the total inspections). 73% of these inspections were related to the wrong inclusion of names in debtor files. As a result of these inspections, 66 sanctions were imposed in this sector (21% of the total number of sanctions).
The sanctions and inspections relating to other Sectors were as follows:
Public administrations sector; 109 inspections, (7% of the total number of inspections);
The advertising sector: 53 inspections and 29 sanctions;
Spam: 56 inspections and 14 sanctions;
Health care sector: 42 inspections and 10 sanctions;
Internet services sector: 31 inspections and 7 sanctions;
Insurance sector: 15 inspections and 6 sanctions.
Notifications to the SDPA
In 2006, the SDPA received 815,093 notifications (around 685 per day). This figure represents a 25% increase from the previous year.
Initiated procedures in 2006
In 2006 1,282 enquiries or investigations were initiated, an increase of 11% compared to 2005. The majority of these investigations (1,201) were initiated by the SDPA as a consequence of a lawsuit by a person or legal entity. Additionally, 556 procedures of “safeguarding legal rights” (“tutela de derechos”) were initiated.
In 2006, the SDPA received around 35,800 requests for advice, either by telephone, in writing or in person. However, the majority of contacts with the SDPA, (more than 1,500,000), were made through its website. Most requests submitted to the department of assistance were related to personal rights (51.54%) and to the scope of application of the Spanish National Law on Data Protection (13.50%).
In 2006, the SDPA produced 553 legal reports which helped to clarify the SDPA’s position in relation to a number of issues including the concept of controller and processor, the disclosures of data, international transfers of data, sensitive data and the implementation of whistleblowing schemes in companies.
The average growth in legal reports per year in the last five years is 40%.
In 2006, the SDPA issued Instruction 1/2006 on processing personal data obtained by video cameras set up for surveillance purposes and insisted that the draft regulation developing Spanish Law on Data Protection should be approved in the next months.
During 2006 the SDPA authorised 133 transfers of personal data to countries without the same level of protection as the EU. On this matter, it is worth noting that the SDPA has included a new step in the process of obtaining authorisation to transfer data, consisting of making public some information related to the transfer and the companies involved. The purpose of this new step is to give third parties an opportunity to raise concerns about the transfer. However, confidential information must remain inaccessible.