GDPR Compliance Training for Modern Businesses
Practical training on GDPR obligations, privacy governance, and business compliance implementation.
If your business uses artificial intelligence — and in 2026, most do — you are operating inside two regulatory frameworks simultaneously. One of them you almost certainly know about. The other is three months away from its most significant enforcement deadline.
The GDPR has governed how you collect, store, and use personal data since 2018. The EU AI Act entered into force in August 2024 and will be fully enforceable on 2 August 2026. These two regulations do not cancel each other out. They stack. And Spain has added a third layer: its own dedicated AI supervisory authority, the AESIA, which is already operational and already producing enforcement guidance.
For Spanish companies using AI tools — whether that means a chatbot on your website, an AI-powered recruitment screening tool, a fraud detection system, or a customer profiling algorithm — the question is no longer whether you need to understand these obligations. It is whether you have enough time to meet them before August.
This guide explains what the EU AI Act requires, how it interacts with GDPR for businesses operating in Spain, what Spain's own AI regulatory framework adds to the picture, and what your business needs to have in place before 2 August 2026.
The EU AI Act — Regulation (EU) 2024/1689 — entered into force on 1 August 2024 as the world's first comprehensive legal framework specifically governing artificial intelligence. It does not replace GDPR. It operates alongside it, adding AI-specific obligations that apply on top of existing data protection requirements.
The Act has been rolling out in phases. The first wave — covering prohibited AI practices and AI literacy obligations — came into force on 2 February 2025. The second wave — governance rules and obligations for general-purpose AI models — became applicable on 2 August 2025.
The third and most operationally demanding wave lands on 2 August 2026. This is when the full framework for high-risk AI systems under Annex III becomes enforceable — covering most of the AI applications that businesses across Spain are already using in employment, finance, healthcare, education, and customer services.

There is one important caveat. The European Commission's Digital Omnibus proposal, published in November 2025, includes a provision that would delay certain high-risk AI deadlines by up to 16 months by linking the application date to the availability of harmonised standards. This proposal has not become law. Legal experts across the EU, and Spain's own AESIA, are advising businesses to treat August 2026 as the binding deadline. Planning around a delay that has not been enacted is a material compliance risk.
The AI Act regulates based on functional risk — the higher the potential harm an AI system could cause, the more stringent the obligations. Understanding where your business's AI tools sit in this hierarchy is the essential first step.

Eight categories of AI practices are outright prohibited and have been since 2 February 2025. If your business uses any of the following, it is already in breach:
If your business is using any vendor product or internal tool that falls into these categories, it must be removed from service immediately. The prohibition has been in force for over a year.
This is the category that affects most businesses. High-risk AI systems are those listed in Annex III of the AI Act and cover applications in the following areas:
Biometrics — systems used for the remote identification, categorisation, or emotion recognition of natural persons.
Critical infrastructure — AI components used in safety-critical systems for energy, water, transport, or digital infrastructure.
Education and vocational training — AI used to determine access to educational institutions, evaluate student performance, or assess examination results. If your business is a training provider or educational institution using AI to assess learners, this applies to you directly.
Employment, worker management, and access to self-employment — AI used in recruitment screening, CV sorting, interview analysis, performance evaluation, work monitoring, and task allocation. If your business uses AI to screen job candidates, this is high-risk. If it uses AI to monitor remote worker productivity, this is also high-risk.
Access to essential private and public services — AI used for credit scoring, insurance pricing, or social benefit eligibility. Any fintech, insurtech, or financial services company using AI for creditworthiness assessments or risk scoring is operating a high-risk system.
Law enforcement, migration, administration of justice — AI used for risk assessment of individuals in criminal, migration, or judicial contexts.
For most Spanish businesses, the most relevant high-risk categories are employment and HR, education, financial services, and biometrics. If your business uses an AI tool in any of these areas — including tools provided by third-party vendors — you are operating a high-risk AI system and the August 2026 obligations apply to you.

