More sanctions and higher fines: the AEPD raises the level of fines in 2025
The Spanish Agency for Data Protection (AEPD) has significantly strengthened its sanctioning policy during 2025, with an increase both in the number of fines imposed and in their amount. According to the data published so far, the authority has imposed 299 economic sanctions amounting to 40 million euros, representing an increase of 14% compared to the previous year.
This trend confirms a line of action already anticipated in previous years, with a particular impact on sectors that carry out massive or intensive processing of personal data and that incorporate particularly intrusive technologies, such as biometrics, advanced video surveillance, or algorithmic systems.
Among the most significant fines of the year was the 10 million euros imposed on Aena for the improper use of biometric identification systems at airports, one of the highest imposed by the AEPD to date, placing the security and proportionality of this kind of processing at the center of regulatory debate.
In this context, Daniel López, partner of Privacy and Data Protection at ECIJA, emphasizes that the increase in sanctions cannot be analyzed in isolation, but as a direct consequence of a regulatory framework that is increasingly complex and overlapping. In particular, he highlights that the entry into force and simultaneous application of regulations such as NIS2, DORA, the General Data Protection Regulation, and the Labor Statute creates a particularly demanding compliance environment for organizations.
According to López, this accumulation of regulations "complicates compliance without stepping on legal mines," which creates fertile ground for the AEPD to intensify its oversight with the aim of establishing clear limits, especially in the use of emerging technologies. In his view, the authority is reinforcing its role not only in matters of sanctions but also in the areas of training and governance, at a time when artificial intelligence is beginning to be widely deployed in critical business processes.
The partner at ECIJA also warns that AI is emerging as one of the main areas of risk for sanctions in the coming years, as it introduces unprecedented technical and legal complexity regarding data protection, proportionality, and transparency. The AEPD has already begun to set the tone with sanctions related to the misuse of AI tools, and greater scrutiny of automated systems, algorithmic profiling, and data-driven decisions is anticipated.
Looking ahead to 2026, all signs point to the Agency maintaining this work stream, with an increasingly defined focus on biometrics, cybersecurity, and data governance, especially in organizations with systemic impact or those operating in highly digitized environments. In this scenario, regulatory compliance ceases to be a formal exercise and becomes a structural element of business strategy.
Access the full article published in Cinco Días here.