Spain data protection act

Jurisdictions

Select all jurisdictions in Asia-Pacific

Select all jurisdictions in Oceania

Select all jurisdictions in Micronesia (Federated States of)

Select all jurisdictions in Australia

Select all jurisdictions in Kazakhstan

Select all jurisdictions in EU - International

Select all jurisdictions in Qatar

Select all jurisdictions in UAE

Select all jurisdictions in China

Select all jurisdictions in Germany

Select all jurisdictions in Europe

Select all jurisdictions in Caribbean

Select all jurisdictions in CIS

Select all jurisdictions in USA

Select all jurisdictions in Latin America

Select all jurisdictions in Middle East

Select all jurisdictions in Africa

Select all jurisdictions in Canada

• Ask an Analyst
• Report technical issue

Select all jurisdictions in Asia-Pacific

Select all jurisdictions in Oceania

Select all jurisdictions in Micronesia (Federated States of)

Select all jurisdictions in Australia

Select all jurisdictions in Kazakhstan

Select all jurisdictions in EU - International

Select all jurisdictions in Qatar

Select all jurisdictions in UAE

Select all jurisdictions in China

Select all jurisdictions in Germany

Select all jurisdictions in Europe

Select all jurisdictions in Caribbean

Select all jurisdictions in CIS

Select all jurisdictions in USA

Select all jurisdictions in Latin America

Select all jurisdictions in Middle East

Select all jurisdictions in Africa

Select all jurisdictions in Canada

Spain

Summary

Law: Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) (LOPDGDD) and General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Summary: The LOPDGDD, while implementing the GDPR in the Spanish legal system, also derogates in areas such as the appointment of data protection officers, digital rights in the working environment, and whistleblowing schemes. In addition, the AEPD is one of the most active authorities in Europe in terms of issuing enforcement actions and responding to data subjects' complaints and requests. The AEPD has imposed several administrative penalties in cases affecting multinational organizations from different business sectors, as well as small to medium-sized enterprises and private subjects. Furthermore, the AEPD has also issued substantive guidance on a range of key compliance areas, such as the use of cookies, data transfers mechanisms, and Data Protection Impact Assessment ('DPIA') requirements, providing organizations with both a blacklist and a whitelist in relation to DPIAs.