LetsLaw

Duty of diligence and loyalty in corporate management

LetsLaw — Mon, 30 Mar 2026 08:00:37 +0000

Managing a company entails responsibilities that go beyond mere decision-making. Directors have a duty of diligence and loyalty, which requires them to act always in the best interest of the company and its shareholders, avoiding any actions that could harm collective interests. This principle is not only ethical but also legal: the Spanish Companies Act establishes clear mechanisms to ensure that directors fulfill their obligations and are accountable for potential damages.

The duty of diligence means that directors must act with care, sufficient information, and prudence in both daily management and strategic decisions of the company. Meanwhile, the duty of loyalty requires that all actions be carried out with honesty and transparency, avoiding conflicts of interest and situations where personal gain outweighs the company’s interest. Failure to comply with these duties can have economic consequences and may even result in personal liability for the director.

When does a director become personally liable?

Spanish law establishes that directors may be held personally liable when they fail to fulfill the legal or statutory duties inherent to their role. In general terms, liability actions can be either social or individual. A social action allows the company to claim damages resulting from a director’s negligent or disloyal conduct. According to Articles 239 to 241 bis of the Spanish Companies Act, minority shareholders may also bring a liability action when directors fail to act in accordance with the law, including cases of breach of the duty of loyalty, without the need to submit the decision to the general meeting.

Creditors may also intervene in cases where the company’s assets are insufficient to satisfy their claims, exercising the social action subsidiarily. On the other hand, an individual action directly protects the interests of shareholders or third parties who have suffered a specific loss due to the directors’ actions. It is important to remember that all these actions prescribe after four years from the moment they could have been exercised, according to Article 241 bis, establishing a clear time limit for claims.

A particularly relevant case is regulated by Article 367, which addresses the joint liability of directors in dissolution scenarios. If directors fail to call a general meeting within the legal deadlines to adopt the necessary dissolution agreements or to remedy causes that could lead to dissolution, or if they fail to request judicial dissolution, they are jointly liable with their personal assets for obligations arising after the event that triggered the cause of dissolution.

This presumption of liability applies unless proven otherwise and protects legitimate creditors by ensuring that obligations arising after the cause of dissolution are assumed by those who should have acted. However, directors may be exonerated if they demonstrate that they communicated negotiations with creditors or requested the bankruptcy declaration within a two-month period.

In practice, this means that directors must maintain active, diligent and transparent management, reporting any situation that may compromise the company’s stability, strictly complying with legal deadlines, and avoiding any action that could cause economic harm. Direct personal liability is precisely intended to encourage prudence and strategic planning, ensuring that directors make decisions based on proper information and guided by the company’s best interests.

Protection of directors against third-party claims

While the law establishes clear mechanisms for liability, there are also tools to protect directors against third-party claims, especially when they act lawfully and within the scope of their duties. These protections include directors’ liability insurance, internal indemnification agreements, and policies covering damages arising from professional actions in the exercise of their functions. The purpose of these protections is to prevent directors from having to answer with their personal assets for situations that do not arise from negligence or disloyalty.

In practical terms, directors should adequately document their decisions, obtain technical and legal reports, and have the company’s backing for any significant action. This combination of legal duties and protective mechanisms allows for safer management, encouraging strategic decision-making without fear of unfounded claims.

Complying with duty of diligence and loyalty

Complying with the duty of diligence and loyalty is far from a mere formality: it is a fundamental pillar of corporate trust and economic stability. Directors must always act in the best interest of the company and its shareholders, avoiding conflicts of interest, making informed decisions, and strictly adhering to legal deadlines and procedures.

Direct personal liability, particularly in cases of dissolution or failure to fulfill essential duties, protects both the company and its creditors, encouraging prudence in management. At the same time, mechanisms designed to safeguard directors against third-party claims allow them to perform their roles with legal certainty, promoting effective and responsible management.

The combination of clearly defined duties and adequate protections ensures a balance between accountability and security, strengthening confidence in corporate governance and supporting the long-term sustainability of the business.

Contact Us

[contact-form-7]

Digital evidence in judicial proceedings: issues of validity and authenticity

LetsLaw — Fri, 27 Mar 2026 08:00:46 +0000

Digital evidence has become a central element in most modern disputes. An email, a WhatsApp message, a system access log, or a social media post can be decisive in proving facts, intent, or breaches. However, the mere existence of an electronic trace does not mean it will automatically qualify as strong evidence in court.

In judicial proceedings, digital evidence often faces two major challenges: its validity, understood as admissibility and lawfulness, and its authenticity, which requires proving that the content is genuine, has not been altered, and can be attributed to a specific person or source. For this reason, understanding what types of digital evidence exist, how they should be preserved and how authenticity is assessed is essential to avoid challenges and strengthen evidentiary value.

Types of digital evidence

First, it is useful to distinguish the main types of digital evidence:

The most common are electronic communications, such as emails, instant messaging, and social media messages, which are often submitted to prove agreements, warnings, claims, or conduct.
Digital documents and files are also frequently used, including electronically signed contracts, PDFs, spreadsheets, or cloud-stored documents, whose evidentiary weight is reinforced when they are submitted in their original format and with metadata preserved.
Another important category is web and social media content, such as posts, advertisements, reviews, or web pages, where the main issue is volatility, since content can be easily modified or deleted.
Added to this are technical records or logs, which include server traces, system audits, access records, IP addresses, and activity logs, particularly useful in cybersecurity matters or technology-related contractual breaches.
Audio, video and digital images are also commonly produced as evidence, including recordings, CCTV footage, screenshots, or photographs, whose assessment is often more delicate due to the possibility of cuts, edits, or lack of continuity.
Finally, there are more advanced forms of evidence, such as time stamping, digital custody systems or records linked to connected devices, which can provide additional guarantees when they have been properly obtained and documented.

