Data & Privacy · Spain
Data protection & GDPR compliance in Spain (2026)
Spain shaded by its data & privacy status
Data protection in Spain: comprehensive law, under EU GDPR (Regulation 2016/679) as implemented nationally by Organic Law 3/2018 (LOPDGDD) on the Protection of Personal Data and Guarantee of Digital Rights; supervised by the Spanish Data Protection Agency (AEPD)..
As an EU member state, Spain applies the GDPR directly, supplemented by the national LOPDGDD (Organic Law 3/2018, in force since December 2018), which adapts the GDPR and adds a charter of digital rights. The Agencia Española de Protección de Datos (AEPD) is the lead national supervisory authority, complemented by three regional authorities for their public sectors. The AEPD is consistently among the EU's most active enforcers by volume of sanctions.
GDPR & data protection in Spain
In Spain, data protection is governed by the EU General Data Protection Regulation (GDPR), which applies directly and is enforced by the Spanish Data Protection Agency (AEPD).
- Framework
- the GDPR (Regulation (EU) 2016/679) plus the national data-protection act
- Supervisory authority
- the Spanish Data Protection Agency (AEPD)
- Applies to
- any organisation processing the personal data of people in Spain, wherever the organisation is based
- Maximum fine
- €20 million or 4% of global annual turnover, whichever is higher
- Breach notification
- within 72 hours of becoming aware, to the supervisory authority
- DPO
- required for large-scale monitoring or large-scale special-category processing
The GDPR is bloc-wide; Spain supplements it with a national data-protection act and its own supervisory authority.
GDPR in Spain: FAQ
Yes. As an EU/EEA member, Spain applies the GDPR (Regulation (EU) 2016/679) directly, enforced by the Spanish Data Protection Agency (AEPD).
The Spanish Data Protection Agency (AEPD).
Up to €20 million or 4% of global annual turnover, whichever is higher.
A DPO is required where you carry out large-scale monitoring or process special-category data at scale.
Personal-data breaches must be notified to the supervisory authority within 72 hours of becoming aware.
Key points
The GDPR applies directly and is implemented domestically by Organic Law 3/2018 (LOPDGDD), published in the BOE on 6 December 2018, with 97 articles across ten titles. It both adapts the GDPR and fulfils the Spanish Constitution's Art. 18.4 mandate on data protection.
The Agencia Española de Protección de Datos is the independent national supervisory authority that enforces the GDPR/LOPDGDD, investigates complaints, issues fines and corrective orders, and represents Spain on the European Data Protection Board (EDPB).
Three regional authorities oversee public-sector bodies in their territories: the Catalan APDCAT, the Basque AVPD (Datuak Babesteko Euskal Bulegoa), and Andalusia's CTPDA. The AEPD remains competent for the private sector and the rest of the public sector.
Beyond GDPR, the LOPDGDD enshrines digital rights such as the right to digital disconnection at work (Art. 88), workplace device privacy (Art. 87), rules on video/audio surveillance (Art. 89) and worker geolocation (Art. 90), plus internet access, net neutrality and digital education rights.
Spain is the EU country with the most GDPR fines by a wide margin; since 2018 the AEPD has issued over 1,000 penalties. Its 2025-2030 Strategic Plan (published July 2025) commits to AI-assisted supervision focused on large-scale processors, biometrics and algorithmic systems.
A draft Organic Law for the Protection of Minors in Digital Environments, approved by the Council of Ministers in March 2025 and under parliamentary consideration, would raise the digital consent age from 14 to 16 and require platform age verification.
Timeline - major decisions & events
The AEPD published its year-end resolution (BOE-A-2025-26124) listing all sanctions above €1 million, capping a record-breaking year of 326 sanctioning proceedings, 30,931 complaints, a 64% increase year-on-year, and €48.1 million in total fines.
BOE (Official State Gazette) ↗The AEPD published its five-year strategic plan making supervision of AI systems, biometric technologies, and neurotechnologies, especially when affecting vulnerable groups, its central priority, and committing to publish guidance on agentic AI.
AEPD ↗The AEPD imposed a €10 million sanction on Google LLC for unlawfully transferring personal data to third parties and systematically obstructing users' right to erasure under GDPR Article 17, one of the agency's largest-ever individual penalties.
AEPD ↗The AEPD issued a precautionary measure ordering Tools for Humanity to immediately halt iris-biometric data collection across Spain and block all data already collected, citing missing information to subjects, processing of minors' data, and inability to withdraw consent, the first major EU supervisory intervention against Worldcoin.
AEPD ↗Organic Law 3/2018 adapted Spanish law to the GDPR (exercising national margin of appreciation, e.g., setting digital-consent age at 14), replaced the 1999 LOPD, and pioneered a 'digital rights' title covering rights to internet access, digital disconnection, portability, and algorithmic transparency.
BOE (Official State Gazette) ↗In a case initiated by an AEPD complaint from a Spanish citizen, the Court of Justice of the EU held that search engine operators must delist links to outdated personal information upon request; the ruling established the 'right to erasure' later codified in GDPR Article 17 and put the AEPD at the centre of European data-protection jurisprudence.
EUR-Lex / CJEU ↗The Tribunal Constitucional ruled that Article 18.4 of the Constitution creates an independent fundamental right to 'informational self-determination' (autodeterminación informativa), giving every citizen standing to seek constitutional protection (recurso de amparo) for data-protection violations, a right stronger than that held in most EU peers.
Tribunal Constitucional de España ↗Organic Law 5/1992 created Spain's foundational data-protection framework for automated personal-data processing, established the Agencia de Protección de Datos (predecessor of the AEPD), and introduced core principles of purpose limitation, consent, data quality, and access rights.
BOE (Official State Gazette) ↗Spain - other topics
Data & Privacy in other countries
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above. Methodology & how to cite · Explore the full world map →