The General Data Protection Regulation has been in force since 2018, and fines have not stopped growing. In 2025, the Spanish Data Protection Agency (AEPD) imposed penalties totalling over €46 million. Most sanctioned companies were SMEs that assumed they were 'more or less' compliant. They were not.
What does GDPR require your company to do?
Any company processing personal data of people in the EU, whether customers, employees or suppliers, is subject to GDPR regardless of those people's nationality. That covers virtually every Spanish business. The four core obligations are: informing data subjects about how you use their data, having a valid legal basis for each processing activity (including consent where consent is the basis you rely on), maintaining a Record of Processing Activities (RPA) under Article 30, and implementing appropriate technical and organisational security measures under Article 32. Note that the Article 30 exemption for organisations with fewer than 250 employees does not apply where processing is not occasional, so in practice most SMEs still need an RPA.
Non-compliance with GDPR is not just a fine risk — it is a reputational risk. A data incident can cost a company more in lost customers than in financial penalties.
The most common mistakes AEPD finds in SMEs
Email marketing without consent
Sending newsletters to contacts who never explicitly authorised their inclusion is one of the most frequent and most easily detected infringements.
Video surveillance without signage
Cameras on premises require visible signage informing people that the area is under video surveillance and who the controller is. Without the regulatory notice the system is unlawful, even if the cameras themselves serve a legitimate purpose.
Outdated privacy policy
Copying a generic policy from another website does not comply. It must accurately reflect what data you process, for what purpose, and who receives it.
Poorly managed employee data
HR data (payroll, time tracking, performance reviews) has its own rules under GDPR and Spanish labour legislation.
Do you need a Data Protection Officer (DPO)?
Not all companies are required to appoint a DPO (GDPR mandates one for public bodies and for large-scale monitoring or large-scale processing of special category data, and Spanish law adds further sectors), but every company must have someone accountable for compliance. For SMEs, the most efficient solution is usually to outsource this function to a specialist provider. The cost is significantly lower than a fine for a serious infringement, which can reach €20 million or 4% of worldwide annual turnover, whichever is higher.
The minimum viable plan to get compliant
Start with the Record of Processing Activities: document what data you hold, whose it is, what you use it for, the legal basis, and how long you retain it. Then audit your web forms and email campaigns: every form should state the purpose and the privacy information, and every marketing list should hold a record of when and how each contact consented. Finally, review your contracts with suppliers that access your customer data (accountants, CRM platforms, hosting companies): you must have a data processing agreement signed with each one, and if the supplier processes data outside the EU/EEA you also need a valid transfer mechanism. These three actions cover most of the risk.
Want to know where your company stands on GDPR compliance? Contact our team.