Preservation and custody of evidence

However, the factor that most strongly determines the strength of any digital evidence is its preservation and custody. In the electronic context, custody involves maintaining the integrity and traceability of the evidence from the moment it is obtained until it is presented in court. If it cannot be coherently explained who obtained it, when, from which device or account, how it was preserved, and what measures were taken to prevent alterations, the opposing party will often question its reliability.

Many problems arise when only screenshots are submitted without further support, when a device or file is manipulated without documentation, or when the origin trail is lost. For example, a screenshot of a conversation may be enough to frame the dispute, but it is more vulnerable if it is not accompanied by a complete export, the original file, or technical verification.

Proper custody, by contrast, aims to preserve the original or a faithful copy, minimize interventions on the evidence, document the collection and preservation process, and, when the case requires it, apply technical safeguards such as generating digital fingerprints (hash values) or time stamping.

In practice, the higher the risk of challenge or the greater the importance of the fact to be proven, the more advisable it is to adopt measures that demonstrate the evidence remained intact and that there were no reasonable opportunities for manipulation.

How is the authenticity of electronic evidence assessed?

The authenticity of electronic evidence is typically assessed on the basis of three essential issues:

The first is attribution, meaning whether the evidence can be linked to the person who allegedly created or sent it. It is not enough for a name to appear on a screen; what matters is proving the relationship between the account or device and the individual, relying on contextual data, the coherence of the conversation, email header information, authentication records, or other elements that consistently identify the user.
The second issue is integrity: the court must be able to trust that the content has not been modified since its creation. For this purpose, the original formats, metadata, the absence of signs of editing, and technical and chronological consistency are particularly important, as well as, where available, verification through hash values, time stamping, or third-party custody.
The third issue is the reliability of the method of collection and presentation. If the procedure used to capture or extract the evidence is weak or insufficiently transparent, authenticity is undermined. Conversely, when evidence is provided in full, the method of collection is explained, and a forensic IT expert report is submitted in complex cases, the evidence tends to become more robust and better able to withstand adversarial scrutiny.

Ultimately, digital evidence is extremely useful, but also fragile. Its success in court depends not only on what the document or message “shows,” but on the ability to prove that it is lawful, intact and attributable.

Anyone preparing proceedings with a technological component should anticipate the usual risks by preserving evidence early, ensuring proper custody, and, where the dispute requires it, relying on technical verification and expert evidence. This reduces challenges and increases the credibility of the evidence before the court.

Contact Us

[contact-form-7]

Who owns the prompt?

LetsLaw — Wed, 25 Mar 2026 08:00:30 +0000

The rapid advance of generative artificial intelligence has shifted the center of gravity of legal debate away from the output produced by the machine and toward the human instruction that triggers it. In professional practice, the so called prompt has ceased to be a simple technical command and has become a first rate strategic asset.

This new reality makes it necessary to examine whether these instructions have enough substance to be protected by the legal system or whether, on the contrary, they remain in a regulatory limbo where information security and intellectual property are under constant risk.

Copyright in the prompt and the originality threshold

Determining whether a prompt qualifies as a work that can be protected under the Intellectual Property Act requires a rigorous analysis of the concept of originality. For a creation to be covered by copyright, it must be an individual intellectual expression that reflects the author’s personality through free and creative choices.

In this sense, most functional instructions or simple requests for information lack the creative height needed to be considered literary works. However, where we find complex structures that combine a specific data architecture with carefully built logical constraints, the prompt could reach the category of a technical work.

Current case law, in line with international positions such as those of the United States Copyright Office, tends to deny authorship over the machine generated result, but it leaves the door open to protecting the human instruction provided it clears certain levels of complexity.

Pinpointing where the technical instruction ends and where the protectable work begins is a blurred boundary that calls for an individualized assessment of each interaction protocol.

Confidentiality and operational risks in handling data through artificial intelligence

Beyond ownership of the content, the main compliance concern lies in the integrity and confidentiality of the information. The prompt operates as a data entry space that, in open computing environments, can compromise professional secrecy and business confidentiality in an irreversible way.

Most commercial language models use user inputs for retraining processes, which involves a transfer of information beyond the control of the original sender.

This practice clashes with the obligations arising from the General Data Protection Regulation and the new requirements of the European Union Artificial Intelligence Act. The risk does not lie only in the possibility that the platform stores sensitive information, but also in the chance that such information is later reproduced in response to third party queries through data extraction techniques. Managing these risks requires the implementation of security protocols and usage policies that are not always obvious to corporate users.

Protection through trade secrets and contractual architecture

Given the uncertainties of relying on copyright to protect instructions that are often utilitarian in nature, the most solid legal strategy for organizations lies in trade secret protection.

An optimized prompt that delivers a real competitive advantage is an economic asset that should be safeguarded through a specific legal structure. If the organization implements technical and organizational measures to keep these instruction libraries confidential, they may be protected as industrial secrets.

In this scenario, legal protection does not stem from linguistic aesthetics, but from commercial value and exclusivity of access. However, the mere existence of secrecy does not guarantee successful enforcement if intellectual property clauses and appropriate confidentiality agreements have not been put in place beforehand in employment and commercial settings.

Only through tailored contractual architecture is it possible to ensure that the professional’s talent and specialized knowledge remain within the creator’s assets.

