Data Protection in Spain: Difference between revisions
(Translated and updated history) |
m (Fixed typo) |
||
(11 intermediate revisions by 2 users not shown) | |||
Line 5: | Line 5: | ||
| colspan="2" |[[File:es.png|center|250px]] | | colspan="2" |[[File:es.png|center|250px]] | ||
|- | |- | ||
|Data Protection | |Data Protection Authorities:||[[AEPD (Spain)]], [[APDCAT (Catalonia)]], [[DBEB/AVPD (Basque Country)]], [[CTPDA (Andalusia)]], CGPJ | ||
|- | |- | ||
|National Implementation Law (Original):||[https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales] | |National Implementation Law (Original):||[https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales] | ||
Line 20: | Line 20: | ||
|} | |} | ||
The current Spanish Data Protection Act is the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales | The current Spanish Data Protection Act is the [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 ''Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD)''] (Organic Law 3/2018 regarding the Protection of Personal Data and guarantees of digital rights). | ||
The [[AEPD (Spain)|AEPD]] (''Agencia Española de Protección de Datos'') is the Data Protection Authority competent for the private sector and partially for the public sector in Spain. | |||
There are three other independent regional data protection authorities in Spain for the public sector: the [[APDCAT (Catalonia)|Catalan Data Protection Authority]] (''Autoritat Catalana de Protecció de Dades'' or unofficially ''Autoridad Catalana de Protección de Datos''), the [[DBEB/AVPD (Basque Country)|Basque Data Protection Authority]] (''Datuak Babesteko Euskal Bulegoa'' or ''Agencia Vasca de Protección de Datos'') and the [[CTPDA (Andalusia)|Andalusian Data Protection Authority]] (''Consejo de Transparencia y Protección de Datos de Andalucía''). | |||
==Legislation== | ==Legislation== | ||
===History=== | ===History=== | ||
The right to data protection is constitutionally enshrined in art. 18.4 of the [https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229 Spanish Constitution]: "''The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights''". | The right to data protection is constitutionally enshrined in art. 18.4 of the [https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229 Spanish Constitution]: "''The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights''". | ||
Subsequently, the Spanish Constitutional Court, in | Subsequently, the Spanish Constitutional Court, in Judgements [https://hj.tribunalconstitucional.es/en/Resolucion/Show/4276 292/2000] and [https://hj.tribunalconstitucional.es/en/Resolucion/Show/2383 254/1993], confirmed it as an autonomous right, independent of the rights to intimacy [privacy], honour and image, conferring it a broader sphere, not only in terms of the legal object protected, but also because it attributes subjects a range of powers, since the right to data protection guarantees the power to control their data. | ||
Spain is a party to the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108), drawn up in Strasbourg. It was signed on 28 January 1981 and ratified by Spain on the 31 January 1984, entering into force on 1 October 1985. | Spain is a party to the [https://www.coe.int/en/web/conventions/full-list?module=treaty-detail&treatynum=108 European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108)], drawn up in Strasbourg. It was signed on 28 January 1981 and ratified by Spain on the 31 January 1984, entering into force on 1 October 1985. | ||
The first data protection law was [https://www.boe.es/buscar/doc.php?id=BOE-A-1992-24189 Ley Orgánica 5/1992, de 29 de octubre, de regulación del tratamiento automatizado de los datos de carácter personal] (Organic Law 5/1992 of 29 October 1992 on the Regulation of the Automated Processing of Personal Data) (LORTAD), which defined the basic principles and recognised the legal protection of the constitutional right. Its late drafting was positive as it was able to pick up aspects from other countries, although it contemplated several exceptions. | The first data protection law was [https://www.boe.es/buscar/doc.php?id=BOE-A-1992-24189 Ley Orgánica 5/1992, de 29 de octubre, de regulación del tratamiento automatizado de los datos de carácter personal] (Organic Law 5/1992 of 29 October 1992 on the Regulation of the Automated Processing of Personal Data) (LORTAD), which defined the basic principles and recognised the legal protection of the constitutional right. Its late drafting was positive as it was able to pick up aspects from other countries, although it contemplated several exceptions. | ||
