Outbound Call Regulations in Spain

In Spain, telephone calls for commercial purposes are subject to a strict legal framework that combines telecommunications regulations and personal data protection laws. Below is a summary of key laws and the role of regulatory bodies:

General Telecommunications Law 11/2022

This law, in effect since June 2022, explicitly recognizes the right of users not to receive unwanted commercial communications. In particular, Article 66.1 establishes that users cannot be called for advertising purposes without prior consent, except when there is another legitimate basis according to the GDPR. This represents a significant change from the previous regime, which only guaranteed the right to object (opt-out); now the prohibition of non-consented calls (opt-in) prevails.

Since June 29, 2023, this prohibition of commercial calls without express consent has been in force. However, the law allows as an exception for the company to demonstrate another legal basis provided in GDPR Article 6.1 (for example, legitimate interest in certain cases).

The Spanish Data Protection Agency (AEPD) has clarified through Circular 1/2023 that, in addition to express consent, only the legitimate interest of the controller could support commercial calls without consent, and only in very specific scenarios (analogous to those provided for commercial communications to existing customers).

In practice, this means that as a general rule, companies need the express consent of the consumer before calling them for advertising purposes, unless it is their own customer and the requirements for invoking legitimate interest are strictly met. Any unwanted call may be considered an infringement of the user's right to privacy.

Data Protection Regulations (GDPR and LOPDGDD)

The EU General Data Protection Regulation (GDPR) and Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD) fully apply to telemarketing activities. This implies obligations regarding prior consent, information and transparency, purpose limitation, and secure storage of call recipients' data.

In particular, the LOPDGDD regulates advertising exclusion systems (Article 23 LOPDGDD) that allow citizens to oppose direct marketing. Companies must mandatorily consult these lists before conducting a campaign and exclude registered individuals.

Likewise, if the personal data used for the call was not obtained from the data subject, the GDPR requires informing in the first communication about the identity of the controller, the source of the data, and how to exercise their rights. In any case, during the call, the user has the right to know the identity of the calling company and the reason for the call, as well as to object at that moment to receiving further communications. If the user expresses their refusal, the company must register their opposition and refrain from future calls (right to object).

These guarantees are in addition to the general principle that all processing of personal data for commercial purposes must be carried out in full compliance with GDPR and LOPDGDD, under risk of significant sanctions (the AEPD can impose administrative fines of up to 20 million euros or 4% of global turnover in the most serious cases).

Regulatory bodies (CNMC, AEPD, and SETSI)

Several entities supervise regulatory compliance. The National Commission for Markets and Competition (CNMC) is responsible for managing the National Telephone Numbering Plan and granting numbering usage rights to operators. It also ensures the correct use of these numbers: for example, it supervises that different numbering or improper ranges are not used, and collaborates in detecting irregular or fraudulent traffic.

The Spanish Data Protection Agency (AEPD) is the authority in charge of enforcing privacy rules: it handles complaints from individuals about telephone spam, monitors that there is consent or legal basis for calls, and can sanction companies for violations of personal data regulations (for example, calling someone on the Robinson List without justification). In fact, the AEPD has promoted the strict interpretation and application of Article 66.1.b) of Law 11/2022, making it clear that companies should not make unwanted commercial calls to consumers under any circumstances.

For its part, the Secretary of State for Telecommunications and Digital Infrastructures (SETELECO) - a body of the Ministry responsible for telecommunications - is responsible for developing regulations (such as the new Ministerial Order of 2025) and coordinating with the CNMC on the technical implementation of measures. SETSI can request information from operators and companies about their traffic and has sanctioning power in the field of telecommunications. An example of its role is the obligation imposed in 2025 for operators to send statistics of blocked calls to both the Secretary of State itself and the CNMC to monitor compliance with the new anti-fraud measures.

In summary, the current framework combines user protection (prohibiting unauthorized calls) with the responsibility of telecommunications operators to ensure the integrity of calls (truthful numbering without fraud), all under the supervision of the CNMC (technical and numbering aspects), AEPD (privacy and consent), and SETSI (general policy and telecommunications sanctions).

To make commercial calls, it is essential to comply with the rules on recipient consent and the advertising exclusion lists that exist in Spain:

Robinson List and exclusion systems

The Robinson List is the official advertising exclusion file in Spain, managed by the Digital Association (ADigital), which allows any person to register their data to avoid receiving unsolicited advertising. Companies planning to conduct marketing campaigns have the legal obligation to consult this list in advance and exclude registered numbers from their calls.

In practice, this means that if a phone number is registered on the Robinson List, it should not be called for commercial purposes unless there is express consent from the owner or an existing contractual relationship that allows it. Registration on the list is voluntary and free for citizens (it can be done online through the Robinson List Service) and takes effect two months after signing up - a period after which the user should no longer receive advertising communications from new companies.

