SecurePrivacy Logo

Spanish Organic Law on Data Protection (LOPDGDD)

View Law Text
Maximum Fine
€20M or 4%
Scope
National
Regulator
AEPD
Framework
GDPR

Need Help with Spanish Organic Law on Data Protection (LOPDGDD) Compliance?

Get expert guidance on implementing Spanish data protection requirements and ensuring ongoing compliance for your organization.

Get Expert Help

Overview

The Organic Law on Data Protection and Digital Rights Guarantee (LOPDGDD) implements and supplements the GDPR in Spain, establishing specific national requirements and introducing new digital rights.

Key Facts

  • Enacted in 2018 to align with GDPR
  • Enforced by Spanish Data Protection Agency (AEPD)
  • Includes specific digital rights guarantees

Key Principles

Lawfulness and Transparency

Personal data must be processed lawfully, fairly, and transparently.

Requirements

  • Valid legal basis for processing
  • Clear privacy notices
  • Transparent processing activities
  • Documentation of legal grounds
  • Regular compliance reviews

Examples

  • Privacy notices on websites
  • Consent management systems
  • Processing records
  • Documentation of legal bases

Digital Rights Protection

Special protection for digital rights including internet access and digital legacy.

Requirements

  • Digital rights guarantees
  • Internet neutrality protection
  • Digital education access
  • Digital legacy management
  • Digital inclusion measures

Examples

  • Digital rights policies
  • Internet access procedures
  • Digital education programs
  • Legacy management systems

Spanish-Specific Requirements

Additional requirements specific to Spanish data protection law.

Requirements

  • Data blocking procedures
  • Credit information systems
  • Digital guarantees system
  • Whistleblowing channels
  • Video surveillance rules

Examples

  • Blocking procedures
  • Credit reporting policies
  • Whistleblowing systems
  • CCTV policies

Compliance Requirements

Data Protection Officer

Requirements for appointing and maintaining a Data Protection Officer position.

Implementation Steps

  • Assess DPO requirement
  • Appoint qualified DPO
  • Ensure independence
  • Provide resources
  • Document activities

Required Documentation

  • DPO appointment letter
  • Qualification records
  • Activity reports
  • Training certificates
  • Resource allocation

Processing Records

Maintenance of records of processing activities under Article 30.

Implementation Steps

  • Document processing activities
  • Map data flows
  • Update regularly
  • Review compliance
  • Maintain records

Required Documentation

  • Processing records
  • Data flow diagrams
  • Review logs
  • Update history
  • Compliance reports

Risk Assessment

Requirements for assessing and managing privacy risks.

Implementation Steps

  • Identify processing risks
  • Evaluate impact levels
  • Implement safeguards
  • Document assessments
  • Regular reviews

Required Documentation

  • Risk assessments
  • Impact evaluations
  • Mitigation plans
  • Review records
  • Update history

Enforcement & Penalties

Administrative Penalties

The Spanish Data Protection Agency (AEPD) can impose significant administrative fines for violations.

Penalty Categories

Very Serious Violations
Up to €20M or 4% of global revenue
For violations of basic principles or data subject rights
Serious Violations
Up to €10M or 2% of global revenue
For violations of technical and organizational measures
Minor Violations
Up to €100,000
For minor infractions and documentation issues

Example Cases

Vodafone España
€8.15 million
2023 - International data transfers and marketing violations
CaixaBank
€6 million
2022 - Processing personal data without proper legal basis

Additional Measures

The AEPD can impose various corrective measures beyond monetary penalties.

Penalty Categories

Processing Bans
Temporary or Permanent
Prohibition of specific processing activities
Corrective Orders
Mandatory Changes
Orders to bring processing into compliance
Public Warnings
Publication
Public disclosure of violations

Example Cases

Google Spain
Processing Ban
2023 - Ordered to cease specific data collection practices
Social Media Platform
Corrective Order
2022 - Required to modify privacy practices