GDPR for law firms: obligations, processing records and fines 2026
Law firms handle particularly sensitive data: fees, judicial disputes, professional secrecy. We analyse specific GDPR obligations: records of processing activities, legal basis, retention periods and AEPD enforcement regime.
Why GDPR is particularly demanding for law firms
Law firms are data controllers for clients, employees and third parties (Art. 4.7 GDPR). They frequently process special category data: health data in accident files, data relating to criminal convictions (Art. 10 GDPR), financial data and private life data.
Organic Law 3/2018 (LOPDGDD), in its additional provision 17, recognises the lawyer's duty of professional secrecy as a limit on the exercise of data subject rights (access, portability), but this does not exempt firms from the rest of their GDPR obligations.
Records of processing activities (Art. 30 GDPR)
All firms with more than 250 employees must maintain written records (paper or electronic) of their processing activities. Even below that threshold, records are mandatory if the processing involves a risk to rights and freedoms, which is almost always the case in a law firm.
Records must include for each processing activity:
- Name and contact details of the controller and DPO (if any).
- Purpose of processing.
- Categories of data subjects and data.
- Categories of recipients (including third countries).
- Planned retention periods.
- General description of technical and organisational security measures.
AEPD fines 2024-2025
The AEPD has fined law firms and legal professionals in recent years for:
- Improper access to other professionals' client file data.
- Sending non-anonymised documents to non-parties.
- Absence of processing records in ex officio inspections.
Fines can reach €20,000,000 or 4% of global turnover (Art. 83.5 GDPR).