Data & Privacy - Spain

The GDPR applies directly and is implemented domestically by Organic Law 3/2018 (LOPDGDD), published in the BOE on 6 December 2018, with 97 articles across ten titles. It both adapts the GDPR and fulfils the Spanish Constitution's Art. 18.4 mandate on data protection.

The Agencia Española de Protección de Datos is the independent national supervisory authority that enforces the GDPR/LOPDGDD, investigates complaints, issues fines and corrective orders, and represents Spain on the European Data Protection Board (EDPB).

Three regional authorities oversee public-sector bodies in their territories: the Catalan APDCAT, the Basque AVPD (Datuak Babesteko Euskal Bulegoa), and Andalusia's CTPDA. The AEPD remains competent for the private sector and the rest of the public sector.

Beyond GDPR, the LOPDGDD enshrines digital rights such as the right to digital disconnection at work (Art. 88), workplace device privacy (Art. 87), rules on video/audio surveillance (Art. 89) and worker geolocation (Art. 90), plus internet access, net neutrality and digital education rights.

Spain is the EU country with the most GDPR fines by a wide margin; since 2018 the AEPD has issued over 1,000 penalties. Its 2025-2030 Strategic Plan (published July 2025) commits to AI-assisted supervision focused on large-scale processors, biometrics and algorithmic systems.

A draft Organic Law for the Protection of Minors in Digital Environments, approved by the Council of Ministers in March 2025 and under parliamentary consideration, would raise the digital consent age from 14 to 16 and require platform age verification.