AEPD launched a public consultation on the draft of its 2025–2030 Strategic Plan, a document whose final version will establish the Agency’s priority lines of action for the next five years. Submitting this draft to a participatory process of active listening reflects a strong commitment to enrich the text with contributions from citizens, privacy professionals, the public and private sectors, associations, foundations and the like.
The draft is structured around eight guiding principles and six lines of action, which in turn include various initiatives aimed at achieving the set objectives:
Number one is smart supervision, supported by technology and efficient management. The goal is to enhance the Agency’s ability to anticipate and prevent data protection risks, prioritizing high-impact actions.
Technological innovation is number two, reflecting a clear commitment to responsible innovation. Notable initiatives include the Privacy and Technology Lab, developed in close collaboration with leading research centers, universities, and other European authorities.
Another principle is strategic cooperation and influence, through strengthened alliances and collaboration at national and international levels, integrating data protection into key sectors.
A further guiding line is facilitating regulatory compliance, with a particular focus on SMEs and strengthening the role of privacy professionals.
Digital transformation and excellence, aimed at optimizing the Agency’s internal organization and increasing its resources to deliver better services, is one of its principles too.
Last but not least, an open and approachable Agency, with measures such as new tools and service channels, collaboration with professional sectors, and active listening to anticipate emerging risks, has been proposed by the authority.
In response to the AEPD draft Strategic Plan for 2025–2030, ENATIC—Spain’s National Association of ICT Law Experts—has presented a comprehensive set of proposals aimed at reinforcing the effectiveness, adaptability, and integrity of the country’s data protection regime.
As the digital landscape rapidly evolves, so too must the frameworks governing data privacy and protection, and so their proposals would be as follows:
Towards Smarter Supervision: ENATIC commends the AEPD’s commitment to "smart supervision"—a more strategic, anticipatory, and preventive model of oversight. The association stresses the importance of recognizing continuous improvement as a positive governance practice rather than evidence of non-compliance. They urge the AEPD to assess organizational diligence and contextual factors before imposing sanctions, particularly in cases of minor errors or interpretative discrepancies.
Fostering Technological Innovation with Legal Clarity: ENATIC recommends adopting a collaborative approach to guideline development, involving professionals from the legal, technical, and digital law sectors.
Of particular concern is the guidance on biometric technologies, which ENATIC believes warrants further review to align with both privacy standards and existing investments in cybersecurity infrastructure. They advocate for proportionate and technologically viable regulations that balance innovation with fundamental rights, following the European principle of responsible innovation.
Further, they advocate for strategic cooperation at all levels, harnessing AI for legal excellence, making compliance achievable and practical, and the like. The preparation of the comments was lead by ENATIC’s board members José Leandro Núñez and Esther Garcia.
The full comments of ENATIC and the rest of organizations can be reached here https://www.aepd.es/la-agencia/participacion/plan-estrategico-aepd-2025-2030
Article provided by INPLP member: Belén Arribas Sánchez (BAS Abogada, Spain)
Discover more about the INPLP and the INPLP-Members
Dr. Tobias Höllwarth (Managing Director INPLP)