In this case, the defendants have been accused by FLIX SOLAR S.L., BCN FINANCES PERSONALS S.L. and FUNDS AND PORTFOLIOS S.L. of attempting to access their computer servers to extract sensitive information. Following the Investigating Court’s decision to proceed with the case on the grounds of a potential ongoing offence involving the disclosure of trade secrets, the defendants appealed against this decision. The appeal was upheld, resulting in the case being dismissed and the proceedings being closed.

Consequently, the private prosecution appealed against the Provincial Court of Barcelona’s decision, arguing that the events in question should be classified as a crime of disclosure of commercial secrets, or at least as an attempted crime. After examining relevant case law relating to the punishability of attempted crimes, the Criminal Chamber of the Spanish Supreme Court affirmed that the means employed by the defendants to obtain sensitive information from the companies in question were appropriate, thereby preventing the proceedings from closing for the time being.

In this regard, it should be noted that both defendants, who are in a relationship, were employees of the plaintiff companies. The first of them had been responsible for IT, so he had extensive knowledge of the entire IT area, and had been dismissed prior to the events. The second defendant worked at FLIX SOLAR S.L. as head of the administration department and therefore she was aware of the email addresses with access to the company’s digital platform.

The companies’ servers detected four attempts by the defendants to access the platform using their personal and corporate email addresses from their shared residence (after the first defendant was fired). However, the defendants were unaware that a two-factor authentication had been set up and that the passwords for accessing the server had been changed. Consequently, despite using their personal and professional credentials, they were unable to access the server.

Given their knowledge, the suspects had all the means to access the server and obtain sensitive company information; the plan they had devised appeared feasible. However, circumstances beyond their control meant that they were unable to obtain the information they were interested in. Although the defendants took all the necessary steps to obtain the company’s confidential information, they were unaware that the company had updated its security controls and were therefore unable to gain access.

For all the above reasons, at this stage of the proceedings, at least, the relative unsuitability of attempting to access a database with an expired or modified password by the database owner cannot be ruled out.

Without prejudice to the outcome of the evidence that may ultimately be presented at the trial, an objective observer could conceive of the possibility of accessing the database using the user’s assigned passwords. The defendants’ lack of awareness of the changes to the server access conditions does not alter this conclusion.

Judgment of the Spanish Supreme Court (Criminal Chamber)662/2025 of 10 July 2025