AEPD and Agentic AI: How Spain Is Regulating Autonomous Generative AI
The Spanish Data Protection Agency (AEPD) has, in recent years, been one of Europe's most active authorities in clarifying how GDPR applies to artificial intelligence. In 2026, its focus has shifted to a new target: autonomous agents. If your organization is experimenting with agentic AI, here's what the AEPD expects from you.
From Chatbots to Autonomous Agents
During 2023 and 2024, the regulatory debate centered on generative models: hallucinations, reproduction of personal data, lack of transparency. In 2025, the debate shifted toward general-purpose AI (GPAI) models and their obligations under the AI Act. In 2026, the center of gravity has moved again: the conversation now is about agentic AI, systems that don't just generate text or images but act: invoking tools, writing to databases, completing transactions, browsing the web, executing code.
The difference is fundamental. A chatbot recommends; an agent acts. And action multiplies both productivity opportunities and risk surfaces. The AEPD has identified this and, with its tradition of publishing technically solid guidance, has begun mapping the problem with an approach aligned with the European Data Protection Board (EDPB).
Why Agents Pose New Risks for Data Protection
Classic data protection assumes well-defined processing: one purpose, one legal basis, identifiable data, one controller. Autonomous agents break several of these assumptions at once:
1. Chained Purposes
An agent "helping the user plan a trip" can end up checking their calendar, sending emails, booking services, and sharing data with third parties. Each action is processing with its own purpose, but the user only consented to the first one. The chain of derived purposes was never explicitly covered.
2. Prompt Injection
Unlike a traditional program, an agent reads external content (emails, websites, documents) and can be persuaded by instructions hidden within that content to take unauthorized actions: sending personal data out, modifying records, executing transactions. It's an attack vector with no direct equivalent in non-agentic systems.
3. Persistent Memory and Covert Profiling
Many agents retain information from previous sessions to improve performance. That memory, if not bounded, can build up a user profile without an explicit legal basis and without the data subject perceiving it as data processing.
4. Insufficient Traceability
When something goes wrong with an agent — improper data was sent, a wrong decision was made — reconstructing the causal chain is very different from reviewing logs of a deterministic program. The agent may have queried three tools, called the model five times, received inputs from external sources. Without specific observability, exercising the right of access or investigating incidents becomes impractical.
The AEPD's Approach
In recent months, the AEPD has published guidance extending to agents the general framework it already applied to generative systems. The guiding principles, simplified, are:
Privacy by Design Also Applies to Agents
Art. 25 of GDPR requires data protection by design and by default. The AEPD insists this applies to the agent's design, not just the underlying model: limiting which tools the agent can invoke, explicitly defining which personal data it can read and write, and applying the principle of least privilege to every connection.
Impact Assessment (DPIA) as a Default Requirement
The AEPD considers that agents processing personal data must undergo a data protection impact assessment before deployment. The reason: the characteristics the AEPD associates with "high probability of high risk" (innovative use, automated decisions, mass processing, sensitive data, profiling) tend to converge in agentic systems.
Meaningful Human Oversight
An "approve" button at the end of the chain isn't enough. The AEPD agrees with the AI Act in requiring meaningful human oversight: the person supervising must have understandable information, reasonable time, and a real ability to interrupt or correct the agent's actions.
Enhanced Transparency
Users must know they are interacting with an agent, which tools it can invoke on their behalf, what personal data of theirs is processed at each step, and how that memory is retained. Generic clauses like "we use AI to improve the service" don't meet this standard.
Specific Legal Bases per Action
If an agent's action involves a new purpose (for example, booking an external service on the user's behalf), it must have its own legal basis. Chaining everything under an initial generic consent is not valid.
Expected Mitigations for Companies Deploying Agents
Under the current doctrine, an organization putting an agent that processes personal data into production should be able to demonstrate at least the following:
- Agent capability inventory: which tools it can invoke, over what data, with what effects. Documented and reviewed.
- Granular permissions: the agent accesses only the data strictly necessary for each task, with permissions differentiated by user and use case.
- Test sandbox: environments where the agent is tested against prompt injection attacks before deployment.
- Extended logging: recording every interaction the agent has with external tools, with time, parameters, and result, to reconstruct any action after the fact.
- Human review for high-impact actions: defined by policy, not technical default. Irreversible actions or those affecting rights require human approval before execution.
- Documented DPIA: analyzing the specific risks of agentic systems (chaining, injection, persistent memory).
- Clear retention policy for agent memory: what is stored, for how long, under what legal bases, and how the user can review or request its deletion.
Coordination With AESIA and the AI Act Dimension
The AEPD doesn't act alone. AESIA (the Spanish AI Supervision Agency) is the national market surveillance authority for the AI Act, and jurisdictions overlap in many practical cases. An agent deployed in HR for hiring decisions falls simultaneously under the AI Act's high-risk category (Annex III) and under GDPR (automated decisions, Art. 22). The two authorities can investigate the same system from different angles.
This isn't duplication — it's the current European reality. Serious organizations are building their agentic AI compliance files with a single body of evidence that serves both authorities, with specific sections for each regulation.
What's Next
The European landscape is converging. The EDPB published specific guidelines during 2025 and 2026 on agentic AI and generative models under GDPR, and the European Commission has expanded the AI Act Service Desk with agent-specific FAQs. The AEPD operates within that European framework and generally anticipates or quickly incorporates common doctrine.
For any organization experimenting with agents, the practical takeaway is: treat them as high-risk systems from day one, even if they're not formally classified as such. Document the DPIA, define granular permissions, audit the logs, and prepare your compliance file assuming the AEPD or AESIA may ask for it someday. Those who start with that discipline gain an advantage; those who don't, sooner or later end up rebuilding the system.
Where does your organization stand?
Free maturity assessment for AI Act, Data Governance, NIS2 and GDPR. Instant results with your priority gaps.
Take the assessment → View templates →