AEPD Spain: AI and Employee DPA Rules
Updated for 2026
AEPD: EU's Top Enforcer by Volume
AEPD (Agencia Española de Protección de Datos) is Spain's privacy watchdog. It issued 847 fines in 2023. No other EU body came close. Total penalties that year topped €12M.
The agency works differently from most EU peers. It does not focus only on big fines. It also targets small firms, town halls, and mid-size groups. This spreads pressure across Spain's economy.
Top areas enforced in 2024:
- Camera and biometric checks (29% of cases)
- Marketing and unsolicited contacts (24% of cases)
- Staff monitoring and HR files (18% of cases)
- AI systems and auto decisions (15% of cases — rising)
- Health and special-class records (14% of cases)
AEPD's AI DPIA Rule
The regulator's 2024 Guía de adecuación al RGPD de tratamientos con IA sets one clear rule. Any AI tool that handles personal records needs a DPIA (Data Impact Assessment).
GDPR Article 35 asks for DPIAs when processing poses a high risk. That is a context test. The Spanish body takes a stricter view. Its guide says any ML tool that touches personal records triggers the DPIA rule. No case-by-case risk check is needed first.
Spanish groups must run and file DPIAs for:
- Customer-service chatbots
- Hiring screening tools
- Marketing tools
- Text-processing models (including anonymization tools)
- Any AI tool that handles staff or customer records
Each tool used in Spain needs its own DPIA file. This applies even if the tool seems low-risk.
AEPD Anonymization Standards
The agency's anonymization guide builds on CNIL's work. It adds Spain-specific rules for national IDs:
Spanish ID types:
- DNI (Documento Nacional de Identidad): 8-digit number plus a check letter
- NIE (Número de Identificación de Extranjero): Letter + 7 digits + letter, for foreign nationals
- NIF (Número de Identificación Fiscal): Same format as DNI, used for tax
- Número de Seguridad Social: Spanish Social Security number
The body notes that NER models often miss NIE numbers. Spain has a large immigrant population. Check your tools can find NIEs when you process files from non-Spanish nationals.
Spanish name patterns:
Spanish naming uses two surnames (apellidos compuestos). NER models trained on single-surname sets can fail here. The name "García López, Juan Carlos" has two surnames, not one. Spanish NER models must handle this.
AEPD Employee Monitoring Cases
Eighteen percent of cases involve staff monitoring. Spain limits employer control under the Estatuto de los Trabajadores (Workers' Statute). The regulator enforces these limits alongside GDPR.
Key positions from the authority:
- Keyloggers: Covert keylogger use is a GDPR breach in most cases. Screenshot tools need written proof and a fair-use check.
- GPS tracking: Allowed on work vehicles with clear notice to staff. Not allowed on personal vehicles.
- Email checks: Allowed with prior written notice and a policy. Content review needs extra proof.
- AI tracking tools: Any model that tracks staff behavior needs a DPIA. EDPB rules also apply.
Automated monitoring draws the most scrutiny from Spain's DPA.
AEPD-Compliant AI Documentation
Four document sets are required for Spanish groups using AI tools.
1. AI system inventory
List each tool that handles Spanish personal records. Note: system name, vendor, purpose, record types, keep period, and DPA status.
2. DPIA per system
Use the agency's published DPIA template. Cover:
- Purpose, legal basis, record types, and recipients
- A fair-use check
- A risk review for people affected
- Risk controls: both tech and process
- DPO notes (where a DPO is required)
3. Technical controls record
For each tool, note the controls that block unauthorized access:
- Pre-send filtering (PII removal before the model runs)
- Access controls on outputs
- Retention limits and their enforcement
- Breach detection and response steps
4. Staff monitoring policy
If any tool monitors staff, add a written policy. State the scope, give notice to staff, name the legal basis, and show a fair-use check.
AEPD audits start with the inventory and DPIAs. Groups with these files ready resolve audits much faster. Our GDPR compliance guide covers document scope. Our security compliance overview explains tech controls. For Spanish PII detection, see our multilingual PII detection guide.