Line 40: | Line 38: | ||
===National constitutional protections=== | ===National constitutional protections=== | ||
Art. 18.4 of the Spanish Constitution states: "''The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights''". | |||
This article is found in Section I of Chapter II of Title I of the Constitution, which confers reinforced constitutional prerogatives on it, such as the need for its content to be developed by Organic Law (Article 81 of the Constitution), and citizens may seek summary and preferential judicial protection without the need for it to have been developed legislatively, as well as binding all public authorities (Art. 53 of the Constitution). | |||
===National GDPR implementation law=== | ===National GDPR implementation law=== | ||
Line 46: | Line 46: | ||
====Age of consent==== | ====Age of consent==== | ||
Article 7 | Article 7.2 LOPDGDD states that the minimum age for consent in Spain is 14 years. | ||
====Freedom of Speech==== | ====Freedom of Speech==== | ||
Art. 85 LOPDGDD states that everyone has a right to free speech online. No further development of Art. 85 GDPR has taken place in the LOPDGDD. | |||
====Employment context==== | ====Employment context==== | ||
The LOPDGDD contains provisions regarding "digital rights" in the employment context. Art. 87 LOPDGDD regulates the protection of intimacy of workers when using work devices. Art. 88 LOPDGDD stipulates that workers have a right to digital disconnection. Art. 89 LOPDGDD establishes the rules for video and audio surveillance at the work place. Art. 90 LOPDGDD provides for rules regarding the use of geolocation systems tracking workers. Further rules might be established by collective agreements. | |||
The violation of the rights of Arts. 87 - 90 LOPDGDD does not necessarily imply a data protection violation. As long as no personal data is concerned, remedy for the violation of said rights would need to be sought through labour law legislation. For that reason one may argue that Art. 88 GDPR has only been partially developed. | |||
====Research==== | ====Research==== | ||
'' | The ''disposición adicional decimoséptima'' of the LOPDGDD provides specific rules for processing health data for research purposes. Among other aspects, the use of pseudonymised data is considered lawful, if the data is pseudonymised by someone else than the research team. | ||
====Other relevant national provisions | ====Other relevant national provisions==== | ||
'' | Arts. 19 - 27 LOPDGDD contain relevant provisions for certain data processing operations, such as video surveillance, credit reporting systems or commercial merger operations. | ||
As of today (July 2022) the use of the national identification number is common for everyday transactions in Spain. In order to avoid its publication in (public) administrative proceedings together with the full name of the person it identifies, only four digits of the numbers shall be published (''Disposición adicional séptima'' of LOPDGDD). | |||
===National ePrivacy Law=== | ===National ePrivacy Law=== | ||
'' | The [https://eur-lex.europa.eu/eli/dir/2002/58/2009-12-19 ePrivacy Directive] was transposed by the ''[https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758 Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico] (LSSI)'' (Law 34/2002 of 11 July 2002 on information society services and electronic commerce). | ||
Frequent references in data protection are made to [https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758&p=20201112&tn=1#a21 Article 21] of the LSSI. It regulates sending commercial messages through electronic means and establishes, as a general rule, that consent is necessary for such messages. | |||
[https://www.boe.es/buscar/act.php?id=BOE-A-2002-13758&p=20201112&tn=1#a22 Article 22.2] of the LSSI establishes the rules for cookies and comparable technologies. Cookies and similar technologies need consent in order to be installed, except for cookies that are strictly necessary for providing explicitely requested information society services. | |||
==Data Protection | ==Data Protection Authorities== | ||
The Spanish Data Protection | There various different data protection authorities in Spain, being the ''Agencía Española de Protección de Datos'' (AEPD) the most prominent one. The competence of the regional data protection authorities is regulated in Article 57 of the LOPDGDD. | ||
==== Agencia Española de Protección de Datos - AEPD ==== | |||
The Spanish Data Protection Agency (''Agencia Española de Protección de Datos'') is the data protection authority competent for the privat sector and partially the public sector in Spain. | |||
