The amendment to Spain’s Data Protection Act updated relevant aspects of Organic Law 3/2018, especially in relation to the Spanish Data Protection Authority, procedural rules and the role of warnings as corrective measures.
For companies, the practical message is not that all GDPR obligations have changed, but that data protection compliance must be kept up to date and aligned with current procedures and regulatory criteria.
In this article we will discuss...
Which law amended the Spanish Data Protection Act?
The amendment is reflected in the consolidated version of Organic Law 3/2018 in the Spanish Official Gazette. The Spanish Data Protection Authority explained in its note on the amendment to the Data Protection Act that warnings should be treated as corrective measures rather than sanctions.
Main points
- Warnings: reinforced as corrective measures within supervisory authority powers.
- AEPD procedures: certain procedural aspects were adjusted and streamlined.
- Consistency with the GDPR: Spanish law must be read together with the directly applicable EU Regulation.
- Digital rights: the law remains the Spanish reference for digital rights, employment-related privacy and minors.
What companies should review
Companies should keep their compliance framework updated: lawful bases, records of processing activities, processor agreements, breach procedures, privacy notices and data subject rights processes.
Internal policies should also reflect current business practices, including corporate email, video surveillance, geolocation, remote work, artificial intelligence, cookies and technology providers.
Common mistakes
- Assuming the Spanish Act replaces the GDPR.
- Keeping legal texts from 2018 without updating them.
- Failing to document compliance decisions.
- Not reviewing processor agreements after supplier changes.
- Treating a warning as a harmless notice with no practical consequences.
Conclusion
The amendment does not change the core of GDPR compliance, but it confirms that data protection is a living framework. Companies should keep documents, procedures and security measures aligned with their actual processing activities.





Leave a Reply
Want to join the discussion?Feel free to contribute!