Spain

Spanish Data Protection Agency investigation into BBVA over alleged General Data Protection Regulation violations (EXP202408496)

On 4 March 2026, the Spanish Data Protection Agency (AEPD) issued a ruling imposing a sanction of EUR 100'000 on Banco Bilbao Vizcaya Argentaria (BBVA) after confirming that the bank had infringed Article 6 of the General Data Protection Regulation (GDPR) by processing personal data without a valid legal basis. The facts established that the original SEPA mandate was linked to a cancelled account and that BBVA had certified that no active transfer was in place; the claimant’s consent had not ...

Content moderation regulation in proposed legislative package for digital platforms

On 3 February 2026, the President of the Government announced a package of five measures aimed at digital platforms. The announced measures include a proposed legislative reform to hold platform managers legally responsible where illegal or hateful content is not removed. Under the reform, algorithmic manipulation and the amplification of illegal content would also be classified as a criminal offence. Further, the President of the Government announced the creation of a tracking, quantificatio...

Investigation into X, Meta, and TikTok over alleged AI-enabled creation and dissemination of child sexual abuse material

On 17 February 2026, Spain's Council of Ministers voted to request the Public Prosecutor's Office to investigate and, where appropriate, prosecute potential crimes of sexual abuse material against minors on major social media platforms, including X, Meta, and TikTok. The Council of Ministers initiated the action under Article 8 of the Organic Statute of the Public Ministry to request an investigation into whether the platforms are facilitating child sexual abuse material through Artificial In...

Data Protection Agency investigation into Tools for Humanity Corporation and Worldcoin's data processing activities compliance with GDPR

On 16 February 2026, the Spanish Data Protection Agency (AEPD) issued a warning to Tools for Humanity regarding planned Orb-related processing operations in Spain. The company had informed the AEPD that it acts as sole data controller, that operations would relaunch in Barcelona in February 2026, that a new subscription-based rewards model would replace token-based rewards, and that the Worldcoin Foundation is no longer involved in processing due to anonymised multi-party computation. After r...

Caso No. 0000140/2025-00

Lawyer used Unidentified in proceedings before the TSJ Gran Canaria (Spain). Fabricated: Legal Norm | Referencia a una supuesta "Guía de buenas prácticas en la intervención con menores víctimas, 2018" atribuida al CGPJ: no existe constancia de tal guía ni de los datos de publicación alegados. Outcome: Monetary Sanction; Bar Referral.

Caso No. 0000140/2025-00

Fabricated: Legal Norm | Referencia a una supuesta "Guía de buenas prácticas en la intervención con menores víctimas, 2018" atribuida al CGPJ: no existe constancia de tal guía ni de los datos de publicación alegados. || False Quotes: Case Law | Cita atribuida y textual a la STS 494/2020 que no contiene las palabras atribuidas en el recurso; la sentencia existe pero no incluye el pasaje citado. || False Quotes: Case Law | Cita atribuida a la STS 104/2019 que no existe en el texto de la sentencia (la STS 104/2019 trata del 'caso Caronte' y no de la credibilidad de la víctima). || Misrepresented: Case Law | Numerosas sentencias citadas con número/fecha que no coinciden o que, aunque existen, versan sobre temas distintos al alegado (ej.: STS 282/2019, STS 387/2022, STS 845/2016 entre otras). || Fabricated: Case Law | Cita inexistente o numeración que no corresponde a una sentencia con el contenido alegado (p. ej. STS 798/2022 citada con doctrina sobre destrucción de pruebas, cita inexistente en la base de datos). || Fabricated: Other | Resumen del hallazgo del informe documental: 48 de 52 citas generadas por herramienta de IA y ninguna de las notas textuales reproducidas aparece en las sentencias invocadas.

Caso No. 0000140/2025-00

Guide on protecting privacy while using AI tools

On 27 January 2026, the Spanish Data Protection Agency (AEPD) released a guide on protecting privacy while using AI tools. The guide provides ten recommendations, including advising users not to upload personal data and, in particular, to avoid sensitive data such as health, financial, contractual, geolocation and travel or accommodation data. Further, the guide advises users to review AI service terms and select safer versions, noting data flows including cookies, IP addresses, tracking and ...

Updated frequently asked questions on data protection

On 21 January 2026, the Spanish Data Protection Agency (AEPD) published an updated Frequently Asked Questions (FAQ) section, aiming to provide small and medium-sized enterprises (SMEs) and privacy professionals with practical tools for regulatory compliance. The initiative forms part of the Strategic Plan 2025-2030 and addresses over 200 questions commonly raised by data controllers and citizens. The update introduces a new category specifically dedicated to the obligations of data controller...