It should be noted that being on the Robinson List does not prevent your current providers (those companies of which you are already a customer) from sending you offers of products or services similar to the contracted one; but even in those cases, the user can always exercise their right to object so that the sending of advertising stops. Currently, the Robinson List covers multiple channels (telephone, SMS, postal mail, email, etc.), so registrants can specify which media they don't want advertising through.

In addition to the list managed by ADigital, some companies maintain their own "internal do-not-call lists," but the general and officially recognized mechanism is the Robinson List.

Prior consent for unsolicited calls

As mentioned in the legal framework, the general rule since 2023 is that no company can call a consumer if they have not given their express prior consent to receive that commercial call. Therefore, in B2C telemarketing (business-to-consumer), there has been a shift to a strict opt-in regime, reinforced by Law 11/2022.

Exceptionally, a call could be made without that consent if the company justifies another legal basis, mainly its legitimate interest; in practice, the AEPD only considers that legitimate interest valid in very specific scenarios (for example, communicating with current customers to offer related products, provided they have not objected).

Even in those cases, the recipient must have had a clear opportunity to object before and during the call. In summary, for prospects or people with whom there is no prior relationship, it is mandatory to obtain express consent (in writing, electronically, etc.) before calling. Ignoring this requirement can lead to sanctions from the AEPD for improper processing of personal data.

Transparency and identification in the call

When making a commercial call, regulations require transparency with the user. This means that at the beginning of the conversation, the agent must identify the company or entity on whose behalf they are calling, indicate the advertising purpose of the call, and verify that the user is willing to continue. It is prohibited to intentionally hide the identity of the company.

In fact, from a data protection perspective, if the call is based on data obtained from third parties (e.g., marketing databases), the company must inform the user, at least if requested, of how it obtained their number. Likewise, the telephone number displayed on the screen (CLI) must be a valid number associated with the company (not a "hidden number" or falsified), as will be detailed in the numbering section.

Transparency also includes providing the user with contact information or reference to the company (for example, a service number or website) in case they wish to exercise their rights later.

Right to object and real-time revocation

The call recipient has the right to say "no" at any time and to have their decision respected. Legally, if a user states during the call that they do not wish to receive more communications, the controller must immediately cease the call and refrain from contacting that person again for commercial purposes.

The request can be verbal in the same call - the company must have protocols to mark that number as excluded from future campaigns. This implements the right to object in Article 21 GDPR in an "immediate" way: the objection must take effect simply and free of charge.

Good practices indicate that the telemarketing operator should offer the user some explicit formula to exercise this right (for example, asking "Would you like us to include your number in our do-not-call list?"). Also, if the call is automated or pre-recorded, a simple method (such as pressing a key) should be provided to unsubscribe from future communications. Failure to comply with an objection request (continuing to call someone who asked not to be contacted) constitutes a serious infringement.

Obligation to prove consent

Finally, it is important to highlight that the burden of proving that valid consent exists falls on the calling company. This means that, in the event of a complaint or inspection, the company must be able to demonstrate (e.g., with an electronic record or signed form) that the user authorized those communications, or justify the alternative legal basis used.

In addition, any consent can be revoked at any time; companies must provide mechanisms for users to withdraw their consent as easily as they gave it (for example, through a toll-free customer service number or an unsubscribe link).

In summary, no commercial call campaign can be initiated without first verifying that all recipients: a) have given their express consent or, if not, meet the strict criteria of legitimate interest (e.g., current customers), and b) are not registered on the Robinson List or another applicable exclusion system. Furthermore, during the call itself, the user's rights to information and objection must be respected, always ensuring that if they do not want advertising, they do not receive it. These obligations protect the public's privacy and promote responsible marketing practices.

In the field of telecommunications, there are specific regulations on the use of the caller line identification (CLI) and the consistency of the numbering used in outbound calls. The main points are:

Accuracy of caller identification

Spanish regulations prohibit the manipulation or falsification of the origin number that is presented in a call. The number displayed (CLI) must effectively belong to the caller or the service making the call, and be assigned within the National Numbering Plan. Presenting a number that does not correspond (for example, spoofing to make it appear as if the call is coming from another user, a bank, a public agency, etc.) is considered irregular or fraudulent traffic.

Since 2015, Royal Decree 381/2015 has already contemplated measures against these practices, establishing that operators should not allow calls with falsified or unassigned identifiers. However, in practice, until now there was no uniform preventive blocking mechanism, which has led to the introduction of more specific regulations in 2025 (covered in the next section).

In any case, it is currently expressly prohibited to originate commercial calls hiding the number or sending an empty CLI. Unless the caller or subscriber themselves hides it for legitimate reasons of personal privacy (which is an option for personal calls, not applicable to commercial campaigns), companies must ensure that their number is correctly displayed in the call identification.

Numbering according to the National Plan

Spain, through the CNMC, manages a National Numbering Plan that defines which numerical ranges are assigned to each service. For example, mobile numbers generally begin with 6 or 7, geographic (fixed) numbers with 8 or 9 followed by the provincial code, 900/800 numbers are toll-free for the caller, 901/902 numbers have special rates, etc.

