Skip to main content

Data Processing Agreement (DPA) Spain

Key facts

SpainSpainEnglish (ES)FreePDF & WordUpdated Jun 6, 2026
Legal basisSpainNotarization: Not requiredWitnesses: 0Parties: 2
Data Processing Agreement (DPA) (Acuerdo de Encargado del Tratamiento)
Data Processing Agreement (DPA) Spain (Acuerdo de Encargado del Tratamiento)

ACUERDO DE ENCARGADO DEL TRATAMIENTO DE DATOS PERSONALES

Acuerdo de Encargado del Tratamiento (DPA)

Regulado por el Reglamento (UE) 2016/679 (RGPD), artículo 28, y la Ley Orgánica 3/2018 (LOPDGDD)

1. PARTES

RESPONSABLE DEL TRATAMIENTO:

Denominación social: [Controller Name]

Domicilio registral: [Controller Address]

Representante legal: [Controller Representative]

Contacto del DPD: [Controller DPO]

ENCARGADO DEL TRATAMIENTO:

Denominación social: [Processor Name]

Domicilio registral: [Processor Address]

Representante legal: [Processor Representative]

Contacto del DPD: [Processor DPO]

2. OBJETO, NATURALEZA, FINALIDAD Y DURACIÓN DEL TRATAMIENTO

Finalidad del tratamiento: [Processing Purpose]

Naturaleza de las operaciones de tratamiento: [Processing Nature]

Tipos de datos personales tratados: [Data Categories]

Categorías de interesados: [Data Subject Categories]

3. TRATAMIENTO CONFORME A INSTRUCCIONES DOCUMENTADAS Y CONFIDENCIALIDAD

Conforme al artículo 28.3.a RGPD, [Processor Name] tratará los datos personales únicamente siguiendo instrucciones documentadas de [Controller Name] y no tratará los datos para fines propios ni para ningún fin no autorizado por escrito por el responsable. El encargado notificará inmediatamente al responsable si, a su juicio, una instrucción infringe el RGPD o la LOPDGDD.

Conforme al artículo 28.3.b RGPD, [Processor Name] garantiza que todo el personal autorizado a tratar los datos personales se ha comprometido a respetar la confidencialidad —ya sea por obligación legal o mediante acuerdos contractuales de confidencialidad por escrito— y recibe la formación adecuada en protección de datos.

4. MEDIDAS DE SEGURIDAD TÉCNICAS Y ORGANIZATIVAS (ARTÍCULO 32 RGPD)

Medidas técnicas: [Technical Measures]

Medidas organizativas: [Organisational Measures]

Las medidas de seguridad serán revisadas y actualizadas por [Processor Name] al menos anualmente y ante cualquier cambio significativo en las operaciones de tratamiento, de conformidad con la Guía de Medidas de Seguridad de la AEPD (disponible en aepd.es).

5. SUBENCARGADOS DEL TRATAMIENTO

Autorización de subencargados: [Subprocessors Authorisation]

[Processor Name] deberá imponer obligaciones de protección de datos equivalentes a cualquier subencargado del tratamiento conforme al artículo 28.4 RGPD. El encargado sigue siendo plenamente responsable frente a [Controller Name] del cumplimiento por el subencargado de las obligaciones del RGPD. Se adjunta como Anexo B a este acuerdo una lista actualizada de subencargados aprobados.

6. ASISTENCIA EN EL EJERCICIO DE DERECHOS DE LOS INTERESADOS

[Processor Name] asistirá a [Controller Name] en la atención de las solicitudes de ejercicio de derechos de los interesados conforme a los artículos 15 a 22 RGPD — acceso, rectificación, supresión, limitación del tratamiento, portabilidad y oposición — dentro de los plazos establecidos por el artículo 12.3 RGPD (1 mes desde la recepción, ampliable a 3 meses en casos complejos). El encargado notificará al responsable cualquier solicitud directa de derechos recibida de un interesado en un plazo de 5 días hábiles.

7. APOYO EN LA EVALUACIÓN DE IMPACTO RELATIVA A LA PROTECCIÓN DE DATOS

[Processor Name] asistirá a [Controller Name] en la realización de las Evaluaciones de Impacto relativas a la Protección de Datos (EIPD) conforme al artículo 35 RGPD cuando resulte necesario, y en la consulta previa a la Agencia Española de Protección de Datos (AEPD) conforme al artículo 36 RGPD, facilitando toda la información sobre las operaciones de tratamiento y las medidas de seguridad necesarias para la EIPD.

