I OVERVIEW

Data protection and privacy are distinct rights under Spanish law, but both are deemed fundamental rights derived from respect for the dignity of human beings. They are primarily based on the free choice of individuals to decide whether to share with others (public authorities included) information that relates to them (personal data) or that belongs to their private and family life, home and communications (privacy). Both fundamental rights are recognised in the Lisbon Treaty (the Charter of Fundamental Rights of the European Union) and the Spanish Constitution of 1978. Data protection rules address, inter alia, security principles and concrete measures that are helpful to address some cybersecurity issues, in particular, because specific cybersecurity legislation (which not only covers personal data and private information but rather any information) is new and not sufficiently developed yet.

Spain has an omnibus data protection framework law along the lines of the EU approach, and applies it both to the private and public sectors. However, some personal data or some processing activities may require specific protection such as certain financial, e-communications or health-related data or processing activities. There are several codes of conduct for data protection that have been approved in different sectors but, in general terms, they merely adjust the general obligations to the specific needs of the relevant sector or organisation.

The rights to data protection and privacy are not absolute and, where applicable, must be balanced with other fundamental rights or freedoms (e.g., freedom of information or expression) as well as other legitimate interests (e.g., intellectual property rights, public security and prosecution of crimes).

In the case of data protection, this balance must be assessed by the organisation and could be challenged before the Spanish Data Protection Authority (DPA), which is in charge of supervising the application of the regulations on data protection (see Section III.i). Privacy infringements must be claimed before the (civil or criminal) courts.

The DPA was created in 1993, and has been particularly active in its role of educating organisations and the general public on the value of data protection and of imposing significant sanctions. In 2016 alone, the DPA received 10,523 claims from individuals and authorities, and issued and published 654 sanctioning resolutions. These sanctions are published on its website, which is used by the media, among others, as an important source of data protection information.

II THE YEAR IN REVIEW

The publication of the first draft of the new Data Protection Law implementing Regulation (EU) 2016/679 (the General Data Protection Regulation, or GDPR) has been the most relevant milestone on data protection in recent months. The draft is nevertheless expected to change and will not receive final approval before May 2018 at the earliest. Regarding the implementation of the Security of Network and Information Systems Directive (the NIS Directive), the Spanish government has just announced that a draft royal decree is being prepared, although its content is not yet publicly available (see Section IX).

Finally, as a consequence of the Google Spain v. Costeja (Google Spain) case in 2014 before the Court of Justice of the European Union (CJEU) (regarding the ‘right to be forgotten’), the DPA has continued to initiate certain proceedings on this matter; several judicial rulings of relevance on a national level (mainly from the Spanish Supreme Court) have been issued in Spain modulating the concept of ‘establishment’ and the rules regarding jurisdiction and applicable law set out by the CJEU in Google Spain (see Section VII.ii).

iii REGULATORY FRAMEWORK

i Privacy and data protection legislation and standards

The legal framework for the protection of personal data in Spain is regulated by the Lisbon Treaty; Article 18(4) of the Spanish Constitution; and Law 15/1999 of 13 December on the Protection of Personal Data (the DP Law), as developed by Royal Decree 1720/2007 of 21 December (RD 1720/2007) (together, the DP Regulations). As a consequence of the GDPR’s approval, the DP Regulations are currently subject to review. The first draft of the new DP Law was published in July 2017; however, the regulatory process remains at a very preliminary stage. Its final approval would ideally occur in May 2018, although the director of the DPA has recently acknowledged that the deadline is tight.

Sector-specific regulations may also contain data protection provisions, such as the E-Commerce Law 34/2002 (LISS), the General Telecommunications Law 9/2014 (GTL), anti-money laundering legislation and the regulations on biomedical research.

Privacy rights are mainly regulated by Law 1/1982 of 5 May on civil protection of the rights to honour, personal and family privacy, and an individual’s own image, and by the Spanish Criminal Code.

