Any company that handles personal data (today virtually all of them do) is subject to a data protection framework that is neither optional nor graduated: you either comply or you do not, and the consequences range from multi-million euro fines to reputational damage that is difficult to reverse. In 2026, after eight years of GDPR application and more than seven years of the LOPDGDD in force, the AEPD has moved past the educational phase and sanctions regularly. This guide explains precisely what your company must do to be compliant.
Regulatory framework: GDPR, LOPDGDD and applicable guidelines
The General Data Protection Regulation (GDPR), applicable since 25 May 2018, is the primary reference text. It applies directly across the EU without requiring transposition and establishes the fundamental obligations for any controller or processor. Its extraterritorial effect (article 3.2) means it also binds companies established outside the EU when they offer goods or services to data subjects in the Union or monitor their behaviour there, regardless of where the servers or the company sit.
Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) adapts the GDPR to the Spanish legal order and adds its own obligations: it extends the sectors requiring a mandatory DPO, regulates the right to be forgotten on social media, establishes digital rights for workers (digital disconnection, video surveillance, geolocation) and sets the sanctioning criteria applied by the AEPD.
Alongside these two instruments, companies must be aware of AEPD guidelines and resolutions — available at aepd.es — and the European Data Protection Board (EDPB) guidelines, which interpret and develop specific aspects of the GDPR: legal bases for processing, impact assessments, breach notification, international transfers and cookies, among others. The consolidated text of the LOPDGDD is available at the BOE website.
Processing principles: the standard the AEPD verifies
Article 5 of the GDPR sets out the principles governing any processing of personal data. These are the parameters the Authority evaluates when investigating a company:
Lawfulness, fairness and transparency. Data must be processed on a valid legal basis, fairly and without deception, and the data subject must be clearly and accessibly informed of what is done with their data.
Purpose limitation. Data collected for a specific purpose cannot be used for purposes incompatible with the original one. If the company wishes to extend the use, it needs a new legal basis or the data subject’s consent.
Data minimisation. Only the data strictly necessary for the stated purpose should be processed. The practice of collecting data “just in case” violates this principle.
Accuracy. Data must be kept up to date. The company has an obligation to take reasonable steps to erase or rectify inaccurate data.
Storage limitation. Data cannot be retained indefinitely. Erasure timelines must be defined and documented for each category of processing.
Integrity and confidentiality. The controller must ensure the security of data through appropriate technical and organisational measures against unauthorised access, loss or destruction.
Accountability. This principle, set out in article 5.2 and developed in article 24 of the GDPR, obliges the controller not only to comply but to be able to demonstrate compliance. All compliance documentation (PAR, policies, processor contracts, legitimate-interest balancing tests, DPIAs) serves precisely this purpose: if it is not written down, the AEPD will treat it as not having been done.
Legal bases for processing: getting it right from the start
Before initiating any data processing, the company must identify which of the legal bases in article 6 of the GDPR applies. An incorrect legal basis — or the absence of one — is the most frequently sanctioned error by the AEPD.
Consent (art. 6.1.a). Must be freely given, specific, informed and unambiguous (art. 4.11). Tacit consent inferred from silence or inactivity, pre-ticked boxes and consent demanded as a condition of a service are not valid unless the processing is strictly necessary for that service (art. 7.4). It is revocable at any time, and withdrawal must be as easy as giving it. For special category data (health, racial or ethnic origin, political opinions, religious beliefs, sexual orientation, trade union membership, genetic and biometric data) explicit consent is required (art. 9.2.a), unless another article 9.2 exception applies.
Performance of a contract (art. 6.1.b). Covers processing necessary to execute or prepare the contract with the data subject: customer data for invoicing, employee data for managing the employment relationship. It does not justify ancillary or complementary processing beyond what is strictly necessary.
Legal obligation (art. 6.1.c). When a legal rule requires the processing: tax declarations, anti-money laundering, payroll records, electronic invoicing. No consent from the data subject is required in this case.
Legitimate interests (art. 6.1.f). Common in B2B contexts, direct marketing to existing customers or fraud prevention. Requires a three-step balancing test: the interest pursued must be legitimate, the processing must be necessary to achieve it, and the interests or fundamental rights of the data subject must not override it. The test and its outcome must be documented before processing starts, and the data subject must be told that this is the basis relied on. The AEPD has repeatedly rejected its use as a catch-all fallback when no other basis fits.
Processing Activity Register (PAR): content and maintenance
Article 30 of the GDPR requires a Processing Activity Register to be maintained. The exemption in article 30.5 applies only to organisations with fewer than 250 employees, and even then only if the processing is not likely to result in a risk to individuals' rights, is merely occasional, and does not include special category or criminal conviction data. Since almost every company processes employee and customer data on a regular basis, the exemption is very narrow in practice, and the AEPD recommends that all companies maintain a PAR.
