Defining regulatory principles


2.1.1 Civil and Commercial Codes

Electronic contracts are fully subject to the rules established by the Spanish Civil Code on obligations and contracts and by the Commercial Code.

Electronic contracts are also subject to EC Regulation 593/2008, of June 17, 2008, on the law applicable to contractual obligations (Rome I) which will apply to contractual obligations in the civil and commercial area in situations involving a conflict of laws.

2.1.2 Distance sales

1. Equally applicable to electronic sales are the rules related to distance sales and other related relevant rules:Regarding commercial operations in which the buyer is an undertaking or a business man, the Act 7/1996 ordering the Retail Trade should be taken into consideration, in particular the Chapter regarding Distance Sales, which makes a specific referral to Title III of Book II of the Legislative Royal Decree 1/2007, of 16th of November, approved the Revised General Consumer and User Protection Law and other supplementary laws.

2. Whenever e-commerce activities are targeted at consumers, it is necessary to comply with consumer protection legislation, regulated in the mentioned Legislative Royal Decree 1/2007, of November 16, 2007.

This Law defines “distance sales” as sales concluded without the simultaneous physical presence of the buyer and the seller, where the seller’s offer and the buyer’s acceptance are conveyed exclusively by a means of distance communication of any nature and within a distance contract system organized by the seller.

This Law establishes that distance sale offers (either to consumers or to undertakings) must contain at least the following:

  • The seller’s identity.
  • The special features of the product, the price, and the shipping expenses and, if applicable, the cost of using the distance communication technique if it is calculated on a basis other than the basic rate basis.
  • The payment method, and form of delivery or types of fulfillment of orders.
  • The period for which the offer remains valid and, if applicable, the minimum term of the contract.
  • The existence of a right to withdraw or terminate the contract and, if applicable, the circumstances and conditions in which the seller could supply a product of equivalent price and quality.
  • The out-of-court dispute resolution procedure, if applicable, in which the seller participates.
  • Remainder of the existence of a legal guarantee depending on the type of goods or services.
  • Information of the cases in which the Seller shall take the costs of returning the goods.

This Royal Decree sets out, among other matters affecting the consumers, the rules governing unfair conditions of contracts concluded with consumers, and the right to withdraw that consumers have in distance sales (fourteen calendar days).

3. It should also be noted that Law 22/2007, of July 11, 2007, on the distance marketing of consumer financial services, shall also be taken into consideration when dealing with consumers in the financial sector. The Law specifically regulates the protection granted by the general law to the users of remote financial services by establishing, among others, the generic requirement to provide the consumer with precise and exhaustive information on the financial contract prior to its signature and by granting the consumer a specific right to withdraw from the distance contract previously concluded.

4. In making the contract, there is an intention to incorporate predisposed clauses into a plurality of contracts, regard must be had to Standard Contract Terms Law 7/1998.

5. If the activity carried out is related to the sale of consumer goods, the aforementioned Legislative Royal Decree must be taken into consideration regarding the warranties on consumer, because it establishes the measures aimed at ensuring a minimum uniform standard of consumer protection. The Royal Decree establishes a free 2-year warranty for consumers on all consumer goods and offers consumers a range of possible remedies when the goods acquired are not in keeping with the terms of the contract, enabling consumers to demand their repair or substitution.

2.1.3 Other applicable regulations

1. In accordance with Law 56/2007, enterprises that provide services of special economic significance to the general public and that are of a certain size are required to provide their users with an electronic means of communication which, through the use of qualified electronic signature certificates, enables them to perform at least the following steps: (a) conclude contracts electronically and amend and terminate them; (b) consult their customer data (including a record of billing covering at least the past 3 years) and the concluded contract, with its general conditions; (c) submit complaints, incidents, suggestions and claims (while guaranteeing a record of their submission and direct personal assistance); and (d) exercise the rights of access, rectification, cancellation and objection (known as “ARCO” rights) provided for in the data protection legislation.

This requirement applies to enterprises providing services of special economic significance to the general public provided that they employ more than 100 workers or have an annual turnover (according to the VAT legislation) of more than €6,010,121.04. The enterprises that Law 56/2007 includes in this category are those operating in the following industries: (I) electronic communications services to consumers; (II) financial services aimed at consumers (banking, credit or payment, investment services, private insurance, pension plans and insurance brokerage); (III) supplying water to consumers; (IV) supplying retail gas; (V) supplying electricity to final consumers; (VI) travel agencies; (VII) carriage of travelers by road, railway, by sea, or by air; and (VIII) retail trade (although for these last-mentioned ones, the electronic means of communication need only enable what is set out in letters (c) and (d) above).

