Data Law Nav­ig­at­or | Spain

In­form­a­tion on Data Pro­tec­tion and Cy­ber Se­cur­ity laws from CMS ex­perts

< back to Overview

The content will be periodically updated by our lawyers but, given the constantly evolving laws in this area, we cannot guarantee the content is complete and accurate.

Jump directly to Cyber Security
 

Data Protection

Last updated 9 October 2018

Risk Scale

*Please note that, in addition to increasing the risk of sanctions, in Spain the risk of class actions leading by consumers’ associations is likely as these associations are very active, although it is not totally clear at this stage whether these associations will eventually be deemed to be entitled to represent the data subjects in data protection court proceedings.

Laws

  • Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (GDPR)
  • Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD). (Only applicable to the extent that it has not been repealed by the GDPR)
  • Royal Decree 1720/2007, of 21 December, implementing the Law 15/1999, of 13 December, on the Protection of Personal Data (RD LOPD). (Only applicable to the extent that it has not been repealed by the GDPR)
  • Law 34/2002, of 11 July, on Information Society Services and Electronic Commerce (LSSI).General telecommunications Law 9/2014, of 9 May 2014.
  • Royal Decree-Law 5/2018, of 27 July 2018, on urgent measures to adapt Spanish law to the European Union regulations on data protection (RDL 5/2018).

Authority

Agencia Española de Protección de Datos (AEPD). https://www.aepd.es/

If applicable: stage of legislative development of GDPR 

On 10 November 2017, the Spanish Government published a Draft Bill (Draft Bill) to reform the current Spanish LOPD, which implemented Directive 95/46/EC. The aim of the new legislation is to bring the Spanish data protection regime up to the General Data Protection Regulation's (GDPR) standards and to provide an interpretation to some of the broader concepts in the GDPR.

Currently there is a Draft Bill being processed in the Spanish Parliament. For the purposes of this questionnaire all answers provided are based on the Draft Bill (Draft Bill) published by the Ministry of Justice in November 2017. However, please note that the definitive enacted legislation could differ dramatically from the Draft Bill once the parliamentary procedure is complete.

If applicable: local derogations as permitted by GDPR 

The following local derogations, as permitted by the GDPR, have been expressly included in the Draft Bill:

  • Unless there is proof to the contrary, it is presumed that the processing of contact details of natural persons and individual entrepreneurs that provide their services for a legal person is covered by the legitimate interest legal basis, subject to certain requirements.
  • Unless otherwise proved, it is presumed that the processing of personal data related to the breach of pecuniary, financial or credit obligations through common credit information systems is lawful, subject to certain requirements.
  • Unless proved to the contrary, processing activities derived from any kind of corporate structural change transaction (transformation to a different legal form, merger, acquisition, division, global assignment of assets and liabilities and international relocation of registered office), will be presumed lawful to the extent that the processing is necessary for the success of the transaction and the continuity of the service. If the transaction does not finally take place, the transferee shall immediately erase the data, regardless of any other retention period that might legally apply.
  • According to the Draft Bill, the processing of personal data for the purpose of avoiding the sending of commercial communications to those who have stated their refusal or objection to their receipt is lawful.
  • According to the Draft Bill, the exercise of a right more than once during a period of six months, may be considered repetitive, for the purposes set out in article 12.5 of the GDPR.
  • According to the Draft Bill, the processing based on compliance of a legal obligation may only be regarded as well-founded where this is provided for by a rule of EU law or by a specific law, which may determine the general conditions of processing and the categories of data processed, as well as the transfers that may be made to comply with the legal obligation. The law may also impose special conditions for the processing such as the adoption of additional security measures. For the processing based on the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller to be well-founded, it has to arise from a power conferred by law.
  • The Draft Bill prohibits processing special category of data based only on the consent of the data subject when the main purpose of the processing is identifying revealing racial or ethnic origin, political opinions, sexual orientation religious or philosophical beliefs, or trade union membership. Regarding grounds of substantial public interest, the Draft establishes that the processing based on this legal basis should be covered by a law.
  • The creation and maintenance of information systems through which a private entity may be made aware of, even anonymously, the commission within it or by third contracting parties of acts or behaviours which may be contrary to the applicable general or sectoral legislation (whistle blowing schemes) is lawful, subject to certain requirements. The employees and third parties shall be informed about the existence of such information systems.
  • Processing and public access to official documents: the access to official public documents which contain personal data, shall be governed by the Law 19/2013, of 9 December, on transparency, access to public information and good governance.
  • Processing in the context of employment: Preliminary Draft Bill refers to the processing of employees’ data through surveillance systems to exercise the control function over employees as established in the Workers’ Statute.
  • After 25 May 2018 data processing agreements in force will extend their validity until the agreed date of termination, with a maximum period of 4 years from 25 May 2018. Where contracts have foreseen the renewal upon termination, either by mutual agreement or automatically if parties do not object to it, the data processing agreement shall be adapted to GDPR prior to the renewal but never after 25 May 2022. Where the contract has an indefinite duration, adaption of the contract shall take place before 25 May 2022. [Please note that, in practice, since the Draft Bill has not been passed before25 May 2018, it is expected that this provision is amended or removed from the final text of the law to be approved.]

