No. Doxxing—revealing private personal data without consent—violates Spain’s Organic Law 3/2018 (LOPDGDD) and the Penal Code (Art. 197.7). The AEPD enforces GDPR-aligned penalties up to €20M or 4% of global turnover, while prosecutors may pursue criminal charges under harassment or defamation statutes. Recent 2026 amendments to the Digital Services Act (DSA) further tighten platform liability for facilitating such disclosures.
Key Regulations for Doxxing in Spain
- LOPDGDD (Art. 5-10): Prohibits processing personal data without explicit consent, with strict limits on “public interest” exceptions. The AEPD’s 2025 guidelines clarify that even anonymized data may be actionable if re-identifiable.
- Penal Code (Art. 197.7): Criminalizes the dissemination of private data with intent to harm, punishable by 3 months to 2 years’ imprisonment. Courts apply this to social media leaks, even if data was lawfully obtained.
- Digital Services Act (DSA) Compliance (2026): Hosting providers must remove doxxing content within 24 hours of notice under Spain’s transposition, with fines up to €10M for repeat offenses. The CNMC oversees enforcement.
Platforms face joint liability if they fail to implement “proportionate measures” to prevent doxxing, per Spain’s 2024 Royal Decree 5/2024. Victims may also seek injunctions under the Ley Orgánica 1/2023 for urgent data protection violations.