SPAIN

This content was last reviewed around May 2023.

Cloud Neutral

1. Are financial institutions legally permitted to use cloud services?

Yes, if the institution meets all the applicable legal requirements for the use of cloud services.

2. Are there any rules that apply to cloud use by financial institutions (e.g., rules regarding outsourcing or the use of cloud services)?

Yes, this is governed at both national and EU level through the following regulatory legislation.

National level

Credit institutions:

  • Royal Decree 84/2015, dated 13 February, on the implementation of Act 10/2014, dated 26 June, on the organization, supervision and solvency of credit institutions
  • Circular 2/2016, dated 2 February, of the Bank of Spain, to credit institutions, on supervision and solvency

Investment firms:

  • Royal Decree 217/2008, dated 15 February, on the legal regime applicable to investment firms and other entities that provide investment services
  • Commission Delegated Regulation (EU) 2017/565 of 25 April 2016 supplementing Directive 2014/65/EU of the European Parliament and of the Council as regards organisational requirements and operating conditions for investment firms and defined terms for the purposes of that Directive

Management companies:

  • Act 35/2003, dated 4 November, on Collective Investment Undertakings
  • Royal Decree 1082/2012, dated 13 July, approving the implementation regulation of Act 35/2003, dated 4 November, on collective investment undertakings
  • Act 22/2014, dated 12 November, regulating venture capital entities, other closed ended investment undertakings and management companies

Insurance undertakings:

  • Act 20/2015, dated 14 July 2015, on the regulation, supervision and solvency of insurance and reinsurance undertakings
  • Royal Decree 1060/2015, dated 20 November 2015, on the regulation, supervision and solvency of insurance and reinsurance undertakings

EU level

  • European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019/02)
  • European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (ESMA 50-164-4285)
  • European Banking Authority Guidelines on ICT and security risk management (EBA/GL/2019/04)
  • European Insurance and Occupational Pensions Authority Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002)
  • Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector and amending Regulations (EC) No. 1060/2009, (EU) No. 648/2012, (EU) No. 600/2014 and (EU) No. 909/2014 (DORA)

3. Are there any specific contractual requirements for cloud outsourcing?

According to both Spanish regulatory legislation and EU level legislation, the rights and obligations of the parties entering an outsourcing agreement should be clearly allocated and set out in a written agreement which, where it affects critical or important functions, must include at least the following:

  • A clear description of the outsourced function to be provided
  • The start date and end date, where applicable, of the agreement and the notice periods for the service provider and the financial institution
  • The governing law of the agreement
  • The parties' financial obligations
  • Whether the sub-outsourcing of a critical or important function, or material parts thereof, is permitted and, if so, the conditions that the sub-outsourcing is subject to
  • The locations (i.e., regions or countries) where the critical or important function will be provided and/or where relevant data will be kept and processed, including the possible storage location, and the conditions to be met, including a requirement to notify the financial institution if the service provider proposes to change the locations
  • Where relevant, provisions regarding the accessibility, availability, integrity, privacy and safety of relevant data
  • The right of the financial institution to monitor the service provider's performance on an ongoing basis
  • The agreed service levels, which should include precise quantitative and qualitative performance targets for the outsourced function to allow for timely monitoring so that appropriate corrective action can be taken without undue delay if the agreed service levels are not met
  • The reporting obligations of the cloud service provider to the financial institution, including the communication by the provider of any development that may have a material impact on the service provider's ability to effectively carry out the critical or important function in line with the agreed service levels and in compliance with applicable laws and regulatory requirements and, as appropriate, the obligations to submit reports on the internal audit function of the cloud service provider
  • Whether the cloud service provider should take out mandatory insurance against certain risks and, if applicable, the level of insurance cover requested
  • The requirements to implement and test business contingency plans
  • Provisions that ensure the data owned by the financial institution can be accessed in the case of the insolvency, resolution or discontinuation of business operations of the service provider
  • The obligation of the service provider to cooperate with the competent authorities and resolution authorities of the financial institution, including other persons appointed by them
  • A clear reference to the national resolution authority's powers, if applicable
  • The unrestricted right of the financial institution and competent authorities to inspect and audit the service provider regarding, in particular, the critical or important outsourced function
  • Termination rights
  • The requirement for the cloud service provider to have a contingency plan to maintain its activity and limit the entity's losses in the event of serious incidents

