Spanish Supreme Court Expands GDPR Compliance to Data Request Stage

Sources: Lex Blog

Spain's Supreme Court ruled GDPR applies when personal data is requested, not just received.

Why it matters: U.S. companies handling EU personal data must reassess privacy compliance strategies to cover data requests, not only receipt, in cross-border operations.

  • Spanish Supreme Court judgment No. 390/2026 expands GDPR obligations to data requests.
  • GDPR compliance is triggered before data is received, at the point of request.
  • The case overturned a previous ruling that compliance begins only on data collection.
  • Emphasis placed on data minimization under Article 5.1(c) and protection by design (Article 25).

The Spanish Supreme Court's Judgment No. 390/2026 marks a significant expansion of GDPR compliance: organizations must now meet GDPR obligations from the moment they decide to request personal data—well before any information is received.

  • The March 26, 2026 decision arose from a prison employee case. The employee refused to supply medical certificates detailing diagnosis and treatment as requested by the employer, triggering a salary deduction and subsequent litigation.
  • The Spanish Data Protection Agency (AEPD) sanctioned the General Secretariat of Penitentiary Institutions for violating GDPR principles by unjustifiably seeking sensitive health data.
  • A prior National High Court ruling had stated GDPR did not apply since no data was collected, but the Supreme Court reversed this, establishing that requesting personal data is itself processing under GDPR.
  • The Court stressed the importance of the data minimization principle (Article 5.1(c)), and noted that obligations for "protection by design and by default" (Article 25) arise as soon as a data request is formulated.

"The obligations of the data controller do not arise with the receipt of the data, but earlier, at the moment when it is decided what data will be requested, for what purpose, and by what means," the Court held.

This broader interpretation of "processing" signals a need for organizations—including U.S. companies with cross-border data flows—to reassess privacy compliance and integrate GDPR principles (such as data minimization and privacy by design) at the earliest stages of the data lifecycle.

By the numbers:

  • March 26, 2026 — Date of Supreme Court ruling (Judgment No. 390/2026)
  • Article 5.1(c) — GDPR's core data minimization requirement
  • Article 25 — Mandates protection by design and by default

Yes, but: Contrary to opinions from some data regulators, the Spanish ruling diverges from established CJEU doctrine, generating uncertainty for pan-EU compliance interpretations.