AInora
Back to Blog
SpainAEPDLOPDGDDComplianceVoice AI

AI Voice Agents in Spain: AEPD & LOPDGDD Compliance 2026

JB
Justas ButkusFounder, Ainora
··14 min read

Important Disclaimer

This article provides general guidance on Spanish compliance considerations for AI voice systems. It is not legal advice. Consult a Spanish data protection specialist (DPO or abogado especializado en protección de datos) before deploying any AI calling system in Spain.

AI voice agents deployed in Spain must comply with three overlapping regimes: GDPR (Regulation (EU) 2016/679), the Spanish LOPDGDD (Ley Orgánica 3/2018), and the EU AI Act (Regulation (EU) 2024/1689) — supervised by the Agencia Española de Protección de Datos (AEPD). For outbound commercial calling, the Lista Robinson exclusion register applies under the LGT (Ley General de Telecomunicaciones). Violations can reach EUR 20 million or 4% of global turnover for GDPR breaches and up to EUR 35 million or 7% of turnover for prohibited AI practices under the AI Act.

€20M
Max GDPR Fine (Art. 83)
Source: EUR-Lex
€35M
Max EU AI Act Fine (Art. 99)
Source: EUR-Lex
72h
AEPD Breach Notification Window
Source: AEPD
€1.2M
AEPD Sanction Telefónica Móviles 2022
Source: AEPD Resolution PS/00037/2021

Spain has one of the most active data protection authorities in Europe. The AEPD issues hundreds of sanction decisions per year, many touching call centres and telemarketing, and has explicitly addressed automated voice systems in its 2020 guide on AI and GDPR adequacy. Any business calling Spanish residents — inbound or outbound — needs to map this stack before going live.

Key Spanish compliance terms

AEPD
Spain's national data protection authority. Issues binding sanctions, publishes guidance, and supervises GDPR + LOPDGDD enforcement. Source
LOPDGDD
Spanish organic law implementing GDPR and guaranteeing digital rights. Adds Spain-specific provisions beyond GDPR baseline. Source
Lista Robinson
Spanish opt-out register operated by ADigital. Telemarketers must screen against it before outbound commercial calling. Source
LGT
Spanish General Telecommunications Act 11/2022, governs commercial communications including voice calls. Source
EU AI Act
EU Regulation 2024/1689 on AI. Article 50 requires disclosure when users interact with an AI system. In force August 2024, transparency obligations apply from 2 August 2026. Source

What Is the Spanish Compliance Framework for AI Voice?

The Spanish framework stacks four layers on every AI voice call: (1) the GDPR baseline; (2) the LOPDGDD national overlay; (3) sector telecom rules (LGT + Lista Robinson) when calls are commercial or outbound; and (4) the EU AI Act transparency and risk classification rules from 2 August 2026 onwards (Source: European Commission AI Act overview).

Each layer adds an obligation the others do not. GDPR sets lawful basis, data subject rights, and breach notification. LOPDGDD adds rules on the right not to be subjected to decisions based solely on automated processing (Article 22 LOPDGDD), and on consent for minors. The LGT and Lista Robinson regulate when you may call someone commercially. The AI Act adds the disclosure obligation: a Spanish resident must be told they are speaking to an AI.

Who Is the AEPD and What Does It Regulate?

The Agencia Española de Protección de Datos is the Spanish supervisory authority under GDPR Article 51. It investigates complaints, issues sanctions, publishes binding guidance, and represents Spain on the European Data Protection Board (EDPB).

For AI voice systems, two AEPD publications are particularly relevant. The Guía sobre adecuación al RGPD de tratamientos que incorporan IA sets out 18 specific obligations for AI-based data processing. The Audit Requirements for Personal Data Processing Activities Involving AI guide gives a controllable checklist auditors and DPOs use to verify deployments.

The AEPD also actively sanctions call-centre and telemarketing operators. A representative recent decision: AEPD imposed a EUR 1,200,000 fine on Telefónica Móviles España in resolution PS/00037/2021 for unsolicited commercial calls to subscribers registered with Lista Robinson.

