Regulators, Enforcement Priorities and Penalties
Who are the main data privacy, non-personal data and/or cybersecurity regulator(s) in the jurisdiction?

[Last reviewed: January 2025]

The Spanish Data Protection Agency has the responsibility of supervising the application of data protection regulations in Spain.

The regional data protection authorities in Catalonia, Andalusia and the Basque Country are competent in relation to the following data processing activities:

  • Those carried out by entities that are members of the public sector of the corresponding Autonomous Region or of the Local Entities included in its territorial scope
  • Those carried out by individuals or legal entities for the exercise of public functions in matters that fall within the competence of the corresponding Autonomous Government or Local Administration
  • Those that are expressly provided, as the case may be, in the respective Statutes of Autonomy

As regards non-personal data, the Data Act provides that each Member State may designate new or existing authorities to apply and enforce the regulation. In Spain, no formal designation has taken place at the moment.

As regards cybersecurity regulators, there are several competent authorities in Spain depending on the sector, the public or private nature of the entity and other criteria (among others, the Secretary of State for Digital Progress or the Ministry of Defence, through the National Cryptologic Center).

How active is each of the regulator(s)?

[Last reviewed: January 2025]

☒ Moderately active as regards the cybersecurity regulator

☒ Very active as regards the data privacy regulator

What are each of the regulator's anticipated enforcement priorities for the next 12 months?

[Last reviewed: January 2025]

The Spanish Data Protection Agency has focused its enforcement activities over the past years on the following sectors: advertising, telecommunications, financial institutions, insolvency registers, unlawful contracting and employment matters. The fines imposed in those areas have increased consistently in recent years, and they remain the key areas for enforcement.

We expect the data protection authorities to carry out audits related to innovative topics such as artificial intelligence ("AI"), including in the context of the AI Sandbox in Spain, while also focusing on data controllers' internal compliance measures, such as the adequate performance of data privacy impact assessments, the appointment of a DPO when necessary and the review of the DPO's role and suitability for that role (a focus in line with the EDPB coordinated action), or the need to undertake appropriate Privacy Impact Assessments ("PIAs"). We also expect an increase in claims related to cybersecurity and data breaches, as well as to cross-border data transfers.

In relation to cybersecurity, the Spanish government approved on 29 March 2022 an agreement adopting the National Cybersecurity Plan. This plan foresees more than 150 initiatives for the next three years, and its main objective is to intensify surveillance and respond to contingencies in cyberspace.

What trends are you seeing in regulatory investigations relating to data & cyber?

[Last reviewed: January 2025]

Regulatory investigations or direct enforcement activity by data or cyber regulators are:

☒ Increasing

Class actions/group actions under data or cyber regulation are:

☒ Rare

What are the potential penalties/remedies for non-compliance with the key data and cybersecurity laws in the jurisdiction?

[Last reviewed: January 2025]

There are:

☒   administrative remedies / civil penalties applied by regulators and law enforcement

Depending on the infringement, the administrative fines would be:

  • up to EUR 10 million, or in the case of an undertaking, up to 2% of the total worldwide annual turnover of the preceding financial year, whichever is higher, or
  • up to EUR 20 million, or in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher

Regarding civil actions, the data subject may claim damages in court. However, note that in Spain damages need to be proven before the Courts; thus, the final remedy will depend on the Court's decision.

☒   criminal penalties from regulators and law enforcement

Article 197, paragraph 1, of the Criminal Code punishes anyone who, in order to discover another person's secrets, seizes their papers, letters, e-mails or other personal documents, intercepts their telecommunications or uses any technical device or means of recording or reproducing sound or image.

The second paragraph of the same article punishes three different types of behavior:

  • Seizing, using or modifying, without authorization, reserved personal data recorded in computer, electronic or telematic files or in any other type of public or private file
  • Accessing such data without authorization
  • Altering or using such data to the detriment of the owner of the data or a third party

☒   private remedies

Individuals may, for example:

  • file complaints with the data protection authorities; this could entail the imposition of fines on the company but no damages for the individual
  • claim compensation for material or non-material damages

In addition to the above, the data subject has the right to mandate certain organizations (e.g., consumer protection bodies) to lodge a complaint and to exercise certain rights on their behalf. Such organizations may even lodge a complaint with the supervisory authority independently of any mandate from the data subject.

☒   other

If data subjects have private remedies, what form can these remedies take?

☒   individual personal actions

☒   representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)

If data subjects have private remedies, what form can these remedies take?

[Last reviewed: January 2025]

☒   Unclear