Spain logs 64% rise in complaints

Spain’s privacy regulator just posted a number big enough to matter outside legal circles. In 2025, Spain’s data-protection agency — the AEPD — received 30,931 complaints. That was a 64% jump from the year before, and the highest total in the agency’s history. If you run a business in Spain, or handle Spaniards’ data from somewhere else in Europe, the message is pretty simple: more people are filing, more cases are getting complicated, and the regulator is seeing a lot more to chase. (aepd.es) ### What actually happened? On May 6, the AEPD published its 2025 annual report. The headline number was the complaint surge, but the report also showed 1,118 cross-border cases from other European authorities and 14 investigations opened on the agency’s own initiative, bringing total new inspection entries to 32,063. This is not a blip in one narrow category — it is a broad increase in the regulator’s workload. (aepd.es) ### Why are complaints jumping so fast? The AEPD’s own explanation is pretty direct. More people know they have privacy rights, and more people know they can complain. That sounds basic, but it matters — complaint systems often stay quiet until the public learns how to use them. Spain also sits in a much more digital daily li(aepd.es)nce can go wrong. (aepd.es) ### Where is the pressure showing up? The biggest enforcement areas were video surveillance, internet services, personal-data breaches, public administrations, commerce/transport/hospitality, and health. That mix tells you a lot. This is not just a Big Tech story. It reaches into cameras in buildings, hotel check-in practices(aepd.es)s everyday operations, not just edge-case misconduct. (aepd.es) ### Is this only about complaints? No — the money moved too. Sanctions imposed by the authority exceeded €48 million in 2025. Higher fines do not automatically mean harsher policy in every single case, but they do show that the cases landing on the regulator’s desk are larger, more complex, or more damaging than before. The AEPD itself framed the rise in total sanctions as a sign of both more cases and more serious data-processing problems. (aepd.es) ### What about data breaches? This is where the story gets sharper. Separate 2025 breach statistics showed 2,765 breach notifications in Spain. That was a bit lower than 2024, but the impact was much larger — more than 200 million individuals were notified after high-risk incidents. Basically, the count of breaches did not ex(aepd.es)n if one raw incident metric looks stable. (techinsights.linklaters.com) ### Why do cross-border cases matter? Because Spain is not regulating in a vacuum. The AEPD said it led 47 cross-border cases as the main authority and cooperated in 419 as a concerned authority. Once a case crosses borders inside the EU, it usually gets slower, heavier, and more procedural. Companies need cleaner records, clearer legal bases, and better internal coordination — because one messy incident can suddenly involve several regulators at once. (aepd.es) ### Does this change anything for companies now? Yes — mostly in the boring places. Logging. Access controls. Data minimization. Breach response. Complaint handling. The catch is that these are not flashy AI-policy issues; they are operational hygiene issues. But when complaints hit record highs, weak processes stop being bac(aepd.es)d with the agency by year-end, which shows how institutionalized this compliance layer has become. (aepd.es) ### Bottom line? Spain’s complaint surge is really a signal that privacy enforcement has moved closer to normal life. More people are willing to complain, more incidents are sprawling across borders, and the regulator is dealing with a larger, tougher caseload. For companies, the lesson is not mysterious — if your data practices are sloppy, Spain is getting less likely to let that slide. (aepd.es)