Data Protection Agency published information note analysing risks arising from using third-party images in artificial intelligence systems

On 13 January 2026, the Spanish Data Protection Agency (AEPD) published an information note analysing the data protection implications of using third parties’ images in Artificial Intelligence (AI) systems. The note applies to AI providers, platforms, and users that upload, generate, modify, or disseminate images or videos of identifiable persons. It highlights visible risks, including sexualisation and synthetic intimate content, attribution of false events with reputational effects, decontextu

Sentencia 000126/2025

Lawyer appeared before the TSJ Gran Canaria. False Quotes: Case Law | Cita atribuida a la STS 494/2020 (08-10-2020) con pasajes sobre la idoneidad de explicar la tardanza en la denuncia por trauma; la Sala comprobó que la STS 494/2020 trata del tráfico de drogas y no contiene esos pasajes.

Sentencia 000126/2025

False Quotes: Case Law | Cita atribuida a la STS 494/2020 (08-10-2020) con pasajes sobre la idoneidad de explicar la tardanza en la denuncia por trauma; la Sala comprobó que la STS 494/2020 trata del tráfico de drogas y no contiene esos pasajes. || False Quotes: Case Law | Pasaje entrecomillado atribuido a la STS 104/2019 (26-02-2019) que la Sala no halló en las bases de datos; se trata de una cita textual apócrifa atribuida al Tribunal Supremo. || Fabricated: Case Law | Listado de numerosas sentencias del Tribunal Supremo (STS 282/2019; STS 387/2022; STS 845/2016; STS 65/2023; STS 798/2022; STS 381/2019; STS 787/2021) que, según la Sala, son invocadas en el recurso con afirmaciones o pasajes que no se constatan en las bases de datos consultadas. || Fabricated: Doctrinal Work | Mención de un 'Informe del Consejo General del Poder Judicial (CGPJ) sobre la credibilidad del testimonio infantil, 2019' que la Sala declara inexistente en las bases consultadas. || Misrepresented: Other | El tribunal identifica como práctica reiterada la inclusión de citas y extractos no verificables en el escrito de la acusación particular y lo atribuye a la confianza del letrado en lo que 'el algoritmo le propuso', calificando la conducta de negligente.

Sentencia 000126/2025

User recommendations regarding TikTok's international data transfers

On 22 December 2025, the Spanish Data Protection Agency issued user recommendations stating that TikTok continues to transfer European users’ personal data to third countries, including China, despite prior findings by European data protection authorities that such transfers do not comply with the General Data Protection Regulation (GDPR). The Agency noted that an Irish court temporarily lifted the suspension on these transfers pending a final ruling, but only subject to TikTok meeting strict...

National Commission for Markets and Competition order on on self and co-regulation systems for age-based content ratings

On 28 November 2025, the National Commission for Markets and Competition (CNMC) opened a consultation on draft Co-Regulation Agreement for rating of audiovisual programmes and content. The agreement sets a framework for applying the Code of Conduct for classifying audiovisual programmes and content, including a descriptor system. It involves the CNMC, the Ministry for Digital Transformation and Public Administration, audiovisual service providers, relevant user associations, and social organi...

Code of Conduct for the age rating of audiovisual programs and content

On 28 November 2025, the National Commission for Markets and Competition closes the consultation on the draft Code of Conduct for the age rating of audiovisual programs and content. It replaces the previous self-regulation code from 2004 and its subsequent updates, creating a unified framework for age ratings, content descriptors, and viewer protection, particularly for minors. The draft Code applies to signatory audiovisual service providers, including television and video-on-demand services...

Lawsuit concerning unfair competition as a result of data protection violations (Europa Press and others v Meta Platforms Ireland Limited / Ordinary Procedure 109/2024)

On 19 November 2025, the Commercial Court No. 15 of Madrid issued ruling No. 98/2025 in the case Europa Press and others v Meta Platforms Ireland (Ordinary Procedure 109/2024), partially upholding a claim brought by 87 Spanish media companies against Meta for unfair competition under Article 15.1 of the Unfair Competition Act (LCD). The court found that Meta had unlawfully processed the personal data of Facebook and Instagram users in Spain for behavioural advertising purposes between 25 May ...

Investigation into Meta over allegations that it tracked Android users' web activity and linked it to Facebook and Instagram identities

On 19 November 2025, the Prime Minister announced an investigation into Meta following findings by research centres in Spain, Belgium, and the Netherlands that the company allegedly used a hidden mechanism to track the web activity of Android users and link it to their Facebook and Instagram identities. The alleged practice may be in breach of the General Data Protection Regulation, the ePrivacy Directive, the Digital Markets Act, and the Digital Services Act. The Prime Minister noted that Me...

