Policy | Jun 9, 2026

AEPD (Spain) - PS-00437-2024

Spain's AEPD fines Iberia €650,000 for data breach and failure to notify.

Summary

Spain's Data Protection Agency (AEPD) has fined Iberia €650,000 after a data breach at one of its processors exposed the personal data of employees and corporate-client representatives across multiple EU Member States. The airline notified the AEPD three days after its processor reported the intrusion, but the AEPD found that it had not carried out an adequate risk assessment for the affected processing and that its security measures were not appropriate to the risk: the compromised infrastructure remained accessible for more than a month and a half, which the AEPD read as insufficient monitoring and detection capability, and the protection of credentials and passwords was weak. This was sanctioned as a breach of the GDPR's integrity and confidentiality principle (Article 5(1)(f)); the Article 32 shortcomings were assessed within that finding rather than fined separately. The airline also failed to communicate the breach to the affected data subjects (Article 34), but that infringement was archived as time-barred under national law. In addition to the fine, the AEPD ordered Iberia to prove within six months that it has adopted security measures appropriate to the risk of its processing.

Full text

AEPD - PS-00437-2024 (GDPRhub entry, latest revision 9 June 2026)

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 34 GDPR
Type: Other
Outcome: n/a
Started: 23.02.2023
Fine: €650,000
Parties: Iberia Líneas Aéreas de España, S.A.
National Case Number/Name: PS-00437-2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined an airline €650,000 for failing to implement appropriate security measures after a data breach at one of its processors exposed personal data across several Member States. The DPA also noted that the airline failed to notify the affected data subjects.

English Summary

Facts

Iberia Líneas Aéreas de España, S.A. Operadora, the controller, notified the DPA of a personal data breach on 23 February 2023. The controller stated that, on 20 February 2023, one of its service providers, acting as processor, informed it of a cybersecurity incident involving unauthorised access to systems containing personal data. The breach affected the confidentiality of personal data.

The controller initially stated that the incident involved an external and intentional cyberattack, that the data were not encrypted or otherwise rendered unintelligible, and that the possible consequences included identity theft and phishing or spam campaigns. The affected data included basic personal data, professional contact details, credentials, flight-related information, ticket information, company membership information and travel agency names. The affected data subjects included employees of the controller and representatives of corporate clients.

The controller later updated the DPA and confirmed that the incident had involved access to and exfiltration of personal data under its responsibility. The breach affected data subjects in several Member States, including Germany, Austria, Belgium, Denmark, France, Italy, the Netherlands, Portugal and Sweden.

The controller did not communicate the breach to the affected data subjects. It argued that, although the DPA's own breach communication tool indicated that the breach should be communicated to the data subjects, it had adopted sufficient mitigation measures after the incident so that a high risk to the rights and freedoms of the data subjects was no longer likely to materialise.

The DPA initiated sanctioning proceedings against the controller for alleged infringements of Articles 5(1)(f), 32 and 34 GDPR. During the proceedings, the controller argued that it had implemented adequate security measures, that the breach resulted from an external attack against the processor, and that no sanction should be imposed.

Holding

The DPA held that the controller infringed Article 5(1)(f) GDPR, which requires personal data to be processed in a manner ensuring appropriate security, including protection against unauthorised or unlawful processing.

The DPA found that the controller had not demonstrated that it had carried out an adequate risk assessment for the processing operation affected by the breach. In particular, the documentation provided by the controller did not identify concrete risks linked to the processing, nor did it set out adequate technical and organisational measures to mitigate such risks. According to the DPA, since the GDPR requires security measures to be appropriate to the risks of the processing, the absence of an adequate risk analysis necessarily undermined the controller's ability to select and implement effective safeguards.

The DPA also considered that the security measures in place were not appropriate in light of the risks. The DPA noted that the incident led to unauthorised access to and downloading of personal data and that the relevant infrastructure remained accessible for more than a month and a half. This showed, in the DPA's view, insufficient monitoring and detection capabilities. The DPA further referred to weaknesses concerning the protection of credentials and passwords and considered that the controller had not adequately ensured the confidentiality of the affected data.

The DPA therefore concluded that the controller had breached the integrity and confidentiality principle under Article 5(1)(f) GDPR. It imposed an administrative fine of €650,000.

The DPA did not impose separate sanctions for Articles 32 and 34 GDPR. As regards Article 32 GDPR, the alleged lack of appropriate technical and organisational measures was assessed as part of the Article 5(1)(f) GDPR infringement, since both provisions were based on the same security shortcomings. As regards Article 34 GDPR, the DPA considered that the controller should have communicated the breach to the data subjects, but archived this infringement because it was time-barred under national law.

In addition to the fine, the DPA ordered the controller, under Article 58(2)(d) GDPR, to prove within six months that it had adopted technical and organisational security measures appropriate to the risk of the personal data processing carried out.

Entities

Iberia (vendor)