Spain Data Privacy Laws: GDPR & LOPDGDD Guide (2026)

Spain maintains one of the most robust data privacy frameworks in the European Union. The country applies the EU-wide General Data Protection Regulation (GDPR) as its baseline, supplemented by the LOPDGDD, a comprehensive national law that adapts GDPR requirements to the Spanish legal system and introduces a pioneering charter of digital rights.
The Agencia Espanola de Proteccion de Datos (AEPD) serves as Spain's primary data protection authority. It has earned a reputation as one of Europe's most aggressive enforcement bodies. In fiscal year 2024, the AEPD imposed a record 35.5 million euros in total fines, a 19.4% increase over the previous year.
This guide covers the complete Spanish data privacy framework, including the legal foundations, enforcement landscape, digital rights protections, and practical compliance requirements for organizations operating in Spain.
The Legal Framework: GDPR and LOPDGDD
Spain's data protection regime rests on two pillars: the directly applicable EU General Data Protection Regulation (Regulation 2016/679), and the Ley Organica 3/2018 de Proteccion de Datos Personales y garantia de los derechos digitales, commonly known as the LOPDGDD.

The LOPDGDD was approved by the Cortes Generales (Spanish Parliament) and entered into force on December 7, 2018. It replaced the earlier Ley Organica 15/1999 de Proteccion de Datos de Caracter Personal (LOPD).
Constitutional Foundation
The Spanish Constitution provides a strong foundation for data protection. Article 18.4 states that "the law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights." This constitutional mandate gives data protection elevated legal status in Spain.
What the LOPDGDD Adds to the GDPR
While the GDPR provides the core data protection rules, the LOPDGDD fills in several areas where the GDPR allows member states to set their own standards:
- Age of consent for minors: Set at 14 years in Spain, compared to the GDPR's default of 16. Children under 14 need parental or guardian consent for data processing.
- Deceased persons' data: Articles 3 and 96 create a framework for managing the data of deceased individuals. Heirs and family members may request access, rectification, or erasure of a deceased person's data, subject to the deceased's prior instructions.
- Digital rights charter: Title X (Articles 79 through 97) establishes a comprehensive set of digital rights that go well beyond standard data protection.
- Expanded DPO requirements: Article 34 mandates Data Protection Officer appointments for 16 specific sectors, regardless of company size.
- Infringement classification: The law categorizes violations as minor, serious, or very serious, with corresponding statute of limitations periods of one, two, and three years.
The AEPD: Spain's Data Protection Authority
The Agencia Espanola de Proteccion de Datos (AEPD) is Spain's primary supervisory authority for data protection. Established in 1993, it is one of the oldest and most experienced data protection authorities in Europe.
Jurisdiction and Structure
The AEPD oversees the entire private sector and most of the public sector across Spain. Three independent regional authorities handle public sector matters within their respective autonomous communities:
- APDCAT (Autoritat Catalana de Proteccio de Dades) for Catalonia
- DBEB/AVPD (Datuak Babesteko Euskal Bulegoa) for the Basque Country
- CTPDA (Consejo de Transparencia y Proteccion de Datos de Andalucia) for Andalusia
A separate authority, the CGPJ (Consejo General del Poder Judicial), supervises data processing for judicial purposes.
Enforcement Track Record
The AEPD has built a formidable enforcement reputation. Key statistics from its 2024 Annual Report demonstrate the scale of its operations:
- Total fines in 2024: 35,592,200 euros, a record high representing a 19.4% increase over 2023
- Large fines: 10 fines exceeding 1 million euros in 2024, up from just 3 in 2023
- Claims processed: 18,855 claims recorded in 2024
- Data breach notifications: 2,933 breach notifications received, a 46% increase over 2023
The most common complaint categories in 2024 were video surveillance (3,411 complaints), internet services (3,141 complaints), trade, transport, and hospitality (1,633 complaints), and advertising (1,297 complaints).
In 2025, the trend continued with 2,765 data breach notifications. Controllers notified over 200 million affected individuals of high-risk breaches, double the approximately 100 million notified in 2024. Ransomware and cyberattack-driven data exfiltration drove this surge.
Notable AEPD Enforcement Cases
The AEPD's enforcement actions illustrate the breadth and severity of Spain's data protection regime. Several high-profile cases have drawn international attention.