How Does LOPDGDD Differ from GDPR?

LOPDGDD does not replace GDPR — it operates on top of it as Spain's national implementing law. The most relevant LOPDGDD additions for AI voice agents:

  • Article 22 LOPDGDD — Right to digital education on AI. Citizens have the right to receive understandable information about how automated systems are used to make decisions about them.
  • Article 7 LOPDGDD — Consent of minors. Children must be at least 14 years old to give valid consent for personal data processing. Below that age, parental consent is required.
  • Article 11 LOPDGDD — Transparency. Layered information notices are explicitly endorsed, but the first layer must contain the controller identity, processing purposes, and rights exercise channel.
  • Article 32 LOPDGDD — Blocking of data. When data is no longer used but retention is required by law, it must be technically blocked, not just retained.
  • Article 91 LOPDGDD — Workers' rights. Recording and monitoring of employees in call centres requires explicit prior notice; covert monitoring is generally unlawful.

For an AI voice deployment, the practical impact is twofold: (1) your transparency notice must be layered, with a short first layer disclosed on the call and a full second-layer notice referenced (URL or callback); and (2) any internal QA monitoring of agents (human or AI-assisted) must be pre-disclosed to staff (Source: BOE LOPDGDD consolidated text).

What Lawful Basis Applies to AI Voice Calls in Spain?

The AEPD recognises the same six GDPR Article 6 lawful bases. For AI voice agents, the practical mapping:

Call typePrimary lawful basisAdditional Spanish rule
Inbound customer serviceArticle 6(1)(b) — contract performanceProvide layered transparency notice (Art. 11 LOPDGDD)
Inbound appointment bookingArticle 6(1)(b) — contract performanceDisclose AI nature (EU AI Act Art. 50)
Outbound B2C commercialArticle 6(1)(a) — consent OR 6(1)(f) — legitimate interestMust screen against Lista Robinson + LGT Art. 66
Outbound B2B commercialArticle 6(1)(f) — legitimate interestScreen against Lista Robinson if number is personal
Outbound debt collectionArticle 6(1)(b) or 6(1)(f) — depends on contract statusAEPD guide on morosos + Banco de España conduct rules
Call recording for QAArticle 6(1)(f) — legitimate interestDocument LIA; offer opt-out where feasible
Sensitive data (health, legal)Article 9(2)(a) — explicit consent (most cases)Heightened security under Art. 32 GDPR

For outbound B2C marketing in particular, the AEPD has consistently held that legitimate interest is overridden by the data subject's right to privacy when no prior relationship exists. The 2023 PS/00040/2022 decision against Vodafone España (EUR 3.94 million sanction) reinforced this: commercial calls without consent or relationship are unlawful regardless of how the data was obtained.

How Does Lista Robinson Affect AI Outbound Calls?

Lista Robinson is Spain's opt-out register, operated by the Asociación Española de la Economía Digital (ADigital). Consumers register their phone number, email, postal address, or fax to refuse unsolicited commercial communications.

Article 23 LOPDGDD and Article 66 of the LGT 11/2022 together require any organization sending commercial communications to consult exclusion lists before contacting consumers. In practice this means:

  • Before any outbound commercial campaign, screen your call list against Lista Robinson.
  • Update the screen at least every 30 days for ongoing campaigns (industry best practice — Lista Robinson refreshes monthly).
  • Keep records of the screen (timestamps, batch IDs) for at least 3 years to defend against AEPD inquiries.
  • If a Spanish recipient asks during a call to be added to your internal do-not-call list, honour that immediately — Article 21 GDPR right to object is absolute for direct marketing.

Failure to screen is treated as a serious infraction under the LGT, with sanctions ranging up to EUR 2 million per offence in addition to AEPD GDPR fines. The two regimes can be applied cumulatively for the same call campaign.

Spanish call recording follows the GDPR pattern with three LOPDGDD-specific tightenings.