Contact Us

[contact-form-7]

What is tokenization? Legal implications

Marta Díaz — Mon, 23 Mar 2026 08:00:02 +0000

The digitalization of assets is transforming how value is represented, transferred and managed. In this context, tokenization has emerged as one of the most significant developments within the blockchain ecosystem.

Despite its growing presence, the concept still generates confusion. It is frequently associated exclusively with cryptocurrencies, when in reality they represent only a specific application within a much broader phenomenon.

Understanding what tokenization means, the different types of tokens that exist and how they fit within the European regulatory framework has become essential for legal practitioners interacting with the digital economy.

Tokenization is not synonymous with cryptocurrencies

When blockchain is mentioned, many people immediately think of Bitcoin or financial speculation. However, cryptocurrencies are merely one specific application of a much wider technological development.

From both a legal and technological perspective, tokenization consists of digitally representing an asset, right, or utility through a token recorded on a blockchain network. In other words, tokenization converts an asset or right into a transferable and programmable digital unit.

The underlying asset may be virtually anything, including money, corporate shares, real estate, art, access rights to services, intellectual property or physical assets from the real world.

This leads to a key concept within today’s ecosystem: the tokenization of real-world assets.

Blockchain technology does not necessarily create new value. Instead, it digitizes the legal representation of existing value, enabling traceability, fractionalization and transfer without traditional intermediaries.

Cryptocurrencies, therefore, are not the origin of tokenization. They are simply tokens whose value derives from the digital economic systems in which they operate.

Difference between utility tokens, security tokens and NFTs

One of the most common misconceptions within the blockchain ecosystem is assuming that all tokens share the same legal nature. From a legal standpoint, however, token classification depends not on the technology used, but on its economic function and the rights it confers.

Consequently, the applicable legal regime is determined not by the fact that an asset is tokenized, but by what the token actually represents.

Regulation (EU) 2023/1114, known as MiCA Regulation (Markets in Crypto-Assets Regulation), establishes a harmonized regulatory framework for certain crypto-assets, introducing three main regulatory categories:

Asset-Referenced Tokens.
E-Money Tokens.
Other crypto-assets, a residual category in which utility tokens generally fall.

However, MiCA does not regulate the entirety of the tokenization phenomenon. The Regulation expressly recognizes that certain tokens, particularly those representing financial instruments, fall outside its scope.

In particular, security tokens, when they embody rights equivalent to transferable securities or financial instruments, remain subject to the traditional European financial markets framework, primarily MiFID II and the corresponding national legislation.

The legal conclusion is clear, the economic function of the token determines its legal regime.

Utility tokens: access, not investment

Utility tokens are defined under MiCA as crypto-assets other than asset-referenced tokens or e-money tokens.

These tokens grant access to a product or service within a digital ecosystem. They function as a digital mechanism of use or consumption, allowing holders to interact with platforms or benefit from specific functionalities.

Typical examples include:

Access to SaaS platforms.
Services within metaverse environments.
Tokenized loyalty or reward programs.

The determining element is that they do not grant financial participation rights or profit expectations. For this reason, they are generally not considered financial instruments.

The main legal challenges surrounding utility tokens typically relate to consumer protection, transparency obligations, contractual terms and technological compliance rather than financial regulation.

Security tokens: when a token becomes a financial instrument

Security tokens represent economic or financial rights linked to an underlying asset and perform functions equivalent to traditional financial instruments.

They may be equivalent to shares, holdings, debt, investment rights or even profit sharing.

From a legal perspective, blockchain technology is irrelevant for regulatory classification. If a token incorporates investment expectations or economic rights characteristic of transferable securities, financial markets regulation applies, including MiFID II, the Prospectus Regulation and supervision by national authorities such as the CNMV.

This reflects the principle of technological neutrality, whereby technology does not alter the legal nature of the asset.
A financial instrument remains a financial instrument, even when represented digitally on a decentralized infrastructure.

NFTs: digital uniqueness

NFTs (Non-Fungible Tokens) constitute a distinct category based on non-fungibility, meaning each token possesses unique characteristics and cannot be exchanged on a one-to-one basis with another.

They are commonly used to represent digital art, collectibles,gaming assets or digital certifications.

The regulatory focus tends to be on issues of intellectual property, usage licences, digital authenticity, and rights associated with the token vis-à-vis the asset represented.

A frequent misconception must be clarified: purchasing an NFT does not automatically transfer copyright ownership unless an explicit rights assignment exists.

Tokenization of Real-World Assets

Beyond purely digital environments, the true potential of blockchain technology lies in the tokenization of real-world assets, understood as the digital representation of traditional assets through tokens recorded on decentralized networks.

The underlying asset can be very diverse, ranging from real estate to shares, commodities or works of art.

Tokenisation allows for:

The fractionalisation of traditionally illiquid assets.
The facilitation of global secondary markets.
The reduction of intermediation.
The automation of compliance through smart contracts.
Increased transparency and traceability.

Essentially, it does not create a new asset, but rather a new form of legal and technological representation of the existing asset.

Contact Us

[contact-form-7]

Dark patterns and e-commerce: the new legal risk arising from the Digital Fairness Act

Abogada Maria Barbero — Wed, 18 Mar 2026 08:00:15 +0000

E-commerce has evolved into highly sophisticated environments designed to increase conversion rates and optimize commercial performance. However, certain persuasive design techniques have crossed the line, becoming manipulative practices known as dark patterns.

With the forthcoming approval of the Digital Fairness Act (hereinafter, the “DFA”), these practices will move from being merely a reputational issue to constituting a legal risk for any e-commerce operator, reinforcing the protection of digital consumers and expanding the scope of obligations already established under current legislation.

