Data Protection in Spain — GDPR and LOPDGDD
Data protection in Spain is governed by the EU General Data Protection Regulation (GDPR, Regulation 2016/679) and the Spanish Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD). Spain's supervisory authority is the AEPD (Agencia Española de Protección de Datos). The LOPDGDD adapts and supplements the GDPR for Spain, introducing digital rights in the employment context and extending rules for political parties and credit profiling.
The Legal Framework: GDPR + LOPDGDD
Data protection in Spain operates under a two-layer framework:
- GDPR (Regulation (EU) 2016/679): Directly applicable in all EU member states from 25 May 2018. Sets the overarching principles, rights, and obligations — it is self-executing and does not require national transposition.
- LOPDGDD (Ley Orgánica 3/2018, de 5 de diciembre): Spain’s national implementing and supplementing law. It does not replace the GDPR but fills gaps where the GDPR permits national derogations, specifies administrative procedures, and adds Spain-specific rules.
Together, these instruments create a comprehensive framework applicable to any organisation processing personal data of individuals in Spain, or targeting goods and services at individuals in Spain — regardless of where the organisation is established.
The AEPD: Spain’s Supervisory Authority
The Agencia Española de Protección de Datos (AEPD) is Spain’s national data protection supervisory authority (autoridad de control). Its functions:
- Investigating complaints from data subjects
- Conducting proactive investigations and audits
- Issuing binding decisions, warnings, and fines
- Issuing guidance and binding resolutions on data protection questions
- Coordinating with other EU supervisory authorities in cross-border cases through the EDPB one-stop-shop mechanism
The AEPD has been one of the most active EU supervisory authorities in terms of fine volume. It can issue fines up to:
- EUR 10 million or 2% of global annual turnover (lower tier — for technical obligations)
- EUR 20 million or 4% of global annual turnover (upper tier — for fundamental principle violations, consent issues, data subject rights)
Notable AEPD enforcement actions have targeted banks, telecoms operators, social media platforms, and public administrations.
Key GDPR Obligations for Organisations in Spain
1. Lawful Basis for Processing
Every processing activity requires a lawful basis under Article 6 GDPR:
- Consent (consentimiento): Freely given, specific, informed, unambiguous. Particularly required for marketing and tracking cookies.
- Contract performance (ejecución de contrato): Processing necessary to perform a contract with the data subject.
- Legal obligation (obligación legal): Required by EU or Spanish law.
- Vital interests (intereses vitales): Rare; for life-threatening emergencies.
- Public task (tarea de interés público): For public sector bodies.
- Legitimate interests (intereses legítimos): Requires a three-part balancing test (purpose, necessity, individual rights balance). The AEPD scrutinises legitimate interests claims carefully.
2. Privacy Notice (Información al Interesado)
Organisations must provide clear privacy notices at the point of data collection, covering:
- Controller’s identity and contact details
- DPO contact (if appointed)
- Purposes and lawful bases for processing
- Categories of data processed
- Recipients and international transfers
- Retention periods
- Data subject rights and how to exercise them
- Right to lodge a complaint with the AEPD
3. Register of Processing Activities (Registro de Actividades de Tratamiento)
All controllers and processors (except organisations with fewer than 250 employees, unless their processing poses high risk) must maintain an internal record of all processing activities — Article 30 GDPR. This is a core accountability document.
4. Data Protection by Design and by Default
Privacy controls must be integrated from the design stage of any new product, system, or process (not added as an afterthought). Default settings must be the most privacy-protective option.
5. Data Protection Impact Assessment (DPIA)
A DPIA is mandatory before processing that is likely to result in high risk to individuals. The AEPD publishes a list of processing activities requiring mandatory DPIA, including:
- Large-scale processing of special category data (health, biometrics, religion, race, etc.)
- Systematic profiling of individuals
- Processing of personal data of vulnerable persons
- Automated decision-making with significant effects
6. Data Breach Notification
Data breaches (brechas de seguridad) involving personal data must be:
- Notified to the AEPD within 72 hours of becoming aware (if the breach is likely to result in risk to individuals)
- Communicated to affected data subjects if the breach is likely to result in high risk
The AEPD’s online notification portal is used for breach reporting. The AEPD has been strict on the 72-hour deadline and the adequacy of breach documentation.
7. Data Subject Rights
Under the GDPR, data subjects in Spain have the following rights:
- Right of access (derecho de acceso) — obtain a copy of their data
- Right of rectification (rectificación) — correct inaccurate data
- Right of erasure (supresión, “right to be forgotten”) — request deletion
- Right to restriction of processing (limitación) — pause processing
- Right to data portability (portabilidad) — receive data in a structured format
- Right to object (oposición) — object to processing based on legitimate interests or direct marketing
- Rights related to automated decision-making — request human review of algorithmic decisions with significant effects
Controllers must respond to data subject rights requests within one month, extendable to three months for complex cases.
