On 2 August, "we'll deal with it later" runs out .
High-risk systems come into full effect. Which companies thought they were exempt and turn out not to be — and where to start if nothing has been done yet.
Regulatory, strategy and compliance analysis for business owners who already have traction. Fortnightly ; no noise.
High-risk systems come into full effect. Which companies thought they were exempt and turn out not to be — and where to start if nothing has been done yet.
A UNE 19601 programme only exempts liability if it is kept alive. How to maintain it between audits.
Without data owners or a data catalogue, the sustainability report is built on sand.
Neither leaving management vacant nor improvising a promotion. The third way.
How to fit into the right category before overspending.
Why the classic consultancy's PowerPoint ages badly in 2026.
The value lies in the specialists who understand the sector, not in the price.
The AEPD's DPO Certification Scheme, with bodies accredited by ENAC, is a serious but voluntary credential: Article 37.5 of the GDPR requires qualification, not a certificate. This guide explains what it actually certifies, how the accreditation works, and what should really matter when choosing an external DPO.
Read articleChoosing an external DPO should not come down to comparing quotes. This guide gives ten objective criteria —conflict of interest, qualification, sector specialisation, proximity, contractual deliverables, 72-hour breach response and price transparency— to filter any proposal before signing, without naming competitors.
Read articleAppointing a DPO does not end with signing the designation letter: Article 37.7 of the GDPR requires notifying the AEPD and publishing the DPO's contact details. This guide explains the step-by-step procedure on the Electronic Office, the deadlines, the most common mistakes and what you risk by delaying.
Read articleMany SMEs believe they are exempt from keeping a Record of Processing Activities because they have fewer than 250 employees. Article 30.5 of the GDPR says otherwise: the exemption only protects a handful of very specific cases. This guide debunks the myth and explains, field by field, how to build a RAT as controller and as processor.
Read articleNot having a DPO when the law requires one is not an administrative oversight: it is a codified infringement that the AEPD can sanction under Article 83.4 of the GDPR, and one that Spain's LOPDGDD grades within its own penalty regime. This guide explains exactly what is being sanctioned, at what amounts, when it lapses, and how to avoid it.
Read articleThe GDPR and the LOPDGDD (Spain’s Organic Law on Personal Data Protection and Digital Rights Guarantee) establish a specific framework for processing employee data that goes far beyond payroll: legal bases, digital rights at work, working-time records and special categories of data are the pillars every company must understand in order to comply with the regulations.
Read articleWhenever a company receives a CV, runs a recruitment process or views a candidate's LinkedIn profile, it is processing personal data subject to the GDPR; understanding the specific obligations—legal basis, retention period, required information and social-media limits—is essential to avoid infringements.
Read articleArticle 34.9 of the Workers' Statute requires companies to record the daily working hours of each employee, but that record generates personal data that must be processed in compliance with the GDPR: minimisation, legal basis, biometrics as a special category and retention periods.
Read articleInstalling a GPS system in company vehicles involves processing employees' personal data: article 90 of the LOPDGDD (Organic Law on Data Protection and Guarantee of Digital Rights) sets the rules, and the AEPD (Spanish Data Protection Authority) has declared unlawful those processing operations that failed to provide prior information or that tracked employees outside working hours.
Read articleThe right of access allows any individual to find out what personal data your company holds about them, for what purpose and for how long; knowing how to respond correctly within the legal deadline can make the difference between compliance and a penalty.
Read articleArticle 17 of the GDPR grants every individual the right to have their personal data erased without undue delay, but that does not mean every request must be honoured: there are significant exceptions when the organisation has a legal obligation to retain the information.
Read articleWhen a data subject requests access to, rectification of, or erasure of their personal data, the controller has one month to respond; failure to do so opens the door to a complaint before the AEPD (Agencia Española de Protección de Datos, Spain's data protection authority).
Read articleThe General Data Protection Regulation expanded citizens' rights beyond the old ARCO framework: we now speak of ARSULIPO — six rights of the acronym, together with additional GDPR rights, each with specific deadlines, conditions and obligations for any organisation that processes personal data.
