Jurisdictions
Law: Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish) ('LOPDGDD') and General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')
Summary: The LOPDGDD, while implementing the GDPR in the Spanish legal system, also derogates in areas such as the appointment of data protection officers, digital rights in the working environment, and whistleblowing schemes. In addition, the AEPD is one of the most active authorities in Europe in terms of issuing enforcement actions and responding to data subjects' complaints and requests. The AEPD has imposed several administrative penalties in cases affecting multinational organizations from different business sectors, as well as small to medium-sized enterprises and private subjects. Furthermore, the AEPD has also issued substantive guidance on a range of key compliance areas, such as the use of cookies, data transfer mechanisms, and Data Protection Impact Assessment ('DPIA') requirements, providing organizations with both a blacklist and a whitelist in relation to DPIAs.