Spain

Return to id map

Contributor: Jose Arraiza

Organization: Independent researcher

Last update:

Chapeau

Spain has a long history of implementing regulations and laws surrounding digital ID. These laws and regulations are through various levels as high as the EU and on a national level. Since the 1990s, National ID cards have evolved through the years to incorporate digital elements alongside various ways for digital authentication and identification. Some of the programs implemented are Cl@ve, references numbers, EID and TOKEN. Spain is bound by EU law on data protection and more generally, by EU and Council of Europe standards of human rights in relation to identification and digital governance. While Spain has not had much controversy surrounding its methods of digital ID in comparison to other countries such as Kenya, India or Uganda, there is still room for the data services to improve. For example, there should be further development on accessibility to the elderly, economically disadvantaged and linkages with the private sector.

1.1. Which are the specific laws creating and regulating Digital ID and what is their hierarchy (constitutional, organic laws, regional/sub-state laws, regulations, procedures)?

Under EU Law, there is the regulation on electronic identification and trust services for electronic transactions in the internal market and repealing directive.^[1] This is commonly known as eIDAS.^[2] The regulation creates the framework for a system of identification, authentication and trust services meant for all stakeholders operating in the European Union. The EU states: “[t]he eIDAS Regulation introduces one single framework for eID and trust services making it more straightforward to deliver business services across the EU. It promotes interoperability across the 28 EU countries, ensuring that countries mutually recognise each others’ electronic identification and trust services across borders.”^[3]
There is also some national legislation that has been passed. There is the Organic Law 15/1999, a law that protects personal data. ^[4]
There is also the Protection of Personal Data and Guarantee of Digital Rights that states personal data protection is a fundamental right to people through the Spanish Constitution.^[5]
There have been several other laws passed, such as the Organic Law on Protection of Personal Data and Guarantee of Digital Rights, an Organic Law on Public Safety and Security, law on trusted Electronic Services and several Royal decrees that modified different laws or regulate the issuance of national identity cards and electronic signature certificates.
Spain, on a strategic policy level, developed a plan called the “National Plan for the Digitalisation of the Public Administration, 2021-2025, Strategy on Digital Administration and Digital Public Services.” This plan hopes to “develop and implement a new digital identity model that allows for 100 percent telematic and secure digital accreditation.”^[6] It also hopes to help “evolve and promote the Spanish eIDAS node” and “adapt existing identification mechanisms to the European context and facilitate their reuse and interoperability by all Spanish public administrations.” ^[7]

^[1]Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC, https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=uriserv:OJ.L_.2014.257.01.0073.01.ENG.

^[2] Evidos, The eIDAS Regulation Explained: All Businesses Need to Know, Apr. 30, 2022, (https://www.evidos.com/e-signature/eidas-regulation#What_is_the_eIDAS_Regulation_and_What_Does_it_Mean).

^[3] Id.

^[4] https://boe.es/buscar/doc.php?id=BOE-A-1999-23750

^[5] https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673

^[6] Financiado por la Union Europea, New digital identity model, https://espanadigital.gob.es/en/lines-action/new-digital-identity-model.

^[7] Id.

1.2. What is the definition of Digital Identity brought by the Law or regulation, if any?

As of now, there are four models of digital identification and authorization in Spain. There is Cl@ve, which is a method of identification that is used to identify physical persons which allow for a number of online transactions and procedures.^[1] Another method is reference numbers, which is a system for authentication and identification for physical persons where tax procedures and payment can be done.^[2] The third one is electronic ID and Certificate, also known as E-ID which allows for authentication and identification for various administrative procedures.^[3] Lastly, there is TOKEN, a temporary key that permits certain official transactions through a phone conversation with a public official.^[4]
^[1] Agencia Tributaria, Cl@ve Movil, https://sede.agenciatributaria.gob.es/Sede/clave.html.
^[2] Agencia Tributaria, Número de referencia, https://sede.agenciatributaria.gob.es/Sede/numero-referencia.html.
^[3] Agencia Tributaria, Certificado y DNI electrónico, https://sede.agenciatributaria.gob.es/Sede/certificado-dni-electronico.html.
^[4] Agencia Tributaria, TOKEN, https://sede.agenciatributaria.gob.es/Sede/identificacion-digital/token.html.