Personal data and private data are not synonymous. Personal data are any kind of information (alphanumeric, graphic, photographic, acoustic, etc.) concerning an identified or identifiable natural person, irrespective of whether or not this information is private. However, data regarding ideology, trade union membership, religion, beliefs, racial origin, health or sex life as well as criminal and administrative offences are deemed more sensitive and require specific protection.

Protecting personal data is achieved by allocating specific duties to both ‘controllers’ (i.e., those who decide on the data processing purposes and means) and ‘processors’ (i.e., those who process the data only on behalf of a controller to render a service).

The DPA is the entity in charge of supervising compliance with the data protection duties imposed by the DP Regulations (fair information, legitimate ground, security, notification, proportionality and quality, etc.).2 The DPA has carried out ex officio audits of specific sectors (including online recruitment procedures, TV games and contests, hotels, department stores, distance banking, hospitals, schools, webcams and mobile apps). However, the DPA’s activity in terms of individual compliance investigations has significantly increased over the past 10 years, as has the number of fines imposed. Indeed, failure to comply with the DP Regulations may result in the imposition of administrative fines ranging from €900 to €600,000 per infringement depending on the gravity of the offence (and regardless of whether civil or criminal offences are also committed, if applicable). Neither harm nor injury is required (i.e., the infringement itself suffices for the offender to be deemed liable), but the lack of any harm or injury is considered an attenuating circumstance to grade the amount of the administrative fine. However, harm or injury will be required to claim damages arising from breaches of data protection rights before civil and criminal courts.

ii General obligations for data handlers

Data controllers (irrespective of whether or not they handle the personal data) and data processors must comply with specific obligations set out in the DP Regulations.

Obligations of data controllers
  • a Any personal data file should be registered (as well as any modifications to it) with the DPA;
  • b data subjects from whom personal data are requested must be provided beforehand with information about the processing of their personal data;
  • c as a general rule, controllers must obtain the prior consent of the data subject to any processing activity – including (intra-group) transfers. Furthermore, explicit consent is required for certain processing activities involving ‘sensitive’ data (such as health-related data) or consisting of direct marketing;
  • d there are few exemptions to the need to obtain the data subject’s prior consent, such as when the processing of the personal data is unavoidable to perform a contract that the data subject has executed with the data controller; or when the data controller engages a third-party services provider that, to perform its services, needs to access or otherwise process personal data held by the data controller, in which case a written agreement with a minimum legally prescribed content (a processing agreement) must be executed. The legitimate interest of the controller or a third party is not expressly recognised by the DP Law as a legitimate ground for the processing of personal data but, according to the judgment in Case C-468/2010, the CJEU has set out the direct applicability in Spain of Article 7(j) of EU Directive 95/46/EC, allowing the processing of that data subject’s personal data as is necessary to pursue a legitimate interest of the data controller or of the third party or parties to whom those data are disclosed;
  • e when the recipient is not located in the EU or EEA (or in a country whose regulations afford an equivalent or adequate level of protection identified by the European Commission or the DPA), the prior authorisation of the DPA must be obtained, unless a legal exemption applies;
  • f controllers should adopt specific security measures; and
  • g data subjects have a right to access all data relating to them, and to rectify and cancel data the processing of which does not comply with the data protection principles, in particular, when data are incomplete or inaccurate or excessive in relation to the legitimate purpose of its processing. Data subjects are also entitled to object to certain processing activities that do not require their consent or are made for direct marketing purposes.
Obligations of data processors

Data processors must:

  • a execute the above-mentioned processing agreement with the relevant data controller;
  • b implement the above-mentioned security measures;
  • c process data only to provide the agreed services to the controller and in accordance with its instructions;
  • d keep the data confidential and not disclose it to third parties (subcontracting is not prohibited but is subject to specific restrictions), even for storage; and
  • e upon termination of the services, return or destroy the data, at the controller’s discretion.