In addition, the following derogations have been expressly included in RDL 5/2018:

  • During the course of the preliminary investigation proceedings or during the proceedings for the exercise of the sanctioning power, the AEPD may, on reasonable grounds, agree on provisional measures necessary and proportionate to safeguard the fundamental right to data protection and, in particular, those provided for in Article 66 (1) of Regulation (EU) 2016/679, the precautionary blocking of data and the immediate obligation to comply with the right requested.
    • Where the AEPD considers that the continued processing of personal data, their communication or international transfer would seriously undermine the right to the protection of personal data, it may order the data controllers or those responsible for processing to block the data and to cease processing and, if they fail to comply with these mandates, to freeze them.
  • According to RD-L 5/2018, the DPO from the sanctioning regime.
  • RD-L 5/2018 includes a transitory provision that sets out that, if none of the parties to a data processing agreement request its renewal for compliance with the GDPR, the LOPD compliant data processing agreement will remain valid until 25 May 2022 (for indefinite term agreements) or until its expiration date (for fixed term agreements). This is to say that, in principle and according to this law, only if so requested by each of the parties, renewing or amending this provision will be required.

Please note that additional derogations may apply according to specific sectorial legislation, but such derogations have not been expressly included in the Draft Bill.

Scope

Draft Bill intends to adapt the current Spanish legislation on data protection to the GDPR standards, protecting the constitutional right to personal data protection pursuant to article 18.4 of the Spanish Constitution.  

As in the GDPR, Draft Bill applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system.

This regulation does not apply to the processing of personal data:

  • by a natural person in the course of a purely personal or household activity; 
  • by the Central State Administration when carrying out activities which fall within the scope of Chapter 2 of Title V of the TEU;
  • for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Directive (EU) 2016/680).
  • Processing of data related to deceased individuals (with some exceptions).
  • subject to the regulation on the protection of classified information

RD-L 5/2018 empowers the AEPD and provides a sanctioning procedure.

Penalties/enforcement

The AEPD has enforcement powers (administrative procedures only). Under the new Draft Bill, infractions are those acts and conducts described in article 83 of the GDPR.

Additionally, the Draft Bill sets up what may be considered very serious, serious and minor infringements, establishing a statute of limitations of three, two and one year respectively.

In addition to the graduation criteria established in article 83.2 of the GDPR, the Draft Bill add new criteria as for instance the continued nature of the infringement, the linking of the offender´s activity with the processing of personal data, benefits obtained from the commission of the infringement, the possibility that the conduct of the person concerned might have led to the commission of the offence and/or the existence of a merger by absorption following the commission of the infringement, which cannot be attributed to the merging entity.

