EU GDPR Compliance and Data Protection for Businesses
Earn your Official EU GDPR Compliance and Data Protection certification. Build expertise in EU privacy laws and safeguard your business. Enroll today!
Spain is not the EU country with the largest single GDPR fine — that distinction belongs to Ireland, where Big Tech companies park their European headquarters. But Spain is the EU country with the most GDPR fines by a considerable distance. Since 2018, the Agencia Española de Protección de Datos (AEPD) has issued over 1,021 penalties worth approximately €120.75 million — and 2024 was its most aggressive year yet, closing with a record €35.5 million in sanctions.
If your business operates in Spain, serves Spanish customers, or processes the personal data of anyone in the EU, the AEPD is the authority most likely to come knocking. Understanding who they are, how they work, and what they are focused on is foundational to operating legally in the Spanish market.
The Agencia Española de Protección de Datos is Spain’s independent national data protection authority, established under Royal Decree 428/1993 and rooted in Article 18(4) of the Spanish Constitution. It operates from Madrid with approximately 250 staff and an annual budget of around €19 million, and enjoys absolute independence from government — it cannot be directed or pressured by any ministry.
Its dual mandate covers both the EU GDPR and Spain’s national data protection law, the LOPDGDD (Ley Orgánica 3/2018). Businesses in Spain must comply with both, and the AEPD enforces both.
Its powers are broad: issuing fines and corrective orders, investigating complaints and self-initiated cases, suspending data processing, approving codes of conduct, handling data subject rights requests, and cooperating cross-border through the European Data Protection Board (EDPB). In 2024, the AEPD participated in 370 GDPR cross-border cooperation procedures, leading 22 as the competent authority.
A note on regional DPAs. Spain also has three regional data protection authorities — APDCAT (Catalonia), DBEA (Basque Country), and CTPDA (Andalusia) — but these cover only public sector bodies. If you are a private sector business, the AEPD is your supervisory authority regardless of where in Spain you operate.
Every EU member state has its own national DPA, but they differ significantly in enforcement culture and focus. Spain’s AEPD leads Europe in fine volume. Ireland’s DPC leads in fine value, driven by Big Tech headquarters. France’s CNIL is known for cookie and Big Tech transparency enforcement. Germany’s enforcement is decentralised but high-volume. Italy’s Garante focuses on health and energy sectors.
What makes the AEPD distinct is its breadth. It pursues energy companies, banks, insurance providers, telecoms operators, small businesses, and public institutions with equal consistency. A business with 20 employees running cameras without proper signage is as likely to face an AEPD notice as a multinational recovering from a data breach.
An investigation can begin in three ways: a citizen complaint via the AEPD’s online guided mailbox, a self-initiated inquiry, or a data breach notification that warrants deeper scrutiny. The AEPD received 18,855 complaints in 2024 — the second highest in its history — alongside 2,933 breach notifications, a 46% increase from 2023.
The most common complaint sources in 2024, based on the AEPD’s 2024 Annual Report:
Video surveillance is the most consistent trigger in Spain. If your business has cameras, your legal basis, signage, retention limits, and access controls must be precisely correct.
Most businesses do not know what happens after a complaint is filed. There are critical points in the process where your response determines whether the case closes or escalates to a fine.

The AEPD first reviews admissibility — whether the complaint relates to data protection and has reasonable grounds. If admitted, rather than opening formal proceedings immediately, the AEPD will typically contact your DPO or organisation directly, requesting documentation within one month. This is the most important moment. If you can demonstrate that you have already corrected the issue, the AEPD may close the case without formal investigation. Early, transparent cooperation has resolved many complaints before they became sanctions.
If the case escalates, an inspector is assigned. Since 2023, investigations can be conducted remotely via videoconference or secure digital exchange. Timelines vary: data subject rights failures must be resolved within six months; breaches of data protection law within twelve months; preliminary investigations within eighteen months.
Outcomes range from case closure to a written warning with corrective measures, an administrative fine, suspension of processing, or an order to notify affected individuals directly. The practical lesson: respond promptly, be transparent, and document everything you have already done. Early cooperation materially reduces enforcement risk.
GDPR fines operate on two tiers. Tier 1 covers procedural failures — up to €10 million or 2% of global annual turnover. Tier 2 covers fundamental violations such as unlawful processing or ignoring data subject rights — up to €20 million or 4% of global turnover.
In 2024, five sectors accounted for 77% of all AEPD fine value: energy and water (€11.6m), finance and banking (€5.3m), internet services (€4.5m), telecoms (€3.3m), and fraudulent hiring (€2.5m). Key recent cases, as documented by the CMS GDPR Enforcement Tracker:
€10,043,002 — Aena (2025). Spain’s airport operator was fined and ordered to suspend its facial recognition boarding programme at eight airports including Madrid-Barajas. The AEPD found an inadequate Data Protection Impact Assessment before enrolling nearly 40,000 travellers — the largest fine the AEPD has ever imposed.

€4,000,000 — Insurance provider (2024). A cyberattack exposed customer data. The AEPD found that inadequate security measures were already in place before the breach — meaning the breach was the consequence of a compliance failure, not simply an external incident.

€950,000 — Yoti Ltd (2026). A British digital identity company was fined across three violations: unlawful biometric processing, invalid pre-ticked consent, and excessive data retention. Yoti has no Spanish operations — this case confirms the AEPD will act against any business that processes Spanish users’ data, regardless of where it is headquartered.
The pattern is consistent with what the Linklaters AEPD FY24 analysis identifies as a deliberate strategic shift: fewer sanctions overall, but larger and more complex cases. Smaller businesses remain in scope for video surveillance, unlawful marketing, and rights request failures.
The AEPD’s 2025–2030 Strategic Plan, published July 2025 after a consultation drawing over 450 contributions, signals the next phase of enforcement for any business in Spain.
The central concept is intelligent supervision — risk-based, technology-driven monitoring using an “AI-first” approach within the AEPD’s own operations. The practical implication: the AEPD will increasingly identify compliance failures proactively, not just in response to complaints. Waiting for a complaint to prompt action is no longer a viable strategy.
Priority areas through 2030 include biometrics, AI governance, neurotechnology, digital identity under eIDAS2, and cross-border transfer enforcement. A new Privacy Lab will develop open-source compliance tools, and an “SME clause” commits the AEPD to simplified guidance for smaller businesses.
If your business uses AI tools that process personal data, you are already in scope. The AEPD clarified in July 2025 that it can act under GDPR against prohibited AI systems even before Spain’s national AI legislation is finalised — making this one of the most time-sensitive compliance priorities for Spanish-market businesses heading into 2026.
Based on the AEPD’s enforcement record and strategic direction, these are the priority actions:
The EU GDPR Compliance and Data Protection for Businesses course from the Spanish Compliance Institute covers the complete compliance framework — records of processing, lawful bases, breach response, DPO obligations — with 18 downloadable templates you can apply immediately.

The AEPD’s 2025–2030 strategy makes its direction clear: enforcement will become more proactive, more technology-driven, and increasingly focused on AI, biometrics, and complex processing activities. Businesses that treat compliance as a reactive measure — something triggered by a complaint rather than built into operations — are running a growing financial and reputational risk.
For businesses navigating the GDPR and LOPDGDD requirements that the AEPD enforces, the Spanish Compliance Institute offers structured, practical training tailored to the Spanish regulatory environment. The EU GDPR Compliance and Data Protection for Businesses course is the right starting point — covering the full compliance framework with 18 downloadable templates you can use immediately.