AEPD Inspection Guide (2026): GDPR Audit Checklist for SaaS


Table of Contents

Introduction

This AEPD inspection guide explains how SaaS companies can prepare for GDPR inspections, organize compliance documentation, respond to regulatory requests, and reduce the risk of enforcement actions through practical, audit-ready processes.

If your SaaS company serves customers in Spain, GDPR compliance isn’t just a legal checkbox. A single complaint can trigger an AEPD inspection, and your ability to respond depends on the quality of your documentation, processes, and evidence — not how quickly you can create them after the request arrives.

The Agencia Española de Protección de Datos (AEPD) is Spain’s data protection authority. It actively investigates complaints and compliance issues under the General Data Protection Regulation (GDPR) and Spain’s LOPDGDD, and its enforcement workload has been growing fast. According to the AEPD’s own 2025 annual activity report, the agency received 30,931 complaints in 2025, the highest number in the authority’s history, marking a 64% increase over the previous year. Sanctioning procedures tied specifically to personal data breaches also rose 157%, from 30 cases in 2024 to 77 in 2025—a trend worth noting if your SaaS product has ever had a security incident. Legal TodayLegal Today

This guide walks you through what an AEPD inspection actually involves, how to prepare before an inspector ever reaches out, what documents you need, how the AEPD compares to other EU authorities, and what happens if gaps are found. You’ll also get a 90-day readiness roadmap and two original frameworks you can use to benchmark your program.

If you’d rather compare purpose-built platforms that handle much of this for you, our GDPR compliance software comparison for Spain-based SaaS startups breaks down the leading options in detail.

Key Takeaways

  • Who this is for: US-based SaaS founders, compliance managers, and IT leaders serving customers in Spain.
  • What an AEPD inspection covers: documented evidence of GDPR compliance — not just a privacy policy, but records, contracts, and tested procedures.
  • The most important documents: your ROPA, signed DPAs, legal basis records, transfer safeguards, and a tested breach response plan.
  • The biggest risk: having controls that exist informally but aren’t documented, current, or provable on demand.
  • First three steps: audit your existing documentation, assign clear compliance ownership, and run a tabletop breach-response test.
AEPD inspection guide

What Is an AEPD Inspection?

This AEPD inspection guide begins by explaining what an inspection is, why the Spanish Data Protection Agency conducts them, and what organizations should expect during the process.

An AEPD inspection is a formal review to check whether an organization processes personal data in line with GDPR and the LOPDGDD (Ley Orgánica de Protección de Datos Personales y garantía de los derechos digitales), Spain’s national data protection law.

Inspections can be triggered by a user complaint, a data breach notification, a routine sector-wide sweep, or referrals from other EU authorities coordinated through the European Data Protection Board (EDPB).

For SaaS companies, this matters even if you’re not incorporated in Spain. If your platform processes personal data of individuals located in Spain, you can fall under Spanish jurisdiction through GDPR’s territorial scope (Article 3).

Why an AEPD Inspection Guide Matters for SaaS Founders

Most SaaS founders think about GDPR in terms of a cookie banner and a privacy policy. An AEPD inspection goes deeper.

Inspectors want documented evidence tied to specific GDPR articles: Article 30, records of processing; Article 32, security measures; and—where applicable—Article 35, Data Protection Impact Assessment documentation. They want proof these controls function, not just that they’re described somewhere.


Who Needs to Prepare?

This AEPD inspection guide helps determine whether your organization falls within the AEPD’s enforcement scope and what steps to take next.

You’re a realistic candidate for AEPD scrutiny if any of these apply:

  • You have paying customers or free users located in Spain.
  • You process employee, customer, or applicant data on behalf of a Spanish company (making you a processor under Article 28).
  • You’ve had a data breach affecting Spanish data subjects.
  • A user in Spain has filed a complaint about how their data was handled.
  • You operate in a sector the AEPD has flagged for oversight, such as adtech, fintech, or health tech.

If any apply, treat inspection readiness as an ongoing function. Our Spain GDPR checklist for SaaS companies is a useful companion for turning this into a recurring process.


