
These are the highest GDPR fines in February 2025

The five highest GDPR fines issued in February 2025 were all imposed in Spain
In February 2025, the Spanish data protection authority, the Agencia Española de Protección de Datos (AEPD), again issued numerous fines for violations of the GDPR. The five highest GDPR fines of the month were all imposed in Spain, and February was dominated by fines for missing or inadequate security measures.

Reading tip: The five highest GDPR fines in January 2025

Orange España, 1,200,000 euros (Spain)

The AEPD has imposed a fine totaling 1.2 million euros on the mobile communications company Orange España, S.A.U. The reason was unlawful data processing in connection with the issuing of SIM card duplicates. A fraudulent employee of a franchise partner had created a duplicate SIM card without the customer's permission. This made it possible to commit financial fraud through a so-called SIM swapping attack, in which the attacker takes over the customer's phone number and with it the SMS codes used for banking authentication. A total of 9,000 euros was stolen from the customer's accounts as a result. The authority found violations of Art. 6 and Art. 25 GDPR.

Orange argued that this was a case of individual misconduct. The authority rejected this, as the company had not taken sufficient protective measures: in particular, a duplicate SIM card had been issued to a fraudulent third party without any verification of identity. Orange was ordered to implement identity verification for the issuing of SIM card duplicates within six months. Orange appealed on the grounds that the sanction was disproportionate. The authority rejected the appeal and confirmed the original decision.

Source: Fine imposed by the AEPD on Orange España, S.A.U. 

Caja Rural de Jaén, 400,000 euros (Spain)

The AEPD has imposed a fine on the cooperative bank Caja Rural de Jaén, Barcelona y Madrid S.C.C. for a large-scale personal data breach caused by a cyberattack on its online banking system. Inadequate security measures led to the unauthorized disclosure of sensitive customer data and thus to violations of Art. 5 para. 1 lit. f, Art. 32 para. 1 and Art. 33 GDPR.

The bank argued that its IT service provider Rural Servicios Informáticos S.L. was responsible. The authority rejected this claim, as the bank, as the data controller, remains responsible for the security of the processing regardless of which processor operates the system. The fine was set at 500,000 euros and is intended to prevent future infringements. The bank appealed and requested a reduction or annulment of the fine. The AEPD rejected the appeal and emphasized the obligation to ensure data security.

After the bank paid without admitting guilt, the original fine of 500,000 euros was reduced to 400,000 euros.

Source: Fine imposed by the AEPD on Caja Rural de Jaén, Barcelona y Madrid S.C.C. 

Línea Directa Aseguradora, 300,000 euros (Spain)

The AEPD has imposed a fine on the insurance company Línea Directa Aseguradora S.A. The company had unlawfully processed customer data via its insurance intermediary Majorel SP Solutions S.A. A Majorel employee retrieved the customer's driving licence points balance from the traffic authority DGT (Dirección General de Tráfico) without the customer's express consent. To do so, he used personal data such as the identity card number and the date of issue of the driving licence. He also entered a third-party e-mail address in order to receive the access credentials for the query.

The company argued that the customer had impliedly consented to the query. The data protection authority rejected this and found violations of Art. 6 and Art. 28 GDPR. As a result, it imposed a fine of 300,000 euros. In addition, Línea Directa was obliged to take measures to bring its processing into line with data protection regulations.

Source: Fine imposed by the AEPD on Línea Directa Aseguradora S.A. 

Atrium Lex SFC S.L., 100,000 euros (Spain)

The AEPD has imposed a fine on the IT service provider Atrium Lex SFC S.L. for violating the duty to provide information pursuant to Art. 13 GDPR and for failing to take security measures pursuant to Art. 32 para. 1 GDPR. An investor had complained that the company had requested a copy of his identity card without providing any information about the data processing. Atrium Lex claimed that the copy was necessary for identity verification.

The AEPD found that insufficient data protection measures had been taken. In particular, the transmission of the copy of the ID card by unencrypted email was considered insecure. The authority imposed two fines of 50,000 euros each on the company, one for the inadequate information provided to data subjects and one for the inadequate security measures. Atrium Lex was also obliged to implement data protection measures within six months.

Source: AEPD fine notice against Atrium Lex

Caja Rural de Extremadura, 88,000 euros (Spain)

The AEPD has imposed a fine on the cooperative bank Caja Rural de Extremadura S.C.C. for a data breach resulting from a cyberattack on its online banking system. The security vulnerability allowed unauthorized access to customers' personal and financial data. The AEPD found violations of Art. 5 para. 1 lit. f and Art. 32 GDPR.

Caja Rural de Extremadura argued that its IT service provider Rural Servicios Informáticos S.L. was responsible for the security measures. The authority rejected this, as the bank is the data controller and remains accountable for the security of the processing. A fine of 110,000 euros was imposed to prevent future breaches. The bank then lodged an appeal and applied for the sanction to be reduced or lifted. The data protection authority rejected the appeal and emphasized the obligation to ensure data security.

After the bank paid without admitting guilt, the original fine of 110,000 euros was reduced to 88,000 euros.

Source: Fine imposed by the AEPD on Caja Rural de Extremadura S.C.C.
