A technology company establishes its European sales hub in Madrid, onboards hundreds of customers across the EU and begins processing personal data, only to discover months later that its internal policies, consent forms and data transfer mechanisms do not meet Spanish and EU requirements. The Agencia Española de Protección de Datos (the Spanish Data Protection Authority, AEPD) opens an investigation. Fines, reputational damage and operational disruption follow.
Data protection compliance in Spain is governed by the General Data Protection Regulation (GDPR), supplemented by Spanish organic data protection legislation that adapts EU rules to the national legal system and introduces additional obligations for specific sectors and business types. Every organisation that processes personal data of individuals in Spain, whether incorporated as a Sociedad Anónima (SA, the Spanish joint-stock company) or a Sociedad Limitada (SL, the Spanish limited liability company), must have a complete compliance programme in place before data collection begins. Non-compliance can result in administrative sanctions reaching the upper tiers of the GDPR penalty scale.
This guide sets out the procedural steps, documentary requirements, common errors made by international businesses, and a decision checklist for different operational scenarios. It is addressed to companies already operating in Spain or preparing to enter the market.
The regulatory system governing data protection in Spain
Spain's data protection system rests on two primary pillars. The first is the GDPR, which applies directly as EU law and sets out the core principles of lawful processing, purpose limitation, data minimisation and accountability. The second is Spanish organic privacy legislation, the Ley Orgánica 3/2018 de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), which refines and extends those principles in several important respects.
Spanish organic privacy legislation fills gaps left by the GDPR. It specifies conditions for processing employee data, regulates the use of video surveillance in the workplace, establishes rules on digital disconnection at work, and sets out detailed provisions on the processing of children's data. For a foreign business entering Spain, this domestic layer is often the source of unexpected compliance obligations – not the GDPR text itself, which most international legal teams already know.
The AEPD is the supervisory authority with primary jurisdiction over data protection matters in Spain. It has broad powers: it can conduct audits, issue binding orders, impose administrative fines and refer matters to criminal prosecutors where applicable. The AEPD is one of the most active data protection authorities in the EU. It publishes criteria and guidelines that Spanish courts, including the Tribunal Supremo (Supreme Court of Spain), have consistently treated as authoritative when reviewing enforcement decisions.
The Tribunal Supremo has clarified on several occasions that the AEPD's interpretive guidance carries significant weight in judicial review proceedings. Businesses that fail to follow published AEPD criteria cannot easily argue ignorance as a mitigating factor. This creates a practical obligation to monitor the authority's output on an ongoing basis.
For organisations incorporated under Spanish law, the Notario (notary public) and the Registro Mercantil (Commercial Register) become relevant where data protection obligations intersect with corporate governance, for example when appointing a Data Protection Officer through a notarised corporate resolution, or when registering changes to the company's constitutional documents that affect data governance structures. These formalities are straightforward but must not be overlooked.
Step-by-step compliance programme: building from the ground up
A structured compliance programme for Spain follows a logical sequence. Each step builds on the previous one. Skipping steps – a common approach by teams under time pressure – creates gaps that surface during audits or incidents.
Step 1: Data mapping and records of processing activities. The starting point is a comprehensive inventory of all personal data processed by the organisation: what data is collected, from whom, for what purpose, on what legal basis, how long it is retained and with whom it is shared. The resulting document, the Record of Processing Activities (RPA), is mandatory under Article 30 GDPR. The exemption for organisations with fewer than 250 employees is narrow (it falls away where processing is more than occasional, involves special category data or is likely to result in a risk to individuals), so in practice almost every operating business must keep one. It must be kept up to date and be available to the AEPD on request. Many businesses treat the RPA as a one-time exercise. In practice, it must be reviewed whenever a new product, service or third-party relationship is introduced.
Step 2: Legal basis assessment for each processing activity. Every processing activity requires a valid legal basis. The bases available under Article 6 GDPR are consent, contract performance, legal obligation, vital interests, public task and legitimate interests. Consent, the basis most commonly selected by default, carries the highest compliance burden in Spain. The AEPD requires that consent be freely given, specific, informed and unambiguous. Pre-ticked boxes, bundled consent and consent demanded as a condition of access to a service that does not need the data are all non-compliant. Legitimate interests is often a more proportionate basis for B2B marketing, analytics and fraud prevention, but it requires a documented balancing test that can be produced on request.