The PAR must contain, for each processing activity:
- Name and contact details of the controller (and the representative if based outside the EU) and the DPO if one has been appointed
- Purpose of the processing
- Description of categories of data subjects and personal data processed
- Categories of recipients (including processors)
- International transfers and applicable safeguards
- Envisaged erasure timelines for each category
- General description of technical and organisational security measures
The PAR is not a document prepared once and filed away. It must be reviewed and updated whenever the company adds a new digital tool, engages a supplier who accesses customer or employee data, or modifies an internal process. The AEPD may request it at any time, and an incomplete or outdated PAR is an independent infringement.
When does a company need a DPO?
Article 37 of the GDPR establishes three mandatory DPO scenarios: public authorities, controllers whose core activities require large-scale, regular and systematic monitoring of data subjects, and controllers that process special category data on a large scale under article 9.
The LOPDGDD (article 34) extends this list for Spain to include specific sectors: credit institutions and credit finance establishments, insurers and reinsurers, investment services companies, electricity and gas distributors and retailers, professional associations, educational institutions and universities, telecommunications operators, information society service providers that profile users on a large scale, health centres obliged to keep clinical records, entities issuing commercial or credit reports, advertising and commercial prospecting companies that profile data subjects, online gambling operators and private security companies, among others.
For other companies, a DPO is not mandatory but is highly recommended when the volume or sensitivity of processing justifies it. The external DPO is the standard solution for SMEs: it provides access to the role without the cost of a dedicated employee and guarantees the independence the GDPR requires of the position.
The DPO's functions are prescribed in article 39 of the GDPR: informing and advising the controller, monitoring compliance, advising on impact assessments, cooperating with the supervisory authority, and acting as a contact point for the AEPD and data subjects. Under article 38.3, the DPO cannot be given instructions regarding the exercise of those functions, nor dismissed or penalised for performing them, and must report to the highest management level. The appointment must be communicated to the AEPD and the DPO's contact details published.
Data subject rights and response timelines
The GDPR grants data subjects a catalogue of rights that the company must be able to honour effectively:
- Access (art. 15): the data subject is entitled to know whether their data is being processed and to obtain a copy.
- Rectification (art. 16): correction of inaccurate or incomplete data.
- Erasure or right to be forgotten (art. 17): in specific prescribed circumstances: data no longer needed, withdrawal of consent, unlawful processing, legal obligation to erase.
- Restriction of processing (art. 18): suspension of processing while a dispute is resolved.
- Portability (art. 20): receive the data the data subject provided in a structured, commonly used and machine-readable format, when processing is based on consent or a contract and is carried out by automated means.
- Objection (art. 21): particularly relevant in direct marketing, where the right to object is absolute.
The response deadline is one month from receipt of the request. This can be extended by two further months when the complexity or volume of requests justifies it, provided the data subject is informed within the first month. Failure to respond within the deadline is a sanctionable infringement.
The company must set up effective channels for data subjects to exercise their rights: a web form, a dedicated email address or a postal address. It cannot charge fees unless requests are manifestly unfounded or excessive (art. 12.5). The channel must also include a proportionate identity check: where there are reasonable doubts about who is asking, the controller may request additional information to confirm identity (art. 12.6), and an access request answered to an impostor is itself a personal data breach.
Security breaches: notifying the AEPD within 72 hours
A security breach is any incident causing the destruction, loss, alteration, disclosure or unauthorised access to personal data. This includes common situations such as a mass email sent with all recipients visible in the CC field, the theft of a laptop containing customer data, or a ransomware attack.
Article 33 of the GDPR requires the breach to be notified to the AEPD without undue delay and, where feasible, within 72 hours of the controller becoming aware of it, unless the breach is unlikely to result in a risk to the rights and freedoms of the affected individuals. The burden of justifying that "unlikely" is on the controller, and every breach, notified or not, must be recorded internally with its facts, effects and remedial action (art. 33.5). If complete information is not available within 72 hours, an initial notification can be made and supplemented in phases; a notification after the deadline must state the reasons for the delay. Processors must notify the controller without undue delay, so processor agreements should fix a concrete internal deadline shorter than 72 hours.
The notification must include the nature of the breach, the categories and approximate number of data subjects and records affected, the DPO’s contact details, the likely consequences, and the measures taken or proposed to address the situation.
When the breach poses a high risk to data subjects — for example, exposure of health data, passwords or financial data — the company must also notify the affected individuals without undue delay, using clear and plain language. The AEPD may require this direct notification if the controller fails to carry it out.
Failure to meet the 72-hour deadline is one of the most frequently sanctioned infringements. In 2024, the AEPD initiated sanctioning proceedings for unreported or late-reported breaches with fines ranging from €50,000 to €300,000.
