THE BOTTOM LINE
- Increased Scrutiny in Litigation: Expect Spanish courts and judges to become more knowledgeable and stringent regarding data protection rules. This will directly impact how personal data is handled as evidence and during legal proceedings.
- New Guidance is Coming: The authority will publish a comprehensive guide on data protection in the judicial sphere. This will become the go-to reference for legal teams, clarifying compliance obligations for any data processed by the courts.
- Proactive Audits and Inspections: The plan shifts from reactive complaint handling to proactive supervision, including preventive audits of judicial bodies. Companies interacting with the court system must ensure their data handling practices are fully compliant.
THE DETAILS
Spain’s General Council of the Judiciary (CGPJ) has announced a new strategic plan from its own internal data protection authority, the Directorate for Supervision and Control of Data Protection (DSYCPD). This body is distinct from the well-known Spanish DPA (AEPD) and acts as the specific supervisor for all data processing carried out by courts for judicial purposes. The 2026-2028 plan signals a significant step-up in focus and enforcement within the judicial system itself, structured around six key pillars: compliance, legal advice, training, supervision, institutional cooperation, and communication.
A central theme of the new strategy is education and standardization. The DSYCPD plans to roll out extensive training for judges, court clerks, and administrative staff, and even aims to embed data protection as a core subject in the Judicial School and entrance exams. Crucially, it will publish an official “Guide on data protection in the judicial sphere” and create templates for handling data subject rights requests and breach notifications. For businesses and their legal counsel, this means the judiciary will be operating from a more informed and consistent playbook, reducing ambiguity but raising the bar for compliance when submitting or handling data in court.
Perhaps most importantly for businesses, the plan emphasizes a more muscular approach to supervision. Beyond simply processing complaints, the DSYCPD will conduct proactive inspections and preventive audits to verify that judicial bodies are adhering to data protection law. This signifies a move towards active enforcement within the justice system. The plan also calls for closer collaboration with other regulators, including the AEPD and the European Data Protection Supervisor (EDPS), ensuring that best practices and enforcement trends from the wider data protection world will now more directly influence the Spanish courts.
SOURCE
Source: Consejo General del Poder Judicial (CGPJ)
