Support Centre



Law: Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) ('LOPDGDD') and General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR')

Regulator: Spanish data protection authority ('AEPD')

Summary: The LOPDGDD, while implementing the GDPR in the Spanish legal system, also derogates in areas such as the appointment of data protection officers, digital rights in the working environment, and whistleblowing schemes. In addition, the AEPD is one of the most active authorities in Europe in terms of issuing enforcement actions and responding to data subjects' complaints and requests. The AEPD has imposed several administrative penalties in cases affecting multinational organisations from different business sectors, as well as small to medium-sized enterprises and private subjects. Furthermore, the AEPD has also issued substantive guidance on a range of key compliance areas, such as the use of cookies, data transfers mechanisms, and Data Protection Impact Assessment ('DPIA') requirements, providing organisations with both a blacklist and a whitelist in relation to DPIAs.


Artificial intelligence ('AI') has been identified by the EU as one of the most relevant technologies of the 21st century, and a key strategic component for the EU's digital transformation. On its part, machine learning ('ML'), a sub-discipline of AI, relies largely on accurate and representative data sets.

With the aim to clear up common misconceptions surrounding ML systems (with special emphasis on the protection of personal data), the Spanish data protection agency ('AEPD') and the European Data Protection Supervisor ('EDPS') have convened again to prepare a joint paper with technology as the guiding thread, this time titled '10 misunderstandings about machine learning' ('the joint ML paper')1. This document follows on from the AEPD-EDPS joint paper on '10 misunderstandings related to anonymisation'2.

Bárbara Sainz de Vicuña, Isabela Crespo Vitorique, and Mercedes Ferrer Bernal, from GÓMEZ-ACEBO & POMBO ABOGADOS, S. L. P., provide an overview of the joint ML paper and how AI and ML interplay with data protection.

The Spanish data protection authority ('AEPD') published, on 29 June 2021, its 'Guidelines on Risk Management and Impact Assessment in the Processing of Personal Data'1 ('the Guidelines'). Isabela Crespo, Bárbara Sáinz de Vicuña, and Mercedes Ferrer, from Gómez-Acebo & Pombo, summarise the main provisions of the Guidelines.

The processing of personal data relating to criminal convictions under Article 10 of the General Data Protection Regulation (Regulation (EU) 2016/679 ('GDPR') outlines that the processing of such data is subject to additional restrictions. OneTrust DataGuidance Research breaks down Member State requirements regarding the processing of personal data related to criminal offences for employment purposes in the Czech Republic, Germany, and Spain, featuring insights from Bartoš Vojtěch and Ema Černá, from Havel & Partners s.r.o, Clemens Ganz and Dr. Isabelle Brams, from Latham & Watkins LLP, and Juan Ignacio Alonso Dregi, from Ceca Magán. Part one focuses on Member State requirements in France, Portugal, and Italy.

On 10 February 2022, the Spanish data protection authority ('AEPD') approved the Code of Conduct on the Processing of Personal Data for the Purposes of Clinical Trials, other Clinical Investigations and Pharmacovigilance ('the Code'), making it the first sectoral code of conduct to be approved following the entry into force of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR’). The Code was approved under Article 40 of the GDPR and Article 38 of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'). Bárbara Sainz de Vicuña, Isabela Crespo Vitorique, and Mercedes Ferrer Bernal, from GÓMEZ-ACEBO & POMBO ABOGADOS, S. L. P., discuss the Code and its requirements.

The processing of personal images of employees by companies is regulated not only by the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), but also by local laws in jurisdictions such as Spain. Roger Vilanova Jou, Lawyer at PwC, discusses this topic and its nuances.

Facial recognition technology ('FRT') is an area which creates novel challenges for European data protection law and in particular how certain provisions of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') can be interpreted. Roger Vilanova Jou, Lawyer at PwC, discusses this topic and recent developments in the Spanish context.