On September 16, 2020, the Spanish Supervisory Authority (“AEPD”) approved a “Code of Conduct for Data Processing in Advertising” (“Code”) (see the decision approving the code here). This is the first GDPR approved Code of Conduct with an accredited monitoring body in the European Union. The Code enters into effect on November 17, 2020, two months after its approval.

Below we provide a brief FAQ about the Code.


Continue Reading The Spanish Supervisory Authority Approves a GDPR Code of Conduct on Advertising

On March 12, 2020, the Spanish Supervisor Authority (“AEDP”) issued a statement and a report on data protection and COVID-19. The AEPD highlights that controllers processing personal data in the context of their effort to prevent COVID-19 must comply with the GDPR, the Spanish Data Protection Law and the Spanish sectorial health laws. However, the AEPD underlines that these laws do not stand in the way of addressing the challenges posed by the COVID-19 epidemic.

Continue Reading Spanish Supervisory Authority Issues Statement on Data Protection and Coronavirus

On November 8, 2019, the Spanish Supervisory Authority (“SA”) issued detailed guidance on cookies and similar technologies in collaboration with stakeholders in the ad industry, including Adigital, Anunciantes, AUTOCONTROL and IAB Spain. The guidance is divided in 4 chapters:

  • Chapter 1: scope of the Spanish cookie rules (Art. 22 of Law 34/2002);
  • Chapter 2

On 25 June, the Advocate General (the “AG”) submitted an Opinion on a set of questions that a Spanish court referred to the Court of Justice of the European Union (the “Court”). This is the first time that the Court has been asked to interpret the European Data Protection Directive 95/46/EC (the ‘Directive’) in the context of internet search engines. The questions concern three main issues:

  • the territorial scope of and the applicable national law under the Directive;
  • whether search engine providers are data controllers; and,
  • whether there is a right to be forgotten.

The proceedings were triggered by an individual who was the subject of some press reports in a newspaper in early 1998. In 2010, he requested Google Spain not to show any links to the newspaper when users entered his name in the Google search engine. The publisher, whom the individual also contacted, refused to erase the relevant data. The individual therefore lodged a complaint with the Spanish data protection authority, which subsequently ordered Google Spain and Google Inc. to take the measures necessary to withdraw the data from their index and to render future access to the data impossible. Google appealed the decision to a Spanish court, which referred the aforementioned questions to the Court for a preliminary ruling.


Continue Reading Advocate General Submits Opinion in Google Spain Case

The Court of Justice of the European Union (“CJEU”) in Luxembourg heard argument yesterday concerning the “right to be forgotten”—specifically, whether search engines such as Google must block search results when asked by European citizens to remove references to themselves. 

This particular case—which is representative of approximately 200 similar cases in Spain—came before the CJEU when Google declined to comply with an order from the Spanish Data Protection Authority.  A Spanish citizen, Costeja, wanted Google to de-list references to a publication in a Spanish newspaper in 1998, which discussed the auction of Costeja’s house in connection with his failure to pay social insurance contributions.

Google has taken the position that search engines should not be obligated to remove links to valid (i.e., non-incorrect, defamatory, or otherwise illegal) material that exists online.  Rather, only the original publisher can make the decision to remove such content, at which point it will disappear from the search engine index once removed from source webpages. 


Continue Reading Must Google Forget You?