AEPD Publishes 10 Key Recommendations for AI Safety

Published: 27 January 2026

The Spanish Data Protection Agency (AEPD) has released a new guidance document titled "Cuidado con lo que le confIAs" (Be Careful What You Trust to AI), offering citizens practical advice for AI safety and responsible and conscious use of artificial intelligence tools. The publication coincides with International Data Protection Day, celebrated on 28 January.

Growing AI Adoption Drives Need for Privacy Guidance

According to a December 2025 survey by Spain's Centre for Sociological Research (CIS), nearly 63% of the Spanish population believes artificial intelligence will experience significant development over the next ten years. Recognising both AI's potential and its growing adoption, the AEPD emphasises the importance of understanding and preventing privacy risks associated with improper use of these technologies.

This guidance forms part of the AEPD's Strategic Plan 2025-2030, which promotes a culture of privacy and data protection amongst citizens and organisations whilst supporting technological innovation with appropriate safeguards.

The 10 Key Recommendations

The AEPD's guidance provides ten essential recommendations for protecting privacy when using AI tools:

1. Don't Upload Your Personal Information to AI

Be prudent and avoid sharing personal data such as your full name, address, phone number, DNI/NIE, or your image with AI systems. Such information could be leaked online or indexed by search engines unintentionally. When describing a situation to AI, use fictional cases and avoid details that could identify you.

2. Avoid Uploading Sensitive or Delicate Information

Even if you don't provide personal identifiers, any information you share could be used to identify you for unintended purposes. Don't reveal sensitive information such as medical details, financial information, contractual terms, geolocation data, or information about visits to specific places.

3. Respect Others' Privacy

Exercise caution when describing situations involving other people, particularly minors. Remove information that could identify them. Never use images of other people to generate new content. What begins as a joke could become a data protection violation or even a criminal offence.

4. Don't Include Professional Information

If using AI at work, follow your organisation's information security policies. Specifically, don't include information that could reveal confidential data about your entity (such as contracts, reports, or strategies) or about its staff or clients.

5. Review Service Terms Before Use and Choose More Secure Versions

Beyond the explicit content you include in prompts, other information is being sent to AI systems including cookies, IP addresses, tracking and usage data, metadata, device information, contact information, and location data. Select AI services that guarantee they don't collect more information than necessary to provide the service. Remember that nothing is truly free.

6. If You Need Professional Advice or Emotional Support, Consult a Professional Rather Than AI

If you find yourself in a delicate personal situation, seek appropriate professionals. Artificial intelligence may appear to understand what you describe, but it doesn't truly comprehend or empathise with your personal situation and cannot offer qualified advice or accurate professional diagnosis.

7. Don't Believe Everything AI Says: Maintain a Critical Stance

AI tools can provide convincing-sounding answers on all types of topics, though they may be incorrect. Don't let AI decide for you, and always maintain a critical attitude towards its responses or advice. It's your responsibility to verify the accuracy of information provided by cross-referencing with other sources.

8. Advise and Guide Minors in Your Care

Children and adolescents may not be fully aware of the risks involved in sharing information with AI tools. Explain in simple terms the advantages and risks of their use, what data they shouldn't reveal, and foster their critical thinking.

9. Use Different Accounts and Delete Your History

When experimenting with AI, don't use your personal or professional email to create accounts. To protect your privacy and security, use different email addresses for different services and ensure these email addresses don't reflect your personal data.

Additionally, check whether the platform allows you to delete your conversations and do so frequently. Deleting history reduces risk in case of potential leaks that could have negative consequences for your privacy.

10. Your Questions Can Define You

Consulting apparently innocuous matters such as advice for everyday situations could reveal an image (partial or complete) of what you like, what interests you, or what worries you, contributing to the creation of a profile that reveals more about you than you imagine. A profile reveals your strengths, preferences, and weaknesses.

Special Warning on Images and Minors

The AEPD has previously warned about both visible and invisible risks of using third-party images in AI systems, even in apparently trivial or recreational contexts. The guidance specifically emphasises that images of other people (especially minors) should never be used to generate new content. Such practices could constitute data protection violations or even criminal offences.

Actionable AI Safety Steps for Organisations Operating in Spain

To align with the AEPD's guidance and Spain's regulatory requirements under GDPR and LOPDGDD, we recommend the following immediate actions:

1. Implement an AI Acceptable Use Policy (AUP)

Every organisation must formally define which AI tools are permitted and explicitly ban the input of personal data into non-enterprise models. Your AUP should:

• Maintain a whitelist of approved AI tools that have undergone security and privacy assessments
• Explicitly prohibit the use of consumer-grade AI tools (ChatGPT free tier, Gemini, Claude.ai, etc.) for work-related queries
• Define clear consequences for policy violations
• Require employees to acknowledge the policy annually
• Specify which types of information are never permissible to share with AI tools, including client data, employee information, trade secrets, financial data, and commercially sensitive information

2. Conduct Data Protection Impact Assessments (DPIAs)

Before deploying any AI tool that processes personal data or performs profiling, a DPIA is mandatory under Article 35 of the GDPR. Your assessment must:

• Identify what personal data the AI tool will process
• Document the legal basis for processing under GDPR Article 6 and, where applicable, Article 9 for special category data
• Assess risks to data subjects' rights and freedoms
• Evaluate the AI provider's data processing practices, including training data sources, model retention policies, and subprocessor arrangements
• Implement measures to mitigate identified risks
• Obtain sign-off from your Data Protection Officer (if your organisation is required to have one under LOPDGDD Article 34)

