Elevate

LOPDGDD Spain Privacy Compliance

Operationalize GDPR compliance in Spain with LOPDGDD-specific requirements—from records of processing and DPO obligations to digital rights and audit-ready evidence.

LOPDGDD readiness assessment + remediation plan aligned to GDPR and Spain-specific requirements   

ROPA + accountability evidence (records of processing, processor controls, DPIA support)     

Spain-specific obligations: DPO appointment triggers, minors’ consent (14+), “data blocking,” and workplace digital rights

What the LOPDGDD is (and what it changes)

LOPDGDD (Organic Law 3/2018) is Spain’s national data protection law that adapts Spanish law to the GDPR and supplements it, while also establishing a set of “digital rights.”

The core shift for buyers and regulators in Spain: “GDPR compliance” must include Spain-specific operational requirements, not just GDPR templates, especially around DPO appointment triggers, children’s consent, records of processing, “blocking” rules, and employee digital rights.

LOPDGDD timeline (dates you can plan to)

  • In force since December 2018 (entered into force the day after publication in Spain’s Official State Gazette).   
  • Updated in May 2023 (procedural and enforcement-related adjustments referenced by AEPD).

What this means right now (2026)

In 2026, the priority is defensible evidence: a privacy program that can withstand AEPD scrutiny and enterprise due diligence—especially where Spain-specific rules apply (DPO triggers, minors, workplace monitoring, and data blocking).   

Who LOPDGDD applies to

LOPDGDD applies to organizations processing personal data in Spain as part of the broader GDPR framework it supplements. It also matters for non-EU organizations operating under GDPR’s extraterritorial scope: when GDPR applies and the affected individuals are in Spain, Spain’s authority framework can also come into play—LOPDGDD includes provisions for EU representatives and related liability concepts under certain conditions.

What “LOPDGDD-ready” means in practice

1) A GDPR program that includes Spain’s add-ons

Your baseline must align with GDPR, plus LOPDGDD’s Spain-specific requirements and digital rights framework.

2) Records of processing (ROPA) that are real—and maintained

Controllers and processors must maintain a record of processing activities (GDPR Art. 30), and LOPDGDD includes additional expectations such as keeping the DPO informed of meaningful changes when one is designated.

3) “Data blocking” operational procedure (often missed)

LOPDGDD introduces “blocking” as a defined practice: when data is rectified or erased, the organization may need to restrict processing while reserving data only for potential liabilities and competent authorities, then destroy it after limitation periods.

4) DPO appointment triggers beyond GDPR-only assumptions

LOPDGDD lists specific entity types that must appoint a DPO (e.g., schools / universities, many financial entities, insurers, certain telecom providers, health centers, and more), and sets rules for notifying the authority and maintaining an updated DPO directory. ​

5) Children’s consent age in Spain (14+)

Spain sets the consent threshold at 14 years old for consent-based processing; under 14 requires parental/guardian consent (with legal exceptions).

6) Workplace digital rights (policy + proof)

LOPDGDD includes digital rights in employment contexts—such as privacy in employer-provided digital devices, digital disconnection, and limits/notice expectations around workplace monitoring.

How Elevate Consult supports LOPDGDD readiness

  • Confirm applicable LOPDGDD “Spain add-ons” impacting your program   
  • Identify DPO obligation triggers and reporting/notification requirements   
  • Prioritize remediation based on risk, due diligence pressure, and enforcement exposure  
  • ROPA build/cleanup + operating procedures aligned to real workflows   
  • Processor controls (DPAs, sub-processor governance) aligned to GDPR’s contractual baseline referenced throughout the law   
  • Data retention + “blocking” workflow implementation and evidence   
  • Minors data handling controls + consent validation patterns (14+)   
  • Employee digital rights policy set (devices, monitoring, disconnection) with proof of communication and governance   
  • LOPDGDD/GDPR Requirements Matrix + Gap Assessment   
  • ROPA Pack (templates + operating process + update cadence)   
  • DPO Determination Pack (is it required, why, and how to operationalize)   
  • Data Blocking Procedure (when to block, how, evidence, retention alignment)   
  • Minors Consent Pack (Spain 14+ rules + controls + proof)   
  • Workplace Digital Rights Pack (policies + governance + communication artifacts) 
  • LOPDGDD Readiness Sprint (2–4 weeks): scope, gap assessment, roadmap  
  • Implementation Support (co-sourced): remediation + evidence library build  
  • Continuous Oversight: ongoing privacy operations support, due diligence, and audit readiness  

Why Elevate Consult for LOPDGDD

Spain-ready evidence, not generic GDPR templates: We build the artifacts that stand up in Spain—DPO triggers, minors consent, data blocking workflows, and workplace digital rights.   
Faster due diligence for EU buyers: We turn privacy posture into buyer-usable proof (ROPA, DPAs, governance, training) that reduces repetitive questionnaires and escalations.   
Operational controls that survive scrutiny: We focus on execution and traceability—what’s implemented, how it’s maintained, and how you prove it.   

FAQ

1) What is the LOPDGDD?

LOPDGDD is Spain’s Organic Law 3/2018 that adapts Spanish law to the GDPR and supplements it, while also establishing a set of digital rights.   

6) What is “data blocking” under Spanish law?  

LOPDGDD defines “blocking” as restricting processing while reserving data so it’s only available to courts, prosecutors, or competent authorities for potential liabilities during limitation periods—then destroyed afterward.   

2) How does LOPDGDD relate to GDPR?  

GDPR is directly applicable EU law; LOPDGDD complements it at the national level—adding Spain-specific rules (e.g., minors consent age, DPO triggers, data blocking, digital rights).

7) What workplace “digital rights” are relevant to employers?  

LOPDGDD includes employee digital rights such as privacy protections for employer-provided devices, a right to digital disconnection, and limits/notice expectations around monitoring and geolocation in employment contexts.

3) When did LOPDGDD take effect?  

It entered into force the day after publication in the BOE, and has been in force since December 2018.    periods.   

8) Is maintaining a ROPA (record of processing activities) required?  

Yes! controllers and processors must maintain a record of processing activities, and LOPDGDD includes additional operating expectations (e.g., DPO awareness of changes when designated)

4) What is the age of consent for minors in Spain?

For consent-based processing, Spain sets the threshold at over 14 years old. Under 14 requires parental/guardian consent (subject to legal exceptions).

9) Has LOPDGDD changed recently?  

There have been modifications (including updates referenced by AEPD in May 2023), reinforcing the need to keep governance and procedures current.   

5) When is a Data Protection Officer (DPO) mandatory under LOPDGDD?  

Beyond GDPR’s general cases, LOPDGDD lists specific entities that must appoint a DPO (including schools/universities, many financial and insurance entities, certain telecom and online profiling contexts, health centers legally obliged to keep medical records, and others).   

Ready to Build a Spain-Ready Privacy Program Buyers Trust?

Whether you’re tightening an existing GDPR program or expanding into Spain, we’ll assess LOPDGDD-specific obligations, implement the missing controls (ROPA, DPO triggers, digital rights, data blocking), and build an evidence library that accelerates enterprise due diligence.