GDPR Data Protection: Full Compliance with Complete Guarantees
GDPR and LOPDGDD compliance, outsourced DPO, and comprehensive privacy management for businesses.
Does this apply to your business?
Do you know every category of personal data your company processes, the legal basis for each processing activity, and how long it is retained?
Are all your cloud-service and data-processor contracts GDPR-compliant, including standard contractual clauses for international transfers?
Does your company have a documented breach-response protocol that can meet the 72-hour AEPD notification deadline?
Are your new products and internal systems designed with privacy by default, or is data protection added as an afterthought?
Our GDPR privacy management system implementation process
Diagnostic & gap analysis
We assess your company's current GDPR compliance: data flows, legal bases, security measures, processor contracts, and data subject rights.
Privacy system design
We implement the records of processing activities, privacy policies, procedures for exercising rights, data protection impact assessments (DPIAs), and a breach management protocol.
Training & privacy culture
We train teams on data protection obligations and build a privacy-by-design culture throughout the organisation.
Outsourced DPO & maintenance
We assume the functions of Data Protection Officer, whether the appointment is mandatory or voluntary, and keep the system updated in response to regulatory changes and new processing activities.
The challenge
GDPR fines can reach 4% of global annual turnover or EUR 20 million. Beyond the fines, a data breach can irreversibly destroy the trust of clients and partners. Many companies believe they are compliant when in reality they have significant gaps in their privacy framework.
Our solution
We design and implement complete, auditable privacy management systems tailored to each company's reality. From the records of processing activities to contractual clauses with third parties, we cover all aspects of GDPR compliance and provide an outsourced DPO service when the regulation requires or recommends it.
Data protection in Spain is governed by two complementary frameworks: the EU General Data Protection Regulation (GDPR, Regulation 2016/679), which applies directly across all EU member states, and Spain's Organic Law 3/2018 on Data Protection and Guarantee of Digital Rights (LOPDGDD), which adapts and complements the GDPR in areas where member states retain discretion. The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), which can impose administrative fines of up to EUR 20 million or 4% of global annual turnover for serious violations. Controllers processing personal data must maintain a Record of Processing Activities, establish lawful legal bases for each processing activity, implement technical and organisational security measures, and manage data subject rights within statutory deadlines.
Our privacy team combines legal expertise in the GDPR and LOPDGDD with practical experience implementing privacy management systems across companies of all sectors and sizes.
The Compliance Gap Most Companies Don’t See
The GDPR came into force in 2018. Six years later, a significant proportion of Spanish companies remain materially non-compliant — not because they are unaware of the regulation, but because they have implemented only its most visible requirements (a privacy policy, a cookie banner) while leaving the structural foundations of compliance incomplete. The records of processing activities are missing or out of date. Processor contracts with cloud providers have never been reviewed for standard contractual clause compliance. The data breach protocol exists as a document but has never been tested. The DPO, if appointed, is a formality rather than a functioning role.
The AEPD is an active enforcement authority. Its sanctioning decisions — regularly exceeding millions of euros for serious violations — confirm that Spanish companies are not being given a pass. The question for most businesses is not whether they need to comply, but how to close the gap efficiently without overinvesting in bureaucracy.
Building a Functional Privacy System
Our approach begins with a structured gap analysis. We map your data flows: what personal data you collect, on what legal basis, for what purpose, how long it is retained, with which third parties it is shared, and whether any of those third parties are outside the European Economic Area. Most companies are surprised by the scope of their own processing — employee monitoring tools, CRM systems, analytics platforms, payroll processors — each of which requires a correctly structured processor agreement and, in some cases, a data protection impact assessment (DPIA).
The result of the gap analysis is a prioritised action plan. We implement the records of processing, update privacy notices, revise processor contracts, and establish a breach-response protocol that can meet the 72-hour AEPD notification deadline in practice, not just in theory. For companies that have undergone mergers or acquisitions, we audit the privacy compliance of integrated entities, which frequently have different systems and documentation standards.
The DPO as a Strategic Role
The outsourced DPO service goes beyond regulatory box-ticking. An effective DPO advises on the privacy implications of new products and marketing campaigns before they launch, flags the data-protection requirements of new supplier contracts before they are signed, and manages the relationship with the AEPD when complaints or investigations arise. We provide this function for over 100 organisations, from SMEs processing modest volumes of customer data to regulated entities handling sensitive health or financial information.
For companies launching new digital products or using AI-powered tools, privacy by design is a legal obligation under Article 25 of the GDPR, not an optional best practice. We integrate with your product and technology teams to embed privacy requirements from the earliest design stage — a far more efficient approach than retrofitting compliance after launch.
Privacy in Corporate Transactions
Privacy due diligence is now standard in any transaction involving a data-intensive business. A target company’s GDPR compliance status affects its valuation, the representations and warranties it can give, and the post-acquisition integration plan. We audit target companies’ privacy frameworks, quantify the remediation cost of identified gaps, and advise acquirers on the indemnities and conditions that should be included in the purchase agreement.
