The protection of consumer and user data has been one of the biggest concerns of the legislator in recent times. The so-known Organic Law on Data Protection (LOPD) arises from this desire to provide greater security to individuals when, in the exercise of their private autonomy, they are forced to provide personal data to companies.

The counterpart of this protection is, logically, the existence of a series of obligations for those who provide services or sell goods on the market, and they require such personal data.

Companies and freelancers are exposed to
sanctions for non-compliance with this LOPD Law
if they do not act in accordance with it in a correct way.

Self-employed and SMEs before the LOPD

In terms of data protection, entrepreneurs have certain duties depending on the type of business they run.

The self-employed who operate through a Company, have no personal obligation to comply with the Organic Law on Data Protection,but as administrators of the same, they must ensure that the company does not violate the duties that the law imposes in the development of its activity.

The self-employed person who acts personally – not through a legal person – in the traffic of the information of certain data, has a personal responsibility in the fulfillment of the duties of protection and custody of the same.

You must treat the data of your employees (if you have them), customers and suppliers in accordance with the provisions of the regulations.

If you do not work with a staff, you will only be subject to the LOPD if your business activity requires keeping an updated record with personal data of suppliers or customers.

Penalties for non-compliance with the LOPD


What happens if I do not comply with the obligations of the LOPD? In that case, there are three types of infractions of the LOPD, depending on the seriousness with which the law has been violated, which entail a series of economic sanctions:

  • Minor infractions:this type of infractions will be sanctioned with amounts ranging between 600 and 60,100 euros.
  • Serious infractions:in this case, the fines would range between 60,101 and 300,506 euros.
  • Very serious infractions:In case the infraction is considered as very serious, the penalties could range between 300,507 and 600,000 euros.

The classification of an offence as minor, serious or very serious depends on the extent of the breach of the law.

The amounts of the sanctions will be graduated according to a series of criteria, such as:

  1. The continued nature of the infringement.
  2. The volume of the treatments carried out.
  3. The linking of the activity of the infringer with the processing of personal data.
  4. The volume of business or activity of the infringer.
  5. The profits obtained as a result of the commission of the infringement.
  6. The degree of intentionality.
  7. Recidivism due to the commission of infractions of the same nature.
  8. The nature of the damage caused to the persons concerned or to third parties.
  9. The accreditation that, prior to the facts constituting an infringement, the imputed entity had implemented adequate procedures for action in the collection and processing of personal data, the infringement being the result of an anomaly in the operation of said procedures not due to a lack of diligence required of the infringer.
  10. Any other circumstance that is relevant to determine the degree of anti-juridicality and culpability present in the specific infringing action.

Once the infraction has been classified as minor, serious or very serious; the Spanish Agency for Data Protection moderates the sanctions of the LOPD of 2017 according to a series of criteria.

Some violations have to do with the magnitude of the business. The most eventual are usually for violation of the LOPD or the time for which said infraction has been prolonged.


Among the minor infractions are considered the following actions:

  • Do not register personal data in the General Registry of Data Protection, inaddition to not sending to the Spanish Agency for Data Protection (AEPD)those notifications to which the law obliges.
  • Failure to comply with formal duties in the communication of data can also lead to this type of sanction. If the customer is not informed in advance about how their data will be treated, there is also a risk of being fined lightly.
  • Failure to respond to customer requests for rectification or cancellation of their personal data.
  • Failure to respond to inquiries by the Data Protection Agency.


The LOPD establishes a long list of conduct constituting a serious infraction in its article 44.3.

Some infractions are related to the use of files with personal data without obtaining authorization,either from the affected persons, when legally required, or from the Administration.


In the case of infractions considered serious, we could specify the following assumptions:

  • The violation of the duty of secrecy in the processing of personal data.
  • The impediment or hindrance to the exercise of the rights of rectification, cancellation and opposition.
  • Failure to implement the proper security measures to safeguard the data is considered a serious breach of the LOPD.
  • Obstruction of inspectors’ investigative tasksis also considered a serious offence.
  • Not to collaborate with the Spanish Agency for Data Protection, when it requests documentation.
  • Transfer personal data to unauthorized third parties or use the files for a purpose other than that for which they were created.
  • And not to follow the principles and guarantees of the LOPD.



As for very serious sanctions, the following cases constitute this type of infraction:

  • Data collection in a deceptive or fraudulent way.
  • Not to correct the illegality in the processing of some data even when a request has been received from the director of the AEPD.
  • The transfer of data temporarily or permanently, to countries that do not have a level of data protection comparable to that of Spain. It is allowed to do so, however, with the express authorization of the AEPD.
  • The transfer to third parties of the personal data that the law, in its article 7, considers that they must be specially protected (those related to ideology, religion, trade union membership, health, criminal record,… etc.)
  • Not to attend or hinder in a repetitive and systematic way the requests for cancellation or rectification of personal data.
  • Treat the data illegitimately or with contempt for the principles and guarantees that are applicable in the LOPD.


The benefit obtained from the infringement or the damages caused to third parties will also be taken into account, as well as the degree of intentionality of the infringement committed.

Sanctions for non-compliance with the LOPD can be a real obstacle to the development of business activity.

Therefore, in case of any legal doubt, it is highly recommended to seek the appropriate advice.

A good business data protection policy not only avoids penalties, but always offers greater security and confidence to our customers.