🇪🇸 EU Artificial Intelligence Act in Spain
A comprehensive guide to EU Artificial Intelligence Act compliance for organisations operating in Spain. Understand local enforcement, the national data protection authority, key focus areas, and notable enforcement actions.
About EU Artificial Intelligence Act
The world's first comprehensive AI regulation, establishing a risk-based framework for the development, deployment, and use of artificial intelligence systems within the EU.
EU Artificial Intelligence Act Enforcement in Spain
Spain's AEPD is one of Europe's most prolific enforcers by number of decisions, regularly issuing hundreds of sanctions per year across a wide range of sectors. The Spanish Organic Law 3/2018 (LOPDGDD) supplements the GDPR with provisions on the rights of the deceased's digital legacy, employee digital rights (including the right to digital disconnection), video surveillance in the workplace, and whistleblower channel management. The AEPD has been particularly active in sanctioning unlawful video surveillance (CCTV), unsolicited commercial communications, and inadequate data processing in healthcare. Spain sets the age of digital consent at 14. The AEPD publishes detailed guides on practical compliance and maintains an extensive publicly searchable sanctions database.
Data Protection Authority
Agencia Española de Protección de Datos (AEPD)
Key Enforcement Focus Areas in Spain
- Video surveillance and CCTV compliance
- Direct marketing and unsolicited communications
- Healthcare data processing
- Employee digital rights (right to disconnect)
- Telecommunications sector compliance
Notable Enforcement Actions in Spain
CaixaBank S.A.
Processing customer data for commercial communications without valid GDPR-compliant consent
Vodafone España S.A.U.
Repeated unsolicited commercial calls and SMS messages, and failure to demonstrate valid consent
EDP Energía S.A.
Switching customers' energy suppliers using personal data without authorisation or valid consent
Equifax Ibérica
Maintaining inaccurate solvency data and failing to verify debt information accuracy
Disclaimer: The information on this page is for educational purposes and does not constitute legal advice. For specific compliance guidance, consult a qualified legal professional in your jurisdiction.
Other Regulations Affecting Spain
General Data Protection Regulation (GDPR)
The EU's landmark data protection law that governs how organisations collect, store, process, and transfer personal data of individuals in the European Economic Area.
Network and Information Security Directive (NIS2)
The updated EU cybersecurity directive that expands security requirements to a broader range of sectors and imposes stricter obligations on essential and important entities.
Digital Operational Resilience Act (DORA)
The EU regulation establishing a comprehensive framework for digital operational resilience in the financial sector, covering ICT risk management, incident reporting, testing, and third-party risk.
ePrivacy Directive (2002/58/EC)
The EU directive governing privacy in electronic communications, covering cookies, direct marketing, traffic data, and the confidentiality of communications — often called the "Cookie Law".