
EU GDPR Compliance for Businesses: The Complete Guide (2026)


Elena Vasquez-Moretti


Spain issued more GDPR fines than any other EU country in 2024. The country's data protection authority — the AEPD — handed out a record €35.5 million in penalties that year alone, a 19% increase on the year before. And in January 2025, it was the highest-fining authority in the entire EU.

Those fines did not all go to large corporations. Small businesses, energy companies, insurance providers, and banks all received sanctions — many for violations that could have been avoided with basic compliance measures.

If your business operates in Spain, serves Spanish customers, or handles the personal data of anyone in the EU, GDPR compliance is not optional. But it does not have to be complicated either.

This guide covers everything you need to know about EU GDPR compliance for businesses in 2026 — in plain language, without legal jargon. By the end, you will understand what GDPR requires, what Spain's additional data protection law (the LOPDGDD) adds on top, and exactly where to start.

What Is GDPR — and Does It Apply to Your Business?

The General Data Protection Regulation (GDPR) is an EU law that sets the rules for how businesses collect, store, use, and protect personal data. It came into force in May 2018 and applies to any organisation that handles the personal data of people located in the EU — regardless of where the business itself is based.

That last point matters. A company based in Mexico, the United States, or the UK that has Spanish customers, runs a Spanish-language website, or processes data from EU residents must comply with GDPR. The regulation's reach is broad by design.

Personal data means any information that can identify a living person — names, email addresses, phone numbers, IP addresses, location data, cookie identifiers, and much more.

The businesses most commonly caught out are those that assume GDPR only affects large corporations, or that it only applies to companies physically based in the EU. Neither is true. If you collect a single email address from a customer in Spain, GDPR applies to you.

For a full breakdown of whether and how GDPR applies to your specific business, see our supporting guide: Why Spain Issues More GDPR Fines Than Almost Any Other EU Country.

The 7 Core Principles of GDPR

Everything in GDPR flows from seven core principles. Think of these as the foundation — every obligation in the regulation is built on top of them.

1. Lawfulness, fairness, and transparency. You must process personal data legally, treat people fairly, and be open about what you do with their data.

2. Purpose limitation. You can only use data for the specific purpose you collected it for. If a customer gives you their email to receive an invoice, you cannot start sending them marketing emails without separate consent.

3. Data minimisation. Only collect the data you actually need. If a name and email address will do, do not ask for a date of birth, phone number, and home address as well.

4. Accuracy. Keep personal data accurate and up to date. If a customer updates their address, your records should reflect that.

5. Storage limitation. Do not keep personal data longer than necessary. Define retention periods for different types of data and stick to them.

6. Integrity and confidentiality. Protect personal data from unauthorised access, loss, or destruction through appropriate security measures.

7. Accountability. This is the principle that catches many businesses off guard. You must not only comply with GDPR — you must be able to prove you comply. That means documentation, policies, and records.

[Infographic: the seven core GDPR principles, including transparency, data minimisation, security, and accountability]

Lawful Bases for Processing Personal Data

Before collecting or using any personal data, you must have a lawful basis for doing so. GDPR sets out six options. You must identify and document which one applies to each type of data processing you carry out.

Consent — The person has given clear, specific, and freely given permission. This is the most well-known basis but not always the most appropriate one. Consent must be as easy to withdraw as it was to give.

Contract — Processing is necessary to fulfil a contract with the individual, such as processing a customer's address to deliver an order.

Legal obligation — Processing is required to comply with a law, such as keeping payroll records for tax purposes.

Vital interests — Processing is necessary to protect someone's life. This applies in genuine emergencies and is narrow in scope.

Public task — Relevant mainly to public authorities carrying out official functions.

Legitimate interests — Your business has a genuine need to process data that outweighs the individual's privacy rights. This is flexible but must be documented through a Legitimate Interests Assessment, and it cannot override individuals' fundamental rights.

The most common mistake businesses make is defaulting to consent when another lawful basis would be more appropriate — and then struggling to maintain valid consent records. Choosing the right lawful basis from the start saves significant compliance work later.

