Breach of Professional Secrecy Lawyer (Art. 199 CP)
Criminal defense for disclosing another person's secrets known through one's office, employment relationship or a profession bound by a duty of confidentiality.
Last updated:
Breach of professional secrecy is defined in Article 199 of the Spanish Criminal Code, among the offences of discovery and disclosure of secrets that protect the personal and family privacy recognised in Article 18 of the Constitution. Unlike the unlawful access to communications or data (discovery and disclosure of secrets under Art. 197 CP), here the secret is not obtained unlawfully: it is known lawfully through one's office, employment relationship or professional practice, and the criminal conduct is to improperly divulge or disclose it. As criminal lawyers specialising in privacy offences in Madrid, we build the technical defense of professionals, employees and companies facing these charges.
Legal Framework: Article 199 CP
The provision contains two clearly distinct forms:
- Art. 199.1 CP (basic offence): punishes anyone who discloses another person's secrets known by reason of their office or employment relations. The penalty is imprisonment of one to three years and a fine of six to twelve months. It covers employees, workers and service providers who, without being registered professionals subject to confidentiality, access another's confidential information through their position.
- Art. 199.2 CP (aggravated offence): punishes the professional who, in breach of their duty of confidentiality or reserve, divulges another person's secrets. The penalty is imprisonment of one to four years, a fine of twelve to twenty-four months and special disqualification from that profession for two to six years. This is the case of the doctor, lawyer, psychologist, notary, journalist, adviser or any professional bound by a specific duty of reserve.
The greater severity of 199.2 is justified by the qualified trust the victim places in the professional and by the duty of confidentiality imposed by the relevant professional and ethical rules (medical confidentiality, the lawyer's professional secrecy under Art. 542.3 of the Judiciary Act, etc.). Special disqualification is a particularly damaging consequence, as it prevents the practice of the profession for years.
Criminal Conduct and Protected Interest
The offence requires three elements: (1) the existence of a genuine secret belonging to another —reserved information, neither public nor notorious, affecting a third party's private sphere—; (2) that the person knows it lawfully through their office, employment relationship or profession; and (3) an act of disclosure or divulgation to unauthorised persons, carried out with intent. Mere negligence in safekeeping is not punished, but the conscious disclosure is. Nor does any data suffice: it must be reserved information whose dissemination harms or may harm its holder.
Distinction from the Ethical Duty
A central key to the defense is distinguishing the ethical (deontological) breach from the criminal offence. Professional secrecy has a professional-body and disciplinary dimension (sanctions by the relevant professional association) and a criminal dimension (Art. 199 CP). Not every breach of the duty of reserve reaches criminal relevance: many forms of conduct remain in the disciplinary sphere without amounting to the offence, particularly where intent is lacking, where the information was not strictly secret, or where a ground of justification applies. Identifying this boundary is decisive to avoid a criminal conviction and, with it, disqualification.
Defense Strategies
The defense may rest, depending on the case, on: consent of the holder of the secret, express or implied, which excludes the offence; absence of a secret nature of the information (data already public, notorious or known to third parties); lack of intent to disclose (inadvertent divulgation, error as to the reserved nature); necessity or performance of a duty (for instance, the legal obligation to report certain crimes, the communication to health or judicial authorities, or the prevention of a serious and imminent harm); and the existence of a prevailing legitimate interest justifying the communication. The procedural requirement is also essential: under Article 201 CP, the offence is only prosecutable upon a complaint by the aggrieved party or their legal representative, so the absence of a valid complaint bars the proceedings.
Criminal Consequences
The basic offence under 199.1 carries imprisonment of 1 to 3 years and a fine of 6 to 12 months. The aggravated offence under 199.2 raises the penalty to imprisonment of 1 to 4 years, a fine of 12 to 24 months and special disqualification from the profession for 2 to 6 years. Alongside the penalty, civil liability for the harm caused to the victim may be declared. The defense focuses on avoiding conviction or, alternatively, on the most favourable sentencing and on the suspension of imprisonment where the legal requirements are met.
We act before the Investigating Courts, the Criminal Courts and the Provincial Courts throughout Spain. For a confidential assessment of your case, you may contact our firm at Velázquez 27, Madrid, or by phone at 91 078 65 74.
