AEPD Resolutions (Spain DPA)

Vodafone Spain €200k GDPR Fine Appeal Dismissed

AEPD dismissed Vodafone Spain's appeal against a €200,000 GDPR fine originally issued on 10 January 2026 for violations of Article 6.1 of the GDPR. The enforcement action arose from Vodafone's processing of a SIM card duplicate request without adequate identity verification, allowing a third party to obtain the claimant's SIM card by first modifying the account email. The DPA upheld the fine, finding Vodafone failed to follow its own security policies requiring verification calls or requests from linked phone lines.

GDPR Appeal Dismissed as Late - Administrative Procedure

The Spanish Data Protection Agency (AEPD) issued Resolution EXP202407584 dismissing a recurso de reposición (administrative appeal) as extemporaneous. The appellant filed the appeal on February 27, 2026, exceeding the one-month deadline from the January 26, 2026 notification of the original resolution. The AEPD found no grounds to admit the late-filed appeal under Article 116.d of the LPACAP.

ARTURO ACOSTA S.L. v. AEPD - Right to Erasure Enforcement Appeal Dismissed

The AEPD dismissed the appeal filed by ARTURO ACOSTA S.L. (NIF: B38094249) against enforcement resolution EXP202512014 (PD/00238/2025), which had upheld a data subject's GDPR erasure complaint. The company argued it could not suppress data because returned devices were factory-restored, but the AEPD upheld the original ruling based on the company's failure to timely respond to the erasure request and lack of documented proof of compliance. The DPA rejected claims of bad faith by the claimant and proportionality violations by the company.

GDPR Appeal Inadmitted - Complainant Lacks Standing

The AEPD issued Resolution EXP202500572 declaring a recurso de reposición inadmissible because the appellant, as a mere complainant under Article 77.2 GDPR, lacked the legal standing to appeal. The decision cites Supreme Court precedent establishing that complainants have neither subjective rights nor legitimate interests in obtaining sanctions against those they denounce.

EUSKALTEL fined €100,000 for GDPR non-compliance

The Spanish Data Protection Agency (AEPD) has fined EUSKALTEL €100,000 for non-compliance with GDPR, specifically related to a violation of Article 58.2 and Article 83.6. The company was ordered to comply with imposed measures within three months. This resolution is on appeal from a prior decision.

INCIBE Fined 2,000 Euros for GDPR Breach

The Spanish Data Protection Agency (AEPD) has upheld a 2,000 Euro fine against INCIBE for a GDPR breach. The breach occurred on INCIBE's Moodle training platform, exposing student names, emails, cities, and countries due to a default privacy configuration error. INCIBE appealed the initial resolution.

AEPD Spain: Appeal REPOSICION-PA-00034-2024 Inadmitted

The Spanish Data Protection Agency (AEPD) has inadmitted an appeal (REPOSICION-PA-00034-2024) filed by A.A.A. against a resolution dated January 16, 2026. The inadmission is based on the appellant's lack of standing as an interested party in the initiated procedure, as per Article 62.5 of the LPACAP.

AEPD Finds RUBICOR FITNESS Infringed GDPR Article 17

The Spanish Data Protection Agency (AEPD) has issued a resolution finding RUBICOR FITNESS in violation of GDPR Article 17 (Right to Erasure). The agency initiated proceedings after the complainant's request for erasure was not adequately addressed by the company. RUBICOR FITNESS failed to provide the required response and justification during the administrative process.

AEPD Resolution: Closure of Employee Biometric Data Tracking Investigation

The Spanish Data Protection Agency (AEPD) has closed an investigation into the Ayuntamiento de Valladolid regarding its use of fingerprint-based employee time tracking. The agency closed the case after the municipality confirmed it had ceased using biometric data for employee time registration on September 2, 2024, following AEPD guidance.

GDPR Resolution on Data Access Rights for VIMCORSA

The Spanish Data Protection Agency (AEPD) issued a resolution regarding a data access rights complaint against VIMCORSA. The complainant alleged VIMCORSA obstructed their right to access personal data and related repair documentation for a property. The AEPD found that VIMCORSA's response was inadequate and potentially obstructed the complainant's rights under GDPR.