Guide to Business in Spain

2 Defining regulatory principles

2.1 Civil and Commercial Legislation

2.1.1 Civil and Commercial Codes

Electronic contracts are fully subject to the rules established by the Spanish Civil Code on obligations and contracts and by the Commercial Code.

Electronic contracts are also subject to EC Regulation 593/2008, of June 17, 2008, on the law applicable to contractual obligations (Rome I), which will apply to contractual obligations in the civil and commercial area in situations involving a conflict of laws.

2.1.2 Distance sales

  1. Equally applicable to electronic sales are the rules related to distance sales and other related relevant rules: Regarding commercial operations in which the buyer is an undertaking or a businessman, Act 7/1996 ordering the Retail Trade should be taken into consideration, in particular the Chapter regarding Distance Sales, which makes a specific referral to Title III of Book II of Legislative Royal Decree 1/2007, of 16th of November, which approved the Revised General Consumer and User Protection Law and other supplementary laws (“TRLGDCU”).
  2. Whenever e-commerce activities are targeted at consumers, it is necessary to comply with consumer protection legislation, regulated in the aforementioned TRLGDCU.

    This Law defines “distance sales” as sales concluded without the simultaneous physical presence of the buyer and the seller, where the seller’s offer and the buyer’s acceptance are conveyed exclusively by a means of distance communication of any nature and within a distance contract system organized by the seller.

    This Law establishes that distance sale offers (either to consumers or to undertakings) must contain at least the following:

    • The seller’s identity, including its trade name.
    • The main features of the product, the price, and the shipping expenses and, if applicable, the cost of using the distance communication technique if it is calculated on a basis other than the basic rate basis.
    • The full address of the trader's establishment, telephone number and e-mail address, and details of any other medium made available to consumers or users by the trader.
    • Where applicable, the fact that the price has been customized on the basis of automated decision-making.
    • The payment method, and form of delivery or types of fulfillment of orders.
    • The period for which the offer remains valid and, if applicable, the minimum term of the contract.
    • The existence of a right to withdraw or terminate the contract and, if applicable, the circumstances and conditions in which the seller could supply a product of equivalent price and quality.
    • The out-of-court dispute resolution procedure, if applicable, in which the seller participates.
    • Reminder of the existence of a legal guarantee depending on the type of goods or services.
    • Information on the cases in which the seller shall bear the costs of returning the goods.

    This Royal Decree sets out, among other matters affecting the consumers, the rules governing unfair conditions of contracts concluded with consumers, and the right to withdraw that consumers have in distance sales (fourteen calendar days).

  3. It should also be noted that Law 22/2007, of July 11, 2007, on the distance marketing of consumer financial services, shall also be taken into consideration when dealing with consumers in the financial sector. The Law specifically regulates the protection granted by the general law to the users of remote financial services by establishing, among others, the generic requirement to provide the consumer with precise and exhaustive information on the financial contract prior to its signature and by granting the consumer a specific right to withdraw from the distance contract previously concluded.
  4. Where, in making the contract, there is an intention to incorporate predisposed clauses into a plurality of contracts, regard must be had to Standard Contract Terms Law 7/1998.
  5. If the activity carried out is related to the sale of consumer goods, the aforementioned TRLGDCU must be taken into consideration regarding the warranties on consumer goods, because it establishes the measures aimed at ensuring a minimum uniform standard of consumer protection. Such rules require the trader to provide a free 3-year warranty for consumers on all consumer goods (acquired for the first time) and a 2-year warranty in the case of digital contents or services¹, and to offer consumers a range of possible remedies when the goods acquired do not conform to the terms of the contract, to make them conform, enabling consumers to choose between demanding their repair or substitution.

2.1.3 Other applicable regulations

  1. In accordance with Law 56/2007 of December 28, 2007 on Measures to Promote the Information Society, enterprises that provide services of special economic significance to the general public and that are of a certain size are required to provide their users with an electronic means of communication which, through the use of qualified electronic signature certificates, enables them to perform at least the following steps: (a) conclude contracts electronically and amend and terminate them; (b) consult their customer data (including the record of billings covering at least the past 3 years) and the concluded contract, with its general conditions; (c) submit complaints, incidents, suggestions and claims (while guaranteeing a record of their submission and direct personal assistance); and (d) exercise the rights provided for in data protection legislation.

