Privacy International defends the right to privacy across the world, and fights surveillance and other intrusions into private life by governments and corporations. Read more »


III. Privacy topics

Internet and consumer privacy


The AEPD noted in its 2007 Annual Report that in the case of peer-to-peer (P2P) litigation, where the legal subjects of privacy and copyright merge, only a law could define which personal data can be used and for which purposes, as well as define the right balance between data protection and intellectual property.1 The Director of the AEPD referred to the Court of Justice's decision of 28 January 2008, according to which the "copyright directives do not require the disclosure of personal data in civil proceedings, and that Member States' competent authorities should take measures to ensure the balance between copyright and intellectual property, on the one hand, and privacy and personal data protection, on the other."2

At the administrative level, the Spanish Data Protection Authority recommended an initiative to promote special precautions to avoid the unwanted exchange of sensitive personal data on the Internet via peer-to-peer (P2P) file-sharing networks. The AEPD stressed that users should be aware of the risks of disseminating information stored on their computers, as well as avoiding inadvertent sharing on the Internet of any folders in which files with personal data have been stored.3


There is nothing to report under this section.

Online behavioural marketing and search engine privacy

On 1st December 2007, the AEPD issued a recommendation about Internet search engines. The document recommends that the information included in search engine privacy policies on the use of users' personal data is not clear enough, and probably not understandable for the general community of Internet users. It also notes that it is necessary to limit the use and storage of personal data. Once the information is no longer necessary for the purposes of the service, it must be deleted. Search engine services are under the obligation of allowing data subjects to exercise the rights of removal and opposition where their personal data are listed on other websites. It also called attention to the need to establish international standards to define and agree upon rules for guaranteeing privacy on the Internet.4

The AEPD has received a lot of complaints from people exercising their right as data subjects to cancel the publication of their personal data in the official gazettes. The Data Protection Authority of Madrid (Agencia de Protección de Datos de la Comunidad de Madrid, or APDCM) made a Recommendation (2/2008) about the publication of personal data in official gazettes5 and on the websites of public institutions of the Region of Madrid.6 The issue arose after it was shown that people's names and identifying information can be easily found in the official gazettes by the simple use of an online search engine. The Recommendation mandates public institutions of the Region of Madrid, whenever they publish administrative acts in official gazettes or on their websites (such as fines, subventions, etc.) to apply the quality principle. For example, in the case of subventions, the quality principle dictates only to publish the total score of subventions, not their partial one. Official gazettes also have implemented that principle in a way that prevents the names of people published in them from being indexed by online search engines. As an answer, the City Council of Madrid issued an Instruction7 regarding the publication of personal data in its Official Gazette, while the Data Protection Authority of Catalonia (Autoridad Catalana de Protección de Datos/Autoritat Catalana de Protecció de Dades8) published a recommendation regarding the publication on personal data on the Internet.9

Online social networks and virtual communities

The claims before the AEPD grew by 45 percent in 2008, with a particular worry by citizens for the Internet and online social networks.10

The AEPD has worked with Tuenti (the Spanish social network for young people with more than 8 million users) and Facebook in order to implement a system of user verification (parental consent) for children under 14 years of age.

Online youth safety

The Law 34/2002 of 11 July 2002 on Information Society and E-commerce was modified by Law 56/2007 of 28 December 2007 on Measures to Promote E-commerce.11

The LOPD prohibits the collection of personal data from minors under 14 years of age without their parents' or tutors' consent. As many profiles on social networking websites belong to minors under 14, several initiatives have been launched in the last two years in Spain to improve how those websites protect and control minors' activities. Greater involvement by national education authorities and parents has also been demanded.

On 9 February 2010 the Safe Internet International Day was celebrated (Día Internacional de Internet Seguro), promoted by the European Commission and organised in the European union by INS@FE, the European network of awareness centres "promoting safe, responsible use of the Internet and mobile devices to young people",12 and in Spain, by the association "Protégeles" (Protect Them).

The AEPD has also organised several activities aimed at raising awareness of privacy among minors with guidelines and a special area in its website.13

In 2009 and 2010, the Madrid Data Protection Authority (APDCM) launched a project addressed to minors with presentations about privacy risks on the Internet that it delivered in all 404 secondary schools of the Region of Madrid with the help of school teachers, directors and tutors, 60 privacy experts (magistrates, lawyers and consultants). The APDCM gave students a manual on Internet privacy14 produced by the Commission on Liberties and Information Technology (Comisión de Libertades Informáticas, or CLI).15 Other data protection authorities (from Catalonia and the Basque Country) have also elaborated materials addressed specifically to minors.16

The non-profit association CLI developed the "CLI-PROMETEO" Project aimed at promoting the use of information technologies among minors and teenagers, together with the protection of personal data. The project has been subsidised by the Department of Industry, Tourism and Trade and supported by diverse institutions, among them the Spanish AEPD.

Workplace privacy

The Supreme Court decided in July and September 2007 two cases about privacy in the workplace. The first one tried to determine whether it is possible for an employer to use fingerprints to control employees' work schedule, which the Court considered that in that case it is. The second case dealt with an employer's use of email and Internet monitoring tools in the workplace. The Court defined Internet and email as "a tool that employers provides to employees in order to facilitate their work", and considered that employers may use monitoring tools but only upon adequate notice to his employees.

On 7 November 2005, the Constitutional Court decided that trade unions can email workers even if the workers are not trade union members, in order to inform them of their activities. However, workers can exercise the right to cancel, or object to such mailing. The employer does not have the obligation to install an email system in his company. However, if the employer installs it, it has to facilitate its use by trade union of emails so that they may inform company employees about their activities.

Health and genetic privacy

Health privacy

The CLI, after four months of work with the Ministry of Health and Consumer Protection, supports the current implementation of the "Clinical Digital History in the National Health System" Project.

Some regions in Spain have implemented the electronic medical record. The Department of Health and the Regions are working on implementing the electronic prescription.17

Law 14/2007 of 3 July 2007 about Biomedical Investigations18 regulates many of the issues related to genetic data like, for example, the conditions to delete genetic data for biomedical investigation purposes. Organic Law 7/2006 of 21 November 200619 regulates doping: the data that must be communicated to international doping authorities.20 Law 29/2006 of 26 July 2006,21 while it regulates the rational use of medicines, some of its provisions deal exclusively with the protection of patients' personal data. It is not necessary to obtain the data subject's consent to process a communication of personal data that are the consequence of implementing an information system based in prescription (paper or electronic).

Genetic privacy

Law 14/2007 of 3 July 2007 about Biomedical Investigations22 regulates many of the issues related to genetic data like, for example, the conditions to delete genetic data for biomedical investigation purposes.

Financial privacy

On 29 June 2006, the AEDP opened an investigation into the SWIFT case.23 SWIFT, the Society for Worldwide Interbank Financial Telecommunication, handles financial wire transfers for banks throughout the world.24 The AEDP investigation followed a complaint from Privacy International.25 SWIFT had been covertly disclosing financial data to U.S. authorities. Privacy International complained that this disclosure fell within the scope of the Spanish Data Protection Law, and that SWIFT handled over 45 million Spanish financial messages for over 140 Spanish banks and institutions.26 The AEDP later joined other European data protection Agencies in approving an Article 29 Working Group Opinion on the SWIFT matter.27 The opinion concluded that SWIFT and European Financial institutions had failed to respect the provisions of the EU Data Protection Directive 95/46/EC.28