PROFILE
Mandate and constitution
The Agencia Española de Protección de Datos (AEPD) was established by Organic Law 5/1992 (the LORTAD, precursor to the current framework) and now operates under Organic Law 3/2018 on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD), which adapts Spanish law to the GDPR. The AEPD is the supervisory authority under Article 51 GDPR for the territory of Spain, and the lead supervisory authority under Article 56 for any controller or processor whose main EU establishment is in Spain.
The AEPD is an independent public-law authority headquartered in Madrid, with statutory independence from the Spanish executive. The autonomous communities of Catalonia, the Basque Country and Andalusia have their own regional data protection authorities (APDCAT, AVPD, CTPDA) with competence over public-sector processing within their respective territories, but the AEPD remains the authority for the private sector throughout Spain and for public-sector processing in the remaining autonomous communities.
Fining philosophy
The AEPD's defining feature is volume. Where the Irish DPC concludes a handful of high-profile inquiries per year, the AEPD adopts hundreds of sanctioning decisions across the full range of GDPR provisions. The fining philosophy is necessarily different: rather than producing landmark precedents on novel questions, the AEPD's body of decisions provides a granular jurisprudence on how the GDPR applies to recurring SMB-level matters. Practical areas of concentration include video-surveillance compliance (Article 5(1)(c) minimisation and the signage and information duties flowing from Article 13), cookie-consent banners (under Article 22.2 of the LSSI, the Spanish transposition of the ePrivacy Directive), employment monitoring (geolocation, email surveillance, biometric attendance) and direct-marketing breaches (consent and opt-out compliance).
Fine amounts reflect the SMB profile. The Article 83(2) factors of size of the undertaking and financial benefits flowing from the infringement consistently weigh against large fines for small Spanish controllers. The €1,000-€10,000 band is typical for first-offence SMB matters; €50,000-€500,000 for larger Spanish enterprises; €1M-€10M for the largest Spanish corporates (CaixaBank, BBVA, Vodafone España). The AEPD's top-end sanctions are well below the EU-wide highs, but the cumulative deterrent across the SMB base is substantial.
Headline Spanish decisions
Several AEPD decisions have set Spanish-market reference points. CaixaBank S.A. (€6M, January 2021) addressed lawful-basis (Article 6) and transparency (Articles 13 and 14) failures in consent-based marketing processing, applying the AEPD's standard analysis of what constitutes valid consent under the GDPR and the LOPDGDD. BBVA (€5M, December 2020) addressed similar lawful-basis failures together with inadequate privacy information under Article 13. Vodafone España was fined €8.15M in a single March 2021 decision covering aggressive telemarketing conducted through processors, with findings under the GDPR (processor contracts and international transfers) as well as the LSSI and the General Telecommunications Law.
The Mercadona supermarket-chain decision (€2.52M, July 2021) addressed the use of facial recognition at store entrances to detect individuals subject to court orders barring them from its premises. The AEPD found that the processing of biometric data without a valid Article 9(2) exception was unlawful, also faulting the data-protection impact assessment, and ordered the discontinuation of the technology. The decision is one of the leading early authorities on retail biometrics in the EU.
Mid-sized cases include Glovo (€79k, 2022) for algorithmic-management transparency failures echoing the Italian Garante's Foodinho decision; Iberdrola (€1.5M, 2022) for inadequate security around customer-portal access; and a large body of telemarketing decisions against energy retailers and telecoms providers.
Procedural framework
The AEPD's sanctioning procedure is set out in the LOPDGDD, supplemented by the general rules of administrative procedure in Law 39/2015 and the AEPD's own internal procedural rules. Decisions follow a structured sequence: admission of the complaint, preliminary investigation (during which the AEPD requests information from the controller), formal initiation of sanctioning proceedings, controller representations, draft decision, controller observations on the draft, and final resolution. Final decisions can be challenged before the Contentious-Administrative Chamber of the Audiencia Nacional and, on a point of law, by cassation appeal to the Supreme Court of Spain.
The AEPD routinely applies the reductions provided by Article 85 of Law 39/2015: a 20% reduction for voluntary payment of the proposed fine and a further 20% for acknowledgement of responsibility, cumulable to 40% of the formally calculated fine, on condition that the controller waives any administrative or judicial challenge to the sanction. This procedural feature contributes to the high volume of resolved cases and to the SMB-affordable fine distribution.
Role in cross-border inquiries
For Big Tech matters where the lead authority is in Ireland, Luxembourg or France, the AEPD acts as a concerned supervisory authority. It has raised reasoned objections in several major DPC inquiries (including those that escalated to EDPB Article 65 binding decisions). The AEPD's comparative weight in the EDPB cooperation work is significant given the number of Spanish data subjects affected by Big Tech processing.
Recent enforcement trends
The AEPD's 2024-2026 enforcement programme covers AI systems (including a memorandum of understanding with AESIA, the new Spanish AI supervisory agency, on AI Act implementation), employment biometrics (continuing the Mercadona line), telemarketing in breach of the Lista Robinson opt-out register recognised under Article 23 LOPDGDD, connected vehicles, and the supervision of consent-management platforms operating in the Spanish market. The AEPD has also been notably active on micro-targeting in political campaigning under LOPDGDD provisions that go beyond the GDPR baseline.