Spain - Data Breach Guide

Spain

1.1 In the event of a data breach affecting residents of your country, is there any legal obligation or requirement to notify either: a) affected individuals or b) a regulator such as a data protection authority (DPA)?

Yes. According to Articles 33 and 34 of the GDPR, any data breach affecting the personal data of residents in Spain must be notified to the affected individuals and to the DPA.

Specific breach notification requirements apply to providers of public electronic communications services.

1.2 Under what conditions must such notification(s) be given, including: a) what types of data must be breached to trigger notification, b) whether the entity must be a data controller or data processor in your country for such obligations to apply?

Please refer to the chapter on the European Union.

1.3 For such notification(s), is there any required or suggested: a) content of the notice, b) time period in which notice must be given, or c) method of giving notice, such as regular mail, email, web-posting or publication?

As referred to in clause 1.1, notification to both the DPA and the affected individuals must be made pursuant to the provisions of Articles 33 and 34 of the GDPR.

In that respect, notification to the DPA must be made through an electronic form completed on the electronic platform of the Spanish DPA. This form shall include the following information: (a) the nature of the breach, describing the categories of affected data as well as the number of affected individuals; (b) the name and contact details of the data protection officer (or a similar contact person within the notifying entity); (c) a description of the potential consequences of the breach; and (d) a summary of the measures taken to manage the breach and of the actions adopted to minimize its impact. Notification to the DPA must take place within the three-day term following the detection of the breach.

Notification to the affected individuals shall take place as quickly as possible, and shall include the information listed in points (b) to (d) of the previous paragraph. This notification will not be required where: (i) the data affected by the breach have been made unreadable to any third party; (ii) measures have been taken to ensure that the risks deriving from the breach have been neutralized; and (iii) carrying it out would demand a disproportionate effort, in which case a public communication (e.g. an announcement on the website of the affected entity) should suffice.

1.4 What are the penalties, fines or risks in failing to notify, either by the DPA or in litigation?

Under Article 73(r) of the Spanish Data Protection Law, failure to notify the DPA of a security breach is considered a severe breach. Similarly, Article 73(h) of the said law defines failure to notify any such situation to the affected individuals as a severe breach as well, if the affected entity had been required to do so by the DPA. Where no such requirement existed, pursuant to Article 74(ñ) of the Spanish Data Protection Law, failure to notify the affected individuals is deemed a non-severe breach. The corresponding sanctions will be imposed pursuant to the criteria defined in Article 83 of the GDPR. To this end, please refer to the chapter on the European Union.

1.5 Even if there is no current legal obligation to do so, or if there is no data controller or data processor in your country, is notification to individuals recommended in the event of a data breach of residents in your country (such as in credit card data breaches)?

As indicated in the previous responses, notification to the DPA and to the affected individuals is mandatory in Spain.

1.6 What are the applicable data protection laws or guidelines within your country?

The main national data protection law is Organic Law 3/2018, of December 5, on the Protection of Personal Data and Digital Rights.

1.7 Contact information for Data Protection Authority

Name: Spanish Data Protection Authority (Agencia Española de Protección de Datos)
Address: C/ Jorge Juan 6, 28001 Madrid, Spain
Telephone: +34 90 1100 099
Fax: +34 91 2663 517
Email: See website
Website: www.agpd.es

For more information, contact:

Name: Albert Agustinoy
Firm: Cuatrecasas
Address: Avenida Diagonal 191, 08018 Barcelona (Spain)
Telephone: +34 93 2905 585
Fax: +34 93 2905 569
Email: albert.agustinoy@cuatrecasas.com
Website: www.cuatrecasas.com