EPIC --- Privacy and Human Rights Report
|Title Page Previous Next Contents | Country Reports >Kingdom of Spain|
The Spanish Constitution recognizes the right to personal privacy, secrecy of communications, and the protection of personal data. Article 18 of the Constitution states, "(1) The right of honor, personal, and family privacy and identity is guaranteed. (2) The home is inviolable. No entry or search may be made without legal authority except with the express consent of the owners or in the case of a flagrante delicto. (3) Secrecy of communications, particularly regarding postal, telegraphic, and telephone communication, is guaranteed, except for infractions by judicial order. (4) The law shall limit the use of data processing to guarantee personal and family honor, the privacy of citizens, and the full exercise of their rights."
The first Spanish Data Protection Act (LORTAD) was enacted in 1992, and was succeeded in 1999 by an amended Data Protection Act (LOPD) that brought Spanish law in line with the European Union Data Protection Directive. The LOPD applies to information held by the public and private sectors. The law establishes the right of citizens to know what personal data is contained in electronic records and grants citizens the right to correct or delete incorrect or false data in those records. Additionally, the LOPD also restricts the disclosure of personal information to a third party by requiring the consent of the individual to the specific purpose for which the data was collected. Additional protections are also provided for sensitive personal data. Consumer groups, however, are concerned about the law's provisions allowing use of information without consent unless the consumer has opted out of such use. In 1999, regulations on the secondary measures required to be taken to protect electronic data systems were issued in accordance with the LOPD.
The Spanish Data Protection Agency (Agencia Española de Protección de Datos, or AEPD) is charged with enforcing the LOPD. In 2000, the country's data protection laws and the AEPD's authority to enforce those laws was challenged and the Constitutional Tribunal of Spain issued three judgments clarifying the issues that arose. The first was a constitutional challenge against the 1992, law for breach of the provisions of the country's constitution relating to distribution of power between the State and other agencies (in this case the AEPD). The court rejected this challenge. The second concerned another constitutional challenge which was originally brought against the 1992 law but which carried over to the 1999 law. This judgment upheld the constitutionality of the law generally, although the court struck down certain provisions allowing government agencies to transfer personal information on Spanish citizens without a citizen's permission. The court ruled that these provisions infringed on the privacy rights guaranteed to citizens by Title 18 of the Spanish Constitution. The third case concerned an employer's processing of an employee's health data. The court ruled that the applicant's constitutional privacy rights were breached when the employer noted the employee's medical diagnosis on the sick leave records.
As part of their enforcement of the country's data protection laws, the AEPD maintains a registry of information databases in Spain and can investigate violations of the LOPD. As of May 31, 2007, there were 901,425 registered information databases, of which 842,859 were held by private entities, and 58,566 were held by public bodies or entities. In 2005, 387 penalization proceedings were commenced, compared with 148 in 2002. Preliminary investigations increased 60%, from 723 in 2002 to 1158 in 2005. Proceedings against public authorities increased threefold, from 13 in 2002 to 52 in 2005. During 2005 AEDP staff grew from 89 to 98. Additionally, in 2006: 556 defense of citizens' rights procedures (procedimientos de tutela de derechos) were defended. ). Also in 2006, the AEDP conducted 306 infringement procedures against the private sector, and 106 against the public sector. In comparison, in 2005 there were 579 defenses of citizens rights procedures, 274 infringement procedures against the private sector and 52 against the public sector. The AEPD also investigated a number of "spam" cases in 2006, initiating 14 investigations, as compared to 11 in 2005.
In the 2004 opinion on "The Qualification of the IP Address as Personal Data," the AEPD ruled that IP addresses can be considered "personal data" and therefore, that every data controller that processes such information has to comply with the LOPD requirements. Failure to comply may subject the violator to fines of up to EUR 300,000 (~USD 366,000).
