{"id":5588,"date":"2026-06-04T09:52:41","date_gmt":"2026-06-04T09:52:41","guid":{"rendered":"https:\/\/levantic.es\/?p=5588"},"modified":"2026-06-04T12:09:21","modified_gmt":"2026-06-04T12:09:21","slug":"gdpr-and-spanish-data-rules-for-small-businesses-what-you-actually-need","status":"publish","type":"post","link":"https:\/\/levantic.es\/es\/gdpr-and-spanish-data-rules-for-small-businesses-what-you-actually-need\/","title":{"rendered":"GDPR and Spanish data rules for small businesses: what you actually need"},"content":{"rendered":"
\n

A quick note before we start.<\/strong> This is general information, not legal advice. Spanish data and e-commerce rules depend on your specific situation, and for anything binding you should speak to a gestor<\/em> or a data protection lawyer. What follows is the plain-English picture so you know what to ask about \u2014 and where the technical work sits. Levantic handles the technical side and works alongside your adviser, not in place of them.<\/p>\n<\/blockquote>\n\n\n\n

Few sets of letters rattle a small business owner quite like “GDPR.” It arrives with a vague sense that you’re probably already doing something wrong, that there’s a form you forgot to file, and that a large fine is one mistake away. The reality is calmer. Most of the rules are manageable, a lot of the fear comes from misconceptions, and once the basics are set up properly they mostly stay set up. Here are the main lines.<\/p>\n\n\n\n

\"\"<\/figure>\n\n\n\n

GDPR vs. LOPDGDD: what’s the difference<\/h2>\n\n\n\n

You’ll see both names, and you need to know both. The GDPR is the EU-wide regulation \u2014 it applies directly in every member state, Spain included. The LOPDGDD is Spain’s own national law, in force since December 2018, that fills in the areas where the GDPR deliberately leaves room for national rules: things like the age at which someone can consent, certain sectors that must appoint a data protection officer, and digital rights in the workplace. If you operate in Spain, you comply with both. (You’ll also hear the GDPR called the RGPD<\/em> in Spanish \u2014 same thing.)<\/p>\n\n\n\n

The registration myth<\/h2>\n\n\n\n

This is the single most common worry we hear: “Don’t I have to register my customer database with the AEPD?”<\/em> No. Spain’s old requirement to register data “files” with the data protection agency was scrapped in 2018 when the GDPR took over. There is no general registration step, no form to submit before you start, and no licence to wait for.<\/p>\n\n\n\n

What replaced it is lighter than it sounds: you keep your own internal record of what personal data you handle and why. You only contact the AEPD in specific situations \u2014 most notably to report a data breach.<\/p>\n\n\n\n

What you actually do need<\/h2>\n\n\n\n

Three quiet fundamentals do most of the work:<\/p>\n\n\n\n

A lawful basis<\/strong> for each thing you do with personal data \u2014 usually consent, a contract, or a legitimate interest. A privacy notice<\/strong> that plainly tells people what you collect, why, and what rights they have. And a Record of Processing Activities (RoPA)<\/strong> \u2014 that internal log describing your data processing. Very small businesses can be exempt from the RoPA in narrow cases, but if you handle customer data regularly it’s simpler to just keep one. None of this requires a lawyer on retainer. It requires doing it once, properly.<\/p>\n\n\n\n

Your website: legal notice, cookie banner, policies<\/h2>\n\n\n\n

If your website represents a business, Spanish law (the LSSI) expects a legal notice<\/strong> \u2014 an aviso legal<\/em> \u2014 identifying the company: name, tax ID, registered address and contact details. Alongside it you’ll usually want a pol\u00edtica de privacidad<\/strong> and a cookie policy<\/strong>.<\/p>\n\n\n\n

The cookie banner<\/strong> is where most sites slip up. Non-essential cookies \u2014 analytics, advertising, tracking \u2014 must not load until the visitor actively agrees. Your banner needs an “Accept” and a “Reject” option that are equally easy to use; you can’t make rejecting harder than accepting, and a visitor scrolling or continuing to browse does not count as consent. You also need layered information: a short notice up front and a full cookie policy behind it. This reflects the AEPD’s cookie guidance, updated in 2024.<\/p>\n\n\n\n

Email marketing: Spain’s strict opt-in rules<\/h2>\n\n\n\n

Spain has some of the tightest email marketing rules in the EU. As a general rule, under the LSSI you need the recipient’s prior opt-in consent before sending commercial email \u2014 silence and pre-ticked boxes don’t count.<\/p>\n\n\n\n

There’s one narrow exception for existing customers: you may email them about similar<\/em> products or services if you collected their address during a sale and you give them an easy way to opt out in every message. Either way, every commercial email has to identify your business clearly and include a working unsubscribe link.<\/p>\n\n\n\n

Tools and data outside the EU<\/h2>\n\n\n\n

Most businesses run on tools \u2014 a CRM, an email platform, hosting, a form provider \u2014 and many of those are US companies that store data outside the EU. That’s allowed, but only on the right terms. Sending personal data outside the EU\/EEA needs either an EU “adequacy” decision for the destination or appropriate safeguards in place, most commonly the EU’s Standard Contractual Clauses. A lot of US services are covered through the EU\u2013US Data Privacy Framework. The practical step is simple: know where each tool stores data and which transfer mechanism it relies on.<\/p>\n\n\n\n