Read articleChoosing the wrong lawful basis for a data processing activity is not a minor mistake: it invalidates the processing, exposes the organisation to penalties, and forces a restart from scratch. This article explains when each of the six bases under Article 6(1) GDPR applies and how to document the decision correctly.
Read articleThe GDPR's penalty regime sets two fine tiers that can reach €20 million or 4 % of global annual turnover, but the final amount depends on up to eleven grading criteria that the AEPD weighs in each case.
Read articleThe storage limitation principle of article 5.1.e of the GDPR prohibits retaining data longer than necessary, but determining that limit requires cross-referencing data protection law with the sector-specific legislation that applies to each processing activity.
Read articleReceiving a communication from the AEPD (Spain's Data Protection Agency) triggers a process with strict deadlines and significant legal consequences. Understanding the phases, knowing your rights, and having the right documentation ready makes the difference between responding with authority or being caught at a disadvantage.
Read articleEvery time a Spanish company sends data to a cloud service provider based in the United States, it transfers personal data outside the EEA — an act governed by Chapter V of the GDPR that requires a lawful transfer mechanism before the data crosses the border.
Read articleThe use of chatbots and artificial intelligence systems in business raises specific data protection obligations: legal basis, user information, the right not to be subject to automated decisions, and simultaneous compliance with the GDPR and the AI Act.
Read articleInstalling cameras in the common areas of a homeowners' association requires compliance with the GDPR, the LOPDGDD and the Spanish Horizontal Property Act: from the general meeting resolution to the information notice, the maximum thirty-day retention period and strict control of access to recordings.
Read articleIf you install cameras on your business premises, regulations require you to display a video surveillance zone sign with precise information about the data controller, the purpose of processing and the rights of data subjects; we explain exactly what it must contain and where to place it.
Read articleThe 72-hour clock does not start when the security breach occurs, but when the data controller becomes aware of it. This article explains in detail how that deadline is calculated, what role the preliminary internal investigation plays, when the justified delay under Article 33(1) applies and when to use phased notification under Article 33(4) GDPR.
Read articleNotifying the AEPD (Spanish Data Protection Authority) within 72 hours is only one part of the legal duty: when the incident poses a high risk to individuals' rights, art. 34 of the GDPR also requires direct communication to the people affected.
Read articleKnowing what to do in the first hours after detecting a security incident makes the difference between an orderly response and a crisis that spirals out of control: we walk you through the phases of a real protocol, from detection to lessons learned.
Read articleThe law limits to one month the time that images captured by security cameras may be kept, but there are incident-blocking scenarios and exceptions that every business must know before configuring its CCTV system.
Read articleArticle 25 of the GDPR (Regulation (EU) 2016/679) obliges organisations to embed data protection from the very first blueprint of any system — not as an afterthought. This is how privacy by design and by default works in business practice.
Read articleThe right to data portability and the right to object are two of the GDPR instruments that generate the most uncertainty in organisations: when they apply, how to process them, and what distinguishes portability from the right of access.
Read articleDoes your business process data from customers, employees or suppliers? The GDPR applies from the very first data point. We explain what it is, who it covers and what non-compliance means.
Read articleMany businesses still talk about 'the LOPD' when they have actually been bound by the GDPR for years. Understanding the difference is not a technicality — it determines your obligations, your supervisory authority and the fines you face.
Read articleMost SMEs know the GDPR exists, but few are clear about which specific measures they must implement and in what order. This guide structures the compliance process into manageable phases, without unnecessary jargon.
Read articleWhen a security breach occurs, the clock starts from the moment you become aware of the incident. The General Data Protection Regulation sets a 72-hour deadline to notify the Spanish Data Protection Agency (AEPD), and not every organisation knows what steps to take or in what order.
Read articleLosing a laptop with client files, suffering a ransomware attack or sending an email to the wrong recipient are all data breaches that the GDPR requires you to manage within strict deadlines. Many SMEs do not know what to do in the first few hours.