    This requirement applies to enterprises providing services of special economic significance to the general public provided that they employ more than 100 workers or have an annual turnover (according to the VAT legislation) of more than €6,010,121.04. The enterprises that Law 56/2007 includes in this category are those operating in the following industries: (i) electronic communications services to consumers; (ii) financial services aimed at consumers (banking, credit or payment, investment services, private insurance, pension plans and insurance brokerage); (iii) supplying water to consumers; (iv) supplying retail gas; (v) supplying electricity to final consumers; (vi) travel agencies; (vii) carriage of travelers by road, railway, by sea, or by air; and (viii) retail trade (although for these last-mentioned ones, the electronic means of communication need only enable what is set out in letters (c) and (d) above).

  2. Due to their particular importance in electronic commerce, it is worth noting some legal provisions concerning payment services:
    1. Royal Decree-Law 19/2018, of November 23, on payment services and other urgent measures on financial matters is the law transposing in Spain Directive (EU) 2015/2366, of November 25, on payment services in the internal market (known as the PSD2 Directive). This Royal Decree-Law has repealed the Payment Services Law 16/2009, of November 13, 2009. The new payment services legislation mainly affects the payment transactions that are most commonly used in an electronic commerce environment: transfers, direct debiting and cards, establishing, as a general rule, that the payer and the payee of the transaction must each bear the charges levied by their respective payment services providers. In any event, in the case of transactions with consumers, the specific legislation (Legislative Royal Decree 1/2007) prohibits the trader from charging the consumer fees for the use of payment methods that exceed the cost borne by the trader for the use of such payment methods.

      Due to the volume and importance of the data that may be exchanged in connection with economic transactions executed in an e-commerce environment, the protection of the personal data that they may contain is particularly important. In this regard, it is important to consider Guidelines 06/2020 on the interplay of the Second Payment Services Directive and the General Data Protection Regulation, adopted by the European Data Protection Board ("EDPB") on December 15, 2020.

      Lastly, both the Royal Decree-Law 29/2018 and the consumer protection legislation envisage for distance contracts that, where the amount of the purchase or of a service has been charged fraudulently or incorrectly using the number of a payment card, the consumer may request the immediate cancellation of the charge.

      One of the main new features of Royal Decree-Law 19/2018 is that it regulates payment initiation services and account information services.

    2. The legislation on interchange fees has been introduced by Royal Decree-Law 8/2014, of July 4 and Law 18/2014, of October 15. This legislation establishes a system of caps on interchange fees in transactions with credit or debit cards in Spain (applying them to POS terminals located in Spain), regardless of the trade channel used (that is, including physical and virtual POS terminals), provided that they require the involvement of payment services providers established in Spain.

      The caps applicable on or after September 1, 2014 are as follows:

      1. Debit cards: The interchange fee per transaction may not exceed 0.2% of the value of the transaction, subject to a cap of 7 euro cents. But if the amount does not exceed €20, the interchange fee may not exceed 0.1% of the value of the transaction.
      2. Credit cards: The interchange fee per transaction may not exceed 0.3% of the value of the transaction. But if the amount does not exceed €20, the interchange fee may not exceed 0.2% of the value of the transaction.

      These caps do not affect transactions performed with company cards or withdrawals of cash from automatic teller machines. In addition, three-party payment card systems are excluded from the application of these caps, except for certain cases identified by the legislation.

