Feb 2025

Spain

Law Over Borders Comparative Guide: Data Protection

Introduction

Data protection in Spain is governed by a solid legal framework that includes the European Union’s (EU) General Data Protection Regulation (GDPR) and Spanish Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). The GDPR, effective since May 25, 2018, establishes uniform data protection standards across all EU Member States, ensuring a high level of protection for personal data and granting individuals significant rights over their information. The LOPDGDD, effective since December 6, 2018, complements the GDPR by adapting its provisions to the Spanish context and adding specific digital rights, such as the right to digital education and the right to digital disconnection in the workplace.

The Spanish Data Protection Agency (AEPD) is the independent supervisory authority responsible for enforcing data protection laws in Spain. The AEPD provides guidance, handles complaints, and has the authority to impose sanctions for non-compliance with data protection regulations. 

1. What national laws regulate the collection, use and disclosure of personal data?

In Spain, the collection, use, and disclosure of personal data are primarily regulated by: 

  • The Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD). This law complements the GDPR and adapts its provisions to the Spanish legal framework. It includes specific regulations on data protection, digital rights, and additional measures to ensure the protection of personal data in Spain. The LOPDGDD addresses national concerns and introduces rights such as the right to digital education and the right to digital disconnection in the workplace.
  • Law 34/2002 on Information Society Services and Electronic Commerce (LSSI). This law regulates various aspects of electronic commerce and information society services, including certain data protection requirements related to electronic communications and online services. It ensures that service providers comply with data protection standards when offering digital services.
  • Law 11/2022, of June 28, on General Telecommunications (LGT). This law regulates privacy issues such as the use of communication data for commercial purposes, the use of location data or the possibility of using subscriber number directories for commercial purposes.
  • Sector-specific laws regulating healthcare, insurance, video surveillance, advertising, etc. (e.g., Law 41/2002, of November 14, the basic law regulating patient autonomy and rights and obligations regarding clinical information and documentation, and Law 20/2015, of July 14, on the regulation, supervision, and solvency of insurance and reinsurance entities).

2. To whom do the laws apply?

According to its Article 2, the LOPDGDD applies to any processing of personal data that is fully or partially automated, as well as to non-automated processing of personal data that is contained or intended to be contained in a personal data file. 

The scope of application excludes: 

  • The processing conducted by an individual in the context of purely personal or household activities. This encompasses, for instance, personal directories or address books, family and friends’ photo albums, family accounting records, home videos, lists for family celebration invitations, and similar activities. However, if the data were to be shared on a social network without access restrictions, or used for commercial, political, judicial, or other purposes, its use would automatically be subject to the requirements established by data protection regulations.
  • The processing of personal data carried out for purposes of national security and defence. 
  • The processing of personal data carried out by competent authorities for the purposes of the prevention, investigation, detection, or prosecution of criminal offences or the execution of criminal penalties. 
  • The processing of personal data in the context of activities related to Spain’s foreign policy.

Regarding the data of deceased persons, the GDPR does not apply as stated in its recital 27. Nevertheless, even though this category of data is not regarded as personal data, Article 3 of the LOPDGDD provides a framework for heirs or related individuals to oversee the management of this data, in accordance with the instructions, if any, left by the deceased.

3. What is the territorial scope of the law?

The LOPDGDD does not contain a specific provision regarding its territorial scope. However, its territorial reach is indirectly determined by the GDPR, which the LOPDGDD complements and develops. 

The territorial scope of the LOPDGDD is governed by the criteria established in Article 3 of the GDPR, which states that the LOPDGDD applies to:

  • The processing of personal data in the context of the activities of an establishment of a controller or processor in the EU, regardless of whether the processing takes place in the EU or not.
  • The processing of personal data of data subjects who are in the EU by a controller or processor not established in the EU, where the processing activities are related to: 
    • the offering of goods or services to such data subjects in the EU, irrespective of whether a payment is required; and 
    • the monitoring of their behaviour as far as their behaviour takes place within the EU.
  • The processing of personal data by a controller not established in the EU, but in a place where Member State law applies by virtue of public international law.

It is important to note that the LOPDGDD applies to these processing activities in so far as it develops or complements the provisions of the GDPR.

4. What acts and operations relating to personal data are regulated?

The LOPDGDD complements the GDPR by providing more specific regulations and clarifications in certain areas, such as guiding principles, consent and the legal basis for processing, data subjects’ rights, data controller and processor responsibilities, the appointment and responsibilities of the Data Protection Officer (DPO), international data transfers, the powers of the Spanish Data Protection Agency (AEPD) and the sanctioning regime.

5. What personal data does the law regulate?

The LOPDGDD regulates the processing of personal data, which, according to the European Commission, is defined as any information relating to an identified or identifiable natural person. This includes identification data such as name, surname, national identity number, financial or health information, and special categories of personal data like ethnic or racial origin, political opinions, and biometric data, among others.

Even if personal data has been encrypted or pseudonymised, it still falls within the scope of the LOPDGDD if it can be used to re-identify an individual. However, personal data that has been anonymised in such a way that the individual is no longer identifiable is no longer considered personal data. For data to be truly anonymised, the process must be irreversible.

