UPDATED 2026-05-10
Regulatory landscape for EdTech in Spain
Spain's education technology sector operates under a layered regulatory framework that extends well beyond traditional data protection. EdTech businesses processing student data must navigate GDPR requirements administered by the Spanish Data Protection Authority (AEPD), alongside emerging artificial intelligence governance under the EU AI Act. The EEA (European Electronic Communications Code) adds connectivity and accessibility dimensions, particularly for platforms serving public or semi-public educational institutions.
What distinguishes Spain's approach is the intersection of national education law (Ley Orgánica de Educación, or LOE) with these EU frameworks. Educational institutions in Spain have statutory obligations to ensure data controllers meet GDPR standards, which transfers downstream pressure to EdTech vendors. The AEPD publishes sector-specific guidance on educational data processing, recognising that student information involves special categories of data (children's data, health records, learning disabilities) requiring heightened protection. Additionally, Spain's implementation of the AI Act has created compliance obligations for systems deploying algorithmic decision-making in student assessment or personalisation—areas many EdTech platforms already occupy.
The regulatory environment crystallised in late 2023 and continues evolving. Budget for ongoing compliance monitoring, particularly around AI governance, which lacks the maturity of GDPR enforcement. Your compliance programme should centre on data minimisation (a foundational principle across all three regulations), audit trails, and transparency mechanisms that satisfy both EU-level and Spanish sectoral expectations.
Applicable regulations and deadlines
General Data Protection Regulation (GDPR)
The GDPR (Regulation 2016/679) remains the baseline for EdTech compliance in Spain. Under Articles 13 and 14, you must provide explicit, transparent information to students and parents about data processing before collection occurs. The AEPD enforces GDPR through Spain's Organic Law 3/2018 (LOPDGDD), which adds national-level safeguards and higher penalties for certain breaches affecting minors.
Key EdTech obligations: designate a Data Protection Officer (DPO) if processing large-scale student data or educational profiling; conduct Data Protection Impact Assessments (DPIAs) before deploying learning analytics or recommendation algorithms; ensure Processor Agreements (Article 28) are signed with schools before any data transfer; and implement privacy by design, including technical measures like encryption and anonymisation where feasible.
The AEPD has issued specific guidance on educational data (available via aepd.es) emphasising parental consent requirements for minors under 14 and institutional consent when schools act as controllers. No hard deadline applies—GDPR is enforceable now—but expect heightened scrutiny if your platform lacks documented compliance measures. Penalties reach €20 million or 4% of global turnover for serious breaches.
Source: EUR-Lex: Regulation 2016/679
EU AI Act (Regulation 2024/1689)
The AI Act entered into force in August 2024, with significant compliance deadlines already active. Recital 71 and Article 6 classify educational assessment and personalised learning recommendations as "high-risk" AI systems if they can substantially affect educational outcomes or opportunities. EdTech platforms using algorithmic ranking, automated essay scoring, or adaptive learning pathways likely fall into this category.
High-risk obligations include: maintaining detailed documentation of training and testing data; implementing explainability features so students/parents understand why an algorithm made a decision; conducting conformity assessments before deployment; and maintaining audit logs for two years post-deployment. As of 12 August 2024, these requirements are binding. The AEPD and Spain's relevant digital authority (Secretaría de Estado para la Digitalización e Inteligencia Artificial) jointly oversee compliance.
If your system uses general-purpose language models (e.g., GPT-based tutoring assistants), Article 53 requires transparency disclosures explaining that students interact with AI, plus measures to prevent the generation of educational material without human review. Non-compliance risks fines up to €30 million or 6% of global revenue.
Source: EUR-Lex: Regulation 2024/1689
European Electronic Communications Code (EEA / Directive 2014/61)
The EEA (transposed in Spain via Law 9/2014) establishes accessibility and non-discrimination standards for digital services, including educational platforms. Article 20 requires that services funded wholly or partly by public bodies must be accessible to persons with disabilities. For EdTech platforms sold to Spanish public schools or subsidised educational initiatives, compliance is mandatory.