Key developments introduced by the Digital Fairness Act

The purpose of this new regulation is to respond to the growing sophistication of digital manipulation techniques. Although European legislation already prohibited misleading commercial practices and material omissions, the DFA introduces three major enhancements:

Explicit regulation of interface design, by directly addressing the manipulation of user behavior through the design of digital interfaces. The regulation acknowledges that digital architecture can shape and influence economic decisions.
Enhanced protection against the exploitation of vulnerabilities, with particular attention to vulnerable consumers, such as minors and elderly individuals.
Coordination with other digital regulations, integrating the DFA into a broader regulatory ecosystem that includes the Digital Markets Act and the General Data Protection Regulation. A single interface design may simultaneously generate risks in the areas of data protection, competition law, and consumer protection.

What types of practices are considered dark patterns?

Dark patterns are design techniques that induce users to make decisions they would not have made under conditions of transparency and informational balance.

However, not all forms of persuasion are unlawful. The legal threshold lies in the manipulation or significant distortion of the consumer’s economic behavior.

Among the most relevant practices are the following:

Confirm shaming, which involves the use of messages designed to embarrass or pressure users into accepting an option that they would likely reject under neutral conditions. This mechanism relies on emotionally charged language that introduces an affective bias into the decision-making process. By associating the rejection option with a negative or socially undesirable connotation, it subtly undermines the consumer’s freedom of choice.
Cancellation obstruction, which occurs when subscription or sign-up processes can be completed in one or two clicks, while cancellation requires multiple steps, opaque forms, complex navigation paths, or even mandatory telephone contact.
Artificial scarcity and time pressure, through messages such as “Only 2 items left” when such statements are not supported by real or verifiable data. These practices accelerate purchasing decisions by exploiting urgency bias and fear of missing out, thereby limiting the time available for rational evaluation.
Visual interference, consisting of interface designs that disproportionately highlight the option most favorable to the company while minimizing the consumer’s alternative. This may be achieved through large buttons, striking colors, prominent placement, or high visual contrast.

Sanctions for engaging in prohibited practices

Furthermore, the entry into force of the Digital Fairness Act increases enforcement risk. In line with other European digital regulations, sanctions may be calculated as a percentage of total annual global turnover, meaning that large platforms may face multi-million-euro fines for engaging in such practices.

In addition, national consumer authorities may require the withdrawal or modification of interfaces within short timeframes, which entails a direct operational impact, such as urgent redesign, suspension of campaigns, and possible effects on conversion rates.

In addition, The strengthening of the regulatory framework facilitates the initiation of collective actions by consumer associations, thereby increasing companies’ exposure to both judicial and reputational consequences. In this context, businesses may face not only investigations by the competent authorities but also coordinated litigation strategies aimed at challenging and contesting manipulative digital practices.

Contact Us

[contact-form-7]

AI and health data

Abogada Paula Ferrandiz — Mon, 16 Mar 2026 08:00:22 +0000

Artificial intelligence is no longer a futuristic promise: it is rapidly becoming embedded in hospitals, clinics, laboratories, and mobile applications that monitor our daily lives. From systems that help detect tumors in medical images to algorithms that predict cardiovascular risks or personalize treatments, AI relies on a key resource: data. And when that data relates to our health—diagnoses, medical records, genetics, habits, or biometrics, the potential is enormous, but so are the implications.

This article explores the relationship, as powerful as it is delicate, between AI and health data. We will analyze why this information is considered particularly sensitive, the challenges it raises in terms of privacy, security, and bias, and how the regulatory framework (data protection and AI regulation) shapes its use. Because innovation in healthcare is essential, but doing it properly is not optional—it is the only way technology can advance without putting fundamental rights at risk.

Risks of bias when using AI in healthcare

The use of artificial intelligence in healthcare raises a particularly significant risk: algorithmic bias. AI systems learn from large volumes of data, and if those datasets are not representative or contain existing inequalities, the system may reproduce them or even amplify them. In healthcare, where decisions can directly affect diagnosis, access to treatments, or the prioritization of patients, this issue becomes critically important.

A common example is diagnostic systems trained on medical datasets that do not adequately reflect the diversity of the population. If an algorithm has been trained primarily on data from certain demographic groups, for example, patients of a predominant sex, age group, or ethnic background, t may produce less accurate results when applied to other populations. This can lead to delayed diagnoses, less effective treatments, or poorer risk assessments for certain groups.

Moreover, biases do not always originate solely from the data used to train the system. They can also arise during the algorithm design phase, in the selection of relevant variables, or even in the way results are interpreted. In the healthcare sector, where professionals increasingly rely on AI-based decision-support tools, there is a risk that automated or semi-automated decisions may introduce errors that are difficult to detect without adequate human oversight.

Compliance with the GDPR and the AI Regulation

In healthcare, the use of AI almost always involves processing particularly sensitive data, which means that the GDPR requires a solid legal basis and reinforced safeguards. It is not enough to claim that data are “anonymous” if they are in fact pseudonymized, nor is it sufficient to rely on a generic legitimate interest. Organizations must justify the legal basis for processing and the specific exception that allows the use of health data, while ensuring compliance with principles such as data minimization, purpose limitation, transparency, security and access control. In practice, many projects also require a data protection impact assessment because they involve special category data, new technologies, and potentially significant effects on individuals.

At the same time, the European AI Regulation (AI Act) classifies many healthcare-related AI uses as “high risk”, which introduces additional obligations aimed at ensuring the safety and reliability of AI systems. These include requirements relating to data quality and governance, technical documentation and traceability, risk management, human oversight, robustness, and cybersecurity. In simple terms, the GDPR primarily protects individuals’ rights with respect to personal data, while the AI Act focuses on the risks associated with the AI system itself. Complying with one without considering the other often leaves important regulatory gaps.

