AEPD (Spain) - PS/00552/2023
Spanish DPA fines e-commerce firm €1.09M for exposed million-record database and GDPR breach notification failures.
Summary
Spain's AEPD fined CECOTEC INNOVACIONES €1,090,000 after over one million customer records were offered for sale on the dark web in April 2023. The company violated GDPR Articles 5(1)(f), 32, 33, and 34 by maintaining an insecure legacy system, delaying breach notification to authorities beyond 72 hours, and failing to notify affected data subjects. The delayed notification—customers were informed nearly two years later—prompted a separate consumer complaint in April 2025.
Full text
AEPD - PS/00552/2023 (GDPRhub, latest revision as of 22:23, 20 March 2026)
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 32 GDPR, Article 33 GDPR, Article 34 GDPR
Type: Investigation
Outcome: Violation Found
Started: 01.04.2024
Published: 18.03.2026
Fine: 1,090,000 EUR
Parties: AEPD; CECOTEC INNOVACIONES, S.L.U.
National Case Number/Name: PS/00552/2023
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Niovi Gkioka

The Spanish DPA fined an e-commerce company €1,090,000 after a database containing over one million records was offered on the dark web, finding breaches of Article 5(1)(f), Article 32, Article 33 and Article 34 GDPR.

English Summary

Facts

CECOTEC INNOVACIONES, S.L.U. (the controller) operated an e-commerce platform used to manage customer orders and accounts. In early 2021, it decommissioned the platform but kept the legacy system accessible for internal purposes.

On 5 April 2023, the Instituto Nacional de Ciberseguridad (INCIBE), Spain's national cybersecurity institute, informed the controller that a database allegedly belonging to it, containing over one million records, was being offered for sale on the dark web. On 12 April 2023, INCIBE sent a second notification, after which the controller carried out an internal investigation.

The controller questioned the existence and scope of the breach, arguing that only a limited number of records matched its database and that it could not confirm unauthorised access. It considered the risk to be low. On 19 April 2023, it notified the Spanish Data Protection Authority (AEPD) but did not inform affected data subjects.

The AEPD carried out preliminary investigations and, on 1 April 2024, initiated sanctioning proceedings. It found that the data originated from the controller's database and that the legacy system remained accessible via the internet, relied on outdated software and lacked adequate monitoring, logging and access control measures.

Holding

First, the Spanish Data Protection Authority (AEPD) held that storing personal data in a legacy system that remained accessible and relied on outdated software without adequate security measures infringed Article 5(1)(f) and Article 32 GDPR.

Second, the AEPD held that a controller cannot delay breach notification on the basis of uncertainty as to the existence or scope of a breach and must act upon reasonable indications of compromise. The controller therefore infringed Article 33 GDPR by failing to notify the authority within 72 hours.

Third, the AEPD held that the failure to inform data subjects constituted an infringement of Article 34 GDPR, as the breach involved a large volume of personal data and potential risks could not be excluded.

The AEPD fined the controller €1,090,000.

Comment

In a related development, in April 2025 consumer association FACUA filed a separate complaint with the AEPD against CECOTEC, criticising the company for only notifying affected customers of the breach nearly two years after it occurred. No outcome of that complaint has been reported as of March 2026.