Also in December 2004, 12 persons from different social movements in the region of Catalunya filed a complaint in the AEPD as a result of the alleged inclusion of their personal data and photographs in an illegal database of a "political" nature held by the National Police force's Brigada Provincial de Información (Provincial Information Brigade). The plaintiffs have no criminal records, but are part of a group of 30 people whose photographs were shown to three persons accused of throwing molotov cocktails against the police station in Sants (a neighbourhood in Barcelona) on October 3, 2004, during their interrogation. This procedure would have been legal if the people whose photographs were shown had criminal records, and a further concern is that the photographs that were shown were not from their national ID cards (DNI), but had been taken during their participation in public activities. The plaintiffs claimed that Article 7.4 of the 1999 LOPD was contravened, as it forbids "databases created with the exclusive scope of storing personal data that reveals the ideology, trade union membership, religion, beliefs, racial or ethnic origin, or sexual habits." The police denied holding a database to identify people related to social movements, and that it only uses a database of citizens with judicial precedents, although it also admitted using a database for investigations, which operates under the control of the data protection authority.
In January 2005, the AEPD decided that, in the interest of transparency and to promote public knowledge of its decisions, it would publish all of its resolutions on its website within a month from the day after the persons concerned had been informed of a decision. The only exception would be with regard to the registration of databases in its record of authorised information databases.
Two issues on which the AEPD has been particularly active in 2004 and 2005 is the combating of "spam," and the encouragement of small- and medium-size businesses (pequeñas y medianas empresas – PYMES) to register their databases in the RGPD. Although registry of information databases is compulsory, only 10 percent of PYMES that are active on the Spanish territory are complying with the law. With regard to "spam," the AEPD announced the signing of a Memorandum of Understanding on February 23, 2005 with the US Federal Trade Commission. This memorandum is aimed at establishing an administrative cooperation between Spain and the United States in order to combat the problem of "spam." The AEPD also announced that almost a hundred investigations have been launched in relation to this phenomenon, and these investigations have given rise to 14 legal actions for breaches of data protection rules, of which six have been resolved. Of these six resolved cases, two were classified as "serious breaches," two as "minor breaches," and in the remaining two, proceedings were discontinued. In general, however, fines of up to EUR 30,000 (~USD 36,600) are applicable for breaches of anti-spam regulations.
In December 2006, the AEPD published a new regulation on videosurveillance. Images obtained from cameras located in public places are to be considered personal data, and the files containing both images and data derived from it are to be protected. Cameras will only be used when other, proportionate means of surveillance are not easily available; a distinctive label must be placed in a visible place; and the derived data will be erased after one month. This regulation includes recording, transmission, conservation and storage, including real-time reproduction and broadcasting. Personal recording for home use, and image use by law enforcement agencies are exempted.
Under the criminal code, interception of electronic communications requires a court order. There have been several scandals in Spain over illegal wiretapping by the intelligence services. In 1995, Deputy Prime Minister Narcis Serra, Defense Minister Julian Garcia Vargas, and military intelligence chief Gen. Emilio Alonso Manglano were forced to quit following revelations that they had monitored the conversations of hundreds of people, including King Juan Carlos. More recently, Juan Alberto Perote, the former head of operations of the Centro Superior de Información de la Defensa (CESID, the Spanish secret service, which was part of the armed forces until it was replaced by the CNI in 2002), was found guilty on April 12, 2005, and sentenced to four months in prison. In the first trial in 1999, Manglano and Perote both received sixth-month sentences and five CESID officers were sentenced to six months, although the Constitutional Tribunal annulled this ruling on March 29, 2004 after it deemed that the judge who heard the case was not impartial. Charges brought against Emilio Alonso Manglano and the five CESID officers by private individuals and groups placed under surveillance were dropped. Perote criticised the decision against him, claiming that his director, Manglano, and members of the Socialist Party government of the time knew about "this activity," which was carried out between 1983 and 1991.