Pursuant to the European Banking Authority Guidelines on ICT and security risk management (EBA/GL/2019/04), to ensure continuity of ICT services, financial institutions should ensure that contracts and service level agreements with cloud service providers include the following:

  • Appropriate and proportionate information security-related objectives and measures, including: minimum cybersecurity requirements; specifications on the financial institution's data life cycle; any requirements regarding data encryption, network security and security monitoring processes; and the location of data centers
  • Operational and security incident handling procedures including escalation and reporting

Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector (DORA), amending Regulations (EC) No 1060/2009, (EU) No 648/2012, (EU) No 600/2014 and (EU) No 909/2014, will also be relevant when considering contractual requirements for cloud outsourcing.

4. When does cloud outsourcing fall within the scope of the rules?

The European Banking Authority Guidelines on outsourcing arrangements (EBA/GL/2019/02) ("EBA Guidelines") set out the factors that a financial institution should consider, together with the outcome of its risk assessment, when assessing whether an outsourcing arrangement relates to a function that is considered critical or important.

Under the European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (ESMA 50-164-4285) ("ESMA Guidelines"), in line with the EBA Guidelines, "cloud outsourcing arrangement" is defined as an arrangement of any form, including delegation arrangements, between the following:

  • A firm and a cloud service provider by which that provider performs a function that would otherwise be undertaken by the firm itself
  • A firm and a third-party that is not a cloud service provider, but that relies significantly on such a provider to perform a function that would otherwise be undertaken by the firm itself (In this case, a reference to a cloud service provider in these guidelines should be read as referring to such third party.)

The ESMA Guidelines define a cloud service provider as a third party delivering cloud services under a cloud outsourcing arrangement.

According to the European Insurance and Occupational Pensions Authority Guidelines on outsourcing to cloud service providers (EIOPA-BoS-20-002) ("EIOPA Guidelines"), the undertaking should establish whether an arrangement with a cloud service provider falls under the definition of outsourcing pursuant to the Solvency II Directive. Within the assessment, consideration should be given to the following:

  1. Whether the operational function or activity outsourced is performed on a recurrent or an ongoing basis
  2. Whether this operational function or activity would normally fall within the scope of operational functions or activities that would be performed by the undertaking during its regular business activities, even if the undertaking has not done so in the past

Where an arrangement with a service provider covers multiple operational functions or activities, the undertaking should consider all aspects of the arrangement within its assessment.

In cases where the undertaking outsources operational functions or activities to service providers that are not cloud service providers, but rely significantly on cloud infrastructures to deliver their services (for example, where the cloud service provider is part of a sub-outsourcing chain), the arrangement for such outsourcing falls within the scope of the EIOPA Guidelines.

In the context of Regulation (EU) 2022/2554 of the European Parliament and of the Council on digital operational resilience for the financial sector ("DORA Regulation"), cloud outsourcing falls within the scope of the DORA Regulation when it is considered to be an information and communication technology (ICT) third-party service provided to regulated financial entities.

5. Does the outsourcing need to be notified to the regulator?

Yes.

Credit institutions:

  • Important outsourcing: The institution that is outsourcing must submit a prior communication to the Bank of Spain at least two months before the effective date of the agreement.
  • Non-important outsourcing: Although no notification period is envisaged for non-important outsourcing, the Bank of Spain should be informed immediately whenever a non-important outsourcing becomes important.

Payment institutions:

  • Important outsourcing: The institution must submit a prior communication to the Bank of Spain at least one month before the effective date of the agreement.
  • Non-important outsourcing: Non-important outsourcing, or any modification thereof, must be notified to the Bank of Spain by the payment institution within one month from the effective date of the agreement.

Investment firms and management companies: Pursuant to the European Securities and Markets Authority Guidelines on outsourcing to cloud service providers (ESMA 50-164-4285), investment firms and management companies should notify the National Securities Market Commission in writing, in a timely manner, of any planned cloud outsourcing arrangements that concern a critical or important function. Similarly, they should also notify the National Securities Market Commission of those cloud outsourcing arrangements that concern a function that was previously classified as non-critical or non-important and has since become critical or important.

Insurance undertakings: Insurance undertakings must give prior notice to the Directorate General of Insurance and Pension Funds of the outsourcing of critical or important functions or activities, as well as of any subsequent significant change in relation to those functions or activities.

