Key Data & Cybersecurity Laws
How are data and cybersecurity laws/regulations implemented?

[Last reviewed: January 2025]

   omnibus – all personal data

☒   sector-specific

E.g., telecoms, public healthcare sector, insurance

☒   constitutional

What are the key data privacy laws and regulations?

[Last reviewed: January 2025]

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

  • EU General Data Protection Regulation
  • Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights
  • Royal Decree 1720/2007, of 21 December, by which the Regulation of development of the Organic Law 15/1999, of 13 December, of protection of personal data is approved
  • Law 11/2022, of 28 June, General of Telecommunications
  • Organic Law 7/2021, of 26 May, on the protection of personal data processed for the purposes of prevention, detection, investigation and prosecution of criminal offenses and the execution of criminal sanctions

 

What are the key cybersecurity laws and regulations?

[Last reviewed: January 2025]

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

Spanish law:

  • Law 8/2011, of 28 April, on the measures for the protection of the critical infrastructures
  • Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems
  • Royal Decree 43/2021, of 26 January, developing Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems

Spain is currently drafting the regulation implementing the NIS2 Directive. A first draft bill of the implementation was made available in January 2025, and the remaining steps for the final approval of the law are expected to be completed in a short period of time.

What are the key laws and regulations relating to non-personal data?

[Last reviewed: January 2025]

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

  • Law 11/2022, of 28 June, General of Telecommunications

Are new or material changes to those key data and cybersecurity laws anticipated in the near future?

[Last reviewed: January 2025]

Yes.

The implementation of the NIS2 Directive in the Spanish legal framework is currently in process. A first draft bill of the implementation was made available in January 2025, and the remaining steps for the final approval of the law are expected to be completed in a short period of time. In this first draft bill, which may be subject to change, the regulation foresees, among other provisions, that the individual members of the management bodies of essential and important entities shall be jointly and severally liable for the infringements committed by these entities (i.e., with respect to a fine), and that subject entities must appoint a person (or body) “responsible for the information security” (in Spanish, “responsable de seguridad de la información”).

The Whistleblower Directive (Directive (EU) 2019/1937) was implemented in the Spanish legal framework through Law 2/2023, of 20 February, regulating the protection of whistleblowers, and is currently fully in force.

A draft bill for an Organic Law for the protection of minors in digital environments ("Draft Bill") is currently being negotiated within the context of a plan to safeguard the health, welfare and safety of children and adolescents in Spain. The Draft Bill introduces new rules but, most importantly, amends other regulations currently in force, including Organic Law 3/2018 on data protection and digital rights, by increasing the age to provide consent for the processing of personal data from 14 to 16 years old.