
What Happens If You Get a GDPR Fine in Spain? A Step-by-Step Breakdown


Elena Vasquez-Moretti


Most businesses do not think about what happens after a GDPR fine until they receive one. By then, the clock is already running.

Spain’s data protection authority — the Agencia Española de Protección de Datos (AEPD) — issued a record €35.5 million in GDPR fines in 2024 alone, a 19% increase on the year before. Those fines went to energy companies, banks, insurance providers, telecoms operators, and small businesses. The violations that triggered them range from inadequate security measures to unlawful biometric processing to simply failing to respond to a customer’s data request on time.

This guide covers what happens after the AEPD has you in its sights: the full procedure from first contact to final outcome, your appeal rights, the factors that move the fine amount up or down, and exactly what you should do at each stage.

[Figure: AEPD GDPR fine process in Spain from investigation trigger to final outcome.]

How the AEPD Gets to You: Investigation Triggers

Before the fine, there is always an investigation. An AEPD investigation begins in one of three ways:

  • A citizen complaint — filed via the AEPD’s online guided mailbox. The AEPD received 18,855 complaints in 2024, the second highest in its history.
  • A self-initiated inquiry — the AEPD proactively monitors sectors, responds to media reports, and conducts intelligence-led sweeps. Under its 2025–2030 Strategic Plan, it has committed to “intelligent supervision” using AI-driven monitoring.
  • A data breach notification — 2,933 breach notifications were received in 2024, a 46% increase from 2023. Some trigger deeper investigation into whether the breach was itself caused by a compliance failure.

The most common violations that lead to formal proceedings — drawn from the AEPD’s own enforcement record — include: processing personal data without a valid lawful basis, inadequate security measures, failure to respond to data subject rights requests within one month, unlawful video surveillance, and failure to conduct a Data Protection Impact Assessment (DPIA) before high-risk processing.

[Figure: Three ways an AEPD investigation can start: complaint, inquiry, or breach notice.]

Key point: The AEPD does not need a complaint to investigate your business. Its 2025–2030 Strategic Plan commits to proactive, technology-driven monitoring. Businesses can be identified and investigated without any complaint being filed. For a full breakdown of AEPD enforcement priorities, see our guide to GDPR and Spain’s AEPD: What Every Business Needs to Know.

Stage 1 — The First Contact: What an AEPD Notification Means

The first formal communication from the AEPD arrives as a written notification — typically via registered post or Spain’s mandatory electronic notification system for businesses. Understanding which type of notification you have received is critical, because it determines how much time and leverage you have.

Information Request vs. Formal Sanctioning Procedure

Information request: The AEPD asks for documentation and an explanation of your data processing activities. This is not yet a formal fine proceeding. It is your first and most important opportunity to resolve the matter without a financial penalty. If you can demonstrate that you have already corrected the issue, the AEPD may close the case before formal proceedings ever open.

Formal opening of sanctioning procedure: More serious. This means the AEPD has already formed a preliminary view that a violation occurred and is opening a formal investigation. You still have rights and response opportunities — but the window for pre-emptive resolution has narrowed.

The One-Month Response Window

Whether you receive an information request or a formal notice, you will typically have one month to respond. The notification will state the alleged violation, the legal basis for the investigation, what information or documentation is being requested, and the exact deadline.

Do not wait. Missing the response deadline is itself treated as a compliance failure and is recorded as an aggravating factor in any subsequent proceedings. Silence is never the right response to an AEPD notification. Engage a qualified data protection specialist immediately upon receipt.

Stage 2 — The Investigation: What the AEPD Can Do

If the case proceeds past the information request stage, an AEPD Inspector is assigned. Since a 2023 legal reform, investigations can be conducted remotely — via videoconference and secure digital document exchange — as well as on-site. During this stage the AEPD can:

  • Request documents, records, policies, and processing registers
  • Interview staff and responsible personnel
  • Conduct on-site or remote inspections of systems and data
  • Request information from third parties connected to the processing
  • Access data processing systems where necessary to verify compliance

Investigation Timelines — Your Legal Protections

Spanish law sets maximum timelines for AEPD proceedings. These are legally enforceable — if the AEPD exceeds them, the case can expire. Understanding them gives your business a framework for what to expect:

  • Data subject rights failure cases: must be resolved within 6 months
  • Breach of data protection law: up to 12 months (case expires if deadline is exceeded)
  • Warning or corrective measures only: up to 6 months
  • Preliminary investigation proceedings: up to 18 months
  • Cross-border EDPB cooperation cases: timelines can be suspended during coordination

Throughout the investigation you have the right to submit evidence and arguments, access the investigation file, be heard before any sanction is proposed, and be represented by legal counsel. Cooperating transparently — providing requested documents promptly and demonstrating corrective steps already taken — is one of the most material factors in determining the final outcome.

[Figure: AEPD investigation timelines in Spain by case type and maximum duration.]

