Spanish Data Protection Agency

The Spanish Data Protection Agency (AEPD, Agencia Española de Protección de Datos) is an independent agency of the government of Spain which oversees the compliance with the legal provisions on the protection of personal data. The agency is headquartered in the city of Madrid and it extends its authority to the whole country.

Apart from the AEPD, there are regional data protection agencies. These agencies have limited access to the files of public administrations because all that information remains the responsibility of the national agency. Currently there are only two regional agencies: the Catalan Data Protection Authority and the Basque Data Protection Agency. From 1995 to 2013, there was also the Data Protection Agency of the Community of Madrid.

Legal basis and foundation
The AEPD was established by Royal Decree 428/1993 of 26 March, as amended by Organic Act 15/1999 on the Protection of Personal Data. This amendment implemented Directive 95/46/EC. The agency was created in the context of the Spanish Constitution of 1978, Article 18.4, stating that "the law shall restrict the use of informatics in order to protect the honour and the personal and family privacy of Spanish citizens, as well as the full exercise of their rights" as elaborated by Organic Law 5/1992.

Major activities
The AEPD is a public law authority enjoying "absolute independence from the Public Administration". It is responsible for:

In response to the latter point, the AEPD advocated:
 * Information awareness about its activities and the right to protection of personal data (including 450 interviews and 850 "impacts" on media)
 * Direct assistance in response to citizen queries (47,741 in 2007)
 * Procedures to protect rights of individuals to access, rectify, cancel, and object. Most common are processes to cancel (62%) and access (32%)
 * Registry of filing systems (1,017,266 total entries)
 * Inspection and sanction procedures (399 sanction procedures resolved with €19.6 million in fines)
 * Advocacy leading to Royal Decree 1720/2007
 * Cooperation with international agencies and those of the autonomous communities of Catalonia, the Basque Country, and Madrid
 * Evaluation of emerging risks, including personal data on the Internet, generalisation of video surveillance systems, employer monitoring of labor by video surveillance, biometrics, and Internet usage, and intensification of international data flows


 * Developing procedures allowing copyright protection in a manner compatible with the fundamental right to data protection
 * Regulating the anonymized publication of judgements passed by Courts of Law
 * Regulating internal whistleblowing systems available to workers within companies, outlining the activities in which it may be necessary to establish these systems and guaranteeing the confidentiality of those reporting and the rights of those being reported on
 * Development of specific public policy plans for the protection of minors on the Internet
 * Increased caution in order to prevent the undesirable exchange of sensitive personal data on the Internet via P2P networks
 * Fostering of self-regulation among the media to guarantee privacy and the protection of personal data, by encouraging more respect for the usage in relation to the data protection provisions
 * Citizen guideline actions regarding the use of guarantees of confidentiality for the recipients of emails
 * Plan for the Fostering of Good Practices in terms of guaranteeing privacy in Official Gazettes and Journals, by adopting measures that, without affecting their purpose, will limit the gathering of personal information by Internet search engines
 * Local Strategy aimed at conforming the installation of traffic control cameras to the provisions on the protection of personal data

Notable cases
The AEPD has been conducting anti-spam investigations since 2004, collaborating with foreign agencies such as the United States Federal Trade Commission.

The AEPD has come into conflict with Google over information gathered from Wi-Fi networks as Google Street View images were taken, asserting that "it has been verified that data on the location of wifi networks, with the identification of their owners, and personal data of a diverse nature in communications, such as names and surnames, messages associated with such accounts and message services, or user codes or passwords" had been collected. It has also demanded the removal of approximately 90 names from search results, claiming a "right to be forgotten". Google is contesting both actions.