Transparency Seu electrònica

The Data Protection Advisory Council speaks out on the APDCAT's challenges in the field of artificial intelligence

11/04/2025 | 12:28h

At the request of the director of the Catalan Data Protection Authority, this body has issued a report on the role that the Authority must assume in applying the new powers attributed following the entry into force of the Artificial Intelligence Regulation (AI Act).
IA

The Data Protection Advisory Council, the advisory and participation body of the Catalan Data Protection Authority (APDCAT), has issued a statement on the role of the Authority in the face of the challenges of artificial intelligence (AI). Specifically, it has issued a report at the request of the director, Meritxell Borràs, on the role that APDCAT must assume following the approval of the Artificial Intelligence Regulation (RIA), in terms of new powers. These would be in addition to the powers additionally assumed by the Authority due to having been designated by the Spanish State as the authority for the protection of fundamental rights, within the framework of the RIA.

In this sense, the report determines that the RIA, which is a directly applicable European standard, adds new powers to the APDCAT, in addition to those already provided for in the data protection regulations, and that the Authority must exercise its powers with full powers and independence. Therefore, the report includes the need to have an adequate budget to provide the Authority with the appropriate personal and material resources to ensure that the use of AI systems does not affect private life or the confidentiality of communications. This requires sufficient staff, with appropriate and up-to-date experience and knowledge regarding AI technologies, data and data computing, cybersecurity and risks to fundamental rights, health and safety. It also includes that this would involve organizational changes, adaptation of new profiles, training of staff and also providing the necessary technological training to deploy its new functions.

Regarding the model for controlling artificial intelligence, the report highlights that although the European Parliament's RIA proposal envisaged the creation of supervisory authorities responsible for "enforcing the application and implementation" of the RIA, the model finally agreed upon by the European Union institutions foresees that each State must specify it and that several authorities can coexist, depending on the market in question. Thus, the final and current wording of the RIA instructs member states to designate at least one market surveillance authority, which in the European institutions is the European Data Protection Supervisor.

The report also includes the opinion of the European Data Protection Board on this issue, which recommends that Member States designate data protection authorities as market surveillance authorities for high-risk AI systems referred to in Article 74.8 of the RIA, and also consider this for the other high-risk AI systems listed in Annex III, in particular where such high-risk AI systems are located in sectors which may affect the rights and freedoms of natural persons with regard to the processing of personal data. Furthermore, the Board notes the need for Member States to provide the additional human and financial resources that this entails.

The Advisory Board also recalls that this designation would not be contradictory to the regulation made in the State of the Spanish Agency for the Supervision of Artificial Intelligence, prior to the RIA, since the coexistence of several market surveillance authorities is possible.

New powers assumed by the APDCAT

The report includes the five new tasks for data protection supervisory authorities included in the RIA, which are:

  • Receipt of notifications on the use of remote biometric identification systems “in real time”.
  • Submission of annual reports to the Commission in relation to notifications on the use of “in real time” identification systems
  • Access to documentation on the use of remote biometric identification systems in deferred time documented in the relevant police file.
  • Receipt of annual reports on the use of remote biometric identification systems in deferred time
  • Participation in controlled testing spaces for AI

However, the designation of the APDCAT by the Spanish State as the authority for the protection of fundamental rights in the field of AI grants the following additional powers to the Authority:

  • Access documentation created or maintained in accordance with the RIA, necessary to fulfil its mandate regarding the use of high-risk AI-systems referred to in Annex III of the RIA.
  • Inform the market surveillance authority about requests for documentation created or maintained in accordance with the Regulation, necessary to fulfil its mandate regarding the use of high-risk AI-systems referred to in Annex III of the RIA.
  • Request tests of high-risk AI-systems and cooperate in the organisation of tests, where the documentation is not sufficient.
  • Receive notifications from the market surveillance authority about serious incidents.
  • Be informed by the market surveillance authorities of the risks to fundamental rights of an AI-system and, in such cases, cooperate with it and with the relevant operators.
Training and awareness-raising

On the other hand, the report determines the need for the APDCAT to immediately promote actions to raise awareness, disseminate information and educate people about the correct use of AI systems, because it has the responsibility to promote privacy and raise awareness among citizens about their rights with regard to data protection, and in relation to the new powers assumed. This implies working on the AI ​​literacy of administrations, their data processors and citizens, to guarantee, in the terms of the Statute, “that these technologies are put at the service of people and do not negatively affect their rights.”

Last update: 11.02.2026