Legal Bases Under the GDPR: Getting the Foundations Right
One of the most frequent sources of GDPR non-compliance among Spanish businesses is the incorrect selection of the legal basis for data processing. The GDPR establishes six alternative legal bases under Article 6, and choosing the wrong one has consequences that go beyond formalism: it conditions data subjects’ rights, the possibility of international transfers, and permissible retention periods.
Consent is the most visible basis — the one that appears in cookie banners and web forms — but also the most fragile. The GDPR requires it to be freely given, specific, informed, and unambiguous, and revocable at any time without consequence. Consent is not an appropriate legal basis for processing that is necessary to perform a contract or fulfil a legal obligation: using it in those cases creates a false right of objection that does not actually exist.
Performance of a contract is the correct basis for customer data processing that is necessary to deliver the contracted service: contact data, payment data, purchase history to the extent needed for fulfilment. It cannot be extended to accessory or ancillary processing beyond the core service.
Legitimate interests (Article 6(1)(f)) is the most flexible basis and the one that generates the most controversy in practice. It requires a three-step test: the interest pursued must be legitimate; the processing must be necessary for that interest; and the data subject’s fundamental rights and interests must not override the controller’s interest. The AEPD has applied a restrictive interpretation of legitimate interests in certain contexts — CCTV surveillance, direct marketing — and documenting the balancing test is essential to defending against complaints.
International Data Transfers in 2025-2026
Transfers of personal data outside the European Economic Area (EEA) require adequate safeguards under Chapter V of the GDPR. The landscape of valid mechanisms in 2025-2026 is more complex than in 2018, following the Schrems II judgment (C-311/18) and the EU-US Data Privacy Framework (DPF):
The EU Commission has adopted adequacy decisions for a limited number of countries — the UK, Japan, South Korea, Israel, Argentina, and the US under the DPF adopted in July 2023. The DPF has been challenged before the Court of Justice by Max Schrems (the so-called Schrems III case), with an uncertain outcome. Companies transferring data to DPF-certified US entities should maintain a Standard Contractual Clauses (SCCs) fallback in case the framework is invalidated.
Standard Contractual Clauses remain the most widely used mechanism in practice. The Commission adopted new model clauses in June 2021, with additional Transfer Impact Assessment (TIA) requirements that must be documented for each transfer. Many companies are still using the obsolete pre-2021 models. Binding Corporate Rules (BCRs) are the most robust mechanism for multinational groups with frequent intra-group transfers, but also the most costly to implement: they require approval by the lead supervisory authority (in Spain, the AEPD) and are best suited to groups with high volumes of cross-border intra-group data flows.
Data Breach Management: The 72-Hour Protocol in Practice
The 72-hour deadline for notifying a data breach to the AEPD (Article 33 GDPR) is one of the regulation’s best-known requirements and, in practice, one of the hardest to meet without prior preparation. The 72 hours run from the moment the data controller becomes aware of the breach — not from when it occurred, but from when it is detected — and they are calendar hours, not business hours.
The breach-response protocol we implement covers all phases: detection and identification (monitoring systems that generate alerts on anomalous access, data exfiltration, or accidental deletion); initial impact assessment (determining whether the breach poses a risk to the rights and freedoms of affected individuals, which is the notification threshold); AEPD notification within 72 hours with the information available at that point (supplementable in the following 72 hours); and, where the breach poses a high risk, individual communication to affected data subjects.
The AEPD has sanctioned companies not only for the underlying breach but for inadequate post-breach management: late notification, insufficient information in the notification, or failure to communicate to affected individuals when required. A well-designed, practised breach protocol — with at least annual tabletop exercises — dramatically reduces the regulatory risk after an incident. Coordination with the cybersecurity team and a virtual CISO is essential to ensure the protocol functions under the real pressure of an active incident.
Real results in data protection compliance
After a data breach incident that thankfully was caught early, we realised our privacy framework was not fit for purpose. BMC rebuilt our entire GDPR system in 60 days: records of processing, processor contracts, a real breach-response protocol, and staff training. Our outsourced DPO has been essential in maintaining that standard ever since.
What our data protection service includes
GDPR Gap Analysis & Compliance
Systematic review of current data processing activities, legal bases, processor contracts, privacy notices, and security measures against the full GDPR and LOPDGDD requirements.
Records of Processing Activities
Design and implementation of complete, auditable records covering all processing activities, data flows, retention schedules, and cross-border transfer mechanisms.
Outsourced DPO Service
Full assumption of Data Protection Officer functions for organisations where the role is mandatory or strategically advisable, including AEPD liaison and supervisory authority management.
Data Breach Management
Incident response protocol design, breach assessment, AEPD notification drafting within the 72-hour window, and communication management with affected data subjects.
Privacy by Design Consulting
Integration of data protection requirements into product development, software procurement, marketing campaigns, and HR systems from the design stage.