Data Privacy Compliance in the Cloud
Made Easy

Understand Cloud and Data Protection Law in only 4 easy steps. Plus highly relevant legal information for 33 countries. Provided by EuroCloud and 53 European lawyers.

The Spanish DPA published a report on the processing of personal data related to political opinions by political parties


The Spanish DPA published a recent report on the processing by political parties of personal data related to political opinions.

This report will be valid until the Constitutional Court makes a decision on the unconstitutionality appeal filed by the Spanish ombudsman on this new provision, as it brought a lot of controversy in the public opinion.

The Spanish DPA has published the said report in which it analyzes the processing of personal data in relation to the third final provision of the Organic Law 3/2018 on the Protection of Person-al Data and the guarantee of digital rights (LOPDGDD), which modifies the law on elections, LOREG, adding article 58 bis. 

The new article 58 bis of the LOREG states that:

  1. "The collection of personal data related to the political opinions of the persons carried out by political parties in the framework of their electoral activities will be protected in the public interest only when adequate guarantees are offered.
  2. Political parties, coalitions and constituencies may use personal data obtained in web pages and other sources of public access to carry out political activities during the electoral period.
  3. The sending of electoral advertisements by electronic means or messaging systems and the hir-ing of electoral propaganda in social networks or equivalent means will not be considered as activ-ity or commercial communication.
  4. The aforementioned informative activities will clearly identify their electoral nature.
  5. The recipient shall be provided with a simple and free way of exercising the right to object.” 

The AEPD considers that the modification of the LOREG, which deals with the processing of data related to political opinions by the political parties and the like, must be subject to a restrictive in-terpretation, firstly, because it is an exception to the general rule contained in the article 9 of the General Data Protection Regulation (GDPR) and 9.1 of the LOPDGDD, which prohibit the pro-cessing of special categories of personal data -including political opinions-. 

Furthermore, because article 58 bis must be interpreted in accordance with the provisions of the Spanish Constitution, so that it does not violate fundamental rights such as data protection, the right to ideological freedom, freedom of expression and information or the right to political partici-pation.

The report states that political parties, federations, coalitions and constituencies can only process political opinions when they have been freely expressed by people in the exercise of their right to freedom of expression and their ideological freedom. This article does not entitle parties to apply big data or artificial intelligence technologies to infer a person's political ideology, since this would imply a violation of their fundamental right not to declare their ideology. 

In any case, these processing must also comply with all the principles set forth in article 5 of the GDPR: legality, loyalty and transparency; limitation of purpose; data minimization; accuracy; limita-tion of conservation period; integrity and confidentiality and accountability. 

Regarding the sending of electoral advertising by electronic means or messaging systems and the hiring of electoral advertising in social media or equivalent media (article 58 bis LOREG), the data that will be used for the sending of electoral advertising (numbers telephone, email, etc.) must have been obtained lawfully, covered by any of the legal bases of Article 6 of the GDPR. In any case, in the shipments that are carried out, it must be clearly stated its electoral nature as well as the subject’s right to object.


Article provided by: Belén Arribas (Andersen Tax & Legal,


Discover more about the Cloud Privacy Check(CPC) / Data Privacy Compliance(DPC) project

Director CPC project: Dr. Tobias Hö



53 lawyers from 33 countries are contributing to the project “Cloud Privacy Check (CPC)” in 26 different languages.

Understanding the complexity of current European data protection laws and regulations is already difficult enough for an IT engineer, buyer, or business user. In combination with the often small but nevertheless significant differences between various EU member states, however, it can become an almost insurmountable challenge without proper juristic accompaniment from the very start... Read More



The CPC is a trusted, not-for-profit international network of qualified professionals who deliver simplified and straight-forward guidance to help navigate the legal and regulatory environment relating to privacy and the cloud. This is done through collective know-how, research and market analysis gained from pan-European industry activity, collaboration and experience. Our mission is to provide authoritative views, information and practical solutions to two principal stakeholders: industry professionals and public authorities.