Privireal Home Page Privacy in Research, Ethics and Law
"examining the implementation of the Data Protection Directive 95/46/EC
in relation to medical research and the role of ethics committees"

Spain - Data Protection

History of Data Protection in SPAIN

Data protection is constitutionally enshrined in Spain. Article 18.4 of the Constitution states that 'the law shall restrict the use of informatics in order to protect the honour and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights'.

This provision was further developed by Organic Law 5/1992 on the Regulation of the Automatic Processing of Personal Data. The Spanish Data Protection Agency was formally created by Royal Decree 428/1993 of 26 March.

Law 5/1992 was subsequently amended by Organic Law 15/1999 on the Protection of Personal Data. Organic Law 15/1999 implemented Directive 95/46/EC into Spanish law.

Summary of Data Protection in SPAIN

Title of Data Protection Legislation Organic law 15/99 of 13 December 1999 on the Protection of Personal Data - Unofficial translation
Name of supervisory authority Spanish Data Protection Authority
General Powers of supervisory authority
  • Article 37 of the Organic Law sets out the functions of the Data Protection Authority: "The functions of the Data Protection Agency are as follows:
  • a) To ensure compliance with the legislation on data protection and ensure its application, in particular as regards the rights of information, access, rectification, objection and cancellation of data.
    b) To issue the authorisations provided for in the Law or in its regulatory provisions.
    c) To issue, where applicable, and without prejudice to the remits of other bodies, the instructions needed to bring processing operations into line with the principles of thisLaw.
    d) To consider the applications and complaints from the data subjects.
    e) To provide information to persons on their rights as regards the processing of personal data.
    f) To require controllers and processors, after having heard them, to take the measures necessary to bring the processing operations into line with this Law and, where applicable, to order the cessation of the processing operation when the cancellation of the files, when the operation does not comply with the provisions of the Law.
    g) To impose the penalties set out in Title VI of this Law.
    h) To provide regular information on the draft general provisions set out in this Law.
    i) To obtain from the data controllers any assistance and information it deems necessary for the exercise of its functions.
    j) To make known the existence of files of personal data, to which end it shall regularly publish a list of such files with any additional information the Director of the Agency deems necessary.
    k) To draw up an annual report and submit it to the Ministry of Justice.
    l) To monitor and adopt authorisations for international movements of data, and to exercise the functions involved in international cooperation on the protection of personaldata.
    m) To ensure compliance with the provisions laid down by the Law on Public Statistics with regard to the collection of statistical data and statistical secrecy, to issue preciseinstructions, to give opinions on the security conditions of the files set up for purely statistical purposes, and to exercise the powers referred to in Article 46.
    n) Any other functions assigned to it by law or regulation."
  • Article 40 sets out the Authority's powers of inspection.
  • Who has standing to notify the supervisory authority of breaches? The data subject
    What are the penalties for data controllers if they breach the law? Article 45 of the Organic Law sets out the fines that can be levied on data controllers who breach the law. There is no mention of imprisonment in the Organic law, although the Spanish Criminal Code 1995 Articles 197-9 imprisonment is mentioned.
    Have any provisions been made for the processing of a national identification number or a general identifier, as per Article 8(7)? There are no provisions in the Spanish data protection law. The national identification number is regulated in the Decree of 12 August 1982 (see Article 4).
    Is it necessary to obtain consent before processing personal data, or are alternatives available even when obtaining consent would not be impracticable or inappropriate? It is probably necessary to get consent when is not impracticable or inappropriate.
    Does the Data Protection Legislation cover the deceased? No
    Who is able to indirectly identify the data subject? Anybody.

    Laws and Regulations

    Institutions