2. Due to their particular importance in electronic commerce, it is worth noting some legal provisions concerning payment services:

  1. Payment Services Law 16/2009, of November 13, 2009, which mainly affects the payment transactions that are most commonly used in an electronic commerce environment: transfers, direct debiting and cards, establishing as a general rule that the payer and the payee of the transaction must each bear the charges levied by their respective payment services providers. In any event, in the case of transactions with consumers, the specific legislation (Legislative Royal Decree 1/2007) prohibits the trader from charging the consumer fees for the use of payment methods that exceed the cost borne by the trader for the use of such payment methods. 

    Lastly, both the Payment Services Law and the consumer protection legislation envisage for distance contracts that, where the amount of the purchase or of a service has been charged fraudulently or incorrectly using the number of a payment card, the consumer may request the immediate cancellation of the charge.

  2. The legislation on interchange fees has been introduced by Royal Decree-Law 8/2014, of July 4 and Law 18/2014, of October,15. This legislation establishes a system of caps on interchange fees in transactions with credit or debit cards in Spain (applying them to POS terminals located in Spain), regardless of the trade channel used (that is, including physical and virtual POS terminals), provided that they require the involvement of payment services providers established in Spain.

    The caps applicable on or after September 1, 2014 are as follows:

    1. Debit cards: the interchange fee per transaction may not exceed 0.2% of the value of the transaction, subject to a cap of 7 euro cents. But if the amount does not exceed twenty euros, the interchange fee may not exceed 0.1% of the value of the transaction.

    2. Credit cards: the interchange fee per transaction may not exceed 0.3% of the value of the transaction. But if the amount does not exceed twenty euros, the interchange fee may not exceed 0.2% of the value of the transaction.

  1. These caps do not affect transactions performed with company cards or withdrawals of cash from automatic teller machines. In addition, three-party payment card systems are excluded from the application of these caps, except for certain cases identified by the legislation.

  1. The Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC has not been transposed in Spain, but it is of direct application from January 13th 2018. It regulates, the payment initiation services and the account information services.

3. Lastly, worthy of note is Law 29/2009, of December 30, 2009, modifying the legal regime governing unfair competition and advertising in order to enhance consumer and user protection. Special mention should be made of the unfair practice status to be granted to the making of unwanted and reiterated proposals by telephone, fax, e-mail and other means of long-distance communication, unless such proposals are legally justified for the purpose of complying with a contractual obligation. Moreover, when issuing such communications, traders and professionals must use systems that enable consumers to place on record their opposition to continuing to receive commercial proposals from such traders or professionals. Thus, when making such proposals by telephone, calls must be made from an identifiable number.

2.2 Electronic invoicing

Article 88.2 of Value Added Tax Law 37/1992 states that VAT shall be charged through the invoice, on the conditions and with the requirements determined by regulations. A clear indication that the new invoicing regulations approved by Royal Decree 1619/2012, of November 30, 2012, aim to promote electronic invoicing is that they establish the same treatment for electronic invoices as for paper invoices. A new definition is provided for electronic invoice, i.e., an invoice that meets the requirements established in the Royal Decree but which has been issued and received on electronic format.

Therefore, this equal treatment for paper and electronic invoices broadens the possibilities for the supplier to be able to issue invoices electronically without needing to use specific technology to do so.

Moreover, Order EHA/962/20071 issued by the Ministry of Finance establishes and further develops particular obligations regarding telematic invoicing. That Order clarifies that any Advanced Electronic Signature based on a certain certificate and generated through safe signing procedures will be valid in order to guarantee the authenticity and origin of the bill. The Order also clarifies the legal requirements that electronic invoices issued abroad must meet in order to be validly accepted in Spain.

Since January 15, 2015, there has been an obligation in Spain (by application of Law 25/2013, of December 27, 2013, on the promotion of electronic billing and the creation of a public sector accounting register of invoices) to issue invoices in electronic format that affects enterprises operating in certain industries (according to a list included in the law) and providing services “of special economic significance” to the general public.

This obligation to issue electronic invoices applies regardless of the contracting channel used (face-to-face or distance, electronic or non-electronic), provided that the customer agrees to receive them or has expressly requested them. However, travel agencies, carriage services and retail trade businesses are only required to issue electronic invoices where the contracting has taken place by electronic means.

