Security Requirements and Breach Notification
Do data privacy laws or regulations impose obligations to maintain information security controls to protect personal data from unauthorized access or processing?

[Last reviewed: January 2025]

Yes.

☒   general obligation to take appropriate / reasonable technical, physical and/or organizational security measures

☒   obligation to take specific security measures e.g., encryption

☒   reasonable security controls

☒   encryption

According to the Regulation implementing the previous Data Protection Act, which has not been expressly repealed and, as we understand, is still applicable, encryption is mandatory in cases of processing of sensitive data.

Do other laws or regulations impose obligations to protect systems from cyberattack?

[Last reviewed: January 2025]

☒   public company obligations (e.g., duties to maintain sufficient information security measures or ensure operational resilience to cyberattacks?)

☒   network information security requirements (broader than telecommunications)

☒   financial services requirements

☒   telecommunication requirements

☒   providers of critical infrastructure

      digital or connected (IoT) products

☒   other: in general applicable to the entities that are within the scope of the cybersecurity regulations in Spain, which is also determined specifically on a sector-specific basis, and in general to data controllers to avoid unlawful access to their systems as part of the compliance with their personal data protection obligations imposed by the GDPR.

Has there been regulatory activity – including enforcement action, investigations, regulatory guidance or other public statements by the regulator – relating to cybersecurity by the following regulators in the last 12 months?

   Data privacy

   Securities or public company

     financial services

The national regulator of financial services (i.e., National Securities Market Commission or “CNMV”) has published a report on the outcome of the self-assessment on the preparedness of financial entities with respect to DORA, which includes recommendations, expectations, regulatory highlights and references to more technical support materials that may be of assistance in the implementation of DORA.

Likewise, 2024 has been a year in which numerous companies, multinationals and public sector organizations have suffered cyber-attacks, with several of these entities being fined by the Spanish Data Protection Agency for millions of Euros for negligence and insufficient protection against this type of data breach.

Does data privacy or cybersecurity law impose obligations to make notifications about personal data security breaches?

[Last reviewed: January 2025]

Yes.

"Personal data breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored or otherwise processed. Breaches within the scope of the cybersecurity regulations also need to be notified to the competent cybersecurity authorities.

Controllers/Owners have to notify:

[Last reviewed: January 2025]

☒   data protection authorities

  • In case of a personal data breach, unless the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons
  • Without undue delay and, where feasible, not later than 72 hours after having become aware of it

☒   cybersecurity authorities – depending on the different characteristics of the affected entity by the breach and the severity of the incident, different thresholds may apply in terms of timing to notify the relevant authorities.

☒   affected individuals

  • Without undue delay
  • If a personal data breach is likely to result in a high risk to the rights and freedoms of natural persons, unless any of the following conditions are met:
      • the controller has implemented technical and organizational protection measures and those measures were applied to the personal data affected by the personal data breach, in particular those that render the personal data unintelligible to any person who is not authorized to access it, such as encryption
      • the controller has taken subsequent measures that ensure that the high risk to the rights and freedoms of the data subjects is no longer likely to materialize

☒   other

There shall be public communication or similar measures whereby the data subjects are informed in an equally effective manner (instead of informing the data subjects individually) if the communication to the data subject would involve disproportionate effort.

Processors/Agents have to notify:

[Last reviewed: January 2025]

☒   controller/owner

  • In case of a personal data breach irrespective of a risk to the rights and freedoms of the data subjects
  • Without undue delay after becoming aware of it

☒   cybersecurity authorities – potentially depending on the circumstances of the breach and their regulatory obligations

Are there any additional sector-specific or non-personal data security breach notification requirements?

[Last reviewed: January 2025]

Yes.

☒   public company obligations (e.g., to notify security incidents that may materially affect an investor's decision)

☒   cybersecurity authorities

   health regulatory requirements (e.g., to notify incidents affecting safety of medical devices)

☒   financial services requirements

☒   telecommunication requirements

☒   providers of critical infrastructure

☒   other

In accordance with Royal Decree-Law 12/2018, of 7 September, on the security of networks and information systems (implementing the NIS Directive in Spain), operators of essential services shall notify incidents that may have significant disruptive effects on these services. Royal Decree 43/2021, of 26 January, developing Royal Decree-Law 12/2018, of 7 September, on security of networks and information systems also develops the practical requirements relevant in this context.

Details regarding the identified data security breach notification requirements

Article 63.3 of General Telecommunications Law 11/2022 provides that operators operating networks or providing publicly available electronic communications services shall notify the Ministry of Industry, Energy and Tourism of security breaches or loss of integrity that have had a significant impact on the operation of the networks or services.

In addition, Article 60.2 of the same law states that in the event of a particular risk of a breach of the security of the public network or of the electronic communications service, the operator operating the network or providing the electronic communications service shall inform subscribers of that risk and of the measures to be taken.

In the event of a breach of personal data, the operator of publicly available electronic communications services shall notify the Spanish Data Protection Agency of such breach without undue delay. If the violation of data could negatively affect the privacy or personal data of a subscriber or individual, the operator shall also notify the subscriber or individual of the violation without undue delay.

The notification of a violation of personal data to a subscriber or individual affected will not be necessary if the provider has proven to the satisfaction of the Spanish Data Protection Agency that it has applied appropriate technological protection measures and that these measures have been applied to the data affected by the breach of security. Such protection measures could be those that make the data incomprehensible to any person who is not authorized to access them.

Without prejudice to the provider's obligation to inform affected subscribers or individuals, if the provider has not already notified the subscriber or individual of the violation of personal data, the Spanish Data Protection Agency may require it to do so, once the possible adverse effects of the violation have been evaluated.

The notification to the subscriber or individual shall at least describe the nature of the breach of personal data and the contact points where further information can be obtained and shall recommend measures to mitigate the possible adverse effects of such breach. The notification to the Spanish Data Protection Agency shall also describe the consequences of the violation and the measures proposed or adopted by the provider with respect to the violation of personal data.

Operators shall keep an inventory of personal data breaches, including the facts related to such breaches, their effects and the measures adopted in this respect, which is sufficient to enable the Spanish Data Protection Agency to verify compliance with the notification obligations regulated in this section. The format and content of the inventory may be established by royal decree.

The violation of personal data shall be understood as the violation of security that causes the accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access of personal data transmitted, stored or otherwise processed in connection with the provision of a publicly accessible electronic communications service.