Spain’s Data Protection Authority Pivots Towards AI, Cybersecurity and Digital Governance

Spain’s Data Protection Authority (AEPD) has published its 2025 Annual Report, revealing far more than simply another year of GDPR enforcement activity.

While the headline figures are substantial – including record fines and a sharp increase in sanctions, which we analyse separately in our companion article on the AEPD’s 2025 enforcement trends – perhaps the more significant development is the regulator’s broader strategic evolution.

The report strongly suggests that the AEPD is no longer positioning itself merely as a traditional data protection authority. It is increasingly emerging as a broader digital governance regulator focused on artificial intelligence, cybersecurity resilience, biometrics and the societal impact of data-driven technologies.

For businesses operating in Spain, this shift matters.

The era of “light-touch GDPR compliance” is fading

For many years, organisations often approached GDPR compliance primarily as a documentation exercise centred around privacy notices, policies, cookie banners and internal procedures.

The AEPD’s 2025 report indicates that this approach is becoming increasingly insufficient.

The regulator is now concentrating far more heavily on issues capable of creating genuine operational, technological and reputational risk. In practice, this means organisations are increasingly likely to face scrutiny in areas such as cybersecurity failures, data breaches, AI tools, biometric systems, employee monitoring, governance deficiencies and large-scale analytics.

The AEPD itself expressly states that it intends to prioritise cases with the “greatest real impact” on individuals and fundamental rights.

This marks an important evolution in regulatory thinking. Privacy supervision is becoming more operational, more risk-based and increasingly connected to broader digital governance concerns.

AI is now central to the regulator’s thinking

If one theme dominates the 2025 report, it is artificial intelligence.

The AEPD repeatedly identifies AI as one of the defining regulatory challenges of the coming years. Importantly, this is not merely theoretical positioning. The authority has already started adapting internally, adopting its own “AI-first” strategy, launching internal AI initiatives and deploying generative AI tools within the organisation itself.

At the same time, the regulator is actively preparing for the implementation of the EU AI Act and positioning itself as a key institutional actor in the governance of emerging technologies.

Particularly noteworthy is the AEPD’s recent publication of detailed technical guidance on agentic artificial intelligence from a data protection perspective, making it one of the first supervisory authorities in Europe to focus specifically on so-called “agentic” AI systems.

This is significant. While much of the current regulatory debate remains focused on chatbots and generative AI, the AEPD is already examining more advanced autonomous and semi-autonomous systems capable of independently interacting with users, digital environments and external systems.

The report also highlights a broad range of technologies now falling within the regulator’s field of attention, including:

  • automated decision-making;
  • biometric systems;
  • neurotechnologies;
  • digital identity systems;
  • addictive design patterns;
  • and algorithmic profiling.

The regulator is therefore increasingly engaging not only with traditional privacy compliance issues, but also with the wider societal and governance implications of emerging technologies.

Cybersecurity and privacy are becoming inseparable

Another major theme running throughout the report is the growing convergence between privacy, cybersecurity and digital resilience.

The AEPD expressly refers to the increasing “tension between privacy, cybersecurity and public security” as one of the central regulatory challenges ahead.

This reflects what many organisations are already experiencing in practice. Today, a data protection issue is rarely just a legal issue. It is often simultaneously a cybersecurity issue, a governance issue, a reputational issue, and potentially a board-level concern.

The authority’s growing focus on resilience, security failures and operational risk management closely mirrors wider EU regulatory developments such as NIS2, DORA and the Cyber Resilience Act.

In practical terms, privacy compliance is becoming increasingly operational. Businesses are now expected not only to maintain formal compliance documentation, but also to demonstrate robust governance, accountability and security structures capable of responding to evolving technological risks.

Biometrics remain under intense scrutiny

The report also confirms that biometric technologies continue to attract particularly close regulatory attention.

Facial recognition, fingerprint systems and AI-driven identity verification tools remain especially sensitive areas, particularly in workplace and access-control environments. The AEPD confirms that it is currently updating its biometric guidance and actively examining the use of biometric systems in employment contexts.

This is likely to be highly relevant for employers, retailers, security providers and technology companies.

The regulator’s concern is straightforward: biometric data is uniquely sensitive and, unlike passwords or credentials, cannot realistically be changed once compromised.

The message is therefore increasingly clear: organisations deploying biometric systems must be able to demonstrate necessity, proportionality and robust safeguards.

From GDPR watchdog to digital governance authority

One of the most interesting aspects of the report is institutional rather than statistical.

The AEPD openly states that it intends to move away from a purely reactive model and evolve into a more proactive regulator focused on prevention, technological anticipation and strategic supervision.

This includes engaging earlier with organisations, publishing more technical guidance and interpretative criteria, strengthening cooperation with industry and academia, and investing heavily in technical expertise.

The creation of the new AEPD Privacy Lab is a particularly good example. The initiative is designed to bring together regulators, researchers and technology specialists to analyse emerging privacy challenges before they evolve into large-scale enforcement issues.

In many respects, the AEPD increasingly resembles a broader digital governance authority – not merely a traditional GDPR watchdog.

Looking ahead

The overall direction is becoming increasingly difficult to ignore.

Privacy regulation in Spain is evolving into something broader, more operational and far more closely connected to cybersecurity, AI governance and technological resilience.

For organisations deploying AI systems, biometric technologies, extensive monitoring tools or large-scale analytics, regulatory scrutiny is likely to intensify significantly over the coming years.

As discussed in our separate analysis of the AEPD’s FY25 enforcement activity, this broader strategic shift is already being accompanied by record enforcement figures and increasingly high-impact sanctions.

The days when privacy compliance could be managed primarily through templates and paperwork are rapidly disappearing.

If you would like to discuss the implications of the AEPD’s 2025 report or review your organisation’s data governance framework, please feel free to get in touch with us.

Ceyhun Necati Pehlivan
