FAQ
2026-06-05 00:00 data-protection

Data Protection & Privacy in Spain: Frequently Asked Questions

Data protection and privacy law in Spain operates under a dual framework: the EU General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 on Personal Data Protection and Guarantee of Digital Rights (Ley Orgánica de Protección de Datos y Garantía de los Derechos Digitales, LOPDGDD). Together, these instruments create one of the most detailed and actively enforced privacy regimes in Europe. For international businesses operating in Spain - whether through a subsidiary, a digital service, or a commercial agent - understanding this framework is not optional. The Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) is among the most active supervisory bodies in the EU, and its enforcement record demonstrates that procedural gaps translate directly into financial penalties. This article answers the most frequently asked legal questions on data protection and privacy in Spain, covering the legal basis of processing, rights of data subjects, cross-border transfers, breach notification, and enforcement.

What legal framework governs data protection in Spain

Spain's data protection regime rests on two pillars. The GDPR, which applies directly as EU law, sets the overarching principles, legal bases for processing, and rights of data subjects. The LOPDGDD supplements and adapts the GDPR to the Spanish legal context, addressing areas where the regulation expressly permits national derogations.

The LOPDGDD covers several topics that the GDPR leaves to member states. These include the minimum age for consent to digital services (set at 14 years under Article 7 LOPDGDD), specific rules on processing employee data (Articles 87-91 LOPDGDD), and the right to digital disconnection in the workplace. It also establishes the legal framework for the AEPD and defines the administrative infringement procedure applicable in Spain.

For businesses, the practical consequence is that GDPR compliance alone is insufficient. A company that has implemented a GDPR-compliant programme in Germany or France cannot assume automatic compliance in Spain. The LOPDGDD introduces obligations that are specific to the Spanish jurisdiction, and the AEPD interprets these provisions independently.

The AEPD operates under Royal Decree 389/2021, which governs its organisation and procedures. It has the power to investigate, impose corrective measures, and issue administrative fines. It also publishes binding criteria and non-binding guidelines that, in practice, define the compliance standard expected of controllers and processors operating in Spain.

A non-obvious risk for international groups is the interaction between the GDPR's one-stop-shop mechanism and the AEPD's jurisdiction. Where a company's main establishment is in another EU member state, the lead supervisory authority handles cross-border cases. However, the AEPD retains jurisdiction over purely domestic infringements and can act as a concerned supervisory authority in cross-border proceedings, meaning its positions carry weight even when it is not the lead authority.

Who must comply and what obligations apply

Any natural or legal person, public authority, or other body that determines the purposes and means of processing personal data of individuals located in Spain must comply with the GDPR and LOPDGDD. This includes companies established outside the EU that offer goods or services to individuals in Spain or monitor their behaviour, as provided under Article 3(2) GDPR.

The core obligations for controllers include the following:

  • Establishing and documenting a lawful basis for each processing activity under Article 6 GDPR.
  • Maintaining a record of processing activities (registro de actividades de tratamiento) under Article 30 GDPR.
  • Implementing appropriate technical and organisational measures under Article 25 GDPR (data protection by design and by default).
  • Appointing a Data Protection Officer (DPO) where required under Article 37 GDPR and Article 34 LOPDGDD.
  • Conducting a Data Protection Impact Assessment (DPIA) for high-risk processing under Article 35 GDPR.

The LOPDGDD expands the DPO appointment obligation beyond the GDPR's minimum requirements. Article 34 LOPDGDD lists categories of controllers and processors that must appoint a DPO regardless of whether their processing meets the GDPR thresholds. These include credit institutions, insurance companies, educational establishments, healthcare providers, and entities whose core activities involve large-scale processing of special categories of data.

A common mistake made by international clients is treating the record of processing activities as a one-time administrative exercise. In practice, the AEPD treats an outdated or incomplete record as evidence of systemic non-compliance, which can aggravate the severity of any infringement finding. The record must reflect the actual processing operations in real time, including any changes to data flows, retention periods, or third-party processors.