Penalties & Consequences: Breach of Professional Secrecy Lawyer (Art. 199 CP)
| Type / Scenario | Criminal Penalty |
|---|---|
| Imprisonment | 1-3 years (Art. 199.1) or 1-4 years in the aggravated offence of the professional bound by confidentiality (Art. 199.2). |
| Fine | 6-12 months (199.1) or 12-24 months (199.2), set by daily quotas according to financial capacity. |
| Disqualification | Special disqualification from the profession for 2 to 6 years in the aggravated offence under Art. 199.2 CP. |
* Penalties shown are indicative. The actual penalty depends on case circumstances, applicable mitigating and aggravating factors.
Defense Strategy: Breach of Professional Secrecy Lawyer (Art. 199 CP)
Criminal/Ethical Distinction
We assess whether the conduct reaches criminal relevance or remains within the professional body's disciplinary sphere, avoiding conviction under Art. 199 CP.
Lack of Offence
We establish the holder's consent, the absence of a secret nature of the information, or the lack of intent to disclose.
Procedural Requirement
We verify the existence and validity of the prior complaint by the aggrieved party required under Art. 201 CP.
Cybercrime in Spain: Hacking, Phishing & Digital Fraud — Defence Guide
Cybercrime encompasses illegal access to computer systems (Art. 197 bis CP), computer damage and ransomware (Art. 264 CP), phishing and digital fraud (Art. 249.1.a CP), and the production or distribution of hacking tools (Art. 197 ter). Spain's prosecution of cybercrime has intensified dramatically, with specialised units in the National Police (BIT) and Guardia Civil (GDT) leading investigations. Defence requires a unique combination of criminal law expertise and advanced technical knowledge.
Penalty Table: Cybercrime
| Offence | Article | Description | Penalty |
|---|---|---|---|
| Illegal access to systems | Art. 197 bis | Unauthorised access breaching security measures | 6 months – 2 years |
| Interception of data | Art. 197 bis.2 | Intercepting non-public data transmissions | 3 months – 2 years |
| Production/supply of hacking tools | Art. 197 ter | Creating or distributing tools designed for cybercrime | 6 months – 2 years |
| Computer damage (basic) | Art. 264.1 | Deleting, damaging or making data inaccessible | 6 months – 3 years |
| Aggravated damage (critical infrastructure) | Art. 264.2 | Affecting essential services or critical infrastructure | 2 – 5 years prison |
| Cyber fraud (phishing) | Art. 249.1.a | IT manipulation to obtain unlawful transfer of assets | 6 months – 3 years |
Key Defence Strategies
IP Attribution Challenge
An IP address does not identify a person. Shared Wi-Fi networks, VPNs, Tor exit nodes and NAT configurations mean multiple users may share one IP. The prosecution must prove the accused was the actual user at the relevant time.
Chain of Digital Custody
Digital evidence is extremely fragile. If the police failed to image the hard drive with a write-blocker, if hash values don't match, or if evidence was handled improperly, the defence can seek exclusion of the entire digital evidence chain.
Authorised Security Testing
Ethical hacking and penetration testing carried out with the system owner's authorisation is legal. If the defendant had a written engagement contract, bug bounty agreement or responsible disclosure policy, there is no criminal offence.
Lack of 'Breaching Security Measures'
Art. 197 bis requires that security measures were breached. If the system had no password, no firewall, or the access point was public, the element of 'breaching security' may be absent, negating the offence.
Key Case Law
The Supreme Court confirmed that 'access' requires effectively entering the system, not merely attempting it. The prosecution must prove: (1) access occurred, (2) it was unauthorised, and (3) security measures were breached. Port scanning alone does not constitute the offence.
The Court ruled that ransomware attacks may constitute a concurrent offence of computer damage (Art. 264) and extortion (Art. 243 CP). The encryption of data satisfies the 'damage' element even if data is technically recoverable upon payment.
In phishing operations, the Court distinguished between the organiser and the 'money mule' (account holder). The mule's liability depends on proof of knowledge that the funds were illicit. Wilful blindness may suffice, but mere negligence does not.
Why Choose Us?
Need a criminal defense lawyer for this type of offense? Here's how we work:
Do you need specialised legal assistance?
The judicial system is complex. We have the criminal-law specialisation and technical resources required to take on the defence.