The Spanish Data Protection Agency (AEPD) published this week its 2025 report with record numbers: 30,931 complaints filed (64% more than 2024), 48,108,765 euros in total fines, and 77 proceedings opened for data breaches alone (157% more than the previous year). The jump isn't marginal, it's a structural signal: citizen awareness rose, case complexity increased, and the regulator is scaling capacity. This article sets out what that data means for your SaaS and five operational layers that drastically reduce the probability of being the next case file.

What the 2025 figures indicate about 2026-2027

  • Breach complaints grow at twice the rate of general ones: 77 proceedings in 2025 vs 30 in 2024 (+157%). The user now knows what a breach is and where to report it.
  • Cross-border cases lead: 1,118 new cases (+36%) and 47 led by AEPD as principal authority (+114%). If your SaaS operates in several EU countries, your judge is no longer just your home country's.
  • The cumulative number of registered DPOs reached 126,176, making the role the norm: the regulator no longer accepts "we didn't know we needed one".

The areas where AEPD reported most sanctioning activity

Area                                          Why the regulator cares
Unnotified security breaches                  19.8 million euros in fines in 2025
Cookies and trackers                          Visible cases, easy verification, recurring fines
Incomplete user information                   Unclear privacy policy, undocumented legal basis
Data transfer to third parties without basis  Tracking pixels, marketing tool integrations without consent
Processing without designated DPO             When legally required and the company doesn't have one

The five layers that reduce risk

1. A real per-jurisdiction privacy policy, not copy-paste

A policy that says "we comply with GDPR" without breaking down legal bases, retention periods, user rights, and the complaint procedure will not hold up before the AEPD. Each personal data flow in your product must map to a legal basis (consent, contract, legitimate interest, legal obligation) and be documented.

2. Cookie banner with version traceability

When a cookies complaint arrives, your defense is proving which cookie policy version the user accepted and on which date. A banner that only records "yes/no" without version traceability is no defense. A banner that logs timestamp + document version is.
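As an added illustration (not code from the article or from any product it mentions), here is a minimal consent ledger that stores the timestamp, the policy version label and a hash of the exact policy text, so the question a cookies complaint asks, which version did this user accept on which date, can be answered from the log rather than from memory. User ids, versions, policy texts and dates are constructed sample data.

```python
import hashlib
from dataclasses import dataclass
from datetime import datetime, timezone

@dataclass(frozen=True)
class PolicyVersion:
    version: str   # label shown in the banner, e.g. "2025-03-01" (constructed)
    text: str      # exact wording the user saw

    @property
    def digest(self) -> str:
        # Hash of the exact text: ties the record to the wording, not just to the label
        return hashlib.sha256(self.text.encode("utf-8")).hexdigest()

@dataclass(frozen=True)
class ConsentRecord:
    user_id: str
    accepted_at: datetime   # UTC timestamp of the click
    policy_version: str
    policy_digest: str
    choices: dict           # per-category decision, e.g. {"analytics": True}

class ConsentLedger:
    # Append-only: every consent event is a new record, nothing is overwritten
    def __init__(self):
        self._records = []
    def record(self, user_id, policy, choices, when):
        rec = ConsentRecord(user_id, when, policy.version, policy.digest, dict(choices))
        self._records.append(rec)
        return rec
    def consent_in_force(self, user_id, at):
        # Most recent record at or before `at`: what had the user accepted on that date?
        hits = [r for r in self._records if r.user_id == user_id and r.accepted_at <= at]
        return max(hits, key=lambda r: r.accepted_at, default=None)
    def matches(self, rec, policy):
        # Label AND digest must agree: a silently edited text with the same label fails
        return rec.policy_version == policy.version and rec.policy_digest == policy.digest

# Constructed sample data: two policy versions and one user who accepted each in turn
V1 = PolicyVersion("2025-03-01", "Cookie policy v1: analytics cookies, 12-month retention.")
V2 = PolicyVersion("2025-09-15", "Cookie policy v2: analytics and marketing cookies.")

def build_ledger():
    ledger = ConsentLedger()
    ledger.record("u42", V1, {"analytics": True, "marketing": False}, datetime(2025, 4, 2, 10, 0, tzinfo=timezone.utc))
    ledger.record("u42", V2, {"analytics": True, "marketing": True}, datetime(2025, 10, 1, 9, 30, tzinfo=timezone.utc))
    return ledger

def lookup(ledger, user_id, iso_utc):
    # Answer "what had this user accepted on this date?" from an ISO-8601 UTC string
    return ledger.consent_in_force(user_id, datetime.fromisoformat(iso_utc))
```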

3. 72-hour breach notification with rehearsed process

GDPR Article 33 sets a 72-hour deadline. Most small SaaS discover at hour 70 that they don't know who to alert internally, what must be notified, what need not be, and where the AEPD notification form is submitted. Having a 1-page runbook ready is the difference between compliance and non-compliance.

4. Up-to-date processor agreements

If you use Stripe, AWS, SendGrid, HubSpot, or any tool touching personal data, you need a signed and current DPA (Data Processing Agreement). Audits start with "show us the contracts"; if they're missing, the proceeding lengthens.

5. Written Record of Processing Activities (ROPA)

GDPR Article 30: an internal document recording what data you process, why, where it goes, and how long you retain it. It is not published, but the regulator can request it. A sheet in Notion works if it has the correct content.

The most common error AEPD sees in small SaaS isn't malice, it's disorganization. The five layers above don't require expensive technology: they require discipline to keep them current. The difference between the SaaS that walks out clean and the one paying 100,000 euros is usually an afternoon of organization.

The "Priority Channel" and why it matters

AEPD enabled a Priority Channel for sensitive content (non-consensual, intimate, minors) with accelerated resolution. If your SaaS manages user profiles, photos, or user-generated visual content, you must have a fast takedown process. Not having it is no longer "good practice", it's regulatory exposure.

Official resources worth bookmarking

  • The AEPD's web tools page offers sectoral guides and official templates
  • The new interactive tool to consult breach notifications lets you see what other companies report and learn from cases
  • AEPD's Strategic Plan 2025-2030 marks priority regulatory approaches (AI, minors, breaches)

The 64% complaint increase "evidences growing complexity in cases due to new technologies" (2025 report from AEPD). Operational translation: the regulator isn't relaxing, it's scaling capacity and focus.

Conclusion

2025 was the year of complaint normalization in Spain. SaaS starting 2026 without the five basic operational layers have a real, not theoretical, probability of appearing in the next AEPD report. Tools to get organized are cheap; the cost of not doing so grows year by year.

If you want to centralize the generation and update of privacy policy, cookies, ToS, and maintain version history per project in a single dashboard, Termerly is free and covers GDPR requirements from day one.