Spain Data Privacy Laws: GDPR, LOPDGDD & AEPD Enforcement Guide (2026)

Spain enforces data privacy through the EU GDPR and Organic Law 3/2018 (LOPDGDD), administered by the AEPD. The LOPDGDD adds a digital rights charter and requires Data Protection Officers in 16 sectors under Article 34. Penalties for very serious violations reach 20 million euros.
Spain sits at the leading edge of European data protection law. The country applies the EU General Data Protection Regulation as the baseline for all personal data processing, supplemented by the LOPDGDD (Ley Organica 3/2018 de Proteccion de Datos Personales y garantia de los derechos digitales), a national law that adapts GDPR requirements and introduces a comprehensive charter of digital rights.
The Agencia Espanola de Proteccion de Datos (AEPD) has earned a reputation as one of Europe's most aggressive and prolific enforcement bodies, consistently ranking among the top three EU data protection authorities by volume of sanctions. In 2025, the AEPD issued 299 fines totaling 40 million euros, a 14% increase over the previous year's record 35.5 million euros.
Beyond data protection, Spain is also shaping the future of AI regulation. It created AESIA, the first dedicated national AI supervisory authority in the European Union, which has been operational since June 2024 and is now running the EU's first regulatory sandbox under the EU AI Act.
This guide covers the complete Spanish data privacy framework: constitutional foundations, the GDPR and LOPDGDD legal architecture, digital rights, enforcement, the AI Act overlay, cross-border transfers, and practical compliance requirements.
Quick Answer: Spain's Data Privacy Rules at a Glance
Spain's data privacy regime has three core layers:
- The EU GDPR applies directly as binding EU law, setting the baseline for all personal data processing.
- The LOPDGDD (Organic Law 3/2018) implements the GDPR into Spanish law and fills in areas the GDPR leaves to member states, including a broad digital rights charter.
- The AEPD enforces both instruments, backed by regional authorities in Catalonia, the Basque Country, and Andalusia.
Any organization processing the personal data of people in Spain must comply with all three layers. The AEPD's enforcement record makes Spain a high-risk jurisdiction for non-compliance.
Constitutional Basis: Article 18.4
The Spanish Constitution of 1978 provides a uniquely strong constitutional foundation for data protection. Article 18.4 states that the law shall limit the use of information technology to guarantee the honour and personal and family intimacy of citizens and the full exercise of their rights.
This provision elevated data protection to constitutional status decades before the GDPR arrived. The Spanish Constitutional Court (Tribunal Constitucional) has repeatedly cited Article 18.4 to recognize informational self-determination as a fundamental right distinct from, but connected to, the rights to privacy (Article 18.1) and secrecy of communications (Article 18.3).
The constitutional basis is not merely symbolic. It means Spanish data protection law cannot be weakened by ordinary legislation and gives affected individuals direct standing to pursue constitutional remedies (recurso de amparo) before the Tribunal Constitucional when data protection rights are violated.
The GDPR in Spain
The General Data Protection Regulation (Regulation 2016/679) has applied directly in Spain since May 25, 2018. As a regulation rather than a directive, it does not need national transposition and supersedes conflicting national rules.
The GDPR establishes the foundational requirements that all Spanish data controllers and processors must meet:
Lawful basis for processing. Article 6 of the GDPR requires a valid legal basis for every processing activity. The six available bases are consent, contract performance, legal obligation, vital interests, public interest, and legitimate interest. The AEPD has taken a restrictive approach to legitimate interest in commercial contexts, consistently holding that economic benefit alone does not constitute a legitimate interest that overrides individuals' fundamental rights.
Transparency. Articles 13 and 14 require clear, accessible privacy notices covering the identity of the controller, processing purposes, legal bases, data retention periods, and the full range of data subject rights.
Data subject rights. Articles 15 through 22 give individuals rights of access, rectification, erasure, restriction, portability, and the right to object, including to profiling. Spain's LOPDGDD adds specific procedural requirements for exercising these rights.
Data minimization and purpose limitation. Articles 5(1)(b) and 5(1)(c) require that data be collected only for specified purposes and limited to what is necessary.
Security. Article 32 requires appropriate technical and organizational measures. Failure to implement adequate security has been one of the most common grounds for AEPD sanctions.

The LOPDGDD: Spain's National Data Protection Law
The Ley Organica 3/2018 entered into force on December 7, 2018. It replaced the earlier LOPD (Ley Organica 15/1999) and adapts the GDPR to the Spanish legal system in several important ways.
Age of Consent for Minors
The LOPDGDD sets the age of digital consent at 14 years old. Children under 14 require parental or guardian consent for personal data processing in online services. The GDPR's default is 16, but member states can lower the threshold to 13. Spain chose 14 as a compromise.
This threshold is now under legislative pressure. A draft Organic Law for the Protection of Minors in Digital Environments, approved by the Council of Ministers in March 2025 and sent to Parliament, would raise the age of digital consent back to 16 and impose new age verification obligations on online platforms. Device manufacturers would be required to include parental control systems enabled by default, and social network access would be restricted for those under 16.
Deceased Persons' Data
Articles 3 and 96 of the LOPDGDD create a legal framework for managing the data of deceased individuals. Heirs and designated family members may request access, rectification, or erasure of a deceased person's data unless the deceased left contrary instructions.
Expanded DPO Mandates
Article 34 requires Data Protection Officer appointments for 16 specific sectors regardless of company size. This is broader than the GDPR's own DPO requirements. Organizations falling within the mandatory sectors include healthcare institutions, financial institutions, telecommunications providers, gambling operators, private security companies, sports federations processing minors' data, and educational institutions at all levels. Any appointment or removal of a DPO must be notified to the AEPD within 10 days.
Infringement Classification
The LOPDGDD classifies GDPR violations into three tiers for enforcement purposes. Minor violations carry a one-year statute of limitations. Serious violations carry a two-year period. Very serious violations carry three years. This tiered system operates alongside the GDPR's own penalty ceilings.
Title X: Spain's Charter of Digital Rights
One of the most distinctive and internationally recognized features of the LOPDGDD is Title X (Articles 79 through 97), a charter of digital rights that extends well beyond data protection into broader digital citizenship.
Internet Access and Neutrality
Article 80 enshrines internet neutrality as a legal right, preventing internet service providers from discriminating between types of traffic. Article 81 establishes universal access to the internet as a right, recognizing digital participation as essential to civic and social life.
Right to Digital Disconnection (Article 88)
Workers in both the public and private sectors have a legally enforceable right not to answer work-related digital communications outside their contracted working hours. Employers must respect employees' rest periods, holidays, and personal and family time.
Organizations are required to develop internal digital disconnection policies in consultation with employee representatives. These policies must define when employees can be contacted, specify tools and channels, and include training and awareness measures. The AEPD has cited inadequate disconnection policies as an aggravating factor in several workplace monitoring investigations.
Right to Privacy When Using Work Devices (Article 87)
Employees have a recognized right to privacy when using digital devices provided by their employer. Employers may set guidelines for the use of work devices, including restrictions on personal use, but must communicate these guidelines in advance and in writing. Any access to the content of work devices must respect proportionality and employee dignity.
Video Surveillance in the Workplace (Article 89)
Employers may use video surveillance for legitimate purposes but must comply with strict conditions. Cameras are prohibited in rest areas, changing rooms, toilets, and dining areas. Audio surveillance is generally prohibited unless justified by specific, documented safety risks. Recorded images may be retained for a maximum of one month unless they constitute evidence of unlawful activity. Employees and their representatives must be notified in advance.
In exceptional cases involving well-founded suspicions of unlawful conduct, a reduced duty of information may apply, but covert surveillance remains tightly constrained.
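The Article 89 conditions above are the kind of thing a retention job can enforce rather than leave to memory. The following is an added example, not code from the page or from the AEPD: it audits a set of CCTV recording records, marks footage older than the retention limit for deletion unless it is held as evidence of unlawful activity, and flags cameras in prohibited areas and audio captured without a documented safety justification. The record layout, the sample data and the reading of "one month" as 30 days are this example's own assumptions.

```python
"""Retention and placement audit for workplace CCTV recordings.

Added example; not the page's or the AEPD's code. Rules encoded from the
text on LOPDGDD Article 89: footage is kept for at most one month unless it
is evidence of unlawful activity; cameras are prohibited in rest areas,
changing rooms, toilets and dining areas; audio needs a specific, documented
safety justification. The 30-day reading of "one month", the record fields
and the constructed sample data are assumptions of this example.
"""
from datetime import datetime, timedelta, timezone

RETENTION = timedelta(days=30)  # assumption: "one month" read as 30 days
PROHIBITED_AREAS = {"rest area", "changing room", "toilet", "dining area"}


def audit(recordings, now):
    """Return (ids_to_delete, findings) for a list of recording dicts.

    A recording is deleted only when it is past retention AND carries no
    evidence reference; everything else that departs from Article 89 is
    reported as a finding for the DPO to act on.
    """
    to_delete, findings = [], []
    for rec in recordings:
        rid = rec["id"]
        if rec["area"] in PROHIBITED_AREAS:
            findings.append(f"{rid}: camera placed in prohibited area '{rec['area']}'")
        if rec.get("audio") and not rec.get("audio_justification"):
            findings.append(f"{rid}: audio captured without a documented safety justification")
        if now - rec["recorded_at"] > RETENTION:
            if rec.get("evidence_ref"):
                findings.append(f"{rid}: past retention, kept as evidence under {rec['evidence_ref']}")
            else:
                to_delete.append(rid)
    return to_delete, findings


# Constructed sample data (not real recordings); all timestamps are UTC.
NOW = datetime(2026, 3, 31, 12, 0, tzinfo=timezone.utc)
SAMPLE_RECORDINGS = [
    {"id": "cam-01", "area": "warehouse", "audio": False,
     "recorded_at": datetime(2026, 2, 15, 12, 0, tzinfo=timezone.utc)},          # 44 days old
    {"id": "cam-02", "area": "loading bay", "audio": False, "evidence_ref": "INC-0042",
     "recorded_at": datetime(2026, 2, 20, 12, 0, tzinfo=timezone.utc)},          # old, but evidence
    {"id": "cam-03", "area": "changing room", "audio": False,
     "recorded_at": datetime(2026, 3, 25, 12, 0, tzinfo=timezone.utc)},          # prohibited area
    {"id": "cam-04", "area": "reception", "audio": True,
     "recorded_at": datetime(2026, 3, 28, 12, 0, tzinfo=timezone.utc)},          # audio, no justification
    {"id": "cam-05", "area": "car park", "audio": False,
     "recorded_at": datetime(2026, 3, 1, 12, 0, tzinfo=timezone.utc)},           # exactly 30 days: kept
]


def run_sample():
    """Run the audit over the constructed sample; used by the usage example."""
    return audit(SAMPLE_RECORDINGS, NOW)


if __name__ == "__main__":
    deletions, issues = run_sample()
    print("delete:", deletions)
    for line in issues:
        print("finding:", line)
```

The deletion list is deliberately narrow (past retention, no evidence hold) so that the job fails safe: anything ambiguous becomes a finding rather than a purge, and the evidence exception is recorded with its reference so the DPO can justify the longer retention if the AEPD asks.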
Geolocation Tracking (Article 90)
Employers may use GPS and geolocation systems to track employees engaged in field operations, but must inform both employees and their representatives about the existence and scope of the tracking. Data collected may not be used beyond the disclosed purpose.
Right to Be Forgotten Online
The LOPDGDD codifies the right to be forgotten in search engines and social networks, giving explicit statutory backing to the principle the Court of Justice of the EU established in the landmark Google Spain case (C-131/12, 2014). Individuals can request the removal of outdated or contextually irrelevant personal information from search results.
Digital Will (Article 96)
Individuals can designate instructions for what happens to their digital accounts and online presence after death. Heirs can exercise access, deletion, or rectification rights over a deceased person's online personal data and social media accounts, unless the deceased explicitly prohibited such access during their lifetime.

The AEPD: Spain's Data Protection Authority
The Agencia Espanola de Proteccion de Datos (AEPD) is Spain's principal supervisory authority. Established in 1993, it operates as an independent body and has built a formidable enforcement reputation over more than three decades.
Jurisdiction
The AEPD has jurisdiction over the entire private sector and most of the public sector across Spain. Three independent regional authorities operate in parallel for public sector matters within their respective autonomous communities:
- APDCAT (Autoritat Catalana de Proteccio de Dades) for Catalonia
- DBEB / AVPD (Datuak Babesteko Euskal Bulegoa / Agencia Vasca de Proteccion de Datos) for the Basque Country
- CTPDA (Consejo de Transparencia y Proteccion de Datos de Andalucia) for Andalusia
Private sector entities operating across Spain report to the AEPD regardless of where they are registered within Spain. The regional authorities handle complaints against public sector bodies within their territories. Data breach notifications for public sector bodies in these three regions go to the respective regional authority rather than the AEPD.
Enforcement Volume
The AEPD processes an exceptionally high volume of cases by European standards. In 2024, the agency recorded 18,855 claims, issued fines totaling 35.5 million euros, and received 2,933 data breach notifications, a 46% increase over 2023. In 2025, fines rose further to approximately 40 million euros across 299 sanctions. Breach notifications reached 2,765 in 2025, with over 200 million individuals notified of high-risk breaches, double the approximately 100 million notified the previous year. Ransomware-driven data exfiltration was the primary driver of the surge.
Strategic Plan 2025-2030
In July 2025, the AEPD published its Strategic Plan for 2025-2030. The plan signals a shift toward risk-based, technology-driven supervision, meaning the agency will increasingly identify non-compliance proactively rather than waiting for complaints. Priority areas include biometrics, advanced AI-driven surveillance, algorithmic systems, and organizations that process personal data at scale.
Notable AEPD Enforcement Cases (2021-2026)
Spain's enforcement record is among the most active in the EU. These cases illustrate the breadth and financial severity of the AEPD's approach.
CaixaBank: 6 Million Euros (2021)
In January 2021, the AEPD fined CaixaBank 6 million euros for processing clients' data without a valid legal basis (4 million euros) and for failing to provide adequate transparency information (2 million euros). The bank was also found to have conducted unlawful intra-group data transfers and was ordered to bring its operations into compliance within six months.
Vodafone Spain: Over 8 Million Euros (2021)
Vodafone Spain received four separate fines totaling more than 8.15 million euros. The violations included continuing to contact individuals who had exercised their right to erasure and right to object to marketing, failures under Spain's digital rights law, cookie consent violations, and inadequate security measures that allowed SIM-swapping fraud.
La Liga: 250,000 Euros (2021, upheld 2022)
The professional football league was fined 250,000 euros for using its official app to access users' microphones and geolocation data to detect unauthorized broadcasts of live matches. The AEPD and the Audiencia Nacional (Spain's High Court) held that disclosing microphone access only at the time of download was insufficient. La Liga was required to notify users at the actual moment each data access occurred.
Informa D&B: 1.8 Million Euros (2025)
In January 2025, the AEPD fined Informa D&B 1.8 million euros for processing personal data from over 1.6 million business owners without a valid legal basis and without adequate transparency. The AEPD ordered the company to cease processing and delete all affected records within three months.
Aena: 10 Million Euros (November 2025)
The AEPD imposed a 10 million euro fine on Aena, Spain's state-owned airport operator, and ordered the suspension of its biometric facial recognition boarding system at eight airports including Madrid Barajas and Barcelona El Prat. The AEPD found that Aena's Data Protection Impact Assessment was inadequate: it did not assess proportionality against less intrusive alternatives such as QR codes and digital boarding passes, and relied on centralized storage of biometric templates that increased the risk of a large-scale data breach. Aena announced it would appeal.
FC Barcelona: 500,000 Euros (March 2026)
The AEPD fined FC Barcelona 500,000 euros for processing biometric (facial and voice) data from approximately 143,000 club members during a 2023 digital census without a legally compliant DPIA. The AEPD established a precedent: member consent does not eliminate the separate obligation to conduct a DPIA before deploying a high-risk biometric system. Both requirements must be satisfied independently.
Yoti: 950,000 Euros (March 2026)
The AEPD fined Yoti Ltd 950,000 euros across three GDPR violations: 500,000 euros for processing special category biometric data without an adequate Article 9 legal basis; 200,000 euros for relying on pre-ticked checkboxes as consent for research use of biometric data; and 250,000 euros for retaining geolocation records for five years and video liveness data for 30 days beyond what the processing purposes required.
Data Breach Notification
Spain follows the GDPR breach notification framework with AEPD-specific procedural requirements.
Controllers must notify the AEPD within 72 hours of becoming aware of a breach that is likely to result in a risk to individuals' rights and freedoms. Notifications are submitted electronically through the AEPD's Electronic Office.
If the 72-hour window cannot be met, the notification must include a documented explanation for the delay. The AEPD treats timely notification as evidence of organizational diligence. Failure to notify is itself a violation that can be independently sanctioned.
The notification must describe the nature of the breach, the number of individuals affected, the likely consequences, and corrective measures taken or planned. Two AEPD tools assist with this process: ASESORA BRECHA helps determine whether a breach meets the notification threshold, and COMUNICA-BRECHA RGPD helps assess whether affected data subjects must also be individually notified.
When a breach presents high risk to individuals, the controller must also notify affected individuals directly in clear, plain language.
Even when a breach does not meet the notification threshold, the controller must document it internally, together with the reasoning for the non-notification decision and the corrective steps taken.
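The notification steps in this section map onto a small internal breach register. What follows is an added example, not the page's or the AEPD's tooling, and it does not file anything with the Electronic Office: it computes the 72-hour deadline from the moment of awareness, decides whether the AEPD and the affected individuals must be notified, insists on a documented explanation when the window has been missed, and refuses to accept a non-notified breach without the reasoning behind that decision. The three-level risk scale, the field names and the constructed incidents are assumptions of this example.

```python
"""Internal breach register with GDPR/AEPD notification checks.

Added example; not code from the page or the AEPD. Rules encoded from the
text: notify the AEPD within 72 hours of becoming aware of a breach that is
likely to pose a risk; a late notification must document the reason for the
delay; high-risk breaches also require direct notification of individuals;
every breach, notified or not, is recorded internally together with the
reasoning. The risk scale and record layout are this example's assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

NOTIFY_WINDOW = timedelta(hours=72)
RISK_LEVELS = ("none", "risk", "high")  # assumption: three-level scale


@dataclass
class Breach:
    ref: str
    aware_at: datetime           # when the controller became aware; starts the clock
    risk: str                    # one of RISK_LEVELS
    affected: int
    nature: str
    measures: str
    delay_reason: Optional[str] = None       # required if the AEPD filing is late
    no_notify_reason: Optional[str] = None   # required if the breach is not notified


def deadline(b: Breach) -> datetime:
    return b.aware_at + NOTIFY_WINDOW


def assess(b: Breach, now: datetime) -> dict:
    """Build the register entry and list what is still missing for it to be complete."""
    if b.risk not in RISK_LEVELS:
        raise ValueError(f"unknown risk level {b.risk!r}")
    entry = {
        "ref": b.ref,
        "aware_at": b.aware_at.isoformat(),
        "nature": b.nature,
        "affected": b.affected,
        "measures": b.measures,
        "notify_aepd": b.risk in ("risk", "high"),
        "notify_subjects": b.risk == "high",
        "deadline": deadline(b).isoformat(),
        "late": False,
        "errors": [],
    }
    if entry["notify_aepd"]:
        if now > deadline(b):
            entry["late"] = True
            if not b.delay_reason:
                entry["errors"].append("72-hour window missed: notification must include a documented explanation for the delay")
    elif not b.no_notify_reason:
        entry["errors"].append("breach not notified: the internal record must state the reasoning for that decision")
    return entry


def demo():
    """Assess three constructed incidents (sample data, not real breaches)."""
    aware = datetime(2026, 3, 2, 9, 0, tzinfo=timezone.utc)
    b1 = Breach("BR-1", aware, "high", 1200, "ransomware exfiltration of HR records", "systems isolated, credentials rotated")
    b2 = Breach("BR-2", aware, "risk", 40, "misdirected e-mail with customer list", "recipient confirmed deletion")
    b3 = Breach("BR-3", aware, "none", 1, "encrypted laptop lost", "remote wipe confirmed",
                no_notify_reason="data unreadable: full-disk encryption, key not compromised")
    return [
        assess(b1, aware + timedelta(hours=48)),   # inside the window
        assess(b2, aware + timedelta(hours=96)),   # window missed, no explanation given
        assess(b3, aware + timedelta(hours=1)),    # below threshold, reasoning recorded
    ]


if __name__ == "__main__":
    for e in demo():
        print(e["ref"], "AEPD:", e["notify_aepd"], "subjects:", e["notify_subjects"], "late:", e["late"], e["errors"])
```

The register treats "not notified" as a decision that must be justified in the record, which is what the text requires of controllers that stay below the threshold, and it never lets a late filing go through silently.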
Data Protection Officer Requirements
Spain has one of the most expansive mandatory DPO regimes in the EU. Under Article 34 of the LOPDGDD, entities in 16 listed categories must appoint a DPO regardless of company size or processing scale. The categories include:
- Educational institutions at all levels, both public and private
- Telecommunications providers and network operators
- Information society service providers that build user profiles at scale
- Credit institutions, investment service companies, and insurance companies
- Bodies supervising financial institutions and credit rating agencies
- Utility providers (electricity, gas, and water)
- Entities conducting advertising, commercial prospecting, or market research
- Healthcare institutions required to maintain patient clinical histories
- Gambling and gaming operators
- Private security companies
- Sports federations that process minors' personal data
- Business data and credit reporting agencies
Any DPO appointment or removal must be notified to the AEPD within 10 days. DPOs in direct employment relationships enjoy enhanced dismissal protection under Spanish law, except in cases of serious misconduct.
Cross-Border Data Transfers
Spain follows the GDPR framework for transfers of personal data outside the European Economic Area. The LOPDGDD does not add material restrictions beyond the GDPR baseline.
Transfers to third countries are lawful under one of four mechanisms:
Adequacy decisions. The European Commission has recognized a number of countries as providing essentially equivalent data protection to the EU. Transfers to these countries require no additional safeguards. The EU-US Data Privacy Framework, adopted in 2023, restored adequacy for certified US organizations, though it continues to face legal challenges.
Standard Contractual Clauses (SCCs). The 2021 SCCs published by the European Commission are the most widely used safeguard for transfers to countries without adequacy decisions. Organizations must also conduct a Transfer Impact Assessment to verify that the legal environment of the destination country does not undermine the SCCs' protections.
Binding Corporate Rules. Multinational groups may use BCRs approved by a lead EU supervisory authority for intra-group transfers.
Derogations. In limited circumstances, transfers may proceed on the basis of explicit consent, contract performance, or compelling reasons of public interest.
The AEPD has issued guidance encouraging organizations to complete Transfer Impact Assessments with care, particularly for transfers to the United States, following the Schrems II judgment.
ePrivacy: Cookies and Electronic Marketing

Spain's ePrivacy rules derive from Ley 34/2002 (LSSI), which transposed the EU ePrivacy Directive. The LSSI requires prior informed consent for all non-essential cookies and similar tracking technologies. This requirement operates alongside the GDPR: the GDPR determines how consent is obtained and evidenced, while the LSSI specifies when cookies require consent at all.
For electronic marketing, the LSSI generally prohibits unsolicited commercial communications by electronic means without prior consent. An exception applies for existing customer relationships, where marketing for similar products or services to those already purchased is permitted provided the customer is offered a simple opt-out mechanism at each communication.
The AEPD has been active on cookie enforcement. Its guidance requires that cookie banners offer a genuine choice: an accept option must be balanced by an equally prominent reject option. Pre-ticked boxes, accept-only banners, and designs that make rejection unnecessarily complex all violate the GDPR's consent standard.
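On the server side, the LSSI/GDPR rule reduces to two checks: a consent record only counts if the user actively gave it, and non-essential cookies are set only when a valid record covers their purpose. The following is an added example, not the page's or the AEPD's code, and it also checks a banner configuration against the points the text lists (equally prominent reject option, no pre-ticked boxes, rejection no harder than acceptance). The cookie registry, the consent-record format and the banner description are this example's own assumptions.

```python
"""Consent-gated cookie setting and a first-layer banner check.

Added example; not code from the page, the AEPD or any real library. Rules
encoded from the text: non-essential cookies require prior informed consent
(LSSI); consent must be an affirmative act, so defaults and pre-ticked boxes
are not consent; the record must be evidenced (GDPR); the banner must offer
a reject option as prominent as accept. Registry and formats are assumed.
"""

# Assumption: every cookie the site may set is registered with its purpose;
# unregistered cookies are blocked (fail closed) rather than guessed at.
COOKIE_REGISTRY = {
    "session_id": "essential",
    "csrf_token": "essential",
    "_ga": "analytics",
    "ad_id": "advertising",
}


def consent_is_valid(record):
    """A consent record counts only if the user made an affirmative, evidenced choice."""
    if not record:
        return False
    if not record.get("user_action"):          # defaults or pre-ticked boxes are not consent
        return False
    if not record.get("timestamp") or not record.get("banner_version"):
        return False                            # cannot evidence when/what was consented to
    return isinstance(record.get("purposes"), dict)


def allowed_cookies(requested, record):
    """Split requested cookie names into (allowed, blocked-with-reason)."""
    allowed, blocked = [], []
    valid = consent_is_valid(record)
    for name in requested:
        purpose = COOKIE_REGISTRY.get(name)
        if purpose == "essential":
            allowed.append(name)
        elif purpose is None:
            blocked.append((name, "unregistered cookie"))
        elif valid and record["purposes"].get(purpose) is True:
            allowed.append(name)
        else:
            blocked.append((name, f"no valid consent for purpose '{purpose}'"))
    return allowed, blocked


def banner_problems(banner):
    """Return a list of problems found in a first-layer banner description."""
    problems = []
    accept, reject = banner.get("accept"), banner.get("reject")
    if reject is None:
        problems.append("no reject option on the first layer")
    elif accept and reject.get("prominence") != accept.get("prominence"):
        problems.append("reject option less prominent than accept")
    if any(box.get("checked") for box in banner.get("purpose_boxes", [])):
        problems.append("pre-ticked purpose boxes")
    if banner.get("reject_steps", 1) > banner.get("accept_steps", 1):
        problems.append("rejecting takes more steps than accepting")
    return problems


# Constructed sample inputs (assumptions of this example).
VALID_CONSENT = {
    "timestamp": "2026-03-10T10:15:00Z",
    "banner_version": "v3",
    "user_action": True,
    "purposes": {"analytics": True, "advertising": False},
}
DEFAULTED_CONSENT = dict(VALID_CONSENT, user_action=False)   # pre-ticked, never clicked
GOOD_BANNER = {"accept": {"prominence": "primary"}, "reject": {"prominence": "primary"},
               "purpose_boxes": [{"name": "analytics", "checked": False}]}
BAD_BANNER = {"accept": {"prominence": "primary"}, "reject": {"prominence": "link"},
              "purpose_boxes": [{"name": "analytics", "checked": True}],
              "accept_steps": 1, "reject_steps": 3}

if __name__ == "__main__":
    print(allowed_cookies(["session_id", "_ga", "ad_id", "tracker_x"], VALID_CONSENT))
    print(allowed_cookies(["session_id", "_ga"], DEFAULTED_CONSENT))
    print(banner_problems(BAD_BANNER))
```

The gate is per purpose rather than all-or-nothing, so a user who accepts analytics but rejects advertising gets exactly that, and the evidence fields (timestamp, banner version) are required because the GDPR side of the rule is about proving the consent, not only collecting it.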
The EU AI Act and AESIA
Spain has taken the most proactive approach to AI regulation of any EU member state.
AESIA: Europe's First National AI Supervisory Authority
The Agencia Espanola de Supervision de la Inteligencia Artificial (AESIA) was established by Royal Decree 729/2023 and became operational in June 2024. It is the first dedicated national AI supervisory authority in the European Union.
AESIA's mandate covers the supervision of AI systems to ensure ethical, safe, and rights-respecting deployment. Once Spain's national AI law fully enters into force, AESIA will serve as Spain's market surveillance authority for AI under the EU AI Act, with inspection powers and authority to impose sanctions.
The EU AI Act
The EU AI Act (Regulation 2024/1689) entered into force on August 1, 2024, with provisions applying on a phased timeline. Prohibitions on unacceptable-risk AI systems applied from February 2025. Rules for high-risk AI systems are applying progressively through 2026-2027.
The AI Act introduces tiered obligations based on risk level. AI systems that pose unacceptable risks, such as real-time biometric surveillance in public spaces and social scoring systems, are prohibited outright. High-risk systems, including those used in hiring, credit decisions, healthcare, and critical infrastructure, face stringent obligations: mandatory DPIAs, transparency documentation, human oversight requirements, and registration in an EU database.
The Aena facial recognition fine is instructive as a preview of how the AI Act's heightened standards will apply to biometric identification systems. Although the fine was issued under the GDPR, the AEPD's analysis tracked closely the proportionality and DPIA requirements that the AI Act codifies for high-risk AI systems.
Spain's First EU AI Act Regulatory Sandbox
Spain ran the first Article 57 AI Act regulatory sandbox in the EU. In April 2025, AESIA selected 12 high-risk AI projects from Spanish companies to participate. The sandbox covers systems operating in six sectors: essential services, biometrics, employment, critical infrastructure, machinery, and healthcare products. Participating companies receive high-level guidance and operate under supervised real-world conditions before market launch.
In December 2025, AESIA published 16 detailed compliance guides covering AI Act requirements for high-risk systems. These are the most detailed national-level compliance guides available in the EU.
National AI Legislation
On March 11, 2025, Spain's Council of Ministers approved a draft national AI law (Anteproyecto de Ley para el Buen Uso y la Gobernanza de la IA) to implement the EU AI Act at the national level. The law designates AESIA as the competent authority with enforcement powers and establishes the national institutional framework for AI governance.
AEPD-AESIA Coordination
Data protection and AI regulation intersect frequently in practice, since most AI systems process personal data. The AEPD and AESIA have established coordination mechanisms to avoid duplicative investigations and to issue joint guidance where GDPR and AI Act requirements overlap. The Aena and FC Barcelona cases, both involving biometric AI systems, illustrate how the AEPD's GDPR enforcement foreshadows the issues AESIA will address under the AI Act.
See also: Spain Recording Laws for how these AI and data protection frameworks apply to audio and video recording specifically.
Penalties and Sanctions
The LOPDGDD establishes a three-tier classification for violations, which works alongside the GDPR's penalty framework.
Minor violations carry fines of up to 40,000 euros and a one-year statute of limitations. Examples include minor procedural failures and inadequate record-keeping.
Serious violations carry fines between 40,001 and 300,000 euros, with a two-year statute of limitations. These include violations of data subject rights, failures in data processing agreements, and insufficient security measures.
Very serious violations carry fines up to 20 million euros or 4% of global annual turnover (whichever is higher), with a three-year statute of limitations. These cover fundamental violations: processing without a legal basis, large-scale unauthorized international transfers, and obstruction of AEPD investigations.
The AEPD considers multiple factors when setting penalty amounts: the severity and duration of the violation, harm caused to data subjects, the number of individuals affected, whether there was intent or negligence, remediation steps taken, the sensitivity of the data categories involved, whether the controller cooperated with the investigation, and any prior violations.
Public sector organizations generally receive formal warnings rather than monetary fines, though the AEPD has discretion to impose fines on public sector bodies in particularly serious cases.
Recent Developments (2024-2026)
Biometrics enforcement wave. The AEPD has made biometric data processing its most active enforcement front. The Aena (10 million euros), FC Barcelona (500,000 euros), and Yoti (950,000 euros) cases, all resolved in late 2025 or early 2026, signal that the agency will scrutinize any biometric system that lacks a compliant DPIA and demonstrably proportionate design.
AEPD Strategic Plan 2025-2030. Published in July 2025, the plan commits the AEPD to proactive, AI-assisted supervision, focusing on large-scale data processors, biometrics, and algorithmic systems. Organizations that process data at high volume or use AI-driven decision-making are the primary targets.
Protection of minors. The draft Organic Law for the Protection of Minors in Digital Environments, approved by the Council of Ministers in March 2025 and under Parliamentary consideration, represents the most significant proposed change to the LOPDGDD since its enactment. It would raise the digital consent age from 14 to 16, require age verification by platforms, and mandate default parental controls on connected devices.
AESIA's first regulatory sandbox. Spain completed the first cohort of its EU AI Act sandbox in 2025, with 12 high-risk AI projects tested across six sectors. Results will inform a public report of good practices to guide future national AI regulation.
LOPDGDD interaction with DSA. The Spanish Government approved a draft Digital Services Act implementing law in July 2025, aligning Spain's framework with the EU Digital Services Act. The measure affects how online platforms handle content moderation, algorithmic transparency, and risk assessment, all of which intersect with data protection obligations.
Business Compliance Checklist
Organizations processing the personal data of people in Spain should address these requirements as a baseline:
- Establish a valid lawful basis under GDPR Article 6 for every processing activity. Document the basis in your Records of Processing Activities.
- Appoint a Data Protection Officer if your organization falls within any of the 16 mandatory sectors under LOPDGDD Article 34. Notify the AEPD of the appointment within 10 days.
- Prepare and implement a digital disconnection policy in consultation with employee representatives, as required by LOPDGDD Article 88.
- Review workplace monitoring practices for compliance with Articles 87, 89, and 90: camera placement restrictions, advance notice obligations, one-month retention limit for surveillance footage.
- Conduct a Data Protection Impact Assessment before deploying any biometric system, facial recognition system, or large-scale profiling system. The DPIA must assess proportionality against less intrusive alternatives.
- Establish breach notification procedures, including registration with the AEPD's Electronic Office and internal documentation workflows for non-notifiable breaches.
- Audit cookie consent mechanisms for compliance with LSSI and GDPR: equal prominence of accept and reject options, no pre-ticked boxes, genuine freedom to decline.
- Review privacy notices to ensure they cover all Article 13/14 required information in accessible Spanish.
- Assess international transfer mechanisms for any personal data leaving the EEA and complete Transfer Impact Assessments where required.
- If you deploy or use AI systems that qualify as high-risk under the EU AI Act, engage with AESIA's guidance and register in the EU high-risk AI system database.
Frequently Asked Questions
How does Spain's LOPDGDD differ from the standard GDPR?
The LOPDGDD (Organic Law 3/2018) adapts the GDPR to Spain and adds provisions the GDPR leaves to member states. The most significant differences are: the age of digital consent is set at 14 (the GDPR default is 16, and proposed legislation would raise it back to 16); Data Protection Officers are mandatory for 16 specific sectors regardless of company size; Title X creates a charter of digital rights covering internet neutrality, the right to digital disconnection from work, digital wills, and the right to be forgotten on social networks; and deceased persons' data rights are codified in a way the GDPR excludes.
What is AESIA and how does it relate to the AEPD?
AESIA (Agencia Espanola de Supervision de la Inteligencia Artificial) is Spain's national AI supervisory authority, established in 2023 and operational since June 2024. It is the first dedicated national AI regulator in the EU. AESIA oversees compliance with the EU AI Act, runs regulatory sandboxes for high-risk AI systems, and publishes compliance guidance. The AEPD remains responsible for data protection under the GDPR and LOPDGDD. The two agencies coordinate on cases where AI systems process personal data, which includes most biometric, profiling, and decision-making AI applications.
What are the penalties for violating data privacy laws in Spain?
Spain classifies violations into three tiers. Minor infractions carry fines up to 40,000 euros with a one-year statute of limitations. Serious infractions carry fines between 40,001 and 300,000 euros with a two-year period. Very serious infractions can reach 20 million euros or 4% of global annual turnover (whichever is higher) with a three-year limitation. In 2025, the AEPD issued approximately 40 million euros in total fines across 299 sanctions, including a 10 million euro fine against Aena for biometric boarding systems at airports.
What is the right to digital disconnection in Spain?
Article 88 of the LOPDGDD gives workers in both the public and private sectors the legal right not to respond to work-related digital communications outside their contracted working hours. Employers must respect rest periods, holidays, and personal time. Organizations must develop an internal digital disconnection policy in consultation with employee representatives, specifying permissible contact channels and hours, and must provide training on the right. Failure to implement this policy can be treated as an aggravating factor in AEPD proceedings involving workplace monitoring.
How do I report a data breach to the AEPD?
Breaches likely to result in risk to individuals must be reported to the AEPD within 72 hours of discovery. Notifications are filed electronically through the AEPD's Electronic Office using the official breach notification form. The report must cover the nature of the breach, the number of affected individuals, likely consequences, and corrective measures taken or planned. The AEPD provides two free tools: ASESORA BRECHA for determining whether notification is required, and COMUNICA-BRECHA RGPD for evaluating whether affected individuals must also be notified directly. All breaches, including those below the notification threshold, must be documented internally.
Can employers use video surveillance to monitor employees in Spain?
Yes, with strict conditions under LOPDGDD Article 89. Employers must inform employees in advance, cameras are prohibited in rest areas, changing rooms, and dining areas, and audio surveillance is generally forbidden. Recorded footage may only be retained for one month unless it constitutes evidence of unlawful conduct. The surveillance must be proportionate to the purpose. In exceptional cases where there is well-founded suspicion of unlawful behavior, employers may proceed under a reduced notice obligation, but covert surveillance for routine monitoring is not permitted.
Does Spain's LOPDGDD apply to companies outside Spain?
Yes. The LOPDGDD applies to any organization established in Spain that processes personal data, and also to organizations established outside the EU that offer goods or services to people in Spain or monitor their behavior. This is the GDPR's territorial scope rule, which the LOPDGDD inherits. Non-EU companies must appoint an EU representative under GDPR Article 27 if they fall within the regulation's territorial scope. The AEPD has opened proceedings against organizations with no Spanish establishment based on GDPR territorial reach.
Sources and References
- Boletin Oficial del Estado - Spanish Constitution (Article 18.4) (boe.es)
- Boletin Oficial del Estado - Ley Organica 3/2018, LOPDGDD (boe.es)
- Agencia Espanola de Proteccion de Datos (AEPD) - Official Website (aepd.es)
- AEPD - Notification of a Personal Data Breach to the Supervisory Authority (aepd.es)
- Agencia Espanola de Supervision de la Inteligencia Artificial (AESIA) (aesia.digital.gob.es)
- AESIA - Guidelines Published to Support Compliance with the AI Act (December 2025) (aesia.digital.gob.es)
- EU AI Act - Regulation 2024/1689 (eur-lex.europa.eu)
- European Data Protection Board - AEPD Imposes Fine of 6,000,000 EUR on CaixaBank (edpb.europa.eu)
- European Data Protection Board - Spanish DPA Fines Vodafone Spain More Than 8 Million Euros (edpb.europa.eu)
- Biometric Update - Spanish Airport Operator Aena Fined Over Biometric Boarding Program (biometricupdate.com)
- Biometric Update - Spain AEPD Fines Yoti 950,000 Euros for Biometric Data Handling Violations (biometricupdate.com)
- PPC Land - Spain Fines FC Barcelona 500,000 Euros for Failing Biometric DPIA (ppc.land)
- Linklaters - The Spanish Data Watchdog Ramps Up Enforcement with Fines Totalling Over 35.5 Million in FY24 (techinsights.linklaters.com)
- Linklaters - Spain 2025 Data Breach Landscape: 2,765 Notifications (techinsights.linklaters.com)
- ECIJA - More Sanctions and Higher Fines: The AEPD Raises the Level of Fines in 2025 (ecija.com)
- Linklaters - Spain La Liga Fine for Microphone Access Upheld (linklaters.com)
- PPC Land - AEPD Orders Informa D&B to Delete 1.8 Million Worth of Records (ppc.land)
- activeMind.legal - Data Protection Officer Under Spanish Law (activemind.legal)
- GDPRhub - Data Protection in Spain (gdprhub.eu)
- Osborne Clarke - LOPDGDD Enters into Force in Spain (osborneclarke.com)
- LOPDGDD Full Text (English Translation) - Organic Law 3/2018 (uspceu.com)
- Pinsent Masons - Spain Legislates for First EU AI Act Regulatory Sandbox (pinsentmasons.com)