The Spanish Data Protection Authority (AEPD) publishes its Annual Report summarizing last year’s activities including enforcement cases


This Annual Report comprehensively collects the activities carried out by this institution, most relevant facts and figures, outstanding trends, the most relevant decisions and procedures of the year. It includes further an analysis of present and future challenges in the privacy arena in Spain.

The AEPD underlines that its activity through 2020 has been marked by the work carried out to guarantee health care measures, control of the pandemic and the fundamental right to data protection, as well as by the adoption of organizational decisions to maintain the internal level of activity in the circumstances required by COVID-19, so that the system of guarantees for citizens set out in the personal data protection regulations could not be affected.

The DPA has continued to respond to the challenge of assuming the effects that the General Data Protection Regulation (RGPD) has for the development of data protection policies. The work of the AEPD in the EDPB has increased and so has the number of cross-border procedures.

AEPD issued a total of 393 enforcement procedure decisions (16% more than the previous year), although of them only in 172 cases a sanction was imposed. The most frequent areas in enforcement procedures are video surveillance (24%), internet services (19%), Public Administrations (10%) and telecommunications (7%). The most punished sectors with a fine are financial institutions / creditors (5.045.000 euros) and telecommunications (1.009.000 euros). Both account for 76% of the global amount of penalties, which in 2020 amounted to 8.018.800 euros, an increase in amount of 27% compared to 2019. Note that a few months later, in early 2021, major sanctions amounting to 6 and 8,1 Mio euros were imposed to financial institutions and telecoms respectively.

A few of the rest of figures pointed out by the AEPD are the following:

  • 10.324 claims have been filed, a figure that rises to 11,215 including cross-border cases, cases in which the Agency acts on its own initiative and security breaches.
  • The rate of claims resolved versus claims received has increased by 5% compared to the previous year, a remarkable figure considering the pandemic situation, clearly showing that such circumstances have not diminished the operational capacity of the authority.
  • The complaints most frequently raised by citizens in 2020 refer to internet services (16%), improper usage of delinquency files (15%), video surveillance (12%), advertising (except spam) (7%) and debt claim (6%).
  • 2.157 claims have been resolved as a result of having obtained, after their communication to the data controller, a satisfactory response from the data controller ore the data processor.

The number of cooperation procedures in which the participation of the DPA has been requested by other European data protection authorities is noteworthy. In general, they have increased by 15% (1.210 cases) compared to 2019.Draft decisions in which another European data protection authority has requested the DPA's participation have increased by 114% and requests for assistance by 123%.

Regarding the judgments of the National Court ( Audiencia Nacional) relapsed in the appeals filed against resolutions of the DPA, of the 77 judgments handed down in 2020, 56 (73%) were dismissed or inadmissible. On the other hand, the Supreme Court ( Tribunal Supremo) has issued 18 judgments, with a percentage favorable to the AEPD of 95%.

As far as notifications of personal data breaches are concerned, these are initially received by the Division of Technological Innovation (DIT), which carries out a first analysis. The DIT has received and analyzed 1.370 notifications of data breaches in 2020, of which only 6% (81) have been referred to the Inspection Division (i.e. requiring an in-depth investigation). Moreover, the tool Comunica Brecha was launched in order to help data controllers in their decision to communicate the security breach to the data subjects.

Almost 1.400 questions have been raised with the DPA's “Youth Channel”. The most frequently asked queries have been related to the processing of personal data of the students for the exercise of the educational function, largely associated with the situation caused by the pandemic.

Finally, a lot of attention has been put on the a tool called “Priority Channel”, whose objective is urgent handling in the event of illegitimate dissemination on the Internet of sensitive content, a relevant project that was consolidated during last year. The involvement of the AEPD has achieved, in a very short time, the withdrawal of photographs and videos of sexual or violent content disseminated through the internet without the consent of the data subjects, often belonging to vulnerable groups. A total of 358 requests have been received through the Priority Channel, of which 174 have entered through the channel for minors. After their analysis, 49 of these requests have been processed as urgent because they are within the objectives pursued by this Channel. Of the 49, 29 urgent withdrawals of the content have been requested from service providers, achieving the withdrawal in more than 86% of the cases.


Article provided by: Belén Arribas (Belén Arribas Sánchez Abogada, Spain)



Discover more about INPLP, the INPLP-Members and the GDPR-FINE database

Dr. Tobias Höllwarth (Managing Director INPLP)

What is the INPLP?

INPLP is a not-for-profit international network of qualified professionals providing expert counsel on legal and compliance issues relating to data privacy and associated matters. INPLP provides targeted and concise guidance, multi-jurisdictional views and practical information to address the ever-increasing and intensifying field of data protection challenges. INPLP fulfils its mission by sharing know-how, conducting joint research into data processing practices and engaging proactively in international cooperation in both the private and public sectors.