Spain

Main takeaways


  • Fines cannot be imposed on public entities and other authorities, unless the latter (e.g. Bar Associations) are acting in a private capacity.
  • High transparency on DPA fining decisions (anonymisation of natural persons).
  • Fines > Damages: So far, fines imposed by the DPA appear to be more important than damages, but the significance of damage claims before Courts will likely increase in the future (in particular as regards class actions).

Fining practice

Trend: Have the national data protection authorities in Spain focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

During 2023, in the most relevant cases involving fines, the Spanish Data Protection Agency (“Agencia Española de Protección de Datos”, “AEPD”) has focused on personal data breaches (rising from EUR 821,800 in 2022 to EUR 12,907,000 in 2023), financial institutions/creditors (rising from EUR 596,200 in 2022 to EUR 5,321,000 in 2023), data protection rights (EUR 2,633,400), fraudulent contracting (EUR 2,571,500), telecommunications (EUR 1,942,000) and Internet services (EUR 1,058,700). These areas account for 89% of the overall amount of fines.

There is no announcement of investigations referring to certain types of non-compliance.

According to the fines imposed during 2023, the AEPD has mainly focused on security breaches and the financial sector.

Overall, what was the most significant fine in Spain to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The record fine in Spain to date was the EUR 10,000,000 fine imposed on Google LLC, published on 18 May 2022, for the infringement of Arts. 6 and 17 GDPR.

The AEPD imposed the fine for the following infringements:

  • EUR 5 million for the infringement of Article 6 GDPR: unlawfully transferring personal data to third parties, as Google LLC communicated information on the requests made by users to the Lumen Project organisation without a valid legal basis; and
  • EUR 5 million for the infringement of Article 17 GDPR: hindering data subjects' exercise of the right to erasure of data ("right to be forgotten").

Additionally, the AEPD required Google LLC to adopt the necessary measures, within six (6) months after the notification of the sanctioning resolution, to bring the processing operations and procedures for the exercise of data subjects' rights that are the subject of the proceedings into line with data protection legislation.


Organisation of authorities and course of fine proceedings in Spain

How is the data protection authority organised in Spain? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

There are six data protection authorities in Spain.

  • (1) The AEPD, which has jurisdiction over the private sector and the public sector, except in Autonomous Communities where there is a Data Protection Authority and except for the Courts exercising their judicial tasks.
  • (2) The Catalan Data Protection Agency (“Agencia Catalana de Protección de Datos”), (3) the Basque Data Protection Agency (“Agencia Vasca de Protección de Datos”), (4) the Council for Transparency and Good Governance of Andalusia (“Consejo de Transparencia y Buen Gobierno de Andalucía”) and (5) the Council for Transparency and Data Protection of the Community of Madrid (“Consejo de Transparencia y Protección de Datos de la Comunidad de Madrid”), which have jurisdiction over Public Administrations in their respective Autonomous Community.
  • (6) The General Council of the Judiciary (“Consejo General del Poder Judicial”) which has jurisdiction over the Courts as regards the performing of their tasks.

The budget for the AEPD in 2023 was almost EUR 19 million.

The number of staff for the AEPD in December 2023 was 247 (according to the information available here regarding number of officials (236) and employees (10)) and the Director. In 2022, the staff number was 216 (officials (207) and employees (8), and the Director).

The DPAs do not report to a specific ministry, to ensure their independence. The AEPD is an independent administrative authority at the national level with legal personality and full public and private capacity; it acts with full independence from the public authorities in the exercise of its functions.

The AEPD's staff is subject to a regime of incompatibilities to ensure their independence or objectiveness (Law 53/1984 of 26 December 1984 on Incompatibilities of personnel in the service of the Public Administrations). According to the information published by the AEPD in January 2023, no resolutions of authorization or recognition of compatibility affecting its staff had been issued.

In 2021, Royal Decree 389/2021 of 1 June was published, approving the new statute of the AEPD ("Real Decreto 389/2021, de 1 de junio, por el que se aprueba el Estatuto de la Agencia Española de Protección de Datos"). The AEPD is an independent administrative authority at the state level (Art. 1 of the Royal Decree 389/2021) and has organisational and functional autonomy, acting with full independence from the government, public administrations and any business or commercial interests (Art. 4 of the Royal Decree 389/2021).

How does a fine procedure work in Spain? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • The relevant Data Protection Authorities (see above) can impose fines by themselves, without the need for a Court of Justice.
  • The person who files a complaint is not a party to the procedure.
  • During the procedure, the interested person has the opportunity to submit allegations several times (when notified of the opening of the procedure, when given a formal period for allegations, and when notified of the proposed decision). It is important that the interested person has an electronic certificate in order to receive notifications.
  • Any fine is subject to a possible appeal before the Courts of Justice.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

Fines of the AEPD are allocated to the state treasury.

