HomeAnalyticsAlertsData Protection Enforcement in Spain: Recent Regulatory Actions

Data Protection Enforcement in Spain: Recent Regulatory Actions

Spain's data protection authority has intensified its enforcement activity across multiple business sectors. Fines issued in recent months have reached the upper bands permitted under EU data protection legislation, and several large and mid-sized companies have received formal notices requiring urgent remediation. International businesses operating in Spain cannot treat this regulatory shift as a background concern.

Data Protection Enforcement in Spain is now governed by a combination of EU data protection legislation and the Spanish organic law on personal data protection. Administered by the Agencia Española de Protección de Datos (Spanish Data Protection Authority, AEDPD). Sanctions may be imposed on any entity – regardless of size or nationality – that processes personal data relating to individuals in Spain. Enforcement actions in the current cycle target consent mechanisms, cross-border data transfers, and the accountability obligations of both the data controller and the data processor.

This alert outlines the recent regulatory developments, identifies which business categories are most exposed, and sets out immediate steps that international companies should take now.

What has changed and when it takes effect

The AEDPD has issued a series of enforcement decisions and formal guidance updates that collectively signal a new operational posture. Several distinct areas have been addressed.

First, the authority has tightened its position on consent mechanisms. Pre-ticked boxes, bundled consents, and cookie walls that deny service to users who decline tracking have each been found to violate the lawful basis requirements under EU data protection legislation. Companies relying on these practices received compliance orders with short remediation windows – in some cases fewer than 30 days from the date of notification.

Second, the AEDPD has taken a stricter approach to cross-border data transfers. Organisations routing personal data outside the European Economic Area without adequate transfer mechanisms – or relying on outdated contractual arrangements – have been cited. The authority has confirmed that standard contractual clauses must be accompanied by a documented transfer impact assessment. This requirement applies to the data controller and, jointly, to any data processor operating on its behalf.

Third, the authority has scrutinised the adequacy of data processing agreements. Where a Spanish-registered entity – whether a Sociedad Anónima (SA) or a Sociedad Limitada (SL) – acts as a processor for a non-EU controller. The AEDPD has examined whether the processor's internal documentation meets the standards required by EU data protection legislation. Deficiencies at the processor level are now routinely attributed to the controller as well.

The regulatory actions do not carry a single legislative effective date in the traditional sense. They reflect the AEDPD's ongoing exercise of authority under existing law. However, the authority has signalled that further enforcement campaigns will begin in the first quarter of 2026, with particular focus on the digital marketing, financial services, and healthcare sectors.

Which businesses are affected and the compliance threshold

Exposure to this enforcement wave is not limited to large corporations. The AEDPD has demonstrated a willingness to act against entities of all sizes. The threshold for regulatory risk is determined by the nature of processing activities, not by revenue or headcount alone.

Businesses most at risk include the following categories:

  • E-commerce and digital platforms that collect behavioural data from Spanish-resident users
  • Financial services companies processing sensitive personal data across borders
  • Technology and SaaS providers acting as data processors for EU-based clients
  • Healthcare providers and clinical research organisations handling special-category data
  • Marketing agencies and advertising networks relying on consent-based data flows

Entities that maintain a branch, subsidiary, or registered representative in Spain – or that direct commercial activities specifically at Spanish residents – are within the jurisdiction of the AEDPD. Registration in the Registro Mercantil (Spanish Commercial Register) or involvement of a Notario (notary) in the entity's Spanish incorporation does not, by itself, affect data protection obligations. Those obligations arise from the targeting of Spanish residents and the processing of their data.

Non-EU companies that have designated a Spanish entity as their EU representative under data protection legislation are directly exposed. The authority will treat that representative as the point of enforcement contact, and sanctions may be directed at the representative as well as the principal controller.

The Tribunal Supremo (Supreme Court of Spain) has confirmed in several rulings that the AEDPD's enforcement powers extend to the full penalty range established by EU legislation. This means that organisations classified as large undertakings – or those whose violations are characterised as systematic or intentional – may face sanctions at the higher tier. The authority has shown willingness to apply aggravating factors where prior guidance was ignored.

GDPR compliance deficiencies identified during this enforcement cycle have in several cases been treated as systemic failures rather than isolated errors. This characterisation carries significant consequences for the quantum of any sanction. International businesses operating through Spanish subsidiaries should not assume that the parent entity's group-level data protection programme offers full protection at the local level without specific localisation steps.

To receive an expert assessment of your GDPR compliance exposure in Spain, contact us at info@ferrazwhitmore.com.

Immediate actions required

The following steps should be treated as priority items for international businesses operating in Spain or processing data of Spanish residents.

Review consent mechanisms immediately. Audit all active consent collection points – websites, apps, and offline forms – against the AEDPD's published guidance. Any mechanism that does not meet the standard of freely given, specific, informed, and unambiguous consent must be remediated before the first quarter of 2026 enforcement campaigns begin. Pay particular attention to cookie consent banners and the technical implementation of consent withdrawal.

Validate cross-border data transfer arrangements. Identify all data flows from Spain or the EU to third countries. Confirm that standard contractual clauses or equivalent transfer tools are in place and that a current transfer impact assessment documents the legal basis for each flow. Outdated or generic transfer agreements represent an immediate enforcement risk under the current scrutiny level.

Audit data processing agreements with Spanish-entity processors. If your organisation acts as a controller and uses a Spanish SA or SL as a processor. Review the processing agreement against the requirements of EU data protection legislation. Confirm that the agreement addresses sub-processing, data subject rights, security measures, and return or deletion of data at contract end.

Appoint or re-confirm a data protection officer where required. Businesses engaged in large-scale processing of special-category data – or systematic monitoring of individuals – are required to designate a data protection officer (DPO). Verify that any existing DPO appointment is formally documented and that the DPO has adequate access to information and resources.

Document accountability measures. The AEDPD has placed particular emphasis on accountability during this enforcement cycle. Records of processing activities, data protection impact assessments for high-risk processing, and evidence of staff training should all be current, complete, and retrievable. A DPA audit can proceed rapidly once a company is under investigation. Documentation gaps are treated as independent violations.

For guidance on aligning your Spanish operations with current GDPR compliance requirements, our team covering data protection services in Spain can assist with an operational review. Businesses developing AI-driven products or services in Spain may also need to consider the intersection of data protection obligations with emerging technology regulation. our analysis of AI law in Spain addresses these overlapping compliance demands. A parallel review of enforcement trends in a neighbouring jurisdiction is available in our alert on data protection enforcement in Portugal.

About Ferraz & Whitmore

Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions. Our data protection practice assists international companies. including those operating through Spanish SA and SL structures. with GDPR compliance audits, data transfer assessments, DPO support, and regulatory response strategies before and during AEDPD enforcement proceedings. As a law firm in Spain and across Europe, we combine Portuguese civil law expertise with English common law tradition to deliver practical cross-border data protection counsel. Our team includes practitioners with experience before EU supervisory authorities and with technology-sector clients managing complex consent mechanism and data processor arrangements. To discuss your regulatory position in Spain, contact us at info@ferrazwhitmore.com.

Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.