At BMC we see the legal environment as a strategic lever for your business. Our legal department delivers a proactive service focused on preventing risks and resolving conflicts with maximum efficiency — from drafting commercial contracts to defending insolvency proceedings.
We cover all critical areas of business law: commercial law, criminal compliance, employment law, data protection, anti-money laundering (AML) and commercial debt recovery. Every solution is tailored to the specific characteristics of your sector and your business objectives.
Our team combines legal expertise with commercial acumen, enabling us to deliver practical, results-oriented legal advisory for businesses. We do not simply tell you what the law says; we show you how to use it to your advantage.
A legal practice built for growing businesses
Most business disputes do not arise in courtrooms — they arise in poorly drafted clauses, absent compliance programmes, defective board minutes or incomplete data protection protocols. Our model of corporate legal advisory places prevention ahead of resolution.
Services are therefore structured around four blocks: regulatory protection (compliance, AML/PBC, data protection), ordinary corporate activity (contracts, board acts, shareholders’ agreements), litigation (debt recovery, defence in proceedings) and exceptional situations (insolvency proceedings, second chance law, restructurings).
Legal practice areas
Compliance and regulatory obligations
- Criminal compliance: Design and implementation of criminal compliance programmes under Art. 31 bis of the Criminal Code. Risk maps, code of ethics, whistleblower channel, training and system governance. See the criminal compliance guide 2026 and the implementation checklist for practical guidance.
- Anti-money laundering (AML/PBC): Prevention manual, customer identification, management of suspicious transactions before SEPBLAC and AML obligations for obligated entities.
- Whistleblower channel: Implementation of the internal reporting system under Law 2/2023. Our whistleblower channel guide and implementation guide are the operational reference.
- Compliance risk mapping: Cross-cutting diagnostic and prioritisation of compliance controls in medium and large organisations.
- AI Act compliance and AI governance: Advisory on high-risk AI systems and the intersection between AI and data protection.
- NIS2 compliance and ISO 27001 certification: Adaptation to the NIS2 Directive, implementation of cybersecurity controls and design of the virtual CISO and corporate cyber insurance.
Commercial and corporate law
- Commercial law: Ongoing corporate legal advisory, routine corporate transactions, board minutes and resolutions and formalisation of shareholders’ agreements.
- Commercial contracts: Drafting, negotiation and review of complex contracts — distribution, agency, franchise, SaaS, licences, NDAs, joint ventures and international commercial agreements.
- Corporate governance: Design of board regulations, conflict-of-interest policies, and adaptation to corporate governance recommendations for listed and non-listed companies.
- Intellectual property: Protection of trademarks, patents, copyright and trade secrets.
- Commercial lawyers in Málaga: Local presence for businesses in southern Spain.
Employment law
- Employment law: Ongoing employment advisory, review of employment contracts, objective and disciplinary dismissals, collective bargaining and equality plans.
- Collective redundancy (ERE) and flexibility measures: Negotiation of ERE and ERTE, geographical and functional mobility, and legislative change response strategies.
- Employment lawyers in Madrid: Procedural defence before the social jurisdiction and administrative bodies.
Data protection, cybersecurity and digital rights
- International data transfers: Advisory on standard contractual clauses (SCCs), binding corporate rules and post-Schrems II transfer adequacy.
- Digital evidence: Digital forensics for disciplinary dismissal, information leakage, business fraud or internal investigation proceedings.
Debt recovery, insolvency and second chance
- Debt recovery: Out-of-court recovery, payment orders, enforcement proceedings and asset seizure for corporate creditors.
- Insolvency proceedings: Debtor and creditor defence in insolvency, insolvency administrator services, and evaluation of alternatives to liquidation and restructuring options.
- Second Chance Law: Advisory to self-employed individuals and private persons on debt discharge, including public debt cancellation following the Supreme Court’s 2026 ruling.
Mediation, arbitration and dispute resolution
- Business mediation: Civil and commercial mediation, mandatory mediation (MASC) introduced by the 2025 procedural reform, and commercial arbitration.
Relevant case studies
- Criminal compliance programme implementation for an 800-employee construction group, which served as an effective defence against a criminal investigation.
- Data protection breach management in a hospital clinic with AEPD notification and containment without sanction.
- Multinational employment defence in a collective dispute affecting four work centres.
- Collective redundancy negotiation (ERE) in the retail sector with settlement 22% below the provisioned cost.
- AML programme for real estate operator including manual, training and full implementation.
- Commercial debt recovery with full recovery of principal and legal costs.
- Second Chance Law for hospitality entrepreneur with cancellation of 92% of liabilities and business activity rebuild.
When to contact the legal team
We recommend contacting our practice for business legal advisory when:
- Your company exceeds 50 employees and needs to implement the mandatory whistleblower channel.
- You operate in a sector subject to AML obligations (real estate, luxury goods, professional services, jewellery, crypto assets).
