The State of Communication and Privacy Law in Spain (2020)

  1. Is there a data protection law?
    yes iconyes

    Spain is subject to the EU’s Data Protection Reform package. This package contains the General Data Protection Regulation 2016/679, and Police Directive 2016/680 on the processing of personal data for authorities responsible for preventing, investigating, detecting, and prosecuting crimes. In 2018, Spain adopted its new data protection law, Organic Law 3/2018 based upon the GDPR. However, as Spain has not implemented the Police Directive yet, part of the repealed law remains in force with regard to personal data processing for law enforcement activities.

    See more
  2. Is there a data protection authority?
    yes iconyes

    The Spanish Data Protection Agency was founded in 1994 and it is an independent body.

  3. Does the data protection law apply to law enforcement activities?

    Spain is subject to the EU’s Data Protection Reform package, which contains the GDPR and the Police Directive 2016/680 on the processing of personal data for authorities responsible for preventing, investigating, detecting, and prosecuting crimes. Spain has not implemented the Police Directive 2016/680 yet. Still, provisions regarding law enforcement activities within the country’s previous data protection law (Organic Law 15/1999) remain applicable to personal data processing in criminal investigation and prosecution.

    See more
  4. What are the criteria, if any, for the transfer of personal data to third countries under their data protection law?

    Spanish data protection law follows the GDPR. The GDPR primarily applies to controllers and processors located in the European Economic Area (EEA) with some exceptions. However, the GDPR restricts the transfer of personal data outside the EEA unless the third country guarantees an adequate level of personal data protection. Alternatively, a controller or processor may transfer personal data to a third country that does not comply with the adequacy requirements if the controller or processor provides appropriate safeguards.

    See more
  5. The Criminal Procedure Act (Ley de Enjuiciamiento Criminal) requires that the interception of communication be authorized by a judge (juez de instrucción), except in case of emergencies. A judge can request the interception either ex officio or following an initiative by the Judicial Police or public prosecutor.

    Interception of communication - Prior judicial order is required.

    Access to the contents of communications - Prior judicial order is required.

    Access to metadata - Prior judicial order is required.

    Access to subscriber data - Prior judicial order is required, except for specific cases authorized by law.

    Location data - Prior judicial order is required.

    See more
  6. What’s the factual basis to access communications data?

    The factual basis for accessing communications data in Spain includes:

    Content and Metadata: Article 588, bis a, 1, 2, 3, 4, 5 of the Criminal Procedure Act.

    Subscriber data: Article 588 bis, a, and Article 588, ter k, ter l, and ter m of the Criminal Procedure Act.

    For details on the above articles,

    See more
  7. For interception (content and data associated with the communication): Judicial Police or public prosecutors.

    For retained traffic data: Judicial Police or officials performing judicial police functions, and the National Intelligence Center.

    For details on the above authorities,

    See more
  8. Does the country have provisions about access to data in cases of emergency?
    yes iconyes

    In cases of emergency, the interception of communications can be ordered, in an exceptional manner, by the Minister of Home Affairs (_ministro del interio_r) and the Secretary of State for Homeland Security. Those emergency powers are authorized when the investigations are related to armed gangs or terrorist crimes, and there are likely reasons that make the planned measure essential.

    See more
  9. Is there any data retention mandate?
    yes iconyes

    The Mandatory Data Retention Act compels telecom operators to retain traffic data (who communicates with whom, for how long, from where). The obligation to retain data extends to unsuccessful calls, those that have been made successfully but without an answer, or when there has been an intervention by any of the operators involved in the call.

    See more
  10. Are there any rules that authorize the use of malware?

    A competent judge may authorize the use of identification data and codes, as well as the installation of software which allows, remotely via a telecommunications system, long-distance examination of the content of a computer, electronic device, information system, computer mass storage system, or database without the knowledge of its owner or user, as long as it is done in pursuit of the investigation of specific crimes stipulated by the Criminal Procedure Act.

    See more
  11. Is there any law that compels companies to provide direct access to their internal servers for law enforcement purposes?
    no

    We did not find any provision in the law that authorizes this kind of access in criminal investigations.

  12. Does the law compel companies to assist law enforcement agencies in their investigations?

    Spanish law mandates that a broad set of companies and persons provide investigating agents with the necessary assistance for carrying out interception orders (art. 588 ter e) and malware installation (art. 588 septies b). Likewise, those companies and persons are obliged to provide the necessary assistance so the collected data and information can be examined and understood.

    See more
  13. Does the State report on the number of requests to access communications data?
    no

    To the best of our knowledge, the Spanish State does not publish reports on the number of requests to access communications data.

  14. Is there any legal limitation that prohibits companies from publishing transparency reports?
    no

    To the best of our knowledge, no normative framework prohibits companies from publishing statistical data on the number of data requests made by the state in criminal or national security matters.

  15. Do telecommunication companies publish transparency reports?

    Telefónica-Movistar- YES

    Orange -Jazztel- Published its latest transparency report in 2018.

    Masmóvil- NO

    Ono Vodafone- Published its latest transparency report in 2016-2017.

    Telefónica-Movistar publishes yearly transparency reports. Orange released its latest transparency report in 2018 and its Spanish subsidiary, Jazztel, does not publish these reports. Masmóvil has not published any transparency reports. Ono Vodafone published its latest transparency report in 2016-2017.

    See more
  16. Can companies notify users about States’ data requests?

    Investigative measures (such as the interception of communication, malware, location tracking or access of communication data are secret by default. The obliged party carrying out the investigative measures must comply and is sworn to secrecy or risk committing a crime of disobedience.

    See more