I OVERVIEW

As opposed to many other countries, the Spanish legal system does not regulate discovery, in the sense of a process involving the obligation to preserve information in light of a reasonable expectation of litigation, and disclose that information at the request of a third party in the context of potential or actual court proceedings. Spanish legislation does not even set out a discovery (or similar) process to preserve and disclose a broad range of information or data.

Spain filed reservations under Article 23 of the 1970 Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters to expressly exclude the execution of letters of request issued for the purpose of obtaining pretrial discovery of documents, which indicates the absence of a 'discovery culture' in the country.

Contrary to the uniform and general discovery process in place in other jurisdictions, under Spanish law, data preservation obligations result from sectoral regulation, and their scope is limited to specific documents and content. Data disclosure obligations arising from a third party's request can only result from a judicial order issued by a court within litigation proceedings (meeting the requirements applicable in each jurisdiction) and, exceptionally, in the case of criminal proceedings, from dawn raids and document seizures ordered by a criminal court.2

These preservation and disclosure obligations are strengthened by the consequences attached in the event of breach, which range from procedural consequences (i.e., reassessment of evidence) to administrative and even criminal sanctions, depending on the circumstances of the specific infringement.

In addition to the absence of a discovery process and governing framework, sectoral laws regarding data collection and data disclosure do not refer to electronically stored information (ESI) expressly (except for criminal procedure regulations). However, it is assumed that this category of information falls within the scope of terms such as 'data' or 'documents', which are most commonly used by the legislature.

Finally, as a result of having no discovery process, the cases in which courts and other parties have had to deal with a vast amount of data have been rare until very recently. Thus, digital forensics and legal professional privilege have not developed to the same extent as in other jurisdictions. However, this has started to change, as expansive information requests, new technologies and internal investigations are becoming more commonplace (see Section V).

II YEAR IN REVIEW

The laws that refer to data preservation and disclosure obligations, especially the former, are in constant development and consequently so are the provisions.

For example, the amendment to the Anti-Money Laundering and Terrorist Financing Law of 28 April (Law 10/2010) by Decree-Law 11/2018 of 31 August broadened the scope of legal and natural persons obliged to comply with its provisions (including data preservation obligations). As a result, online gambling providers are now obligated to preserve data as established in the amended Article 2.1.u (in addition to other individuals and legal entities already subject to the anti-money laundering obligations, such as credit institutions, investment firms, audit firms, accounting companies and tax advisers). The amendment has also altered the wording of Article 2.1.o, which now refers to natural persons who, on behalf of a third party, found a company, act as directors or secretaries to the board of directors of a legal entity or act as external advisers, provide a registered office or a trust, or act as shareholders in a company that is not listed on a regulated EU market. Nevertheless, the practical consequences of this amendment (the introduction of the clause 'on behalf of a third party') remain unclear and have yet to be determined by administrative authorities or case law.

Although the period to preserve relevant documents is still 10 years, there is now an obligation to destroy all documents after this period. The amendment has also limited the individuals or entities entitled to access the preserved documents after the first five years to only the corporate organisms in charge of internal control within the company.

III CONTROL AND PRESERVATION

Spanish legislation does not have a rule setting out a general obligation to preserve data prior to anticipated judicial proceedings (through a litigation hold notice).

The most similar requirement in this respect is that established by Article 30.1 of the Commercial Code, which creates a general obligation for entrepreneurs to preserve accounting files, correspondence, documentation and supporting documents (such as invoices) related to their business activity for six years, which begins from the last day of the company's fiscal year. It has, however, been interpreted that the aim of this obligation is to provide hard copies of the information registered in the company's accounts and that, consequently, this preservation obligation does not apply to all documentation or correspondence within the company. The ambiguity of the term 'entrepreneur' has led to the interpretation that this obligation is imposed on the legal entity as a whole, and not on specific natural persons within it.

