Practical Data Protection & GDPR Certification
Learn how to strengthen compliance processes, governance controls, and data protection practices.
If you run a small or medium-sized business in Spain, GDPR has always applied to you — and the AEPD has never hesitated to prove it.
The Spanish Data Protection Authority regularly fines SMEs. Video surveillance without proper notices, sending marketing emails without valid consent, ignoring a customer's data access request — these are not the violations of large corporations. They are the everyday compliance failures of businesses with five employees, twenty employees, a hundred employees. And they result in real sanctions.
So when the European Commission announced a major simplification package in November 2025 — one that specifically targets compliance relief for smaller businesses — it was significant news.
The proposal, known as the Digital Omnibus, includes targeted amendments to GDPR that would reduce certain administrative obligations for SMEs and smaller companies. If adopted, it will change how some of your current GDPR duties work in practice.
But here is the critical point that many businesses are missing: the Digital Omnibus has not become law. It is still working its way through the EU legislative process. The full GDPR applies to your business today, exactly as it always has.
This guide explains what the proposed changes are, what they actually mean for SMEs in Spain, what obligations have not changed and will not change — and what you should do right now, regardless of where the legislation lands.
For the complete overview of GDPR and how it applies across all business sizes, see our pillar guide: EU GDPR Compliance for Businesses: The Complete Guide (2026).
On 19 November 2025, the European Commission published a legislative package called the Digital Omnibus — a proposal to streamline, simplify, and consolidate the EU's digital regulatory framework, including targeted amendments to GDPR.
The driving force behind it was a recognition, supported by years of business feedback and a 2024 competitiveness review by former ECB President Mario Draghi, that the EU's cumulative digital regulation had become one of the most complex compliance environments in the world — and that smaller businesses were bearing a disproportionate share of the administrative burden.
Justice Commissioner Michael McGrath, presenting the package, was explicit: this was "not a reopening of the GDPR" and its "very core remains intact." Executive Vice-President Henna Virkkunen added that "simplification does not mean softening our standards."
What it does mean — if adopted — is that certain specific administrative obligations under GDPR would be lighter for smaller organisations. The changes are targeted and narrow, not sweeping.
The proposal is currently moving through the EU's ordinary legislative procedure, involving the European Parliament and the Council of the EU. Under the standard process, final adoption is expected sometime in mid-to-late 2026. Some provisions may change materially during negotiations. None of the proposed GDPR amendments are in force today.

The most significant proposed change for SMEs concerns the Record of Processing Activities, or ROPA.
Under the current GDPR (Article 30), every organisation that processes personal data must maintain a written record of all its processing activities — what data it collects, why, how long it keeps it, who it shares it with, and what security measures are in place. This record is called the ROPA, and it is one of the primary tools regulators use when conducting inspections.
There is currently a partial exemption for organisations with fewer than 250 employees. Those organisations do not need to maintain a ROPA unless their processing is likely to pose a risk to individuals' rights, their processing is not occasional, or they handle special categories of sensitive data (such as health information, biometric data, or criminal records).
In practice, this exemption is much narrower than most small businesses realise. If you have employees, you are processing HR data regularly — that makes the processing non-occasional. If you have any kind of CRM or marketing system, the same applies. Most SMEs that believe they are exempt from the ROPA requirement are not.
The Digital Omnibus proposes expanding this exemption significantly. The proposal would raise the employee threshold from 250 to 750 employees — meaning organisations with fewer than 750 employees would qualify for the exemption, subject to the same conditions about high-risk processing. A separate Council position has proposed extending this even further, to organisations with fewer than 1,000 employees for certain categories.
Importantly, the EDPB and EDPS — the EU's data protection oversight bodies — issued a joint opinion in July 2025 broadly welcoming the proposal while emphasising that the exemption would not eliminate record-keeping entirely. Organisations would still need to maintain records for any processing that is "likely to result in a high risk" to data subjects. This includes large-scale employee monitoring, processing health or biometric data, and systematic profiling.
The EDPB's Chair, Anu Talus, framed the change clearly: it offers greater flexibility for SMEs to "choose the most appropriate method to be compliant" — not a route to skip compliance entirely.
What this means for your business right now: The ROPA exemption expansion is not law. If your business has fewer than 250 employees and your processing genuinely meets the existing exemption conditions, you already benefit from partial relief. If you are not sure whether you qualify, assume you need a ROPA — because the AEPD will.

