The Spanish Data Protection Agency (SDPA) has the power to initiate inspections ex officio, investigate complaints, conduct sectoral investigations, and initiate sanctioning administrative proceedings that may end with a fine being imposed. The SDPA can also order the suspension of processing and/or transfer of data, as well as the destruction of data and other similar measures, in the event of very serious infringements or infringements of fundamental rights. The resolutions of the SDPA may be appealed to the Spanish National Court.

Fines for minor infringements range between €900 and €40,000; for serious infringements, between €40,001 and €300,000; and for very serious infringements, between €300,001 and €600,000. Within the relevant range, the amount can be increased or reduced depending on the damage caused, the benefit obtained, the degree of intent, etc. The SDPA may, "on an exceptional basis", put the commencement of sanctioning administrative proceedings on hold and instead issue a warning to the offender, requiring evidence of corrective measures within a given deadline, subject, however, to the following criteria being met:
- The facts must constitute a minor or serious infringement under the Spanish data protection Act (Act); and
- The offender has not been previously sanctioned or warned.
Moreover, under a literal reading of the Act, the "warning system" is arguably configured as "optional" for the SDPA, and it would be difficult to argue that a company has an enforceable right to be "warned" (instead of fined), even if the required conditions for a warning are satisfied.
Individuals can bring a civil action before the courts in order to obtain compensation for damages arising out of personal data infringements. The amount awarded by the courts depends on the seriousness of the rights infringed and the damage suffered by the individuals, who must prove the actual harm caused. In addition, a data protection infringement may sometimes give rise to damages for breach of the fundamental rights to image, privacy or honour, following the specific civil proceeding for violation of such fundamental rights.
Neither Spanish data protection laws and regulations nor the Spanish Criminal Code specifically provide for criminal liability linked to a breach of personal data protection laws. However, the Criminal Code provides that anyone who violates the privacy of a third party in order to discover secrets or who, without the third party's consent, seizes his/her papers, letters, email messages, any other documents or personal belongings, intercepts his/her transmissions, or uses technical devices to listen to, transmit, record or reproduce sound, images or any other communication signal, shall be punished with imprisonment ranging from 1 to 4 years and daily fines ranging between 12 and 24 months. Similar penalties apply to those who, without authorisation, use, modify, etc. a third party's personal or family data registered in a file. Such penalties are increased if the violation relates to sensitive data (ideology, religion, beliefs, health, racial origin, sexual preferences) or to minors. Finally, although we have not seen it in practice, it cannot be entirely ruled out that a very serious infringement carried out with a high degree of intent may be considered as falling within the aforementioned criminal offences.
Selected Enforcement Actions / General Comments
Fines have been imposed for various activities, including, but not limited to: deceptive or fraudulent data collection; failure to inform data subjects; transfer of data without consent; transfer between companies in a group without consent; data leaks on the Internet; sending unsolicited advertising and emails without consent; and non-compliance with the obligation to destroy media containing personal data. Some examples of recent enforcement action in Spain include:
- In 2009, a telephony operator was fined €420,000 for unlawful disclosure of data to debt recovery companies;
- In 2007, a television production company was fined €1.08M for leaking personal data via the Internet, and related violations;
- In 2012, an asset solvency services company was fined €50,000 for failing to inform data subjects of processing;
- Between 2008 and 2011, several companies were fined €300,000 for transferring personal data without consent;
- In 2010, a telecommunications company was fined €40,000 for international data transfer between companies in a group without consent;
- Since 2003, several fines of €30,000 were imposed for sending unsolicited advertising without respecting the data subjects’ right to cancel.
More recently, the SDPA has adopted a more restrained approach to administrative sanctions and usually imposes the lowest possible fine of each category (minor, serious, very serious) unless the infringement was intentional or caused by the data controller's gross negligence. In this regard, some examples of recent (2014) key cases are set out below:
- Two companies were fined €3,000 each for using cookies on their websites in breach of the applicable cookie rules.
- A company was fined €1,500 for a minor infringement concerning the duty to inform upon data collection through a website contact form.
- A company was fined €40,000 for a serious infringement related to employee health data.
- A company acting as data processor was fined €6,000 for breaching the consent rule while carrying out marketing on behalf of a supply company (the data controller) without duly obtaining the consent of the customers concerned.