Step 3: Privacy notices and consent mechanisms. Once legal bases are assigned, the organisation must update its external-facing documentation. Privacy notices must meet the transparency requirements of EU privacy legislation: they must be written in plain language, cover all mandatory information fields, and be presented at the point of data collection. For websites targeting Spanish users, the privacy notice must be accessible from every page. Cookie banners must reflect the actual consent model – reject-all options must be as prominent as accept-all. The AEPD has sanctioned multiple organisations for cookie banners that buried the rejection option or made consent withdrawal disproportionately difficult.
Step 4: Data processor agreements. Every third party that processes personal data on the organisation's behalf (cloud providers, payroll processors, CRM platforms, marketing agencies) must be engaged under a written data processor agreement that meets Article 28 GDPR. The agreement must specify the subject matter, duration, nature and purpose of processing, the categories of data and data subjects, the processor's obligations (including confidentiality, security measures, sub-processor controls, assistance with data subject requests and breach notification, and deletion or return of data at the end of the service) and the controller's audit rights. Many international businesses use generic service agreements that do not contain these clauses. This is one of the most frequently cited deficiencies in AEPD investigations. When we advise on data protection compliance in Spain, an audit of existing vendor contracts is typically an early priority.
Step 5: Data Protection Officer appointment. The obligation to appoint a Delegado de Protección de Datos (Data Protection Officer, DPO) arises in three scenarios under Article 37 GDPR: where the organisation is a public authority, where its core activities require large-scale regular and systematic monitoring of individuals, or where its core activities involve large-scale processing of special category data or data relating to criminal convictions. In Spain, the LOPDGDD extends this obligation to additional categories, including certain healthcare providers, financial institutions and entities engaged in specific security-related activities. The appointment must be notified to the AEPD within ten days, and the DPO's contact details must appear in privacy notices. Failure to notify the appointment is itself an infraction.
Step 6: Data Protection Impact Assessments. Where a processing activity is likely to result in a high risk to individuals (profiling, large-scale processing of special category data, systematic monitoring of publicly accessible areas), a Data Protection Impact Assessment (DPIA) is mandatory before processing begins. The DPIA must describe the processing, assess necessity and proportionality, identify risks to individuals and document the measures taken to address them. Where the DPIA indicates a high residual risk that cannot be mitigated, the organisation must consult the AEPD under Article 36 GDPR before proceeding. This prior consultation requirement is often overlooked by businesses that assume the DPIA is an internal document with no external implications.
Step 7: Internal policies and staff training. The accountability principle under EU privacy legislation requires that compliance be demonstrable, not merely asserted. Internal data protection policies – covering access controls, breach response, retention and deletion, and subject rights handling – must exist in writing and must be communicated to all relevant staff. Training must be documented. The AEPD treats the absence of training records as evidence of systemic non-compliance, which can increase the severity of any sanction.
To receive an expert assessment of your data protection compliance position in Spain, contact us at info@ferrazwhitmore.com.
Cross-border data transfers and the Spain-specific dimension
International data transfers – moving personal data from Spain to countries outside the European Economic Area – require one of the transfer mechanisms recognised under EU privacy legislation. The primary mechanisms are adequacy decisions issued by the European Commission, Standard Contractual Clauses (SCCs), Binding Corporate Rules, and, for specific situations, derogations.
Following significant judicial and regulatory scrutiny of trans-Atlantic data flows, reliance on SCCs requires a Transfer Impact Assessment (TIA) for transfers to jurisdictions whose legal system may not afford EU-equivalent protections. The TIA is a documented analysis of the destination country's legal environment, in particular public authority access to data, and of any supplementary technical or organisational measures (such as encryption with keys held in the EU) that reduce transfer risk. The European Data Protection Board's recommendations on supplementary measures, which the AEPD applies, set out the methodology. Businesses that rely on SCCs without a supporting TIA are exposed to enforcement action.