How to ensure legal compliance when processing data with AI

Proper compliance begins with clearly defining the purpose of the AI system and identifying who actually determines the purposes and means of processing, since this determines responsibilities, contractual arrangements, and legal obligations. It is also necessary to identify what types of data are processed—including health-related inferences—select the appropriate legal basis and specific authorization for processing health data, and provide clear information to individuals about the use of AI, its purposes, and its limitations. From an operational perspective, compliance largely depends on security, governance and proper documentation, including real technical safeguards, oversight of service providers, limited retention periods, and evidence that the system has been validated and is subject to ongoing monitoring.

Finally, it is essential to recognize that AI systems are not static. Models that are retrained, updated, or that drift over time require continuous review. For this reason, compliance is not limited to documentation but must involve an ongoing cycle of evaluation and improvement, including bias and accuracy checks, effective human oversight, and the ability to detect and manage incidents. Only in this way can innovation in healthcare progress without compromising privacy, security, and fairness.

Contact Us

[contact-form-7]

How to minimise the risk of trademark opposition

Abogada Claudia Somovilla — Wed, 11 Mar 2026 08:00:36 +0000

Registering a trademark is a strategic decision that directly affects the value and protection of any business project. However, one of the main obstacles in this process is a trademark opposition — a situation that may delay or even block registration if prior rights conflict with the application.

Reducing the risk of trademark opposition is not a matter of chance, but of proper legal planning. Below, we analyse the key measures to minimise contingencies before and after filing a trademark registration.

Preliminary steps before registering a trademark

Most conflicts can be avoided through a rigorous prior assessment. Before filing an application with the Oficina Española de Patentes y Marcas (OEPM) or the Oficina de Propiedad Intelectual de la Unión Europea (EUIPO), three fundamental aspects should be addressed:

Clearance search

A trademark clearance search is the most effective filter to detect potential conflicts. It is not enough to verify whether the exact name is already registered; phonetic, visual and conceptual similarities must also be assessed.

A sign may give rise to a likelihood of confusion even if it is not identical to a previously registered mark. The analysis should include:

Similar word and figurative marks.
Related goods or services in the same or connected classes.
Well-known or reputed trademarks with extended protection.

A superficial search significantly increases the probability of facing an opposition.

Strategic Definition of Classes

Selecting the appropriate classes under the Nice Classification is a technical decision. Filing in too many classes may unnecessarily increase exposure to oppositions. Filing in too few may leave the actual business activity insufficiently protected.

It is advisable to precisely define current goods and services as well as those planned in the short term. A broad but justified specification reduces friction without compromising protection.

Assessment of distinctiveness

One of the most common mistakes is attempting to register descriptive or generic terms. Weak trademarks not only have limited enforcement capacity but also tend to generate more conflicts because their scope of protection is narrow.

A strong trademark is distinctive, does not directly describe the goods or services, and does not contain elements commonly used in the sector. The more distinctive the sign, the lower the likelihood of opposition and the greater its future enforceability.

Risk of conflict with larger brands

One of the most sensitive scenarios involves coexistence with established or reputed trademarks. In such cases, the analysis must be particularly cautious.

Enhanced protection of reputed trademarks

Trademarks with recognised reputation do not require identity of goods or services to oppose a later application. It is sufficient to demonstrate unfair advantage or dilution of their distinctive character.

In practice, this means that a smaller brand may face opposition even if it operates in a different sector, provided that the sign creates an association with a highly recognised trademark.

Indirect similarity and reputational risk

The risk is not limited to obvious copying. Minor variations in pronunciation, visual structure, suffixes or prefixes may be considered infringing if they clearly evoke a strong prior trademark.

Beyond administrative opposition proceedings, the owner of the earlier mark may initiate infringement or unfair competition actions, increasing both financial and reputational exposure.

If a business project is inspired — even indirectly — by an established brand, it is advisable to reconsider the naming strategy before investing in branding, domain names or marketing materials. Adjusting a trademark at an early stage is manageable; doing so after receiving a formal opposition often entails sunk costs and delays in commercial strategy.

What should I do if I receive a trademark opposition?

Receiving an opposition does not mean that registration is automatically lost. It does mean that a third party considers your trademark to encroach upon its scope of protection. The first step is not to react impulsively, but to analyse the situation.

A detailed assessment is required of the actual similarity between the signs, the overlap of goods or services, and the strength of the earlier trademark. Facing a weak mark is not the same as confronting one with a consolidated market position. Likewise, not every similarity automatically creates a legal likelihood of confusion.

Once a clear diagnosis has been made, the appropriate strategy can be defined. In some cases, negotiation is the most efficient route, particularly where it is possible to delimit fields of use and reach a coexistence agreement. In others, a formal response before the OEPM or EUIPO will be necessary, setting out technical arguments to demonstrate the absence of relevant conflict.

Cost-benefit analysis should always be part of the decision-making process. If investment in the trademark is still limited and the legal risk is high, redefining the sign may be more strategic than pursuing a lengthy and uncertain proceeding.

Minimising the risk of opposition begins long before filing the application. A thorough clearance search, a genuinely distinctive sign, and a properly defined specification of goods and services significantly reduce exposure to conflict.

When an opposition arises, the key is to address it with legal rigour and business perspective rather than urgency. A trademark that is strategically designed from the outset not only has greater chances of registration, but also stronger enforcement capacity and long-term stability.