Companies must use numbers consistent with the nature of the service they offer. This means, for example, that it is not appropriate to use a prepaid mobile number for massive telemarketing campaigns, since mobile numbering is attributed to the personal mobile service (normally associated with a natural person) and not for use as a commercial call center.

Until now, there was no explicit prohibition on using a mobile phone as a CLI in a commercial call, but it was considered bad practice in many cases and could raise suspicions of spam or fraud. Another example of consistency is that if customer service is offered, the use of fixed numbering (geographic or toll-free) is typically expected instead of mobile, both to facilitate identification by the user and for tariff transparency.

Prohibition of alteration or impersonation of the origin number

Telephone operators are instructed to prevent, as far as possible, the transit of calls with falsified numbering. By virtue of Law 11/2022 and derived regulations, any manipulation of the CLI that induces error (for example, making a number appear different from the one actually used or not assigned to any entity) constitutes an infringement.

In addition to its impact on fraud, this affects commercial campaigns: the company making the call must identify itself with a real and contactable number, it cannot mask itself behind generic or non-existent numbers. If for technical reasons a company subcontracts outgoing calls through another network, it must ensure that the number presented is still a valid one of its ownership or of its provider.

The regulator has reinforced in 2025 the obligation to block calls with numbers that do not exist in the Spanish numbering plan or are not attributed (points detailed in section 4). In summary, today it is not allowed to "deceive" with the CLI: neither sending it empty, nor putting an invented one, nor using national numbers without authorization, much less using third-party numbers without consent.

Obligations for presentation and identification of numbering

Beyond not falsifying, there are requirements for the origin numbering to be useful and transparent for the called user. For example, the phone number displayed should allow returning the call in many cases. This is relevant in customer service and telemarketing: it is recommended that the CLI shown is attended (either because it redirects to a call center or at least to an informative voicemail) so that the user can contact back if desired.

Although not all regulations explicitly require it, the new 2025 regulation expressly authorizes the use of toll-free 800/900 numbers as identifiers for commercial calls precisely so that the consumer can return the call at no cost.

Another obligation is that operators must ensure correct number portability in the CLI presentation: if the company uses a number ported from one operator to another, the destination network must still recognize it. Likewise, good practice guides (and emergency service regulations) prohibit altering the CLI in calls to 112 or other emergency numbers.

Specific regulations from CNMC and SETSI

The CNMC, responsible for numbering, issues resolutions and circulars to ensure efficient use of numbers. For example, it has streamlined procedures for sub-assignment of fixed numbering to reseller companies, so that an operator can assign numerical ranges to a third party while maintaining control over their use.

SETSI, for its part, establishes rules on the dialing and presentation of CLI in areas such as automatic calls, advertising fax, etc., in line with European electronic communications regulations. An important reference is the Regulation on communication markets, access and numbering (Royal Decree 2296/2004) and the Regulation on universal service and users (Royal Decree 424/2005), which contain provisions on the integrity of the CLI (for example, Article 81 of RD 424/2005 requires respecting the identity of the calling line). All these technical rules form the legal basis that operators must follow regarding numbering.

In conclusion, the telephone numbering used in commercial outbound calls must be valid, appropriate to the service, and displayed without deception. Companies must use officially assigned numbers (their own or from their authorized providers) and avoid any practice of impersonation or concealment. This is not only a legal issue but also one of image: users tend to distrust calls from hidden or unusual numbers. The Spanish regulator has recently tightened the mechanisms to detect and block calls with irregular numbering, which forces companies to be totally transparent in the use of their telephone numbers.

June 7, 2025 marks the effective date of the most innovative and strict measures regarding outbound commercial calls, introduced by Ministerial Order TDF/149/2025, dated February 12, 2025. This order (published in the Official State Gazette on February 15, 2025) establishes a new set of obligations aimed at combating telephone spoofing and ensuring the correct identification of commercial and customer service calls. Its main provisions are detailed below:

Blocking of calls with unallocated, empty, or inconsistent numbering

Article 4 of Order TDF/149/2025 requires all telecommunications operators to block outgoing calls that present an empty CLI or a number that has not been assigned/allocated in the National Numbering Plan. This means that, at the network level, calls that lack a caller line identifier or that show a non-existent number (for example, a range not assigned to any operator, or a number that although belonging to a valid range has not been granted to any subscriber) will be filtered and not processed.

This measure specifically complies with what was provided in Royal Decree 381/2015 on irregular traffic, which until now required avoiding such traffic but did not define a clear mechanism; from June 2025, the mechanism will be automatic technical blocking. For companies making commercial calls, this means that it will no longer be possible to "go out" with an invented or generic number: if they tried to use an unauthorized CLI, the call would not reach its recipient because the outgoing operator would stop it.