LOPDGDD-Specific Provisions
Digital Rights in the Employment Context (Derechos digitales)
Title X of the LOPDGDD establishes specific digital rights for workers, including:
- Right to digital disconnection (desconexión digital): Employers must adopt a policy on disconnection outside working hours.
- Right to privacy with use of digital devices at work: Employers may monitor work devices only within defined proportionate limits and with prior information to workers (via the works council or through the internal policy).
- Right to privacy regarding video surveillance and audio recording at work: Cameras may be used only for workplace security and must be signposted; covert recording is prohibited except in narrow circumstances.
- Geolocation of workers: Use of geolocation systems (including vehicle tracking) must be communicated to workers in advance.
- Use of artificial intelligence in employment: Article 22 LOPDGDD requires workers and their representatives to be informed of algorithmic or AI-based tools that affect employment decisions.
Political Parties and Electoral Data
The LOPDGDD permits political parties to use publicly available personal data for electoral campaign purposes without individual consent — a significant derogation that has been controversial.
Credit and Financial Profiling
The LOPDGDD sets specific rules for including individuals in debt or credit default registries (ficheros de morosos): minimum debt amount (EUR 50), prior notification requirement, and strict accuracy obligations.
Processing of Data by Lawyers, Tax Advisers, and Notaries
Spain has specific derogations recognising professional secrecy in relation to data processing by lawyers, tax advisers, and notaries, and special rules for processing in the context of professional advice.
International Data Transfers
Transferring personal data outside the EU/EEA is restricted unless the recipient country has an adequacy decision (e.g., UK, Japan, USA under the EU-US Data Privacy Framework) or appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs): The 2021 SCCs issued by the European Commission are the most common mechanism.
- Binding Corporate Rules (BCRs): For intra-group transfers in multinational companies.
- Specific derogations: Limited exceptional circumstances.
The AEPD has jurisdiction to investigate and sanction unlawful international transfers by Spain-based controllers.
DPO (Delegado de Protección de Datos)
A Data Protection Officer (DPO) is mandatory for:
- Public authorities and bodies
- Organisations whose core activities require large-scale systematic monitoring of individuals
- Organisations whose core activities involve large-scale processing of special category data
The DPO may be internal (employed) or external (contracted). Their contact details must be notified to the AEPD and published in privacy notices. The DPO cannot be instructed on how to perform their data protection tasks.
Cookie and ePrivacy Compliance
Spain implements the ePrivacy Directive through the Ley de Servicios de la Sociedad de la Información (LSSI). The AEPD has issued specific guidance on cookie consent requirements:
- Strictly necessary cookies: No consent required.
- Analytics, advertising, and tracking cookies: Prior informed consent required (opt-in). Pre-ticked consent boxes and implied consent from continued browsing are not valid.
- Cookie banners must not use dark patterns (consent buttons more prominent than rejection, confusing layering) — the AEPD has sanctioned several companies for non-compliant consent interfaces.
Frequently Asked Questions
Does the GDPR apply to a small company in Spain with only 5 employees? Yes. The GDPR applies to any organisation processing personal data of EU residents, regardless of size. Small organisations may be exempt from the processing activities register if they have fewer than 250 employees and their processing does not pose high risk — but all other GDPR obligations (lawful basis, privacy notices, data subject rights, security) apply fully.
What is the difference between a data controller and a data processor under Spanish/EU law? The controller (responsable del tratamiento) determines the purposes and means of processing — it decides why and how personal data is used. The processor (encargado del tratamiento) processes data on behalf of the controller, following its instructions. A formal Data Processing Agreement (DPA) — Article 28 GDPR agreement — is mandatory between controller and processor.
Do we need to appoint a DPO in Spain? Only if your processing meets the statutory triggers (public authority, large-scale monitoring, or large-scale special category data processing). Many Spanish companies voluntarily appoint a DPO as a best practice measure. The AEPD’s online tool can help assess the obligation.
What are the most common AEPD sanction grounds? The AEPD’s most frequent sanction grounds include: invalid cookie consent, inadequate privacy notices, failure to respond to data subject access requests within the statutory period, inadequate security measures leading to data breaches, and unlawful use of data for direct marketing without a valid lawful basis.
Can we transfer EU employee data to a parent company outside the EU? Yes, but only with appropriate safeguards. The most common mechanism is the 2021 Standard Contractual Clauses (Module 1: controller-to-controller, or Module 4: processor-to-controller for HR data flows to a parent). A Data Transfer Impact Assessment (DTIA) is required to assess the law and practice of the destination country.