Contact Us

[contact-form-7]

“Cuidado con lo que le confIAs”, the new AEPD ten-point guide

LetsLaw — Mon, 09 Mar 2026 08:00:45 +0000

On 27 January 2026, the day before International Data Protection Day (28 January), the Spanish Data Protection Agency (AEPD) published the “Cuidado con lo que le confIAs” ten-point guide, with practical recommendations to reduce privacy risks when we interact with AI systems.

Objectives of the AEPD ten-point guide

Aware of the growing use ofand the already tangible potential of Artificial Intelligence systems, the Agency considers it important to provide a set of tips to help people understand and prevent privacy risks arising from the improper use of these tools.

In the Agency’s own words, this ten-point guide “aims to offer the public key pointers to promote a safe, responsible and informed use of artificial intelligence and to foster a digital environment that respects people’s fundamental rights.”

In addition, this initiative follows the direction set out by the AEPD in its 2025-2030 Strategic Plan on Responsible Innovation and the defence of dignity in the digital era, where it reaffirmed its commitment to promoting a culture of privacy and data protection among both citizens and organisations, as well as supporting technological innovation with safeguards.

Responsible use of artificial intelligence

Talking about “responsible use” is not only an ethical matter; it is also a practical one. In day-to-day use of generative AI, there are four ideas worth keeping in mind:

1. Your prompt is not always “just text”

When you write a query, it is not only the content of the message that travels. In many services, use may involve technical and contextual data (browsing data, identifiers, metadata, etc.). In other words, even if your question is harmless, the surrounding ecosystem might not be.

2. Privacy is not breached only by sharing your name and surname

Some data may not look personal at first, but can become personal through accumulation: habits, frequent locations, routines, concerns, or preferences. With enough repetition, small clues add up to a profile.

3.AI doesn’t “understand” like a professional

These tools can sound convincing even when they are wrong. And in sensitive matters (health, legal advice, psychological support), the risk is not only privacy-related: it can also lead to poorly informed decisions.

4. It’s not only your privacy: you are also responsible for other people’s data

A common mistake is to think “this isn’t mine” and let your guard down: a client’s data, a candidate’s details, a supplier’s information, a colleague, a minor, a screenshot with names, a forwarded email… If you input these into an AI tool, you are processing personal data and may be exposing third-party information without a legal basis, without necessity, and without control.

The good practices recommended by the AEPD

The value of the ten-point guide lies precisely in the fact that it does not stay at generalities: it proposes concrete habits. These are the 10 recommendations set out by the Agency:

1. Don’t upload your personal information to AI

Avoid including information that directly identifies you (e.g., contact details, documents, personal images). If you need to describe a case, anonymise it or use a fictional scenario.

2. Be especially careful not to upload sensitive or delicate information

Some categories are best kept out by default: health data, financial information, contractual matters, locations or stays. These are high-impact data if exposed.

3. Respect the privacy of third parties

If your query involves other people, remove any element that could identify them. And as a rule of thumb: don’t upload images of third parties to generate new content, especially when minors are involved.

4. Don’t include professional information

If you use AI in a professional context, apply the “as if you were going to paste it into a public channel” standard (because, in practice, the risk of exposure exists). No contracts, reports, strategies, client data, or employee information.

5. Review the AI service’s terms before using it and choose the safest options

Before using a tool, check what happens to your information (retention, use for improvement, privacy settings, permissions). Prioritise solutions that collect only what is strictly necessary and provide clear controls.

6. If you need specialised professional advice, emotional support or psychological help, go to a professional rather than AI

If you need a diagnosis, clinical guidance, legal advice, or psychological support, don’t replace it with a conversation with AI. You can use AI as support, but not as “the professional”.

7. Don’t believe everything an AI says: keep a critical stance towards its answers

Maintain a critical mindset. Don’t delegate important decisions without verification, and cross-check against reliable sources (especially for matters with legal, financial, or personal impact).

8. Advise and guide the minors in your care

Explain what risks exist, what types of data should not be shared, and encourage critical thinking. Here, prevention means practical digital education.

9. Use different accounts and delete your history

If you are “testing” tools, avoid mixing them with your personal or professional email. Use separate accounts, review deletion options, and remove conversations regularly when the service allows it.

10. Your questions can define you

You don’t need to type “my ID number” to leave a trail. Repeated questions about habits, fears, likes or routines can build a very precise profile. Practise the “minimum necessary” principle in what you ask as well.

Contact Us

[contact-form-7]

Legal and commercial errors that can block an investment round

Abogado Alberto Zuñiga — Wed, 04 Mar 2026 08:00:16 +0000

When a company decides to launch an investment round, attention usually focuses on valuation, the equity to be offered, or the growth strategy. However, practice shows that, even before discussing figures, the real filter often lies in the company’s legal position.

The economic negotiation may be well structured, but if the legal framework is not properly organized, the transaction may be delayed, become more costly, or ultimately fail to close.

From a systematic perspective, the risks that most frequently affect an investment round can be grouped into three main categories: regulatory non-compliance, deficiencies in the corporate structure, particularly in the shareholders’ agreement, and contingencies related to the company’s key assets.

Regulatory non-compliance

The first level of analysis is regulatory.

Every company must conduct its business in accordance with the applicable legal and regulatory framework. However, in early stages it is relatively common for certain obligations to be postponed or interpreted with some flexibility. What may seem manageable in day-to-day operations can become a concrete contingency during a due diligence process.

It is common to identify activities subject to administrative authorization carried out without the required license, non-compliance with data protection regulations, contractual terms that do not conform to sector-specific rules, or failure to comply with regulations applicable to regulated industries.