3. Training and Awareness Programmes

Integrate the AEPD's decalogue into employee onboarding and continuous training programmes to foster a culture of data hygiene. Effective training should:

• Include real-world examples of data breaches caused by improper AI use
• Provide practical scenarios relevant to employees' roles
• Test comprehension through assessments
• Refresh training at least annually
• Cover both the "why" (regulatory requirements and risks) and the "how" (practical alternatives and approved tools)
• Address the specific risks highlighted by the AEPD, particularly the extensive metadata collection by AI platforms

4. Audit "Shadow AI" Usage

IT departments should monitor network traffic to identify unauthorised use of AI platforms and block access to non-compliant tools if necessary. Shadow AI auditing involves:

• Deploying network monitoring tools to detect traffic to known AI service domains
• Reviewing browser history and installed applications on company devices
• Conducting anonymous surveys to understand which AI tools employees are using and why
• Implementing DNS filtering or proxy rules to block unapproved AI services
• Providing approved alternatives to meet legitimate business needs that employees might otherwise fulfill with unauthorised tools
• Creating a process for employees to request assessment of new AI tools they believe would benefit their work

5. Review Existing AI Vendor Contracts

For organisations already using AI tools, conduct an immediate review of vendor agreements to ensure:

• Data processing terms comply with GDPR Article 28 requirements
• The vendor's role (controller vs processor) is clearly defined
• Data retention and deletion policies align with LOPDGDD's "bloqueo" (data blocking) requirements
• Sub-processing arrangements are disclosed and approved
• The vendor commits to data minimisation principles as emphasised in the AEPD guidance
• UK or US-based providers have appropriate transfer mechanisms in place (adequacy decisions or Standard Contractual Clauses)

Frequently Asked AI Safety Questions

Can we use AI tools at all, or is the AEPD saying they're too risky?

The AEPD is not prohibiting AI use. Rather, it's promoting "safe, responsible, and conscious" use of AI with appropriate safeguards. Organisations can and should use AI tools, but they must select enterprise-grade solutions with robust data protection guarantees and implement proper governance frameworks.

Does this guidance have legal force, or is it just recommendations?

Whilst the guidance itself doesn't create new legal obligations, it reflects how the AEPD interprets existing GDPR and LOPDGDD requirements in the context of AI tools. Organisations that ignore this guidance and subsequently experience data breaches or non-compliance issues are likely to face harsher regulatory scrutiny and potential enforcement action.

What's the difference between consumer AI tools and enterprise AI tools?

Consumer tools (free versions of ChatGPT, Gemini, Claude, etc.) typically train their models on user inputs, lack robust data processing agreements, don't offer data residency controls, and provide limited audit capabilities. Enterprise versions typically offer: contractual commitments not to train on your data, Data Processing Agreements compliant with GDPR Article 28, options for data residency within the EU, audit logs and usage monitoring, and BAA/NDA protections for sensitive information.

Are there specific LOPDGDD requirements beyond GDPR that affect AI use?

Yes. LOPDGDD Article 28 requires organisations to implement appropriate technical measures, which in the AI context means ensuring AI tools support data minimisation, purpose limitation, and the "bloqueo" (blocking) requirement for data that should be preserved but not actively processed. Additionally, organisations in the 16 sectors requiring mandatory DPOs under LOPDGDD Article 34 must ensure their DPO is consulted before deploying AI tools that process personal data.

What should we do if we discover employees are already using unauthorised AI tools?

First, don't create a climate of fear. Many employees use AI tools because they genuinely improve productivity. Instead: conduct a risk assessment to understand what data may have been shared, implement the AI AUP immediately, provide approved alternatives that meet legitimate business needs, offer amnesty for voluntary disclosure of past unauthorised use in exchange for completing compliance training, and document your remediation efforts in case of future regulatory inquiry.

Do the recommendations apply to AI tools we use for HR purposes?

Absolutely, and with heightened scrutiny. AI tools used for recruitment, performance evaluation, or workforce monitoring constitute automated decision-making under GDPR Article 22 and are subject to Spain's enhanced workplace protections under LOPDGDD Articles 87-89 and 91. These uses almost always require a DPIA, must be disclosed to employee representatives, and require clear transparency to affected employees.

We're a small business. Do these requirements really apply to us?

Yes. GDPR and LOPDGDD apply to all organisations processing personal data, regardless of size. Whilst a sole trader might have simpler compliance needs than a multinational corporation, the fundamental requirements remain the same. The key is proportionality: your measures should be appropriate to your scale, but you cannot simply ignore these obligations because you're small.

Where can I access the original AEPD guidance?

The complete guidance document is available on the AEPD website: Recomendaciones para proteger la privacidad al usar herramientas de IA (PDF, Spanish language)

International Data Protection Day

The publication's timing coincides with International Data Protection Day on 28 January. This commemoration dates back to 2006, when the Council of Europe established the date to celebrate the anniversary of the signing of Convention 108, the cornerstone of data protection in Europe. The observance has since expanded beyond Europe to become recognised internationally as Data Protection and Privacy Day.

Disclaimer: This article is provided for informational purposes only and does not constitute legal advice. No attorney-client or professional relationship is created by reading this content. For specific compliance guidance regarding AI tool usage in your organisation, consult a qualified Data Protection Officer or privacy lawyer familiar with Spanish data protection law.