GDPR Data Protection: Full Compliance with Complete Guarantees
GDPR and LOPDGDD compliance, outsourced DPO, and comprehensive privacy management for businesses.
Why GDPR compliance goes far beyond a privacy policy
Does this apply to your business?
Do you know every category of personal data your company processes, the legal basis for each processing activity, and how long it is retained?
Are all your cloud-service and data-processor contracts GDPR-compliant, including standard contractual clauses for international transfers?
Does your company have a documented breach-response protocol that can meet the 72-hour AEPD notification deadline?
Are your new products and internal systems designed with privacy by default, or is data protection added as an afterthought?
Our GDPR privacy management system implementation process
Diagnostic & gap analysis
We assess your company's current GDPR compliance: data flows, legal bases, security measures, processor contracts, and data subject rights.
Privacy system design
We implement the records of processing activities, privacy policies, procedures for exercising rights, data protection impact assessments (DPIAs), and a breach management protocol.
Training & privacy culture
We train teams on data protection obligations and build a privacy-by-design culture throughout the organisation.
Outsourced DPO & maintenance
We assume the functions of Data Protection Officer when mandatory or voluntary, and keep the system updated in response to regulatory changes and new processing activities.
The challenge
GDPR fines can reach 4% of global annual turnover or EUR 20 million. Beyond the fines, a data breach can irreversibly destroy the trust of clients and partners. Many companies believe they are compliant when in reality they have significant gaps in their privacy framework.
Our solution
We design and implement complete, auditable privacy management systems tailored to each company's reality. From the records of processing activities to contractual clauses with third parties, we cover all aspects of GDPR compliance and provide an outsourced DPO service when the regulation requires or recommends it.
Data protection in Spain is governed by two complementary frameworks: the EU General Data Protection Regulation (GDPR, Regulation 2016/679), which applies directly across all EU member states, and Spain's Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD), which adapts and complements the GDPR in areas where member states retain discretion. The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), which can impose administrative fines of up to EUR 20 million or 4% of global annual turnover for serious violations. Controllers processing personal data must maintain a Record of Processing Activities, establish lawful legal bases for each processing activity, implement technical and organisational security measures, and manage data subject rights within statutory deadlines.
Our privacy team combines legal expertise in the GDPR and LOPDGDD with practical experience implementing privacy management systems across companies of all sectors and sizes.
The Compliance Gap Most Companies Don’t See
The GDPR came into force in 2018. Six years later, a significant proportion of Spanish companies remain materially non-compliant — not because they are unaware of the regulation, but because they have implemented only its most visible requirements (a privacy policy, a cookie banner) while leaving the structural foundations of compliance incomplete. The records of processing activities are missing or out of date. Processor contracts with cloud providers have never been reviewed for standard contractual clause compliance. The data breach protocol exists as a document but has never been tested. The DPO, if appointed, is a formality rather than a functioning role.
The AEPD is an active enforcement authority. Its sanctioning decisions — regularly exceeding millions of euros for serious violations — confirm that Spanish companies are not being given a pass. The question for most businesses is not whether they need to comply, but how to close the gap efficiently without overinvesting in bureaucracy.
Building a Functional Privacy System
Our approach begins with a structured gap analysis. We map your data flows: what personal data you collect, on what legal basis, for what purpose, how long it is retained, with which third parties it is shared, and whether any of those third parties are outside the European Economic Area. Most companies are surprised by the scope of their own processing — employee monitoring tools, CRM systems, analytics platforms, payroll processors — each of which requires a correctly structured processor agreement and, in some cases, a data protection impact assessment (DPIA).
The result of the gap analysis is a prioritised action plan. We implement the records of processing, update privacy notices, revise processor contracts, and establish a breach-response protocol that can meet the 72-hour AEPD notification deadline in practice, not just in theory. For companies that have undergone mergers or acquisitions, we audit the privacy compliance of integrated entities, which frequently have different systems and documentation standards.
The DPO as a Strategic Role
The outsourced DPO service goes beyond regulatory box-ticking. An effective DPO advises on the privacy implications of new products and marketing campaigns before they launch, flags the data-protection requirements of new supplier contracts before they are signed, and manages the relationship with the AEPD when complaints or investigations arise. We provide this function for over 100 organisations, from SMEs processing modest volumes of customer data to regulated entities handling sensitive health or financial information.
For companies launching new digital products or using AI-powered tools, privacy by design is a legal obligation under Article 25 of the GDPR, not an optional best practice. We integrate with your product and technology teams to embed privacy requirements from the earliest design stage — a far more efficient approach than retrofitting compliance after launch.
