Global Data and Cyber Handbook

Spain

Select a Topic
Start Comparison
Artificial Intelligence, Profiling and Automated Decision Making
Jump to
Artificial Intelligence, Profiling and Automated Decision Making Start Comparison
Are there any restrictions or requirements related to creating profiles of data subjects or utilizing automated decision-making for decisions related to data subjects, including with respect to artificial intelligence?

[Last reviewed: January 2025]

Yes.

The restrictions or requirements are as follows:

☒   qualified right not to be subject to a decision based solely on automated decision making, including profiling – for example, only applicable if the decision produces legal effects concerning them or similarly significantly affects them

☒   right to information / transparency requirement

☒   right to request human review of the automated decision making

☒   other

The Spanish Law of Data Protection and Guarantee of Digital Rights adds a new article 58bis to the Law of General Electoral System, according to which:

  • political parties, coalitions and electoral groups may use personal data obtained from websites and other publicly accessible sources for the conduct of political activities during the electoral period
  • sending of electoral propaganda by electronic means or messaging systems and the contracting of electoral propaganda in social networks or equivalent media shall not be considered a commercial activity or communication

The informative activities referred to above shall identify their electoral nature in a prominent manner.

The addressee shall be provided with a simple and free means of exercising the right of opposition.

If such restrictions or requirements exist, are they subject to any exceptions?

[Last reviewed: January 2025]

Yes.

The exceptions are as follows:

If the decision:

  • is necessary for entering into, or performance of, a contract between the data subject and a data controller
  • is authorized by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, or
  • is based on the data subject's explicit consent
Has the data privacy regulator issued guidance on data privacy and artificial intelligence, automated decision-making or profiling?

Last reviewed: January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide guidance.

Yes.

Different guidelines and technical notes from the Spanish Data Protection Agency on Artificial Intelligence: https://www.aepd.es/areas-de-actuacion/innovacion-y-tecnologia#IA

Most relevant documents issued in this sense:

Requirements for data audits on processing activities that include Artificial Intelligence: https://www.aepd.es/documento/requisitos-auditorias-tratamientos-incluyan-ia.pdf

Has the data privacy regulator taken enforcement action in relation to artificial intelligence, including automated decision-making or profiling?

Last review date: January 2025

         Enforcement activity against AI developer(s)

         Enforcement activity against AI user(s)/deployer(s)

         Enforcement activity under existing privacy law

         Enforcement activity by data or cyber regulator

Do other (non-personal data or cybersecurity) laws or regulations impose restrictions on use of artificial intelligence, automated decision-making or profiling?

Last reviewed: January 2025

Please refer to the EU Chapter for detailed information regarding EU-wide legislation.

   Yes, laws in force

☒   Draft legislation in progress

The EU AI Act was passed on 13 March 2024. Please refer to the EU chapter for more information on the EU AI Act.

Under Art. 26 (3) of the DSA, providers of online platforms may not present advertisements to recipients of the service based on profiling as defined in Art. 4 GDPR using special categories of personal data referred to in Art. 9 (1) GDPR. Furthermore, pursuant to Art. 28 (2) of the DSA, providers of online platforms may not present advertisements on their interface based on profiling (within the meaning of Art. 4 GDPR) using personal data of the recipient of the service when they are aware with reasonable certainty that the recipient of the service is a minor. In addition, according to Art. 38 DSA, providers of very large online platforms and of very large online search engines that use recommender systems must provide at least one option for each of their recommender systems which is not based on profiling (within the meaning of Art. 4 GDPR). Lastly, it is worth mentioning that Royal Decree-Law 9/2024, of 23 December adopting urgent measures in economic, tax, transport, and social security matters, and extending certain measures to address situations of social vulnerability entered into force on 25 December 2024. This decree establishes the sanctioning procedure of the DSA in Spain and, among other things, the collaboration between the National Commission on Markets and Competition ("CNMC") and the Spanish Data Protection Agency ("AEPD") regarding Articles 26.3 and 28.2 of the DSA with respect to certain uses of profiling.

Mention of use of artificial intelligence systems in the employment context: https://www.boe.es/buscar/act.php?id=BOE-A-2015-11430

 

{{ $store.state.loadingScreen.message }} ...