Privacy in Spain: overview

A Q&A guide to privacy in Spain.

The Q&A guide gives a high-level overview of privacy rules and principles, including what national laws regulate the right to respect for private and family life and freedom of expression; to whom the rules apply and what privacy rights are granted and imposed. It also covers the jurisdictional scope of the privacy law rules and the remedies available to redress infringement.

To compare answers across multiple jurisdictions, visit the Privacy Country Q&A tool.

This article is part of the global guide to data protection. For a full list of contents, please visit

Albert Agustinoy Guilayn and Alejandro Negro Sala, Cuatrecasas, Gonçalves Pereira


1. What national laws (if any) regulate the right to respect for private and family life and freedom of expression?

Article 18 of the Spanish Constitution recognises the right to respect for private and family life. This right has been further developed by:

  • From a civil standpoint, Law 15/1999 on personal data protection (and its secondary regulation) and Law 1/1982 on civil protection of the right to honour, to personal and family privacy and of the right of self-image.

  • From a criminal perspective, by the Criminal Code (contained in Law 10/1995).

While the rights to honour, personal and family privacy, and self-image are expressly recognised in the Constitution, the right to personal data protection (right to privacy) was introduced as consequence of the impact that technical developments have had on the processing of personal data.

The right to freedom of expression is set out in Article 20 of the Constitution and has been developed through case law from the Spanish Constitutional Court. No other regulations enshrine this fundamental right, except for some specific laws relating to the so-called "conscience clause" (see Question 3) and the right to ask for rectification of incorrect or inaccurate information published in the media.

The Spanish Criminal Code also protects freedom of expression.

2. Who can commence proceedings to protect privacy?

Proceedings for breach of personal data protection or privacy can be commenced by:

  • The affected individuals. Rights granted by law only vest in living individuals and cannot be used by entities.

  • Third parties (either individuals or entities) who become aware of a breach of the data protection law. In these cases, third parties can only request that the Spanish Data Protection Agency start administrative proceedings which can lead to sanctions.

  • The Data Protection Agency can also act ex officio should it become aware of any infringement of the law.

Proceedings to protect honour, self-image and private and family life can be commenced by:

  • The affected individuals and/or entities. Entities can file an action for infringement of their honour and intimacy rights.

  • In the event that the affected individual has passed away, proceedings can be brought by:

    • the individual or entity specifically appointed by the individual's last will and testament;

    • the individual's spouse, descendants, ascendants or siblings that were alive when the affected individual passed away; or

    • the public prosecutor.

Finally, proceedings to ensure protection of freedom of expression can be commenced by:

  • The affected individuals and/or entities.

  • Journalists (under the conscience clause).

  • (In connection with the right of rectification), the representatives of the affected individual or entity or the heirs of the affected individual (or their representatives).

3. What privacy rights are granted and imposed?

Individuals have the right to be informed in advance of how their personal data is going to be processed and to consent to the processing before it takes place. In certain cases, consent is not necessary. Individuals must be informed about:

  • The identity and contact details of the person or entity responsible for processing the data (the data controller).

  • The purpose of the data processing.

  • Whether the data will be assigned to third parties.

  • Which rights are granted by law and how they can be exercised. In particular, the right to access data, amend incorrect or inaccurate data, request cancellation or oppose or object to the processing of data. These rights have been increased as a result of recognition by the Court of Justice of the European Union (ECJ) of the right to be forgotten (C-131/2012, Google Spain, S.L. and Google Inc. versus AEPD and Mario Costeja González).

The right to private and family life granted under Law 1/1982 covers actions aimed at protecting image, voice, name, honour and private life (including family life) from unauthorised use.

There is an exception for using an image belonging to a public person (such as a politician or celebrity). Images of public persons can be recorded and/or used if certain conditions are met (essentially, if used in cartoons or recorded in public spaces or during public events), and the image can be used without consent when recording events of public relevance.

In addition, Spanish courts ruled that under certain conditions and taking into account all interests, freedom of expression can prevail over rights granted under Law 1/1982, particularly if there is a public interest.

Finally, freedom of expression grants the right to:

  • Issue opinions, thoughts and/or ideas by any means.

  • Freely produce or create literature and/or artistic, technical or scientific works.

  • Academic liberty.

  • Freely communicate and receive truthful information by any means.

The right to freely communicate information covers the conscience clause for journalists. The clause gives the right to terminate the relationship between the journalist and the media company for which he is working (under certain circumstances) or to object to producing information that is contrary to the ethical principles of communication.

As part of the on-going development of freedom of expression, a new right has been approved granting the right to any individual or entity to ask for the rectification of incorrect or inaccurate information that may be harmful.

4. What is the jurisdictional scope of the privacy law rules?

Spanish courts have interpreted privacy and freedom of expression in the light of international regulations and rules such as the European Convention on Human Rights and decisions from the European Court of Human Rights.

