The legal framework for the protection of personal data in Spain is regulated by the Lisbon Treaty, Article 18(4) of the Spanish Constitution, the GDPR and Spanish Basic Law 3/2018, of 5 December, on data protection and digital rights guarantees.
Neither the GDPR nor Basic Law 3/2018 contains specific provisions regarding e-discovery and information governance. Sector-specific regulations also do not contain any data protection provisions on these matters.
For the discovery process to take place lawfully, the processing of personal data must be legitimate and satisfy one of the grounds set out in Article 6 of the GDPR (and, if the information in question is sensitive personal data, a ground for processing under Article 9 of the GDPR must also exist).
Article 6.1(c) of the GDPR establishes that processing is lawful if it is necessary for compliance with a legal obligation to which the controller is subject. However, non-EU laws are not, as such, considered a legal basis for data processing, in particular regarding transfers to foreign authorities and especially if they are public authorities. In this regard, the Spanish Data Protection Authority understood in its report 2011-0469 that US civil procedure law cannot be included within the concept of 'law' that legitimates data processing. This approach is consistent with Article 6.3 of the GDPR, which states that the basis for the processing referred to in point (c) of that Article must be laid down by EU law or Member State law to which the controller is subject. Therefore, e-discovery and any enforcement requests based on these laws require a complex case-by-case analysis from a data protection standpoint.
In addition, personal data transfers to countries that do not ensure an equivalent level of protection are permitted only if the controller or processor has provided appropriate safeguards, and on the condition that enforceable data subject rights and effective legal remedies for data subjects are available, unless a legal exception under Article 49 of the GDPR applies.
These derogations have been analysed in the Guidelines on Article 49 of Regulation 2016/679 adopted by the European Data Protection Board. According to this joint position, Article 49(1)(e) (which states that the transfer could be deemed legitimate to the extent that it is necessary for the establishment, exercise or defence of legal claims) may cover a range of activities; for example, in the context of a criminal or administrative investigation in a third country (e.g., antitrust law, corruption, insider trading or similar situations), where the derogation may apply to a transfer of data for the purpose of an individual defending himself or herself, or for obtaining a reduction or waiver of a fine legally foreseen (e.g., in antitrust investigations). Data transfers for the purpose of formal pretrial discovery procedures in civil litigation may also fall under this derogation. It can also cover actions by the data exporter to institute procedures in a third country (e.g., commencing litigation, seeking approval for a merger). Notwithstanding this, the derogation cannot be used to justify the transfer of personal data on the grounds of the mere possibility that legal proceedings or formal procedures may be brought in the future.
In addition to the above, according to the data minimisation principle, personal data must be adequate, relevant and limited to what is necessary in relation to the purposes for which it is disclosed. For that reason, the Spanish Data Protection Authority encourages – when feasible – the anonymisation of information (or pseudonymisation, as the case may be).
Finally, the disclosure of personal data would require providing prior notice of the possibility of personal data being transferred to and processed by foreign authorities. If the recipients are established in non-equivalent countries, specific information on the existence of an international transfer must also be provided.