THE BOTTOM LINE
- Higher Standard of Care: Spain’s highest judicial governing body is now holding the court system itself to strict GDPR-aligned data breach standards. This signals an elevated expectation of data security for all entities operating in Spain.
- Impact on Litigation: Companies involved in Spanish legal proceedings can now expect a formal, time-sensitive response if their sensitive data (e.g., commercial secrets, employee information) is compromised while in the court’s possession.
- Compliance Benchmark: This internal judicial procedure serves as a powerful reminder for all businesses: the 72-hour notification rule and high-risk assessments are non-negotiable pillars of Spanish data protection compliance.
THE DETAILS
Spain’s General Council of the Judiciary (CGPJ), the governing body for the country’s judges and courts, has formally adopted a new internal procedure for managing and notifying personal data breaches. The new protocol, developed by the CGPJ’s Directorate for Supervision and Control of Data Protection (DSYCPD), applies specifically to personal data processed by judicial bodies for jurisdictional purposes—that is, data handled during the course of legal cases. This move institutionalizes a clear and mandatory response plan for the courts themselves, aiming to mitigate the impact of any potential security incidents.
The procedure closely mirrors the requirements of the GDPR. It defines a data breach in line with established European standards, covering any incident leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of personal data. Crucially, it mandates that judicial bodies must notify the DSYCPD of any qualifying breach within a maximum of 72 hours of becoming aware of it. This aligns the judiciary’s internal obligations with the same strict deadline imposed on private companies, underscoring the authority’s commitment to these principles.
For CEOs and General Counsel, this development is significant for two reasons. First, it provides a clear framework for how sensitive corporate information will be handled in the event of a breach within the judicial system. If a breach poses a “high risk to the rights and freedoms” of individuals, the courts are now required to communicate the incident and its implications directly to the affected parties in clear and simple language. Second, it sends an unambiguous message to the market: Spanish authorities are not only enforcing data protection laws but are also embedding them into their own core operations. This action solidifies the 72-hour rule as a gold standard for incident response that all organizations should be prepared to meet.
SOURCE
Source: Consejo General del Poder Judicial (CGPJ)
