
Privacy Policy Spain (Política de Privacidad LOPDGDD)


PRIVACY POLICY

[Company Name] | [Website URL]

Last updated: [Policy Date]

1. DATA CONTROLLER

Company name: [Company Name]

NIF/CIF: [Company NIF]

Registered office: [Company Address]

Contact email: [Contact Email]

Data Protection Officer (DPO): [DPO Email]

2. LEGAL BASES AND PURPOSES OF PROCESSING

Your personal data is processed in accordance with Regulation (EU) 2016/679 (RGPD) and Ley Orgánica 3/2018 (LOPDGDD). The applicable legal bases are the following:

3. DATA SUBJECT RIGHTS

In accordance with Articles 15 to 22 of the RGPD, you have the right to: access your personal data; rectify inaccurate data; request erasure (right to be forgotten); restrict processing; data portability; object to processing; and not be subject to automated decisions. To exercise your rights, contact: [Contact Email]. You have the right to lodge a complaint with the Agencia Española de Protección de Datos (AEPD) at www.aepd.es.

4. COOKIES

For information on the cookies used on [Website URL], see our Cookie Policy, available in the footer of the website.

Maintained by Vladislav Sergienko, Founder

What Is a Privacy Policy Spain (Política de Privacidad LOPDGDD)?

A Privacy Policy Spain (Política de Privacidad) is a mandatory legal document required of any organisation that processes personal data of individuals in Spain, setting out how personal data is collected, used, stored, shared, and protected — governed by the Reglamento (UE) 2016/679 General de Protección de Datos (RGPD), directly applicable in all EU Member States, and by the Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y Garantía de los Derechos Digitales (LOPDGDD), which supplements and specifies the RGPD in Spain. Article 13 RGPD and Article 11 LOPDGDD establish the information that must be provided to data subjects at the time of data collection.

The Agencia Española de Protección de Datos (AEPD) is the Spanish supervisory authority (autoridad de control) responsible for enforcing the RGPD and LOPDGDD, with powers to investigate complaints, conduct audits, issue binding orders, and impose administrative fines of up to €20 million or 4% of the global annual turnover of the undertaking under Article 83 RGPD. Spain was one of the first EU countries to impose significant RGPD fines — the AEPD issued fines against Vodafone España (€8.15 million in 2020), Google LLC (€10 million in 2022), and BBVA (€5 million in 2022), among others.

The RGPD establishes seven core data protection principles that the Política de Privacidad must reflect: (1) lawfulness, fairness, and transparency (licitud, lealtad y transparencia — Article 5.1(a)); (2) purpose limitation (limitación de la finalidad — Article 5.1(b)); (3) data minimisation (minimización de datos — Article 5.1(c)); (4) accuracy (exactitud — Article 5.1(d)); (5) storage limitation (limitación del plazo de conservación — Article 5.1(e)); (6) integrity and confidentiality (integridad y confidencialidad — Article 5.1(f)); and (7) accountability (responsabilidad proactiva — Article 5.2).

The LOPDGDD introduces several Spain-specific provisions supplementing the RGPD. Article 7 LOPDGDD sets the minimum age for digital consent at 14 years (younger than the 16-year default permitted by RGPD Article 8). Article 17 LOPDGDD governs data processing in employment relationships (relación laboral), including CCTV, geolocation, and employee monitoring. Articles 79 to 97 LOPDGDD establish specific digital rights (derechos digitales) including the right to digital disconnection (derecho a la desconexión digital), the right not to be subject to algorithmic profiling without transparency, and specific protections for whistleblowers.

The Política de Privacidad must address data processing across all channels through which the organisation collects personal data — website contact forms, e-commerce checkout, newsletter subscriptions, loyalty programmes, employee data, and B2B contact databases. Each processing activity requires a legal basis under Article 6 RGPD: consent (consentimiento — Article 6.1(a)), contract performance (ejecución de contrato — Article 6.1(b)), legal obligation (obligación legal — Article 6.1(c)), vital interests (intereses vitales — Article 6.1(d)), public task (interés público — Article 6.1(e)), or legitimate interests (intereses legítimos — Article 6.1(f)), the last requiring a documented balancing test.

