A common misunderstanding in Spanish boardrooms is to describe data protection compliance as «having the LOPD done». The problem is that the original LOPD — Organic Law 15/1999 — was repealed in 2018. And the compliance work done in 2016 does not cover the obligations of 2026. This article explains, in plain terms, what each regulation is, why distinguishing them matters, and what specific obligations the current framework places on companies operating in Spain.
What is each regulation? Hierarchy and current status
The 1999 LOPD: history, not a current obligation
The Organic Law 15/1999 on the Protection of Personal Data (LOPD) was Spain's main data protection statute for nearly two decades. It transposed EU Directive 95/46/EC and created the regime of file registration with the Spanish Data Protection Agency (AEPD), security levels (basic, medium, high) and the associated security measures. It was repealed on 7 December 2018 when the LOPDGDD came into force. It imposes no obligations today. Referring to it as binding law is an error.
The GDPR: the European regulation that changed everything
The Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data (GDPR) has applied directly in all Member States since 25 May 2018. It did not need transposition: it takes effect as written. As an EU regulation — not a directive — its text prevails over any conflicting national rule. It is the foundational statute for any organisation processing data of EU residents, regardless of where that organisation is established.
The LOPDGDD: Spain's adaptation of the GDPR
The Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD) adapts and supplements the GDPR within the margins the regulation leaves to Member States. It entered into force on 7 December 2018 and expressly repealed the 1999 LOPD. It does not replace the GDPR: it accompanies it. Where both regulate the same matter, the GDPR takes precedence; where the LOPDGDD covers matters the GDPR leaves to national law — such as the minimum age for consent, trade union membership data, workplace video surveillance or digital workers' rights — the LOPDGDD provides the specific rule.
Who supervises? The AEPD as supervisory authority
The Spanish Data Protection Agency (AEPD) is the independent supervisory authority in Spain for compliance with both the GDPR and the LOPDGDD, pursuant to Article 57 GDPR and Article 44 LOPDGDD. Its functions include investigating complaints, imposing corrective measures, issuing reprimands, applying fines and publishing guidance. The AEPD does not guarantee any company's compliance: it offers guidance, but it also sanctions when it detects infringements.
For practical questions, the AEPD publishes technical guidance on cookies, video surveillance, the data protection officer and other topics. These documents are soft law — they do not have the force of statute — but they represent the criteria the agency itself applies when assessing compliance.
Specific obligations under the current GDPR + LOPDGDD framework
Records of processing activities
Article 30 GDPR requires controllers and processors to maintain records of their processing activities. These records must include, among other elements: the name and contact details of the controller, the purposes of processing, a description of the categories of data subjects and personal data, recipients, international transfers and, where possible, the envisaged erasure time limits. This document is the cornerstone of the accountability principle required by the GDPR.
Legal basis for each processing operation
Article 6 GDPR requires every processing operation to have a lawful basis: consent, performance of a contract, legal obligation, vital interests, public task or legitimate interest. Processing personal data without a lawful basis is a serious infringement. The LOPDGDD adds specific rules for certain bases in the Spanish context (Article 19 LOPDGDD on the minimum age for consent: 14 years in Spain, within the 13-to-16 margin permitted by the GDPR).
Information and transparency
Articles 13 and 14 GDPR set out the information to be provided to data subjects when their data are collected (layers 1 and 2 of the privacy policy). The information must be concise, transparent, intelligible and easily accessible, in clear and plain language. A privacy notice copied from a generic 2016 template does not meet these requirements.
Data subjects' rights
The GDPR grants the rights of access (Art. 15), rectification (Art. 16), erasure or 'right to be forgotten' (Art. 17), restriction of processing (Art. 18), data portability (Art. 20) and objection (Art. 21). Organisations must provide an effective channel for receiving requests and respond within one month (extendable by a further two months in complex cases). The LOPDGDD adds digital rights in employment relationships (Arts. 87-91), including the right to digital disconnection, the right to privacy in the face of video surveillance and the right to privacy in the use of digital devices at work.
Security breaches: notification within 72 hours
Article 33 GDPR obliges the controller to notify the AEPD of any personal data breach likely to result in a risk to the rights and freedoms of natural persons, within 72 hours of becoming aware of it. If the notification cannot be completed within that period, it may be provided in phases, explaining the reasons for the delay. Additionally, Article 34 GDPR requires the controller to communicate the breach to the affected data subjects without undue delay when it is likely to result in a high risk to their rights and freedoms, using clear and plain language.
Video surveillance: Articles 22 and 89 LOPDGDD
Video surveillance has specific regulation under the LOPDGDD. Article 22 LOPDGDD governs the capture of images in public or publicly accessible places by private individuals and legal entities: it requires an adequate legal basis, a standardised informative sign ('video surveillance zone' with the controller's details) visible before entering the recorded area, and a maximum image retention period of one month (unless retention beyond that period is required by judicial or administrative order). Article 89 LOPDGDD governs the use of surveillance and recording cameras in the employment relationship: employers may install video surveillance systems to monitor work performance, but must inform employees and their representatives in advance, expressly, clearly and concisely. Covert cameras to detect unlawful conduct are only admissible in very limited cases defined by the case law of the Supreme Court and the Constitutional Court.