An exclusionary rule applies to evidence collected by means of illegal wiretaps or bugs, and in November of 2000, the Barcelona High Court (Audiencia de Barcelona) threw out a case because the evidence was so tainted. In May of 2001, prosecutors asked for 12-year sentences for each of two detectives accused of placing illegal wiretaps. In December 2004, the Supreme Court claimed that "the approval of an adequate regulation for telephone interceptions" cannot be postponed, after acquitting two suspected drug traffickers because telephone interceptions used to sentence them in the Audiencia Nacional were deemed to be irregular. The Court added that Spain has already been condemned by the European Court of Human Rights for failing to specify the nature of offenses that can give rise to these interceptions and to fix a time limit for them.
In early 2004, the National Police Corps (Cuerpo Nacional de Policía) and the Civil Guard (Guardia Civil) reportedly started using a new software program, SINTEL, that enables them to directly tap into telephonic communications without the need to get prior court authorization. SINTEL, which was designed by an October 2001 secret agreement, works in real time. In addition to recording the content of the communication, the software also provides the identity of both callers and the place from which they are calling.
The 2003 General Telecommunications Act (LGT) guaranteed the right of individuals to use strong cryptography but also contained a provision – Article 36 -- allowing for a key recovery system. Previous versions of this provision were strongly opposed by civil liberties advocates. The new Article 36 does not change much from the former Article 52 which compelled the notification of the algorithms used, but still remains ambiguous with regard to any reference to the creation of a key escrow system.
The terrorist attack on a Madrid commuter line on March 11, 2004 was followed by announcements of a raft of measures to be introduced with regards to the problem of Islamist terrorism, most notably those of placing "radical" imams and former mujahedins (Muslims who fought in Afghanistan or the Balkans) under surveillance, and of establishing databases in order to establish their numbers.
The draft National Defence Law, published on March 31, 2005, seeks to expand the scope of activities by the National Intelligence Centre (Centro Nacional de Inteligencia, or CNI), by directing it to "contribute . . . in obtaining, evaluating and interpreting the necessary information to prevent and avoid any risk or threat that affects the independence and integrity of Spain, national interests and the stability of the State of law and its institutions" (Article 26). The Law was finalized on November 17, 2005. The words "risk or threat" alter the wording of the decree that established the CNI, which envisaged its scope as preventing and avoiding "danger, threat or aggression against," which cannot be interpreted as widely. Experts cited in El País newspaper suggested that "risk that affects the integrity of Spain" is so ambiguous as to be liable to be interpreted as giving the intelligence service a role in countering political proposals such as the so-called Plan Ibarretxe, proposed by the lehendakari (head of the Basque government) to change the status of the Basque autonomous region.
Additionally, there are two new laws related to the fight against terrorism. These two laws are written to complement each other and directly impact the field of data protection by creating new databases in public ownership. The first law aims at preventing and freezing terrorism funding. It sets up the Commission for Monitoring the Funding of Terrorist Activities. This institution has the authority to freeze funds, bank accounts, and other financial assets belonging to entities or persons linked to terrorist activities. It develops its findings within the administrative sphere and collaborates with the judiciary to transmit its conclusions to the judge in criminal trials. The law establishes the obligations of financial entities (e.g., banks, credit entities, exchange bureaus) and all subjects referred to in the law against money laundering (Law 19/2003, described below) to collaborate in providing all the information required (including personal data) in relation to frozen funds. This law also provides that, with regard to the provisions of the LOPD, the files created by the Monitoring Commission will be considered files in public ownership, and therefore exempt with regard to the rights of access, rectification, and cancellation.
The second regulation is Law 19/2003 regulating the movement of money and international transactions and enacted in July 2003. This law works to prevent money laundering and is closely linked with the law regarding the funding of terrorist activities. It was approved as a modification to the law of 1993 preventing money laundering. The new rule also incorporates into national legislation, Directive 2001/97 on the prevention of money laundering.
