Diagnosis
We audit personal data processing as it actually happens day to day — not as described in inherited documentation — and identify gaps, risks and priorities for action.
Implementation and ongoing maintenance of the data protection framework — the General Data Protection Regulation (EU) 2016/679 and Spain's Organic Law 3/2018 (LOPDGDD) — with living templates, a real breach channel and staff training. A service that works from day 1, not a folder of documents nobody opens again.
The difference between a company that complies with the GDPR and one that merely holds GDPR paperwork shows up the day a breach happens. The first has a procedure, a channel and a person; the second has a generic inbox and a folder untouched since the initial audit.
We work with the business as it actually operates: we map processing activities as they happen, not as written in the template that came with the management software, and we build the system on that reality. What we deliver is a framework that evolves with the company: documents that change when processes change, periodic training, breach drills and continuous review — not a PDF signed once and forgotten.
When an AEPD inspection arrives, or a large client asks for a supplier audit, the work is already done. And when a security breach happens — because sooner or later it does — you know exactly who to call and in what order to act.
The General Data Protection Regulation (EU) 2016/679 has applied directly across the European Union since 25 May 2018 and covers any organisation, public or private, that processes personal data of individuals, regardless of its size or turnover. There is no threshold of staff or revenue that exempts an organisation from compliance: a freelancer with three clients and a multinational are subject to the same text, even though the scale of their obligations — and the real risk — differs greatly.
Spain's Organic Law 3/2018 on Data Protection and Digital Rights Guarantee (LOPDGDD) develops the GDPR within Spanish law: it sets out the cases where a mandatory DPO must be appointed (art. 34), regulates video surveillance (art. 22), marketing opt-out systems, the data of deceased persons, and digital rights in the workplace, and establishes the national penalty regime (arts. 70–78) aligned with the tiers of Article 83 GDPR. The Spanish Data Protection Agency (AEPD) is the competent supervisory authority in Spain and the body that resolves complaints, opens sanctioning procedures, and publishes the sector's reference guidance.
For an SME, complying with the GDPR and the LOPDGDD means, in practice, five things: knowing what personal data it processes and on what legal basis (art. 6), documenting it in a record of processing activities (art. 30), correctly informing individuals (arts. 13–14), keeping a handle on contracts with suppliers that access that data (art. 28), and being ready to respond to both a rights request and a security breach within the legal deadlines.
The GDPR is not solved with a single page or a single document: it is a management system made of specialised pieces that combine depending on the risk and sector of each organisation. This page is the starting point — the map of obligations — and from here we connect to the services that cover each specific front: the outsourced DPO when the appointment is mandatory or strengthens the system, security breach management, bringing video surveillance in line with Article 22 of the LOPDGDD, the procedure for handling data subjects' rights, and the sector variants for healthcare, education and local government.
Not every organisation needs the same pieces of the silo: a five-person consultancy will likely resolve its compliance with base-level adequacy plus a breach channel; a clinic or a school will almost certainly also need an outsourced DPO registered with the AEPD; and a town council or a company installing cameras on its premises adds the video surveillance piece. The initial diagnosis determines which combination applies to your specific case, without selling services that don't fit.
The penalty regime of Article 83 GDPR sets two tiers: up to €10 million or 2% of worldwide annual turnover for less serious infringements (incomplete records of processing, missing processor agreements, failure to appoint a DPO when mandatory), and up to €20 million or 4% of worldwide turnover for more serious ones (absence of a legal basis, breach of processing principles, systematic failure to honour rights). The LOPDGDD, in Articles 72 to 74, transposes these tiers into Spanish law and adds limitation periods depending on the severity of the infringement.
The AEPD does not only act on its own initiative: most sanctioning procedures are opened after a complaint from an individual or the notification of a poorly managed security breach. Having the system documented and operational before an incident happens is, in practice, the difference between a penalty and a dismissed file.
Breach detection
Direct channel, no form. A real person during business hours; on-call cover at all other times.
Classification and containment
Team activates the documented procedure and contains the incident.
Impact analysis
Personal data involved? How many individuals affected? Special category data?
Notification decision
Where applicable: notification to the data protection authority within 72 hours and to affected individuals without undue delay.