RD-L 5/2018 sets out the sanctioning procedure/ powers as follows:

Chapter I regulates the competent personnel for the exercise of investigative powers.  It should be noted in this respect that, in accordance with Article 1, not only the officials of the AEPD may carry out this activity, but also other officials when they have been expressly authorised to do so.

Chapter II deals with other relevant procedural issues. For example, it delimits the perimeter of sanctionable subjects, expressly excluding the DPO and including certification bodies and accredited bodies for the supervision of codes of conduct, together with controllers and processors and their representatives. 

On the other hand, the statute of limitations for infringements and sanctions is determined as follows: (i) two years for serious infringements and three years for very serious ones; (ii) one year for sanctions of up to 40,000 Euros, two years for those that exceed that figure but are below 300,000 Euros, and three years for those that are set above that amount.

Chapter III empowers the AEPD both to protect the exercise of the rights by the data subjects and to investigate alleged infractions of the RGPD. In addition, Chapter III contains the minimum content of the decision by means of which the sanctioning procedure is initiated by an adequate and sufficient legal basis.

Registration / notification 

In addition to registration of the DPO, as required under the GDPR, under Article 26 LOPD, there used to be notification formalities before the AEPD Register, for any person or organisation intended to process personal data.

This obligation was voided after the fully application of the GDPR.

Notification of security incidents is required to take place by using the electronic site of the AEPD. Communications by any other channel will be rejected.

Main obligations and processing requirements

(i) Information obligations and (ii) data subjects’ consent or legal basis for the processing, mirroring under the Draft Bill the obligations set out in (i) articles 13 and 14 GDPR and (ii) articles 6 to 10 GDPR. The AEPD has published additional guidelines on the obligations of data controllers under GDPR. Guidelines are available here (only available in Spanish).

Data subject rights

As in the GDPR, Data subject have the rights to: 

  • information and transparency;
  • access;
  • rectification and erasure (“Right to be forgotten”);
  • restriction of processing;
  • data portability;
  • object; the
  • right not to be subject to a decision based solely on automated processing, including profiling.

Processing by third parties

Draft Bill directly refers to Article 28.3 GDPR. The AEPD has published additional guidelines on the contracts binding on the processor. Guidelines are available here (only available in Spanish).

Transfers out of country

Under the Draft Bill, rules applicable to the international transfer of data reflects the rules included in the Chapter V GDPR.

Data Protection Officer

Draft Bill sets out the same criteria under article 37 GDPR in relation to DPO appointment obligations. However, the Draft Bill sets out, for avoidance of any doubt, particular entities which must appoint a DPO, including the following: professional associations; educational centres; entities operating networks and providing electronic communication services; information society providers; credit institutions and/or financial companies; insurance companies; investment service companies; energy distributors and traders; entities responsible for files related to financial solvency and creditworthiness; companies developing marketing and commercial research activities; health centres; gambling operators that operate though electronic means; or private security companies.

Draft Bill sets out that DPOs are not personally responsible for non-compliance with the GDPR. As the GDPR, the Draft Bill makes it clear that it is the controller or the processor who is required to ensure and to be able to demonstrate that processing is performed in accordance with the law. Data protection compliance is the responsibility of the controller or the processor.

Additionally, it is stablished a term of ten days for controllers and processors to notify appointments and removals of DPOs to the AEPD, both when the appointment is mandatory and when it was made voluntarily.

Draft Bill specifies that the AEPD and the regional data protection authorities will maintain an actualized list of DPOs that will be accessible by electronic means. 

Finally, the Draft Bill regulates the intervention of the DPO in case of complaint before a data protection authority; the data subject may address first to the DPO, so the DPO has the possibility of reaching a decision before going to the AEPD (it is established a maximum period of two months from receipt of the complaint).

Security

Under current LOPD and RD LOPD, data controllers and processors must take appropriate technical and organisational measures against unauthorised or unlawful access or processing, and against accidental loss or destruction of, or damage to, personal data. 