This law applies not only to terrorist crimes, illegal drug trafficking, and organized crime (current situation) but also to all other serious crimes (punishable with more than three years in prison) and related money-laundering activities. The law also imposes new obligations on subjects, such as auditors, external accountants (not only internal company accountants), and tax advisors. Notaries, lawyers and attorneys must also collaborate with full respect to professional secrecy and without prejudice to the constitutional right to defense.
On December 11, 2003, the Parliament enacted the Law on Digital Signatures. The legislation established an electronic identification card (DNI electrónico) that includes a certificate used to generate a digital signature. The card, to be fully rolled out by 2007, would allow individuals and businesses to digitally sign documents – and provide the same value as a regular handwritten signature. The government seeks to encourage the development of electronic commerce and promote consumer confidence in Internet-based transactions. The electronic ID card will include two elements: a chip with information relating to the citizen's identity and electronic signature, as well as biometric data (fingerprint and photograph). Privacy groups criticize the law because, as they assert, it would make the card compulsory for all and would create a huge database of citizens' personal data that would be subject to serious security risks. They have urged that the project be revised to ensure the full protection of Spanish citizens' privacy. In mid-February 2006, the Ministry of Interior announced that root keys were generated. The first e-DNI was issued on March 16, and after a trial testing period e-DNIs were routinely being issued. By mid-December, the number of e-DNI issued raised to 120,000.
The Commission on Liberties and Information Technology (Comisión Libertades e Informática, or CLI) complained about the lack of debate with regards to the introduction of the planned electronic ID card, warning that measures that are to be introduced may contravene fundamental rights, such as the rights to privacy and to the protection of personal data. It also stressed that it will be important for adequate security measures to be adopted in relation to the introduction of this identification document, as it may contain elements that will make it possible to access sensitive personal information about cardholders, such as race and religious affiliation in the case of photographs. The CLI has also warned about the possibility that DNA details be included, and that it would be illegal for it to include medical information (or to turn the ID card into a multipurpose document required to have access to health services), as was suggested in February 2004, by the former Minister of Public Administration, Julia García Valdecasas.
Since August 2006, all passports issued by Spain are electronic passports that contain an RFID tag. Holding an e-passport is compulsory for citizens from countries that belong to the Visa Waiver Program (all countries belonging to the European Economic Area plus Switzerland, Iceland, Norway, New Zealand, Australia and Brunei) for traveling to the United States and therefore all comply with the same technical specification. The private watchdog CLI and other groups have expressed concerns about the adoption of RFID technologies in passports, noting that RFID-enabled passports have been hacked in some countries.
On June 29, 2006, the AEDP opened an investigation into the SWIFT case. SWIFT, the Society for Worldwide Interbank Financial Telecommunication, handles financial wire transfers for banks throughout the world. The AEDP investigation follows a complaint from Privacy International. SWIFT had been covertly disclosing financial data to U.S. authorities. Privacy International complained that this disclosure fell within the scope of the Spanish Data Protection Law, and that SWIFT handled over 45 million Spanish financial messages for over 140 Spanish banks and institutions. The AEDP later joined other European data protection Agencies in approving an Article 29 Working Group Opinion on the SWIFT matter. The opinion concluded that SWIFT and European Financial institutions had failed to respect the provisions of EU Data Protection Directive 94/46/EC.
Spain is preparing to implement the European Directive on Data Retention. The Directive is the framework for member states of the European Union to pass relevant legislation that would ensure a number of measures regarding data retention for telephone and Internet traffic data, for a period between 6 and 24 months. Internet and civil liberties organizations posed a strong reaction to the Directive and all of them fully endorsed the European-wide campaign "Data Retention is no solution," including the Spanish section of Computer Professionals for Social Responsibility, CPSR-ES; however, Spain has been creating legislation to comply with the European Directive since then. One draft bill was approved by the Justice Commission of the Spanish Parliament in May 2007. It provides that the retention period in Spain will be 12 months; this law also will ban the anonymity of prepaid card mobile phone users.
