- the right to privacy in the use of digital devices in the work environment;
- the right to digital disconnection;
- the right to privacy in the case of video monitoring and sound recording devices in the workplace; and
- the right to privacy in case of location tracking systems used in the workplace.
1.2. Guidelines
The AEPD has issued guidelines including on the following issues:
- CCTV recording operations (only available in Spanish here);
- Data protection guide for citizens (only available in Spanish here);
- Risk Management and Impact Assessment in the Processing of Personal Data (June 2021);
- Guide for compliance with the duty to inform (only available in Spanish here);
- Guide on Personal Data Breach Management and Notification;
- Guidelines for the drafting of contracts between controllers and processors (only available in Spanish here);
- Guidelines for Data Protection by Default;
- Guide on Use of Cookies (January 2021)and 2023 updated version (only available in Spanish here);
- Guidelines on notifying DPO's to the AEPD (only available in Spanish here);
- Guidelines on the DPO certification scheme (only available in Spanish here) ('the Certification Scheme Guidelines');
- Section 5 of GDPR FAQs (only available in Spanish here);
- The DPO Handbook, issued jointly with the Italian data protection authority ('Garante'), the Croatian Personal Data Protection Agency ('AZOP'), the Bulgarian Commission for Personal Data Protection ('CPDP'), and the Polish data protection authority ('UODO');
- Practical Guide for Analysis of Risks in the Processing of Personal Data Subject under the GDPR (only available in Spanish here);
- Guide on the GDPR for data controllers (only available in Spanish here);
- Guidelines on the adaptation of processing operations incorporating Artificial Intelligence to the GDPR (only available in Spanish here);
- Requirements for Audits of Treatments that include IA (only available in Spanish here);
- Guidelines on the validation of cryptographic systems in data protection (only available in Spanish here) and
- An approach to data spaces from a GDPR perspective (only available in Spanish here).
Additionally, the AEPD has issued several GDPR facilitation tools (only available in Spanish here).
Furthermore, the AEPD has issued lists of activities which require ('Blacklist') or does not require ('Whitelist') a Data Protection Impact Assessment ('DPIA'):
- Spain DPIA Blacklist ('Spain Blacklist'); and
- Spain DPIA Whitelist ('Spain Whitelist').
Notably, the European Data Protection Board ('EDPB') has published the following Opinion for Spain:
- Opinion 6/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR);
- Opinion 12/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR); and
- Opinion 1/2020 on the Spanish data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR.
1.3. Case law
2. Scope of Application
2.1. Personal scope
There are no national law variations from the GDPR.
2.2. Territorial scope
There are no national law variations from the GDPR.
2.3. Material scope
There are no national law variations from the GDPR.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The AEPD is the main regulatory authority.
3.2. Main powers, duties and responsibilities
The AEPD supervises the implementation of, and compliance with, the LOPDGDD by all data controllers and processors. Moreover, the AEPD examines the sanction procedure in case of an infringement of the data protection legislation, as well as any claims filed by data subjects. The AEPD is also the authority who imposes fines on data controllers and/or processors when they do not comply with the data protection legislation.
4. Key Definitions
Data controller: No national variations from the GDPR.
Data processor: No national variations from the GDPR.
Personal data: No national variations from the GDPR.
Sensitive data: No national variations from the GDPR.
Health data: No national variations from the GDPR.
Biometric data: No national variations from the GDPR.
Pseudonymisation: No national variations from the GDPR.
5. Legal Bases
5.1. Consent
There are no national law variations from the GDPR.
5.2. Contract with the data subject
There are no national law variations from the GDPR.
5.3. Legal obligations
There are no national law variations from the GDPR.
5.4. Interests of the data subject
There are no national law variations from the GDPR.
5.5. Public interest
There are no national law variations from the GDPR.
5.6. Legitimate interests of the data controller
There are no national law variations from the GDPR.
