AEPD: Agent-Based Artificial Intelligence: How to Govern Autonomy in Data Processing.
On February 18, 2026, the Spanish Data Protection Agency (AEPD) published guidelines dedicated to “agent-based” artificial intelligence, i.e., systems that do not merely generate responses but interact autonomously with the digital environment to pursue complex objectives. From a legal standpoint, the agent’s autonomy radically expands privacy risks: it is no longer sufficient to evaluate inputs and outputs; rather, one must govern a dynamic, adaptive, and only partially predictable process.
In this scenario, principles such as transparency, data minimization, purpose limitation, and privacy by design cannot be managed using standard approaches. If the agent learns from the context, selects sources, performs actions, and modifies its own behavior, the data subject’s control risks becoming merely theoretical, just as generic notices, abstract internal instructions, or purely formal forms of supervision prove insufficient.
The robustness of the system is measured by the organization’s ability to correctly assign roles and responsibilities, reconstruct information flows, define the agent’s operational scope in advance, ensure effective human oversight, and align these aspects with policies, internal procedures, supplier relationships, and accountability mechanisms. Operationally, this requires at least: mapping the areas in which the agent operates and the data it uses; defining functional limits, instructions, and thresholds for human intervention; adapting governance and documentation to actual operations; assessing the impacts on rights in advance; and establishing continuous supervision with periodic review. With agentic AI, therefore, it is not enough to control the tool: its actual behavior must be governed over time.
A fine of €15,000 was imposed on a legal training and publishing company for GDPR violations regarding consent and access to data.
The Italian Data Protection Authority, in Decision No. 87 of February 12, 2026, imposed a fine of 15,000 euros on a company active in legal training and publishing for violations of Articles 6, 12, and 15 of the GDPR and Article 130 of the Privacy Code. The proceedings stem from complaints filed by two professionals who had received unsolicited promotional emails and had received no response to their requests for access to their personal data.
The company attributed the incidents to “human error” and organizational restructuring, but the Authority deemed these justifications irrelevant, reiterating the central importance of explicit consent for sending automated commercial communications and the obligation to respond fully and promptly to requests from data subjects.
In addition to the monetary penalty, the Data Protection Authority issued a formal warning to the data controller, urging strict compliance with the regulations governing direct marketing and access rights.
EDPB: The 2026 Coordinated Action on the Right to be Forgotten and Technical Challenges.
On February 18, 2026, the European Data Protection Board (EDPB) published the final report of the coordinated action on the right to erasure under Article 17 of the GDPR. The survey, conducted in 2025 by 32 supervisory authorities among 764 data controllers—including businesses and public bodies—highlighted seven main critical issues. Among these, the lack of effective internal procedures, insufficient information provided to data subjects, the use of insecure anonymization techniques, and uncertainty regarding retention periods and the deletion of data in backups stand out.
The report highlights the gap that still exists between the technical notion of “erasure” and its correct legal application. Many data controllers treat operations such as hashing (transforming the data into a fixed-length digest with a one-way function; the same input always yields the same digest), masking (partially obscuring the data, for example hiding part of a tax ID), or other techniques that make the link to the individual less visible without severing it (including methods that are plainly reversible) as equivalent to permanent deletion. However, as long as the data remains traceable to an individual, it continues to be subject to the provisions of the GDPR.
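To make the report's distinction concrete, the following script is an added illustration written for this page (it is not code from the EDPB report or from any of the controllers surveyed). It uses a constructed three-record dataset and a hypothetical identifier format (one letter plus three digits) to show why an unkeyed hash and a partial mask leave the link to the person intact, and what actual erasure looks like by contrast:

```python
import hashlib
import itertools
import string

# Constructed sample data (hypothetical people and a toy identifier format):
# one uppercase letter followed by three digits, i.e. 26,000 possible values.
# Real tax/national identifiers are longer but still structured and enumerable.
ID_LETTERS = string.ascii_uppercase
ID_DIGITS = 3

RECORDS = [
    {"row": 1, "tax_id": "K042", "city": "Milan", "plan": "premium"},
    {"row": 2, "tax_id": "Q917", "city": "Turin", "plan": "basic"},
    {"row": 3, "tax_id": "C300", "city": "Milan", "plan": "basic"},
]


def sha256_hex(value: str) -> str:
    """Unkeyed SHA-256 digest, as often used to 'anonymise' an identifier."""
    return hashlib.sha256(value.encode("utf-8")).hexdigest()


def pseudonymise(records):
    """'Erasure' by hashing: the identifier is replaced by its unkeyed digest.
    The digest is deterministic, so equal identifiers map to equal digests."""
    return [dict(r, tax_id=sha256_hex(r["tax_id"])) for r in records]


def mask(tax_id: str) -> str:
    """'Erasure' by masking: only the last two characters are hidden."""
    return tax_id[:-2] + "**"


def erase(records, tax_id: str):
    """Actual erasure: the data subject's record is removed, leaving nothing
    from which the link to the person could be rebuilt."""
    return [r for r in records if r["tax_id"] != tax_id]


def relink(hashed_records, known_tax_id: str):
    """Anyone who holds the identifier recomputes the digest and finds the row:
    the hash hides the value but preserves the link."""
    target = sha256_hex(known_tax_id)
    return [r for r in hashed_records if r["tax_id"] == target]


def recover_by_enumeration(digest: str):
    """Recovers the identifier behind an unkeyed digest by hashing every value
    in the (small) identifier space. Returns None if no value matches."""
    for letter in ID_LETTERS:
        for digits in itertools.product(string.digits, repeat=ID_DIGITS):
            candidate = letter + "".join(digits)
            if sha256_hex(candidate) == digest:
                return candidate
    return None


def rows_matching_mask(records, masked_value: str):
    """Rows that a masked value still singles out within the dataset."""
    return [r["row"] for r in records if mask(r["tax_id"]) == masked_value]


def demo():
    hashed = pseudonymise(RECORDS)
    relinked = [r["row"] for r in relink(hashed, "K042")]
    recovered = recover_by_enumeration(hashed[0]["tax_id"])
    masked_hits = rows_matching_mask(RECORDS, mask("K042"))
    after_erasure = relink(pseudonymise(erase(RECORDS, "K042")), "K042")
    return {
        "relinked_rows": relinked,           # [1]: the hash still points at the person
        "recovered_id": recovered,           # "K042": the hash is reversed by enumeration
        "masked_hits": masked_hits,          # [1]: the mask still singles out the row
        "rows_after_erasure": after_erasure,  # []: nothing left to relink
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

Two points follow from running it. A keyed hash (HMAC with a secret key) would defeat the enumeration step, but whoever holds the key can still relink every record, so it is pseudonymisation rather than erasure in the report's sense. And the masked value singles out the row only because the dataset is small; in practice the retained prefix combines with other attributes (city, plan) to do the same.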
Similarly, the obligation is not considered fulfilled if the information remains in backup or disaster recovery systems, even if it is no longer visible in the operational systems.
The EDPB emphasizes that the right to be forgotten is no longer measured solely in formal terms, but in terms of the actual organizational and technological capacity to ensure the effective and definitive erasure of data.
France - CNIL: €5 Million Fine. Accountability Beyond Documentary Formalities.
On January 22, 2026, the CNIL imposed a €5 million fine on France Travail (formerly Pôle Emploi), underscoring a fundamental principle: compliance with the GDPR is not merely a matter of documentation, but an obligation of effective accountability. The investigation revealed a serious discrepancy between the stated procedural framework and the technical security measures actually implemented.
In this case, the CNIL found that the authentication systems were ineffective and that access to the data was not monitored, leaving the data of millions of data subjects exposed. A further penalty was imposed for non-compliance with the principle of storage limitation: the continued retention of datasets relating to users who had been inactive for years revealed the absence of automated deletion or anonymization procedures.
Although the risks had been identified in the impact assessments, the organization failed to implement the necessary countermeasures. In addition to the fine, a penalty of 5,000 euros per day was imposed for the delay in compliance.
AI Act: Legal Responsibility for Using AI.
Many organizations continue to view Regulation (EU) 2024/1689 on artificial intelligence as legislation aimed almost exclusively at major tech players. In reality, the AI Act applies across the entire supply chain: to those who develop AI systems, but also to those who integrate them into their products, distribute them on the market, or use them in business processes, based on a risk-based approach and the protection of fundamental rights.
The most common misconception is that the “ordinary” use of AI tools in a company is legally neutral. This is not the case: every company is required to assess the system it uses, verifying whether it falls under prohibited practices, high-risk systems, or those subject to specific transparency obligations, with direct impacts on internal governance, contracts with suppliers, control procedures, and the allocation of responsibilities.
For companies, the question is not “whether” to use artificial intelligence, but “how” to legally oversee its use. This involves mapping actual uses, understanding the role assumed in the technology chain (provider, importer, distributor, deployer), verifying disclosure obligations and requirements for human oversight, and coordinating the AI Act with the GDPR, cybersecurity rules, and internal controls. In the coming years, the degree of organizational maturity will be measured precisely by the ability to integrate these regulatory frameworks into a coherent system of AI governance.