Regulation
The regimes that frame the practice of data protection in Spain.
The practice of the Data Protection Officer in Spain rests on a body of rules whose centre is the GDPR and Organic Law 3/2018 (LOPDGDD). To that core are added the regimes that intersect with it — from cookies and electronic communications to artificial intelligence and cybersecurity — and the digital rights of Title X.
| Area | Instrument | Authority |
|---|---|---|
| Data protection (general) | GDPR — Regulation (EU) 2016/679 | AEPD |
| National law | Organic Law 3/2018 (LOPDGDD), of 5 December | AEPD |
| DPO — designation, position, intervention | GDPR Arts. 37–39; LOPDGDD Arts. 34–37 | AEPD |
| Information society services and cookies | Law 34/2002 (LSSI-CE) | AEPD |
| Electronic communications (ePrivacy) | Directive 2002/58/EC; Law 11/2022 General Telecommunications | AEPD |
| Digital rights | Title X of the LOPDGDD | — |
| Artificial Intelligence | AI Act — Regulation (EU) 2024/1689 | AESIA |
| Cybersecurity (interface) | NIS2 — Directive (EU) 2022/2555 (national transposition) | INCIBE |
| Guidance and doctrine | EDPB Guidelines; WP243 | CEPD / EDPB |