Analítica en España. Sin banner de cookies.

Public-sector and regulated industries

Spanish public-sector procurement (administraciones públicas, universities, hospitals, regional governments) applies stricter rules than commercial eCommerce — and the architectural exemption fits the procurement requirements cleanly:

• —Schrems II clean — processing in Dublin, no US sub-processors.
• —Signed DPA under GDPR Art. 28, available pre-filled for counter-signature.
• —TPSR package covering data flows, retention, encryption and access control.
• —ENS / ISO posture documented (we are not currently ISO 27001 or SOC 2 certified — the roadmap and controls operated today are documented in full).
• —Lawful basis under Art. 6(1)(f) plus LSSI-CE 22.2 exemption — no consent banner required for the analytics layer.

Common DPO questions

Does the AEPD exemption mean no cookie banner at all?

It means no cookie banner is required for the analytics layer specifically, provided the analytics meets the conditions: aggregate, anonymous, no cross-site tracking, no personal data. Other tools on your site (Google Ads pixels, Meta pixels, A/B testing platforms that set cookies) still require consent. Many Spanish eCommerce teams reduce the banner scope to those specific tools instead of running a catch-all banner.

What does the LSSI-CE say about cookies?

Article 22.2 of the Ley de Servicios de la Sociedad de la Información y de Comercio Electrónico (LSSI-CE, 2002 with later amendments) is the Spanish implementation of ePrivacy Art. 5(3). It requires informed consent before storing or accessing information on the user's terminal device. The AEPD has issued guidance (most recently the 2024 cookies guide) describing when the exemption applies — and aggregate audience measurement is explicitly included.

Did the AEPD change position with the Digital Omnibus?

Not on the exemption itself. The Omnibus tightened banner-design enforcement and harmonised national approaches, but the AEPD's position on anonymous audience measurement survived intact. If anything, the new floor on banner design makes the cookie-based path more expensive while leaving the exempt architectures unchanged.

Is SealMetrics suitable for Spanish public-sector sites?

Yes. Public-sector procurement in Spain typically requires Schrems II clean processing (no US transfer), a signed DPA under GDPR Art. 28, and either explicit consent or an exemption. SealMetrics ships all three: EU-only processing in Dublin, a pre-filled DPA, and the architectural exemption under LSSI-CE 22.2. Several Spanish public-sector operators run SealMetrics for that reason.

What does the privacy policy still need to say?

The privacy policy must mention the analytics tool, its purpose, the data categories processed (channel-level aggregates), the retention period, and the lawful basis (Art. 6(1)(f) legitimate interest, paired with the LSSI-CE 22.2 exemption). The transparency obligation under GDPR Art. 13/14 applies regardless of whether consent is collected. A template is included in our TPSR package.

Does the AEPD position align with the CNIL?

Yes, on the exemption itself. Both authorities accept anonymous aggregate audience measurement without consent provided the architecture meets specific conditions. The AEPD guide is less prescriptive than the CNIL's 14-point self-assessment but converges on the same outcome: no identifier on the device, no cross-site tracking, no personal data, EU residency.