The RD LOPD sets out exhaustive security measures to ensure a level of security appropriate to the nature of the data in relation to the following categories:

  • Basic security measures must be applied to all data. These measures include, for instance, access control to data by employees. 
  • Medium security measures must be applied to data that, for instance, allows data controllers to profile data subjects. These measures include, for instance, the execution of data privacy audits every two years and the appointment of a Security responsible within the organisation.
  • High security measures are applicable to special categories of data (gender violence, health, sexual life…). These measures include, for instance, encryption when communicating personal data.

The Draft Bill eliminates this above described security measures system. Controllers and processors shall implement the security measures provided by Article 32, but there is not a check list as per current RD LOPD.

Breach notification

Draft Bill does not refer explicitly to the legal obligation to notify personal data security breaches (to data subjects or the data protection authority). However, failure to comply with such obligations under articles 33 and 34 GDPR has been included as an infringement (serious or minor) under the Preliminary Draft Bill. 

The AEPD has published additional guidelines on management and notification of data breaches. Guidelines are available here (only available in Spanish).

Direct marketing

  • Electronic commercial communications (opt-in system) through email are governed by the LSSI. In this regard, AEPD has issued a report which expressly states that the LSSI, because of its special character, prevails over the data protection regulation. In accordance with Article 21.1 LSSI, sending electronic commercial communications through email is forbidden unless requested or expressly authorised by the data subject (including legal persons).
    • Companies must always include an easy and free procedure that allows the data subject to object the use of its personal data for electronic commercial communications.
  • Commercial communications by regular mail or phone are governed by the GDPR, excluding legal persons. 
    • The Draft Bill provides that where personal data are processed for the purposes of direct marketing, the data subject should have the right to object to such processing.

Cookies

Article 22 LSSI sets out that cookies may be used in the recipients’ computers or equipment when data subjects have given their consent once they have been fully and clearly informed on the purpose of those technologies and especially on their use for data processing, as per the requirements established in the LOPD.

Despite the previous provision, the AEPD has recently settled (only available in Spanish) that after the fully application of the GDPR, consent requirements for the use of Cookies should be those established in the GDPR.

Useful links

Web page of the AEPD (only available in Spanish): https://www.aepd.es/index.html  

 

Cyber Security

Last updated 9 October 2018

Laws and regulations

Pursuant to the National Security Strategy, which includes cybersecurity among its twelve action fields, the Spanish National Cybersecurity Strategy was adopted in 2013. This Strategy a number of principles, objectives and lines of action to guarantee national security in the cyberspace, and creates a specific organizational structure composed of different bodies under the direction of the Prime Minister.

On this basis, there is not a single regulation but several rules make up the Spanish cybersecurity regulatory framework. The Cybersecurity Law Code, published by the Spanish Official Journal in cooperation with the Spanish Cybersecurity National Institute (INCIBE), collates the main legislation related to information security and the protection of cyberspace, among which, it is worth mentioning the following: 

National security

  • Law 36/2015, of 28 September, on National Security (National Security Law).
    • Order PRA/33/2018, of 22 January, publishing the Agreement of the National Security Council regulating the National Cybersecurity Council (National Cibersecurity Council)
  • Order PRA/116/2017, of 9 February, publishing the Agreement of the National Security Council implementing the mechanisms to ensure the integrated operation of the National Security System (NSS Mechanisms Order).
  • Royal Decree 1008/2017, of 1 December, approving the National Security Strategy 2017. (National Security Strategy)
  • Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of e-Government scope (e-Government National Security Scheme).
  • Royal Decree 4/2010, of 8 January, regulating the National Interoperability Scheme in the field of e-Government (e-Government National Interoperability Scheme).
  • Order PRE/2740/2007, of 19 September, approving the Regulation on the Information Security Evaluation and Certification Scheme (Regulation on the Information Security Evaluation and Certification Scheme).

