AI Debt Collection in Spain & Italy: Southern European Guide
Regulatory Notice
Spain and Italy have among the strictest consumer protection and data privacy enforcement in the EU. Both countries' data protection authorities - AEPD in Spain and Garante in Italy - have issued guidance specifically addressing automated communications and AI in financial services. Deploying AI debt collection in southern Europe requires country-specific compliance beyond baseline GDPR. This guide covers the key regulations, practical requirements, and compliance steps for AI voice agents in both markets.
Southern European Debt Collection Landscape
Southern Europe presents both a massive opportunity and a complex regulatory challenge for AI debt collection. Spain and Italy together hold approximately 99 billion euros in non-performing loans (NPLs), making them two of the largest debt collection markets in the EU. The volume of consumer and commercial debt, combined with slow judicial recovery processes, creates strong economic incentive for efficient collection methods.
However, both countries have cultural and legal frameworks that prioritize debtor protection more strongly than northern European markets. Consumer protection laws, data privacy enforcement, and communication restrictions are more detailed and more actively enforced. AI systems that work in Germany or the Netherlands may not comply with Spanish or Italian requirements without significant adaptation.
1. Spain's debt collection market is valued at 8.2 billion euros annually
Spain's collection industry handles approximately 47 billion euros in non-performing loans across consumer credit, mortgages, telecommunications, utilities, and commercial debt. The market has grown 12% since 2022, driven by rising consumer credit and post-pandemic debt. Major players include EOS Spain, Hoist Finance, and Axactor. (Source: Deloitte, European Debt Sales Market, 2025)
2. Italy's NPL market is the largest in southern Europe at 52 billion euros
Italy holds approximately 52 billion euros in non-performing loans, down from a peak of 341 billion in 2015 but still substantial. The Italian NPL market is dominated by specialized servicers - doValue, Cerved Credit Management, and AMCO handle the majority of portfolios. The average recovery timeline in Italy is 7-8 years through judicial channels, making pre-litigation collection critical. (Source: KPMG, European NPL Market Report, 2025)
Spain: Regulatory Framework
3. Spain regulates debt collection through multiple overlapping laws
Unlike countries with a single debt collection statute, Spain's regulatory framework combines several laws. The Ley General para la Defensa de los Consumidores y Usuarios (consumer protection), Ley Organica de Proteccion de Datos (LOPDGDD, the Spanish GDPR implementation), and the Codigo Civil all contain provisions affecting collection practices. There is no dedicated debt collection licensing law, but the Banco de Espana supervises financial institution collection practices.
4. Spanish calling hour restrictions: 9:00-21:00, no Sundays or public holidays
Debt collection calls in Spain must occur between 9:00 and 21:00 on weekdays and Saturdays. Calls on Sundays and national or regional public holidays are prohibited. Spain has 14 national public holidays plus additional regional holidays (Catalonia, Basque Country, etc.), so AI systems must track location-specific holiday calendars. Violation of calling hours can result in consumer protection complaints and fines up to 100,000 euros.
5. Spain requires explicit right-to-object disclosure in every AI collection call
Under LOPDGDD Article 21 and GDPR Article 21, Spanish debtors have the right to object to automated processing. The AEPD has clarified that AI collection calls must proactively inform the debtor of this right during the call - not just in a privacy policy. The disclosure must be in Spanish (Castilian) or the co-official language of the autonomous community (Catalan, Basque, Galician, Valencian).