8. NOTIFICACIÓN DE VIOLACIONES DE LA SEGURIDAD DE LOS DATOS PERSONALES

[Processor Name] notificará a [Controller Name] sin dilación indebida —y en todo caso en un plazo máximo de 72 horas desde que tenga conocimiento— cualquier violación de la seguridad de los datos personales conforme al artículo 33 RGPD, proporcionando: una descripción de la violación; categorías y número aproximado de interesados afectados; categorías y número aproximado de registros de datos afectados; consecuencias probables; y medidas adoptadas o propuestas para abordar la violación. Esto permite a [Controller Name] evaluar el riesgo y notificar, en su caso, a la AEPD y a los interesados afectados.

9. DEVOLUCIÓN O SUPRESIÓN DE DATOS

Al vencimiento o resolución de este contrato de encargo, [Processor Name], a elección de [Controller Name], suprimirá de forma segura o devolverá todos los datos personales conforme al artículo 28.3.g RGPD en un plazo de 30 días naturales desde la resolución, salvo que la legislación de la UE o española exija su conservación continuada. La supresión segura deberá documentarse y certificarse al responsable.

10. CUMPLIMIENTO ANTE LA AEPD Y DERECHO DE AUDITORÍA

[Processor Name] pondrá a disposición de [Controller Name] toda la información necesaria para demostrar el cumplimiento del artículo 28 RGPD y permitirá y contribuirá a las auditorías, incluidas las inspecciones, realizadas por el responsable o por un auditor designado por este. Las infracciones del artículo 28 RGPD se clasifican conforme al artículo 83.4 RGPD como sujetas a multas administrativas de hasta 10.000.000 € o el 2% de la facturación anual global total, siendo supervisadas y sancionadas por la Agencia Española de Protección de Datos (AEPD), creada conforme al artículo 44 de la Ley Orgánica 3/2018 (LOPDGDD).

11. LEY APLICABLE

Este Acuerdo de Encargado del Tratamiento se rige por el Reglamento (UE) 2016/679 (RGPD) y la Ley Orgánica 3/2018 (LOPDGDD). Las controversias se resolverán ante los tribunales españoles competentes.

FIRMAS

RESPONSABLE DEL TRATAMIENTO:

Representado por: [Controller Representative]

Firma: _________________________ Fecha: _________________________

ENCARGADO DEL TRATAMIENTO:

Representado por: [Processor Representative]

Firma: _________________________ Fecha: _________________________

Responsable del tratamiento / Representante legal

________________

Signature

Encargado del tratamiento / Representante legal

________________

Signature

Maintained by Vladislav Sergienko, Founder·Template last modified: ·Report an error

What Is a Data Processing Agreement (DPA) Spain?

A Data Processing Agreement Spain (Acuerdo de Encargado del Tratamiento — AET) is a legally mandatory contract required by Article 28 of Reglamento (UE) 2016/679 — the General Data Protection Regulation (RGPD) — whenever a data controller (responsable del tratamiento) instructs a data processor (encargado del tratamiento) to process personal data on its behalf. In Spain, the RGPD is supplemented by Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD), and supervised by the Agencia Española de Protección de Datos (AEPD), the independent data protection supervisory authority established under Article 34 LOPDGDD.

The Data Processing Agreement formalises the relationship between the responsable del tratamiento — the entity that determines the purposes and means of processing (for example, a company using a cloud provider or marketing platform) — and the encargado del tratamiento — the entity that processes data solely on the controller's documented instructions (for example, a SaaS provider, payroll bureau, or IT support company). Article 28.3 RGPD mandates that the processing agreement be concluded in writing and contain a minimum set of provisions including the subject matter, duration, nature and purpose of processing, the type of personal data processed, the categories of data subjects, and the obligations and rights of the controller.

Failure to execute a compliant Data Processing Agreement exposes both the responsable and the encargado to administrative sanctions under Article 83 RGPD — up to €10,000,000 or 2% of total global annual turnover (whichever is higher) for violations of Article 28. The AEPD has issued multiple sanction resolutions (resoluciones sancionadoras) for the absence of a DPA or for DPAs that lack the mandatory Article 28.3 clauses — including sanctions against major Spanish telecommunications operators and financial entities. All AEPD resolutions are published in the Sede Electrónica de la AEPD at aepd.es.