The GDPR has added certain mandatory content for a processing agreement to be valid (see Article 28.3 of the GDPR). Although the duties of the GDPR will not become mandatory until May 2018, the DPA has publicly encouraged data controllers subject to Spanish law to start implementing the GDPR rules regarding processing agreements before 2018.

iii Specific regulatory areas

The DP Regulations apply to any personal data, but they provide for reinforced protection of data related to children (the verifiable consent of the minor’s parents is required) and health-related data (express consent and specific security measures are required as a general rule). Specific rules also apply to the information processed by solvency and credit files, and to the processing of data for video surveillance or access control purposes.

In addition, certain information is also protected by sector-specific regulations. This is the case for, inter alia:

  • a financial information that is subject to banking secrecy rules (Law 10/2014 of 26 June 2014 on the regulation, supervision and solvency of credit institutions);
  • b the use (for purposes other than billing) and retention of traffic and location data (GTL);
  • c the sources of information and intra-group disclosures to comply with regulations concerning anti-money laundering and combating the financing of terrorism, and restrictions on the transparency principle in relation to data subjects (Law 10/2010 of 28 April on the prevention of money-laundering and financing of terrorism);
  • d the use of genetic data or information contained in biological samples (Law 14/2007 of 3 July on biomedical research);
  • e information used for direct-marketing purposes (LISS);

f the outsourcing of core financial services to third parties (Royal Decree 84/2015 of 13 February developing Law 10/2014, and Bank of Spain Circular 2/2016 on the supervision and solvency of credit institutions, which adapts the Spanish legal regime to EU Directive 2013/36/EU and EU Regulation 575/2012); and

  • g the use of video-surveillance cameras in public places (Law 4/1997 of 4 August governing the use of video recording in public places by state security forces).
iv Technological innovation

Technology has created specific issues in the privacy field, including:

  • a Online tracking and behavioural advertising: as a general rule, explicit prior consent is required. The DPA has permitted the application of a legitimate-interest justification to (offline) advertising activities – as provided in the GDPR; however, the DPA does not consider that online behavioural advertising or profiling activities can be based on the existence of a legitimate interest.
  • b Location tracking: in the past few months, the DPA has issued several resolutions and opinions regarding the use of geolocation tools. In those resolutions, the DPA considers that the use of this technology in work environments may be reasonable and proportionate, but only subject to certain circumstances (mainly, that specific information has been provided to data subjects on its use and purposes).
  • c Use of cookies: as a general rule, explicit prior consent is required for installing cookies or similar devices on terminal equipment. In 2017, the DPA initiated 62 investigations and issued nine sanctioning resolutions regarding cookies (there are numerous resolutions issuing warnings but not imposing economic sanctions).
  • d Biometrics: traditionally, the processing of biometric data has not been considered ‘sensitive’ and, therefore, the DPA has made no specific requirements in this area. The implementation of the GDPR in Spain implies a change in the concept of biometrics and we are currently awaiting the DPA’s guidelines in this regard.
  • e Big-data analytics: in April 2017, the DPA published guidelines on big-data projects. The guidelines were drafted on the basis of the GDPR’s requirements.
  • f Anonymisation, de-identification and pseudonymisation: the DPA has been working on adopting an official position regarding the use of ‘anonymous’ data and open data in big-data projects. As a result, the DPA published guidelines at the end of 2016 on the protection of personal data related to the reuse of public-sector information and guidelines on anonymisation techniques.
  • g Internet of things and artificial intelligence: the DPA has not adopted an official position regarding the internet of things and artificial intelligence.
  • h Data portability: the DPA recently published a legal report on, among other issues, the data portability right. The DPA admits that the portability right includes not only data subjects’ current data, but also their former data (either provided by them or inferred from the contractual relationship); however, the information obtained from the application of profiling techniques (e.g., algorithms) would not be subject to portability. Although the DPA’s legal reports are not binding, they are highly useful since they reflect the DPA’s doctrinal tendency.
  • i Right of erasure or right to be forgotten: the right to be forgotten in relation to search engines is actively pursued both by Spanish data subjects and the DPA. Notably, Google Spain,3 in which the CJEU’s ruling recognised the right to be forgotten, was initiated in Spain and the Spanish DPA had a significant role in the case. There are several DPA resolutions issued every year recognising the right of Spanish individuals to be forgotten and also setting out certain exceptions to the applicability of the right.
  • j Data-ownership issues: to date, there is no Spanish legislation that specifically regulates the question of ownership of data. Notwithstanding this, several regulations exist that may have an impact on data ownership including, among others, data protection legislation, copyright law (which regulates rights over databases) or even unfair competition rules.