With the exception of Article 30.1, the regulations on the control and preservation of data are numerous and dispersed. They are only applicable to certain natural and legal persons on the grounds of their professional activity, and only affect certain documents and information. Among the most relevant is Article 25 of Law 10/2010, which establishes an obligation to preserve all data that corroborates compliance with that Law's anti-money laundering obligations. As a result, this preservation responsibility extends to:

  1. all documents related to compliance with know-your-client obligations;
  2. data supporting the actual circumstances of the transactions carried out with the client; and
  3. all documents supporting the actual implementation of internal controls with regard to a client and the communications made to the anti-money laundering authorities regarding a client or transactions with the client (e.g., any report submitted to those authorities in relation to suspicious transactions).

The obligation to preserve this documentation is imposed on legal and natural persons subject to anti-money laundering obligations listed in Article 2 of Law 10/2010 (including credit institutions and investment firms).

Documents referred to by this Law must be preserved for 10 years from the end of the business relationship with the client (Article 25), and it is compulsory to destroy these documents after that period, as previously explained.

Stock market regulations (primarily the Market Abuse Regulation3 and the Spanish Stock Market Law4) create additional obligations involving the preservation of all documents related to market soundings5 (including any correspondence and recording of these communications) and insider lists6 for five years.

The banking and financial field is also subject to numerous preservation obligations. The Stock Market Law requires that entities that participate in the securities and investment market perform and store suitability tests to corroborate the fitness of a specific client to invest in a particular product (and which must be safeguarded for five years), as well as samples of the entity's advertising campaigns (although it does not set forth a specific period to conserve this data), among other documentation. There are also supplementary obligations imposed on credit institutions by regulatory entities (e.g., the Bank of Spain) that refer to, for example, the contractual documentation of transactions entered into by these entities (Circular 5/2017 of 27 June).

As a final example, telecommunication companies are also obligated to preserve all data relating to electronic communications or the use of public telecommunication networks for 12 months (Article 5 of Law 25/2007 of 18 October).

From a privacy standpoint, in any of the above-mentioned situations (or in a similar case of preservation of data), in the event that the records contain personal data as defined by the EU General Data Protection Regulation (GDPR),7 this personal data must be erased when no longer necessary for the legitimate purposes for which it was obtained or processed, which the data subject was informed of and provided consent for (when required). Erasure must lead to the data being blocked (i.e., maintained solely at the disposal of the authorities for the purpose of determining any potential liability arising from the processing, and only for the time during which the liability may arise). When the liability expires, the data must be deleted. Therefore, the period during which personal data can be stored must be determined on a case-by-case basis, taking into account the type of personal data and the purposes for which that data is being processed, as well as any possible Spanish legal and statutory requirements.

The sole mention of the preservation of ESI can be found in Article 588 octies of the Criminal Procedural Law. This Article allows a public prosecutor and the judicial police to order any legal or natural person to preserve and protect data or specific information stored in an IT system until the necessary judicial order to permit the seizure and inspection of this data is issued (as explained in Section IV).

IV REQUESTS AND SCOPE

One party (i.e., a legal or natural person) cannot force another party to disclose documents in a pretrial situation (or in a trial) without the intervention of a court. The obligation to provide data in judicial proceedings only arises from a judicial request and in the context of a court case.

Furthermore, as opposed to discovery procedures, the judicial request cannot consist of a general demand for information. Spanish regulations and case law limit the scope of judicial orders to avoid massive requests of data in court proceedings. This approach is reflected in Article 328.1 of the Civil Procedural Law, which refers to the right of a party to judicial proceedings to request that the counterparty disclose documents. Despite establishing a highly generic obligation to provide information in judicial proceedings (as per the request of a counterparty), this Article nevertheless limits the scope of the party's request to documents that (1) are not available to the requesting party and (2) are related to the subject matter of the proceedings or to the efficacy of the evidence (this limitation on data requests is applicable to all judicial proceedings that fall under Spanish jurisdiction). In addition, according to Article 328.2 of the Civil Procedural Law, the requesting party has to provide the court with a copy of the requested document or, if this does not exist, a description of its content with as much detail as possible.

