Data disclosure requirements
12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. EU national competent authorities are responsible for supervising outsourcing and, to this end, financial institutions must have available, on request, all appropriate information necessary to oversee their compliance. As such, the Bank of Spain/European Central Bank, the National Securities Market Commission and the Directorate General of Insurance and Pension Funds have a direct audit right regarding financial institutions' outsourcing arrangements.

The Criminal Procedure Act has been updated to meet the new technological environment. It authorizes the interception of almost any kind of communication and affords access to the electronic data generated as a consequence of, among others, the provision of an information society service or telematic communication of a similar nature.

The Spanish General Telecommunications Act allows for the lawful interception of certain communications when judicially authorized.

From a data protection perspective and under newly adopted standard contractual clauses, cloud service providers acting as data importers are subject to specific obligations relating to the disclosure of personal data to public authorities of countries outside the European Economic Area. Cloud service providers, when acting as data importers, should notify data exporters when they receive a legally binding request for disclosure of personal data from a public authority. Furthermore, data importers must verify that the requesting authority is authorized to make such a request and, if they consider that such a request is unlawful, they must challenge it.