Anyone introducing biometric access systems should be careful: in Spain, the data protection authority AEPD imposed a hefty fine on the Spanish football league LALIGA because no data protection impact assessment had been carried out before fingerprint scanners were put into use. In Poland, of all people, the Minister of Digitization took the cake: he violated basic principles of the GDPR with conditional intent, and around 80 percent of the Polish population is affected. The minister himself got off lightly, unlike the Polish Post. For the first time, a fine from South Korea made it into the highest fines of the month. In a hacker attack on a tour operator, the data of over 3 million customers was stolen; on top of that, during its inspection the data protection authority discovered that data on around three million non-customers was still being stored even though the retention period had long since expired. The fine was correspondingly high.
Poczta Polska S.A.: 6.44 million euros (Poland)
In a decision dated 18 March 2025, the Polish data protection authority Urząd Ochrony Danych Osobowych (UODO) imposed fines of PLN 27,124,816 (approx. EUR 6.44 million) on Poczta Polska S.A. (Polish Post) and PLN 100,000 on the Minister of Digitization. The background to this is the unlawful transfer and processing of personal data from the PESEL register as part of the preparations for the presidential elections in May 2020.
At the request of Poczta Polska S.A., the Minister for Digitization had transferred data from the PESEL register on around 30 million adult citizens. This data was then processed by the post office. This was done without a sufficient legal basis and violated the basic principles of the GDPR, in particular Art. 5 para. 1 lit. a (lawfulness) and Art. 6 para. 1 (legal basis for processing).
The data processing affected almost 80 percent of the Polish population. It was classified as particularly serious as it violated the fundamental rights of those affected and was committed by two central public bodies - a ministry and a state-owned company.
According to the authority, both the ministry and Poczta Polska acted not only unlawfully, but also with conditional intent. The parties involved were aware of the legal uncertainty, but acted anyway. There were already court rulings questioning the legality of the measures.
The UODO based its assessment of the fine on the EDPB (EDSA) Guidelines 04/2022. A "dynamic maximum" fine amount was determined for Poczta Polska. The actual penalty corresponds to only around 2.8 % of the state compensation payments the company received in 2025, i.e. not an excessively onerous amount in relation to its financial strength.
The amount of the fine against the minister was set at the maximum amount permitted by law for public bodies (PLN 100,000). This is intended to have a deterrent effect despite the limited scope of the sanction.
Source: Notice of fine issued by the Urząd Ochrony Danych Osobowych
CaixaBank: 3.5 million euros (Spain)
The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has taken action against CaixaBank S.A. and imposed a fine totalling 3.5 million euros. This was prompted by a complaint from two customers who held a joint account with the bank. They had repeatedly and explicitly stated to the bank that the complainant's mother should not be allowed to view or access any information about this account. Access was nevertheless granted because the complainant's mother had previously acted as an authorized representative for one of her daughter's accounts. Although this power of attorney was later revoked and access was expressly prohibited, access remained possible due to inadequately implemented internal control mechanisms.
The bank failed to take appropriate technical or organizational measures to prevent access - even after repeated complaints from the data subjects. According to the AEPD, this constitutes a breach of the principles of data processing in accordance with Article 5(1)(f) GDPR. According to this, personal data must be processed in a manner that ensures appropriate security, in particular protection against unauthorized access. In addition, the authority found a violation of Article 25 GDPR, which obliges companies to ensure data protection through technology design ("privacy by design") and data protection-friendly default settings ("privacy by default").
The AEPD imposed a fine of EUR 500,000 for the breach of Article 5(1)(f) GDPR. The infringement was classified as particularly serious. A further fine of EUR 3,000,000 was imposed for the infringement of Article 25 GDPR, with this infringement being assessed as serious.
CaixaBank must also take appropriate measures to ensure the confidentiality of the data concerned within three months. Within nine months, the bank must also introduce technical and organizational measures that meet the requirements for data protection through technology design and data protection-friendly default settings.
Source: Notice of fine AEPD
Liga Nacional de Fútbol Profesional: 1 million euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of 1,000,000 euros on the Liga Nacional de Fútbol Profesional (LALIGA). The reason for this was the use of a biometric access system (fingerprint recognition) for access to certain areas of the stadium, the so-called "Gradas de animación" (fan zones).
The AEPD objected to the fact that fingerprints are biometric data with particularly high protection requirements in accordance with Article 9 GDPR. Strict requirements apply to the processing of such data, in particular a data protection impact assessment (DPIA), which LALIGA had not carried out correctly in accordance with Article 35 GDPR.
In addition, the authority criticized the fact that LALIGA, as a central player within the league system, takes on a coordinating role and therefore bears responsibility for the introduction and use of the system - even if the technical implementation is carried out by the clubs. The AEPD also ordered LALIGA to suspend the use of the biometric system until a correct and complete data protection impact assessment has been submitted.
Finally, the authority found that there were less intrusive alternatives to access control, e.g. with personalized ID cards or codes. The principle of data minimization pursuant to Art. 5 GDPR was therefore not complied with.
The amount of the fine was determined on the basis of various factors, including the economic importance of LALIGA and the potential number of data subjects affected. The measure must be dissuasive, proportionate and effective in accordance with Article 83 GDPR.
Source: Notice of fine from the AEPD
Ibermutua: 600,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of 1,000,000 euros on Ibermutua, a mutual insurance company collaborating with the social security system, for a serious data protection breach. On July 15, 2024, an incident came to light in which a programming error in the email notification of employees' health status resulted in the personal data of 3,395 affected persons being inadvertently transmitted to 354 incorrect recipients (companies and consulting firms). The information transmitted included names, NIF/NIE, social security numbers, health data, data on accidents at work, employer information and information on the duration and nature of absences from work, in some cases sensitive data within the meaning of Art. 9 GDPR.
The error was caused by a faulty change in the source code of the sending platform, which resulted in email attachments accumulating and being sent repeatedly to different recipients. Ibermutua took immediate technical and organizational measures after the incident, including correcting the error, introducing additional control mechanisms and informing the affected persons and recipients. However, the AEPD found that the security measures prior to the incident were inadequate, especially given the high sensitivity and volume of data regularly sent (250,000 emails per month on average).
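The attachment-accumulation bug described above, reconstructed as an added illustration (not Ibermutua's code; all names and records are constructed): a sending loop that reuses one attachment list across recipients, beside a corrected loop and a pre-send gate that blocks any batch containing an attachment addressed to the wrong employer.

```python
# Added example, not the platform's own code. Models the failure mode where a
# mutable attachment list is shared across recipients, so every later message
# carries earlier recipients' files, and shows a per-recipient build plus a
# cross-recipient check that a mailer should run before dispatch.
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Attachment:
    employer: str      # employer the absence notice is meant for
    filename: str


@dataclass
class Message:
    recipient: str
    attachments: list = field(default_factory=list)


# Constructed sample input: absence notices keyed by their intended employer.
SAMPLE = [
    Attachment("acme", "absence_e1.pdf"),
    Attachment("acme", "absence_e2.pdf"),
    Attachment("globex", "absence_e3.pdf"),
    Attachment("initech", "absence_e4.pdf"),
]


def build_buggy(atts):
    """One list object reused for every recipient: each message ends up with all files."""
    shared, out = [], []
    for employer in sorted({a.employer for a in atts}):
        shared += [a for a in atts if a.employer == employer]   # grows in place
        out.append(Message(employer, shared))                   # same list every time
    return out


def build_fixed(atts):
    """A fresh list per recipient, filtered to that employer's files only."""
    return [Message(e, [a for a in atts if a.employer == e])
            for e in sorted({a.employer for a in atts})]


def leaked(messages):
    """(recipient, filename) pairs where an attachment belongs to a different employer."""
    return [(m.recipient, a.filename) for m in messages
            for a in m.attachments if a.employer != m.recipient]


def batch_is_safe(messages):
    """Pre-send gate: refuse the whole batch if any attachment crosses recipients."""
    return not leaked(messages)
```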
In the course of the proceedings, Ibermutua acknowledged its responsibility, paid the fine voluntarily and waived its right to appeal. This reduced the fine to 600,000 euros. In addition, Ibermutua was obliged to take specific measures to improve the protection of personal data in email communication within three months of the decision becoming final and to provide evidence of their implementation to the data protection authority.
Source: Notice of fine from the AEPD
Modetour Network: Around 479,000 euros (752.2 million won, Korea)
The South Korean data protection authority Personal Information Protection Commission (PIPC) has imposed a fine totaling 757.2 million won (equivalent to around 479,000 euros) on the tour operator Modetour Network Co., Ltd.
In July 2024, Modetour Network reported a data breach and the PIPC launched an investigation. It was discovered that in June 2024, an unknown hacker had exploited vulnerabilities in the file upload function on the company's website to upload multiple webshell files. By executing malicious code, the attacker was able to access the customer database and steal personal data from around 3.06 million customers, including names, dates of birth, gender and cell phone numbers.
The investigation found that Modetour Network had not taken adequate security measures to prevent such attacks. In addition, the company did not inform the persons concerned about the incident until September 2024, although the law requires notification within 72 hours of becoming aware of the incident.
The investigation also revealed that personal data of around 3.16 million non-members collected since March 2013 had not been properly deleted, even though the retention period had expired.
In addition to the fine, the company was ordered to publicly disclose the penalty and improve its internal data protection management systems to prevent future breaches.
Source: PIPC fine notice
Avoid fines and make your company GDPR-compliant. We offer tailor-made solutions for your organization - get in touch with us.