Since May 2018, the General Data Protection Regulation — Regulation (EU) 2016/679, known as the GDPR — has been the benchmark privacy standard for all organisations that process personal data of EU citizens. In Spain it is complemented by Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), which adapts the Regulation to Spanish law and adds specific provisions on digital media, video surveillance, employment and minors. The supervisory authority in Spain is the Agencia Española de Protección de Datos (AEPD).
What surprises many SMEs when they grasp the real scope of these rules is precisely their breadth: the GDPR is not only for large technology corporations. If your company manages customer lists, sends newsletters by email, records the interior of premises with cameras or logs employee attendance, you are already processing personal data and the Regulation applies to you.
Who exactly does the GDPR apply to?
The GDPR applies to any organisation — company, sole trader, association, public authority — that meets either of these two conditions:
- It is established in the European Union and processes personal data in the context of that activity, regardless of where the processing takes place.
- It is not established in the EU but offers goods or services to people in the EU, or monitors the behaviour of people located in the EU (Art. 3 GDPR).
In practice, a hardware store in Burgos with a customer CRM, a dental clinic in Las Palmas with patient records or an online shop in Salamanca with a subscriber list: all fall under the GDPR. Company size reduces certain formal requirements (micro-enterprises with fewer than 250 employees are exempt from maintaining the record of processing activities in some cases), but it does not remove the obligation to process data lawfully, transparently and securely.
What is personal data under the GDPR?
The Regulation defines «personal data» as any information relating to an identified or identifiable natural person (Art. 4.1 GDPR). Personal data includes, among others:
- Name, surnames, national identity number (DNI/NIF) of a natural person.
- Email address, phone number, postal address.
- IP address, device identifiers, tracking cookies.
- Images captured by video surveillance where they allow a person to be identified.
- GPS location data.
- Medical records or health data (special category, Art. 9 GDPR).
- Data on trade union membership, ideology, religion or sexual life (special categories).
Data relating to legal entities (companies, corporations) falls outside the scope of the GDPR, although the contact details of a sole trader or an employee of a company are personal data.
What principles does the GDPR require when processing data?
Article 5 of the GDPR sets out the principles that govern all lawful processing. Obtaining consent alone is not enough: all principles must be met simultaneously:
| Principle | What it means in practice |
|---|---|
| Lawfulness, fairness and transparency | A valid legal basis exists and the data subject knows what is done with their data. |
| Purpose limitation | Data is only used for the declared purpose; it is not repurposed without a new legal basis. |
| Data minimisation | Only data strictly necessary for the purpose is collected. |
| Accuracy | Data must be kept up to date; inaccurate data must be rectified or erased. |
| Storage limitation | Data is not kept longer than necessary for the purpose, unless there is a legal obligation. |
| Integrity and confidentiality | Appropriate technical and organisational measures protect the data. |
| Accountability | The controller can demonstrate compliance with all the above principles. |
Legal bases: on what ground can I process data?
Processing data without a valid legal basis is a serious infringement. Article 6 of the GDPR provides six possible bases. The most common in a business context are:
- Consent (Art. 6.1.a): free, specific, informed and unambiguous. Pre-ticked boxes are not valid consent. Consent may be withdrawn at any time.
- Performance of a contract (Art. 6.1.b): the processing is necessary to perform the contract concluded with the data subject (e.g., delivering an order to the customer's delivery address).
- Legal obligation (Art. 6.1.c): the law requires the controller to process those data (e.g., retaining invoices for the tax retention period, recording working hours).
- Legitimate interests (Art. 6.1.f): requires a documented balancing test demonstrating that the controller's interest does not override the data subject's rights. It is not a generic escape clause.
Rights of individuals that every business must guarantee
The GDPR grants data subjects a catalogue of rights that must be exercisable in a simple and free-of-charge manner:
- Access (Art. 15): the data subject can request what data is held about them and for what purpose.
- Rectification (Art. 16): correction of inaccurate or incomplete data.
- Erasure or «right to be forgotten» (Art. 17): deletion of data when no longer necessary or when consent is withdrawn.
- Objection (Art. 21): the data subject may object to processing, especially when based on legitimate interests or carried out for direct marketing purposes.
- Data portability (Art. 20): receive data in a structured, machine-readable format to transfer to another controller.
- Restriction of processing (Art. 18): limit the use of data in certain circumstances.
Businesses must respond to these requests within one month, extendable to three in complex cases. Failing to respond or refusing without justification is a sanctionable infringement.
