Document management for firms in Spain: a 2026 guide
by Ivor Padilla
Co-Founder & Engineering Director
Document management for firms in Spain: a 2026 guide
By Ivor Padilla, co-founder of Gradion · Published on 10 April 2026 · Last updated: 10 April 2026 · 15 min read
If someone in your firm is searching for "document management", they are almost certainly not looking for an enterprise DMS with AES-256 encryption. They are looking for the answer to a much more practical question: how do we stop wasting hours every week moving invoices, payslips and deeds into folders nobody can find again? This post is written for that question.
Document management inside a Spanish law firm, accountancy practice or tax advisory is not the same as document management in a manufacturing company. You are dealing with overlapping retention periods, documents arriving through five different channels, mandatory integrations with the Spanish Tax Agency (AEAT) and the judicial filing system (Lexnet), and personal data in almost everything you touch — with a client who sent you a receipt over WhatsApp last week and nobody can now locate it.
TL;DR: Document management for a professional firm in Spain is not "buying a DMS". It is designing a six-step flow — intake, classification, extraction, validation, archive, retention — that simultaneously satisfies four non-uniform legal retention periods: four years under article 66 of Spain's General Tax Law (tax); six years under article 30 of the Commercial Code (commercial); the period set by article 19 of the invoicing regulation for VAT records; and the storage-limitation principle of article 5(1)(e) of the GDPR (personal data). The real time saving lives in the first three steps — intake, classification and extraction — not in the final archive.
What document management actually means inside a firm
The textbook definition of document management is the set of policies, processes and tools an organisation uses to capture, classify, store, retrieve, preserve and ultimately destroy its documents. The enterprise software industry has been selling against that definition for thirty years.
Inside a professional services firm the reality is different. Most firms already have something in place for the final archive — an organised network drive, a repository built into the accounting software, a shared drive with consistent naming. The break usually happens before the archive: in the documents that come in through the main mailbox, through the firm's WhatsApp line, through the scanner on the office photocopier, through portals of the tax agency or the Ministry of Justice, through professional associations. Those documents arrive without a label, without an assigned client file, without an identified type. Somebody on the team then has to open each one, decide which client and which file it belongs to, rename it according to the firm's convention and move it into the archive.
That invisible work is where the hours go. Not the storing.
This is why "I have a document management system" so rarely solves the real problem a partner is trying to solve. The DMS is the last 20 % of the flow. The other 80 % is at the front door.
The four legal frameworks that decide how long to keep each document
Before talking about tools you have to talk about deadlines. In a firm operating under Spanish law, every document lives inside four separate, non-uniform retention regimes that stack. The longest one wins.
| Framework | Period | Source |
|---|---|---|
| Tax | 4 years (limitation period) from the end of the filing window | Art. 66 Ley 58/2003 (LGT) |
| Commercial | 6 years from the last accounting entry | Art. 30 Spanish Commercial Code |
| VAT / invoicing | Period set by the General Tax Law, with additional formal requirements | Art. 19 RD 1619/2012 |
| Personal data | "No longer than necessary" + post-use block | Art. 5(1)(e) GDPR + art. 32 LOPD-GDD |
The tax clock
Article 66 of Spain's General Tax Law (Ley 58/2003) sets a four-year limitation period on the Tax Administration's right to assess and collect the tax due. That is the real floor on how long a professional firm needs to keep supporting documentation — if the tax office asks within those four years, the document has to be producible.
Article 29 of Ley 58/2003 lists the formal tax obligations of the taxpayer. One of them is expressly the duty to keep and preserve accounting books, records, and the software, files and archives that support them. The duty isn't only to store the PDF — it extends to the environment that lets anyone interpret it later.
Working that down to the invoice level, Article 19 of Royal Decree 1619/2012 — the Spanish invoicing regulation — requires businesses to keep received invoices and copies of issued invoices for the period set by the General Tax Law, anchored by the four-year limitation in LGT article 66. It also requires originals to be preserved with their original content, properly ordered, and in a condition that allows reading and audit — not as loose, compressed JPGs in a folder.
The commercial clock
Article 30 of Spain's Commercial Code requires businesses to keep their books, correspondence, documentation and supporting records for six years from the date of the last entry made in the books. This is a separate clock from the tax limitation period and runs concurrently: it starts at the last book entry, not the issue date of each individual document.
In practical terms, a firm keeping a client's books has a clear operational duty: keep it for at least six years, because the commercial clock is usually more generous than the tax clock and both run in parallel.
The GDPR clock: "no longer than necessary"
Article 5(1)(e) of the GDPR (Regulation (EU) 2016/679) sets the storage-limitation principle: personal data must not be kept in identifiable form for longer than is necessary for the purposes for which it was processed. In plain terms for a firm partner: "keeping it just in case" is not a valid policy, and the retention period has to be documented by purpose — not by file type, but by why it is being stored. We cover the practical side in our earlier post on GDPR and AI-based automation in firms.
The obvious tension: what do you do when the GDPR says "delete it" but the tax office says "keep it for four more years"? Spanish law resolves that tension with a specific mechanism.
