THE BOTTOM LINE
- Increased Scrutiny on Data in Litigation: Expect Spanish courts to apply data protection principles more rigorously to evidence and case files, impacting how your company manages and submits information during legal disputes.
- New Risk of Proactive Audits: The plan includes inspections and preventive audits of judicial bodies. While not targeting companies directly, this could uncover data handling issues in court submissions, potentially affecting ongoing cases.
- A More Data-Aware Judiciary: With planned training and official guidance for judges, businesses and their legal counsel must be prepared to address more sophisticated data protection arguments in court.
THE DETAILS
Spain’s General Council of the Judiciary (CGPJ) has announced a new strategic plan from its own data protection authority, the Directorate for Supervision and Control of Data Protection (DSYCPD). This body is a specialized watchdog, separate from the main Spanish DPA (AEPD), tasked with overseeing how personal data is processed for judicial purposes. The 2026-2028 plan outlines a clear roadmap to embed robust data protection practices within the country’s courts, signaling a significant shift towards stricter enforcement and heightened awareness that will have a direct impact on any company involved in Spanish litigation.
The plan moves beyond reactive complaint handling, emphasizing proactive supervision and the creation of clear, standardized guidance. Key initiatives include conducting “inspections and preventive audits” to assess compliance levels within courts. Furthermore, the DSYCPD will publish an official “Guide on data protection in the judicial sphere.” This will provide judges and court staff with a unified framework for handling sensitive information, from evidence submission to responding to data subject access requests. For businesses, this means the days of treating court filings as a data protection-free zone are over; the legal basis and proportionality of data submitted as evidence will face greater scrutiny.
A central pillar of the strategy is enhancing the data protection expertise of the judiciary itself. The plan calls for dedicated training courses for judges, court clerks, and administrative staff, and even integrating data protection into judicial entrance exams. This investment in education will cultivate a judiciary that is more critical and knowledgeable about data privacy issues. Consequently, legal teams should anticipate and prepare for more detailed questions and potential challenges related to data handling, security breaches, and data subject rights within the context of legal proceedings. The plan also includes cooperation with other European data authorities, ensuring its approach remains aligned with broader EU privacy standards.
SOURCE
Source: Consejo General del Poder Judicial (CGPJ)
