THE SPANISH DPA ISSUES ITS LATEST REPORT: HOW DID THEY REDEFINE PRIVACY AND INNOVATION IN 2025?
In 2025, the AEPD experienced a period of intense institutional activity aimed at consolidating the seven strategic axes established in its Strategic Plan. The agency focused on technological modernization, regulatory compliance, innovation, collaboration, and adapting data protection governance to the challenges created by digital transformation and artificial intelligence.
One of the most important developments was the implementation of “A Smart Agency”, a strategy centered on integrating AI into administrative processes. The AEPD introduced its Generative AI Use Policy, becoming the first Spanish public institution to establish a structured framework for AI adoption and one of the first internationally. Following an “AI first” approach, the initiative seeks to improve efficiency, response speed, and service quality while ensuring appropriate governance and risk management.
This strategy led to several practical initiatives, including pilot projects using AI systems to support compliance campaigns and automated supervision activities. The agency also introduced AI tools for internal staff, combined with training programs and governance rules. Additional projects included AI-powered search systems, anonymization tools, and automated summaries. To support these developments, investments were made in local infrastructure and secure on-premises AI systems, especially for medium- and high-risk applications.
The second strategic axis focused on innovation with safeguards, highlighted by the launch of the Privacy Laboratory, conceived as a research and collaboration platform connecting the AEPD with universities, scientific institutions, and technological organizations. The laboratory promoted specialized publications, privacy dialogues, and academic initiatives aimed at strengthening research and knowledge exchange in data protection.
The agency also strengthened its proactive role regarding emerging technologies. Particular attention was given to neurotechnologies, with the creation of dedicated working groups and future research initiatives. At the same time, the AEPD prepared for responsibilities linked to the European AI Regulation and reviewed the use of biometric systems, particularly in employment contexts, while updating existing guidance documents.
Another major priority was promoting regulatory compliance. The AEPD reinforced its advisory role through strategic consultations, early interpretative guidance, and stronger communication with organizations. Special importance was given to Data Protection Officers (DPOs) and privacy professionals, recognized as key actors in ensuring compliance. In addition, more than one hundred guidance documents were reviewed to identify outdated materials and establish future priorities.
Collaboration and institutional partnerships also expanded significantly. The agency strengthened cooperation with regional data protection authorities, judicial institutions, and international organizations such as the Ibero-American Data Protection Network (RIPD). Participation in European forums also increased to improve coordination on emerging regulatory issues.
Finally, the AEPD emphasized the need for additional human, technological, and financial resources to address growing numbers of complaints and new responsibilities arising from European regulations, including the AI Act, Digital Services Act, and Data Governance Act.
Overall, 2025 represented a year of major transformation for the AEPD, characterized by technological innovation, stronger cooperation networks, and a proactive strategy aimed at protecting privacy while supporting digital progress.
Article provided by INPLP members: Belén Arribas Sánchez (BELEN ARRIBAS SANCHEZ, ABOGADA, Spain)
Dr. Tobias Höllwarth (Managing Director INPLP)
