The Bottom Line
- Heightened Judicial Scrutiny: Expect Spanish judges to be more knowledgeable and critical about data protection issues. A new plan mandates intensive training for the judiciary, raising the bar for how corporate data is handled in litigation.
- New “Rules of the Road”: The judicial authority will publish official guides on data protection within court proceedings. Companies and their counsel must adapt their litigation strategies to this forthcoming guidance to ensure compliance.
- Increased Compliance Culture: The plan empowers a dedicated supervisory body to audit courts and handle data-related complaints. This internal focus will create a ripple effect, increasing expectations for data diligence from all parties involved in legal disputes.
The Details
Spain’s General Council of the Judiciary (CGPJ), the governing body of the country’s courts, has unveiled a new strategic plan focused on data protection for 2026-2028. The initiative is being driven by its internal Data Protection Supervision and Control Directorate (DSYCPD), which acts as the official data protection authority for all data processing carried out by courts for judicial purposes. While the plan’s focus is internal, its impact will be felt by any company involved in or facing litigation in Spain. The strategy is built on six pillars: ensuring regulatory compliance, providing legal advice, delivering training, active supervision, institutional cooperation, and public communication.
For business leaders and legal teams, the most significant elements are the commitments to training and guidance. The plan explicitly calls for the creation of a comprehensive “Guide on data protection in the judicial sphere” and the rollout of specialized courses for judges, prosecutors, and court staff. This initiative is designed to elevate the entire judiciary’s understanding of complex data protection laws like the GDPR. Consequently, businesses can expect judges to be far more sophisticated in their analysis of data-heavy evidence, privacy-related disputes, and data breach claims, demanding a higher standard of data management from litigants.
Furthermore, the plan reinforces the enforcement and supervisory role of the judicial data authority. The DSYCPD will not only handle complaints from individuals regarding the courts’ data processing but will also conduct proactive inspections and preventive audits of judicial bodies. This signals a move towards a robust internal compliance culture. This top-down focus on accountability means that the courts themselves will be held to a high standard, which will undoubtedly translate into higher expectations for the businesses and law firms that appear before them. The plan also emphasizes collaboration with national bodies like the Spanish Data Protection Agency (AEPD) and the European Data Protection Supervisor (EDPS), embedding the judiciary firmly within the broader European data protection framework.
Source
Consejo General del Poder Judicial (CGPJ)
