Spain

Main takeaways


  • Fines cannot be imposed on public entities and other authorities unless the latter authorities (e.g. Bar Associations) are acting in a private capacity.
  • High transparency on DPA fining decisions (anonymisation of natural persons).
  • Fines > Damages: So far, fines imposed by the DPA appear to be more important than damages, but the significance of damage claims before Courts will likely increase in the future (in particular as regards class actions).

Fining practice

Trend: to date, have the national data protection authorities in Spain focused on certain types of non-compliance with data protection law, or have the authorities stated that they will investigate certain types of non-compliance more closely in future? Do you see a focus on certain industries/sectors? If so, which ones?

During 2022, in the most relevant cases involving fines, the Spanish Data Protection Agency (“Agencia Española de Protección de Datos”, “AEPD”) has focused on consent as the legal basis for the processing of personal data and other legal bases (e.g. legitimate interest), general data processing principles, information provided to data subjects, security measures and data subjects’ rights.

There is no announcement of investigations referring to certain types of non-compliance.

According to the fines imposed during 2022, the AEPD has mainly focused on big tech companies and the financial and telecommunications sectors.

Overall, what was the most significant fine in Spain to date (please specify the recipient, the amount, the type of violation, the sector, and provide a brief summary)? Has the fine been challenged in court? If it has: was this successful, or what is the status of the proceedings?

The record fine in Spain to date was the EUR 10,000,000 fine imposed on Google LLC published on 18 May 2022, for the infringement of Arts. 6 and 17 GDPR.

The AEPD imposed the fine for the following infringements:

  • EUR 5 million for the infringement of Article 6 GDPR: unlawfully transferring personal data to third parties, as Google LLC communicated information on the requests made by users to the Lumen Project organisation without a valid legal basis; and
  • EUR 5 million for the infringement of Article 17 GDPR: hindering data subjects' exercise of the right to erasure ("right to be forgotten").

Additionally, the AEPD required Google LLC to adopt, within six (6) months of notification of the sanction decision, the measures necessary to bring the processing operations and the procedures for the exercise of data subjects' rights that were the subject of the proceedings in line with data protection legislation.


Organisation of authorities, procedure and publicising of fine proceedings

How is the data protection authority organized in Spain? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

  • There are five data protection authorities in Spain:

    (1) The AEPD, which has jurisdiction over the private sector and the public sector, except in Autonomous Communities that have their own Data Protection Authority and except for the Courts when exercising their judicial tasks.

    (2) The Catalan Data Protection Agency (“Agencia Catalana de Protección de Datos”),

    (3) the Basque Data Protection Agency (“Agencia Vasca de Protección de Datos”) and

    (4) the Council for Transparency and Good Governance of Andalusia (“Consejo de Transparencia y Buen Gobierno de Andalucía”), which have jurisdiction over Public Administrations in their respective Autonomous Communities.

    (5) The General Council of the Judiciary (“Consejo General del Poder Judicial”), which has jurisdiction over the Courts as regards the performance of their judicial tasks.

  • The budget for the AEPD in 2022 was EUR 16.88 million.
  • The number of staff for the AEPD in January 2023 was 216 (according to the lists of positions for officials (207) and employees (8)) and the Director. In 2021, the staff number was 201 (according to the lists of positions for officials (194) and employees (7)).
  • The DPAs do not report to a specific ministry, in order to ensure their independence. The AEPD is an independent administrative authority at the national level with legal personality and full public and private capacity; it acts with full independence from the public authorities in the exercise of its functions.
  • The AEPD's staff is subject to a regime of incompatibilities to ensure their independence and objectivity (Law 53/1984 of 26 December 1984 on Incompatibilities of personnel in the service of the Public Administrations). According to the information published by the AEPD in January 2023, no resolutions authorising or recognising a compatibility affecting its staff had been issued.
  • In 2021, Royal Decree 389/2021 of 1 June was published, approving the new statute of the AEPD ("Real Decreto 389/2021, de 1 de junio, por el que se aprueba el Estatuto de la Agencia Española de Protección de Datos"). The AEPD is an independent administrative authority at the State level (Art. 1 of the Royal Decree 389/2021) and has organisational and functional autonomy, acting with full independence from the government, public administrations and any business or commercial interests (Art. 4 of the Royal Decree 389/2021).