Cybercrime

  • Organic Law No. 10/1995, of 23 November, of the Criminal Code (Criminal Code).
  • Organic Law No. 5/2000, of 12 January, regulating the criminal liability of minors (part-inclusion).
  • Royal Decree of 14 September 1882 approving the Code of Criminal Procedure (part-inclusion).

Computer Security Incident Response Team

  • Law No. 34/2002, of 11 July, on information society services and e-commerce (LISSEC).
  • Royal Decree No. 421/2004, of 12 March, regulating the National Cryptology Center (CCN Regulation).

Critical infrastructure

  • Law No. 8/2011 of 28 April, of 28 April, implementing measures for the protection of critical infrastructures (CIP Law).
  • Royal Decree No. 704/2011, of 20 May, approving the Regulation on the protection of critical infrastructures (CIP Regulation).
  • Decision of the State Secretariat for Security, of 8 September 2015, approving the new minimum content of the Operator’s Security Plans and the Specific Protection Plans (Decision on the Operator’s Security Plans and Specific Protection Plans).
  • Royal Decree-Law 12/2018 of 7 September on the security of networks and information systems (RD-L 12/2018).

Network and information systems

  • Forthcoming implementation of Directive (EU) 2016/1148 of the European Parliament and of the Council of 6 July 2016 concerning measures for a high common level of security of network and information systems across the Union (NIS Directive). 
  • Royal Decree-Law 12/2018 of 7 September on the security of networks and information systems (RD-L 12/2018).

Telecommunications and users

  • General Telecommunications Law No. 9/2014, of 9 May (Telecoms Act).
  • Royal Decree No. 424/2005 of 15 April 2005, approving the Regulation on the conditions for the provision of electronic communication services, universal service and users’ protection (the Universal Service Regulation).
  • Royal Decree No. 381/2015 of 14 May 2015, establishing measures against unauthorised traffic and irregular traffic for fraudulent purposes in electronic communications (the Unauthorised and Irregular Traffic Regulation).
  • Commission Regulation (EU) No. 611/2013 of 24 June 2013 on the measures applicable to the notification of personal data breaches under Directive 2002/58/EC of the European Parliament and of the Council on privacy and electronic communications (EU Data Breach Notification Regulation).
  • Law 59/2003, of 19 December, on electronic signatures.
  • Law 25/2007, of 18 October, on the conservation of data relating to electronic communications and public communications networks.

Data protection

  • Regulation (EU) No. 2016/679 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation (GDPR)).
    • Organic Law No. 15/1999 of 13 December 1999 on the Protection of Personal Data (Data Protection Act) and Royal Decree No. 1720/2007 of 21 December 2007, approving the regulations implementing Organic Law No. 15/1999 (the Data Protection Regulation), currently under review in order to adapt and develop the GDPR in the areas that are left to EU member states. From 25 May 2018, the GDPR and new Data Protection Act, if already adopted, shall be fully applicable.

Application

National Security Law: regulates (i) the basic principles, the higher Public Administration bodies, authorities and main components of National Security; (ii) the National Security System and the management, organization and coordination thereof; (iii) crisis management; and (iv) the contribution of resources to National Security. It includes cybersecurity among the areas of particular concern to National Security. This Law applies to public administrations and, on the terms set out therein, to natural persons and legal entities.

eGovernment National Security Scheme: regulates the security policy to be applied in the use of electronic means in the context of the public sector, laying down the basic principles and minimum requirements for a proper protection of information to be applied by Public Administrations. It does not cover information systems regulated by official secrets regulations.

eGovernment National Interoperability Scheme: regulates the criteria and recommendations in terms of security, preservation and standardization of information, formats and applications to be considered by the Public Administrations to ensure an adequate level of interoperability of the data, information and services they manage, and to avoid citizens’ discrimination on grounds of their technological choices. 

CIP Law: sets out the framework for the protection of critical infrastructures, introducing measures and obligations for the public and the private sectors. It promotes the coordination and involvement of public administrations and managing bodies or owners of the infrastructures providing essential services. The strategic sectors covered by the Law are Administration, Space, Nuclear Industry, Chemical Industry, Research Facilities, Water, Energy, Health, Information & Communication Technologies (ICT), Transport, Food, and Financial & Tax System.

