GDPR Data Collection Consent Form Spain (Consentimiento RGPD)

A GDPR Data Collection Consent Form (Formulario de Consentimiento para el Tratamiento de Datos Personales) in Spain is a document through which a data subject (interesado) provides a data controller (responsable del tratamiento) with freely given, specific, informed, and unambiguous consent for the processing of their personal data, as required by Article 7 of Reglamento (UE) 2016/679 del Parlamento Europeo y del Consejo, de 27 de abril de 2016, relativo a la protección de las personas físicas en lo que respecta al tratamiento de datos personales (RGPD), supplemented in Spain by Ley Orgánica 3/2018, de 5 de diciembre, de Protección de Datos Personales y garantía de los derechos digitales (LOPDGDD).

Consent under Article 7 of the RGPD is one of six legal bases for lawful processing listed in Article 6.1 of the RGPD — the others being contract performance (Article 6.1(b)), legal obligation (Article 6.1(c)), vital interests (Article 6.1(d)), public task (Article 6.1(e)), and legitimate interests (Article 6.1(f)). Consent is required — and is the appropriate legal basis — when none of the other five bases applies. In Spain, the Agencia Española de Protección de Datos (AEPD) has confirmed through binding decisions and guidelines that consent is the correct basis for: direct marketing to private individuals, newsletter subscriptions, cookie placement on websites, use of photographs or images for commercial purposes, and processing of special categories of data (datos especiales) under Article 9 of the RGPD — such as health data, biometric data, religious beliefs, political opinions, and trade union membership.

The RGPD imposes strict requirements on the validity of consent under Article 7 and Recital 32. Consent must be: freely given (libre) — not bundled with contract terms as a condition of receiving a service unless strictly necessary for that service; specific (específico) — given separately for each distinct processing purpose; informed (informado) — the data subject must have been provided with all information required by Articles 13 and 14 of the RGPD before giving consent; and unambiguous (inequívoco) — demonstrated by a clear affirmative act such as ticking a box or signing a document. Pre-ticked boxes, silence, and inactivity do not constitute valid consent under Article 7.2 of the RGPD and Recital 32.

Ley Orgánica 3/2018 (LOPDGDD) adapts the RGPD to the Spanish legal context and adds specific national provisions. Article 7 of the LOPDGDD sets the age of consent for data processing purposes at 14 years (lower than the RGPD's default of 16, using the national derogation permitted by Article 8.1 RGPD) — below age 14, parental or guardian consent is required. Article 8 of the LOPDGDD governs processing of child data in the context of internet services. Articles 11-16 of the LOPDGDD establish special rules for processing based on consent in employment, healthcare, and financial services contexts.

The AEPD has sanctioned numerous Spanish companies for invalid consent — including Vodafone (€8.15 million in 2020), Caixabank, and BBVA — for collecting consent through bundled clauses, pre-ticked boxes, or without adequate information. The AEPD's Sede Electrónica (aepd.es) publishes guidance documents (guías prácticas), templates (modelos de cláusulas), and binding decisions that constitute the authoritative Spanish interpretation of RGPD consent requirements.

A GDPR Consent Form in Spain is required whenever a data controller processes personal data based on the consent legal basis under Article 6.1(a) of the RGPD — meaning when none of the other five lawful bases applies and explicit consent is the only valid grounds for the specific processing activity.

A Consentimiento RGPD form is needed for direct marketing (comunicaciones comerciales) sent to private individuals by email, SMS, phone, or post. Under Ley 34/2002 (LSSI) Article 21 and the RGPD, sending unsolicited commercial communications to natural persons requires prior explicit consent — the so-called opt-in requirement. Businesses using CRM systems (Customer Relationship Management) must obtain a documented consent for each marketing channel separately.

A RGPD consent form is required for cookie placement on websites beyond technically necessary cookies. Under the AEPD's Cookie Guidelines (Guía sobre el uso de las cookies), analytics cookies, advertising cookies, and social media tracking cookies require prior informed consent through a cookie consent mechanism compliant with Article 7 of the RGPD. The consent mechanism must offer genuine choice — no dark patterns, no pre-consent to non-essential cookies.