Processors - entities that process data on behalf of a controller - must operate under a written data processing agreement (DPA) that meets the requirements of Article 28 GDPR. The AEPD has sanctioned both controllers for failing to execute adequate DPAs and processors for processing data outside the scope of their instructions. The contractual relationship between controller and processor is therefore a direct compliance risk, not merely a commercial formality.

To receive a checklist of mandatory compliance obligations for controllers and processors operating in Spain, send a request to info@vlolawfirm.com

What are the rights of data subjects in Spain and how must they be handled

The GDPR grants data subjects a set of enforceable rights, and the LOPDGDD specifies how these rights operate in the Spanish context. Controllers must respond to requests within one calendar month, with a possible extension of two further months for complex or numerous requests, as provided under Article 12(3) GDPR.

The principal rights are:

  • Right of access (Article 15 GDPR): the data subject may obtain confirmation of whether their data is being processed and receive a copy.
  • Right to rectification (Article 16 GDPR): inaccurate data must be corrected without undue delay.
  • Right to erasure (Article 17 GDPR): the data subject may request deletion under specific conditions, including withdrawal of consent or the absence of a legitimate purpose.
  • Right to restriction of processing (Article 18 GDPR): processing may be limited pending resolution of a dispute about accuracy or lawfulness.
  • Right to data portability (Article 20 GDPR): data provided by the subject must be transmitted in a structured, machine-readable format where processing is based on consent or contract.
  • Right to object (Article 21 GDPR): the data subject may object to processing based on legitimate interests or for direct marketing purposes.

The LOPDGDD introduces additional rights specific to Spain. Article 85 LOPDGDD establishes the right to digital disconnection for employees, which obliges employers to adopt internal policies limiting contact outside working hours. Articles 93-94 LOPDGDD recognise the right to be forgotten in internet searches and social networks, creating obligations for search engine operators and social media platforms beyond what the GDPR explicitly requires.

In practice, handling data subject requests correctly requires a documented internal procedure. The AEPD has sanctioned controllers for failing to respond within the legal deadline, for providing incomplete responses, and for requiring data subjects to submit requests in a format that creates unnecessary barriers. A non-obvious risk is the interaction between the right to erasure and legal retention obligations: data that must be retained under Spanish tax law (Ley 58/2003 General Tributaria, Article 66) or commercial law (Código de Comercio, Article 30) cannot be erased simply because a data subject requests it, but the controller must communicate this clearly and restrict further processing of the retained data.

Many international businesses underappreciate the reputational and regulatory consequences of mishandling access requests. A data subject who receives no response, or an inadequate one, may file a complaint with the AEPD at no cost. The AEPD is obliged to investigate complaints and may open a formal infringement procedure on the basis of a single complaint, without requiring evidence of widespread harm.

How does Spain handle data breaches and what are the notification obligations

A personal data breach is defined under Article 4(12) GDPR as a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The GDPR and LOPDGDD impose a two-track notification obligation: notification to the supervisory authority and, in certain cases, notification to affected data subjects.

Controllers must notify the AEPD of a breach without undue delay and, where feasible, within 72 hours of becoming aware of it, as required by Article 33(1) GDPR. Where notification is not made within 72 hours, the controller must provide a reasoned explanation for the delay. The notification must include, at minimum, a description of the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

Where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must also notify the affected data subjects directly under Article 34 GDPR. The AEPD has published criteria for assessing the risk level of a breach, taking into account the sensitivity of the data, the number of individuals affected, and the ease with which the data could be used to cause harm.

A common mistake is delaying internal escalation of a suspected breach pending a full investigation. The 72-hour clock starts when the controller becomes aware of the breach, not when the investigation is complete. Controllers should therefore have an incident response procedure that triggers immediate internal notification and a preliminary assessment within the first hours of detection.

Processors face a parallel obligation under Article 33(2) GDPR: they must notify the controller without undue delay after becoming aware of a breach. The processor's notification to the controller is a contractual and regulatory obligation, and the absence of a clear escalation mechanism in the DPA is a risk that the AEPD has treated as an aggravating factor in enforcement proceedings.

The LOPDGDD does not introduce materially different breach notification requirements beyond the GDPR, but it reinforces the obligation to maintain documentation of all breaches, including those that do not require notification to the AEPD. Article 33(5) GDPR requires controllers to document all breaches, and the AEPD treats this documentation as a primary source of evidence in investigations.

