The Bottom Line
- Increased Scrutiny for Litigants: Expect a more data-savvy judiciary. Spanish courts will increasingly apply a data protection lens to evidence and procedures, raising compliance expectations for all parties involved in legal disputes.
- Higher Standards for Service Providers: Technology vendors, legal tech firms, and other service providers acting as data processors for the Spanish justice system will face stricter oversight, including the possibility of preventive audits.
- Proactive Compliance is Key: The plan’s focus on creating clear guidance and training for judges presents an opportunity. Aligning your company’s data handling practices with these forthcoming judicial standards can prevent future compliance headaches.
The Details
Spain’s General Council of the Judiciary (CGPJ), the governing body of the country’s judges, has unveiled a new strategic plan that will significantly ramp up data protection enforcement and awareness within the judicial system from 2026 to 2028. The plan, developed by the Council’s Data Protection Supervision and Control Directorate (DSYCPD)—the specific data protection authority for judicial proceedings—lays out a clear roadmap for embedding robust data privacy principles into the day-to-day operations of the courts. This signals a strategic shift from foundational compliance to a more proactive and supervisory posture.
The core of the three-year plan is built on two key pillars: proactive guidance and active supervision. The Directorate will develop and publish a comprehensive Guide on data protection in the judicial sphere to sensitize judges and court staff to their obligations. This will be supported by new training courses and the integration of data protection as a core subject in the Judicial School and judicial entrance exams. Crucially, the plan also introduces a more assertive supervisory role, empowering the Directorate to conduct “preventive inspections and audits” of judicial bodies to ensure compliance, in addition to handling complaints from individuals.
For business leaders and legal counsel, this internal judicial plan has significant external implications. A judiciary that is highly trained and audited on data protection will naturally hold companies participating in legal proceedings to a higher standard. This impacts everything from e-discovery and evidence submission to the handling of personal data within lawsuits. Furthermore, any company providing services to the courts—from cloud hosting to translation services—is considered a data processor and will fall under this intensified scrutiny. The plan’s emphasis on collaboration with other authorities, like the main Spanish Data Protection Agency (AEPD), points toward a more unified and rigorous enforcement landscape across Spain.
Source
Consejo General del Poder Judicial (General Council of the Judiciary)
