On 4 May 2023, the Contentious Chamber of the Supreme Court established doctrine in its Ruling 1946/2023. It defined the interpretation of Articles 14.2 and 15.1 of Spanish Act 19/2013 on transparency, access to public information and good governance, Articles 1.1, 1.2 and 4 of Regulation (EU) 2016/679 on the protection of natural persons with regard to the processing of personal data, and Articles 1 and 27.2 of Spanish Act 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights, establishing that “the restriction on the right of access to public information relating to administrative sanctions that do not entail a public reprimand for the offender only refers to natural persons who have been sanctioned and excludes legal entities”.

This doctrine was established by the Supreme Court when it upheld an appeal in cassation lodged by the Catalan Government (Generalitat de Cataluña) against a judgment handed down by the Catalan High Court of Justice, in which an offending company sought to have its name withheld from disclosure.

The company in question, Fundació Privada Residència Bell Repós de Súria, appeared on a list provided by the Generalitat to a journalist who requested information about old people’s homes in Catalonia that had been sanctioned during a certain period of time. Faced with this situation, the company filed a lawsuit with the courts, and the High Court considered that the company’s name should not be made public, in accordance with data protection regulations. The Catalan High Court considered that the protection of personal data relating to the commission of administrative offences that did not involve a public reprimand was equivalent to the protection of data on ideology, trade union membership, religion, beliefs, racial origin, health, sexual life and the commission of offences in general. Consequently, the journalist was prohibited from using the information in question.

However, the Supreme Court upheld the position of the Catalan Administration and criticised the Catalan High Court for incorrectly applying data protection regulations to legal entities. According to Article 14 of the Transparency Law, limits on access to information must be justified and proportional, taking into account the object and purpose of protection, as well as the circumstances of the specific case and the existence of an overriding public or private interest that justifies access. Article 15 establishes which personal data concerning natural persons (ideology, religion, beliefs, sex life, biometric data) may not be disclosed unless the data subject has given express consent or the data have previously been made public. The Generalitat also referred in its appeal to Articles 1(1), 1(2) and 4 of EU Regulation 2016/679, which apply exclusively to data relating to natural persons.

Thus, the Supreme Court in its ruling stated that: “the Generalitat’s counsel is correct in stating that the regulation on personal data protection applies only to natural persons and does not include legal entities. Spanish Act 3/2018 on Data Protection refers explicitly to natural persons, so legal entities cannot be included within its scope of application”.

In conclusion, although the data protection regulation was already very clear regarding its subjective scope of application, its improper application has been corrected by the Supreme Court, which has made it clear that legal entities are not covered by personal data protection.