6. What are the potential consequences for breaching financial services rules on cloud outsourcing?

From a Spanish regulatory and legislative perspective, potential consequences for any noncompliance with relevant local law will vary depending on the severity of the breach.

A failure to notify the outsourcing of "important operational functions" may constitute a "very severe" or "severe" administrative offense under Spanish prudential legislation, which could result in certain statutory penalties, for example:

  • Fines
  • Cease-and-desist orders
  • Public or private censures

7. Are there any data privacy and/or data security laws that would apply?

Yes.

Data privacy:

  • Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC
  • Spanish Organic Act 3/2018, dated 5 December, on Personal Data Protection and Digital Rights Safeguard

Data security:

  • Royal Decree-Law 12/2018, dated 7 September, on the security of networks and information systems
  • Act 8/2011, dated 28 April, establishing measures for the protection of critical infrastructures (The Act imposes several obligations on owners and operators of critical infrastructures, including specific obligations to implement security measures that guarantee the comprehensive security of their critical infrastructure.)
  • Royal Decree 43/2021, dated 26 January, developing Royal Decree-Law 12/2018, dated 7 September, on network and information systems security
  • Directive (EU) 2022/2555 of the European Parliament and of the Council, dated 14 December, on measures for a high common level of cybersecurity across the Union, amending Regulation (EU) No. 910/2014 and Directive (EU) 2018/1972, and repealing Directive (EU) 2016/1148

8. Are there any restrictions under local data protection laws that would impact the overseas hosting of data?

According to Royal Decree-Law 14/2019, dated 31 October, on urgent measures for reasons of public safety in the areas of e-government, public sector procurement and telecommunications, the information and communication systems used for the collection, storage, processing and management of electoral roll data, as well as data from users of the national health system and data concerning regional taxes, must be located within the EU.

Data transfer restrictions apply where the data recipient is located outside the European Economic Area (EEA). According to Regulation (EU) 2016/679 of the European Parliament and of the Council, dated 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (GDPR) and the Spanish Organic Act 3/2018, dated 5 December, on Personal Data Protection and Digital Rights Safeguard ("Spanish LOPD"), any transfer of personal data outside the EEA qualifies as an international data transfer and can only be carried out where certain conditions are met (e.g., where the international data transfer is carried out on the basis of an adequacy decision, with appropriate safeguards, consent, etc.). The legal instrument used to carry out an international data transfer in accordance with GDPR will depend on the circumstances of each case and the location of the data recipient.

9. Does a cloud service provider need a financial services authorization or license to provide cloud services?

A financial services authorization is not required but, according to Royal Decree-Law 12/2018, cloud computing service providers (as digital service providers) must communicate to the competent authority their activity within three months from starting their activity, for information purposes.

10. Is express consent from customers or other data subjects required before moving data to the cloud?

Express consent is not required from a general data protection perspective. Under Spanish financial legislation, to the extent customer data is encrypted and therefore inaccessible to the cloud service provider (which presupposes that the provider does not also hold the decryption keys), sharing, hosting, processing and moving data to the cloud would not entail a breach of the confidentiality and nondisclosure obligation.

11. Are there any local laws that require a cloud service provider to be able to access the data it hosts?

No.

12. Are there any local laws that would require a cloud service provider to disclose the data it hosts to any third parties in any circumstances (including regulatory or law enforcement authorities)?

Yes. National competent authorities are responsible for supervising outsourcing and, to this end, financial institutions must make available, on request, all information necessary to oversee their compliance. As such, the Bank of Spain/European Central Bank, the National Securities Market Commission and the Directorate General of Insurance and Pension Funds have a direct audit right regarding financial institutions' outsourcing arrangements.

The Criminal Procedure Act has been updated to meet the new technological environment. It authorizes the interception of almost any kind of communication and affords access to the electronic data generated as a consequence of, among others, the provision of an information society service or telematic communication of a similar nature.

The Spanish General Telecommunications Act allows for the lawful interception of certain communications when judicially authorized.

From a data protection perspective and under newly adopted standard contractual clauses, cloud service providers acting as data importers are subject to specific obligations relating to the disclosure of personal data to public authorities of countries outside the European Economic Area. Cloud service providers, when acting as data importers, should notify data exporters when they receive a legally binding request for disclosure of personal data from a public authority. Furthermore, data importers must verify that the requesting authority is authorized to make such a request and, if they consider such a request is unlawful, they must challenge it.