Skip to main content

GDPR Data Collection Consent Form Spain (Consentimiento RGPD)

Key facts

SpainSpainEnglish (ES)FreePDF & WordUpdated Jun 6, 2026
Legal basisSpainNotarization: Not requiredWitnesses: 0Parties: 1
GDPR Data Collection Consent Form (Consentimiento RGPD)
GDPR Data Collection Consent Form Spain (Consentimiento RGPD)

FORMULARIO DE CONSENTIMIENTO PARA EL TRATAMIENTO DE DATOS PERSONALES

Formulario de Consentimiento RGPD — España

De conformidad con el Artículo 7 del Reglamento (UE) 2016/679 (RGPD) y la Ley Orgánica 3/2018 (LOPDGDD)

1. RESPONSABLE DEL TRATAMIENTO

Nombre de la Empresa: [Controller Name]

Domicilio Social: [Controller Address]

Contacto de Protección de Datos: [Controller Email]

Delegado de Protección de Datos (DPD): [DPD Contact]

2. INTERESADO

Nombre Completo: [Data Subject Name]

Correo Electrónico: [Data Subject Email]

3. INFORMACIÓN DEL TRATAMIENTO (Artículos 13-14 RGPD)

Finalidades del Tratamiento:

Categorías de Datos Personales:

Destinatarios de los Datos y Cesión a Terceros:

Plazo de Conservación:

4. DERECHOS DEL INTERESADO (Artículos 15-22 RGPD)

El interesado dispone de los siguientes derechos en relación con sus datos personales tratados por [Controller Name]:

— Derecho de acceso (Artículo 15 RGPD): obtener confirmación de si se están tratando sus datos y una copia de los mismos;

— Derecho de rectificación (Artículo 16 RGPD): corregir datos inexactos o incompletos;

— Derecho de supresión ('derecho al olvido' — Artículo 17 RGPD): solicitar la eliminación de los datos;

— Derecho de limitación (Artículo 18 RGPD): limitar el tratamiento en circunstancias determinadas;

— Derecho a la portabilidad (Artículo 20 RGPD): recibir los datos en un formato estructurado y de uso común;

— Derecho de oposición (Artículo 21 RGPD): oponerse al tratamiento basado en el interés legítimo.

Estos derechos pueden ejercerse contactando con: [Controller Email].

El interesado tiene derecho a presentar una reclamación ante la Agencia Española de Protección de Datos (AEPD) en www.aepd.es, conforme al Artículo 77 RGPD.

5. RETIRADA DEL CONSENTIMIENTO (Artículo 7.3 RGPD)

El interesado podrá retirar su consentimiento en cualquier momento contactando con [Controller Email]. La retirada del consentimiento será tan sencilla como su otorgamiento. La retirada no afectará a la licitud del tratamiento basado en el consentimiento previo a su retirada. Tras la retirada, [Controller Name] cesará la actividad de tratamiento para la que el consentimiento constituía la base legal en un plazo de 30 días, y suprimirá o anonimizará los datos salvo que otra base legal justifique su conservación.

6. DECLARACIÓN DE CONSENTIMIENTO

Yo, [Data Subject Name], confirmo que he leído y comprendido la información anterior, que presto mi consentimiento libre, específico, informado e inequívoco (Artículo 7 RGPD) al tratamiento de mis datos personales por parte de [Controller Name] para cada una de las finalidades descritas anteriormente, y que soy consciente de mi derecho a retirar este consentimiento en cualquier momento.

[ ] Consiento el tratamiento para: [Processing Purposes]

Firma: _________________________ Fecha: _________________________

Data Subject / Interesado

________________

Signature

Maintained by Vladislav Sergienko, Founder·Template last modified: ·Report an error

What Is a GDPR Data Collection Consent Form Spain (Consentimiento RGPD)?

A GDPR Data Collection Consent Form (Formulario de Consentimiento para el Tratamiento de Datos Personales) in Spain is a document through which a data subject (interesado) provides a data controller (responsable del tratamiento) with freely given, specific, informed, and unambiguous consent for the processing of their personal data, as required by Article 7 of Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo, de 27 de abril de 2016, relativo a la protección de las personas físicas en lo que respecta al tratamiento de datos personales (RGPD), supplemented in Spain by Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).

