Legal
GDPR — Article 23
Article 23 of the General Data Protection Regulation allows EU and member-state law to restrict some of the rights a data subject would otherwise have. This page documents the narrow set of circumstances in which we may lawfully decline or delay a request — and what we do to limit the impact.
1. What Article 23 allows
Article 23 permits restrictions to the rights established in Articles 12–22 and Article 34 where the restriction respects the essence of the fundamental rights and freedoms and is a necessary and proportionate measure to safeguard, among other things:
- National security, defence, public security.
- The prevention, investigation, detection, or prosecution of criminal offences.
- Important objectives of general public interest, including monetary, budgetary, and taxation matters.
- The protection of judicial independence and judicial proceedings.
- The enforcement of civil-law claims.
2. When SP3 may invoke Article 23
In practice, SP3 will only invoke an Article 23 restriction in the following narrow scenarios, and always documents why in writing:
- A judicial or administrative order from a competent Spanish authority obliges us to delay notification of an access or erasure request until an active investigation concludes.
- Spanish tax or accounting law requires us to retain billing records beyond the retention period we would otherwise apply.
- Enforcing a legitimate civil-law claim (for example, unpaid invoices) requires us to retain specific records until the claim is resolved.
We never invoke Article 23 to defend our own reputation, to avoid embarrassment, or to delay an otherwise valid request beyond what the law requires.
3. What we tell you when we do
Except where the restriction itself forbids us from doing so, we:
- Acknowledge the request within the statutory 30-day window.
- State the specific legal basis we are relying on.
- Describe the scope of the restriction — what is delayed, what is not, and for how long.
- Inform you of your right to complain to the Agencia Española de Protección de Datos (AEPD) and to seek judicial remedy.
4. Because we are end-to-end encrypted
Most Article 23 situations simply do not arise for file content held on SP3. We cannot disclose plaintext content in response to any order because we do not hold the keys. Orders directed at file content are met with the same technical reality: ciphertext and account metadata only. Orders directed at account metadata are treated as described above.
5. Law-enforcement guidelines
Our process for handling law-enforcement requests, including the categories of data that are and are not available, is provided on request to legal@sp3.es. Aggregate statistics — requests received, complied with in full or in part, and rejected — are provided to anyone who asks. A standing annual transparency report will be published once volumes justify it.
6. Your right to complain
If you believe an Article 23 restriction we have invoked is not necessary or proportionate, you may complain directly to the AEPD at aepd.es and to seek a judicial remedy under Article 79 GDPR.