International transfers: the post-Schrems II framework
Any transfer of personal data to a country outside the European Economic Area (EEA) requires an adequate safeguard. The applicable framework is Chapter V of the GDPR (articles 44 to 49): adequacy decisions under article 45, appropriate safeguards under article 46 and, only for occasional transfers, the derogations of article 49. Three mechanisms cover the vast majority of transfers:
European Commission adequacy decisions (art. 45). Allow data to be transferred without additional safeguards to the destination country. In 2026, the following countries and territories have adequacy decisions: United Kingdom (renewed), Japan, New Zealand, Canada (commercial organisations), Israel, Argentina, Brazil (2025), Switzerland, Uruguay, South Korea, Andorra, Faroe Islands, Guernsey, Isle of Man, Jersey, and the United States under the Data Privacy Framework (DPF), in force since July 2023. The DPF survived a first challenge before the General Court (Latombe, 2025), but it remains the third attempt at a US framework after Safe Harbor and Privacy Shield were annulled, so a company relying on it should keep SCCs as a fallback in its contracts.
Standard Contractual Clauses (SCCs). The SCCs adopted by the European Commission in June 2021 (Decision 2021/914) are the most widely used mechanism for transfers to countries without an adequacy decision. They must be incorporated unmodified into the contract with the foreign provider, selecting the module that matches the relationship (controller-to-processor, processor-to-processor, etc.), and clause 14 requires a documented Transfer Impact Assessment (TIA) evaluating whether the law and practice of the destination country guarantee essentially equivalent protection to that in the EU. If the TIA reveals deficiencies, supplementary measures must be implemented: encryption with keys held only in the EU, pseudonymisation before export, or an architecture that keeps the personal data from leaving the EEA in the first place.
Binding Corporate Rules (BCRs). A mechanism specific to multinational groups transferring data between their entities. Requires approval from the competent supervisory authority.
Everyday tools such as Google Workspace, Microsoft 365, Salesforce or email marketing platforms involve transfers to the US that must be covered by the DPF or by SCCs. The DPF only covers organisations that have self-certified, so the practical check is to confirm the specific provider entity appears on the official DPF list maintained by the US Department of Commerce, and to keep a dated copy of that check with the PAR entry; if it does not appear, the provider's SCCs and a TIA are required. It is common for companies to use these tools without having updated their PAR or formalised the required safeguards, which constitutes an infringement of articles 44 to 49 of the GDPR.
AEPD fines in 2024–2026: amounts and real cases
The GDPR provides for two bands of fines (article 83): up to €10 million or 2% of total worldwide annual turnover of the preceding year, whichever is higher, for the infringements listed in article 83.4, and up to €20 million or 4% for those in article 83.5 (processing principles, legal bases, data subject rights, international transfers). The LOPDGDD (articles 72 to 74) classifies infringements as very serious, serious and minor, but this classification governs limitation periods and graduation criteria, not separate monetary ceilings: the amounts remain those of article 83 GDPR. Public administrations are subject to warnings rather than fines (article 77 LOPDGDD).
Representative cases from 2024–2026:
- Telecoms company, fine of €6.2 million (2024): large-scale processing of customer data without a valid legal basis and failure to fulfil the duty to inform data subjects in marketing campaigns.
- Dental clinic, €150,000 (2024): disclosure of medical records to an insurer without explicit consent, and absence of a mandatory DPO.
- HR platform, €300,000 (2025): transfers to the US without SCCs or an adequacy assessment following a change of cloud provider.
- Distribution company, €75,000 (2025): installation of CCTV cameras with a field of view over a public road, without adequate signage and without a legal basis for processing employee data.
- Educational institution, €50,000 (2026): retention of former students’ data for over ten years without justification and without a documented erasure policy.
The differentiating factor in sanctioning is reoffending, intent and, above all, attitude towards the Authority: companies that demonstrate active compliance programmes, notify breaches on time and cooperate with investigations receive significant reductions.
What to do now: a compliance roadmap
The starting point for any company is a data protection audit that maps all active processing activities, identifies legal bases, detects unformalised international transfers, assesses existing security measures and determines whether DPO appointment is mandatory. For higher-risk processing, this audit should be accompanied by a data protection impact assessment (DPIA). From there, the compliance programme includes:
- Drawing up or updating the PAR with all processing activities
- Reviewing and updating information texts (contract clauses, website, forms)
- Formalising processor agreements with all suppliers who access personal data
- Regularising international transfers (SCCs, TIA, DPF as applicable)
- Establishing protocols for responding to data subject rights requests and security breaches
- Assessing whether a DPO is required and, if so, appointing one — internal or external
- Conducting impact assessments (DPIAs) for high-risk processing activities (art. 35 GDPR)
The GDPR does not reward static perfection: it rewards documented continuous improvement. A living compliance programme, reviewed periodically, is the best defence against an AEPD investigation.
For an assessment of your company’s compliance status, contact BMC’s data protection team or enquire whether your organisation needs an external DPO.
This article is for informational purposes only and does not constitute legal advice. For an analysis specific to your situation, please consult a data protection specialist. If you are interested in data processing in artificial intelligence contexts, see our analysis on the intersection between the AI Act and the GDPR.