The Spanish Data Protection Agency (AEPD) has recently published its FY23 report. The report shows that AEPD has imposed a total number of 367 fines in 2023, amounting to approximately EUR 30 million. This represents an increase of 44% in value compared to the previous FY22. Accordingly, AEPD maintains its position as one of the most active data protection regulators in the EU.
The report also shows that the number of complaints filed with AEPD has reached record-breaking levels: a 43% increase compared to FY22.
In this post, we examine some of the key findings of the report and outline the high-risk areas in which companies may expect future enforcement from AEPD.
You can also take a look at our post on the AEPD's enforcement activities in the previous year here.
Record-breaking number of complaints
The FY23 report shows that the AEPD received a record-breaking number of 21,590 data protection complaints in 2023. This represents a 43% increase from the 15,128 complaints filed in the previous FY22.
Over the last three years, we have witnessed a new phase of explosive growth in the number of complaints filed with the AEPD, culminating in 2023 with 21,590 complaints. Accordingly, the number of complaints filed has doubled in the last 3 years.
Top 5 sectors in which most data protection complaints were filed with AEPD in 2023 are:
- Advertising (excluding spam): 4,279 complaints
- Online services: 2,897 complaints
- Video surveillance: 2,843 complaints
- Commerce, transportation, and hospitality: 1,504 complaints
- Finance entities / creditors: 1,362 complaints
Particularly, the number of complaints in the AdTech sector have more than doubled compared to the previous year.
The report shows that only 8% of the complaints received by the AEPD in year 2023 eventually resulted in sanctioning proceedings. Also, 65% of the complaints received were not even admitted.
Increasing total value of fines
According to the report, the AEPD imposed a total of 367 fines in 2023. These fines amount to a total of approx. EUR 30 million, which represents an increase of 44% in value compared to the previous FY.
The total number of fines imposed decreased by 3% compared to the previous year.
However, the average fine imposed by AEPD in 2023 was in the region of EUR 81,000, which increased almost by 50%.
The highest fines of 2023
In 2023, AEPD issued three fines exceeding a million euros, all of them to large Spanish banks:
- EUR 5m for a security breach that allowed one of its customers to access data related to another customer’s transactions.
- EUR 2.5m for inadequate handling of customers’ personal data, as customers were only able to submit documents or information requested by the bank via email, a method deemed insecure by the AEPD.
- EUR 1.18m for failing to prevent the identity theft of a customer whose card was stolen and for not having a procedure of security measures in place to protect data against risks.
Further, in 2023, Spain has also been involved, as a concerned authority alongside other supervisory authorities within the EU, in four proceedings against social media platforms. These proceedings are very significant given the magnitude of the sanctions imposed, with fines ranging from EUR 5.5 million to EUR 1.2 billion.
Top 6 most sanctioned sectors
The top 6 sectors in which the highest aggregated fines were imposed by the AEPD in 2023 are approximately:
- Personal data breaches – EUR 13m
- Finance – EUR 5.3m (due to the fines mentioned above to Spanish banks)
- Data subject rights – EUR 2.6m
- Fraudulent contracting – EUR 2.5m
- Telecommunications – EUR 2m
- Internet services – EUR 1m
The aggregated fines in relation to personal data breaches has increased from circa EUR 822,000 in 2022 to EUR 13 million in 2023, which represents an 1,500% increase.
Upcoming high-risk areas for enforcement
Given the worldwide rise in both the number and sophistication of cybersecurity attacks, coupled with the upward trend in aggregated fines in relation to these incidents by the AEPD, we anticipate that security breaches will become one of the enforcement priorities for the AEPD in the coming years.
Moreover, in recent months, we have seen a growing interest from the AEPD in the processing of biometric data. The AEPD has issued guidelines on the use of biometric data for access controls, as well as imposed several sanctions on entities for unlawful processing of biometric data, such as fingerprints.
The AEPD is also concerned about new data processing models based on AI. Accordingly, one of its enforcement priorities for the upcoming years will be the processing of personal data through the use of AI, such as automated decision-making and profiling. AEPD is expected to ensure that such AI systems meet the GDPR standards from their development. The EU’s AI Act will also play a key role in regulating AI systems.
Looking ahead
Given the increasing number of complaints from data subjects and enforcement appetite of the AEPD, companies processing personal data need to prioritise and reinforce their data protection compliance.
If you would like to learn more about strategies for avoiding or managing regulatory enforcement, reach out to us.