A Consentimiento form is needed for processing photographs, videos, or voice recordings of identifiable individuals for commercial or promotional purposes. Under Article 2 of Ley Orgánica 1/1982 de protección civil del derecho al honor, a la intimidad personal y familiar y a la propia imagen, use of a person's image requires their consent. This intersects with the RGPD since photographs and videos of identifiable persons constitute personal data under Article 4.1 RGPD.

A RGPD consent form is required for processing special categories of personal data (datos especiales de categoría especial) under Article 9 of the RGPD — including health data, biometric data used for identification, genetic data, data revealing racial or ethnic origin, religious beliefs, political opinions, trade union membership, or sexual orientation. For special category data, Article 9.2(a) RGPD requires explicit consent (consentimiento explícito) — a higher standard than ordinary consent under Article 6.1(a).

A consent form is needed in employment contexts when an employer wishes to process employee data beyond what is strictly necessary for the employment contract or legal obligations — for example, wellness app participation, voluntary health screening programs, or publication of employee photos on the company website. The AEPD has noted that consent from employees must account for the inherent power imbalance in the employment relationship, which may affect the freedom of consent.

A valid GDPR Consent Form in Spain under Article 7 of the RGPD and the AEPD's guidelines must contain the following elements to constitute legally effective consent and withstand scrutiny by the Agencia Española de Protección de Datos (AEPD) in the event of a complaint or audit.

Identity of the Data Controller: The full name or company name, NIF, registered address, and contact details of the data controller (responsable del tratamiento) responsible for processing the personal data. Where a Data Protection Officer (Delegado de Protección de Datos — DPD) has been appointed under Articles 37-39 of the RGPD — mandatory for public authorities, large-scale data processors, and processors of special category data — the DPD's contact details must also be provided.

Specific Processing Purposes: A clear, specific description of each distinct purpose for which consent is being requested — e.g. sending promotional emails, personalising digital advertising, processing health data for wellness programs. Each purpose must be described separately, with a separate consent checkbox, so that consent is granular and purpose-specific as required by Article 7.2 RGPD and the principle of purpose limitation under Article 5.1(b) RGPD.

Categories of Personal Data: The specific categories of personal data to be processed — name, email address, health data, biometric data, location data, browsing data — so that the data subject knows exactly what information is being collected. For special categories under Article 9 RGPD, the specific type of special category data must be identified, and explicit consent (consentimiento explícito) must be obtained separately.

Data Recipients: Information on whether the personal data will be shared with third parties (destinatarios), and if so, who they are — categories of recipients, specific third-party companies, or international transfers outside the EU/EEA. For international transfers under Articles 44-49 of the RGPD, the country of destination and the safeguards applicable (e.g. EU Standard Contractual Clauses — Cláusulas Contractuales Tipo) must be identified.

Retention Period: The specific period for which the data will be retained under the principle of storage limitation (Article 5.1(e) RGPD), or the criteria used to determine the retention period. The AEPD requires that retention periods be specific, not open-ended — stating "as long as necessary" without further specification is not compliant.

Data Subject Rights: A clear explanation of the data subject's rights under Articles 15-22 of the RGPD — right of access (acceso), rectification (rectificación), erasure (supresión), restriction (limitación), portability (portabilidad), and objection (oposición) — and how to exercise them (contact email or form, response timeframe). The right to lodge a complaint with the AEPD (aepd.es) must also be stated under Article 13.2(d) RGPD.

Withdrawal of Consent: A statement that consent may be withdrawn at any time under Article 7.3 RGPD, without affecting the lawfulness of processing based on consent before withdrawal, and specifying the mechanism for withdrawal. Forms-legal.com provides this RGPD Consent Form as a starting point. All consent forms should be reviewed by a qualified data protection professional (DPD or asesor de protección de datos) to confirm compliance with AEPD guidelines and the LOPDGDD national requirements.

Additional compliance elements for a GDPR Data Collection Consent Form Spain (Consentimiento RGPD) used in Spain include: Under Spanish law, the Código Civil governs marriage (Article 66), divorce (Article 81), custody (Article 92), and maintenance (Article 142). The Ley Orgánica 1/1996 (LOPJM) protects minors. The Registro Civil records births, marriages, and deaths. The Ley 15/2015 de Jurisdicción Voluntaria governs non-contentious proceedings. The Ley Orgánica 1/1982 protects fundamental rights including image and privacy. Forms-legal.com provides this template as a starting point for Spain-compliant documentation.