iv INTERNATIONAL DATA TRANSFER AND DATA LOCALISATION

According to the DP Regulations, data transfers from Spain to (or access by) recipients located outside the EEA require the prior authorisation of the DPA, unless the recipient ensures an ‘adequate’ level of protection as recognised by the European Commission (or the DPA) or the transfer can be based on a statutory exemption.4 The draft of the new DP Law does not include the DPA’s authorisation as a mandatory requirement (the new DP Law would be aligned with the GDPR).

Irrespective of the authorisation requirement, all international data transfers outside the EEA must be notified to the DPA for registration.

The authorisation of the DPA will be granted if the data exporter (controller or processor) provides adequate safeguards, such as by executing the European Commission’s standard contractual clauses for data transfers or other clauses such as the standard contractual processor-to-processor clauses, approved by the DPA in 2012 to enable the subcontracting of non-EEA subcontractors by service providers established in Spain. In Spain, data transfer agreements must be previously authorised by the DPA, even if they are based on any of these clauses.

Spanish law also allows the DPA to grant authorisation based on binding corporate rules (BCRs) adopted within a group. Spain is a mutual recognition procedure (MRP) country; thus, the BCRs approved by the leading data protection authority of any MRP country must be recognised in Spain. The granting of the authorisation entails per se that the BCRs become legal obligations and, as such, may be enforced by the data subjects and the DPA. In any event, ‘authorised BCRs’ do not replace any obligation under the DP Regulations. To date, the DPA has authorised 16 BCRs related to the financial, insurance, consulting, pharma and technology sectors.

Turning to data localisation, there are no specific restrictions in Spain; however, along with the DP Regulations (which may impose restrictions on disclosing data to foreign government agencies and foreign courts, as explained in Section VI), there are specific laws imposing requirements that could be understood as ‘restrictive measures’, including, among others, tax regulations (Royal Decree 1619/2012 of 30 November on invoicing obligations), gambling regulations (Royal Decree 1613/2011) and specific public administration regulations (Law 9/1968 of 5 April on secrecy pertaining to official issues, Law 38/2003 of 17 November on subsidies and Law 19/2013 of 9 December on transparency and access to public information).

v COMPANY POLICIES AND PRACTICES

Privacy and security policies

Organisations that process personal data are not required to have ‘general’ privacy policies, but they are useful for compliance with the information duties regarding processing activities (see Section III.ii). In addition, employees must be informed of the applicable security rules, and organisations must create and keep up to date a security document and a record of incidents (see Section IX).

Privacy officers

A chief privacy officer is not mandatory, but in practice this role is indispensable so that the controller or the processor can comply with the DP Regulations, in particular when the organisation is complex or the data processed are sensitive or private. In addition, one of the factors that may mitigate the liability in terms of breach is to have accountable data protection programmes, which necessarily entails the existence of the chief privacy officer. In any event, organisations must appoint a person responsible for the security measures for specific processing activities (in particular, but without limitation, the processing of data related to the rendering of financial services or of sensitive data).

In May 2018, when the GDPR obligations enter into force, several Spanish data controllers shall be required to appoint a data protection officer according to Article 37 of the GDPR. Although the draft of the new DP Law remains at a very preliminary stage, it expands the number of cases in which the appointment of a data protection officer will be mandatory.