Read articleInstalling cameras without an adequate information notice is one of the most common CCTV infringements sanctioned by Spain's data protection authority, the AEPD. We explain what the notice must include, where to place it, how long images may be retained, and the key differences between cameras in public-facing areas and in the workplace.
Read articleInstalling cameras on business premises without complying with Article 89 LOPDGDD and the GDPR exposes the company to fines of up to EUR 20 million or 4% of global annual turnover. Here we explain what the law requires and how to comply.
Read articleThe AEPD Cookie Guide sets precise rules on banners, reject buttons and consent records. Non-compliance can result in fines of up to 2 % of global annual turnover. Here is exactly what you must do.
Read articleThe Data Protection Officer (DPO) is not a paperwork exercise: the regulation gives this figure genuine independence and clearly defined responsibilities. This guide explains what a DPO does, what they cannot do, and when their designation is mandatory under the GDPR and the Spanish LOPDGDD.
Read articleThe cost of an external DPO in Spain ranges from €80 to €600 per month depending on sector, data volume and service intensity. We break down the real variables and what your contract must include.
Read articleThe GDPR allows you to appoint a Data Protection Officer from within your own staff or through an external professional. The choice is not purely financial: it affects independence, specialisation and accountability before the supervisory authority.
Read articleThe Transparency Act does not only apply to public bodies: many SMEs that work with public funds or provide services to certain private entities need to demonstrate transparency policies. Here we explain what the law requires and how to address it efficiently.
Read articleEverything a service company needs to know to bid on regional public contracts in Castilla y León: requirements, platforms and keys to scoring well.
Read articleA legal audit of your online store detects gaps in LSSI, GDPR, terms of sale and cookies before the AEPD or a dissatisfied customer does.
Read articleA practical guide to M&A advisor fee structures: monthly retainer, success fee, and the factors that determine how much it costs to sell an SME.
Read articleEverything an SME manufacturer needs to know about CE marking for machinery: current regulations, real deadlines, approximate cost and how to avoid the most common mistakes.
Read articleDORA has been mandatory since January 2025. Here is the roadmap with phases, priorities and the traps that most delay institutions that start late.
Read articleA practical guide to what an AML/CFT consultancy includes, which businesses are subject to obligations, and how the budget is structured according to company size and sector.
Read articleComplete methodology to carry out the mandatory pay equity audit, interpret the results and correct the gender pay gap without mistakes.
Read articleThe new digital working time recording regulation tightens the technical requirements for the system: here are the deadlines, requirements, and what your company must do now.
Read articleA guide with indicative market prices for GDPR compliance in a Spanish SME: from the initial gap analysis to ongoing annual maintenance.
Read articleThe GDPR and Spain's LOPDGDD make a mandatory DPO compulsory for almost every private clinic that processes health data: here are the exact criteria, real fines, and market price ranges for the external service.
Read articleWithout a laboratory or researchers on the payroll, many industrial SMEs let tens of thousands of euros in R&D grants slip by every year — grants they are fully entitled to.
Read articleThe AI Act is already in force: we explain how to determine whether your AI system is high-risk, which categories Annex III covers and what you must do if it applies.
Read articleIf you manufacture, distribute, or provide services to a large company, CSRD is already knocking at your door: we explain what ESG information they will request and how to get ahead of it.
Read articleDentists process special-category data every day: clinical records, X-rays, diagnoses. The GDPR requires the appointment of a Data Protection Officer, and the AEPD has already fined practices that ignored this obligation.
Read articleState-funded private schools process children's data at scale and are required by law to appoint a DPO: here is what that means in practice.
Read articleCCTV cameras, online bookings, loyalty cards and guest Wi-Fi: the hospitality sector collects far more personal data than it realises, and the AEPD knows it.
Read articleA complete map of the compliance obligations affecting your SME in 2026: from criminal liability programmes to the NIS2 directive, with application criteria by size and sector.
