GDPR Enforcement in Spain
Deep dive into relevant data protection enforcement cases and insights from Spain
Key contacts
Main takeaways
Fining practice
Trend: Have the national data protection authorities in Spain focused on certain types of non-compliance... Do you see a focus on certain industries/sectors? If so, which ones?
During 2025, in the most relevant cases involving fines, the Spanish Data Protection Agency (“Agencia Española de Protección de Datos”, “AEPD”) has focused on the unlawful processing of biometric personal data (e.g. without an appropriate data protection impact assessment (DPIA)), on personal data breaches due to insufficient security measures, and on non-compliance with general data processing principles.
The AEPD has not announced investigations targeting particular types of non-compliance.
According to the fines imposed during 2025, the AEPD has mainly focused on personal data breaches.
Overall, what was the most significant fine in Spain to date (recipient, amount, violation, sector, short summary)? Has it been challenged in court?
The record fine in Spain to date is the EUR 10,043,002 fine imposed on AENA, S.M.E., S.A. for infringement of Art. 35 GDPR. This exceeds the previous record fine of EUR 10 million imposed on Google for infringement of Arts. 6 and 17 GDPR. The AEPD imposed the fine for failure to carry out an appropriate DPIA, as the DPIA provided did not show that the processing complied with the requirements of necessity and proportionality.
Additionally, the AEPD temporarily suspended all processing of biometric data, and in particular data relating to the facial recognition identification system used to control passenger access to certain areas of airports managed by AENA, until AENA has carried out a DPIA in accordance with Art. 35 GDPR.
Organisation of authorities and course of fine proceedings in Spain
How is the data protection authority organised in Spain? Budget, staff, assignment to a ministry?
There are six data protection authorities in Spain.
- (1) The AEPD, which has jurisdiction over the private sector and the public sector, except in Autonomous Communities where there is a Data Protection Authority and except over the courts exercising their judicial tasks.
- (2) The Catalan Data Protection Agency (“Agencia Catalana de Protección de Datos”), (3) the Basque Data Protection Agency (“Agencia Vasca de Protección de Datos”), (4) the Council for Transparency and Good Governance of Andalusia (“Consejo de Transparencia y Buen Gobierno de Andalucía”) and (5) the Council for Transparency and Data Protection of the Community of Madrid (“Consejo de Transparencia y Protección de Datos de la Comunidad de Madrid”), which have jurisdiction over public administrations in their respective Autonomous Community.
- (6) The General Council of the Judiciary (“Consejo General del Poder Judicial”) which has jurisdiction over the courts as regards the performance of their tasks.
The budget for the AEPD in 2025 has not been published yet. For 2024 it was almost EUR 19 million, the same as in 2023.
The number of staff for the AEPD in September 2025 was 250 (according to the information available, consisting of officials (239) and employees (10)), the president and a deputy (in Spanish “Adjunto”). In 2023, the staff number was 247 (officials (236), employees (10) and the director).
The DPAs do not report to a specific ministry to ensure their independence. The AEPD is an independent administrative authority at the national level with legal personhood and full public and private capacity. It acts with full independence from the public authorities in exercising its functions.
The AEPD’s staff is subject to a regime of incompatibilities to ensure their independence and objectivity (Law 53/1984 of 26 December 1984 on Incompatibilities of personnel in the service of the Public Administrations). According to the information published by the AEPD in September 2024, no resolutions of authorisation or recognition of compatibility affecting its staff had been issued.
In 2021, Royal Decree 389/2021 of 1 June was published, approving the new statute of the AEPD ("Real Decreto 389/2021, de 1 de junio, por el que se aprueba el Estatuto de la Agencia Española de Protección de Datos"). The AEPD is an independent administrative authority at the state level (Article 1 of the Royal Decree 389/2021) and has organisational and functional autonomy, acting with full independence from the government, public administrations and any business or commercial interests (Article 4 of the Royal Decree 389/2021).
In 2024, Royal Decree 1323/2024 of 23 December, providing for the dismissal of the Director of the Spanish Data Protection Agency, was published in the Official Gazette (in Spanish “Boletín Oficial del Estado”). A President and a Deputy (in Spanish “Adjunto”) of the Spanish Data Protection Agency were appointed in February 2025.
How does a fine procedure work in Spain? Can the authority impose fines itself? Procedural steps? Legal remedies?
- The relevant data protection authorities (see above) can impose fines by themselves, without the need to appeal to a Court of Justice.
- The person who files a complaint (in Spanish “denuncia”) is not a party to the procedure.
- During the procedure, the interested person has several opportunities to submit observations (in Spanish “alegaciones”): when notified of the opening of the procedure, when given a formal deadline for observations and when notified of the preliminary decision. It is important that the interested person has an electronic certificate in order to receive notifications.
- Any fine is subject to a possible appeal before the Courts of Justice.
When fines are imposed: Where does the money go? (state treasury / authority budget / other)
Fines of the AEPD are allocated to the state treasury.