Privacy in Corporate Transactions
Privacy due diligence is now standard in any transaction involving a data-intensive business. A target company’s GDPR compliance status affects its valuation, the representations and warranties it can give, and the post-acquisition integration plan. We audit target companies’ privacy frameworks, quantify the remediation cost of identified gaps, and advise acquirers on the indemnities and conditions that should be included in the purchase agreement.
Legal Bases Under the GDPR: Getting the Foundations Right
One of the most frequent sources of GDPR non-compliance among Spanish businesses is the incorrect selection of the legal basis for data processing. The GDPR establishes six alternative legal bases under Article 6, and choosing the wrong one has consequences that go beyond formalism: it conditions data subjects’ rights, the possibility of international transfers, and permissible retention periods.
Consent is the most visible basis — the one that appears in cookie banners and web forms — but also the most fragile. The GDPR requires it to be freely given, specific, informed, and unambiguous, and revocable at any time without consequence. Consent is not an appropriate legal basis for processing that is necessary to perform a contract or fulfil a legal obligation: using it in those cases creates a false right of objection that does not actually exist.
Performance of a contract is the correct basis for customer data processing that is necessary to deliver the contracted service: contact data, payment data, purchase history to the extent needed for fulfilment. It cannot be extended to accessory or ancillary processing beyond the core service.
Legitimate interests (Article 6(1)(f)) is the most flexible basis and the one that generates the most controversy in practice. It requires a three-step test: the interest pursued must be legitimate; the processing must be necessary for that interest; and the data subject’s fundamental rights and interests must not override the controller’s interest. The AEPD has applied a restrictive interpretation of legitimate interests in certain contexts — CCTV surveillance, direct marketing — and documenting the balancing test is essential to defending against complaints.
International Data Transfers in 2025-2026
Transfers of personal data outside the European Economic Area (EEA) require adequate safeguards under Chapter V of the GDPR. The landscape of valid mechanisms in 2025-2026 is more complex than in 2018, following the Schrems II judgment (C-311/18) and the EU-US Data Privacy Framework (DPF):
The EU Commission has adopted adequacy decisions for a limited number of countries — the UK, Japan, South Korea, Israel, Argentina, and the US under the DPF adopted in July 2023. The DPF has been challenged before the Court of Justice by Max Schrems (the so-called Schrems III case), with an uncertain outcome. Companies transferring data to DPF-certified US entities should maintain a Standard Contractual Clauses (SCCs) fallback in case the framework is invalidated.
Standard Contractual Clauses remain the most widely used mechanism in practice. The Commission adopted new model clauses in June 2021, with additional Transfer Impact Assessment (TIA) requirements that must be documented for each transfer. Many companies are still using the obsolete pre-2021 models. Binding Corporate Rules (BCRs) are the most robust mechanism for multinational groups with frequent intra-group transfers, but also the most costly to implement: they require approval by the lead supervisory authority (in Spain, the AEPD) and are best suited to groups with high volumes of cross-border intra-group data flows.
Data Breach Management: The 72-Hour Protocol in Practice
The 72-hour deadline for notifying a data breach to the AEPD (Article 33 GDPR) is one of the regulation’s best-known requirements and, in practice, one of the hardest to meet without prior preparation. The 72 hours run from the moment the data controller becomes aware of the breach — not from when it occurred, but from when it is detected — and they are calendar hours, not business hours.
The breach-response protocol we implement covers all phases: detection and identification (monitoring systems that generate alerts on anomalous access, data exfiltration, or accidental deletion); initial impact assessment (determining whether the breach poses a risk to the rights and freedoms of affected individuals, which is the notification threshold); AEPD notification within 72 hours with the information available at that point (supplementable in the following 72 hours); and, where the breach poses a high risk, individual communication to affected data subjects.
The AEPD has sanctioned companies not only for the underlying breach but for inadequate post-breach management: late notification, insufficient information in the notification, or failure to communicate to affected individuals when required. A well-designed, practised breach protocol — with at least annual tabletop exercises — dramatically reduces the regulatory risk after an incident. Coordination with the cybersecurity team and a virtual CISO is essential to ensure the protocol functions under the real pressure of an active incident.
GDPR enforcement in Spain: AEPD sanctions and case law
The Agencia Española de Protección de Datos (AEPD) is one of the most active data protection supervisory authorities in the EU, consistently ranking among the top three in number of annual decisions. Spanish enforcement patterns provide useful indicators of the specific GDPR provisions most likely to trigger formal investigations:
- Unlawful monitoring of employees (including GPS tracking of vehicles, email monitoring, keystroke logging): violations of LOPDGDD Article 87 (digital privacy at work) and GDPR Article 6 (lawful basis). Major sanctions have been issued against companies in the transport, logistics, and retail sectors.
