Data protection and cybersecurity laws in Spain

Data protection

1. Local data protection laws and scope

Organic Law 3/2018 of 5 December on the Processing of Personal Data and Guarantee of Digital Rights (hereinafter Organic Law 3/2018) (“Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales”): a) adapts the Spanish legal system to the GDPR, b) regulates the exercise of the fundamental right to data protection, protected by Art. 18(4) of the Spanish Constitution, in accordance with GDPR and this Organic Law, and c) regulates the guarantee of the digital rights of citizens, including processing of personal data in the context of employment (eg surveillance systems, geolocation devices and the right to privacy in the use of digital devices).

The law interprets some of the broader concepts in the GDPR. It came into effect on 7 December 2018 and repealed Organic Law 15/1999 of 13 December on the Protection of Personal Data (except for some provisions in the political and judicial sector) and any other law or regulation contrary to the GDPR.

This law: 

  1. applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data which form part of a filing system or are intended to form part of a filing system; 
  2. does not apply to the processing of personal data:
    1. by a natural person in the course of a purely personal or household activity;
    2. when the data processing is carried out within the framework of activities which fall within the scope of Chapter 2 of Title V of the TEU;
    3. for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, including the safeguarding against and the prevention of threats to public security (Directive (EU) 2016/680);
    4. related to deceased individuals (with some exceptions); or
    5. subject to the regulation on the protection of classified information.

Unless otherwise proved, the following processing activities are presumed lawful:

  • the processing of the contact details of natural persons who provide services to a legal entity, and of individual entrepreneurs providing services to a legal person, is covered by the legitimate interest legal basis, subject to certain requirements (Art. 19);
  • the processing of personal data related to the breach of pecuniary, financial or credit obligations through common credit information systems is lawful, subject to certain requirements (Art. 20);
  • processing activities derived from any kind of corporate structural change transaction (transformation to a different legal form, merger, acquisition, division, global assignment of assets and liabilities and international relocation of registered office); to the extent that the processing is necessary for the success of the transaction and the continuity of the service. If the transaction does not finally take place, the transferee shall immediately erase the data, regardless of any other retention period that might legally apply (Art. 21);
  • video surveillance: natural or legal persons, public or private, may carry out the processing of images through camera systems or video cameras in order to preserve the safety of people and property, as well as their facilities, subject to certain requirements (Art. 22);
  • whistleblowing schemes: creation and maintenance of information systems through which a private entity may be made aware of, even anonymously, the commission within it or by third contracting parties of acts or behaviours which may be contrary to the applicable general or sectoral legislation (whistleblowing schemes) is lawful, subject to certain requirements. The employees and third parties shall be informed about the existence of such information systems (Art. 24).

Other relevant laws on data protection for specific sectors/processing activities/type of personal data are:

  • Telecommunications and electronic communications: Law 9/2014 of 9 May, General Telecommunications (“Ley 9/2014, de 9 de mayo, General de Telecomunicaciones”). This law regulates, among other matters, the processing of personal data in the telecommunications sector, the data protection rights of users and subscribers, and traffic and location data.
  • Payment services: Royal Decree-Law 19/2018 of 23 November of payment services and other urgent financial measures (“Real Decreto-ley 19/2018, de 23 de noviembre, de servicios de pago y otras medidas urgentes en materia financiera”). This Royal Decree-Law regulates the processing of personal data in the payment services sector.
  • Insurance sector: Royal Decree-Law 3/2020 of 4 February on urgent measures transposing into Spanish law various European Union directives in the field of public procurement in certain sectors; private insurance; pension plans and funds; taxation and tax litigation (“Real Decreto-ley 3/2020, de 4 de febrero, de medidas urgentes por el que se incorporan al ordenamiento jurídico español diversas directivas de la Unión Europea en el ámbito de la contratación pública en determinados sectores; de seguros privados; de planes y fondos de pensiones; del ámbito tributario y de litigios fiscales”). This Royal Decree-Law regulates the processing of personal data in the insurance sector and sets up certain requirements for the processing of several entities that may participate in the processing (insurance companies, brokers, etc).
  • Prevention of occupational risks: Law 31/1995 of 8 November on the Prevention of Occupational Risks (“Ley 31/1995, de 8 de noviembre, de Prevención de Riesgos Laborales”). This Law sets up a duty for the employer to protect workers against occupational risks and guarantee the safety and health of all workers at their service in aspects related to work. In particular, in the context of the Covid-19 pandemic, the worker must inform his/her employer in case of suspected contact with the virus, in order to safeguard his/her own health and that of other workers in the workplace through appropriate measures.
  • Processing and public access to official documents: Access to official public documents that contain personal data is governed by Law 19/2013 of 9 December on transparency, access to public information and good governance (“Ley 19/2013, de 9 de diciembre, de transparencia, acceso a la información pública y buen gobierno”), by the GDPR and by Organic Law 3/2018.
  • Clinical information and documentation: Law 41/2002 of 14 November regulating patient autonomy and rights and obligations regarding clinical information and documentation (in Spanish “Ley 41/2002, de 14 de noviembre, básica reguladora de la autonomía del paciente y de derechos y obligaciones en materia de información y documentación clínica”). This Law regulates the processing of personal data concerning health and sets up the minimum data retention period.
  • Processing of personal data carried out by the Courts of Justice: The processing of data carried out by the Courts of Justice in connection with the proceedings over which they have jurisdiction, as well as the processing carried out within the management of the “Judicial Office”, is governed by the GDPR and Organic Law 3/2018, without prejudice to the provisions of Organic Law 6/1985 of 1 July on the Judicial Power (“Ley Orgánica 6/1985, de 1 de julio, del Poder Judicial”), where applicable.
  • Consent of minors: The processing of personal data based on consent: a) is possible for minors over 14 years of age, and b) for minors under 14 years of age, is only lawful if consent is given by the parent or guardian.

2. Data protection authority

  • Agencia Española de Protección de Datos (AEPD) (Spanish Data Protection Agency)
    www.aepd.es

There are three regional authorities with competences in relation to data processing carried out by regional and local public bodies.

There is one authority with competences in relation to data processing carried out by courts acting in their judicial capacity.

3. Anticipated changes to local laws

Even though there are no anticipated changes to local laws, the following Draft Bills may be relevant: 

  • Organic Law on the protection of personal data for the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties (“Proyecto de Ley Orgánica de Protección de Datos Personales tratados para fines de prevención, detección, investigación y enjuiciamiento de infracciones penales y de ejecución de sanciones penales”). The purpose of this Organic Law is to adopt the transposition measures to comply with Directive (EU) 2016/680.
  • Draft bill on distance working (“Proyecto de Ley de trabajo a distancia”). Article 17 of the draft bill includes the right to privacy and data protection in accordance with Organic Law 3/2018. This article contains two relevant provisions: a) the use of telematic means and the monitoring of work by means of automatic devices must respect the right to privacy and data protection, taking into account the principles of suitability (“idoneidad”), necessity and proportionality of the means used; b) businesses should establish criteria for the use of digital devices, respecting in all cases the minimum standards of privacy protection in accordance with social customs and legally and constitutionally recognised rights.

4. Sanctions & non-compliance

Administrative sanctions:

The AEPD has enforcement powers in administrative proceedings only. Administrative sanctions against private data controllers and processors may consist of a fine or a reprimand, in accordance with the GDPR.

Public authorities and bodies established in Spain and listed in Art. 77 of the Organic Law 3/2018, when acting as data controllers or processors, shall be sanctioned with a reprimand (instead of a fine).

For the purposes of the limitation periods applicable to infringements, Articles 72 to 74 of the law classify infringements as very serious, serious and minor. These articles list specific conduct that constitutes an infringement, in addition to the infringements set out in Article 83 of the GDPR.

In addition to the criteria for graduating fines set out in Article 83(2) of the GDPR, Organic Law 3/2018 adds further criteria, such as: the continued nature of the infringement; the link between the offender's activity and the processing of personal data; the benefits obtained from the infringement; the possibility that the data subject's own conduct contributed to the infringement; and the existence of a merger by absorption after the infringement was committed, where the infringement cannot be attributed to the absorbing entity (Art. 76).

Criminal sanctions:

There are no criminal sanctions in the Organic Law 3/2018.

Others:

Claims for individual (material or non-material) damages must be brought before the competent courts; in this case, the civil courts have jurisdiction.

5. Registration / notification / authorisation

Registration or notification of processing operations or filing systems is not provided for by Organic Law 3/2018.

Registration is required for:

  • Binding Corporate Rules (BCRs) authorised by the Spanish Data Protection Agency. In 2020 the Spanish Data Protection Agency authorised BCRs;
  • Codes of Conduct. In 2020 the Spanish Data Protection Agency registered the code of conduct for the processing of personal data in marketing and there are another 13 codes of conduct registered for several sectors such as health, e-commerce, insurance, health research and universities.

The following notifications must be sent to the competent data protection authority:

  • Appointment, modification or deletion of the appointment of the Data Protection Officer (DPO) according to Art. 37(7) of the GDPR;
  • Data breaches according to Art. 33 of the GDPR.

Prior authorisation is required for international data transfers to countries or international organisations without an adequacy decision of the Commission or appropriate safeguards. This authorisation is subject to the opinion of the European Data Protection Board (EDPB), in accordance with the GDPR.

6. Main obligations and processing requirements

The following requirements, where applicable, should be considered:

  • Transparency and information: Where personal data are collected from the data subject, Organic Law 3/2018 allows the controller to provide, as a minimum, basic information on the processing (the identity of the controller and, where applicable, its representative; the purposes of the processing; and how to exercise the data subject's rights under Arts. 15 to 22 of the GDPR) together with an electronic address or other means giving access to the remaining information (Art. 11(1)). Where the data have not been obtained from the data subject, the minimum information is the categories of personal data processed and their sources, again together with an electronic address or other means giving access to the remaining information (Art. 11(2)).
  • Personal data concerning administrative infringements: Personal data concerning administrative infringements and sanctions may only be processed by the bodies competent for the investigation and sanctioning procedure, and only to the extent strictly necessary for that purpose. Outside that case, such data may only be processed: a) with the data subject's consent or under a law authorising the processing, or b) by lawyers or solicitors when the purpose is to collect the information provided by their clients for the exercise of their functions (Art. 27).
  • Record of processing activities of public authorities and bodies: Public authorities and bodies listed in Art. 77 Organic Law 3/2018 shall publish their record of processing activities. This record shall include the information set up in Art. 30 of the GDPR and the legal basis (Art. 31).
  • Blocking of personal data: The controller must block data when they are rectified or erased. Blocking consists of identifying and reserving the data and adopting technical and organisational measures to prevent their processing, including their visualisation, except to make them available to judges and courts, the Public Prosecutor's Office or the competent Public Administrations, in particular the data protection authorities, for the establishment of any liabilities arising from the processing, and only for the limitation period of those liabilities. Once that period has elapsed, the data must be deleted (Art. 32).
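The blocking obligation above is a data-lifecycle rule that engineers often get wrong by hard-deleting on an erasure request. The following is an added example, not code from the original guide or from the AEPD, of how a record store can implement it: rectified or erased data move to a blocked state in which ordinary processing, including reading, is refused; only a role standing in for the courts, prosecutors and competent authorities may read them; and a purge job deletes them once the limitation period has elapsed. The role name `legal_hold`, the three-year limitation period used in the usage call, the record layout and the sample records are assumptions constructed for the example.

```python
"""Added example: "blocking" of personal data as a record state (not the AEPD's
or any project's code). Role names, periods and record layout are assumptions."""
from __future__ import annotations

from dataclasses import dataclass
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    ACTIVE = "active"
    BLOCKED = "blocked"


# Assumption: the organisation maps "judges and courts, the Public Prosecutor's
# Office or the competent Public Administrations" onto this access-control role.
LEGAL_HOLD_ROLES = frozenset({"legal_hold"})


@dataclass
class Record:
    data: dict
    state: State = State.ACTIVE
    blocked_at: Optional[int] = None   # unix seconds
    erase_after: Optional[int] = None  # end of the limitation period


class BlockingStore:
    """Personal-data store in which erasure and rectification block rather than delete."""

    def __init__(self, limitation_seconds: int) -> None:
        self._limitation = limitation_seconds
        self._records: Dict[str, Record] = {}

    def create(self, record_id: str, data: dict) -> None:
        self._records[record_id] = Record(data=dict(data))

    def _block(self, rec: Record, now: int) -> None:
        rec.state = State.BLOCKED
        rec.blocked_at = now
        rec.erase_after = now + self._limitation

    def erase(self, record_id: str, now: int) -> None:
        """Erasure request: the record is blocked, not deleted, until the limitation period ends."""
        self._block(self._records[record_id], now)

    def rectify(self, record_id: str, new_data: dict, now: int) -> str:
        """Rectification: the inaccurate version is kept blocked under its own id (returned)
        so liabilities can still be established; the corrected version becomes active."""
        old = self._records[record_id]
        self._block(old, now)
        blocked_id = f"{record_id}:blocked:{now}"
        self._records[blocked_id] = old
        self._records[record_id] = Record(data=dict(new_data))
        return blocked_id

    def read(self, record_id: str, role: str, now: int) -> dict:
        """Ordinary processing. Blocked data are invisible except to legal-hold roles,
        and never readable once the limitation period has elapsed."""
        rec = self._records.get(record_id)
        if rec is None:
            raise KeyError(record_id)
        if rec.state is State.BLOCKED:
            if now >= rec.erase_after:
                raise KeyError(record_id)  # purge is due; treat as already deleted
            if role not in LEGAL_HOLD_ROLES:
                raise PermissionError(f"{record_id} is blocked")
        return dict(rec.data)

    def state_of(self, record_id: str) -> Optional[str]:
        rec = self._records.get(record_id)
        return None if rec is None else rec.state.value

    def purge(self, now: int) -> List[str]:
        """Scheduled job: delete blocked records whose limitation period has elapsed."""
        expired = [rid for rid, rec in self._records.items()
                   if rec.state is State.BLOCKED and now >= rec.erase_after]
        for rid in expired:
            del self._records[rid]
        return sorted(expired)


if __name__ == "__main__":
    three_years = 3 * 365 * 24 * 3600  # assumption: limitation period
    store = BlockingStore(three_years)
    store.create("u1", {"name": "Ana", "email": "ana@example.com"})  # constructed sample
    store.erase("u1", now=1_700_000_000)
    print(store.state_of("u1"))                          # blocked
    print(store.read("u1", "legal_hold", now=1_700_000_001))
    print(store.purge(now=1_700_000_000 + three_years))  # ['u1']
```

The point of the design is that the application's ordinary read path cannot tell a blocked record from a deleted one, while the legal-hold path still can, and the purge is driven by the limitation period rather than by the original erasure request.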

7. Data subject rights

There are some deviations from the GDPR on the rights of access, rectification, erasure and restriction.

Access: Under Art. 12(5) of the GDPR, exercising this right on more than one occasion during a six-month period may be considered repetitive unless there is a legitimate reason for doing so.

If the data subject chooses a means other than the one offered by the controller for access that entails a disproportionate cost, the request shall be considered excessive and the subject shall pay for the excess costs.

Rectification: Where appropriate, the data subject shall attach documentation substantiating the inaccuracy or incompleteness of the personal data processed.

Erasure: Where erasure follows an objection to direct marketing under Art. 21(2) of the GDPR, the controller may retain the identification data of the data subject that are needed to prevent future processing for direct marketing purposes.

Restriction of processing: The Organic Law 3/2018 specifies that restriction should be clearly stated in the data controller´s information systems. 

Organic Law 3/2018 also regulates, in its Title X on the guarantee of digital rights, the right to be forgotten (Arts. 93 and 94) and data portability in social networks (Art. 95). The right to be forgotten applies to the processing of personal data wholly or partly by automated means and to the processing other than by automated means of personal data that form part of a filing system or are intended to form part of a filing system; the right to data portability in social networks is not limited to personal data. As a result, the Spanish Data Protection Agency is competent for the right to be forgotten, but not for the portability of content other than personal data in social networks.

The data subject's rights (Arts. 15 to 22 of the GDPR) may be exercised directly or through a legal or voluntary representative. In the case of minors under 14 years of age, parents or guardians may exercise the rights on their behalf and in their name.

8. Processing by third parties

In addition to the GDPR the following provisions must be considered when a data processor acts on behalf of a data controller.

If agreed in the contract or other legal act with the data controller, the processor may manage on behalf of the controller the requests of data subjects´ rights (Art. 12(3) Organic Law 3/2018).

According to Art. 33(3) of the Organic Law 3/2018 if there is a legal provision on the retention of personal data, the data processor shall return the personal data to the data controller that shall ensure their retention while the obligation is applicable.

The data processor may retain personal data, duly blocked, for as long as any liability arises from its relationship with the data controller.

For third parties (data processors) providing a service under concession, management entrustment or contract that involves the processing of personal data to a Public Administration, the security measures shall correspond to those of the originating Public Administration and shall comply with the National Security Scheme (Esquema Nacional de Seguridad) (First Additional Provision of the Organic Law 3/2018 on the security measures in the public sector).

Finally, any data processing agreement (contract or other legal act) entered into before 25 May 2018 under Article 12 of the repealed Organic Law 15/1999 remains in force until the expiry date stated in it and, if agreed for an indefinite term, until 25 May 2022.

During these periods, either party may require the other to modify the contract so that it complies with the provisions of Article 28 GDPR and Article 33 Organic Law 3/2018.

9. Transfers out of country

There are no derogations from the GDPR.

10. Data Protection Officer

Organic Law 3/2018 applies the same criteria as Article 37 GDPR to DPO appointment obligations. However, for the avoidance of doubt, Art. 34 of Organic Law 3/2018 expressly requires certain entities to appoint a DPO, including: professional associations; educational centres; entities operating networks and providing electronic communications services; information society service providers; credit institutions and/or financial companies; insurance companies; investment service companies; energy distributors and traders; entities responsible for files on financial solvency and creditworthiness; companies carrying out marketing and commercial research activities; health centres; gambling operators operating through electronic means; private security companies; and sports federations when processing minors' data.

Organic Law 3/2018 sets out that DPOs are not personally responsible for non-compliance with the GDPR (Art. 70.2). As in the case of the GDPR, the Organic Law 3/2018 makes it clear that data protection compliance is the responsibility of the controller or the processor and, as stated in the GDPR, they must ensure and be able to demonstrate it.

Additionally, it establishes a ten-day period for controllers and processors to notify appointments, modifications and removals of DPOs to the AEPD or the regional data protection authorities, both when the appointment is mandatory and when it is voluntary (Art. 34.3).
Organic Law 3/2018 specifies that the AEPD and the regional data protection authorities will maintain an updated list of DPOs that will be accessible by electronic means (Art. 34.4).
On 10 January 2020 the AEPD released an updated version (v.1.4) of the Certification Scheme of Data Protection Officers. Under this version the DPOs may use the certification mark, and the training entities must include certain information on the training programme on their websites. This certification is voluntary for DPOs. It was adopted as “a valid tool for the objective, impartial assessment of the competence of an individual to carry out a specific activity”.

Organic Law 3/2018 also regulates the intervention of the DPO when a complaint is made to a data protection authority: the data subject may first address the DPO, who may resolve the complaint before it is brought before the AEPD (within a maximum of two months from receipt of the complaint) (Arts. 37 and 65.4).

11. Security

Public Administrations and third parties (data processors) providing a service under concession, management entrustment or contract that involves the processing of personal data to a Public Administration, shall comply with the National Security Scheme (Esquema Nacional de Seguridad), approved by Royal Decree 3/2010 of 8 January 2010.

12. Breach notification

There are no derogations from the GDPR.

There is an electronic procedure for notifying data breaches to the AEPD (available only in Spanish). It requires an electronic certificate or Cl@ve PIN, a PIN code used to identify oneself and sign in many procedures with the Public Administrations and other public entities, as in this case.

The Spanish Data Protection Agency has published a guide on personal data breaches and their notification.

13. Direct marketing

Electronic commercial communications via email: Electronic commercial communications via email (an opt-in system) are governed by Law 34/2002 of 11 July on information society services and electronic commerce (“LSSI”). As a best practice, the AEPD recommends using a “double opt-in” mechanism to demonstrate consent.

In this regard, the AEPD has issued a report expressly stating that the LSSI, as special legislation, prevails over the data protection regulation. Under Article 21(1) LSSI, sending electronic commercial communications by email is forbidden unless they have been requested or expressly authorised by the recipient (including legal entities).
As an exception to this rule, commercial communications may also be sent where there is a prior contractual relationship and lawfully obtained personal data are used to send communications about the sender's own products or services that are similar to those initially contracted by the customer (“soft opt-in”).

Companies must always include an easy and free procedure that allows the data subject to object to the use of his or her personal data for electronic commercial communications sent via email.
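The double opt-in recommended above, together with the free objection route required in the previous paragraph, is a mechanism rather than a rule, so an added example follows. It is not code from the original guide or from the AEPD. The confirmation token is an HMAC over the normalised address and the issue time, so it needs no server-side table of random tokens; confirmation is accepted only while the token is fresh, and records the evidence (times, IP addresses, wording version) a controller needs to demonstrate consent; an objection keeps the address as a suppression entry, in line with the erasure rule in section 7, until the person positively re-confirms. `SECRET`, the 48-hour validity, the consent-text version label and the sample addresses and IP addresses are assumptions constructed for the example.

```python
"""Added example (not the AEPD's or the original guide's code): double opt-in for
e-mail marketing consent plus the objection path. SECRET, TOKEN_TTL and
CONSENT_TEXT_VERSION are assumptions for the example."""
import hashlib
import hmac
import secrets
from dataclasses import asdict, dataclass
from typing import Dict, Optional

SECRET = secrets.token_bytes(32)       # assumption: per-deployment key from a secret store
TOKEN_TTL = 48 * 3600                  # assumption: confirmation link valid for 48 hours
CONSENT_TEXT_VERSION = "marketing-v1"  # assumption: identifies the wording shown to the user


def _norm(email: str) -> str:
    return email.strip().lower()


def make_token(email: str, issued_at: int) -> str:
    """Stateless confirmation token: issue time plus HMAC(address | issue time)."""
    msg = f"{_norm(email)}|{issued_at}".encode()
    return f"{issued_at}.{hmac.new(SECRET, msg, hashlib.sha256).hexdigest()}"


def verify_token(email: str, token: str, now: int) -> bool:
    """Accept only a fresh, unmodified token that was issued for this address."""
    try:
        issued_at = int(token.split(".", 1)[0])
    except ValueError:
        return False
    if issued_at > now or now - issued_at > TOKEN_TTL:
        return False
    return hmac.compare_digest(make_token(email, issued_at), token)


@dataclass
class ConsentRecord:
    """Evidence kept to demonstrate consent (or objection) for one address."""
    requested_at: int
    request_ip: str
    text_version: str = CONSENT_TEXT_VERSION
    confirmed_at: Optional[int] = None
    confirm_ip: Optional[str] = None
    objected_at: Optional[int] = None


class ConsentStore:
    def __init__(self) -> None:
        self._records: Dict[str, ConsentRecord] = {}

    def request(self, email: str, ip: str, now: int) -> str:
        """Step 1: the address is submitted; return the token to embed in the
        confirmation link. No marketing is sent until step 2 succeeds."""
        email = _norm(email)
        self._records.setdefault(email, ConsentRecord(requested_at=now, request_ip=ip))
        return make_token(email, now)

    def confirm(self, email: str, token: str, ip: str, now: int) -> bool:
        """Step 2: the link is clicked. A valid token records consent and lifts any earlier objection."""
        email = _norm(email)
        rec = self._records.get(email)
        if rec is None or not verify_token(email, token, now):
            return False
        rec.confirmed_at, rec.confirm_ip, rec.objected_at = now, ip, None
        return True

    def unsubscribe(self, email: str, now: int) -> None:
        """Free objection route: keep the address as a suppression entry rather than deleting it."""
        email = _norm(email)
        rec = self._records.setdefault(email, ConsentRecord(requested_at=now, request_ip=""))
        rec.objected_at = now

    def may_send(self, email: str) -> bool:
        rec = self._records.get(_norm(email))
        return rec is not None and rec.confirmed_at is not None and rec.objected_at is None

    def evidence(self, email: str) -> Optional[dict]:
        rec = self._records.get(_norm(email))
        return None if rec is None else asdict(rec)


if __name__ == "__main__":
    store = ConsentStore()
    t0 = 1_700_000_000
    token = store.request("Ana@Example.com", "203.0.113.5", now=t0)  # constructed sample
    print(store.confirm("ana@example.com", token, "203.0.113.9", now=t0 + 60))  # True
    print(store.may_send("ana@example.com"))                                     # True
    store.unsubscribe("ana@example.com", now=t0 + 1000)
    print(store.may_send("ana@example.com"))                                     # False
```

Because the token is bound to the address, a confirmation link forwarded to someone else cannot confirm a different address, and because it carries its own issue time the expiry check needs no database lookup. The suppression entry survives until a new, positively confirmed request, which is what lets the sender show why a given address is or is not being mailed.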

Commercial communications by regular (postal) mail or telephone are governed by Organic Law 3/2018 (which does not cover legal entities). Before carrying out direct marketing, the advertising exclusion systems must be consulted so as not to process the data of data subjects who have objected to or refused this use of their personal data. This consultation is not required where the data subject has given consent to receive the communication to the party intending to send it (Art. 23).

14. Cookies and adtech

Article 22 of Law 34/2002 of 11 July on information society services and electronic commerce (“LSSI”) provides that cookies may be stored on recipients' computers or equipment when the data subjects have given their consent after being fully and clearly informed of the purpose of those technologies, in particular their use for data processing, in accordance with the requirements of data protection law.

Notwithstanding that provision, the Spanish Data Protection Agency (AEPD) has established that, since the GDPR became fully applicable, the consent requirements for the use of cookies are those laid down in the GDPR.

The AEPD has published additional guidelines on cookies and similar technologies (eg local shared objects or flash cookies) adapted to the GDPR, Organic Law 3/2018 and EDPB Guidelines 05/2020 on consent under the GDPR. The guidelines are available on the AEPD's website.

15. Risk scale

Severe

The Spanish Data Protection Agency has released several guidelines and other publications on topics such as cookies and data breaches. The following are available in English:

  • Guide on use of cookies;
  • Technologies and Data Protection in Public Administrations;
  • Guidelines for Data Protection by Default;
  • Guide to Privacy by Design;
  • Guidelines for social distancing and access control apps due to COVID-19;
  • FAQ COVID-19;
  • Technologies in the fight against COVID-19. A cost-benefit analysis;
  • Introduction to 5G technologies and their risk in terms of privacy;
  • GDPR compliance on processing that embeds Artificial Intelligence, an introduction;
  • Audit requirements for Personal Data Processing Activities involving AI;
  • Recommendations to protect personal data in situations of mobility and telecommuting.

Cybersecurity

1. Local cybersecurity laws and scope

The National Cyber Security Strategy was adopted in 2019 (implementing the provisions of the 2017 National Security Strategy and updating the previous version adopted in 2013). The aim of the current Strategy is to promote a secure and reliable cyberspace. It sets five specific goals and seven lines of action, such as strengthening the cybersecurity of citizens and companies and contributing to international cyberspace security.

On this basis, there is not a single regulation but several rules that make up the Spanish cybersecurity regulatory framework. The Cybersecurity Law Code, published by the Spanish Official Journal in cooperation with the Spanish Cybersecurity National Institute (INCIBE), collates the main legislation related to information security and the protection of cyberspace, of which the following is most relevant:

National Security Law:

  • Law 36/2015 of 28 September on National Security (National Security Law).
  • Order PRA/33/2018 of 22 January publishing the Agreement of the National Security Council regulating the National Cybersecurity Council.
  • Order PRA/116/2017 of 9 February publishing the Agreement of the National Security Council implementing the mechanisms to ensure the integrated operation of the National Security System (NSS Mechanisms Order).

Public sector:

  • Royal Decree 3/2010, of 8 January, regulating the National Security Scheme in the field of e-Government (National Security Scheme).
  • Royal Decree 4/2010, of 8 January, regulating the National Interoperability Scheme in the field of e-Government (National Interoperability Scheme).
  • Order PRE/2740/2007, of 19 September, approving the Regulation on the Information Security Evaluation and Certification Scheme (Regulation on the Information Security Evaluation and Certification Scheme).

Critical Infrastructure:

  • Law 8/2011 of 28 April implementing measures for the protection of critical infrastructure (CIP Law).
  • Royal Decree 704/2011 of 20 May approving the Regulation on the protection of critical infrastructure (CIP Regulation).
  • Decision of the State Secretariat for Security, of 8 September 2015, approving the new minimum content of the Operator’s Security Plans and the Specific Protection Plans (Decision on the Operator’s Security Plans and Specific Protection Plans).

Network and Information System Security:

  • Royal Decree-Law 12/2018 of 7 September on Network and Information System Security.
  • Royal Decree-Law 8/2020 of 17 March 2020 on urgent extraordinary measures to deal with the economic and social impact of COVID-19.
  • Royal Decree 43/2021 of 26 January developing Royal Decree-Law 12/2018 of 7 September on Network and Information System Security.

Telecommunications (Telecoms):

  • Law 9/2014 of 9 May General Telecommunications (Telecoms Act).
  • Royal Decree 424/2005 of 15 April 2005 approving the Regulation on the conditions for the provision of electronic communication services, universal service and users’ protection (the Universal Service Regulation).
  • Royal Decree 381/2015 of 14 May 2015 establishing measures against unauthorised traffic and irregular traffic for fraudulent purposes in electronic communications (the Unauthorised and Irregular Traffic Regulation).
  • Law 25/2007 of 18 October on the conservation of data relating to electronic communications and public communications networks.

2. Anticipated changes to local laws

No changes are expected at national level before the proposed NIS2 Directive is adopted at EU level, but the draft bill on 5G cybersecurity should be taken into account. The purpose of the future law is to regulate the security requirements for the deployment and operation of electronic communications networks, and the provision of electronic communications services, based on 5G technology. The law will apply to: operators of 5G-based electronic communications networks and services; suppliers; manufacturers and providers of terminal equipment and connected devices; and corporate users holding rights of use over the public radio spectrum that they use to operate networks or to self-provide services with specific 5G-based capabilities. The law includes obligations, infringements and fines of up to EUR 20m.

3. Application 

National Security Law: regulates (i) the basic principles, the higher Public Administration bodies, authorities and main components of National Security; (ii) the National Security System and the management, organisation and coordination thereof; (iii) crisis management; and (iv) the contribution of resources to National Security. It includes cybersecurity among the areas of particular concern to National Security. This Law applies to public administrations and, on the terms set out therein, to natural persons and legal entities.

National Security Scheme: regulates the security policy to be applied in the use of electronic means in the context of the public sector, laying down the basic principles and minimum requirements for a proper protection of information to be applied by Public Administrations. It does not cover information systems governed by official secrets regulations.

National Interoperability Scheme: regulates the criteria and recommendations in terms of security, preservation and standardisation of information, formats and applications to be considered by the Public Administrations to ensure an adequate level of interoperability of the data, information and services they manage, and to avoid citizens’ discrimination on grounds of their technological choices.

CIP Law: sets out the framework for the protection of critical infrastructure, introducing measures and obligations for the public and the private sectors. It promotes the coordination and involvement of public administrations and managing bodies or owners of the infrastructure providing essential services. The strategic sectors covered by the Law are administration, space, nuclear, chemicals, research facilities, water, energy, health, ICT, transport, food, and financial services & tax.

Network and Information System Security: Royal Decree-Law 12/2018 and its implementing regulation transposed the NIS Directive into Spanish law and set up the cybersecurity framework for operators of essential services and digital service providers. Royal Decree-Law 12/2018 applies to the provision of: a) essential services that depend on network and information systems and fall within the strategic sectors defined in the annex to the CIP Law, and b) digital services (online marketplaces, online search engines and cloud computing services). Operators of electronic communications networks and services are subject to this framework when established in Spain. Out of the scope of Royal Decree-Law 12/2018 are operators of electronic communications networks and services and trust service providers that are not designated as critical operators under the CIP Law, and digital service providers that are micro or small enterprises.

Telecoms Act: the main piece of legislation governing the provision of electronic communications networks and services. Among other regulatory obligations, electronic communications operators are subject to a number of security requirements aimed at ensuring the secrecy of communications, the protection of personal data, and the integrity and security of networks and services.

4. Authority

Critical Infrastructure:

State Secretary for Security
http://www.interior.gob.es/el-ministerio/funciones-y-estructura/secretaria-de-estado-de-seguridad

National Centre for the Protection of Critical Infrastructure (CNPIC)
www.cnpic.es

Note: Other institutions and authorities have responsibilities for the proper operation of essential services or citizen security (ie competent Ministries and bodies with regard to each relevant strategic sector, autonomous communities and cities, etc).

Network and Information System Security:

National Centre for the Protection of Critical Infrastructures (CNPIC) (for critical operators)
www.cnpic.es

State Secretary for Digital Progress of Ministry of Economy and Enterprise (for digital service providers)
https://avancedigital.mineco.gob.es/

Telecoms:

Ministry of Energy, Tourism and Digital Agenda
www.minetad.gob.es

5. Key obligations 

Critical infrastructure

Under the CIP Law, operators must cooperate with competent authorities to optimise the protection of the critical infrastructure they manage. This includes:

  • Cooperating in the performance of risk analysis;
  • Preparing an Operator Security Plan and, for each infrastructure considered critical, a Specific Protection Plan;
  • Appointing a Security Liaison Officer and, for each critical infrastructure, a Security Officer.

Public Sector

The National Security Scheme lays down the minimum security requirements to be adopted by the public sector. Accordingly, the higher bodies of public administrations must implement a security policy, articulate the ongoing management of security and comply with certain minimum requirements (among others, organisation and implementation of the security process, risk analysis and management, authorisation and access control, protection of premises, security by default, and system integrity and updating).

Under the National Interoperability Scheme, the security conditions applicable to the services of the Public Administrations which are available through electronic means, and the measures to ensure the retention/preservation of electronic documents, must be in accordance with data protection regulations, the National Security Scheme and the relevant legal instruments to be signed by the Public Administrations.

Network and Information System Security:

  • Operators of essential services and digital service providers shall:
    • take appropriate and proportionate technical and organisational measures to manage the risks posed to the security of the networks and information systems used;
    • take appropriate measures to prevent and minimise the impact of incidents affecting them.
  • Operators of essential services shall: 
    • notify the competent authority of incidents likely to have a significant disruptive effect on those services;
    • designate and inform the competent authority of the person, unit or collegiate body responsible for information security as the point of contact and technical coordination with the competent authority.

Telecoms

The operators of networks and services of electronic communications available to the public shall:

  • Adopt the technical measures required to ensure the secrecy of communications;
  • Comply with specific privacy obligations;
  • Manage security risks appropriately so as to guarantee an adequate level of security and to avoid or minimise the impact of security incidents;
  • Guarantee the integrity of the networks to ensure the continuity of the services using such networks;
  • Report security incidents and data breaches;
  • Guarantee the greatest possible availability of publicly available telephony services over public communications networks in the event of catastrophic network failure or force majeure, adopting all measures required to guarantee uninterrupted access to emergency services.

6. Sanctions & non-compliance 

Administrative sanctions: 

Enforcement

Neither the National Security Law nor the CIP Law designates a specific authority for enforcement purposes.

The Royal Decree-Law 12/2018 on Network and Information Systems Security designates as competent authority for enforcement purposes: (i) for very serious infringements, the competent Ministry pursuant to article 9; and (ii) for serious and minor infringements, the body of the competent authority determined by the regulations implementing the Royal Decree-Law.

The Ministry of Energy, Tourism and Digital Agenda is responsible for enforcing the electronic communications regulatory framework.

Penalties

The National Security Law and the CIP Law do not lay down a sanction regime for failing to comply with the provisions thereof.

Under Royal Decree-Law 12/2018 on Network and Information Systems Security, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a minor breach, reprimand or fine of up to EUR 100,000.
  • If considered a serious breach, fines of up to EUR 500,000.
  • If considered a very serious breach, fines of up to EUR 1m.

Under the Telecoms Act, the breach of the relevant obligations by operators may be sanctioned as follows:

  • If considered a minor breach, fines of up to EUR 50,000.
  • If considered a serious breach, fines of up to EUR 2m.
  • If considered a very serious breach, fines of up to EUR 20m.

The Spanish Criminal Code also punishes a number of cybercrimes including, for instance, illegal access to information systems, interception of data transmissions and computer damage.

7. Is there a national computer emergency response team (CERT) or computer security incident response team (CSIRT)? 

CSIRTs are incident response teams that analyse risks and monitor incidents on a national scale, disseminate alerts about them and provide solutions to mitigate their effects.

Under Royal Decree-Law 12/2018 on Network and Information System Security, the reference CSIRTs are the following:

  • The CCN-CERT, of the National Cryptologic Centre;
  • The INCIBE-CERT, of the National Institute of Cybersecurity of Spain. INCIBE-CERT will be operated jointly by INCIBE and CNPIC in all matters relating to the management of incidents affecting critical operators;
  • ESPDEF-CERT, of the Ministry of Defence, which will cooperate with CCN-CERT and INCIBE-CERT in the situations where those teams require its support for operators of essential services and, necessarily, for operators with an impact on National Defence, as determined by regulation.

8. National cybersecurity incident management structure

The National Security Law sets forth a procedure to manage crises affecting National Security, including a coordinated response to the relevant threats. Cybersecurity is one of the areas of particular concern to National Security, so a cyber incident should be dealt with through this procedure when its effects, dimension, urgency and cross-cutting nature are severe enough to require intensified cooperation from the competent public authorities. In these cases, the Prime Minister coordinates the response to the risk or threat by defining the nature and scope of the crisis, appointing, if necessary, an authority in charge of coordination, the powers to be granted to that authority for that purpose, and the human and material resources to be provided by other authorities to contribute to resolving the crisis. The Government is obliged to inform Congress immediately of the measures adopted and of the evolution of the crisis.

Notwithstanding the foregoing, the management procedure for responding to cybersecurity incidents generally depends on the specific sector concerned. For instance, as regards critical infrastructures, the response to and management of cyber incidents is carried out in accordance with the applicable planning instruments (i.e. the National Plan for the Protection of Critical Infrastructure, Sector Strategic Plans, Operator Security Plans, Specific Protection Plans and Operational Support Plans). These instruments are classified, so their content is not publicly available.

In 2019 Spain published a National Cybersecurity Incident Notification and Management Guide. The purpose of this guide is to provide information security managers with guidelines on reporting cybersecurity incidents to the competent public authorities in each case. It establishes a detailed notification model based on a series of impact criteria and classifies incidents into five levels of danger (critical, very high, high, medium and low). The Guide was released by the Ministry of the Interior. In 2020 an updated version of the Spanish National Guidelines for Reporting and Managing Cyber Incidents was published. The guidelines describe a one-stop-shop mechanism: a report is sent by email or ticket to the corresponding CSIRT (INCIBE-CERT or CCN-CERT), which, depending on the incident, indicates which authority is competent to receive the notification.

These guidelines include:

  • A uniform classification/taxonomy of cyber incidents;
  • The notification impacts and thresholds;
  • Metrics and indicators of reference recommended to measure the level of implementation and efficiency of the incident management process.

In addition to these guidelines, INCIBE-CERT has published an Appendix ("Cyber incident management procedure for the private sector and citizenry") to support the management and reporting of cyber incidents.

9. Other cybersecurity initiatives 

Numerous recommendations, guidelines and codes of practice regarding cybersecurity have been issued by authorities and institutions including INCIBE, INCIBE-CERT and CCN-CERT. For instance:

  • INCIBE guidelines on cloud computing, ransomware, secure deletion of information, secure storage of information, management of security incidents, cybersecurity in e-commerce and security risk management.
  • INCIBE-CERT Guide on cybersecurity in wireless communications in industrial environments; Guide on Industrial Protocols Security – Smart Grids; and Situation of malware for Android.
  • CCN-CERT Principles and basic recommendations on cybersecurity, and Good Practice Reports on e-commerce, mobile devices, web browsers, ransomware and IoT.
  • National Cybersecurity Strategy.
  • Report on Cyber Threats and Trends, 2020 edition (only available in Spanish).
  • National Institute of Cybersecurity (Instituto Nacional de Ciberseguridad, INCIBE).
  • National Cryptologic Centre (Centro Criptológico Nacional, CCN).
Javier Torre de Silva
Partner
Madrid