GDPR enforcement in Spain

The Spanish Data Protection Agency, (the AEPD), has a reputation as one of the more active EU data protection regulators. During 2022, it continued its high volume of activity, imposing 283 sanctions amounting to almost €23m in fines.

Key areas of focus in 2022

Identity fraud

Identity fraud in contracting processes stands out as a continuing area of focus for the AEPD as it has been since 2020, when it carried out an audit on distance contracting of services in the telecommunications and energy sectors.

This type of fraud continues to grow exponentially and especially affects large companies that carry out high volume distance contracting processes.

Some of the modalities of this type of offences, such as SIM Swapping, cause serious economic damage to those affected. In 2020, the AEPD fined the four largest telephone operators in Spain nearly €6m for not being sufficiently diligent in verifying the identity of those requesting a duplicated SIM card.

The problem is complex as the use of robust identification systems (such as biometrics or the issuing of copies of identity documents) was also subject to sanctions by the AEPD throughout 2022, where they were found to breach the data minimisation principle.

The banking sector has not been subject to significant sanctions for this type of fraud to date, however, it was subject to fines amounting to €1.5m in 2022, mainly related to the lack of transparency or the lawfulness of the processing of personal data.

Security Measures

Failings related to the lack of security measures also gave rise to relevant fines in the banking sector. Two of them, amounting to €70,000 and €48,000, respectively, are worth mentioning. The AEPD said that, even though isolated, a mistake made by the bank which resulted in a breach of confidentiality (a data subject having access to personal data of another person in the first case, and giving access to a third party contract in the second), was an infringement of both the principle of integrity and confidentiality (Article 5.1.f GDPR) and the obligation to implement appropriate security measures under Article 32 GDPR. Special attention was given to the fact that the affected data subjects who lodged a complaint with the AEPD had alerted the sanctioned companies to no avail.

In addition, in a recent judgement, the Spanish Supreme Court shed some light on the interpretation of the security obligations under Article 32 GDPR. It stated that the obligation of the controller and the processor to implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk is an obligation of means and not of results. This suggests that as long as the controller or the processor is able to prove that it implemented security measures taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, there will not be a breach of Article 32 in the event of a data breach.

Consent and profiling for commercial purposes

Although consent has traditionally been the default lawful basis for data controllers, since the advent of the GDPR and enhanced consent standards, it is often used where other legal bases are not applicable. The requirements for valid consent set out in the GDPR have been the subject of numerous judgements by national supervisory authorities and the European Data Protection Board (EDPB).

The AEPD has also considered the issue of consent and, in September 2022, it imposed a fine of €3m on a financial institution for failure to get valid consents for profiling. The AEPD emphasised the requirement to separate purposes, and the need for the data subject to grasp the implications of the processing as essential to fulfilling the requirement that consent be informed and specific. This reflects the EDPB's view that it is crucial for the controller to be able to demonstrate that data subjects understand exactly what they are consenting to.

The AEPD's decision demonstrates that this lawful basis is closely linked to the duty to provide information. Consent requirements also operate as a guarantee of the purpose limitation principle, by virtue of which personal data must be collected for specified, explicit and legitimate purposes. More specifically, for the purposes of profiling, the data subject must be able to understand the scope, implications, and consequences of the processing.

Even though level of the fines in this decision have been the subject of discussion, the AEPD placed particular emphasis on the fact that processing for the purposes of profiling is particularly intrusive for data subjects, as well as focusing on the negligence of the data controller, and on the significant number of affected individuals.

Google and the Lumen project

The highest penalty imposed by the AEPD in 2022, was on Google LLC, which was fined €10m for disclosing personal data to third parties without a valid lawful basis and hindering the exercise of data subjects’ right to erasure in relation to the Lumen Project.

This project was developed together with the Berkman Klein Center for Internet & Society, an entity from Harvard University established in the United States. It involved the transfer of personal data from the EU to the US, including requests for removal of online content made to Google through online forms, which are then published online.

