[Last reviewed: January 2025]
The Spanish Data Protection Agency has the responsibility of supervising the application of data protection regulations in Spain.
The regional data protection authorities, in Catalonia, Andalusia and the Basque Country, are competent in relation to the following data processing activities:
As regards non-personal data, the Data Act provides that each Member State may designate new authorities or existing authorities to apply and enforce the regulation. In Spain, no formal designation has taken place at the moment.
As regards the cybersecurity regulators, there are several competent authorities in Spain depending on the sector, the public or private nature of the entity and other criteria (among others, the Secretary of State for Digital Progress or the Ministry of Defence, through the National Cryptologic Center).
☒ Moderately active as regards the cybersecurity regulator
☒ Very active as regards the data privacy regulator
The Spanish Data Protection Agency has focused its enforcement activities over the past years on the following sectors: advertising, telecommunications, financial institutions, insolvency registers, unlawful contracting and employment matters. The fines imposed in those areas have increased consistently in the past years, and these remain the key areas for enforcement.
We expect the data protection authorities to carry out audits related to innovative topics such as artificial intelligence ("AI"), in the context of the AI Sandbox in Spain, while also focusing on the degree of compliance with data controllers' other internal compliance measures, such as the adequate performance of data privacy impact assessments, the appointment of the DPO when necessary, the review of the DPO's role and suitability for such role, or the need to undertake appropriate Privacy Impact Assessments ("PIAs"). Such focus is in line with the EDPB coordinated action. We also expect an increase in claims related to cybersecurity and data breaches as well as cross-border data transfers.
In relation to cybersecurity, on 29 March 2022 the Spanish government adopted an agreement approving the National Cybersecurity Plan. This plan foresees more than 150 initiatives for the next three years, and its main objective is to intensify surveillance and respond to contingencies in cyberspace.
Regulatory investigations or direct enforcement activity by data or cyber regulators are:
☒ Increasing
Class actions/group actions under data or cyber regulation are:
☒ Rare
There are:
☒ administrative remedies / civil penalties applied by regulators and law enforcement
Depending on the infringement, the administrative fines would be:
Regarding the civil actions, the data subject might claim damages in court. However, note that in Spain, damages need to be proven before the Courts; thus, the final remedy will depend on the Court's decision.
☒ criminal penalties from regulators and law enforcement
Article 197, paragraph 1, of the Criminal Code punishes anyone who intends to discover another person's secrets by seizing their papers, letters, e-mails or other personal documents, intercepting their telecommunications or using any technical device or means of recording or reproducing sound or image.
The second paragraph of the same article punishes three different types of behavior:
☒ private remedies
Individuals may, for example:
In addition to the above, the data subject has the right to mandate certain organizations (e.g., consumer protection bodies) to lodge a complaint and to exercise certain rights on their behalf. Such organizations may even lodge a complaint with the supervisory authority, independently of the data subject's mandate.
☒ other
If data subjects have private remedies, what form can these remedies take?
☒ individual personal actions
☒ representative actions (e.g., brought by a consumer / data privacy body or the supervisory authority)