[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fMQpXtgY26SEHd5rBy-jC2B3Bm5ElIXRuiLDkVsqO4OY":3},{"article":4,"iocs":47},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":21,"category":22,"article_tags":26},"d47ab4b2-72be-4a4d-8238-ac519f96c453","AEPD (Spain) - PS-00020-2025","aepd-spain-ps-00020-2025-bd216f","Show changes","Spain's data protection authority (AEPD) has fined a data controller €200,000 for insufficient security measures following a cyberattack. The AEPD rejected the controller's claim that the attack was an external criminal act, finding that internal vulnerabilities allowed attackers access to personal data. The controller also violated Article 35 of the GDPR by failing to conduct a Data Protection Impact Assessment (DPIA) despite processing high-risk data categories like health data and data concerning minors.","Spain's AEPD fines a controller €200,000 for insufficient security measures and failure to conduct a DPIA.","AEPD (Spain) - PS-00020-2025: Difference between revisions (GDPRhub). Revision as of 10:20, 3 July 2026 compared with the latest revision as of 10:33, 3 July 2026 (2 intermediate revisions by the same user not shown).
Line 23: |Date_Published= changed to |Date_Published=01.07.2026; |Date_Started=, |Date_Decided=, |Year= and |Fine=200,000 unchanged.
Line 86 (latest revision; the earlier revision differed only in writing the link as [[Article 35 GDPR|Article 35 GDPR]]): The DPA rejected the controller’s argument that the attack was an external criminal act that could not be attributed to it. The DPA found that the controller was aware of an extreme cyber risk and that its internal vulnerabilities and security posture allowed the attackers to move through the systems, access personal data and encrypt files. The DPA therefore considered that the controller’s measures were clearly insufficient. The DPA also held that the controller violated [[Article 35 GDPR]]. The controller processed high-risk categories of data, including health data and data concerning minors. In these circumstances, it should have carried out a DPIA before the processing. The DPA found that the controller’s 2019 risk analysis wrongly concluded that no high risk existed, while its later documentation acknowledged that a DPIA was necessary. The DPA proposed a fine of €150,000 for the infringement of [[Article 5 GDPR#1f|Article 5(1)(f) GDPR]] and €100,000 for the infringement of [[Article 35 GDPR]], totalling €250,000. The controller paid voluntarily without acknowledging liability, obtaining a 20% reduction under Spanish Administrative Law (39\u002F2015). The final payable amount was therefore €200,000. The DPA also ordered the controller, under [[Article 58 GDPR#2d|Article 58(2)(d) GDPR]], to prove within three months from the enforceability of the decision that it had carried out the mandatory DPIA required under [[Article 35 GDPR]].
== Comment ==
Line 101: The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Previous revision (text removed): \u003Cpre>Case No.: EXP202400624 RESOLUTION TERMINATING THE PROCEEDINGS DUE TO ACKNOWLEDGMENT OF LIABILITY AND VOLUNTARY PAYMENT From the proceedings initiated by the Spanish Data Protection Agency and based on the following: BACKGROUND FIRST: On April 15, 2025, the Presidency of the Spanish Data Protection Agency decided to initiate sanctioning proceedings against TBO WORKING SEGURIDAD, S.L. (hereinafter, TBO), by means of the agreement transcribed below: \u003C\u003C\u003C\u003C Case No.: EXP202400624 AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS Based on the actions taken by the Spanish Data Protection Agency, and on the following FACTS FIRST: On July 30, 2024, a complaint was filed with the Spanish Data Protection Agency. The complaint is directed against the party identified as TBO WORKING SEGURIDAD, S.L., with Tax Identification Number B55500185 (hereinafter, the respondent), for the installation of a video surveillance system located at ***ADDRESS.1, there being indications of a possible breach of the provisions of current data protection regulations. The grounds for the claim are as follows: “The defendant (a company whose administrator is her husband) has four security cameras on the exterior facade overlooking the street, four cameras on the first-floor landing, and two in the hallways inside the coworking offices (one with a view into the bathroom). The defendant is identified as responsible in all of them. The claimant rented a coworking office on the same floor as the defendant's branch from February 2021 to May 2024. From March to September 2023, the company captured more than 400 images of her and her children under 14 years of age. These images were submitted as evidence in the divorce proceedings on February 1, 2024, as evidence of alleged work activity. C\u002F Jorge Juan, 6 28001 – Madrid www.aepd.es sedeaepd.gob.es The following documentation is atta
Latest revision (text added): \u003Cpre>File No.: EXP202411980 DECISION TO TERMINATE THE PROCEEDINGS DUE TO VOLUNTARY PAYMENT Regarding the proceedings conducted by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On October 22, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate disciplinary proceedings against ALKORA EBS CORREDURIA DE SEGUROS Y REASEGUROS SAU (hereinafter, ALKORA). Following notification of the decision to initiate proceedings and after analyzing the arguments submitted, a proposed resolution was issued on February 16, 2026, the text of which is transcribed below: \u003C\u003C\u003C\u003C File No.: EXP202411980 PROPOSED RESOLUTION ON DISCIPLINARY PROCEEDINGS Regarding the proceedings conducted by the Spanish Data Protection Agency and based on the following: Contents: BACKGROUND ... 3; FIRST: On April 22, 2023, this Agency was notified of a data breach involving ALKORA EBS CORREDURIA DE SEGUROS Y REASEGUROS SAU, with Tax ID No. A01051747 (hereinafter, ALKORA) ... 3; SECOND: On December 27, 2023, a complaint was filed with the Spanish Data Protection Agency regarding the previously reported data breach of personal data ... 5; THIRD: Pursuant to Article 65.4 of Organic Law 3\u002F2018, of December 5, on Data Protection and the Guarantee of Digital Rights (hereinafter LOPDGDD), said complaint was forwarded to ALKORA so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements set forth in data protection regulations ... 7; FOURTH: On March 27, 2024, in accordance with Article 65 of the LOPDGDD, the complaint was accepted for processing ... 20; FIFTH: The Subdirectorate General for Data Inspection conducted preliminary","https:\u002F\u002Fgdprhub.eu\u002Findex.php?title=AEPD_(Spain)_-_PS-00020-2025&diff=52053&oldid=52050","https:\u002F\u002Fgdprhub.eu\u002Fimages\u002F5\u002F59\u002FLogoES.jpg","2026-07-03T10:33:05+00:00","2026-07-03T12:00:19.318363+00:00",8,[18],{"name":19,"type":20},"AEPD","vendor","c5c77cdb-f7d7-4990-9436-c81dcbff1163",{"id":21,"icon":23,"name":24,"slug":25},null,"Policy","policy",[27,32,37,42],{"category":28},{"id":29,"icon":23,"name":30,"slug":31},"2e06f76c-d5b9-4f54-9eef-4d3447b10730","Breaches","breaches",{"category":33},{"id":34,"icon":23,"name":35,"slug":36},"3f0f8451-91df-4b6c-9a73-ef3b2509b7f1","GDPR","gdpr",{"category":38},{"id":39,"icon":23,"name":40,"slug":41},"53f9c4b6-8bc6-4964-9169-d09e5cd41d72","Compliance","compliance",{"category":43},{"id":44,"icon":23,"name":45,"slug":46},"d95477d7-eb04-4fad-a2dc-be1428040ce7","Privacy Fines","privacy-fines",[]]