Data protection in Spain
If you are living, working or running a business, club, association, community or any other organisation in Andalucia, you are advised to understand data protection law as it applies to you.
“Everyone has the right to respect for his private and family life, his home and his correspondence” according to the European Convention for the Protection of Human Rights.
Information relating to individuals is called ‘personal data’ and it can be anything that identifies an individual. It is collected and used in many aspects of our everyday life, for example signing up for gym membership, opening a bank account, buying an aeroplane ticket.
This data may of course subsequently be used for other purposes and shared with other parties, and with the advancement of computers and the Internet personal data can be used and moved with ever greater ease.
For this reason the European Union published the Data Protection Directive (95/46/EC) which was intended to remove the obstacles to the free movement of data without diminishing the protection of personal data. The member states were required to bring their national legislation in line with the provisions of the directive. This was followed by the adaptive General Data Protection Regulation (GDPR) which came into force on the 25th May 2018.
In Spain this was first done by means of the “Ley Orgánica 15/1999, de 13 de diciembre de Protección de Datos de Carácter Personal” ("B.O.E." núm. 298, de 14 de diciembre de 1999) which came into force on the 14th January 2000. This was known as the LOPD. By 25th May 2018 all entities were also required to adapt their data protection policies in line with the Reglamento General de Protección de Datos or RGPD.
The original EU directive requires that each member state must provide a supervisory authority. One of the primary responsibilities of this authority is to maintain an updated public register so that the public has access to the names of all data controllers and the type of processing they do.
The Spanish Supervisory Authority is the Agencia Española de Protección de Datos in Madrid. They publish a comprehensive website at www.agpd.es which includes a section on “English Resources”.
DELEGADO DE PROTECCIÓN DE DATOS (DPD)
Under GDPR / RGPD a "Delegado de Protección de Datos" (DPD) replaced the Data Controller. This is the person who is responsible for the data in any kind of organisation – be it a club, a small business, a multinational company or simply a community of property owners. Many readers will not realise they are actually data controllers. A club secretary would be the controller of data about club members. A company would be the data controller about their clients and their employees. ALL files containing personal data must be registered in Spain with the Agencia Española de Protección de Datos. Forms for doing this can be downloaded from their website.
Delegados are required to observe several principles and adhere to the data processing rules of the member state where they are established, even if the data processed belongs to individuals of other states or even if the data is stored abroad, as is often the case in Internet operations.
Data controllers are also required to produce security documents for every list of personal data their organisation controls. For example, for a list of members’ personal information or a document containing employee payment details, the Data Controller would have to produce a special document that describes the information and rates it as high, medium or low in accordance with the data protection law’s description of how sensitive the information actually is and how it must be handled.
Data Collection and Processing
Data must be relevant and not excessive in relation to the purpose for which it is processed. Data must be accurate and where necessary kept up to date. Data Controllers are required to provide reasonable measures for data subjects to rectify incorrect data.
Data that identifies individuals must not be kept longer than necessary.
Personal data can only be processed if the data subject has given his or her consent and if the data processing is necessary for the performance of a contract or to enter into a contract.
As a Data Subject you have certain rights. You have the right to be informed of any data processing where you are the subject, to be informed of the identity of the Data Controller, the purpose for the data processing and the recipients of the data.
You have the right of access to data about yourself. You are entitled to approach any Data Controller to know whether he or she is processing data that concerns you, to receive a copy of the data and be given any available information about their sources.
Under GDPR it is no longer necessary to register the existence of Data Files with the agency.
What can you do if your rights are violated?
The first step is to contact the organisation who appears to be the source of the violation in order to find out who the Data Controller is.
For example, a company gave information about your telephone number and email address to another company and as a result you are receiving unsolicited calls or emails. If the personal data was collected for billing purposes only, and you did not consent to further transfer of your data, then you are entitled to object to this transfer. You should write to the provider clearly stating your complaint. The website of the Agencia Española de Protección de Datos contains standard letters for this purpose. If you do not receive a satisfactory answer you should contact the Agencia directly.
Almost every company and club will have a personal data file that should be registered with the Agencia Española de Protección de Datos. So far only about 500 organisations in Marbella have registered data files. Hopefully this article will help prompt readers to consider seriously their data protection policy.
Useful information Sources
European Commission Data Protection Website
Spanish Supervisory Authority,
Agencia Española de Protección de Datos,
C/ Jorge Juan, 6
Tel. 901 100 099