GDPR Data Protection: Full Compliance with Complete Guarantees

Data protection in Spain is governed by two complementary frameworks: the EU General Data Protection Regulation (GDPR, Regulation 2016/679), which applies directly across all EU member states, and Spain's Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD), which adapts and complements the GDPR in areas where member states retain discretion. The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), which can impose administrative fines of up to EUR 20 million or 4% of global annual turnover for serious violations. Controllers processing personal data must maintain a Record of Processing Activities, establish lawful legal bases for each processing activity, implement technical and organisational security measures, and manage data subject rights within statutory deadlines.

Our privacy team combines legal expertise in the GDPR and LOPDGDD with practical experience implementing privacy management systems across companies of all sectors and sizes.

The Compliance Gap Most Companies Don’t See

The GDPR came into force in 2018. Six years later, a significant proportion of Spanish companies remain materially non-compliant — not because they are unaware of the regulation, but because they have implemented only its most visible requirements (a privacy policy, a cookie banner) while leaving the structural foundations of compliance incomplete. The records of processing activities are missing or out of date. Processor contracts with cloud providers have never been reviewed for standard contractual clause compliance. The data breach protocol exists as a document but has never been tested. The DPO, if appointed, is a formality rather than a functioning role.

The AEPD is an active enforcement authority. Its sanctioning decisions — regularly exceeding millions of euros for serious violations — confirm that Spanish companies are not being given a pass. The question for most businesses is not whether they need to comply, but how to close the gap efficiently without overinvesting in bureaucracy.

Building a Functional Privacy System

Our approach begins with a structured gap analysis. We map your data flows: what personal data you collect, on what legal basis, for what purpose, how long it is retained, with which third parties it is shared, and whether any of those third parties are outside the European Economic Area. Most companies are surprised by the scope of their own processing — employee monitoring tools, CRM systems, analytics platforms, payroll processors — each of which requires a correctly structured processor agreement and, in some cases, a data protection impact assessment (DPIA).

The result of the gap analysis is a prioritised action plan. We implement the records of processing, update privacy notices, revise processor contracts, and establish a breach-response protocol that can meet the 72-hour AEPD notification deadline in practice, not just in theory. For companies that have undergone mergers or acquisitions, we audit the privacy compliance of integrated entities, which frequently have different systems and documentation standards.

The DPO as a Strategic Role

The outsourced DPO service goes beyond regulatory box-ticking. An effective DPO advises on the privacy implications of new products and marketing campaigns before they launch, flags the data-protection requirements of new supplier contracts before they are signed, and manages the relationship with the AEPD when complaints or investigations arise. We provide this function for over 100 organisations, from SMEs processing modest volumes of customer data to regulated entities handling sensitive health or financial information.

For companies launching new digital products or using AI-powered tools, privacy by design is a legal obligation under Article 25 of the GDPR, not an optional best practice. We integrate with your product and technology teams to embed privacy requirements from the earliest design stage — a far more efficient approach than retrofitting compliance after launch.

Privacy in Corporate Transactions

Privacy due diligence is now standard in any transaction involving a data-intensive business. A target company’s GDPR compliance status affects its valuation, the representations and warranties it can give, and the post-acquisition integration plan. We audit target companies’ privacy frameworks, quantify the remediation cost of identified gaps, and advise acquirers on the indemnities and conditions that should be included in the purchase agreement.