The Spanish Data Protection Agency has sanctioned the General Directorate of the Civil Guard for the deployment of incapacitating electric stun guns with integrated video cameras without previously complying with several data protection obligations. The resolution, signed on July 8, 2025, finds two infringements of Organic Law 7/2021 in relation to the impact assessment and the record of processing activities.
The file was opened after the complaint filed in September 2023 by the Unified Association of Civil Guards, which was later expanded on four occasions with documentation, concrete facts, and legal argumentation. In May 2024, an incident of involuntary recording in an official dependency was also incorporated, accompanied by supporting documentation.
"The DGGC has infringed Organic Law 7/2021, on data protection for police and criminal purposes, in two different provisions" - Presidency of the AEPD
The Agency sees impact assessment as mandatory
The first declared infringement affects the Data Protection Impact Assessment, regulated in article 35 of Organic Law 7/2021. The AEPD maintains that the processing linked to the PEI met several criteria that made this assessment mandatory before its deployment.
Among these elements are the use of new technology in the police field, the processing of data linked to criminal offenses, the possible collection of health data, the nationwide implementation affecting units in all provinces, and the risk of recording vulnerable individuals, such as minors, people with disabilities, or victims of gender-based violence.
The resolution concludes that the DGGC did not carry out the impact assessment either before the deployment or during the two years that the investigation lasted. The Guardia Civil alleged that this procedure was not necessary because it derived from a legal obligation, an argument that the Agency rejected by recalling that the list of exempted treatments requires as a condition that a complete impact assessment already exists.
The registry did not reflect the real conservation deadlines
The second infringement pointed out by the AEPD refers to the Register of Processing Activities, within the framework of article 32 of the same law. That precept is linked to serious infringements according to article 59.
In the resolution, it is stated that the registry published by the Ministry of the Interior for the processing of PEIs set a single retention period of one month. However, the Agency describes that recordings linked to police investigations or to open judicial or administrative proceedings are kept for longer periods. That difference between what was declared and the actual practice is part of the reproaches included in the file.
The case highlights a deployment that, according to the complaint, lasted more than two years without impact assessment and with a transparency record that reported retention periods different from those applied in practice.
The order to correct the situation would have already expired
The sanctioning resolution ordered the DGGC to carry out the Data Protection Impact Assessment within a maximum period of six months from the resolution's becoming effective. As it is a decision from July 2025, that maximum period would have expired.
The AUGC now demands that it be publicly clarified whether the General Directorate of the Civil Guard has complied with that obligation, on what date the evaluation was carried out, who prepared it, and if it was communicated to the AEPD under the required terms. The file information itself recalls that non-compliance with an order for measures imposed in a sanctioning resolution may constitute a new administrative infraction.
The explanations given during the investigation
During the processing, the DGGC maintained that the evaluation was not necessary and even justified that position by the "costly" nature of the process and by a supposed "principle of economy of means". The AEPD did not accept that thesis. When the regulatory discussion narrowed, the General Directorate offered to carry out the evaluation in the future if the Agency indicated so.
The complaint was driven by AUGC and the technical work that allowed the alleged irregularities in the deployment of the PEI to be detected and the action before the Agency to be articulated is attributed to Javier Cancelas, a member of the association and a reference in data protection. To this day, the issue remains focused on whether the Guardia Civil has already implemented the corrective measure ordered by the state data protection authority.