Is there a common, official calculation methodology for fines in Spain (such as the fining models in the Netherlands or Germany)?

There is no common, official calculation methodology for fines. However, Organic Law 3/2018 adds several factors to the list included in article 83.2.k) GDPR, including, inter alia, the impact on the rights of minors (article 76.2.f) or there being a data protection officer, where this is not mandatory (article 76.2.g).

Can public authorities be fined in Spain? If they can: Where does this money go?

Public authorities and other bodies, both when acting as data controllers or processors, shall be fined with a resolution declaring the infringement and establishing the measures to be adopted to cease the conduct or to correct the effects of the infringement committed, while not being financially sanctioned (article 77 of Organic Law 3/2018). Nevertheless, if one of the other bodies also acts in its private capacity, it will be fined should it violate data protection laws when acting in that private capacity. Finally, courts would only be fined with a reprimand, except where acting in their judicial capacity, as in this last case they cannot be fined.

It should be noted that in 2023 Organic Law 3/2018 was amended to apply a corrigendum to the GDPR, by virtue of which a reprimand (“apercibimiento”) is no longer a fine, but an adequate measure included in the corrective powers of the supervisory authorities.

In Spain, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

Yes, the AEPD does publish information on individual fine cases, including fines imposed, on its website. When the resolution relates to an individual infringing the applicable legislation, the AEPD shall publish this on an anonymised basis. In the case of companies, the responsible entity (the controller or processor) infringing the law shall be identifiable.

Furthermore, if (i) the fine amount is higher than one (1) million euros; (ii) the responsible entity is a legal entity and (iii) the competent authority is the AEPD, information on the entity responsible, the infringement and the amount fined will be published in the Official Gazette (in Spanish “Boletín Oficial del Estado”).

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines?

Although information on individual cases is published, the AEPD also provides aggregated information in its annual report.


  • In 2019, the AEPD (i) received 11,590 complaints, (ii) received 709 cross-border cases from other supervisory authorities, and (iii) brought 15 actions ex-officio (excluding data breaches) [Source: annual report 2019, p. 107]. The total number of fines in 2019 was 112 for a total of EUR 6,295,923.
  • In 2020, the AEPD (i) received 10,324 complaints, (ii) received 784 cross-border cases from other supervisory authorities, and (iii) brought 26 actions ex-officio (excluding data breaches) [Source: annual report 2020, p. 131]. The total number of fines in 2019 was 167 for a total of EUR 8,018,800.
  • In 2021, the AEPD (i) received 13,905 complaints, (ii) received 581 cross-border cases from other supervisory authorities, and (iii) brought 9 actions ex-officio (excluding data breaches) [Source: annual report 2021, p. 129]. The total number of fines in 2021 was 258 for a total of EUR 35,074,800.
  • In 2022, the AEPD (i) received 15,128 complaints, an increase of 9% compared to 2021, (ii) received 651 cross-border cases from other supervisory authorities, and (iii) brought 43 actions ex-officio (excluding data breaches) [Source: annual report 2022, p. 139]. The total number of fines in 2022 was 378 for a total of EUR 20,775,361, a decrease of 41% compared to 2021.
  • In 2023, the AEPD (i) received 21,590 complaints, an increase of 43% compared to 2022 and 55% compared to 2021, (ii) received 708 581 cross-border cases from other supervisory authorities, and (iii) brought 50 actions ex-officio (including data breaches) [Source: annual report 2023, p. 131]. The total number of fines in 2023 was 367 for a total of EUR 29,817,410, an increase of 44% compared to 2022.

Other legal consequences of non-compliance in Spain

Does Spain have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

  • There are no model declaratory proceedings/class actions for data protection law in Spain.
  • It should be noted that the Congress started the legislative procedure for the transposition into the Spanish legal system of the EU Directive 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of collective interests of consumers. Once the Organic Law is approved, class actions could also be available in Spain.

What is more relevant in Spain: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

At present, fines from the Spanish Data Protection Agency are more prominent than court proceedings, such as claims for damages or injunctions.

The trend during the last year and for the coming years is an increase in the amount of fines, in particular for serious and very serious infringements, and more litigation, including legal action on the part of consumers, because consumer associations are submitting complaints on behalf of consumers to the AEPD.


  • During the last year, the AEPD has focused on biometric data. It has published guidelines on the use of biometric data for time and attendance and access control, imposed several sanctions for the processing of biometric data, issued a warning to an entity regarding the development of a facial recognition system for fan access to football stadiums, and ordered a precautionary measure against a company to cease the collection and processing of biometric data and to block the data already collected.