  3. Also worthy of note is Law 29/2009, of December 30, 2009, modifying the legal regime governing unfair competition and advertising in order to enhance consumer and user protection. Special mention should be made of the unfair practice status to be granted to the making of unwanted and reiterated proposals by telephone, fax, e-mail and other means of long-distance communication, unless such proposals are legally justified for the purpose of complying with a contractual obligation. Moreover, when issuing such communications, traders and professionals must use systems that enable consumers to place on record their opposition to continuing to receive commercial proposals from such traders or professionals. Thus, when making such proposals by telephone, calls must be made from an identifiable number.
  4. It is advisable to take into account the legislation deriving from Directive (EU) 2016/1148, concerning measures for a high common level of security of network and information systems across the Union. In Spain, this Directive has been transposed by means of Royal Decree-Law 12/2018, of 7 September, concerning security of the networks and information systems, which has itself been developed by Royal Decree 43/2021, of 26th January. This legislation applies to essential services operators and digital services providers, as they are defined therein (digital services being cloud computing services, online search engines and online marketplaces). In particular, these marketplaces are an increasingly common way of developing e-commerce activities.

    It should be noted that the aforementioned Directive (EU) 2016/1148 has recently been repealed by Directive (EU) 2022/2555 of 14 December 2022 on measures for a high common level of cybersecurity across the Union (NIS 2 Directive).

    The main objectives of this new Directive are: to eliminate the divergences that have arisen between Member States' national cybersecurity regulations and the implementation thereof, namely by defining minimum standards for the functioning of a coordinated regulatory framework, establishing mechanisms to ensure that the competent authorities of each Member State cooperate effectively, updating the list of sectors and activities subject to cybersecurity obligations, and making available effective remedies and enforcement measures to guarantee actual compliance with such obligations. However, although this Directive came into force on January 16, 2023, the deadline for its transposition is October 17, 2024, and until its transposition into Spanish law has been approved, the provisions of Royal Decree-Law 12/2018 will continue to apply.

    We simply mention this legislation because, although it only applies to certain types of service providers, compliance with it is particularly important, especially in the case of the obligated parties under Royal Decree-Law 12/2018, and those others referred to in the provisions transposing the NIS 2 Directive, based on the new activities and criteria for determining whether an entity is an obligated party included in the scope of application of the Directive.

    All obligated entities must take into account this legislation, which, among others, imposes an obligation to notify the competent authorities beforehand, and requires compliance with other data security obligations (such as, for example: governance measures, internal organizational policies and greater control over subcontractors). Non-compliance may lead to high penalties (up to 10 million euros or a maximum of at least 2% of the total annual worldwide turnover of the organization to which the essential entity belonged during the previous financial year, whichever is higher).

  5. Finally, it is important to draw attention to Regulation (EU) 2022/2554 of 14 December 2022 on digital operational resilience for the financial sector ("DORA"), which came into force on January 16, 2023 and whose mandatory date of application in all Member States will be January 17, 2025.

    Digital operational resilience is defined as the ability of a financial entity to build, assure and review its operational integrity and reliability by ensuring, either directly or indirectly through the use of services provided by ICT third-party service providers, the full range of ICT-related capabilities needed to address the security of the network and information systems which a financial entity uses², and which support the continued provision of financial services and their quality, including throughout disruptions.

    In this regard, the purpose of the DORA Regulation is to establish, for the security of networks and information systems, a series of uniform requirements: (i) that are applicable to financial institutions (e.g. on ICT risk management, the notification of serious ICT and payment incidents, digital operational resilience testing); (ii) requirements regarding contractual arrangements with ICT providers; (iii) rules on the supervisory framework for critical ICT third-party providers; and (iv) rules on cooperation between authorities.

    As a result, this Regulation contains important organizational, analytical and technical requirements for the entities which are obliged to comply with its provisions. It establishes that the organization's most senior managing body shall be responsible for defining, approving and supervising a management and governance framework for the organization to ensure compliance with ICT risk management requirements and the obligations envisaged in its provisions.

¹ In accordance with art. 16.7 of Royal Decree-Law 7/2021 of April 27, 2021, which amends, among others, art. 120 of the TRLGDCU, the period for declaring a lack of conformity in the case of contracts for the sale and purchase of goods is changed from two to three years, effective for goods purchased after January 1, 2022.

² The scope of application of the DORA Regulation includes a broad list of entities, such as credit institutions, payment institutions, account information service providers, e-money institutions, investment firms and third-party providers of ICT services.