The Spanish Data Protection Agency intensifies its sanctioning activity in 2023

Published on 23rd May 2024

Complaints to the AEPD have doubled in just three years

In today's digital age, where information has become an invaluable resource for the economy, the protection of personal data has emerged as a fundamental pillar for preserving citizens' rights. In this context, the Spanish Data Protection Agency (AEPD), acting as an independent supervisory authority, plays a crucial role in monitoring compliance with data protection regulations in Spain.

The AEPD's annual report published on 11 April provides a detailed analysis of its activity over the course of 2023. The report sets out the various initiatives carried out by the agency, from awareness-raising campaigns to inspection activities, along with a comprehensive analysis of legal and privacy trends, both domestically and globally.

Increase in the number of complaints

The AEPD also reports a very sharp increase in the number of complaints it received in 2023.

For the third consecutive year, the AEPD received a record number of complaints, which exceeded 21,590 and represented an increase of 43% from 2022 and 55% from 2021. The increase is partly due to complaints related to the receipt of unwanted advertising, which have risen by 114% from the previous year.

Fewer sanctions but a higher total amount

In 2023, the AEPD imposed 367 sanctions, a slight decrease of 3% from the 378 sanctions imposed in 2022. However, the total amount of fines in 2023 amounted to almost €30 million, an increase of 44% compared to the previous year. This phenomenon suggests a possible strategy of the AEPD to focus its efforts on pursuing infringements of greater economic relevance.

Some of these fines ran into the millions and, to understand how such high amounts can be reached, it is crucial to analyse the factors that influence the determination of penalties. The Guidelines 04/2022 on the calculation of administrative fines under the GDPR, issued by the European Data Protection Committee, provide clear guidance on the criteria used.

The six areas of activity with the highest cumulative amount of fines, making up 89% of the total, are infringements related to personal data breaches (rising from around €821,000 in 2022 to almost €13 million in 2023), financial institutions and creditors, data protection rights, fraudulent contracting, telecommunications, and internet services.

The use of biometric systems in the spotlight

In relation to its disciplinary authority, and apart from the general upward trend reflected in the annual report for 2023, the AEPD has been paying increased attention during 2024 to the inappropriate use of biometric fingerprint systems for access control.

This new line of action follows the publication in November 2023 of the AEPD guidelines on processing for clocking and attendance control using biometric systems. The guide establishes the requirements and measures that must be met for the processing of personal data using biometric technology for access control, whether for work or non-work purposes, to comply with current legislation on personal data protection.

The AEPD has begun to apply the criteria established in these guidelines and is being forceful with companies that commit irregularities and mishandle biometric data. An example of this is the sanction imposed on a gymnasium, which was fined €27,000 for requiring its users' fingerprints for access to its facilities.

Likewise, an outsourcing company was fined €365,000 for requesting its employees' fingerprints to record the working day, without duly informing them of this and without applying adequate security measures. Recently, a football club was also fined €200,000 for requiring this type of biometric data for stadium access control, in breach of current regulations.

These rulings by the AEPD highlight the rigour and complexity involved in the processing of biometric data following the publication of this guide. Although the use of biometric data for clocking and attendance is not directly prohibited, in practice it is very complicated because of the difficulty of justifying a legal basis that legitimises its use.

In addition, a prior data protection impact assessment is necessary to demonstrate that the triple test of necessity, appropriateness and proportionality has been passed, and sufficient measures to ensure the security of personal data processed by biometric systems must be properly implemented.

Osborne Clarke comment

The significant increase in the number of complaints filed before the AEPD is a clear indication of greater public awareness of privacy and the right to data protection.

This phenomenon, coupled with the increased consultative and supervisory role of the AEPD that is expected in 2024, highlights once again the need for companies to consider compliance with data protection regulations as a critical component of their corporate strategy.


* This article is current as of the date of its publication and does not necessarily reflect the present state of the law or relevant regulation.
