GDPR in Spain (LOPD-GDD)

Spain implements the EU General Data Protection Regulation (GDPR) through the Ley Orgánica de Protección de Datos y Garantía de Derechos Digitales (LOPD-GDD). The supervisory authority is the Agencia Española de Protección de Datos (AEPD), one of the EU's most active data protection regulators.

GDPR and Spain’s LOPD-GDD

The EU General Data Protection Regulation (GDPR — Regulation 2016/679) has applied directly throughout Spain since 25 May 2018. It is complemented and supplemented by Spain’s national implementation law, the Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPD-GDD), which adapts GDPR to Spanish constitutional law (the right to privacy is a fundamental right under Article 18 of the Spanish Constitution) and adds sector-specific rules.

For businesses operating in Spain, it is the combination of GDPR and LOPD-GDD — not just GDPR alone — that sets the compliance standard.

Spain’s Data Protection Authority: AEPD

The Agencia Española de Protección de Datos (AEPD) is Spain’s independent supervisory authority. It is consistently one of the most active data protection authorities in the EU, regularly issuing substantial fines against companies of all sizes. Notable AEPD enforcement actions have included fines against major telecommunications operators, airlines, and banks, as well as against smaller companies for basic compliance failures.

The AEPD’s enforcement priorities include:

  • Unlawful use of cookies and tracking technologies
  • Inadequate legal bases for processing personal data
  • Failure to respond to data subject rights requests within the statutory deadline (one month from receipt under GDPR Article 12(3), extendable by two further months only for complex or numerous requests, and only if the data subject is told why within the first month)
  • Inadequate technical and organisational security measures following data breaches

Key Compliance Obligations

1. Legal Basis for Processing

Every processing activity must rest on one of the six GDPR Article 6 legal bases: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. In Spain, the AEPD scrutinises consent mechanisms carefully: pre-ticked boxes, bundled consent, and consent used as a catch-all for commercial profiling are all challenged regularly.

2. Records of Processing Activities (ROPA)

Organisations with 250 or more employees must maintain a written register of all processing activities, documenting their purposes, data categories, recipients, retention periods, and a general description of the security measures applied. Smaller organisations are exempt only if their processing is occasional, is unlikely to result in a risk to individuals, and does not involve special categories of data or criminal-offence data (GDPR Article 30(5)); in practice most companies fall outside that exemption and must keep a ROPA.

3. Data Protection Officer (DPO)

A DPO is mandatory for public authorities, organisations whose core activities involve large-scale processing of special categories of data, and organisations that carry out large-scale, regular and systematic monitoring of individuals (GDPR Article 37). The LOPD-GDD extends the obligation to additional categories of entity (see the FAQ below). The DPO can be an employee or an external provider, and the designation must be communicated to the AEPD, which publishes a register of DPOs.

4. Data Processing Agreements (DPAs)

Any third-party provider that processes personal data on behalf of your company (cloud providers, payroll processors, marketing platforms) must be bound by a signed DPA that meets the requirements of GDPR Article 28, including processing only on documented instructions, confidentiality, security measures, sub-processor controls, breach notification, and deletion or return of data at the end of the service. Missing or incomplete DPAs are a gap commonly found during due diligence on Spanish companies.

5. Cookies and Online Tracking

The AEPD’s Guía sobre el uso de las cookies is among the EU’s most detailed cookie guidance documents. Consent must be specific, informed, and freely given; consent walls (blocking access unless cookies are accepted) are permissible only in specific circumstances. Analytics cookies are not “strictly necessary” and require consent.

6. HR Data

The LOPD-GDD adds specific provisions on employee monitoring, digital rights in the workplace, and the use of biometric data for time-and-attendance systems (a popular but legally complex practice in Spain).

Fines and Penalties

GDPR allows fines up to EUR 20 million or 4% of global annual turnover (whichever is higher) for the most serious violations. The AEPD regularly imposes fines in the EUR 50,000–300,000 range for medium-sized companies and has issued fines exceeding EUR 5 million for large organisations.

LOPD-GDD Additions Beyond GDPR

The LOPD-GDD adds specifically Spanish rights and obligations not found in base GDPR:

  • Right to digital disconnection at work (derecho a la desconexión digital)
  • Right not to be subject to automated profiling in employment decisions
  • Specific rules for processing data of deceased persons

How BMC Can Help

We carry out GDPR compliance audits, prepare ROPA registers and internal policies, negotiate DPAs with suppliers, support DPO designation, manage AEPD complaints and investigations, and advise on the data protection aspects of M&A transactions.

Frequently asked questions

How does the LOPD-GDD differ from the GDPR in Spain?
The GDPR (Regulation 2016/679) applies directly in Spain as EU law. The LOPD-GDD (Ley Orgánica 3/2018) is Spain's national implementation law that adapts the GDPR to Spain's constitutional framework — where privacy is a fundamental right under Article 18 — and adds Spanish-specific rules. Key LOPD-GDD additions include digital rights in employment (right to digital disconnection, right not to be profiled in HR decisions), detailed rules on employee monitoring, and specific provisions on processing data of deceased persons.
What fines can the AEPD impose for GDPR violations in Spain?
The AEPD can impose fines up to EUR 20 million or 4% of global annual turnover (whichever is higher) for the most serious GDPR violations, such as unlawful processing, inadequate security leading to a data breach, or denial of data subject rights. For less serious infringements, fines of up to EUR 10 million or 2% of global turnover apply. In practice, the AEPD regularly imposes fines in the EUR 50,000–300,000 range for medium-sized companies and has issued fines exceeding EUR 5 million for large organisations.
When is a Data Protection Officer (DPO) mandatory in Spain?
A DPO is mandatory under the GDPR for public authorities, companies that process sensitive data on a large scale, and companies that carry out large-scale systematic monitoring of individuals. Under Spain's LOPD-GDD, the obligation extends to educational institutions, credit entities, insurance companies, and several other categories. The DPO must be registered with the AEPD and can be an internal employee or an external provider.
What are Spain's cookie compliance requirements?
The AEPD's cookie guidance is among the most detailed in the EU. Analytics and advertising cookies are not "strictly necessary" and require specific, informed, freely given consent — pre-ticked boxes are invalid. Consent walls (blocking access to a website unless cookies are accepted) are permissible only in narrow circumstances and only where a genuine alternative is offered. Cookie consent must be as easy to withdraw as to give, and the AEPD actively enforces against non-compliant websites.
What GDPR obligations apply to employee data in Spain?
Employers processing employee data under GDPR must have a valid legal basis (usually contractual necessity or legal obligation). The LOPD-GDD adds specific rules: biometric data for time-and-attendance systems requires a specific legal basis under GDPR Article 9, and the AEPD's 2023 guidance on biometric processing treats employee consent as unreliable for this purpose because of the imbalance of power in the employment relationship; monitoring of communications at work requires prior notice to employees and worker representatives; and employees have a right to digital disconnection outside working hours. Payroll data, health surveillance records, and disciplinary records each have specific retention period requirements.