- You are negotiating a significant commercial contract — international distribution, SaaS, joint venture, master agreement with a key account — and want a review before signing.
- You are considering a dismissal with risk of unfair dismissal finding, or collective bargaining for an ERE/ERTE.
- You face a legal claim, administrative request or an inspection from the AEPD.
- A supplier or customer has defaulted and you need to decide between a payment order, enforcement action, ordinary claim or mediation.
- Your activity is affected by the entry into force of NIS2, the AI Act or data protection reforms.
- You are in a situation of financial stress and are analysing pre-insolvency options or insolvency proceedings.
- As a self-employed person or private individual, you want to assess whether the Second Chance Law offers a route out of an over-indebtedness situation.
A no-commitment initial legal consultation is the first step to defining legal priorities, sizing risks and establishing the rhythm of ongoing advisory.
The regulatory landscape: what companies need to manage in 2026
The legal compliance environment for businesses operating in Spain has undergone a significant transformation in the last three years, driven by the simultaneous entry into force of multiple EU frameworks. The combined effect of the GDPR enforcement maturation, Law 2/2023 (Whistleblower Protection), Law 28/2022 (Startups Act), the NIS2 Directive transposition, the AI Act (Regulation 2024/1689/EU), and the DORA Regulation for financial entities has created a layered compliance obligation that most legal departments — and all small and medium enterprises without in-house counsel — cannot address without external support.
Data protection and the AEPD remain the most active enforcement area. The AEPD issued EUR 36.5M in sanctions in 2024, with fines against companies of all sizes — not only multinationals. The average fine for failure to appoint a DPO in sectors where appointment is mandatory was EUR 60,000. For SMEs, the most common violations relate to insufficient legal basis for processing, absence of processor agreements with suppliers, and failure to document breach notification decisions. Our data protection and outsourced DPO practices address these gaps systematically.
NIS2 (Directive 2022/2555/EU, transposed into Spanish law in 2024) introduces mandatory cybersecurity risk management and incident reporting obligations for essential and important entities across 18 sectors including energy, transport, health, financial infrastructure, digital infrastructure, and B2B ICT services. Companies in scope face potential fines of up to EUR 10M or 2% of global turnover for essential entities, and EUR 7M or 1.4% for important entities. The NIS2 compliance practice manages the gap assessment, technical and organisational measure implementation, and incident reporting protocol design.
The AI Act (Regulation 2024/1689/EU, application from August 2026 for high-risk AI systems) imposes conformity assessment, transparency, documentation, and human oversight obligations on developers and deployers of AI systems. Companies using AI in HR decisions, credit scoring, access to essential services, or biometric identification face the strictest requirements. Our AI Act compliance and AI governance practices are already managing the gap analysis and compliance roadmap for companies preparing for the August 2026 implementation deadlines.
Commercial contracts: the legal infrastructure of the business
A company’s contractual framework is its first line of legal protection. Commercial contracts that are poorly drafted — or simply not drafted, with orders governed only by general trading terms or informal exchanges — are the single most common source of commercial disputes. The key areas of contractual risk that we address are:
Liability caps and limitation of liability clauses: under Spanish law, liability limitation clauses in B2B contracts are generally enforceable, but they must be sufficiently prominent and specifically agreed. The absence of a cap — or a cap that is effectively uncapped by the complexity of consequential damage claims — creates exposure that the commercial team typically does not quantify at contract negotiation stage.
Termination and exit mechanisms: the right to terminate for cause, the remediation period, the consequences of termination (compensation, IP ownership, customer data return) and the survival of post-termination obligations are areas where standard template contracts typically provide inadequate protection. We review and renegotiate these provisions in key commercial relationships.
International contracts and governing law: contracts with counterparties in other jurisdictions require attention to governing law, jurisdiction clauses, and the enforcement of judgments. A Spanish governing law clause with a Madrid court jurisdiction clause is not automatically enforceable against a foreign defendant — enforcement requires an exequatur proceeding or the availability of a bilateral treaty. For high-value international contracts, we advise on ICC or LCIA arbitration as an alternative to state court litigation.
Employment law: managing people compliantly in Spain
Spain has one of the most complex employment regulatory frameworks in the EU, combining the Workers’ Statute (Real Decreto Legislativo 2/2015), multiple sector collective agreements, and a Social Jurisdiction that is generally employee-protective. Key areas where companies make costly mistakes include:
The misclassification of employment relationships — treating what is effectively an employee relationship as a service provider or freelance relationship — creates significant retrospective social security and income tax obligations when identified in an inspection. The criteria for reclassification (dependence, exclusivity, organisational integration) are assessed factually by the labour inspectorate and the courts.
