Spanish Data Protection Agency clarifies its role in enforcing EU’s AI act
The Agency recommends that entities implementing or providing applications and services based on AI systems, as soon as they become obligated by the future full implementation of the RIA, be prepared to meet their obligations by taking appropriate measures to ensure full compliance.
On 15 July 2025, the Spanish Data Protection Agency (AEPD) issued guidance clarifying its role in supervising AI systems that process personal data, particularly those classified as prohibited under the European Union’s Artificial Intelligence Regulation (Regulation 2024/1689). Although several provisions of the regulation, including the supervisory and sanctioning regime under Article 5, will not come into force until 2 August 2025, the AEPD emphasised that it already has the authority to act when such systems infringe on the right to data protection. This statement comes at a time when Spain has yet to adopt national legislation to implement the regulation, and the AEPD has not been officially designated as a market surveillance authority under the new legal framework.
Despite this legal gap, the AEPD reiterated its existing powers as the competent authority for data protection, which include the ability to supervise and intervene in processing operations involving personal data. These responsibilities extend to AI systems whose use may violate fundamental rights, even if they are not yet addressed under the national AI law. The agency specifically referenced Article 5 of the AI Regulation, which prohibits certain types of AI systems, including remote, real-time biometric identification in public spaces. The AEPD underlined that any AI-based processing of personal data that poses a threat to privacy rights can already be subject to its oversight and possible enforcement actions.
Looking ahead, the AEPD is preparing for the broader responsibilities it expects to assume once the AI Regulation is fully implemented. Internally, the agency is assessing the need to reinforce its technical, human, and budgetary resources to handle the forthcoming supervisory and sanctioning duties related to AI. It also advised organisations developing or deploying AI technologies to begin preparing for compliance with the regulation, particularly those whose systems may fall under the prohibited categories.