Even if your AI system is not high-risk, transparency obligations under Article 50 of the AI Act apply from 2 August 2026 to all AI systems that:
If you have a customer-facing chatbot or any AI that produces synthetic media, these rules apply regardless of risk level.
If your business is a deployer — meaning you use a high-risk AI system professionally, without having built it yourself — these are your core obligations under Article 26 of the AI Act:
Use AI systems according to their instructions. Deployers must follow the technical documentation and intended use scope provided by the provider. Using an AI tool for purposes outside its defined scope is a violation.
Maintain human oversight. A designated person must be capable of understanding the system's outputs, identifying when it is producing inappropriate results, and suspending the system if necessary. This oversight must be genuinely operational, not nominal.
Monitor the system in operation. Deployers must actively monitor high-risk AI systems throughout their use and report serious incidents or malfunctions to the provider and, in some cases, to national authorities.
Conduct a fundamental rights impact assessment before deployment. Before putting a high-risk AI system into use — or by August 2026 for systems already deployed — a formal documented assessment of its potential impact on fundamental rights must be completed.
Maintain logs and records. Deployers must retain records of their use of high-risk AI systems — including the automated logs generated by the system — for at least six months.
Inform affected individuals. Where a high-risk AI system supports or makes decisions affecting individuals — recruitment, credit, benefits — those individuals must be informed that an AI system is involved.
Ensure AI literacy. Staff who operate, oversee, or interpret the outputs of a high-risk AI system must have sufficient understanding of what the system does, its limitations, and when to apply human judgement over its outputs.

This is the area most Spanish businesses are underestimating — the point where AI Act compliance is not separate from GDPR compliance but directly connected to it.
Almost every high-risk AI application processes personal data. An AI recruitment tool processes CVs, names, and assessments. An AI credit scoring system processes financial history and identity data. An AI performance monitoring system processes employee behaviour and productivity metrics. Wherever personal data is involved, GDPR applies simultaneously with the AI Act.

Lawful basis for AI processing. Using personal data in an AI system requires a documented GDPR lawful basis before processing begins. Consent is rarely appropriate at scale — legitimate interests, contract, or legal obligation are more commonly applicable. Every AI-driven processing activity needs a documented basis.
Automated decision-making under GDPR Article 22. Where an AI system makes decisions about individuals that produce legal or similarly significant effects — a job rejection, a credit refusal, a benefit denial — GDPR Article 22 applies. Individuals have the right not to be subject to solely automated decisions of this kind without the ability to request human review, express their point of view, and contest the outcome. This right has existed since 2018 and is entirely independent of the AI Act.
Data Protection Impact Assessments. High-risk AI processing almost always triggers the GDPR requirement for a DPIA. The AI Act's fundamental rights impact assessment and the GDPR's DPIA are separate documents — but they address overlapping concerns and should be developed together. They are not interchangeable.
Data minimisation and purpose limitation. AI systems often process far more personal data than strictly necessary — a common feature of machine learning systems trained on large datasets. The GDPR principles of data minimisation and purpose limitation apply directly. Training an AI model on data collected for a different purpose without a separate legal basis is a GDPR violation.
In February 2026, the AEPD published specific guidance on agentic AI — AI systems that autonomously perform actions, access systems, and make decisions with minimal human intervention. The AEPD confirmed clearly that where an AI agent autonomously performs data-handling operations, the controller deploying the agent remains fully legally responsible under GDPR for all of those operations. Technological autonomy does not reduce legal accountability.
Spain has moved faster on AI governance than almost any other EU member state, and understanding who enforces what is critical.
AESIA — the Agencia Española de Supervisión de Inteligencia Artificial — was established by Royal Decree 729/2023 and has been operational since June 2024. It is the first dedicated national AI supervisory agency in the entire EU. AESIA will act as Spain's primary market surveillance authority for AI under the AI Act once Spain's national AI law is fully enacted. In December 2025, AESIA published 16 detailed guidance documents — available in both Spanish and English — covering conformity assessments, risk management, human oversight, transparency, and specific use cases including biometric systems and HR AI tools. AESIA has also run Spain's AI regulatory sandbox since 2023, with 12 AI projects tested under regulatory supervision.
The AEPD retains full enforcement competence wherever AI systems process personal data — which covers almost every commercially deployed AI system. On 15 July 2025, the AEPD confirmed it is already empowered to take action against AI systems that unlawfully process personal data, even before Spain's national AI law is fully in force. In December 2024, the AEPD fined the National Professional Football League €1,000,000 for implementing a biometric facial recognition system at stadium entrances without complying with GDPR requirements.
For Spanish businesses, this means two authorities can examine your AI operations simultaneously — AESIA on AI Act compliance, the AEPD on GDPR compliance. An AI deployment that fails both standards faces enforcement exposure from both directions.

