RGPD & LOPDGDD for E-Commerce in Spain 2026: AEPD Compliance, Cookie Consent & Data Protection Guide

1. The RGPD + LOPDGDD Legal Stack — Overview

Few European countries enforce data protection as intensively as Spain. The chart below summarises the six legal and regulatory layers covered in this guide — keep it nearby as you read each deep-dive section.

What the RGPD Actually Demands

The RGPD is built on six processing principles set out in Article 5 — lawfulness, fairness and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality — plus the meta-principle of accountability (the controller must be able to demonstrate compliance). For a Spanish online shop this means: only collect what you need, only use it for the purposes you stated, store it only as long as the law requires, and document every step.

The RGPD also defines six legal bases for processing in Article 6: consent, contract, legal obligation, vital interests, public interest, and legitimate interest. The vast majority of e-commerce processing falls under contract (the purchase you made) or legal obligation (tax retention, anti-fraud), with consent reserved for clearly optional purposes such as marketing newsletters and non-essential cookies.

How LOPDGDD Extends the RGPD in Spain

The LOPDGDD 3/2018 is Spain's national implementing law. It does three things the pure RGPD does not:

• It adds specific Spanish rules: minimum age of consent set at 14 years (RGPD allows 13–16), explicit ban on data processing in employment based on consent alone, special rules for deceased persons' data (Article 3).
• It lists 16 mandatory DPO sectors in Article 34 — far broader than the three generic RGPD triggers — covering credit reporting, gambling, healthcare, schools, insurance, distribution and supply of electricity, water and gas, and providers of electronic communication services.
• It introduces Title X "Garantía de los derechos digitales": rights to internet neutrality, digital security, digital education, digital disconnection at work, digital will and updating of personal information in digital media. These are unique to Spain.

2. The AEPD — Spain's Data Protection Authority

Origins and Structure

The Agencia Española de Protección de Datos was established in 1993 under Spain's first data-protection law, LORTAD (Ley Orgánica 5/1992). It is an independent public-law body governed today by the LOPDGDD, headquartered at C/ Jorge Juan 6, Madrid 28001. The Director is appointed for a five-year non-renewable term by Royal Decree following a proposal from the Ministry of Justice and after a hearing in the Cortes Generales. Two regional authorities exist alongside the AEPD with competence over their own public sectors: APDCAT for Catalonia and AVPD for the Basque Country.

Powers Under Article 58 RGPD

The AEPD has three families of powers:

• Investigation — request information, conduct on-site inspections, access premises and equipment, audit the controller's data, summon witnesses.
• Corrective — issue warnings, reprimands, orders to bring processing into compliance, orders to satisfy data subject rights, temporary or definitive bans on processing, and administrative fines.
• Authorisation and advisory — approve binding corporate rules, certify codes of conduct, issue opinions on draft national legislation, advise the Government and the Cortes Generales.

Why the AEPD Matters Specifically for E-Commerce

The AEPD has historically been one of the most active EU supervisory authorities. Its enforcement spans large telecoms operators, banks, social networks and many e-commerce platforms. Recurring areas of investigation in 2024–2026 included: cookie banners without a valid Reject option, unsolicited commercial communications, data breaches involving customer accounts, transfers of personal data to third countries without adequate guarantees, and failure to attend to data subject access requests within the statutory one-month period.

3. Cookie Consent Banner — Mandatory Requirements

Legal Basis — LSSI-CE Article 22.2 + RGPD Article 7

Cookies on Spanish websites are governed by a two-layer rule. The legal hook is Article 22.2 of LSSI-CE (Ley 34/2002), which requires "clear and complete information about the use of data storage and retrieval devices". The notion of valid consent comes from RGPD Article 7 — freely given, specific, informed and unambiguous, plus the right to withdraw at any time as easily as it was given.