In practice, operators will consult numbering databases (managed by the CNMC) in real time to verify if a number is valid before allowing the call. This provision directly combats scams where scammers used false numbers to prevent tracing the origin.

Blocking of international calls impersonating Spanish numbering

Article 5 of the Order establishes the mandatory blocking of incoming calls of international origin that present a CLI belonging to the Spanish national plan, unless it is a case of legitimate roaming. That is, if a call originates from outside Spain but appears with a Spanish number (+34) as the identifier, it will be assumed to be impersonation, and operators will not deliver it to the recipient in Spain, unless they can identify that it is, for example, the case of a Spanish subscriber who is abroad using their mobile phone (which would be a genuine roaming situation, not fraud).

This measure tackles a common technique of telephone fraud in which criminals from other countries made their calls appear local (showing known Spanish numbers to deceive users). From June 2025, all international calls with a Spanish prefix will be suspicious and blocked by default, except for routes clearly identified as roaming.

Spanish operators will have to implement filters in their international gateways to detect and stop this type of traffic. For legitimate companies operating from abroad but calling customers in Spain, this means they will not be able to present Spanish numbering if the call enters via international routes; instead, they will have to route calls through providers in Spain or use their own foreign numbers. In short, the possibility of call centers located outside simulating to be calling "from Spain" through CLI tricks is cut off – a technique that was used in both frauds and commercial spam.

Prohibition of using mobile numbers for customer service and unsolicited commercial calls

One of the most relevant innovations is Article 9 of the Order, which expressly prohibits the use of mobile numbering (ranges assigned to the mobile communications service, typically beginning with 6 or 7) for making customer service calls or unsolicited commercial calls. Until now, some companies used mobile numbers for these functions (for example, a teleoperator calling from a corporate mobile, or showing a mobile in the identifier).

From June 7, 2025, this will be prohibited; the reason is to avoid detected abuses, such as misleading or fraudulent telemarketing campaigns that used disposable mobile SIMs for cold calling. The new rule seeks to make such communications more transparent and easily identifiable by the user, which is achieved by requiring the use of fixed or special numbering instead of mobile.

Failure to comply with this prohibition is classified as an infringement, punishable under Article 107.19 of Law 11/2022. This will have a direct impact on call center operations: for example, companies that distributed mobile phones to their agents to call potential customers will have to migrate to using fixed lines (VoIP or PSTN) or authorized specific numbering. Likewise, customer service that offered mobile contact numbers (an unusual practice but existing in SMEs) will have to change to designated numberings (fixed geographic or others).

In summary, it will no longer be possible to use a mobile number as an outgoing telephone for massive commercial calls or as a customer service number; any commercial call originated from a mobile would violate the rule, except perhaps for a few exceptions (e.g., a self-employed commercial agent contacting their client from their personal mobile could fall into a gray area, but for organized campaigns the prohibition will apply).

Obligation to use fixed or special numbering (800/900) for commercial calls and customer service

Correlative to the previous prohibition, Article 10 of the Order reserves and enables the 800 and 900 ranges for use in customer service and unsolicited commercial calls. Specifically, numbers that start with 800 or 900 – traditionally toll-free numbers for the caller – may (and must) be used by companies for these purposes.

The order confirms that calls from 800/900 numbering will continue to be free for those who receive/return the call, and generally authorizes that these numbers can be presented in the CLI of outgoing commercial calls, so that the called user can return the call at no cost.

This implies a change in architecture: telemarketing companies and customer service call centers will have to have geographic fixed numbering or, preferably, contract 900 or 800 numbers to use them as identifiers for their communications. For example, a company that previously conducted campaigns from a mobile X will now have to use perhaps a number 911234567 (Madrid fixed line) or a 900123456. Many companies will opt for 900 numbers, as providing a free return improves user service.

In addition, in 2022 a reform of the General Law for the Defense of Consumers was approved that requires companies in certain sectors to offer a toll-free customer service number – this requirement now aligns with the availability of 800/900 numbers. In summary, from 2025 the standard for commercial calls and service will be to use fixed lines or toll-free numbers, with mobile being relegated only to personal communications. This provides coherence: the citizen will be able to identify that a call from a 900 is probably advertising or support, while they will no longer legally receive promotions from random mobiles.

CLI validation and traffic generation platforms

The previous measures imply important technical adjustments. Network operators will have to implement systems for automatic validation of the CLI of all calls before processing them. For example, when a call is initiated in the network, they will verify in their numbering tables if that CLI is authorized: if it is empty or does not exist, it is blocked (Article 4); if it comes from outside and seems Spanish, it is blocked (Article 5); if it is a mobile used in a context not allowed (telemarketing), it is also likely to be rejected (Article 9).

This will require advanced filtering platforms, possibly making use of real-time numbering databases provided by the CNMC. Some operators were already testing STIR/SHAKEN-type authentication systems (a call authentication framework) to guarantee call identity; it is possible that with this order the adoption of such technologies to verify origin will accelerate.

