Record GDPR Fines in Spain in 2025: 325 Sanctions Totalling an Unprecedented €48.1 Million

The Spanish Data Protection Agency (AEPD) has published today its FY25 Annual Report, confirming a significant intensification of enforcement activity across Spain.

The figures are striking. In 2025, the regulator imposed 325 GDPR fines totalling approximately €48.1 million – the highest enforcement amount in the authority’s history and roughly 35% higher than the previous year, when fines totalled €35.6 million.

At the same time, the number of sanctions also increased materially, rising from 281 in FY24 to 325 in FY25. While enforcement levels remain below the exceptionally high figures seen in 2022 and 2023 – when 378 and 367 sanctions were imposed respectively – the overall trend clearly points towards renewed enforcement growth.

The significance of these figures goes beyond the headline numbers. They confirm that the AEPD’s stronger enforcement posture is no longer limited to a small number of exceptional “mega fines”. Enforcement is now increasing both in value and in volume.

This post forms part of our annual series analysing AEPD enforcement trends. For our separate analysis of the AEPD’s growing focus on AI, cybersecurity and digital governance, see our companion article.

Record fines – and a return to increasing sanction volumes

One of the most notable aspects of the FY25 report is that both key enforcement indicators increased simultaneously.

Last year, the AEPD imposed fewer sanctions but significantly higher-value fines, suggesting a strategic focus on more serious and complex infringements. In FY25, however, both the number of sanctions and the total value of fines increased sharply.

According to the authority itself, this reflects not only the increasing number of complaints and investigations reaching the regulator, but also the growing complexity, scale and impact of the processing activities under scrutiny.

The broader trend is becoming increasingly clear: the AEPD is focusing less on formalistic or low-level infringements and more on operational failures capable of creating real-world harm.

In practice, this means increasing scrutiny of cybersecurity failures, personal data breaches, governance deficiencies, large-scale customer data processing activities, insufficient technical and organisational measures, and broader accountability failures.

Eleven fines above €1 million

The AEPD imposed 11 fines exceeding €1 million during 2025 – another indication of the regulator’s increasingly robust enforcement posture.

The largest sanction of the year was a €10 million fine imposed on Aena, the state-owned airport operator and one of the largest airport management companies globally.

The case concerned the use of biometric identification systems for passengers across eight Spanish airports. According to the AEPD, Aena carried out a “high-risk” biometric processing operation without adequately justifying the necessity and proportionality of the system or conducting a sufficiently robust data protection impact assessment (DPIA).

The authority was particularly critical of the use of “one-to-many” (1:N) biometric identification technology, which involves actively comparing an individual against a pre-existing database of identities. According to the AEPD, this type of processing creates elevated risks for individuals’ fundamental rights and freedoms.

The case is particularly significant because it confirms the regulator’s increasingly strict approach towards biometric technologies, especially where large-scale identification systems are deployed in public-facing environments.

Other major fines included:

  • €4 million against Xfera Móviles;
  • €3.2 million against Carrefour;
  • €1.8 million against Informa;
  • €1.6 million against ING;
  • €1.6 million against Hyundai;
  • €1.5 million against Sprinter Megacentros del Deporte;
  • €1.5 million against Carrefour Soluciones Financieras;
  • €1.4 million against Repsol;
  • €1.2 million against IDCQ Hospitales; and
  • €1 million against Cecotec Innovaciones.

Under Spanish law, fines exceeding €1 million that become final and enforceable must be published in the Official State Gazette, adding a significant reputational dimension to major GDPR infringements.

Internet services, retail and data breaches dominate enforcement

The sectors attracting the highest overall sanction amounts in FY25 were internet services, commerce/transport/hospitality, personal data breaches, energy and water, financial services and telecommunications.

Internet services ranked first, accounting for approximately €11.4 million in fines – around 24% of the total amount imposed during the year.

Commerce, transport and hospitality followed closely behind with €10.7 million in sanctions, representing approximately 22% of the total. Particularly noteworthy was the sharp increase in enforcement affecting this sector compared to previous years.

Cases involving personal data breaches also featured prominently, with almost €9.8 million in fines, equivalent to roughly 20% of the annual total.

Together, these six sectors accounted for more than €40 million in sanctions – approximately 83% of the total value of fines imposed during the year – illustrating the increasingly concentrated nature of GDPR enforcement in Spain.

The broader pattern mirrors a trend increasingly visible across Europe. Regulators are focusing more heavily on sectors that process large volumes of customer data, rely extensively on digital platforms, operate complex customer ecosystems or face elevated cybersecurity risks.

The growing importance of breach-related enforcement is particularly notable. Increasingly, GDPR enforcement is becoming closely intertwined with cybersecurity governance and operational resilience.

More than 30,000 complaints – the highest figure ever recorded

The increase in enforcement activity also coincided with an unprecedented rise in complaints.

The AEPD received 30,931 complaints during FY25 – the highest number in the regulator’s history and a dramatic 64% increase compared to the previous year, when 18,855 complaints were recorded.

According to the authority itself, this increase reflects growing public awareness both of privacy rights and of the possibility of filing complaints directly with the regulator.

Internet services generated the highest number of complaints overall, with 5,134 complaints received during the year – a 63% increase compared to FY24. This aligns closely with the enforcement figures, as internet services also represented the most heavily sanctioned sector overall.

Video surveillance followed closely behind with 4,050 complaints, approximately 19% more than the previous year.

Spain has historically been one of the stricter EU jurisdictions when it comes to CCTV and workplace monitoring, and this remains one of the regulator’s most active supervisory areas.

More broadly, however, the figures highlight something important: individuals are increasingly aware of their privacy rights and increasingly willing to exercise them.

For organisations, this significantly increases the likelihood of regulatory exposure – including in relation to relatively routine operational practices.

A more strategic and operational regulator

The FY25 report confirms that the AEPD is becoming increasingly operational, strategic and technologically focused in its enforcement approach.

The authority is no longer concentrating primarily on documentation deficiencies or purely formal compliance failures. Instead, it is increasingly targeting systemic weaknesses capable of affecting individuals at scale.

As discussed in our separate article on the AEPD’s broader regulatory strategy, this increasingly includes areas such as AI governance, cybersecurity resilience, biometric technologies and digital risk management.

For businesses operating in Spain, GDPR compliance is therefore becoming progressively less about paperwork and increasingly about operational governance, cybersecurity and organisational accountability.

The overall direction is difficult to ignore: enforcement pressure in Spain continues to intensify, and the regulator appears increasingly willing to pursue large-scale and high-impact cases.

If you would like to discuss the implications of the AEPD’s FY25 enforcement trends or review your organisation’s data governance framework, please feel free to get in touch with our team.

Ceyhun Necati Pehlivan