Stage 3 — The Proposed Sanction: How GDPR Fines Are Calculated

If the investigation confirms a violation, the AEPD issues a proposed sanction. Understanding how that number is arrived at — and what moves it up or down — is essential for any business in this position.

The Two-Tier Fine Structure

As established in GDPR Article 83 and enforced by the AEPD under the LOPDGDD:

  • Tier 1 — up to €10 million or 2% of global annual turnover: procedural violations — failing to maintain records, not appointing a DPO when required, failing to notify a data breach within 72 hours
  • Tier 2 — up to €20 million or 4% of global annual turnover: fundamental violations — processing without a lawful basis, ignoring data subject rights, unlawful international data transfers
  • EU AI Act overlay — up to €35 million or 7% of global turnover: for the most serious prohibited AI practices, applied in addition to GDPR penalties where both frameworks are breached

[Figure: GDPR fine calculation in Spain showing tiers, aggravating factors, and mitigating factors.]

What Moves the Fine Amount Up or Down

The AEPD does not automatically impose the maximum. It assesses a range of factors — drawn from GDPR Article 83(2) — that either aggravate or mitigate the final penalty:

Aggravating factors (increase the fine)

  • Intentional rather than negligent violation
  • Duration — how long the violation continued before detection
  • Categories of data affected — sensitive data (health, biometric, criminal) attracts higher penalties
  • Number of individuals affected
  • Prior AEPD warnings or sanctions against the same organisation
  • Failure to cooperate during investigation

Mitigating factors (reduce the fine)

  • Prompt voluntary action to correct the violation
  • Proactive self-reporting before a complaint was filed
  • Demonstrable good faith and full cooperation throughout
  • No prior violations or sanctions on record
  • Minimal actual harm caused to data subjects

The 20% voluntary payment reduction: Under Spanish administrative law, businesses that voluntarily acknowledge the fine and pay promptly — without contesting — are entitled to an automatic 20% reduction on the penalty amount. This option must be weighed carefully against the merits of any appeal.

Stage 4 — Challenging the Fine: Your Full Appeal Rights

Receiving a proposed sanction is not the end of the road. Spanish and EU law provide a structured set of opportunities to challenge the AEPD’s decision — and businesses that engage seriously at each stage regularly achieve reduced penalties or full reversals.

[Figure: Options for accepting, paying, or challenging an AEPD GDPR fine in Spain.]

Step 1: Allegations Statement (Pliego de Cargos)

After proposing a sanction, the AEPD issues a formal statement of allegations. You have the right to submit written arguments — called alegaciones — challenging the factual findings, the legal basis, or the proposed fine amount. The deadline is typically 15 working days. This is not the final decision: it is your opportunity to influence the outcome before it becomes binding.

Step 2: The Final Resolution

After reviewing your alegaciones, the AEPD issues its final resolution. The final fine may be the same as, lower than, or — in rare cases — higher than the originally proposed amount if new aggravating evidence emerges. The resolution is a formal, legally binding administrative act.

Step 3: Administrative Appeal (Recurso de Reposición)

The final resolution can be challenged through an administrative appeal to the AEPD itself. The deadline is one month from notification of the final resolution. In most cases this step must be completed before proceeding to court.

Step 4: Judicial Review (Recurso Contencioso-Administrativo)

If the administrative appeal fails or is bypassed, you can challenge the fine before Spain’s administrative courts. This is a full judicial review — the court examines both the factual findings and the legal basis of the AEPD’s decision. Judicial proceedings in Spain typically take one to three years.

Important: Appealing a GDPR fine does not automatically suspend the payment obligation. In most cases, you must pay the fine or provide a bank guarantee while the appeal proceeds, unless the court explicitly grants a suspension. This financial reality is a key factor in deciding whether to contest or accept the 20% voluntary reduction.

After the Fine: Publication, Corrective Orders, and What Comes Next

A paid fine is rarely the end of the matter. There are three consequences that extend beyond the financial penalty itself.

Public Publication of Decisions

The AEPD publishes its resolutions — including full fine decisions — on its official resolutions database. Significant fines are permanently publicly searchable. For SMEs, this reputational dimension is often as damaging as the financial penalty. The AEPD anonymises decisions involving private individuals in some cases, but business entities are typically named.

Ongoing Corrective Obligations

Most AEPD resolutions include corrective orders alongside the financial penalty — instructions to delete data, implement security measures, update consent mechanisms, or appoint a DPO. The AEPD actively monitors compliance with its resolutions. Failure to implement corrective orders can trigger fresh proceedings, independent of the original fine.

Impact on Future Enforcement

A prior sanction is formally recorded and treated as an aggravating factor in any subsequent AEPD investigation against the same organisation. Repeat violations attract significantly higher penalties — as the enforcement record demonstrates, organisations with prior warnings face near-maximum fines for subsequent breaches. Building a robust compliance programme after a fine is the most effective protection against that outcome. The EU GDPR Compliance and Data Protection for Businesses course gives you the documentation, templates, and processes that function as your strongest defence in any future regulatory investigation.