How does a fine procedure work in Spain? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • Fines can be imposed directly by the AEPD as part of sanctioning administrative proceedings.
  • Sanctioning administrative proceedings are governed by administrative law.
  • Proceedings usually start with a formal notification to the relevant company of the opening of sanctioning administrative proceedings (frequently as the result of ongoing general administrative proceedings in which the AEPD has requested and obtained information from the controller/processor). The company in question has the opportunity to present its views on the factual and legal aspects of the case before the authority issues its resolution imposing the fine.
  • Companies may appeal a fine before the administrative courts.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the State treasury, the authority's budget)?

Fines are allocated to the State treasury.

Is there a common, official calculation methodology of fines in Spain (such as the fining models in the Netherlands or Germany)?

There is no common, official calculation methodology for fines. However, Organic Law 3/2018 adds several factors to the list included in article 83.2.k) GDPR, including, inter alia, the impact on the rights of minors (article 76.2.f) or there being a data protection officer, where this is not mandatory (article 76.2.g).

Can public authorities be fined in Spain? If they can: Where does this money go?

Public authorities and other public bodies, whether acting as data controllers or as processors, are sanctioned with reprimands (“apercibimiento”) rather than financially (article 77 of Organic Law 3/2018). Nevertheless, where one of these other bodies also acts in a private capacity, it will be fined if it violates data protection laws while acting in that private capacity. Finally, courts can only be sanctioned with a reprimand, and not at all where they act in their judicial capacity.

In Spain, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

Yes, the AEPD does publish information on individual fine cases, including fines imposed, on its website. When the resolution relates to an individual infringing the applicable legislation, the AEPD shall publish this on an anonymised basis. In the case of companies, the responsible entity (the controller or processor) infringing the law shall be identifiable.

Furthermore, if (i) the fine amount is higher than EUR 1 million; (ii) the responsible entity is a legal person and (iii) the competent authority is the AEPD, information on the entity responsible, the infringement and the amount fined will be published in the Official Gazette (in Spanish “Boletín Oficial del Estado”).

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

Although information on individual cases is published, the AEPD also provides aggregated information in its annual report.

  • In 2019, the AEPD (i) received 11,590 complaints, (ii) received 709 cross-border cases from other supervisory authorities, and (iii) brought 15 actions ex officio (excluding data breaches) [Source: annual report 2019, p. 107]. In 2019, 112 fines were imposed, for a total of EUR 6,295,923.
  • In 2020, the AEPD (i) received 10,324 complaints, (ii) received 784 cross-border cases from other supervisory authorities, and (iii) brought 26 actions ex officio (excluding data breaches) [Source: annual report 2020, p. 131]. In 2020, 167 fines were imposed, for a total of EUR 8,018,800.
  • In 2021, the AEPD (i) received 13,905 complaints, (ii) received 581 cross-border cases from other supervisory authorities, and (iii) brought 9 actions ex officio (excluding data breaches) [Source: annual report 2021, p. 129]. In 2021, 258 fines were imposed, for a total of EUR 35,074,800.
  • Data for 2022 has not been published yet. Nevertheless, according to the information available, the amount of fines issued in 2022 is almost EUR 23 million.

Other legal consequences of non-compliance

Does Spain have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

There are no model declaratory proceedings or class actions for data protection law in Spain.

What is more relevant in Spain: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

  • At present, fines from the Spanish Data Protection Agency are more prominent than court proceedings such as claims for damages or injunctions.
  • The trend during the last year, and the expected trend for the coming years, is an increase in the amount of fines, in particular for serious and very serious infringements, and more litigation, including legal action on the part of consumers, since consumer associations are submitting complaints to the AEPD on behalf of consumers.