CaixaBank: 6 Million Euro Fine (2021)
In January 2021, the AEPD imposed a 6 million euro fine on CaixaBank, Spain's third-largest bank, for violations of GDPR Articles 6, 13, and 14. The fine broke down into two components.
CaixaBank was fined 4 million euros for unlawfully processing clients' personal data without a valid legal basis. An additional 2 million euro fine addressed the bank's failure to provide sufficient information about data processing, including inadequate details regarding categories of personal data, processing purposes, and the legal basis for processing, particularly for activities based on legitimate interest.
The bank was also found to have carried out illicit transfers of personal data to group companies. The AEPD ordered CaixaBank to bring its processing operations into compliance within six months.
Vodafone Spain: Multiple Fines Exceeding 8 Million Euros
Vodafone Spain became the target of the highest cumulative fines ever issued by the AEPD. The telecommunications company received four separate fines totaling approximately 8.15 million euros.
Two of the fines, totaling roughly 5.3 million euros, related to GDPR violations involving aggressive telemarketing tactics. The company continued contacting individuals who had exercised their right to object to marketing communications and their right to erasure. A third fine of approximately 2 million euros cited violations of both Spanish digital rights laws and the GDPR. The final fine addressed cookie consent violations under Spain's LSSI (Law 34/2002).
In a separate proceeding, Vodafone was fined 3.94 million euros for violating GDPR Articles 5(1)(f) and 5(2) by failing to implement adequate security measures, which allowed fraudulent SIM card duplication (SIM swapping attacks).
La Liga: 250,000 Euro Fine for App Microphone Access
Spain's professional football league, La Liga, was fined 250,000 euros for violating the transparency principle of the GDPR (Article 5(1)). The case centered on La Liga's official mobile app, which accessed users' microphones and geolocation data to detect unauthorized broadcasts of live matches in bars and public venues.
While the app only captured acoustic fingerprints rather than intelligible audio, the AEPD and later the Audiencia Nacional (Spain's High Court) ruled that informing users about microphone access only at the time of download was insufficient. La Liga was required to inform users each time the app accessed their microphones, at the actual moment of data processing.
Informa D&B: 1.8 Million Euro Fine (2025)
In January 2025, the AEPD sanctioned Informa D&B, a business intelligence company, with 1.8 million euros in fines. Informa processed personal data from over 1.6 million individual business owners through a data-sharing agreement with CAMERDATA. The data originally came from Spain's tax authority for the public business census.
The AEPD found that Informa lacked a valid legal basis under GDPR Article 6.1 for this processing and failed to provide adequate transparency information to affected individuals. Beyond the fine, the AEPD ordered the company to cease processing the data and delete all affected records within three months.
Yoti: 950,000 Euro Fine (2026)
In March 2026, the AEPD imposed a 950,000 euro fine on Yoti Ltd, a British digital identity and age verification company, for three GDPR violations. The fine included 500,000 euros for processing biometric special category data (facial templates) without an adequate legal basis under Article 9, 200,000 euros for obtaining invalid consent through pre-ticked checkboxes for research use of biometric data, and 250,000 euros for retaining personal data, including geolocation records for five years and video liveness recordings for 30 days, beyond what the processing purposes required. Yoti announced it would appeal to the Spanish High Court.
Title X: Spain's Charter of Digital Rights
One of the most distinctive features of the LOPDGDD is Title X (Articles 79 through 97), which establishes a comprehensive charter of digital rights. These provisions go beyond data protection into broader digital citizenship.
Internet Access and Neutrality
Article 80 enshrines the right to internet neutrality, preventing internet service providers from discriminating between types of traffic. Article 81 establishes universal access to the internet as a right, reflecting Spain's recognition that digital participation is essential in modern society.
Digital Education and Minors' Protection
Articles 83, 84, and 92 address digital education, with specific attention to protecting minors in digital environments. Schools and educational institutions must include digital literacy and responsible internet use in their curricula.
Right to Be Forgotten
The LOPDGDD guarantees the right to be forgotten in both search engines and social networks. Individuals can request the removal of outdated or irrelevant personal information from search results and social media platforms. This right, originally established by the Court of Justice of the EU in the Google Spain case (C-131/12), receives explicit statutory backing under the LOPDGDD.
Digital Will
Article 96 introduces the concept of a "digital will." Individuals can designate instructions for what happens to their digital accounts and online data after death. Heirs can exercise rights of access, deletion, or rectification over a deceased person's online personal data and social media accounts, unless the deceased explicitly prohibited such access while alive.