Consent under Article 7 of the RGPD is one of six legal bases for lawful processing listed in Article 6.1 of the RGPD — the others being contract performance (Article 6.1(b)), legal obligation (Article 6.1(c)), vital interests (Article 6.1(d)), public task (Article 6.1(e)), and legitimate interests (Article 6.1(f)). Consent is required — and is the appropriate legal basis — when none of the other five bases applies. In Spain, the Agencia Española de Protección de Datos (AEPD) has confirmed through binding decisions and guidelines that consent is the correct basis for: direct marketing to private individuals, newsletter subscriptions, cookie placement on websites, use of photographs or images for commercial purposes, and processing of special categories of data (datos especiales) under Article 9 of the RGPD — such as health data, biometric data, religious beliefs, political opinions, and trade union membership.

The RGPD imposes strict requirements on the validity of consent under Article 7 and Recital 32. Consent must be: freely given (libre) — not bundled with contract terms as a condition of receiving a service unless strictly necessary for that service; specific (específico) — given separately for each distinct processing purpose; informed (informado) — the data subject must have been provided with all information required by Articles 13 and 14 of the RGPD before giving consent; and unambiguous (inequívoco) — demonstrated by a clear affirmative act such as ticking a box or signing a document. Pre-ticked boxes, silence, and inactivity do not constitute valid consent under Article 7.2 of the RGPD and Recital 32.

Ley Orgánica 3/2018 (LOPDGDD) adapts the RGPD to the Spanish legal context and adds specific national provisions. Article 7 of the LOPDGDD sets the age of consent for data processing purposes at 14 years (lower than the RGPD's default of 16, using the national derogation permitted by Article 8.1 RGPD) — below age 14, parental or guardian consent is required. Article 8 of the LOPDGDD governs processing of child data in the context of internet services. Articles 11-16 of the LOPDGDD establish special rules for processing based on consent in employment, healthcare, and financial services contexts.

The AEPD has sanctioned numerous Spanish companies for invalid consent — including Vodafone (€8.15 million in 2020), Caixabank, and BBVA — for collecting consent through bundled clauses, pre-ticked boxes, or without adequate information. The AEPD's Sede Electrónica (aepd.es) publishes guidance documents (guías prácticas), templates (modelos de cláusulas), and binding decisions that constitute the authoritative Spanish interpretation of RGPD consent requirements.

When Do You Need a GDPR Data Collection Consent Form Spain (Consentimiento RGPD)?

A GDPR Consent Form in Spain is required whenever a data controller processes personal data based on the consent legal basis under Article 6.1(a) of the RGPD — meaning when none of the other five lawful bases applies and explicit consent is the only valid grounds for the specific processing activity.

A Consentimiento RGPD form is needed for direct marketing (comunicaciones comerciales) sent to private individuals by email, SMS, phone, or post. Under Ley 34/2002 (LSSI) Article 21 and the RGPD, sending unsolicited commercial communications to natural persons requires prior explicit consent — the so-called opt-in requirement. Businesses using CRM systems (Customer Relationship Management) must obtain a documented consent for each marketing channel separately.

A RGPD consent form is required for cookie placement on websites beyond technically necessary cookies. Under the AEPD's Cookie Guidelines (Guía sobre el uso de las cookies), analytics cookies, advertising cookies, and social media tracking cookies require prior informed consent through a cookie consent mechanism compliant with Article 7 of the RGPD. The consent mechanism must offer genuine choice — no dark patterns, no pre-consent to non-essential cookies.

A Consentimiento form is needed for processing photographs, videos, or voice recordings of identifiable individuals for commercial or promotional purposes. Under Article 2 of Ley Orgánica 1/1982 de protección civil del derecho al honor, a la intimidad personal y familiar y a la propia imagen, use of a person's image requires their consent. This intersects with the RGPD since photographs and videos of identifiable persons constitute personal data under Article 4.1 RGPD.

