Throughout this session, the main legal challenges linked to the digital environment were addressed: artificial intelligence, data protection, cybersecurity, legaltech, digital transformation, and new regulations such as the DSA and DMA. The event brought together representatives from public and private entities such as the Secretary of State for Digitalisation, CNMC, Telefónica, Banco Santander, IKEA, Huawei and ECIJA, among others.
Regulatory challenges and the role of the AEPD
The president of the AEPD, Lorenzo Cotino, outlined the complexity of the current legal landscape, describing it as a "regulatory patchwork", where multiple regulations overlap (RGPD, RIA, DSA, cybersecurity rules, IP, etc.). He announced the creation of a five-year strategic plan for the AEPD, which will be open for public consultation to address the new risks posed by AI.
Cotino stressed that AI affects all fundamental rights, not only privacy, and reminded that regulatory compliance should cover the entire GDPR, not just Article 22. He also clarified that the responsibility for data protection lies primarily with those who implement and operate AI systems, and that 95% of the practices prohibited by the AI Regulation involve the processing of personal data.
The figure of the DPO as a strategic axis
At a round table on the role of the Data Protection Officer (DPO), experts from the public and private sectors agreed that this figure should assume a more strategic and transversal profile, participating in technological governance.
Daniel López Carballo (partner at ECIJA and president of the Madrid chapter of the IAPP) highlighted the key role of the DPO in the definition of compliance models, especially in the face of the barrage of European regulations. Other speakers such as Antonio Muñoz (Telefónica) and Miriam Oñoro (Banco Santander) agreed that the DPO must be a bridge between business and compliance, anticipating risks and providing value from a proactive and integrated vision.
Keys to data protection and digital compliance
The main challenges in data protection were discussed: regulatory interaction, breach management, liability with third parties, and the need to develop solid compliance models that are integrated into the business strategy. Privacy was defined not as a brake, but as a business accelerator.
International aspects such as international data transfers and the adoption of BCRs (Binding Corporate Rules) as a compliance tool were also addressed, sharing experiences from large business groups.
Conclusion
The meeting reflected a consensus on the need to harmonise innovation and protection of rights in a changing regulatory context. The AEPD will assume new competences, especially in AI and biometric data, while the DPO emerges as a key player in the new digital ecosystem, where proactive responsibility, transversal collaboration and adaptation to standards such as the RIA, DSA and DMA will be essential for an ethical, secure and sustainable digital transformation.