5.7. Legal bases in other instances
In relation to the processing of personal data for statistical purposes:
- according to Law 12/1989, of 9 May, on the Public Statistical Function (only available in Spanish here), the processing of personal data for statistical purposes shall be lawful only if based on an express and voluntary consent of the data subject; and
- the competent bodies for the public statistical function can deny a data subject's request for exercising the rights referred to in Articles 15 to 22 of the GDPR when the data is protected by the statistical secrecy guarantees provided by the Spanish legislation.
Processing of personal data for archiving purposes in the public interest is subject to Law 16/1985, of 25 June, on the Spanish Historical Heritage (only available in Spanish here) and other related regulations.
In relation to the processing of personal data for scientific or historical research purposes:
- data subject requests made in accordance with Articles 15, 16, 18, and 21 of the GDPR may be rejected:
- when they are exercised before the researchers that use anonymised personal data;
- when the requests refer to the results of the research; or
- when the research is carried out in the public interest, concerning public safety, defence, or national security; and
- it is mandatory to carry out a DPIA;
- the scientific research shall be subject to quality standards;
- it is mandatory to implement any measures in order to guarantee that the researchers do not access to the identification data of the data subjects; and
- it is mandatory to appoint a legal representative when the clinical trial sponsor is not located in the EU.
6. Principles
There are no national law variations from the GDPR.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no specific requirement in Spain for data processing notifications.
7.2. Data transfers
There are no national law variations from the GDPR.
7.3. Data processing records
There are no national law variations from the GDPR.
7.4. Data protection impact assessment
The Spain Blacklist provides that the following types of processing operations require a DPIA:
- processing that involves profiling or the evaluation of subjects, including the collection of the subject's data in multiple areas of their life (work performance, personality, and behavior), covering various aspects of their personality or habits;
- processing that involves automated decision-making or that makes a significant contribution to such decision-making, including any kind of decision that prevents data subjects from exercising a right or accessing a product or service or forming part of a contract;
- processing that involves the observation, monitoring, supervision, geo-location, or control of the interested party in a systematic and extensive manner, including the collection of data and metadata via networks, applications, or in publicly accessible areas, as well as the processing of unique identifiers that allow the identification of users of services of the information society, such as web services, interactive TV, mobile applications, etc.;
- processing that involves the use of special categories of data as referred to in Article 9(1) of the GDPR;
- data concerning criminal convictions and offenses as referred to in Article 10 of the GDPR, or data that allow the financial situation or solvency to be determined, or that allow personal information in relation to special categories of data to be determined or deduced;
- processing that involves the use of biometric data for the purpose of uniquely identifying a natural person;
- processing that involves the use of genetic data for any purpose;
- processing that involves the use of data on a large scale. In order to determine whether processing can be considered to be on a large scale, the criteria laid down in the Article 29 Working Party's ('WP29's') Guidelines on Data Protection Officers must be taken into account;
- processing that involves the association, combination, or linking of records in databases from two or more data processing events with different aims or by different controllers;
- data processing regarding vulnerable subjects or those who are at risk of social exclusion, including the data of persons aged under 14, older people with any kind of disability, the disabled, persons who access social services, and the victims of gender-related violence, as well as their descendants and persons who are in their guardianship or custody;
- processing that involves the use of new technologies or innovative use of consolidated technologies, including the use of technologies on a new scale, for a new purpose, or in combination with others, in a manner that entails new forms of data collection and usage that represents a risk to people's rights and freedoms; and
- data processing that prevents interested parties from exercising their rights, using a service, or executing a contract, such as for example processing where data have been compiled by a controller distinct from the controller who is to process them, and any of the exceptions regarding the information that ought to be provided to the interested parties under Article 14(5)(b), (c), and (d) of the GDPR apply.
