Spain's AEPD Issues Guidance on Agentic AI Systems and GDPR Compliance, February 2026

On 18 February 2026, Spain's Agencia Española de Protección de Datos (AEPD) published a non-binding guide titled "Agentic Artificial Intelligence from the perspective of Data Protection." The guide addresses data protection obligations that apply when organizations deploy autonomous AI agent systems capable of planning, executing multi-step tasks, and acting without continuous human direction. The AEPD issued the guide in its capacity as Spain's national supervisory authority under Regulation (EU) 2016/679 (GDPR). The guide does not amend existing law; it clarifies how existing GDPR obligations apply to agentic AI deployments.


The AEPD identifies the data protection principles under GDPR Article 5 as the primary controlling authority. The guide focuses on Article 5(1)(b) (purpose limitation), Article 5(1)(c) (data minimisation), and Article 5(2) (accountability), together with Article 6 (lawfulness of processing), Article 25 (data protection by design and by default), and Articles 13–14 (transparency obligations toward data subjects). Where an agentic AI system involves multiple agents, each processing step must have a documented lawful basis under Article 6. Controllers must designate responsibility across multi-agent chains and record those designations under Article 30.


Organizations deploying agentic AI systems that process personal data must take specific practical steps. They must identify the controller and any processors at each stage of the agent pipeline and document those roles before deployment. They must restrict the agent's memory and context window to data strictly necessary for the defined task, applying Article 5(1)(c) data minimisation at the design stage. They must define the specific purpose for each agent action and not allow agents to repurpose data beyond that scope. Where agents interact with data subjects directly, controllers must provide transparency notices under Articles 13–14. Human oversight mechanisms must be built in at decision points where agents produce outputs that affect natural persons.


The guide is non-binding. It does not create new legal obligations beyond those already set out in the GDPR. The AEPD notes that agentic AI systems classified as high-risk under Annex III of the EU AI Act (Regulation (EU) 2024/1689) will be subject to additional requirements under that regulation, including conformity assessments and registration in the EU database, and that GDPR and the EU AI Act apply concurrently where both are triggered. The AEPD has been designated as Spain's competent authority for AI Act market surveillance in the areas within its existing supervisory mandate.


Source: Agencia Española de Protección de Datos (AEPD), "Agentic Artificial Intelligence from the perspective of Data Protection," published 18 February 2026, available at https://www.aepd.es/en/guides/agentic-artificial-intelligence.pdf. Confirmed 9 March 2026.


The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.

PLG Consulting LLC 

Kingstown, Saint Vincent and the Grenadines (Non-Legal Consulting Services)

Client Legal Services: Kyiv, Ukraine


© 2024 by Prokopiev Law Group