Read articleThe R&D tax deduction can return up to 42% of research and innovation expenditure, but applying it without adequate documentary support turns the saving into a fiscal risk.
Read articleEverything you need to know to register your trademark in Spain: the procedure with the OEPM, current fees, the opposition period and when it makes sense to move to an EU trade mark.
Read articlePublic procurement is a real opportunity for SMEs, but the process can be daunting. We explain how it works, what the law requires and how to prepare a winning bid.
Read articleHealth data is the most protected category under the GDPR. Discover the specific obligations your clinic must meet, what fines you risk and how to get compliant.
Read articleEducational centres process particularly sensitive data about minors: academic performance, health, images. Find out what the GDPR requires and how to comply without errors.
Read articleDigital time tracking is now mandatory for all companies. We analyse what the law requires in 2026, which systems are valid and what the penalties for non-compliance are.
Read articleLaw 19/2013 goes beyond public administrations: political parties, trade unions and private entities receiving grants are also obliged. We explain who, what and how.
Read articleCE marking is not a quality seal: it is a legal requirement to place certain products on the European Economic Area market, and getting it wrong can lead to market withdrawal and penalties.
Read articleCorporate governance is not just for large listed companies: SMEs that properly structure their governing bodies, minutes and good-governance policies gain better access to financing, close better deals and reduce their legal exposure.
Read articleLaw 2/2023 requires all companies with 50 or more employees to have an operative whistleblowing channel. Since September 2025, the AIPI can already issue sanctions. Are you covered?
Read articleLaw 10/2010 imposes very specific obligations on dozens of sectors. Do you know whether your business is on the list and what you must have in place?
Read articleFrom 50 employees onwards it is mandatory. We explain which companies must have an equality plan, what it must include and how to register it correctly.
Read articleThe AI Act already has active obligations: we explain what applies to your business, which deadlines are real after the Digital Omnibus, and where to start.
Read articleThe NIS2 Directive extends cybersecurity obligations to 18 sectors and more than 100,000 entities across Europe: find out whether your company is included.
Read articleLaunching an online store without complying with the LSSI, the GDPR and consumer regulations can cost you from €3,000 to €600,000 in fines. Here is the complete map.
Read articleThe GDPR makes the DPO mandatory in three specific cases, but the AEPD recommends voluntary appointment in many more. We explain when it is obligatory, when it is advisable, and what market price ranges look like.
Read articleA DPIA is mandatory when a data processing activity is likely to result in a high risk to individuals. This guide explains when that obligation is triggered and how to address it correctly.
Read articleCarbon footprint, renewable energy and circular economy.
Read articleRegulation, robust policies and periodic internal audit.
Read article5S tools, kanban, added value and efficiency.
Read articleSupplier evaluation and strategic outsourcing management.
Read articleFinancial, legal and operational analysis in complex transactions.
Read articleSDGs, sustainability reports and international certifications.
Read articleProject management frameworks, modern tools and phases.
Read articleOpen innovation methodology and agile prototyping.
Read articleSLA, NPS and strategic VIP customer programmes.
Read articleSales funnel, strategic CRM and opportunity closing.
Read articleUnique value proposition, segmentation and market differentiation.
Read articleSelection, implementation and operation of IT management systems.
Read articleEffective negotiation techniques and lasting commercial agreements.
Read articleFeasibility analysis, market entry and localisation in new markets.
Read articleIdentification, assessment and mitigation of business risks.
Read articleEffective channels, messages and a positive corporate reputation.
Read articleFunctional org chart, professional profiles and career development.
Read articleFinancial analysis, cash flow and return on investment.
Read articleCorporate purpose and strategic alignment of teams.
Read articleObjective setting, KPIs and systematic monitoring.
Read articleLeadership styles and group dynamics for maximum productivity.
Read articleCommunication, resistance management and adoption of organisational change.
Read articleProcess redesign to improve operational efficiency and reduce costs.
Read articleSWOT matrix, Porter's model and direct competitive analysis in target markets.
Read articleSteps to digitalise processes without losing operational efficiency.
Read article