| Requirement | Spain | Italy | EU Baseline (GDPR) |
|---|---|---|---|
| Calling hours | 9:00-21:00, no Sundays | 8:30-21:00, no Sundays/holidays | Not specified |
| AI disclosure | Must disclose in first 15 sec | Must disclose before substantive discussion | Required (Art. 13/14) |
| Call frequency limit | Max 3 per week (AEPD guidance) | Max 1 per day (Garante guidance) | Not specified |
| Recording consent | One-party consent | Two-party consent required | Varies by member state |
| Right to object | Must offer in each call | Must offer in each call | Required (Art. 21) |
| Language requirements | Castilian + co-official languages | Italian only (+ minority languages in designated areas) | Not specified |
| Data retention | Max 10 years (commercial) | Max 10 years (civil obligations) | 5 years recommended |
| DPA enforcement | AEPD - very active | Garante - very active | Varies |
Spain: AEPD Data Protection Requirements
6. The AEPD is one of Europe's most active data protection authorities
Spain's Agencia Espanola de Proteccion de Datos (AEPD) issued more GDPR fines than any other EU data protection authority in 2024 - over 600 sanctions totaling 45 million euros. The AEPD has specifically targeted automated calling systems and AI-driven marketing. Debt collection companies using AI must assume they will face AEPD scrutiny. (Source: AEPD Annual Report, 2024)
7. AEPD requires a DPIA for any AI-powered debt collection system
The AEPD's published list of processing activities requiring a Data Protection Impact Assessment (DPIA) explicitly includes automated decision-making in financial services and systematic monitoring through automated calling. Any AI debt collection deployment in Spain must complete a DPIA before going live. The DPIA must assess risks to debtor rights, data minimization compliance, and the necessity of AI processing.
8. Contact frequency: AEPD guidance limits collection calls to 3 per week per debtor
While not hard law, AEPD guidance and Spanish court precedent establish that more than 3 contact attempts per week constitutes harassment. This includes all channels - phone calls, SMS, email, and physical letters count toward the limit. AI systems must track cross-channel contact frequency per debtor and enforce the limit automatically.
Italy: Regulatory Framework
9. Italy requires registration with the OAM for debt collection activities
The Organismo Agenti e Mediatori (OAM) maintains a registry of authorized debt collection entities. Any company performing debt collection in Italy - including through AI agents - must be registered or work through a registered entity. The registration process takes 60-90 days and requires proof of compliance with anti-money laundering (AML) and consumer protection regulations.
10. Italian law requires two-party consent for call recording
Unlike Spain (one-party consent) or the US (varies by state), Italy requires explicit consent from all parties before a phone call can be recorded. This has significant implications for AI debt collection - the AI agent must ask for and receive verbal recording consent before proceeding. If the debtor declines recording, the system must continue the call without recording while still logging metadata. (Source: Codice della Privacy, Art. 617-quater)
Italy: Garante Privacy Requirements
11. The Garante issued specific guidance on AI in financial services in 2024
Italy's Garante per la protezione dei dati personali published guidance in September 2024 specifically addressing AI systems in banking and debt collection. Key requirements include: human oversight of all automated decisions affecting debtor rights, mandatory explainability of AI-driven collection strategies, and restrictions on profiling debtors without explicit consent. The guidance is not law but informs how the Garante will interpret GDPR in enforcement actions.
12. Garante limits collection call frequency to 1 per day per debtor
The Garante's guidance is stricter than Spain - a maximum of one collection contact per day per debtor across all channels. The Garante views excessive contact as a violation of the proportionality principle under GDPR Article 5(1)(c). Multiple contacts in a single day, even across different channels, can trigger enforcement action. This means AI systems in Italy need robust daily contact tracking per debtor.
13. Italian law provides extensive debtor rights during collection calls
During any collection call in Italy, the debtor has the right to: request the creditor's identity and authorization details, demand written confirmation of the debt amount and origin, challenge the debt amount, request a payment plan, and end the call at any time without penalty. AI agents must be programmed to handle all of these requests. Failing to honor a debtor's right to information can void the collection action entirely.
