Receiving a notification from the Spanish [Data Protection](/en/glossary/data-protection-spain) Agency (AEPD — Agencia Española de Protección de Datos) is a situation that understandably causes alarm in any company. However, as with any administrative penalty procedure, the right response in the early stages largely determines the outcome: proper management can reduce the penalty, demonstrate the company's good faith and, in some cases, result in the case being closed.
Types of AEPD Actions
Not every contact between the AEPD and a company has the same scope. It is essential to identify from the outset which type of action is being faced:
- Prior information request: The AEPD requests information about data processing activities, the legal bases applied, security measures or the response to a rights request. This does not mean a penalty procedure has been opened, but it may be a precursor to one.
- Prior investigation actions: The AEPD investigates whether potential infringements exist before deciding whether to open formal penalty proceedings. At this stage the company can voluntarily provide information to improve its position.
- Decision to open penalty proceedings: This is the formal notification that the AEPD has decided to open a penalty file. From this point, the company has specific rights and deadlines.
- Draft resolution: The investigating officer formulates their draft resolution, setting out the specific infringement and the proposed penalty. The company has a period to submit observations.
- Final decision: The AEPD issues its final decision with the definitive penalty, which can be appealed.
What to Do in the First 48 Hours
Upon receiving any AEPD notification:
- Identify the type of action and the response deadline. Deadlines in administrative penalty proceedings are strict. Failing to correctly identify the deadline from the outset can result in the loss of defence rights.
- Do not respond directly without professional advice. Incorrect responses in the early stages can consolidate positions that are difficult to reverse later.
- Designate representation. If you do not have an external DPO or a specialist data protection firm, this is the time to engage one. The AEPD acknowledges and values the company’s cooperation in resolving the issue.
- Gather internal documentation. Collect all information about the data processing in question: legal bases applied, Records of Processing Activities (RoPA), privacy policy, contracts with data processors, security measures implemented.
- Assess available remedial measures. Taking measures to correct the identified problem before the decision is issued is one of the factors the AEPD takes into account when reducing penalties.
The Main Causes of AEPD Penalties
Analysis of penalty decisions published by the AEPD identifies the most common issues:
- Lack of a legal basis for processing customer or employee data
- Failure to comply with the information duty (no privacy policy or incomplete information clauses)
- Processing data without adequate security measures and unreported security breaches
- Sharing data with third parties without a data processing agreement (where a supplier accesses the company’s customer data)
- Inadequate response to rights requests (access, rectification, erasure, objection)
- International data transfers without adequate safeguards (use of US cloud services without standard contractual clauses)
How to Minimise the Penalty
The AEPD takes several factors into account that can significantly reduce the penalty amount:
- Active, transparent cooperation during the investigation
- Adoption of remedial measures before the decision is issued
- Evidence that the company had a prior data protection system (even if incomplete)
- Limited harm to data subjects
- Absence of prior penalty history
- Voluntary notification of the security breach to the AEPD
How BMC Can Help
Our data protection team manages representation of companies in AEPD penalty proceedings, from the initial notification analysis through to the submission of observations and, if necessary, judicial review before the Audiencia Nacional.
If you have just received an AEPD notification or would like a preventive review of your company’s GDPR compliance before an inspection occurs, contact our team. Our outsourced DPO service includes ongoing compliance monitoring and a prompt response to any AEPD action.
Specific Legal Framework
The AEPD penalty procedure is governed by several rules that the investigated party should know in order to exercise their rights:
- Regulation (EU) 2016/679 of 27 April (GDPR), Arts. 58 and 83: Powers of investigation of the supervisory authority (Art. 58.1) and criteria for imposing administrative fines (Art. 83). Article 83.2 lists the factors that determine the amount: nature, gravity and duration of the infringement, intent, measures taken to mitigate the damage, degree of responsibility, cooperation with the authority.
- Organic Law 3/2018 of 5 December (LOPDGDD), Arts. 64–72: Governs the AEPD’s procedure for actions and penalties. Article 64 establishes the presumption of innocence; Article 71 sets the maximum procedure duration at 12 months. Article 72 lists very serious infringements (up to €20M or 4% of global turnover); Article 73, serious infringements (up to €10M or 2%); Article 74, minor infringements (up to €40,000).