A similar approach can be found in the specific regulation that was introduced in 2017 in relation to the civil process to claim for damages for infringements of EU or national competition law (Article 283 bis (a) to (k) of the Civil Procedural Law).8 The amended regulation aims to broaden access to evidence within these cases by setting out a process to request the disclosure of data. However, this new process still requires the intervention of a court to issue the judicial order to gather the relevant documents and information. In addition, the new regulation on these specific proceedings does not permit a general request of information similar to discovery. In fact, the party's request has to meet different requirements that may limit the scope of the data demanded. In this regard, at the moment of issuing the judicial order, the court has to verify the proportionality of the request, taking into account the following criteria:

  1. the extent to which the claim or defence is supported by available facts and evidence justifying the request to disclose evidence;
  2. the scope and cost of disclosure, especially for any third parties concerned, including preventing non-specific searches for information that is unlikely to be of relevance for the parties in the procedure; and
  3. whether the evidence, the disclosure of which is sought, contains confidential information, especially concerning any third parties, and what arrangements are in place for protecting this information. Furthermore, the requesting party will have to bear the costs of obtaining the evidence, which are quantified on a case-by-case basis. For this purpose, the court can order the party to provide a guarantee.

In criminal proceedings, further limitations apply, as an investigated party (whether a legal or natural person) cannot be instructed to disclose data because of its right against self-incrimination. Judicial requests can therefore only be addressed to third parties (or, at most, to parties to the proceedings that might be held civilly, but not criminally, liable for the alleged offence9). To obtain data from an investigated natural or legal person, the court must order a dawn raid and issue an order for the seizure of documents;10 this approach is also subject to limits set forth by the Criminal Procedural Law (Articles 545 to 578), with the most notable limitations being the prohibition to carry out futile inspections or seize documents that are not deemed necessary for the investigation of the offence.

Additional limits set out in the Criminal Procedural Law require that investigative actions be agreed by the court in a judicial writ that is well grounded. Based on the Articles mentioned above, the judicial order must identify the specific premises where the raid will be carried out, the authority that will be in charge of the inspection and whether the raid will be performed only during the day or also at night. The court's order must be notified to the affected individual, who has a right to be present (or represented) during the inspection. All documents seized during the raid must be numbered by the judicial secretary and minutes will be drafted describing how the raid was carried out and listing the documentation that was seized.

In addition to these traditional judicial ways of obtaining data, the Criminal Procedural Law was amended in 2015 to include a detailed regulation on technological investigative measures.11 Within the amended legislation, Article 588 sexies (a) to (c) addresses the inspection of ESI. According to these provisions, the seizure of computers, devices for telephone or electronic communication, or devices for mass storage of information, as well as access to electronic data repositories, must be properly justified by the corresponding court in a judicial order setting out the reasons for agreeing to the request to access that data. The court's order must also set out the scope of the seizure and the necessary measures to be implemented for the preservation of the data.

According to these articles, the scope of the seizure can be broadened during the course of the inspection to access other devices on which relevant data might be stored, insofar as this possibility has been previously authorised by the court or, otherwise, and in the event of urgency, provided that the judicial authority is immediately informed during the subsequent 24 hours. The court must then confirm or revoke the inspection in the 72 hours following that communication.

Article 588 sexies c (4) authorises the judicial police, in urgent cases, to directly examine the seized devices, provided that this inspection is essential and that they communicate the circumstance to the judicial authorities in the subsequent 24 hours, setting out the reasons for the inspection, its scope, how it was carried out and the results. The court must then confirm or revoke the inspection in the 72 hours following that communication.

The enforcement of the preservation and disclosure obligations described above is enhanced by civil and criminal regulations. Civil regulations establish that failure to preserve or disclose documents requested in litigation must be taken into account by the court when assessing the evidence. To that extent, Article 329 of the Civil Procedural Law establishes that a party's refusal to produce any documents requested within judicial proceedings will entitle the court to accept the requesting party's interpretation of the content of those documents as accurate.

With respect to criminal enforcement measures, the Criminal Code prescribes sanctions for specific unlawful acts that are contrary to the preservation and disclosure of data within judicial proceedings.

