What is the AEPD?

What is the AEPD?

Table of Contents

Across the world, businesses and individuals are now commonly aware of the GDPR. That is a legislative framework governing the collection and use of EU citizen personal data. What’s often less appreciated is the role individual member states play in data protection.

That’s where the Spanish AEPD comes in.

Below we’ll discuss what the AEPD is, its effects on businesses, and how it relates to the GDPR.

What is the AEPD?

The Spanish Data Protection Agency, known as the AEPD (Agencia Española de Protección de Datos), is tasked with regulating data privacy within the Spanish borders. It ensures that the collection, storage, and use of personal data is conducted in accordance with Spanish and EU legislation. Moreover, the AEPD also acts to inform Spanish citizens about their data rights, as well as the ways the AEPD can help.

The AEPD is headquartered in Madrid and is an independent agency of the government of Spain. It was established on 26 March 1999, in the context of Article 18(4) of the Spanish Constitution of 1978:

“The law shall restrict the use of informatics in order to protect the honour and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights.”

That remains the guiding principle into the present day.

What are the primary AEPD responsibilities?

Though the AEPD is a government agency, it enjoys “absolute independence from the Public Administration.” That means it has total authority over data protection within Spain. Its responsibilities include:

  • Raising awareness about the activities of the AEPD and the right to personal data protection
  • Provide direct assistance in response to Spanish citizen queries
  • Protect rights of individuals to access, rectify, cancel, and object to data collection and usage
  • Registry of filing systems
  • Inspection of data collection and the administration of penalties.
  • Cooperation with international agencies and intra-national autonomous communities (including Catalonia, the Basque Country, and Madrid)
  • Evaluate emerging risks, including internet personal data trends, employer video surveillance, biometrics, internet usage, and more.

What are the regional Spanish data protection agencies?

In addition to the AEPD, there exists the Catalan Data Protection Authority and the Basque Data Protection Agency. The Data Protection Agency of the Community of Madrid also existed from 1995 to 2013.

What does the PDPA apply to?

Like other data protection legislation, such as the UK and EU GDPR and Brazil’s LGPD, the PDPA contains “extra-territorial effects.” That means that organizations not based in Singapore can find themselves obligated to accord with the PDPA if an organization collects, uses, or discloses data within Singapore.

For instance, if a non-Singaporean company – like Facebook – collects data from Singaporeans online, then it is subject to the PDPA. It will also face penalties should it be found to not be in accordance with the regulation.

How does the AEPD relate to the EU?

Under the EU Charter of Fundamental Rights, it stipulates that all EU citizens have the right to the protection of their personal data. With the passage of the GDPR, further data protection was put in place: the most stringent worldwide.

Originally, the AEPD was set up to protect personal data according to Article 8(3) of the EU Charter of Fundamental Rights. Prior to the GDPR, the European Data Protection Directive provided standards to guide the drafting of legislation in each member state. This responsibility was then subsumed into the EU with the GDPR.

This legislation works in concordance with the European Data Protection Board (EDPB). It is an independent European body created to ensure the consistent application of data protection rules through the EU.

That’s because, while the EU develops the GDPR and analyses trends in data protection, it is ultimately not capable of enforcing the law. Member states receive general guidance from the EDPB on key concepts of the GDPR and the Law Enforcement Direction. The EDPB is composed of representatives from the national data protection authorities of EU member states, including the AEPD.

For example, the AEPD recently issued updated guidance regarding cookies after the EDPB published new guidelines.

Notable cases of the AEPD

The most notable case brought by the AEPD is commonly referred to as Google v. Spain. Although the actual name is Google Spain v. AEPD & Mario Costeja.

The background: A Spanish newspaper published two announcements about the forced sale of properties arising from social security debts. Mario Costeja González, an owner of one of the properties named in the announcements, contacted the newspaper asking for his name to be removed. The newspaper refused, as the story had since been published by the Spanish Ministry of Labour and Social Affairs. Costeja then contacted Google, requesting the erasure of the announcement links. Google Spain resisted their removal, which led to Costeja and AEPD bringing a lawsuit against Google Spain.

The case is widely believed to revolve around the “right-to-be-forgotten.” However, this is mistaken.

In the ruling, the court did not grant such a right explicitly. Rather, search engines were obligated to remove search results where they “appear to be inadequate, irrelevant, or no longer relevant or excessive in the light of the time that had elapsed.”

Nevertheless, this was one of the fundamental reasons the right-to-be-forgotten was proposed for inclusion in the GDPR. Before being changed to erasure under specific circumstances, as per the Spanish judge’s ruling.


The AEPD is the official data protection agency of the government of Spain. Like all member states, it is the national authority responsible for enacting the GDPR and other relevant laws. However, it also has additional responsibilities enshrined in the Spanish Constitution and Spanish law to inform Spanish citizens about their data protection rights.

Suppose you are a business who violates the GDPR in relation to a Spanish citizen. In that case, it is likely to be the AEPD who handles your case. Therefore, if you are a Spanish-facing business, it’s essential to be aware of the basics of who and what the AEPD is.

Hopefully, after reading this article, you now have that understanding.

For further information, please refer to the AEPD website.



Sales & Support