
The Spanish data watchdog ramps up enforcement with fines totalling over €35.5 million in FY24

The Spanish Data Protection Agency (AEPD) has recently published its FY24 report. The report shows a significant rise in the total value of fines, despite a notable decrease in the number of sanctions, reflecting a shift in the AEPD’s strategy towards addressing more severe breaches with higher penalties.

In this post, we explore the report’s key findings and examine the AEPD’s priorities for enforcement over the past year.

This post is part of our annual series analysing AEPD enforcement trends. For further insights, feel free to revisit our reviews of FY23 here and FY22 here.

Record-breaking fine amounts despite fewer sanctions

In FY24, the total value of fines imposed by the AEPD reached a record-high €35,592,200, compared to €29,817,410 last year – representing an increase of 19.4%.

The number of sanctions, however, did not follow the AEPD’s previous upward trend. The agency issued fewer fines (281 compared to 367), but with an average value of €127,000 – 57% higher than the previous year.

This trend highlights a key shift in the AEPD’s priorities: the agency is now focused on more complex cases involving significant fines, rather than minor, lower-risk infringements. As stated in the report, these cases reflect “the greater complexity of data processing activities, their wider scope, and consequently their greater impact on infringements”.

The AEPD's focus appears to lean towards high-impact breaches rather than smaller, less critical violations.

The highest fines of 2024

In 2024, the AEPD issued 10 fines exceeding €1 million, a sharp rise compared to only 3 such fines in 2023, all three of which were imposed on Spain’s largest banks.

Below are the top five fines:

  1. €5 million – Imposed on an energy company for breaching principles of fairness, transparency, and accountability in a fraudulent procurement process.
  2. €4 million – Issued to an insurance provider after a cybercriminal exploited the credentials of an insurance broker. The AEPD investigation found inadequate security measures in place.
  3. €3.5 million – Issued to a bank for flaws in its computer application design, resulting in a breach of client confidentiality.
  4. €3.5 million – Imposed on an energy company for vulnerabilities in its web application that led to a data breach.
  5. €3 million – Issued to another energy firm for failing to analyse risks inherent in its data processing practices, such as storing personal data from different data controllers in a single database without adequate safeguards.

The other five fines ranged between €1 million and €1.3 million and targeted two telecommunications companies, two banks, and the national football league.

These substantial fines were predominantly connected to security breaches, insufficient security measures, and violations of data protection principles such as data protection by design and by default. The AEPD prioritised cases that affected data confidentiality and integrity, reflecting an increased focus on safeguarding against security threats and privacy breaches.

Top 5 most sanctioned sectors

In total, five industries accounted for nearly 77% of the entire fine amount (€27.5 million). This concentration of enforcement highlights the AEPD’s focused scrutiny of a few high-risk sectors:

  1. Energy and water supply – €11.6m, 33% of the total.
  2. Finance and banking – €5.3m, 15% of the total.
  3. Internet services – €4.5m, 13% of the total.
  4. Telecommunications – €3.3m, 9% of the total.
  5. Fraudulent hiring – €2.5m, 7% of the total.

The remaining industries accounted for €8.1 million, or 23% of all fines.

Decrease in number of complaints

For the first time in recent years, the total number of complaints filed with the AEPD decreased. In 2024, 18,855 claims were recorded, a 13% reduction compared to last year. Nevertheless, this figure remains the second highest in the AEPD’s history, marking sustained public attention to personal data protection.

One factor driving this decline may be the AEPD’s “guided mailbox system”, which helps users evaluate whether their complaint falls under the AEPD’s jurisdiction before they file. This likely reduced the volume of misfiled or irrelevant complaints.

Sectors receiving the highest volume of complaints include:

  1. Video surveillance – 3,411 complaints (up 19% from last year).
  2. Internet services – 3,141 complaints (up 8%).
  3. Trade, transport, and hospitality – 1,633 complaints (up 7%).
  4. Advertising – 1,297 complaints (down 74%). This sector saw a dramatic improvement, falling from the top complaint source in 2023.
  5. Finance and banking – 1,219 (down 12%).

These five sectors accounted for 57% of all complaints received by the AEPD.

Rise in personal data breaches reported

The AEPD reported a total of 2,933 notifications of personal data breaches in 2024 – a sharp 46% increase compared to 2023.

Approximately 16% of breaches originated in the public sector, while the remaining 84% came from private organisations.

The AEPD issued resolutions in 13 cases requiring organisations to notify individuals of data breaches. An additional 15 cases were referred for deeper investigation by the AEPD Inspectorate.

Over 100 million people may have been affected by data breaches in some capacity during 2024. This highlights the growing need for robust security measures and rigorous risk analyses.

Future challenges for privacy

The AEPD’s report highlights key areas that will shape the future of privacy regulation in Spain and within the broader EU framework.

1| AI Regulation: Aligning with the GDPR

The EU AI Act introduces a new compliance landscape, complementing the GDPR but adding complexity. AI systems, particularly those involving profiling or decision-making, often process sensitive personal data, creating heightened risks of non-compliance.

The AEPD has emphasised the need for cross-disciplinary collaboration between AI and data protection regulators. Businesses using AI must account for GDPR principles such as fairness, transparency, and proportionality while complying with the AI Act’s requirements for risk management, algorithm accountability, and non-discrimination.

Past AEPD enforcement categories, such as facial recognition and automated decision-making, suggest these will remain high-risk areas of scrutiny in the coming years.

2| Genetic and biometric data handling

Sensitive data types like genetic and biometric data present unique challenges. They hold deep personal insights and, if compromised, cannot be revoked or replaced, unlike passwords or user IDs.

The Worldcoin case (where iris scans were used in exchange for cryptocurrency) is a notable example of the concerns surrounding such processing. The AEPD ordered its suspension in Spain, citing insufficient safeguards and transparency.

In response, the AEPD issued a biometric guidance document in 2024, emphasising mandatory DPIAs and urging entities to evaluate adequacy, necessity, and proportionality before adopting such technologies. Expect similar scrutiny of workplace applications using biometrics for tracking or access control.

3| Rising cybersecurity threats

Growth in data breaches has made security an even more critical concern for data protection authorities globally, and Spain is no exception. As discussed, according to the FY24 report, there were 2,933 personal data breach notifications – a 46% increase compared to the previous year.

This trend is likely to intensify, given the continued rise in cybersecurity threats such as ransomware attacks, phishing, and insider risks. Organisations must not only strengthen security measures but also step up internal governance structures to ensure resilience.

Looking ahead

The FY24 report highlights the AEPD’s shift towards addressing more significant data protection challenges through stronger enforcement and record-high fines.

Looking forward, the AEPD’s approach highlights the importance of proactive compliance strategies that incorporate privacy-by-design and strong governance practices. 

If you would like to learn more, feel free to reach out to us.