Telecoms Act: main piece of legislation governing the provision of electronic communications networks and services. Among other regulatory obligations, electronic communications operators are subject to a number of security requirements aimed at ensuring the secrecy of communications, the protection for personal data and the integrity and security of networks and services.

RD-L 12/2018: The purpose of this piece of legislation is to regulate the security of the networks and information systems used to provide essential services and digital services, establishing the criteria for identifying the main operators that provide them, as well as a system for notifying incidents that may affect them. On the other hand, it regulates the institutional framework for cooperation between the Spanish authorities and cooperation bodies in this area, at an EU level.

The parties bound by this RDL are, on the one hand, the operators of essential services (services necessary for the maintenance of basic social functions, within the framework of one of the strategic sectors defined in the annex to Law 8/2011 establishing measures for the protection of critical infrastructures) and, on the other, the providers of digital services, as defined in Law 34/2002 on Information Society Services and Electronic Commerce.

Digital service providers incorporated as micro or small enterprises are exempted from the application of this rule. Operators or providers who employ fewer than 50 workers and whose annual turnover or balance sheet does not exceed 10 million euros have this status.   

Authority

The National Security Law designates the following as national security competent authorities: (i) Parliament and Senate; (ii) Government (http://www.lamoncloa.gob.es); (iii) Prime Minister (http://www.lamoncloa.gob.es/presidente/Paginas/index.aspx; (iv) Ministers (http://www.lamoncloa.gob.es/gobierno/Paginas/index.aspx); (v) National Security Council (http://www.dsn.gob.es/es/sistema-seguridad-nacional/consejo-seguridad-nacional; and (vi) Government Representatives in Autonomous Communities and Cities (http://www.seat.mpr.gob.es/portal/delegaciones_gobierno/delegaciones.html). In addition, the National Security Law sets out the so-called National Security System, a group of authorities, bodies, resources and proceedings that allow the competent authorities to exercise their duties. The structure of the National Security System includes the Prime Minister, who manages the System with the assistance of the National Security Council, the National Security Department and the support bodies of the National Security Council.

The CIP Law designates the following bodies as agents of the so-called Critical Infrastructures Protection System: (i) State Secretary for Security (http://www.interior.gob.es/el-ministerio/funciones-y-estructura/secretaria-de-estado-de-seguridad); (ii) National Center for the Protection of Critical Infrastructures (CNPIC; http://www.cnpic.es/); (iii) certain competent Ministries and bodies with regard to each relevant strategic sector; (iv) Autonomous Communities and Cities; (v) Government Representation Offices; (vi) Local Authorities; (vii) National Commission for the Protection of Critical Infrastructures; and (viii) Interdepartmental Working Party for the Protection of Critical Infrastructures. These institutions and authorities have responsibilities regarding the proper operation of essential services or regarding citizens’ security.

RD-L 12/2018 sets out that the competent authorities are as follows: 

a)    For operators of essential services:

In the event that they have been designated as critical operators in accordance with Law 8/2011, of 28 April, and its implementing regulations, regardless of the strategic sector in which such designation is made: The Secretary of State for Security, Ministry of Domestic Affairs, through the National Centre for Infrastructure Protection and Cybersecurity (CNPIC, in its Spanish acronym).

In the event that they are not critical operators: the corresponding sectoral authority for the subject matter, as determined by regulation.

b)    For digital service providers: The Secretariat of State for Digital Advancement, Ministry of Economy and Enterprises.

c)    For operators of essential services and providers of digital services that are not critical operators but fall within the scope of application of Law 40/2015, of October 1, on the Legal Regime of the Public Sector: The Ministry of Defense, through the National Cryptologic Centre.