Spain is a member of the Council of Europe (CoE) and has signed and ratified the Convention for the Protection of Individuals with Regard to Automatic Processing of Personal Data (Convention No. 108). It has signed and ratified the European Convention for the Protection of Human Rights and Fundamental Freedoms. In November 2001, Spain signed the CoE Convention on Cybercrime. It is a member of the Organization for Economic Cooperation and Development (OECD) and has adopted the OECD Guidelines on the Protection of Privacy and Transborder Flows of Personal Data.
 Constitution of Spain, as amended August 1992, available at <http://www.constitucion.es/constitucion/lenguas/ingles.html>.
See Organic Law 5/1992 of October 29,
1992 Regulating the Automated Processing of Personal Data), Ley Orgánica
5/1992 de 29 de Octubre 1992, de Regulación del Tratamiento Automatizado
de los Datos de Caracter Personal (LORTAD), enacted on January 14, 2000,
see also Organic Law 15/1999 of
December 13, 1999 on the Protection of Personal Data (LOPD), (Ley
Orgánica 15/99 de 13 de Diciembre 1999 de Protección de Datos de
Carácter Personal (LOPD), available at
 See Royal Decree No. 994/1999 of June 11, which approves the regulation on mandatory security measures for the computer files which contain personal data (Real Decreto 994/1999, del 11 de junio, por el que se aprueba el Reglamento de medidas de seguridad de los ficheros automatizados que contengan datos de carácter personal), available at <http://noticias.juridicas.com/base_datos/Admin/rd994-1999.html>.
See Spanish Data Protection Authority
see also <https://www.agpd.es> (in
 Judgements Nos. 290/2000 <http://www.tribunalconstitucional.es/jurisprudencia/Stc2000/STC2000-290.html>, 292/2000 <http://www.tribunalconstitucional.es/jurisprudencia/Stc2000/STC2000-292.html>, and 202/1999 <http://www.boe.es/g/es/bases_datos_tc/doc.php?coleccion=tc&id=SENTENCIA-1999-0202> respectively
 Judgement No. 292/2000, supra.
Estadísticas Mensuales Registro General de Protección de Datos,
May 2007 <https://www.agpd.es/upload/Informa%20AEPD/est200705.pdf>.
 AEDP, 2005 Annual Report Summary 18, <http://www.agpd.es/upload/English_Resources/RESUMEN%20MEMORIA_2005.pdf>.
 Id. at 2.
 Email from Esperanza Zambrano Gómez, Spanish Data Protection Agency, to Guilherme Roschke, Skadden Fellow, Electronic Privacy Information Center, August 2, 2007 (on file with EPIC).
Española de Protección de Datos, "Carácter de dato personal
de la dirección IP," (Informe 327/03), available at
 Marta Escudero & Javier Maestre, "Como Consecuencia, Muchos Webmasters Deberán Registrar Sus Ficheros en la Agencia," July 5, 2004, available at <http://www.kriptopolis.com/more.php?id=201_0_1_0_M>.
 "12 activistas de Barcelona denuncian que la policía les incluye en un fichero ilegal," El País, December 30, 2004.
 Instrucción 1/2004, de 22 de diciembre, de la Agencia Española de Protección de Datos sobre la publicación de sus resolucioness <https://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Instruccion1-2004.pdf>.
 "Solo el
10% de las PYMES españolas cumple la Ley de Protección de Datos",
Atlántico, April 13, 2005.
 AEPD, press statement, February 23, 2005, available at <https://www.agpd.es/upload/Prensa/Nota%20eeuu.pdf>.
 Agencia Española de Protección De Dados, Instrucción 1/2006, de 8 de noviembre, de la Agencia Española de Protección de Dados, sobre el tratamiento de dados personales con fines de vigilancia a través de sistemas de cámaras o videocámaras, December 12 2006, <http://www.agpd.es/upload/Canal_Documentacion/legislacion/Estatal/Instruccion_1_2006_videovigilancia.pdf>, English version at <https://www.agpd.es/upload/English_Resources/Instruccion%20videovigilancia%20EN.pdf>.
