Skip to content
Our team

Bárbara Botía

Senior Lawyer — Legal Division

Areas of expertise

Data protection & privacy Corporate compliance Commercial and civil law Real estate law Legal due diligence

Specializations

  • External Data Protection Officer (DPO)
  • Legal cybersecurity
  • Due diligence on corporate transactions
  • Tourist rental & real estate regulation
  • Criminal compliance (Art. 31 bis CP)

Languages

Spanish English

Biography

Role

Bárbara Botía is part of the BMC team as Senior Lawyer — Legal Division, based in the Murcia office.

Practice areas

Book a consultation with Bárbara Botía

Pick a time that works for you. Instant confirmation · complimentary call · no commitment.

Loading availability…

Services led

Practice areas where Bárbara serves as lead advisor or active contributor

Criminal Compliance for Companies in Madrid

Criminal compliance for businesses in Madrid: Article 31 bis CP programme, whistleblowing channel Law 2/2023, compliance officer and Anticorruption Prosecutor defence.

View service
Cybersecurity Audit

Security posture assessment, compliance audits (ENS, ISO 27001, NIS2), vulnerability assessment, penetration testing management, and third-party risk evaluation.

View service
Cyber Insurance Advisory

Cyber insurance advisory: policy review, coverage gap analysis, risk quantification for underwriters, claims management, and pre-renewal security improvement roadmap.

View service
DORA Compliance (Digital Operational Resilience)

Full implementation of the DORA framework (Regulation 2022/2554) for financial entities: ICT risk management, incident reporting, resilience testing, and ICT third-party risk.

View service
Cybersecurity Incident Response

Incident response plans, tabletop exercises, breach containment, forensic investigation coordination, and regulatory notifications to AEPD and NIS2 supervisory authorities.

View service
ISO 27001 Certification

Information Security Management System implementation and ISO 27001:2022 certification: from gap analysis and Statement of Applicability through the certification audit.

View service
NIS2 Compliance

EU Network and Information Security Directive 2 compliance: scope assessment, control implementation, incident notification protocols, and board-level security governance.

View service
Virtual CISO

Outsourced Chief Information Security Officer for SMEs: strategic cybersecurity leadership, governance, and regulatory compliance without the cost of a full-time executive.

View service
Corporate Secretarial

End-to-end management of corporate obligations: general meetings, minutes, share register, accounts filing, and Commercial Registry matters.

View service
Entity Management

Full-service corporate entity administration that frees your leadership team from the operational burden of compliance.

View service
EU AI Act Compliance

Full compliance with the EU Artificial Intelligence Act: risk classification, conformity assessments, transparency obligations, and prohibited practice audits.

View service
Data Breach Management

Immediate data breach response: 72-hour AEPD notification, containment, impact assessment, affected individual communication, and post-breach remediation.

View service
AI Governance

AI governance frameworks, ethics committees, algorithmic auditing, bias detection, and AI system registries for responsible organisations.

View service
Compliance Risk Mapping

Comprehensive compliance risk mapping: regulatory obligation register, risk heat maps, multi-regulatory gap analysis (GDPR, NIS2, AI Act, AML), and regulatory change management.

View service
Cookie Compliance & Digital Consent

Cookie audit, Consent Management Platform implementation, LSSI-CE compliance, and ePrivacy Regulation preparation for websites and digital platforms.

View service
High-Risk AI Systems

AI Act compliance for high-risk AI systems: conformity assessments, technical documentation, CE marking, post-market monitoring, and EU database registration.

View service
Outsourced DPO (Data Protection Officer)

Fully outsourced Data Protection Officer service: continuous GDPR compliance, AEPD liaison, supervisory authority management, and annual compliance reviews.

View service
International Data Transfers

Cross-border data transfer compliance: Standard Contractual Clauses, Transfer Impact Assessments, EU-US Data Privacy Framework, and Binding Corporate Rules for multinational groups.

View service
Data Protection Impact Assessment (DPIA)

Structured DPIA methodology for high-risk processing: risk identification and mitigation, AEPD prior consultation management, and AI system impact assessments.

View service
Privacy by Design

Article 25 GDPR implementation: privacy by design and by default for digital products, software, apps, and internal processes. Direct integration with product and engineering teams.

View service
Anti-Money Laundering (AML)

AML/CFT compliance programme for entities subject to Spain's Law 10/2010: policies, procedures, training, and SEPBLAC liaison.

View service
Criminal Compliance

Corporate criminal compliance programmes to exempt or mitigate the criminal liability of legal entities under Article 31 bis of the Spanish Criminal Code.

View service
Criminal Defence for Money Laundering

Specialised legal defence for individuals and companies investigated for money laundering (Art. 301–304 CP). Technical defence of rights before the judicial police, the Public Prosecutor's Office and the examining courts.

View service
Criminal Defence for Tax Fraud

Tax crime defence (Art. 305 CP): expert quantification of the evaded tax quota, voluntary disclosure before charge, and litigation strategy from the AEAT inspection through to oral trial.

View service
Criminal Defence for Unfair Administration

Specialised legal defence for directors, authorised signatories and executives investigated for unfair administration (Art. 252 CP). Comprehensive strategy from investigation to trial, with coordination of parallel civil corporate liability proceedings.

View service
DAC8 and Crypto-Asset Tax Obligations

Advisory on compliance with the DAC8 Directive (EU 2023/2226) on crypto-asset information exchange, in force from 2026. Obligations for CASP providers and user reporting.

View service
Financial Regulatory (CNMV, Banco de España, MiCA, MiFID II)

Financial regulatory advisory for financial entities, fintechs, and crypto-asset businesses in Spain: CNMV and Banco de España authorisations, MiCA compliance, MiFID II, PSD3, Solvency II, AML. Licences for EAFIs, SGIIC, payment institutions, and crypto-asset service providers.

View service
Data Protection & Privacy

GDPR and LOPDGDD compliance, outsourced DPO, and comprehensive privacy management for businesses.

View service
Internal Corporate Investigations

Independent internal investigations triggered by whistleblower reports (Law 2/2023), workplace harassment, fraud, bribery, and data breaches — forensic methodology, digital chain of custody, and criminal coordination.

View service
Whistleblowing Channel (EU Directive)

Implementation of internal whistleblowing channels under Spanish Law 2/2023 transposing EU Directive 2019/1937. Full Internal Information System design, investigation protocols, and confidentiality guarantees.

View service
Digital Evidence & E-Discovery

Digital evidence preservation with chain of custody, forensic IT coordination, e-discovery in arbitration and litigation, and acquisition of admissible electronic evidence for Spanish and international proceedings.

View service

Request a personalized consultation

Our experts are ready to analyze your situation and provide tailored solutions.

Email
Contact