Practical EU GDPR Compliance Certification
Strengthen privacy governance and prepare teams for modern EU data protection requirements.
If your business operates in Spain — or handles the personal data of people in Spain — you do not have one data protection law to comply with. You have two.
The EU General Data Protection Regulation, universally known as GDPR, sets the baseline that applies across all 27 EU member states. But Spain has layered its own national law on top of it: the Ley Orgánica 3/2018 de Protección de Datos Personales y Garantía de los Derechos Digitales — the LOPDGDD.
These two laws do not replace each other. They work in parallel. The GDPR cannot be understood in Spain without the LOPDGDD, and the LOPDGDD cannot be applied correctly without knowing where the GDPR ends and Spain's national rules begin.
For most businesses, this dual framework is the single most confusing aspect of data protection compliance in Spain. Businesses that focus only on GDPR miss Spain-specific obligations that the AEPD actively enforces. Businesses that believe the LOPDGDD replaces GDPR misunderstand the architecture entirely.
This guide cuts through that confusion. It explains what each law is, how they interact, where they differ in ways that matter for your business, and what compliance with both looks like in practice in 2026.
For the broader picture of what GDPR requires from every business operating in Spain, see our pillar guide: EU GDPR Compliance for Businesses: The Complete Guide (2026).
The GDPR has applied since 25 May 2018 as a directly applicable EU regulation (it was adopted in 2016 with a two-year transition period). Directly applicable means it does not need a national law to give it effect: it became binding law in every EU member state on the same day, with the same text, and every business in every EU country is bound by the same rules, subject only to the national openings described next.
However, the GDPR is not a complete code. It deliberately leaves certain areas open for national discretion — moments where it says, in effect, "member states may set their own rules on this." These openings are known as GDPR "derogations" and "specifications."
The LOPDGDD (Ley Orgánica 3/2018 of 5 December 2018, published in the Official State Gazette, BOE, on 6 December 2018 and in force from 7 December 2018) is Spain's response to those openings. It does three things simultaneously:
It adapts GDPR to the Spanish legal context — filling in areas where the GDPR allows national customisation, such as the minimum age of digital consent and mandatory DPO sectors.
It supplements GDPR with Spain-specific obligations — adding rules that go beyond what GDPR requires, most notably the extensive digital rights framework in Title X.
It specifies how the GDPR's general principles apply in particular Spanish contexts — including video surveillance, credit reporting systems, whistleblowing channels, and professional secrecy.
The result is a framework where GDPR always applies as the floor, and the LOPDGDD either raises that floor or adds new rooms to the building entirely.
One important clarification: the LOPDGDD repealed Spain's previous data protection law, the LOPD of 1999 (Ley Orgánica 15/1999), and adapted the Spanish legal system to the GDPR in the same act. This historical context matters because some older compliance documentation in Spanish businesses still references the 1999 LOPD, which has been superseded and is no longer operative.
The vast majority of what the LOPDGDD says aligns directly with GDPR. The seven core principles of GDPR Article 5 (lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; integrity and confidentiality; and accountability) apply unchanged in Spain. The six lawful bases for processing personal data are the same. The framework for data subject rights (access, rectification, erasure, restriction, portability and objection) is the same; the LOPDGDD only adds procedural detail to it.
The AEPD, as Spain's supervisory authority, enforces both frameworks simultaneously. It does not run separate investigations for GDPR violations and LOPDGDD violations — they are assessed together in a single enforcement process. A fine from the AEPD is typically framed as a violation of a specific GDPR article, though LOPDGDD provisions may also be cited.
The fine structure is also unified. The LOPDGDD adopts the GDPR Article 83 ceilings rather than setting its own: up to €20 million or 4% of total worldwide annual turnover of the preceding financial year, whichever is higher, for the most serious violations, and up to €10 million or 2% for less serious ones. What the LOPDGDD adds (Articles 72 to 74 and 78) is a classification of infringements as minor, serious or very serious, with limitation periods of one, two and three years respectively, a tiered structure that supplements the GDPR's own categorisation.

This is where Spanish compliance becomes more demanding than the EU baseline — and where most compliance gaps exist for businesses operating in Spain.
The GDPR sets the default minimum age at which a child can provide valid consent for digital services at 16, allowing member states to lower this to a minimum of 13. Spain set it at 14.
This means that any digital service collecting personal data from users in Spain must treat anyone under 14 as a child requiring parental or guardian consent — not 16 as in many other EU countries and not 13 as the GDPR would permit.
The practical implications are substantial for any business running a website, app, e-commerce platform, or digital service accessible to Spanish users. Registration forms, consent mechanisms, and age-gating systems must reflect the 14-year threshold specifically for Spain.
In February 2026, this went significantly further. Spanish Prime Minister Pedro Sánchez announced at the World Government Summit in Dubai that Spain would introduce legislation banning social media access for children under 16 entirely — requiring platforms to implement mandatory, robust age verification systems, not simple date-of-birth fields. The bill must pass through Spain's Congress and Senate before becoming law, with approval expected sometime in late 2026 or 2027. But the direction of travel is clear: Spain is moving toward the strictest minor protection rules in the EU, and businesses processing data of young users in Spain need to monitor these developments actively.
Under GDPR Article 37, a DPO is required for public authorities and bodies, for organisations whose core activities consist of large-scale regular and systematic monitoring of individuals, and for organisations whose core activities consist of large-scale processing of special categories of data or of data relating to criminal convictions.
The LOPDGDD goes considerably further. Article 34.1 mandates DPO appointment across 16 listed categories of entity (letters a to p), in most cases regardless of company size, employee count or the scale of processing. The list includes educational establishments teaching at regulated levels and universities, healthcare centres legally obliged to keep patient medical records (with an exception for health professionals who practise individually), insurance and financial entities, private security companies, advertising and market research entities that profile individuals, sports federations, gambling operators and energy distributors.
A small private clinic that keeps patient medical records must appoint a DPO just as a national hospital must; only a health professional practising alone falls under the Article 34.1(l) exception. A three-teacher private school teaching at a regulated educational level faces the same obligation as a large one. Appointments must also be notified to the AEPD within ten days (Article 34.3). This Spain-specific expansion of the DPO requirement has no equivalent in most EU member states and is one of the most commonly overlooked compliance obligations among SMEs.
For a full breakdown of who needs a DPO in Spain and how to appoint one, see: Do You Need a Data Protection Officer (DPO) in Spain? The Rules Just Changed for SMEs.
One of the most operationally significant differences between GDPR and the LOPDGDD is the duty of "data blocking" (bloqueo de datos, Article 32 LOPDGDD), which has no direct GDPR equivalent. The closest GDPR concept, restriction of processing under Article 18, is a right the data subject invokes; blocking is a duty the controller must apply on its own initiative.
Under Article 32, when a controller rectifies or erases personal data, it must "block" that data wherever it still has to be retained to meet legal obligations or to address potential liabilities arising from the processing, rather than keeping it in normal use or deleting it outright.
Blocked data must be identified and held in a restricted state: it may not be accessed, processed or made available to third parties, except to judges and courts, the Public Prosecutor or the competent public administrations (in particular the data protection authorities) for the purpose of establishing those liabilities, and only for as long as the limitation period for those liabilities runs. Once that period ends, the data must be destroyed. The blocked data must also remain identifiable and protected while it is held (Article 32.3).

This creates a technical and procedural obligation that most GDPR-focused compliance programmes do not address. Organisations operating in Spain need systems capable of placing data in a restricted state, tracking what has been blocked, on what legal basis and until when, gating who may read it and why, and deleting it when the blocking period expires. IT systems configured purely to the GDPR standard, with only two outcomes for an erasure request (delete, or keep processing) and no intermediate state, do not satisfy the LOPDGDD.
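As an added illustration of the intermediate "blocked" state described above (example code written for this guide, not code from the page's author or from any product), the following Python sketch keeps each record in one of three states, records the legal basis and expiry of a block, releases blocked data only to assumed roles for assumed purposes that mirror the Article 32 list, and purges blocked records when their retention date passes. The role and purpose names, the 365-day retention period and the customer record are all constructed assumptions; real retention periods come from the applicable statute.

```python
# Added example: a minimal LOPDGDD Article 32 "blocking" store.
# Roles, purposes, retention period and sample record are assumptions.
from dataclasses import dataclass, field
from datetime import date, timedelta
from enum import Enum
from typing import Dict, List, Optional


class State(Enum):
    ACTIVE = "active"    # normal operational use
    BLOCKED = "blocked"  # kept only for legal obligations / liabilities
    DELETED = "deleted"  # personal data removed; tombstone keeps the audit trail


class BlockedAccessError(PermissionError):
    """Raised when blocked data is requested outside the permitted purposes."""


@dataclass
class Record:
    subject_id: str
    data: Dict[str, str]
    state: State = State.ACTIVE
    block_reason: Optional[str] = None
    block_until: Optional[date] = None
    audit: List[str] = field(default_factory=list)


# Assumed policy: which role may read BLOCKED data and for which purposes.
# Operational roles ("marketing", "support", ...) deliberately have no entry.
BLOCKED_READ_POLICY = {
    "legal": {"court_order", "prosecutor_request", "liability_claim"},
    "dpo": {"supervisory_authority_request"},
}


class DataStore:
    def __init__(self) -> None:
        self.records: Dict[str, Record] = {}

    def add(self, subject_id: str, data: Dict[str, str]) -> Record:
        rec = Record(subject_id, dict(data))
        rec.audit.append("created")
        self.records[subject_id] = rec
        return rec

    def erase(self, subject_id: str, today: date,
              legal_basis: Optional[str] = None, retention_days: int = 0) -> State:
        """Erasure request: delete outright when nothing requires retention,
        otherwise BLOCK the record with a reason and an expiry date."""
        rec = self.records[subject_id]
        if legal_basis is None:
            self._delete(rec, "erased on request")
        else:
            if retention_days <= 0:
                raise ValueError("a retention period is required to block data")
            rec.state = State.BLOCKED
            rec.block_reason = legal_basis
            rec.block_until = today + timedelta(days=retention_days)
            rec.audit.append(f"blocked: {legal_basis} until {rec.block_until}")
        return rec.state

    def read(self, subject_id: str, role: str, purpose: str) -> Dict[str, str]:
        """ACTIVE data is readable; DELETED data is gone; BLOCKED data is
        released only to listed roles for listed purposes, and every
        attempt is written to the audit trail."""
        rec = self.records[subject_id]
        if rec.state is State.DELETED:
            raise KeyError(f"{subject_id}: personal data no longer held")
        if rec.state is State.BLOCKED:
            if purpose not in BLOCKED_READ_POLICY.get(role, set()):
                rec.audit.append(f"denied: {role}/{purpose}")
                raise BlockedAccessError(f"{role} may not read blocked data for {purpose}")
            rec.audit.append(f"released: {role}/{purpose}")
        return dict(rec.data)

    def purge_expired(self, today: date) -> List[str]:
        """Delete every BLOCKED record whose retention date has passed."""
        purged = []
        for rec in self.records.values():
            if rec.state is State.BLOCKED and rec.block_until and rec.block_until <= today:
                self._delete(rec, f"retention for {rec.block_reason} expired")
                purged.append(rec.subject_id)
        return purged

    @staticmethod
    def _delete(rec: Record, why: str) -> None:
        rec.data = {}  # personal data removed; audit entries are kept
        rec.block_reason = rec.block_until = None
        rec.state = State.DELETED
        rec.audit.append(f"deleted: {why}")


def run_lifecycle() -> List[str]:
    """Walk a constructed record through erase -> blocked -> purge -> deleted."""
    store = DataStore()
    store.add("c-1001", {"name": "Example Customer", "email": "c1001@example.invalid"})
    store.add("c-1002", {"name": "Other Customer"})
    events = [store.erase("c-1001", date(2026, 1, 15), "tax records", 365).value]
    try:
        store.read("c-1001", "marketing", "campaign")
        events.append("marketing-read-allowed")
    except BlockedAccessError:
        events.append("marketing-read-denied")
    legal_view = store.read("c-1001", "legal", "court_order")
    events.append("legal-read-ok" if legal_view["name"] == "Example Customer" else "legal-read-bad")
    events.append(f"purged-early:{store.purge_expired(date(2027, 1, 14))}")
    events.append(f"purged:{store.purge_expired(date(2027, 1, 15))}")
    events.append(store.records['c-1001'].state.value)
    events.append("direct:" + store.erase("c-1002", date(2026, 1, 15)).value)
    return events


if __name__ == "__main__":
    print(run_lifecycle())
```

The point of the design is that an erasure request never has only two outcomes: a record with a legal retention basis moves to BLOCKED, operational code paths cannot read it, the few permitted readers are enumerated in policy and logged, and the purge runs off the recorded expiry rather than off someone remembering to delete.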
Perhaps the most distinctive feature of the LOPDGDD, and one with no parallel anywhere else in EU data protection law, is Title X — a comprehensive charter of digital rights covering Articles 79 through 97.
These provisions extend well beyond data protection into broader digital citizenship. For businesses with employees in Spain, several are directly operative:
The Right to Digital Disconnection (Article 88): Employees in both the public and private sectors have a legal right to digital disconnection outside working hours. Employers must draw up a written internal policy, after hearing the employee representatives, that defines how the right is exercised, includes training and awareness measures on reasonable use of technology, and covers remote working. A business that contacts employees by email, messaging apps or phone outside working hours without having adopted such a policy, or contrary to it, is exposed under the LOPDGDD and Spanish labour law.
Privacy on Digital Devices at Work (Article 87): Employers may set criteria for the use of work-provided digital devices, including any permitted private use, but must inform employees of those criteria in advance. Employers may access the contents of such devices only to check compliance with work obligations and to guarantee the integrity of the devices, respecting the employee's dignity and proportionality.
Video Surveillance and Audio Recording at Work (Article 89): Employers may use cameras to check that workers comply with their duties, within the limits of the Workers' Statute, but must inform workers and their representatives clearly and in advance, and cameras may never be placed in rest areas, changing rooms, toilets or similar spaces. Critically, Article 89.3 admits audio recording in the workplace only where it is relevant to risks to the security of premises, property and people arising from the activity carried on there, and always subject to proportionality. This restriction has no GDPR equivalent and is frequently violated by businesses that install standard CCTV equipment without disabling audio. Covert recording is not permitted; the only concession is that where a camera captures the flagrant commission of an unlawful act, the information duty is treated as satisfied if the general signage required by Article 22.4 is in place.
Geolocation of Workers (Article 90): Any use of geolocation systems for employment control, including vehicle tracking, must be communicated expressly, clearly and unequivocally to workers and, where applicable, their representatives in advance, covering the existence and characteristics of the system and the rights that apply. This holds whether the device is a company vehicle, a company phone or any other tracking system.
AI and Algorithmic Decision-Making at Work: The duty to inform about algorithms sits outside the LOPDGDD, in Article 64.4(d) of the Workers' Statute as amended by Real Decreto-ley 9/2021 (the "rider law"): the works council must be informed of the parameters, rules and instructions on which the algorithms or AI systems that affect decisions on working conditions, access to and retention of employment, including profiling, are based. Solely automated decisions with legal or similarly significant effects remain governed by GDPR Article 22. In practice this covers performance assessment systems, scheduling algorithms and productivity monitoring tools.
Spain has required a daily record of each worker's working time since 2019 (Article 34.9 of the Workers' Statute). As of January 2026, that record also became mandatorily digital: daily working time must be recorded via tamper-resistant digital systems. Manual timesheets that can be edited retroactively without an audit trail are no longer compliant with Spanish labour and data protection requirements, and labour inspectors can require immediate access to the digital records proving employee start and end times.

The GDPR explicitly does not apply to deceased persons — Recital 27 states this clearly, leaving the matter to national law. The LOPDGDD fills this gap through Articles 3 and 96.
Article 3 allows persons linked to the deceased by family or de facto ties, as well as their heirs, to request access to, rectification of or deletion of the deceased's personal data, unless the deceased expressly forbade it or a law provides otherwise. Article 96 extends the same logic to the deceased's online presence, the so-called "digital will": individuals can leave instructions on what should happen to their social media profiles, email accounts and cloud-stored content after death, and, absent a prohibition, the same persons can ask service providers to access, delete or rectify that content.
For businesses holding customer or user data, this means that a data subject rights request may legitimately come from a deceased person's family member — and must be handled accordingly.
The LOPDGDD sets specific rules for including individuals in credit default registries — the so-called ficheros de morosos or solvency files. These rules go beyond GDPR's general framework:
The debt must be certain, due and payable, and its amount must not be the subject of an administrative or judicial claim or of an alternative dispute procedure; disputed debts cannot be reported. The minimum amount that can be reported is €50 in principal; smaller debts cannot be entered into a solvency file. The creditor must have informed the debtor, in the contract or when demanding payment, of the possibility of inclusion, giving them the opportunity to dispute or pay the debt. Strict accuracy obligations apply, including mandatory update and deletion when the debt is settled, and data may be kept only while the default persists, for a maximum of five years from the due date.
For any business in Spain involved in credit, debt collection, or financial services, these provisions are operationally critical. Failure to follow them — particularly the pre-notification requirement — is a category of violation the AEPD has enforced directly.
In a derogation that generated significant controversy from 2018, the LOPDGDD's third final provision inserted an Article 58 bis into the electoral law (LOREG) permitting political parties to collect personal data on citizens' political opinions from web pages and other publicly accessible sources for electoral campaign purposes, without individual consent. Spain's Constitutional Court struck that collection power down: judgment 76/2019 of 22 May 2019 declared Article 58 bis.1 unconstitutional and null. The remaining paragraphs of Article 58 bis, on electoral messaging by electronic means and the right to object to it, remain in force.
For most businesses, this provision is not directly relevant. But for organisations that provide data services, political consulting or marketing platforms in Spain, knowing that the collection power no longer exists, and what the surviving rules on electronic electoral messaging still allow, matters.
Given the dual framework, a compliant organisation in Spain cannot rely on a GDPR compliance programme alone. Compliance with both laws requires, at minimum, the following Spain-specific additions to a standard GDPR framework:
Age of consent threshold at 14: All consent mechanisms, registration flows, and parental consent processes must reflect the Spanish threshold, not the GDPR default of 16.
DPO assessment against the LOPDGDD sector list: An assessment of whether any mandatory DPO obligation under LOPDGDD Article 34 applies must be conducted alongside — not instead of — the GDPR Article 37 assessment.
Data blocking capability: IT systems and data retention processes must be capable of placing data in a restricted "blocked" state between the data subject's erasure request and the end of the applicable legal retention period.
Digital disconnection policy: Any business with employees in Spain must have a written digital disconnection policy, developed in consultation with employee representatives, that defines how the right to disconnect is exercised in practice.
Video surveillance audit: Any CCTV or workplace monitoring system must be assessed against the LOPDGDD requirements: signage and prior information to workers and their representatives, purpose limitation, no cameras in rest areas, changing rooms or toilets, and, critically, audio recording disabled unless justified by security risks under Article 89.3.
Worker notification for AI tools: If your business uses any AI, algorithmic scoring or automated tool that affects working conditions, hiring or retention, the works council must be informed of the parameters, rules and instructions behind it (Article 64.4(d) of the Workers' Statute), and any solely automated decision must satisfy GDPR Article 22.
Deceased persons procedure: Data subject rights processes must include a procedure for handling requests from the heirs or relatives of deceased data subjects.

Credit reporting procedures: Any business that reports debts to credit registries must have a verified process for pre-notification, minimum debt threshold checks, and accuracy maintenance.
Some businesses handle GDPR and the LOPDGDD as if they are independent frameworks — completing a GDPR audit and then treating LOPDGDD compliance as an optional add-on. This approach carries real regulatory risk.
The AEPD enforces both frameworks simultaneously. It does not compartmentalise an investigation into "GDPR issues" and "LOPDGDD issues"; it assesses the full compliance picture of the organisation. An organisation that has a technically sound GDPR programme but has never adopted a digital disconnection policy, has no data blocking process, or operates in a mandatory DPO sector without a DPO notified to the AEPD, has significant compliance gaps, and those are gaps the AEPD will find if it investigates.
In 2024, the AEPD issued a record €35.6 million in total fines. In 2025, data breach notifications reached 2,765 — with over 200 million individuals notified of high-risk breaches, double the previous year. The volume of enforcement is not falling. If anything, 2026's focus on biometrics, AI-powered processing, and minor protection is raising the bar further.
The businesses the AEPD does not fine are not the ones that treated compliance as optional. They are the ones that treated both laws, together, as the operating standard.
Spain's data protection framework is not more complicated than other countries' for the sake of complexity. It reflects a deliberate legislative choice to build on the GDPR baseline with rights and protections that Spain's legislature considered insufficiently covered at the EU level — particularly around digital rights in employment, protection of minors, and obligations specific to the Spanish financial and professional services landscape.
For your business, the practical implication is straightforward. GDPR compliance is the minimum. The LOPDGDD raises the floor in specific areas and adds obligations that have no GDPR equivalent. Compliance with one without the other is not full compliance in Spain — and the AEPD assesses the full picture.
The EU GDPR Compliance and Data Protection for Businesses course from Spanish Compliance Institute covers both laws in depth — from the GDPR's foundational principles through to the LOPDGDD-specific obligations that apply only in Spain. Its five structured modules include everything from data subject rights and lawful processing to advanced risk assessment, workplace digital rights, and sector-specific compliance. The course includes 18 downloadable templates built for the Spanish regulatory environment.