Orgánica 10/1995, de 23 de noviembre, del Código Penal.
Penal Code, Sections 197-199.
 "Spain Socialists Seek Opposition Apology on Bugging," Reuters, February 6, 1996.
 "Perote, condenado a cuatro meses de arresto por las escuchas del Cesid," El País, April 13, 2005; and "Cuatro meses de prisón para Perote por las escuchas del Cesid," El País, April 4, 2005.
Communicaciones Audienceia Invalida Pruebas Obtenidas por "Pinchazo" Telefono,"
Spanish Newswire Services, November 23,
 "Pinchazos Telefonicos: Fiscalia Pide 24 Años Paragraph Detectives por Pinchar Telefonos," Spanish Newswire Service, May 7, 2001.
 "El Supremo cree inapalazable regular el control de telefonos." El País, December 13, 2004.
 "Policía y Guardia Civil Pueden Pinchar Los Teléfonos Informáticamente," February 19, 2004, available at <http://www.nodo50.org/tortuga/article.php3?id_article=204>.
32/2003, de 3 de noviembre, General de Telecomunicaciones.,
partial English translation at
 See Global Internet Liberty Campaign, "New Spanish Telecommunications Law Opens a Door to Mandatory Key Recovery Systems," July 1998, available at <http://www.gilc.org/crypto/spain/gilc-crypto-spain-798.html>.
 See "No al articulo 36 Restricciones a la Criptograpfía: La Nueva Ley General de Telecomunicaciones Impone la Obligación de Revelar las Claves de Cifrado," March 2003, available at <http://www.spain.cpsr.org/02042003.php>; Mercé Molist, "El Congreso no Aclara el Depósito del Cifrado en la Ley de Telecomunicaciones," El País, June 12, 2003.
 "Censo de ex muyahidines e imanes radicales," El País, May 30, 2004.
 Proyecto de Ley Orgánica de la defensa nacional 121/000031, Boletín Oficial de las Cortes Generales, March 31, 2005.
secret service agency.
 Ley Orgánica 5/2005, de 17 de noviembre, de la Defensa Nacional, available at <http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2005/18933>.
 "El borrador permite al servicio secreto investigar cualquier riesgo que afecte a la integridad de España," El País, March 18, 2005.
 Ley 12/2003, de 21 de mayo, de prevención y bloqueo de la financiación del terrorismo, (Law 12/2003 of May 21 on preventing and freezing terrorism funding), available at <http://www.boe.es/g/es/bases_datos/doc.php?coleccion=iberlex&id=2003/10289> (in Spanish); see also <http://www.igsap.map.es/cia/dispo/26927.htm>.
19/2003, de 4 julio, sobre régimen jurídico de los movimientos de
capitales y de las transacciones económicas con el exterior y sobre
determinadas medidas de prevención del blanqueo de capitales, available
 Directiva 2001/97/CE del Parlamento Europeo y del Consejo, de 4 de diciembre de 2001 sobre Blanqueo de capitales: prevención de la utilización del sistema financiero (European Parliament and Council Directive 2001/97/EC of December 4, 2001 related to Money laundering: Preventing use of the financial system), available at <http://europa.eu.int/scadplus/leg/es/lvb/l24016.htm>.
59/2003, de 19 de diciembre, de firma electrónica
 See generally <http://www.dnielectronico.es>.
 "La Ley de la Firma Electrónica entra en vigor," Redes and Telecoms, December 12, 2003, available at <http://www.redestelecom.com/Actualidad/Noticias/Comunicaciones/Legislaci%C3%B3n/20031212036>.
 "El DNI Electrónico se Tramitará en España el Próximo Año," El País, May 5, 2003.
 Dirección General de la Policía y de la Guardia Civil, El Ministro del Interior pone en marcha el sistema de certificación del nuevo DNI electrónico, February 16, 2006 <http://www.dnielectronico.es/oficina_prensa/noticias/noticia04.html>.