6. Are any types of personal data subject to a higher level of protection under the law?

The LOPDGDD, in accordance with GDPR, establishes a general prohibition for the processing of sensitive data (personal data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, and the processing of genetic data, biometric data intended to uniquely identify a natural person, data concerning the health or data concerning the sex life or sexual orientation of a natural person), unless one of the exceptions provided is met, such as obtaining explicit consent, fulfilling legal obligations, protecting vital interests, conducting legitimate activities by non-profit organisations, addressing substantial public interest, or for medical purposes.

However, in its Article 9, it is established that, to avoid discriminatory situations, the mere consent of the data subject will not be sufficient to lift the prohibition on the processing of data whose main purpose is to identify their ideology, trade union membership, religion, sexual orientation, beliefs or racial or ethnic origin.

When processing involves sensitive data, data relating to criminal convictions or offences, or data that allows determining a person’s financial situation or solvency or inferring information related to sensitive data, it is necessary to conduct a privacy impact assessment. In this regard, the AEPD has published the Risk Management and Personal Data Processing Impact Assessment Guide, which offers a framework for identifying, evaluating, and mitigating risks associated with personal data processing.

7. What requirements must be fulfilled in order to process personal data?

Before processing any personal data in Spain, it is necessary to consider that each data processing must be carried out in accordance with the guiding principles set out in Article 5 of the GDPR, such as lawfulness, fairness, and transparency, purpose limitation, data minimisation, accuracy, storage limitation, and confidentiality. 

Regarding consent as a legal basis for processing, the LOPDGDD specifies that consent for processing the data of minors is valid starting at the age of 14.

8. What obligations apply when processing personal data?

Each data processing in Spain must be carried out in accordance with the obligations established in the GDPR such as implementing appropriate security measures to protect the data, respecting and facilitating the data subjects’ rights, notifying of data breaches, demonstrating compliance with the GDPR and LOPDGDD and ensuring that transfers outside the EU comply with legal safeguards such as standard contractual clauses or adequacy decisions. 

In addition to these obligations, the LOPDGDD introduces specific provisions that must be considered: 

  • The concept of “data blocking”, which refers to the obligation to retain certain personal data in a restricted manner when it is no longer needed for the purposes for which it was collected but must be kept to comply with legal obligations, such as addressing potential liabilities arising from the processing. During this period, access to the data is limited to specific individuals for legal purposes, and the data cannot be used for other purposes. The data is retained only as long as necessary to meet these obligations and must be deleted afterwards.
  • A clearer specification of the cases in which it is mandatory to appoint a DPO, such as professional associations, educational institutions, insurance companies, and investment service firms.
  • Specific rules for video surveillance in the workplace, requiring proportional use and justification for security reasons. Employees must be informed about the cameras through visible signs, cameras cannot be placed in areas that compromise privacy, such as locker rooms or restrooms, and recordings must be deleted within one month unless needed for an investigation.
  • A mandate that whistleblowing systems maintain the confidentiality of whistleblowers and others involved. These systems should only handle reports of workplace misconduct, collecting only relevant and necessary information. In addition, affected individuals have the right to be informed about reports, as long as the investigation is not compromised, and can access, correct, or delete their personal data if it is inaccurate or irrelevant.

9. What rights does the data subject have in relation to personal data?

The LOPDGDD includes the GDPR’s data subject rights, such as transparency, access, rectification, erasure, restriction, data portability, objection, and protection against solely automated decisions, including profiling. However, it introduces specific digital rights such as internet access, digital education, privacy in the use of digital services, digital disconnection, security in digital communications, neutrality of the internet, protection of minors on the internet, the right to be forgotten in internet searches, privacy from the use of video surveillance, sound recording devices and the use of geolocation systems in the workplace and digital inheritance. 

In accordance with the provisions of the AEPD, when these rights are exercised, the data controller must respond within one month from the receipt of the request, which can be extended by two additional months if necessary, taking into account the complexity and number of requests. If extended, the controller will inform the data subject of such extensions within one month from the receipt of the request, indicating the reasons for the delay. 

In addition, the data controller cannot charge for processing these requests unless they are manifestly unfounded or excessive, in which case they may charge a reasonable fee based on administrative costs or refuse to act on the request. However, the burden of demonstrating that the request is unfounded or excessive lies with the data controller.

10. What rules regulate the sending of commercial or direct marketing communications?

In Spain, the regulation of commercial or direct marketing communications is primarily governed by the following laws: the GDPR; the LOPDGDD; the Spanish Law 34/2002, of July 11, on Information Society Services and Electronic Commerce (LSSI); and the Spanish Law 11/2022, of June 28, on General Telecommunications (LGT). These laws establish rules to protect individuals from unsolicited commercial communications while ensuring the right to business marketing activities.