The legal framework governing the Privacy Policy Spain (Política de Privacidad LOPDGDD) in Spain draws on several key statutes and regulatory bodies. Under the Ley de Sociedades de Capital (LSC) RDL 1/2010, the Registro Mercantil maintains the register of Spanish companies. The Código de Comercio 1885 governs commercial obligations. The Agencia Estatal de Administración Tributaria (AEAT) administers Impuesto sobre Sociedades (IS) under Ley 27/2014. The Comisión Nacional de los Mercados y la Competencia (CNMC) enforces competition law. The Código Civil governs general contractual obligations under Article 1255. Parties executing a Privacy Policy Spain (Política de Privacidad LOPDGDD) in Spain should confirm the document reflects current law, including any amendments enacted since the original drafting date. The LOPDGDD (Ley Orgánica 3/2018, art. 13) and the RGPD (UE) 2016/679 set the foundational requirements.

When Do You Need a Privacy Policy Spain (Política de Privacidad LOPDGDD)?

A Privacy Policy Spain is legally required for any organisation — company, autónomo, association, or public body — that processes personal data of natural persons resident in Spain or in the EU, regardless of where the organisation is based.

A Política de Privacidad is required for any website that collects personal data — including contact forms, newsletter sign-ups, user accounts, and e-commerce checkboxes — under Article 13 RGPD, which requires information to be provided at the point of data collection.

The policy is required for any app or digital service (servicio de la sociedad de la información) that processes user data, as reinforced by Article 11 LOPDGDD and the LSSI obligation to display a privacy policy accessible from the site's main navigation or footer.

A Política de Privacidad is needed for any Spanish employer processing employee personal data — including payroll data, health and absence records, CCTV footage, and computer monitoring — under Article 17 LOPDGDD, which requires that employees be specifically informed of the processing activities to which their data is subject.

The policy is required when a company processes customer data for direct marketing (marketing directo) — sending commercial communications by email or SMS under Article 21 of the LSSI requires prior consent, and the Política de Privacidad must explain how this consent is obtained, how marketing preferences are managed, and how users may unsubscribe.

A Política de Privacidad update is needed when a new data processing activity begins, when a new third-party data processor (encargado del tratamiento) is engaged, when data is shared with a new category of recipients, or when data is transferred outside the EU. The RGPD accountability principle requires that the policy reflect the current actual data processing at all times.

Parties in Spain should prepare a Privacy Policy Spain (Política de Privacidad LOPDGDD) proactively rather than waiting for a dispute to arise. Courts interpret agreements based on the written terms rather than oral representations. Under the Ley de Sociedades de Capital (LSC) RDL 1/2010, the Registro Mercantil maintains the register of Spanish companies. The Código de Comercio 1885 governs commercial obligations. The Agencia Estatal de Administración Tributaria (AEAT) administers Impuesto sobre Sociedades (IS) under Ley 27/2014. The Comisión Nacional de los Mercados y la Competencia (CNMC) enforces competition law. The Código Civil governs general contractual obligations under Article 1255. Where the transaction involves regulated activities, prior approval from the relevant authority may be required before execution.

What to Include in Your Privacy Policy Spain (Política de Privacidad LOPDGDD)

A valid Privacy Policy Spain under RGPD Article 13 and LOPDGDD must contain the following essential elements to satisfy AEPD enforcement standards.

Identity and Contact Details of the Data Controller (Responsable del Tratamiento): Full legal name, registered address, NIF, and contact details of the data controller. Where a Data Protection Officer (Delegado de Protección de Datos — DPO) has been appointed under Article 37 RGPD or Article 34 LOPDGDD, the DPO's contact details must be provided. A DPO is mandatory for public authorities, organisations processing sensitive data at large scale, and organisations engaged in systematic large-scale monitoring of individuals.

Processing Activities and Purposes (Finalidades del Tratamiento): A clear description of each category of personal data processed (e.g. identification data, contact data, financial data, behavioural data) and the specific purpose for which each category is processed — consistent with the principle of purpose limitation under Article 5.1(b) RGPD.