→ Details see [[AEPD (Spain)]] | → Details see [[AEPD (Spain)]] | ||
==== Autoritat Catalana de Protecció de Dades - APDCAT ==== | |||
For the the public sector of Catalonia competence lies with the Catalan Data Protection Authority (''Autoritat Catalana de Protección de Dades''). | |||
→ Details see [[APDCAT (Catalonia)]] | |||
==== Datuak Babesteko Euskal Bulegoa | Agencia Vasca de Protección de Datos - DBEB/AVPD ==== | |||
For the the public sector of the Basque Country competence lies with the Basque Data Protection Authority (''Datuak Babesteko Euskal Bulegoa | Agencia Vasca de Protección de Datos''). | |||
→ Details see [[DBEB/AVPD (Basque Country)]] | |||
==== Consejo de Transparencia y Protección de Datos de Andalucía - CTPDA ==== | |||
For the the public sector of Andalusia competence lies with the Transparency and Data Protection Council of Andalusia (''Consejo de Transparencia y Protección de Datos de Andalucía''). | |||
→ Details see [[CTPDA (Andalusia)]] | |||
CGPJ | ==== Dirección de Supervisión y Control de Protección de Datos del Consejo General del Poder Judicial - CGPJ ==== | ||
For the processing of personal data for jurisdictional purposes the Directorate of Supervision and Data Protection of the General Board of the Judicial Power (''Dirección de Supervisión y Control de Protección de Datos del Consejo General del Poder Judicial'') is competent.<ref>https://acf.poderjudicial.es/cgpj/es/Temas/Direccion-de-supervision-y-control-de-proteccion-de-datos/</ref> | |||
The use of personal data in the context of courts is regulated in [https://www.boe.es/buscar/act.php?id=BOE-A-1985-12666&p=20220629&tn=1#cibis Article 236 bis - decies of the Organic Law of the Judicial Power] (''Ley Orgánica del Poder Judicial''). | |||
==Judicial protection== | ==Judicial protection== | ||
Judicial protection of the right to data protection is granted both by judicial supervision of the data protection authorities (Art. 78.1 GDPR), as well as by the possibility to bring actions directly in court (Art. 79 GDPR). | |||
==== Decisions of the AEPD ==== | |||
Against the decisions that put an end to administrative proceedings, which are issued by the Director of the AEPD (48.6 LOPDGDD), a voluntary ''recurso de reposición'' may be lodged before the Director of the AEPD within a period of one month following the notification of the decision (Art. 123, Art. 124 of [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565&p=20220713&tn=1#s3-4 Law 39/2015]). | |||
Alternatively, the decision may be directly appealed before the Contentious-Administrative Chamber (''Sala de lo Contencioso-Administrativo'') of the Audiencia Nacional within two months from the notification of the decision (Art. 25, Art. 46.1 and ''Disposición adicional cuarta''.5 of [https://www.boe.es/buscar/act.php?id=BOE-A-1998-16718 Law 29/1998]). It is necessary to be represented by a lawyer and a ''procurador''. | |||
Appeals against the decision of the Audiencia Nacional are competence of the Supreme Court (''Tribunal Supremo'') ([https://www.boe.es/buscar/act.php?id=BOE-A-1998-16718&p=20220713&tn=1#a86 Art. 86.1] of [https://www.boe.es/buscar/act.php?id=BOE-A-1998-16718 Law 29/1988]). | |||
==== Decision of other Data Protection Authorities ==== | |||
Against the final decision of other data protection authorities a voluntary ''recurso de reposición'' may be lodged within one month following the notification of the decision before the authority that issued the decision. The general administrative legal framework (as in Art. 123, Art. 124 of [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565&p=20220713&tn=1#s3-4 Law 39/2015]) provides for this possibility. | |||
Alternatively, the decision may also be appealed in the competent court, which in most cases would be a first instance administrative court (Art. 8 of [https://www.boe.es/buscar/act.php?id=BOE-A-1998-16718 Law 29/1998]), within two months from the notification of the decision (Art. 25, Art. 46.1 of [https://www.boe.es/buscar/act.php?id=BOE-A-1998-16718 Law 29/1998]). In first instance administrative courts only a lawyer is mandatory, a ''procurador'' is not (Art. 23 of [https://www.boe.es/buscar/act.php?id=BOE-A-1998-16718 Law 29/1998]). | |||
==== Civil Proceedings ==== | |||
Under Art. 79 GDPR, civil (and other) proceedings can be brought directly against a controller. The civil procedure is mainly regulated in the [https://boe.es/buscar/act.php?id=BOE-A-2000-323 Law 1/2000, of 7 January, on Civil Proceedings] (''Ley 1/2000, de 7 de enero, de Enjuiciamiento Civil''). | |||