Spain vs Italy: Side-by-Side Comparison
| Factor | Spain | Italy |
|---|---|---|
| NPL volume | 47B EUR | 52B EUR |
| Collection market maturity | Mature, consolidated | Mature, fragmented |
| Avg recovery timeline (judicial) | 2-4 years | 7-8 years |
| DPA activity level | Highest in EU (by fine count) | Top 5 in EU |
| AI-specific guidance | AEPD general AI guidance | Garante financial services AI guidance |
| Licensing requirement | None (supervision by BdE) | OAM registration required |
| Debtor protection culture | Strong | Very strong |
| Language complexity | Castilian + 4 co-official | Italian + minority languages |
| AI readiness (infrastructure) | High | Moderate |
| Estimated compliance cost | 80,000-200,000 EUR | 100,000-250,000 EUR |
AI Voice Agent Compliance Checklist
Complete DPIA before deployment
Both Spain (AEPD mandate) and Italy (Garante expectation) require a Data Protection Impact Assessment. The DPIA must assess risks to debtor rights, evaluate data flows, document technical and organizational safeguards, and include a proportionality assessment. Engage local DPO or privacy counsel to prepare the DPIA in the national language.
Implement AI disclosure in the opening script
Within the first 15 seconds (Spain) or before substantive discussion (Italy), the AI agent must disclose that the debtor is speaking with an automated system. The disclosure must be in the appropriate national language and include the right to speak with a human agent and the right to object to automated processing.
Build country-specific calling hour and frequency controls
Spain: 9:00-21:00, max 3 contacts per week, no Sundays or public holidays (including regional). Italy: 8:30-21:00, max 1 contact per day, no Sundays or public holidays. Track frequency across all channels (phone, SMS, email) per debtor. Include regional holiday calendars.
Configure call recording consent flows
Spain: one-party consent is sufficient but best practice is to inform. Italy: two-party consent is legally required - the AI must explicitly ask for recording consent and handle refusal gracefully. Build separate call flows for consent-granted and consent-denied scenarios.
Establish human oversight mechanisms
Both jurisdictions require human oversight of automated decisions. Implement real-time monitoring dashboards, escalation triggers for disputed debts, and human review of all payment arrangements. Document the human oversight process for regulatory review.
Register with OAM (Italy only)
If operating in Italy, register the entity performing collection activities with the Organismo Agenti e Mediatori. Allow 60-90 days for the registration process. Foreign companies can register directly or work through a registered Italian partner.
Portugal & Greece: Additional Considerations
14. Portugal follows CNPD guidance that mirrors AEPD positions closely
Portugal's Comissao Nacional de Proteccao de Dados (CNPD) has not issued AI-specific debt collection guidance but generally follows AEPD interpretations. Portuguese calling hours are 9:00-21:00 on weekdays, 9:00-13:00 on Saturdays. Portugal's NPL market is smaller (8 billion euros) but growing, and the regulatory environment is relatively stable. Portuguese language AI capabilities are important - Brazilian Portuguese and European Portuguese differ enough to affect caller experience.
15. Greece's HDPA has limited AI guidance but strict consumer protection
Greece's Hellenic Data Protection Authority (HDPA) has not published AI-specific guidance for debt collection. However, Greek consumer protection law (Law 2251/1994) provides strong debtor protections including the right to challenge debts and restrictions on collection practices. Greece's NPL market remains significant at 12 billion euros, with recovery timelines of 5-10 years through judicial channels. AI voice agents in Greece must handle Greek language with regional dialect awareness.
Implementation Roadmap
Deploying AI debt collection in Spain and Italy is a 12-18 month process when done properly. The timeline accounts for regulatory analysis, DPIA completion, system development, compliance testing, and staged rollout. Rushing deployment risks regulatory action that can shut down operations entirely.