Article 32 of Spain's Organic Law 3/2018 (LOPD-GDD) resolves a tension every firm hits eventually: what to do when a record can no longer be used for its original purpose, but cannot be deleted either because tax or commercial law still requires it to be kept. The answer is a formal block: the data is flagged and reserved under technical and organisational controls that forbid any processing, except making it available to courts, prosecutors or competent authorities. Only once the derived liability period expires are the records finally destroyed.
The operational consequence: your document management flow has to know how to block a file, not only archive or delete it. Three states, not two.
A modern document management flow, in six steps
If you reduce the real flow inside a firm to its essentials, it is six steps. The first three are where the hours go. The last three are where the problem looks like it is, but usually isn't.
- Intake. The document arrives at the firm through email, WhatsApp, the office scanner, the AEAT portal, Lexnet, a scanned letter or a hand delivery. Each channel has its own format and its own rhythm.
- Classification. Deciding what type it is — received invoice, payslip, deed, judicial resolution, notification, contract — and which client and file it belongs to. Today, in most firms, a person is doing this by hand.
- Extraction. Pulling the 3-5 key fields — tax ID, amount, date, subject, counterparty — that feed the ERP, the accounting software or the firm's invoicing system.
- Validation. A professional reviews the classification and the extracted fields, corrects errors, approves what is correct, decides what goes to the client and what does not. This step never goes away.
- Archive. The classified and validated document is deposited in the definitive repository with consistent naming and the metadata the firm needs to find it again.
- Retention and deletion. The system knows when a document can move to blocked status (end of active use + start of the legal retention period) and when it must be destroyed (end of every applicable period).
The big lie of generic document management is selling "the six steps" with equal weight. They do not carry equal weight. In the 10-day pilots we have run in professional firms so far, between 60 % and 80 % of the time categorised by the partner as "document management" sits in steps 1, 2 and 3 — intake, classification and extraction — not in the archive.
Mandatory integrations: AEAT, Lexnet, VERIFACTU and your ERP
A firm document flow that ignores its mandatory integrations is not a flow, it is an island. There are four connections that are almost never optional.
AEAT and VERIFACTU. If your firm — or your clients — issues invoices, the invoicing system can no longer simply "store the PDF". Spain's VERIFACTU regime imposes integrity and audit requirements on the invoicing software itself.
Royal Decree 1007/2023, which implements the VERIFACTU regime, requires invoicing software to guarantee the integrity, preservation, accessibility, legibility, traceability and immutability of billing records — with every change logged inside the system itself. Keeping the invoice is no longer the bar: the system that generates it has to keep it in an auditable way, and that requirement climbs upstream through the entire document flow of a professional firm. We cover the details in our VERIFACTU guide for 2026.
Mandatory B2B e-invoicing. Over the medium term, the firm will have to receive and issue electronic invoices to any other business — even when the client is a five-person SL.
Article 12 of Ley 18/2022 (the "Crea y Crece" Act) amends Ley 56/2007 to require every business and self-employed professional in Spain to issue, send and receive electronic invoices in commercial dealings with other businesses and professionals. The obligation is on the books, but its real start date depends on the still-pending implementing regulation — the exact calendar by firm size should be verified against the current text of the e-invoicing regulation and AEAT/Economic Affairs Ministry notices at time of reading. For four years from issuance, recipients can request a free copy.
Public-sector portals. Every time the firm files anything against a Spanish administration — the AEAT portal, Lexnet, Social Security, the Commercial Register, the Ministry of Justice — it is touching an administrative archive with its own standard.
Article 17 of Ley 39/2015 sets Spain's electronic-archive standard for public administrations: a format that guarantees authenticity, integrity and long-term preservation; the ability to migrate to other formats; and security measures consistent with the Esquema Nacional de Seguridad. A professional firm is not a public administration — but whenever it handles filings with the Tax Office, the Ministry of Justice or Social Security, it's touching that archive, and its own document handling is measured against that benchmark.
Article 70 of Ley 39/2015 defines an administrative file (expediente) as the "ordered set of documents and actions that serve as background and foundation for the administrative decision", and requires it to be kept in electronic format with a numbered, authenticated index. When a firm files a permit request, an appeal or a formal statement on behalf of a client, it is contributing a slice of that administrative file — and it inherits the order-and-integrity standard that the law imposes on the whole.
Your firm's ERP. Whether it is A3, Holded, Sage Despachos, Aranzadi, Kleos or something else, it is the piece you already have. A modern document flow is not there to replace it. It is there to feed it: extracted documents arrive as journal entries, received invoices and client files inside the ERP you already know.
Where AI belongs in the flow (and where it should stay out)
Artificial intelligence is a genuinely useful tool in the document flow of a professional firm in three specific steps — and in no others. Let's be specific about this, because it matters.
It fits in steps 2 and 3. Classifying a PDF as "received invoice from supplier X" or "AEAT notification" is exactly the kind of task current models handle well. Extracting tax ID, amount, date and subject from an invoice — same story. AI here decides nothing on its own: it speeds up a repetitive task that a person is currently doing one file at a time.
