The lawsuit filed on Monday is directed against the Bishops' Conference and the bishops, who had posted a list with the data of a total of 45 victims online on the websites of their dioceses, Spanish media reported on Wednesday.
The confidential information was available on the diocesan websites in December and January and was then deleted by the dioceses.
The personal data of those affected is said to have been available on the internet for a further four months.
The list with the personal information and detailed reports on the offences of abuse is said to be part of the confidential part of the abuse report that the Bishops' Conference commissioned from the Madrid law firm Cremades & Calvo-Sotelo.
The study presented in December last year speaks of more than 2,000 victims of sexual abuse in the Spanish church, while the Bishops' Conference assumes only around half this number.
The Bishops' Conference had noticed the unauthorised publication of the personal information and removed the data from its website.
However, it did not report this breach of data protection to the Spanish Data Protection Agency, as is required in such cases.
The victims of abuse affected were not informed either.
The victims are therefore suing the bishops for breach of secrecy and cover-up.
The Bishops' Conference could also be accused of violating data protection law, which provides for fines of up to 20 million euros.
The bishops deny responsibility for the unlawful publication, as does the law firm Cremades & Calvo-Sotelo.
Both blame each other for the incident.