Spanish civil proceeding are divided in two phases: (i) declarative proceedings, (ii) executional proceedings. Execution can be sought once a final declarative decision has been issued. | |||
===== Declarative proceedings ===== | |||
The proceedings are usually brought were the controller has its domicile (Art. 51 of Law 1/2000). However, for the (civil) protection of fundamental rights, such as the right to data protection, the court of the domicile of the data subject is competent (Art. 52.1.6 of Law 1/2000). | |||
It is necessary to be represented by a lawyer and a ''procurador'' if the litigation value or amount in dispute is € 2000 or higher (Art. 23, Art. 31 of Law 1/2000). The same is true for actions that are subject to the ordinary procedure (''juicio ordinario'') (Art. 23, Art. 31 of Law 1/2000). | |||
Natural persons are not subject to any fee for filing a civil lawsuit (Art 4.2.a of [https://www.boe.es/buscar/act.php?id=BOE-A-2012-14301 Law 10/2012]). | |||
The European Commission, the AEPD and the regional data protection authorities may intervene in lawsuits regarding the GDPR (Art. 15 bis. 3 of Law 1/2000). | |||
===== Execution ===== | |||
If a final (favorable) decision has been issued in declarative proceedings, execution of this decision can be sought in the same court that issued this decision (Art. 545 of Law 1/2000). | |||
==== Criminal Law ==== | |||
Some aspects of the right to data protection are also protected by the [https://www.boe.es/buscar/act.php?id=BOE-A-1995-25444 Criminal Code] (''Código Penal'') in Arts. 197 - 201. | |||
===Constitutional Court=== | ===Constitutional Court=== | ||
The Constitutional Court can act to protect the right to data protection contained in Art. 18.4 of the Spanish Constitution. Access to the Constitutional Court in individual cases is difficult. |
Latest revision as of 09:09, 30 July 2024
Data Protection in Spain | |
---|---|
Data Protection Authorities: | AEPD (Spain), APDCAT (Catalonia), DBEB/AVPD (Basque Country), CTPDA (Andalusia), CGPJ |
National Implementation Law (Original): | Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales |
English Translation of National Implementation Law: | [n/a English Translation] |
Official Language(s): | Spanish; Regional: Basque, Catalan, Galician |
National Legislation Database(s): | https://www.boe.es/ |
English Legislation Database(s): | n/a |
National Decision Database(s): | http://www.poderjudicial.es/search/index.jsp |
The current Spanish Data Protection Act is the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD) (Organic Law 3/2018 regarding the Protection of Personal Data and guarantees of digital rights).
The AEPD (Agencia Española de Protección de Datos) is the Data Protection Authority competent for the private sector and partially for the public sector in Spain.
There are three other independent regional data protection authorities in Spain for the public sector: the Catalan Data Protection Authority (Autoritat Catalana de Protecció de Dades or unofficially Autoridad Catalana de Protección de Datos), the Basque Data Protection Authority (Datuak Babesteko Euskal Bulegoa or Agencia Vasca de Protección de Datos) and the Andalusian Data Protection Authority (Consejo de Transparencia y Protección de Datos de Andalucía).
Legislation
History
The right to data protection is constitutionally enshrined in art. 18.4 of the Spanish Constitution: "The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights".
Subsequently, the Spanish Constitutional Court, in Judgements 292/2000 and 254/1993, confirmed it as an autonomous right, independent of the rights to intimacy [privacy], honour and image, conferring it a broader sphere, not only in terms of the legal object protected, but also because it attributes subjects a range of powers, since the right to data protection guarantees the power to control their data.
Spain is a party to the European Convention for the Protection of Individuals with regard to Automatic Processing of Personal Data (Convention No. 108), drawn up in Strasbourg. It was signed on 28 January 1981 and ratified by Spain on the 31 January 1984, entering into force on 1 October 1985.
The first data protection law was Ley Orgánica 5/1992, de 29 de octubre, de regulación del tratamiento automatizado de los datos de carácter personal (Organic Law 5/1992 of 29 October 1992 on the Regulation of the Automated Processing of Personal Data) (LORTAD), which defined the basic principles and recognised the legal protection of the constitutional right. Its late drafting was positive as it was able to pick up aspects from other countries, although it contemplated several exceptions.
