[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fK7XeoM-YROHPX3AVQf4MRMzSapSoF5zoxpEHpla6w3Y":3},{"article":4,"iocs":46},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":25,"category":26,"article_tags":30},"0e29b553-5688-4b73-b6a6-6d23bd633022","AEPD (Spain) - EXP202408867","aepd-spain-exp202408867-c029bf","← Older revision Revision as of 07:57, 13 May 2026 Line 61: Line 61: }} }} The DPA fined a sports fashion retailer €120,000 for failing to ensure security of processing in relation to a data breach that affected over 300,000 data subjects. The DPA fined a sports fashion retailer €120,000 for failing to ensure security of processing in relation to a data breach that affected over 300,000 data subjects and involved data such as names, contact and ID information. == English Summary == == English Summary ==","Spain's Data Protection Authority (AEPD) fined DÉCIMAS S.L.U., a sports fashion retailer, €120,000 for violating Article 5(1)(f) GDPR by failing to ensure adequate security of personal data processing. A 2024 data breach exposed over 300,000 data subjects' names, contact information, and ID data; the breach was discovered not by the controller but by Spain's National Cybersecurity Institute (INCIBE) through online advertisements selling the stolen data. 
The controller's inadequate vulnerability monitoring, lack of early incident detection mechanisms, and post-breach security measures with significant vulnerabilities led to the fine, which was reduced from €200,000 through voluntary payment and liability acknowledgment provisions.","Spain's AEPD fined sports retailer €120K for data breach affecting 300K+ people","AEPD (Spain) - EXP202408867: Difference between revisions. Latest revision as of 07:57, 13 May 2026 AEPD - EXP202408867 Authority: AEPD (Spain) Jurisdiction: Spain Relevant Law: Article 5(1)(f) GDPR Type: Complaint Outcome: Upheld Started: 10.01.2026 Decided: Published: 05.05.2026 Fine: 120,000 EUR Parties: DÉCIMAS S.L.U. National Case Number\u002FName: EXP202408867 European Case Law Identifier: n\u002Fa Appeal: n\u002Fa Original Language(s): Spanish Original Source: AEPD (in ES) Initial Contributor: ap The DPA fined a sports fashion retailer €120,000 for failing to ensure security of processing in relation to a data breach that affected over 300,000 data subjects and involved data such as names, contact and ID information. 
English Summary Facts DÉCIMAS S.L.U. (the controller) is a sports fashion retailer. In 2024, two data subjects brought a complaint to the DPA after receiving an email from the controller about a data breach. The data breach affected over 300,000 data subjects, and involved data subjects’ personal data such as names, contact information and ID information. The controller’s parent company had a contract with a processor, which provided services to the controller (and other companies in the group) and was the first company to be affected by the data breach. The controller also informed the DPA of the data breach separately from the complaints. During the DPA’s investigations, the controller claimed that the data breach would not affect data subjects, or would cause minor inconveniences. Holding The DPA found a violation of Article 5(1)(f) GDPR, as the controller failed to ensure security of processing. The DPA found that the controller had not implemented measures to monitor vulnerabilities, or report incidents early. The DPA noted that the data breach was not initially detected by the controller, but by INCIBE (the National Cybersecurity Institute, an agency under the Spanish Ministry of Digital Transformation). INCIBE found the data breach through an online advertisement selling personal data of the affected data subjects. Finally, the DPA noted that the controller’s security measures implemented after the data breach were not sufficiently effective, as they had significant vulnerabilities. The fine was initially set at €200,000 but pursuant to Law 39\u002F2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may make a voluntary payment of the proposed fine and waive their right to appeal. This action reduces the imposed fine by 20%. 
