By: Mario Shai Aguado González | Personal Data Protection & Artificial Intelligence
There is a widespread belief among companies that their obligations regarding personal data protection begin when data belonging to customers, employees, suppliers, or any other data subject is stored in their systems.
However, that belief is incorrect, and a ruling by the Spanish Supreme Court confirms this.
The ruling is not based on Mexican law; however, its reasoning is entirely relevant to any company operating in Mexico that is subject to the obligations of the Federal Law on the Protection of Personal Data Held by Private Parties (LFPDPPP). This is because both legal systems share the same underlying logic: regulatory compliance is not a response to the personal data obtained, but rather to an obligation that arises upon its request.
What happened?
In March 2026, the Spanish Supreme Court (TSE) ruled on an appeal (STS 1590/2026) that, at first glance, appeared to stem from a minor matter: a correctional facility had required one of its employees to provide a medical diagnosis and the treatment prescribed by his doctor in order to justify three days of absence from work.
The employee refused, citing his right to privacy, and the prison never received that information. What happened to the employee? The prison deducted three days' pay from his salary.
In light of this situation, the official filed a complaint with the Spanish Data Protection Agency (AEPD), which launched an investigation that resulted in a sanction against the General Secretariat of Penitentiary Institutions in the form of a warning for violating the principle of data minimization. The National Court overturned the sanction, arguing that without the actual receipt of personal data, there can be no processing. The AEPD filed an appeal, and the Supreme Court ruled in its favor.
What is the central legal question?
The issue resolved by the TSE raises an interesting technical point:
Can the processing of personal data still take place even if the data never reached the controller (because the data subject refused to provide it)?
The National Court ruled that this was not the case. Its reasoning was that the General Data Protection Regulation (GDPR) defines data processing as any operation performed on personal data, with “collection” being the first item listed. Without data collection, there is no processing; therefore, there is no violation.
The TSE rejects this reasoning as insufficient. The TSE begins by acknowledging that the definition of “processing” in Article 4(2) of the GDPR is deliberately broad. The European legislator used the phrase “any operation,” accompanied by a non-exhaustive list of examples. This breadth is not accidental; it reflects the intention to give the concept a broad scope that effectively protects individuals’ fundamental rights. Not only that, but in addition to considering the breadth of the definition, the TSE considered two articles of the GDPR.
On the one hand, Article 5 of the GDPR establishes the principles governing data processing, such as lawfulness, purpose limitation, data minimization, accuracy, storage limitation, and security. These principles are not triggered only once data has been received; rather, they are obligations that must be met from the moment any activity aimed at collecting and processing personal data is designed.
Furthermore, Article 25 of the GDPR addresses privacy by design and by default, specifically referring to protective measures “both when determining the means of processing and at the time of processing itself.” In other words, before the first piece of data is collected.
Accordingly, the TSE concludes that the request for personal data is already part of an activity designed and intended to collect personal data. That activity constitutes, in and of itself, the processing of personal data and is therefore subject to compliance with all the principles set forth in the GDPR, including data minimization.
Why is the prison violating the GDPR?
Once that doctrine has been established, the TSE applies the principle of data minimization to the specific facts of the case.
The employee had provided medical documentation substantiating his absence. Those documents served the purpose of monitoring absenteeism. The additional request for the medical diagnosis and treatment does not add anything necessary for that purpose. On the contrary, the TSE noted that even in cases of sick leave due to temporary disability, the employer does not receive the medical diagnosis, and health institutions do not communicate anything to the workplace, precisely because that information is unnecessary for managing employee absences.
The request was unnecessary, disproportionate, and concerned health data, a category that the GDPR classifies as requiring special protection. The penalty was appropriate, even though the data had not been provided.
Does this apply to us in Mexico?
The LFPDPPP 2025 shares both the terminology and the structural logic of the GDPR. Article 2, Section XIX defines processing as “any operation or set of operations… related to the collection, use, recording, organization, storage…” placing collection first, in the same position as “collection” in the GDPR. This similarity reflects that both systems conceive of processing as a process that begins at the moment one seeks to access the data, not when it is already in the possession of the controller.
Article 5 of the LFPDPPP enshrines the principle of proportionality as one of the guiding principles of data processing, and Article 12 reiterates this: processing “shall be necessary, appropriate, and relevant in relation to the purposes set forth in the privacy notice.” That standard is functionally equivalent to the principle of data minimization in Article 5.1.c) of the GDPR, the violation of which is at the heart of the Spanish ruling.
Article 13 reinforces this interpretation by establishing the controller’s responsibility to take the necessary measures to ensure that the privacy notice is complied with “at all times.” And Article 16 requires that the notice be available from the moment the data is collected, which implies that the controller has already determined, prior to any request, what data will be collected, for what purpose, and what type of consent is required.
What Supreme Court Ruling 1590/2026 establishes in case law within the European context, the LFPDPPP already expressly requires in its text. The difference is that in Mexico, this logic is rarely articulated with the clarity with which the TSE does so in this ruling: a data controller who requests excessive data is already in violation of the principle of proportionality, regardless of whether the data subject provides that information or not.
What are the conclusions?
Supreme Court Decision 1590/2026 does not create a new obligation. It clarifies when the obligations already established by the regulatory framework take effect and, as we anticipated, sooner than most companies assume.
Developing that framework with legal rigor is precisely what sets a proactive company apart from one that only reacts once a problem has already arisen.