The LOPDGDD 3/2018 introduced specific additional requirements for Spanish data processing relationships beyond those in the RGPD. Article 28 LOPDGDD requires that public bodies processing data on behalf of another public body use a specific form of processing agreement approved by the competent supervisory authority (the AEPD for the central state administration, and the equivalent regional data protection authorities — Autoridad Catalana de Protección de Datos (APDCAT), Agencia Vasca de Protección de Datos (AVPD), and Agencia Española de Protección de Datos de Navarra — for regional authorities). Article 33 LOPDGDD extends the obligation to maintain a register of processing activities (Registro de Actividades de Tratamiento — RAT) under RGPD Article 30 to all controllers and processors, regardless of size, removing the SME exemption that Article 30.5 RGPD nominally provides.

Where an encargado del tratamiento engages a sub-processor (subencargado), Article 28.2 RGPD requires prior written authorisation from the responsable — either specific (naming the sub-processor) or general (allowing sub-processors subject to notification). The subencargado must be bound by equivalent data protection obligations as the encargado, and the encargado remains fully liable to the responsable for the subencargado's compliance failures.

International data transfers outside the European Economic Area (EEA) by the encargado require a legal transfer mechanism under Chapter V RGPD — typically Standard Contractual Clauses (Cláusulas Contractuales Tipo — CCT) approved by the European Commission under Decisión de Ejecución (UE) 2021/914, an adequacy decision (decisión de adecuación), or Binding Corporate Rules (Normas Corporativas Vinculantes — BCR). The AEPD supervises international transfer compliance and may impose transfer bans as a corrective measure under Article 58.2(j) RGPD.

When Do You Need a Data Processing Agreement (DPA) Spain?

A Data Processing Agreement Spain is required under Article 28 RGPD in every situation where a company or organisation (responsable del tratamiento) instructs another entity (encargado del tratamiento) to process personal data on its behalf — regardless of whether the processing is commercial, charitable, or governmental in nature.

The DPA is required when a Spanish company uses a cloud computing provider (proveedor de servicios en la nube) — such as AWS, Google Cloud, or Microsoft Azure — to store or process customer personal data. These providers are encargados del tratamiento and must execute a RGPD-compliant processing agreement with each Spanish client under Article 28.

A Data Processing Agreement is required when a Spanish employer outsources payroll processing (gestión de nóminas) to an external gestor laboral or HR software provider. The payroll provider processes employee personal data — including salario, NSS number, IRPF withholding rates, and bank account details — on the employer's behalf, making it an encargado del tratamiento.

The DPA is required when a Spanish business uses an email marketing platform (plataforma de email marketing) — such as Mailchimp, HubSpot, or ActiveCampaign — to send commercial communications to its subscriber list. The platform processes contact data on the company's behalf and must execute a DPA compliant with Article 28 RGPD and Ley 34/2002 de Servicios de la Sociedad de la Información (LSSI).

A Data Processing Agreement is needed when a Spanish e-commerce business uses a third-party payment processor (pasarela de pago) that accesses cardholder data, or a logistics provider (empresa de mensajería) that receives customer delivery address data. Both entities process personal data on behalf of the e-commerce operator and require a DPA.

The agreement is required when a Spanish hospital, clinic (clínica privada), or healthcare provider engages a medical records management company or electronic health record (historia clínica electrónica) software provider. Health data is a special category under Article 9 RGPD and processing requires explicit consent or another specific legal basis, with enhanced DPA provisions for special category data under LOPDGDD.

A DPA is also required when Spanish public bodies (Administraciones Públicas) contract IT service providers, data analytics companies, or cloud hosting providers to process data from citizen registries (padrón municipal), social services, or tax administration — with the additional requirements imposed by Article 28 LOPDGDD for public sector processing agreements.

What to Include in Your Data Processing Agreement (DPA) Spain

A compliant Data Processing Agreement Spain under Article 28.3 RGPD and LOPDGDD 3/2018 must contain the following mandatory provisions. Absence of any of these elements exposes both parties to AEPD sanctions.

Identification of Controller and Processor: Full legal names, registered addresses, NIF/CIF, and data protection officer (Delegado de Protección de Datos — DPD) contact details (if appointed) for both the responsable del tratamiento and the encargado del tratamiento. Appointment of a DPD is mandatory for Spanish public bodies, for entities conducting large-scale systematic monitoring, and for entities processing special category data under Article 37 RGPD and Article 34 LOPDGDD.

Subject Matter, Duration, and Nature of Processing: A precise description of what personal data will be processed, for what purpose (finalidad), by what means (medios), and for how long (duración). Vague or generic descriptions — such as simply stating "customer data" — are insufficient under the AEPD's enforcement guidance.

