THE BOTTOM LINE
- Heightened Scrutiny Ahead: Expect increased data protection oversight within the Spanish judicial system. The authority’s new plan includes proactive inspections and preventive audits to ensure courts and their service providers are compliant.
- Guidance and Education on the Rise: A major push for data protection literacy is coming. A new official guide will be published, and data protection will become a core part of training and examinations for judges, raising the bar for data handling standards in legal proceedings.
- Impact Extends to Third Parties: The plan’s focus is not limited to courts. It explicitly targets third-party service providers (e.g., IT, cloud services) acting as data processors for the judiciary, signaling greater compliance burdens for businesses in this ecosystem.
THE DETAILS
Spain’s General Council of the Judiciary (CGPJ) has approved a new strategic plan for its internal data protection authority, the Directorate for Supervision and Control of Data Protection (DSYCPD). This three-year roadmap for 2026-2028 outlines the priorities for the body responsible for overseeing how personal data is processed for jurisdictional purposes. Unlike the well-known Spanish Data Protection Agency (AEPD), the DSYCPD has a specific remit: to ensure that the courts themselves, in their judicial capacity, handle personal data in full compliance with privacy laws. This new plan signals a more structured and proactive approach to data governance within one of the state’s most sensitive data environments.
The plan is built on a foundation of education and support, aiming to embed a culture of data protection within the judiciary. A cornerstone of this strategy is the creation and publication of a “Guide on data protection in the judicial sphere,” designed to provide clear, practical advice to judges and court staff. This will be supplemented with training courses and the integration of data protection as a formal subject in the Judicial School and in examinations for entry into the judiciary. The DSYCPD will also develop standardized templates to help courts respond correctly to data subject rights requests under GDPR and to clarify protocols for notifying security breaches, moving from a reactive to a preventive compliance model.
Alongside these supportive measures, the plan reinforces the DSYCPD’s supervisory role. The directorate will actively handle complaints from individuals and, crucially, will conduct its own inspections and preventive audits to assess compliance levels within judicial bodies. This signals a shift towards more direct oversight. Furthermore, the strategy emphasizes institutional cooperation, with the DSYCPD planning to work closely with the AEPD, the European Data Protection Supervisor (EDPS), and other international counterparts. This ensures that its approach remains aligned with broader national and European data protection standards, creating a more cohesive regulatory landscape.
SOURCE
Source: Consejo General del Poder Judicial (CGPJ)