1.3. Which are the corresponding Data Protection laws, if existing?

One of the main sources is EU law, through the General Data Protection Regulation, which aims to protect the personal information and data of people and the movement of said data.^[1] Under national law, there is the Organic Law 3/2018 of December 5 on Protection of Personal Data and Guarantee of Digital Rights, which recognizes a wide net of rights such as the Right to Internet Neutrality, universal access to the internet, digital education and protection of children on the internet.^[2]

^[1] https://gdpr-info.eu/

^[2] https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673; https://ecija.com/en/sala-de-prensa/organic-law-3-2018-of-december-5-protection-of-personal-data-and-guarantee-of-digital-rights/

1.4. What are the main elements of the Digital ID framework (scope, eligibility criteria, remedies)?

All citizens and legal residents are entitled to use the four forms of identification Cl@ve, reference numbers, TOKEN and E-ID

1.5. Are there specific complaint mechanisms foreseen in the Digital ID and Data Protection laws?

The Agencia Española de Protección de Datos is the agency in charge of ensuring the implementation of data protection legislation and whatever elements of the GDPR that are within Spain’s jurisdiction. [refer back to question 1.3 for GDPR]Those who wish to make a complaint can easily access it online and can also call the number for the complaint hotline.
All data within the Spanish jurisdiction have unalienable rights guaranteed that include: Right to access the data subject’s own personal data: As per Spain’s data protection law, all data subjects have the right to access their own personal data collected on them by the data handlers. In case the identity of the data handler is unknown, the data subject can request General Data Protection Register to know everything they can to know about their personal data, the purpose of its collection, and the identity of the data handler.
Right to rectify/correct the data subject’s own personal data: All data subjects have the right to request rectification or correction of any data collected on them due to incomplete, incorrect, or outdated information.
Right to erasure of personal data: All the data subjects have the right to request erasure and permanent deletion of any data collected on them by the data handler. The collected data can only be maintained solely at the disposal of the public administrations, judges, and courts to determine any liability arising from the processing. The data is to be deleted after the expiration of such liability.
Right to damages: All the data subjects have the right to claim compensation in lieu of damages incurred due to processing activities carried out by the data handler. The claim will be heard in civil court.”^[1]

^[1] https://securiti.ai/spain-data-protection-law/

1.6. Was public participation ensured when these were drafted and enacted? How?

The laws discussed above follow the regular legislative process.

1.7. Was there a Human Rights Impact Assessment prior to the enactment of the laws?

There was no Human Rights Impact Assessment reported.

1.8. Does the country’s Digital ID framework reflect any particular digital ID model existing elsewhere (e.g., similar/comparable to X country)?

The model sought after is the eIDAS node, created by EU Law.

1.9. What is the interrelation of these Digital ID laws with existing nationality laws (does Digital ID reflect nationality status, is nationality an eligibility criterion or only legal residence)?)

National Identification Cards are provided to citizens only, while lawful foreign residents receive a Foreigner Identity Card.^[1]

^[1] Ministerio Del Interior, https://www.interior.gob.es/opencms/eu/servicios-al-ciudadano/tramites-y-gestiones/extranjeria/regimen-general/tarjeta-de-identidad-de-extranjero/ .

1.10. Court cases: Is there litigation going on? Has there been prior litigation? What are the specifics of those cases (list and summarize)?

There is no litigation reported.

1.11. How has Digital ID been rolled out?

The first National Identity Cards (cédulas de identidad o personales) date back to the early 19th Century. Their primary functions were tax collection and travel authorisations. The first real National ID came to live in 1951. The first form of “computerized” or digital ID appeared in 1990, including an OCR code. In 2006, a first ID with a digital chip was introduced. It was supposed to allow for digital administrative transactions through a special reader. It was not very successful and lasted only until 2015. The latest version of Digital ID came through in 2015. It incorporated a “dual interface chip” which permits connection with telematic services through a card reader, as well as the NFC technology of smartphones and tablets. It has the same data structure as a passport and can be used in rapid border crossing posts within the EU.
*A graphic evolution IDs is included in the original report. I do not know if you would like that to be transferred over here.

1.12. Has there been any special measures to ensure access for vulnerable and isolated communities (e.g., for PwD, minorities, elderly) such as mobile offices or free legal aid? Are those measures provided for in law?

ID services are accessible in every National Police station. There are policies in place for access to PwD.^[1] The accessibility for Cl@ve, digital certificate depends on the accessibility options given by personal computers.

^[1] Sede Electrónica Real Casa de la Moneda, Fábrica Nacional de Moneda y Timbre, https://www.sede.fnmt.gob.es/registro-inicio/preguntas-frecuentes/-/asset_publisher/DKnDigPrgk4U/content/1715-emision-de-certificados-de-firma-electronica-a-personas-con-discapacidad.

Tagged map