From a telecoms regulation perspective, the Ministry of Energy, Tourism and Digital Agenda (www.minetad.gob.es) and the Spanish Data Protection Agency (AEPD; www.agpd.es) are responsible for enforcing the relevant obligations.

Key obligations

Critical infrastructure

Under the CIP Law, operators must cooperate with competent authorities to optimize the protection of the critical infrastructure they manage. This includes:

  • Cooperating in the performance of risk analysis
  • Preparing an Operator Security Plan and a Specific Protection Plan for each infrastructure considered critical
  • Appointing a Security Liaison Officer and a Security Officer for each critical infrastructure

Public Sector

The e-Government National Security Scheme lays down the minimum security requirements to be adopted by the public sector. Accordingly,

the higher bodies of public administrations must implement a security policy, articulating security ongoing management and complying with certain minimum requirements (among others, organisation and implementation of the security process, risk analysis and management, authorisation and access control; protection of premises, security by default and system integrity and update).

Under the e-Government National Interoperability Scheme, the security conditions applicable to the services of the Public Administrations which are available through electronic means and the measures to ensure the retention/preservation of electronic documents must be in accordance with data protection regulations, the e-Government National Security Scheme and the relevant legal instruments to be subscribed by the Public Administrations. 

RD-L 12/2018: 

Among the basic obligations imposed by the RDL, it is worth highlighting that of adopting adequate security measures to manage the risks that the networks and information systems used to provide services may face, as well as to minimize the impact of any incidents that may arise. In the case of operators of essential services, a notification obligation to the corresponding competent is established.

Article 7 imposes an obligation to communicate activities to digital service providers within three months from the beginning of their activity. The competent authority is the Secretariat of State for Digital Advancement of the Ministry of Economy and Enterprises.

With regards to security incident reporting obligations, essential operators should only notify the competent authority through a CSIRT (Incident Response Team) incidents that are likely to have significant disruptive effects on services. With respect to digital service providers, they will only be required to notify if they have access to the information necessary to assess the impact of the incident. It is also possible, in certain cases, for the competent authority to require operators or suppliers to notify the public or third parties of the incidents that have occurred.

A system is articulated to match the obligations in terms of security and communication that could affect these subjects according to the sectorial regulations that may be applicable to them, so that, even in relation to the application of the sanctioning regime regulated in the RDL, the provisions of the sectorial regulations prevail.

Telecoms

  • Adopting the technical measures required to ensure the secrecy of communications
  • Compliance with specific privacy obligations.
  • Managing security risks in an adequate manner to grant an adequate level of security and avoid or minimize the impact of security incidents
  • Guaranteeing the integrity of the networks to ensure the continuity of the services using such networks
  • Mandatory reporting of security incidents and data breaches
  • Guaranteeing as much availability as possible of publicly available telephony services through public communications networks in case of network catastrophic failure or of an event of force majeure, adopting all measures required to guarantee uninterrupted access to emergency services

Penalties/enforcement

Enforcement

The National Security Law, the CIP Law does not designate a specific authority for enforcement purposes. 

RD-L 12/2018 implementing the NIS Directive designates one or more competent authorities on the security of network and information systems, as above indicated.

The Ministry of Energy, Tourism and Digital Agenda and the AEPD are responsible for enforcing the electronic communications regulatory framework.

Penalties

The National Security Law and the CIP Law do not lay down a sanction regime for failing to comply with the provisions thereof.

The national legislation implementing the NIS Directive will determine the level of penalties for breach of the applicable obligations.

Under the Telecoms Act, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a minor breach, fines of up to fine of up to EUR 50,000.
  • If considered a serious breach, fines of up to EUR 2 million.
  • If considered a very serious breach, fines of up to EUR 20 million.

RD-L 12/2018 incorporates a sanctioning procedure with sanctions ranging from 100,000 to 1,000,000 euros, depending on the seriousness of the infringement.

The Spanish Criminal Code also punishes a number of cybercrimes including, for instance, illegal access to information systems, interception of data transmissions or computer damages.

Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)?

