AEPD Inspection: a step-by-step guide for companies

·

Receiving a notification from the Agencia Española de Protección de Datos — AEPD (Spanish Data Protection Agency) can be unsettling for any organisation, whether a small business, a clinic or a service company. However, an inspection is not the end of the road: in many cases it marks the beginning of a dialogue with the supervisory authority, and preparation, documentation and a cooperative attitude largely determine the outcome. This guide explains, with regulatory rigour, what the inspection procedure entails, what rights the inspected party holds, and what documentation should be ready from day one.

What Triggers an AEPD Investigation?

The AEPD may initiate proceedings on its own initiative (ex officio, after detecting signs of an infringement) or following a complaint or report submitted by an individual, a company or any other entity. In both cases, the first formal step is usually the preliminary investigative actions, governed by article 67 of Organic Law 3/2018 of 5 December on the Protection of Personal Data and the Guarantee of Digital Rights (LOPDGDD).

These preliminary actions are investigative rather than punitive: the AEPD gathers information, requests documentation and, if deemed necessary, may visit the premises of the controller or processor. Article 58(1) of Regulation (EU) 2016/679 (GDPR) sets out the investigative powers of supervisory authorities: access to any personal data, access to premises, access to processing equipment and the ability to obtain copies of documents.

A preliminary inquiry does not automatically lead to penalty proceedings. Many cases conclude with a closure, voluntary improvement measures or resolution of the complaint without a fine. The key is to respond promptly, rigorously and with solid documentation.

Phases of the AEPD Inspection Procedure

The AEPD procedure is structured in distinct stages. Understanding them helps prioritise actions and avoids confusing an information request with an already-imposed sanction.

Phase Legal basis What happens Typical response deadline
Preliminary investigative actions Art. 67 LOPDGDD · Art. 58(1) GDPR The AEPD requests information, documentation or access to premises. No formal charge has been filed yet. As specified in the request (usually 10–15 working days)
Closure or referral decision Art. 67 LOPDGDD If no signs of infringement are found, the case is closed. If signs exist, the case is referred to penalty or reprimand proceedings. No deadline for the inspected party at this stage
Reprimand proceedings Art. 77 LOPDGDD For public administrations and certain bodies: the AEPD may issue a reprimand instead of a financial penalty. Plea deadline: minimum 10 working days
Penalty proceedings Arts. 63–69 and 70–78 LOPDGDD · Art. 83 GDPR A formal charge is filed. The respondent may submit pleas, propose evidence and appeal the resolution. Plea deadline: 10 working days from notification of the statement of objections
Final resolution Art. 64 LOPDGDD The AEPD issues a resolution with corrective measures or a fine. Appealable before the Audiencia Nacional (National Court). 12 months from the opening of proceedings (extendable)

It is important to stress that financial penalties are only imposed by a final resolution at the conclusion of penalty proceedings. Until that point, the inspected party retains all its defence rights.

Rights of the Inspected Organisation

Throughout any AEPD action, the inspected organisation holds a set of rights recognised both by the LOPDGDD and by Law 39/2015 of 1 October on the Common Administrative Procedure of Public Administrations:

Knowing these rights and exercising them at the right moment is as important as having documentation in order. At Summum Consultoría we support organisations from the moment they receive the first AEPD communication, helping them structure their response and exercise their rights effectively.

Duties During the Inspection

Alongside rights, the inspected party has obligations whose breach may worsen its position:

A proactively cooperative attitude — responding promptly, submitting well-organised documentation and demonstrating improvement measures already taken or under way — is one of the factors the AEPD expressly considers when calibrating penalties, in accordance with article 83(2)(f) GDPR.

Key Documentation You Must Have Ready

The accountability principle in article 5(2) GDPR requires the controller to be able to demonstrate compliance, not merely to comply. In an inspection, this means having the following documentation readily accessible:

1. Record of Processing Activities (RoPA)

The Record of Processing Activities (RoPA), governed by article 30 GDPR, is the central document in any data protection audit. It must capture, for each processing activity: purposes, categories of data and data subjects, recipients (including international transfers), retention periods and security measures. An outdated, incomplete or inaccurate RoPA is one of the most common findings in AEPD inspections and signals poor data governance.

2. Data Processing Agreements

Article 28 GDPR requires formalising in writing — on paper or in electronic format — all contracts with processors: cloud providers, payroll management platforms, accounting firms, email marketing services, software developers who access client data, etc. The absence of these agreements, or insufficient content, is a standalone infringement that the AEPD investigates systematically. The agreement must include at minimum: the subject matter, duration, nature and purpose of the processing, the type of personal data and categories of data subjects, the obligations and rights of the controller, and documented processing instructions.

3. Legal Basis for Each Processing Activity

Each activity in the RoPA must have a legal basis from those set out in article 6 GDPR (consent, contract, legal obligation, vital interests, public interest or legitimate interest). Where processing is based on consent, records must be kept demonstrating when, how and by whom that consent was given.

4. Privacy Policy and Information Clauses

Information texts addressed to data subjects (web forms, client contracts, job applicants, etc.) must meet the requirements of articles 13 and 14 GDPR. The AEPD verifies that the information is complete, transparent and available at the point of data collection.

