EU GDPR Compliance & Data Protection Certification
Build operational GDPR knowledge covering consent, data rights, breach response, and compliance workflows.
Spain does not just enforce GDPR. It enforces it more than any other country in the European Union — by a significant margin.
As of September 2025, the Spanish Data Protection Authority (the Agencia Española de Protección de Datos, or AEPD) had issued 1,021 recorded GDPR fines, totalling approximately €120.7 million since the regulation came into force in 2018. Italy, Romania, and Germany combined have issued fewer fines than Spain alone.
If your business operates in Spain, sells to Spanish customers, or handles the personal data of anyone in the EU, this matters directly to you. The AEPD is not a regulator that waits for problems to escalate. It is proactive, well-resourced, and increasingly focused on more complex violations with larger consequences.
This post explains why Spain leads EU enforcement, what kinds of violations are drawing the biggest penalties right now, and what the pattern of fines tells every business operating in Spain about where the risks lie.
For the full picture of what GDPR requires and how it applies to your business, start with our pillar guide: EU GDPR Compliance for Businesses: The Complete Guide (2026).
The numbers tell a clear story. According to the CMS GDPR Enforcement Tracker Report, Spain's AEPD accounts for 932 published fines, by far the largest volume of any EU data protection authority. (The tracker's count is lower than the AEPD's own figure above because it covers only published decisions.) The next most active regulators are Italy, Romania, and Germany, but those three countries together still fall short of Spain's total.

The reasons are partly structural and partly strategic.
Volume-first enforcement model. For most of its enforcement history, the AEPD pursued a high-volume, lower-fine model — issuing hundreds of sanctions against SMEs, municipal governments, and individual organisations. This created broad compliance pressure across the entire Spanish economy, not just the large corporations that other regulators focus on.
A proactive complaints system. The AEPD receives an exceptionally high volume of public complaints. In 2023 alone, it received 21,590 — a record at the time, and a 43% increase on 2022. In 2024, complaints slightly decreased to 18,855 following the introduction of a guided mailbox system that filters out cases outside the AEPD's jurisdiction. But that figure still represents the second-highest in the agency's history.
Wide-scope enforcement jurisdiction. Unlike some EU regulators that focus primarily on large technology companies headquartered in their territory, the AEPD enforces GDPR across all sectors — healthcare, finance, real estate, hospitality, telecommunications, energy, and more. Small businesses are not exempt. The AEPD regularly fines SMEs for video surveillance violations, unlawful marketing, and failure to respond to data subject rights requests.
A newly elevated enforcement posture. Since 2021, the AEPD has progressively shifted from caution to assertiveness. A single fine in 2021 against Vodafone Spain — €8.15 million — exceeded the AEPD's entire fine total for the year 2020. That shift has continued, and accelerated.
Something changed in 2024 that every business in Spain should understand.
In previous years, the AEPD's approach was characterised by volume: large numbers of moderate fines spread across a wide range of organisations. In 2024, the pattern shifted. The total number of sanctions decreased, but the total value of fines reached a record high of €35,592,200 — a 19.4% increase over 2023.
The AEPD issued 10 fines exceeding €1 million in 2024. In 2023, there were only three such fines. In 2022, fewer still. The agency itself explained this shift in its annual report, describing it as a deliberate move toward "cases that reflect the greater complexity of data processing activities, their wider scope, and consequently their greater impact on infringements."
In plain terms: the AEPD is now less interested in fining the gym that failed to put up a CCTV notice, and more focused on the energy company that exposed customer data, the insurance provider that failed to secure its systems, or the airport operator that launched a biometric boarding programme without completing a proper risk assessment first.
The headline 2024 fines tell that story directly. They are not small procedural lapses. They are fundamental security and accountability failures, and the AEPD is treating them accordingly.
If 2024 was the year of data breaches, 2025 and 2026 have been the years of biometrics and artificial intelligence.
January 2025 opened with the AEPD issuing more and higher fines than any other EU data protection authority in a single month. Two of the largest penalties involved the use of biometric facial recognition systems.
In November 2025, Spain's airport operator Aena was fined €10,043,002 — one of the largest fines the AEPD has ever imposed — after the regulator found that Aena had launched its biometric boarding programme across eight major airports without completing an adequate Data Protection Impact Assessment (DPIA). The AEPD's conclusion was not that the system was insecure or that data had been breached. It was that Aena had not done the legal homework before processing the facial patterns of nearly 40,000 enrolled travellers. Convenience, the AEPD made clear, is not a substitute for legal justification.
In March 2026, Yoti Ltd — a British digital identity and age verification company operating in Spain — was fined €950,000 across three separate violations: €500,000 for unlawfully processing biometric data without a valid legal basis under Article 9 GDPR, €200,000 for obtaining consent via pre-ticked checkboxes, and €250,000 for retaining biometric templates and geolocation data far beyond what was necessary for the stated purpose.
Also in March 2026, FC Barcelona was fined €500,000 for conducting a deficient DPIA for its biometric data processing.
The pattern is consistent and deliberate. The AEPD is sending a sector-wide message: if your organisation uses any technology that processes biometric data — facial recognition, fingerprinting, iris scanning, even certain forms of behavioural tracking — a DPIA is not optional. Proportionality must be demonstrated. Consent must be explicit, not assumed. And data retention periods must be defined and enforced.
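As an added illustration of the last two requirements (explicit consent and enforced retention), here is a small retention-enforcement check of the kind a data protection engineer might run over a biometric enrolment store. It is example code written for this page, not code from the AEPD, Aena, Yoti or FC Barcelona, and every record, purpose name, retention limit and consent mechanism in it is a constructed assumption.

```python
"""Added example (not from the original post): an automated sweep that
applies two of the obligations the AEPD keeps enforcing in biometric cases,
(1) only explicit, still-valid consent counts as a lawful basis for special
category data, and (2) a retention period must be defined per purpose and
enforced. All records, purposes and limits below are constructed."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Hypothetical retention policy: purpose -> maximum time after last use.
# A purpose missing from this table has no defined retention and is treated
# as a violation, not as "keep forever".
RETENTION_POLICY = {
    "biometric_boarding": timedelta(days=30),
    "age_verification": timedelta(days=1),
}

# Capture mechanisms that do not amount to explicit consent (pre-ticked
# boxes were one of the grounds in the Yoti decision described above).
INVALID_MECHANISMS = {"pre_ticked", "implied", "bundled", "default_on"}


@dataclass
class ConsentRecord:
    subject_id: str
    purpose: str
    mechanism: str                     # e.g. "explicit_opt_in", "pre_ticked"
    withdrawn_at: Optional[datetime] = None


@dataclass
class BiometricRecord:
    subject_id: str
    purpose: str
    last_used_at: datetime


def consent_problem(consent: Optional[ConsentRecord], now: datetime) -> Optional[str]:
    """Return why this consent cannot support processing, or None if it can."""
    if consent is None:
        return "no consent record"
    if consent.mechanism in INVALID_MECHANISMS:
        return f"consent mechanism '{consent.mechanism}' is not explicit"
    if consent.withdrawn_at is not None and consent.withdrawn_at <= now:
        return "consent withdrawn"
    return None


def records_to_purge(records, consents, now):
    """Return (subject_id, purpose, reason) for every record that must go."""
    by_key = {(c.subject_id, c.purpose): c for c in consents}
    purge = []
    for rec in records:
        problem = consent_problem(by_key.get((rec.subject_id, rec.purpose)), now)
        if problem is None:
            limit = RETENTION_POLICY.get(rec.purpose)
            if limit is None:
                problem = "no retention period defined for purpose"
            elif now - rec.last_used_at > limit:
                problem = "retention period exceeded"
        if problem is not None:
            purge.append((rec.subject_id, rec.purpose, problem))
    return purge


def sample_run():
    """Constructed data: six enrolments, only one of which may be kept."""
    now = datetime(2026, 3, 31, tzinfo=timezone.utc)
    records = [
        BiometricRecord("s1", "biometric_boarding", now - timedelta(days=5)),
        BiometricRecord("s2", "biometric_boarding", now - timedelta(days=45)),
        BiometricRecord("s3", "age_verification", now - timedelta(hours=2)),
        BiometricRecord("s4", "biometric_boarding", now - timedelta(days=1)),
        BiometricRecord("s5", "marketing_lookalike", now - timedelta(days=1)),
        BiometricRecord("s6", "biometric_boarding", now - timedelta(days=2)),
    ]
    consents = [
        ConsentRecord("s1", "biometric_boarding", "explicit_opt_in"),
        ConsentRecord("s2", "biometric_boarding", "explicit_opt_in"),
        ConsentRecord("s3", "age_verification", "pre_ticked"),
        # s4 has no consent record at all
        ConsentRecord("s5", "marketing_lookalike", "explicit_opt_in"),
        ConsentRecord("s6", "biometric_boarding", "explicit_opt_in",
                      withdrawn_at=now - timedelta(days=1)),
    ]
    return records_to_purge(records, consents, now)


if __name__ == "__main__":
    for subject, purpose, reason in sample_run():
        print(f"purge {subject}/{purpose}: {reason}")
```

The ordering of the checks is deliberate: a record with no valid consent is purged regardless of its age, and an undefined retention period is reported as a defect rather than silently allowing indefinite storage, which is the failure mode the Yoti retention finding describes.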

Across the full enforcement history, the most common grounds for GDPR fines in Spain are:
Insufficient legal basis for data processing. This is the most frequent single violation category across the EU as a whole, and Spain is no exception. Using personal data for advertising, profiling, or marketing without a valid lawful basis — most commonly proper consent or legitimate interests — accounts for hundreds of cases.
Non-compliance with general data processing principles. Violations of the seven core principles in Article 5 GDPR, particularly transparency, purpose limitation, and data minimisation, make up the second most common category.
Inadequate technical and organisational security measures. As the AEPD's focus on data breaches has intensified, failures to implement the appropriate security controls required by Article 32 GDPR have attracted increasingly large penalties.
Failure to fulfil information obligations. Businesses that do not provide adequate privacy notices, fail to explain how they use personal data, or deploy cookie banners that obscure the reject option regularly appear in AEPD enforcement decisions.
Failure to respond to data subject rights requests. Ignoring or mishandling Subject Access Requests, erasure requests, or objections to marketing is both a common violation and one the AEPD takes seriously. The failure to communicate with individuals affected by a high-risk breach, as Article 34 GDPR requires, is specifically flagged in the AEPD's 2025 findings.
The AEPD does not distribute enforcement equally across industries. Based on recent annual reports and fine data, the sectors under the most active scrutiny in 2025 and 2026 are:
Energy and utilities. Multiple €3–5 million fines in 2024 alone, primarily linked to data breaches, fraudulent contracting processes, and inadequate database security.
Telecommunications. Vodafone Spain has been fined repeatedly, including the €8.15 million sanction in 2021, with further fines since. Unlawful marketing, SIM swapping failures, and inadequate internal security controls are recurring themes.
Financial services. Banks and insurance providers have faced some of the AEPD's largest penalties for security failures and unlawful data sharing.
Biometrics and AI technology. The Aena, Yoti, and FC Barcelona cases in 2025–2026 signal a new enforcement front. Any organisation using facial recognition, fingerprint access, or AI-powered identification systems is operating in the highest-risk category.
Internet services and digital platforms. Ongoing scrutiny of cookie compliance, consent mechanisms, and data subject rights across e-commerce and digital marketing platforms.
Small and medium enterprises. Despite the shift toward high-value cases, the AEPD continues to fine SMEs. Video surveillance, unlawful marketing, and failure to honour data subject rights requests remain common triggers for smaller sanctions.
Whether you run a small online shop selling to Spanish customers or a large enterprise with physical operations across Spain, the AEPD's enforcement record carries a direct message.
Compliance is not a one-time exercise. The AEPD does not reward past good behaviour when it finds current violations. Several companies that have been fined in recent years had previously received warnings. The agency's willingness to impose escalating penalties on repeat violators — Vodafone being the clearest example — makes clear that compliance must be continuous and documented.
Documentation is your strongest defence. In almost every major AEPD case, the question is not only whether a violation occurred, but whether the company had adequate processes, assessments, and records in place. Aena's fine was not primarily about whether biometric boarding is a good idea. It was about the absence of a proper DPIA. Documented compliance — even imperfect compliance — puts an organisation in a fundamentally different position than undocumented processes.
The fines are no longer theoretical. The AEPD's total sanction value has grown from €6.3 million in 2019 to €35.6 million in 2024. The trajectory is upward. For businesses that have been treating GDPR as a box-ticking exercise, the enforcement record is a financial risk signal worth taking seriously.
Spain is not an outlier in European data protection. It is a preview of where the rest of the EU is heading. The AEPD's enforcement posture — proactive, sector-spanning, increasingly focused on high-impact violations — reflects a broader European commitment to making GDPR consequences real for every type of organisation.
If your business is not currently structured around documented, evidence-based compliance, the enforcement record makes the risk clear.
Understanding the fines landscape is the first step. Building the compliance framework that keeps your business out of it is the next one.
The EU GDPR Compliance and Data Protection for Businesses course from Spanish Compliance Institute walks you through every layer of what compliant operations look like in practice — from the legal fundamentals to advanced risk assessment — including 18 downloadable templates you can implement immediately.