The AEPD Cookie Guide — 2024 Update

The AEPD published the current version of its Guía sobre el uso de las cookies in January 2024, aligned with the EDPB's 2023 guidelines. The compliance bar is now explicit:

• First-layer banner: must identify the controller, list the purposes of the cookies (technical, preferences, analytics, advertising, social), explain the consequences of accepting and rejecting, and link to the complete second-layer Cookie Policy.
• Reject button at the same level as Accept: the AEPD considers it an infringement to present "Accept" as a prominent coloured button while "Reject" is a small grey link or hidden behind "Manage preferences". As of 2024 the Reject button must be of equivalent prominence to Accept.
• Granular options: shoppers must be able to accept or reject by category (analytics, advertising, social, personalisation) separately.
• No pre-ticked boxes: under no circumstances can purposes other than strictly technical cookies be pre-selected.
• No cookie walls: blocking access to the site unless the user accepts is an infringement, except where a genuine equivalent service is offered.
• "Continue browsing" is not consent: continuing to scroll, navigate or click a link is not valid consent.
• Withdrawal mechanism: a permanent control to withdraw consent must be visible on every page (typically a floating icon).

The Two-Layer Architecture

What Counts as a "Strictly Technical" Cookie

Strictly technical cookies are exempt from consent under Article 22.2 LSSI-CE. They include session cookies, authentication cookies for the duration of the session, shopping cart cookies, security cookies (anti-CSRF), load balancing cookies and accessibility / language preference cookies. Analytics is not technical in the AEPD's reading — even Google Analytics 4 requires consent unless processing is fully anonymous and configured exclusively for traffic measurement of the controller's own service.

4. Privacy Policy — What Must Be in It

The Articles 13 / 14 RGPD Minimum

Every Spanish e-commerce site needs a Privacy Policy (Política de Privacidad) accessible from every page, satisfying the information duties of RGPD Articles 13 (data collected from the data subject) and 14 (data obtained from third parties). The mandatory contents are:

• Identity and contact details of the controller and, if applicable, the EU representative and the DPO
• Purposes of the processing and the legal basis for each purpose (contract, legitimate interest, consent, legal obligation)
• Legitimate interests pursued by the controller, where Article 6(1)(f) is invoked
• Recipients or categories of recipients of the personal data (payment processors, logistics providers, marketing tools)
• Transfers to third countries, identifying the country, the legal mechanism (adequacy decision, SCC, BCR) and a reference to the safeguards
• Storage period or the criteria used to determine that period
• The eight RGPD rights and how to exercise them, plus the right to complain to the AEPD
• Whether the provision of data is mandatory or voluntary and the consequences of refusal
• The existence of automated decision-making, including profiling, with meaningful information about the logic involved
• The right to withdraw consent, where consent is the legal basis

LOPDGDD Article 11 — Layered Information

The LOPDGDD explicitly allows a layered approach: a short, plain-language information notice at the point of collection (the checkout form), with a hyperlink to the full Privacy Policy that contains all the RGPD Articles 13/14 information. This pattern is now the AEPD-preferred approach for e-commerce.

Where the Privacy Policy Must Appear

• Footer of every page — permanent, accessible link labelled "Política de Privacidad" or equivalent in the storefront language
• Account registration — checkbox separate from terms acceptance, never pre-ticked, linking to the Policy
• Checkout — short notice of the data processed for the order, link to the Policy
• Newsletter form — separate consent for marketing, separate from "create account"
• Contact form — short notice + link, separate consent only if marketing follow-up is intended

5. Data Protection Officer (DPO) — When Is It Mandatory?

The Three Generic RGPD Triggers (Article 37)

Under RGPD Article 37, a controller or processor must appoint a DPO whenever any one of the following applies:

• Processing is carried out by a public authority or body (except courts acting in their judicial capacity)
• The core activities consist of processing operations that, by their nature, scope or purposes, require regular and systematic monitoring of data subjects on a large scale
• The core activities consist of processing on a large scale of special categories of data (Article 9) or personal data relating to criminal convictions (Article 10)

The 16 Sectors Where LOPDGDD Article 34 Imposes a DPO

Spain went further than the RGPD: LOPDGDD Article 34 explicitly lists sixteen activity categories where a DPO is mandatory regardless of size. The most relevant for e-commerce-adjacent businesses are:

• Credit information system operators
• Companies engaged in advertising and commercial prospection with profiling
• Health establishments legally required to keep medical records
• Issuers of electronic money and credit institutions
• Insurance and reinsurance entities
• Investment service companies
• Electricity and natural gas suppliers
• Providers of electronic communication services where they regularly and systematically process personal data of their clients
• Information society service providers when they elaborate large-scale profiles of users
• Gambling operators offering services via electronic means
• Private security companies
• Sports federations covering minors

Notification Duty

Every controller required to appoint a DPO must notify the AEPD via the online portal (sede.aepd.gob.es) within ten days of the appointment, and again whenever the DPO is replaced. The DPO's contact details must also be published in the Privacy Policy.

