Welcome to the ANRO Privacy AEPD Resolutions Tracker. In an era defined by the principle of "proactive responsibility," staying informed of the Spanish Data Protection Agency’s latest rulings is no longer just a legal necessity—it is a strategic business advantage.
Our monthly tracker provides a filtered, expert analysis of the most impactful decisions affecting SMEs and the self-employed in Spain. This month’s update focuses on critical precedents regarding the Right of Access, the non-negotiable requirement for technical encryption on portable devices, and the high cost of administrative silence.
Below you will find a summary of the most significant resolutions for February 2026.
The Summary: Provides an immediate overview of the infraction and the penalty.
Deep Dive: For a full exegesis—including the specific articles of the LOPDGDD/GDPR infringed and Actionable Steps to protect your company—simply click on the blue reference numbers (e.g., EXP202406965) to expand the full legal report.
The AEPD issued a formal warning to Tools for Humanity GmbH ahead of its planned relaunch in Spain, concluding that its iris-scanning World ID system likely constitutes biometric data processing under Article 9 GDPR, requiring stronger legal justification and a more rigorous DPIA. The case establishes that "proof of uniqueness" technology does not escape special category data obligations merely because identification is not its stated purpose.
A patient requested their medical records from the Balearic Islands public health service (IbSalut) but received no response for six months; IbSalut also ignored the AEPD's regulatory enquiries. The AEPD ordered IbSalut to provide the records or a reasoned refusal within 10 days, warning that non-compliance would trigger very serious sanctions under Article 72.1(m) LOPDGDD.
A Spanish landlord installed a 360-degree camera with audio inside a shared rental flat, surveilling female tenants' private lives including access to bedrooms and bathrooms, claiming it was for security.
The AEPD fined the landlord €1,800 (reduced from €3,000) and ordered immediate camera removal, ruling that rental accommodation is a constitutionally protected home where interior surveillance violates Article 6 GDPR regardless of claimed justifications.
A Spanish telecoms operator emailed a customer's username and password in plaintext to access a portal containing extensive personal and financial data, claiming it was a one-time human error with no actual harm. The AEPD imposed a €10,000 fine, ruling that emailing passwords violates Article 32 GDPR regardless of encryption technologies or lack of exploitation, because adequate security requires preventing such errors through automated controls and secure reset protocols.
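The resolution above turns on two controls the operator lacked: an automated check that stops a credential from leaving in an email at all, and a reset protocol that never needs the password in the message. The following Python example, added here as an illustration and not the operator's code or anything from the AEPD file, shows both: the sanctioned pattern (username and password in the body) beside a replacement that sends a short-lived, single-use reset link, an outbound-mail guard that refuses the insecure message, and a server side that stores only a hash of the token and a salted PBKDF2 hash of the new password. The portal hostname, the user identifiers, the 15-minute token lifetime and the credential-matching pattern are constructed assumptions.

```python
"""Single-use, time-limited password reset tokens instead of emailing credentials.

Added illustration (not the operator's code). Hostnames, user ids, the token
lifetime and the credential pattern are constructed placeholders.
"""
import hashlib
import hmac
import re
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 15 * 60          # reset links expire after 15 minutes (assumption)
PBKDF2_ITERATIONS = 600_000          # order of magnitude OWASP recommends for PBKDF2-HMAC-SHA256

# Heuristic outbound-mail guard: block any message that looks like it carries a
# credential. A production DLP rule would be richer; this one is illustrative.
CREDENTIAL_PATTERN = re.compile(r"(password|contrase[nñ]a|clave)\s*[:=]", re.IGNORECASE)


def outbound_mail_allowed(body: str) -> bool:
    """Automated control: refuse to send a message that appears to contain a password."""
    return CREDENTIAL_PATTERN.search(body) is None


def compose_insecure_notice(username: str, password: str) -> str:
    """The sanctioned pattern: credentials in plaintext in an email body."""
    return f"Your portal login\nUsername: {username}\nPassword: {password}\n"


def compose_reset_notice(reset_link: str) -> str:
    """The replacement: a link carrying a short-lived, single-use token, never the password."""
    return f"To set your portal password, open this link within 15 minutes:\n{reset_link}\n"


@dataclass
class ResetRecord:
    token_hash: str      # only the SHA-256 of the token is stored server-side
    expires_at: float
    used: bool = False


class PasswordResetService:
    """Issues and redeems reset tokens; stores only salted PBKDF2 hashes of passwords."""

    def __init__(self, now=time.time):
        self._now = now                                   # injectable clock for testing
        self._pending: dict[str, ResetRecord] = {}        # user id -> outstanding token
        self._password_hashes: dict[str, tuple[bytes, bytes]] = {}  # user id -> (salt, hash)

    @staticmethod
    def _hash_token(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def issue_reset_link(self, user_id: str) -> str:
        """Generate a 256-bit random token; the plaintext token exists only in the link."""
        token = secrets.token_urlsafe(32)
        self._pending[user_id] = ResetRecord(
            token_hash=self._hash_token(token),
            expires_at=self._now() + TOKEN_TTL_SECONDS,
        )
        # placeholder host; a real service would use its own portal URL
        return f"https://portal.example.invalid/reset?user={user_id}&token={token}"

    def redeem(self, user_id: str, token: str, new_password: str) -> bool:
        """Accept the token once, before expiry, then store the new password hash."""
        record = self._pending.get(user_id)
        if record is None or record.used or self._now() > record.expires_at:
            return False
        # constant-time comparison so timing does not leak how many characters matched
        if not hmac.compare_digest(record.token_hash, self._hash_token(token)):
            return False
        record.used = True
        salt = secrets.token_bytes(16)
        digest = hashlib.pbkdf2_hmac("sha256", new_password.encode(), salt, PBKDF2_ITERATIONS)
        self._password_hashes[user_id] = (salt, digest)
        return True

    def verify_password(self, user_id: str, candidate: str) -> bool:
        """Check a login attempt against the stored salted hash."""
        stored = self._password_hashes.get(user_id)
        if stored is None:
            return False
        salt, digest = stored
        attempt = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, PBKDF2_ITERATIONS)
        return hmac.compare_digest(attempt, digest)


def token_from_link(link: str) -> str:
    """Extract the token query parameter (helper for demos and tests)."""
    return link.rsplit("token=", 1)[1]


if __name__ == "__main__":
    svc = PasswordResetService()
    link = svc.issue_reset_link("customer-42")
    assert not outbound_mail_allowed(compose_insecure_notice("customer-42", "hunter2"))
    assert outbound_mail_allowed(compose_reset_notice(link))
    assert svc.redeem("customer-42", token_from_link(link), "correct horse battery")
    assert not svc.redeem("customer-42", token_from_link(link), "again")  # single use
    print("reset flow ok")
```

The point of the design is that there is no step at which an agent could paste a password into an email: the service never holds the plaintext password after the user sets it, the only secret in transit is a random token that is worthless after one use or 15 minutes, and the outbound guard catches the legacy pattern if someone tries it anyway.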
A SIM swap fraud victim requested voice recordings proving fraudsters had ported their phone number, but the telecoms operator refused for 11 months, falsely claiming a court order was required to release the data. The AEPD ruled that voice recordings are personal data subject to Article 15 GDPR access rights without judicial authorisation, and noted the company's security failures may trigger separate enforcement proceedings.
An identity theft victim contacted a telecoms company requesting verification of whether fraudsters had used their data to open accounts, but received no response for 14 months until the AEPD opened a formal investigation.
The AEPD rejected the company's defence that the email was filtered as spam, ruling that data controllers are responsible for maintaining systems that reliably receive and process rights requests within 30 days.
A homeowner filed a GDPR complaint after their Homeowners' Association completely ignored their data access request for months, only responding after the AEPD opened a formal investigation.
The AEPD ruled in favour of the complainant, formally confirming the association violated the mandatory 30-day response deadline, establishing that volunteer-run community organisations have the same GDPR obligations as commercial businesses.
A citizen filed a GDPR complaint after Madrid's Regional Health Department ignored their medical data access request for months, only responding after the AEPD opened a formal investigation. The AEPD ruled in favour of the complainant, formally confirming the Health Department violated the mandatory 30-day response deadline, though no additional action was required since the data had finally been provided.
A homeowners' association failed to respond to a data subject's Right of Access request within the mandatory 30-day deadline under Article 12.3 GDPR. The AEPD formally upheld the claim on procedural grounds, establishing that responding only during the subsequent investigation—even when providing the requested information—does not cure the original timing violation.