We audit personal data processing as it actually happens day to day — not as described in inherited documentation — and identify gaps, risks and priorities for action.
We draft the records of processing activities, privacy policies, information clauses and response procedures. Living documents, written for the real business, not downloaded templates.
Staff training, a security breach drill and operational templates tested before the system is declared active: nothing is delivered without checking that it actually works.
Ongoing review of the records and of processor agreements, an annual audit with a written record, and immediate response to any incident or AEPD request.
The operational detail: what we deliver as part of the engagement and what we keep active afterwards.
Records of processing activities
The master document under Article 30 GDPR: every processing activity, its purpose, legal basis, data categories, third-party disclosures and retention periods.
Privacy policy and contractual clauses
Legal notice, privacy policy, information clauses for staff, clients and suppliers, drafted to meet the information duty of Articles 13 and 14 GDPR.
Processor agreements
Review and drafting of the agreements required by Article 28 GDPR with any supplier that accesses personal data: software, accounting firms, cloud services, IT maintenance.
DPIA · impact assessment
For high-risk processing activities under the criteria of the European Data Protection Board (art. 35 GDPR): extensive video surveillance, automated profiling, large-scale processing of special categories of data.
Breach management channel
Operational procedure for detection, containment, risk assessment and, where applicable, notification to the AEPD within 72 hours (art. 33) and communication to affected individuals when the risk is high (art. 34).
Handling data subjects' rights
Procedure and response templates for access, rectification, erasure, objection, portability and restriction, within the timelines of Article 12 GDPR.
Staff training
Sessions tailored to each role, with in-house material and an assessment test. Eligible for FUNDAE subsidised training where the company contributes to the fund.
Annual compliance audit
A full review once a year, with a written record and a corrective action plan, so you reach any inspection or client due diligence with the work already done.
The European GDPR and the Spanish LOPDGDD coexist and complement each other.
GDPR cuts across systems and processes.
Yes. The GDPR applies to any organisation, public or private, large or small, that processes personal data of individuals within the European Union. There is no turnover or headcount threshold that exempts compliance; what varies is the scale of the specific obligations depending on the risk of the processing.
The record has no expiry date, but Article 30 GDPR requires it to be kept up to date. We review it annually and whenever a new processing activity is introduced — a different CRM, a new supplier, an additional online service.
We activate the channel in under 24 hours. We help you document the incident, assess whether notification to the AEPD is required within the 72-hour window of Article 33 GDPR and, if the risk is high, communicate with affected individuals under Article 34.
It depends on the sector. In healthcare, education, religious entities and other sectors listed in Article 34 LOPDGDD, yes, regardless of size. Outside those cases, it's recommended but not mandatory. We clarify this in the initial diagnosis and, where relevant, cover it with our outsourced DPO service.
The GDPR is a European regulation directly applicable since 2018; the LOPDGDD is the Spanish law that develops it, sets out the cases where a DPO is mandatory, regulates specific matters such as workplace video surveillance, and establishes the national penalty regime. They apply together, not as alternatives.
For a medium-sized SME with typical processing activities (clients, staff, suppliers), full adequacy usually takes between four and eight weeks. For organisations with more complex processing — healthcare centres, schools, companies handling large volumes of client data — the timeline can extend.
Yes. Processing personnel data (payroll, time tracking, workplace video surveillance, corporate email) is subject to the GDPR and, in the case of video surveillance and time tracking, to specific LOPDGDD rules on digital rights in the workplace.
It's one of the most common reasons an SME speeds up its GDPR adequacy: more and more large companies require suppliers to prove GDPR compliance before signing or renewing a contract. With the system documented, that audit is resolved in days, not weeks.
No, they are different pieces of the same silo. GDPR adequacy builds the full system (records, policies, contracts, training); the outsourced DPO is the supervisory and AEPD-liaison role required by Article 37 GDPR in certain cases. Many organisations start with adequacy and add the DPO when their sector requires it or when they want to strengthen the system.
It's incorporated into the records of processing from the initial diagnosis, just like any new processing activity. There's no need to start from scratch: we start from what the organisation already processes and document and correct it where needed, without stopping the activity while it's adjusted.