From AYCE Laborytax we want to explain what the new LOPD-GDD is and how it works,so that you know all the keys that you should not overlook in your company when applying it.

the New Law on Data Protection and Guarantee of Digital Rights entered into force on December 7, 2018,and has as its main objective to regulate the correct use of personal data of third parties, as well as to adapt the Spanish legislation to the European Data Protection Regulation.

It should be noted that it is a totally law mandatory for all types of companies and businesses dealing with sensitive data (customer databases, dataphone, sending newsletters, video surveillance cameras, etc.),to try to ensure greater protection of privacy in the current digital environment, in which privacy is much more vulnerable.

How to implement the new LOPD-GDD in your company?

Any type of company or business that deals with sensitive data of third parties, must comply with each and every one of the requirements established in the new regulations of the Law on Protection of Personal Data and Guarantees of Digital Rights.

That said, implementing the new LOPD-GDD is much more than a mere procedure that you must carry out to avoid harsh sanctions in your company. With its implementation you will be making a declaration of intentions to all those people who have agreed to offer you personal data,making your company much more competitive, improving its image and increasing the confidence of your customers.

You are interested in:

Learn how to apply the new GDPR Law on your website to avoid millionaire penalties

Although every company should already comply with the European Data Protection Regulation (GDPR) since last May 25, with the new LOPD-GDD come a series of novelties that you should not overlook.

What’s new in the new LOPD-GDD?

Implementation framework

The LOPD-GDD will be applied when the following treatments are given:

  • Data processing of individual entrepreneurs and liberal professionals.
  • Commercial operations.
  • Use of surveillance systems.
  • Advertising exclusion systems.
  • Communication channels and complaints.
  • Credit information systems.

Protection of minors

The LOPD-GDD places special emphasis on the protection of minors’ data. The consent of a minor will only be valid when he is over fourteen years of age, being necessary the authorization of the father, mother or guardian if it is not.

Control of personal data

To avoid the use of personal data for commercial use without prior consent, the LOPD-GDD establishes that the control of personal data falls directly on the user,always requiring their consent to use them.

Clear information about the use of data

Companies must inform users in a clear, simple and concise wayabout the possible use of the personal data they have been given. Otherwise, a company could be fined up to EUR 20 million.

Data retention

The personal data transferred to the companies must be kept in a manner consistent with their use. This means that if a person wants to access that data while it is stored, they will have the full right to do so, and may even demand a copy of them.

You are interested in:

Practical tips for the destruction of confidential documents under the new data protection regulation

Employee privacy

The new LOPD-GDD protects the right to privacy of employees,in view of the use of video surveillance systems or sound recording in the work area. In this way, it is forbidden to take recordings in the areas intended for the rest of the workers, toilets and other places intended for leisure.

Right to be forgotten

One of the key points of the LOPD-GDD is the right to be forgotten,which establishes the right to delete data on social networks and other equivalent services.

Data of deceased persons

In the event of death, any family member linked to the deceased person may request access, rectification or deletion of the shared data.

Delinquency files

With the LOPD-GDD is set at 50 euros the minimum amount to include in a file of delinquency to a person. In addition, the maximum period for the inclusion of debts is reduced from 6 to 5 years.

Security issues

If a company suffers a security problem, and loses personal data within the business environment, you must report the incident within a maximum of 72 hours,from the knowledge of the situation. This communication must be made through the Spanish Agency for Data Protection (AEPD).

Data Protection Officer

Companies are not obliged to appoint a Data Protection Officer (DPO), and a natural or legal person may perform this function; but there are certain cases in which this obligation exists.

According to the criteria established by European regulations and, more specifically, by the Spanish Agency for Data Protection, with respect to cases in which it is mandatory to implement in a company the figure of the Data Protection Delegate (DPO), three types of assumptions can be established:

  1. In cases where it is a public authority or body;
  2. where the principal activity of the controller or controllers of customer data consists of operations requiring regular and systematic monitoring;
  3. or where the main activities of the controller or controllers consist of the large-scale processing of certain personal data relating to convictions or offences.


As for accounting, any type of monetary, banking or credit transaction carried out by the company must be recorded,including each and every one of the treasury movements.

Sanctioning regime of the LOPD-GDD

the GDPR established sanctions for companies that could reach between 10 and 20 million euros, or between 2 and 4% of the annual turnover, provided that the penalty is considered very serious. What was not very clear were the cases in which a company could be sanctioned, and by how much, something for which the LOPD-GDD has been much more precise and unambiguous.

Very serious sanctions

A company would be punished in a very serious way when it makes a substantial breach of the processing of personal data, related to:

  • The use of data for a purpose other than that advertised.
  • Omission of the obligation to inform the affected person.
  • Demand for a payment to be able to access the stored own data.
  • International transfers of information without guarantees.

This type of very serious infringement expires after three years.

Severe penalties

Severe penalties apply when the processing is substantially violated, and relates to:

  • Data of minors obtained without consent.
  • Lack of technical and organizational measures to protect data effectively.
  • Failure to comply with the obligation to appoint a data controller or processor.

Serious infringements are time-barred after two years.

Light penalties

The light penalties would be all those that do not appear in the two previous groups:

  • Provide information in a non-transparent way.
  • Do not inform users when they have requested it.
  • Failure to comply with the corresponding obligations.

The light penalties are prescribed one year after they are committed.


The new LOPD-GDD arrives to adapt the Spanish legislation to the European Data Protection Regulation, having as its main objective to guarantee the protection of the privacy of third parties in the digital environment. It is important to know all the news it presents, both to guarantee the privacy of personal data, and to avoid harsh penalties for non-compliance.