Spain AEPD Fines Unlawful AI Deepfake Image Processing | TLY

AI Regulation Tracker  /  Regulator decision

Spain's Data Protection Regulator Treats Deepfake Creation as Unlawful Data Processing

Spain's data protection authority, the AEPD, closed an enforcement case holding that manipulating a real person's image with AI to fabricate nude photos, and then sharing them, is a processing of personal data with no lawful basis under the GDPR. It is a decision that ended with a fine, not a guidance note, and it puts a marker down that reaches any firm whose tools generate synthetic imagery of EU residents.

The Leveraged Years AI Regulation News

The facts are ugly and simple. Someone used AI to manipulate a real person's images so that the face was placed on a naked body, and those fabricated images were shared through a messaging group and posted to sites like OnlyFans and various pornographic pages. The AEPD learned of it through press coverage, opened an investigation under Spain's data protection law, and ran a full sanctioning procedure. What matters for anyone building or using generative AI is not the sordid detail. It is the legal reasoning the regulator used to get to a fine.

Why the AEPD called it a data processing

The starting point is that a person's image is personal data. Once you accept that, manipulating and spreading that image is not a free-for-all. It is an operation on personal data, which the GDPR calls processing, and processing needs a legal basis. The AEPD said this plainly. The ellipsis below is the agency's own redaction of identifying detail.

"la difusión de fotografías manipuladas con inteligencia artificial (…) supone un tratamiento de datos personales por cuanto la imagen es un dato personal."

Translation: "the dissemination of photographs manipulated with artificial intelligence (...) amounts to a processing of personal data, because the image is personal data."

From there the AEPD treated the person who decided the purposes and the means of that activity as the data controller under Article 4.7 of the GDPR. That is the same definition that applies to any company. Whoever decides what the processing is for and how it happens carries the responsibility for having a lawful basis.

Why it was unlawful

Article 6.1 of the GDPR lists the grounds that can make processing lawful: consent, a contract, a legal obligation, vital interests, a public task, or a legitimate interest that is not overridden by the rights of the person affected. If none of those is present, the processing is unlawful. The AEPD found that none applied here.

"dicho tratamiento se efectuó sin que concurriera ninguna de las causas de legitimación enumeradas en el artículo 6.1 del RGPD."

Translation: "that processing was carried out without any of the grounds for lawfulness listed in Article 6.1 of the GDPR being present."

That is the whole spine of the case. The image is personal data. Manipulating and sharing it is processing. Processing needs a lawful basis. There was none. So it was an infringement of Article 6.1, which the AEPD tied to the penalty framework in Article 83.5 of the GDPR. The person acknowledged responsibility and paid, which under Spanish administrative law cut the proposed 2,000 euro figure down to 1,200 euros through reductions for early payment and admission.

Be precise about what this is

I want to be careful here, because it is easy to inflate a single case into a new law. This is an enforcement decision against one person, resolved because that person admitted the breach and paid. It is not a fresh regulation. It does not add a deepfake clause to the GDPR. The AEPD did not need to. Its point is that the existing rules already cover this, and that fabricating and spreading a real person's likeness with AI is not some novel gap in the law but ordinary unlawful processing of personal data.

It is also worth separating this from the AEPD's public awareness work. Earlier in 2026 the agency ran an education campaign warning that manipulating other people's images with AI is not harmless. That campaign is guidance and outreach. This case is different. It is an actual decision, with a named legal basis and a paid fine, that shows the agency will treat deepfake creation and dissemination as unlawful data processing when it enforces.

What this means for US firms and their AI tools

The AEPD is not a US regulator, and this decision does not bind a US company on its own. But the GDPR reaches processing that touches people in the EU, and that is where the exposure lives. If your product or your team uses AI to generate or distribute synthetic images, video, or audio of an identifiable person in the EU, you are processing that person's personal data, and you need a lawful basis for it. This case is a clean illustration of what happens when there is not one.

For US CPAs, attorneys, and finance and marketing leaders, the practical read is about controls, not panic. If you deploy or resell generative tools that can render a real person, ask the same questions the AEPD asked. Is there a lawful basis for creating and using this person's likeness. Did the person consent, and can you prove it. Could someone use your tool to fabricate intimate or defamatory imagery, and what stops them. A regulator has now shown, with a fine attached, that "the AI made it" is not an answer. The controller is whoever decides the purpose and the means, and that is you.

Questions professionals are asking

Did Spain pass a new deepfake law here?

No. This is an enforcement decision in which the AEPD applied the existing GDPR to a deepfake. It held that manipulating and sharing a real person's image with AI is a processing of personal data with no lawful basis under Article 6.1. No new statute or rule was created.

Is this guidance or an actual decision?

An actual decision. Case PS/00132/2025 was a sanctioning procedure that ended with a finding of infringement and a fine, resolved when the person acknowledged responsibility and paid. That is different from the AEPD's separate 2026 public awareness campaign about deepfakes, which is education, not enforcement.

What was the penalty?

The AEPD set an initial fine of 2,000 euros for the Article 6.1 breach. After reductions available under Spanish administrative law for early acknowledgment of responsibility and voluntary payment, the amount paid was 1,200 euros.

Does this affect US companies?

It can. The AEPD is a Spanish regulator, but the GDPR applies to processing that involves people in the EU. A US firm whose AI tools generate or distribute synthetic images, video, or audio of EU residents is processing their personal data and needs a lawful basis. This case shows the consequence when there is none.

Who is the controller when an AI tool creates the image?

The person or organization that decides the purposes and means of the processing, under Article 4.7 of the GDPR. The AEPD applied that definition to the individual who directed the manipulation and dissemination. "The AI generated it" does not move that responsibility off the controller.

RELATED BRIEFINGS

Browse the full AI Regulation News tracker

Informational analysis for working professionals, not legal advice. The AEPD decision is in Spanish; English renderings of quoted passages are our translations. Confirm how the GDPR or any requirement applies to your situation with qualified professionals in the relevant jurisdiction.