Among these, the Criminal Code sanctions procedural fraud, which consists of the manipulation of evidence to be used in a party's interest, or any other commission of fraud within the context of judicial proceedings leading to confusion in court that results in a judicial decision that is contrary to the economic interests of the other party to the proceedings or any third party (Article 250(1)(7) of the Criminal Code). Natural persons convicted of this criminal offence will be sanctioned with imprisonment for one to six years and with a fine ranging from €360 to €144,000. For legal persons, the sanction consists of a fine determined with regard to the economic amount subject to this fraud (which will be multiplied three to five times, depending on the circumstances of the specific offence).

Nevertheless, Spanish case law has clarified that 'mere concealment of information' is not criminal,12 even when the concealed information is 'relevant', as this omission cannot be equal to actually deliberately misleading the Court.13 Therefore, this criminal offence, as interpreted by the courts, does not result in a general obligation to preserve and disclose data.

It is also a criminal act to conceal, alter or disable the corpus delicti, the outcome of the offence or the instruments used to commit it, with the purpose of impeding the discovery of the criminal offence (Article 451(2)). According to Spanish case law, these concealing actions are sanctioned when carried out (1) knowing (and not only suspecting or assuming) the existence of the offence that is sought to be concealed; (2) by someone who has not been involved in the commission of the concealed offence; and (3) provided that the action of concealing is performed after the perpetration of the concealed offence.14 The sentence of imprisonment to be imposed in these cases ranges from six months to three years.

Finally, the Criminal Code also punishes disobedience toward authorities (Article 556), provided that:

  1. the order challenged is final, direct and explicit, and imposes on the individual an obligation to perform (or refrain from performing) a specific action;
  2. the compelled individual actually knows the content of the order;
  3. the individual voluntarily disregards the order; and
  4. the act of disobedience is particularly serious.

However, case law does not require that the authority should previously warn the individual about the potential criminal consequences of his or her actions, although it is common practice to give notice to the concerned individual. For disobeying the authorities, the Criminal Code establishes a penalty of imprisonment for three months to one year or, alternatively, a fine ranging from €360 to €216,000.

Therefore, failure to comply with a judicial order to disclose specific data could, theoretically, be sanctioned as an act of disobedience (assuming that the aforementioned legal requirements are met in the specific case). In fact, court orders reiterating a prior judicial order (e.g., a request to disclose specific documentation) frequently warn the corresponding party of their potential criminal liability for the commission of the act of disobedience if they fail to comply with the order.

This criminal offence is rare in practice. Nevertheless, there are some precedents in case law that should be taken into consideration as they specifically refer to disobedience in connection with a court's order for documentation. For instance, the Criminal Section of the Supreme Court confirmed the conviction of a company's director and shareholder for an act of disobedience consisting of failure to disclose the company's accounting files.15 In its ruling, the Court concluded that the refusal to disclose information or provide documentation ordered by a judge in civil proceedings does not exclude the application of Article 556 of the Criminal Code, regardless of the additional civil consequences that might result from this unlawful behaviour.

These criminal sanctions are in addition to the potential liabilities regarding administrative authorities for the infringement of the applicable obligations to preserve or disclose specific data established in the sectoral regulation referred to in this section.

Privacy regulations should also be taken into account before disclosing documents that may contain personal data, particularly the minimisation and proportionality principles, which require that this data should only be disclosed when it is deemed necessary – with special consideration if sensitive data is involved (e.g., health-related information) – and to assess whether the information can be disclosed anonymously.

V REVIEW AND PRODUCTION

As explained in Section I, broad requests for information are rare in Spanish proceedings; thus, the use of advanced technologies for gathering, controlling and reviewing data has not been as necessary in practice as it is in other countries. However, there have been several examples of this type of request in recent years.

