Skip to content
World Watch/Spain/Data & Privacy

Data & Privacy · Spain

Data protection & GDPR compliance in Spain (2026)

Comprehensive lawEU GDPR (Regulation 2016/679) as implemented nationally by Organic Law 3/2018 (LOPDGDD) on the Protection of Personal Data and Guarantee of Digital Rights; supervised by the Spanish Data Protection Agency (AEPD).Country index 96 · A+

Spain shaded by its data & privacy status

Data protection in Spain: comprehensive law, under EU GDPR (Regulation 2016/679) as implemented nationally by Organic Law 3/2018 (LOPDGDD) on the Protection of Personal Data and Guarantee of Digital Rights; supervised by the Spanish Data Protection Agency (AEPD)..

As an EU member state, Spain applies the GDPR directly, supplemented by the national LOPDGDD (Organic Law 3/2018, in force since December 2018), which adapts the GDPR and adds a charter of digital rights. The Agencia Española de Protección de Datos (AEPD) is the lead national supervisory authority, complemented by three regional authorities for their public sectors. The AEPD is consistently among the EU's most active enforcers by volume of sanctions.

GDPR & data protection in Spain

In Spain, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Spanish Data Protection Agency (AEPD).

Framework
the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
Supervisory authority
the Spanish Data Protection Agency (AEPD)
Applies to
any organisation processing the personal data of people in Spain, wherever the organisation is based
Maximum fine
€20 million or 4% of global annual turnover, whichever is higher
Breach notification
within 72 hours of becoming aware, to the supervisory authority
DPO
required for large-scale monitoring or large-scale special-category processing

The GDPR is bloc-wide; Spain supplements it with a national data-protection act and its own supervisory authority.

GDPR in Spain: FAQ

Does the GDPR apply in Spain?

Yes. As an EU/EEA member, Spain applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Spanish Data Protection Agency (AEPD).

Who enforces data protection law in Spain?

The Spanish Data Protection Agency (AEPD).

What are the GDPR fines in Spain?

Up to €20 million or 4% of global annual turnover, whichever is higher.

Do you need a Data Protection Officer in Spain?

A DPO is required where you carry out large-scale monitoring or process special-category data at scale.

How quickly must a data breach be reported in Spain?

Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.

Key points

Comprehensive law (GDPR + LOPDGDD)

The GDPR applies directly and is implemented domestically by Organic Law 3/2018 (LOPDGDD), published in the BOE on 6 December 2018, with 97 articles across ten titles. It both adapts the GDPR and fulfils the Spanish Constitution's Art. 18.4 mandate on data protection.

Supervisory authority (AEPD)

The Agencia Española de Protección de Datos is the independent national supervisory authority that enforces the GDPR/LOPDGDD, investigates complaints, issues fines and corrective orders, and represents Spain on the European Data Protection Board (EDPB).

Regional authorities for the public sector

Three regional authorities oversee public-sector bodies in their territories: the Catalan APDCAT, the Basque AVPD (Datuak Babesteko Euskal Bulegoa), and Andalusia's CTPDA. The AEPD remains competent for the private sector and the rest of the public sector.

Digital-rights charter (Title X)

Beyond GDPR, the LOPDGDD enshrines digital rights such as the right to digital disconnection at work (Art. 88), workplace device privacy (Art. 87), rules on video/audio surveillance (Art. 89) and worker geolocation (Art. 90), plus internet access, net neutrality and digital education rights.

Strong, proactive enforcement

Spain is the EU country with the most GDPR fines by a wide margin; since 2018 the AEPD has issued over 1,000 penalties. Its 2025-2030 Strategic Plan (published July 2025) commits to AI-assisted supervision focused on large-scale processors, biometrics and algorithmic systems.

Pending minors / consent reform

A draft Organic Law for the Protection of Minors in Digital Environments, approved by the Council of Ministers in March 2025 and under parliamentary consideration, would raise the digital consent age from 14 to 16 and require platform age verification.

Timeline - major decisions & events

Dec 10, 2025enforcementofficial
AEPD December 2025 Sanctions Publication: Year-End Record of €48.1 M in Fines

The AEPD published its year-end resolution (BOE-A-2025-26124) listing all sanctions above €1 million, capping a record-breaking year of 326 sanctioning proceedings, 30,931 complaints, a 64% increase year-on-year, and €48.1 million in total fines.

BOE (Official State Gazette)
Jan 1, 2025guidanceofficial
AEPD 2025-2030 Strategic Plan: AI, Biometrics, and Neurotechnologies as Enforcement Priorities

The AEPD published its five-year strategic plan making supervision of AI systems, biometric technologies, and neurotechnologies, especially when affecting vulnerable groups, its central priority, and committing to publish guidance on agentic AI.

AEPD
Jan 1, 2024enforcementofficial
AEPD Fines Google LLC €10 Million for Unlawful Data Transfers and Erasure Obstruction

The AEPD imposed a €10 million sanction on Google LLC for unlawfully transferring personal data to third parties and systematically obstructing users' right to erasure under GDPR Article 17, one of the agency's largest-ever individual penalties.

AEPD
Mar 1, 2023enforcementofficial
AEPD Orders Emergency Suspension of Worldcoin Iris-Scan Data Collection

The AEPD issued a precautionary measure ordering Tools for Humanity to immediately halt iris-biometric data collection across Spain and block all data already collected, citing missing information to subjects, processing of minors' data, and inability to withdraw consent, the first major EU supervisory intervention against Worldcoin.

AEPD
Dec 5, 2018lawofficial
LOPDGDD Enacted, Spain's GDPR Adaptation Law and Digital Rights Charter

Organic Law 3/2018 adapted Spanish law to the GDPR (exercising national margin of appreciation, e.g., setting digital-consent age at 14), replaced the 1999 LOPD, and pioneered a 'digital rights' title covering rights to internet access, digital disconnection, portability, and algorithmic transparency.

BOE (Official State Gazette)
May 13, 2014decisionofficial
CJEU Google Spain Ruling, Right to Be Forgotten Established (C-131/12)

In a case initiated by an AEPD complaint from a Spanish citizen, the Court of Justice of the EU held that search engine operators must delist links to outdated personal information upon request; the ruling established the 'right to erasure' later codified in GDPR Article 17 and put the AEPD at the centre of European data-protection jurisprudence.

EUR-Lex / CJEU
Nov 18, 1993decisionofficial
Constitutional Court STC 254/1993, Data Protection Recognised as Autonomous Fundamental Right

The Tribunal Constitucional ruled that Article 18.4 of the Constitution creates an independent fundamental right to 'informational self-determination' (autodeterminación informativa), giving every citizen standing to seek constitutional protection (recurso de amparo) for data-protection violations, a right stronger than that held in most EU peers.

Tribunal Constitucional de España
Oct 29, 1992lawofficial
LORTAD Enacted, Spain's First Comprehensive Data Protection Law

Organic Law 5/1992 created Spain's foundational data-protection framework for automated personal-data processing, established the Agencia de Protección de Datos (predecessor of the AEPD), and introduced core principles of purpose limitation, consent, data quality, and access rights.

BOE (Official State Gazette)

Spain - other topics

Data & Privacy in other countries

Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →