The Spanish Data Protection Agency (AEPD) has recently published its FY22 report. The report shows that AEPD imposed a skyrocketing 378 fines in 2022, making it one of the most active data protection regulators in the European Economic Area (EEA). The report also shows that the number of complaints filed with AEPD has reached record-breaking levels. We examine some of the key findings of the report and outline the high-risk areas in which we expect future enforcement from AEPD.

Record-breaking number of fines

The AEPD’s record-breaking total of 378 fines in 2022 represents a 47% increase on the 258 fines issued in 2021. According to the report (citing a third-party source), this represents 40% of all fines imposed in the EEA.

The 378 fines amount to a total of EUR 20.7 million, which represents a decrease of 40% in value compared to the previous FY. The reason for this decrease is that AEPD had imposed several multi-million euro fines (EUR 5 million imposed on BBVA and EUR 6 million imposed on Caixa Bank) in 2021. However, the average fine imposed by AEPD in 2022 was in the region of EUR 55,000, a relatively significant amount.

The highest fines of 2022

In 2022, AEPD issued three fines exceeding a million euros:

  1. Google – EUR 10m, for unlawfully disclosing personal data to Lumen, an independent research project, and for infringing the GDPR’s right to be forgotten. This is so far the highest fine ever imposed by the AEPD in Spain.
  2. Caixa – EUR 2.1m, for unlawful processing of data and not meeting the GDPR’s consent requirements. AEPD has already imposed several significant fines in the banking sector.
  3. Amazon – EUR 2m, for unlawful processing of personal data and data relating to criminal convictions and offences.

Top 5 most sanctioned sectors

The top 5 sectors in which the highest aggregated fines were imposed by the AEPD in 2022 are:

  1. Internet services (due to the Google fine mentioned above) – EUR 11.5m
  2. Advertising (excluding spam) – EUR 2.3m
  3. Employment – EUR 2.2m
  4. Personal data breaches – EUR 822,000
  5. Fraudulent contracting – EUR 707,000

Record-breaking number of complaints

The report also shows that AEPD received a record-breaking 15,128 data protection complaints in 2022. This represents a 9% increase from the 13,905 complaints filed in FY21.

This significant increase may be explained by the fact that Spanish citizens are becoming increasingly aware of the importance of their personal data and their rights.

The top 5 sectors in which most data protection complaints were filed with AEPD in 2022 are:

  1. Internet services: 2,221 complaints
  2. Video surveillance: 2,196 complaints
  3. Advertising (excluding spam): 2,001 complaints
  4. Bad debtor files: 1,161 complaints
  5. Debt claims: 913 complaints

The report shows that only 11% of the complaints received by the AEPD in 2022 eventually resulted in sanctioning procedures. Almost 60% of the complaints received were not even admitted.

Upcoming high-risk areas for enforcement

AEPD is particularly concerned about new data processing models based on AI. Accordingly, one of its enforcement priorities for the upcoming years will be the processing of personal data through the use of AI, such as automated decision-making and profiling. AEPD is expected to ensure that such AI systems meet the GDPR standards from their development. The EU’s AI Act will also play a key role in regulating AI systems. For instance, AEPD has already initiated an investigation against ChatGPT, and its decision is yet to be released.

Another high-risk area for enforcement relates to the protection of children. The number of children with access to the Internet and to a wide range of devices has been steadily increasing. AEPD is expected to scrutinise more thoroughly how companies respect the privacy and security of minors.

Looking ahead

Given the increasing enforcement appetite of the AEPD, companies processing personal data need to double down on data protection compliance. If you would like to learn more about strategies for avoiding or managing regulatory enforcement, please get in touch.