What Real AEPD Cases Tell Businesses About the Process

Three recent cases from the AEPD’s enforcement record illustrate how the procedure works in practice — and what the authority is really looking for.

€10,043,002 — Aena, Spain’s airport operator (2025)

Aena deployed a voluntary facial recognition boarding programme at eight airports including Madrid-Barajas and Barcelona-El Prat. The AEPD found the company had failed to conduct an adequate Data Protection Impact Assessment before enrolling nearly 40,000 travellers. The programme was well-intentioned — it was voluntary for passengers, designed for convenience. It did not matter. Without a proper DPIA, the processing was unlawful from the first day. Aena was fined €10,043,002 — the AEPD’s largest ever single fine — and ordered to immediately suspend the programme.

The lesson: Even voluntary, beneficial programmes require full GDPR compliance before launch. The accountability principle — documenting compliance before an incident — is not optional.

€4,000,000 — Insurance provider (2024)

A cyberattack exposed customer data. The AEPD’s investigation did not focus solely on the attack — it examined what security measures had been in place before it occurred. The finding was that inadequate pre-existing security measures had made the breach possible. The insurer was fined €4 million.

The lesson: A data breach is not just an external event — it is evidence the AEPD uses to evaluate your pre-existing compliance. Security obligations under GDPR are proactive, not reactive.

€950,000 — Yoti Ltd, a UK digital identity company (2026)

Yoti has no Spanish operations. It was fined €950,000 across three separate violations: €500,000 for unlawfully processing biometric special category data, €200,000 for using pre-ticked checkboxes to obtain invalid consent, and €250,000 for retaining personal data beyond the stated retention period.

The lesson: Multiple smaller violations compound into significant total penalties. And the AEPD’s jurisdiction extends to any business processing Spanish users’ data, regardless of where it is headquartered.

The pattern across all three cases is consistent: the AEPD examines not just what happened, but what preventive measures were in place beforehand. This is why documented compliance — maintained before any incident — is the single most protective investment a business can make.

A GDPR Fine Is Not the End — But How You Respond Determines What Comes Next

Receiving an AEPD notification is serious. But it is a process with defined stages — and at each stage, your response shapes the outcome. Businesses that respond promptly, cooperate transparently, demonstrate corrective action, and engage qualified specialists consistently achieve better outcomes than those that do not.

The businesses that navigate AEPD proceedings most effectively are also those with documented compliance programmes already in place before any investigation begins. That documentation — the records of processing, lawful bases, DPIA assessments, consent records, and breach response plans — is what the AEPD’s inspectors are looking for when they arrive.

For the complete GDPR compliance framework that protects your business before any investigation begins. And if you are building or rebuilding your compliance programme from the ground up, the EU GDPR Compliance and Data Protection for Businesses course from the Spanish Compliance Institute gives you the structure, the templates, and the practical tools to get it done.

Frequently Asked Questions

01 How long does a GDPR investigation in Spain take before a fine is issued?

Timeline depends on the type of procedure: data subject rights cases must be resolved within 6 months; breach of data protection law cases within 12 months (the case expires if this deadline is exceeded); preliminary investigations within 18 months. These are legally enforceable limits — exceeding them is a formal protection for businesses.

02 Can you appeal a GDPR fine issued by Spain’s AEPD?

Yes. There are two stages: an administrative appeal (recurso de reposición) submitted to the AEPD within one month of the final resolution, followed by judicial review before Spain’s administrative courts if needed. Note that appealing does not automatically suspend your payment obligation.

03 What is the 20% voluntary payment reduction?

Under Spanish administrative law, businesses that voluntarily acknowledge a GDPR fine and pay promptly — without contesting — receive an automatic 20% reduction on the penalty amount. This option must be weighed against the merits of an appeal in each specific case.

04 Does the AEPD publish GDPR fine decisions publicly?

Yes. The AEPD publishes all resolutions, including fine decisions, on its official website. Significant penalties are permanently publicly searchable. Business entities are typically named; private individuals may be anonymised.

05 Can a GDPR fine in Spain affect a business based outside Spain?

Yes. GDPR’s extraterritorial reach applies to any business that processes the personal data of people in Spain or targets Spanish consumers. The 2026 €950,000 fine against UK company Yoti — which has no Spanish establishment — is the clearest recent example.

06 What is the highest GDPR fine ever issued in Europe?

Ireland’s Data Protection Commission issued a €1.2 billion fine against Meta in 2023 for unlawful EU-US data transfers. In Spain, the AEPD’s largest single fine is €10,043,002 against airport operator Aena in 2025 for deploying a facial recognition system without an adequate Data Protection Impact Assessment.