The fine can be reduced by a further 20% if the controller acknowledges its liability. The controller opted for both and reduced the fine by 40%, paying the reduced sanction amount of €120,000. The DPA took into consideration the high number of data subjects affected, as well as the sensitive nature of ID information. In addition, the DPA ordered the controller to demonstrate that it had implemented appropriate technical and organisational measures to ensure security of processing. English Machine Translation of the Decision The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. File No.: EXP202408867 RESOLUTION TERMINATING THE PROCEEDINGS BY ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT From the proceedings initiated by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On January 10, 2026, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against DÉCIMAS, S.L. (hereinafter, DÉCIMAS), by means of the agreement transcribed below: \u003C\u003C File No.: EXP202408867 AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS Based on the actions taken by the Spanish Data Protection Agency and the following FACTS FIRST: On May 10 and 14, 2024, two complaints were filed with the Spanish Data Protection Agency regarding a possible infringement attributable to DÉCIMAS, S.L., with Tax Identification Number B78785219 (hereinafter, DÉCIMAS). The facts brought to the attention of this authority are as follows: The complainants state that they received an email from the respondent informing them that a security incident had occurred affecting its database and that, as a result, their personal data (name and surname, email address, and national identity document number) had been exposed. 
The following documents are attached to the complaint: - A copy of the email sent on May 10, 2024, by the respondent reporting the breach. SECOND: In accordance with Article 65.4 of Organic Law 3\u002F2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the aforementioned complaint was forwarded to DECIMAS so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations. C\u002F Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es 2\u002F21 The notification of the transfer of the claim, which was carried out in accordance with the rules established in Law 39\u002F2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was made on June 18, 2024, as evidenced by the acknowledgment of receipt included in the file. On July 17, 2024, this Agency received a written response stating the following: \"(...) The entity ***EMPRESA.1 is the data processor for the entity DÉCIMAS, S.L.U., and the former is the one that suffered the security incident. However, DÉCIMAS, S.L.U. is indeed the data controller of the claimant's personal data (...) The following events are described in detail and chronologically: 1. On April 26, 2024, at 9:42 a.m., DÉCIMAS, S.L.U. received a message from INCIBE informing us of a possible attack on our database with the appearance of a message published on April 25, 2024, at 6:12 p.m. by the user ***USUARIO.1 offering the alleged data for sale. 2. On April 26, 2024, at 10:59 a.m., DÉCIMAS, S.L.U. forwarded the message to ***COMPANY.1. 3. On April 26, 2024, at 1:00 p.m., ***COMPANY.1 commissioned a forensic vulnerability assessment. 4. 
On April 26, 2024, at 3:00 p.m., ***COMPANY.1 confirmed that it was a data breach and recommended that we report it to the Spanish Data Protection Agency. 5. On April 26, 2024, at 5:55 p.m., DÉCIMAS, S.L.U. submitted the initial report to the Agency electronically. 6. On April 26, 2024, at 8:58 p.m., the attack was resolved. 7. On April 27, 2024, ***COMPANY.1 contacted INCIBE to confirm that the applied measures are correct, receiving confirmation and a request for the IPs, if possible. 8. On April 28 at 10:02 PM, ***COMPANY.1 forwarded the list of found IPs to INCIBE. (...) A copy of the report prepared by NACATA SECURITY, an independent third-party company, which ***COMPANY.1 hired to conduct a security audit and resolve ","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_EXP202408867&diff=51635&oldid=51603","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-05-13T07:57:24+00:00","2026-05-13T08:00:07.614339+00:00",8,[18,21,23],{"name":19,"type":20},"DÉCIMAS S.L.U.","vendor",{"name":22,"type":20},"AEPD",{"name":24,"type":20},"INCIBE","3f0f8451-91df-4b6c-9a73-ef3b2509b7f1",{"id":25,"icon":27,"name":28,"slug":29},null,"GDPR","gdpr",[31,36,41],{"category":32},{"id":33,"icon":27,"name":34,"slug":35},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":37},{"id":38,"icon":27,"name":39,"slug":40},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":42},{"id":43,"icon":27,"name":44,"slug":45},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]