The legal cost of not training: OHS + GDPR fines in Spain (2026)

Blog

Álvaro Martínez

Content Specialist

Digitization

Reading time: 9 minutes

Make content work for you

Book a personalized demo

From experience
to knowledge

In 2024, the Labor Inspectorate in Catalonia alone imposed €49.4 million in fines, a historic record for that region across more than 13,000 sanctions.¹ The trend is consistent across the rest of Spain, with a sustained increase in penalties for OHS and labor condition violations. That same year, the Spanish Data Protection Agency (AEPD) exceeded €35 million in enforcement actions.² In many of those rulings, the root cause was the same: employees who had never received proper training.

This article breaks down the legal framework that makes training mandatory, what it costs to skip it, and what the companies that end up paying have in common. If you manage corporate training or handle regulatory compliance, the numbers ahead are relevant for your 2026 budget.

What the law says: training obligations in Spain

The obligation to train employees is not a recommendation. It is established across multiple regulations that affect virtually every company operating in Spain.

Occupational health and safety (PRL)

Law 31/1995 on Occupational Risk Prevention (Ley de Prevención de Riesgos Laborales) states in Article 19 that employers must provide theoretical and practical training to every worker, both at the time of hiring and whenever working conditions change. This training must be sufficient, role-specific, and updated whenever risks evolve.³

It is neither optional nor delegable. The responsibility falls on the employer, not the external prevention service.

The General Data Protection Regulation does not literally say "train your employees." But the combined reading of Articles 5.2, 24, 32, and 39 establishes that any solid compliance system must include training for personnel involved in data processing.⁴ The AEPD has confirmed this in multiple rulings: when a breach occurs and there is no evidence of training, the penalty gets worse.

Other mandatory training

Beyond OHS and data protection, there are additional obligations that many companies overlook or postpone:

Equality and non-discrimination: Royal Decree 1026/2024, in effect since April 2025, expands equality training requirements for companies with more than 50 employees.⁵
Whistleblowing channel: Law 2/2023 requires that employees be informed about the existence and operation of the internal reporting channel.
Harassment prevention: Organic Law 10/2022 mandates training in the prevention of sexual and gender-based harassment.

Mandatory training in Spain: OHS (Law 31/1995), data protection (GDPR, Arts. 5.2, 24, 32, 39), and equality (RD 1026/2024). Fines for non-compliance range from €2,451 to nearly €1M for OHS violations, and up to €20M or 4% of global annual turnover under GDPR.

How much do fines for not training actually cost

The amounts depend on the severity of the infringement and the regulatory area. Below is the current framework according to LISOS (Spain's Law on Social Order Infractions and Sanctions) and the GDPR itself.

OHS sanctions (LISOS)

Severity	Minimum range	Mid range	Maximum range
Minor	€45 - €485	€486 - €975	€976 - €2,450
Serious	€2,451 - €9,830	€9,831 - €24,585	€24,586 - €49,180
Very serious	€49,181 - €196,746	€196,747 - €491,865	€491,866 - €983,736

*Source: LISOS, Arts. 40.2, updated by Law 10/2021.*⁶

In practice, insufficient or inadequate training falls under Article 12.8 LISOS as a serious infringement. But when that gap coincides with a severe risk or an actual accident, it can be reclassified under Article 13.4 as very serious, with access to the top sanction bracket: over €900,000.

An important detail: since Law 10/2021, sanctions can be applied per affected worker, not per company. A single infringement at a plant with 200 operators can multiply the total amount significantly.

Level	Maximum amount
Minor infractions	Up to €40,000
Serious infractions	Up to €300,000
Very serious infractions	Up to €20,000,000 or 4% of annual global turnover

*Source: GDPR, Art. 83; LOPDGDD, Art. 76.*⁷

The AEPD issued 242 fines in 2024, totaling €35.6 million.² The volume of complaints is also rising: over 19,000 received that year.⁸

Real cases: when the lack of training gets expensive

Aggregate data helps identify the trend. But specific cases show how this plays out in practice.

Ibermutua: €600,000 for a preventable human error

In 2025, the AEPD fined Ibermutua €600,000 (reduced from an initial €1 million after the company accepted responsibility). An employee accidentally sent a file containing data from 3,395 individuals to 354 recipients. The cause: a flaw in the email system combined with a lack of employee training in data security.⁹

The ruling highlighted that there was no evidence of a structured training program on confidentiality. The human error was the direct cause, but the absence of training was the aggravating factor that escalated the penalty.

In Catalonia alone, the Labor Inspectorate (ITSS) processed 1,949 accident-related infractions in 2024, a 12.6% increase over the previous year, totaling €9.27 million.¹ The most affected sectors: manufacturing, construction, retail, and hospitality.

Fatal workplace accidents also rose: 796 deaths in 2024, a 10.4% increase compared to 2023.¹⁰ The recurring causes identified by Spain's National Institute for Occupational Safety (INSST) include failure to provide worker training and information, and the absence of adequate protective equipment.