Dismissal procedures are subject to formal requirements that, if not followed precisely, can convert an otherwise justified dismissal into an unfair dismissal with the associated compensation. The disciplinary letter must specify the acts, dates, and the applicable collective agreement clause; the objective dismissal letter must be accompanied by a mandatory severance payment (twenty days per year of service) at the moment of delivery. Missing either of these requirements is a formal defect that renders the dismissal unfair regardless of the substantive grounds.
The 37.5-hour working week reform introduced by Royal Decree-Law 2/2025 (effective from 1 January 2026 for most sectors) reduces the standard working week from 40 to 37.5 hours. Companies must adapt collective agreements, working hour registries, and remuneration structures by the applicable implementation date for each sector.
AML compliance: obligations for professional services firms
Anti-money laundering (AML) regulations in Spain — governed by Law 10/2010 on the prevention of money laundering and terrorist financing, implementing the EU’s Fourth and Fifth AML Directives — impose specific obligations on professional service firms including lawyers, accountants, tax advisors, real estate agents, notaries and company formation agents. These obligations include: customer due diligence (KYC) procedures, identification of beneficial owners, assessment of the business relationship’s purpose, enhanced due diligence for high-risk customers and PEPs (politically exposed persons), and suspicious activity reporting to SEPBLAC (the Spanish financial intelligence unit).
Failure to comply with AML obligations in professional services contexts is a serious regulatory risk. SEPBLAC has increased inspection activity significantly since 2023, and fines for non-compliant obligated entities range from EUR 60,000 to EUR 10M for serious infringements. Our AML compliance practice designs prevention manuals, implements KYC procedures, delivers staff training, and manages relations with SEPBLAC for professional services firms across all obligated sectors.
Insolvency and restructuring: protecting interests in financial distress
When a company faces financial distress, legal advisory becomes critical across multiple simultaneous dimensions: negotiation with creditors, management of cash flow and payment priorities, assessment of director liability exposure, and evaluation of restructuring alternatives versus formal insolvency proceedings. The reformed Insolvency Act (Ley Concursal) provides a range of tools — from informal negotiation and pre-insolvency moratoriums to the formal concurso de acreedores and the new Plan de Reestructuración — and the optimal choice depends on the composition of the creditor base, the availability of viability as a going concern, and the timeline available before formal insolvency becomes unavoidable.
Director liability (responsabilidad de administradores) is a specific risk in insolvency situations. Directors who fail to file for insolvency within two months of the company becoming insolvent, who continue incurring new debt after insolvency, or who are found to have engaged in conduct that caused or worsened the insolvency, may face personal liability for the company’s debts. Our director liability advisory addresses this risk proactively — advising on the obligations and protected actions available to directors in distress situations before liability crystallises.
Related Insights
Go deeper with our most recent analysis:
-
Anti-Money Laundering: Company Obligations — Who is obligated, what controls SEPBLAC requires, and penalties for non-compliance
-
Board Compliance Spain: Director Obligations — Fiduciary duties, personal liability exposure and protection measures for directors
-
Criminal Compliance in Spain 2026: 3-Step Setup — Building an effective compliance programme under Article 31 bis of the Criminal Code
-
Corporate Governance for SMEs in Spain: Practical Guide — How to structure the board, shareholder agreements and conflict-of-interest policies
-
Buying a Business in Spain 2026: Step-by-Step Guide — Legal and tax aspects of corporate acquisitions and asset deals
-
Due Diligence Cost in Spain 2026: A Practical Pricing Guide — What a full due diligence covers, how long it takes, and fee ranges by deal size
-
Spanish Criminal Code: complete reference guide — CP LO 10/1995: arts. 248 fraud, 252 misappropriation, 390 falsification, 31 bis corporate criminal liability, 310 bis ta
-
Spanish Civil Code: complete reference guide — Spanish CC (RD 1889): books, art. 1902 extra-contractual liability, arts. 1091-1258 contracts, succession, private inter
-
Spanish General Social Security Act: complete guide for companies and self-emplo — Everything about the LGSS (RD Leg. 8/2015): affiliation, contributions, pensions, unemployment benefit, RETA for self-em
-
Spanish Social Jurisdiction Act: complete guide for companies — Everything about the LRJS (Ley 36/2011): ordinary labour proceedings, dismissal, collective disputes, suplicación appeal
-
Spanish Judiciary Act: guide for companies and litigants — Everything about the LOPJ (LO 6/1985): organisation of the Spanish justice system, Supreme Court, CGPJ, civil, criminal,
-
Remote Work in Spain for a Foreign Employer: Where Is Social Security Due? — EU Reg. 883/2004: remote workers relocated to Spain must contribute to Spanish Social Security. Two compliance routes an
-
From Regularisation to Permanent Residence and Nationality: The Complete Roadmap — What comes after the first residence permit: renewals, long-term residence (5 years) and the path to Spanish nationality
-
Municipal Registration (Empadronamiento): The Key Proof of Residence in Immigrat — How to use empadronamiento to prove residence for arraigo, regularisation and immigration permits. What it certifies, ho