In any event, it is the recipient of the invoices who has the power to give his or consent to the issuance and sending of invoices in electronic format and to revoke such consent in order to receive them on paper again. In the absence of consent, the trader should issue and send the invoices on paper.

2.3 Electronic signature

The Electronic Signature Law 59/2003 of December 19 aims to promote more widespread use of electronic signatures as an instrument that generates trust and security in telematic communications, thereby contributing to the development of e-commerce and of the “e-government.”

“Electronic signature” is defined by the Law as a set of data, in electronic form, attached to or associated with other electronic data, which can be used as a method for identifying the signatory. A separate class of electronic signature is the “advanced electronic signature,” which is recognized as a signature which permits the signatory to be identified and the integrity of the data signed to be verified, since it is linked exclusively to the signatory and to the data to which it relates and since it has been created by means that the signatory can keep under his sole control.

The Law includes the concept of “recognized electronic signature”, defining it as an advanced electronic signature based on a certificate recognized and generated through a secure-signature-creation device.

Under the referred Law, both individuals and legal entities can act as signatories. In this way, the Law aims to encourage the placing of orders and issuing of invoices by telematic means, while at the same time safeguarding legal certainty for the entity holding the electronic signature and for the third parties who have dealings with it. However, electronic certificates of legal entities will not alter civil and commercial legislation as regards the provisions governing the concept of the hierarchical or voluntary representative.

Furthermore, the Electronic Signature Law regulates the activity of certification service providers issuing certificates that link signature verification data to a certain signatory. The Government also has a service to publicize information on the certification service providers operating in the market.

Furthermore, in order to be able to offer their services, certification service providers must arrange liability insurance of at least €3 million to cover any risk of liability for damage or loss.

Lastly, Electronic Signatures Law 59/2003 contains provisions regulating the electronic national identity card, which is defined as a recognized electronic certificate intended to popularize the use of secure electronic instruments capable of conferring the same integrity and authenticity as currently surround communications on physical medium.

On the 28th of August 2014, the European Regulation on Electronic Signature was published in the Official Journal. This Regulation came into force on the 17th of September of the same year and it is obligatory since the 1st of July 2016. The Directive 1999/93/CE was then automatically repealed. There has been no explicit derogation of the mentioned national law, therefore both regulations live together, and the European Regulation shall prevail over the national law in case of conflict.

2.4 Personal data protection

Another aspect that may have e-commerce implications is the possible processing of any personal data in transactions of this nature.

Constitutional Law 15/1999, of 13 December, on Personal Data Protection, regulates the processing of an individual’s personal data.

On May 4th 2016, the General Data Protection Regulation of the European Union (GDPR) was published in the Official Journal, which will be obligatory on May 25th 2018. Until then, the local Data Protection Law will continue to be obligatory.

A new Spanish Data Protection Law will be published to regulate those matters that the European General Data Protection Regulation established that should be decided at a national level. The bill is being discussed at the Parliament, but the Law is not expected in the first half of 2018. The bill foresees the explicit derogation of the mentioned existing Law 15/1999.

The Organic Law applies to “personal data,” meaning any information concerning identified or unidentified individuals. Accordingly, it does not apply to data concerning legal entities; in addition, it does not apply to data concerning individual entrepreneurs or individuals being the contact person of a legal entity where the personal data is used exclusively in a “B2B” framework and where such data is limited to the following: name and surname(s), functions or jobs performed, as well as the postal or e-mail address and professional telephone and fax numbers.

Personal data protection legislation revolves around the following principles:

  • The data subject must give prior consent to the processing of his or her personal data, with the exceptions envisaged by the Law.
  • The processing of specially protected data (i.e., data referring to ideology, labor union membership, religion, beliefs, ethnicity, health, and sex life) require the data subject’s express consent (in writing in the first four cases).
  • The data subject must be informed of a number of matters in relation to the envisaged processing of his or her personal data.
  • Personal data may only be processed where they are adequate, relevant and not excessive in relation to the purpose for which they have been obtained.
  • Personal data may only be communicated to a third party if the data subject has given his or her prior consent for such purpose, unless such communication is permitted by the Law.
  • When the communication is addressed to a third party classified by the Law as a data processor, which provides a service entailing access to such data, prior consent by the data subject is not required, but the relationship must be regulated in a contract for services that includes a number of provisions established by the Law.
  • Data subjects are afforded the rights of access, rectification, cancellation, and opposition to and of the processing of their personal data.
  • The creation of personal data filing systems must be previously notified to the Spanish Data Protection Agency2, the agency in charge of enforcing this legislation.
  • The establishment of minor, serious or very serious infringements as a result of breaches of the obligations imposed by this Law, with penalties of up to €600,000 for each data unlawfully processed.

