Receiving a notification from the Spanish Data Protection Agency (AEPD) can understandably cause concern. The Agency is the authority responsible for ensuring compliance with data protection law in Spain, and its requests usually mean that an investigation is under way or that it needs clarification about how you’re handling personal data.
However, receiving a request doesn’t necessarily mean that you’re going to be fined. The key is to understand what the Agency is asking for, why, and how to respond correctly within the set deadline. Here's what you need to know to deal with it securely and effectively.
Written by Abigail Sked
Data Protection Specialist
How to respond to a notification from the Spanish Data Protection Agency
WHAT IS THE SPANISH DATA PROTECTION AGENCY AND WHAT DOES IT DO?
The Spanish Data Protection Agency (Agencia Española de Protección de Datos, AEPD) is the independent public authority responsible for ensuring compliance with data protection legislation in Spain, primarily the General Data Protection Regulation (GDPR) and Organic Law 3/2018 (LOPDGDD).
Its role isn’t purely punitive; it also carries out supervisory, investigative, preventive and advisory functions. The Agency can act on its own initiative or following a complaint or claim made by an individual.
WHY MIGHT I RECEIVE A REQUEST FROM THE AEPD?
Requests are formal demands for information or documentation addressed to a company, professional, or public body.
The most common reasons are:
- A complaint or claim submitted by a citizen (for example, for failing to respond to a data subject rights request or for sending marketing communications without consent).
- An investigation launched by the Agency itself after detecting possible non-compliance.
The aim is to gather information to determine whether the data controller or processor has met their obligations. You might therefore be asked to provide documents such as:
- Data protection policies or processing records.
- Copies of information notices or consent clauses.
- Evidence of security measures implemented.
- Proof of how you handled a data subject request or complaint.
Responding correctly and within the given timeframe is a legal obligation.
WHEN DOES THE AEPD ADMIT A COMPLAINT FOR PROCESSING?
Before opening a formal procedure, the AEPD assesses whether the complaint meets the requirements to be admitted for processing. It may reject it if the issue isn’t related to data protection, lacks sufficient grounds, is abusive, or if there are no reasonable indications of a breach.
In some cases, before making a decision, the Agency may forward the complaint to the Data Protection Officer or to the controller itself, requesting relevant information within one month.
If the controller or processor voluntarily corrects the deficiencies identified, for example, by taking steps to fully safeguard the data subject’s rights, the AEPD may decide not to continue with the complaint.
The decision to admit or reject the complaint will be communicated to the complainant within three months. If no communication is made within that period, it is understood that the complaint will proceed.
HOW LONG DOES THE AEPD PROCEDURE TAKE?
When the AEPD initiates a procedure, the duration and structure of the process depend on the type of complaint.
If it concerns a failure to respond to a data subject rights request (access, rectification, erasure, etc.), the case must be resolved within six months from admission.
If the procedure is to determine a potential breach of data protection law, it can last up to twelve months from its initiation; if this period is exceeded, the case expires and is archived. The AEPD may also issue a warning or require corrective measures, in which case the procedure can last up to six months from the start date.
These time limits may be suspended if the Agency needs to obtain information or assistance from other national or European authorities.
HOW ARE AEPD DEADLINES CALCULATED?
The request will state the exact deadline for your response, so when responding to a request or carrying out any procedure before the Spanish Data Protection Agency, it’s crucial to understand how deadlines are calculated and when your reply is deemed submitted.
- When the deadline is given in days, these are working days; Saturdays, Sundays, and public holidays don't count. The period starts on the day after the notification is received.
- If the deadline is expressed in months, it also starts the following day and ends on the same calendar day in the following month. If that month doesn’t have the same date (e.g. starting on the 31st of January), the deadline ends on the last day of that month.
Importantly, the official date and time of the AEPD’s Electronic Headquarters are the only ones that count, not the clock on your computer or device. What matters legally is the exact moment you complete the submission and sign it electronically, as that’s when the electronic receipt is generated.
Example:
If your deadline ends on the 10th of October and you start completing the form at 23:45 but sign and submit it at 00:05 on the 11th of October, it will be considered late.
It is therefore essential to check the notification date and act promptly.
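To make the counting rules above concrete, here is an added Python example (not from the original article) that computes a deadline expressed in working days or in months and checks whether a signed submission is late. It assumes that a month-based deadline ends on the same day-of-month as the notification date (falling back to the last day of the month), and the holiday set below is constructed for illustration only.

```python
from datetime import date, datetime, timedelta
import calendar

# Constructed sample holiday (a Monday); a real calculation must use the
# official national and regional holiday calendar for the relevant year.
SAMPLE_HOLIDAYS = frozenset({date(2025, 10, 13)})


def is_working_day(d: date, holidays=frozenset()) -> bool:
    """Working day = Monday to Friday and not a public holiday."""
    return d.weekday() < 5 and d not in holidays


def deadline_in_working_days(notified: date, days: int, holidays=frozenset()) -> date:
    """Count `days` working days, starting on the day after notification."""
    current = notified
    remaining = days
    while remaining > 0:
        current += timedelta(days=1)
        if is_working_day(current, holidays):
            remaining -= 1
    return current


def deadline_in_months(notified: date, months: int) -> date:
    """Period runs from the day after notification and ends on the same
    calendar day `months` later; if that day does not exist in the target
    month (e.g. 30/31 in February), it ends on the last day of that month."""
    year = notified.year + (notified.month - 1 + months) // 12
    month = (notified.month - 1 + months) % 12 + 1
    last_day = calendar.monthrange(year, month)[1]
    return date(year, month, min(notified.day, last_day))


def is_late(deadline: date, signed_at: datetime) -> bool:
    """Only the moment the submission is signed (per the Sede's clock) counts:
    signing at 00:05 on the day after the deadline is late."""
    return signed_at.date() > deadline


if __name__ == "__main__":
    # Notified Wednesday 8 Oct 2025, 10 working days, sample holiday on the 13th.
    print(deadline_in_working_days(date(2025, 10, 8), 10, SAMPLE_HOLIDAYS))
    # Notified 30 Jan 2025: period starts 31 Jan, ends on the last day of February.
    print(deadline_in_months(date(2025, 1, 30), 1))
    print(is_late(date(2025, 10, 10), datetime(2025, 10, 11, 0, 5)))
```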
HOW SHOULD I RESPOND TO AN AEPD REQUEST?
Communications with the AEPD are made through its electronic headquarters (https://sedeaepd.gob.es).
You’ll need to access the platform using a digital certificate or Cl@ve system and submit your written response along with any supporting documents.
Some practical tips:
- Always reply clearly, precisely and with supporting evidence; avoid vague statements.
- Clearly identify the request and reference numbers.
- Keep a copy of your submission receipt and all documents sent.
IS IT SAFE TO USE THE AEPD’S ELECTRONIC SERVICES?
Yes. The AEPD guarantees that communication through its electronic headquarters is completely secure. All exchanges are encrypted, ensuring that data remains protected at all times.
Digital certificates also verify the identity of both the user and the administration, preventing impersonation or unauthorised access.
WHAT ARE MY OBLIGATIONS AS A DATA CONTROLLER?
Under Article 31 of the GDPR, controllers and processors must cooperate with the supervisory authority when requested to provide information.
This means you are legally required to:
- Respond within the specified deadline.
- Provide truthful and complete information.
- Grant access to the requested data and documents.
- Allow, if necessary, inspections of your systems or records.
Failure to cooperate, or doing so inadequately, may constitute a very serious infringement. Such infringements can result in administrative fines of up to €20 million or, in the case of a company, up to 4% of its total global annual turnover, whichever is higher.
WHAT HAPPENS IF I DON’T RESPOND OR COOPERATE WITH THE AEPD?
Ignoring a request won’t make the problem go away; it can actually make things worse.
If you fail to respond within the deadline or do not cooperate properly, the AEPD may:
- Initiate formal sanction proceedings.
- Impose a fine for obstruction (even before confirming a substantive breach) of up to €20 million or 4% of global annual turnover.
- Treat your lack of cooperation as an aggravating factor in any subsequent penalty.
Remember that AEPD inspectors have extensive powers. They can, for example, request any information needed, conduct on-site inspections, examine documents where the data are stored or processed, and review physical or logical systems.
However, if your organisation acts quickly and in good faith to correct the issue, the AEPD may close the case without imposing a sanction. If you can demonstrate that you’ve adopted appropriate measures to comply with data protection regulations, the Agency may decide to close the complaint, provided that no formal investigation or penalty process has yet begun.
The best strategy is always to respond on time, transparently and constructively.
CONCLUSION: DON’T IGNORE THE REQUEST, RESPOND WITH EXPERT SUPPORT
In many cases, if you act promptly and sensibly, you can prevent an AEPD request from becoming a long-term problem. Understanding what’s being asked, preparing a thorough response and following the proper procedure are key to avoiding sanctions and demonstrating compliance.
If you’ve received a request from the Spanish Data Protection Agency, don’t face it alone. At Conesa Legal, our data protection specialists can help you analyse the situation, draft an appropriate response, and manage communication with the Agency.
Contact us today for tailored advice and an effective, compliant response.
