The Spanish Data Protection Agency (SDPA) has issued a legal report examining different data processing issues raised by the Spanish Banking Association which assess the lawfulness under GDPR of different data processing activities carried out by such banks. In particular, the SDPA report analyzes data processing for "marketing, advertising and commercial communications purposes in line with the development of the business carried out by an entity of its own products and/or services" and differentiates between electronic and other communication channels: Commercial communications that are distributed via electronic channels, are subject to the GDPR as well as the Spanish Electronic Commerce Information Society Services Act. This Act contains an obligation to obtain the express consent of data subjects when carrying out marketing and advertising actions, unless such actions relate to "products or services of their own company that are similar to those originally contracted with the client." Commercial communications that are distributed via non-electronic channels are subject to the GDPR only. In order for them to fall under the legitimate interest processing ground, they must meet the following requirements: (i) the affected data subjects must remain customers of the company (ii) the products or services offered must be considered "similar" to those contracted by the customers. The application of legitimate interest to non-electronic distribution is a significant development of Spanish law (as before the legitimate interest test did not apply to these types of data). For more information, please contact Raul Rubio, Patricia Perez, Ignacio Vela, Alvaro Ubeda, Marta De Pablos, Cristina Monereo or Carmen Salazar.