It should also be noted that communications of data involving the international movement of personal data require the prior authorization of the Director of the Spanish Data Protection Agency, when such data is to be sent to countries without a level of protection comparable to that of Spain, except in a number of specific cases such as, for example, when the data subject gives his or her unambiguous consent to the transfer of his or her data. In this connection, it is assumed that States that are part of the European Economic Area ensure an adequate level of protection. In other cases, a decision in this connection is required from the EU Commission3, or a ruling from the Spanish Data Protection Agency, that the data protection offered by the country in question is appropriate.

In relation to penalties, worthy of note is the power of the Spanish Data Protection Agency not to commence, in certain exceptional cases, disciplinary proceedings and, instead, require the party responsible for the offense to evidence that it has taken the corrective measures applicable in each case.

Also of special note are the Regulations implementing Personal Data Protection Constitutional Law 15/1999, approved by Royal Decree 1720/2007, of December 21. These Regulations include many of the standards and recommendations that the Spanish Data Protection Agency has been issuing in recent years on the practical application of, and ways to execute, the various principles that govern personal data protection. In this respect, the Regulations govern matters such as ways of obtaining consent, in particular where data is processed for marketing purposes, the outsourcing of personal data processing or the way in which data subjects can exercise their rights of access, cancellation, rectification and opposition. The Regulations also include a chapter on the security measures that must be taken by data controllers, regardless of whether the data is processed by automatic or manual means.

Most of the formal obligations in the Constitutional Act 15/1999 will disappear when then GDPR is obligatory, which bases its regulatory structure on the “accountability”, which implies the obligation for the data controller to assess the processing that it carries out and the risks attached thereto, adopting the security measures that are more accurate for each case.

2.5 Intellectual and industrial property and domain names 

2.5.1 Intellectual property

The legal protection of intellectual property is hugely important when engaging in e-commerce in the “information society”, since digital content protected by intellectual property (copyright, trademarks, image rights, etc.) constitute the real value added of the internet.

The Copyright Law establishes in Article 10 that all original literary, artistic or scientific creations expressed by any means or on any medium, whether tangible or intangible, currently known or invented in the future, are copyrightable. Accordingly, all original creations are subject to protection, including graphic designs and source codes of, and information contained on, websites.

Website content will be afforded such protection as pertains to the specific category of the content (graphics, music, literary works, audiovisual, databases, etc.) and, therefore, the person in charge of the website must hold the related rights, either as the original owner (of the collective work under his management or developed by employees) or as a licensee.

In protecting intellectual property, the owner may seek both civil and criminal remedies. The Copyright Law affords the holder of the rights of exploitation the possibility of applying for the cessation of unlawful activities (e.g., a website unlawfully disseminating a protected work could be closed down) and of seeking damages. From a criminal law standpoint, the protection of intellectual property on the Internet is based on Article 270 of the Criminal Code, which imposes prison sentences or fines for crimes against intellectual property.

Directive 2001/29/EC on the harmonization of certain aspects of copyright and related rights in the information society, was implemented in Spain through Law 23/2006, which amends the Copyright Law in order to harmonize the economic rights of reproduction, distribution and public communication (including new forms of interactive on-demand making available of works), with the rest of EU Member States and to adapt the rules governing these rights to the new operating procedures existing in the Information Society. Recently, Spain has placed itself at the forefront of the fight to strengthen copyright protection on the Internet in Europe. The Law 21/2014, of November 4, broadens the powers of the administrative body within the Ministry of Culture and Sports (the “Second Section of the Copyright Commission”), strengthening an expedited hybrid procedure of administrative and judicial nature to fast-track action for copyright infringement on the Internet. The purpose of this amendment is to force Internet Service Providers (ISPs) to take down unlawful content and, in some cases, to shut down websites which openly violate copyright legislation (including websites which actively provide lists of links to unlawful content). However, the amendment is not focused on individuals who share unlawful content through “peer to peer” networks.

Lastly, we must underline the elimination of the private copying levy, applied in Spain until January 1, which required collaboration from manufacturers, distributors and retailers of products “suitable for reproducing copyrighted works”. The former system was replaced in 2012 with a new form of compensation which shall be satisfied directly by the State to the copyright owners. The law 21/2014 consolidates the State-funded system.