- Ley 39/2015 of 1 October, Common Administrative Procedure Act (LPAC), Arts. 63–95: Procedural framework for penalty proceedings: investigation, draft resolution, observations, decision and appeals. Article 89 governs the infringement prescription period (1 year for minor, 2 for serious, 3 for very serious).
- GDPR, Art. 77 and LOPDGDD, Art. 51: Right to file a complaint with the AEPD as a data subject. Both rules are relevant for understanding how and why the AEPD receives the complaint that initiates the procedure.
- Judicial review: The Audiencia Nacional has first-instance jurisdiction over appeals against AEPD decisions (Article 26.2 of Ley 29/1998 on Administrative Judicial Review). The deadline is 2 months from notification of the decision.
Most Common Penalties for SMEs (AEPD data 2024–2025)
| Infringement | Type | Typical penalty range for SMEs |
|---|---|---|
| Lack of legal basis for processing | Very serious (Art. 72 LOPDGDD) | €10,000 – €150,000 |
| No information provided to data subjects | Serious (Art. 73) | €5,000 – €60,000 |
| Unreported security breach | Very serious | €20,000 – €300,000 |
| Data shared with processor without contract | Serious | €8,000 – €80,000 |
| Failure to respond to ARCO rights | Serious | €5,000 – €40,000 |
Practical Example: Penalty Procedure at a Dental Practice (36 Employees)
Scenario: The AEPD receives a complaint from a patient because the clinic shared their dental record with an external professional without consent. The clinic has no DPO or Records of Processing Activities (RoPA).
| Phase | Clinic’s action | Outcome |
|---|---|---|
| Prior information request | Without legal advice: vague response, no mention of existing security measures | AEPD considers response insufficient and opens proceedings |
| Decision to open proceedings (with BMC representation) | Appointment of external DPO, preparation of RoPA, updated privacy policy, documented staff training | Remedial measures evidenced before draft resolution |
| Draft resolution | Very serious infringement (GDPR Art. 9, health data): proposed penalty €80,000 | Observations: cooperation, no prior history, remedial measures adopted, limited harm |
| Final decision | 50% reduction for mitigating circumstances | Penalty: €40,000 vs initial €80,000 |
| Appeal (not filed) | — | Penalty becomes final |
The difference between acting without legal advice and acting with specialist representation was a €40,000 reduction, plus correction of the system to prevent future penalties.
Common Mistakes BMC Helps Avoid
- Responding directly to the prior information request without legal advice. The prior information request is not a penalty procedure, but what is declared in it forms part of the file and can be used as evidence. A response that acknowledges the problem without context can aggravate the company’s position.
- Not adopting remedial measures before the draft resolution. The GDPR (Art. 83.2.c) and the LOPDGDD specifically value measures adopted to mitigate harm prior to the decision. Waiting for the penalty to correct the system eliminates one of the main reduction factors.
- Confusing the deadline for the administrative review with the judicial review deadline. The administrative review (reposición) before the AEPD is optional and has a 1-month deadline. If filed, the 2-month period for judicial review runs from the reposición decision. Confusing the deadlines can result in the right of action lapsing.
- Not voluntarily notifying the security breach within the deadline. The GDPR requires security breaches to be notified to the AEPD within 72 hours of becoming aware of them (Art. 33). Voluntary notification is a mitigating factor; omission is an aggravating factor.
- Not evidencing the prior compliance system. The existence of a data protection system — even if incomplete — before the infringement is a penalty reduction factor. Without documented evidence (privacy policy, registers, training), the company cannot establish this point.
Next Steps
- Identify the exact type of AEPD action (information request, prior investigation or formal penalty procedure) and the response deadline
- Appoint a professional representative before the AEPD before making any response or statement
- Gather all documentation on the affected processing: legal bases, RoPA, privacy policy, processor contracts, security measures
- Identify and adopt available remedial measures to evidence correction before the draft resolution
- Review the Records of Processing Activities (RoPA) and update it in accordance with GDPR Article 30
- Assess whether the situation that triggered the AEPD action also constitutes a security breach that must be notified within 72 hours