To receive a checklist on data breach response procedures adapted to Spanish law, send a request to info@vlolawfirm.com

How does the AEPD enforce data protection law and what penalties apply

The AEPD is the competent supervisory authority for data protection in Spain. It investigates complaints, conducts proactive inspections, and issues administrative decisions. Its enforcement powers are derived from Article 58 GDPR and further specified in the LOPDGDD.

The GDPR establishes a two-tier penalty structure. Less serious infringements attract fines of up to EUR 10 million or 2% of total worldwide annual turnover, whichever is higher. More serious infringements - including violations of the basic principles of processing, conditions for consent, and data subjects' rights - attract fines of up to EUR 20 million or 4% of total worldwide annual turnover.

The LOPDGDD classifies infringements into three categories under Articles 72-74:

  • Very serious infringements (infracciones muy graves): these correspond broadly to the higher tier of GDPR fines and include processing data without a lawful basis, violating the conditions for consent, and transferring data to third countries without adequate safeguards.
  • Serious infringements (infracciones graves): these include failure to appoint a DPO where required, failure to conduct a DPIA, and failure to cooperate with the AEPD.
  • Minor infringements (infracciones leves): these include formal deficiencies in privacy notices and minor procedural failures.

The AEPD applies a set of aggravating and mitigating factors when calculating the specific fine amount. Aggravating factors include the intentional nature of the infringement, the duration of the violation, the number of data subjects affected, and prior infringements by the same controller. Mitigating factors include prompt remediation, cooperation with the AEPD, and the implementation of measures to reduce harm.

In practice, the AEPD has developed a specific methodology for calculating fines, published in its sanctioning procedure guidelines. This methodology applies a step-by-step approach that starts from a base amount determined by the seriousness of the infringement and adjusts it based on aggravating and mitigating factors. Controllers that proactively remediate identified issues before the AEPD opens a formal investigation are in a materially better position than those that wait for enforcement action.

The risk of inaction is concrete: the AEPD can open an investigation on the basis of a complaint, a media report, or its own initiative. Once a formal investigation is opened, the controller has limited time to respond - typically 15 business days for the initial response - and the procedural burden increases significantly. Engaging legal counsel at the earliest stage of an AEPD inquiry is consistently more cost-effective than attempting to manage the process without specialist support.

Beyond fines, the AEPD can impose corrective measures including temporary or permanent bans on processing, orders to erase data, and orders to bring processing operations into compliance within a specified period. These operational consequences can be more disruptive to a business than the financial penalty itself.

Cross-border data transfers from Spain: legal mechanisms and practical requirements

Transferring personal data from Spain to countries outside the European Economic Area (EEA) requires a legal mechanism under Chapter V GDPR. The available mechanisms are adequacy decisions, standard contractual clauses (SCCs), binding corporate rules (BCRs), and derogations for specific situations under Article 49 GDPR.

Adequacy decisions are issued by the European Commission and cover a limited number of countries. Where an adequacy decision exists, transfers may proceed without additional safeguards. For transfers to countries without an adequacy decision - including many jurisdictions where international businesses have operations - controllers must rely on SCCs or BCRs.

The European Commission adopted updated SCCs in June 2021. These replace the earlier model clauses and introduce a modular structure covering four transfer scenarios: controller to controller, controller to processor, processor to controller, and processor to processor. Controllers in Spain that rely on SCCs must use the updated versions and must complete a Transfer Impact Assessment (TIA) to verify that the legal framework of the recipient country does not undermine the protection afforded by the SCCs.

BCRs are an alternative mechanism for intra-group transfers within multinational companies. They require approval by the competent supervisory authority - in Spain, the AEPD where it is the lead authority - and involve a detailed application process that typically takes 12 to 18 months. BCRs are appropriate for large groups with complex intra-group data flows, but the procedural burden makes them unsuitable for smaller organisations or one-off transfer scenarios.