DPO Independence and Conflicts of Interest

The DPO must report directly to the highest management level, cannot be sanctioned or dismissed for performing their tasks, and cannot occupy a position that defines the purposes and means of processing (for example, CEO, CIO, CFO or marketing director). The EDPB and the AEPD have both confirmed that combining the DPO role with such positions is a structural conflict of interest.

6. Data Subject Rights — The Eight RGPD Rights + LOPDGDD Digital Rights

The Core Eight Under RGPD Chapter III

Every Spanish customer can exercise the following rights at any time, free of charge, with a maximum one-month response window (extendable by two months for complex requests, with a justified communication to the data subject):

Right	Article	What the Customer Can Demand
Access	Art. 15	Confirmation of processing + a copy of the data + all Article 13/14 information
Rectification	Art. 16	Correction of inaccurate or incomplete data without undue delay
Erasure	Art. 17	"Right to be forgotten" when the data is no longer necessary, consent is withdrawn, or processing is unlawful
Restriction	Art. 18	Temporary freezing of processing pending verification
Portability	Art. 20	Data in a structured, commonly used, machine-readable format (JSON, CSV)
Objection	Art. 21	Right to object to processing based on legitimate interest or for direct marketing (absolute right for marketing)
Automated decisions	Art. 22	Right not to be subject to a solely automated decision, including profiling, with legal or significant effects
Complaint to AEPD	Art. 77	The data subject can always escalate to the AEPD if they consider the response unsatisfactory

LOPDGDD Title X — Spain's Unique Digital Rights

The LOPDGDD's Title X is a Spanish original. It catalogues digital rights that go beyond the RGPD, including:

• Right to internet neutrality (Article 80)
• Right to digital security (Article 82)
• Right to digital education (Article 83)
• Protection of minors on the internet (Article 84)
• Right to rectification on the internet (Article 85)
• Right to update information in digital media (Article 86)
• Right to privacy and use of digital devices at work (Article 87)
• Right to digital disconnection at work (Article 88)
• Right to privacy against geolocation devices at work (Article 90)
• Right to a digital will (Article 96)

The Operational DSR Playbook

For e-commerce, the operational pattern is:

1. Receive the request via email, web form or postal mail — all channels must be accepted.
2. Verify identity — proportionately. For a long-time customer logged in to their account, the session is normally sufficient; for an anonymous email, request reasonable identification.
3. Respond within one month — extendable by two months with justification.
4. Log every request — date received, type, response, decision, justification — both for internal audit and for the AEPD's eventual inspection.
5. Inform the data subject of their right to complain to the AEPD if they disagree.

7. Personal Data Breach — The 72-Hour Notification

The Three Notification Streams

A "personal data breach" is defined in RGPD Article 4(12) as "a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data". When one occurs, three notification streams may activate:

• Notification to the AEPD within 72 hours from awareness (RGPD Article 33) — unless the breach is unlikely to result in a risk to rights and freedoms.
• Communication to the affected data subjects "without undue delay" (RGPD Article 34) when the breach is likely to result in a high risk to their rights and freedoms.
• Internal logging in the breach register regardless of severity — this internal log is itself mandatory and audited.

The AEPD Notification Form

The AEPD operates an online form at sede.aepd.gob.es for breach notification. The form follows the EDPB template and requires:

• Identification of the controller and DPO contact details
• Nature of the breach — confidentiality, integrity, availability
• Date and time the breach occurred and date and time of awareness
• Categories and approximate number of data subjects affected
• Categories and approximate number of records affected
• Likely consequences for the data subjects
• Measures taken or proposed to mitigate the breach
• Whether and how affected data subjects have been or will be notified

The "72 Hours" Clock

The clock starts not at the moment the breach occurs but at the moment the controller becomes aware of it. "Awareness" requires a reasonable degree of certainty that an incident has occurred and that personal data is affected. If the initial notification is incomplete because the investigation is still ongoing, the AEPD accepts a phased notification: an initial notice with the available information within 72 hours, followed by complementary submissions as new information emerges.