Privacy impact assessments

Privacy impact assessments are not mandatory under the DP Regulations. Therefore, Spanish data controllers will not be obliged to carry them out until May 2018. However, the DPA has been encouraging the adoption of privacy impact assessments in certain cases (e.g., big-data projects) since 2014. In particular, in 2014, the DPA published guidelines on privacy impact assessments. The DPA is currently working on a new version of these guidelines, which is intended to be published at the end of 2017.

Work councils

Any employee representative in the organisation is entitled to issue a non-binding report before the implementation of new methods of control of the work. Although it is unclear what qualifies as a ‘method of control’ of the work, it is advisable to inform the works council of the implementation of new methods (e.g., whistle-blowing systems) and offer their members the possibility of issuing the above-mentioned non-binding report before its implementation.

vi DISCOVERY AND DISCLOSURE

Non-EU laws are not considered a legal basis for data processing, in particular regarding transfers to foreign authorities and especially if they are public authorities. This current approach is consistent with Article 6.3 of the GDPR.

E-discovery and any enforcement requests based on these laws require a complex case-by-case analysis from a data protection, labour and criminal law point of view (and other sector-specific regulations, such as bank secrecy rules).

From a data protection point of view, under the current DP Regulations, the main issues to be assessed include the need to obtain DPA authorisation, the lack of proportionality of requests, and whether information or consent is required. Some of these requirements (e.g., DPA authorisation) are expected to change once the new DP Law is approved. From labour and criminal law perspectives, privacy (rather than data protection) must be guaranteed.

In this regard, the international principles drawn up by the Sedona Conference have proven useful, in particular because Spain has filed reservations under Article 23 of the 1970 Hague Convention on the Taking of Evidence Abroad in Civil or Commercial Matters that essentially prohibit all pretrial document discovery.5

vii PUBLIC AND PRIVATE ENFORCEMENT

i Enforcement agencies

The DPA is the independent authority responsible for the enforcement of the DP Regulations6 and the data protection provisions of the LISS and the GTL.

Among other powers and duties, the DPA has powers that include the issuing of (non-binding) legal reports, recommendations, instructions and contributions to draft rules; powers of investigation; and powers of intervention, such as ordering the blocking, erasing or destruction of unlawful personal data, imposing a temporary or definitive ban on processing, warning or admonishing the controller or processor, or imposing administrative fines (fines are only imposed on private sector entities). The DP Regulations establish three classifications of infringements (and their correlative administrative fines): minor, serious and very serious. The fines for minor infringements are between €900 and €40,000; for serious infringements they are between €40,001 and €300,000; and for very serious infringements, the fines are between €300,001 and €600,000.

Disciplinary procedures start ex officio, but generally stem from a complaint submitted by any person (e.g., the data subject, consumer associations, competitors or former employees). These procedures must be settled within six months, and no other party may intervene in the proceedings. If a data subject considers him or herself to have been harmed by the conduct, he or she may claim damages (if duly evidenced) before the civil courts. The alleged infringer is entitled to lodge an appeal against the resolution either before the DPA itself (within one month) and, if not successful, before the administrative courts (within two months), or directly before the administrative courts (within two months).

The DPA will decide the final administrative fine, taking into account the mitigating and aggravating factors described in the law. In very limited cases, the DPA may decide not to start any penalty proceedings but to warn the liable entity, setting a term within which the entity must adopt corrective measures and evidence their implementation.

The DPA is very active: in addition to ex officio inspections of specific sectors (always announced in advance), in 2016 (the most recent official statistics published by the DPA): 10,583 investigations were carried out (18.49 per cent less than in 2015); 654 sanctioning resolutions were issued (15.61 per cent less than in 2015); and the fines amounted to approximately €14.2 million (3.48 per cent more than in 2015). Most of the sanctions imposed on the private sector were for lack of consent and breach of the quality principle. The statistics show that the telecommunications, e-commerce and financial sectors are the top three sectors in terms of sanctions.

ii Recent enforcement cases

The following are the most significant enforcement issues to have arisen in Spain in the period 2016–2017.

