Cyber monday flash - May

Regulatory and jurisprudential updates on privacy and cyber-security issues

AEPD

The AEPD received more than 30,000 complaints in 2025, 64% more than the previous year.

The Spanish Data Protection Agency (AEPD) registered 30,931 complaints in 2025, 64% more than the previous year, according to the Annual Report published on 6 May 2026. Sanctioning activity also soared: fines exceeded 48 million euros, with a notable increase in both the number of cases and the average amount, and a clear focus on infringements with the greatest real impact on citizens.


The most striking fact is the explosion in data breach proceedings, which grew by 157% (77 cases) and accounted for nearly 40% of the total amount sanctioned. The AEPD is thus consolidating a change of strategic focus towards a more proactive and technological model, prioritising high-impact risks in areas such as artificial intelligence, cybersecurity and biometrics, and strengthening its role as the key authority for digital governance in Spain.

Key figures from the 2025 Annual Report: +64% complaints compared with 2024 (30,931 in total); more than €48M in fines, with an increase in the average amount per case; +157% data breach proceedings, accounting for around 40% of the total amount sanctioned.

€200,000 fine for forcing workers to use tracking apps on their personal mobile phones

The AEPD has fined ARES CAPITAL 200,000 euros for forcing its VTC (ride-hailing) drivers to install applications on their personal mobile phones that intensively monitored their activity (geolocation, communications, contacts and health data). The ruling is particularly relevant in the BYOD field: the Agency rejects both the performance of the employment contract and consent, which it considers not freely given in the context of an employment relationship, as legal bases for the processing, and also finds a breach of the principle of data minimisation and of the duty to inform.


In addition to the financial penalty, the AEPD ordered corrective measures: limiting the data collected to what is strictly necessary, documenting a valid legal basis and improving the information provided to workers. The resolution is a clear warning to any company that imposes the use of personal devices for workplace monitoring: monitoring practices must strictly comply with the principles of proportionality and necessity.

AEPD tool to view information on reported breaches

The AEPD makes available to the public an interactive dashboard based on Power BI that allows for dynamic consultation and analysis of the information on personal data breaches reported to the Agency. Through this tool, users can explore and filter the data by criteria such as sector, type of breach or time period.

The information is updated regularly, making it easier to monitor trends and understand the scope and impact of these incidents in different areas. You can access the tool from the AEPD website, in the section dedicated to personal data breach notifications.


The AEPD brings the GDPR requirements for the use of AI voice transcription down to earth

The AEPD points out that using AI voice transcription tools becomes a processing of personal data when an organisation integrates them into processes such as minute-taking, meetings or customer service. In that case, the organisation is the controller if it decides the purposes and means of the processing, and must select the solution diligently, assessing not only its usefulness but also the associated risks: systematic errors, linguistic bias, inference of sensitive information or insufficient guarantees from the provider.

European legislation

AI Act: EU simplifies obligations and strengthens prohibitions against abusive uses of AI

The European Parliament and the Council have reached a provisional agreement, in the framework of the "digital omnibus" package, to simplify certain obligations of the AI Act without abandoning its risk-based approach.

Regulatory overlap is reduced: AI products already regulated by sectoral safety regulation will not have to duplicate obligations under the AI Act.

The agreement introduces a new express prohibition of AI systems intended to generate non-consensual intimate content or illegal material related to minors. The interim agreement must be formally approved by 2 August 2026.

New deadlines

  • Operators of systems capable of generating illegal or non-consensual intimate content must adapt their systems to the new prohibition.

  • Formal approval of the agreement by Parliament and Council is expected by 2 August 2026.

  • High-risk systems: biometrics, critical infrastructure, education, employment, public services.

  • Systems integrated as safety components of products remain subject to sectoral regulations.


European Commission v. Meta

DSA - European Commission

The European Commission has preliminarily concluded that Meta is in breach of the Digital Services Act (DSA) by failing to effectively prevent children under the age of 13 from accessing Instagram and Facebook, even though its own terms and conditions set that minimum age. According to the investigation, between 10% and 12% of EU users of both networks are under 13. The Commission is requiring Meta to strengthen its mechanisms for verifying age and for preventing and removing underage accounts; if the findings are confirmed, the company could face a fine of up to 6% of its annual global turnover.

Case law

Limits of the GDPR on requesting and accessing data

The Supreme Court requires compliance with the GDPR from the moment data is requested

In this ruling, the Supreme Court has established that the mere request for personal data is in itself a processing operation subject to the GDPR, regardless of whether or not the data subject provides the data. In the case analysed, a penitentiary centre required a prison officer to provide his medical diagnosis and treatment to justify a three-day absence from work, even though he had already submitted the corresponding medical certificate. The Court upheld the warning sanction imposed by the AEPD, holding that the request was excessive and unnecessary for controlling absenteeism and therefore breached the principle of data minimisation in Article 5(1)(c) GDPR.

The practical implication of this ruling is relevant for any organisation, public or private: before requesting personal data, the controller must assess whether the request is adequate, relevant and proportionate to the purpose pursued, given that the mere fact of making the request triggers the set of obligations imposed by European data protection law.

CJEU allows refusal of abusive access applications

The CJEU, in Brillen Rottler (C-526/24, 19 March 2026), examines whether a request for access under Art. 15 GDPR can be rejected as abusive, even if it is the first request addressed to that data controller. The case concerns a person who subscribed to the newsletter of a German optician's shop and, a few days later, exercised his right of access. The company refused on the grounds that the data subject followed a systematic pattern of subscribing to newsletters, submitting access requests and claiming compensation.

The Court concludes that a first access request can be considered "excessive" or abusive if the controller demonstrates that it does not seek to know or verify the processing of the data subject's data, but to artificially create the conditions for claiming compensation. However, the threshold is high and the burden of proof lies with the controller. The CJEU also confirms that an infringement of the right of access can give rise to compensation under Art. 82 GDPR, but only if actual damage and a causal link are established; that link can be broken where the data subject's own abusive conduct is the cause of the alleged damage.

Analysis


DPO and IISM: is compatibility possible?

The compatibility between the roles of Data Protection Officer (DPO) and Internal Information System Manager (IISM, the person responsible for the whistleblowing channel) is a particularly sensitive issue from the perspective of the DPO's independence. Both the AEPD and the National Court agree that, although there is no automatic prohibition on combining the two roles, their concurrence requires strict guarantees that no conflict of interest arises. In particular, the DPO must not assume decision-making or operational functions that could compromise his or her supervisory role. Separation of functions therefore remains the general rule, and compatibility can only be considered exceptionally, where responsibilities are clearly delimited.

In this analysis, the elements that make it possible to adequately delimit the functions entrusted to the DPO and the IISM, and so avoid a conflict of interest, are particularly relevant: the organisational structure, the availability of resources, the possible outsourcing of the channel and a collegiate configuration of the system.