Cookies and electronic communications: Art. 22.2 LSSI-CE and the AEPD Cookie Guide
Cookies are not regulated directly by the GDPR but by Article 22.2 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), which requires the user's prior informed consent for the storage of non-strictly-necessary cookies. The AEPD Cookie Guide (updated in 2023) specifies the requirements: a first-layer banner visible when accessing the site, with no pre-ticked boxes, and with the option to reject cookies as accessible and simple as the option to accept. Treating scrolling as consent or site access as consent is not valid.
Data Protection Officer (DPO): Articles 37–39 GDPR
Articles 37 to 39 GDPR regulate the role of the Data Protection Officer. Designation is mandatory in the cases set out in Article 37.1: public authorities and bodies, controllers whose core activities involve large-scale systematic monitoring of data subjects, and controllers processing at large scale special categories of data (health, ideology, racial origin, etc.) or data relating to criminal convictions and offences. The LOPDGDD extends these cases in Article 34, including educational centres, credit institutions, insurers, pharmacists and others. The DPO may be internal or external, must have expert knowledge of data protection law and practice, must act with functional independence and must report to the highest management level.
Sanctions framework: Article 83 GDPR
The GDPR does not specify fine amounts for each individual infringement: it establishes a two-tier framework in Article 83. The most serious infringements — such as processing data without a legal basis, violating the fundamental principles of processing or transferring data to third countries without adequate safeguards — may be sanctioned with fines of up to EUR 20,000,000 or 4% of the total annual worldwide turnover of the preceding financial year, whichever is higher. Lesser infringements may reach EUR 10,000,000 or 2% of turnover. The LOPDGDD classifies infringements as minor, serious and very serious (Arts. 72–74) and establishes limitation periods, but the maximum fines are those set by the GDPR. The AEPD takes into account multiple mitigating and aggravating factors when calculating the effective fine.
Comparison table: 1999 LOPD, GDPR and LOPDGDD at a glance
| Aspect | LOPD (LO 15/1999) | GDPR (EU 2016/679) | LOPDGDD (LO 3/2018) |
|---|---|---|---|
| Current status | Repealed since Dec. 2018 | In force since May 2018 | In force since Dec. 2018 |
| Origin | Spanish law (Directive 95/46/EC) | EU regulation (directly applicable) | Spanish organic law |
| File registration with AEPD | Mandatory | Replaced by records of processing (Art. 30) | Confirms elimination |
| Data breaches | No specific rule | Notify AEPD within 72 h (Art. 33); inform data subjects if high risk (Art. 34) | Supplements GDPR |
| Mandatory DPO | Did not exist | Arts. 37–39 (specific cases) | Art. 34 extends cases in Spain |
| Workplace video surveillance | No specific rule | General framework | Arts. 22 and 89 LOPDGDD |
| Cookies | Not regulated | Not regulated directly | Refers to Art. 22.2 LSSI-CE and AEPD Guide |
| Maximum fine | EUR 600,000 (most serious) | EUR 20 M or 4% turnover (Art. 83) | Refers to GDPR; classifies infringements |
What does this mean for your company?
Compliance is not a one-off administrative exercise. The GDPR requires a proactive, ongoing accountability approach: documenting why you process each piece of data, on what legal basis, for how long and with what security measures. Companies that updated their documentation in 2018 should review whether their records, processor agreements and privacy policies are still accurate in 2026, given any changes in suppliers, processes or purposes that have occurred in the intervening years.
At Summum Consultoria we support companies in Castilla y León and the Canary Islands through GDPR and LOPDGDD compliance: from the initial diagnostic through the implementation of the records of processing activities, the review of privacy notices, the management of data subjects' rights and the response to security breaches. If you have questions about which rules apply to your company or whether your current documentation is still valid, we can help you clarify.
Frequently asked questions
Do I still need to register files with the AEPD?
No. The obligation to register files was eliminated when the GDPR came into force in 2018. What is mandatory since then is maintaining the internal record of processing activities required by Article 30 GDPR. This is an internal document — not a procedure before the AEPD — that evidences what data the organisation processes, for what purpose and on what legal basis.
When must a data breach be notified to the AEPD?
When the breach is likely to result in a risk to the rights and freedoms of natural persons, notification must be made to the AEPD within a maximum of 72 hours of the controller becoming aware of it (Art. 33 GDPR). If completing the notification within that period is not possible, it may be done in phases. Additionally, if the breach is likely to result in a high risk to data subjects, they must be informed directly (Art. 34 GDPR) without undue delay, in clear and plain language. The key is to have an internal detection and response protocol in place before an incident occurs, not to improvise once it has happened.
Does my company need a Data Protection Officer?
It depends on the type of processing you carry out. Designation of a DPO is mandatory, among other cases, when the core activities involve large-scale processing of health data, biometric data, children's data or data relating to criminal offences, or when large-scale systematic monitoring of data subjects is performed. The LOPDGDD extends these cases in Spain. If none of these scenarios apply, designation is not mandatory, though it is advisable for organisations with significant processing volumes. You can read more in our article on when an external DPO is mandatory.
What happens if my website uses Google Analytics without a cookie banner?
Google Analytics installs analytics cookies that are not strictly necessary for the service requested. Article 22.2 LSSI-CE requires prior informed consent from the user before installing them. Operating Google Analytics without a valid cookie banner — or with a banner that does not offer a reject option as easily accessible as the accept option — is an infringement of the LSSI-CE that the AEPD can sanction. The AEPD Cookie Guide (2023) is the reference document for assessing whether a banner meets the requirements.