Spanish DPA Issues Guidance on Agentic AI and Data Protection Obligations, February 2026

On 18 February 2026, the Spanish Data Protection Authority (Agencia Española de Protección de Datos, AEPD) published a guidance document titled "Inteligencia artificial agéntica desde la perspectiva de la protección de datos" (Agentic artificial intelligence from the perspective of data protection). The document addresses AI systems that operate autonomously to complete tasks, use tools, and process personal data without continuous human intervention. It applies the General Data Protection Regulation (GDPR) and the Spanish Organic Law 3/2018 of 5 December 2018 on Personal Data Protection and Guarantee of Digital Rights (LOPDGDD) to agentic AI deployments.

The AEPD guidance identifies the relevant GDPR provisions applicable to agentic AI systems. It addresses Article 5 (principles of processing), Article 6 (lawfulness of processing), Article 13 and 14 (transparency obligations), Article 22 (automated decision-making), Article 25 (data protection by design and by default), and Article 35 (data protection impact assessments). The guidance states that organisations deploying agentic AI must determine the role of each actor in the AI pipeline — whether as controller, joint controller, or processor under Articles 4(7), 4(8), and 26 GDPR — and that the autonomous character of the system does not dissolve these legal obligations.

Organisations that deploy or integrate agentic AI systems to process personal data of European Union residents must conduct a lawful basis analysis under Article 6 GDPR before deployment. Where the system makes decisions that produce legal or similarly significant effects, Article 22 GDPR applies and restricts fully automated processing unless an exception under Article 22(2) is met. Developers and deployers must implement data protection by design and by default under Article 25 GDPR, which includes minimising the personal data accessible to the AI agent. A data protection impact assessment under Article 35 GDPR is required where processing is likely to result in high risk, and the AEPD guidance indicates that agentic AI systems will ordinarily meet that threshold.

The guidance is non-binding but reflects the AEPD's supervisory position and signals how the authority will approach complaints and investigations involving agentic AI. The AEPD did not set a compliance deadline, but organisations already operating agentic AI systems that process personal data should treat the document as an immediate reference point for internal reviews. The guidance is published in Spanish; the operative framework remains the GDPR and LOPDGDD in their official texts.

Source: Agencia Española de Protección de Datos (AEPD), "Inteligencia artificial agéntica desde la perspectiva de la protección de datos," 18 February 2026, https://www.aepd.es/guias/orientaciones-ia-agentica.pdf (confirmed 18 March 2026).

The information provided is not legal, tax, investment, or accounting advice and should not be used as such. It is for discussion purposes only. Seek guidance from your own legal counsel and advisors on any matters. The views presented are those of the author and not any other individual or organization. Some parts of the text may be automatically generated. The author of this material makes no guarantees or warranties about the accuracy or completeness of the information.