GDPR explained: who it applies to and key obligations in Spain

·

Since May 2018, the General Data Protection Regulation — Regulation (EU) 2016/679, known as the GDPR — has been the benchmark privacy standard for all organisations that process personal data of EU citizens. In Spain it is complemented by Organic Law 3/2018 on Personal Data Protection and Digital Rights Guarantee (LOPDGDD), which adapts the Regulation to Spanish law and adds specific provisions on digital media, video surveillance, employment and minors. The supervisory authority in Spain is the Agencia Española de Protección de Datos (AEPD).

What surprises many SMEs when they grasp the real scope of these rules is precisely their breadth: the GDPR is not only for large technology corporations. If your company manages customer lists, sends newsletters by email, records the interior of premises with cameras or logs employee attendance, you are already processing personal data and the Regulation applies to you.

Who exactly does the GDPR apply to?

The GDPR applies to any organisation — company, sole trader, association, public authority — that meets either of these two conditions:

In practice, a hardware store in Burgos with a customer CRM, a dental clinic in Las Palmas with patient records or an online shop in Salamanca with a subscriber list: all fall under the GDPR. Company size reduces certain formal requirements (micro-enterprises with fewer than 250 employees are exempt from maintaining the record of processing activities in some cases), but it does not remove the obligation to process data lawfully, transparently and securely.

What is personal data under the GDPR?

The Regulation defines «personal data» as any information relating to an identified or identifiable natural person (Art. 4.1 GDPR). Personal data includes, among others:

Data relating to legal entities (companies, corporations) falls outside the scope of the GDPR, although the contact details of a sole trader or an employee of a company are personal data.

What principles does the GDPR require when processing data?

Article 5 of the GDPR sets out the principles that govern all lawful processing. Obtaining consent alone is not enough: all principles must be met simultaneously:

Principle What it means in practice
Lawfulness, fairness and transparency A valid legal basis exists and the data subject knows what is done with their data.
Purpose limitation Data is only used for the declared purpose; it is not repurposed without a new legal basis.
Data minimisation Only data strictly necessary for the purpose is collected.
Accuracy Data must be kept up to date; inaccurate data must be rectified or erased.
Storage limitation Data is not kept longer than necessary for the purpose, unless there is a legal obligation.
Integrity and confidentiality Appropriate technical and organisational measures protect the data.
Accountability The controller can demonstrate compliance with all the above principles.

Legal bases: on what ground can I process data?

Processing data without a valid legal basis is a serious infringement. Article 6 of the GDPR provides six possible bases. The most common in a business context are:

Rights of individuals that every business must guarantee

The GDPR grants data subjects a catalogue of rights that must be exercisable in a simple and free-of-charge manner:

Businesses must respond to these requests within one month, extendable to three in complex cases. Failing to respond or refusing without justification is a sanctionable infringement.

Personal data breaches: what to do and within what timeframe

A personal data breach is any incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. The GDPR imposes specific obligations:

All breaches must be documented internally, even if they do not meet the threshold for mandatory notification (Art. 33.5 GDPR). The internal record allows the controller to demonstrate due diligence to the AEPD.

Video surveillance and cameras in the workplace

Video surveillance is one of the areas where the GDPR compliance service for businesses receives the most enquiries. The applicable regulations combine the GDPR with the LOPDGDD:

Cookies and the LSSI-CE

The use of cookies is primarily governed by Art. 22.2 of Law 34/2002 on Information Society Services and Electronic Commerce (LSSI-CE), which requires the informed consent of the user for the installation of non-technical cookies. The AEPD has published the Guide on the use of cookies (updated in 2023), which is essential for compliance in practice and establishes:

The Data Protection Officer (DPO): when is designation mandatory?

Articles 37 to 39 of the GDPR regulate the figure of the Data Protection Officer (DPO). Designation is mandatory in three specific cases (Art. 37.1 GDPR):

  1. Public authorities and bodies.
  2. Organisations whose core activities consist of processing operations which, by virtue of their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale (e.g., behavioural advertising platforms, telecommunications operators).
  3. Organisations whose core activities consist of large-scale processing of special categories of data (health data, biometric data, data on criminal convictions, etc.).

Outside these cases, designation is voluntary but advisable. The DPO acts as a contact point with the AEPD, provides internal compliance advice and supervises the application of the Regulation. They may be internal or external; for SMEs, the external DPO option is the most cost-efficient, providing access to a qualified expert without the need for a full-time hire.

How much can the AEPD fine?

The GDPR establishes a two-tier sanctioning regime (Art. 83):

No consulting service can guarantee the absence of sanctions — that depends solely on actual compliance and the specific circumstances of each case — but expert guidance from the outset significantly reduces both the likelihood of an investigation being opened and the severity of its consequences.

Where to start: the basic steps towards GDPR compliance

  1. Processing inventory: identify what data is processed, for what purpose, on what legal basis, for how long and who has access. The result is the Record of Processing Activities (Art. 30 GDPR).
  2. Risk assessment: evaluate whether the processing poses risks to data subjects and, where applicable, carry out a Data Protection Impact Assessment (DPIA), mandatory where processing is likely to result in a high risk (Art. 35 GDPR).
  3. Documentation: privacy policy, information clauses, processor agreements (suppliers that access data), procedures for handling rights requests and managing breaches.
  4. Technical and organisational measures: access controls, encryption, password policy, backups, staff training.
  5. DPO designation where required, or assignment of internal supervisory responsibilities.
  6. Periodic review: compliance is not a one-off milestone; it requires review when the business activity changes, new digital tools are introduced or regulations are amended.

To begin this process with the support of a specialist team, see our GDPR compliance service for businesses in Castilla y León and the Canary Islands. You can also find further detail on specific aspects in our articles on Data Protection Impact Assessments (DPIA) and the external DPO service.