Electronic communications

  • Prohibition without consent. Article 21 of the LSSI prohibits sending commercial communications via email or equivalent electronic means (e.g., SMS) without the recipient’s prior consent.
  • Right to revoke consent. Recipients can revoke their consent at any time. Each communication must include a free and simple method for doing so, such as a link or an email address.
  • Exceptions to consent. These include situations where:
    • there is a prior contractual relationship; 
    • the recipient’s contact details were lawfully obtained; 
    • the communication relates to similar products or services; and 
    • an option to opt out is provided in every communication.

Commercial calls

  • Consent-based regime (opt-in). Article 66.1(b) of the LGT requires explicit consumer consent for commercial calls, shifting from an opt-out to an opt-in model.
  • Exceptions. Where:
    • other legal bases under Article 6.1 of the GDPR apply; and 
    • a prior contractual relationship exists, provided data was lawfully collected, and the call concerns similar products and calls occur within one year of the last interaction. 

The Spanish Data Protection Agency (AEPD), through Circular 1/2023, clarified that legitimate interest may justify calls if a positive balancing test is conducted. Article 66 applies universally to all data controllers making commercial calls, prioritising consumer rights.

Postal mail

There is no specific regulation that exclusively governs the sending of commercial communications via regular postal mail. However, this does not mean that such activities are unregulated. Instead, they fall under broader data protection and consumer protection laws. 

In this regard, there are no restrictions beyond the fact that the data must be processed legitimately.

11. What rules and requirements regulate the transfer of personal data outside your jurisdiction?

The LOPDGDD specifies that international data transfers are regulated by the GDPR’s provisions. In this regard, the AEPD has not introduced any additional specific rules for international data transfers beyond those set by the GDPR. Instead, the AEPD has concentrated on offering guidance and recommendations to assist organisations in complying with the GDPR and LOPDGDD requirements related to international transfers.

12. What are the investigatory and enforcement powers of the regulator?

In accordance with Articles 47 to 49 of the LOPDGDD, the AEPD has extensive investigatory and enforcement powers to ensure compliance with data protection regulations. 

Investigatory powers

These include:

  • Requesting information from data controllers and processors to assess compliance with data protection laws. This includes details about data processing activities, security measures, and data protection impact assessments.
  • Conducting audits and inspections of organisations to ensure they are adhering to data protection regulations. These audits can be routine or triggered by specific concerns or complaints.
  • Reviewing certifications and seals of approval related to data protection to verify that organisations meet the required standards.
  • Notifying alleged infringement: if the AEPD identifies potential violations of data protection laws it can formally notify the concerned parties and initiate further investigation or corrective actions.
  • Accessing personal data and necessary information to perform its regulatory functions, ensuring that organisations are transparent and co-operative.
  • Accessing premises of data controllers and processors to gather evidence and assess compliance with data protection obligations. 

Enforcement powers

These include:

  • Issuing warnings and reprimands to organisations that are found to be in breach of data protection laws, serving as a preliminary step before more severe actions.
  • Ordering organisations to comply with data subject rights, such as access, rectification, erasure, and objection, ensuring individuals’ rights are respected.
  • Requiring organisations to modify their data processing activities to align with legal requirements, such as changing data collection practices or enhancing security measures.
  • In the event of a data breach, the AEPD can compel organisations to notify affected individuals and the agency itself, ensuring transparency and accountability.
  • Restricting or prohibiting certain data processing activities if they are deemed non-compliant or pose a risk to individuals’ rights and freedoms.
  • Instructing organisations to correct inaccurate data or delete data that is unlawfully processed or no longer necessary.
  • Revoking any data protection certifications or seals of approval previously granted.
  • Imposing administrative fines on organisations that violate data protection laws.
  • Suspending the transfer of personal data to countries or organisations outside the EU that do not provide adequate data protection, safeguarding individuals’ data from inadequate protection levels.
13. What are the sanctions and remedies for non-compliance with data protection laws?

Sanctions

Articles 72, 73 and 74 of the LOPDGDD define offences in accordance with the provisions set forth in the GDPR. However, in order to comply with the rules of administrative sanctioning law, three categories of offences have been established: 

  • Minor, which can carry administrative fines up to EUR 40,000. 
  • Serious, which can carry administrative fines between EUR 40,001 and EUR 300,000. 
  • Very serious, which can carry administrative fines exceeding EUR 300,001.

Sanctions are imposed based on the severity of the infraction, the harm caused, intent, and other mitigating or aggravating circumstances.

Article 78 of the LOPDGDD establishes the limitation periods for infringements and sanctions, commencing on the date of the infringement. The following periods are applicable:

  • For minor infringements, the statute of limitations period is one year.
  • For serious infringements, the period is two years.
  • For very serious infringements, the period is three years.

Remedies

In Spain, remedies for non-compliance with data protection laws include: 

  • administrative fines, which can be substantial; 
  • formal warnings;
  • orders to comply with specific provisions; 
  • suspension of data processing activities; 
  • infringement notification orders; 
  • withdrawal of certifications; and 
  • compensation for damages to affected individuals. 

In addition, data subjects can take legal action for injunctive relief and damages, and authorities can make sanctions public to prevent non-compliance and protect individuals’ right to privacy.