Employee Privacy and Workplace Monitoring
The LOPDGDD contains some of Europe's most detailed provisions on employee data protection and workplace monitoring. These rules apply to both public and private sector employers.
Right to Digital Disconnection (Article 88)
Workers in both the public and private sectors have a legal right to digital disconnection outside of working hours. Employers must respect employees' rest time, leave, holidays, and personal and family time. Companies are required to develop internal policies, in consultation with employee representatives, that define how this right is exercised, including training and awareness actions for staff.
Use of Work Devices (Article 87)
Employees have a recognized right to privacy when using digital devices provided by the employer. Employers may establish guidelines for personal use of work devices but must inform employees in advance. Access to the content of digital devices must respect the employee's dignity and the proportionality principle.
Video Surveillance in the Workplace (Article 89)
Employers may use video surveillance cameras for monitoring purposes as permitted by Article 20.3 of the Workers' Statute, but several strict conditions apply:
- Employers must inform employees in advance, clearly and specifically, about the surveillance
- Cameras are prohibited in rest areas, changing rooms, toilets, dining areas, and similar spaces
- Sound recording is generally prohibited unless justified by relevant safety risks and the proportionality principle
- Recorded images may be retained for a maximum of one month unless needed as evidence of illegal activity
In exceptional cases involving well-founded suspicions of unlawful behavior, a reduced duty of information may apply, where a visible notice may suffice.
Geolocation Systems (Article 90)
Article 90 addresses employer use of GPS and geolocation tracking of employees. Employers must inform employees and their representatives about the existence and characteristics of geolocation devices. The data collected must be proportionate to the purpose and may not be used for purposes beyond those disclosed.
Data Protection Officer Requirements
Spain has one of the broadest mandatory DPO appointment regimes in the EU. Article 34 of the LOPDGDD requires Data Protection Officer appointments for 16 specific sectors, regardless of company size or the scale of processing. These sectors include:
- Vocational schools, schools, and universities (public and private)
- Telecommunications providers and network operators
- Information society service providers (when forming user profiles at scale)
- Financial institutions: credit institutions, investment service companies, and insurance companies
- Entities supervising credit institutions and credit rating agencies
- Utility providers (electricity, gas, water)
- Entities conducting advertising, commercial prospecting, or market research
- Health institutions required to maintain patient clinical records
- Gambling and gaming operators
- Private security companies
- Sports federations processing minors' personal data
- Business reporting agencies
Any organization appointing or removing a DPO must notify the AEPD within 10 days. DPOs employed directly by the organization receive elevated dismissal protection under Spanish law, except in cases of deliberate fraud or gross negligence.
Data Breach Notification
Spain follows the GDPR's standard breach notification framework with several AEPD-specific procedural requirements.
Notification Timeline and Method
Controllers must notify the AEPD within 72 hours of becoming aware of a personal data breach that is likely to result in a risk to individuals' rights and freedoms. The notification must be submitted electronically through the AEPD's Electronic Office using the official breach notification form.
If the 72-hour deadline cannot be met, the notification must include an explanation of the reasons for the delay. As the AEPD states: "Notifying in a timely manner is evidence of the diligence of the organization, while not complying with that obligation is classified as an infraction."
Required Information
The notification must include the nature of the incident, the number of individuals affected, the possible consequences, and the corrective measures adopted or planned.
AEPD Assessment Tools
The AEPD provides two specialized tools to help organizations navigate breach notification:
- ASESORA BRECHA: Helps organizations determine whether a breach triggers notification obligations
- COMUNICA-BRECHA RGPD: Assists in evaluating whether affected data subjects must also be notified
Documentation Obligations
Even when a controller determines that a breach does not pose a risk to individuals and therefore does not require notification, the organization must still document the incident, its effects, and the corrective measures taken.
High-Risk Breaches
When a breach presents a high risk to individuals' rights and freedoms, the controller must also notify affected data subjects directly, in clear and understandable language, about the incident and any steps they can take to protect themselves.
Regional Notification
For public sector bodies in Catalonia, the Basque Country, or Andalusia, breach notifications go to the respective regional data protection authority rather than the AEPD.
Penalties and Sanctions
The LOPDGDD establishes a three-tier system for classifying data protection violations. This classification system works alongside the GDPR's penalty framework.
Minor Infractions
Minor violations carry fines of up to 40,000 euros and have a one-year statute of limitations. Examples include failure to comply with minor procedural requirements or inadequate record-keeping.
