AEPD (Spain) - EXP202309453
Spain's AEPD fines AXA €200K for insufficient security allowing former employee account access.
Summary
Spain's data protection authority (AEPD) fined insurance company AXA SEGUROS GENERALES €200,000 for violating Article 5(1)(f) of the GDPR by failing to implement adequate security measures. A former employee was able to impersonate a data subject using only their insurance number and last four digits of a payment method to access and modify the subject's online account. The DPA found the security controls insufficient and systematic in their negligence, particularly given the sensitive nature of insurance data.
Full text
AEPD - EXP202309453
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Type: Complaint
Outcome: Upheld
Started: 28.05.2023
Decided: 15.04.2026
Published: 15.04.2026
Fine: 200,000 EUR
Parties: AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS
National Case Number/Name: EXP202309453
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: ap

The DPA fined an insurance company €200,000 for failing to ensure security of processing, which allowed a former employee to access a data subject's account.

English Summary
Facts
AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS (the controller) is an insurance company. In 2023, a former employee of the controller contacted a data subject, asking them to provide information on their insurance so that a different company could match the price on their behalf. The data subject later received two SMS messages, containing a temporary code to access their online account and a confirmation that their access data had been changed. The data subject contacted the controller, as they had not used the codes or accessed their account. In response, the controller blocked their account, but later informed them that the former employee had stolen their identity to access their account. The data subject filed a complaint with the DPA in 2023. During the DPA's investigation, the controller confirmed that the data subject's password had been changed.
In addition, the controller stated that it had implemented additional security measures after the incident to prevent future identity theft. The controller argued that the DPA could not find a violation of Article 5(1)(f) GDPR based solely on the fact that the incident took place, as this article does not require controllers to have completely effective security measures in place.

Holding
The DPA found a violation of Article 5(1)(f) GDPR. The controller did not properly manage the process for changing the data subject's password, which allowed a third party to access the data subject's insurance account information. The DPA considered the controller's security measures insufficient to ensure security of processing: for example, the third party was able to impersonate the data subject based on their insurance number and the last four digits of their payment method. The DPA noted that this was a systematic error and evidence of a lack of diligence on the controller's part, as it had not implemented measures to ensure that former employees could not impersonate data subjects. The DPA fined the controller €200,000. In addition, the DPA ordered the controller to implement adequate technical and security measures. The DPA stated that, because the controller operated in the insurance sector, ensuring security of processing was essential.

English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/53
File No.: EXP202309453
RESOLUTION OF DISCIPLINARY PROCEEDINGS

TABLE OF CONTENTS
BACKGROUND ... 2
FIRST: Complaint received ... 2
SECOND: Transfer of the complaint ... 3
THIRD: Admission of the complaint ... 4
FOURTH: Preliminary investigative actions ... 5
FIFTH: Agreement to initiate disciplinary proceedings ... 13
SIXTH: Allegations against the initiation agreement ... 13
SEVENTH: Change of instructor of the proceedings ... 13
EIGHTH: Proposed resolution ... 13
NINTH: Turnover and number of clients ... 13
PROVEN FACTS ... 14
LEGAL GROUNDS ... 16
I. Jurisdiction ... 16
II. Preliminary issues ... 16
III. Objections to the initiation agreement and response thereto ... 17
FIRST. Possible expiration of the preliminary investigative proceedings ... 17
SIXTH. Possible concurrence of infringements ... 19
SECOND. On the factual scenario ... 21
THIRD. Infringement of Article 5.1.f) of the GDPR ... 21
FOURTH. Infringement of Article 32 of the GDPR ... 24
FIFTH. Role of the Data Controller ... 26
SEVENTH. Proportionality of the Sanction ... 27
IV. Allegations against the proposed resolution and response thereto ... 33
FIRST. ON THE EXPIRY OF THE PRELIMINARY INVESTIGATIVE PROCEEDINGS ... 33
SECOND. ON THE FACTUAL BACKGROUND ... 36
THIRD. ON THE ALLEGED INFRINGEMENT OF ARTICLE 5.1 F) ... 38
C/ Jorge Juan, 6, 28001 Madrid - www.aepd.es - sedeaepd.gob.es
2/53
FOURTH. ON THE ROLE OF THE DATA CONTROLLER AND THE ASSOCIATED LIABILITY ... 42
FIFTH. ON THE COMPLAINT FILED AGAINST ***COMPANY.1 ... 43
SIXTH. ON THE AEPD'S CRITERIA IN PREVIOUS SIMILAR RESOLUTIONS ... 43
SEVENTH. PROPORTIONALITY OF THE SANCTION ... 43
V. Breach of Obligation. Article 5.1.f) GDPR Integrity and Confidentiality ... 44
VI. Classification of the Infringement of Article 5.1.f) of the GDPR and its Qualification for the Statute of Limitations ... 48
VII. Sanction for the Infringement of Article 5.1.f) GDPR ... 49
VIII. Corrective Measures ... 51
RESOLVES: ... 52

RESOLUTION OF SANCTIONING PROCEEDINGS
From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND
FIRST: Complaint Received
On May 28, 2023, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS, with Tax Identification Number A60917978 (hereinafter, AXA or the respondent). The following facts are brought to the attention