The DPA has carried out numerous disciplinary proceedings related to the use of video-surveillance systems (170) and the disclosure of data to solvency and credit agencies (141). The DPA has also issued several resolutions assessing the application of the legitimate interest justification7 (e.g., in cases in which companies must comply with legal duties such as those related to the avoidance of conflicts of interest).

In addition, the number of proceedings carried out by the DPA against non-Spanish controllers has also increased. In fact, the DPA is participating in coordinated activities with other EU authorities to investigate companies that are based in the United States but carry out intensive processing activities in the EU.

Finally, the National Court recently handed down two judgments (dated 11 May 2017 and 19 June 2017) upholding the appeals lodged by Google Inc challenging specific DPA resolutions on the right to be forgotten; the judgments declared the DPA resolutions to be void. The first case related to specific negative comments regarding the professional performance of a doctor that were posted by a patient on a website; the second case assessed whether information related to the election of a politician in 2011 should or should not be removed. These represent the first judgments issued by the National Court regarding DPA resolutions issued against Google Inc in its role as a data controller.

iii Private litigation

Data subjects may claim damages arising from the breach of their data protection rights before the civil courts. Claims for civil damages usually involve pecuniary or moral damages, or both, linked to the violation of honour (such as the improper disclosure of private information) and privacy rights (such as the dissemination of private images). In general, indemnities granted to date have been exceptional and have not exceeded €3,000 (with limited exceptions such as one awarding €20,000).

There are no specific class actions for data protection matters. However, consumer class actions have been used by consumer organisations to request that specific data protection clauses be overturned on the basis that they breach the DP Regulations.

viii CONSIDERATIONS FOR FOREIGN ORGANISATIONS

The application of the DP Regulations for foreign organisations is triggered by either the existence of a data processor or processing equipment in Spain or, according to Google Spain, the existence of an establishment in Spain the activity of which is inextricably linked to that of the foreign organisation.

In addition, online tracking and marketing activities addressed to the Spanish market may trigger the application of the data protection provisions of the LISS as well as the consumer regulations (only if consumers resident in Spain are involved), irrespective of where the organisation is established.

The major compliance issues that foreign organisations face relate to transfers outside the EEA, the information and consent rules, and security measures. However, the future application of the GDPR in Spain should facilitate foreign organisations’ compliance with local data protection requirements.

ix CYBERSECURITY AND DATA BREACHES

The approval in July 2016 of the NIS Directive was the most significant cybersecurity milestone in recent years. It marks the first instance of EU-wide rules on cybersecurity. The NIS Directive has not yet been implemented into Spanish law, although the government recently announced that a draft royal decree is being prepared (the content of which is not publicly available). Until implementation occurs, the regulation of cybersecurity matters in Spain will remain diffuse and insufficient, particularly in light of the steady rise in cybersecurity attacks involving Spanish organisations and infrastructure, such as the WannaCry and Petya cyberattacks. Furthermore, as a consequence of these recent attacks, the number of cybersecurity certifications has also increased. However, there has yet to emerge a clear market leader.

The DPA has also been highly active in relation to cybersecurity matters. Following the above-mentioned global attacks, the DPA published a post regarding ransomware attacks and how to guard against them. Among other recommendations, the DPA made the following key points: (1) companies should have a complex security plan for the protection of their networks (including a training plan for staff and the continuous updating of all software programs used by the company – especially those used for anti-virus purposes); (2) they should have an action plan for how to react in the event of an attack; and (3) they should have a remedial plan to be implemented once the attack is contained.

