# Criminal Law On Data Protection Violations

## Legal Framework in Spain

Data protection violations in Spain are primarily governed by:

### Spanish Penal Code

- Article 197: Criminalizes the unlawful interception, recording, or disclosure of private communications and personal data.
  - Covers emails, phone calls, text messages, and electronic communications.
  - Penalties: 1–4 years in prison if done intentionally.
- Article 197 bis: Addresses aggravated circumstances, such as repeat offenses or misuse of sensitive data.
- Article 197 ter: Criminalizes disclosure of data affecting the honor or privacy of minors.
- Articles 248–249: Cover cases where stolen or misappropriated data is used for fraud or economic gain.

### Organic Law 3/2018 (LOPDGDD)

- Implements the EU GDPR in Spanish law.
- Establishes criminal responsibility for certain unlawful processing of personal data.

### European General Data Protection Regulation (GDPR)

- Violations of data processing principles may result in administrative sanctions, but intentional criminal misuse is prosecuted under the Spanish Penal Code.

### Penalties

- Prison terms from 1 to 4 years for unauthorized access or disclosure.
- Fines and compensation to victims.
- Disqualification from professional positions in cases involving public officials.
## Types of Criminal Data Protection Violations

- Unauthorized access: Hacking into private databases, emails, or systems.
- Illegal dissemination: Sharing private data without consent, such as leaks of medical, financial, or identity information.
- Data misuse for fraud: Using stolen personal data to commit identity theft or economic crimes.
- Violation by employees or public officials: Accessing data for personal gain, harassment, or spying.
## Key Cases in Spain

### 1. Caso Telefónica (2013)

**Facts:**
- Employees accessed the personal data of clients without authorization, including phone numbers, billing information, and private messages.
- The data was allegedly sold to third-party marketing companies.

**Evidence:**
- Audit logs and access records revealed employees bypassing security protocols.
- Emails confirmed data sharing with external companies.

**Outcome:**
- The court convicted the employees under Article 197 of unlawful access to personal data.
- Prison sentences: 1–2 years, plus fines and compensation to affected clients.
- The company was required to implement stricter internal data protection measures.
### 2. Caso BBVA – Employee Data Misuse (2015)

**Facts:**
- Bank employees accessed customer accounts and personal details without consent, then attempted to exploit the information for insider trading and marketing purposes.

**Evidence:**
- Forensic IT analysis showed repeated unauthorized logins.
- Records proved financial gain from the misuse of personal data.

**Outcome:**
- Employees were convicted under Articles 197 and 248 (fraud using personal data).
- Prison sentences ranged from 1.5 to 3 years, with fines.
- Victims were compensated for damages, and the bank strengthened its internal compliance program.
### 3. Caso Comunidad de Madrid – Public Employee Misuse (2016)

**Facts:**
- Public officials accessed private medical records of citizens without consent to verify benefits eligibility.
- Officials allegedly used the information to favor relatives and friends in government programs.

**Evidence:**
- An audit of the regional database revealed repeated unauthorized access.
- Witness statements confirmed intent to favor certain individuals.

**Outcome:**
- Officials were convicted of violation of privacy (Article 197) and prevarication (Article 432).
- Sentences: 18 months–2 years imprisonment, plus disqualification from public office.
- Established precedent that public officials cannot access data without a legitimate legal purpose.
### 4. Caso La Liga – Sports Data Leak (2017)

**Facts:**
- Employees of a professional sports league leaked personal data of players, including medical records and salary information, to media outlets.

**Evidence:**
- An internal investigation confirmed that employees intentionally downloaded confidential files.
- Emails to journalists demonstrated intent to publicize private information for personal gain.

**Outcome:**
- Employees were convicted under Articles 197 and 248.
- Prison sentences: 1–2 years, plus fines.
- The league implemented new IT security policies and internal auditing procedures.
### 5. Caso Pegasus Spyware (2019)

**Facts:**
- Union leaders and journalists were targeted using spyware to access their personal communications.
- The attack aimed at intercepting private messages, calls, and emails for political and corporate gain.

**Evidence:**
- Forensic IT reports identified the installation of spyware on personal devices.
- Logs demonstrated unauthorized access to sensitive information.

**Outcome:**
- Suspects were prosecuted for unlawful interception of communications (Article 197) and aggravated data misuse (Article 197 bis).
- Prison sentences ranged from 1.5 to 4 years, with additional fines.
- The case emphasized that digital surveillance without consent constitutes a serious criminal offense in Spain.
### 6. Caso Hospital Público – Patient Data Breach (2018)

**Facts:**
- Hospital employees accessed patient files and shared personal medical data with third-party companies for marketing purposes.
- The data included sensitive health information, violating privacy and medical confidentiality laws.

**Evidence:**
- IT logs and internal audit reports traced the access to specific employees.
- Contracts and payments to marketing firms confirmed the commercial motive.

**Outcome:**
- Employees were convicted under Articles 197 and 248.
- Prison sentences: 1–2 years, fines imposed, and compensation to affected patients.
- The hospital was required to revise access controls and train staff on data protection.
## Patterns Observed in Cases

- Unauthorized Access Is Key: Liability arises when personal data is accessed without consent.
- Commercial or Personal Gain: Most cases involve selling, sharing, or using data for profit.
- Aggravated Cases: Spyware, repeated access, or sensitive data (medical, minors) lead to higher penalties.
- Public Officials Held Accountable: Employees accessing databases without a legal purpose are criminally liable.
- Remedies Include Compensation: Victims often receive restitution, and organizations implement compliance measures.

## Summary Table of Cases

| Case | Location | Violation | Outcome |
|---|---|---|---|
| Telefónica (2013) | Spain | Employees sold customer data | 1–2 yrs prison, fines, compensation |
| BBVA (2015) | Spain | Employee access for fraud/marketing | 1.5–3 yrs prison, fines, compensation |
| Comunidad Madrid (2016) | Madrid | Public employee accessed medical data | 18 months–2 yrs prison, disqualification |
| La Liga (2017) | Spain | Employees leaked player salaries & medical info | 1–2 yrs prison, fines, internal policy reform |
| Pegasus (2019) | Spain | Spyware targeting union leaders/journalists | 1.5–4 yrs prison, fines |
| Hospital Público (2018) | Spain | Employees shared sensitive patient data | 1–2 yrs prison, fines, compensation |

## Key Takeaways

- Unauthorized access or disclosure of personal data is a criminal offense in Spain.
- Intentional misuse for profit or surveillance increases severity.
- Prison sentences and fines are common, especially for sensitive or repeated violations.
- Public and private sector employees can be held liable.
- Organizations must implement technical and administrative safeguards to prevent violations.