AEPD Fines 2025–2026: The Biggest Penalties and How to Avoid Being Next
The Spanish data protection authority is one of Europe's most active GDPR enforcers. Understanding the patterns behind its largest sanctions is the most direct path to not appearing in next year's enforcement report.
The Agencia Española de Protección de Datos (AEPD) has consistently ranked among Europe’s most prolific data protection enforcement authorities. In the volume of sanctions issued, in the range of sectors targeted, and in its willingness to pursue large telecommunications, banking, and technology companies alongside smaller organisations, the AEPD has developed a reputation that every compliance professional operating in Spain needs to take seriously.
The 2025–2026 enforcement cycle has continued this pattern with several high-profile resolutions and a clear signal about where the AEPD’s investigative interest is focused. Understanding the pattern behind these sanctions—not just the headline figures—is the most direct route to reducing your organisation’s exposure.
The pattern behind AEPD enforcement
Before reviewing specific sanction categories, it is worth understanding how AEPD enforcement typically begins. The majority of formal investigations are triggered by data subject complaints—not by proactive AEPD audits. This means the initial exposure event is almost always a real customer experiencing a real problem: receiving marketing messages they did not consent to, having their data shared with a third party without their knowledge, being unable to exercise a data subject right within the legal window, or discovering a breach that was not communicated to them.
The AEPD investigates the complaint, requests documentation from the organisation, and makes a determination based on whether the organisation can produce evidence of compliant processes. The outcome—whether a warning, a reprimand, or a fine—depends substantially on the quality of that documentation, the seriousness of the violation, and whether the organisation can demonstrate that the conduct was isolated or systemic.
Organisations that produce clear evidence of compliant processes tend to receive lower sanctions even when a technical violation is found. Organisations that cannot produce documentation—or whose documentation reveals systemic failures—receive proportionally higher sanctions.
The highest-impact sanction categories
Unlawful processing of personal data (Article 6 GDPR)
Violations of Article 6—processing personal data without a valid lawful basis—represent the largest category of significant AEPD fines. Common scenarios:
- Telecommunications companies processing customer data for commercial purposes beyond the original service contract without renewed consent or documented legitimate interests assessment
- Financial institutions sharing customer data with affiliates for cross-selling without clear lawful basis or adequate disclosure in the privacy notice
- Employers processing employee health or location data beyond what is necessary for employment purposes, without documented legal basis
The fine levels for systemic Article 6 violations have consistently reached the upper ranges of the GDPR Article 83(4) framework (up to EUR 10 million or 2% of global annual turnover).
Direct marketing without valid consent (Article 7 GDPR / LSSI)
Unlawful electronic direct marketing remains the highest-volume enforcement category by number of cases, if not always by fine amount. The AEPD applies both GDPR consent requirements and Spain’s Ley de Servicios de la Sociedad de la Información (LSSI) to electronic commercial communications.
Common violations:
- Sending commercial email to addresses harvested from professional directories or social networks without direct consent
- Failing to remove recipients from mailing lists after unsubscribe requests within a reasonable period
- Using soft opt-in (prior customer relationship) for categories of communication that go beyond the original service context
The consent record for each commercial communication recipient must demonstrate: when consent was obtained, through which channel, for which purposes, and that an unsubscribe mechanism was present and functional. Organisations that cannot produce this record for each recipient on their lists are exposed every time they send a campaign.
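The per-recipient consent record described above, together with the 10-working-day unsubscribe check from the checklist later in the post, can be enforced as a gate that runs before any campaign is sent. The following is an added example, not code from the original post; the record layout, field names and sample recipients are constructed assumptions.

```python
# Pre-send consent audit for an electronic marketing list.
# Added example, not from the original post; record layout, field names and sample data are constructed.
from dataclasses import dataclass
from datetime import date, datetime, timedelta
from typing import Optional

@dataclass
class ConsentRecord:
    recipient: str
    obtained_at: Optional[datetime]  # when consent was obtained
    channel: str                     # through which channel ("" = not recorded)
    purposes: frozenset              # purposes the consent covers
    unsubscribe_present: bool        # unsubscribe mechanism present and functional
    unsubscribed_at: Optional[datetime] = None

def working_days_between(start: date, end: date) -> int:
    """Mon-Fri days after `start` up to and including `end` (no holiday calendar)."""
    return sum((start + timedelta(days=i)).weekday() < 5 for i in range(1, (end - start).days + 1))

def audit_list(records, campaign_purpose: str, send_at: datetime) -> dict:
    """Map each recipient who must NOT be mailed to the reasons why."""
    blocked = {}
    for r in records:
        reasons = []
        if r.obtained_at is None:
            reasons.append("no consent timestamp")
        if not r.channel:
            reasons.append("consent channel not recorded")
        if campaign_purpose not in r.purposes:
            reasons.append(f"consent does not cover purpose '{campaign_purpose}'")
        if not r.unsubscribe_present:
            reasons.append("no unsubscribe mechanism recorded")
        if r.unsubscribed_at is not None:
            reasons.append("recipient has unsubscribed")
            if working_days_between(r.unsubscribed_at.date(), send_at.date()) > 10:
                reasons.append("still on list more than 10 working days after unsubscribe")
        if reasons:
            blocked[r.recipient] = reasons
    return blocked

SAMPLE = [  # constructed recipients, not real data
    ConsentRecord("a@example.test", datetime(2025, 3, 1, 10), "web-form", frozenset({"newsletter", "offers"}), True),
    ConsentRecord("b@example.test", None, "", frozenset({"newsletter"}), True),
    ConsentRecord("c@example.test", datetime(2025, 1, 15, 9), "web-form", frozenset({"service-notices"}), True),
    ConsentRecord("d@example.test", datetime(2025, 2, 1, 9), "web-form", frozenset({"newsletter"}), True, datetime(2025, 5, 2, 17)),
]
SEND_AT = datetime(2025, 6, 2, 9)
BLOCKED = audit_list(SAMPLE, "newsletter", SEND_AT)
```

Every entry in `BLOCKED` is a recipient for whom the organisation could not produce the evidence the AEPD would ask for, which is exactly the population to remove before the send.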
Failure to respond to data subject rights requests (Articles 15–22 GDPR)
AEPD resolutions on data subject rights violations typically arise from complaints where a data subject attempted to exercise a right—access, rectification, erasure, or objection—and received either no response, a late response, or an incomplete response.
The GDPR window for rights response is one month (extendable by two months for complex requests with notification). The AEPD treats exceeding this window as a violation regardless of the reason. Organisations citing workload or technical difficulty as justifications receive little sympathy in resolution proceedings.
What the AEPD looks for during investigation: a documented intake process for rights requests, evidence that requests were acknowledged within a defined period, evidence that the substantive response was produced within the legal window, and the content of the response itself.
Insufficient security measures (Article 32 GDPR)
Security-related sanctions following data breaches are among the most visible in the AEPD’s enforcement record. The resolution framework is consistent: a breach occurs, the AEPD investigates whether the pre-breach security measures were appropriate given the nature of the data and the processing activities, and fines are issued where measures are found inadequate.
Common findings: insufficient access controls allowing former employees or unauthorised staff to access personal data; lack of encryption for sensitive data in transit or at rest; inadequate third-party security requirements in processor agreements; failure to conduct security risk assessments for high-risk processing.
Breach notification failures (Articles 33–34 GDPR)
The GDPR’s 72-hour notification window to the supervisory authority is treated as an absolute requirement. Late notification—whether by days or weeks—is regularly cited as an aggravating factor in breach-related sanctions. Failure to notify affected data subjects when the breach creates a high risk to their rights is an additional and separate violation.
The AEPD expects breach notification records to document: when the breach was detected, when the 72-hour clock started, the decision-making process for determining notification obligation, the content of the notification, and the outcome for affected individuals.
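One way to keep the breach register checkable against the fields and deadlines listed above, as an added example that is not part of the original post (field names and sample entries are constructed assumptions):

```python
# Breach register entry check: required fields and the 72-hour clock.
# Added example, not from the original post; field names and sample entries are constructed.
from datetime import datetime, timedelta

REQUIRED = ("detected_at", "aware_at", "decision_rationale", "high_risk", "outcome")
AUTHORITY_WINDOW = timedelta(hours=72)  # Article 33: notify the authority within 72 h of becoming aware

def check_entry(entry: dict) -> list:
    """Return the findings for one register entry; an empty list means nothing to flag."""
    findings = [f"missing field: {k}" for k in REQUIRED if entry.get(k) is None]
    if findings:  # deadlines cannot be assessed without the base fields
        return findings
    deadline = entry["aware_at"] + AUTHORITY_WINDOW
    notified = entry.get("authority_notified_at")
    if notified is None:
        findings.append("supervisory authority not notified")
    elif notified > deadline:
        late_h = (notified - deadline).total_seconds() / 3600
        findings.append(f"authority notified {late_h:.1f} h after the 72-hour deadline")
    # Article 34: a high-risk breach must also be communicated to the affected individuals
    if entry["high_risk"] and entry.get("subjects_notified_at") is None:
        findings.append("high-risk breach but affected data subjects not notified")
    return findings

def hours_remaining(aware_at: datetime, now: datetime) -> float:
    """Hours left on the 72-hour clock at `now` (negative once the deadline has passed)."""
    return (aware_at + AUTHORITY_WINDOW - now).total_seconds() / 3600

BASE = {"detected_at": datetime(2025, 4, 1, 8), "aware_at": datetime(2025, 4, 1, 9),
        "decision_rationale": "customer contact data exposed; notifiable", "high_risk": False,
        "outcome": "credentials reset, affected accounts monitored"}
SAMPLE = {  # constructed entries, not real incidents
    "on_time": {**BASE, "authority_notified_at": datetime(2025, 4, 3, 12)},
    "late": {**BASE, "authority_notified_at": datetime(2025, 4, 6, 9)},
    "no_subject_notice": {**BASE, "high_risk": True, "authority_notified_at": datetime(2025, 4, 2, 9)},
    "incomplete": {k: v for k, v in BASE.items() if k != "decision_rationale"},
}
```

Running `check_entry` over the register on a schedule turns the notification decision into a contemporaneous record rather than something reconstructed during an investigation.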
The checklist for reducing your AEPD exposure
Lawful basis
- Every category of personal data has a documented lawful basis
- Legitimate interests processing has a documented balancing test
- Privacy notice accurately reflects actual processing activities
- Data sharing with third parties and affiliates has documented basis and disclosure
Direct marketing
- Consent for electronic marketing is specific, documented, and retrievable per recipient
- Unsubscribe mechanism is functional and tested (response within 10 working days)
- Purchased or harvested email lists are not used for electronic marketing
- Soft opt-in scope is limited to what the customer relationship legally permits
Data subject rights
- Intake process for rights requests is documented and monitored
- Response SLA is calibrated to the one-month legal window
- Access responses are complete and accurate
- Erasure requests are verifiable across all systems
Security
- Risk assessment conducted and documented for all high-risk processing activities
- Encryption applied to personal data at rest and in transit
- Access controls enforced with least-privilege
- Third-party security requirements documented in processor agreements
Breach response
- 72-hour notification decision tree documented and tested
- Breach register maintained with all required fields
- Post-incident review conducted after each significant incident
The documentation principle
Every AEPD sanction resolution contains a section in which the regulator assesses the organisation’s documentation of its compliance measures. Organisations that produce clear, contemporaneous records consistently receive lower sanctions than those that produce retrospectively assembled documentation or none at all.
The inverse is also true. An organisation that has invested in genuine compliance but cannot produce the documentation to demonstrate it is effectively in the same position as one that did nothing—at least during the enforcement proceeding.
Build the evidence at the time of the process, not at the time of the investigation.