Announcements
Spanish Data Protection Authority Imposes Administrative Fine of EUR 3,200,000 on Data Controller in the Retail Sector for Multiple Violations of GDPR Obligations
The Spanish Data Protection Authority (AEPD) has imposed a total administrative fine of EUR 3,200,000 on a data controller operating in the retail sector, on the grounds that adequate security measures were not implemented in relation to multiple data breaches and that data subjects were not informed in a timely manner.
The key findings of the decision are as follows:
- The data controller submitted five data breach notifications to the AEPD between January and September 2023.
- Although the first breach occurred in October 2022, it was not reported until January 2023.
- The breaches were reported to have occurred via credential stuffing; however, the source of the credentials could not be identified.
- While the data controller claimed that only 974 accounts had been affected, the AEPD determined that approximately 119,000 accounts were impacted.
- It was considered highly likely that the attackers were able to validate the stolen login credentials against the accounts and access the personal data held within them, such as names, contact information, and addresses.
- Following the third breach, the email sent to data subjects referred only to a password reset and did not disclose that a breach had occurred.
- Two-factor authentication was implemented only after the fifth breach.
- Data subjects were not adequately informed: the notifications sent failed to mention the existence, scope or impact of the breach, or the measures taken in response. This was found to be in violation of Article 34 of the GDPR.
According to the AEPD:
- It was found that the data controller failed to comply with Article 5(1)(f) of the GDPR concerning data security.
- The lack of appropriate technical and organisational security measures constituted violations of Articles 24(1) and 32 of the GDPR.
- The delayed implementation of preventive measures, such as two-factor authentication, was criticised.
- Security vulnerabilities identified in regular audit reports were known, yet the recommended measures were not implemented.
- The volume of data processed and the nature of the retail sector were considered aggravating factors.
- The data controller’s arguments concerning the number of affected accounts and claims of cooperation were not accepted by the AEPD. The authority confirmed a high number of affected accounts and emphasised that the notification obligation under Article 33 of the GDPR is a legal requirement.
- The AEPD imposed a total fine of €3,200,000, consisting of:
  - €2,000,000 for the violation of Article 5(1)(f) GDPR,
  - €1,000,000 for the violation of Article 32 GDPR,
  - €200,000 for the violation of Article 34 GDPR.
Additionally, the controller was ordered to inform the affected data subjects in accordance with Article 34 GDPR, under penalty of further sanctions in case of failure to comply.
You can access the full text of the decision (in Spanish) here.
Kind regards,
Zumbul Attorneys-at-Law
All information and documents on our website have been prepared by Zumbul Attorneys at Law for general informational purposes only, in accordance with the Attorneyship Law, other relevant legislation and the Professional Rules of Attorneyship of the Union of Turkish Bar Associations. These publications are not intended for advertising or commercial purposes. The information and documents provided are of a general nature and under no circumstances do they guarantee or warrant that the content is complete, accurate, up-to-date, or reliable. You should not rely on the information and documents on this website without first consulting a lawyer or expert. The links included in our website’s publications are sourced from publicly available materials and are provided solely for the convenience of visitors in accessing additional information. These links do not constitute any form of recommendation or endorsement of the linked persons, institutions or organizations. The information on this website does not in any way constitute legal advice or establish an attorney-client relationship with visitors to the site. All content on this website is the property of Zumbul Attorneys at Law, and no content may be copied, reproduced, or used without prior written permission.