GDPR compliance, data protection, cybersecurity, IT contracts and technology law.
Leading Spanish law firm specializing in corporate and M&A work with strong international capabilities
Major full-service law firm with extensive English-speaking team and international practice
Spanish law firm with strong corporate and tax practice serving multinational clients
Leading Spanish firm with international corporate and finance expertise
International law firm with strong presence in Madrid for corporate and finance work
Global firm with comprehensive legal services in Madrid
GDPR applies to any organisation that processes personal data of EU residents, regardless of where the organisation is based. A data protection lawyer can advise on compliance.
Fines can reach €20 million or 4% of global annual turnover (whichever is higher). A data protection lawyer can help implement compliant processes to minimise risk.
Browse our verified directory of law firms across Spain's major cities. All listed firms offer English-language legal services to expats and foreign nationals.
Spain implements RGPD (GDPR) through the Ley Orgánica 3/2018 de Protección de Datos y garantía de los Derechos Digitales (LOPDGDD). The Spanish supervisory authority is the Agencia Española de Protección de Datos (AEPD).

| Company | Fine | Year | Violation |
|---|---|---|---|
| Endesa Energía | €3,000,000 | 2022 | Illegal energy contract using third-party data without consent |
| Vodafone España | €8,150,000 | 2021 | Unlawful processing, inadequate security, spam |
| Caixabank | €6,000,000 | 2023 | RGPD art. 13/14 — inadequate information to clients |
| BBVA | €5,000,000 | 2021 | Insufficient transparency in data processing |
| Mercadona | €2,520,000 | 2021 | Illegal facial recognition system in stores (RGPD art. 9 biometric data) |

| Topic | Spanish Rule (LOPDGDD) |
|---|---|
| DPD (Data Protection Delegate) | Mandatory for public bodies, colleges, teaching centres, credit institutions, insurance companies, ISPs, gambling companies, advertising platforms (art. 34 LOPDGDD — broader list than RGPD) |
| Age of consent (menores) | 14 years (LOPDGDD art. 7 — Spain chose 14, EU minimum is 13) |
| Derecho al olvido digital | Specific right to request deletion from search engines, social networks (art. 93, 94 LOPDGDD) |
| Testamento digital | Right to designate a person to manage digital data after death (art. 96 LOPDGDD) |
| Derecho a la desconexión digital | Employees' right to digital disconnection outside working hours (art. 88 LOPDGDD — ET art. 20 bis) |
| Videovigilancia laboral | Employer may monitor employees via CCTV but must notify — covert monitoring requires specific legal basis (art. 89 LOPDGDD) |