Until very recently, Spanish companies that wanted to process citizens’ Personal Data needed always their consent, except if said data were obtained from public sources. This is now changing.

The Supreme Court has partially overturned said prohibition, included in the Spanish regulations governing Personal Data Processing. It has adapted into Spanish Law a previous Decision of the Court of Justice of the European Union (ECJ).

The European Directive, and by extension Spanish Law, requires the consent of those affected, before their Data are processed. The Spanish regulations extended the need of consent, unless the Data appeared in publicly available sources.

Hence, companies could not use / produce Data Files with information about fraudulent activities, with the “consent” of the fraudster!!!

In November, the ECJ opposed the Spanish rules, because they excluded “categorically and in very general terms” all kind of processing of Data that are not included in publicly available sources. And it also established that Art. 7 (f) of the Directive was “directly applicable” in Spain.

Does the Court Decisions mean that Spanish companies have now absolute freedom in their processing of personal data? This is not the case. But the Spanish Supreme Court recognizes that the Spanish rulings on Data Processing had gone too far.

The Spanish Decision allows that Spanish companies process Data, even if not obtained from a public source, if they have a “legitimate interest”. Accordingly, Data processing of fraudulent activities will be permitted. This is an important modification on Spanish rules on Data processing.

Santiago Nadal