As to criminal law, the Spanish Criminal Code was amended in 2010 to implement the Convention on Cybercrime and Council Framework Decision 2005/222/JHA on attacks against information systems. Specifically, this entailed the introduction of two new criminal offences:

  • a the discovery and disclosure of secrets – namely, the unauthorised access to data or applications contained in an IT system – by any means and infringing implemented security measures; and
  • b the intentional deletion, damage, deterioration, alteration or suppression of data, applications and electronic documents of third parties rendering them unavailable, as well as the intentional serious hindering or interruption of the functioning of an information system.

Other criminal offences that could be related to cybercrime were also modified (computer fraud, sexual offences, technological theft, and offences against intellectual and industrial property). The Criminal Code was amended again in March 2015. Specifically, aligned with European regulations on computer-related offences, the following new criminal offences are regulated: (1) intercepting data from information systems for the discovery and disclosure of secrets; and (2) creating computer programs or equipment for the purposes of discovering and disclosing secrets or committing damage to IT systems. Finally, legal entities can be held criminally liable for the above-mentioned offences.

Without prejudice to the above, there are no cybersecurity laws and requirements applicable to organisations ‘generally’, but rather a certain number of rules that address specific cybersecurity issues:

In 2012, the security breach notification regime was introduced in Spain through the GTL in line with Directive 2009/136/EC: the providers of public communications networks or publicly available electronic communications services must notify any security breaches, when personal data are involved, to both the data subjects and the DPA. In March 2014, the DPA approved an online system to notify security breaches. The requirements of the notification itself are those established in EU Regulation 611/2013. Since the notification of data breaches is not mandatory in general (except for the above-mentioned service providers), most of them remain unknown to the DPA and the public. One of those made public was the security breach suffered by BuyVip (which belongs to the Amazon group) in 2011, which involved the names, dates of birth, email addresses, phone numbers and shipping addresses of its customers. Although BuyVip was not subject to a notification duty in Spain, it decided to inform all its users of the security breach, and the notice went viral on the internet. The DPA then initiated an ex officio investigation, but the sanction imposed on BuyVip, if any, was not made public.

The LISS was amended in 2014 to establish specific obligations on cybersecurity incidents applicable to information society services providers, domain names registries and registrars. These obligations are twofold:

  • a to collaborate with the relevant computer emergency response teams to respond to cybersecurity incidents affecting the internet network (to this end, the relevant information – including IP addresses – must be disclosed to them, but ‘respecting the secrecy of communications’); and
  • b to follow specific recommendations on the management of cybersecurity incidents, which will be developed through codes of conduct (these have not yet been developed).

Operators of critical infrastructure8 (entities responsible for investments in, or day-to-day operation of, a particular installation, network, system, physical or IT equipment designated as such by the National Centre for Critical Infrastructure Protection (CNPIC) under Law 8/2011) are subject to specific obligations, such as providing technological assistance to the Ministry of Home Affairs, facilitating inspections performed by the competent authorities, and creating the specific protection plan and the operator’s security plan.

Furthermore, these operators must appoint a security liaison officer and a security officer. The security liaison officer requires a legal authorisation (issued by the Ministry of Home Affairs), and his or her appointment must be communicated to this Ministry. The security officer does not need a legal authorisation, but his or her appointment must nevertheless be communicated to the relevant government delegation or the competent regional authority.

Royal Decree 3/2010 establishes the security measures to be implemented by Spanish public authorities to ensure the security of the systems, data, communications and e-services addressed to the public, and they could apply by analogy. These security measures are classified into three groups: the organisational framework, which is composed of the set of measures relating to the overall organisation of security; the operational framework, consisting of the measures to be taken to protect the operation of the system as a comprehensive set of components organised for one purpose; and protection measures, focused on the protection of specific assets according to their nature, and the required quality according to the level of security of the affected areas. Spanish law does not directly address restrictions to cybersecurity measures.

Although cybersecurity requirements do not specifically refer to personal data (but rather to any kind of information), the security measures of RD 1720/2007 apply when personal data are involved, which distinguishes between three levels of security measures depending on the nature of the data.