Furthermore, the Spain Whitelist provides that the following types of processing operations do not require a DPIA:
- processing carried out strictly under the guidelines established or authorized previously, by way of circulars or decisions issued by supervisory bodies, especially the AEPD, whenever the processing has not changed since it was authorized;
- processing carried out strictly under the guidelines of codes of conduct approved by the European Commission or by supervisory bodies, especially the AEPD, whenever a full DPIA has already been carried out within the context of a validated code of conduct, and is implemented with the measures and safeguards defined in the DPIA;
- processing that is necessary in order to comply with a legal requirement or to complete a mission being carried out in the public interest or in the exercise of official authority vested in the controller, provided that there is no duty to carry out a DPIA within the legal mandate itself, whenever a full DPIA has already been performed;
- processing carried out by self-employed personnel who work on an individual basis in the exercise of their professional duties, especially physicians, healthcare professionals, or lawyers, notwithstanding that it may be required when the processing carried out complies, in a significant way, with two or more criteria established in the list of types of data processing that require impact evaluation relative to data protection published by the AEPD;
- processing carried out in relation to the internal administration of personnel working at small to medium-sized enterprises, in order to face processing operations mandatory by law for the purposes of accounting, human resources management, payroll management, social security, and safety in the workplace, but never in relation to customer data;
- processing carried out by owners' associations and sub-associations in multioccupancy properties, as these are defined in Article 2 (a), (b), and (d) of Law 49/1960, of July 21, on Horizontal Property (only available in Spanish here); and
- processing carried out by professional colleges and non-profit associations in connection with the data of their associates members and donors of the data controllers listed therein concerning the management of their personal data, and in the performance of their tasks, provided that the processing does not extend to sensitive data such as those referred to in Article 9(1) of the GDPR and that Article 9(2)(d) of the GDPR does not apply.
The AEPD has issued the following resources to assist with undertaking a DPIA:
- a DPIA tool (only available in Spanish here);
- Template for Data Protection Impact Assessment Report (DPIA) for Private Sector; and
- Model DPIA report for public administrations (only available to download in Spanish here).
Penalties
In accordance with Article 83(4) of the GDPR, the processing of personal data without having carried out a DPIA is considered a serious violation and will have a two-year statutory limitation period (Article 73(t) of the LOPDGDD).
7.5. Data protection officer appointment
The LOPDGDD requires data controllers to appoint a DPO in specific circumstances even if the GDPR does not require it. Companies that are required to appoint a DPO under the LOPDGDD are:
- professional associations and their general councils;
- teaching centers that offer education at any of the levels established in the legislation regulating the right to education, including public and private universities;
- entities that operate electronic communications networks and provide electronic communications services in accordance with the provisions of their specific legislation, when they habitually and systematically process personal data on a large scale;
- information society service providers carrying out data subject profiling activities on a large scale;
- entities included in Article 1 of Law 10/2014, of 26 June 2014, on the Regulation, Supervision and Solvency of Credit Institutions (as amended), namely, banks, savings banks, credit unions, and the Official Credit Institute;
- credit financial institutions;
- insurance and reinsurance entities;
- investment service companies, regulated by stock market legislation;
- electric power distributors and natural gas distributors;
- entities that develop advertising and commercial prospecting activities, including those of commercial and market research, when they carry out treatments based on the preferences of those affected or carry out activities that involve the preparation of profiles of them;
- health facilities legally obliged to keep patients' medical histories (health professionals acting on their own as freelance are excluded);
- entities carrying out business/credit reports regarding individuals;
- entities offering gambling and gaming services by electronic, informatics, telematics, or interactive means;
- private security companies; and
- sports federations when processing underage individuals' personal data.
Role
Under Article 36(2) of the LOPDGDD, a DPO cannot be dismissed or penalized unless they commit fraud or gross negligence in their exercise. Additionally, the DPO must report directly to the highest level of management.
A DPO may intervene when a complaint is made against a controller or processor to a supervisory authority. Prior to submitting the complaint to the supervisory authority, the DPO, when they have been designated, may intervene and communicate to the complainant the organization's response within two months of the receipt of the complaint (Article 37(1) of the LOPDGDD).
