
Essential privacy and data protection terminology for English-speaking businesses navigating Spain's regulatory framework
Last updated: January 2025
Understanding data protection terminology is crucial for businesses operating in Spain. This comprehensive glossary defines key privacy terms in both English and Spanish, helping you navigate Spain's dual regulatory framework under the GDPR and LOPDGDD (Spain's national data protection law).
Whether you're a UK company expanding to Spain, an expat running a Spanish business, or an international organisation with Spanish operations, this glossary provides the foundational terminology you need for compliance.
A formal request from a data subject to obtain confirmation of whether their personal data is being processed and, if so, to receive a copy of that data. In Spain, controllers must respond within one month under both GDPR Article 15 and LOPDGDD provisions.
Spain's independent supervisory authority responsible for enforcing GDPR and LOPDGDD, investigating complaints, imposing fines, and issuing binding guidance on data protection matters. The AEPD maintains a notably aggressive enforcement posture compared to many EU counterparts.
The process of rendering personal data irreversibly unidentifiable, ensuring individuals cannot be identified directly or indirectly through any means reasonably likely to be used. Properly anonymised data falls outside the scope of GDPR and LOPDGDD entirely.
The fundamental requirement that data controllers must demonstrate compliance with data protection principles through documented policies, procedures, and technical measures rather than merely claiming compliance. This represents the shift from "paper compliance" to proactive responsibility.
Personal data resulting from specific technical processing relating to physical, physiological, or behavioural characteristics (such as facial images or fingerprints) that allow unique identification of a natural person. Spain heavily restricts biometric processing, particularly in employment contexts, as demonstrated by the €10 million AENA fine.
A uniquely Spanish requirement under LOPDGDD Article 32 whereby data marked for deletion must first be placed in a restricted, offline state for a defined retention period (typically 4-5 years) before physical destruction. Data remains available only for legal claims, compliance obligations, or regulatory requests during the blocking period.
The mandatory obligation to report personal data breaches to the AEPD within 72 hours of discovery and, where high risk exists, to affected data subjects without undue delay. Controllers must maintain internal breach registers even when AEPD notification is not legally required.
A freely given, specific, informed, and unambiguous indication of a data subject's wishes by which they agree to the processing of their personal data through a clear affirmative action. In Spain, consent for children under 14 years requires parental or guardian authorisation, lower than the GDPR's default age of 16.
The natural or legal person, public authority, agency, or body which alone or jointly with others determines the purposes and means of processing personal data. Controllers bear primary legal responsibility for GDPR/LOPDGDD compliance including documentation, security measures, and rights fulfilment.
Regulated databases containing information about debts and payment behaviour, governed by strict rules under LOPDGDD Article 20. Debts under €50 cannot be registered, negative data must be removed after five years, and debtors must be notified before registration.
The movement of personal data from Spain or the EU to third countries outside the European Economic Area, which requires adequate safeguards such as Standard Contractual Clauses, Binding Corporate Rules, or an adequacy decision from the European Commission.
A security incident leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored, or otherwise processed. Controllers must maintain breach registers and notify the AEPD within 72 hours where required.
The GDPR principle requiring that personal data collected must be adequate, relevant, and limited to what is strictly necessary for the specified processing purposes. Over-collection violates this fundamental principle even with valid consent.
The right of data subjects under GDPR Article 20 to receive their personal data in a structured, commonly used, and machine-readable format and to transmit it to another controller without hindrance when processing is based on consent or contract.
A mandatory risk assessment required before implementing high-risk processing activities such as large-scale processing of special category data, systematic monitoring of public areas, or automated decision-making with legal effects. The AEPD maintains a specific list of processing operations requiring DPIAs.
An independent expert appointed to monitor GDPR/LOPDGDD compliance, advise on data protection obligations, cooperate with the AEPD, and serve as a contact point for data subjects. Under LOPDGDD Article 34, appointment is mandatory for 16 specific sectors regardless of organisation size—stricter than standard GDPR requirements.
An identified or identifiable natural living person whose personal data is being processed. Spanish law uniquely extends certain data protection rights to relatives and heirs of deceased persons under LOPDGDD Article 3.
A pioneering right enshrined in LOPDGDD Article 88 (Title X Digital Rights) requiring employers to establish policies and protocols limiting out-of-hours digital communications and respecting employees' rest periods, leave, personal time, and family privacy.
The right under LOPDGDD Article 96 for individuals to provide legally binding instructions regarding the access, use, rectification, or deletion of their online accounts, social media profiles, and digital content after death.
A technical security measure that transforms readable data into an encoded format requiring a decryption key for access, recognised under GDPR Article 32 as an appropriate safeguard for protecting personal data confidentiality and integrity.
The right of data subjects under GDPR Article 17 to obtain deletion of their personal data without undue delay when specific conditions are met (purpose achieved, consent withdrawn, unlawful processing). In Spain, erasure is closely linked to the mandatory blocking obligation under LOPDGDD Article 32.
The requirement under GDPR Article 5 that personal data be processed lawfully, fairly, and transparently in relation to the data subject, ensuring individuals can understand, challenge, and exercise control over how their information is used.
A free online compliance tool provided by the AEPD specifically designed to help Spanish small and medium-sized enterprises achieve GDPR compliance through guided questionnaires, automated documentation generation, and sector-specific templates.
Regulation (EU) 2016/679, the primary European legal framework for data protection that came into effect on 25 May 2018, establishing harmonised rules across all EU member states whilst allowing national adaptations through "opening clauses" that Spain exercised via LOPDGDD.
Special category data under GDPR Article 9 relating to physical or mental health of a natural person, including provision of healthcare services, which requires heightened protection. Processing generally requires explicit consent or must be necessary for healthcare provision, public health monitoring, or specific legal obligations.
See Data Protection Impact Assessment (DPIA)
The transparency obligations under GDPR Articles 13-14 requiring controllers to provide data subjects with clear information about processing purposes, legal basis, recipients, retention periods, and rights. LOPDGDD Article 11 endorses a layered approach for complex processing activities.
A core data protection principle under GDPR Article 5(1)(f) requiring that personal data be processed securely using appropriate technical and organisational measures to prevent unauthorised or unlawful processing, accidental loss, destruction, or damage.
Two or more controllers who jointly determine the purposes and means of processing personal data under GDPR Article 26, requiring a transparent written arrangement defining each party's respective compliance obligations and data subject rights procedures.
The fundamental GDPR Article 6 requirement that all personal data processing must be based on at least one of six legal bases: consent, contract necessity, legal obligation, vital interests, public task, or legitimate interests. Processing without a valid legal basis is unlawful.
The Spanish practice endorsed by LOPDGDD Article 11 and AEPD guidance of providing privacy information in progressive tiers: essential details provided immediately at point of collection, with additional comprehensive information accessible through clearly signposted links, documents, or QR codes.
A legal basis for processing under GDPR Article 6(1)(f) where the controller demonstrates compelling interests that do not override the fundamental rights and freedoms of data subjects. LOPDGDD Article 19 creates a rebuttable presumption of legitimate interest for business-to-business professional contact data.
Spain's Organic Law 3/2018 of 5 December on Protection of Personal Data and Guarantee of Digital Rights, which adapts and supplements the GDPR with stricter national requirements including lower age of consent (14 years), mandatory data blocking, expanded DPO obligations across 16 sectors, and pioneering digital rights provisions in Title X.
In Spain, individuals under 14 years of age are considered minors for data protection purposes and require verifiable parental or guardian authorisation to consent to processing of their personal data in information society services—notably lower than the GDPR's default age threshold of 16 years.
The right of data subjects under GDPR Article 21 to object to processing based on legitimate interests or public interest tasks, and an absolute right to object to direct marketing. Controllers must cease processing unless they can demonstrate compelling legitimate grounds that override the individual's interests.
Any information relating to an identified or identifiable natural person (data subject), including names, identification numbers, location data, online identifiers, or factors specific to physical, physiological, genetic, mental, economic, cultural, or social identity under GDPR Article 4(1).
A natural or legal person, public authority, agency, or body which processes personal data on behalf of and under the documented instructions of a controller, bound by written contracts specifying processing scope, security requirements, sub-processor authorisation, and assistance obligations.
Any form of automated processing of personal data used to evaluate, analyse, or predict aspects concerning an individual's performance, economic situation, health, personal preferences, interests, reliability, behaviour, location, or movements under GDPR Article 4(4).
Processing personal data in such a manner that it can no longer be attributed to a specific data subject without the use of additional information, which is kept separately and subject to technical and organisational measures, under GDPR Article 4(5). Unlike anonymisation, pseudonymisation reduces but does not eliminate data protection obligations, because the data remains personal data while the additional information exists.
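The two preceding entries on anonymisation and pseudonymisation turn on one practical distinction: whether any "additional information" that could re-link the output to a person is retained. The following Python script is an added illustration, not code from the page or from ANRO Privacy, and it assumes a hypothetical `PseudonymVault` holding an HMAC key and lookup table separately from the working dataset; the records are constructed fictitious data. It shows that keyed pseudonyms preserve linkage across records and can be reversed only with the separately held vault, whereas the anonymised view drops direct identifiers and generalises the rest with no key or table kept.

```python
import hashlib
import hmac
import secrets

# Constructed sample records (fictitious people and values) for the demonstration.
SAMPLE_RECORDS = [
    {"dni": "12345678A", "name": "Ana Ejemplo", "city": "Madrid", "purchase_total": 120.50},
    {"dni": "87654321B", "name": "Luis Ficticio", "city": "Sevilla", "purchase_total": 45.00},
    {"dni": "12345678A", "name": "Ana Ejemplo", "city": "Madrid", "purchase_total": 30.00},
]

# Fields that directly identify a person and must be replaced or removed.
DIRECT_IDENTIFIERS = ("dni", "name")


class PseudonymVault:
    """Hypothetical store for the 'additional information' of GDPR Art. 4(5).

    The secret key and the pseudonym -> identifier table live here, apart from the
    pseudonymised dataset. Whoever holds only the dataset cannot re-identify anyone;
    whoever holds the vault can, which is why the vault needs the stricter controls.
    """

    def __init__(self, key=None):
        self.key = key or secrets.token_bytes(32)  # fresh random key unless supplied
        self._lookup = {}  # pseudonym -> original identifier value

    def pseudonym_for(self, value):
        # Keyed HMAC: deterministic per key (same DNI -> same token, so records stay
        # linkable), but unpredictable without the key, unlike a plain unsalted hash.
        token = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]
        self._lookup[token] = value
        return token

    def reidentify(self, token):
        # Reversal is only possible through the vault; returns None for unknown tokens.
        return self._lookup.get(token)


def pseudonymise(records, vault):
    """Replace direct identifiers with keyed pseudonyms; other fields are untouched."""
    out = []
    for rec in records:
        rec = dict(rec)
        for field in DIRECT_IDENTIFIERS:
            rec[field] = vault.pseudonym_for(rec[field])
        out.append(rec)
    return out


def purchase_band(amount):
    # Generalise an exact amount into a coarse band (a quasi-identifier reduction).
    if amount < 50:
        return "<50"
    if amount < 200:
        return "50-199"
    return "200+"


def anonymise(records):
    """Irreversible view: identifiers are dropped and remaining values generalised.

    No key or table is retained, so nothing in this function's output can be mapped
    back. Note that dropping identifiers alone does not guarantee anonymity; whether
    the output still allows identification "by means reasonably likely to be used"
    must be assessed against the data actually released.
    """
    return [
        {"region": rec["city"], "purchase_band": purchase_band(rec["purchase_total"])}
        for rec in records
    ]


if __name__ == "__main__":
    vault = PseudonymVault()
    pseudo = pseudonymise(SAMPLE_RECORDS, vault)
    print("pseudonymised:", pseudo)
    print("re-identified first record:", vault.reidentify(pseudo[0]["dni"]))
    print("anonymised:", anonymise(SAMPLE_RECORDS))
```

Because the pseudonymised dataset still refers to identifiable people via the vault, it remains personal data and the data subject rights above still apply to it; only the anonymised view falls outside the GDPR and LOPDGDD, and even then only if the re-identification risk has genuinely been removed.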
The mandatory written documentation required under GDPR Article 30 describing all processing operations an organisation conducts, including purposes, legal basis, data categories, recipients, international transfers, retention periods, and security measures. It must be made available to the AEPD upon request.
The right of data subjects under GDPR Article 16 to obtain correction of inaccurate personal data and completion of incomplete data without undue delay, with controllers obliged to communicate rectifications to all recipients unless impossible or requiring disproportionate effort.
The right under GDPR Article 18 to require controllers to mark stored personal data and limit its processing to storage only (except with data subject consent, for legal claims, or protecting another person's rights), applicable when accuracy is contested, processing is unlawful but deletion is opposed, or data is needed for legal claims.
Administrative fines imposed by the AEPD for GDPR/LOPDGDD violations, classified under Spanish law as minor infractions (up to €40,000), serious infractions (€40,001 to €300,000), or very serious infractions (up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher).
Technical and organisational safeguards required under GDPR Article 32 to ensure appropriate security of personal data, including confidentiality, integrity, availability, and resilience of processing systems through measures such as encryption, pseudonymisation, access controls, backup systems, and incident response procedures.
See Special Categories of Personal Data
Personal data under GDPR Article 9 revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data for unique identification purposes, health data, or data concerning sex life or sexual orientation. Processing is generally prohibited without explicit consent or specific legal grounds.
An independent public authority established by an EU Member State responsible for monitoring GDPR application under Articles 51-59. In Spain, the primary authority is the AEPD, with regional supervisory authorities in Catalonia (Autoritat Catalana de Protecció de Dades), the Basque Country, and Andalusia holding competence for regional public sector processing.
A natural or legal person, public authority, agency, or body other than the data subject, controller, processor, and persons who under the direct authority of the controller or processor are authorised to process personal data under GDPR Article 4(10).
The fundamental GDPR Article 5(1)(a) requirement that all information and communications relating to personal data processing be concise, easily accessible, clear, and written in plain language understandable to the intended audience, particularly when information is addressed to children.
The monitoring of spaces using camera systems, heavily regulated in Spain under the LOPDGDD, with strict requirements including mandatory yellow informative signage visible before entering monitored areas, a prohibition on recording audio or filming public streets (except by authorised security forces), and significant limitations on workplace monitoring, including prohibitions in break rooms and toilets.
A non-financial sanction available to the AEPD under LOPDGDD as an alternative to administrative fines for first-time, minor infringements particularly by public bodies, small organisations, or natural persons, imposing corrective obligations and future compliance requirements without immediate monetary penalty.
Internal reporting systems required under Spanish Law 2/2023 for companies with 50 or more employees, allowing anonymous reporting of irregularities, fraud, or legal violations whilst ensuring robust data protection for both whistleblowers and reported parties under strict AEPD oversight and specific retention limitations.
Spain operates under a dual regulatory framework combining the directly applicable EU GDPR with national specifications in the LOPDGDD. This creates compliance obligations that go significantly beyond baseline GDPR requirements familiar to UK and international businesses.
Key Spain-specific terminology to master includes:
For English-speaking businesses operating in Spain, understanding these terms isn't just academic—it's essential for avoiding substantial fines and ensuring genuine compliance with one of Europe's strictest data protection regimes.
This glossary provides foundational terminology, but navigating Spain's sophisticated dual GDPR/LOPDGDD framework requires specialised expertise. ANRO Privacy focuses exclusively on Spanish data protection compliance for English-speaking businesses and expats.
Disclaimer: This glossary is provided for informational and educational purposes only and does not constitute legal advice. It does not create a professional relationship between ANRO Privacy and the reader. For specific compliance guidance tailored to your business circumstances, consult a qualified Data Protection Officer or legal professional with expertise in Spanish data protection law.
© 2025 ANRO Privacy. All rights reserved.
Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.
No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.
No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.
Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.
Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.
This summary is provided for informational purposes only. For more information, see our Aviso Legal (Legal Notice).