It helps a little in step 4. In validation, AI can flag inconsistencies — the amount does not reconcile with the VAT base, the tax ID does not exist, the date falls outside the quarter being declared — and propose corrections. The decision stays with the professional.
It should not enter steps 1, 5 or 6. Intake is connectivity (APIs, mailboxes, webhooks), not "intelligence". The final archive is plain software done well, not a language model. And retention and deletion are deterministic logic on legal rules — you do not want a probabilistic model making the decision to destroy a client file.
This distribution matters, because the classic failure when a firm buys "AI for document management" is paying to apply AI to step 5 (the archive, which already works) while leaving steps 2 and 3 untouched (where the hours really are). And because AI does not replace professionals: it speeds up classification and extraction, while validation and decision-making stay where they belong — inside the firm. If you want to understand the GDPR framework that applies to the whole flow, we have a dedicated post on GDPR and AI-based automation; and if traceability during a possible inspection is a concern, we have gone deep on it in our post on what Spain's AEPD expects from firms using AI.
Frequently asked questions about document management for firms
How long do I have to keep invoices in my firm?
In practice, six years is the safe minimum for any document with accounting or tax significance — because the commercial clock under article 30 of the Commercial Code outlasts the four-year tax limitation under article 66 LGT, and both clocks run in parallel. If the document supports an employment matter, the Labour Inspectorate's own timelines take over and each case needs to be checked separately. General rule of thumb: six years.
Is it legal to keep client files in Google Drive?
It depends. What matters is not "Google", it is where the servers actually sit, what the provider offers in its data processing agreement, and whether your firm has signed that agreement before uploading anything. Google Workspace can be configured in a GDPR-compliant way when the processing is properly formalised and the data stays in EU regions. Keeping the same files in the partner's personal free account, on the other hand, is not compliant.
Does mandatory e-invoicing change how I store documents?
Yes, in two ways. First, the format is no longer a scanned PDF — it becomes a structured file (FacturaE or an equivalent interoperable format) that your system must be able to issue and receive. Second, the software itself becomes regulated — VERIFACTU requires the system to guarantee integrity and audit, not only the file. Both changes point in the same direction: your "document management" stops being a warehouse and becomes an auditable flow.
What is data blocking, and when can I finally delete a client file?
Blocking is the in-between state between "active" and "deleted" that article 32 of the LOPD-GDD defines. When you stop using a file for its original purpose but the law still requires you to keep it (because of the tax period, for example), it enters the blocked state: flagged, reserved, and unusable by anyone except to make it available to courts or competent authorities. Deleting it is only lawful once every derived liability period has expired — tax, commercial, data protection.
Can I use a generic document manager, or do I need one designed for firms?
You can use a generic one for the final archive if it already works for you. What generic systems rarely solve is what comes before: intake from the real channels of a professional firm (email, WhatsApp, AEAT/Lexnet portals), classification by document type and client file, and extraction of fields into the ERP you already have. That is where a "firm-specific" solution earns its place — not in the warehouse.
Can I keep documents on servers outside the European Union?
For personal data belonging to your clients, the default answer is no, not without extra conditions. International transfers of personal data are regulated by the GDPR and require either an adequacy decision covering the destination country, standard contractual clauses, or equivalent safeguards. The simple, safe answer for a Spanish firm is to keep the data in EU-based data centres and treat any exception as its own compliance project.
How we're solving this at Gradion
In the pilots we have run with firms so far, the first thing we automate is not the final archive. It is the document inbox. We connect the three or four real channels through which documents actually arrive at the firm — the main mailbox, the WhatsApp Business line, the scanner folder, the AEAT portal — and run every incoming document through automatic classification against the 5-7 real categories the firm uses (received invoice, payslip, resolution, deed, contract, judicial notification, AEAT communication). We extract the 3-5 key fields for each type — tax ID, amount, date, client file, counterparty — and drop the document, already classified and tagged, into the archive the firm was already using. The final archive does not change. The front door does.
Every operation in the flow leaves an audit trail from day one. Our technical reference is Royal Decree 311/2022, which regulates Spain's National Security Framework (ENS) — it lists traceability among the security dimensions to protect, alongside confidentiality, integrity, authenticity, availability and preservation. The ENS is not formally binding on a private firm, but it is the de-facto technical benchmark we measure against — because it is the yardstick an inspector uses when judging the proportionality of a firm's controls.
Data is processed on infrastructure hosted inside the European Union, with per-client isolation and a signed data processing agreement from day one. The pilot runs for 10 days at a fixed price, and at the end of it we deliver the automation in production — together with the associated compliance dossier, not as an extra line item.
What we do not do: replace your team. The professional keeps reviewing the classification proposals, correcting what needs correcting, and making the decisions that are theirs to make. The difference is that they no longer spend four hours a day opening PDFs one at a time to decide which file each one belongs to.
Is your team losing 15 hours a week to paperwork?
We solve it in 10 days with a fixed-price pilot.
Tell us about your case →