When Communication to Data Subjects Is Required

Article 34 requires direct communication to data subjects only when the breach poses a high risk — for example, when the breach involves passwords, financial data, government identifiers, special categories of data, or when the affected data could enable identity theft or fraud. The communication must be in clear and plain language and contain the same essential information as the AEPD notification.

8. Cross-Border Data Transfers — SCC, Adequacy and TIA

Why Transfers Are Restricted

RGPD Chapter V (Articles 44–50) restricts transfers of personal data outside the European Economic Area (EEA) to ensure the level of protection guaranteed by the RGPD is not undermined. For e-commerce sites this is one of the most-overlooked compliance areas: any non-EU SaaS provider (US analytics, US email marketing, US CRM, US chat widget) potentially triggers a Chapter V analysis.

The Six Legal Mechanisms

1. Adequacy decision (Art. 45) — the European Commission has decided the third country provides an essentially equivalent level of protection. Currently includes the UK, Switzerland, Japan, South Korea, Israel, New Zealand, Argentina, Canada (commercial sector), and the United States only for organisations certified under the EU-US Data Privacy Framework (DPF).
2. Standard Contractual Clauses — SCC (Art. 46(2)(c)) — the modernised SCCs adopted by Commission Decision 2021/914 in June 2021. Four modules: C2C, C2P, P2P, P2C. Mandatory for transfers to non-adequate countries.
3. Binding Corporate Rules — BCR (Art. 47) — internal codes for intra-group transfers in multinational corporations, approved by the lead supervisory authority.
4. Approved codes of conduct or certification mechanisms (Art. 46(2)(e)–(f))
5. Ad hoc contractual clauses (Art. 46(3)) — subject to authorisation by the supervisory authority
6. Specific derogations (Art. 49) — explicit consent, contract necessity, important reasons of public interest. Narrowly construed and not suited to routine transfers.

Schrems II and the Transfer Impact Assessment (TIA)

Following the CJEU Schrems II ruling of 16 July 2020, controllers relying on SCCs to transfer data to a non-adequate country (especially the United States outside the DPF) must perform a Transfer Impact Assessment (TIA). The TIA evaluates:

• Whether the laws of the destination country grant access to personal data in a way that is incompatible with EU fundamental rights
• Whether the SCC contractual safeguards are sufficient to compensate for any such gap
• Whether supplementary measures (encryption with EU-controlled keys, pseudonymisation, split processing) are necessary

The EDPB's Recommendations 01/2020 on supplementary measures remain the operational reference. A documented TIA is not a "nice to have" — the AEPD has explicitly asked controllers to produce TIAs during inspections.

The Practical 2026 Vendor Stack

Vendor Category	Mechanism in 2026	TIA Required?
Google Analytics 4 (USA, DPF-certified)	Adequacy via EU-US DPF	Light review
AWS / Azure / Google Cloud (EU regions)	Storage in EU, SCC for support access	Yes, for support flows
Mailchimp / SendGrid (USA)	DPF if certified, else SCC + TIA	Yes, if not DPF
UK SaaS (Hotjar, etc.)	UK adequacy decision	Light review
Non-DPF US vendor	SCC + supplementary measures + full TIA	Yes, full

9. AEPD Fines 2026 — Up to €20M or 4% of Global Turnover

The Two-Tier Sanctions Regime

RGPD Article 83 sets out two ceilings for administrative fines, and the AEPD applies them strictly:

The LOPDGDD Spanish Layer — Article 70+ Classification

The LOPDGDD reclassifies the infringements into very serious, serious and minor with statute-of-limitation periods of three, two and one year respectively (Articles 72–74 and 78). This is a Spanish particularity: in addition to the RGPD ceilings, the LOPDGDD imposes its own procedural framework, which affects how the AEPD calculates the fine and how the defendant can rely on the limitation period.

The Aggravating and Mitigating Factors (Article 83(2) RGPD)

The AEPD considers eleven factors when setting the fine: nature, gravity and duration of the infringement; intentional or negligent character; mitigating actions taken; degree of responsibility; previous infringements; cooperation with the authority; categories of personal data affected; how the authority became aware; compliance with corrective measures previously ordered; adherence to codes of conduct or certification; and any other aggravating or mitigating circumstance.