A RGPD consent form is required for processing special categories of personal data (datos especiales de categoría especial) under Article 9 of the RGPD — including health data, biometric data used for identification, genetic data, data revealing racial or ethnic origin, religious beliefs, political opinions, trade union membership, or sexual orientation. For special category data, Article 9.2(a) RGPD requires explicit consent (consentimiento explícito) — a higher standard than ordinary consent under Article 6.1(a).

A consent form is needed in employment contexts when an employer wishes to process employee data beyond what is strictly necessary for the employment contract or legal obligations — for example, wellness app participation, voluntary health screening programs, or publication of employee photos on the company website. The AEPD has noted that consent from employees must account for the inherent power imbalance in the employment relationship, which may affect the freedom of consent.

What to Include in Your GDPR Data Collection Consent Form Spain (Consentimiento RGPD)

A valid GDPR Consent Form in Spain under Article 7 of the RGPD and the AEPD's guidelines must contain the following elements to constitute legally effective consent and withstand scrutiny by the Agencia Española de Protección de Datos (AEPD) in the event of a complaint or audit.

Identity of the Data Controller: The full name or company name, NIF, registered address, and contact details of the data controller (responsable del tratamiento) responsible for processing the personal data. Where a Data Protection Officer (Delegado de Protección de Datos — DPD) has been appointed under Articles 37-39 of the RGPD — mandatory for public authorities, large-scale data processors, and processors of special category data — the DPD's contact details must also be provided.

Specific Processing Purposes: A clear, specific description of each distinct purpose for which consent is being requested — e.g. sending promotional emails, personalising digital advertising, processing health data for wellness programs. Each purpose must be described separately, with a separate consent checkbox, so that consent is granular and purpose-specific as required by Article 7.2 RGPD and the principle of purpose limitation under Article 5.1(b) RGPD.

Categories of Personal Data: The specific categories of personal data to be processed — name, email address, health data, biometric data, location data, browsing data — so that the data subject knows exactly what information is being collected. For special categories under Article 9 RGPD, the specific type of special category data must be identified, and explicit consent (consentimiento explícito) must be obtained separately.

Data Recipients: Information on whether the personal data will be shared with third parties (destinatarios), and if so, who they are — categories of recipients, specific third-party companies, or international transfers outside the EU/EEA. For international transfers under Articles 44-49 of the RGPD, the country of destination and the safeguards applicable (e.g. EU Standard Contractual Clauses — Cláusulas Contractuales Tipo) must be identified.

Retention Period: The specific period for which the data will be retained under the principle of storage limitation (Article 5.1(e) RGPD), or the criteria used to determine the retention period. The AEPD requires that retention periods be specific, not open-ended — stating "as long as necessary" without further specification is not compliant.

Data Subject Rights: A clear explanation of the data subject's rights under Articles 15-22 of the RGPD — right of access (acceso), rectification (rectificación), erasure (supresión), restriction (limitación), portability (portabilidad), and objection (oposición) — and how to exercise them (contact email or form, response timeframe). The right to lodge a complaint with the AEPD (aepd.es) must also be stated under Article 13.2(d) RGPD.

Withdrawal of Consent: A statement that consent may be withdrawn at any time under Article 7.3 RGPD, without affecting the lawfulness of processing based on consent before withdrawal, and specifying the mechanism for withdrawal. Forms-legal.com provides this RGPD Consent Form as a starting point. All consent forms should be reviewed by a qualified data protection professional (DPD or asesor de protección de datos) to confirm compliance with AEPD guidelines and the LOPDGDD national requirements.

Additional compliance elements for a GDPR Data Collection Consent Form Spain (Consentimiento RGPD) used in Spain include: Under Spanish law, the Código Civil governs marriage (Article 66), divorce (Article 81), custody (Article 92), and maintenance (Article 142). The Ley Orgánica 1/1996 (LOPJM) protects minors. The Registro Civil records births, marriages, and deaths. The Ley 15/2015 de Jurisdicción Voluntaria governs non-contentious proceedings. The Ley Orgánica 1/1982 protects fundamental rights including image and privacy. Forms-legal.com provides this template as a starting point for Spain-compliant documentation.