The maximum penalty under the AI Act for prohibited AI systems is €35 million or 7% of global annual turnover, whichever is higher. GDPR violations by the same system could add a further €20 million or 4% of global annual turnover, again whichever is higher. These fines are not mutually exclusive.
For a full breakdown of how GDPR and Spain's LOPDGDD interact for businesses operating in Spain, see: GDPR vs. Spain's LOPDGDD: Understanding Both Laws and Why Your Business Must Comply With Both.
With three months remaining, here is a practical framework ordered by urgency:
Step 1 — Build your AI inventory. List every AI tool your business uses, whether built internally or provided by a third-party vendor. For each tool, document its intended purpose, the personal data it processes, the decisions it supports or makes, and the individuals it affects.
Step 2 — Classify each AI system by risk level. Map each tool against the prohibited list and the Annex III high-risk categories. Be conservative — if a system could plausibly be high-risk, treat it as high-risk until confirmed otherwise. AESIA's guidance documents include practical examples to support classification.
Step 3 — Remove any prohibited practices immediately. If the inventory reveals any tool that constitutes a prohibited practice — emotion recognition in the workplace, social scoring, indiscriminate facial scraping — it must be taken out of service now. The prohibition has been in force since February 2025.
Step 4 — Conduct DPIAs for all AI systems processing personal data at scale. Begin with the highest-risk systems — recruitment AI, performance monitoring, biometrics, credit scoring — and work through the inventory systematically.
Step 5 — Complete fundamental rights impact assessments for high-risk deployments. This is a separate requirement from the DPIA under the AI Act. It must be documented before August 2026 for systems already in operation.
Step 6 — Establish human oversight procedures. For each high-risk system, designate a responsible person with the ability to monitor, question, and if necessary suspend the system's outputs.
Step 7 — Review vendor contracts. If you use third-party AI tools, your Data Processing Agreements should address AI Act compliance — documentation the provider can supply, log retention, and incident notification. Many existing DPAs do not cover these requirements.
Step 8 — Train your team on AI literacy. Document training delivered to anyone operating, overseeing, or using the outputs of AI systems.
Step 9 — Implement transparency disclosures. For any customer-facing AI system, ensure disclosure is in place before users interact with the system.
Step 10 — Consult AESIA's published guidance. Spain's 16 AI Act compliance guides — available in English at aesia.digital.gob.es — include checklists and templates specifically designed for August 2026 preparation. They represent the most detailed national AI compliance guidance available anywhere in the EU.

The EU AI Act has been in force since August 2024. Prohibited AI practices have been enforceable since February 2025. Spain's AEPD has already confirmed it will act against AI deployments that violate GDPR, and in December 2024 it fined a football league €1,000,000 over a biometric system. AESIA is operational, has published detailed guidance, and is building an enforcement infrastructure explicitly modelled on the AEPD's assertive approach.
Businesses operating AI tools in Spain without having addressed these obligations are not in a grace period. They are in a compliance gap that closes on 2 August 2026.
The Official EU GDPR Compliance and Data Protection for Businesses course from Spanish Compliance Institute covers the intersection of GDPR and AI compliance in depth — including Module 4 on advanced risk assessment and technological regulation, and Module 5 on future privacy trends and supervisory developments. It includes 18 downloadable templates you can begin implementing immediately.
Learn practical GDPR compliance, lawful processing, DPIAs, and data protection governance for EU businesses.