CC-01 · Regulatory compliance

GDPR LOPDGDD

Implementation and ongoing maintenance of the data protection framework — the General Data Protection Regulation (EU) 2016/679 and Spain's Organic Law 3/2018 (LOPDGDD) — with living templates, a real breach channel and staff training. A service that works from day 1, not a folder of documents nobody opens again.

Duration3 months + ongoing maintenance
Teamconsultant + DPO
Applicable toany SME

The difference between a company that complies with the GDPR and one that merely holds GDPR paperwork shows up the day a breach happens. The first has a procedure, a channel and a person; the second has a generic inbox and a folder untouched since the initial audit.

We work with the business as it actually operates: we map processing activities as they happen, not as written in the template that came with the management software, and we build the system on that reality. What we deliver is a framework that evolves with the company: documents that change when processes change, periodic training, breach drills and continuous review — not a PDF signed once and forgotten.

When an AEPD inspection arrives, or a large client asks for a supplier audit, the work is already done. And when a security breach happens — because sooner or later it does — you know exactly who to call and in what order to act.

The General Data Protection Regulation (EU) 2016/679 has applied directly across the European Union since 25 May 2018 and covers any organisation, public or private, that processes personal data of individuals, regardless of its size or turnover. There is no threshold of staff or revenue that exempts an organisation from compliance: a freelancer with three clients and a multinational are subject to the same text, even though the scale of their obligations — and the real risk — differs greatly.

Spain's Organic Law 3/2018 on Data Protection and Digital Rights Guarantee (LOPDGDD) develops the GDPR within Spanish law: it sets out the cases where a mandatory DPO must be appointed (art. 34), regulates video surveillance (art. 22), marketing opt-out systems, the data of deceased persons, and digital rights in the workplace, and establishes the national penalty regime (arts. 70–78) aligned with the tiers of Article 83 GDPR. The Spanish Data Protection Agency (AEPD) is the competent supervisory authority in Spain and the body that resolves complaints, opens sanctioning procedures, and publishes the sector's reference guidance.

For an SME, complying with the GDPR and the LOPDGDD means, in practice, five things: knowing what personal data it processes and on what legal basis (art. 6), documenting it in a record of processing activities (art. 30), correctly informing individuals (arts. 13–14), keeping a handle on contracts with suppliers that access that data (art. 28), and being ready to respond to both a rights request and a security breach within the legal deadlines.

The GDPR is not solved with a single page or a single document: it is a management system made of specialised pieces that combine depending on the risk and sector of each organisation. This page is the starting point — the map of obligations — and from here we connect to the services that cover each specific front: the outsourced DPO when the appointment is mandatory or strengthens the system, security breach management, bringing video surveillance in line with Article 22 of the LOPDGDD, the procedure for handling data subjects' rights, and the sector variants for healthcare, education and local government.

Not every organisation needs the same pieces of the silo: a five-person consultancy will likely resolve its compliance with base-level adequacy plus a breach channel; a clinic or a school will almost certainly also need an outsourced DPO registered with the AEPD; and a town council or a company installing cameras on its premises adds the video surveillance piece. The initial diagnosis determines which combination applies to your specific case, without selling services that don't fit.

The penalty regime of Article 83 GDPR sets two tiers: up to €10 million or 2% of worldwide annual turnover for less serious infringements (incomplete records of processing, missing processor agreements, failure to appoint a DPO when mandatory), and up to €20 million or 4% of worldwide turnover for more serious ones (absence of a legal basis, breach of processing principles, systematic failure to honour rights). The LOPDGDD, in Articles 72 to 74, transposes these tiers into Spanish law and adds limitation periods depending on the severity of the infringement.

The AEPD does not only act on its own initiative: most sanctioning procedures are opened after a complaint from an individual or the notification of a poorly managed security breach. Having the system documented and operational before an incident happens is, in practice, the difference between a penalty and a dismissed file.

24h
AEPD notification
0h

Breach detection

Direct channel, no form. A real person during business hours; on-call cover at all other times.

+2h

Classification and containment

Team activates the documented procedure and contains the incident.

+12h

Impact analysis

Personal data involved? How many individuals affected? Special category data?

+24h

Notification decision

Where applicable: notification to the data protection authority within 72 hours and to affected individuals without undue delay.

The GDPR LOPDGDD process.

The process · four stages
01

Diagnosis

We audit personal data processing as it actually happens day to day — not as described in inherited documentation — and identify gaps, risks and priorities for action.

02

Design

We draft the records of processing activities, privacy policies, information clauses and response procedures. Living documents, written for the real business, not downloaded templates.

