Cybersecurity and


Data Protection & GDPR

Our Privacy & Data Protection practice is one of the longest-standing ones in Europe and has been awarded top ranking in legal directories. We have been delivering solutions to the most complex privacy challenges and enforcement actions since 1996 and we also regularly work with data protection regulators.

You can download our Data Protection flyer here.


  • Coordination of Latin Atlantic Tech Law Collaborative at Florida International University
  • Participation in the Commission on the Digital Economy at the International Chamber of Commerce (ICC)
  • Participation in the working group for the GDPR Legitimate Interests Assessment Project at the Information Accountability Foundation – IAF
  • Membership of the FIDE Foundation, a major think-tank in Spain, where Javier F. Samaniego runs the blog 'Metamorphosis' on legal issues connected with innovation and disruptive technology. Javier also chairs the working group on implementation of GDPR in Spain and regularly speaks at FIDE seminars on Digital Economy legal issues such as Big Data, FinTech, Robotics, etc.
  • The firm is a member of the Google Privacy Chair at San Pablo University CEU (Spain)
  • Participation in the European Advisory Board (EAB) of CPR NY, USA and its Working Group on Cybersecurity in Arbitration.
  • Participation in the ICCA-IBA Task Force on Data Protection in International Arbitration Proceedings.

Relevant rankings and awards

Javier Fernández-Samaniego offers unparalleled authority over information technology matters. His practice is further complemented by additional strength in dispute resolution, data protection and fintech matters.
"Javier is very experienced. He provides good added value to the project and comfort about the proposed legal solutions."
"He is very experienced and easy to work with."
"Javier is just the best. It's that simple."
Chambers Europe 2023, Spain, TMT.

Samaniego Law holds a compact team with broad experience in the IT field. Its areas of expertise include data protection and privacy as well as cybersecurity issues. The team regularly assists with commercial agreements, e-commerce and contentious matters. The law firm boasts a diverse client roster ranging from the ICT services, life sciences and fintech sectors.
"They always deliver a solid and good quality work to us, which proves their technical expertise on the different matters," highlights one interviewee.
Another client remarks on the firm's excellent service, adding: "they have a lot of experience, and good communication."
Chambers Europe 2022, Spain, TMT.

Javier Fernández-Samaniego is widely recognized as one of the top specialists in the field, described in Chambers Europe guide as a leading (tier 1) IT lawyer in Spain and as “A true data protection expert and one of the best privacy lawyers in Europe.” He was one of the first lawyers to represent a private sector data controller during an inspection and the subsequent enforcement proceedings by the Spanish Data Protection Agency back in 1996. Since then, Javier has advised and represented many local and international companies and is well known for his advocacy practice defending private controllers before the Spanish DPA and relevant appeal Courts and his expertise relating to the International Transfer of Data to third countries, Outsourcing Transactions and Data Protection Review Programs.

Paula Fernández-Longoria has extensive experience advising clients on privacy issues in a variety of sectors, in projects including international data flows, outsourcing transactions, assistance in investigations and procedures initiated by data protection authorities, contractual issues, and data compliance programs. She is praised for having "a lot of knowledge and a very pragmatic approach." Javier and Paula have worked together for over a decade in various law firms.

Our firm has substantial experience of data protection compliance and audit projects on an international basis, which gives us in-depth knowledge, an excellent understanding of the law and hands-on experience. We specialize in:

  • Contentious Data Protection: defense against enforcement action brought by Supervisory Authorities and individual or collective claims
  • Data Protection Reviews and Security Audits (including Client Training)
  • Transborder data flows
  • Whistleblowing reporting systems
  • Big Data Projects and marketing partnerships (including loyalty programs)
  • Data Protection assessment and other DP advice
  • Enforcement actions in Data Protection

We also advise clients on fulfilling their corporate ESG (Environmental, Social and Governance) commitments concerning data protection. This includes:

  • (i) identification of potential risks for members of the corporate management bodies in relation to decisions they take in terms of data protection and privacy and design of appropriate privacy and disclosures policies and operating procedures in accordance with the rest of ESG objectives and obligations
  • (ii) due diligence and analysis of transactions to identify possible negative impacts at privacy level, as well as conducting evaluations of compliance with established privacy standards
  • (iii) advice in the drafting of strategic and technical reports on the company's privacy and data protection mechanisms and implementation of best practices.

Examples of our work include:

  • Defense in several administrative sanction proceedings initiated by the Spanish Data Protection Authority and challenges and appeals in the relevant Spanish courts
  • Complaints before the European Commission against EU Sovereign States concerning the incorrect implementation and enforcement of EU Data Protection Law
  • Preliminary references in the ECJ

In addition, our team has expertise in the most significant privacy-related issues of recent times: Data breaches and security incidents, BCRs, transatlantic data flows, etc.