Quick-Reference: The AEPD Inspection Timeline

Use this AEPD inspection guide timeline to understand what typically happens from the initial complaint through the final regulatory decision.

  1. Complaint or proactive review — a data subject complaint, breach notification, or sector sweep opens a file.
  2. Information request — the AEPD sends a written request for documentation.
  3. Formal inspection (if needed) — deeper review of evidence, data flows, and technical measures.
  4. Findings — the AEPD determines whether a compliance gap exists.
  5. Corrective action or closure — the case is closed, a warning is issued, or a formal sanctioning procedure begins.

How the Process Actually Works

The following section of this AEPD inspection guide explains each stage in greater detail so your team knows what to expect.

Step 1: Trigger Event.
Most inspections start with a complaint. For example, a Spanish user might report that you didn’t honor a deletion request under Article 17.

Step 2: Preliminary Information Request.
This is your first real signal. Companies that respond late or incompletely often escalate their own risk. Route every request to whoever owns compliance immediately — ideally your DPO, if your processing requires one under Article 37.

Step 3: Formal Inspection.
If concerns remain, the AEPD can request the following:

  • Article 30 records of processing and Article 28 DPAs.
  • Details on international transfers, including Standard Contractual Clauses (SCCs) under Article 46.
  • Your privacy notices and consent mechanisms.
  • In some cases, on-site or remote technical review.

Step 4: Findings and Resolution.
Outcomes range from no action to formal sanctioning under Articles 83–84. Fine thresholds change over time and depend on case specifics—confirm current figures through the AEPD’s official guidance or qualified counsel rather than relying on numbers cited elsewhere.

A Practical Example

A US-based SaaS company uses a cloud CRM, an analytics platform, and a customer support tool. During an inspection, the AEPD asks for its ROPA, signed DPAs with each vendor, the legal basis for processing customer data, and evidence of international transfer safeguards.

Because these records are current and organized in one place, the company responds within days. A competitor without this documentation would need weeks to reconstruct the same evidence under pressure—and that delay itself becomes a compliance signal to the inspector.


Visual checklist of GDPR documents commonly requested during an AEPD inspection.

How Does the AEPD Compare to Other EU Supervisory Authorities?

The following section of this AEPD inspection guide explains each stage in greater detail so your team knows what to expect

The core GDPR obligations are the same across the EU/EEA since the regulation applies directly in every member state. But enforcement style and procedural details vary by authority.

AuthorityCountryCommon Focus AreasTypical Enforcement StyleNotes for SaaS
AEPDSpainCookie/consent compliance, adtech, video surveillance, data breachesComplaint-driven, formal written proceduresMost relevant if you have Spanish users or clients
CNILFranceAdtech, facial recognition, large-scale breachesMix of complaints and proactive sweepsRelevant if you also serve French customers
ICOUnited Kingdom (UK GDPR)Data breaches, direct marketing, AI governanceStructured enforcement notices, phased escalationSeparate regime from EU GDPR post-Brexit

If you serve customers across multiple EU countries, you may need to track more than one authority’s guidance. Cross-border cases are coordinated through the EDPB’s one-stop-shop mechanism rather than resolved by a single country alone.


AEPD Inspection Checklist: What to Prepare in Advance

One of the most valuable sections of this AEPD inspection guide is the document checklist below, which covers the records inspectors commonly request.

1. Records of Processing Activities (ROPA)

Under Article 30, you need a documented record of what personal data you process, why, how long it’s kept, and who it’s shared with.

Why inspectors ask for this: It’s the fastest way to see your entire data footprint in one document.
Common mistake: A ROPA was created once during fundraising due diligence and never updated since.
How to prepare: Review and update it every quarter, and whenever you add a new vendor or data flow.

2. Data Processing Agreements (DPAs)

If you’re a processor working with Spanish businesses, or you use subprocessors that touch personal data, you need signed DPAs reflecting Article 28 requirements.

Why inspectors ask for this: It shows accountability flows through your entire vendor chain, not just your own systems.
Common mistake: Using a subprocessor for months before a DPA is actually signed.
How to prepare: Maintain a live subprocessor list with DPA status and renewal dates.