For businesses with operations across the Iberian peninsula, it is worth noting that the regulatory regimes in Spain and Portugal share a common GDPR foundation but diverge in their domestic extensions. A cross-border compliance programme covering both jurisdictions requires jurisdiction-specific analysis of each domestic layer. Our guide to data protection compliance in Portugal addresses the Portuguese regime in detail.
Intra-group transfers within multinational organisations are not automatically lawful simply because the entities involved are related. Each transfer must be covered by a valid mechanism. Binding Corporate Rules are the most robust solution for multinational groups, but they require approval by the competent supervisory authority (the AEPD where the group's lead authority is in Spain) under the EDPB consistency mechanism and take considerable time to obtain. Most groups use SCCs supplemented by intra-group data transfer agreements as an interim or permanent solution.
For companies deploying AI-driven data processing tools in Spain, the interaction between EU privacy legislation and emerging EU artificial intelligence regulation creates an additional layer of analysis. Businesses in this position should also review their obligations under the AI regulatory regime, which our team addresses in the context of AI law in Spain.
For a tailored strategy on cross-border data transfer compliance in Spain, reach out to info@ferrazwhitmore.com.
Common errors by international businesses and their consequences
International businesses entering the Spanish market tend to replicate their existing compliance documentation from another jurisdiction – typically their home country or a prior EU market. The result is documentation that does not reflect Spanish requirements and that fails AEPD scrutiny at the first point of contact.
The most frequent errors fall into six categories.
Consent mechanism deficiencies. Consent forms drafted for other markets often fail the AEPD's granularity and withdrawal standards. Bundled consent – where a single tick box covers marketing, analytics, and third-party sharing simultaneously – is non-compliant. Each processing purpose requires separate consent. Withdrawal of consent must be as easy as giving it.
Incomplete data processor agreements. Contracts with cloud providers and SaaS vendors signed under the vendor's standard terms rarely contain the data processing clauses required by EU privacy legislation. Controllers remain liable for processor non-compliance where they failed to conduct due diligence or impose contractual safeguards.
Failure to register the DPO. Where appointment is mandatory, failure to register the DPO with the AEPD within the required period is a direct infraction. This is a straightforward administrative step, but it is frequently delayed because internal compliance teams treat it as lower priority than substantive policy work.
Ignoring the domestic layer. Businesses familiar with the GDPR often assume that GDPR compliance equals Spanish law compliance. The domestic organic legislation introduces additional obligations – particularly in employment, healthcare, and financial services contexts – that have no direct GDPR counterpart. Mapping only to the GDPR leaves these obligations unaddressed.
Inadequate breach response procedures. Article 33 GDPR requires notification to the AEPD within seventy-two hours of becoming aware of a personal data breach, unless the breach is unlikely to result in a risk to individuals; where the risk is high, affected individuals must also be informed without undue delay. Every breach, notified or not, must be recorded in an internal breach register. Many businesses lack the internal procedures to identify, assess and notify a breach within this window. The AEPD has imposed sanctions not only for the breach itself but for the delayed or deficient notification.
Unaddressed subject rights processes. Individuals in Spain have rights to access, rectification, erasure, restriction, portability and objection. Requests must be acknowledged and resolved within one calendar month, extendable by two further months for complex or numerous requests only if the individual is told of the extension and the reasons within the first month. Businesses that handle these requests informally, or fail to track them, routinely miss deadlines. A missed deadline is itself an infringement of the GDPR.
Self-assessment checklist before initiating or reviewing a compliance programme
This checklist is addressed to compliance leads, in-house counsel, and international business owners assessing their organisation's position in Spain.
A full compliance programme in Spain is required if any of the following conditions are met: the organisation collects or processes personal data of individuals located in Spain; the organisation offers goods or services to Spanish residents, regardless of where it is incorporated; the organisation monitors the behaviour of individuals in Spain; or the organisation is incorporated as an SA or SL and has employees, customers or suppliers whose data it processes.
Before initiating or reviewing a compliance programme, verify the following:
- The Record of Processing Activities exists, is current, and covers all active data flows including those managed by third-party processors.
- Every processing activity has a documented legal basis, and consent-based activities use granular, withdrawal-friendly consent mechanisms.
- All vendor and service provider contracts include compliant data processor clauses meeting the requirements of EU privacy legislation.
