General Data Protection Regulation (GDPR)

🇪🇸 General Data Protection Regulation in Spain

A comprehensive guide to General Data Protection Regulation compliance for organisations operating in Spain. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.

About General Data Protection Regulation

The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.

Effective: 25 May 2018
Max penalty: €20,000,000 or 4% of annual global turnover

General Data Protection Regulation Enforcement in Spain

Spain's AEPD is one of Europe's most prolific enforcers by number of decisions, regularly issuing hundreds of sanctions per year across a wide range of sectors. The Spanish Organic Law 3/2018 (LOPDGDD) supplements the GDPR with provisions on the digital legacy of deceased persons, employee digital rights (including the right to digital disconnection), video surveillance in the workplace, and whistleblower channel management. The AEPD has been particularly active in sanctioning unlawful video surveillance (CCTV), unsolicited commercial communications, and inadequate data processing in healthcare. Spain sets the age of digital consent at 14. The AEPD publishes detailed guides on practical compliance and maintains an extensive, publicly searchable sanctions database.

Data Protection Authority

Agencia Española de Protección de Datos (AEPD)

Key Enforcement Focus Areas in Spain

  • Video surveillance and CCTV compliance
  • Direct marketing and unsolicited communications
  • Healthcare data processing
  • Employee digital rights (right to disconnect)
  • Telecommunications sector compliance

Notable Enforcement Actions in Spain

CaixaBank S.A.

€6,000,000 (2021)

Processing customer data for commercial communications without valid GDPR-compliant consent

Vodafone España S.A.U.

€8,150,000 (2021)

Repeated unsolicited commercial calls and SMS messages, and failure to demonstrate valid consent

EDP Energía S.A.

€1,500,000 (2022)

Switching customers' energy suppliers using personal data without authorisation or valid consent

Equifax Ibérica

€1,000,000 (2023)

Maintaining inaccurate solvency data and failing to verify debt information accuracy


Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