Cite this page

CC BY 4.0 · free to cite

Reference this free template in an article, syllabus, or research note:

APA
Forms Legal. (2026). GDPR Data Collection Consent Form Spain (Consentimiento RGPD) (Spain) [Legal document template]. Forms Legal. https://forms-legal.com/espana/personal/consent/gdpr-data-collection-consent-form-spain
MLA
"GDPR Data Collection Consent Form Spain (Consentimiento RGPD) (Spain)." Forms Legal, 2026, https://forms-legal.com/espana/personal/consent/gdpr-data-collection-consent-form-spain.
Chicago
Forms Legal. "GDPR Data Collection Consent Form Spain (Consentimiento RGPD) (Spain)." Forms Legal, 2026. https://forms-legal.com/espana/personal/consent/gdpr-data-collection-consent-form-spain.
BibTeX
@misc{formslegal-gdpr-data-collection-consent-form-spain,
  author       = {{Forms Legal}},
  title        = {GDPR Data Collection Consent Form Spain (Consentimiento RGPD) (Spain)},
  year         = {2026},
  howpublished = {\url{https://forms-legal.com/espana/personal/consent/gdpr-data-collection-consent-form-spain}},
  note         = {Free legal document template}
}
Wikipedia
{{cite web |title=GDPR Data Collection Consent Form Spain (Consentimiento RGPD) (Spain) |website=Forms Legal |publisher=Forms Legal |date=2026 |url=https://forms-legal.com/espana/personal/consent/gdpr-data-collection-consent-form-spain}}
RIS
TY  - ELEC
T1  - GDPR Data Collection Consent Form Spain (Consentimiento RGPD) (Spain)
T2  - Forms Legal
PB  - Forms Legal
PY  - 2026
UR  - https://forms-legal.com/espana/personal/consent/gdpr-data-collection-consent-form-spain
ER  - 
Forms LegalUpdated 2026-06-06.bib.ris

Frequently Asked Questions

Statute-referenced template — Template last modified June 2026

This template is provided for informational purposes only and does not constitute legal advice. Laws vary by jurisdiction and change over time. Consult a qualified attorney for advice specific to your situation.Full disclaimer

Found an error? Let us know

Related Documents

You may also find these documents useful:

Acuerdo de Encargado del Tratamiento de Datos España

Acuerdo de Encargado del Tratamiento (AET) para España — exigido por el artículo 28 del RGPD y la LOPDGDD 3/2018, que regula el tratamiento de datos personales por el encargado en nombre del responsable, bajo supervisión de la AEPD.

Formulario de Baja de Suscripción (España)

Formulario de Baja de Suscripción para España, conforme al artículo 102 de la Ley 3/2014 y el Real Decreto Legislativo 1/2007 (TRLGDCU), que permite a los consumidores cancelar suscripciones periódicas, membresías y contratos de servicios con plena cobertura legal.

Acuerdo de Confidencialidad España — Ley 1/2019 de Secretos Empresariales

Acuerdo de Confidencialidad (NDA) para España conforme al artículo 1255 del Código Civil, la Ley Orgánica 3/2018 (LOPDGDD) y la Ley 1/2019 de Secretos Empresariales, que protege la información empresarial confidencial, los secretos comerciales y los datos exclusivos en relaciones comerciales.

Contrato de Trabajo Indefinido España

Contrato de Trabajo Indefinido para España — conforme al Estatuto de los Trabajadores (RDL 2/2015), artículos 15 y 49, estableciendo una relación laboral por tiempo indefinido con alta en la Tesorería General de la Seguridad Social (TGSS).

Aviso Legal — España

Un Aviso Legal para España — obligatorio conforme al artículo 10 de la Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSI-CE, Ley 34/2002), divulgando la identidad, los datos de contacto y la información regulatoria del titular del sitio web para cumplir con la legislación española de comercio electrónico.