LOPDGDD Spain Privacy Compliance
LOPDGDD readiness assessment + remediation plan aligned to GDPR and Spain-specific requirements
ROPA + accountability evidence (records of processing, processor controls, DPIA support)
Spain-specific obligations: DPO appointment triggers, minors’ consent (14+), “data blocking,” and workplace digital rights
What the LOPDGDD is (and what it changes)
LOPDGDD (Organic Law 3/2018) is Spain’s national data protection law that adapts Spanish law to the GDPR and supplements it, while also establishing a set of “digital rights.”
The core shift for buyers and regulators in Spain: “GDPR compliance” must include Spain-specific operational requirements, not just GDPR templates, especially around DPO appointment triggers, children’s consent, records of processing, “blocking” rules, and employee digital rights.
LOPDGDD timeline (dates you can plan to)
- In force since December 2018 (entered into force the day after publication in Spain’s Official State Gazette).
- Updated in May 2023 (procedural and enforcement-related adjustments referenced by AEPD).
What this means right now (2026)
In 2026, the priority is defensible evidence: a privacy program that can withstand AEPD scrutiny and enterprise due diligence—especially where Spain-specific rules apply (DPO triggers, minors, workplace monitoring, and data blocking).
Who LOPDGDD applies to
What “LOPDGDD-ready” means in practice
1) A GDPR program that includes Spain’s add-ons
2) Records of processing (ROPA) that are real—and maintained
3) “Data blocking” operational procedure (often missed)
4) DPO appointment triggers beyond GDPR-only assumptions
5) Children’s consent age in Spain (14+)
6) Workplace digital rights (policy + proof)
How Elevate Consult supports LOPDGDD readiness
LOPDGDD Readiness Assessment (Scope → Gaps → Roadmap)
- Confirm applicable LOPDGDD “Spain add-ons” impacting your program
- Identify DPO obligation triggers and reporting/notification requirements
- Prioritize remediation based on risk, due diligence pressure, and enforcement exposure
Evidence-led implementation (not “policy theater”)
- ROPA build/cleanup + operating procedures aligned to real workflows
- Processor controls (DPAs, sub-processor governance) aligned to GDPR’s contractual baseline referenced throughout the law
- Data retention + “blocking” workflow implementation and evidence
Spain-specific programs
- Minors data handling controls + consent validation patterns (14+)
- Employee digital rights policy set (devices, monitoring, disconnection) with proof of communication and governance
What you get (deliverables)
- LOPDGDD/GDPR Requirements Matrix + Gap Assessment
- ROPA Pack (templates + operating process + update cadence)
- DPO Determination Pack (is it required, why, and how to operationalize)
- Data Blocking Procedure (when to block, how, evidence, retention alignment)
- Minors Consent Pack (Spain 14+ rules + controls + proof)
- Workplace Digital Rights Pack (policies + governance + communication artifacts)
Engagement options
- LOPDGDD Readiness Sprint (2–4 weeks): scope, gap assessment, roadmap
- Implementation Support (co-sourced): remediation + evidence library build
- Continuous Oversight: ongoing privacy operations support, due diligence, and audit readiness
Why Elevate Consult for LOPDGDD
Spain-ready evidence, not generic GDPR templates: We build the artifacts that stand up in Spain—DPO triggers, minors consent, data blocking workflows, and workplace digital rights.
Faster due diligence for EU buyers: We turn privacy posture into buyer-usable proof (ROPA, DPAs, governance, training) that reduces repetitive questionnaires and escalations.
Operational controls that survive scrutiny: We focus on execution and traceability—what’s implemented, how it’s maintained, and how you prove it.
FAQ
1) What is the LOPDGDD?
LOPDGDD is Spain’s Organic Law 3/2018 that adapts Spanish law to the GDPR and supplements it, while also establishing a set of digital rights.
6) What is “data blocking” under Spanish law?
LOPDGDD defines “blocking” as restricting processing while reserving data so it’s only available to courts, prosecutors, or competent authorities for potential liabilities during limitation periods—then destroyed afterward.
2) How does LOPDGDD relate to GDPR?
GDPR is directly applicable EU law; LOPDGDD complements it at the national level—adding Spain-specific rules (e.g., minors consent age, DPO triggers, data blocking, digital rights).
7) What workplace “digital rights” are relevant to employers?
LOPDGDD includes employee digital rights such as privacy protections for employer-provided devices, a right to digital disconnection, and limits/notice expectations around monitoring and geolocation in employment contexts.
3) When did LOPDGDD take effect?
It entered into force the day after publication in the BOE, and has been in force since December 2018. periods.
8) Is maintaining a ROPA (record of processing activities) required?
Yes! controllers and processors must maintain a record of processing activities, and LOPDGDD includes additional operating expectations (e.g., DPO awareness of changes when designated).
4) What is the age of consent for minors in Spain?
For consent-based processing, Spain sets the threshold at over 14 years old. Under 14 requires parental/guardian consent (subject to legal exceptions).
9) Has LOPDGDD changed recently?
There have been modifications (including updates referenced by AEPD in May 2023), reinforcing the need to keep governance and procedures current.
5) When is a Data Protection Officer (DPO) mandatory under LOPDGDD?
Beyond GDPR’s general cases, LOPDGDD lists specific entities that must appoint a DPO (including schools/universities, many financial and insurance entities, certain telecom and online profiling contexts, health centers legally obliged to keep medical records, and others).