Data processing begins even before the data is received. A recent ruling of the Supreme Court of Spain clarifies the scope of GDPR obligations, and its implications extend to the United States as well.

In STS 1590/2026 (Judgment No. 390/2026, dated March 26, 2026), the Spanish Supreme Court held that the obligations of a data controller do not arise upon receipt of personal data, but beforehand, at the moment the controller decides what data to request from an individual, for what purpose, and by what means. The case involved a penitentiary center that demanded a civil servant provide his medical diagnosis and treatment to justify a three-day absence from work, even though the employee had already submitted a physician’s certificate stating “indisposition”. The employee refused, invoking his right to privacy, and the Spanish Data Protection Agency (AEPD) sanctioned the employer for violating the data minimization principle. The lower court reversed, reasoning that no “processing” occurred because the data was never actually handed over. The Supreme Court disagreed and reinstated the sanction.

The Court held that requesting personal data is still “data processing” under Article 4(2) of the GDPR even if the requested data is never provided by the data subject. Data collection begins earlier, at the moment when a controller decides what data to request from an individual, for what purpose and by what means.

This means that the principles of Article 5 of the GDPR, and in particular the principle of data minimization, as well as the obligation of data protection by design and by default under Article 25 of the GDPR, apply from that very moment. As such, the responsible party must examine, prior to obtaining the data, whether the requested data is adequate, relevant, and limited to what is necessary in relation to the purpose pursued.

The Supreme Court’s reasoning aligns with the Court of Justice of the European Union’s broad interpretation of “processing.” In Case C-175/20 (February 24, 2022), the CJEU held that a request by a tax authority for personal data constitutes “collection” under Article 4(2) of the GDPR such that GDPR obligations apply from the stage of requiring disclosure. The CJEU emphasized that the expression “any operation” reflects the EU legislature’s intent to give the concept of processing a wide reach, a conclusion it reaffirmed in Case C-659/22 (October 5, 2023). The Spanish Supreme Court’s new jurisprudential doctrine now cements this principle at the national level, requiring a “broad and non-restrictive interpretation” of the processing concept, with controller obligations attaching “from the very moment the controller requests personal data from a natural person, regardless of whether such data is ultimately provided”.

The U.S. Parallel: Data Minimization Obligations Apply Broadly

The same conclusion applies under U.S. state privacy laws as well. Although the statutory terminology varies, the definitions of “collection” and “processing” under these laws are broad enough to support a similar reading. In most states that have adopted the Virginia model, including Virginia, Colorado, Texas, Connecticut, and others, “processing” is defined as “any operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data”. California takes a slightly different approach, separately defining “collects” as “buying, renting, gathering, obtaining, receiving, or accessing any personal information pertaining to a consumer by any means,” including “receiving information from the consumer, either actively or passively, or by observing the consumer’s behavior”. While neither framework explicitly addresses a mere request for personal data, the precise gap the Spanish ruling fills, the breadth of these definitions suggests that the principles of data minimization and purpose limitation could, as a practical matter, be applied at the point of system design and data request, not merely at the moment of receipt.

The obligations of data minimization are equally, if not more, important under U.S. state privacy laws, and vigorous enforcement has already begun. In July 2025, the California Attorney General reached a then-record $1.55 million settlement with Healthline Media LLC for CCPA violations related to its use of online tracking technology on its health information website, Healthline.com. The investigation found that Healthline failed to allow consumers to opt out of targeted advertising and shared data with third parties, including article titles that could reveal a consumer’s health condition, without CCPA-mandated privacy protections. The settlement included a novel term banning Healthline from sharing article titles that reveal that a consumer may have been diagnosed with a medical condition.

In addition, states have passed laws with stricter data minimization requirements that go beyond the traditional standard. Maryland’s Online Data Privacy Act (MODPA), effective October 1, 2025, imposes arguably the strictest data minimization obligation of any U.S. state privacy law, requiring controllers to limit the collection of personal data to what is “reasonably necessary and proportionate to provide or maintain a specific product or service requested by the consumer”. For sensitive data, the standard is even higher: collection or processing is permitted only where “strictly necessary” to provide a requested product or service, and the sale of sensitive data is banned outright, even with consumer consent.

State regulators have also declared data minimization a priority enforcement focus. In April 2024, the California Privacy Protection Agency (CPPA) Enforcement Division issued its first-ever Enforcement Advisory, titled “Applying Data Minimization to Consumer Requests,” categorizing data minimization as a “foundational principle” of the CCPA and underscoring that businesses must apply it to every purpose for which they collect, use, retain, and share consumer personal information. Deputy Director of Enforcement Michael Macko called data minimization and purpose limitation “fundamental” to the CCPA, declaring that “a priority for us going forward is making sure when we look at opt-outs and other aspects of California law, are we also looking at data minimization? Are we asking the right questions about purpose limitation?” The CPPA has since continued active enforcement, including settlements with Honda ($632,500) and Todd Snyder ($345,178) in 2025. The Texas Attorney General has emerged as one of the most aggressive non-California state enforcers, including through enforcement actions targeting the unlawful collection and sale of precise location data. Connecticut has likewise entered the enforcement arena, with its Attorney General bringing the state’s first CTDPA enforcement action and publicly stating that “serious privacy and data security concerns could have been offset, if not fully alleviated, if companies had properly minimized the data they collected and maintained.” Maryland, Colorado, Minnesota, Oregon, and New Jersey are all expected to emerge as active enforcers in 2026, with Maryland’s strict data minimization requirements expected to be an early area of scrutiny.

Practical Takeaway

The Spanish Supreme Court ruling is a useful reminder that data protection compliance does not begin when personal data arrives. It begins when an organization decides what data to ask for in the first place. Organizations operating in both the EU and the United States should evaluate their data intake processes (employee onboarding forms, customer verification questionnaires, health-related inquiries, vendor due diligence requests) to ensure that data minimization and purpose limitation are built into the design of those processes from the outset.