Jurisdictions — Spain, EU, and UK

What each jurisdiction adds, how to choose when you serve more than one, and how RGPD differs from GDPR proper.

miniterms supports three jurisdictions today: Spain, EU, and UK. Each ships its own regulator citation set, and the right choice is determined by where you are established — not where your users live.

Spain (default)

The Spain set is the largest. It includes:

  • The General Data Protection Regulation, Regulation (EU) 2016/679, in full
  • Ley Orgánica 3/2018, de Protección de Datos Personales y Garantía de los Derechos Digitales — LOPDGDP, BOE-A-2018-16673
  • AEPD circulars and guidance referenced from the Agency's "Documentos" library
  • The cookie-specific guidance from the AEPD's "Guía sobre el uso de las cookies" (current edition)
  • Spanish accounting / commercial law minimums (Código de Comercio art. 30) for retention of billing records

Pick Spain if your business is incorporated in Spain, regardless of where your customers are. The LOPDGDP layers Spain-specific obligations on top of the GDPR — for example a more demanding regime for minors' consent ([BOE LOPDGDP art. 7]) and explicit rules on processing for purposes of journalism and freedom of expression.

A note on terminology: in Spanish, the GDPR is called RGPD (Reglamento General de Protección de Datos). Same instrument, same article numbers, same paragraphs. The Spanish output uses RGPD; the English output uses GDPR. Citations point to the same EUR-Lex URL either way.

EU

The EU set is the Spain set minus the LOPDGDP-specific layer and minus the AEPD-specific guidance. It includes the GDPR in full, the EDPB common guidelines, and the e-Privacy Directive (2002/58/EC, as amended by 2009/136/EC) for cookie obligations.

Pick EU if you are established in any EU or EEA member state other than Spain. The EU output is appropriate for an Italian, German, French, Irish, or Dutch controller. It will not include AEPD-specific clauses, and the citations will not include BOE references.

If you operate from a country with its own national transposition (e.g. Germany's BDSG, France's Loi Informatique et Libertés), you may want to take the EU output and have local counsel add the national layer. miniterms does not generate those national layers today.

UK

The UK set replaces the GDPR with the UK GDPR (the post-Brexit retained version) and adds the Data Protection Act 2018. The ICO is the supervisory authority. Cookie obligations are covered by the Privacy and Electronic Communications Regulations 2003 (PECR).

Pick UK if you are established in the UK. Note that the UK regime is currently diverging from the EU regime — particularly on international data transfers, where the UK has its own International Data Transfer Agreement (IDTA). The UK output reflects the divergence.

I serve users in several countries — which do I pick?

You pick the country where your business is established (registered office, principal place of business). The GDPR's one-stop-shop mechanism means your lead supervisory authority is the one in your country of establishment, regardless of where your users are. So a Spanish SL serving customers across the EU still has a Spanish-led regulatory posture and should use the Spain jurisdiction.

There is one exception: if you have specific operations in another EU country — say, a German branch with German employees — you may have local obligations there. miniterms does not handle multi-establishment controllers today; if that is you, generate the primary country and ask counsel to layer the secondary obligations.

Switching jurisdictions later

You can switch jurisdictions in the dashboard at any time. Switching does not delete prior versions — your policy history retains the previously generated documents. Customers who already saw the old version are not retroactively affected; the change applies from the publish date forward.