The Spanish Data Protection Agency's annual report for 2013 (hereinafter, the "Report"), has recently been published and is available in Spanish at:

The Report contains statistics on all proceedings carried out before the Spanish Data Protection Agency (hereinafter, the “SDPA”) last year, rulings of the National and Supreme Court, sanctions imposed, international data transfers that have been authorized and other highlighted matters. Please find below some of the key findings and figures:

SDPA's proceedings

Preliminary proceedings and sanctions/warnings

The majority of preliminary proceedings and sanctioning procedures ending in sanction or warning in 2013 relate to the telecommunications sector. This sector was the object of 2,256 preliminary proceedings[1] and 317 sanctions/warnings[2]. These figures represent 28.71% of the total preliminary proceedings and 38.56% of the total procedures ending in sanction or warning, respectively.

The second biggest offending sector in terms of preliminary proceedings and procedures ending in sanction or warning is the financial sector, with 1,566 preliminary proceedings and 62 sanctions/warnings[3]. These figures represent respectively 19.93% of the total preliminary proceedings and 7.54% of the total procedures ending in sanction or warning.

The third biggest offending sector is CCTV surveillance services, with 918 preliminary proceedings and 176 sanctions/warnings[4]. These figures represent 11.68% of the total preliminary proceedings and 21.41% of the total procedures ending in sanction or warning, respectively.

It should be highlighted that while massive sending electronic commercial communications activities (spamming) are placed the seventh in terms of number of preliminary proceedings (344 preliminary proceedings in 2013 which amount to 4.38% of the total procedures), they are placed the fourth in terms of procedures ending in sanction or warning (59 procedures which amount to 7.18% of the total).

Distribution of fines

Fines imposed in 2013 amounted to € 22,339,440 (this implies and increase of 6.10% compared to the total value of the fines imposed in 2012).

The telecommunications sector received fines for the highest amount (€ 15,035,008 which represent 67.30% of the total amount in fines), followed by companies providing and commercializing energy and water (€2,084,901 which represent 9.33% of the total), financial sector (€1,811,501 which represent 8.11% of the total), internet services (€1,276,403 which represent 5.71%) and finally by massive sending of electronic commercial communications –spamming- (€ 526,010 which represent 2.35% of the total).

Access, rectification, cancellation and opposition rights ("ARCO rights"), and "right to be forgotten"

The number of claims for lack of observance of the ARCO rights before the SDPA (“tutela de derechos”) has slightly decreased (-8.94%). In 2013 the majority of claims refer to the cancellation right, followed by the claims related to the right of access.

Data files registration

In 2013 the total number of data files registered before the SDPA amounted 3,375,059. Of such amount 3,228,777 files refer to private companies.

Judgments of the National and Supreme Courts

In 2013, the National Court (the body that reviews SDPA's resolutions in first instance) passed 274 judgements on appeals to SDPA's resolutions and the Supreme Court passed 12 resolutions (7 judgements and 5 orders) on appeals to the National Court's judgements confirming or nullifying SDPA's resolutions.

Regarding the judgments of the National Court, 53 resolved against the resolution of the SDPA nullifying it and 33 resolved against the resolution of the SDPA partially. However, the SDPA points out that out of the 33 appeals that were resolved partially in favour of the appellant, 9 implied only a decrease of the economic fine.

Regarding the judgments of the Supreme Court, it is necessary to point out that the number of appeals has declined sharply as a result of reforms introduced in 
administrative proceedings in 2013. Thus, judgments entered in 2013 are now only a third of those issued in 2012.

International transfers of personal data

The international data flows in a globalized world maintain their upward trend with a total of 170 authorizations from the Spanish Data Protection Agency in 2013. The most common destinations are still South America, USA and India.

The Report highlights increasing international data transfers bound for India, which has almost doubled in one year (42 versus 27) amounting to a total of 179.

The vast majority of international transfers (72%) aim to provide services by entities located in third countries (controller- processor transfers), indicating the growing importance of offshoring services in the current technological environment.

The need to provide flexible models for data transfer to third countries is highlighted in the report. As an evidence, data exporters are tending to provide safeguards that differ from the EU standard contractual clauses: 10 applications for authorization (9 completed and granted in 2012) were based on the guarantees provided by the Binding Corporate Rules (BCR's), and 7 applications covered by the standard contractual clauses drafted by the Spanish Data Protection Agency (SDPA) to cover processor to sub-processor transfers).


The report highlights the publication of the Guide on the use of Cookies (the “Guide”) in April. The Guide is the first document in Europe on this topic which has been jointly developed by the Data Protection Authority and the representatives of the industry. The Guide includes some important guidelines about the use of Cookies such as a description of the types of Cookies and their purposes, the role of the different entities that access to the information collected, SDPA's requirements in relation to the use of cookies, sanctions for infringements and consent requirements. The SDPA concludes that (i) a two layers system may be used to obtain consent, (ii) in order to consider that a valid consent is granted, users shall be informed on the type of cookies, their purposes and identity of third party providers.

The SPDA highlights also the publications of two guidelines on the use of cloud computing:Guide for clients using services of Cloud Computing and Guidelines for providers of Cloud Computing.

The Guide for clients explains the legal role of the parties involved, noting that the client acts as a data controller and the provider of cloud computing services as a data processor.

Guidelines for providers of cloud computing declares that providers shall inform diligently and in a transparent manner about the nature of its services and the guarantees to be implemented for to fulfilment of Spanish Data Protection regulations.

Coordination with other data protection authorities

On September 19th, 2013 the SDPA issued a sanctioning resolution stating that Google collected and processed personal data unlawfully and imposed the Internet giant a penalty of €900.000. This SDPA resolution followed a coordinated multinational investigations carried out by EU data protection authorities in relation to Google's new privacy policy.

The report also mentions that in 2013 two additional preliminary proceedings were initiated against Google: one for failure to comply with cookies regulations in a group of companies and the other against Google Inc for lack of information about storage and use of cookies.