GDPR Complience service

GDPR compliance service In Spain for your website or application.

Request Assistance

Data security is a key element of providing the best experience to your clients or visitors of our website. Make sure that your website complies with GDPR and Data protection laws to avoid unnecessary fees.

What is General Data Protection Regulation (GDPR)?

The General Data Protection Regulation (GDPR) (Regulation 2016/679) is a regulation by which the European Parliament, the Council of the European Union and the European Commission intend to strengthen and unify data protection for all individuals within the European Union (EU). It also deals with the export of personal data outside the EU. The main objective of the GDPR is to give citizens and residents control over their personal data and simplify the regulatory environment for international business by unifying the regulation within the EU.

Reach our answered questions to know more about mediation.

When the GDPR is applied?

The GDPR applies if:

  • your company processes personal data and is based in the EU, regardless of where the actual data processing takes place
  • your company is established outside the EU but processes personal data in relation to the offering of goods or services to individuals in the EU, or monitors the behaviour of individuals within the EU

Non-EU based businesses processing EU citizen’s data have to appoint a representative in the EU.

Cooperation that changes businesses

Process of complying with GDPR ?

  1. COMPANY DATA COLLECTION. We study the traceability of data and the electronic devices used, among others.
  1. RECORDING OF PROCESSING ACTIVITIES. We will generate and update the Register of Processing Activities (RPA) and the Security document – containing information on:
  • the processing of the data, the personal data processed
  • the recipients of the data
  • the deadlines are foreseen for their deletion
  • the purpose of the processing
  • the technical and security measures adopted by the company to carry out the processing.
  1. RISK ASSESSMENT REPORT. We will provide a GDPR compliance information checklist for the client to complete on the company’s data processing and activity. This risk assessment will enable us to generate the necessary legal documentation and keep it up to date to comply with the new regulation – as well as propose any security measures that need to be implemented.
  1. REVIEW AND DRAFTING OF CLAUSES, CONTRACTS AND DOCUMENTATION. Review and drafting of all types of documents in which personal data is processed in accordance with the GDPR.
  1. WEB AUDIT AND DRAFTING OF LEGAL TEXTS. Analysis of forms and adequacy of the Legal Notice, Privacy Policy and Cookies Policy.
  1. DRAFTING OF ALL NECESSARY DOCUMENTS. Drafting of the necessary documentation in order to comply with and be able to accredit the principle of proactivity, as well as the rest of the obligations.
  1. TRAINING OF STAFF IN DATA PROTECTION. In order to ensure that the security protocols implemented in the company are complied with.

Meet your GDPR experts in Spain

Aina Segui Corporate Expert

Aina Segui

Corporate Expert

Chloé Pluta-Gillet Corporate expert

Chloé Pluta-Gillet 

Corporate Expert


Litigation cases assisted


Clients assisted in 2020


Our Score on Google Maps

About us

Lexidy Law Boutique is a modern, dynamic, and innovative law firm. We always put customers at the center of our work. Our team is committed to providing a client with an exceptional experience. Our expertise in Sapin and Portugal allows us to solve complex problems thoroughly and cut all the risks before they may happen.