3. Legal Basis Documentation

For every category of data you process, document the legal basis under Article 6.

Why inspectors ask for this: “We assumed consent was fine” isn’t documentation—it’s a guess.
Common mistake: Relying on legitimate interest without recording the balancing test that justifies it.
How to prepare: Map each data category to its legal basis in your ROPA, not in a separate memory-only decision.

4. International Data Transfer Mechanisms

Most US-based SaaS companies transfer data outside the EU. You need a documented mechanism, such as SCCs, plus a Transfer Impact Assessment (TIA).

Why inspectors ask for this: International transfers are one of the highest-risk areas for US SaaS companies specifically.
Common mistake: Having SCCs signed but no TIA showing you evaluated the actual transfer risk.
How to prepare: Pair every SCC with a completed TIA, and revisit both annually.

5. Breach Response Procedure

You need a written, tested incident response plan covering detection, risk assessment, and notification timelines.

Why inspectors ask for this: A plan that’s never been tested usually fails when it’s actually needed.
Common mistake: A generic template no one on the team has read.
How to prepare: Run a tabletop exercise at least twice a year.

6. Data Subject Rights Workflow

You need a documented, repeatable process for access, correction, and deletion requests.

Why inspectors ask for this: It directly reflects whether you respect the rights the regulation was built to protect.
Common mistake: Handling requests manually and inconsistently with no log of past requests.
How to prepare: Keep a simple request log with dates, actions taken, and resolution times.

7. Technical and Organizational Security Measures

Article 32 requires encryption, access controls, staff training records, and vendor security reviews.

Why inspectors ask for this: Policies on paper don’t protect data — implemented controls do.
Common mistake: A security policy that doesn’t match what your engineering team actually does.
How to prepare: Cross-check your written policy against your actual system configuration.

If your team is mapping this against broader security frameworks, our guide to AI security compliance tools for SaaS startups covers how these controls overlap with AI-specific risk areas.

8. Privacy Notices and Consent Mechanisms

Your privacy policy and consent banners need to reflect what you actually do with data.

Why inspectors ask for this: Transparency is a core GDPR principle, and mismatches here are easy for inspectors to spot.
Common mistake: A privacy policy written once and never updated as your product evolved.
How to prepare: Review your privacy notice every time you add a new data-processing feature.

Documentation Matrix: What Maps to What

DocumentGDPR ArticleWho Typically Requests It First
ROPAArticle 30AEPD inspector, first request
DPAs with subprocessorsArticle 28AEPD inspector, enterprise customers
Legal basis recordsArticle 6AEPD inspector, DPO
Transfer Impact AssessmentArticle 46AEPD inspector, EU enterprise customers
Breach response planArticles 33–34AEPD inspector, cyber insurers
Security measures documentationArticle 32AEPD inspector, security-conscious buyers
DPIA (where applicable)Article 35AEPD inspector, high-risk processing reviews

Circular framework illustrating six stages of preparing for an AEPD inspection.

The 90-Day AEPD Inspection Readiness Roadmap

Follow this AEPD inspection guide roadmap over 90 days to build a structured, repeatable GDPR compliance program.

This is the resource to bookmark. Rather than treating inspection prep as an abstract goal, work through it in three concrete phases.

Days 1–30: Assess and Document

  • Inventory every data flow touching Spanish or EU personal data.
  • Draft or update your ROPA.
  • Identify every subprocessor and confirm which ones lack a signed DPA.
  • Document the legal basis for each processing activity.

Days 31–60: Validate and Test

  • Have someone outside the original drafting team — legal counsel, a fractional DPO, or a compliance platform — review your documentation for gaps.
  • Run a tabletop exercise of your breach response plan.
  • Process a sample data subject access request end-to-end and time how long it takes.
  • Complete your Transfer Impact Assessment for any non-EU data flows.

Days 61–90: Monitor and Operationalize

  • Set a recurring review cadence — quarterly is standard for growth-stage SaaS.
  • Assign a named owner for compliance documentation, even if that’s the founder.
  • Build a lightweight internal log of subprocessors, DPAs, and renewal dates.
  • Revisit your privacy notices to confirm they match what you documented in phase one.

