In 2023, Spain’s data protection authority — the AEPD — issued fines totalling over €20 million to companies that failed to meet GDPR requirements. Several of those companies were foreign businesses that assumed the rules were the same in Spain as in their home country. They were not. Spain has one of the most active GDPR enforcement environments in the EU. If your company processes personal data of people in Spain, this guide is for you.
The General Data Protection Regulation (GDPR) applies directly across all EU member states — including Spain. But Spain also has its own national data protection law, the LOPDGDD (Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales), which adapts and complements the GDPR with specific national rules. Companies operating in Spain must comply with both.
Who does GDPR compliance in Spain apply to?
GDPR — and Spanish data protection law — applies to any organisation that:
- Has an establishment in Spain (office, branch, subsidiary, or representative)
- Offers goods or services to people located in Spain — even without a physical presence in the country
- Monitors the behaviour of people in Spain (e.g., through cookies, tracking pixels, or analytics)
This means foreign companies — from outside the EU — that market to Spanish consumers or track Spanish users online are within scope of GDPR compliance in Spain, regardless of where the company is based.
The AEPD: Spain’s data protection authority
The Agencia Española de Protección de Datos (AEPD) is Spain’s national supervisory authority responsible for enforcing the GDPR and the LOPDGDD. The AEPD is one of the most active data protection regulators in Europe. It receives thousands of complaints each year, conducts proactive inspections, and regularly issues significant fines.
The AEPD also issues binding guidelines on specific topics — including cookie consent, employee monitoring, biometric data, and the use of AI systems — that companies operating in Spain must follow in addition to the general GDPR framework.
Core GDPR obligations for companies in Spain
1. Lawful basis for processing
Every processing activity involving personal data must have a valid legal basis. The six lawful bases under GDPR are: consent, contract, legal obligation, vital interests, public task, and legitimate interests. In Spain, the LOPDGDD restricts the use of legitimate interests in certain contexts — particularly for employee data and for processing involving vulnerable populations.
2. Register of processing activities (ROPA)
Companies with 250 or more employees must maintain a Record of Processing Activities (ROPA) — an internal document that maps all data processing activities, their purpose, the categories of data and individuals involved, retention periods, and any international data transfers. Note that the exemption for companies with fewer than 250 employees is narrow: it does not apply where processing is not occasional, is likely to result in a risk to individuals, or involves special categories of data or criminal-conviction data, so in practice most operating businesses still need a ROPA. The AEPD can request this register at any time.
3. Privacy notices and transparency
Individuals whose data you process must be informed about how their data is used. Privacy notices on websites, apps, and physical forms must comply with the requirements of GDPR Articles 13 and 14 and be written in clear, plain language. In Spain, notices must be available in Spanish — and in the co-official language of the relevant region where applicable.
4. Cookie compliance
Cookie consent in Spain is an area of particularly active AEPD enforcement. The key rules:
- Cookies that are not strictly necessary (analytics, advertising, social media) require prior, freely given, specific, informed, and unambiguous consent
- Pre-ticked boxes, consent implied by scrolling, or cookie walls (blocking access unless cookies are accepted) do not constitute valid consent
- Users must be able to withdraw consent as easily as they gave it
- A compliant cookie banner must present a genuine choice — accept or reject — without making rejection harder than acceptance
5. Data subject rights
Individuals have rights under GDPR that your company must be able to respond to within defined timeframes — generally one month:
- Right of access: individuals can request a copy of all data you hold about them
- Right to rectification: correction of inaccurate data
- Right to erasure (‘right to be forgotten’): deletion of data in certain circumstances
- Right to data portability: receiving data in a machine-readable format
- Right to object: to processing based on legitimate interests or for direct marketing
6. Data breach notification
If a personal data breach occurs (loss, unauthorised access, or accidental destruction of personal data), companies must notify the AEPD within 72 hours of becoming aware of it, unless the breach is unlikely to result in a risk to individuals’ rights and freedoms. If the risk is high, affected individuals must also be notified without undue delay.
7. Data transfers outside the EU
Transferring personal data from Spain to countries outside the EU/EEA requires a legal mechanism: an adequacy decision by the European Commission, Standard Contractual Clauses (SCCs), Binding Corporate Rules, or another approved transfer tool. This applies to data sent to cloud providers, payment processors, or group companies based in third countries.
Do you need a Data Protection Officer (DPO)?
A DPO is mandatory in Spain for:
- Public authorities and bodies
- Companies whose core activities involve large-scale systematic monitoring of individuals
- Companies whose core activities involve large-scale processing of special categories of data (health, biometric, genetic, criminal records, etc.)
Even when not mandatory, appointing a DPO — or an external data protection adviser — is strongly recommended for any company that processes significant volumes of personal data in Spain. The DPO must be registered with the AEPD.
GDPR fines in Spain: what is at stake
GDPR provides for two tiers of fines:
- Up to €10 million or 2% of global annual turnover (whichever is higher) for less serious infringements
- Up to €20 million or 4% of global annual turnover (whichever is higher) for the most serious infringements — such as processing data without a lawful basis, violating data subjects’ rights, or unlawful international transfers
The AEPD has fined companies of all sizes — from large multinationals to small businesses. Non-EU companies that process Spanish users’ data are not immune: the AEPD has enforcement powers over any entity subject to the GDPR’s territorial scope.
Frequently asked questions
Does GDPR compliance in Spain require a local representative?
Non-EU companies that are subject to GDPR but have no establishment in the EU must designate an EU representative — this can be a Spanish-based individual or company acting as the point of contact for data subjects and the AEPD. This is a legal requirement under GDPR Article 27, not optional.
How often should GDPR compliance be reviewed?
GDPR compliance is not a one-time project — it is an ongoing programme. Best practice is a formal review at least annually, or whenever there is a significant change in processing activities, new technology is deployed, or there is an update to AEPD guidelines. The LOPDGDD and AEPD guidance continue to evolve.
What is a DPIA and when is it required?
A Data Protection Impact Assessment (DPIA) is a risk assessment that must be carried out before starting any processing activity that is likely to result in a high risk to individuals. The AEPD has published a list of processing types that always require a DPIA in Spain — including large-scale processing of health data, systematic monitoring of employees, and certain uses of AI or automated decision-making.
GDPR compliance in Spain requires more than copying a privacy policy from another country. At Capital Auditors & Consultants, we work with companies operating in Spain to build compliant data protection frameworks — from gap analysis and ROPA to cookie audits and DPO support. Contact our team to assess your current compliance position.