Likewise, companies that generate large volumes of traffic (e.g., VoIP switchboards) will have to ensure they correctly configure the CLI according to what is authorized. Automatic dialing platforms (dialers) will have to be adjusted not to emit calls without ID or with random IDs out of range. In short, the technical infrastructure of telemarketing in Spain is going to experience changes: greater scrutiny of each call and requirements that the number be validated against assignment lists. This may entail investment in new tools by both operators and large call centers.

Sanctions and compliance regime

Non-compliance with the provisions of Order TDF/149/2025 carries a significant sanctions regime. The order itself refers to the sanctions of the General Telecommunications Law – in particular, Article 107.19 of Law 11/2022 classifies disobedience to obligations such as these as a very serious infringement. The fines can be substantial; for example, very serious telecommunications infractions can lead to sanctions of up to €20 million or percentages of business volume.

In addition, the AEPD could sanction in parallel if non-compliance involves a violation of personal data (for example, using a mobile number for spam would also infringe privacy rules). It is worth noting that the order provides for gradual deadlines: although it comes into force in March 2025, it gave a 3-month margin to implement the blocking of fraudulent international calls and the prohibition of mobile numbering (hence the date of June 7, 2025). Other measures, such as the registration of aliases for SMS, have a longer deadline (15 months) until 2026.

This shows that some initial flexibility will be given for technical adaptation, but from those dates the authorities expect full compliance. The SETSI and the CNMC will require annual reports from operators with statistics of blocked calls and messages, classifying reasons, which indicates that there will be close monitoring.

In case of detecting non-compliance (e.g., an operator that does not block as required, or a company calling from an unauthorized mobile), sanctioning proceedings can be opened. Therefore, companies and operators must take these new obligations very seriously from 2025, as regulatory bodies will have clear tools to penalize telephone fraud and spam.

Impact for telemarketing companies

Overall, this Ministerial Order represents a drastic tightening of the conditions for making commercial calls. Companies will have to review their numbering architecture (for example, migrating from mobile SIMs to fixed VoIP trunks or 900 numbers), implement quality controls for their CLI listings, and possibly coordinate with their telephony providers to ensure that their calls are not filtered.

Certain previously common practices (using mobile numbers for convenience, or platforms abroad that showed local numbers) will become practically unfeasible. In the medium term, these measures are expected to increase user confidence in legitimate calls, as they will reduce the volume of telephone spam and scams, forcing surviving telephone advertising to be more transparent and respectful.

The new regulations impose duties on both telecommunications operators (which provide the lines and network access) and intermediary or reseller companies that handle voice traffic without being authorized operators themselves. It is important to distinguish the parties involved:

Authorized operators and virtual operators

An authorized operator is a company that has notified the CNMC Operators Register of its intention to provide electronic communications services in Spain, and can therefore obtain public resources (numbering, spectrum, interconnection). Among these are operators with their own network and mobile virtual operators (MVNOs) or voice virtual operators who, although they do not own complete infrastructure, act under license using another's network. All of them are fully subject to the General Telecommunications Law and sectoral ministerial orders.

Order TDF/149/2025 is directly addressed to "providers of electronic communications networks and services," i.e., operators. Consequently, each operator must implement in its network the call blocking and validation measures described (empty/non-allocated CLI, national CLI from abroad, etc.), and be responsible for the traffic it carries. This includes wholesale operators that terminate third-party calls on their network.

Virtual operators, although they subcontract the infrastructure, must contractually ensure that the restrictions apply to their customers in the same way as to the host operator's customers.

Numbering or traffic reseller companies

There are companies that, without being registered operators, act as intermediaries, for example buying minutes or sub-assigning numbering from a main operator to offer services to call centers, contact centers, or telemarketing. These entities are commonly known as resellers. A typical case would be a company that leases a block of numbers from an operator and then distributes them among different clients for campaigns.

While the reseller is not formally an operator in the eyes of the CNMC, the operator that owns the numbering remains responsible to the CNMC and SETSI for the proper use of those numbers. Therefore, the regulations require control and coordination mechanisms between operators and their resellers to comply with the new requirements.

Order TDF/149/2025 provides that the CNMC will establish a specific mechanism for these cases, so that an operator that has resellers on its network can know which numbering is actually assigned to end users without incurring exchanges of sensitive commercial data.

In practice, this may mean the implementation of centralized databases where resellers report which of the sub-assigned numbers are in use and which are free, so that the main operator knows when to block a call (for example, if it detects that a reseller is originating a call with a number that according to its records is not assigned to any client, it will block it for violating Article 4 of the Order).

Contractually, operators will have to strengthen their agreements with resellers: include clauses that oblige the reseller to comply with the regulations (not allow improper use of mobiles, respect Robinson, etc.), and establish penalties or service cuts if their clients send fraudulent traffic. Many operators already require their resellers and corporate clients to sign anti-spam and anti-fraud commitments, but now these obligations will have to be even stricter, since the originating operator will face sanctions if prohibited calls slip through its network.