Serious Infractions
Serious violations carry fines between 40,001 and 300,000 euros, with a two-year statute of limitations. These include violations of data subject rights, insufficient security measures, and failures in data processing agreements.
Very Serious Infractions
Very serious violations can result in fines of up to 20 million euros or 4% of global annual turnover, whichever is higher. The statute of limitations is three years. These cover fundamental violations such as processing without a legal basis, large-scale unauthorized transfers, and obstruction of supervisory authority investigations.
Factors in Determining Penalties
The AEPD considers multiple factors when setting fine amounts, including the severity of the infraction, the harm caused to data subjects, the degree of intent or negligence, measures taken to mitigate damage, the categories of personal data affected, and any prior violations by the controller.
Public Sector Distinction
Public sector organizations are subject to the same rules but typically receive formal warnings rather than monetary fines, reflecting a different enforcement approach for government bodies.
International Data Transfers
Spain follows the GDPR framework for international data transfers without adding significant national-level restrictions. Data may be transferred outside the European Economic Area through several mechanisms:
- Adequacy decisions: Transfers are freely permitted to countries the European Commission has recognized as providing adequate data protection
- Standard Contractual Clauses (SCCs): The most commonly used safeguard for transfers to non-adequate countries
- Binding Corporate Rules: For intra-group transfers within multinational organizations
- Derogations: Specific situations such as explicit consent, contract performance, or important public interest may permit transfers in the absence of other safeguards
The AEPD has focused on providing guidance to help organizations comply with transfer requirements rather than imposing additional restrictions beyond the GDPR baseline.
ePrivacy: Cookies and Electronic Communications
Spain's implementation of the ePrivacy Directive is primarily through Ley 34/2002, the Ley de Servicios de la Sociedad de la Informacion y de Comercio Electronico (LSSI). This law requires:
- Cookie consent: Prior informed consent for all non-essential cookies and similar tracking technologies
- Commercial communications: Opt-in consent for commercial electronic messages, with limited exceptions for existing customer relationships
- Information obligations: Service providers must clearly identify themselves and provide accessible terms of service
The AEPD actively enforces cookie compliance, as demonstrated by its fines against Vodafone Spain for cookie consent failures.
Practical Compliance Checklist for Organizations in Spain
Organizations processing personal data in Spain should address these key requirements:
- Establish lawful processing bases under both the GDPR and LOPDGDD for all data processing activities
- Appoint a DPO if your organization falls within any of the 16 mandatory sectors under Article 34
- Implement a digital disconnection policy in consultation with employee representatives
- Post clear video surveillance notices if using workplace cameras, and never record in rest areas
- Prepare breach notification procedures including registration with the AEPD's Electronic Office
- Review cookie consent mechanisms for LSSI compliance
- Update privacy notices to include all GDPR-required information in clear, accessible Spanish
- Register your DPO with the AEPD within 10 days of appointment
- Assess international transfer mechanisms for any data leaving the EEA
- Document all processing activities in a Records of Processing Activities (ROPA)
Sources and References
- AEPD - Notification of a Personal Data Breach to the Supervisory Authority (aepd.es)
- European Data Protection Board - AEPD Imposes Fine of 6,000,000 EUR on CaixaBank (edpb.europa.eu)
- European Data Protection Board - Spanish DPA Fines Vodafone Spain More Than 8 Million Euros (edpb.europa.eu)
- Linklaters - Spain Liga Fine for Microphone Access Upheld (linklaters.com)
- Linklaters - The Spanish Data Watchdog Ramps Up Enforcement with Fines Totalling Over 35.5 Million in FY24 (linklaters.com)
- Linklaters - Spain 2025 Data Breach Landscape: 2,765 Notifications (linklaters.com)
- Biometric Update - Spain AEPD Fines Yoti 950,000 Euros (biometricupdate.com)
- activeMind.legal - Data Protection Officer Under Spanish Law (activemind.legal)
- GDPRhub - Data Protection in Spain (gdprhub.eu)
- Osborne Clarke - LOPDGDD Enters into Force in Spain (osborneclarke.com)
- LOPDGDD Full Text (English Translation) - Organic Law 3/2018 (uspceu.com)
- Boletin Oficial del Estado - Spanish Constitution (boe.es)
- PPC Land - AEPD Orders Business Data Firm to Delete Records (ppc.land)