What are the main regulatory obligations to be met in 2025 according to the size of my company?

In an increasingly regulated business environment, it is essential for the self-employed and companies to be aware of their legal duties in order to avoid penalties and ensure responsible management. In 2025, both companies with employees and those without employees (including the self‑employed) must comply with key regulations that affect areas such as data protection, occupational risk prevention, time control, or equality. In addition, certain activities are subject to specific requirements depending on their sector.

In this article we review the main regulatory duties in force, differentiating according to company size, so that you can check whether your organisation is up to date.

Companies without employees or self‑employed workers

Even without hired staff, companies and self‑employed workers must comply with various obligations, including:

Personal data protection (LOPDGDD and GDPR)

Any company or self‑employed professional that handles clients’, suppliers’ or users’ data (even if it is only a contact database) is obliged to comply with data protection regulations: risk analysis, privacy clauses, contracts with data processors, etc.

Basic Occupational Risk Prevention (PRL)

If they carry out activities with risks (such as technical installations, construction, transport, etc.), they must comply with the principles of self‑protection and coordination of activities.

Protocol against workplace and/or sexual harassment (Royal Decree 901/2020)

Mandatory since 2021 for all companies (regardless of their size), with or without legal representation of the workforce.

Tax and accounting obligations

Census declaration, taxes, accounting books, and any other obligation derived from the applicable tax regime. For example: Veri*Factu, electronic invoicing, etc.

Sector‑specific licences and authorisations

For example, municipal activity licences, health registrations, environmental declarations, etc., if the activity requires it.

Companies with employees

All companies with at least one employee are required to comply with the following regulations, in principle regardless of their size (we will indicate cases where this is not so and a minimum size is required):

Personal data protection (LOPDGDD and GDPR)

In addition to customer and supplier data, companies manage specially protected employee data (health, payroll, etc.), which requires additional safeguards.

Occupational Risk Prevention (Law 31/1995)

Initial risk assessment, prevention plan, health surveillance, training, information, and preventive measures.

Pay register (Royal Decree 902/2020 and Workers’ Statute)

All companies must have an up‑to‑date wage register including information broken down by sex and professional group. Companies with more than 50 employees must also have a “Pay Audit”.

Working time recording (Royal Decree‑Law 8/2019)

Since 2019 it has been mandatory to record the daily working time of each employee, regardless of contract type or working hours. In 2025, time recording will undergo significant changes, among them the obligation to keep the record in digital format.

Internal reporting channel (Law 2/2023)

Mandatory for companies with 50 or more employees, although recommended for smaller companies as a good compliance and reputational risk prevention practice.

Protocol against workplace and/or sexual harassment (Royal Decree 901/2020)

Mandatory since 2021 for all companies (regardless of their size), with or without legal representation of the workforce.

Protocol for dealing with harassment or violence against LGTBI persons (Law 4/2023 and Royal Decree 1026/2024)

Companies with 50 or more employees must have a protocol for dealing with harassment or violence against LGTBI persons.

Equality Plan (Royal Decree 901/2020)

Mandatory for companies with 50 or more employees. It involves diagnosis, negotiation with legal employee representatives, and registration in REGCON. Companies with fewer than 50 employees may prepare it voluntarily.

Specific sectoral obligations (where applicable)

In addition to the general obligations, there are additional regulations depending on the sector of activity, such as:

Health regulations

For companies in the food, education, health or beauty sectors (health registration, good practices, hygiene and health training, etc.).

Environmental regulations

Packaging declarations (Ecoembes), waste, emissions, compliance with Extended Producer Responsibility (EPR), etc.

Prevention of money laundering (Law 10/2010)

Mandatory for certain sectors: tax and accounting consultancy, real estate, jewellery, cryptocurrencies, art trade, among others.

Before finishing, we would like to point out that you can complement the content of this article with another one: Learn about the main labour obligations of companies for a fair and safe environment.

It is important to bear in mind that the regulatory framework is in constant evolution, and every year new obligations are introduced that affect different sectors and types of companies. Recent examples include regulations on radon gas measurement in workplaces located in areas of potential risk (which may apply to schools, academies, sports centres, or street‑level premises); the obligation to use verifiable invoicing systems (VERI*FACTU); or the new regulations on employees’ working time control (where digital time recording will be required, for example).

For all these reasons, it is essential to keep informed and to have up‑to‑date advice that makes it possible to anticipate legislative changes and to ensure regulatory compliance proactively.

If you need advice in this area, remember you can request the free advisory service of the Oficina Económica de Galicia.