
AEPD Spain: What Spain's DPA Requires That Other EU Authorities Don't — AI Assessments and Employee Monitoring

AEPD issued 847 sanctioning resolutions in 2023 — the highest in the EU by number — and requires DPIAs for all AI systems processing personal data. Here's the technical implementation.

March 7, 2026

AEPD as EU's Most Prolific Enforcer by Volume

Spain's Agencia Española de Protección de Datos (AEPD) is the EU's most active DPA by number of enforcement actions, issuing 847 sanctioning resolutions in 2023 — more than all other EU DPAs combined by volume. Total AEPD fines in 2023 exceeded €12M across these resolutions.

The high volume reflects AEPD's enforcement approach: unlike DPAs that focus on landmark fines against major corporations, AEPD issues significant numbers of smaller fines against SMEs, municipal governments, and individual organizations, creating broad compliance pressure across the Spanish economy.

AEPD's enforcement focus areas in 2024:

  • Video surveillance and biometric data (29% of cases)
  • Marketing and unsolicited communications (24% of cases)
  • Employee monitoring and HR data (18% of cases)
  • AI systems and automated decision-making (15% of cases — increasing year-over-year)
  • Healthcare and special category data (14% of cases)

AEPD's Unique AI DPIA Requirement

AEPD's 2024 "Guía de adecuación al RGPD de tratamientos con IA" (Guide on GDPR Compliance for Processing Involving AI) goes beyond the GDPR baseline in one significant requirement: AEPD requires a Data Protection Impact Assessment (DPIA) for any AI system that processes personal data.

Under GDPR Article 35, DPIAs are required for processing "likely to result in a high risk" to data subjects' rights and freedoms — a contextual assessment. AEPD's guidance takes a more categorical approach: any AI system processing personal data triggers the DPIA requirement.

This means Spanish organizations must conduct and document DPIAs for:

  • Customer service chatbots
  • HR recruitment screening tools
  • Marketing personalization algorithms
  • Document processing AI (including anonymization AI)
  • Any AI tool that processes employee or customer data

The practical implication: organizations using AI tools in Spain must have DPIA documentation for each tool, even if the tool is widely used and considered low-risk by the organization.

AEPD's Technical Anonymization Standards

AEPD's anonymization guidance is influenced by CNIL's "Guide pratique de l'anonymisation" but adds Spanish-specific requirements:

Spanish national identifiers:

  • DNI (Documento Nacional de Identidad): 8-digit number + letter check digit
  • NIE (Número de Identificación de Extranjero): Letter + 7 digits + letter, for foreign nationals
  • NIF (Número de Identificación Fiscal): Equivalent to DNI for tax purposes
  • Número de Seguridad Social: Social Security number format

AEPD's guidance notes that Spanish NER models frequently miss NIE numbers, which are common in Spain's significant immigrant population. Organizations processing data of non-Spanish nationals in Spain must verify NIE detection capability.
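As an added illustration (not code from the original article or from any AEPD tool) of how a pre-submission filter can catch the NIE numbers that name-trained NER models miss, the following Python validates the DNI/NIE check letter and redacts only checksum-valid matches before text is handed to an AI service. The regular expressions, function names and the Spanish sample text are my own assumptions and constructed values.

```python
import re

# Spanish DNI/NIE check letter: index this table with (numeric part % 23).
CHECK_LETTERS = "TRWAGMYFPDXBNJZSQVHLCKE"

# DNI: 8 digits + check letter; NIE: X/Y/Z + 7 digits + check letter.
# An optional hyphen before the letter is tolerated ("12345678-Z").
DNI_RE = re.compile(r"\b(\d{8})-?([A-Za-z])\b")
NIE_RE = re.compile(r"\b([XYZxyz])(\d{7})-?([A-Za-z])\b")

def check_letter(number: int) -> str:
    """Expected check letter for the numeric part of a DNI/NIE."""
    return CHECK_LETTERS[number % 23]

def is_valid_dni(digits: str, letter: str) -> bool:
    return check_letter(int(digits)) == letter.upper()

def is_valid_nie(prefix: str, digits: str, letter: str) -> bool:
    # In the checksum the NIE prefix stands for a leading digit: X=0, Y=1, Z=2.
    numeric = str("XYZ".index(prefix.upper())) + digits
    return check_letter(int(numeric)) == letter.upper()

def find_spanish_ids(text: str) -> list:
    """(kind, value) for each checksum-valid DNI/NIE in text. Candidates whose
    check letter does not verify (e.g. an order number) are ignored."""
    found = []
    for m in DNI_RE.finditer(text):
        if is_valid_dni(m.group(1), m.group(2)):
            found.append(("DNI", m.group(0)))
    for m in NIE_RE.finditer(text):
        if is_valid_nie(m.group(1), m.group(2), m.group(3)):
            found.append(("NIE", m.group(0)))
    return found

def redact_spanish_ids(text: str) -> str:
    """Replace checksum-valid DNI/NIE with tags before text leaves the org."""
    def dni_sub(m):
        return "[DNI]" if is_valid_dni(m.group(1), m.group(2)) else m.group(0)

    def nie_sub(m):
        return "[NIE]" if is_valid_nie(*m.groups()) else m.group(0)

    return NIE_RE.sub(nie_sub, DNI_RE.sub(dni_sub, text))

# Constructed sample input; the identifiers are test values, not real people.
SAMPLE = ("Solicitante: García López, Juan Carlos, DNI 12345678Z. "
          "Cónyuge NIE X1234567L. Referencia pedido 12345678A.")
```

The checksum step is what keeps an eight-digit order number followed by a letter (the third value in the sample) out of the redaction, while still catching the NIE that a surname-oriented model would skip.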

Spanish-specific context: AEPD guidance addresses the specific challenge of Spanish names — the tradition of two-surname naming (apellidos compuestos) creates name detection challenges for NER models trained primarily on single-surname naming conventions. Spanish-language NER must handle: "García López, Juan Carlos" — where both "García" and "López" are surnames, not a compound surname + given name.

AEPD's Employee Monitoring Enforcement

The 18% of AEPD cases involving employee monitoring reflects Spain's active enforcement of restrictions on employer surveillance. The Spanish Workers' Statute (Estatuto de los Trabajadores) limits employer monitoring rights, and AEPD has been aggressive in enforcing these limits alongside GDPR.

Key AEPD rulings on employee monitoring:

  • Keyloggers and screenshot monitoring: AEPD considers covert keylogger installation a GDPR violation in most contexts; transparent screenshot monitoring requires documented justification and proportionality assessment
  • GPS tracking: Permitted for work vehicles with transparent notice; prohibited for personal vehicles
  • Email monitoring: Permitted with prior notice and documented policy; content analysis requires additional justification
  • AI performance monitoring: AI systems that assess employee performance through behavioral analysis require explicit DPIA and EDPB guidance compliance

Organizations deploying AI tools that monitor or analyze employee behavior (including productivity analytics, communication monitoring, and attendance tracking) face specific AEPD scrutiny.

Building AEPD-Compliant AI Documentation

For Spanish organizations implementing AI tools, the AEPD-compliant documentation stack consists of the following:

1. AI System Inventory: Document all AI systems processing Spanish personal data: system name, vendor, purpose, data categories processed, retention period, DPA status.

2. DPIA for each AI system: Following AEPD's simplified DPIA template (available on AEPD's website):

  • Description of processing: purpose, legal basis, data categories, recipients
  • Necessity and proportionality assessment
  • Risk assessment: risks to data subjects
  • Risk mitigation measures: technical and organizational controls
  • DPO consultation record (if DPO required)

3. Technical controls documentation: For each AI system, document the technical measures preventing unauthorized personal data access:

  • Pre-submission filtering (PII detection + removal before AI processing)
  • Access controls on processed data
  • Retention enforcement
  • Breach detection and response

4. Employee monitoring policy: If any AI system monitors employees: written policy documenting the monitoring scope, notice to employees, legal basis, and proportionality assessment.

AEPD inspections typically request the AI system inventory and DPIAs first. Organizations with pre-existing documentation resolve inspections significantly faster than those conducting assessments reactively.
