anonym.legal

AEPD Spain: GDPR Compliance for Spanish-Language PII — DNI, NIE, and Latin American Identifiers

AEPD issued 847 sanctioning resolutions in 2023 — the highest in the EU by count. DNI/NIE detected with 34% accuracy by generic tools. DPIA required for all AI systems. CURP, RUT, CUIL Spanish-language coverage.

March 7, 2026 · 9 min read
Spain AEPD, DNI NIE detection, Spanish language PII, Latin America compliance, GDPR AI

Spain's Agencia Española de Protección de Datos (AEPD) issued 847 sanctioning resolutions in 2023 — the highest number of enforcement decisions of any EU DPA. While individual fines are often smaller than headline GDPR cases from the Irish DPC or Dutch AP, the AEPD's high enforcement volume creates significant compliance exposure for any organization with Spanish operations.

AEPD's AI-First Enforcement Framework

The AEPD has published the EU's most comprehensive AI-specific data protection guidance, including:

"Adecuación al RGPD de tratamientos que incorporan IA" (2020, updated 2024): The AEPD's AI guide requires a DPIA for any AI system processing personal data — regardless of whether the AI processing meets the GDPR Article 35 risk threshold for mandatory DPIAs. This is one of the most expansive DPIA requirements in the EU.

Spanish AI Act implementation: Spain is among the first EU member states with a national AI registry for high-risk AI systems. The AEPD coordinates with Spain's AI supervision body to enforce combined AI Act + GDPR requirements.

Spanish National Identifiers: The Detection Gap

Generic NLP tools detect DNI and NIE with only 34% accuracy in Spanish documents (AEPD 2024 analysis). Understanding why requires understanding the identifier structures:

DNI (Documento Nacional de Identidad): 8 digits + 1 control letter. The control letter is calculated as the remainder of the number divided by 23, mapped to a specific letter sequence (not A-Z — certain letters are excluded). This letter-from-number algorithm is Spain-specific and not implemented in generic tools.

Example: DNI 12345678Z. The letter Z is determined by computing 12345678 mod 23 and using the result as the position in the letter sequence. Tools that detect 8-digit numbers without the letter validation, or that validate only the pattern without the modulus calculation, generate false positives and false negatives.

NIE (Número de Identificación de Extranjeros): Format X/Y/Z + 7 digits + control letter. NIE is assigned to foreign nationals in Spain for tax and administrative purposes. The three formats (X, Y, Z prefix) reflect different issuance periods. The same control letter algorithm applies. NIE appears in employment records, contracts, and tax documents for Spain's significant foreign national population.
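The control-letter check described above for DNI and NIE, as an added Python example (not code from the original article or from any tool it mentions). The letter table and the X/Y/Z to 0/1/2 prefix substitution are the standard published scheme; the function names and the sample text are constructed for illustration.

```python
import re

# Control-letter table: index = number mod 23 (I, O and U never appear).
CONTROL_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"
# NIE prefixes are replaced by a digit before the modulus is taken.
NIE_PREFIX = {"X": "0", "Y": "1", "Z": "2"}

# 8 digits + letter (DNI) or X/Y/Z + 7 digits + letter (NIE); an optional
# space or hyphen before the letter covers common ways of writing them.
CANDIDATE = re.compile(
    r"(?<![0-9A-Za-z])(\d{8}|[XYZxyz]\d{7})[ -]?([A-Za-z])(?![0-9A-Za-z])"
)


def control_letter(body: str) -> str:
    """Return the expected control letter for a DNI or NIE body (no letter)."""
    body = body.upper()
    digits = NIE_PREFIX.get(body[0], body[0]) + body[1:]
    return CONTROL_LETTERS[int(digits) % 23]


def find_spanish_ids(text: str) -> list[dict]:
    """Scan text and classify every DNI/NIE-shaped token by its checksum."""
    hits = []
    for m in CANDIDATE.finditer(text):
        body, letter = m.group(1).upper(), m.group(2).upper()
        hits.append({
            "match": m.group(0),
            "type": "NIE" if body[0] in NIE_PREFIX else "DNI",
            "valid": control_letter(body) == letter,  # pattern alone is not enough
            "span": m.span(),
        })
    return hits


# Constructed sample text, not real personal data.
SAMPLE = (
    "Titular: DNI 12345678Z, contrato ref 87654321A. "
    "Trabajadora extranjera con NIE X1234567L; pedido n.º 12345678 sin letra."
)

if __name__ == "__main__":
    for hit in find_spanish_ids(SAMPLE):
        print(hit)
```

A pattern-only detector would report `87654321A` as a DNI; the checksum marks it invalid, which lets a redaction pipeline treat it as a lower-confidence hit rather than a confirmed identifier.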

CIF/NIF empresarial: The company tax identification number, format 1 letter + 7 digits + control character (digit or letter). The first letter indicates company type (A=S.A., B=S.L., etc.), and the control character uses a different algorithm from DNI/NIE.

Tarjeta Sanitaria Individual: Spain's national health card number. Format varies by region — Spanish autonomous communities (Cataluña, Madrid, Andalucía, etc.) use different health card formats. This fragmentation makes automated detection challenging.

Latin American Spanish: AEPD Compliance in a Global Context

Spain's linguistic and historical connection to Latin America creates a compliance dimension that extends beyond Spain's borders. Organizations with operations across Spanish-speaking markets need PII tools covering:

Mexico: CURP (Clave Única de Registro de Población) — 18-character alphanumeric encoding birth date, sex, birth state, and name initials. RFC (Registro Federal de Contribuyentes) — 13-character alphanumeric tax ID for individuals, 12 for companies.

Argentina: CUIL (Código Único de Identificación Laboral) — 11-digit format with check digit (prefix + CUIT + check). CUIT (Código Único de Identificación Tributaria) — same format as CUIL. DNI argentino — 7-8 digit national ID.

Chile: RUT (Rol Único Tributario) / RUN — 7-9 digits + dash + check digit (digit or K). The check digit uses a modulus-11 algorithm. Every Chilean individual and business entity has a RUT.

Colombia: Cédula de Ciudadanía — 8-10 digit national ID. NIT (Número de Identificación Tributaria) — 9 digits + check digit for businesses.

For multinational organizations serving Spanish-speaking markets across Spain and Latin America, PII tool coverage of both Spanish EU identifiers (DNI, NIE, CIF) and Latin American national identifiers (CURP, RUT, CUIL, Cédula) is required for AEPD compliance and LGPD/local DPA compliance in each country.
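For the Chilean RUT described above, an added Python example (not from the original article) of the modulus-11 check digit, using the standard weights 2 through 7 cycling from the rightmost digit. The function names and the sample text are constructed for illustration.

```python
import re
from itertools import cycle

# Body written plain (7-9 digits) or with thousands dots, then dash + check digit.
RUT_CANDIDATE = re.compile(
    r"(?<![\d.])(\d{1,3}(?:\.\d{3}){2}|\d{7,9})-([0-9Kk])(?![0-9A-Za-z])"
)


def rut_check_digit(body: str) -> str:
    """Modulus-11 check digit for a RUT body given as a string of digits."""
    total = sum(int(d) * w for d, w in zip(reversed(body), cycle(range(2, 8))))
    result = 11 - total % 11
    # 11 is written as 0 and 10 as K; everything else is the digit itself.
    return {11: "0", 10: "K"}.get(result, str(result))


def find_ruts(text: str) -> list[tuple[str, bool]]:
    """Return (matched text, checksum valid?) for every RUT-shaped token."""
    hits = []
    for m in RUT_CANDIDATE.finditer(text):
        body = m.group(1).replace(".", "")
        hits.append((m.group(0), rut_check_digit(body) == m.group(2).upper()))
    return hits


# Constructed sample text, not real personal data.
RUT_SAMPLE = (
    "Cliente RUT 12.345.678-5, proveedor 11111112-k, "
    "lote 20240315-7, RUT mal digitado 12.345.678-9."
)

if __name__ == "__main__":
    for match, valid in find_ruts(RUT_SAMPLE):
        print(match, "valid" if valid else "checksum mismatch")
```

The batch number `20240315-7` has the shape of a RUT but fails the checksum, the same false-positive class that pattern-only matching produces for DNI.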

AEPD's Enforcement Focus in 2024

847 enforcement decisions — the EU's highest count — reflect AEPD's high complaint intake and systematic enforcement. Key sectors:

Telecommunications and financial services: 42% of AEPD resolutions. Unauthorized credit checks, excessive data retention, and inadequate consent for marketing.

Healthcare and insurance: 22% of resolutions. Health data sharing without consent, inadequate de-identification for research use, and biometric processing for appointment management.

Employment: 19% of resolutions. Employee monitoring, social media screening, and video surveillance without adequate notification.

AI systems: A growing category. The AEPD found multiple Spanish companies deploying AI without completed DPIAs, in violation of the mandatory DPIA requirement in the AEPD's AI guide.

DNI/NIE detection with control letter validation, Spanish-language NER (spaCy es_core_news), and Latin American identifier coverage for CURP, RUT, CUIL, and Cédula represent the baseline technical requirements for comprehensive Spanish-language PII compliance.