Legal Basis for Each Processing Activity (Base Jurídica): The specific Article 6 RGPD legal basis for each processing purpose. Where the basis is legitimate interests (intereses legítimos), the policy should summarise the outcome of the balancing test. Where the basis is consent, the policy must explain how consent was obtained and how it may be withdrawn.

Data Recipients and Transfers (Destinatarios de los Datos): Identification of the categories of recipients to whom personal data are disclosed — including encargados del tratamiento (data processors such as cloud hosting providers, email service providers, and payment processors) and terceros (third parties). For international transfers outside the EEA, the transfer mechanism under Article 46 RGPD must be stated — Standard Contractual Clauses, Binding Corporate Rules, or adequacy decisions.

Retention Periods (Plazos de Conservación): The specific period for which personal data will be retained, or the criteria used to determine retention. Retention periods must reflect actual business needs and applicable statutory retention requirements — for example, accounting records must be retained for 6 years under Código de Comercio Article 30, and labour records for 4 years under the Estatuto de los Trabajadores.

Data Subject Rights (Derechos de los Interesados): A clear statement of all rights available under RGPD Articles 15 to 22 — access (acceso), rectification (rectificación), erasure / right to be forgotten (supresión / derecho al olvido), restriction of processing (limitación del tratamiento), data portability (portabilidad), objection (oposición), and rights related to automated decision-making and profiling (decisiones automatizadas y elaboración de perfiles). The procedure for exercising these rights (contact details, response timeline of one month under Article 12 RGPD) must be provided, as well as the right to lodge a complaint with the AEPD.

Cookie and Tracking Information: A reference to the Política de Cookies for information on tracking technologies, or a summary of cookie practices if a separate cookie policy is not published. Forms-legal.com provides this Privacy Policy Spain template as a practical starting point. Every Política de Privacidad must be tailored to the organisation's specific data processing activities — a generic template cannot substitute for a purpose-specific policy.

Under Spanish and EU data protection law, the RGPD (UE) 2016/679 is directly applicable in Spain. The LOPDGDD (Ley Orgánica 3/2018) supplements the RGPD. The Agencia Española de Protección de Datos (AEPD) at aepd.es supervises compliance and publishes guidance. The Comité Europeo de Protección de Datos (EDPB) issues guidelines at European level. The Registro de Actividades de Tratamiento (Article 30 RGPD) must be maintained internally.

Cite this page

Reference this free template in an article, syllabus, or research note:

APA

Forms Legal. (2026). Privacy Policy Spain (Política de Privacidad LOPDGDD) (Spain) [Legal document template]. Forms Legal. https://forms-legal.com/espana/business/policies/privacy-policy-spain



Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.


Related Documents

You may also find these documents useful:

Cookie Policy Spain (Política de Cookies España)

A Cookie Policy for Spain, governed by Article 22.2 of Ley 34/2002 (LSSI), in accordance with the RGPD (UE) 2016/679 and the LOPDGDD, covering consent management and cookie categorisation for Spanish websites.

HR Data Protection Policy Spain (Política de Protección de Datos en RRHH España)

Human Resources Data Protection Policy for Spain, governed by Article 88 of the LOPDGDD, covering the processing of employee data, workplace monitoring, and AEPD compliance for Spanish employers.

Return and Refund Policy Spain (Política de Devolución y Reembolso España)

Return and Refund Policy for Spain, governed by Article 102 of Ley 3/2014 (TRLGDCU), covering the 14-day right of withdrawal, refund deadlines, and exceptions for online and physical retailers.

Confidentiality Agreement Spain (Acuerdo de Confidencialidad España): Ley 1/2019 de Secretos Empresariales

Confidentiality Agreement (NDA) for Spain under Article 1255 of the Código Civil, Ley Orgánica 3/2018 (LOPDGDD), and Ley 1/2019 de Secretos Empresariales, protecting confidential business information, trade secrets, and proprietary data in commercial relationships.

SaaS Agreement Spain (Contrato de Software como Servicio)

Software as a Service Agreement for Spain governed by Article 23 of Ley 34/2002 (LSSI-CE), Real Decreto Legislativo 1/1996 (LPI), and Regulation (EU) 2016/679 (RGPD), setting out the terms of access to cloud software, subscription fees, data processing, and intellectual property ownership.