For a full explanation of each basis with practical examples, see: GDPR Consent Rules in 2026: What Spanish Businesses Must Update Now.

Data Subject Rights — What Your Customers Can Demand From You

GDPR gives individuals — called data subjects — eight rights over their personal data. As a business, you are legally required to respect and facilitate these rights.

Right to be informed. People must know what data you collect, why, how long you keep it, and who you share it with. This is typically covered through your privacy policy and cookie banner.

Right of access. Anyone can request a copy of all the personal data you hold about them. You must respond within one month, free of charge. This is called a Subject Access Request (SAR).

Right to rectification. If someone's data is inaccurate or incomplete, they can ask you to correct it.

Right to erasure. Also known as the "right to be forgotten." In certain circumstances, individuals can ask you to delete their data. This right is not absolute — it does not apply if you have a legal obligation to retain the data.

Right to restrict processing. Individuals can ask you to pause the processing of their data while a dispute is being resolved.

Right to data portability. Where the individual provided the data themselves and you process it on the basis of consent or contract, they can request it in a machine-readable format to take elsewhere.

Right to object. Individuals can object to their data being used for direct marketing. This objection must always be honoured — no exceptions.

Rights related to automated decision-making. Individuals have the right not to be subject to decisions made solely by automated processes when those decisions have a significant effect on them.

Every business needs a clear internal process for handling these requests. Failing to respond within the required timeframe is itself a violation — and one the AEPD actively enforces.

Do You Need a Data Protection Officer (DPO)?

A Data Protection Officer is a person responsible for overseeing an organisation's GDPR compliance, acting as the main contact point for data subjects and the AEPD.

Under GDPR, a DPO is mandatory if your organisation:

  • Is a public authority
  • Carries out large-scale, systematic monitoring of individuals (for example, through behavioural tracking or surveillance)
  • Processes special categories of sensitive data — such as health data, biometric data, or criminal records — on a large scale

Spain's additional data protection law, the LOPDGDD, extends this requirement to specific sectors regardless of size. Private schools, hospitals, security companies, credit agencies, insurance providers, and several others must appoint a DPO even if they are small businesses.

Even if a DPO is not legally required for your organisation, having one — or appointing a responsible person internally — is strongly recommended. The DPO role does not have to be filled by a full-time employee. It can be an external consultant or outsourced service.

The rules changed for SMEs following proposed EU simplifications in 2025. For the full current picture: Do You Need a Data Protection Officer (DPO) in Spain? The Rules Just Changed for SMEs.

[Flowchart: when businesses in Spain need a Data Protection Officer under GDPR and the LOPDGDD]

GDPR Data Breach Rules — The 72-Hour Clock

A personal data breach is any security incident that leads to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data.

That definition is broader than most business owners expect. A breach is not only a cyberattack or a hacker stealing your database. It includes:

  • Sending an email containing personal data to the wrong recipient
  • Leaving a laptop containing customer data on a train
  • A cloud storage misconfiguration that makes private files publicly accessible
  • An employee accessing data they are not authorised to view

When a breach occurs, GDPR requires you to notify the AEPD within 72 hours of becoming aware of it — even if you do not yet have all the details. You do not need to wait until your investigation is complete. You notify first, update later.

If the breach is likely to result in a high risk to the rights and freedoms of individuals, you must also notify the affected people directly without undue delay.

Failure to notify on time is itself a GDPR violation. In 2025 alone, Spain recorded 2,765 data breach notifications, with over 200 million people affected by high-risk incidents — more than double the previous year. The AEPD has made it clear that failing to communicate with affected individuals is one of the key factors that triggers a formal investigation.

For a step-by-step breach response guide: How to Handle a GDPR Data Breach as a Business in Spain: The 72-Hour Rule Explained.

[Timeline: the 72-hour GDPR data breach notification process for businesses in Spain]

GDPR Fines — What Non-Compliance Actually Costs

GDPR penalties operate on a two-tier system.

Tier 1 — up to €10 million or 2% of global annual turnover (whichever is higher): For less severe violations such as failing to maintain records, not appointing a DPO when required, or failing to notify a breach on time.

