Publication 13 May 2025 · International

GDPR Enforcement in Spain

Deep dive into relevant data protection enforcement cases and insights from Spain

Main takeaways
In 2024 the number of fines imposed by the Spanish Data Protection Agency was lower than in 2023, but the amount increased, exceeding EUR 27 million.
During 2024 the highest fines were imposed on companies in the financial, telecommunications and energy sectors for non-compliance with general data processing principles and insufficient technical and organisational measures to ensure information security.
On 24 December 2024 a Royal Decree providing for the dismissal of the Director of the Spanish Data Protection Agency was published. A President and a Deputy (in Spanish “Adjunto”) were appointed in February 2025. The Agency started working on a new strategic plan for the coming years.

Fining practice

Trend: Have the national data protection authorities in Spain focused on certain types of non-compliance with data protection law so far, or have the authorities announced that they will investigate certain types of non-compliance more closely in the future (e.g. incorrect use of cookie banners, monitoring of employees, possibly also due to Covid-related home office, etc.)? Do you see a focus on certain industries/sectors? If so, which ones?

During 2024, in the most relevant cases involving fines, the Spanish Data Protection Agency (“Agencia Española de Protección de Datos”, “AEPD”) has focused on personal data breaches, followed by the gas, electricity and water supply sector, fraudulent contracting and the financial sector.

There is no announcement of investigations referring to certain types of non-compliance.

According to the fines imposed during 2024, the AEPD has mainly focused on personal data breaches.

Overall, what was the most significant fine in Spain to date (please specify recipient, amount, type of violation, sector, brief summary)? Has the fine been challenged in court? If yes: With success or what is the status of the proceedings?

The record fine in Spain to date was the EUR 10,000,000 fine imposed on Google LLC published on 18 May 2022, for the infringement of Arts. 6 and 17 GDPR.

The AEPD imposed the fine for the following infringements:

  • EUR 5 million for the infringement of Article 6 GDPR: transferring personal data to third parties unlawfully as Google LLC communicated, without a valid legal basis, information on requests made by users to the Lumen Project organisation; and
  • EUR 5 million for the infringement of Article 17 GDPR: hindering data subjects' exercise of the right to erasure of data ("right to be forgotten").

Additionally, the AEPD required Google LLC to adopt the necessary measures to bring the processing operations and procedures to allow data subjects to exercise the rights addressed in the proceedings in line with data protection legislation within six (6) months of Google LLC having been notified of the sanctioning resolution.

Organisation of authorities and course of fine proceedings in Spain

How is the data protection authority organised in Spain? In particular: What is the annual budget? How many staff are employed? Is the authority assigned to a specific ministry? If so, which one?

There are six data protection authorities in Spain.

  • (1) The AEPD, which has jurisdiction over the private sector and the public sector, except in Autonomous Communities where there is a Data Protection Authority and except for the courts exercising their judicial tasks.
  • (2) The Catalan Data Protection Agency (“Agencia Catalana de Protección de Datos”), (3) the Basque Data Protection Agency (“Agencia Vasca de Protección de Datos”), (4) the Council for Transparency and Good Governance of Andalusia (“Consejo de Transparencia y Buen Gobierno de Andalucia”) and (5) the Council for Transparency and Data Protection of the Community of Madrid (“Consejo de Transparencia y Protección de Datos de la Comunidad de Madrid”), which have jurisdiction over public administrations in their respective Autonomous Community.
  • (6) The General Council of the Judiciary (“Consejo General del Poder Judicial”) which has jurisdiction over the courts as regards the performance of their tasks.

The budget for the AEPD in 2024 was almost EUR 19 million, the same as in 2023.

The number of staff for the AEPD in December 2024 was 250 (according to the information available here regarding number of officials (239) and employees (10)) and the Director. In 2023, the staff number was 247 (officials (236), employees (10) and the Director).

The DPAs do not report to a specific ministry to ensure their independence. The AEPD is an independent administrative authority at the national level with legal personality and full public and private capacity. It acts with full independence from the public authorities in exercising its functions.

The AEPD’s staff is subject to a regime of incompatibilities to ensure their independence and objectivity (Law 53/1984 of 26 December 1984 on Incompatibilities of personnel in the service of the Public Administrations). According to the information published by the AEPD in September 2024, no resolutions of authorisation or recognition of compatibility affecting its staff had been issued.

In 2021, Royal Decree 389/2021 of 1 June was published, approving the new statute of the AEPD ("Real Decreto 389/2021, de 1 de junio, por el que se aprueba el Estatuto de la Agencia Española de Protección de Datos"). The AEPD is an independent administrative authority at the state level (Article 1 of the Royal Decree 389/2021) and has organisational and functional autonomy, acting with full independence from the government, public administrations and any business or commercial interests (Article 4 of the Royal Decree 389/2021).

In 2024 the Royal Decree 1323/2024 of 23 December providing for the dismissal of the Director of the Spanish Data Protection Agency was published in the Official Gazette (in Spanish “Boletín Oficial del Estado”). A President and a Deputy (in Spanish “Adjunto”) of the Spanish Data Protection Agency were appointed in February 2025.

How does a fine procedure work in Spain? In particular: can the authority itself impose fines? How does the procedure work (e.g., notification as to the opening of proceedings (public/addressed to the company alone?), notification as to the intention to impose a fine (public/addressed to companies alone?), formal penalty notice)? What legal remedies are possible against an imposed fine?

  • The relevant data protection authorities (see above) can impose fines by themselves, without the need to appeal to a Court of Justice.
  • The person who files a denouncement is not a party in the procedure.
  • During the procedure, the interested person has the opportunity to submit allegations several times (when notified of the opening of the procedure, when given a formal deadline for allegations and when notified of the preliminary decision). It is important that the interested person has an electronic certificate in order to receive notifications.
  • Any fine is subject to a possible appeal before the Courts of Justice.

