Navigating data protection compliance, Spain
In Spain, legal counsel is part of a Southern European legal team, focusing on business operations, compliance, and data protection. Key responsibilities include reviewing contracts, ensuring GDPR and Spanish data law compliance, and advising on data controller vs. processor roles.
In 2025, Spain’s data protection authority (AEPD) increased oversight of data breaches and security practices. Legal counsel addresses our obligations to candidates, workers, and clients by clarifying data roles, raising awareness of requirements, and addressing sector-specific compliance.
Hays typically acts as an independent data controller, especially in recruitment services where CVs are shared under existing privacy policies. When clients require access to or processing of their internal data, Hays may act as a data processor, which requires a Data Processing Agreement (DPA).
Clients and consultants are not always clear on when a DPA is needed. Legal counsel intervenes to clarify the data involved, processing scope, and legal obligations.
In Spain, permanent recruitment and contracting are most common, with Hays maintaining controller status. MSP models are less frequent and often still fall under controller roles due to Spain’s labour supply contract rules.
Proactive legal guidance, clear documentation, and training are essential to ensure GDPR compliance and avoid delays.