GDPR | Jun 2, 2026

AEPD (Spain) - PS-00437-2024

AEPD fines Iberia €650,000 for inadequate data security after processor breach exposed personal data across EU.

Summary

Spain's DPA (AEPD) issued a €650,000 fine to Iberia Líneas Aéreas de España for violating GDPR Articles 5(1)(f), 32, and 34 following a February 2023 data breach caused by unauthorized access to a processor's systems. The breach exposed personal data of employees and corporate clients across nine EU Member States. The DPA found that the controller had failed to conduct an adequate risk assessment and to implement appropriate security measures, and that it had not notified affected data subjects despite indicators that breach notification was required.

Full text

AEPD - PS-00437-2024

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR; Article 34 GDPR
Type: Other
Outcome: n/a
Started: 23.02.2023
Decided:
Published:
Fine: 650.000 EUR
Parties: Iberia Líneas Aéreas de España, S.A.
National Case Number/Name: PS-00437-2024
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined Iberia €650,000 for failing to ensure appropriate security after a processor-related data breach exposed personal data across several EU Member States.

English Summary

Facts

Iberia Líneas Aéreas de España, S.A. Operadora, the controller, notified the DPA of a personal data breach on 23 February 2023. The controller stated that, on 20 February 2023, one of its service providers, acting as processor, informed it of a cybersecurity incident involving unauthorised access to systems containing personal data. The breach affected the confidentiality of personal data. The controller initially stated that the incident involved an external and intentional cyberattack, that the data were not encrypted or otherwise rendered unintelligible, and that the possible consequences included identity theft and phishing or spam campaigns. The affected data included basic personal data, professional contact details, credentials, flight-related information, ticket information, company membership information and travel agency names. The affected data subjects included employees of the controller and representatives of corporate clients. The controller later updated the DPA and confirmed that the incident had involved access to and exfiltration of personal data under its responsibility. The breach affected data subjects in several Member States, including Germany, Austria, Belgium, Denmark, France, Italy, the Netherlands, Portugal and Sweden.

The controller did not communicate the breach to the affected data subjects. It argued that, although the DPA’s own breach communication tool indicated that the breach should be communicated to the data subjects, it had adopted sufficient mitigation measures after the incident so that a high risk to the rights and freedoms of the data subjects was no longer likely to materialise.

The DPA initiated sanctioning proceedings against the controller for alleged infringements of Articles 5(1)(f), 32 and 34 GDPR. During the proceedings, the controller argued that it had implemented adequate security measures, that the breach resulted from an external attack against the processor, and that no sanction should be imposed.

Holding

The DPA held that the controller infringed Article 5(1)(f) GDPR, which requires personal data to be processed in a manner ensuring appropriate security, including protection against unauthorised or unlawful processing. The DPA found that the controller had not demonstrated that it had carried out an adequate risk assessment for the processing operation affected by the breach. In particular, the documentation provided by the controller did not identify concrete risks linked to the processing, nor did it set out adequate technical and organisational measures to mitigate such risks. According to the DPA, since the GDPR requires security measures to be appropriate to the risks of the processing, the absence of an adequate risk analysis necessarily undermined the controller’s ability to select and implement effective safeguards.

The DPA also considered that the security measures in place were not appropriate in light of the risks. The DPA noted that the incident led to unauthorised access to and downloading of personal data and that the relevant infrastructure remained accessible for more than a month and a half. This showed, in the DPA’s view, insufficient monitoring and detection capabilities. The DPA further referred to weaknesses concerning the protection of credentials and passwords and considered that the controller had not adequately ensured the confidentiality of the affected data. The DPA therefore concluded that the controller had breached the integrity and confidentiality principle under Article 5(1)(f) GDPR. It imposed an administrative fine of €650,000.

The DPA did not impose separate sanctions for Articles 32 and 34 GDPR. As regards Article 32 GDPR, the alleged lack of appropriate technical and organisational measures was assessed as part of the Article 5(1)(f) GDPR infringement, since both provisions were based on the same security shortcomings. As regards Article 34 GDPR, the DPA considered that the controller should have communicated the breach to the data subjects, but archived this infringement because it was time-barred under national law.

In addition to the fine, the DPA ordered the controller, under Article 58(2)(d) GDPR, to prove within six months that it had adopted technical and organisational security measures appropriate to the risk of the personal data processing carried out.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202312854

RESOLUTION OF TERMINATION OF PROCEEDINGS DUE TO VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On April 16, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against CAIXABANK, S.A. (hereinafter, CAIXABANK). Having been notified of the initiation agreement and after analyzing the allegations presented, on March 4, 2026, the following proposed resolution was issued:

<< File No.: EXP202312854

PROPOSED RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

Contents
FIRST: Complaint 1 ... 3
SECOND: Complaint 2 ... 3
THIRD: Preliminary investigative actions ... 4
FOURTH: Agreement to initiate sanctioning proceedings ... 4
FIFTH: Allegations against the initiation agreement ... 5
1. Context in which the processing of personal data affected by the personal data breaches took place ... 5
2. Article 5.1 f) of the GDPR ... 5
3. Article 25 of the GDPR ... 6
4. Lack of proportionality ... 6
5. Existence of a medial concurrence ... 6
SIXTH: Trial period ... 7
SEVENTH: List of documents included in the proceedings ... 7
PROVEN FACTS ... 7

C/ Jorge Juan, 6  www.aepd.es
28001 – Madrid  sedeaepd.gob.es

INDEX OF PROVEN FACTS ... 7
FIRS

Entities

Iberia Líneas Aéreas de España, S.A. (vendor)
GDPR (technology)