2.5.2 Industrial property

When engaging in e-commerce, regard should also be had to industrial property matters. Article 4.c of Patents and Utility Models Law 11/19865 6 provides that plans, rules, and methods for conducting a business, as well as software, cannot be patented.

2.5.3 Domain names

Another essential issue to take into account is the registration and use of domain names. In this respect, Order ITC/1542/2005 approved the National Plan for Internet Domain Names under the country code for Spain (“.es”). The function of assigning domain names under the “.es” code is performed by the public for-profit entity Red.es.

Order ITC/1542/2005, following international trends, simplified the system for assigning “.es” domain names, which can be requested directly from the granting authority or through an agent.

Thus, second-level domain names under the code “.es” are assigned on a “first come, first serve” basis. This assignment can be requested by individuals or legal entities and entities without legal personality that have interests in or ties with Spain. However, those which coincide with a first-level domain name or with generally known names of Internet terms will not be assigned.

It is also established that domain names under the codes “.com.es,” “.nom.es,” “.org.es,” “.gob.es” and “.edu.es” may be assigned in the third level. The persons or entities that can apply for the domain names will vary according to the codes. Thus, for example, the Spanish Public Authorities and the public law entities can request domain names under the “.gov.es” code.

Furthermore, the National Plan establishes that the right to use a domain name under the “.es” code is transferable provided that the acquiror meets the requirements necessary to own the domain name and that the transfer is notified to the assigning authority.

Also, one of the main features of Order ITC/1542/2005 is the establishment of an extrajudicial body of mediation and arbitration for the resolution of disputes concerning the assignment of “.es” domain names.

2.6 Law 34/2002 on E-Commerce and Information Society Services

Law 34/2002 on E-Commerce and Information Society Services (ECISSA) defines as “information society services” any service provided for a valuable consideration, long-distance, through electronic channels and upon individual request by the recipient, also including those not paid for by the recipient, to the extent that they constitute an economic activity for the provider. Specifically, the following are deemed to be information society services:

  • Contracting for goods and services through electronic means;
  • Organization and management of auctions using electronic means or of virtual shopping centers or markets;
  • Management of purchases on the network by groups of persons;
  • Sending of commercial communications;
  • Supply of information through telematic channels; and
  • Video upon demand, as a service that the user may select through the network and, in general, the distribution of contents upon individual request.

The ECISSA applies to information society service providers established in Spain. In this respect, the provider is considered to be established in Spain when its place of residence or registered office is located in Spanish territory, provided that it coincides with the place where its administrative management and business administration are actually centralized. Otherwise, the place where such management or direction is performed will be considered.

Likewise, the ECISSA will apply to services rendered by providers who are resident or have a registered office in any other State when the services are offered through a permanent establishment located in Spain. Therefore, the mere use of technological means located in Spain to provide or access the service will not of itself determine that the provider has an establishment in Spain.

The above notwithstanding, the requirements of the ECISSA will apply to service providers established in another State of the European Union or the European Economic Area when the recipient of the services is located in Spain and the services affect:

  • Intellectual or industrial property rights;
  • Advertising issued by collective investment institutions;
  • Direct insurance activities;
  • Obligations arising from contracts with consumers; or
  • The lawfulness of unsolicited commercial communications by e-mail.

The ECISSA establishes the basic legal regime for information society service providers and e-mail activities, including:

  • The principle of freedom to provide services not subject to prior authorization applies to information society services, except in certain cases. In the case of service providers established in States that do not belong to the European Economic Area, this principle will apply in accordance with the applicable international agreements.
  • The following obligations are imposed on information society service providers:

  To put in place the means to permit the recipients of the services and the responsible bodies to access easily, directly and free of charge, the information on the provider (corporate name, registered office, registration particulars, tax identification number, etc.), on the price of the product (stating if it includes applicable expenses and shipping costs) and on the codes of conduct to which it has adhered.

–  For providers of intermediation services, to cooperate with the responsible authorities in interrupting the provision of information society services or in withdrawing contents.

Please note that depending on the specific services that these intermediation service providers carry out (access to the internet, e-mail services), they are obliged to furnish certain information such as, for example, the security measures in place, the filters for certain persons to access the site or the responsibility of the users.

