Spanish Data Protection Update


In this update:


The Spanish Data Protection Agency issues a guide on Privacy Impact Assessment

According to the Spanish Data Protection Agency ("SDPA"), a Privacy Impact Assessment (PIA) is an "analysis of the risks that a certain information system, product or service may entail for the fundamental right of data protection and, after that analysis, looking for the best way to manage the identified risks, to adopt the appropriate measures to eliminate or mitigate them." The SDPA has published a guide with the aim of promoting PIAs and a "privacy proactive culture", giving a reference procedure to evaluate and prevent privacy risks.

The SDPA believes that carrying out a PIA provides additional guarantees and promotes users' and consumers' confidence. PIAs also allow companies to identify and correct possible risks at the early stages of a project, avoiding future costs and even potential privacy rights breaches. The company also avoids the negative consequences that privacy infringements could have on its reputation.

There is currently no legal obligation under Spanish law to perform a PIA; however, the current version of the European Proposal for a new Data Protection Regulation includes the obligation to carry out a data protection impact assessment prior to developing processing operations that are considered risky. Nevertheless, the Guide explains that implementing PIAs may be taken into account by the SDPA as an important element to evaluate if the processing operations are diligent and compliant which, in the framework of a data breach or a sanctioning procedure, may be regarded as a mitigation measure.

The Guide specifically recommends carrying out a PIA prior to processing operations related to Big Data, the Internet of Things or the development and construction of smart cities; when minors' personal data are being processed, particularly if they are under fourteen; when privacy-invasive technologies such as video surveillance are used; or when an international transfer of data is necessary. The SDPA also recommends PIAs if a massive and systematic processing of specially protected data is to be performed, or when non-dissociated or non-anonymized data are being processed for statistical, historical or scientific investigation purposes. PIAs are also advisable when a large number of people are affected by processing operations and in those cases in which there is an accumulation of personal data. A PIA is also recommended if the way the data subjects are going to be contacted might be considered especially intrusive, if data are to be assigned to third parties and if profiling activities are to be carried out. Finally, it is also recommended when existing information is to be enriched by collecting new categories of data or the existing data are used for different purposes, particularly if those uses are more intrusive or unexpected for the affected subjects.

The SDPA has also underlined that the scope of the PIA will depend on the specific data processing operation envisaged. Thus, the system designed by the Guide should be adapted to the particular needs and characteristics of each sector and each organization. As stated by the SDPA, "not every PIA needs to be carried out with the same intensity and the same depth. While some cases allow a less exhaustive and formal procedure, in other situations additional actions would be required to address the complexity or importance of the existing risks".

According to the SDPA a PIA project should include the following phases:

1. Need analysis: evaluation of the convenience of carrying out a PIA.

2. Project and information flows description: In depth analysis of the project to identify the category of data processed, the data users, information and data flows and the technologies used for the processing.

3. Risk identification: Analysis of the possible risks for data protection and privacy, evaluation of the probability of those risks materializing and the assessment of the damage they could cause.

4. Management of risks: Decision on the controls and measures to be implemented to eliminate, mitigate, transfer or accept the identified risks.

5. Regulations compliance analysis: Verification of the compliance with data protection legal requirements, both general and sector-based.

6. Final report: Issuing a detailed report summarizing the identified risks and the proposed solutions to mitigate or eliminate them. This report should generally be addressed to the management of the organization carrying out the PIA.

7. Implementation of recommendations: The decision regarding the recommendations given in the final report and the actions to be taken shall be reported to the management of the organization. An allocation of resources and the appointment of a person responsible for implementing them are necessary.

8. Review and feedback: Analysis of the final result to control the effectiveness of the PIA and to check if there are any new risks. These results are used as feedback regarding the PIA and to update it when necessary.

The Guide gives numerous examples of risks that the processing operations may entail and the possible mitigations. For instance, in order to mitigate risks associated with the use of cookies or other tracking technologies, the SDPA advises using the least invasive type of cookies, informing the users about their use and purposes, and respecting the users' preferences regarding cookies and tracking technologies.