 Dirección General de la Policía y de la Guardia Civil, El Ministro del Interior entrega el primer ejemplar del nuevo DNI electrónico a una ciudadana de Burgos, March 16, 2006 <http://www.dnielectronico.es/oficina_prensa/noticias/noticia09.html>.
 Dirección General de Relaciones Informativas y Sociales, Comienza la expedición del nuevo DNI electrónico en trece ciudades españolas, July 5, 2006 <http://www.mir.es/DGRIS/Notas_Prensa/Policia/2006/np070504.html>.
 Dirección General de la Policía y de la Guardia Civil, La Policía Nacional alcanza los 120.000 DNI electrónicos en 31 ciudades españolas, May 12, 2006 <http://www.dnielectronico.es/oficina_prensa/noticias/noticia18.html>.
 "El DNI Electrónico no puede incluir datos personales ajenos a la identificación," IBLNEWS, October 4, 2004.
 "La CLI
advierte que el contenido del DNI Electrónico no puede incluir datos de
carácter personal," Asociación de Internautas, May 20, 2005,
available at <http://www.internautas.org/html/1/2934.html>.
 Comisión de Libertades e Informática press statement, February, 19, 2004.
 Home Office
(Ministerio de Interior), Información sobre Trámites / Pasaporte
/ Pasaporte electrónico
 Visa Waiver Program (VWP) <http://travel.state.gov/visa/temp/without/without_1990.html>.
 Asociación de Internautas, La CLI se opone a que se incrusten RFID en el futuro pasaporte electrónico y, posteriormente, en el DNI electrónico, March 7, 2006, <http://www.internautas.org/privacidad/html/3517.html>. Kriptopólis, Pasaporte hacia la inseguridad, November 19, 2006 <http://www.kriptopolis.org/pasaporte-hacia-la-inseguridad>.
 AEDP, La
Agencia Española De Protección de Datos investiga last
implicaciones del "caso SWIFT" en España, June 29, 2006
 See generally <http://www.swift.com/>.
 Simon Davies, Complaint: Transfer of personal data from SWIFT to the US government, June 27, 2006, <http://www.privacyinternational.org/issues/terrorism/swift/spain.pdf>.
 AEDP, Las Autoridaded Europeas de Protección de Datos apreuban una Opinión sobre el caso "SWIFT", November 28, 2006 <https://www.agpd.es/upload/Prensa/OPINI%D3N%20Swift_28_11_2006.pdf>.
 Article 29 Data Protection Working Party, Opinion 10/2006 on the processing of personal data by the Society for Worldwide Interbank Financial Telecommunication (SWIFT), November 22, 2006 <http://ec.europa.eu/justice_home/fsj/privacy/docs/wpdocs/2006/wp128_en.pdf>.
2006/24/EC of the European Parliament and of the Council of 15 March 2006 on the
retention of data generated or processed in connection with the provision of
publicly available electronic communications services or of public
communications networks and amending Directive 2002/58/EC
 “Data Retention is no Solution,” <http://www.dataretentionisnosolution.com>.
 See CPSR-ES, ¿Cómo te afecta la retención de datos? September 27, 2005 <http://wiki.dataretentionisnosolution.com/index.php/Texto_cpsr_es>.
 Informe de la Ponencia 121/000128 Conservación de los datos relativos a las Comunicaciones Electrónicas y a las Redes Públicas de Comunicaciones <http://estaticos.elmundo.es/documentos/2007/05/31/conservacion_datos.pdf>. Pablo Romero, Vuelve al proyecto de ley la identificación de todos los usuarios de móviles prepago, El Mundo, May 31, 2007 <http://www.elmundo.es/navegante/2007/05/31/tecnologia/1180600696.html>.
January 28, 1982; ratified April 31, 1984; entered into force October 1,
 Signed November 24, 1977; ratified October 4, 1979; entered into force October 4, 1979.
 Signed November 23, 2001.