If something goes wrong: the 72-hour rule<\/h2>\n\n\n\n

If personal data is exposed in a way that could put people at risk, you must notify the AEPD within 72 hours of becoming aware of it. If the risk to individuals is high, you also have to tell the affected people directly. It’s worth deciding now<\/em> who would do what in those 72 hours \u2014 a short plan written calmly today beats improvising under pressure later.<\/p>\n\n\n\n

How Levantic handles the technical side<\/h2>\n\n\n\n

This is the part we take off your plate. We set up compliant cookie consent on your site, secure hosting and data handling, a proper legal notice and privacy and cookie policies, and the processing agreements you need with the tools you use. For your specific legal and tax obligations, we work alongside your gestor<\/em> or legal adviser rather than replacing them \u2014 you get the technical layer done correctly, and a clear sense of where your own responsibilities sit.<\/p>\n\n\n\n

Frequently asked questions<\/h2>\n\n\n\n

Do I need to register my business with the Spanish data protection agency (AEPD)?<\/strong>
No. Spain’s old requirement to register data “files” with the AEPD was abolished in 2018 when the GDPR took effect. Instead you keep your own internal Record of Processing Activities (RoPA) describing what personal data you handle and why. You only contact the AEPD in specific situations, such as reporting a data breach.<\/p>\n\n\n\n

What’s the difference between the GDPR and the LOPDGDD?<\/strong>
The GDPR is the EU-wide regulation that applies directly in every member state. The LOPDGDD is Spain’s national law, in force since December 2018, that fills in the areas where the GDPR leaves room for national rules \u2014 things like the age of consent, certain DPO sectors and digital workplace rights. If you operate in Spain you comply with both.<\/p>\n\n\n\n

Do I need a Data Protection Officer (DPO)?<\/strong>
Most small businesses don’t. A DPO is only legally required if you’re a public body, if your core activity involves large-scale systematic monitoring of people, or if you process sensitive data at scale. Spain’s LOPDGDD also requires one for certain regulated sectors \u2014 such as private schools, healthcare, insurance and security firms \u2014 regardless of size. Even when it isn’t mandatory, naming someone internally responsible for data protection is good practice.<\/p>\n\n\n\n

What must appear on a Spanish business website by law?<\/strong>
Under the LSSI, any website representing a business must show a legal notice (aviso legal<\/em>) identifying the company: name, tax ID, registered address and contact details. Alongside that you’ll usually need a privacy policy and a cookie policy. These are transparency basics, separate from the cookie-consent banner itself.<\/p>\n\n\n\n

What does my cookie banner need to do to be compliant in Spain?<\/strong>
Non-essential cookies \u2014 analytics, advertising, tracking \u2014 may not load until the visitor actively agrees. Your banner needs an “Accept” and a “Reject” option that are equally easy to use; you can’t make rejecting harder than accepting, and scrolling or continued browsing doesn’t count as consent. You also need layered information: a short first-layer notice and a full cookie policy behind it. This reflects the AEPD’s guidance updated in 2024.<\/p>\n\n\n\n

Can I send marketing emails to people in Spain?<\/strong>
Spain has some of the strictest email rules in the EU. Under the LSSI you generally need the recipient’s prior opt-in consent before sending commercial email. There’s a narrow exception for existing customers: you may email them about similar products if you collected their address during a sale and you offer an easy opt-out in every message. Every commercial email must identify your business and include a working unsubscribe link.<\/p>\n\n\n\n

Is it a problem if my tools store data outside the EU?<\/strong>
It can be. Sending personal data outside the EU\/EEA is only allowed if the destination has an EU “adequacy” decision or you have appropriate safeguards in place \u2014 most commonly the EU’s Standard Contractual Clauses. Many US services are covered through the EU\u2013US Data Privacy Framework. The practical step is to check where each tool stores data and which transfer mechanism it relies on.<\/p>\n\n\n\n

What happens if there’s a data breach?<\/strong>
If personal data is exposed in a way that could put people at risk, you must notify the AEPD within 72 hours of becoming aware of it. If the risk to individuals is high, you also have to inform the affected people directly. It’s worth having a simple plan for who does what in those 72 hours before you ever need it.<\/p>\n\n\n\n

What does Levantic actually do here?<\/strong>
We handle the technical side: compliant cookie consent, secure hosting and data handling, a proper legal notice and privacy\/cookie policies, and processing agreements with the tools you use. For your specific legal and tax obligations we work alongside your gestor or legal adviser rather than replacing them.<\/p>\n\n\n\n

\n\n\n\n

This article is general information and not legal advice; for your specific situation, speak to a gestor or data protection lawyer. Want the technical side handled properly? Start with a quick scan<\/a> \u2014 or ask the assistant in the corner what compliant setup looks like.<\/em><\/p>","protected":false},"excerpt":{"rendered":"

A quick note before we start. This is general information, not legal advice. […]<\/p>\n","protected":false},"author":1,"featured_media":5589,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"content-type":"","footnotes":""},"categories":[36],"tags":[56,57,58],"class_list":["post-5588","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-technology","tag-gdpr","tag-privacy","tag-small-business"],"_links":{"self":[{"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/posts\/5588","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/comments?post=5588"}],"version-history":[{"count":1,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/posts\/5588\/revisions"}],"predecessor-version":[{"id":5590,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/posts\/5588\/revisions\/5590"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/media\/5589"}],"wp:attachment":[{"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/media?parent=5588"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/categories?post=5588"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/levantic.es\/es\/wp-json\/wp\/v2\/tags?post=5588"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}