Courts have started to prepare more extensive information requests, especially in the context of competition proceedings and in corporate criminal litigation, where companies are commonly expected to provide much more information than natural persons. In addition to this evolving approach, internal investigations – alien to the legal system until only very recently (and still unregulated) – are gaining importance in the field of criminal enforcement, leading to extensive data review activities, which are characteristic of these investigations. New technology has also played an important role in this change. Electronic storage of information implies that massive amounts of data are now seized during dawn raids and added to the criminal file for analysis by the court and the parties to the proceedings. In response, the practice of digital forensics, which makes it possible to process enormous amounts of data, has slowly developed in Spain over the past decade and is being used more frequently.

Experience shows that when dealing with these kinds of situations, lawyers tend to involve a forensics company to ensure proper preservation and review of the data. However, law firms are still in charge of directing the investigation and making the strategic decisions, and the intervention of an attorney remains necessary for the investigation to be subject to legal privilege. These forensics companies have implemented some of the international techniques for the analysis of information (e.g., software tools to carry out key-word searches and corporate intelligence resources). However, use of predictive coding and email threads is not yet widespread.

The experience has been similar with regard to legal privilege. The limited content of judicial requests for information (together with the fact that internal investigations have not played an important role thus far) has traditionally implied that legal privilege is not as frequently challenged in Spain as in other countries. Therefore, discussions about the exact scope of this privilege have not been common, so its limits are not as defined as in other jurisdictions. However, this is likely to change now that the scope of judicial demands has expanded and internal investigations are gaining more importance.

Notwithstanding these potential future changes, the current situation regarding legal privilege is as follows: the right to claim privilege is acknowledged by Article 5 of the Code of Conduct for Spanish Lawyers, together with Article 32.1 of the Lawyers' General Statute and Article 524.3 of the Basic Law on the Judiciary. The scope of this privilege extends to:

  1. all facts known by a lawyer from a client as a result of his or her involvement in providing legal advice (Article 5.1);
  2. any confidential information or proposal received by the lawyer from the client, counterparties in the case and other professional colleagues, as well as any data or document received by the lawyer as a result of his or her professional activity (Article 5.2); and
  3. any communication exchanged between the lawyer and his or her client, or with the counterparties or their lawyers, which, in addition, cannot be recorded unless previously consented to by all participants (Article 5.4).

The law does not expressly refer to the work-product doctrine, although it is generally accepted that the protection of legal privilege also extends to these documents, which involve the relaying of facts by the client and legal advice on the matter.

With regard to the exceptions to legal privilege, there are some particularities affecting in-house lawyers, lawyers advising on transactions that are subject to Law 10/2010 and tax advisers.

The extension of legal privilege to in-house lawyers remains a matter of debate as Spanish legislation and European rulings are not entirely aligned. According to the Court of Justice,16 in-house lawyers and external lawyers have distinct situations given the hierarchical integration of the former within the company that employs him or her. As a result, the principle of equal treatment is not infringed by the fact that legal professional privilege is not acknowledged in relation to in-house attorneys. However, none of the Spanish regulations previously referred to makes a distinction between the two types of lawyers. On these grounds, the Administrative Section of the Supreme Court has stated that confidential documents exchanged between an in-house lawyer and his or her company are also subject to legal professional privilege pursuant to the same conditions applicable to external lawyers' communications.17 Notwithstanding this, the Supreme Court does limit legal professional privilege and considers that this has not been infringed when the documents or correspondence exchanged between the lawyer and the client that are disclosed do not affect the lawyer's right to defend the client (i.e., when the disclosure of this information has no impact on the client's exercise of his or her right to defence). In any case, in practice, the European Commission's approach to this matter is also taken into consideration by Spanish lawyers and Spanish case law is expected to develop in this field.