The Digital Omnibus also introduces a new category: Small Mid-Cap Companies, or SMCs. These are businesses that exceed the standard SME thresholds but are not large enterprises — specifically, companies with fewer than 750 employees and either an annual turnover not exceeding €150 million or a balance sheet total not exceeding €129 million.
Currently, certain GDPR compliance tools — such as codes of conduct and certification mechanisms — are designed with SME needs in mind. The proposal would extend this consideration to SMCs, ensuring that compliance support mechanisms account for the realities of slightly larger businesses that still lack the resources of major corporations.
The existing GDPR provisions requiring data protection authorities and industry bodies to develop codes of conduct and certification mechanisms currently specify that the particular needs of SMEs must be taken into account. The Digital Omnibus proposes extending this to SMCs as well, so that compliance frameworks developed under GDPR are designed to be workable for a broader range of business sizes.
This point is critical for any SME reading this guide.
The Digital Omnibus does not propose changes to:
Every obligation that matters for day-to-day compliance in your business remains exactly as it is.

While the legislative process plays out, here is what applies to your business today.
Before collecting or using any personal data, your business must be able to identify and document which of the six lawful bases under GDPR applies. For most SMEs, the most relevant are consent, contract, legal obligation, and legitimate interests. Defaulting to consent for everything is one of the most common and costly mistakes — consent must be freely given, specific, and as easy to withdraw as to give.
Every customer, website visitor, employee, or supplier whose personal data you collect has the right to be informed — clearly, in plain language — about what data you collect, why you collect it, how long you keep it, who you share it with, and how they can exercise their rights. A privacy policy copied from another website or left unchanged since 2018 is not GDPR-compliant. The AEPD enforces transparency obligations actively.
Any individual whose personal data you hold can submit a Subject Access Request (SAR) asking for a copy of all the data you hold on them. They can also ask you to correct, delete, or stop processing their data. You must respond within one month. Failing to respond — or responding incorrectly — is a standalone GDPR violation, and one the AEPD fines regularly.
Every external service you use that processes personal data on your behalf — your cloud hosting provider, your CRM platform, your email marketing tool, your payroll system, your IT support company — requires a Data Processing Agreement (DPA). If you do not have signed DPAs in place, you are in breach of GDPR right now, regardless of the size of your business.
If a personal data breach occurs — a hacked email account, a misdirected email containing customer data, a stolen laptop, a misconfigured cloud folder — you may have 72 hours from the point of awareness to notify the AEPD. You also need to notify affected individuals directly if the breach poses a high risk to their rights. Without a documented plan for detecting, assessing, and reporting breaches, meeting this deadline is nearly impossible.
Businesses operating in Spain must comply not only with GDPR but also with Spain's national data protection law, the LOPDGDD (Ley Orgánica 3/2018). This law adds obligations that go beyond the GDPR baseline — including the requirement to appoint a Data Protection Officer in specific sectors regardless of company size, specific rules on employee monitoring and digital workplace rights, and a minimum age of digital consent set at 14 rather than the EU default. For a full breakdown of both laws and how they interact, see: GDPR vs. Spain's LOPDGDD: Understanding Both Laws and Why Your Business Must Comply With Both.
Whether your business needs a Data Protection Officer (DPO) is one of the most frequently asked questions from smaller businesses in Spain — and one the Digital Omnibus does not resolve.
Under GDPR, a DPO is mandatory if your organisation is a public authority, carries out large-scale systematic monitoring of individuals, or processes special categories of sensitive data on a large scale. For many small businesses, this threshold is not met under GDPR alone.
However, Spain's LOPDGDD extends the mandatory DPO requirement to specific sectors regardless of company size. If your business operates in any of the following sectors, you are required to appoint a DPO even as a micro-SME:
There is no minimum employee count for these sectors. A sole trader running a private tutoring academy in Spain must appoint a DPO. The AEPD has confirmed this position explicitly. For everything you need to know about the DPO requirement in Spain, see: Do You Need a Data Protection Officer (DPO) in Spain? The Rules Just Changed for SMEs.

