Spanish data watchdog imposed €20 million in data breach fines in 2025

The Spanish data protection agency said it levied data protection penalties of close to €20 million in 2025 as data protection complaints rose by 64% compared to the previous year.

 

The Agencia Espanola de Proteccion de Datos, or AEPD, announced in its Performance Report 2025 that it received a record 30,931 complaints of data security and privacy violations in the year, up 64% from the previous year. The agency attributed the astronomical rise to increasing awareness among citizens about their rights and the ease of filing complaints.

 

The rising number of complaints resulted in a corresponding rise in enforcement proceedings. AEPD said the number of sanctions and warning proceedings concerning data breach incidents increased by 157% year-on-year, with the data security watchdog levying fines of €19.8 million over the course of the year. This represented 40% of all financial penalties levied by the agency across industries such as internet services, commerce, transport, and hospitality.

 

In total, the data protection agency issued sanctions and warnings over 46 incidents of personal data breaches which represented a 229% rise over the number of enforcement proceedings in the previous year. In comparison, enforcement proceedings related to video surveillance and public administrations saw marginal declines compared to 2024 figures.

 

"The increase in the number of fines imposed and their amount compared to 2024 reflects both the rise in cases brought before the Agency and the complexity of the data processing activities analyzed, their broader scope, and therefore, the impact of the infringements committed on individuals’ rights and freedoms," AEPD said.

 

The agency said the rising number of complaints had put increasing pressure on its resources as the increasing workload has not been matched by a proportional increase in staffing. 

 

To ensure its continued effectiveness, the watchdog has rolled out a 2025-2030 Strategic Plan that emphasises technology-driven oversight to focus the most in areas that that the highest impact on citizens’ rights, the adoption of AI with safeguards and the development of advanced monitoring systems.

 

AEPD said in its 2025 Performance Report that the year also saw enhanced cross-border sanctioning procedures and international investigations related to data breach incidents. Over the course of the year, it received 1,558 requests of assistance and consultation from other authorities and led 47 investigations as the lead authority compared to 22 such cases in the previous year. The agency also participated in 419 cross-border investigations as an interested party.

 

"It is worth noting that this is not only an exorbitant increase, but also that these cases are becoming increasingly complex due to the impact of new technologies and the growing threats they pose to privacy, as well as the cross-border procedures that must be carried out in coordination with other European authorities," AEPD added.