The resolution, issued on July 8, 2025, concludes that the institution committed two serious infringements. The first stems from the omission of the mandatory Data Protection Impact Assessment (DPIA) before implementing these devices, citing high costs and appealing to a «principle of economy of means» as justification.
The second infringement relates to irregularities in the processing activities register. It was found that the information provided to citizens about the retention of recordings was inaccurate; while a one-month period was stated, this was extended in cases of ongoing investigations, thus depriving individuals of truthful information regarding the processing of their data.
“"The resolution demonstrates that no institution is exempt from complying with data protection regulations."
The original complaint was filed in September 2023 by a unified association of agents, which subsequently expanded it on four occasions. This organization maintains that the recording system linked to these devices operated for over two years without adhering to the guarantees required by current regulations.
The AEPD granted the Civil Guard Directorate General a six-month period to rectify the identified deficiencies. The complaining association now demands public disclosure on whether the required measures have been adopted, who prepared the impact assessment, and if it was communicated to the supervisory authority.
