Skip to content
GDPR by Law

European Union · updated 2026-06-15

Spain

Conditional

Spain's AEPD issues more GDPR fines than any other EU regulator — mostly small-to-mid penalties against ordinary businesses, not big tech. Spain is where average companies actually get fined, so the basics matter most here.

Law:
GDPR + LOPDGDD + LSSI
Regulator:
AEPD (Agencia Española de Protección de Datos)

Cookie consent

Opt-in required

Breach deadline

72 hours

DPA with vendors

Required

Max fine

€20,000,000 or 4% of global annual revenue, whichever is higher

What Spain requires

Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.

  1. Privacy policy (política de privacidad)

    Art. 13–14 GDPR + Art. 11 LOPDGDD

    Spanish-language privacy notice. LOPDGDD allows layered notices: a short first layer (identity, purpose, rights) linking to the full text.

    How to implement Use the AEPD's layered-notice model. Include the AEPD as complaint authority and, if you use its channels, your DPO's contact.

    Required
  2. Cookie consent banner

    Art. 22.2 LSSI

    Opt-in consent with first-layer rejection. AEPD's cookie guide is prescriptive about wording and button design.

    How to implement Follow the AEPD 2023 cookie guide: 'Aceptar' and 'Rechazar' with equal prominence, no colour tricks. AEPD fines for cookie violations start around €3,000–€30,000 for small sites.

    Required
  3. Records of processing (ROPA)

    Art. 30 GDPR + Art. 31 LOPDGDD

    Spain adds a twist: organisations covered by transparency law must publish an inventory of their processing activities.

    How to implement Keep a standard ROPA. The AEPD's free 'Facilita' tool generates baseline documentation for low-risk small businesses in about 20 minutes.

    Required
  4. Data protection officer

    Art. 34 LOPDGDD

    Mandatory for a defined list of sectors beyond the GDPR baseline; appointment must be notified to the AEPD within 10 days.

    How to implement Check the Art. 34 sector list first. If covered, appoint and register via the AEPD Sede. AEPD-certified DPO schemes exist and are looked on favourably.

    Conditional
  5. Breach notification process

    Art. 33–34 GDPR

    72-hour AEPD notification plus individual notification for high-risk breaches.

    How to implement The AEPD's 'Comunica-Brecha' tool helps assess whether individual notification is needed. Keep the assessment in your breach register.

    Required

The details

Cookie consent
Art. 22.2 LSSI requires informed opt-in consent for non-essential cookies. AEPD's 2023 guidance requires a reject option at the first layer and bans cookie walls that offer no alternative.
Data Protection Officer
LOPDGDD Art. 34 goes beyond GDPR with a specific list of sectors that must appoint a DPO — including insurance, banking, telecoms, private security, and health — and requires notifying the AEPD of the appointment.
Processing agreements
Art. 28 GDPR agreements required with all processors. AEPD sanctions routinely cite missing DPAs with marketing and hosting vendors as a standalone violation.
Breach notification
Notify the AEPD through its electronic Sede within 72 hours. Spain also expects an internal register of all breaches, including non-notifiable ones.
Enforcement in practice
AEPD fined CaixaBank €6M and BBVA €5M in 2021 over defective consent and privacy information — and issues hundreds of four- and five-figure fines to SMEs every year.

Data subject rights

What users can demand from you in Spain, and the engineering that satisfies each right.

Right to access

Art. 15 GDPR

Copy of all personal data plus processing details within one month.

AEPD complaint statistics show access and erasure as the top two complaint drivers — answer within 30 days and keep proof of response.

Right to erasure

Art. 17 GDPR

Deletion when data is no longer necessary or consent withdrawn.

Spain's courts created the 'right to be forgotten' (Google Spain, CJEU 2014). Expect delisting-style requests; document retention exemptions under Spanish commercial law (6 years for books and records).

Right to data portability

Art. 20 GDPR

Machine-readable export of user-provided data.

JSON/CSV export endpoint for consent- and contract-based data.

Right to rectification

Art. 16 GDPR

Correction of inaccurate data.

Self-service editing plus a support channel; log completed rectifications.

Right to restrict processing & to object

Art. 18, 21 GDPR

Freeze during disputes; absolute objection to direct marketing.

Spain runs the 'Lista Robinson' opt-out registry — direct marketers must scrub campaigns against it before sending.

Digital rights (LOPDGDD Title X)

Art. 79–97 LOPDGDD

Spain legislated extra digital rights: digital disconnection at work, digital testament, and protections for minors online.

For employers: respect the right to disconnect outside working hours and disclose any workplace monitoring. For consumer apps: age of digital consent in Spain is 14.

Tools that cover Spain

Services we'd shortlist for this jurisdiction. Links may be affiliate links.

  • privacy policy

    iubenda

    Spanish-language layered privacy and cookie policies matching AEPD's model structure.

    Visit iubenda →
  • cookie consent

    Cookiebot

    Auto-scans your site for trackers and enforces prior blocking per the AEPD cookie guide.

    Visit Cookiebot →
  • dpa template

    Termly

    Affordable DPA and policy templates for small teams selling into Spain.

    Visit Termly →

Frequently asked questions

Why does Spain fine so many small businesses?

The AEPD acts on individual complaints rather than focusing on strategic big-tech cases, and Spanish consumers complain a lot — over 15,000 complaints a year. Missing cookie banners, ignored access requests, and CCTV signage are the most common triggers.

What is the age of digital consent in Spain?

14, set by Art. 7 LOPDGDD — lower than Germany's or France's. Below 14, parental consent is required for consent-based services.

Is there a free way to generate baseline Spanish GDPR documents?

Yes — the AEPD's own 'Facilita' web tool produces a basic ROPA, privacy clauses, and security measures for low-risk small businesses. It is a solid starting point before buying anything.

Are cookie walls legal in Spain?

Only if a genuine equivalent alternative exists (for example, paid access without tracking). A banner that forces acceptance to enter the site with no alternative violates the AEPD's guidance.

Similar jurisdictions

Free download

Get GDPR updates for Spain

A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.

No spam. Unsubscribe anytime — we practice what we document.