Package of measures to address threats in digital space, including disinformation and child protection

On 19 November 2025, the Prime Minister of Spain announced a package of measures to address threats in the digital space. The package focuses on online platforms and covers four areas, including disinformation, child protection, hate speech and social polarisation, and privacy. The package aims to implement the Prime Minister's proposals at the World Economic Forum's annual meeting of 2025. The proposal highlighted verifying identities through the European Digital Identity Wallet, mandating e...

Encryption Guide for Self-Employed Workers and Small and Medium-Sized Enterprises

On 18 November 2025, the Spanish Data Protection Agency (AEPD) released the Encryption Guide for Self-Employed Workers and Small and Medium-Sized Enterprises (SMEs), providing self-employed professionals and SMEs with a practical approach to implementing secure and appropriate encryption measures for a number of relevant scenarios. The Guide explains the purpose of encryption and sets out practical measures in a number of scenarios, such as email transmission, cloud storage and device protect...

Data Protection Agency clarification on General Data Protection Regulation regarding AI

On 11 March 2025, the Spanish Data Protection Agency (AEPD) published an article on artificial intelligence (AI) and data protection, referring to a recent publication by the UK's Information Commissioner's Office (ICO). The ICO's consultation on generative AI identified several points for clarification, including the requirement that incidental processing of personal data falls within the scope of data protection laws. The ICO stated that data protection rules apply to any processing of pers...

SAP A 1558/2025 - ECLI:ES:APA:2025:1558

Lawyer appeared before the AP Alicante. False Quotes: Case Law | Appellant's brief quoted paragraphs allegedly from STS 450/2025 that do not appear in that decision Outcome: Bar referral.

SAP A 1558/2025 - ECLI:ES:APA:2025:1558

False Quotes: Case Law | Appellant's brief quoted paragraphs allegedly from STS 450/2025 that do not appear in that decision

SAP A 1558/2025 - ECLI:ES:APA:2025:1558

Data Protection Authority investigation into World 2 Meet over alleged unnecessary collection of personal data

On 22 August 2025, the Spanish Data Protection Authority (AEPD) fined World 2 Meet EUR 70’000 for the unnecessary collection of personal data. The amount was reduced by 20 per cent to EUR 56’000 for acknowledgement of liability, and by a further 20 per cent to EUR 42’000 for voluntary payment. World 2 Meet, the travel division of the Iberostar Group, required a complainant to submit a copy of his identity document to complete traveller registration. The complainant argued this was unnecessary...

Data Protection Authority investigation into Vodafone over alleged direct marketing violations

On 18 July 2025, the Spanish Data Protection Authority (APED) rejected Vodafone Spain's appeal of an AEPD ruling, which found the company liable for direct marketing violations. On 8 May 2025, Vodafone Spain appealed the ruling from the AEPD in which it issued fines totalling EUR 20'000 for sending unsolicited commercial emails and failing to include an opt-out mechanism in emails. Vodafone claimed that there was a recording error in which another client, who had opted into the emails, was li...

Data Protection Agency guidance on its authority in accordance with EU's Artificial Intelligence Act

On 15 July 2025, the Spanish Data Protection Agency (AEPD) issued guidance clarifying that it can already act against prohibited AI systems that process personal data, before the EU Artificial Intelligence (AI) Act is fully in force. From 2 August 2025, supervisory and sanctioning provisions under Article 5 of the AI Act covering banned AI systems such as real-time biometric identification in public spaces, will begin to apply. Although Spain has not yet adopted its national AI law and the AE...

Data Protection Agency investigation into Spanish Tax Agency, Camerdata S.A. and Chamber of Commerce over alleged misuse of self-employed workers' personal data (Case No.: EXP202404644)

On 14 April 2025, Spain's Data Protection Agency issued a final ruling imposing EUR 1.8 million in fines against Informa D&B, a commercial data broker, over alleged misuse of self-employed workers’ personal data. The data flow begins with the Spanish Tax Agency providing personal information of self-employed workers to Chambers of Commerce for legitimate public purposes, including census creation, then moves to Camerdata, a company owned by the Chamber of Commerce, and finally reaches Informa...

