Spain: Data Protection Agency published information note analysing risks arising from using third-party images in artificial intelligence systems

On 13 January 2026, the Spanish Data Protection Agency (AEPD) published an information note analysing the data protection implications of using third parties’ images in Artificial Intelligence (AI) systems. The note applies to AI providers, platforms, and users that upload, generate, modify, or disseminate images or videos of identifiable persons. It highlights visible risks, including sexualisation and synthetic intimate content, attribution of false events with reputational effects, decontextualisation, wide dissemination, and heightened impact on minors and vulnerable persons. It also identifies less visible risks arising merely from uploading images, including effective loss of control due to third-party processing, hidden retention and copies, involvement of multiple actors, additional provider purposes, metadata and internal inferences, persistent identification across generated content, information asymmetry limiting the exercise of rights, and exposure through errors or security incidents. The note clarifies that some uses may fall outside the General Data Protection Regulation in strictly personal or household contexts, that images of deceased persons are generally excluded, and that other legal regimes, including image rights and criminal law, may apply. The note signals particular supervisory attention where risks are amplified, including loss of control over one’s image, generation of plausible but false content, sexualisation, humiliation or discredit, involvement of minors or vulnerable individuals, and dissemination with significant personal, social, or professional impact.