Spain: Data Protection Agency published clarification on General Data Protection Regulation regarding AI

On 11 March 2025, the Spanish Data Protection Agency (AEPD) published an article on artificial intelligence (AI) and data protection, referring to a recent publication by the UK's Information Commissioner's Office (ICO). The ICO's consultation on generative AI identified several points for clarification, including the requirement that incidental processing of personal data falls within the scope of data protection laws. The ICO stated that data protection rules apply to any processing of personal data, regardless of intent. It also noted that common practices do not necessarily reflect individuals' expectations of how their data will be used. The publication notes that the legal definition of personal data includes a wider range of information than 'personally identifiable information' (PII). It also notes that generative AI models may store or disclose personal data. The AEPD outlines that AI systems are subject to existing data protection regulations, referring to compliance requirements and transparency obligations in AI development.