As regards exceptions to legal privilege foreseen by anti-money laundering regulations, Law 10/2010 includes attorneys as professionals subject to the anti-money laundering obligations whenever they participate in the design or performance of, or provide advice on behalf of a client in, the sale of real estate or commercial entities; the management of funds, stocks or other assets; the opening and management of bank accounts or stock accounts; the setting up, functioning or management of companies or trusts, or similar entities; or whenever they act on behalf of a client in any financial or real-estate transaction.18 However, Article 22 of the same Law excludes lawyers from the obligation to report and cooperate with the authorities regarding the information they receive from their clients for the determination of their legal situation once the transaction has been carried out, or for their defence in judicial proceedings. According to the guidelines set forth by the General Council of Spanish Lawyers, the lawyer's advice will be subject to legal privilege when it is provided after the suspicious transaction has been performed, but the advice will not be subject to legal privilege if it takes place before the execution of the transaction and for the purpose of carrying this out.

Finally, legal tax advisers may also face challenges in future years as the ongoing amendments to the General Tax Law could limit the legal professional privilege of these lawyers. The purpose of the amendment is to incorporate the content of Directive (EU) 2018/22 of 25 May, on mandatory automatic exchange of information in the field of taxation in relation to reportable cross-border arrangements into Spanish legislation. This Directive expressly criticises the apparent contribution of intermediaries and tax advisers to their clients' concealment of funds abroad and requests that EU Member States pass the necessary laws to ensure that intermediaries report any cross-border transactions to the competent tax authorities that are deemed reportable in accordance with applicable EU and national tax legislation. The question of legal privilege now relies on whether the amended Spanish legislation will include legal advisers among these 'intermediaries' and if, as a result, communications exchanged between them and their clients would no longer benefit from legal privilege and could be requested in the context of judicial proceedings that could be initiated in the context of an investigation of a cross-border transaction. As the amendment to the Spanish legislation remains in the initial stage (the proposal has not yet been published), it is far too soon to anticipate what the final wording of the General Tax Law will be, or its practical consequences.

VI PRIVACY ISSUES

The legal framework for the protection of personal data in Spain is regulated by the Lisbon Treaty, Article 18(4) of the Spanish Constitution, the GDPR and Spanish Basic Law 3/2018, of 5 December, on data protection and digital rights guarantees.

Neither the GDPR nor Basic Law 3/2018 contain specific provisions regarding e-discovery and information governance. Sector-specific regulations also do not contain any data protection provisions on these matters.

For the discovery process to take place lawfully, the processing of personal data must be legitimate and satisfy one of the grounds set out in Article 6 of the GDPR (and, if the information in question is sensitive personal data, a ground for processing under Article 9 of the GDPR must also exist).

Article 6.1(c) of the GDPR establishes that processing must be lawful if it is necessary for compliance with a legal obligation to which the controller is subject. However, non-EU laws are not considered, as such, a legal basis per se for data processing, in particular regarding transfers to foreign authorities and especially if they are public authorities. In this regard, the Spanish Data Protection Authority understood in its report 2011-0469 that US civil procedure law cannot be included within the concept of 'law' that legitimates data processing. This approach is consistent with Article 6.3 of the GDPR, which states that the basis for the processing referred to in point (c) of this Article must be laid down by the EU law or Member State law to which the controller is subject. Therefore, e-discovery and any enforcement requests based on these laws require a complex case-by-case analysis from a data protection standpoint.

In addition, personal data transfers to countries that do not ensure an equivalent level of protection are permitted only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available, unless a legal exception to Article 49 of the GDPR applies.

These derogations have been analysed in the Guidelines on Article 49 of Regulation 2016/679 adopted by the European Data Protection Board. According to this joint position, Article 49(1)(e) (which states that the transfer could be deemed legitimate to the extent that it is necessary for the establishment, exercise or defence of legal claims) may cover a range of activities; for example, in the context of a criminal or administrative investigation in a third country (e.g., antitrust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of an individual defending himself or herself, or for obtaining a reduction or waiver of a fine legally foreseen (e.g., in antitrust investigations). Data transfers for the purpose of formal pretrial discovery procedures in civil litigation may also fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country (e.g., commencing litigation, seeking approval for a merger). Notwithstanding this, the derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.

In addition to the above, according to the data minimisation principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is disclosed. For that reason, the Spanish Data Protection Authority encourages – when feasible – the anonymisation of information (or pseudonymisation, as the case may be).