  • A specific system of liabilities is established for information society service providers, without prejudice to the provisions of civil, criminal and administrative legislation.
  • A specific system is established for commercial communications through electronic channels, without prejudice to the legislation in force on commercial, publicity and personal data protection matters. In this regard, commercial communications through electronic channels must be clearly identifiable, stating the individual or corporation for whom they are made, and spelling out the conditions for access and participation, in the case of discounts, prizes, gifts, competitions or promotional games.

Additionally, advertising or promotional communications sent by e-mail or similar form of communication that have not been previously requested or expressly authorized by the recipients are prohibited. Express consent will not be necessary when there is a pre-existing contractual relationship, provided that the supplier had lawfully obtained the recipient’s contact data and that the commercial communications refer to goods or services of the provider’s own company which are similar to those for which the recipient initially made a contract. In any case, the provider must offer the recipient the possibility to object to the processing of his data for promotional purposes, through a procedure that is simple and free of charge, both at the time the data is collected and in each of the commercial communications sent to him. Where the communications have been sent by e-mail, that medium shall necessarily include a valid e-mail address where the recipient can exercise this right, it being prohibited to send communications that do not include such address.

  • Service providers may use devices for storage and recovery of data on computer terminals of the recipients (commonly known as “cookies”), on the condition that the recipients have given their consent after having received clear and complete information on their use.

Where technically possible and efficient, the recipient may give his consent to the processing of his data through the use of the appropriate parameters of the browser or of other applications, provided that the recipient must configure it during installation or updating through express action for that purpose.

The foregoing will not prevent the possible technical storage or access for the sole purpose of transmitting a communication through an electronic communications network or, to the extent that it is strictly necessary, providing an information society service expressly requested by the recipient.

The Spanish Data Protection Agency is the body with the authority to impose monetary penalties to the information society providers for the use of cookies without the proper informed consent from users of an information society service. The fines can reach the amount of €30.000.

  • Contracts through electronic channels are regulated, recognizing the effectiveness of the agreements made through electronic channels when consent has been granted and other requirements necessary for their validity are met. Additionally, the following provisions are established for contracts made through electronic channels:

  The requirement that a document should be placed on record in writing is considered to be met when it is contained on electronic medium.

  The admission of documents on electronic medium as documentary evidence in lawsuits.

  Determination of the legislation applicable to the contract made through electronic channels will be governed by the provisions of international private law.

  Establishment of a series of obligations to be met prior to commencement of the contracting procedures, relating to the information that must be furnished on the formalities for the making of the contract, the validity of offers or proposals of contracts and the availability, if any, of general contracting conditions.

  Obligation on the offeror to confirm receipt of the acceptance within 24 hours after its receipt, by an acknowledgement sent by e-mail or equivalent means to that used in the contracting procedure which enables the recipient to give such confirmation.

  Assumption that agreements made through electronic channels in which the consumer participates have been made in the place where the consumer has his customary place of residence. When these contracts are made between entrepreneurs or professionals, they will be assumed to have been made, in the absence of a provision on the matter, in the place where the service provider is established.

When dealing with agreements entered into with customers, the Revised General Consumer and User Protection Law should be taken into account, in particular in connection with distance sales.

  • Recognition of a ground to claim cessation against conduct that contravenes the ECISSA which is detrimental to collective or general consumers’ interests, and promotion of out-of-court settlement of disputes.
  • Establishment of minor, serious and gross infringements due to failure to comply with the obligations imposed by the ECISSA, with penalties of up to €600,000.

1  Order EHA/92/2007, of April 10, 2007, implementing certain provisions concerning telematic billing and electronic invoice storage, contained in Royal Decree 1496/2003, of November 28, 2003, approving the regulations governing billing obligations.

2  www.agpd.es

3  Up to now, according to different Decisions the European Commission consider that the following countries provide an adequate level of protection: Switzerland, Canada, Argentina, Guernsey, Isle of Man, Jersey, Faeroe Islands, Andorra and Israel. As for the transfers of data to the United States, after the annulation of the “Safe Harbor” principles by the European Union Court of Justice on October 6th 2015, the transfers to that country will be allowed to be made in a simplified manner when the importing entity has adhered to the “Privacy Shield” system.

4  Legislative Royal Decree 1/1996, of April 12, 1996, approving the Revised Intellectual Property Law, regulating, clarifying and harmonizing the legal provisions in force in this area.

5  On April 1st 2017, the Law 24/2015 will enter in force, repealing the Law 11/1986, except in those cases mentioned in its transitorial provisions.