What is the difference between GDPR and LOPD?

LetsLaw / data protection  / What is the difference between GDPR and LOPD?
diferencia rgpd lopd

What is the difference between GDPR and LOPD?

It is so important for your business to learn about the main differences between LOPD and GDPR as well as the latest news about the regulatory framework in data protection.

Almost everything we do in our day to day life has some effect on our privacy, even if many times we are not aware of these details. This is the main reason for the existence of a normative that regulates everything that happens with our data.

Due to the cross-border nature of the Internet a primary purpose of the GDPR is to harmonize data privacy protection regulations across the EU member nations, regardless of where that information is sent, processed, or stored.

What does LOPD mean?

The repealed Spanish legislation on Data Protection, Law 15/1999 of Data Protection (LOPD) is the Law that transposes the repealed Directive 95/46/EC of the European Parliament and of the Council of 24 October 1995 on the protection of individuals with regard to the processing of personal data and on the free movement of such data.

In particular, the Directive created a regulatory framework aimed at striking a balance between a high-level protection of the private lives and the free movement of personal data within the European Union (EU), setting strict limits for the collection and use of personal data and requesting the creation, in each Member State, of an independent national body responsible for the supervision of any activity related to the processing of personal data.

What does GDPR mean?

On May 25, 2016, the General Data Protection Regulation (GDPR) came into force. This new Regulation is applicable from May 25, 2018.

Unlike what happened with Directive 95/46 / EC, the GDPR is directly applicable and therefore does not need any national law to implement it.

Therefore, from May 25, 2018, the GDPR applies to all companies operating in the European Union, replacing the LOPD.


While many of the concepts and principles of the LOPD are similar to the current standard, the RGPD introduces new elements, which entail new obligations for EU companies and organizations.
Compliance with the new standards becomes necessary, not only because it imposes important sanctions of up to 4% of the annual global turnover or 20 million euros for the breach of the established obligations, but also because for the first time many digital advertising businesses will have to necessary comply with data protection standards.

Obligations for the companies

The first step that all companies should execute is to identify and analyse the risk areas during the processing of personal data, by preparing an inventory of all the treatment activities carried out by the company. This approach requires a proactive attitude from each organization, that should establish the necessary measures to minimize their risks.

In cases in which treatments with a high-level risk to the rights and freedoms of the interested parties are detected, a Data Protection Impact Assessment (DPIA) should be additionally carried out and the company should introduce the necessary measures to mitigate the risks.

This obligation also extends to what we know as security breaches, which can have important consequences.
Therefore, companies must ensure that they put in place all the procedures that allow detecting, reporting and investigating a security breach.

Data subject rights

The GDPR added new rights to the LOPD list. Data Subjects under GDPR have eight fundamental rights: (1) right of access (2) right to rectification (3) right to erasure or right to be forgotten (4) right to restriction of processing (5) right to be informed (6) right to data portability (7) right to object (8) right not to be subject to a decision based solely on automated processing.

Finally, among the obligations included in the General Data Protection Regulation (RGPD), there is the need for companies to have a data protection expert called Data Protection Officer (DPO). This figure did not exist until the entry into force of the new Regulation. The DPO can be a stuff member or be hired as external and must be an expert in the legislation that regulates the protection of personal data.

Among the main tasks that the new Regulation attributes to the Data Protection Officer are, for instance, informing and advising the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation, monitoring compliance with this Regulation or Cooperating with the supervisory authority.


Letslaw is a law firm specialized in data protection. We offer our clients an efficient service, clarifying any doubts that may arise regarding data protection. Compliance with the GDPR ensures companies the correct treatment of personal data and can avoid high-risk data protection situations.

Contact Us

    By clicking on "Send" you accept our Privacy Policy - + Info

    I agree to receive outlined commercial communications from LETSLAW, S.L. in accordance with the provisions of our Privacy Policy - + Info