The Supreme Court sets the scope of the concept of "processing" and requires compliance with the principles of the GDPR from the request for personal data
The Supreme Court issues a landmark ruling laying down case law in relation to the GDPR: a mere request for personal data constitutes data ‘processing’ for the purposes of the GDPR. The judgment stems from a cassation appeal brought by the AEPD, with Garrigues acting as legal counsel.
On March 26, 2026, the Judicial Review Chamber of the Supreme Court issued a judgment of particular relevance in the area of personal data protection, marking the first time in Spain that the Court has ruled on the scope of the concept of ‘processing’ as set out in Article 4(2) of the General Data Protection Regulation (GDPR). In this regard, the high court held that data controllers are required to comply with the GDPR’s data processing principles – including the principle of data minimization (article 5.1.c) of the GDPR) – from the moment they request personal data from an individual, regardless of whether such data are ultimately provided and subsequently collected by the controller.
Background of the case
The case stemmed from a penalty proceeding filed by the Spanish Data Protection Agency (AEPD) against the Office of the General Secretary of Penitentiary Institutions (SGIIPP). As set out in the facts of the judgment, in 2019 a public official from the Lanzarote Penitentiary Center was absent from work for three days due to health reasons and submitted the appropriate medical certificate, which stated “indisposed.” He also justified a subsequent partial absence with proof that he had attended a medical consultation.
After submitting these certificates, management at the Penitentiary asked the public official to provide the specific medical diagnosis and the treatment that had been prescribed. The official refused to do so, arguing that this information was personal and that it was not necessary for him to provide it. As a result of his refusal, disciplinary measures were imposed on him.
Following the performance of the relevant investigative procedure, the AEPD imposed a penalty on the Office of the General Secretary of Penitentiary Institutions, due to the breach of the principle of data minimization set out in article 5.1.c) of the GDPR, on the grounds that the request for the medical diagnosis was excessive and unnecessary for the purpose of monitoring workplace absenteeism.
National Appellate Court judgment: the restrictive interpretation
The SGIIPP filed an appeal for judicial review against the penalty at the National Appellate Court, which issued an initial judgment annulling the AEPD’s penalty, based on a formalistic and literal interpretation of Article 4.2 of the GDPR. The Court found that there could be no “processing” of personal data where no actual collection of such data had taken place at any point. In its reasoning, the chamber held that since the public official had not actually provided the requested data, the authorities were unable to carry out any processing activity and, therefore, the essential element of the infringement relating to the principle of personal data minimization was missing.
The cassation appeal and the matter of cassational interest
The AEPD filed a cassation appeal against the National Appellate Court judgment. As in the previous instance, the legal representation of the case was conducted by professionals from Garrigues’ Data Economy, Privacy and Cybersecurity area.
The AEPD’s defense argued that the National Appellate Court's interpretation ran counter to case law by the Court of Justice of the European Union (CJEU), citing, inter alia, the judgments of February 24, 2022 (case C‑175/20), October 5, 2023 (case C‑659/22) and October 4, 2024 (case C‑548/21). The line of argument underpinning the appeal revolved around the premise that the GDPR requires data controllers to design and implement their procedures in light of the principles laid down in the GDPR on an a priori basis, that is, prior to any physical handling of personal data. Accordingly, compliance with the GDPR – including the principle of data minimization – must occur before the personal data is physically received by the data controller, pursuant to the principles of accountability and privacy by design.
Case law by the Supreme Court
In the judgment in question, the Supreme Court quashed and set aside the ruling of the National Appellate Court on the grounds set out below, establishing the following case law:
- Broad and systematic interpretation of article 4.2 of the GDPR. The chamber rejected the literal and formalistic interpretation that made the existence of ‘processing’ dependent on the actual collection of the data. Instead, it carried out a systematic interpretation linking the definition set out in article 4.2 with the obligations incumbent on the data controller under articles 5 and 25 of the GDPR. The Court concluded that data ‘processing’ takes place as soon as the authorities ask an individual to provide personal data, even where the data are not ultimately provided, in light of the numerus apertus nature of the list of activities described in article 4.2 of the GDPR as constituting data processing.
- Effective protection of fundamental rights. The Supreme Court underscored that the effective protection enshrined in article 8.1 of the Charter of Fundamental Rights of the European Union and article 18 of the Spanish Constitution is only possible if the data processing is deemed to begin with the mere request made to provide the personal data. Making compliance with the principles conditional upon the actual “physical receipt” of the data would hinder the effective protection of data subjects’ rights and would generate uncertainty which is incompatible with the principle of legal certainty.
- Alignment with CJEU case law. The Supreme Court judgment is expressly in line with CJEU case law. Indeed, in its judgment of February 24, 2022 (case C-175/20) the CJEU had already held that the EU legislature had intended to give the concept of ‘processing’ a broad scope, indicating that a request for personal data by the authorities initiates a process of ‘collection’ of those data, within the meaning of article 4.2 of the GDPR. The court also cited the CJEU judgment of October 5, 2023 (case C-659/22), which reiterated this broad interpretation.
Application to the case in question: breach of the data minimization principle
In the case at issue, the chamber held that the Lanzarote Penitentiary had breached the data minimization principle by requesting the public official’s medical diagnosis, since this information was neither appropriate, pertinent nor necessary for the purpose of monitoring workplace absenteeism, which could be adequately carried out using the medical certificates that had already been provided. The Court underscored that the information requested constituted specially protected health data and that even where an employee is formally on sick leave, the employer does not – and should not – have access to the worker’s medical diagnosis, since both the National Social Security Institute (INSS) and the General Mutual Insurance Scheme for State Civil Servants (MUFACE) expressly exclude this information from the reports provided to employers.
The far‑reaching importance of the criterion established
This judgment constitutes a milestone in the interpretation of the GDPR in Spain for several reasons. First, because the Supreme Court has set out, for the first time, its case law position on the scope of the concept of personal data ‘processing’, extending it to stages as early as the actual request for such data – an issue that had not previously been addressed in a cassation appeal. Second, because it brings Spanish case law into line with the approach adopted by the CJEU since 2022 in the aforementioned judgments, reinforcing the overall coherence of the European data protection system. Third, because it has a profound practical impact: any entity, whether public or private, that acts as data controller must assess compliance with the GDPR principles, especially data minimization, before requesting any personal data, rather than only after such data have been effectively collected.
The criterion established by the Supreme Court strengthens the preventive and proactive approach that underpins the GDPR, reinforcing the principle of accountability and data protection by design and by default. Consequently, organizations are required to design their data collection processes in accordance with the principles of the Regulation before carrying out any processing activities.