The SDPA's Guide also contains a series of questions which allow entities to check their level of legal compliance, regarding aspects such as the transparency of data processing or security measures. The Guide also encloses templates to organize data on information flows and risk identification and management, as well as another template of the PIA's final report.

The Official Agency of the Official State Gazette (AEBOE) has published the "Code on the Right to be forgotten"

The AEBOE has recently published a compendium of legislation on the right to be forgotten (the "Code"), which summarizes the relevant regulations that may affect this right, which was recognized by the European Court of Justice in its judgment on the Google case issued in May 2014.

The right to be forgotten is defined in the Code as the right to safeguard one's reputation. The introduction to the legal compilation states that, with the broad use of the internet and social media, ensuring that the right to be forgotten is respected is of paramount importance.

The right to be forgotten is not specifically regulated in Spain, but it may be considered already protected by data protection laws and by civil legislation on the protection of honour and self-image. The introduction to the Code mentions that the right to be forgotten may also be the object of civil court proceedings with varied purposes, including injunction measures and the award of compensation.

The Code is not envisaged as a formal compilation but as a mere working tool with the aim to summarise all regulations that affect or regulate the right to be forgotten. It includes the following categories of laws:

1. Spanish Constitution (Part-Inclusive)
2. Personal Data Protection Regulations
3. Information Society
4. Civil law
5. Criminal Legislation
6. Regulation of Administration of Justice
7. Regulation of Public Administration
8. Regulation of Minors
9. Sanitary Regulations
10. Regulation of Official Gazettes
11. Regulation of Pardons
12. Regulation of State Security Forces and Bodies
13. Prison Regulation
14. Telecommunications Rules
15. Regulations on Consumers and Users
16. Social Security Regulation
17. Regulation about Publication of Traffic Penalties 

To see the full text of the Code (only available in Spanish), please click here.

Spanish Data Protection Agency’s Annual Report for 2013 

The Spanish Data Protection Agency's annual report for 2013 (hereinafter, the "Report"), has recently been published and is available in Spanish at:

The Report contains statistics on all proceedings carried out before the Spanish Data Protection Agency (hereinafter, the “SDPA”) last year, rulings of the National and Supreme Court, sanctions imposed, international data transfers that have been authorized and other highlighted matters. Please find below some of the key findings and figures:

SDPA's proceedings
Preliminary proceedings and sanctions/warnings

The majority of preliminary proceedings and sanctioning procedures ending in sanction or warning in 2013 relate to the telecommunications sector. This sector was the object of 2,256 preliminary proceedings[1] and 317 sanctions/warnings[2]. These figures represent 28.71% of the total preliminary proceedings and 38.56% of the total procedures ending in sanction or warning, respectively.

The second biggest offending sector in terms of preliminary proceedings and procedures ending in sanction or warning is the financial sector, with 1,566 preliminary proceedings and 62 sanctions/warnings[3]. These figures represent respectively 19.93% of the total preliminary proceedings and 7.54% of the total procedures ending in sanction or warning.

The third biggest offending sector is CCTV surveillance services, with 918 preliminary proceedings and 176 sanctions/warnings[4]. These figures represent 11.68% of the total preliminary proceedings and 21.41% of the total procedures ending in sanction or warning, respectively.

It should be highlighted that while the mass sending of electronic commercial communications (spamming) ranks seventh in terms of number of preliminary proceedings (344 preliminary proceedings in 2013, which amount to 4.38% of the total procedures), it ranks fourth in terms of procedures ending in sanction or warning (59 procedures, which amount to 7.18% of the total).

Distribution of fines

Fines imposed in 2013 amounted to €22,339,440 (this implies an increase of 6.10% compared to the total value of the fines imposed in 2012).

The telecommunications sector received fines for the highest amount (€15,035,008, which represents 67.30% of the total amount in fines), followed by companies providing and commercializing energy and water (€2,084,901, which represents 9.33% of the total), the financial sector (€1,811,501, which represents 8.11% of the total), internet services (€1,276,403, which represents 5.71%) and finally the mass sending of electronic commercial communications, or spamming (€526,010, which represents 2.35% of the total).

