Privacy Laws

Data protection in Spain compared to the GDPR

The Spanish flag with a building the background — © SOMATUSCANI / stock.adobe.com | #43770513

General overview

The Spanish Data Protection Law (Organic Law 3/2018) contains several specifications related to various opening clauses of the GDPR. These pertain to, for example, the rights of data subjects, rules on the mandatory appointment of a Data Protection Officer (DPO), consent from minors, and information obligations. Furthermore, the Spanish Data Protection Law provides additional regulations for the digital rights of citizens and employees, such as rights to internet access, digital education, and digital separation in the workplace.

GDPR opening clauses

Spain has established national regulations for data processing involving minors, data processing for journalistic purposes, and data processing for scientific research.

Key differences and national specifics

Specific data protection laws and official guidelines

Spain has specific data protection laws and official guidelines. These provide detailed information and guidance for compliance with data protection regulations in Spain.

Legal basis and sensitive data

In Spain, there are specific regulations concerning the legal basis for data processing as well as the processing of sensitive data. Companies must ensure that they inform data subjects adequately about the processing of their data.

E-Marketing, cookies, and automated decision-making

Spain has regulations related to e-marketing and the handling of cookies. It is important to note that a new regulation through the ePrivacy Regulation is still pending. Additionally, there are regulations concerning automated decision-making.

Data subject rights and Data Protection Impact Assessments (DPIAs)

Data subject rights in Spain are extensively regulated. Companies should ensure that they respect these rights. Furthermore, companies in Spain should conduct DPIAs in accordance with Spanish regulations.

DPO (Data Protection Officer)

Companies in Spain should ensure that they perform DPIAs according to Spanish provisions. Additionally, there are regulations concerning the appointment of a Data Protection Officer.

Conclusion

Spain has adopted many of the GDPR guidelines but has also introduced some national peculiarities. Companies operating in Spain or conducting business with Spanish citizens should ensure that they fully understand and comply with both the GDPR and Spanish data protection laws.

Write email

Group	external media
Name	Calendly
Technical name	_cf_bm,__cfruid,OptanonConsent
Provider	Calendly LLC
Expire in days	365
Privacy policy	https://calendly.com/privacy
Use	To arrange appointments via the provider Calendly.
Allowed
Group	essential
Name	Contao CSRF Token
Technical name	csrf_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Serves to protect the website from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	Contao HTTPS CSRF Token
Technical name	csrf_https_contao_csrf_token
Provider	Contao
Expire in days	0
Privacy policy
Use	Used to protect the encrypted website (HTTPS) from being falsified by cross-site requests. The cookie is deleted again after the browser is closed.
Allowed
Name	PHP SESSION ID
Technical name	PHPSESSID
Provider	Contao
Expire in days	0
Privacy policy
Use	Cookie from PHP (programming language), PHP data identifier. Contains only a reference to the current session. No information is stored in the user's browser and this cookie can only be used by the current website. This cookie is mainly used in forms to increase user-friendliness. Data entered in forms is stored for a short time, for example, if the user makes an input error and receives an error message. Otherwise, all data would have to be entered again.
Allowed
Name	FE USER AUTH
Technical name	FE_USER_AUTH
Provider	Contao
Expire in days	0
Privacy policy
Use	Saves a visitor's information as soon as they log in to the frontend.
Allowed