The AEPD, or the corresponding regional data protection authority, i.e. the Catalan Data Protection Authority ('APDCAT'), the Basque data protection agency ('AVPD'), and the Council of transparency and data protection in Andalusia, may forward the complaint to the DPO before attending to it (Article 37(1) of the LOPDGDD). The DPO has one month to reply to the complaint (Article 37(2) of the LOPDGDD).
Professional qualifications
The AEPD has issued the Certification Scheme Guidelines, a non-compulsory DPO certification scheme, which verifies that a DPO meets the professional qualifications and knowledge required to practice the profession. Although certification is not mandatory to be able to practice as a DPO, and the profession can be exercised without being certified under this or any other scheme, the Certification Scheme Guidelines note that the AEPD has considered it necessary to offer a reference point to the market on the contents and elements of a certification mechanism that can serve as a guarantee to accredit the qualification and professional capacity of DPO candidates.
The Certification Scheme Guidelines state that only those accredited by the National Accreditation Entity ('ENAC') can issue certificates to DPOs, and include a list of organisations that have been accredited or are in the process of being accredited.
Notification
The LOPDGDD also allows organizations to voluntarily appoint a DPO. However, if appointed, it will be mandatory to notify the AEPD of such an appointment.
The LOPDGDD requires data controllers to inform the AEPD or, as the case may be, the regional data protection authorities, of the designations, appointments, and dismissals of DPOs within a period of ten days (Article 34(3) of the LOPDGDD).
The DPO notification with the AEPD can be made via an online form (only available in Spanish here). There is also an online form for notifying the APDCAT (only available in Catalan here), the Council of transparency and data protection in Andalusia (only available in Spanish here) and the AVPD (only available to access in Spanish here).
The AEPD and the regional authorities have an obligation under Article 34(4) of the LOPDGDD to maintain, within the scope of their respective competencies, an updated list of DPOs that will be accessible by electronic means (the AEPD's list is only available in Spanish here).
Finally, if a data subject files a claim before the AEPD, the latter may first address the DPO in order to obtain an answer to the claim.
7.6. Data breach notification
There are no national law variations from the GDPR.
7.7. Data retention
There are no national law variations from the GDPR.
7.8. Children's data
Whereas the GDPR establishes a minimum age of 16 years for the processing of children's data based on the child's own consent, the LOPDGDD, pursuant to the enablement provided in the GDPR itself, according to which Member States may provide by law for a lower age provided that such lower age is not below 13 years, sets the age of the child at 14 years for the processing of data based on the child's consent.
7.9. Special categories of personal data
Processing of special categories of personal data
According to the LOPDGDD, the consent of the data subject will not be sufficient for processing data where the main purpose is to identify that individual's ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin. This is to prevent discrimination. Consequently, additional grounds are needed in order to process this type of personal data.
Moreover, the LOPDGDD states that processing of special categories of personal data in accordance with Article 9(2)(g), (h), and (i) of the GDPR must be based on a law, which could establish additional requirements regarding their security and confidentiality.
Processing of criminal convictions data
The processing of such data for purposes other than the prevention, investigation, detection, or prosecution of criminal offenses, or enforcement may only be carried out when covered by a rule with statutory force and effect or by EU law. In other cases, processing of such data may only be carried out by lawyers and procurators, provided that the purpose of the same is to collect the information provided by clients for the performance of their functions.
7.10. Controller and processor contracts
There are no national variations from the GDPR.
8. Data Subject Rights
8.1. Right to be informed
Data controllers may provide the information required by Article 13 of GDPR through a layer system. The first layer shall contain, as a minimum, the following:
- the identity of the data controller (and the identify of its representative, where applicable);
- a simple description of the purposes for which the data will be processed;
- the possibility of exercising the data privacy rights;
- a reference to the fact that the personal data will be processed for profiling (where applicable); and
- a link to the second layer of information. The second layer must contain further information as required by Article 13 of the GDPR.
The layer system can also be used when the personal data has not been obtained from the data subject (Article 14 of the GDPR), in which case it will be mandatory to include in the first layer of information:
- the categories of personal data concerned; and
- the source from which the personal data originates.