The derogations under Article 49 GDPR - including explicit consent and the necessity of the transfer for the performance of a contract - are available only in specific circumstances and cannot be used as a general substitute for SCCs or BCRs. The AEPD has consistently interpreted these derogations narrowly, and relying on them for systematic or large-scale transfers carries significant enforcement risk.

A practical scenario that arises frequently involves a Spanish subsidiary of a US or Asian parent company that transfers employee or customer data to the parent for HR or CRM purposes. This transfer requires either SCCs or BCRs, a completed TIA, and documentation of the transfer in the record of processing activities. A common mistake is treating the parent company's global privacy programme as sufficient without adapting it to the Spanish legal requirements, including the LOPDGDD's specific provisions on employee data.

Another scenario involves a Spanish e-commerce business that uses a US-based cloud provider for data storage and analytics. The use of the provider constitutes a transfer to a third country, and the controller must execute SCCs with the provider, conduct a TIA, and ensure that the provider's sub-processors are also covered by appropriate transfer mechanisms. Many businesses underappreciate the depth of the due diligence required for cloud service arrangements, particularly where data is processed across multiple jurisdictions.

To receive a checklist on cross-border data transfer compliance for businesses operating in Spain, send a request to info@vlolawfirm.com

FAQ

What is the most significant practical risk for a foreign company that processes personal data of Spanish residents without a local legal entity?

A foreign company that targets Spanish residents with goods or services, or that monitors their behaviour, falls within the territorial scope of the GDPR under Article 3(2) regardless of where it is established. The AEPD has jurisdiction to investigate complaints from Spanish residents and can coordinate with the supervisory authority of the country where the company is established. The most significant practical risk is that the company may have no local compliance infrastructure - no privacy notice in Spanish, no mechanism for handling data subject requests, no DPA with Spanish processors - making it vulnerable to complaints and enforcement action. Appointing a representative in the EU under Article 27 GDPR is mandatory for companies outside the EEA that fall within the regulation's scope, and failure to do so is itself an infringement.

How long does an AEPD investigation typically take, and what are the financial consequences of a finding of infringement?

An AEPD investigation can take anywhere from several months to over a year, depending on the complexity of the case and whether the controller cooperates fully. The formal sanctioning procedure involves multiple stages: preliminary investigation, formal opening of proceedings, submission of allegations, and a final resolution. Financial consequences depend on the classification of the infringement and the size of the controller. For large companies, fines in the hundreds of thousands of euros are not uncommon for serious infringements. For smaller businesses, fines are typically lower but can still represent a material financial burden. In addition to the fine, the AEPD may order corrective measures that require investment in new systems or processes, adding to the total cost of non-compliance.

When should a business choose to conduct a DPIA, and what happens if it does not?

A DPIA is mandatory under Article 35 GDPR when processing is likely to result in a high risk to the rights and freedoms of natural persons. The AEPD has published a list of processing operations that require a DPIA in Spain, which includes large-scale processing of special categories of data, systematic monitoring of publicly accessible areas, and profiling that produces legal or similarly significant effects. If a controller fails to conduct a required DPIA, this constitutes a serious infringement under Article 73(k) LOPDGDD and can attract a significant fine. Beyond the regulatory risk, the absence of a DPIA means the controller has not formally assessed the risks of its processing operations, which makes it harder to demonstrate compliance with the accountability principle and to defend against claims by data subjects who suffer harm.

Conclusion

Data protection and privacy compliance in Spain requires a precise understanding of both the GDPR and the LOPDGDD, as well as the enforcement priorities of the AEPD. The framework is detailed, actively enforced, and contains obligations that go beyond what many international businesses expect from a standard GDPR compliance programme. The cost of non-compliance - measured in fines, corrective orders, and reputational damage - consistently exceeds the cost of building a robust compliance structure from the outset. Businesses that invest in documented processes, trained staff, and specialist legal support are materially better positioned to manage regulatory risk in Spain.

Our law firm VLO Law Firms has experience supporting clients in Spain on data protection and privacy matters. We can assist with compliance audits, drafting privacy documentation, handling AEPD investigations, advising on cross-border transfer mechanisms, and responding to data subject requests. To receive a consultation, contact: info@vlolawfirm.com