By day 90, your organization should be able to assemble and provide its core compliance documentation promptly in response to an AEPD information request.


The AEPD Readiness Framework

This AEPD inspection guide framework helps organizations maintain compliance even after an inspection has ended.

Once you’ve completed the 90-day roadmap, maintain readiness using this six-stage cycle:

  1. Assess — Identify every data flow and where you stand against each GDPR obligation.
  2. Document—Build or update your ROPA, DPAs, legal basis records, and TIAs.
  3. Validate — Have an outside reviewer check for gaps.
  4. Test — Run a tabletop exercise of your breach response plan and a sample data subject request.
  5. Monitor — Review on a recurring cadence rather than annually.
  6. Improve—Update documentation as your product, vendors, and data flows change.

AEPD Readiness Maturity Model

LevelDescriptionTypical Risk Exposure
Level 1 — ReactiveNo documented ROPA; compliance handled ad hocHigh
Level 2 — Basic ComplianceCore documents exist but are outdated or incompleteModerate-high
Level 3 — Audit ReadyDocumentation is current, DPAs signed, breach plan testedModerate-low
Level 4 — Continuous ComplianceAutomated tracking, quarterly reviews, real-time subprocessor monitoringLow

Most early-stage SaaS companies sit at Level 1 or 2. Moving to Level 3 before you have any reason to expect an inspection is the highest-leverage compliance investment you can make.


Common Mistakes SaaS Companies Make Before an AEPD Inspection

This AEPD inspection guide highlights the most common compliance mistakes that increase regulatory risk.

  • Treating GDPR as a US-only compliance afterthought. If your team has invested in SOC 2 compliance tools, that’s valuable groundwork. But SOC 2 and GDPR test different things. AEPD inspectors probe GDPR-specific obligations that don’t map directly onto SOC 2 controls.
  • No documented subprocessor list. If you can’t produce a current list of every vendor touching personal data, that’s an immediate red flag.
  • Stale or templated ROPA documents. A record created once during fundraising and never updated doesn’t reflect your actual data flows.
  • Ignoring or delaying preliminary information requests. Silence or a slow response signals a lack of a functioning compliance program.
  • No documentation trail for compliance claims. Marketing that claims “GDPR compliant” without backing documentation becomes a liability during an inspection.

Common Myths About AEPD Inspections

This AEPD inspection guide also addresses several misconceptions that often prevent organizations from preparing effectively.

Myth: “Only large companies get inspected.”
Inspections are frequently triggered by individual complaints. A two-person startup can face the same scrutiny as an enterprise if a user files a complaint.

Myth: “A privacy policy is enough.”
A privacy policy tells users what you claim to do. An inspection tests whether your documented processes actually match that claim.

Myth: “SOC 2 automatically means GDPR compliance.”
SOC 2 and GDPR overlap in some security controls but test fundamentally different things. SOC 2 doesn’t require a ROPA, a documented legal basis for each processing activity, or GDPR-specific data subject rights workflows.

Myth: “US companies don’t need to worry about the AEPD.”
GDPR’s territorial scope under Article 3 applies based on whose data you process, not where your company is incorporated.


Choosing a Compliance Automation Tool

As this AEPD inspection guide demonstrates, automation platforms can simplify evidence collection, documentation management, and ongoing compliance monitoring.

Manually maintaining a ROPA, a subprocessor list, and a DPA tracker becomes harder to sustain as you scale. Many growth-stage SaaS companies adopt a compliance automation platform instead.

ToolBest ForStrengthConsideration
VantaCompanies wanting broad framework coverage (SOC 2, GDPR, ISO 27001)Wide integration ecosystemCan require more setup for Spain-specific workflows
SprintoFast-growing startups wanting automated evidence collectionStrong automation for continuous monitoringBest suited to teams already comfortable with automated compliance tooling
KertosCompanies prioritizing EU-specific GDPR workflowsBuilt with EU/Spain data protection requirements in mindSmaller ecosystem than more established US-first platforms

For a deeper breakdown of how each platform handles Spain-specific requirements, see our full comparison of Vanta vs. Sprinto vs. Kertos. If you want the broader market view first, our GDPR compliance tools roundup covers additional options.


