
These are the highest GDPR fines in January 2025

The highest fines in January 2025 were imposed in Spain.
The year 2025 starts with Spanish weeks: no data protection authority in the EU issued as many or as high fines in January 2025 as the Agencia Española de Protección de Datos (AEPD). Two large fines were levied for the use of biometric facial recognition systems. A new trend? The mobile communications giant Vodafone is at it again: the company does not seem able to get a grip on the misconduct of individual employees.

Generali España: 4 million euros (Spain)

The Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), opened fine proceedings against Generali España, Sociedad Anónima de Seguros y Reaseguros on October 5, 2022, after a security incident was detected. The incident involved a brute force attack on Generali's customer data management system. By misusing the access credentials of an insurance broker, unauthorized persons gained access to the personal data of customers and former customers. It was not until November 11, 2022 that it became known that a database with ex-customer data was being offered for sale in a Telegram forum. In total, the data of over 1.6 million people was affected. The data in question comprised names, addresses, telephone numbers, dates of birth, identity card numbers (DNI) and IBAN account numbers.

Generali informed those affected about the incident between November 15 and 28, 2022 by e-mail or post. For those affected whose contact details were not available, a public announcement was published on the website. During the investigation, it emerged that Generali had not taken sufficient technical and organizational measures to protect the data. In particular, there was neither a risk assessment nor a data protection impact assessment for the applications concerned. In addition, insurance brokers continued to have access to the data of former customers, which violates the data protection principle of data minimization. Likewise, logs that would have made accesses to the data concerned traceable were lacking.

According to the AEPD, Generali violated several articles of the GDPR:

  • Article 5 para. 1 lit. f GDPR: Violation of the principle of confidentiality through unauthorized access to personal data.
  • Article 25 GDPR: Missing data protection measures from the outset (privacy by design).
  • Article 32 GDPR: Inadequate security measures for the prevention of data breaches.
  • Article 35 GDPR: Lack of a data protection impact assessment for particularly risky data processing.


Due to the seriousness of the infringements, a total fine of 4 million euros was imposed.

Source: Fine notice of the Agencia Española de Protección de Datos against Generali España, Sociedad Anónima de Seguros y Reaseguros

Sambla Group Oy: 950,000 euros (Finland)

The Finnish data protection authority, the Tietosuojavaltuutetun toimisto, initiated fine proceedings against Sambla Group Oy after a complaint was received on December 23, 2022. The complaint concerned inadequate data security on the online credit brokerage platforms lainaparkki.fi and rahoitu.fi.

It was determined that the personal data of prospective borrowers was accessible via individual but insecure URL links. These links were easy to guess, so that third parties who knew their structure could access sensitive personal data.

On March 25, 2024 the data protection authority issued a provisional order prohibiting Sambla Group Oy from making personal data of credit applicants accessible via insecure URL links. The authority found that these credit forms contained sensitive information such as full name, date of birth, personal identity number, e-mail address, telephone number, address, income, employment and credit information. It was documented that tens of thousands of unauthorized accesses to this data had taken place, partly through automated brute force attacks and partly through indexing by search engines such as Google.

The data protection authority assessed the conduct of Sambla Group Oy as a violation of several articles of the GDPR, in particular:

  • Article 5.1(f) GDPR: Violation of the principle of confidentiality and integrity.
  • Article 25 GDPR: Missing data protection measures from the outset (privacy by design).
  • Article 32 GDPR: Inadequate security measures for the prevention of data breaches.


Although the company subsequently took measures such as deactivating the insecure links, introducing two-factor authentication and shortening the validity period of URL links, the authority assessed these measures as too late and insufficient. The data breach concerned a large number of people, and Sambla Group Oy should have reacted earlier.
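The Sambla case turns on links that looked individual but were in fact enumerable, and on the countermeasures the authority considered late: deactivating the links, adding a second authentication factor and shortening link validity. The following Python is an added example, not code from Sambla Group Oy or from the Finnish authority; the host name lender.example, the applicant identifiers and the function names are assumptions. It puts the weak pattern beside a hardened one: an unguessable random nonce, an expiry, binding of the link to the authenticated applicant, and an HMAC so that none of the fields can be altered, plus the response headers that keep such pages out of caches and search indexes.

```python
import base64
import hashlib
import hmac
import secrets
import time
from typing import Optional

# Hypothetical server-side key. In a real deployment it would be loaded from a
# secret store and rotated; generating it at import time is only for the demo.
SERVER_KEY = secrets.token_bytes(32)


def weak_link(application_id: int) -> str:
    """The pattern the authority objected to: the link is derived from a small,
    sequential identifier and nothing else, so knowing the URL structure is
    enough to walk through every applicant's form."""
    return f"https://lender.example/application/{application_id}"


def weak_link_search_space(id_width: int) -> int:
    """How many URLs cover every id of id_width digits: a space this small is
    exhausted by an automated scan in hours, and a few hits is all a crawler
    needs to start indexing the pages."""
    return 10 ** id_width


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_link(applicant_id: str, ttl_seconds: int = 900, now: Optional[int] = None) -> str:
    """Hardened form: a 256-bit random nonce (not enumerable), an expiry, the
    applicant the link belongs to, and an HMAC over all three so the link
    cannot be forged or re-pointed without the server key."""
    now = int(time.time()) if now is None else now
    nonce = secrets.token_urlsafe(32)
    payload = f"{applicant_id}|{nonce}|{now + ttl_seconds}".encode()
    tag = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    return f"https://lender.example/application/{_b64(payload)}.{_b64(tag)}"


def verify_link(url: str, session_applicant_id: Optional[str], now: Optional[int] = None) -> str:
    """Returns 'ok' or a rejection reason. The caller must already have
    authenticated the user (session_applicant_id); possession of the link alone
    is never sufficient, which is what 'two-factor' buys in this setting."""
    now = int(time.time()) if now is None else now
    token = url.rsplit("/", 1)[-1]
    try:
        payload_b64, tag_b64 = token.split(".")
        payload = _unb64(payload_b64)
        tag = _unb64(tag_b64)
        applicant_id, _nonce, expires_text = payload.decode().split("|")
        expires = int(expires_text)
    except (ValueError, UnicodeDecodeError):
        return "malformed"
    expected = hmac.new(SERVER_KEY, payload, hashlib.sha256).digest()
    # Constant-time comparison so the tag cannot be guessed byte by byte.
    if not hmac.compare_digest(tag, expected):
        return "bad_signature"
    if now > expires:
        return "expired"
    if session_applicant_id is None:
        return "not_authenticated"
    if applicant_id != session_applicant_id:
        return "wrong_user"
    return "ok"


def response_headers() -> dict:
    """Headers for the page that serves the form, so a leaked or bookmarked
    link is neither cached nor picked up by a search engine."""
    return {"Cache-Control": "no-store", "X-Robots-Tag": "noindex, nofollow"}


if __name__ == "__main__":
    # Constructed walk-through: the same link accepted for its owner, rejected
    # for anyone else, and rejected once its validity period has passed.
    link = make_link("applicant-42", ttl_seconds=600, now=1_700_000_000)
    print(verify_link(link, "applicant-42", now=1_700_000_100))
    print(verify_link(link, "applicant-43", now=1_700_000_100))
    print(verify_link(link, "applicant-42", now=1_700_000_601))
```

The order of checks matters: the signature is verified before anything in the payload is trusted, and the session binding comes last so that an attacker who obtains a link still has to present the victim's authenticated session. Shortening the validity period, the third measure the authority mentions, is the ttl_seconds parameter.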

The data protection authority set the fine at 950,000 euros. The penalty was justified by the seriousness of the infringement, the duration of the problem (over several years) and the company's lack of initiative in remedying the data protection problems.

Source: Fine notice of the Tietosuojavaltuutetun toimisto against Sambla Group Oy

Cartonajes Bañeres, S.A.: 220,000 euros (Spain)

The Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), initiated fine proceedings against Cartonajes Bañeres, S.A. after a former employee filed a complaint on October 11, 2022. The complaint related to the use of a biometric recognition system for recording working time, in which employees' faces were scanned. The employee had expressed concerns regarding the storage of biometric data. He had also requested access to his personal data on August 29, 2022, but received no appropriate response from the company.

During the investigation, it emerged that Cartonajes Bañeres used a facial recognition system for time recording. The company denied that facial images were stored. It stated instead that an algorithm captures certain features of the face and stores them as a biometric hash. These hash values were then compared with a database to identify the employee. According to the AEPD, this technology constitutes highly sensitive processing of biometric data.

It was also determined that the former employee's access request was not processed properly. The company claimed that a response had been sent by fax, but the address was not correct, and the applicant did not receive complete information about the stored biometric data.

The AEPD found that Cartonajes Bañeres had violated several articles of the GDPR:

  • Article 35 GDPR: The required data protection impact assessment for the use of biometric data was not carried out.
  • Article 12 GDPR: The employee's access request was not processed properly, which constitutes a violation of the rights of data subjects.

The AEPD therefore imposed a fine of 220,000 euros on Cartonajes Bañeres, divided into:

  • 200,000 euros for the violation of Article 35 GDPR (no data protection impact assessment).
  • 20,000 euros for the violation of Article 12 GDPR (inadequate response to the data access request).

Source: Fine notice of the Agencia Española de Protección de Datos against Cartonajes Bañeres, S.A.

Club Atlético Osasuna: 200,000 euros (Spain)

The Agencia Española de Protección de Datos (AEPD) initiated fine proceedings against Club Atlético Osasuna after a complaint was received on November 22, 2022. The complaint was directed against the introduction of a biometric facial recognition system (SBRF) for access control in the El Sadar stadium, which had been introduced in April 2022. According to the complaint, the system restricted the fundamental rights and freedoms of stadium visitors in a disproportionate manner, even where consent for its use had been given.

The AEPD's investigation revealed that the system had been developed in cooperation with La Liga and the technology companies DAS-GATE and VERIDAS. It was intended to facilitate access to the stadium for season ticket holders through facial recognition, but remained a voluntary option that could be used alongside the physical membership card or digital access via smartphone.

It was also noted that Osasuna had carried out a data protection impact assessment in order to establish a legal basis for the processing of biometric data and thereby legitimize the system. The club argued that the system was used on a voluntary basis and that the persons concerned had given explicit consent to the processing of their biometric data. The system was also said to be secure, as no images are used and only mathematical data (biometric vectors) would be stored.

The AEPD found that the necessity and proportionality of the measure were questionable. Even though the system was declared voluntary, the authority noted that there could be some social or psychological pressure, especially since the club advertised the system as a "faster and more convenient" alternative. The AEPD also pointed to a lack of transparency in informing the persons concerned and to the lack of a clear legal basis for the use of such technologies in soccer stadiums.

Osasuna was ultimately sanctioned with a fine of 200,000 euros for the unlawful use of biometric facial recognition in access control. In the opinion of the AEPD, the legal basis was questionable and the measure violated the principles of data minimization and necessity. In its decision, the AEPD emphasizes that the use of facial recognition systems must meet particularly strict requirements in order to guarantee the rights of the persons concerned.

Source: Fine notice of the Agencia Española de Protección de Datos (AEPD) against Club Atlético Osasuna

Vodafone España: 200,000 euros (Spain)

The Agencia Española de Protección de Datos (AEPD) initiated fine proceedings against Vodafone España, S.A.U. after a customer filed a complaint on March 7, 2023. The complaint concerned an unauthorized SIM card duplicate that was issued on April 8, 2022 without the consent of the person concerned. As a result of this identity fraud, unauthorized bank transactions were made on the customer's account.

According to the AEPD investigation, a first attempt to obtain a new SIM card for the mobile phone number in question was made on April 8, 2022 at 7:47 pm. This attempt initially failed, but just five minutes later a new application was submitted, which was finally approved. The fraudulent SIM card was activated via a Vodafone call center, which gave the perpetrator control over the affected telephone number. Only on April 9, 2022 at 12:26 pm was the fraudulent SIM card blocked, after the victim informed Vodafone that she no longer had access to her mobile connection.

The AEPD found that Vodafone had not consistently enforced its own security guidelines, because call center agents were in fact not authorized to approve SIM duplicates for alleged Vodafone store employees. This indicates negligence in the implementation of internal security measures.

In addition, Vodafone had breached Art. 6 para. 1 GDPR, as the customer's personal data was processed without their lawful consent. The authority therefore decided to impose a fine of 200,000 euros. The AEPD did not consider reducing the penalty because similar infringements had already occurred several times in the past.

Source: Fine notice of the Agencia Española de Protección de Datos against Vodafone España, S.A.U.

Correo Inteligente Postal, S.L.: 200,000 euros (Spain)

The Agencia Española de Protección de Datos (AEPD) initiated fine proceedings against the company Correo Inteligente Postal, S.L. (CI POSTAL) after the Policía Local of Palma de Mallorca submitted a report on September 22, 2022. It stated that a total of 1,404 letters containing personal data had been found at an abandoned site. These letters came from several companies, including La Caixa, BBVA, Endesa and Naturgy, and should have been delivered to their recipients.

A representative of CI POSTAL recognized the company logo on the letters left behind and confirmed that the mailing had been delegated to four employees. However, it was not possible to determine which employees were responsible for the non-delivery.

On November 17, 2022 another incident was reported: the Jefatura Superior de Policía de las Islas Baleares found a further 5,354 undelivered letters that had been deposited in two different areas of Palma de Mallorca. Some of the letters had been opened, while others were completely intact. The letters contained sensitive information from banks, energy suppliers and mobile phone providers.

The AEPD found that CI POSTAL had violated several articles of the General Data Protection Regulation (GDPR):

  • Article 5.1(f) GDPR: The company did not take sufficient measures to ensure the confidentiality and integrity of the personal data.
  • Article 32 GDPR: A lack of security measures led to unauthorized third parties being able to access personal data.

The AEPD imposed a fine totaling 200,000 euros on CI POSTAL. In addition, the company was obligated to implement, within six months, a system for tracking and monitoring mail deliveries to ensure that letters are delivered correctly.

Reaction from CI POSTAL: the company dismissed the employees concerned and carried out training to prevent similar incidents in the future. However, no technological system was implemented to ensure the traceability of shipments.

Source: Fine notice of the Agencia Española de Protección de Datos against Correo Inteligente Postal, S.L. (CI POSTAL)