Inform Before Recording

Recording must be disclosed at the start of the call, with the controller's identity, the purpose of recording, the lawful basis, and a reference to the full privacy notice (typically a URL). The AEPD has held that a generic "this call may be recorded" is insufficient if the purpose is not specified.

Layered Notice Pattern

The AEPD model layered notice clause recommends a short first-layer disclosure on the call (controller name, purpose, where to find full notice, data subject rights channel) followed by a full second-layer notice at the URL or by post. For AI voice agents, the first layer is typically the agent's opening line; the second layer is the linked privacy policy.

Worker Notification

Under Article 89 and 91 LOPDGDD, if call recordings are used for staff performance monitoring or QA, employees and their legal representatives must be pre-informed. AI-assisted QA scoring (sentiment analysis, compliance flagging) falls within this obligation.

Retention

AEPD guidance accepts 30 days as a standard retention period for QA recordings, extendable to the relevant statute of limitations when retention is justified by dispute resolution (typically 5 years for consumer contracts under Article 1964 Spanish Civil Code).

How Does the EU AI Act Apply to Voice Agents in Spain?

The EU AI Act (Regulation 2024/1689) entered into force on 1 August 2024. Three articles are particularly relevant to voice agents deployed in Spain:

  • Article 5 — Prohibited practices. Subliminal techniques and exploitation of vulnerabilities are banned. A voice agent that detects elderly callers and pushes urgency tactics would risk falling within this prohibition.
  • Article 50 — Transparency obligation. Natural persons must be informed they are interacting with an AI system, unless this is obvious from context. The AEPD has signalled this disclosure must be made at the start of the call, not buried in a privacy notice.
  • Article 6 + Annex III — High-risk classification. Voice agents used for creditworthiness assessment, employment decisions, or access to essential services may be classified as high-risk, triggering full conformity assessment obligations.

Spain is preparing a national AI supervisory authority (AESIA, Agencia Española de Supervisión de la Inteligencia Artificial) established by Real Decreto 729/2023. AESIA will share enforcement authority with the AEPD on AI matters that involve personal data processing.

What Has the AEPD Decided About Automated Calling?

Recent AEPD resolutions specifically addressing automated and AI-assisted calling include:

The pattern across these decisions: the AEPD focuses on (a) whether outbound calls had a valid lawful basis at the moment of dialling, (b) whether opt-outs (Lista Robinson or direct requests) were properly screened, and (c) whether the first-layer transparency notice was delivered at the start of the call.

AEPD-Aligned Vendor Checklist

Before contracting an AI voice vendor for Spanish deployment, verify the following.

  • EU/EEA data residency for raw audio, transcripts, and model inputs — ideally with documented Spanish or Iberian data centres.
  • GDPR Article 28 Data Processing Agreement available without negotiation, in Spanish on request.
  • Documented support for layered transparency notices at call start (controller name, purpose, full-notice URL).
  • Explicit AI-disclosure phrase configurable per language (Spanish required).
  • Native screening against Lista Robinson for outbound campaigns, with audit log.
  • Configurable retention period for call recordings, defaulting to a value the controller can justify under Article 5(1)(e) GDPR (commonly 30 days for QA).
  • Data subject access (Article 15) and erasure (Article 17) workflows that complete inside the 30-day GDPR window.
  • Documented incident response with sub-72-hour AEPD notification capability under Article 33 GDPR.
  • EU AI Act readiness: documented system card, GPAI provenance, transparency disclosure, risk classification analysis per use case.
  • Spanish-language support for any control plane the data subject may need to interact with (privacy notice page, rights-exercise form).

The Layered Transparency Notice on a Live Call

The AEPD's preferred opening for an AI-mediated call in Spain looks roughly like: "Hola, soy [name], asistente automatizado de [Controller]. Esta llamada puede ser grabada por motivos de calidad. Sus datos serán tratados conforme al RGPD; encontrará información completa en [URL]. ¿Cómo puedo ayudarle?" This delivers AI disclosure (AI Act Art. 50), recording notice (LOPDGDD Art. 11), and second-layer pointer in one sentence.