Recent Enforcement Patterns

Without naming specific resolutions, in 2024–2026 the AEPD's enforcement focus included:

• Cookie banners without an equivalent Reject button — recurring fines in the €30K–€100K range, with higher amounts for large platforms
• Unsolicited commercial communications sent without valid consent — typically combining LSSI-CE and RGPD infringements
• Data breaches involving credentials and payment data — fines escalating sharply when notification was late or absent
• Cross-border transfers without a TIA — increasingly cited in resolutions involving US ad-tech vendors
• Failure to respond to data subject access requests within one month — a high-volume, lower-individual-amount category

The LOPDGDD Article 76(2) Mitigation for SMEs

The LOPDGDD includes an SME-friendly provision: the AEPD may issue an apercibimiento (warning) in lieu of a fine when the infringement is of low severity, the controller is a small or medium-sized enterprise, and a remedial plan is implemented within the time set by the AEPD. This is widely used for first-time infringements by small e-commerce operators — but it must be requested in the defendant's submission and is at the AEPD's discretion.

10. E-Commerce Compliance Checklist 2026 — Step by Step

The Twelve-Point AEPD Readiness Checklist

Whether you are launching a new Spanish online shop or auditing an existing one, the following twelve items are the minimum AEPD-readiness checklist for 2026:

1. Privacy Policy (Política de Privacidad) on the footer of every page, satisfying RGPD Articles 13/14 with layered information.
2. Legal Notice (Aviso Legal) under LSSI-CE Article 10 — identification of the provider, NIF, contact, registration data, professional accreditation.
3. Cookie banner with Accept / Reject / Configure at the same visual level, granular categories, no pre-ticked boxes, withdrawal control on every page.
4. Cookie Policy page detailing each cookie, purpose, duration and third-party recipient — kept current with the technology.
5. Record of Processing Activities (RAT — Registro de Actividades de Tratamiento) under RGPD Article 30 — one entry per processing activity (customers, orders, marketing, suppliers, employees).
6. Data Protection Officer (DPO) appointed and notified to the AEPD if any of the LOPDGDD Article 34 sectors or RGPD Article 37 triggers apply.
7. EU representative designated in writing for non-EU controllers offering goods or services in Spain (RGPD Article 27).
8. Data Subject Request (DSR) channel — at least an email address plus a web form, internal log, and a one-month SLA.
9. Breach response plan with named owner, AEPD form-field-aligned template, customer notification template and a 72-hour clock.
10. Vendor / processor contracts with all third parties (RGPD Article 28) — DPA (Data Processing Addendum) for each.
11. International transfer documentation — SCC modules signed, TIA performed for non-adequate countries, supplementary measures applied where required.
12. Staff training — at least annual, documented, covering RGPD basics, cookie compliance, phishing awareness and the internal breach reporting procedure.

The Implementation Sequence

1. Week 1 — Inventory: list every form, every cookie, every vendor and every type of personal data processed. This populates the RAT and identifies all transfers.
2. Week 2 — Documents: draft or update the Privacy Policy, Legal Notice, Cookie Policy, DPA templates, breach response plan.
3. Week 3 — Technical: deploy the compliant cookie banner, implement DSR web form, configure the breach response notification chain.
4. Week 4 — Training and sign-off: train all customer-facing staff, present the package to management for formal sign-off, schedule the next annual review.

Why Centralisation Matters

Spanish e-commerce frequently runs on a stack of Shopify / WooCommerce / PrestaShop + marketplaces (Amazon ES, AliExpress, El Corte Inglés) + marketing tools + logistics + payment. Each tool may collect, store and share personal data, and each tool needs to be covered by the RAT, the Privacy Policy and the international transfer analysis. Trying to manage this manually in spreadsheets is the most common failure mode.

Zunapro consolidates the compliance layer across every connected channel: one master RAT, one master Privacy Policy template, one cookie consent log, one DSR inbox, one breach register. The AEPD inspector who eventually asks for documentation receives a single coherent file — not twelve different exports from twelve different tools.

Spanish Data Protection FAQ 2026