Finally, the disclosure of personal data would require providing prior notice of the possibility of personal data being transferred to and processed by foreign authorities. If the recipients are established in non-equivalent countries, specific information on the existence of an international transfer must also be provided.

VII OUTLOOK AND CONCLUSIONS

Given the absence of an overarching process and regulation of discovery, the preservation and disclosure obligations applicable in a specific case vary significantly depending on the context in which the obligations are raised. Thus, determining the applicable obligations requires a case-by-case assessment that must take into consideration factors such as the business activity of the corresponding legal or natural person from whom the information is being sought.

In general, the consequences of failing to comply with these preservation and disclosure obligations also vary significantly depending on the circumstances of the infringement.

In addition to a lack of uniformity, discovery is a developing field in Spain that has evolved rapidly in recent years. A new legal framework and practice (especially regarding digital forensics) can be expected in coming years.


Footnotes

1 Enrique Rodríguez Celada is a counsel, Sara Sanz Castillo is a senior associate and Reyes Bermejo Bosch is a managing associate at Uría Menéndez Abogados, SLP.

2 Pursuant to Article 261(5) of the Spanish Civil Procedural Law, dawn raids can also be carried out in civil proceedings, at the pretrial stage, in the event that a prior request of data was disregarded and that the requested information was necessary (1) to obtain a medical file, (2) to determine the members of a group of consumers or users affected by a certain product, or (3) in the context of civil proceedings resulting from the infringement of industrial or intellectual rights to the extent set out by Article 250(1)(7) of the Spanish Civil Procedural Law.

3 Regulation (EU) No. 596/2014.

4 Law 4/2015 of 23 October.

5 Defined by Article 11.1 of the Market Abuse Regulation as 'the communication of information, prior to the announcement of a transaction, in order to gauge the interest of potential investors in a possible transaction and the conditions relating to it such as its potential size or pricing, to one or more potential investors'.

6 Defined by Article 18.1(a) of the Market Abuse Regulation as 'list of all persons who have access to inside information and who are working for them under a contract of employment, or otherwise performing tasks through which they have access to inside information, such as advisers, accountants or credit rating agencies'.

7 Regulation (EU) 2016/679 of the European Parliament and the Council of 27 April 2016. Article 4.1 of the GDPR states that personal data is 'any information relating to an identified or identifiable natural person ('data subject'); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person'.

8 This regulation amended the Civil Procedural Law pursuant to, among others, Directive 2014/104/EU of the European Parliament and of the Council of 26 November 2014 on certain rules governing actions for damages under national law for infringements of the competition law provisions of the Member States and of the European Union.

9 As opposed to other jurisdictions, in Spain, the payment of damages resulting from a criminal offence (i.e., civil liability) can be decided within criminal proceedings, together with the criminal liability deriving from the offence. It is the plaintiff's right to choose whether to proceed with the criminal case and civil action at the same time (in a single criminal trial) or not (thus, initiating first the criminal proceedings and, once these are terminated, the civil action before a civil court). The role of strictly civil respondents in criminal proceedings was historically held by legal entities, as criminal liability of corporations was not recognised in Spain until 23 December 2010. Up to that date, in criminal proceedings, legal entities could only be held civilly liable for offences perpetrated by their directors or employees; they could not be subject to criminal conviction.

10 According to Spanish law, a court can also order in a same writ a request of documents and a dawn raid and seizure of these documents to be carried out in the event that this data was not provided voluntarily at the court's request.

11 The amendment was carried out by Basic Law 13/2015 of 5 October, and has been in force since 6 December 2015.

12 Ruling 366/2012, of 3 May, of the Criminal Section of the Supreme Court.

13 Ruling 1899/2002, of 18 November, of the Criminal Section of the Supreme Court.

14 Ruling 178/2006, of 16 February, of the Criminal Section of the Supreme Court.

15 Ruling 136/20, of 18 February.

16 Ruling in Case C-550/07 P, Akcros Chemicals Ltd v. the European Commission.

17 Ruling 337/2018, of 12 February.

18 Article 2.1(n), Law 10/2010.