Welcome to the ANRO Privacy AEPD Resolutions Tracker. In an era defined by the principle of "proactive responsibility," staying informed of the Spanish Data Protection Agency’s latest rulings is no longer just a legal necessity—it is a strategic business advantage.
Our monthly tracker provides a filtered, expert analysis of the most impactful decisions affecting SMEs and the self-employed in Spain. This month’s update focuses on critical precedents regarding the Right of Access, the non-negotiable requirement for technical encryption on portable devices, and the high cost of administrative silence.
Below you will find a summary of the most significant resolutions for January 2026.
The Summary: Provides an immediate overview of the infraction and the penalty.
Deep Dive: For a full exegesis—including the specific articles of the LOPDGDD/GDPR infringed and Actionable Steps to protect your company—simply click on the blue reference numbers (e.g., EXP202509766) to expand the full legal report.
A microloan customer requested their complete loan history, but the lender refused, claiming loan records were "commercial information" rather than personal data and dismissively told the customer to "check your email." The AEPD ruled that loan histories are unequivocally personal data, rejected the company's arguments, and issued an enforcement order requiring full disclosure within 10 days or face very serious sanctions.
A Spanish funeral home sent a client's funeral invoice to her sister after the sister falsely impersonated the client during a phone call requesting email addresses for document delivery.
The AEPD archived the case without sanction, finding the company was a victim of deliberate identity fraud, had reasonable data protection measures in place, and responded diligently by requesting deletion and issuing formal apologies.
A professional filed a GDPR complaint after receiving unsolicited job recruitment messages via personal email and WhatsApp from a Spanish flight school that never explained how it obtained their contact details. The AEPD archived the case without sanction, applying the presumption of innocence principle because insufficient evidence existed to prove unlawful data processing, despite the company's complete failure to respond to the regulator's enquiries.
A parent complained that their child's school forced consent for Google Workspace by making it mandatory for digital education without alternatives, and failed to adequately explain Google's data processing practices. The AEPD's preliminary investigation expired after exceeding the 18-month legal deadline, but the Agency immediately reopened the case under a new file, transferring all documentation to continue examining whether the school violated consent and information obligations under GDPR.
A customer complained that a swimming pool facility sent her an unsolicited email about food consumption rules to a personal email address she claims she never provided, with the message also visible to an unknown second recipient. The AEPD archived the case due to insufficient evidence to prove GDPR violations, applying the constitutional presumption of innocence principle: although the company failed to cooperate, the complainant's evidence (incomplete email addresses in screenshots) could not conclusively establish unlawful processing or data disclosure.
A holiday rental company ignored a guest's GDPR access and erasure requests for six months, claiming they couldn't identify him because his email sender name appeared to be a pseudonym, then eventually responded only to the access request whilst completely ignoring the deletion request. The AEPD upheld both violations, ordering the company to properly respond to the erasure request within 10 days or face potential fines up to €20 million for non-compliance with supervisory authority orders.
The Extremadura Regional Government violated GDPR by publishing full names and complete DNI numbers of 492 job applicants on an openly accessible public website from September 2019 until March 2025, exposing them to serious identity fraud risks for over five years. The AEPD formally declared the infringement, ruling that administrative transparency principles do not justify making complete identity documents publicly accessible to anyone with internet access rather than limiting visibility to authenticated participants.
An employer was found to have violated GDPR by displaying an employee's disciplinary sanction on a public notice board and sharing it in a staff WhatsApp group, exposing her personal data and disciplinary details to colleagues with no need to know.
The AEPD confirmed the violations but archived the sanction procedure because the company dissolved in November 2025 before penalties could be imposed.
Spanish travel company Logitravel received a formal warning for failing to respond to a German consumer's Article 15 GDPR access request for over 13 months, only providing the requested information after the AEPD intervened in October 2024.
The company's staff mistakenly believed that processing the consumer's unsubscribe request eliminated the obligation to respond to the separate data access request, revealing fundamental gaps in their understanding of distinct GDPR rights.
