Tuesday, April 14, 2026

Leading by Example: Spanish Judiciary Adopts Strict GDPR-Style Data Breach Rules

THE BOTTOM LINE

  • The 72-Hour Rule is Non-Negotiable: Spain’s court system is now holding itself to the same strict 72-hour data breach notification deadline that businesses must follow. This signals that regulators and judges will expect nothing less than full and timely compliance from the private sector.
  • Incident Response Plans Under Scrutiny: The new judicial protocol emphasizes rapid risk assessment and clear communication to affected individuals. CEOs should ensure their own internal data breach response plans are robust, tested, and capable of meeting these high standards.
  • A New Benchmark for Compliance: By formalizing its own data protection procedures, the Spanish judiciary is setting a clear benchmark for what it considers “best practice.” Companies involved in litigation can expect increased scrutiny of their own data handling and breach response measures.

THE DETAILS

The General Council of the Judiciary (CGPJ), the governing body of Spain’s courts, has approved a new internal procedure for managing and notifying personal data breaches. This move, initiated by its Directorate for Data Protection Supervision and Control (DSYCPD), formalizes how all judicial bodies must act when data processed for court purposes is compromised. The procedure is a key part of the DSYCPD’s Strategic Plan for 2026-2028, aiming to mitigate the impact of security incidents and reinforce data protection within the justice system itself.

The requirements laid out in the procedure will sound familiar to anyone working with the GDPR. If a breach occurs that is likely to pose a risk to individuals’ rights and freedoms, the judicial body must notify the DSYCPD within a maximum of 72 hours of becoming aware of it. Furthermore, if the breach could result in a high risk to those rights—such as the exposure of sensitive legal or financial information—the affected individuals must be informed “without undue delay.” The rules cover all types of security failures, including breaches of confidentiality (unauthorized access), integrity (data alteration), and availability (data loss).

While this procedure applies directly to the judiciary, its signal to the business community is unmistakable. The Spanish legal system is demonstrating its deep commitment to the principles of European data protection law, not just by enforcing it but by embedding it into its own operations. For CEOs and legal counsel, this development serves as a critical reminder: the standards for data breach response are high, and the expectation of swift, transparent action is now being modeled by the very institutions that interpret the law. Excuses for delays or inadequate internal procedures are unlikely to find a sympathetic ear.

SOURCE

Source: Consejo General del Poder Judicial

Kya, https://lawyours.ai
Hello! I'm Kya, the writer, creator, and curious mind behind "Lawyours.news"