Tier 2 — up to €20 million or 4% of global annual turnover (whichever is higher): For the most serious violations such as processing data without a lawful basis, ignoring data subject rights, or unlawful international data transfers.

These are not theoretical numbers. Here is what Spanish enforcement has looked like over the most recent cycles:

2024 — Record fine year:

  • €5 million — an energy company fined for breaching the principles of fairness, transparency, and accountability during a fraudulent procurement process
  • €4 million — an insurance provider fined after a cyberattack exposed customer data, with the AEPD finding that inadequate security measures had been in place
  • €3.5 million — a bank fined for a design flaw in its computer application that resulted in a client confidentiality breach
  • €3.5 million — a second energy company fined for web application vulnerabilities that led to a data breach

The AEPD issued 10 fines exceeding €1 million in 2024, compared to just 3 in 2023. Total fines for the year reached a record €35.5 million — a 19% increase on the year before.

2025 — Biometrics and AI become priority targets:

  • €10,043,002 — Spain's airport operator Aena was fined and ordered to immediately suspend its facial recognition boarding programme at eight major airports, including Madrid-Barajas and Barcelona-El Prat, after the AEPD found the company had failed to carry out an adequate Data Protection Impact Assessment before enrolling almost 40,000 travellers in the scheme. This is one of the largest fines the AEPD has ever imposed and signals clearly that biometric technology projects — even voluntary, well-intentioned ones — are not exempt from full GDPR compliance. (Source: Tech Research Online)
  • €1.8 million — a business intelligence company fined for processing personal data from over 1.6 million individual business owners without a valid legal basis, and ordered to cease processing and delete all affected records
  • €1.2 million — a telecoms provider fined for unlawful data processing connected to fraudulent SIM card duplication

2026 — Enforcement continues into the new year:

  • €950,000 — Yoti Ltd, a British digital identity and age verification company, was fined across three separate GDPR violations: €500,000 for unlawfully processing biometric special category data, €200,000 for using pre-ticked checkboxes to obtain invalid consent, and €250,000 for retaining personal data — including biometric templates and geolocation data — beyond what the purposes of processing required. (Source: Semrush)
  • €500,000 — FC Barcelona fined for conducting a deficient biometric data impact assessment

[Infographic: GDPR fine levels and major AEPD penalties for Spanish businesses]

The pattern across all of these cases is consistent. The AEPD is no longer primarily focused on smaller, high-volume violations. The agency has shifted its strategy toward addressing more complex, high-impact cases with significantly larger penalties, reflecting what it describes as the "greater complexity of data processing activities, their wider scope, and consequently their greater impact." (Source: Semrush)

The sectors now under the sharpest scrutiny are biometrics, AI-based data processing, financial services, telecommunications, and any organisation handling data at scale. But smaller businesses are not immune — the AEPD regularly fines SMEs for video surveillance violations, unlawful marketing, and failing to respond to data subject rights requests.

Two things are clear from the enforcement record: the fines are getting larger, and the AEPD is getting more selective but more severe. Compliance is no longer a box-ticking exercise — it is a financial risk management issue.

For a detailed breakdown of how the AEPD's fine procedure works and what to do if you receive a notification: What Happens If You Get a GDPR Fine in Spain? A Step-by-Step Breakdown.

Data Protection Impact Assessments (DPIAs)

A Data Protection Impact Assessment — or DPIA — is a formal process for identifying and reducing the privacy risks of a new project or data processing activity before it begins.

DPIAs are legally required under GDPR whenever a new processing activity is likely to result in a high risk to individuals' rights and freedoms. This includes:

  • Large-scale processing of sensitive personal data (health data, biometric data, etc.)
  • Systematic monitoring of individuals in public spaces
  • Automated decision-making that produces legal or similarly significant effects
  • Using new technologies in ways that involve personal data

Even when not strictly required, conducting a DPIA is considered best practice and demonstrates the accountability principle in action. It also protects your business — documenting that you assessed the risks and implemented mitigations is a strong defence in any regulatory investigation.