When fines are imposed by the data protection authority: Where does the money go? (e.g., the state treasury, the authority's budget)?

Fines of the AEPD are allocated to the state treasury.

Is there a common, official calculation methodology for fines in Spain (such as the fining models in the Netherlands or Germany)?

There is no common, official calculation methodology for fines. However, Organic Law 3/2018 adds several factors to the list included in Article 83 (2) (k) GDPR, including the impact on the rights of minors (Article 76.2.f) or there being a data protection officer, where this is not mandatory (Article 76.2.g).

Can public authorities be fined in Spain? If they can: Where does this money go?

Public authorities and other bodies, both when acting as data controllers and as processors, can be sanctioned with a resolution declaring the infringement and establishing the measures to be adopted to cease the conduct or to correct the effects of the infringement committed, but are not fined (Article 77 of Organic Law 3/2018). Nevertheless, if one of these bodies also acts in a private capacity, it can be fined should it violate data protection laws when acting in that private capacity. Finally, courts can only be reprimanded, except where they act in their judicial capacity, in which case they cannot be sanctioned at all.

It should be noted that in 2023 the Organic Law 3/2018 was amended to apply a correction to the GDPR, by virtue of which a reprimand (“apercibimiento”) is no longer considered a fine but is instead an adequate measure included in the corrective powers of the supervisory authorities.

In Spain, does the data protection authority publish information on cases involving individual fines, including fines imposed or other procedural steps (e.g. on its website or in its annual report)? Are the affected companies identifiable in such publications?

Yes, the AEPD does publish information on individual fine cases, including fines imposed, on its website. When the resolution relates to an individual who has infringed the applicable legislation, the AEPD will publish this on an anonymised basis. In the case of companies, the responsible entity (the controller or processor) that infringed the law will be identifiable.

Furthermore, if (i) the fine amount is higher than EUR one (1) million; (ii) the responsible entity is a legal person and (iii) the competent authority is the AEPD, information on the entity responsible, the infringement and the amount fined will be published in the Official Gazette (in Spanish “Boletín Oficial del Estado”).

If no information on individual fine cases is published: does the data protection authority provide aggregated information on the total number of cases and/or the total amount of fines? What were the annual figures from 2019?

Although information on individual cases is published, the AEPD also provides aggregated information in its annual report.

  • In 2019, the AEPD (i) received 11,590 complaints, (ii) received 709 cross border cases from other supervisory authorities and (iii) brought 15 actions ex-officio (excluding data breaches) [Source: annual report 2019, p. 107]. The total number of fines in 2019 was 112 for a total of EUR 6,295,923.
  • In 2020, the AEPD (i) received 10,324 complaints, (ii) received 784 cross border cases from other supervisory authorities and (iii) brought 26 actions ex-officio (excluding data breaches) [Source: annual report 2020, p. 131]. The total number of fines in 2019 was 167 for a total of EUR 8,018,800.
  • In 2021, the AEPD (i) received 13,905 complaints, (ii) received 581 cross border cases from other supervisory authorities and (iii) brought 9 actions ex-officio (excluding data breaches) [Source: annual report 2021, p. 129]. The total number of fines in 2021 was 258 for a total of EUR 35,074,800.
  • In 2022, the AEPD (i) received 15,128 complaints, an increase of 9% compared to 2021, (ii) received 651 cross border cases from other supervisory authorities and (iii) brought 43 actions ex-officio (excluding data breaches) [Source: annual report 2022, p. 139]. The total number of fines in 2022 was 378 for a total of EUR 20,775,361, a decrease of 41% compared to 2021.
  • In 2023, the AEPD (i) received 21,590 complaints, an increase of 47% compared to 2022, (ii) received 708 cross border cases from other supervisory authorities and (iii) brought 50 actions ex-officio (excluding data breaches) [Source: annual report 2023, p. 131]. The total number of fines in 2023 was 367 for a total amount of EUR 29,817,410, a decrease of 3% in the number of fines but an increase of 44% in the total amount compared to 2022.
  • Data for 2024 has not been published yet. Nevertheless, according to the information available, the amount of fines imposed in 2024 exceeds EUR 27 million.

Other legal consequences of non-compliance in Spain

Does Spain have model declaratory proceedings/class actions in data protection law, i.e., are several data subjects able to join forces and take legal action together against the data controller?

  • There are no model declaratory proceedings/class actions for data protection law in Spain.
  • It should be noted that in 2024 the Congress started the legislative procedure for the transposition into the Spanish legal system of the EU Directive 2020/1828 of the European Parliament and of the Council of 25 November 2020 on representative actions for the protection of collective interests of consumers. The transposition was not carried out then, but a new draft law has been proposed for this purpose.

What is more relevant in Spain: fines from authorities or court proceedings such as claims for damages or injunctions? Can a trend be discerned for the coming years?

At present, fines from the Spanish Data Protection Agency are more prominent than court proceedings, such as claims for damages or injunctions.

The trend during the last year and expected for the coming years is an increase in the amount of fines, in particular for serious and very serious infringements, and more litigation, including legal action on the part of consumers, because consumer associations are submitting complaints on behalf of consumers to the AEPD.

  • Last year the AEPD mainly focused on personal data breaches for insufficient security measures and non-compliance with general data protection principles. The AEPD imposed several relevant fines, including fines for amounts of EUR 5 million for non-compliance with general data protection principles or EUR 4 million for insufficient technical and organisational measures to ensure information security.