As artificial intelligence (AI) becomes deeply embedded in everyday operations, regulatory bodies are stepping in to guarantee fundamental rights are protected.
With the EU’s Artificial Intelligence Act (Regulation 2024/1689) set to begin partial enforcement on August 2, 2025, national authorities are adjusting their oversight responsibilities.
In Spain, the Agencia Española de Protección de Datos (AEPD) is preparing to take a more active role, particularly regarding AI systems that involve the processing of personal data.
• The AEPD can already act against prohibited AI systems that process personal data, even before Spain’s national AI law is finalised.
• As of August 2, 2025, the supervisory and sanctioning regime for Article 5 of the EU AI Act will take effect, targeting prohibited AI systems, including real-time biometric surveillance.
• Organisations using AI must start preparing now, as the AEPD recommends taking steps to align with both data protection laws and forthcoming AI regulations.
The EU Artificial Intelligence Act (Regulation 2024/1689) aims to establish a comprehensive legal framework for trustworthy AI in the European Union. One of its central elements is Article 5, which identifies certain AI practices as inherently unacceptable due to their high risk to fundamental rights.
These include:
• Real-time remote biometric identification in public spaces.
• Social scoring by public authorities.
• Manipulative or exploitative AI techniques targeting vulnerable individuals.
Starting August 2, 2025, enforcement mechanisms related to these prohibited practices will come into force.
The AEPD is Spain’s data protection authority, playing an important role in supervising the processing of personal data. Although it is not yet formally designated as the national market surveillance authority under the AI Act, the AEPD retains full power to act on data protection infringements, especially where AI tools are used to process personal data unlawfully.
The Spanish government is working on a draft AI law, which may eventually give the AEPD additional responsibilities to monitor the AI market. For now, the AEPD’s intervention is tied to GDPR-related infringements, including those committed by prohibited AI systems.
Spain has not yet finalised its national AI legislation, which is necessary to formally assign surveillance responsibilities to national authorities. The current draft envisions that the AEPD will serve as the market surveillance authority for specific high-risk and prohibited AI systems, where independence is mandated by EU law.
Until then, the AEPD’s supervisory actions are grounded in its mandate under the GDPR and Spanish data protection laws, allowing it to intervene where AI affects individuals’ data protection rights.
Even without the full implementation of the AI Act, the AEPD can investigate and take action against any unlawful data processing by AI systems, particularly those classified as prohibited. For example, if an organisation deploys real-time facial recognition in public without a lawful basis, the AEPD can initiate enforcement under existing data protection law.
This reinforces that compliance with GDPR remains a prerequisite for all AI systems handling personal data, regardless of their risk classification under the AI Act.
The AEPD advises organisations to:
• Map and review existing AI systems that process personal data.
• Identify whether any systems could fall under the “prohibited” category.
• Establish governance practices that align with both GDPR and the upcoming AI Act.
• Begin implementing measures to ensure transparency, accountability, and data minimisation in AI workflows.
This early action can prevent costly remediation or sanctions when the AI Act is fully enforced.
Recognising the complexity of supervising AI systems, the AEPD is actively reviewing its internal capabilities. This includes:
• Increasing technical expertise in AI systems.
• Expanding its team to manage a higher volume of inspections and enforcement activities.
• Allocating additional financial resources to support its future role as an AI market regulator.
These efforts underscore the AEPD’s commitment to upholding individuals’ rights in the age of AI.
Other EU data protection authorities, such as CNIL in France and the DPA in Germany, are also preparing for AI oversight, often by publishing guidance and launching consultations with stakeholders. Spain’s AEPD is following a similar trajectory, positioning itself as a proactive enforcer of both GDPR and AI-specific obligations.
As enforcement capacity builds across the EU, organisations should anticipate harmonised scrutiny of AI deployments, particularly those involving sensitive personal data or automated decision-making.
The AEPD’s announcement is a clear signal that the transition to regulated AI has begun. While Spain’s national law is still pending, organisations operating in the country must recognise that the AEPD already has teeth when it comes to unlawful data processing via AI.
With enforcement on the horizon and regulatory expectations rising, now is the time for AI providers, developers, and users to reassess their compliance posture, especially in how they handle personal data.
Can the AEPD penalise companies for using prohibited AI systems before the AI Act is fully enforced?
Yes, if the AI system involves unlawful personal data processing under GDPR, the AEPD can investigate and enforce existing data protection laws.
What AI practices are considered prohibited under the EU AI Act?
Examples include real-time remote biometric identification in public spaces, social scoring by public bodies, and systems that exploit vulnerabilities for malicious purposes.
When does the AI Act take effect in Spain?
From August 2, 2025, enforcement of the prohibited AI systems regime begins. Full implementation of the Act continues through 2026.
Is the AEPD the official AI regulator in Spain?
Not yet. The Spanish national AI law must be passed before the AEPD becomes the designated market surveillance authority under the AI Act.
What should companies do now to prepare?
Start aligning internal practices with both GDPR and the AI Act. Conduct AI impact assessments and stay informed on upcoming legal requirements.