Frequently Asked Questions

My company is small, I have few employees and I do not deal with final consumers, am I affected by this new regulation?
Yes, it does affect you. Any company or organisation that processes personal data (whether of its employees, customers, suppliers, etc.) must comply with the new regulation regardless of its size or the volume of data it handles.
If I have a data protection audit, it is assumed that I am already in compliance, isn't it useful?
Yes, it is, but it is not enough. It is clear that if you already have a data protection policy in your company it is a good starting point, but you must bear in mind that the GDPR establishes new obligations. Therefore, you will have to review them and adapt your privacy policies to the new Regulation.
My company provides services to third parties, known as outsourcing, do I also have to comply with this regulation?
Yes, you must comply with it to the extent that, in order to provide the services, you access or process the personal data of their clients. Keep in mind that when choosing suppliers, companies look for trustworthy brands that comply with the law, otherwise they face fines running into millions of dollars. Therefore, you must be able to prove and guarantee to your customers that you have adapted and comply with this regulation.
I am a company based outside the EU, but I sell online in some European countries, do I have to comply with the law?
Yes, this is precisely one of the most important new features: as of 25 May, all companies that offer goods and services and handle data of European Union citizens will have to comply with the regulation, even if you are based outside the EU.
My company has offices in other countries around the world and in order to provide a good service we share information on clients and employees, am I skipping the new regulation?
It depends: has the data subject given you their express consent to transfer their data? Have you informed them of the risks involved in transferring their data to a country that does not have adequate European safeguards? Do you need to communicate the information in order to carry out or execute a contract between your company and the data subject? If not, do you have the authorization of the Spanish Data Protection Agency? As you can see, the best thing to do is to call in a data protection expert to help you comply with all the requirements.
I have heard that the new regulation is based on the principle of proactive responsibility, what does that mean?
Basically, it means that it is up to the company itself to decide what security measures it puts in place to protect the data and privacy of individuals. In addition, it must be able to demonstrate that these measures are effective and comply with the regulation.
So what criteria must be followed to comply with the regulation?
The new regulation requires that data should not be collected for the sake of it, and that only the minimum personal data necessary for the achievement of the legitimate purposes of the company should be processed. To this end, you should analyse what measures, both technical and organisational, your company has in place to avoid jeopardising the rights and freedoms of data subjects.
Can I continue to use my database as before and send them advertising, promotions, etc.?
Here you have to be careful because the new regulation requires that the person who is going to receive this advertising or these promotions must have given their express consent. It is no longer sufficient, for example, for you to have a pre-ticked box in which they give their consent. Therefore, you need to check that all database records are aware of what and how their data will be used and you need to make sure that they have given you a clear and unequivocal yes. Vague and vague terms will not do. This requires a review of all the information clauses that have been used up to now.
Do data files still have to be registered with the Spanish Data Protection Agency?
No, it is no longer obligatory. What does have to be done is a Register of Processing Activities. This is nothing more than documenting who is responsible for the data and making an inventory of the type of data, how it is processed and protected. If your company has more than 250 employees or processes special categories of data (e.g. health, ideology...), this register is mandatory. If it is smaller, it is not, but it is advisable. It will serve to demonstrate that you comply with the new regulation, and you must have it at the disposal of the Spanish Data Protection Agency.
Who is the data protection officer and do I have to appoint this figure within my company?
This is the person designated by the company, whether internal or external, to supervise, coordinate and disseminate the data protection policy that you follow. In addition, he/she will be the liaison with the Spanish Data Protection Agency. Their appointment is only mandatory in certain cases: if you are a public body or company (except the courts); if your company carries out regular and systematic observation of people on a large scale (internet tracking, location of users through apps, profiling, decisions based on behaviour -tracking, profiling, scoring-, loyalty programmes) or if you handle large-scale data on people on sensitive subjects (health, ideology, sexual orientation, criminal records...).


Google Review User

“Laura Fusté and her support team responded to every question and need we had very quickly and thoroughly. We had and continue to have complete confidence in their support and direction. Never once did we feel we were “on our own” to figure out our original residency process, nor our renewal.”

Rebecca del Rio Google Reviews
Google Review user

“I initially went to another lawyer, who showed no interest in assisting at all. Luckily I came across Lexidy, who provided me with a professional, knowledgeable, and very efficient service. Would thoroughly recommend David and his team!”

Google reviews user

“I had a great experience with Lexidy’s Immigration department. They have been very professional and above all, very responsive in answering my queries and dealing with the applications.”

Andreea Pascu Google Reviews
Google review User

“I must give MEGA thanks to Mònica and Max at Lexidy Law Boutique. They were very helpful with a legal matter that I had, answering 60+ emails and patiently explaining to me the various options available to address my needs. They were EXTREMELY responsive, attentive to my needs at every moment, very clear communication, and super helpful.”

Ronda Zelezny-Green Google Reviews

Leading lawyers in Spain and Portugal you can rely on. Legal assistance in one click.

We are English speaking Spanish lawyers in Spain and Portugal that speak your language. If you would like more information or have any questions on any of our services, please do not hesitate to contact us directly.


Save our contact to your device | +34 938 074 056

Scan QR
Lawyers that always here to help Contact us for any legal need

Avinguda Diagonal, 442, 3º 1ª, 08037

Calle Villalar 7, Bajo Izquierda, 28001

Rua Joaquim António de Aguiar n.º 43, RC Esq, 1070-150

Subscribe to our newsletter

Get the latest Immigration, Corporate, Tax, and family news with our legal advices.