Lorenzo Cotino Hueso and Francisco Pérez Bes, appointed president and deputy, respectively, of the Spanish Agency for Data Protection

26 February 2025. Lorenzo Cotino Hueso and Francisco Pérez Bes have been appointed, respectively, president and deputy, of the Spanish Agency for Data Protection (AEPD), appointments that follow an evaluation of their merit, capacity, competence and suitability by a selection committee and after having obtained the favorable vote of the Congress of Deputies.

Lorenzo Cotino Hueso holds a PhD and a degree in Law from the University of Valencia, where he has been a lecturer for thirty years, a master's degree in fundamental rights in Barcelona from ESADE, a degree and a diploma in Advanced Studies in Political Science from the UNED and a Professor of Constitutional Law from the University of Valencia (2017).

He has received national research awards, as well as the Extraordinary Doctorate Award or recognition as doctor honoris causa or honorary professor from foreign universities. He is the author of 14 monographs, coordinator of 26 others and has written more than two hundred scientific articles or chapters, most of them related to privacy, data protection and transparency. He has also directed and managed some twenty research projects in these areas and has coordinated the network of specialist www.derechotics.com since 2024.

He has been deputy judge of the High Court of Justice of the Valencian Community (administrative litigation 2000‒2019), member of the Transparency Council of the Valencian Community and vice-president of the Open Government Forum of Spain.

He has also participated in consulting activities for the Administration related to compliance with the AI Regulation and the preparation of an AI sandbox in Spain, with similar experiences in different companies under agreements signed between them and the University of Valencia. Since 2020 he has been director of privacy of OdiseIA, the Observatory of the Ethical and Social Impact of Artificial Intelligence.

For his part, Francisco Pérez Bes holds a degree in Law and has a master's degree in International Business Law, a postgraduate degree in corporate finance and an IP&IT programme from ESADE. He holds a research proficiency granted by the UNED and, at present, is a PhD student at the USAL. He has completed the course for security chiefs of the protection service and control bodies taught by the National Security Office.

He has been general secretary and data protection delegate of the National Cybersecurity Institute of Spain (INCIBE) between 2014 and 2019 and was Compliance Officer at Ladbrokes Betting & Gaming between 2011 and 2014. He has management experience in different companies and entities linked to the legal field and has been a partner of Digital Law in Ecix Group until today.

He has received various awards such as the medal for cyberdefense awarded by the Spanish Association of Computer Experts, the medal for merit with white badge of the Civil Guard and the medal for merit of the Lawyers of Castilla y León. He has extensive teaching experience and has published works and articles on data protection, cybersecurity and other related subjects.

Favourable vote of Congress

Article 48 of the Organic Law on Data Protection and Guarantee of Digital Rights establishes that the presidency of the Spanish Data Protection Agency and its deputy shall be appointed by the Government, on a proposal from the Ministry of Justice, among persons of recognized professional competence, in particular in the field of data protection.

For its part, Article 20 of the Statute of the Spanish Data Protection Agency establishes that the proposal of the most suitable candidates must be made by a selection committee after evaluating their merit, capacity, competence and suitability.

Once this proposal was made, the Government submitted it to the Congress of Deputies, being ratified by the Congressional Justice Commission on February 19 in a public vote by an absolute majority.

The terms of office of the President and Deputy of the Spanish Data Protection Agency have a duration of five years and may be renewed for another period of equal duration.