An extract from The Privacy, Data Protection and Cybersecurity Law Review, 8th Edition
Public and private enforcement
i Enforcement agencies
The DPA is the independent authority responsible for the enforcement of the GDPR and DP Regulations and the data protection provisions of the LSSI and the GTL.
Among other powers and duties, the DPA has powers that include the issuing of (non-binding) legal reports, recommendations, instructions and contributions to draft rules; powers of investigation; and powers of intervention, such as ordering the blocking, erasing or destruction of unlawful personal data, imposing a temporary or definitive ban on processing, warning or admonishing the controller or processor, or imposing administrative fines (fines are only imposed on private-sector entities). It is worth noting that the Spanish Data Protection Law has further developed the general and rather vague sanctioning regime set out in the GDPR, by providing, on the one hand, three categories of infringements (minor, serious and very serious) which depend on the type and seriousness of the breach – rather than the mere two fine ranges set out in the GDPR – and, on the other hand, a detailed administrative sanctioning and investigation system and procedures.
Disciplinary procedures start ex officio, but generally stem from a complaint submitted by any person (e.g., the data subject, consumer associations, competitors or former employees).
The DPA is very active: in addition to ex officio inspections of specific sectors (always announced in advance), in 2020 (the year of the most recent official statistics published by the DPA), 10,324 complaints from individuals were resolved and the fines imposed amounted to approximately €8 million.
ii Recent enforcement cases
The following are the most significant enforcement issues to have arisen in Spain in 2020.
The DPA has carried out numerous disciplinary proceedings related to video-surveillance (94), internet services (73) and direct marketing by electronic means (17). The DPA has also issued several reports assessing the interpretation of both the GDPR and the New Spanish Data Protection Law and has published new automated tools to allow start-ups to comply with GDPR obligations and to help data controllers comply with their notification duties (in connection with data breaches) vis-à-vis the data subjects.
In addition, the number of proceedings carried out and sanctions imposed by the DPA against non-Spanish and non-EU controllers has also increased. The DPA has indicated that it has participated in 451 cases of cross-border cooperation and in 17 cases as leading authority.
On the other hand, it is worth noting that the DPA imposed its highest-ever economic fines between December 2020 and March 2021. It issued three sanctioning resolutions fining Spanish banking and telecoms companies €5 million, €6 million and €8 million, respectively. Both data controllers and data processors should take good note of these resolutions, since they provide useful recommendations for complying with the transparency and accountability principles in the context of subcontracting, and analyse the contractual measures that should be implemented for international transfers of data.
iii Private litigation
Data subjects may claim damages arising from the breach of their data protection rights before the civil courts. Claims for civil damages usually involve pecuniary or moral damages, or both, linked to the violation of honour (such as the improper disclosure of private information) and privacy rights (such as the dissemination of private images). In general, indemnities granted to date have been exceptional and have not exceeded €3,000 (with limited exceptions such as one awarding €20,000). Notwithstanding this, recognition under the GDPR of the possibility to initiate class actions related to data protection matters has created a new framework and there is news in the market around the recent initiation by the Spanish consumers association of class actions against one of the largest social media platforms for alleged data protection infringements.