Comparison infographic showing common GDPR compliance mistakes and best practices for AEPD inspections.

What Happens If the AEPD Finds Gaps?

This AEPD inspection guide explains the possible outcomes when inspectors identify documentation or compliance deficiencies.

Outcomes depend on severity and whether the gap is a one-time oversight or a systemic failure. Lower-severity cases may result in a warning or required corrective action within a set timeframe.

More serious cases — repeated infringements, ignored requests, or breaches affecting many data subjects — can move toward formal sanctioning under Articles 83–84. As noted above, breach-related sanctioning procedures increased 157% in a single year, which suggests the AEPD is paying closer attention to security incidents specifically. Because thresholds change and depend on case specifics, consult the AEPD’s official guidance or qualified counsel rather than relying on secondhand figures. Legal Today


How Long Does an AEPD Inspection Take?

Timelines vary. A straightforward information request and response might resolve in weeks. A formal inspection with multiple rounds of document review can extend over several months.

Companies with organized, ready-to-produce documentation move through the process faster than companies scrambling to reconstruct records on demand.


Frequently Asked Questions

The FAQs in this AEPD inspection guide answer the questions businesses most commonly ask before and during an inspection.

Does the AEPD have jurisdiction over US-based SaaS companies?

Yes. If you process personal data of individuals located in Spain, GDPR’s territorial scope (Article 3) can bring you under AEPD jurisdiction regardless of where your company is incorporated.

What’s the difference between a preliminary request and a formal inspection?

A preliminary request is a written ask for documentation and explanation. A formal inspection is a deeper, escalated review that can include technical assessment.

Do I need a Spain-based representative?

Companies without an EU establishment that process EU residents’ data at scale are generally required to designate an EU representative under Article 27. Confirm your specific obligation with qualified counsel, since exceptions exist.

Can a small startup really get inspected by the AEPD?

Yes. Inspections are frequently triggered by individual complaints, so company size doesn’t determine whether you’re a target — your data practices do.

Can the AEPD inspect cloud providers directly or only my company?

The AEPD can investigate any controller or processor in scope, including cloud providers. As the controller, you remain responsible for ensuring your processors meet GDPR obligations under your DPAs.

What happens if I miss a response deadline during an inspection?

Missing a deadline without communicating a valid reason typically escalates scrutiny and can itself be treated as a lack of cooperation.

Can AEPD inspections be conducted remotely?

Yes. Many proceed entirely through written information requests and document review.

What evidence should I keep, and for how long?

Retain ROPA versions, signed DPAs, consent logs, data subject request records, and breach documentation per your retention policy — and never delete records related to an open inquiry.

How often should compliance documentation be reviewed?

Quarterly is a reasonable baseline for growth-stage SaaS. Review immediately after any change to your product, data flows, or subprocessor list.


Final Thoughts and Next Steps

This AEPD inspection guide shows that successful inspection readiness depends on continuous documentation, tested processes, and ongoing GDPR compliance rather than last-minute preparation.

An AEPD inspection isn’t something you can improvise your way through. Companies that come out clean are the ones that treated GDPR compliance as an operational discipline long before an inspector made contact.

If you’re starting from scratch, here’s where to begin this week:

  1. Review your documentation against the matrix above and flag anything missing or outdated.
  2. Start the 90-day roadmap, beginning with a full data flow inventory.
  3. Test your breach response process with a tabletop exercise, even a 30-minute one.
  4. Assign a named compliance owner and schedule a quarterly review.

Quick Action Checklist

☐ Review your ROPA and confirm it’s current.
☐ Verify all subprocessor DPAs are signed.
☐ Confirm and document the legal basis for each data category.
☐ Pair every SCC with a completed Transfer Impact Assessment.
☐ Test your breach response plan with a tabletop exercise.
☐ Schedule a recurring quarterly compliance review.

If your documentation currently lives in scattered folders or hasn’t been touched since your last fundraising round, that’s the gap to close first. Our GDPR compliance software comparison for Spain-based SaaS startups is a good next stop if you want to see how automation platforms handle most of this framework for you.

Leave a Comment