It should be borne in mind that investors assess not only the project’s growth potential, but also the existence of risks that may jeopardize its continuity. A significant administrative sanction, operational restriction, or the nullity of certain contractual provisions may substantially alter the investment scenario.

For this reason, before launching a funding round, it is advisable to verify the level of regulatory compliance and, where necessary, regularize any issues identified.

Corporate structure and shareholders’ agreement

The second block of risks lies within the internal corporate structure. And it is worth emphasizing that, in many cases, the main source of tension is not the articles of association, but the shareholders’ agreement.

The entry of a new investor generally entails a capital increase and a shift in the balance among shareholders. At that stage, the shareholders’ agreement ceases to be merely an internal arrangement among founders and becomes the document that ultimately governs corporate governance, decision-making, and future exit scenarios.

It is common to encounter shareholders’ agreements drafted in early stages without anticipating growth scenarios. Imprecisely drafted drag-along or tag-along clauses, overly broad veto rights, reinforced majorities that hinder future capital increases, economic preferences granted without considering subsequent rounds, or the absence of clear provisions regarding new issuances and incentive plans are frequent issues.

Although a shareholders’ agreement has a contractual nature, its practical impact is decisive. If the internal framework is not properly structured, the entry of a new investor will likely require prior renegotiation. In some cases, that renegotiation proves more complex than the round itself.

In addition, consistency between the shareholders’ agreement and the articles of association is essential. Any misalignment creates legal uncertainty and requires the corporate framework to be adjusted before closing.

Likewise, basic corporate formalities must be reviewed: filing of annual accounts, proper registration of corporate resolutions, updated bylaws, and accurate maintenance of corporate books. Although these may appear to be formal matters, non-compliance conveys a sense of internal disorder.

In short, a poorly structured shareholders’ agreement is not a minor detail; it can become the main obstacle to raising capital.

Key assets and intellectual/industrial property

The third block of analysis concerns the assets that constitute the core value of the company.

In many startups, these assets are intangible: technological developments, software, databases, or trademarks. From a legal standpoint, it is essential to demonstrate that the company holds proper title to these assets or has sufficient rights to exploit them.

In practice, it is common to identify developments created by founders without formal assignment agreements, trademarks or domain names registered in the name of individuals, or the absence of documentation evidencing the transfer of strategic assets to the company.

If ownership is not properly documented, investors may require its regularization as a condition precedent to the investment. Where discrepancies exist among founders or former collaborators, the situation may become significantly more complex.

Considerations for preparing for an investment round

Preparing for an investment round should not be limited to drafting a compelling deck or negotiating valuation. It is advisable to conduct a comprehensive legal review in advance to assess regulatory compliance, alignment between corporate documents and shareholders’ agreements, the company’s corporate and registry status, and the adequate protection of its key assets.

A solid legal structure does not guarantee the success of a funding round, but it significantly reduces the risks that may jeopardize it or weaken the shareholders’ negotiating position.

If you are considering initiating a financing process, reviewing these aspects in advance may facilitate negotiations and strengthen your position vis-à-vis potential investors.

At LetsLaw, we analyze the legal position of each project with the aim of anticipating contingencies and structuring its growth on a sound legal basis.

Contact Us

[contact-form-7]

Legal notice and analysis of the Customer Service Act

Abogada Candela Martín — Mon, 02 Mar 2026 08:00:58 +0000

This legal memorandum is intended to provide a practical legal analysis of Law 10/2025, of 26 December, regulating customer service activities (the “Customer Service Act” or the “CSA”), highlighting its implications for companies subject to its provisions and offering useful legal criteria for adapting their customer service processes.

Legal analysis

For the first time in Spain, the CSA introduces a specific and mandatory regulatory framework governing how companies must provide customer service, establishing clear standards regarding response times, access to human assistance, transparency, accessibility, and traceability of interactions, as well as mechanisms to ensure the efficient resolution of queries, incidents, and complaints. Its purpose is to strengthen consumer protection, enhance market confidence, and prevent practices that may generate legal or reputational risks for companies.

In particular, the CSA has popularly been referred to as the ‘Three-Minute Law‘, as it requires that customer service calls be answered within an average maximum waiting time of three minutes. This requirement represents only one of several mandatory compliance obligations that companies must consider in order to mitigate legal risks and optimize customer experience.

The effective entry into force is accompanied by a transitional period until 28 December 2026, providing a limited window for companies to adapt their processes, systems, and contractual arrangements under a preventive and strategic approach.

Preliminary considerations

The CSA constitutes the first piece of legislation establishing specific and detailed obligations regarding the proper provision of customer service, moving beyond prior sector-specific approaches and consolidating minimum standards applicable to all affected operators.

The CSA pursues two core objectives:

Effective consumer protection: safeguarding users and consumers against practices that commonly generate frustration, such as excessive waiting times, exclusively automated customer service systems, unsolicited commercial calls (spam), hidden charges, and false online reviews.
Standardization of customer service quality: imposing clear metrics and performance obligations for customer service operations, ensuring that consumer experience translates into legal compliance and reduced reputational risk.

The nickname ‘Three-Minute Law’ stems from one of its most emblematic provisions: companies must ensure that 95% of customer service calls are answered within an average maximum waiting time of three minutes, without the possibility of terminating calls on the grounds of excessive waiting time. This requirement constitutes an obligation of result rather than a mere best-efforts standard, meaning that the allocation of human and technological resources must be strategically structured to ensure compliance.

The CSA introduces both result-based and organizational obligations directly affecting:

Omnichannel service models.
IVR systems and automation architectures.
Complaint management systems.
Outsourced call centers.
Interaction logging and traceability systems.
Commercial policies related to after-sales services.

