Tuesday, April 14, 2026

Spanish Courts Mandate New Data Breach Protocol for Litigation Data

THE BOTTOM LINE

  • Increased Scrutiny: Spain’s judicial system has formalized its data breach response, meaning sensitive corporate data submitted in legal proceedings (e.g., client files, commercial secrets, employee data) is now protected under a new, specific notification protocol.
  • Strict Reporting Deadlines: Judicial bodies must now report data breaches to a dedicated supervisory authority within 72 hours, setting a high bar for incident response that could influence how litigation data is managed and secured.
  • Heightened Transparency & Risk: For high-risk incidents, affected parties (including companies and individuals involved in litigation) must be notified directly, increasing transparency but also the potential for reputational risk if their case-related data is compromised.

THE DETAILS

The General Council of the Judiciary (CGPJ), Spain’s governing body for the justice system, has introduced a formal procedure for managing and reporting personal data breaches within the courts. This move, driven by its new Data Protection Supervision and Control Directorate (DSYCPD), aims to standardize the response to security incidents involving data processed for jurisdictional purposes. The procedure defines a breach broadly, covering any incident that leads to the unauthorized destruction, loss, alteration, or disclosure of personal data, and categorizes such incidents as breaches of confidentiality, integrity, or availability, mirroring established GDPR principles.

This new protocol solidifies the application of data protection law, specifically the GDPR and Spain’s Organic Law 7/2021, to the unique context of the judicial system. By establishing the DSYCPD as the dedicated supervisory authority for data processed in legal proceedings, the CGPJ is signaling a significant commitment to data security. This creates a specialized oversight body focused purely on the sensitive information handled by courts, from evidence submitted in a commercial dispute to personal details in criminal cases. For businesses and their legal counsel, this means the judiciary is now holding itself to a clear and enforceable data protection standard.

In practical terms, the procedure establishes a two-tiered notification system. Any breach that poses a risk to the rights and freedoms of individuals must be documented and reported to the DSYCPD via a dedicated online form within a strict 72-hour window. Crucially, if a breach is deemed to present a high risk, the affected individuals or entities must also be informed “without delay” in clear and simple language. This direct communication requirement ensures that parties involved in litigation are promptly made aware of incidents that could compromise their sensitive information, giving them the opportunity to take mitigating action.

SOURCE

Source: Consejo General del Poder Judicial (General Council of the Judiciary), Spain

Merel