Types of Personal Data and Categories of Data Subjects: Specification of the categories of personal data processed (e.g., identification data, contact data, financial data, health data, location data) and the categories of data subjects (e.g., employees, customers, website visitors). Processing of special categories under Article 9 RGPD (health, biometric, ethnic origin, trade union membership) requires express mention and enhanced justification.

Processing Only on Documented Instructions: The encargado must process personal data only on the documented instructions of the responsable under Article 28.3(a) RGPD. The DPA must prohibit the encargado from processing data for its own purposes or for any purpose not authorised by the responsable.

Confidentiality of Processing: Personnel authorised to process the personal data must be under an obligation of confidentiality under Article 28.3(b) RGPD — either a statutory obligation (e.g., professional secrecy of lawyers or doctors) or a contractual obligation.

Technical and Organisational Security Measures: The encargado must implement appropriate technical and organisational measures (medidas técnicas y organizativas — MTOs) to protect personal data under Article 32 RGPD — proportionate to the risk of the processing. The DPA should specify minimum security standards: pseudonymisation, encryption, access controls, business continuity, backup procedures, and periodic security testing. The AEPD's Guía de Medidas de Seguridad (available at aepd.es) provides sector-specific guidance.

Sub-processor Authorisation: Whether the encargado may engage sub-processors (subencargados) — and if so, whether authorisation is specific (listing named sub-processors) or general (subject to notification). The encargado must impose equivalent obligations on any subencargado under Article 28.4 RGPD.

Data Subject Rights Assistance: The encargado must assist the responsable in responding to data subject rights requests — access (Article 15 RGPD), rectification (Article 16), erasure (Article 17), restriction (Article 18), portability (Article 20), and objection (Article 21) — within the deadlines established by Articles 12 and 22 RGPD.

Data Protection Impact Assessment Support: The encargado must assist the responsable in carrying out Data Protection Impact Assessments (Evaluaciones de Impacto relativas a la Protección de Datos — EIPD) under Article 35 RGPD where required, and in prior consultation with the AEPD under Article 36 RGPD.

Personal Data Breach Notification: The encargado must notify the responsable without undue delay (and within 72 hours maximum) of any personal data breach (violación de la seguridad) under Article 33 RGPD, providing sufficient information for the responsable to assess the risk and notify the AEPD if required.

Return or Deletion of Data: Upon termination of the DPA, the encargado must return or securely delete all personal data under Article 28.3(g) RGPD — within a specified timeframe — unless Spanish law requires retention of the data.

International Transfers: If the encargado or any subencargado will transfer personal data outside the EEA, the DPA must specify the transfer mechanism under Chapter V RGPD — Standard Contractual Clauses (CCT — Decisión 2021/914), adequacy decision, or BCR.

Forms-legal.com provides this Data Processing Agreement Spain template as a practical starting point. All DPAs should be reviewed by a qualified abogado specialising in protección de datos or a certified Delegado de Protección de Datos before execution, to confirm compliance with current AEPD enforcement positions and RGPD requirements.

Cite this page

CC BY 4.0 · free to cite

Reference this free template in an article, syllabus, or research note:

APA
Forms Legal. (2026). Data Processing Agreement (DPA) Spain (Spain) [Legal document template]. Forms Legal. https://forms-legal.com/espana/business/policies/data-processing-agreement-spain
MLA
"Data Processing Agreement (DPA) Spain (Spain)." Forms Legal, 2026, https://forms-legal.com/espana/business/policies/data-processing-agreement-spain.
Chicago
Forms Legal. "Data Processing Agreement (DPA) Spain (Spain)." Forms Legal, 2026. https://forms-legal.com/espana/business/policies/data-processing-agreement-spain.
BibTeX
@misc{formslegal-data-processing-agreement-spain,
  author       = {{Forms Legal}},
  title        = {Data Processing Agreement (DPA) Spain (Spain)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/espana/business/policies/data-processing-agreement-spain}},
  note         = {Free legal document template}
}
Wikipedia
{{cite web |title=Data Processing Agreement (DPA) Spain (Spain) |website=Forms Legal |publisher=Forms Legal |date=2026 |url=https://forms-legal.com/espana/business/policies/data-processing-agreement-spain}}
RIS
TY  - ELEC
T1  - Data Processing Agreement (DPA) Spain (Spain)
T2  - Forms Legal
PB  - Forms Legal
PY  - 2026
UR  - https://forms-legal.com/espana/business/policies/data-processing-agreement-spain
ER  - 
Forms LegalUpdated 2026-06-06.bib.ris

Also available for these jurisdictions:

Frequently Asked Questions

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know