Identification, validation, and blocking of suspicious traffic

At an operational level, operators will have to monitor traffic for anomalous patterns. For example, sequential mass calls from newly activated numbering, or the same origin number calling thousands of times simultaneously (which suggests an automated use perhaps not in accordance with its assignment).

The regulations against "non-permitted traffic" (RD 381/2015) already empowered operators to block irregular traffic; with the new order, it becomes an active obligation. If an operator detects that one of its customers (either direct or through a reseller) is generating fraudulent traffic, it must cut it off. This includes not only cases of false CLI, but also other frauds (e.g., identity theft, wangiri, etc., although these go beyond the commercial issue).

Additionally, operators must ensure they validate the origin numbering: in interconnections, check that if a call with a Spanish number enters from outside, it comes through the designated roaming routes; and in outgoing calls, that the client placing a CLI has the right to use it. Some operators already implement "white lists" of CLI per client: for example, a call center that contracts 10 numbers can only make calls presenting one of those 10; any other CLI is rejected. This practice will likely be extended and formalized.

For resellers, first-level responsibility falls on their provider operator, but they in turn must implement controls with their own customers. It is foreseeable that technological solutions will emerge offered to resellers to filter their clients' CLI before delivering calls to the main operator, thus avoiding blockages and conflicts.

Technical procedures and contractual obligations

To comply with all of the above, operators are adopting new internal procedures. For example, updating their switches or SBC (Session Border Controller) platforms with rules that examine each call and apply the blocking policies. Technically, this may involve millisecond queries to numbering databases administered by CNMC/SETSI to verify assignments.

Regarding contracts, both interconnection contracts between operators and service provision contracts to corporate clients and resellers are being modified to reflect the new prohibitions (such as mobile CLI) and responsibilities. An operator that provides outbound services to an international call center may now include specific clauses: "The Client undertakes not to use Spanish mobile numbering in the presentation of commercial calls, nor to originate calls from abroad with Spanish CLI, under penalty of immediate suspension of service."

It is also likely that operators will request from their clients a list of the numbers from which they will call, to configure them in their systems. In short, at the backend level, automatic filters, authorized numbering databases, and fraud detection tools are being established, and at the legal level, agreements are being strengthened to empower the operator to cut services in case of illicit use.

Differences between operators and resellers regarding sanctions

An important detail is who faces the consequences in case of non-compliance. SETSI and CNMC can directly sanction authorized operators, as they are the subjects obliged by sectoral regulations. If a reseller (which is not a registered operator) allows abuses, it will be the operator that gave them numbering who receives the sanction and then may contractually pass it on to the reseller.

On the other hand, the AEPD could also pursue the end company that makes the calls (whether or not an operator) for violating data protection regulations. Thus, a reseller that only interconnects calls but does not decide to make them might not receive a sanction from AEPD, but the advertising company that ordered calls without consent would.

In any case, a chain of co-responsibility is generated: operators monitoring resellers, resellers monitoring their customers, and all under the scrutiny of regulators. The CNMC has indicated that it will seek mechanisms that allow this control without violating competition (i.e., so that one operator does not have to reveal customer data to another), probably through neutral centralized systems.

In summary, the new obligations require intense cooperation between operators and their business partners to clean up telephone traffic. Operators that provide services to third parties must act diligently by blocking abuse, and resellers must fully align with Spanish regulations even if they do not have a direct license. The entire outgoing telephony ecosystem is compelled to improve its controls, as the authority has made it clear that, otherwise, significant sanctions and even the revocation of numbering rights can be generated if repeated improper use is detected.

Companies located outside Spain but making calls to Spanish users (international call centers, telesales platforms, etc.) are also covered by Spanish regulations in several aspects. The following points should be taken into account:

Extraterritorial applicability of user protection rules

The obligation to respect the consumer's right not to receive unsolicited calls applies regardless of where the calling company is established. In other words, if a foreign company calls a Spanish number to offer a product or service, it must comply with the same rules of consent and non-disturbance as a national company.

Article 66.1.b) of Law 11/2022 and the AEPD's interpretation refer to "data controllers that make commercial calls, regardless of the sector to which they belong," which includes foreign entities when they process data of Spanish consumers. In addition, the GDPR has extraterritorial effect: any company outside the EU that directs marketing communications to people in the EU is subject to the GDPR (Article 3.2) and could be sanctioned through representatives in the EU or when processing data of European citizens.

In practice, the AEPD has processed complaints against companies with call centers in other countries (Latin America, for example) that harassed Spanish users, coordinating with international counterparts. Therefore, being outside is not an escape route: legally, the same respect for the Robinson List, consent, and the right to object is expected.

Use of Spanish numbering from abroad

Many international companies use Spanish numbers to facilitate interaction with customers in Spain (for example, they contract a Madrid number to show in the identifier, although the call originates via VoIP from another country). With the new 2025 Order, this scheme will have to be carefully reviewed.