Is there an official calculation methodology for fines in Spain?
There is no common, official calculation methodology for fines. However, Organic Law 3/2018 adds several factors to the list included in Article 83 (2) (k) GDPR, including the impact on the rights of minors (Article 76 (2) (f)) or there being a data protection officer where this is not mandatory (Article 76 (2) (g)).
Can public authorities be fined in Spain? If yes: Where does this money go?
Public authorities and other bodies, both when acting as data controllers and as processors, can be sanctioned with a resolution declaring the infringement and establishing the measures to be adopted to cease the conduct or to correct the effects of the infringement committed, while not being fined (Article 77 of Organic Law 3/2018). Nevertheless, if one of the other bodies also acts in their private capacity, they can be fined should they violate data protection laws. Finally, courts can only be reprimanded, except when acting in their judicial capacity, in which case they cannot be sanctioned.
It should be noted that in 2023 the Organic Law 3/2018 was amended to apply a correction to the GDPR, by virtue of which a reprimand (“apercibimiento”) is no longer considered a fine but is instead an adequate measure included in the corrective powers of the supervisory authorities.
Does the authority publish information on individual fine cases (website/annual report)? Are companies identifiable?
Yes, the AEPD does publish information on individual fine cases, including fines imposed, on its website. When the resolution relates to an individual who has infringed the applicable legislation, the AEPD will publish this on an anonymised basis. In the case of companies, the responsible entity (the controller or processor) that infringed the law will be identifiable.
Furthermore, if (i) the fine amount is higher than EUR one (1) million; (ii) the responsible entity is a legal person and (iii) the competent authority is the AEPD, information on the entity responsible, the infringement and the amount fined will be published in the Official Gazette (in Spanish “Boletín Oficial del Estado”).
If no individual publication: aggregated figures? Provide annual figures from 2020 onwards (if available).
Although information on individual cases is published, the AEPD also provides aggregated information in its annual report.
- In 2020, the AEPD (i) received 10,324 complaints, (ii) received 784 cross-border cases from other supervisory authorities and (iii) brought 26 actions ex officio (excluding data breaches) [Source: annual report 2020, p. 131]. The total number of fines in 2019 was 167 for a total of EUR 8,018,800.
- In 2021, the AEPD (i) received 13,905 complaints, (ii) received 581 cross-border cases from other supervisory authorities and (iii) brought 9 actions ex officio (excluding data breaches) [Source: annual report 2021, p. 129]. The total number of fines in 2021 was 258 for a total of EUR 35,074,800.
- In 2022, the AEPD (i) received 15,128 complaints, an increase of 9% compared to 2021, (ii) received 651 cross-border cases from other supervisory authorities and (iii) brought 43 actions ex officio (excluding data breaches) [Source: annual report 2022, p. 139]. The total number of fines in 2022 was 378 for a total of EUR 20,775,361, a decrease of 41% compared to 2021.
- In 2023, the AEPD (i) received 21,590 complaints, an increase of 47% compared to 2022, (ii) received 708 cross-border cases from other supervisory authorities and (iii) brought 50 actions ex officio (excluding data breaches) [Source: annual report 2023, p. 131]. The total number of fines in 2023 was 367 for a total amount of EUR 29,817,410, a decrease of 3% in the number of fines but an increase of 44% in the total amount compared to 2022.
- In 2024, the AEPD (i) received 18,855 complaints, a decrease of 13% compared to 2023, (ii) received 825 cross-border cases from other supervisory authorities and (iii) brought 42 actions ex officio (including data breaches) [Source: annual report 2024, p. 121]. The total number of fines in 2024 was 281 for a total amount of EUR 13,180,800, a decrease of 23% in the number of fines but an increase of 20% in the total amount compared to 2023.
- Data for 2025 have not been published yet. Nevertheless, according to the information available, the amount of fines imposed in 2025 exceeds EUR 40 million.
Other legal consequences of non-compliance in Spain
Does Spain have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?
- There are no model declaratory proceedings/class actions for data protection law in Spain.
- It should be noted that in 2024 the Congress started the legislative procedure for the transposition into the Spanish legal system of the EU Directive 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of collective interests of consumers. The transposition was not carried out then, but a new draft law has been proposed for this purpose.
What is more relevant in Spain: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?
At present, fines from the Spanish Data Protection Agency are more prominent than court proceedings, such as claims for damages or injunctions.
The trend during the last year and expected for the coming years is an increase in the amount of fines, in particular for serious and very serious infringements, and more litigation, including legal action on the part of consumers, because consumer associations are submitting complaints on behalf of consumers to the AEPD.
- Last year the AEPD mainly focused on personal data breaches resulting from insufficient security measures and on non-compliance with general data protection principles. The AEPD imposed several relevant fines, including a EUR 5 million fine for non-compliance with general data protection principles and a EUR 4 million fine for insufficient technical and organisational measures to ensure information security.