Access, rectification, cancellation and opposition rights ("ARCO rights"), and "right to be forgotten"

The number of claims for lack of observance of the ARCO rights before the SDPA (“tutela de derechos”) has slightly decreased (-8.94%). In 2013 the majority of claims refer to the cancellation right, followed by the claims related to the right of access.

Data files registration

In 2013 the total number of data files registered before the SDPA amounted to 3,375,059. Of these, 3,228,777 files refer to private companies.

Judgments of the National and Supreme Courts

In 2013, the National Court (the body that reviews SDPA's resolutions in first instance) passed 274 judgements on appeals to SDPA's resolutions and the Supreme Court passed 12 resolutions (7 judgements and 5 orders) on appeals to the National Court's judgements confirming or nullifying SDPA's resolutions.

Regarding the judgments of the National Court, 53 ruled against the SDPA's resolution and nullified it, and 33 ruled partially against the SDPA's resolution. However, the SDPA points out that out of the 33 appeals that were resolved partially in favour of the appellant, 9 implied only a decrease of the economic fine.

Regarding the judgments of the Supreme Court, it is necessary to point out that the number of appeals has declined sharply as a result of reforms introduced in administrative proceedings in 2013. Thus, judgments entered in 2013 are now only a third of those issued in 2012.

International transfers of personal data

The international data flows in a globalized world maintain their upward trend with a total of 170 authorizations from the Spanish Data Protection Agency in 2013. The most common destinations are still South America, USA and India.

The Report highlights the increase in international data transfers bound for India, which have almost doubled in one year (42 versus 27), amounting to a total of 179.

The vast majority of international transfers (72%) aim to provide services by entities located in third countries (controller-processor transfers), indicating the growing importance of offshoring services in the current technological environment.

The need to provide flexible models for data transfer to third countries is highlighted in the Report. As evidence, data exporters are tending to provide safeguards that differ from the EU standard contractual clauses: 10 applications for authorization (9 completed and granted in 2012) were based on the guarantees provided by the Binding Corporate Rules (BCRs), and 7 applications were covered by the standard contractual clauses drafted by the Spanish Data Protection Agency (SDPA) to cover processor to sub-processor transfers.


The Report highlights the publication of the Guide on the use of Cookies (the “Guide”) in April. The Guide is the first document in Europe on this topic which has been jointly developed by the Data Protection Authority and the representatives of the industry. The Guide includes some important guidelines about the use of cookies, such as a description of the types of cookies and their purposes, the role of the different entities that access the information collected, the SDPA's requirements in relation to the use of cookies, sanctions for infringements and consent requirements. The SDPA concludes that (i) a two-layer system may be used to obtain consent, and (ii) in order for consent to be considered validly granted, users shall be informed of the type of cookies, their purposes and the identity of third-party providers.

The SDPA also highlights the publication of two guidelines on the use of cloud computing: Guide for clients using services of Cloud Computing and Guidelines for providers of Cloud Computing.

The Guide for clients explains the legal role of the parties involved, noting that the client acts as a data controller and the provider of cloud computing services as a data processor.

The Guidelines for providers of Cloud Computing state that providers shall inform diligently and in a transparent manner about the nature of their services and the guarantees to be implemented for the fulfilment of Spanish data protection regulations.

Coordination with other data protection authorities

On September 19th, 2013 the SDPA issued a sanctioning resolution stating that Google collected and processed personal data unlawfully and imposed on the Internet giant a penalty of €900,000. This SDPA resolution followed a coordinated multinational investigation carried out by EU data protection authorities in relation to Google's new privacy policy.

The report also mentions that in 2013 two additional preliminary proceedings were initiated against Google: one for failure to comply with cookies regulations in a group of companies and the other against Google Inc for lack of information about storage and use of cookies.

[1] "Preliminary proceedings" include inspection actions started ex officio or further to a claim, claims that were not admitted by the SDPA, and incomplete claims that were not remedied within the term established by the SDPA.

[2] As opposed to 2,652 preliminary proceedings and 289 sanctions/warnings in 2012.

[3] As opposed to 1,077 preliminary proceedings and 77 sanctions/warnings in 2012.

[4] As opposed to 1,271 preliminary proceedings and 276 sanctions/warnings in 2012.