Personal data breaches: what to do and within what timeframe
A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The GDPR imposes specific obligations:
- Notification to the AEPD (Art. 33 GDPR): where a breach is likely to result in a risk to the rights and freedoms of natural persons, it must be notified to the supervisory authority within 72 hours of the controller becoming aware of it. If notification within that period is not possible, it is made without undue delay with the information available and completed subsequently.
- Communication to data subjects (Art. 34 GDPR): where the breach is likely to result in a high risk to the rights and freedoms of natural persons, the controller must communicate the breach to them without undue delay, in clear and plain language, indicating the nature of the breach and the measures taken.
All breaches must be documented internally, even if they do not meet the threshold for mandatory notification (Art. 33.5 GDPR). The internal record allows the controller to demonstrate due diligence to the AEPD.
Video surveillance and cameras in the workplace
Video surveillance is one of the areas where the GDPR compliance service for businesses receives the most enquiries. The applicable regulations combine the GDPR with the LOPDGDD:
- Art. 22 LOPDGDD (general video surveillance): natural or legal persons may process images captured by video surveillance cameras to preserve the safety of persons and facilities. It is mandatory to display an informative sign in a visible place indicating the processing (video-surveilled area), the controller's identity and how to exercise rights. Images must be erased within a maximum period of 30 days, unless they need to be retained to document unlawful acts or handed over to law enforcement.
- Art. 89 LOPDGDD (cameras in the workplace): employers may process images obtained through video surveillance cameras to monitor workers in the performance of their duties, provided that workers or their representatives have been informed in advance, expressly, clearly and concisely. Cameras may not be installed in rest areas, changing rooms or toilets.
Cookies and the LSSI-CE
The use of cookies is primarily governed by Art. 22.2 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), which requires the informed consent of the user for the installation of non-technical cookies. The AEPD has published the Guide on the use of cookies (updated in 2023), which is essential for compliance in practice and establishes:
- The cookie banner must allow users to refuse as easily as they accept; «Accept» and «Reject» buttons must be equally prominent.
- Pre-ticked boxes or options that nudge the user towards acceptance (dark patterns) are not permitted.
- Non-essential cookies must not be installed before the user has given consent.
- The user must be able to withdraw consent as easily as they gave it.
The Data Protection Officer (DPO): when is designation mandatory?
Articles 37 to 39 of the GDPR regulate the figure of the Data Protection Officer (DPO). Designation is mandatory in three specific cases (Art. 37.1 GDPR):
- Public authorities and bodies.
- Organisations whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale (e.g., behavioural advertising platforms, telecommunications operators).
- Organisations whose core activities consist of large-scale processing of special categories of data (health data, biometric data, data on criminal convictions, etc.).
Outside these cases, designation is voluntary but advisable. The DPO acts as a contact point with the AEPD, provides internal compliance advice and supervises the application of the Regulation. They may be internal or external; for SMEs, the external DPO option is the most cost-efficient, providing access to a qualified expert without the need for a full-time hire.
How much can the AEPD fine?
The GDPR establishes a two-tier sanctioning regime (Art. 83):
- Serious infringements: fines of up to €10,000,000 or 2% of the total worldwide annual turnover of the preceding financial year (whichever is higher).
- Very serious infringements: fines of up to €20,000,000 or 4% of the total worldwide annual turnover (whichever is higher).
No consulting service can guarantee the absence of sanctions — that depends solely on actual compliance and the specific circumstances of each case — but expert guidance from the outset significantly reduces both the likelihood of an investigation being opened and the severity of its consequences.
Where to start: the basic steps towards GDPR compliance
- Processing inventory: identify what data is processed, for what purpose, on what legal basis, for how long and who has access. The result is the Record of Processing Activities (Art. 30 GDPR).
- Risk assessment: evaluate whether the processing poses risks to data subjects and, where applicable, carry out a Data Protection Impact Assessment (DPIA), mandatory where processing is likely to result in a high risk (Art. 35 GDPR).
- Documentation: privacy policy, information clauses, processor agreements (suppliers that access data), procedures for handling rights requests and managing breaches.
- Technical and organisational measures: access controls, encryption, password policy, backups, staff training.
- DPO designation where required, or assignment of internal supervisory responsibilities.
- Periodic review: compliance is not a one-off milestone; it requires review when the business activity changes, new digital tools are introduced or regulations are amended.
To begin this process with the support of a specialist team, see our GDPR compliance service for businesses in Castilla y León and the Canary Islands. You can also find further detail on specific aspects in our articles on Data Protection Impact Assessments (DPIA) and the external DPO service.