If the call goes out to the public telephone network from an international gateway, the anti-spoofing filter (Article 5 of the OM) will block it for having a Spanish CLI with foreign origin. To avoid this, the foreign company has two options: either route its calls through an operator in Spain (for example, contract a SIP trunk with a Spanish operator, so that technically the call originates in national territory with its Spanish number) or use international numbering (show a number from its country, although that may reduce user response).

The first option is the most common: the foreign call center signs with a Spanish VoIP operator to obtain Spanish numbering and process calls; thus, in the eyes of the network, the call is domestic. This will continue to be viable, but with the caveat that the Spanish operator will have to comply with the rules (will not allow using a mobile as CLI, etc.).

What will not be possible is what some platforms did before: sending the call through cheap international routes "injecting" a Spanish number into the signaling. Now, the Spanish operator that receives that call at the border will discard it.

Foreign companies with assigned Spanish numbering

Some multinationals have a presence in Spain only to obtain numbering ranges, but operate from outside. They must ensure that they comply with the usage conditions of that numbering as if they were operating within. For example, if they have 900 numbers assigned in Spain for their global call center, they will have to use them according to the Plan (toll-free calls, etc.) and respect the prohibition on improper use.

If a foreign company uses a Spanish mobile number that it bought from a third party, from June 2025 it will be violating the regulations (due to the prohibition in Article 9); it could face the cancellation of that number by the provider operator. Therefore, foreign companies must re-evaluate the types of Spanish numbers they use: it is advisable to migrate to fixed or toll-free numbers for B2C campaigns in Spain.

Requirements for international operators delivering traffic to Spain

Operators from other countries (international carriers) that terminate calls on Spanish networks are also affected. Spanish operators will require in interconnection agreements compliance with these policies, and in fact many will directly implement filters in their gateways.

For example, if a foreign operator sends traffic with a high percentage of calls with manipulated CLIs, the Spanish receiver may block or even cut the interconnection for violation of the conditions (which usually include anti-fraud clauses). It is expected that there will be greater international collaboration: sharing lists of unassigned numbers, exchanging signaling to distinguish legitimate roaming calls from fraudulent VoIP traffic, etc.

Carriers will have to ensure they properly mark roaming calls in the signaling (via SS7 or SIP protocols) so they are not blocked by mistake. Likewise, any terminator in Spain will want to know who the real source of the call is; they may begin to require origin operator identification codes or STIR/SHAKEN authentication in international SIP sessions when possible. In summary, international traffic to Spain will be subject to more filters, and serious foreign operators will have to filter out spam on their side to prevent their routes from being closed.

Scope of sanctions for foreign companies

While it is true that directly sanctioning a company without presence in Spain can be complicated, authorities have indirect mechanisms. In data protection, the AEPD can cooperate with the authority of the country where the company resides, or address the parent company if one exists. In telecommunications, the CNMC/SETSI can sanction the Spanish operator that facilitates the irregular activity of the foreign company.

For example, if a Spanish operator acts as a mere gateway for a foreign company that does mass spam, and does not prevent it, the Spanish operator will be sanctioned here, and then internally will have to terminate the contract with that company. Additionally, consumer protection rules (General Consumer Law) could enable administrative sanctions to foreign companies for aggressive commercial practices towards Spanish consumers. This is substantiated case by case, but the trend is clear: it doesn't matter where the call comes from, calls to Spain are subject to Spanish laws to protect the end user.

In conclusion, foreign companies making B2B or B2C calls to Spain must adapt to the same level of demand as national ones. They must obtain the necessary consents, respect the Spanish Robinson List, and technically route their calls legitimately. If they use Spanish numbering, they will have to do so through Spanish operators complying with the new restrictions (fixed or 900 numbers, not mobile, authenticated CLI). Failure to do so will result in blocked calls and possible legal repercussions. On the positive side, those foreign companies that align with these good practices will be able to continue contacting the Spanish market without setbacks, benefiting from a more reliable ecosystem less saturated with fraudulent calls.

Given the complexity and severity of current regulations, it is highly recommended that companies making outbound call traffic implement proactive best practices to ensure compliance. Below are key recommendations:

Use of compliant platforms and providers (automatic CLI validation)

It is advisable to use operator services or cloud-based switchboards that already incorporate numbering validation controls. Many professional dialing platforms will not allow sending a CLI that is not previously registered/verified for that account. Such solutions ensure that an authorized number is always sent, avoiding blockages.

It is also advisable to work with certified or reputable operators who are up to date with regulatory requirements. These operators can guide the company in choosing the appropriate numerical range (geographic or 900) and will configure the necessary filters to avoid infractions.

Emerging technologies such as STIR/SHAKEN or call authentication systems can be a plus: if the operator offers the possibility of digitally signing calls to attest to their legitimacy, it can improve the connection rate and the receiver's trust. In summary, relying on the right technology will greatly facilitate automatic regulatory compliance.