Following Directive 95/46/EC, the Ley Orgánica de Protección de Datos de Carácter Personal (Organic Law on Data Protection) (LOPD) was enacted in 1999, which has been fully applicable until the entry into force of the GDPR. In 2018 the new Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales came into force and three years later the Ley Orgánica 7/2021, de 26 de mayo, de protección de datos personales tratados para fines de prevención, detección, investigación y enjuiciamiento de infracciones penales y de ejecución de sanciones penales (Organic Law 7/2021 of 26 May on the protection of personal data processed for the purposes of the prevention, detection, investigation and prosecution of criminal offences and the execution of criminal penalties), that transposes Directive 2016/680.
National constitutional protections
Art. 18.4 of the Spanish Constitution states: "The law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights".
This article is found in Section I of Chapter II of Title I of the Constitution, which confers reinforced constitutional prerogatives on it, such as the need for its content to be developed by Organic Law (Article 81 of the Constitution), and citizens may seek summary and preferential judicial protection without the need for it to have been developed legislatively, as well as binding all public authorities (Art. 53 of the Constitution).
National GDPR implementation law
In Spain the GDPR is developed by the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).
Age of consent
Article 7.2 LOPDGDD states that the minimum age for consent in Spain is 14 years.
Freedom of Speech
Art. 85 LOPDGDD states that everyone has a right to free speech online. No further development of Art. 85 GDPR has taken place in the LOPDGDD.
Employment context
The LOPDGDD contains provisions regarding "digital rights" in the employment context. Art. 87 LOPDGDD regulates the protection of intimacy of workers when using work devices. Art. 88 LOPDGDD stipulates that workers have a right to digital disconnection. Art. 89 LOPDGDD establishes the rules for video and audio surveillance at the work place. Art. 90 LOPDGDD provides for rules regarding the use of geolocation systems tracking workers. Further rules might be established by collective agreements.
The violation of the rights of Arts. 87 - 90 LOPDGDD does not necessarily imply a data protection violation. As long as no personal data is concerned, remedy for the violation of said rights would need to be sought through labour law legislation. For that reason one may argue that Art. 88 GDPR has only been partially developed.
Research
The disposición adicional decimoséptima of the LOPDGDD provides specific rules for processing health data for research purposes. Among other aspects, the use of pseudonymised data is considered lawful, if the data is pseudonymised by someone else than the research team.
Other relevant national provisions
Arts. 19 - 27 LOPDGDD contain relevant provisions for certain data processing operations, such as video surveillance, credit reporting systems or commercial merger operations.
As of today (July 2022) the use of the national identification number is common for everyday transactions in Spain. In order to avoid its publication in (public) administrative proceedings together with the full name of the person it identifies, only four digits of the numbers shall be published (Disposición adicional séptima of LOPDGDD).
National ePrivacy Law
The ePrivacy Directive was transposed by the Ley 34/2002, de 11 de julio, de servicios de la sociedad de la información y de comercio electrónico (LSSI) (Law 34/2002 of 11 July 2002 on information society services and electronic commerce).
Frequent references in data protection are made to Article 21 of the LSSI. It regulates sending commercial messages through electronic means and establishes, as a general rule, that consent is necessary for such messages.
Article 22.2 of the LSSI establishes the rules for cookies and comparable technologies. Cookies and similar technologies need consent in order to be installed, except for cookies that are strictly necessary for providing explicitely requested information society services.
Data Protection Authorities
There various different data protection authorities in Spain, being the Agencía Española de Protección de Datos (AEPD) the most prominent one. The competence of the regional data protection authorities is regulated in Article 57 of the LOPDGDD.
Agencia Española de Protección de Datos - AEPD
The Spanish Data Protection Agency (Agencia Española de Protección de Datos) is the data protection authority competent for the privat sector and partially the public sector in Spain.
→ Details see AEPD (Spain)
Autoritat Catalana de Protecció de Dades - APDCAT
For the the public sector of Catalonia competence lies with the Catalan Data Protection Authority (Autoritat Catalana de Protección de Dades).
→ Details see APDCAT (Catalonia)
Datuak Babesteko Euskal Bulegoa | Agencia Vasca de Protección de Datos - DBEB/AVPD
For the the public sector of the Basque Country competence lies with the Basque Data Protection Authority (Datuak Babesteko Euskal Bulegoa | Agencia Vasca de Protección de Datos).
