The Spanish AEPD imposes sky-high 367 fines and breaks record of complaints filed under GDPR in 2023, Ceyhun Pehlivan, Elena Valín, Casilda de Urbina

Knowledge

Welcome to the Knowledge Portal. You can browse, search or filter our publications, seminars and webinars, multimedia and collections of curated content from across our global network. Create an account and set your email alert preferences to receive the content relevant to you and your business, at your chosen frequency.

The Spanish Data Protection Agency (AEPD) has recently published its FY23 report. The report shows that AEPD has imposed a total number of 367 fines in 2023, amounting to approximately EUR 30 million. This represents an increase of 44% in value compared to the previous FY22. Accordingly, AEPD maintains its position as one of the most active data protection regulators in the EU.

The report also shows that the number of complaints filed with AEPD has reached record-breaking levels: a 43% increase compared to FY22.

In this post, we examine some of the key findings of the report and outline the high-risk areas in which companies may expect future enforcement from AEPD.

You can also take a look at our post on the AEPD's enforcement activities in the previous year here.

Record-breaking number of complaints

The FY23 report shows that the AEPD received a record-breaking number of 21,590 data protection complaints in 2023. This represents a 43% increase from the 15,128 complaints filed in the previous FY22.

Over the last three years, we have witnessed a new phase of explosive growth in the number of complaints filed with the AEPD, culminating in 2023 with 21,590 complaints. Accordingly, the number of complaints filed has doubled in the last 3 years.

Top 5 sectors in which most data protection complaints were filed with AEPD in 2023 are:

Advertising (excluding spam): 4,279 complaints
Online services: 2,897 complaints
Video surveillance: 2,843 complaints
Commerce, transportation, and hospitality: 1,504 complaints
Finance entities / creditors: 1,362 complaints

Particularly, the number of complaints in the AdTech sector have more than doubled compared to the previous year.

The report shows that only 8% of the complaints received by the AEPD in year 2023 eventually resulted in sanctioning proceedings. Also, 65% of the complaints received were not even admitted.

Increasing total value of fines

According to the report, the AEPD imposed a total of 367 fines in 2023. These fines amount to a total of approx. EUR 30 million, which represents an increase of 44% in value compared to the previous FY.

The total number of fines imposed decreased by 3% compared to the previous year.

However, the average fine imposed by AEPD in 2023 was in the region of EUR 81,000, which increased almost by 50%.

The highest fines of 2023

In 2023, AEPD issued three fines exceeding a million euros, all of them to large Spanish banks:

EUR 5m for a security breach that allowed one of its customers to access data related to another customer’s transactions.
EUR 2.5m for inadequate handling of customers’ personal data, as customers were only able to submit documents or information requested by the bank via email, a method deemed insecure by the AEPD.
EUR 1.18m for failing to prevent the identity theft of a customer whose card was stolen and for not having a procedure of security measures in place to protect data against risks.

Further, in 2023, Spain has also been involved, as a concerned authority alongside other supervisory authorities within the EU, in four proceedings against social media platforms. These proceedings are very significant given the magnitude of the sanctions imposed, with fines ranging from EUR 5.5 million to EUR 1.2 billion.

Top 6 most sanctioned sectors

The top 6 sectors in which the highest aggregated fines were imposed by the AEPD in 2023 are approximately:

Personal data breaches – EUR 13m
Finance – EUR 5.3m (due to the fines mentioned above to Spanish banks)
Data subject rights – EUR 2.6m
Fraudulent contracting – EUR 2.5m
Telecommunications – EUR 2m
Internet services – EUR 1m

The aggregated fines in relation to personal data breaches has increased from circa EUR 822,000 in 2022 to EUR 13 million in 2023, which represents an 1,500% increase.

Upcoming high-risk areas for enforcement

Given the worldwide rise in both the number and sophistication of cybersecurity attacks, coupled with the upward trend in aggregated fines in relation to these incidents by the AEPD, we anticipate that security breaches will become one of the enforcement priorities for the AEPD in the coming years.

Moreover, in recent months, we have seen a growing interest from the AEPD in the processing of biometric data. The AEPD has issued guidelines on the use of biometric data for access controls, as well as imposed several sanctions on entities for unlawful processing of biometric data, such as fingerprints.

The AEPD is also concerned about new data processing models based on AI. Accordingly, one of its enforcement priorities for the upcoming years will be the processing of personal data through the use of AI, such as automated decision-making and profiling. AEPD is expected to ensure that such AI systems meet the GDPR standards from their development. The EU’s AI Act will also play a key role in regulating AI systems.

Looking ahead

Given the increasing number of complaints from data subjects and enforcement appetite of the AEPD, companies processing personal data need to prioritise and reinforce their data protection compliance.

If you would like to learn more about strategies for avoiding or managing regulatory enforcement, reach out to us.

{

For especially severe violations, listed in Art. 83(5) GDPR, the fines can be up to 20 million euros, or in the case of an undertaking, up to 4 % of their total global turnover of the preceding fiscal year, whichever is higher.

https://www.edpb.europa.eu/our-work-tools/our-documents/guidelines/guidelines-042022-calculation-administrative-fines-under_en