Some business owners assume the AEPD focuses only on large corporations and that small businesses operate below its radar. The enforcement record says otherwise.
The AEPD regularly fines businesses with fewer than 10 employees. A gym fined €27,000 for requiring customers' fingerprints for access without a DPIA. A small employer fined for installing a keylogger on staff computers without transparency. A local business fined for CCTV footage shared without consent. These are not exceptional cases — they are routine enforcement actions that appear in AEPD decisions every month.
As of September 2025, Spain had issued over 1,021 GDPR fines totalling approximately €120.7 million — more than any other EU country. The high volume of complaints (18,855 in 2024 alone) means violations at every business size are regularly brought to the AEPD's attention by individuals. A fine does not have to follow a formal inspection — a single complaint from a customer or former employee is enough to trigger a formal investigation.
For the full picture of how Spain's enforcement compares to the rest of the EU and what patterns of violations draw the most penalties, see: Why Spain Issues More GDPR Fines Than Almost Any Other EU Country.

Given that the Digital Omnibus is not yet law — and may change before it is — the most sensible approach for any SME in Spain is to build your compliance foundation on the current rules, not on proposed future relief.
Here is a practical starting framework:
Step 1 — Conduct a data audit. Identify every category of personal data your business collects, where it is stored, how long you keep it, and who has access to it. This is the foundation of a ROPA and the starting point for every other compliance decision.
Step 2 — Identify your lawful basis for each type of processing. Document which lawful basis you rely on for collecting customer data, employee data, marketing lists, and any other processing activity. Do not default to consent unless it genuinely applies.
Step 3 — Review your privacy notices. Audit your website privacy policy, cookie banner, employee data notice, and any other privacy communications to ensure they are accurate, complete, and written in plain language.
Step 4 — Put Data Processing Agreements in place. List every third-party service that processes personal data on your behalf and check whether a signed DPA exists. If not, request one.
Step 5 — Create a breach response procedure. Assign responsibility for detecting and escalating a potential data breach. Document the steps for assessing severity and notifying the AEPD within 72 hours if required.
Step 6 — Decide on your DPO position. Assess whether your sector requires a mandatory DPO under the LOPDGDD. If not mandatory, assess whether your processing activities — particularly if you handle employee data, customer health information, or marketing at scale — make a DPO or external privacy consultant advisable.
Step 7 — Train your team. Every person in your business who handles personal data needs to understand the basics — what counts as personal data, how to recognise a breach, who to report it to, and what rights customers have. Staff training is itself an accountability requirement under GDPR.

The EU Digital Omnibus represents a genuine shift in how Brussels views the compliance burden on smaller businesses. If adopted as proposed, the ROPA exemption expansion alone will reduce administrative work for hundreds of thousands of SMEs across the EU.
But "coming soon" is not the same as "now." The AEPD does not pause enforcement while legislation is negotiated. Its complaint inbox remains open. Its inspection programme continues. Its fine calculator does not have a "pending reform" discount.
The businesses that will benefit most from the Digital Omnibus simplifications are the ones that have already built a solid compliance foundation — because they will have less to adjust, not more to catch up on.
If your SME has been waiting for GDPR to get easier before getting started, the honest answer is: do not wait.
The EU GDPR Compliance and Data Protection for Businesses course from Spanish Compliance Institute is built specifically for this. Five structured modules take you from foundational GDPR principles through to advanced compliance, risk assessment, and the LOPDGDD requirements that apply specifically in Spain. It includes 18 downloadable compliance templates you can begin using immediately — not after some future legislative deadline.