At the Parliament of Catalonia, the APDCAT celebrates 10 years since the approval of the General Data Protection Regulation

24/04/2026

The Catalan Data Protection Authority has organized an event to commemorate the 10th anniversary of the GDPR, with a day of debate and reflection on what this pioneering regulation has meant in Europe and the future challenges in relation to artificial intelligence and innovation.

Borràs during the event

The Catalan Data Protection Authority (APDCAT) celebrated the 10th anniversary of the General Data Protection Regulation (GDPR) this Friday with an institutional event that brought together experts from all over the country to discuss the relevance of this pioneering regulation for data protection in Europe, and to analyze the present and future challenges linked to the development of artificial intelligence, technology and innovation.

Under the title ‘GDPR: 10 years, beyond regulatory compliance’, the meeting hosted a panel and three round tables, to look back and also analyze the challenges facing privacy today and tomorrow. In her speech, the director of the APDCAT, Meritxell Borràs i Solé, highlighted this pioneering regulation.

She also stressed that this is an area in constant transformation and updating, which faces challenges such as those posed by neurotechnologies, capable of revealing and monitoring unconscious thoughts.

She added that fundamental rights are currently facing significant threats. However, she was optimistic, saying that personal data protection is sufficiently consolidated in Europe to face the changes to come.

Nearly 200 attendees

Nearly 200 people attended the event, including members of the public, authorities and experts in the field. The Deputy First Secretary of the Bureau of the Parliament of Catalonia, Glòria Freixa i Vilardell, welcomed them.

For his part, the Professor of Labor Law and Social Security and Dean of Law and Political Science Studies at the UOC, Ignasi Beltran de Heredia Ruiz, spoke about technological inertia and the last frontier of privacy. His talk focused on the risks arising from the growing proliferation of algorithms that extract personal data, at a time when citizens tend not to attach importance to their privacy.

For Beltran de Heredia, the combined effect of these two factors suggests that some very important dimensions of the freedom and identity of people in liberal democracies are being seriously threatened, and he argued for the creation of a legal shield that effectively protects them.

Three discussion panels

The event also hosted several panels to promote debate. In the first, the area managers of the APDCAT took stock of these ten years of the GDPR. Moderated by Ester Santiago Lozano, Data Protection Officer (DPO) of the Barcelona City Council, the panel featured Xavier Urios Aparisi, Head of the Legal Department; Fina Valls Vila, Head of the Inspection and Technical Area; Albert Serra Pagès, Coordinator of Information Technology and Security; and Joana Marí Cardona, DPO and Head of Strategic Projects.

Subsequently, there was a debate on proactive responsibility in the public sector, in a round table moderated by Guillem López Sanz, head of institutional relations and organization of the APDCAT, with Mireia Bosch Acarreta, DPO of the Department of Justice and Democratic Quality of the Generalitat of Catalonia; Mª José Campo Salas, director of the Office of the Health Data Protection Officer of the TIC Salut i Social Foundation; and Sònia Oliveras i Artau, DPO of the Girona City Council.

The private sector perspective was addressed in the panel 'Focus on risk: from theory to practice', moderated by Olga Rierola Forcada, head of the DPO registry and Training and Cooperation programs at APDCAT. The panelists included Esther Garcia Encinas, head of the Privacy and AI Office at CaixaBank; Eduard Blasi Casagran, lawyer specializing in privacy and AI, and partner at Tech&Law Abogados; and Patrícia Lozano del Valle, DPO at the UOC.

13 million affected by security breaches

The GDPR is the regulation that established the obligation for both companies and public organizations to notify security breaches (NVS) to the competent supervisory authority. Within this framework, the APDCAT has recorded an increase in NVS of 161% since the effective application of the regulation. These NVS include cyberattacks, which over the same period have increased by 141%. The approximate total number of people affected by security breaches within the scope of the APDCAT since the application of the GDPR is around 13 million, taking into account that there are breaches for which it is not possible to determine the number of people affected.

Regarding complaints and claims for breaches of data protection regulations, the APDCAT has recorded an increase of 335% in this period. This is related to the gradual increase in citizens' awareness of their rights and of how to exercise them before the corresponding public authorities.

Last update: 24.04.2026