Preliminary Draft Law for the proper use and governance of Artificial Intelligence, for the purposes set forth in Article 26.4 of Law 50/1997 was approved by Council of Ministers

On 11 March 2025, the Council of Ministers approved the Preliminary Draft Law for the proper use and governance of Artificial Intelligence (AI), for the purposes set forth in Article 26.4 of Law 50/1997, aligning Spanish legislation with the European AI regulation to ensure ethical, inclusive, and beneficial AI use. The draft law introduces a digital right to withdraw AI systems that cause serious incidents and mandates clear labelling of AI-generated content. Oversight responsibilities are assi

Catalan Data Protection Authority model for developing Artificial Intelligence solutions respecting fundamental rights

On 28 January 2025, the Catalan Data Protection Authority (APDcat) published a document titled: "Model for the EIDF: Guide and Use Cases”, which provides a practical methodology for conducting Fundamental Rights Impact Assessments (EIDF) in the design and development of artificial intelligence (AI) systems. This model aims to ensure that AI systems are developed in compliance with fundamental rights and data protection regulations. The first part of the document outlines the EIDF methodology,...

AEPD code of conduct for resolution of data protection disputes in electronic communications sector

On 17 December 2024, the code of conduct for regulating data protection disputes in the electronic communications sector adopted by the Spanish Data Protection Agency (AEPD) enters into force. The code introduces a mediation procedure for resolving disputes between citizens and member entities, covering issues such as data processing without legitimacy, unmet rights, improper credit system insertion, and fraudulent contracting. The procedure, supervised by the Advertising Jury of the Associat...

AEPD Outline on Blockchain and the Right of Deletion

On 13 November 2024, the Spanish Data Protection Agency (AEPD) published a technical note demonstrating the feasibility of constructing Blockchain infrastructures that comply with the General Data Protection Regulation (GDPR). The note outlines the fundamentals of Blockchain infrastructures, clarifies data protection concepts within this technology, and analyses real application cases. It proposes policies, including organisational and technical measures, to implement the right of deletion in...

Updated AEPD Guidelines on the use of cookies

On 11 January 2024, the updated guidelines on the use of cookies, aligning with the European Data Protection Board (EDPB) Guidelines 03/2022 on deceptive design patterns in social media platform interfaces, were implemented. The new version incorporates the Spanish Data Protection Authority (AEPD) criteria for presenting cookie acceptance and rejection options. The guideline outlines examples of how these options should be displayed, including colour, size, and placement considerations. The m...

AEPD technical note on LIINE4DU 1.0 methodology for threat modelling for privacy and data protection

On 24 October 2024, the Spanish Data Protection Agency (AEPD) adopted a technical note on LIINE4DU 1.0 methodology for threat modelling for privacy and data protection. The note seeks to aid organisations within the European Union in managing privacy risks while ensuring compliance with the General Data Protection Regulation. The note focuses on legitimate data processing and provides tools to assess and mitigate risks to data subjects' rights and freedoms. The methodology covers threat categ...

Extended Collective Licensing for the use of copyrighted works in Artificial Intelligence training

On 10 December 2024, the Ministry of Culture closes its consultation on a draft Royal Decree to introduce Extended Collective Licensing (ECL) for the use of copyrighted works in Artificial Intelligence training. The proposal, based on Article 12 of Directive (EU) 2019/790 on Copyright and Related Rights in the Digital Single Market (DSM Directive), would allow collective management organisations to grant non-exclusive licences for works whose rightholders have not individually authorised thei...

AEPD Report on addictive patterns in the processing of personal data

On 10 July 2024, the Spanish Data Protection Agency (AEPD) issued a Report on addictive patterns in the processing of personal data. The Report analyses platforms' uses of deceptive and addictive design patterns such as social engineering, and interface interference to increase user engagement and data collection. The Report establishes a three-tiered categorisation of deceptive patterns, providing examples of their respective uses. Finally, the Report emphasises the implications for data pro...

Anonymous Spanish Lawyer

Lawyer used Unidentified in proceedings before the Tribunal Constitucional. Outcome: Formal Reprimand (Apercibimiento) + Referral to Barcelona Bar for Disciplinary Action.

ATSJ NA 38/2024

Lawyer used CHATGPT 3 in proceedings before the TSJ Navarra. Fabricated: Legal Norm | Inclusion in the complaint of a quoted statutory provision 'artículo 454B del Código Penal' attributed to the Spanish Supreme Court; the Sala found the provision does not exist in Spanish law and corresponds to the Penal Code of Colombia, and traced the source to use of C...

ATSJ NA 38/2024

Fabricated: Legal Norm | Inclusion in the complaint of a quoted statutory provision 'artículo 454B del Código Penal' attributed to the Spanish Supreme Court; the Sala found the provision does not exist in Spanish law and corresponds to the Penal Code of Colombia, and traced the source to use of ChatGPT 3.

ATSJ NA 38/2024