A Spanish dental clinic was fined €1,200 for installing video surveillance cameras that continuously recorded patients during dental procedures, including audio capture of private conversations between patients and staff. The AEPD ruled that whilst security cameras are permissible, constant surveillance of medical treatment rooms violates the GDPR's data minimisation principle and is disproportionate to legitimate security needs.
A real estate agency violated a data subject's Right of Access by failing to respond within the legally required one-month timeframe under Article 12.3 RGPD, even though they eventually provided the requested information during the AEPD investigation. The AEPD formally ruled against the company on procedural grounds, establishing that responding late, even with substantively correct information, still constitutes a GDPR violation worthy of formal censure.
An administrative appeal was filed against an AEPD resolution exactly one day after the legal deadline expired, resulting in automatic inadmissibility under Article 116(d) LPACAP. The AEPD ruled that appeals must be filed within precisely one month of notification, so missing the deadline by even a single day means permanent loss of the right to appeal, with judicial review as the only remaining option.
The Spanish Data Protection Agency (AEPD) declared proceedings against Naturgy Iberia lapsed after exceeding the 18-month investigation deadline, following a complaint alleging identity theft was used to fraudulently cancel the complainant's energy supply contracts. Naturgy had demonstrated that sophisticated fraudsters, using complete personal data including obscured bank account digits, successfully impersonated the customer and passed security verification protocols before the fraud was discovered and reversed the same day.
The AEPD upheld a complaint against SMILE2IMPRESS, S.L. for failing to provide a patient with their full medical history within the statutory one-month period. The clinic acknowledged the request immediately, promising to send the data "as soon as possible", but failed to deliver the files until two months later, after the AEPD had intervened. This resolution reinforces that vague promises of future delivery do not pause the strict GDPR countdown.
The AEPD partially upheld a complaint against El Corte Inglés, S.A. regarding the mishandling of a Right of Access request following a security breach. The resolution clarifies that a company cannot deny access to personal data by claiming it has been "deleted" if, in reality, it is legally blocked.
Furthermore, it reprimands the entity for failing to notify the deadline extension within the first month, establishing that late notifications are legally invalid under Article 12.3 GDPR.
The AEPD ruled that providing secure, remote access to data via an intranet portal fully satisfies the "Right of Access," meaning businesses are not required to provide specific formats like paper or hashed files. While the Tax Agency avoided a fine for this, they were formally sanctioned for a procedural error: failing to notify the user of a deadline extension within the first 30 days. This case sets a vital precedent that businesses can refuse "bespoke" data exports as long as they offer a functional self-service portal.
A school was fined €3,000 after an unencrypted laptop containing sensitive health data of 150 minors was stolen and notifications to families were severely delayed. The AEPD ruled that basic password protection is insufficient, reinforcing that technical encryption is a mandatory legal standard for portable devices.
An individual filed a complaint against YOU MOBILE TELECOM SPAIN, S.L. after the company completely ignored their formal request to access their personal data. The AEPD ruled that "administrative silence" is illegal under the GDPR, determining that companies must always provide an explicit response to rights requests, even if they hold no data on the requester. Consequently, the Agency ordered the company to reply to the user within 10 business days, warning that failure to comply constitutes a "very serious infringement" subject to severe penalties.
Case Overview: A citizen received 12 unsolicited marketing emails regarding the "Kit Digital" from EUROEMPRESAS.ES. When the citizen exercised their Right of Access to ask where the company got their email, the company failed to respond within the legal one-month deadline.
The Ruling: The AEPD ruled that the company's eventual response was insufficient. The company claimed the email was a "professional contact" under Article 19 of the LOPDGDD, but the AEPD rejected this, stating that Article 19 does not authorize unsolicited commercial advertising (spam). Most importantly, the company failed to identify the source of the data, which is a mandatory requirement of the Right of Access under Article 15 of the GDPR.