A DPIA does not need to be a lengthy bureaucratic document. It is a structured risk assessment that asks: what data am I processing, what are the risks, and what measures am I putting in place to reduce those risks?

For a practical walkthrough: GDPR and AI: What Spanish Companies Using AI Tools Must Do Before August 2026.

GDPR and the EU AI Act — What Changes in 2026

This is the most time-sensitive section of this guide.

The EU AI Act entered into force in August 2024 and its most significant compliance deadline — covering high-risk AI systems — falls on 2 August 2026. That date is weeks away at the time of writing.

The AI Act does not replace GDPR. Both laws apply simultaneously. If your business uses any AI tool that processes personal data — a chatbot, an automated recruitment system, AI-powered analytics, credit scoring tools — you now have obligations under both frameworks.

Key overlaps to be aware of:

  • Any AI system that processes personal data still needs a valid GDPR lawful basis
  • High-risk AI deployments may require both a GDPR Data Protection Impact Assessment (DPIA) and an AI Act Fundamental Rights Impact Assessment
  • GDPR's rules on automated decision-making (Article 22) apply to AI-driven decisions that significantly affect individuals
  • Data minimisation, accuracy, and transparency requirements under GDPR apply to data used to train or operate AI systems

The penalties under the AI Act are even steeper than under GDPR — up to €35 million or 7% of global turnover for the most serious violations.

If your business uses AI tools of any kind, you need to act before August 2026. For a full guide specific to Spanish businesses: GDPR and AI: What Spanish Companies Using AI Tools Must Do Before August 2026.

[Diagram: how GDPR and the EU AI Act overlap for businesses using AI tools in 2026]

GDPR Compliance in Spain — The LOPDGDD Layer

Businesses operating in Spain do not just need to comply with GDPR. They must also comply with Spain's national data protection law: the LOPDGDD (Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales).

The LOPDGDD came into force in December 2018 and adds several important requirements on top of the GDPR baseline:

Age of consent set at 14. GDPR allows member states to set the minimum age for consent between 13 and 16. Spain chose 14. If your business collects data from minors, you need age verification processes aligned to this threshold — not the EU default.

Expanded mandatory DPO sectors. The LOPDGDD requires DPO appointments in specific sectors regardless of company size. This includes private schools, hospitals, pharmacies, private security firms, credit reporting agencies, insurance providers, and financial institutions.

Digital workplace rights. The LOPDGDD grants Spanish employees new rights that go beyond GDPR: the right to digital disconnection (the right not to respond to work communications outside working hours), specific rules on workplace surveillance, and protections around geolocation tracking of workers.

Data blocking before deletion. Under Spanish law, when a data subject requests erasure, the business must first "block" the data — making it inaccessible but not immediately deleting it — before permanent deletion. This differs from the standard GDPR erasure process.

The AEPD's enforcement record. Spain's data protection authority has issued more fines than any other DPA in the EU — 932 fines recorded in the most recent CMS GDPR Enforcement Tracker Report. The AEPD is proactive, well-resourced, and increasingly focused on AI, biometric data, and cookie compliance.

For a complete breakdown of both laws and how they interact: GDPR vs. Spain's LOPDGDD: Understanding Both Laws and Why Your Business Must Comply With Both.

GDPR Compliance Checklist — Where to Start

If you are reading this guide because you are not sure where to begin, here is a practical starting point. These are the foundational steps every business should take.

1. Map your data. Identify every type of personal data your business collects, where it is stored, how it is used, and who has access to it. This is called a Record of Processing Activities (RoPA) and is mandatory under GDPR Article 30 for most organisations.

2. Identify your lawful bases. For each type of data processing you carry out, document which lawful basis you are relying on. Do not default to consent if another basis is more appropriate.

3. Update your privacy policy. Your privacy notice must tell people what data you collect, why, how long you keep it, who you share it with, and how they can exercise their rights. Plain language only — no legal boilerplate.

4. Set up processes for data subject requests. You need a clear internal workflow for handling Subject Access Requests, erasure requests, and other rights requests within the one-month deadline.

5. Review your consent mechanisms. If you use cookie banners, email marketing opt-ins, or any other consent-based collection, make sure your consent is freely given, specific, and properly recorded.