The invisible cost: beyond the fines

The fine is the visible part. But the real cost of not training extends well beyond the administrative ruling.

Benefit surcharge. When a workplace accident occurs due to a lack of safety measures (training included), the Social Security system can impose a surcharge of 30 to 50% on all benefits derived from the accident. The company pays this surcharge directly, with no option to insure against it.

Criminal liability. In cases of severe accidents resulting in death or injury, Article 316 of the Criminal Code provides for prison sentences of six months to three years for those who, being legally obligated, fail to provide the necessary means for worker safety.

The aggregate economic cost. According to AEPSAL data, workplace accidents cost the Spanish economy over €15.3 billion per year, roughly 3% of GDP.¹¹ Across the EU, the figure reaches €476 billion annually.

The data protection connection. Over 60% of data security breaches originate from human error.¹² That is why the AEPD specifically evaluates the existence of training programs when investigating a breach. Not having a training program documented does not mean it is understood, but not having one at all is a direct aggravating factor.

How to structure training that complies (and actually works)

The problem is rarely that the company does not want to train. It is that the training model does not scale.

Four-hour in-person sessions happen once a year, get forgotten in two weeks, and leave no traceable record. Data protection policy PDFs collect digital dust in a SharePoint folder nobody opens. And when the inspection arrives, the company needs to prove not only that it trained, but that the training was adequate, up to date, and verifiable.

We call this Document Inertia: the tendency to keep using static formats (PDF, PowerPoint, one-off sessions) because the perceived cost of switching seems high, even though the evidence shows these formats generate neither retention nor traceability.

What actually works for compliance and knowledge retention:

Modularity. Break training into short blocks (5-10 minutes) that can be completed on the job, not in a meeting room on a Tuesday afternoon.
Traceability. Every module should generate a record of who completed it, when, and with what result. This is what the inspectorate asks for.
Continuous updates. Regulations change. Processes change. Training needs to be updatable without rebuilding it from scratch. Platforms like Vidext allow you to update training content in minutes using AI, while maintaining traceability and without relying on external production.
Multilingual delivery. For companies with diverse workforces or operations across multiple plants, training has to reach each worker in the language they understand.

Example: a company with 400 employees distributes a data policy PDF once a year. With 7-minute interactive video modules, automatically translated and fully traceable, you can show in seconds who completed what, when, and with what result, whether for a Labor Inspectorate visit or an AEPD audit.

Moving from a four-hour annual session to a modular system with traceability tends to reduce time lost to unproductive training and, more importantly, eliminates the risk of "I can't prove that we trained."

The goal is not "having training." It is having a knowledge infrastructure that stays alive, scales with the company, and keeps the documentation ready when the inspection comes, without scrambling.

The cheapest training is the one that prevents the fine

We have reviewed the numbers: up to €983,736 for a very serious OHS infraction. Up to €20 million for a data breach with no training to back it up. Over €15 billion per year in workplace accident costs across Spain. And a benefit surcharge that comes directly out of the company's pocket.

But beyond the numbers, there is a clear pattern. The companies that end up paying are not the ones that did something wrong on purpose. They are the ones that lacked a structured system to train at scale and prove it when the time came.

Mandatory training is not a cost. It is the cheapest insurance policy a company can buy. And in 2026, with the Labor Inspectorate breaking records and the AEPD increasingly active, the risk of not having it only keeps growing.

Frequently asked questions

What fines can a company receive for not providing OHS training?

Fines for lack of occupational health and safety training are classified as a serious infraction under Article 12.8 of LISOS, with sanctions ranging from €2,451 to €49,180. If the lack of training creates a severe and imminent risk, it escalates to very serious, with fines of up to €983,736. Since 2021, these sanctions can be applied per affected worker.

Is data protection training mandatory for employees?

There is no single article that says so explicitly, but the combined reading of Articles 5.2, 24, 32, and 39 of the GDPR establishes that training is a necessary component of any compliance system. The AEPD has confirmed this in multiple rulings: the absence of training is considered an aggravating factor when investigating a data breach.

How much do workplace accidents cost Spanish companies?

According to AEPSAL data, the total cost of workplace accidents in Spain exceeds €15.3 billion per year, equivalent to roughly 3% of GDP. This includes direct costs (healthcare, benefits) and indirect costs (absenteeism, lost productivity, replacements).

How often should mandatory training be updated?

Law 31/1995 establishes that training must be updated whenever job conditions change, new technologies are introduced, or risks evolve. In practice, annual review is recommended as a minimum, with immediate updates for relevant regulatory changes, such as those introduced by RD 1026/2024 on equality.

What types of training are legally mandatory in Spain in 2026?

The main ones are: occupational health and safety (Law 31/1995), personal data protection (GDPR + LOPDGDD), equality and non-discrimination (RD 1026/2024, LO 3/2007), sexual harassment prevention (LO 10/2022), and internal whistleblowing channels (Law 2/2023). Requirements vary by company size and sector, but OHS and data protection apply to all.