With GDPR fully in force now, it is worth highlighting our role as chair of the working group on implementation of GDPR in Spain, hosted by the leading think tank FIDE Foundation, as well as our participation in the IAF Legitimate Interests project.

We have assisted clients in:

  • GDPR Strategic Planning
  • Undertaking Privacy Impact Assessments (PIA)
  • Adapting their privacy policies to the new GDPR principles
  • Handling Data Breach notifications
  • Defense against enforcement actions and investigations initiated by Supervisory Authorities and against individual and collective compensatory redress actions (Article 82 GDPR).

Cybersecurity and NIS (Networks and Information Security)

Organizations have always taken measures to protect their information systems against internal and external threats. However, we now face an increased number and variety of cyber-attacks, making cybersecurity a vital topic that demands an integrated and robust approach.

We guide our clients from prevention through planning and response to cyber incidents, offering the following services:

  • Advice in relation to Cybersecurity of 5G networks - EU Toolbox of risk mitigating measures.
  • Proactive identification of your threat profile and an assessment of your legal obligations and response readiness
  • Development of internal policies and procedures and incident-response simulations, together with staff training
  • Management of cyberattacks through breach notification, external communications, law enforcement interactions and expert identification
  • Dealing with industry-specific security and IT risk management obligations, regulatory, reporting and procurement requirements
  • Counselling on available cybersecurity solutions and technology
  • Assistance to digital service providers, such as online markets, online search engines and cloud computing services, as well as providers of essential services established in Spain in matters related to their obligations to comply with the Spanish NIS (network and information services) regulations (Royal Decree-Law 12/2018 of 7 September 2018 and its implementation regulation Royal Decree 43/2021 of 26 January 2021).

Trade Secret Protection

Any confidential business information which provides an enterprise with a competitive edge may be considered a trade secret. The unauthorized use of this industrial or commercial information is regarded as a violation. We understand the sensitivities involved in trade secret claims and work closely with our Intellectual Property, Employment and Competition colleagues to provide clients with specialist advice on technology-focused trade secrets.

The protectability of trade secrets depends greatly on taking reasonable precautions to maintain their confidentiality.

Our services include:

  • establishing Trade Secrets Review Plans (risk assessments and remedy plans) that are designed to ensure that trade secrets remain secret and consist of the implementation of comprehensive and sound trade secret protection policies.
  • advice to companies on protecting their trade secrets and on potential disclosures by their business partners or employees
  • advice related to claims arising from restrictive covenants, theft of trade secrets, breach of fiduciary duty and duty of loyalty, misappropriation of trade secrets, non-compete or non-disclosure agreements, etc.
  • handling trade secret litigation cases, on both the prosecution and defense side; we are particularly skilled at deploying resources, reliable methods, and expert witnesses to address damages issues.
  • We also provide workforce training, explaining the nuances of trade secrets and detailing legal principles that employees and executives can both understand and follow. Such sessions are key to protecting the company’s own business, but they also help to reduce the risk of the information being misused by the company’s partners, individuals, or third parties.

    Success Cases

    • Security and Privacy

      - Assisting a client, a leading CRM company, with its major Global Privacy Compliance Project, involving coordination of the project's execution in 13 Central and South American jurisdictions and the US (2023).

      - Advice to major multinational companies on cybersecurity and data protection matters in relation to EU Toolbox cybersecurity of 5G networks related regulations in Spain (since 2020).

      - Strategic legal and consulting advice to a US client in relation to the launch of its hospitality and entertainment service in the Metaverse (2023).

      - Strategic regular advice, negotiation, and ample privacy advice to a major association of luxury brands, especially concerning its e-commerce business (since 2021).

      - Advice to a leading US Pharma company on privacy issues arising from the use of mobile applications and other e-health matters (since 2021).

      - Advice to a leading Mexican manufacturer in the toy industry on the launch of its operations and e-commerce platform in Europe and all e-marketing and data processing operations involved (2021).

      - Advice to one of the world's most globally recognized brands (also known for its collectible fashion and music-related merchandise, dining experiences, and live performance venues) on the commercial/data protection aspects of the launch of its first non-franchise hotel in Madrid, Spain (2021).

      - Representing a leading European fintech company before the Spanish Data Protection Agency and the National Court of Appeal on identity thefts and other cybersecurity challenges.

      - Providing strategic legal advice to a major US company on the assessment and redefinition of its data processing operation and GDPR compliance.

      - Advising a leading global US-based for-profit corporation and online social media & networking service in relation to European GDPR and enforcement matters.

      - Chairing (Javier F. Samaniego) the working group on GDPR implementation in Spain at FIDE Foundation.

      - Contributing to the IAF Legitimate Interests and Integrated Risk and Benefits Assessment Project.

      - Participation in CPR’s Working Group on Cybersecurity in Arbitration.