6. Assess your third-party processors. Every external service you use that processes personal data on your behalf — cloud storage, email platforms, CRM tools, payroll providers — needs a Data Processing Agreement (DPA) in place.

7. Prepare a breach response plan. You need to know who is responsible for detecting, assessing, and notifying a breach — and how to do it within 72 hours.

8. Decide whether you need a DPO. Check the GDPR and LOPDGDD requirements and assess whether your business is required to appoint one.

9. Train your team. Data protection is everyone's responsibility. Staff who handle personal data need to understand the basics — what counts as personal data, how to recognise a breach, and who to report it to.

10. Document everything. Accountability is not just about what you do — it is about being able to prove you did it. Keep records of your compliance decisions, assessments, training, and consent records.

From Understanding GDPR to Actually Implementing It

Understanding GDPR is the first step. Implementing it inside your business — building the documentation, processes, assessments, and controls that regulators actually want to see — is a different task entirely.

The EU GDPR Compliance and Data Protection for Businesses course from the Spanish Compliance Institute is designed to bridge that gap.

Across five structured modules, you will go from the foundational principles of GDPR to advanced topics including risk assessment, sectoral regulation, and the privacy implications of emerging technology — all aligned to the Spanish and EU regulatory environment your business actually operates in.

The course includes 18 downloadable templates — from Records of Processing Activities and DPIA frameworks to breach notification forms and data processing agreements — so you leave with tools you can use immediately, not just knowledge.

Whether you are a business owner getting compliant for the first time, a compliance officer building a formal programme, or a professional preparing for a DPO role, this course gives you the structure, the substance, and the practical tools to get it done.


Frequently Asked Questions

Does GDPR apply to small businesses in Spain?

Yes. GDPR applies to any organisation that processes personal data of people in the EU, regardless of size. There is no minimum employee or revenue threshold. The only partial exemption is for record-keeping obligations for organisations with fewer than 250 employees, but this is narrow — it does not apply if processing is regular, involves risk, or includes special categories of data.

What is the difference between GDPR and the LOPDGDD?

GDPR is the EU-wide regulation that sets the baseline rules. The LOPDGDD is Spain's national law that adapts and adds to those rules for businesses operating in Spain. You must comply with both. The LOPDGDD introduces specific requirements around consent age, DPO obligations, digital workplace rights, and data blocking that go beyond the GDPR minimum.

What is the most common reason businesses get fined by the AEPD?

The most frequent violations in Spain involve insufficient legal basis for processing, lack of transparency, inadequate security measures, and failure to honour data subject rights. Video surveillance without proper notices and unlawful marketing practices are also common.

How quickly do I need to report a data breach?

You must notify the AEPD within 72 hours of becoming aware of a breach — even if your investigation is not complete. If the breach poses a high risk to individuals, you must also notify the affected people directly without undue delay.

Do I need to appoint a Data Protection Officer?

GDPR requires a DPO if you are a public authority, carry out large-scale systematic monitoring of individuals, or process large volumes of special category data. Spain's LOPDGDD extends this requirement to specific sectors — including private schools, hospitals, security firms, and financial institutions — regardless of company size.

What does the EU AI Act mean for my business?

If your business uses any AI tool that processes personal data and operates in the EU, you have obligations under both GDPR and the EU AI Act. The most significant AI Act deadline for businesses is 2 August 2026. See our dedicated guide: GDPR and AI: What Spanish Companies Using AI Tools Must Do Before August 2026.

Is GDPR compliance a one-time project?

No. GDPR compliance is an ongoing operational responsibility. Your data processing activities change, regulations evolve, and enforcement priorities shift. Regular audits, staff training, and policy reviews are part of maintaining compliance — not a one-off exercise.

How do I transfer customer data outside the EU legally?

International transfers require additional safeguards. The most common mechanism is Standard Contractual Clauses (SCCs), which are pre-approved contract terms that provide adequate data protection guarantees. For more detail: Transferring Customer Data Outside the EU? What Spanish Businesses Need to Know in 2026.