<\/p>\n\n\n\n
In February 2026, the Spanish Data Protection Agency (AEPD) published guidelines on agentic artificial intelligence, a technology that is gradually being incorporated into companies and public administrations. Its importance lies in the fact that it is not just a new tool, but a different way of carrying out personal data processing.<\/p>\n\n\n\n
The guidelines do not aim to resolve specific cases, but to provide a framework for understanding what changes when processing relies on AI agents.<\/p>\n\n\n\n
The guidelines describe AI agents as systems that use language models to achieve objectives, adapting to their environment and acting according to circumstances.<\/p>\n\n\n\n
Unlike simpler systems, these do not merely respond to requests. They can organize tasks, break them down into stages, access different sources of information, and execute actions within digital systems.<\/p>\n\n\n\n
In other words, these are not passive tools, but systems capable of actively intervening in organizational processes.<\/p>\n\n\n\n
<\/p>\n\n\n\n
One of the key points of the document is that the use of agentic AI can change how data processing is structured.<\/p>\n\n\n\n
When these systems are integrated, they may alter:<\/p>\n\n\n\n
For this reason, their implementation requires a review of regulatory compliance, even in existing processing activities.<\/p>\n\n\n\n
Additionally, agents may access both internal information and external sources, which may involve the use of personal data that was not initially foreseen..<\/p>\n\n\n\n
<\/p>\n\n\n\n
The guidelines emphasize that risks do not arise solely from language models, but from the interaction between multiple components. It is precisely this complexity that creates new vulnerabilities.<\/p>\n\n\n\n
Among the most relevant:<\/p>\n\n\n\n
The AEPD distinguishes between two key levels:<\/p>\n\n\n\n
Both may contain personal data and require differentiated handling.<\/p>\n\n\n\n
<\/p>\n\n\n\n
One of the most interesting aspects of the guidelines is their approach to risk. The AEPD highlights that agentic AI changes the nature of processing and therefore requires a specific analysis.<\/p>\n\n\n\n
As a guiding tool, it refers to the so-called \u201crule of 2\u201d, which states that three elements should not occur simultaneously:<\/p>\n\n\n\n
Although this is a simplification, it serves as a warning to identify particularly risky configurations.<\/p>\n\n\n\n
However, the AEPD itself notes that the analysis must go further, incorporating factors such as data quality, the presence of bias, and compliance with the principle of data minimization.<\/p>\n\n\n\n
<\/p>\n\n\n\n
The use of these systems requires careful attention to several issues:<\/p>\n\n\n\n
<\/p>\n\n\n\n
Rather than merely identifying risks, the guidelines propose a broad set of measures. Among the most relevant:<\/p>\n\n\n\n
All of this is based on a key idea: data protection must be integrated by design<\/strong>.<\/p>\n\n\n\n <\/p>\n\n\n\n Agentic AI introduces real risks, derived from its autonomy, its integration capacity, and its high technical complexity.<\/p>\n\n\n\n However, it can also become a powerful ally in strengthening data protection, provided that its implementation is carried out properly.<\/p>\n\n\n\n The key lies in the approach: it is not just about using the technology, but about understanding it, controlling it, and defining the limits within which it should operate.<\/p>\n\n\n\n Because in this new scenario, the greatest risk is not artificial intelligence\u2026 but using it without understanding it.<\/p>\n","protected":false},"excerpt":{"rendered":" The Spanish Data Protection Agency (AEPD) has published a 2026 guide on agentic AI. Discover what it is, its risks, the legal obligations involved, and its impact on the processing of personal data.<\/p>\n","protected":false},"author":7,"featured_media":11057,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"content-type":"","inline_featured_image":false,"footnotes":""},"categories":[4,20,452,453,627,65,73],"tags":[437,438,488],"class_list":["post-11004","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-privacy","category-proteccion-de-datos","category-ai-2","category-artificial-intelligence","category-privacidad-y-proteccion-de-datos-ue","category-ia","category-inteligencia-artificial","tag-ia","tag-inteligencia-artificial","tag-proteccion-de-datos"],"acf":[],"_links":{"self":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/11004","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/users\/7"}],"replies":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/comments?post=11004"}],"version-history":[{"count":2,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/11004\/revisions"}],"predecessor-version":[{"id":11060,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/posts\/11004\/revisions\/11060"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/media\/11057"}],"wp:attachment":[{"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/media?parent=11004"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/categories?post=11004"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/lawwwing.com\/en\/wp-json\/wp\/v2\/tags?post=11004"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}Conclusion: A Risky Technology\u2026 and an Opportunity<\/h2>\n\n\n\n