- CCTV and biometric data: installation of cameras in workplaces without meeting the proportionality and information requirements of LOPDGDD Article 89, and the use of biometric authentication without explicit consent under GDPR Article 9(2) or a justification grounded in a collective bargaining agreement (CBA).
- Cookie compliance: the AEPD has issued guidance requiring genuine prior consent for non-essential cookies, and has sanctioned websites with confusing or pre-ticked consent mechanisms.
- Data subject rights non-response: failure to respond to access (Article 15), erasure (Article 17), or portability (Article 20) requests within the 30-day deadline is a common ground for AEPD complaints.
Our data protection service addresses each of these enforcement risk areas in the initial gap assessment, prioritising the issues most likely to attract regulatory attention in your sector.
Data protection in employment: the LOPDGDD dimension
For Spanish employers, the LOPDGDD introduces specific obligations beyond the GDPR: the right to digital disconnection (Article 88), information rights specific to employee monitoring (Articles 89 and 90), and limitations on the use of biometric data in access control (Article 91). The equality obligations in RD 902/2020 (pay transparency) also create data processing requirements, since pay audit data involves sensitive personal information, that require careful GDPR-compliant design.
Self-diagnostic: GDPR compliance health check
Review your organisation’s data protection posture against these indicators:
- Is your Record of Processing Activities (RoPA) current and does it accurately reflect all active processing operations, including cloud services and SaaS tools that process personal data?
- Does every material data processor relationship have a signed Data Processing Agreement meeting the Article 28 GDPR requirements?
- Have employees with access to personal data received GDPR training in the last 12 months — with records maintained?
- Do your website cookies require genuine prior consent for non-essential cookies, with a consent management platform that meets AEPD standards?
- Is there a documented, tested data breach response protocol that can meet the 72-hour AEPD notification deadline?
- Have data transfers to non-EEA countries been assessed for adequacy, with appropriate safeguards (SCCs, BCRs, adequacy decisions) documented for each transfer?
Deficiencies in any of these areas represent active GDPR risk. Our data protection audit addresses each of them systematically, delivering a prioritised gap report and implementation roadmap. Contact our DPO advisory team for an initial assessment.
International data transfers: SCCs and adequacy decisions
Following the Schrems II judgment (CJEU, July 2020) invalidating Privacy Shield, and the EDPB supplementary measures guidance, Spanish companies transferring personal data to non-EEA jurisdictions must rely on one of the GDPR Chapter V transfer mechanisms: adequacy decisions (UK, Japan, Canada, Switzerland, Israel, New Zealand, South Korea, the US under the EU-US Data Privacy Framework), Standard Contractual Clauses (SCCs — updated June 2021), Binding Corporate Rules (BCRs) for intra-group transfers, or derogations under Article 49 GDPR.
The practical challenge is that many Spanish SMEs are unaware they are making international transfers — because their cloud providers and SaaS tools are routing data through US or Asian data centres. AWS, Google Cloud, and Microsoft Azure offer EU-region instances that keep data in the EEA; verifying that these are actually configured and that no auxiliary services route data outside the EEA is a non-trivial technical and legal assessment. Our data protection team audits your actual data flows, not just your contractual map, to identify undocumented transfers.
Real results in data protection compliance
After a data breach incident that thankfully was caught early, we realised our privacy framework was not fit for purpose. BMC rebuilt our entire GDPR system in 60 days: records of processing, processor contracts, a real breach-response protocol, and staff training. Our outsourced DPO has been essential in maintaining that standard ever since.
What our data protection service includes
GDPR Gap Analysis & Compliance
Systematic review of current data processing activities, legal bases, processor contracts, privacy notices, and security measures against the full GDPR and LOPDGDD requirements.
Records of Processing Activities
Design and implementation of complete, auditable records covering all processing activities, data flows, retention schedules, and cross-border transfer mechanisms.
Outsourced DPO Service
Full assumption of Data Protection Officer functions for organisations where the role is mandatory or strategically advisable, including AEPD liaison and supervisory authority management.
Data Breach Management
Incident response protocol design, breach assessment, AEPD notification drafting within the 72-hour window, and communication management with affected data subjects.
Privacy by Design Consulting
Integration of data protection requirements into product development, software procurement, marketing campaigns, and HR systems from the design stage.
Results that speak for themselves
GDPR Healthcare Spain: Compliance Case Study
AEPD investigation closed with no sanction. Full GDPR compliance achieved across all group centres within 6 months.