In the case of personal data, interpretations made by the Data Protection Agency have broadened some of the rights granted to affected individuals and the obligations on data controllers. For example, Spanish regulations apply to data controllers based abroad as a result of installation and use of cookies on computers in Spain. In addition, there is now recognition of the right to be forgotten, granting individuals the right to ask search engines to delete links in their search results to third parties' websites containing personal information.

5. What remedies are available to redress the infringement of those privacy rights?

Privacy and freedom of expression rights can be enforced both under civil and criminal law. In addition, certain administrative proceedings can be filed before the Data Protection Agency to ensure the protection of basic rights.

Civil actions allow individuals or entities to obtain remedies ordering cessation of infringement and awarding damages. In criminal proceedings, the individuals or entities can ask the judge to impose the penalties applicable under the Penal Code along with any civil remedies.

Under administrative proceedings, an individual who has unsuccessfully exercised his basic rights before the data controller (see Question 3) can seek protection from the Data Protection Agency. The Data Protection Agency will start specific administrative proceedings aimed at verifying whether the relevant legal conditions have been met and order, if necessary, the data controller to comply with the relevant rights.

6. Are there any other ways in which privacy rights can be enforced?

Privacy rights can also be protected though administrative proceedings conducted before Data Protection Agency by the entities or individuals mention above in Question 2. The Data Protection Agency is legally entitled to control the enforcement of personal data regulations and is empowered to monitor the exercise of rights granted to individuals or impose fines and ancillary sanctions if a breach is detected (for example, ceasing the international transfer of personal data).

Commencing proceedings before the Data Protection Agency does not prevent individuals from subsequently requesting compensation for the infringement of their rights. Any further claim must be pursued through the court.


Contributor profiles

Albert Agustinoy Guilayn, Partner

Cuatrecasas, Gonçalves Pereira

T +34 932 905 585
F +34 932 905 569

Professional qualifications. Bachelor of Laws, Universitat de Barcelona, 1996; Masters in Community Law, Universitat Autònoma de Barcelona, 1997; Master (LLM) in Comparative, European and International Laws, Université Robert Schuman, Strasbourg, France

Areas of practice. Gaming and gambling; intellectual property; media; data protection; sports; leisure.

Recent transactions

  • Acting as global adviser in Spain for global gaming and gambling companies such as Playtech, PokerStars, 888, Gamesys, William Hill, Interwetten, Eurostar Mediagroup, Dafabet, SKS 365, PAF, Rank Group or Betfair, on all relevant areas of Spanish law, including gambling and gaming law, IT law, intellectual property, personal data protection, and advertising.
  • Advising the World Intellectual Property Organization on appointments as a panellist, charged with deciding on numerous alternative dispute resolution procedures relating to generic domain names and .es domain names.

Languages. Spanish, English, French

Professional associations/memberships. Panellist for domain-name dispute resolution of the World Organization of Intellectual Property, the National Arbitration Forum and the Spanish High Council of Chambers of Commerce.


  • Domain name law and practice (2015).
  • La regulación del juego electrónico (2011).
  • Nombres de dominio. Normativa internacional, comunitaria y española comentada (2008).
  • Derecho y nuevas tecnologías (2005).
  • Régimen jurídico de los nombre de dominio (2002).

Alejandro Negro Sala, Counsel

Cuatrecasas, Gonçalves Pereira

T +34 915 247 717
F +34 915 247 124

Professional qualifications. Bachelor of Laws, Universidad Autónoma de Madrid; Master in Legal Consultancy for Businesses, Instituto de Empresa, Madrid

Areas of practice. Intellectual and industrial property, media and data protection; technology, media and telecommunications; corporate compliance; food and beverages; pharmacy, health products and biotechnology.

Recent transactions

  • Advising Banco Popular, Liberbank and Banco Mare Nostrum (BMN) on IT outsourcing services agreements.
  • Advising Microsoft on IT and data protection issues.

Languages. Spanish, English

Professional associations/memberships. Member of LES (Licensing Executives Society) and DENAE.


  • Más protección para los alimentos con nombre y apellidos (2015).
  • Sourcing World (2015) Thomson Reuters.
  • Outsourcing (2014) Getting the Deal Through.

{ "siteName" : "PLC", "objType" : "PLC_Doc_C", "objID" : "1248021226531", "objName" : "Privacy in Spain overview", "userID" : "2", "objUrl" : "", "pageType" : "Resource", "academicUserID" : "", "contentAccessed" : "true", "analyticsPermCookie" : "2-40e00097:15b10fc9c28:-239", "analyticsSessionCookie" : "2-40e00097:15b10fc9c28:-238", "statisticSensorPath" : "" }