Announcements

The Spanish DPA Imposes an Administrative Fine on an Asset Management Company for Failing to Implement Appropriate Security Measures Against a Data Breach and for Not Establishing Storage Limitation Periods in a Contract
The Spanish Data Protection Authority (“Authority”), by its Decision dated 04.09.2025 and numbered EXP202318311 (“Decision”), imposed an administrative fine of EUR 180,000 on an asset management company (“Company”) due to a personal data breach affecting 360 employees and the absence of a storage limitation clause in the contract concluded with a consulting company acting as processor.
The Decision can be summarised as follows:
- The controller argued that, because the contract concluded with the processor contained instructions on the processing of personal data, it was not the controller. The Authority rejected this argument, stating that under Article 4(7) GDPR the entity that determines the purposes and means of processing is the controller.
- The Authority found that the controller had failed to implement the technical and organisational measures necessary to ensure the security of personal data, which it considered a violation of Article 5(1)(f) GDPR.
- Because the contract between the controller and the processor contained no storage limitation clause, the processor retained the personal data until the contract was terminated. The Authority stated that, under Article 28(3) GDPR, it is the controller's responsibility to ensure that the contract complies with the GDPR.
- The Authority imposed an administrative fine of EUR 250,000 for the violation of Article 5(1)(f) GDPR and EUR 50,000 for the violation of Article 28 GDPR.
- In addition, the controller was instructed to implement appropriate security measures and to bring the contract concluded with the processor into compliance with the provisions of the GDPR.
- The controller made use of the voluntary payment and waiver of appeal options available under Spanish legislation on administrative proceedings, and the fine was reduced by 20%.
- The fine was further reduced by 20% for acknowledgement of liability. Accordingly, a total reduction of 40% was applied, and the controller paid the reduced administrative sanction of EUR 180,000.
You can access the full text of the Decision here.
Kind regards,
Zumbul Attorneys-at-Law
info@zumbul.av.tr
All information and documents on our website have been prepared by Zumbul Attorneys at Law for general informational purposes only, in accordance with the Attorneyship Law, other relevant legislation and the Professional Rules of Attorneyship of the Union of Turkish Bar Associations. These publications are not intended for advertising or commercial purposes. The information and documents provided are of a general nature and under no circumstances do they guarantee or warrant that the content is complete, accurate, up-to-date, or reliable. You should not rely on the information and documents on this website without first consulting a lawyer or expert. The links included in our website's publications are sourced from publicly available materials and are provided solely for the convenience of visitors in accessing additional information. These links do not constitute any form of recommendation or endorsement of the linked persons, institutions or organizations. The information on this website does not in any way constitute legal advice or establish an attorney-client relationship with visitors to the site. All content on this website is the property of Zumbul Attorneys at Law, and no content may be copied, reproduced, or used without prior written permission.