THE BOTTOM LINE
- Increased Scrutiny in Litigation: Companies involved in Spanish legal proceedings can expect heightened scrutiny of how sensitive commercial and personal data is handled by the courts, as judges and staff receive dedicated data protection training.
- New Compliance Bar for Court Vendors: Service providers and tech companies acting as data processors for the Spanish justice system will face more rigorous oversight and preventive audits to ensure compliance with data protection laws.
- Forthcoming Official Guidance: A new official guide on data protection in the judicial sphere will be published, providing critical clarity for legal teams on the rules for submitting and protecting data during court cases.
THE DETAILS
Spain’s General Council of the Judiciary (CGPJ) has announced a comprehensive strategic plan for data protection, set to run from 2026 to 2028. The plan is being driven by its specialized internal authority, the Directorate for Supervision and Control of Data Protection (DSYCPD), which acts as the official data protection regulator for all data processed by Spanish courts for jurisdictional purposes. The plan is a significant step toward embedding robust data privacy principles directly into the justice system, shifting it from reactive compliance to a proactive enforcement and awareness footing.
The three-year plan is built on six strategic pillars, but three areas will have the most direct impact on businesses. First, the DSYCPD will focus heavily on training and awareness, rolling out courses for judges, clerks, and court staff. This means the judiciary will be more sophisticated in identifying and managing data protection issues, from redacting sensitive information to handling data subject access requests within the context of a legal case. Second, the authority will ramp up its supervision through preventive inspections and audits of court operations, ensuring that the rules are not just known but consistently followed.
For CEOs and General Counsel, this plan has clear implications. Any interaction with the Spanish courts—whether as a litigant, a witness, or a third party providing evidence—will now occur within a stricter data protection framework. The forthcoming official guide will become essential reading for legal departments, clarifying the procedures for handling everything from trade secrets to employee data in submissions. Furthermore, the plan’s emphasis on cooperation with other authorities, including the main Spanish DPA (AEPD) and the European Data Protection Supervisor, indicates that the judiciary’s approach will be aligned with broader national and EU enforcement trends.
SOURCE: Consejo General del Poder Judicial (CGPJ)