| Phase | Timeline | Key Activities | Deliverables |
|---|---|---|---|
| 1. Regulatory analysis | Months 1-3 | Legal review, DPA guidance analysis, gap assessment | Compliance requirements document |
| 2. DPIA and documentation | Months 3-5 | Data mapping, risk assessment, proportionality analysis | Approved DPIA, processing records |
| 3. System development | Months 4-8 | Call flow design, language/dialect config, CRM integration | Configured AI system |
| 4. Compliance testing | Months 8-10 | Script review, frequency limit testing, consent flows | Test reports, audit trails |
| 5. Pilot deployment | Months 10-14 | Limited rollout, performance monitoring, regulatory feedback | Pilot results, compliance metrics |
| 6. Full deployment | Months 14-18 | Scale-up, ongoing monitoring, DPA reporting | Production system, compliance dashboard |
Southern Europe represents a significant opportunity for AI debt collection, but the compliance requirements are non-negotiable. Companies that invest in proper regulatory analysis and build compliance into their AI systems from the start will find a large market with limited competition. Those that cut corners on compliance risk fines that dwarf the cost of doing it right. The AEPD and Garante are not theoretical threats - they are among the most active enforcement bodies in Europe.
Frequently Asked Questions
Yes, AI debt collection is legal in Spain provided it complies with GDPR (via LOPDGDD), consumer protection law, and AEPD guidance. Key requirements include completing a DPIA, disclosing AI use in every call, limiting contact to 3 times per week, and offering the right to object to automated processing.
Yes, with significant restrictions. Italian law requires OAM registration, two-party recording consent, Garante-compliant data processing, and human oversight of automated decisions. The Garante limits collection contacts to once per day per debtor. AI must disclose its automated nature before substantive discussion.
The AEPD (Agencia Espanola de Proteccion de Datos) is Spain's data protection authority. It issued more GDPR fines than any other EU DPA in 2024 - over 600 sanctions totaling 45 million euros. The AEPD actively targets automated calling systems, making it critical for AI debt collection compliance.
The Garante per la protezione dei dati personali is Italy's data protection authority. In September 2024, it published guidance on AI in financial services requiring human oversight, explainability of AI strategies, and consent for debtor profiling. It limits collection contact to once per day.
Debt collection calls in Spain must occur between 9:00 and 21:00 on weekdays and Saturdays. Calls on Sundays and public holidays (national and regional) are prohibited. Spain has 14 national holidays plus additional regional holidays that AI systems must track.
Yes. Italy requires two-party consent for call recording. The AI agent must explicitly ask for recording consent and handle refusal by continuing the call without recording. This is different from Spain (one-party consent) and many US states.
12-18 months is a realistic timeline for compliant deployment. This includes regulatory analysis (3 months), DPIA completion (2 months), system development (4 months), compliance testing (2 months), pilot deployment (4 months), and full rollout.
AI agents must support Castilian Spanish at minimum. Best practice is to also support co-official languages: Catalan (Catalonia, Balearic Islands, Valencia), Basque (Basque Country, Navarre), and Galician (Galicia). Debtors have the right to communicate in the co-official language of their autonomous community.
Spain has 47 billion euros in NPLs with a mature, consolidated market and shorter recovery timelines (2-4 years). Italy has 52 billion euros in NPLs with a fragmented market and longer recovery timelines (7-8 years). Italy has stricter regulations but larger opportunity. Most companies enter Spain first due to lower compliance costs.
Portugal largely follows Spanish regulatory patterns through its CNPD. Calling hours are similar (9:00-21:00 weekdays, 9:00-13:00 Saturdays). Greece has strict consumer protection but limited AI-specific guidance from its HDPA. Both markets are smaller but have significant NPL volumes (8B and 12B euros respectively).
Founder & CEO, AInora
Building AI digital administrators that replace front-desk overhead for service businesses across Europe. Previously built voice AI systems for dental clinics, hotels, and restaurants.
View all articlesReady to try AI for your business?
Hear how AInora sounds handling a real business call. Try the live voice demo or book a consultation.
Related Articles
GDPR and AI Debt Collection in Europe (2026)
How GDPR applies to AI-powered debt collection across the EU.
AI Voice Agent Garante Compliance: Italy Guide
Detailed guide to Italian Garante requirements for AI voice agents.
AI Debt Collection in France: Consumer Code Compliance
French regulations for AI debt collection under the Consumer Code.
Why Debt Collection Is the Perfect Use Case for AI Voice Agents
The economic and operational case for AI in debt collection.