The Spanish Data Protection Authority (“AEPD”) has published its 2024 annual report, which includes the AEPD’s awareness-raising activities; the collaboration and inspection activities of the Spanish authorities; relevant reports and procedures published during 2024; and an analysis of regulatory trends and key privacy challenges for the coming months. The annual report’s key elements are summarised below:
- Key Milestones & Strategy:
In 2024, a key objective of the AEPD was to establish its leadership in some of the most critical areas of the digital age — artificial intelligence, ethical data governance, and online child protection.
The AEPD has aimed to proactively align with upcoming EU regulations such as the AI Act, eIDAS2, the Data Act, and the Digital Services Act. It has also issued guidance on emerging challenges including biometric data processing, addictive platform design, and age verification tools to protect minors. Through initiatives like FACILITA-RGPD and COMUNICA-BRECHA, it aims to support entrepreneurs and public institutions, while promoting privacy-by-design in digital environments.
- Main regulatory risks and challenges:
The AEPD is preparing to play a pivotal role in supervising high-risk AI systems, highlighting the need for enhanced technical capacity, coordinated oversight, and ethical implementation aligned with fundamental rights. In the field of biometrics, it has pushed for strong safeguards around facial recognition and other surveillance tools.
On data governance, the AEPD has promoted privacy-enhancing data sharing in key sectors like healthcare and research — calling for clear purpose limitation, pseudonymisation, and transparent governance frameworks. Its role under eIDAS2 is also expanding, where it will oversee the rollout of European Digital Identity Wallets, with an emphasis on data minimisation, user control, and robust authentication standards.
- Increased Enforcement:
Enforcement by the AEPD intensified in the last year. In 2024, the AEPD imposed €35.5 million in fines, up 19% from the previous year. Enforcement has targeted sectors such as internet platforms, telecommunications, and employment, with common violations including lack of transparency, unlawful marketing, and disproportionate surveillance. The agency also took a leading role in cross-border supervision, with 370 GDPR cooperation procedures, including 22 as the lead authority.
The Spanish authority is increasing its proactive oversight, especially on the use of AI and biometric systems, monitoring workplace technologies and school surveillance systems.
- Awareness:
The AEPD has launched several awareness and education campaigns targeting diverse audiences, particularly:
- Children and adolescents, on safe digital use
- General public, under campaigns like Protege tu privacidad
At DLA Piper, we are closely monitoring these developments as part of our commitment to helping clients navigate privacy trends and challenges. As enforcement grows more complex and technically demanding, organisations must take a proactive, privacy-by-design approach to compliance.
As digital transformation accelerates, ensuring ethical, legally sound, and rights-based regulation is more essential than ever.