Frequently Asked Questions

Frequently Asked Questions

Yes, provided the calls have a valid lawful basis under GDPR Article 6, the AI nature is disclosed on the call under EU AI Act Article 50, and (for commercial outbound calls) the recipient is not on Lista Robinson and has not exercised an Article 21 right to object. The AEPD has not banned AI calling; it sanctions deployments that fail any of these three conditions.

Under GDPR Article 83 the AEPD can impose fines up to EUR 20 million or 4% of global annual turnover, whichever is higher. Under the LGT (telecommunications law) additional sanctions up to EUR 2 million per infraction can be added. Under the EU AI Act, fines can reach EUR 35 million or 7% of global turnover for prohibited practices. AEPD has issued seven-figure sanctions against telecom and energy companies for outbound calling failures.

No standalone registration is required. However, the controller (your business) must maintain a Record of Processing Activities (Article 30 GDPR) that includes the AI voice processing, must complete a Data Protection Impact Assessment (Article 35) if the deployment is large-scale or involves systematic monitoring, and must designate a DPO if the AEPD criteria are met (Article 37 GDPR and LOPDGDD Article 34).

Register as a corresponsable (data user) at https://www.listarobinson.es. After verification, you receive batch-screening access to upload your call lists; the system returns the list with excluded numbers flagged. ADigital charges a per-record fee. You must rescreen at least once per campaign and retain proof of the screen for at least 3 years.

Raw voice audio is personal data. It becomes biometric data (special category under GDPR Article 9) only when processed for the specific purpose of uniquely identifying a person through their voiceprint. A standard AI voice agent that converts speech to text without identifying callers by voice is not processing biometric data, but a fraud-detection layer that builds voiceprints to authenticate callers is, and triggers Article 9 explicit consent or another Article 9(2) basis.

Only with appropriate safeguards under GDPR Chapter V. For transfers to the US, the EU-US Data Privacy Framework (adequacy decision adopted July 2023) can be relied on if the recipient is certified. For other third countries, Standard Contractual Clauses plus supplementary measures under the EDPB Schrems II recommendations are required. The AEPD scrutinises such transfers heavily; EU/EEA-only architectures are the safer default.

Yes, under Article 50 of Regulation (EU) 2024/1689, providers of AI systems intended to interact directly with natural persons must ensure those persons are informed they are interacting with an AI system, unless this is obvious to a reasonably well-informed and observant person from the context. Transparency obligations apply from 2 August 2026. For phone calls, the AEPD position is that disclosure must be made at the start of the conversation, before any data exchange.

Spain follows the GDPR baseline (notice before recording, lawful basis required) and adds LOPDGDD Article 11 layered-notice requirements plus Article 91 worker-side notification obligations. Unlike one-party-consent jurisdictions, Spanish doctrine treats call recording as personal data processing of both parties; the recording itself can be lawful under legitimate interest, but the disclosure obligation is non-negotiable.

JB
Justas Butkus

Founder & CEO, AInora

Building AI digital administrators that replace front-desk overhead for service businesses across Europe. Previously built voice AI systems for dental clinics, hotels, and restaurants.

View all articles

Ready to try AI for your business?

Hear how AInora sounds handling a real business call. Try the live voice demo or book a consultation.

Try Voice DemoBook Consultation

Related Articles

GDPR-Compliant AI Voice Agents for B2B Cold Calling (DACH 2026)

How to deploy AI voice agents under GDPR with the right lawful basis, consent, and four compliance patterns.

AI Receptionist for Spanish Dental Clinics

Vertical-specific AI for clinicas dentales: language, integration, and AEPD-aligned deployment.

AI Voice Agent Italy: Garante Compliance Guide

Sibling country guide for Italian compliance: Garante, Codice Privacy, and Registro Pubblico delle Opposizioni.