→ Details see DBEB/AVPD (Basque Country)
Consejo de Transparencia y Protección de Datos de Andalucía - CTPDA
For the the public sector of Andalusia competence lies with the Transparency and Data Protection Council of Andalusia (Consejo de Transparencia y Protección de Datos de Andalucía).
→ Details see CTPDA (Andalusia)
Dirección de Supervisión y Control de Protección de Datos del Consejo General del Poder Judicial - CGPJ
For the processing of personal data for jurisdictional purposes the Directorate of Supervision and Data Protection of the General Board of the Judicial Power (Dirección de Supervisión y Control de Protección de Datos del Consejo General del Poder Judicial) is competent.[1]
The use of personal data in the context of courts is regulated in Article 236 bis - decies of the Organic Law of the Judicial Power (Ley Orgánica del Poder Judicial).
Judicial protection
Judicial protection of the right to data protection is granted both by judicial supervision of the data protection authorities (Art. 78.1 GDPR), as well as by the possibility to bring actions directly in court (Art. 79 GDPR).
Decisions of the AEPD
Against the decisions that put an end to administrative proceedings, which are issued by the Director of the AEPD (48.6 LOPDGDD), a voluntary recurso de reposición may be lodged before the Director of the AEPD within a period of one month following the notification of the decision (Art. 123, Art. 124 of Law 39/2015).
Alternatively, the decision may be directly appealed before the Contentious-Administrative Chamber (Sala de lo Contencioso-Administrativo) of the Audiencia Nacional within two months from the notification of the decision (Art. 25, Art. 46.1 and Disposición adicional cuarta.5 of Law 29/1998). It is necessary to be represented by a lawyer and a procurador.
Appeals against the decision of the Audiencia Nacional are competence of the Supreme Court (Tribunal Supremo) (Art. 86.1 of Law 29/1988).
Decision of other Data Protection Authorities
Against the final decision of other data protection authorities a voluntary recurso de reposición may be lodged within one month following the notification of the decision before the authority that issued the decision. The general administrative legal framework (as in Art. 123, Art. 124 of Law 39/2015) provides for this possibility.
Alternatively, the decision may also be appealed in the competent court, which in most cases would be a first instance administrative court (Art. 8 of Law 29/1998), within two months from the notification of the decision (Art. 25, Art. 46.1 of Law 29/1998). In first instance administrative courts only a lawyer is mandatory, a procurador is not (Art. 23 of Law 29/1998).
Civil Proceedings
Under Art. 79 GDPR, civil (and other) proceedings can be brought directly against a controller. The civil procedure is mainly regulated in the Law 1/2000, of 7 January, on Civil Proceedings (Ley 1/2000, de 7 de enero, de Enjuiciamiento Civil).
Spanish civil proceeding are divided in two phases: (i) declarative proceedings, (ii) executional proceedings. Execution can be sought once a final declarative decision has been issued.
Declarative proceedings
The proceedings are usually brought were the controller has its domicile (Art. 51 of Law 1/2000). However, for the (civil) protection of fundamental rights, such as the right to data protection, the court of the domicile of the data subject is competent (Art. 52.1.6 of Law 1/2000).
It is necessary to be represented by a lawyer and a procurador if the litigation value or amount in dispute is € 2000 or higher (Art. 23, Art. 31 of Law 1/2000). The same is true for actions that are subject to the ordinary procedure (juicio ordinario) (Art. 23, Art. 31 of Law 1/2000).
Natural persons are not subject to any fee for filing a civil lawsuit (Art 4.2.a of Law 10/2012).
The European Commission, the AEPD and the regional data protection authorities may intervene in lawsuits regarding the GDPR (Art. 15 bis. 3 of Law 1/2000).
Execution
If a final (favorable) decision has been issued in declarative proceedings, execution of this decision can be sought in the same court that issued this decision (Art. 545 of Law 1/2000).
Criminal Law
Some aspects of the right to data protection are also protected by the Criminal Code (Código Penal) in Arts. 197 - 201.
Constitutional Court
The Constitutional Court can act to protect the right to data protection contained in Art. 18.4 of the Spanish Constitution. Access to the Constitutional Court in individual cases is difficult.