03

Implementation

Staff training, a security breach drill and operational templates tested before the system is declared active: nothing is delivered without checking that it actually works.

04

Maintenance

Ongoing review of the records and of processor agreements, an annual audit with a written record, and immediate response to any incident or AEPD request.

What is included

What GDPR LOPDGDD includes.

The operational detail: what we deliver as part of the engagement and what we keep active afterwards.

  • Records of processing activities

    The master document under Article 30 GDPR: every processing activity, its purpose, legal basis, data categories, third-party disclosures and retention periods.

  • Privacy policy and contractual clauses

    Legal notice, privacy policy, information clauses for staff, clients and suppliers, drafted to meet the information duty of Articles 13 and 14 GDPR.

  • Processor agreements

    Review and drafting of the agreements required by Article 28 GDPR with any supplier that accesses personal data: software, accounting firms, cloud services, IT maintenance.

  • DPIA · impact assessment

    For high-risk processing activities under the criteria of the European Data Protection Board (art. 35 GDPR): extensive video surveillance, automated profiling, large-scale processing of special categories of data.

  • Breach management channel

    Operational procedure for detection, containment, risk assessment and, where applicable, notification to the AEPD within 72 hours (art. 33) and communication to affected individuals when the risk is high (art. 34).

  • Handling data subjects' rights

    Procedure and response templates for access, rectification, erasure, objection, portability and restriction, within the timelines of Article 12 GDPR.

  • Staff training

    Sessions tailored to each role, with in-house material and an assessment test. Eligible for FUNDAE subsidised training where the company contributes to the fund.

  • Annual compliance audit

    A full review once a year, with a written record and a corrective action plan, so you reach any inspection or client due diligence with the work already done.

Regulatory framework

The regulatory framework.

The European GDPR and the Spanish LOPDGDD coexist and complement each other.

EU GDPR Applicable to this service
ES LOPDGDD Applicable to this service
AEPD Guidance Applicable to this service
EDPB Guidelines Applicable to this service

Frequently asked questions about GDPR LOPDGDD.

Do all companies have to comply with the GDPR?

Yes. The GDPR applies to any organisation, public or private, large or small, that processes personal data of individuals within the European Union. There is no turnover or headcount threshold that exempts compliance; what varies is the scale of the specific obligations depending on the risk of the processing.

How often does the record of processing activities need updating?

The record has no expiry date, but Article 30 GDPR requires it to be kept up to date. We review it annually and whenever a new processing activity is introduced — a different CRM, a new supplier, an additional online service.

What if we have a security breach?

We activate the channel in under 24 hours. We help you document the incident, assess whether notification to the AEPD is required within the 72-hour window of Article 33 GDPR and, if the risk is high, communicate with affected individuals under Article 34.

Do we need a DPO as an SME?

It depends on the sector. In healthcare, education, religious entities and other sectors listed in Article 34 LOPDGDD, yes, regardless of size. Outside those cases, it's recommended but not mandatory. We clarify this in the initial diagnosis and, where relevant, cover it with our outsourced DPO service.

What is the difference between the GDPR and the LOPDGDD?

The GDPR is a European regulation directly applicable since 2018; the LOPDGDD is the Spanish law that develops it, sets out the cases where a DPO is mandatory, regulates specific matters such as workplace video surveillance, and establishes the national penalty regime. They apply together, not as alternatives.

How long does GDPR adequacy take?

For a medium-sized SME with typical processing activities (clients, staff, suppliers), full adequacy usually takes between four and eight weeks. For organisations with more complex processing — healthcare centres, schools, companies handling large volumes of client data — the timeline can extend.

Does the GDPR also apply to my employees' data?

Yes. Processing personnel data (payroll, time tracking, workplace video surveillance, corporate email) is subject to the GDPR and, in the case of video surveillance and time tracking, to specific LOPDGDD rules on digital rights in the workplace.

What if a large client asks us for a data protection audit?

It's one of the most common reasons an SME speeds up its GDPR adequacy: more and more large companies require suppliers to prove GDPR compliance before signing or renewing a contract. With the system documented, that audit is resolved in days, not weeks.

Is GDPR adequacy the same as hiring an outsourced DPO?

No, they are different pieces of the same silo. GDPR adequacy builds the full system (records, policies, contracts, training); the outsourced DPO is the supervisory and AEPD-liaison role required by Article 37 GDPR in certain cases. Many organisations start with adequacy and add the DPO when their sector requires it or when they want to strengthen the system.

What about data we were already processing before hiring the service?

It's incorporated into the records of processing from the initial diagnosis, just like any new processing activity. There's no need to start from scratch: we start from what the organisation already processes and document and correct it where needed, without stopping the activity while it's adjusted.