European Union · updated 2026-06-15
Spain
Spain's AEPD issues more GDPR fines than any other EU regulator — mostly small-to-mid penalties against ordinary businesses, not big tech. Spain is where average companies actually get fined, so the basics matter most here.
- Law:
- GDPR + LOPDGDD + LSSI
Cookie consent
Opt-in required
Breach deadline
72 hours
DPA with vendors
Required
Max fine
€20,000,000 or 4% of global annual revenue, whichever is higher
What Spain requires
Compliance items with their statutory basis. Stamps mark whether each applies to every business or only above certain thresholds.
-
Privacy policy (política de privacidad)
Art. 13–14 GDPR + Art. 11 LOPDGDDSpanish-language privacy notice. LOPDGDD allows layered notices: a short first layer (identity, purpose, rights) linking to the full text.
How to implement Use the AEPD's layered-notice model. Include the AEPD as complaint authority and, if you use its channels, your DPO's contact.
Required -
Cookie consent banner
Art. 22.2 LSSIOpt-in consent with first-layer rejection. AEPD's cookie guide is prescriptive about wording and button design.
How to implement Follow the AEPD 2023 cookie guide: 'Aceptar' and 'Rechazar' with equal prominence, no colour tricks. AEPD fines for cookie violations start around €3,000–€30,000 for small sites.
Required -
Records of processing (ROPA)
Art. 30 GDPR + Art. 31 LOPDGDDSpain adds a twist: organisations covered by transparency law must publish an inventory of their processing activities.
How to implement Keep a standard ROPA. The AEPD's free 'Facilita' tool generates baseline documentation for low-risk small businesses in about 20 minutes.
Required -
Data protection officer
Art. 34 LOPDGDDMandatory for a defined list of sectors beyond the GDPR baseline; appointment must be notified to the AEPD within 10 days.
How to implement Check the Art. 34 sector list first. If covered, appoint and register via the AEPD Sede. AEPD-certified DPO schemes exist and are looked on favourably.
Conditional -
Breach notification process
Art. 33–34 GDPR72-hour AEPD notification plus individual notification for high-risk breaches.
How to implement The AEPD's 'Comunica-Brecha' tool helps assess whether individual notification is needed. Keep the assessment in your breach register.
Required
The details
- Cookie consent
- Art. 22.2 LSSI requires informed opt-in consent for non-essential cookies. AEPD's 2023 guidance requires a reject option at the first layer and bans cookie walls that offer no alternative.
- Data Protection Officer
- LOPDGDD Art. 34 goes beyond GDPR with a specific list of sectors that must appoint a DPO — including insurance, banking, telecoms, private security, and health — and requires notifying the AEPD of the appointment.
- Processing agreements
- Art. 28 GDPR agreements required with all processors. AEPD sanctions routinely cite missing DPAs with marketing and hosting vendors as a standalone violation.
- Breach notification
- Notify the AEPD through its electronic Sede within 72 hours. Spain also expects an internal register of all breaches, including non-notifiable ones.
- Enforcement in practice
- AEPD fined CaixaBank €6M and BBVA €5M in 2021 over defective consent and privacy information — and issues hundreds of four- and five-figure fines to SMEs every year.
Data subject rights
What users can demand from you in Spain, and the engineering that satisfies each right.
Right to access
Art. 15 GDPRCopy of all personal data plus processing details within one month.
AEPD complaint statistics show access and erasure as the top two complaint drivers — answer within 30 days and keep proof of response.
Right to erasure
Art. 17 GDPRDeletion when data is no longer necessary or consent withdrawn.
Spain's courts created the 'right to be forgotten' (Google Spain, CJEU 2014). Expect delisting-style requests; document retention exemptions under Spanish commercial law (6 years for books and records).
Right to data portability
Art. 20 GDPRMachine-readable export of user-provided data.
JSON/CSV export endpoint for consent- and contract-based data.
Right to rectification
Art. 16 GDPRCorrection of inaccurate data.
Self-service editing plus a support channel; log completed rectifications.
Right to restrict processing & to object
Art. 18, 21 GDPRFreeze during disputes; absolute objection to direct marketing.
Spain runs the 'Lista Robinson' opt-out registry — direct marketers must scrub campaigns against it before sending.
Digital rights (LOPDGDD Title X)
Art. 79–97 LOPDGDDSpain legislated extra digital rights: digital disconnection at work, digital testament, and protections for minors online.
For employers: respect the right to disconnect outside working hours and disclose any workplace monitoring. For consumer apps: age of digital consent in Spain is 14.
Tools that cover Spain
Services we'd shortlist for this jurisdiction. Links may be affiliate links.
-
privacy policy
iubenda
Spanish-language layered privacy and cookie policies matching AEPD's model structure.
Visit iubenda → -
cookie consent
Cookiebot
Auto-scans your site for trackers and enforces prior blocking per the AEPD cookie guide.
Visit Cookiebot → -
dpa template
Termly
Affordable DPA and policy templates for small teams selling into Spain.
Visit Termly →
Frequently asked questions
Why does Spain fine so many small businesses?
The AEPD acts on individual complaints rather than focusing on strategic big-tech cases, and Spanish consumers complain a lot — over 15,000 complaints a year. Missing cookie banners, ignored access requests, and CCTV signage are the most common triggers.
What is the age of digital consent in Spain?
14, set by Art. 7 LOPDGDD — lower than Germany's or France's. Below 14, parental consent is required for consent-based services.
Is there a free way to generate baseline Spanish GDPR documents?
Yes — the AEPD's own 'Facilita' web tool produces a basic ROPA, privacy clauses, and security measures for low-risk small businesses. It is a solid starting point before buying anything.
Are cookie walls legal in Spain?
Only if a genuine equivalent alternative exists (for example, paid access without tracking). A banner that forces acceptance to enter the site with no alternative violates the AEPD's guidance.
Similar jurisdictions
Free download
Get GDPR updates for Spain
A one-page privacy audit checklist covering the requirements that regulators actually fine for — cookie consent, breach runbooks, DPAs, and data subject request handling. We email occasional updates when the law changes; unsubscribe anytime.
No spam. Unsubscribe anytime — we practice what we document.