AEPD Spain: DNI, NIE, and LATAM Identifiers
Spain's data protection authority, the AEPD, issued 847 enforcement decisions in 2023. That is the highest count of any EU regulator. Single fines are often smaller than Irish DPC or Dutch AP cases. But the volume creates real risk for any company with Spanish operations.
AEPD's AI Enforcement Framework
Spain's regulator has published the EU's most detailed AI guidance for data protection. It covers two areas.
AI and GDPR guide (2020, updated 2024): This guide requires a DPIA for any AI system that processes personal data. It applies even when GDPR Article 35 thresholds are not met. That is one of the EU's broadest DPIA rules. Every company running AI on Spanish data must complete a DPIA before launch.
Spanish AI Act implementation: Spain is among the first EU states with a national AI registry for high-risk systems. The AEPD works with Spain's AI supervision body. Together they enforce both AI Act and GDPR rules. Companies face audit risk from both authorities.
Spanish National Identifiers: The Detection Gap
Generic NLP tools detect DNI and NIE with only 34% accuracy in Spanish documents. The AEPD reported this in its 2024 report. Each identifier has a structure that explains why generic tools fail.
DNI: Eight digits plus one control letter. The letter comes from the number's remainder when divided by 23. That value maps to a fixed letter sequence. Certain letters are excluded — it is not A-to-Z. This algorithm is Spain-specific. Generic tools skip it. A tool that checks only the digit pattern, without the modulus step, produces wrong results.
NIE: One prefix letter (X, Y, or Z), seven digits, then a control letter. The NIE is for foreign nationals in Spain. It covers tax and administrative use. Each prefix reflects a different issuance period. The control letter uses the same algorithm as the DNI. The NIE appears in employment contracts, tax filings, and residency records.
CIF business tax ID: One letter plus seven digits plus a control character. The opening letter shows company type. The control character uses a separate algorithm from the DNI and NIE.
Health card: Spain's health card format varies by region. Each autonomous community uses its own format. This makes automated detection harder than with a single national standard.
For more on identifier gaps across EU countries, see our EU identifier gap guide.
Latin American Identifiers: Compliance Across Markets
Spain's ties to Latin America push compliance demands beyond Spain. Any company serving Spanish-speaking markets needs broader PII coverage.
Mexico: The CURP is an 18-character alphanumeric code. It encodes birth date, sex, birth state, and name initials. The RFC is a 13-character tax ID for individuals and 12 characters for companies. Both appear in employment and tax records.
Argentina: The CUIL is an 11-digit number with a check digit. The CUIT uses the same format. The Argentine national ID is 7 to 8 digits. All three appear in payroll, banking, and government records.
Chile: The RUT and RUN are 7 to 9 digits, a dash, and a check digit. The check uses a modulus-11 algorithm. Every person and business in Chile has one. Detection must implement the check-digit step to avoid false matches.
Colombia: The national ID card is 8 to 10 digits. The NIT is nine digits plus a check digit and applies to businesses.
Full coverage for Spanish-speaking markets means both Spanish EU identifiers and Latin American national IDs. Our global PII identifier guide compares these to the US SSN, Indian Aadhaar, and other national IDs.
AEPD's 2024 Enforcement Breakdown
847 enforcement decisions is the EU's highest count. Spain's regulator achieves this through high complaint intake and active sector sweeps. Cases break down by sector:
Telecoms and financial services: 42% of resolutions. Main issues: unauthorized credit checks, excessive retention, and missing consent for marketing.
Healthcare and insurance: 22% of resolutions. Health data shared without consent, weak de-identification for research, and biometric processing for appointment systems.
Employment: 19% of resolutions. Employee monitoring, social media screening, and video surveillance without proper notice.
AI systems: A growing category. The authority found multiple Spanish companies running AI without completed DPIAs. That violates the AEPD's own AI guide.
The technical baseline for Spanish PII compliance is DNI and NIE detection with control letter validation. Add Spanish-language named entity recognition. Then add CURP, RUT, CUIL, and national ID card coverage for full Latin American support.
See our AEPD AI DPIA compliance guide for the full DPIA workflow under Spanish rules.