5. Data Protection Impact Assessments (DPIAs) Where Required

For high-risk processing — large-scale video surveillance, profiling of individuals, large-scale processing of special categories of data — article 35 GDPR requires a Data Protection Impact Assessment (DPIA) before the processing begins. If the organisation carries out any such processing without a DPIA, its absence is a direct non-compliance that an inspection will detect.

6. Security Breach Register

Article 33(5) GDPR requires documenting all security breaches, both those notified to the AEPD and those that are not. This register evidences that the organisation has active detection and response mechanisms. If you want to review your notification protocol, see our guide on how to notify a security breach to the AEPD within 72 hours.

How to Act in the First Days After Receiving the Communication

The first moves are decisive. These are the priorities when receiving any AEPD communication:

  1. Read the notification carefully: identify whether it is an information request within preliminary investigations, a statement of objections in penalty proceedings or another type of communication. The type of notice determines the deadline and the appropriate response.
  2. Note the response deadline and do not wait until the last moment. If the deadline is insufficient, a reasoned extension may be requested before it expires.
  3. Designate an internal point of contact (or the DPO, if one exists) to coordinate document collection and communication with the AEPD.
  4. Gather the relevant documentation: RoPA, processing agreements, legal bases, privacy policies, consent records and any other documentation related to the processing under investigation.
  5. Assess whether external support is needed: in penalty proceedings, obtaining specialised advice from the outset — before responding to the statement of objections — can make a significant difference in the pleas and in proposing corrective measures.
  6. Do not delete or modify documentation related to the processing under investigation: any alteration after the notification could be interpreted as obstruction.

The Sanctioning Framework Under the GDPR and the LOPDGDD

Article 83 GDPR establishes two tiers of administrative fines. The most serious infringements — including violating the processing principles of article 5, lacking a legal basis (art. 6) or failing to meet the conditions for consent (art. 7) — may attract fines of up to €20,000,000 or 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Second-tier infringements — absence of processing agreements, failure to notify breaches, lack of a DPIA — carry a ceiling of €10,000,000 or 2% of worldwide annual turnover, whichever is higher.

The LOPDGDD (Organic Law 3/2018) supplements this framework in its article 72 (very serious infringements), article 73 (serious infringements) and article 74 (minor infringements), aligning it with the GDPR categories. For public administrations and certain bodies, article 77 LOPDGDD provides for a reprimand rather than a financial penalty, although the resolution is made public.

When determining the level of the fine, the AEPD takes into account factors such as the severity of the infringement, the number of data subjects affected, the categories of data involved, intent or negligence, measures taken to limit the damage and the degree of cooperation with the supervisory authority (art. 83(2) GDPR). Demonstrating that robust corrective measures have been or are being adopted can significantly influence the final resolution.

The Role of the DPO During an Inspection

The Data Protection Officer (DPO), whose designation is mandatory in the cases set out in article 37 GDPR, plays a central role during an inspection. Functions include acting as point of contact with the AEPD (art. 39(1)(e) GDPR), coordinating document collection and ensuring the organisation's response is coherent and complete. The DPO must have direct access to the organisation's senior management and may not receive instructions regarding the exercise of their tasks.

Organisations that do not have a mandatory DPO but that are facing AEPD proceedings may benefit from engaging an external DPO to act as a specialised point of contact throughout the process, without needing to add a permanent headcount.

If your organisation needs to prepare its documentation ahead of a potential inspection, or has just received a communication from the AEPD, the Summum Consultoría team offers support through all phases of the procedure from our offices in Castilla y León and the Canary Islands.

Frequently Asked Questions

Can the AEPD visit my premises without prior notice?

Article 58(1)(f) GDPR empowers supervisory authorities to access the premises of the controller or processor, including any data processing equipment. In practice, the AEPD typically begins proceedings with written information requests before conducting in-person visits, but it is not required to give advance notice of a visit when there are indications of a risk of evidence concealment. In any case, the organisation has the right to demand the identification of the inspectors and the presentation of the authorisation document enabling the inspection.

Am I required to answer all of the AEPD's questions?

The duty to cooperate with the AEPD is broad but not unlimited. The organisation must provide the information requested within the scope of the inspection, but it has the right for that information to be used exclusively for the purposes of the procedure and for its procedural rights to be respected. If any of the questions asked could affect interests protected by professional secrecy or other sector-specific rules, it is advisable to seek legal advice before responding.

What happens if I correct the non-compliance before the AEPD issues its resolution?

Adopting corrective measures during the procedure — before the final resolution — is one of the mitigation factors that article 83(2)(f) GDPR expressly recognises. The AEPD may take this into account to reduce the severity of the fine or, in less serious cases, to resolve without a financial penalty. However, subsequent correction does not automatically eliminate the infringement: its value depends on the type of non-compliance, when the measures are taken and the organisation's prior compliance history.

Can I appeal the AEPD's penalty resolution?

Yes. AEPD resolutions may be challenged directly before the Administrative Chamber of the Audiencia Nacional (National Court) within two months of notification, pursuant to Law 29/1998 of 13 July governing Administrative Jurisdiction. It is not necessary to lodge a prior administrative appeal before the AEPD itself, although this is possible within one month if the organisation considers it appropriate. During the appeal process, the organisation may request that enforcement of the resolution be suspended if the appeal appears to have a sound legal basis.