Database hygiene and consent management

A fundamental best practice is to keep contact lists and their permissions up to date. The company should implement a regular "scrubbing" procedure against the Robinson List – that is, purge its lists of numbers by excluding those on the Robinson List (and any other applicable exclusion list, e.g., internal to the company). This should be done immediately before launching each campaign, to avoid errors if someone has recently signed up.

Additionally, it is advisable to record in a central database the preferences of each contact: who gave consent for what type of calls, on what date, and through what evidence. Thus, in case of any doubt, compliance can be demonstrated. On the other hand, unnecessary data accumulation should be avoided: if a lead has not given consent or has been inactive for a long time, it is prudent not to call them.

It is also useful to implement an easy opt-out system: for example, if a confirmation SMS is sent after a missed call, include a text "If you do not want to receive more calls from us, reply STOP." Any unsubscribe or objection expressed should be immediately reflected in the database so that no agent calls that number again. These data hygiene measures not only prevent sanctions but also improve efficiency (avoiding wasting effort on customers who do not want to be contacted).

Training of commercial and technical staff

It is essential that both call center agents and technical staff understand the new regulatory framework. Commercial staff should be trained to handle the call correctly: identify the company at the beginning, ask if it is a good time to talk, briefly explain the reason, and at the slightest sign of disinterest or rejection from the customer, respectfully offer the option not to call again.

They should know how to respond if the user mentions the Robinson List, and know the internal process to mark a number as excluded. For their part, technical staff (dialing system administrators, telecommunications managers) should be aware of the restrictions on CLI and numbering.

They should configure the switchboards to use the appropriate numbers (for example, ensure that no extension goes out with a mobile number if not allowed), and monitor the operator's reports on possible blocked call attempts. Investing in training will avoid errors due to lack of knowledge. Even certifications or courses offered by the AEPD or sectoral entities on "Legal and safe telephone marketing" can be considered.

Continuous compliance monitoring and auditing

Given that laws can evolve (as has happened recently) and campaign situations change, it is recommended to establish a continuous compliance program. This includes periodically auditing telemarketing operations: reviewing call samples to verify that agents follow the information script, checking system logs to see that prohibited calls are not being made (e.g., to numbers on the Robinson List or during non-permitted hours, if any sectoral time restriction applies), and staying alert to new regulations.

For example, although now the bulk of changes are in effect in 2025, European legislation (pending ePrivacy Regulation) could introduce novelties in the future. A compliance officer (Data Protection Officer or similar) should follow the circulars of the AEPD, CNMC, and Ministry, as well as the sanctioning resolutions that are published, to adjust the company's practices.

Documenting all compliance measures is also useful: internal procedure manuals, record of training provided, etc., so that if any authority requests it, a diligent attitude can be demonstrated.

Adaptation of B2B vs B2C strategy

As mentioned, the strictest regulations focus on consumer protection. In the case of Business-to-Business (B2B) marketing, although there is not the same absolute prohibition legally (since commercial communications directed at legal entities are not considered "consumers"), it is also advisable to adopt a respectful approach.

For calls to businesses, one can base on legitimate interest as long as it is about offering related and reasonable products or services for that company, but it is still advisable to obtain consent from the interlocutors whenever possible, or at least respect if they indicate they are not interested.

Moreover, many professionals are registered with their mobiles on the Robinson List; while technically that registration is oriented to the personal sphere, it is prudent to refrain from calling a self-employed professional who has expressed such a preference. In sum, maintaining high standards of permission and segmentation also in B2B will avoid friction with the LOPDGDD and project a better image.

Appropriate choice of call timing and frequency

Although the question does not directly address it, as a good practice it is worth remembering that commercial calls should be made at reasonable hours (daytime hours, avoiding rest periods) and with moderate frequency. Too insistent calls can be considered harassment and even reported by users.

Some European regulations establish time slots, and in Spain, self-regulation suggests not calling before 9:00 or after 21:00, nor on weekends unless the customer has requested it. Similarly, if a call attempt has no response, it is recommended not to repeat more than a certain number of times (2-3) on different days, to avoid harassment. These guidelines, while not all codified into law, help comply with the spirit of the regulation not to bother the user without their consent.

Recourse to official sources and legal advice

Given the complexity of the subject, it is advisable to rely on official sources to clarify doubts. For example, consult the AEPD's Guide on unwanted advertising, the CNMC's informative notes on numbering, and of course the legal texts in the BOE (Law 11/2022, Order TDF/149/2025, etc.).

Maintaining links with sectoral telemarketing or call center associations can be useful, as they often issue codes of conduct and practical interpretations of the rules. If the company makes significant volumes of calls, it should certainly have specialized legal advice in telecommunications and privacy, which reviews the procedures and contracts.

For example, reviewing clauses with providers to ensure they incorporate the new obligations (blockages, etc.), or verifying that the consent texts collected meet all formal requirements. This proactive legal accompaniment can avoid major problems later.