
LOPDGDD Compliance Documents: The Baseline Pack Every Company in Spain Needs

Part 1 of 3 | ANRO Privacy

Why Documentation Matters Under Spanish Data Protection Law

Under Spain’s previous data protection regime, the Organic Law 15/1999 (LOPD), compliance was largely a matter of registration. Companies notified the authorities that they held personal data files, and for many that was the end of the exercise.

That model is gone. The General Data Protection Regulation (GDPR), together with Spain’s national adaptation, the Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales, or LOPDGDD), replaced it with something far more demanding. The principle at the heart of the current framework is accountability (responsabilidad proactiva). In practical terms, this means that a company must not only comply with the rules but must be able to prove that it complies.

Documentation is that proof. If the Spanish Data Protection Authority (Agencia Española de Protección de Datos, or AEPD) opens an investigation or a data subject files a complaint, the first thing the regulator will ask for is evidence. A defensible compliance file is the difference between demonstrating responsible data management and scrambling to explain why no records exist.

This article covers the baseline documentation pack, the set of documents that virtually every company acting as a data controller (responsable del tratamiento) in Spain should have in place, regardless of size, sector, or specific risk profile. Part 2 of this series covers conditional documents triggered by risk, sector, or activity. Part 3 addresses the additional layer for companies with websites or online commercial activity.

Spain adds a number of specific requirements on top of standard GDPR obligations, including mandatory data blocking, an expanded list of sectors requiring a Data Protection Officer, and a suite of digital rights for employees. Data blocking affects every controller and is covered in section 7 below; the DPO list and employee digital rights are addressed in Parts 2 and 3. The focus here is on the seven document categories that form the foundation of any compliance programme.


So What Documents Does a Business Need to Comply with LOPDGDD & Data Protection in Spain?

1. Record of Processing Activities

The Record of Processing Activities (Registro de Actividades de Tratamiento, commonly abbreviated as RAT) is the foundational compliance document. It is a structured record of every processing activity the company carries out involving personal data.

The RAT must describe, for each activity, what personal data is processed, the purpose of the processing, the legal basis relied upon, the categories of data subjects and recipients, any international transfers, the applicable retention periods, and a general description of the security measures in place. Both data controllers and data processors (encargados del tratamiento) are required to maintain one.

Legal basis: GDPR Article 30, LOPDGDD Article 31.

The GDPR exempts organisations with fewer than 250 employees from keeping a RAT, but only where their processing is occasional, is unlikely to result in a risk to the rights and freedoms of individuals, and does not involve special category data or data relating to criminal convictions and offences. Processing employee or customer data is not occasional, so in practice almost every company must keep one. The AEPD’s own compliance tools, Facilita RGPD for low-risk SMEs and Gestiona RGPD for more complex operations, both begin with the creation of a processing inventory.

Example: A small estate agency in Marbella would typically record processing activities for client property searches, marketing communications, employee records, and supplier contacts. Each activity gets its own entry in the RAT, with the legal basis, retention period, and security posture documented separately.


2. Privacy Information Notices

A privacy information notice (cláusula informativa) is the document that tells a data subject, at the point their data is collected, what will happen with their personal information. The LOPDGDD formalises a layered approach to these notices in Article 11.

The first layer must be concise, providing the essential information at the point of collection: the identity of the data controller (and of its representative, if any), the purpose of the processing, how the data subject can exercise their rights, and where the rest of the information can be found. The second layer, accessible via a direct link or a secondary medium, contains the full detailed information required by GDPR Articles 13 and 14, including the legal basis, retention periods, recipients, details of any international transfers, and the right to lodge a complaint with the AEPD.

Legal basis: GDPR Articles 13 and 14, LOPDGDD Article 11.

Companies typically need separate notices for each audience: customers, employees, job applicants, and suppliers. The AEPD provides model clauses (modelos de cláusulas informativas) and a dedicated guide on the duty to inform, both available on the AEPD website.

Example: A boutique hotel needs a notice on its booking form for guests, a separate clause in its employment contracts for staff, a notice in its job application process, and a clause in its supplier onboarding paperwork. The content differs for each because the purposes, legal bases, and retention periods are not the same.

3. Data Subject Rights Procedure

Individuals have the right to request access to their personal data, rectification, erasure (supresión), restriction (limitación) of processing, data portability, to object to processing, and not to be subject to decisions based solely on automated processing. The first six are often grouped under the Spanish acronym ARSOPOL (acceso, rectificación, supresión, oposición, portabilidad, limitación). A company must have a documented procedure for receiving, verifying, and responding to these requests (ejercicio de derechos).

Legal basis: GDPR Articles 15 to 22.

The procedure should define how requests are received, who within the company is responsible for handling them, how the identity of the requester is verified (asking for no more identification than the request reasonably requires), the response deadlines (one calendar month from receipt, extendable by a further two months where the complexity or number of requests justifies it, provided the data subject is told of the extension and its reasons within the first month), and how outcomes are recorded in an evidence log.

The AEPD has consistently sanctioned companies for responding late to rights requests, even where the eventual response was correct and complete. The delay itself constitutes a violation. A documented procedure reduces this risk by establishing clear internal ownership and timelines.

Example: An accountancy firm receives an access request from a former client. The procedure defines which team member acknowledges receipt, what data is gathered from the firm’s systems, how the one-month deadline is tracked, and where the response and supporting evidence are filed.


4. Data Processor Agreements

Whenever a company uses a third party that processes personal data on its behalf, a data processor agreement (contrato de encargado del tratamiento) must be in place. This applies to any external provider that handles personal data as part of the service it delivers: payroll providers, cloud software platforms, marketing agencies, IT support companies, and similar.

Legal basis: GDPR Article 28, LOPDGDD Article 33.

The agreement must set out the subject matter and duration of the processing, its nature and purpose, the types of personal data involved, and the obligations of the processor. Key clauses include the processor’s duty to implement appropriate security measures, to notify the controller without undue delay in the event of a breach, to obtain prior authorisation before engaging sub-processors, to support the controller in responding to data subject rights requests, and to return or destroy the data at the end of the contract.

The LOPDGDD adds a notable Spanish provision in Article 33.2: a party that deals with data subjects in its own name, without it being evident that it acts on behalf of the controller, is treated as a data controller and not as a processor, even if a processing contract exists. The label in the contract does not decide the question; the way the provider presents itself to data subjects does. This makes proper contractual boundaries, and consistent behaviour in line with them, especially important.

The AEPD publishes contract guidance and model clauses to assist with drafting.

Example: A restaurant chain using a cloud-based reservation system, an external payroll provider, and a digital marketing agency needs a separate processor agreement with each. If any of those providers uses sub-processors (for example, the payroll provider hosting data on a third-party cloud platform), that must also be documented and authorised.

5. Security Measures Documentation

The GDPR requires companies to implement technical and organisational security measures (medidas de seguridad) that are appropriate to the level of risk associated with their processing activities. Those measures must be documented.

Legal basis: GDPR Article 32.

This is not a one-size-fits-all exercise. What is “appropriate” depends on the nature of the data, the volume of processing, and the potential consequences of a breach. A small consultancy handling client contact details operates at a different risk level from a health clinic processing medical records.

Documentation should cover access controls, encryption and pseudonymisation practices, backup and recovery procedures (including the ability to restore availability after an incident), staff training records, physical security measures, and any policies governing the use of portable devices or remote working. Article 32 also expects the effectiveness of these measures to be tested and reviewed regularly, so the dates and results of those reviews belong in the file as well. The AEPD provides security guidance and risk management resources on its website.

Example: A professional services firm with eight staff might document the following measures: encrypted laptops, role-based access to client files, annual data protection training for all employees, a clean desk policy, and a locked filing cabinet for paper records containing personal data.


6. Breach Procedure and Breach Register

Every company must have an internal protocol for detecting, assessing, and responding to personal data breaches (brechas de seguridad de datos personales), together with a breach register (registro de brechas) that logs every breach, whether or not it is reported to the AEPD.

Legal basis: GDPR Articles 33 and 34.

Where a breach is likely to result in a risk to the rights and freedoms of individuals, the company must notify the AEPD without undue delay and, where feasible, within 72 hours of becoming aware of it; a late notification must explain the reasons for the delay. Where the breach is likely to result in a high risk, affected data subjects must also be informed without undue delay. However, the obligation to record a breach in the register applies to all breaches, including those assessed as not requiring notification. The register serves as evidence that the company has a functioning breach management process and allows the AEPD to verify that notification decisions were sound.

The AEPD’s Comunica-Brecha RGPD tool provides a guided assessment to help companies determine whether a specific breach requires notification and to whom.

Example: An employee at an estate agency accidentally sends a client’s financial details to the wrong email address. The breach must be logged in the register immediately, even if the subsequent risk assessment concludes that notification to the AEPD is not required. The log should record what happened, when it was detected, the data affected, the assessment of risk, the reasoning behind the decision to notify or not, and any remedial action taken (for example, asking the recipient to delete the message and confirming that they did).

7. Retention and Deletion Policy with Data Blocking

A retention and deletion policy (política de conservación y supresión) documents how long each category of personal data is kept and what happens when the retention period expires. In Spain, this document must also address a requirement that does not exist in the standard GDPR framework: data blocking (bloqueo de datos).

Legal basis: GDPR Article 5(1)(e) on storage limitation, LOPDGDD Article 32 on data blocking.

Under LOPDGDD Article 32, when a data controller rectifies or erases personal data, it must block that data rather than immediately destroying it. Blocking means that the data is identified and reserved, with technical and organisational measures in place to prevent any processing of it, including viewing, so that it cannot be accessed by regular staff or used for any purpose other than being made available to judges and courts, the Public Prosecutor’s Office (Ministerio Fiscal), or competent public administrations, in particular the data protection authorities, in connection with potential liabilities arising from the processing.

The data remains in this blocked state for the statutory limitation period applicable to those liabilities, which typically ranges from three to six years depending on the type of obligation. Only once that period has expired must the data be physically destroyed.

If a company’s systems cannot support a blocking function, or if implementing one would require a disproportionate effort, LOPDGDD Article 32.4 permits an alternative: creating a secure copy of the data with digital evidence, or other evidence, that establishes its authenticity, the date of blocking, and the fact that the data has not been manipulated during the blocking period.

Failure to block data when rectification or erasure is carried out is classified as a serious infringement (infracción grave) under the LOPDGDD.

Example: A hotel guest exercises their right to erasure and requests deletion of their booking history. The hotel blocks the data so that it is inaccessible to reservations, marketing, or front-desk staff, but retains it in a locked state for the tax liability period (four years under Spanish tax law). After that period expires, the data is physically destroyed and the destruction is recorded.
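The blocking mechanism described above (segregate the data, restrict access to the permitted purposes, keep it only for the limitation period, then destroy it) and the Article 32.4 fallback (a secure copy with evidence of authenticity, blocking date and non-manipulation) can be implemented with a few hundred lines in most systems. The following is an added example written for this article, not code from ANRO Privacy or from the AEPD. It assumes an in-memory store, a custodian-held HMAC key, a liability period expressed in whole years and a fixed set of release purposes; all of those are assumptions, and the guest record is constructed sample data.

```python
"""Data blocking (bloqueo de datos) in the style of LOPDGDD Art. 32.

Added example, not code from ANRO Privacy or the AEPD. Assumptions (not in the
article): an in-memory store, an HMAC key held by a separate custodian, a
liability period in whole years, and a fixed list of purposes for release.
"""
import hashlib
import hmac
import json
from datetime import date

# Hypothetical list of purposes for which blocked data may be released:
# judges and courts, the Public Prosecutor's Office, competent authorities.
PERMITTED_PURPOSES = {"court_order", "public_prosecutor", "supervisory_authority"}
SEALED_FIELDS = ("blocked_on", "retain_until", "sha256", "payload")


def canonical(obj: dict) -> bytes:
    """Deterministic JSON so the same record always yields the same digest."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":"), ensure_ascii=False).encode("utf-8")


def add_years(d: date, years: int) -> date:
    """Add whole years; a 29 February start lands on 28 February in a non-leap year."""
    try:
        return d.replace(year=d.year + years)
    except ValueError:
        return d.replace(year=d.year + years, day=28)


def block_record(record: dict, blocked_on: date, liability_years: int, evidence_key: bytes) -> dict:
    """Seal a record into a blocked envelope: the Art. 32.4 'secure copy with evidence'."""
    payload = canonical(record)
    env = {
        "blocked_on": blocked_on.isoformat(),
        "retain_until": add_years(blocked_on, liability_years).isoformat(),
        "sha256": hashlib.sha256(payload).hexdigest(),
        "payload": payload.decode("utf-8"),
    }
    # The HMAC binds content, digest and dates together; anyone holding the
    # custodian key can later show that none of them was altered.
    sealed = canonical({k: env[k] for k in SEALED_FIELDS})
    env["evidence"] = hmac.new(evidence_key, sealed, hashlib.sha256).hexdigest()
    return env


def verify_envelope(env: dict, evidence_key: bytes) -> bool:
    """Re-derive the evidence; False means the copy was altered or forged."""
    sealed = canonical({k: env[k] for k in SEALED_FIELDS})
    expected = hmac.new(evidence_key, sealed, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, env["evidence"]):
        return False
    return hashlib.sha256(env["payload"].encode("utf-8")).hexdigest() == env["sha256"]


class BlockedStore:
    """Segregated store: regular staff have no read path, only permitted releases."""

    def __init__(self, evidence_key: bytes):
        self._key = evidence_key
        self._blocked: dict[str, dict] = {}
        self.audit: list[tuple] = []  # constructed audit trail, one tuple per event

    def block(self, subject_id: str, record: dict, today: date, liability_years: int) -> None:
        self._blocked[subject_id] = block_record(record, today, liability_years, self._key)
        self.audit.append(("blocked", subject_id, today.isoformat()))

    def release(self, subject_id: str, purpose: str, requester: str) -> dict:
        """Hand blocked data to a court or authority; any other purpose is refused and logged."""
        if purpose not in PERMITTED_PURPOSES:
            self.audit.append(("release_denied", subject_id, purpose, requester))
            raise PermissionError(f"blocked data may not be processed for {purpose!r}")
        env = self._blocked[subject_id]
        if not verify_envelope(env, self._key):
            raise ValueError("evidence check failed: blocked copy has been altered")
        self.audit.append(("released", subject_id, purpose, requester))
        return json.loads(env["payload"])

    def destroy_expired(self, today: date) -> list[str]:
        """Physically destroy only the records whose limitation period has run."""
        expired = [s for s, e in self._blocked.items() if date.fromisoformat(e["retain_until"]) <= today]
        for subject_id in expired:
            del self._blocked[subject_id]
            self.audit.append(("destroyed", subject_id, today.isoformat()))
        return expired


if __name__ == "__main__":
    store = BlockedStore(b"custodian-key-kept-outside-the-booking-system")  # constructed
    guest = {"booking_id": "B-1001", "name": "Example Guest", "email": "guest@example.com", "amount_eur": 420.0}
    store.block("guest-1", guest, date(2025, 3, 1), liability_years=4)  # four-year tax period
    try:
        store.release("guest-1", "marketing", "front-desk")
    except PermissionError as exc:
        print("denied:", exc)
    print("released to court:", store.release("guest-1", "court_order", "Juzgado de Marbella"))
    print("destroyed on 2029-03-01:", store.destroy_expired(date(2029, 3, 1)))
```

The HMAC only proves non-manipulation to whoever controls the custodian key, so it is evidence for the controller's own records rather than independent proof; a production system would add a qualified electronic timestamp or write-once storage for the sealed envelope, and would also remove the blocked records from search indexes, reports and marketing exports so that "no read path for regular staff" holds across the whole system, not just in the application layer.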

Practical Summary

These seven document categories (the Record of Processing Activities, privacy information notices, a data subject rights procedure, data processor agreements, security measures documentation, a breach procedure and breach register, and a retention and deletion policy with data blocking) form the minimum defensible compliance pack for a company operating in Spain.

Without them, a company cannot demonstrate the accountability that GDPR Article 5(2) requires. The AEPD’s enforcement record shows that procedural failings, such as missing documentation, late responses to rights requests, or the absence of a breach register, attract sanctions independently of whether any substantive harm to a data subject has occurred.

For companies that are building a compliance programme from scratch, a practical starting sequence is to begin with the RAT (establishing what processing exists), then address transparency through privacy notices, set up the data subject rights procedure so that deadlines are met from day one, formalise vendor governance through processor agreements, build breach readiness, and document security measures and retention. The AEPD’s free tools, including Facilita RGPD for low-risk SMEs, Gestiona RGPD for more complex operations, and Comunica-Brecha RGPD for breach assessment, can support much of this process.

Part 2 of this series covers the conditional documents that become mandatory depending on a company’s specific risk profile, sector, or activities, including Data Protection Impact Assessments, DPO appointments, international transfer documentation, and workplace monitoring policies.

Compliance Considerations

This article is published by ANRO Privacy for informational purposes only. It does not constitute legal advice and does not create a professional relationship between ANRO Privacy and the reader. Data protection compliance involves fact-specific assessments. Companies should consult a qualified Data Protection Officer or lawyer for advice tailored to their circumstances.

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Legal Notice (Aviso Legal).