These are not quality recommendations, but legally enforceable standards whose compliance may be subject to verification in the context of inspections carried out by the competent consumer protection authorities.

Obligated entities and scope of application

In general terms, the CSA applies to:

Private and public entities providing customer service.
Companies serving consumers and users with more than 250 employees or annual turnover exceeding €50 million.
Providers of essential services, including energy, water, gas, telecommunications, transport, financial, and postal services.

Although SMEs are initially excluded, the Act’s impact extends to subcontracting chains, digital service providers, and technology platforms involved in customer service activities of obligated entities. This scenario necessitates a review of agreements with outsourced call centers, CRM providers, automation service providers, and artificial intelligence system suppliers, as ultimate liability vis-à-vis consumers and public authorities remains with the principal operator.

Minimum service quality standards

Among the minimum enforceable standards, customer service must be:

Free of charge for users.
Effective and measurable through clear performance indicators.
Universally accessible, including to persons with disabilities or language barriers.
Verifiable, through records and documentation capable of demonstrating compliance during inspections or disputes.

Particular importance is placed on the obligation to ensure that 95% of calls are answered within the average maximum period of three minutes. The key legal aspect is not merely achieving the metric, but being able to document and evidence compliance.

From a practical standpoint, companies must implement internal monitoring protocols, periodic reporting, and audits to ensure alignment with these obligations, transforming regulatory requirements into competitive service advantages.

Specific consumer rights and practical implications

The CSA guarantees specific consumer rights with direct legal implications for companies:

1. Right to human assistance

Customer service may not be exclusively automated through bots or AI systems. Users are entitled to request assistance from a qualified human representative.

Companies should implement tiered escalation systems allowing prompt human intervention, particularly in complex or sensitive cases, and review IVR and chatbot architectures to avoid artificial delays in transfer.

2. Maximum resolution deadlines

Complaints and incidents must be resolved within fifteen (15) business days.

Shorter deadlines apply in specific cases:

Undue charges: five (5) business days.
Essential service interruptions: two (2) hours regarding status updates and restoration forecasts.

Clear internal SLAs, tracking systems, and automated alerts are advisable, as failure to comply may constitute an administrative infringement.

3. Prohibition of abusive practices

Unsolicited commercial calls are expressly prohibited, and companies must identify themselves through specific codes.

Commercial campaigns and databases must be audited to ensure lawful consent and traceability.

4. Price transparency

Hidden charges or surcharges are prohibited; advertised prices must match the final payable amount.

Internal billing standards, customer portals, and contractual documentation must be reviewed accordingly.

5. Online reviews and advertising

Reviews must be issued by genuine users within the previous 30 days, subject to verification mechanisms and removal procedures for false reviews.

Proactive verification and moderation systems are recommended.

6. Accessibility and non-discrimination

Customer service must be adapted for vulnerable persons, including individuals with hearing impairments or language barriers.

Investment in staff training, assistive technologies, and inclusive protocols is advisable.

7. Documentary evidence

Companies must provide acknowledgment of receipt and content of communications, including date and time stamps, and allow access to call recordings where applicable.

Robust logging and secure storage systems should be implemented to serve as evidentiary support in inspections or claims.

Additional key measures: legal implications and strategic opportunities

The CSA requires the design of integrated internal processes combining service provision, traceability, performance metrics and risk management.

Proactive companies that continuously improve these processes may convert regulatory compliance into a competitive advantage by increasing customer satisfaction, reducing disputes and litigation, and optimizing commercial operations.

Opportunities arise for legal advisory services in:

Redesigning internal processes.
Conducting periodic audits.
Reviewing service provider contracts.
Establishing preventive compliance protocols.

Sanctioning regime and legal impact

Non-compliance with the CSA constitutes an administrative infringement in consumer protection matters. Sanctions may include significant financial penalties, with increased severity in cases of repeated breaches or harm to vulnerable consumers.

Companies will be subject to periodic external audits certifying compliance, requiring integration of regulatory compliance into corporate governance and risk management frameworks.

Recommended strategy and practical guidance

From a risk management perspective, adaptation to the CSA cannot be limited to isolated operational adjustments. Each affected operator should begin with a comprehensive internal assessment covering service channels, response times, traceability mechanisms, and accessibility standards.

This diagnosis will enable the definition of legal compliance KPIs, such as response times, resolution rates, and percentage of human-assisted interactions.

Subsequently, internal protocols and mandatory record-keeping systems should be designed and implemented to evidence compliance during inspections and audits.

Periodic external audits should review service provider agreements, subcontracting structures, and digital platforms to ensure full compliance.

Staff training in consumer rights and internal protocols is essential to ensure efficient, compliant incident resolution.

Commercial and communication strategies must be continuously reviewed to ensure transparency and prevent abusive practices.

Through this approach, mandatory compliance with the CSA may be transformed into a strategic advantage, enhancing customer satisfaction, corporate reputation, and operational efficiency.

Summary of the Customer Service Act

The so-called ‘Three-Minute Law‘ represents a structural shift in how companies must conceive customer service: from a purely reputational element to a source of administrative liability exposure.

The transitional period until December 2026 should not be regarded as a period of inaction, but as a strategic opportunity to:

Redesign internal processes.
Strengthen corporate governance.
Integrate compliance into daily operations.
Reduce exposure to sanctions.

At LetsLaw, S.L., we assist organizations in conducting specific legal audits concerning customer service operations, designing tailored adaptation plans that integrate regulatory analysis, contractual review and operational alignment. Check out our legal services in Spain.

Contact Us

[contact-form-7]