Specifically, your platform must meet WCAG 2.1 Level AA accessibility standards (colour contrast, keyboard navigation, screen reader compatibility, captions on video content). No single enforcement deadline exists, but accessibility reviews typically occur during procurement cycles with Spanish educational authorities. The Spanish National Commission of Markets and Competition (CNMC) and Ministry of Inclusion provide guidance.
If your product processes or stores any user data over networks, you must also comply with EEA Article 3 requirements around network security, resilience and availability—effectively mandating secure infrastructure and incident response procedures. This overlaps with GDPR but is separately auditable.
Source: EUR-Lex: Directive 2014/61
Three high-risk compliance pitfalls in Spanish EdTech
Pitfall 1: Parental consent confusion with institutional authority
Many EdTech founders assume that a contract with a Spanish school satisfies consent requirements for student data. In practice, the school—as a public body—often acts as a joint controller, but parental consent for minors under 14 remains legally required under Spanish law (LOPDGDD Article 7). The AEPD has investigated cases where EdTech platforms collected student behavioural data (e.g., login patterns, quiz performance) without explicit parental notice.
Case study: A Madrid-based adaptive learning platform signed a pilot agreement with a regional education authority in 2022, deploying to 500 students without obtaining separate parental consent forms. The AEPD issued a preliminary enforcement notice (not yet public) flagging GDPR Article 14 violations. The company remediated by issuing consent requests to all parents within six weeks, but lost credibility with the school and faced reputational damage.
Mitigation: Build a consent workflow that distinguishes between institutional agreements and individual student/parent consent. Use age-gating to determine whether to request parental consent. Partner with schools to draft consent templates compliant with Spanish education law and GDPR.
Pitfall 2: AI transparency gaps in algorithmic personalisation
EdTech platforms often use machine learning to adapt course difficulty, recommend topics, or flag struggling students for intervention. Many founders treat these systems as "business intelligence" exempt from transparency requirements. The AI Act categorises such systems as high-risk and mandates explainability, especially where decisions affect educational progression or special education referrals.
Case study: A Barcelona-based platform deployed a recommendation engine that flagged students for remedial intervention based on quiz performance and engagement metrics. The algorithm was never documented as AI; the company marketed it as a "teacher assistant feature." When a parent questioned why their child was recommended for additional support, no one could explain the algorithm's logic. The school's data protection officer raised the issue with the AEPD, initiating a preliminary inquiry under both GDPR Article 22 (automated decision-making) and the AI Act.
Mitigation: Document all ML-driven features as high-risk AI systems. Conduct a conformity assessment and maintain technical files. Provide in-product explanations of algorithmic decisions (e.g., "This topic was recommended because your recent quiz showed gaps in X topic"). Train customer success teams to explain algorithms to schools and parents.
Pitfall 3: Accessibility non-compliance in public education procurement
Spanish schools increasingly vet EdTech accessibility before purchasing. Founders often overlook WCAG compliance, treating it as a "nice-to-have" feature. When a school with deaf or blind students enquires about captions or screen reader support, compliance gaps become deal-blockers and reputational liabilities.
Case study: A Seville EdTech startup pitched its interactive chemistry lab to a public secondary school in 2023. The platform was feature-rich but lacked video captions and relied on colour-coded visual feedback without alternative indicators. During procurement, the school's accessibility officer flagged these gaps. Under EEA Article 20, the school could not legally purchase the product for students with hearing or colour-blindness disabilities. The startup lost the contract and spent six months retrofitting.
Mitigation: Build accessibility from day one. Use WCAG 2.1 AA as your development standard, not a post-launch afterthought. Test with assistive technologies (NVDA, JAWS screen readers) early and often. Conduct an accessibility audit before approaching public schools; factor remediation costs into your go-to-market budget.
Next steps: align your compliance calendar
Spain's EdTech regulatory environment is defined by three overlapping frameworks: GDPR's strict data governance (active now, enforced by the AEPD), the AI Act's algorithmic transparency requirements (live as of August 2024), and EEA accessibility standards (continuously enforced in public procurement). Success requires integrated compliance, not siloed efforts. Start with a Data Protection Impact Assessment to identify your highest-risk processing activities, then layer in AI conformity assessments if you use automated decision-making, and accessibility audits if you serve public schools.