The AEPD considered that this transfer could not be based on legitimate interest as Google had failed to demonstrate that its legitimate interests outweighed the rights and freedoms of individuals. In addition, the lack of information about the transfer meant that the data subject was not given the opportunity to object to the data transfer or the grounds on which it was made. Therefore, the transfer was deemed unlawful and non-compliant with Article 6 GDPR.

In addition, the supervisory authority said that the content removal forms provided to users to enable them to exercise their right to erasure, was confusing and that the erasure request system allowed Google to make arbitrary decisions. It also questioned whether it was possible to fully erase the data, considering that information on the content removal forms was subsequently published in Lumen's database.

Other AEPD action

The AEPD's focus has, of course, gone wider than the imposition of financial penalties. Its first code of conduct, the sectoral code of conduct for the pharmaceutic industry (available in Spanish here), was approved in February 2022 and it published a 'Guide for healthcare professionals', with the aim of clarifying the most frequent compliance questions for healthcare professionals.

Likewise, last November, the AEPD published the 'Basic guide to anonymisation' to provide an introduction and practical guidance to organisations without previous experience of anonymisation and de-identification, accompanied by a tool to carry out data anonymisation.

Lastly, at the end of 2022, the Spanish Supervisory Authority published a new tool to help data protection stakeholders assess when to notify a security breach. The need for a self-assessment tool arises from the high volume of notifications received by the AEPD on an annual basis, but the AEPD stressed that it does not provide a definitive assessment of whether or not an Article 33 breach notification is required. Ultimately the decision is up to the data controller or data processor.

Trends for 2023

2023 is expected to see a continuing focus on identity fraud and unsolicited advertising, especially among telecommunications companies, which this year are launching a new mediation system to speed up the resolution of advertising complaints. This has been promoted by the AEPD given this is one of the most frequent complaints it receives.

International data transfers are also likely to be a hot topic for the AEPD in 2023, as for other European supervisory authorities, with decisions regarding the transfer of personal data to the United States derived from the use of Google Analytics, not to mention the impending EU-US Data Privacy Framework.

Innovative technologies including the use of facial recognition or biometric fingerprinting techniques have been significantly increasing. Over the last few years, the Spanish supervisory authority has issued a variety of decisions referring to the use of biometric data for different purposes. More specifically, the AEPD distinguished between authentication and identification purposes, concluding that authentication does not involve the processing of special categories of data, whereas it does in the case of identification. This contrasted with the views of other authorities which led to the AEPD modifying its position to align with the European trend.

In fact, the most recent report issued in late January 2023, eliminates this distinction altogether and establishes that, in both cases, when using this technology and analysing its feasibility, special attention should be paid both to the specific purpose of such use and to the lawful basis under which the processing takes place. Consequently, it will be necessary that, national regulations expressly provide for the possibility of using biometric data for some of the exceptions of Article 9.2 to be applicable. Otherwise, the only option when carrying out the processing of biometric data would be to rely on the data subject’s consent, provided valid consent can be obtained.

With security breaches increasing exponentially, it is very likely that the AEPD will treat this as a priority area, not only in relation to the GDPR, existing and incoming EU legislation (such as the recent NIS2 and DORA), but also through sector guides, especially for the financial and insurance sectors. These new regulations not only affect these sectors, but also their supply chains, which will lead to an increase in security measures, as well as sanctions in the event of non-compliance.

Finally, following the January 2023 EDPB report in relation to cookie banners, it is worth mentioning the AEPD's lack of meaningful sanctions on the matter, and its view set out in its guideline on the use of cookies that it is not mandatory to include a button to reject all cookies alongside an 'accept all' button. This contrasts sharply with the views of the majority of EU regulators, and, in particular, those of the French supervisory authority which has focused heavily on the issue and recently issued substantial fines to Microsoft and Apple, among others on precisely this point. As a result, it is likely we will see the AEPD adapt its position on the issue of cookies in 2023.