CERTSI (Security and Industry CERT; www.certsi.es) is the Response Capacity to Information Security Incidents of the Ministry of Energy, Tourism and Digital Agenda and the Ministry of Interior. It is the national CERT in charge of the prevention and mitigation of, and response to cyber incidents in the companies, citizens and critical infrastructure operators’ spheres. CERTSI is technically operated by the Spanish Cybersecurity National Institute (INCIBE), under the coordination of CNPIC and INCIBE. 

CNN-CERT is the Response Capacity to Incidents of the National Cryptology Center (www.ccn-cert.cni.es), which is part of the Intelligence National Center. It is responsible for improving cybersecurity in classified systems and systems of Public Administrations and strategic-interest organizations (i.e. those essential for national security and the whole Spanish economy).

Is there a national incident management structure for responding to cyber security incidents?

The National Security Law sets forth a procedure to manage crisis affecting National Security, including coordinated response to those threats. Cybersecurity is one of the areas of particular concern to National Security so a cyber incident should be dealt through this procedure when its effects, dimension, urgency and mainstreaming are severe enough to need intensified cooperation from competent public authorities. In these cases, the Prime Minister will coordinate response against the risk or threat by defining the nature and scope of the crisis, appointing, if necessary, an authority in charge of coordination, the range of powers the authority will be granted with for that purpose, and the human and material resources to be provided by other authorities to contribute towards the solution of the crisis. Government is obliged to inform the Congress immediately about the measures undertaken and of the crisis evolution.

Notwithstanding the foregoing, the management procedure to respond to cybersecurity incidents is generally dependant on the specific sector concerned. For instance, as regards critical infrastructures, response to and management of cyber incidents would be carried out in accordance with the applicable planning instruments (i.e. National Plan for the Protection of Critical Infrastructures, Sector Strategic Plans, Operator Security Plans, Operator Specific Protection Plans and Operational Support Plans). This information is classified so the content is not publicly available.

CERTSI provides a service to respond to cybersecurity incidents addressed to citizens, companies, personnel belonging to the academic and research network RedIRIS and strategic and critical infrastructure operators (in this last case, in coordination with CNPIC).

CNN-CERT provides a service to respond to cyber incidents experienced by classified systems and systems of the Spanish Public Administrations and of companies and organizations of strategic interest.

Other cyber security initiatives

Numerous recommendations, guidelines and codes of practice regarding cybersecurity have been issued by authorities and institutions including INCIBE, CERTSI or CNN-CERT. For instance:

  • INCIBE guidelines on cloud computing, ransomware, secure deletion on information, secure storage of information, management of security incidents, cybersecurity on e-commerce or security risk management.
  • CERTSI Guide on cybersecurity on wireless communications in industrial environments; Guide on Industrial Protocols Security – Smart Grids, or Situation of malware for Android.
  • CNN-CERT Principles and basic recommendations on cybersecurity, or Good Practice Reports on e-commerce, mobile devices, web browsers, ransomware or IoT.

Certain remarkable tools have been developed for detecting and managing security incidents such as SAT (https://www.ccn-cert.cni.es/gestion-de-incidentes/sistema-de-alerta-temprana-sat.html), LUCIA (https://www.ccn-cert.cni.es/gestion-de-incidentes/lucia.html) or  REYES (https://www.ccn-cert.cni.es/herramientas-de-ciberseguridad/reyes.html).

There are also different private initiatives to promote cybersecurity and the cooperation between the public and private sector in this field, such as ABUSES Forum (http://abuses.es/index.html.en), ISMS Forum Spain (www.ismsforum.es), National Forum for Digital Trust (http://www.agendadigital.gob.es/agenda-digital/FNCD/Paginas/foro-nacional-confianza-digital.aspx)  or the Circle of Technologies for the Defence and Security Foundation (https://fundacioncirculo.es/).

Useful links

 

< back to Overview

Authors

Martín Bartolomé
Bartolomé Martín
Counsel
Madrid