Moreover, the LOPDGDD states that data controllers need to inform the data subjects not only about the possibility of exercising their rights, but also about the mechanism for exercising such rights (for example, via email).
8.2. Right to access
There are no national variations from the GDPR.
8.3. Right to rectification
There are no national variations from the GDPR.
8.4. Right to erasure
The LOPDGDD allows data controllers to block personal data when data subjects have previously exercised their rights to rectification or erasure. Thus, the data controller may keep such personal data duly blocked during the statutory limitation period of any liabilities that may arise as a consequence of the processing.
8.5. Right to object/opt-out
There are no national variations from the GDPR.
8.6. Right to data portability
There are no national variations from the GDPR.
8.7. Right not to be subject to automated decision-making
There are no national variations from the GDPR.
8.8. Other rights
9. Penalties
The LOPDGDD classifies data protection infringements as minor, serious, or very serious, and specifies the statutory limitation period that is one, two, and three years, respectively.
Regarding the sanctions amount, the LOPDGDD refers to the provisions set out in the GDPR.
9.1 Enforcement decisions
The AEPD imposed two sanctions on Caixabank in its resolution published in January 2021 (only available in Spanish here), for infringing the GDPR, which are relevant due to the considerable amount of the penalty. Specifically, a sanction of €4 million was imposed for the bank's lack of compliance with the requirements for obtaining valid consent from users, and another sanction of €2 million for unlawful processing of personal data due to the fact that the bank imposed customers' consent for the processing of their data in the framework contract.
In addition, the AEPD issued, on 27 July 2021, its decision in proceeding PS/00120/2021 (only available in Spanish here), fining Mercadona, S.A. €2.52 million, following the conclusion of the AEPD's investigation into the use of facial recognition systems carried out in Mercadona's establishments for the purpose of detecting the individuals with criminal convictions or restraining orders. In particular, the decision highlights, among other things, that the processing of biometric data through the facial recognition system did not only occur in relation to the identification of individuals with convictions or criminal offences, but rather affected any customer who walked into the supermarkets, including children, as well as Mercadona's employees.
Furthermore, the AEPD published, on 1 February 2022, its decision in Proceeding No. PS/00001/2021 (only available in Spanish here), in which it imposed a fine of €3.94 million on Vodafone España, S.A.U., violation of Articles 5(1)(f) and 5(2) of the GDPR for not implementing appropriate security measures to prevent fraudulent replication of SIM cards, and not being able to prove that Vodafone implemented such measures.
The AEPD published, on 18 May 2022, its decision in proceeding PS-00140-2020 (only available in Spanish here), in which it imposed a fine of €10 million on Google LLC for the violation of Articles 6 and 17 of the GDPR following two complaints and subsequent investigation from the AEPD.
In particular, the AEDP noted that the complaints concerned the transfer of requests related to the removal of content from Google's various products and platforms, such as the Google search engine and YouTube, to a third party, the 'Lumen Project'. Specifically, the AEPD explained that to enable the removal of content, Google required users that used the relevant forms to accept the transfer of copies of content removal requests to 'lumendatabase.org', on which they would, subsequently, be published.
On 28 July 2023 the AEPD fined Open Bank, S.A. €2.5 million (decision only available in Spanish here) for infringing Articles 25 and 32 GDPR on data protection by design and security of personal data processing respectively. According to the AEPD, the options offered by the Open Bank to prove the origin of various amounts received in a complainant's bank account (submitting the information by email, post or in person at any of Open Bank's offices in Madrid), in compliance with anti-money laundering regulations, did not incorporate any security measures, as no encryption mechanism. The AEPD states that 'e-mail cannot be considered an appropriate means of guaranteeing a level of security appropriate to the risk in the sending of documentation containing personal data provided under Chapter II of Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing (available in Spanish here) (unofficial English translation available here), which require special protection, considering the regulation on the prevention of money laundering, the nature of the processed data and the GDPR.
