Data protection & privacy laws in Spain (2026)
As an EU member state, Spain applies the GDPR directly, supplemented by the national LOPDGDD (Organic Law 3/2018, in force since December 2018), which adapts the GDPR and adds a charter of digital rights. The Agencia Española de Protección de Datos (AEPD) is the lead national supervisory authority, complemented by three regional authorities for their public sectors. The AEPD is consistently among the EU's most active enforcers by volume of sanctions.
Key points
The GDPR applies directly and is implemented domestically by Organic Law 3/2018 (LOPDGDD), published in the BOE on 6 December 2018, with 97 articles across ten titles. It both adapts the GDPR and fulfils the Spanish Constitution's Art. 18.4 mandate on data protection.
The Agencia Española de Protección de Datos is the independent national supervisory authority that enforces the GDPR/LOPDGDD, investigates complaints, issues fines and corrective orders, and represents Spain on the European Data Protection Board (EDPB).
Three regional authorities oversee public-sector bodies in their territories: the Catalan APDCAT, the Basque AVPD (Datuak Babesteko Euskal Bulegoa), and Andalusia's CTPDA. The AEPD remains competent for the private sector and the rest of the public sector.
Beyond GDPR, the LOPDGDD enshrines digital rights such as the right to digital disconnection at work (Art. 88), workplace device privacy (Art. 87), rules on video/audio surveillance (Art. 89) and worker geolocation (Art. 90), plus internet access, net neutrality and digital education rights.
Spain is the EU country with the most GDPR fines by a wide margin; since 2018 the AEPD has issued over 1,000 penalties. Its 2025-2030 Strategic Plan (published July 2025) commits to AI-assisted supervision focused on large-scale processors, biometrics and algorithmic systems.
A draft Organic Law for the Protection of Minors in Digital Environments, approved by the Council of Ministers in March 2025 and under parliamentary consideration, would raise the digital consent age from 14 to 16 and require platform age verification.
Timeline - major decisions & events
The AEPD published its year-end resolution (BOE-A-2025-26124) listing all sanctions above €1 million, capping a record-breaking year of 326 sanctioning proceedings, 30,931 complaints — a 64% increase year-on-year — and €48.1 million in total fines. [Source: BOE (Official State Gazette)]
The AEPD published its five-year strategic plan making supervision of AI systems, biometric technologies, and neurotechnologies — especially when affecting vulnerable groups — its central priority, and committing to publish guidance on agentic AI. [Source: AEPD]
The AEPD imposed a €10 million sanction on Google LLC for unlawfully transferring personal data to third parties and systematically obstructing users' right to erasure under GDPR Article 17 — one of the agency's largest-ever individual penalties. [Source: AEPD]
The AEPD issued a precautionary measure ordering Tools for Humanity to immediately halt iris-biometric data collection across Spain and block all data already collected, citing missing information to subjects, processing of minors' data, and inability to withdraw consent — the first major EU supervisory intervention against Worldcoin. [Source: AEPD]
Organic Law 3/2018 adapted Spanish law to the GDPR (exercising national margin of appreciation, e.g., setting digital-consent age at 14), replaced the 1999 LOPD, and pioneered a 'digital rights' title covering rights to internet access, digital disconnection, portability, and algorithmic transparency. [Source: BOE (Official State Gazette)]
In a case initiated by an AEPD complaint from a Spanish citizen, the Court of Justice of the EU held that search engine operators must delist links to outdated personal information upon request; the ruling established the 'right to erasure' later codified in GDPR Article 17 and put the AEPD at the centre of European data-protection jurisprudence. [Source: EUR-Lex / CJEU]
The Tribunal Constitucional ruled that Article 18.4 of the Constitution creates an independent fundamental right to 'informational self-determination' (autodeterminación informativa), giving every citizen standing to seek constitutional protection (recurso de amparo) for data-protection violations — a right stronger than that held in most EU peers. [Source: Tribunal Constitucional de España]
Organic Law 5/1992 created Spain's foundational data-protection framework for automated personal-data processing, established the Agencia de Protección de Datos (predecessor of the AEPD), and introduced core principles of purpose limitation, consent, data quality, and access rights. [Source: BOE (Official State Gazette)]
Last verified 5/23/2026 · Orientation, not legal advice - verify against the primary sources linked above.