In brief: data protection, privacy and cybersecurity in Spain

Cybersecurity and data protection are becoming essential values for society and, as a result, both areas have undergone significant legal developments in recent years. In particular, a new cybersecurity law and a new national data protection law were adopted in the second half of 2018. Both laws are based on and reflect the corresponding European instruments: the Directive on the security of network and information systems (the NIS Directive) and the General Data Protection Regulation (GDPR). Nevertheless, data protection and privacy rules are more consolidated in the EU and Spain than cybersecurity regulations, which are still under development.

Data protection and privacy are separate rights under Spanish law, but both are considered fundamental rights arising from respect for the dignity of human beings. They are mainly based on the free choice of individuals to decide whether to share with others (including public authorities) information that concerns them (personal data) or that relates to their private and family life, their home and their communications (private life). Both fundamental rights are recognised in the Treaty of Lisbon (the Charter of Fundamental Rights of the European Union) and in the Spanish Constitution of 1978. The data protection rules deal, among other things, with security principles and concrete measures that are useful for addressing certain cybersecurity problems, in particular because the specific cybersecurity legislation (which covers not only personal data and private information but all information) is not yet sufficiently developed.

Regarding data protection, the main rules are the GDPR and Basic Law 3/2018, of December 5, on Data Protection and Guarantees of Digital Rights (the Spanish Data Protection Law). With the approval of this law, the old Spanish data protection laws and regulations were repealed. In addition, Spain has transposed Directive 2016/680 through Basic Law 7/2021, of May 26, on the processing of personal data for the purposes of the prevention, detection, investigation or prosecution of criminal offences and the execution of criminal penalties.

In addition to the aforementioned legal regime, there are sector-specific regulations that also include provisions on data protection, since certain categories of personal data and certain processing activities may require specific protection, such as the processing of personal data in the financial, electronic communications or health sectors. There are several data protection codes of conduct for different sectors. Some of these codes have recently been revised and approved in accordance with the GDPR and the Spanish Data Protection Law.

The rights to data protection and privacy are not absolute and, where appropriate, must be balanced against other fundamental rights or freedoms (e.g. freedom of information or expression) as well as against other legitimate interests (for example, intellectual property rights, public safety and criminal prosecution). In the case of data protection, this balance must be assessed primarily by the organisation and the individuals concerned, and public entities and other organisations can challenge the assessment before the Spanish Data Protection Authority (DPA), which is responsible for supervising the application of the data protection regulations (see section III.i). Privacy breaches must be brought before the courts (civil or criminal).

The DPA was established in 1993 and has been particularly active in its role of educating organisations and the general public on the value of data protection, and in imposing significant penalties. The statutes of the DPA were approved in 2021 (by Royal Decree 389/2021 of June 1). According to the latest information available on the DPA's website, in 2021 alone the DPA received 13,905 complaints from individuals, organisations and authorities (including authorities in other EU jurisdictions) and imposed 258 economic fines in the private sector for a total of €35,074,800. These sanctions are published on the DPA website, which the media (and others) use as an important source of data protection information.

The year in review

At EU level, the creation of the digital single market is one of the most ambitious European projects. In this respect, certain European regulations (which apply directly in the Member States) have been approved this year (such as the Data Governance Act) or are awaiting final approval (the Digital Services Act and the Digital Markets Act). Spanish legislation in this area has not changed much over the past year. The Spanish government is heavily involved in "Digital Spain 2025", a plan containing 48 measures to boost digital transformation in Spain. However, covid-19 has hampered their development.

Regarding the implementation of the NIS Directive (see section IX), the Spanish government is currently reviewing the national cybersecurity laws. Separately, a law on security in 5G technology was approved in March 2022.

Finally, at the time of writing, the DPA has issued a number of sanction resolutions in recent months imposing fines of several million euros on Spanish companies in the banking, telecommunications and energy sectors, in connection with the principles of transparency, lawfulness and accountability, among others. In addition, the DPA fined Google LLC (US-based) €10 million in connection with the right to erasure and the procedure for taking down content that Google makes available to users in its various products.