- If a DPO is required under the GDPR or the LOPDGDD, the DPO is appointed, notified to the AEPD and identified in privacy notices.
- DPIAs have been completed for all high-risk processing activities, and any activity with an unmitigated high residual risk has been submitted to the AEPD for prior consultation.
The decision on whether to appoint an external DPO or build the function in-house depends on the size and complexity of the organisation's processing activities, the availability of internal expertise, and cost considerations. External DPO services are common among mid-sized businesses operating in Spain. Fees for DPO retainer services vary depending on the scope of the mandate and the volume of data subjects involved.
Legal and compliance costs for building a full programme from scratch run from the low thousands of euros for a simple single-entity business to considerably more for a multinational group with complex processing activities and cross-border transfer arrangements. Government fees for DPO registration are nominal. The cost of a first-instance AEPD sanction can reach the upper levels of the GDPR scale – making front-loaded investment in compliance substantially more economical than remediation after enforcement begins.
Frequently asked questions
Q: How long does it take to build a compliant data protection programme in Spain from scratch?
A: For a single-entity business with a straightforward processing profile, a baseline compliance programme can typically be assembled within six to twelve weeks. This covers data mapping, legal basis assessment, updated privacy notices, consent mechanisms, and data processor agreements. More complex organisations – with multiple business lines, international transfers, or special category data – should budget three to six months for an initial programme, with ongoing review thereafter. Engaging a lawyer in Spain with specialist data protection experience from the outset significantly reduces the risk of missing domestic-layer obligations that extend beyond the GDPR text.
Q: Is a Data Protection Officer mandatory for every company operating in Spain?
A: Not for every company. The obligation arises under the GDPR in three defined scenarios: public authorities, organisations whose core activities involve large-scale regular and systematic monitoring of individuals, and those whose core activities involve large-scale processing of special category data. Spanish organic privacy legislation adds further categories, including certain healthcare, financial and security-sector businesses. Many mid-sized companies operating in Spain do not fall within the mandatory categories but choose to appoint a DPO voluntarily as a governance measure; a voluntarily appointed DPO is subject to the same statutory requirements as a mandatory one. A common misconception is that the DPO appointment obligation applies to all companies with more than a specified number of employees. This is incorrect: the trigger is the nature and scale of processing, not headcount.
Q: Can a company headquartered outside the EU rely on its home country compliance programme for Spain?
A: Only partially. The GDPR applies to organisations established in the EU and, under Article 3(2), to organisations established outside the EU that offer goods or services to, or monitor the behaviour of, individuals in Spain. A compliance programme built for the US, UK or another non-EU jurisdiction will address some overlapping principles but will not satisfy the specific requirements of the GDPR or Spanish organic privacy legislation. Key gaps typically include consent mechanism standards, DPO appointment rules, breach notification timelines, data transfer mechanisms and the domestic sectoral extensions introduced by Spanish law. A law firm in Spain with cross-border data protection experience can identify these gaps and adapt an existing programme rather than building from the ground up.
About Ferraz & Whitmore
Ferraz & Whitmore is an international law firm based in Lisbon, advising business clients across 46 jurisdictions on data protection compliance, AI regulation, and technology law matters. As an international law firm in Spain, we advise companies operating in the Spanish market on GDPR compliance, Data Protection Authority engagement, cross-border data transfer structuring, and DPO advisory services. Our team combines Portuguese civil law expertise with English common law tradition to deliver data protection solutions that address both the EU regulatory layer and the domestic requirements of each member state. We work with international entrepreneurs, technology companies, institutional investors, and in-house legal teams who need results-oriented data protection counsel. The firm's data protection practice spans civil law and common law systems across Europe, and our attorneys have advised on GDPR compliance and AEPD engagement matters across multiple jurisdictions. To discuss your data protection compliance position in Spain, contact us at info@ferrazwhitmore.com.
Disclaimer: This publication is provided for informational purposes only and does not constitute legal advice. The information herein should not be relied upon as a substitute for professional legal counsel tailored to your specific circumstances. Ferraz & Whitmore assumes no liability for actions taken or not taken based on the contents of this material. For advice regarding your particular situation, please contact info@ferrazwhitmore.com.