Not Fine to be Fined: Spanish Data Protection Agency Guide

    As Consultants, you will more than likely handle information of a sensitive nature whilst collaborating with clients. Personal



How safe is your clients' data?

How safe is your clients’ data?

As Consultants, you will more than likely handle information of a sensitive nature whilst collaborating with clients. Personal data is a person’s most precious commodity. In a technological age where it is so easy to hack into somebody else’s bank account, steal social security details etc, it is no wonder that the majority are a little hesitant when it comes to handing over their personal information. As a professional, how can you reassure your client that their data is safe with you? What legal obligations do you have in that regard? Even though this article is based on Data Protection laws in Spain, most countries have similar legislation so it would be a good idea to find out what your obligations are in your place of residence.

To answer many of the burning questions you may have, I have spoken to an expert in this particular field, José Ángel Campos Sánchez whose company, Pengdolph IT & Services,  is on a mission to inform other companies and individual business-owners of how to comply with these strict laws.

So, José, what exactly is Data Protection?

The Organic Law for the protection of data of a personal nature and the regularities of security measures of automated files with personal data are the basics for all companies and self-employed persons who in their day to day work deal with personal data. This law establishes how this data should be collected, stored, conserved, what consent is necessary etc. This refers to data stored in paper or digital format.

Who is obliged to comply with this law?

All self-employed persons, communities of owners and companies both public as well as private that have security cameras or files that hold personal data of their clients, owners, tenants or employees are obligated to comply with this legislation.

Thanks to the data protection agency, the Spanish Tax Office collected more than 250 million Euros in fines during last year alone and for this precise reason, fines in this regard have been increased this year.

Last year, the fine for not registering your company with the Data Protection Agency was set at 600€ but today it stands at 900€ and there is no appeal process against any decision made by the Agency as they, like the Tax Office are a public organization.


I Spy... Do Your Cameras Comply with the Data Protection Act?

I Spy… Do Your Cameras Comply with the Data Protection Act?


When am I obliged to register?

Registration should take place within the first 30 days of starting to deal with a client’s personal data. There are currently various fines in process due to the lack of registration by many.

If I register with the Data Protection Agency, is that it?

No, just registering does not mean you are complying with the law. Once you have registered, a security document has to be created, contracts for the transfer of data, internal procedures and various other documents as well as an incident book which is obligatory for the audits and inspections are necessary, amongst other things.

If you work from an office, there are other security requirements that must be complied with in regards to the treatment of personal data. Inspections by the agency are carried out periodically, without prior notice and even though the law states that an audit is obligatory every two years, inspections are normally done well before the stipulated time. For that reason, I recommend an internal audit be carried out every six months or at least once a year.

If the Agency audits my company and finds fault with it, what type of fine could I be facing?

At present, there are three types of fines; mild, severe and very severe – in money terms, from 900€ up to 601.000€. To give you an example; not registering in the data protection agency would create a fine of between 900€ to 60.000€. Each case varies depending on the type of data that is manipulated. A tax consultancy office for example, handles the bank details of its clients so the fine would be around 45.000€ to 60.000€. A bar however only handles the details of its employees so the fine would be from around 900€ to 1.800€

The data protection agency is not the only one to report you for non-compliance. The local police as well as the military police are also reporting those companies who have misused client data or used it without the proper authorization. Those companies that have security cameras on their premises must also be very aware because the fines in this regard are quite severe (up to 600.000€) even if the cameras do not actually record images.

So, does that mean that I have the right to know how a company uses my personal data?

Yes, that’s exactly so. You even have the right to access the data they possess as well as to modify or even cancel it.

What exactly does your company, Pengdolph IT & Services do and what value does it have?

My company adapts your company so that it fully complies with each and every aspect of data protection laws.

What has been your experience whilst dealing with people who aren’t well informed on such matters?

Well, once I explain the basics of the law and why they must register, I have found that the majority think that it’s the same as driving, as long as the police don’t stop you, you’re fine but that’s not the case. The tax office itself will begin to request registry documentation and as I mentioned before, last year they received 254 million Euros in fines.

But on the whole, do people accept the information or not?

People are always resistant to change even though it may benefit their company but the law obliges us to adapt. We always think it won’t happen to us but why chance it? Why not make the necessary changes before it’s too late?

Finally, what advice would you give to those who have not as yet registered?

I always say it is better to tackle issues now before they become a serious problem. Also, I would recommend a licensed company, equipped to properly deal with your company’s registry but even if this is the case, you are not exempt from being fined for not complying with the rest of the data protection act. As with any profession, there are people who carry out business activities without the necessary qualifications so you need to double check their credentials. You’ll note that on the Agency’s website there is a multitude of pending lawsuits against companies who due to bad advice do not comply with the law.

I’d like to thank José for taking the time to answer my questions. Here you have all the main facts about the data protection act. Now it is up to you to take action to ensure that your company complies with the law. Not only will it reassure potential clients, it will also protect your current ones.

Your Data Protection Expert

Your Data Protection Expert

Contact Pengdolph IT & Services for further information:


About Sabrina L. Williams

Although I was born in the UK, I moved to the Canary Islands, Spain at a young age and I haven't looked back. The Canaries is a fantastic place to live, I mean you can do all types of outdoor activities practically all year round because of the great weather. Horses are my poison but the islands are also a superb spot for water sports so they do attract a lot of attention from people around the world. Anyway, enough about that. Back in 2011, I made one of the biggest, scariest yet best decisions I'd ever made and set-up my own business in the middle of a recession. I love what I do as no two days are the same, plus Spanish law keeps me on my toes as it is constantly changing (often without warning!) so there is always something new to learn. As I've branched out in the world of Administrative Consultancy, I decided to create a blog to discuss topics of interest to others in my industry and my clients, share tips and experiences, to see what new ideas people have for improving their businesses and the like so I hope you'll find the time to join me on this venture...

Leave a Comment