Personal data protection is regulated by the 15/1999 Act on Personal Data Protection and the 1720/2007 Royal Decree which develops the Act. Both were partially amended by the 2/2011 Act on a Sustainable Economy and, more recently, by the 5/2018 Royal Decree Law of urgent measures for the adaptation of the Spanish law to the European Union’s legislation on data protection (to abide by the decision of May 13th, 2014 by the European Union Court on the so-called “right to be forgotten”).
The Spanish Data Protection Agency was created in 1993 to guarantee citizens the right to know who may have access to their personal data and for what purpose and to provide a platform for exercising the rights of access, alteration, cancellation and opposition.
The regional data protection agencies for Madrid, Catalonia and the Basque Country were created in 1997, 2002 and 2003 respectively, and institutional collaboration now takes place between the General Data Protection Register of the Agency and the regional registers. Regulations concerning data protection have a clear impact on the way cultural services (libraries, museums, theatres, etc.) market themselves to potential users / audiences through the type of data requested for membership or information about activities, etc.
In the opposite sense, in 2013 the Act of transparency, access to public information and good government recognised and guaranteed the access to public information. In 2014, the Spanish government launched a transparency website.