Additional provision 9 of Organic Law 3/2018 provides that public authorities, computer emergency response teams (CERT), security incident response teams (CSIRT), network and electronic communication providers and security technology providers may only process personal data contained in security notifications during the threat. They shall use the personal data strictly for analysis, detection and protection, while implementing adequate security measures.

Reporting a data breach in Spain

Data breaches can be reported to the AEPD via this online form. Detailed instructions on the data breach assessment and reporting process are available in this guide in English. The guide contains a draft reporting form in Annex II.