
What is LOPDGDD in Simple Terms?

TLDR: The LOPDGDD is Spain's data protection law that works alongside GDPR but adds stricter Spanish-specific requirements. It mandates Data Protection Officers for certain sectors, establishes unique "data blocking" obligations, and grants digital workplace rights. The Spanish Data Protection Agency (AEPD) actively enforces these rules with fines up to €20 million.

Operating in Spain means complying with both GDPR and the LOPDGDD, Spain's data protection law that adds requirements beyond baseline European rules.

What is the Spanish Data Protection Law?

The LOPDGDD (Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales) is Spain's Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights. It came into force on 7 December 2018, a few months after GDPR became applicable across the EU on 25 May 2018.

Think of it as Spain's national implementation of GDPR. Whilst GDPR sets the baseline rules for all EU member states, the LOPDGDD fills in the points GDPR leaves to national law and adds Spanish-specific requirements. The result is a dual compliance framework: businesses in Spain must follow both GDPR and the LOPDGDD.

The law does more than regulate data processing. It establishes a comprehensive "Digital Bill of Rights" for Spanish citizens, covering everything from the right to disconnect from work emails to how digital assets are handled after death. For businesses, this means your compliance obligations extend beyond traditional data security into areas like employee rights and digital legacy planning.

[Infographic: What is LOPDGDD in simple terms]

Why LOPDGDD Matters for Your Business

GDPR compliance alone isn't sufficient in Spain. The LOPDGDD introduces specific requirements that catch unprepared businesses by surprise:

Stricter Age Requirements: Spain sets the consent threshold at 14 years (not 16 as in many EU countries). Businesses collecting data from young people need age verification systems meeting Spain's lower threshold.

Mandatory Data Protection Officers: Specific sectors must appoint a DPO regardless of company size, including small language academies, private security firms, and local health clinics.

Data Blocking Obligations: Spanish law (Article 32 LOPDGDD) requires a "data blocking" phase before permanent deletion: the data is retained but made unavailable to ordinary processing, and can only be handed over to judges, courts, the Public Prosecutor or competent public authorities while liabilities arising from the processing could still be claimed. Your IT systems must be able to put records into this blocked state and purge them once that period ends.

The AEPD actively enforces these rules with substantial fines: €10 million against AENA for biometric processing violations, €8.15 million against Vodafone for security failures.

Key LOPDGDD Requirements Every Business Should Know

Data Protection Officers

Article 34 of the LOPDGDD lists 16 sectors that must appoint a DPO regardless of company size. This includes:

  • Educational institutions (schools, academies, universities)
  • Healthcare providers (clinics, hospitals, private practices with patient records)
  • Insurance companies
  • Banks and financial institutions
  • Energy providers
  • Private security firms
  • Professional colleges
  • Online gambling operators

If your business falls into any of these categories, appointing a DPO isn't optional; it's mandatory. The appointment must be notified to the AEPD, and the DPO acts as an independent advisor and contact point for data protection matters.

Digital Rights in the Workplace

Title X of the LOPDGDD establishes groundbreaking workplace rights. Your employees have the right to "digital disconnection" (Article 88), meaning they can refuse to respond to work communications outside working hours. Your business needs a written internal policy, drawn up after consulting employee representatives, addressing:

  • When employees can reasonably be contacted
  • How work devices should be used
  • Clear boundaries for digital communication

Video surveillance in the workplace has strict limitations (Article 89). Cameras cannot cover break rooms, canteens, toilets or changing areas, or monitor areas beyond what is strictly necessary for security, and employees must be told in advance that the system exists. Audio recording is only permitted where the activity carries relevant risks to the safety of people, goods or facilities, and even then it must be proportionate. The AEPD has repeatedly fined companies for excessive workplace surveillance.

Credit and Debt Information

If your business reports debts to credit reference agencies, the LOPDGDD (Article 20) sets specific conditions. Debts whose principal is under €50 cannot be reported to solvency files; the debt must be certain, due and enforceable; and the debtor must have been informed, in the contract or when payment was demanded, that non-payment may be reported. Data can only be retained whilst the debt remains unpaid, with a maximum period of five years from when the debt became due.

What Are My Digital Rights Regarding Personal Data in Spain?

Spanish data subjects hold the GDPR rights, and the LOPDGDD adds several of its own on top of them:

Access and Portability: Request all personal data a company holds about you in a readable, transferable format.

Right to Erasure (with Blocking): Companies must first "block" your data, making it inaccessible to ordinary processing whilst retaining it for possible legal claims, before permanent deletion.
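One way to build the blocking step described above (and the "IT systems must support this functionality" point in the earlier section) into an application's data layer. This is an added example written for this page, not code from the article or from ANRO Privacy, and the law does not prescribe any particular implementation. It models blocking as a record state that every ordinary read and search path refuses to serve, a single audited disclosure path for a fixed set of legal recipients, and a purge clock that physically deletes the record once retention ends. The five-year retention and the recipient labels ("court", "prosecutor", "aepd") are assumptions for illustration, not values taken from the law.

```python
"""Data blocking (bloqueo de datos) as the first stage of erasure.

Added example, not code from the original article. A blocked record is
kept but hidden from every ordinary read and search path; only a small
set of legal recipients can retrieve it, each such access is logged, and
the record is physically deleted once its retention clock runs out.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from enum import Enum
from typing import Optional


class State(Enum):
    ACTIVE = "active"
    BLOCKED = "blocked"


class BlockedDataError(PermissionError):
    """Ordinary processing tried to read a blocked record."""


@dataclass
class Record:
    subject_id: str
    data: dict
    state: State = State.ACTIVE
    blocked_at: Optional[datetime] = None
    purge_after: Optional[datetime] = None


@dataclass
class DataStore:
    # Assumed retention for blocked data: the limitation period for claims
    # that could arise from the processing. Set it per data category.
    retention: timedelta = timedelta(days=5 * 365)
    # Assumed labels for the only parties allowed to see blocked data.
    legal_recipients: frozenset = frozenset({"court", "prosecutor", "aepd"})
    _records: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def put(self, subject_id: str, data: dict) -> None:
        self._records[subject_id] = Record(subject_id, dict(data))

    def get(self, subject_id: str) -> Optional[dict]:
        """Ordinary read path: blocked data must not be processed or viewed."""
        rec = self._records.get(subject_id)
        if rec is None:
            return None
        if rec.state is State.BLOCKED:
            raise BlockedDataError(f"{subject_id} is blocked pending purge")
        return dict(rec.data)

    def search(self, key: str, value) -> list:
        """Ordinary search path: blocked records are invisible, not just unreadable."""
        return sorted(r.subject_id for r in self._records.values()
                      if r.state is State.ACTIVE and r.data.get(key) == value)

    def block(self, subject_id: str, now: Optional[datetime] = None) -> datetime:
        """Erasure step 1: reserve the data and start the purge clock. Idempotent."""
        now = now or datetime.now(timezone.utc)
        rec = self._records[subject_id]
        if rec.state is State.BLOCKED:
            return rec.purge_after
        rec.state, rec.blocked_at = State.BLOCKED, now
        rec.purge_after = now + self.retention
        self._log("block", subject_id, now=now)
        return rec.purge_after

    def disclose_to_authority(self, subject_id: str, recipient: str,
                              reference: str, now: Optional[datetime] = None) -> dict:
        """The one sanctioned read of blocked data: logged and limited to legal recipients."""
        if recipient not in self.legal_recipients:
            raise PermissionError(f"{recipient!r} may not read blocked data")
        rec = self._records[subject_id]
        if rec.state is not State.BLOCKED:
            raise ValueError("use the ordinary read path for active data")
        self._log("disclose", subject_id, now=now, recipient=recipient, reference=reference)
        return dict(rec.data)

    def purge_expired(self, now: Optional[datetime] = None) -> list:
        """Erasure step 2: physically delete blocked records whose retention has ended."""
        now = now or datetime.now(timezone.utc)
        due = sorted(r.subject_id for r in self._records.values()
                     if r.state is State.BLOCKED and r.purge_after <= now)
        for sid in due:
            del self._records[sid]
            self._log("purge", sid, now=now)
        return due

    def _log(self, action: str, subject_id: str, now=None, **extra) -> None:
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.audit_log.append({"action": action, "subject": subject_id, "at": stamp, **extra})


if __name__ == "__main__":
    store = DataStore()
    store.put("cust-1", {"name": "Ana", "email": "ana@example.com"})  # constructed sample
    purge_at = store.block("cust-1")
    print("visible to the app:", store.search("name", "Ana"))
    print("handed to a court:", store.disclose_to_authority("cust-1", "court", "case 42/2025"))
    print("purged:", store.purge_expired(now=purge_at))
```

The important design point is that blocking is enforced in the data layer rather than by asking each caller to remember to check a flag: `get` raises and `search` silently excludes, so a report, export or marketing job written later cannot accidentally process blocked data. In a real system the audit log would go to append-only storage and `purge_expired` would run as a scheduled job.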

Data Concerning Deceased Persons: Family members and heirs can request access to, correction of, or deletion of a deceased person's data (unless explicitly prohibited by the deceased).

Digital Disconnection: Employees can refuse to respond to work communications outside working hours.

Data Breach Notification: Companies must notify you directly if a breach poses high risk to your information.

 

How to Ensure My Small Business Complies with Data Privacy Regulations

The AEPD provides resources specifically for SMEs. Here's how to ensure compliance:

Document Your Processing Activities: Create a Record of Processing Activities (RAT, Registro de Actividades de Tratamiento) documenting what personal data you collect, why you need it, how long you keep it, how you store it, and who has access.

Implement Appropriate Security: Use encryption for devices storing personal data, strong passwords with two-factor authentication, regular software updates, and staff training on data protection.

Review Your Legal Basis: Every processing activity must rest on one of the six legal bases in Article 6 GDPR, most commonly consent, contractual necessity, a legal obligation or legitimate interest. Electronic marketing to people who are not already your customers requires prior consent, and pre-ticked boxes don't comply.

Create Clear Privacy Policies: Use a "layered approach" with a short summary followed by detailed information explaining what data you collect, why, retention periods, and how individuals exercise their rights.

Handle Requests Properly: Respond to data subject requests within one month, following Spain's unique requirements like data blocking.

Check DPO Requirements: Review Article 34's mandatory sectors list. If your business falls into any category, appointing a DPO is mandatory.

Prepare for Breaches: Notify the AEPD within 72 hours of breaches posing risk to individuals using the AEPD's "Comunica-Brecha RGPD" tool.

What Are the Fines for Not Complying with Data Protection Rules?

The LOPDGDD classifies infringements into three tiers (Articles 72 to 74) and takes the fine amounts from Article 83 GDPR: minor and serious infringements can attract fines of up to €10 million or 2% of global annual turnover (whichever is higher), and very serious infringements up to €20 million or 4%. The tier also fixes how long the AEPD has to act, three years for very serious, two for serious and one for minor infringements. Examples of each tier:

Minor Infractions: Formal failures such as incomplete transparency notices or not notifying the AEPD of your DPO's appointment.

Serious Infractions: Inadequate security measures, processing children's data without proper consent, or failing to appoint a mandatory DPO.

Very Serious Infractions: Fundamental violations such as processing without a legal basis, unauthorised international data transfers, or obstructing data subjects' rights.

Recent enforcement actions demonstrate the AEPD's willingness to impose substantial penalties:

  • AENA: €10.04 million for facial recognition systems without proper legal basis
  • Vodafone: €8.15 million for multiple security failures and marketing violations
  • CaixaBank: €6 million (reduced to €2 million on appeal) for consent bundling
  • Endesa: €6.1 million for security vulnerabilities enabling account hacking
  • Mercadona: €2.5 million for disproportionate use of facial recognition

Small businesses aren't immune. The AEPD regularly fines SMEs thousands of euros for violations like improper video surveillance or inadequate cookie consent mechanisms.

Frequently Asked Questions

Does LOPDGDD replace GDPR? No. LOPDGDD works alongside GDPR. You must comply with both regulations, GDPR as the European baseline and LOPDGDD as Spain's additional requirements.

I'm a sole trader with no employees. Do these rules apply? Yes. If you process personal data as part of your business (customer emails, client information, marketing lists), the LOPDGDD applies regardless of size. The AEPD's Facilita RGPD tool provides free compliance guidance for small businesses.

What if my UK business serves Spanish customers? If you offer goods or services to people in Spain or monitor their behaviour, both GDPR and LOPDGDD apply regardless of your physical location.

Can I use pre-ticked consent boxes? No. Consent must be a clear, affirmative action. Pre-ticked boxes, assumed consent, or consent by silence don't meet Spanish requirements.

The Bottom Line

The LOPDGDD creates an active enforcement framework that shapes how businesses operate in Spain. Understanding Spain's requirements beyond baseline GDPR compliance protects your business from financial penalties and reputational damage.

Compliance with LOPDGDD should be a priority for any business in Spain handling personal data. The combination of mandatory DPOs for specific sectors, unique data blocking requirements, and the AEPD's enforcement stance creates a compliance environment demanding attention.

Don't wait for an AEPD investigation to address your obligations. Resources exist to help small businesses comply and take the first step toward ensuring your Spanish operations meet both GDPR and LOPDGDD requirements.

Disclaimer: This article provides general information about Spanish data protection law and should not be construed as legal advice. It does not create a professional relationship between the reader and ANRO Privacy. For specific compliance questions affecting your business, consult a qualified Data Protection Officer or legal professional specialising in Spanish data protection law.

Legal Disclaimer

Informational Purposes Only: The content provided by ANRO DIGITAL SOLUTIONS S.L.U. (including resolution summaries, infographics, and case analyses) is for educational and informational purposes only.

No Legal Advice: This information does not constitute legal advice, a formal legal opinion, or a substitute for professional legal counsel. The interpretation of data protection laws (including the GDPR, LOPDGDD, and AEPD resolutions) is subject to change and can vary based on specific facts and circumstances.

No Liability: ANRO DIGITAL SOLUTIONS S.L.U. assumes no responsibility or liability for any actions taken, or not taken, based on the information provided on this website. While we strive for accuracy, we make no guarantees regarding the completeness or timeliness of the information.

Consult a Professional: Data protection compliance is a complex legal requirement. You should not act upon this information without seeking advice from a qualified Data Protection Officer (DPO) or a specialist data protection lawyer licensed to practice in your jurisdiction.

Third-Party Links: Links to official AEPD documents are provided for convenience. We are not responsible for the content or availability of these external government portals.

This summary is for informational purposes only. For more information, see our Aviso Legal.