Among other security measures, an incidents register must be established. In addition, public and private organisations that process specific personal data must appoint a security officer to monitor compliance with the personal data security requirements. No specific legal rules apply to this appointment. The skills of this security officer and the resources and powers allocated to him or her within the organisation must be appropriate to ensure that the organisation complies with the legally prescribed security requirements.

In addition to the above-mentioned laws, certain authorities with specific cybersecurity responsibilities have issued guidance, such as:

  • a the guidelines published by the Spanish National Institute of Cybersecurity (INCIBE) in 2015 regarding, inter alia:

• how companies should manage information leaks;

• cybersecurity on e-commerce;

• security-related risk management for companies; and

• protocols and network security in industrial control systems infrastructures;

  • b the publication by INCIBE in 2016 of a consolidated code of cybersecurity rules in Spain;
  • c the National Cybersecurity Strategy issued by the presidency in 2013;
  • d the strategy series on cybersecurity issued by the Ministry of Defence; and
  • e the Supervisory Control and Data Acquisition Guidelines issued by the CNPIC in collaboration with the National Cryptological Centre (CNN) in 2010.

The agencies and bodies with competences on cybersecurity are numerous:

  • a the CCN, which is part of the National Intelligence Centre;
  • b the CCN Computer Emergency Response Team;
  • c the CNPIC;
  • d the Cybersecurity Coordinator’s Office (which is part of the CNPIC);
  • e the Secretary of State for Telecommunications and Information Society; and
  • f INCIBE (previously known as the National Institute of Communication Technologies), which is the public sector company in charge of developing cybersecurity.

x OUTLOOK

Data protection is constantly evolving. In the past, it has been neglected by both private and public organisations or deemed an unreasonable barrier for the development of the economy. However, this trend has definitively changed in the past five years.

This change is mostly due to the sanctions imposed by the DPA, the role of data in the development of the digital economy (the ‘new oil’), the active voice of users in the digital environment (developing new social interactions and not only acting as consumers) and the fact that the European Commission and the European Parliament have definitively embraced a strong ‘privacy mission’. Decisions of the CJEU (such as declaring the Data Retention Directive 2006/24/EC invalid, also declaring the Safe Harbor scheme invalid, and the application of the Spanish data protection law to Google Inc through a wide and economic construction of the concept of ‘establishment’) have also sent out a clear message on the importance of data protection rules in Europe.

The adoption in 2016 of the GDPR constituted a significant milestone in the construction of a new data protection environment. In Spain, the government is working hard to approve the new DP Law before the mandatory deadline (May 2018). Although the GDPR is actually fairly similar to the current DP Regulations, as construed by the CJEU and the Article 29 Working Party, Spanish organisations are particularly concerned about the new fines (the applicable criteria for which would be similar to those used in antitrust regulations – a percentage of annual worldwide turnover), the accountability principle, the general security breach notification and the mandatory implementation of a data protection officer. Additional requirements regarding information and consent duties set out in the GDPR will also be a challenge for Spanish data controllers.

1 Leticia López-Lapuente and Reyes Bermejo Bosch are lawyers at Uría Menéndez Abogados, SLP.

2 The data protection right is enforced by the DPA at a national level with limited exceptions. For example, Catalonia and the Basque Country are regions that have regional data protection authorities with competence limited to the processing of personal data by the regional public sector.

3 Case C-131/12.

4 The DPA’s prior authorisation is not required in the cases set out in Article 26 of EU Directive 95/46/EC.

5 Article 23 specifically states that contracting states may declare, ‘at the time of signature, ratification or accession’, that they will not execute letters of request issued to obtain pretrial discovery of documents.

6 See footnote 2.

7 The legitimate interest justification is not expressly recognised by the DP Law.

8 The following infrastructure areas have been considered ‘critical’ by Law 8/2011 (which transposes Directive 2008/114/EC into Spanish law): administration, water, food, energy, space, the chemical industry, the nuclear industry, research facilities, health, the financial and tax system, ICT and transport.