In April 2025 it was Spanish fine season again: no other supervisory authority in the EU has imposed as many or as high fines as the Agencia Española de Protección de Datos (AEPD). All five of the highest fines in April were issued in Spain. The infringements at a glance:
Marina Salud, 500,000 euros (Spain)
The Spanish data protection authority, Agencia Española de Protección de Datos (AEPD), has imposed a fine of 500,000 euros on the company Marina Salud, S.A. The proceedings were triggered by a complaint from the Conselleria de Sanidad of the Generalitat Valenciana, for which Marina Salud has, under a concession agreement in place since 2009, processed particularly sensitive health data in the Departamento de Salud de Denia. The Conselleria was the controller, while Marina Salud acted as processor.
The investigation focused on the allegation that Marina Salud commissioned subcontractors to process personal data without the required prior notification. This constitutes an infringement of Article 28(2) GDPR, under which a processor needs the controller's authorization before engaging other processors. Despite repeated requests from the Conselleria and during an official inspection, Marina Salud refused to disclose the relevant contracts with the third-party providers of the IT systems used for medical care. The AEPD saw this as a sign of a lack of transparency and of non-compliance with legal requirements.
The investigation revealed that the categories of data concerned include, among others, health data, genetic data and other particularly sensitive information. Since Marina Salud, as a provider of public health services, regularly handles sensitive data, the data protection authority considered this particularly relevant and therefore a serious breach of duty. The authority further clarified that this was a continuing breach, as the obligation to inform the controller applies throughout an ongoing processing relationship, not only at its start.
After weighing up the circumstances - in particular the sensitivity of the data concerned, the duration of the breach and the business significance of the data processing - the fine was set at 500,000 euros. This is well below the legally permissible maximum of 2 % of annual turnover.
Source: AEPD fine notice against Marina Salud (published on April 7, 2025)
Vodafone España S.A.U., 200,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of EUR 200,000 on Vodafone España S.A.U. for infringement of Article 6(1) GDPR. The background to the proceedings was a case of SIM swapping, in which a third party had a customer's SIM card replaced without authorization and thus gained access to the customer's mobile connection and other digital services.
The data subject was notified of the SIM change by a confirmation text message from Vodafone. Shortly afterwards it emerged that two unauthorized bank transfers had been made from the data subject's account in the course of the SIM change. The analysis showed that the exchange had been authorized by a Vodafone agent even though the call came from an international number, a clear breach of Vodafone's own security guidelines, which require additional verification by callback in such a case. There was no record of the process, and the origin of the SIM card could not be fully traced.
Vodafone acknowledged the error, describing it as a "one-off human error" and pointing to security measures already in place such as SMS notifications, internal training and restrictions on which sales partners may issue SIM duplicates. Vodafone also argued that abuse by third parties (e.g. through social engineering) is not fully under its control and therefore does not automatically constitute a breach of data protection obligations.
The AEPD took a different view: the authority found that it was not the security systems as such but their improper use by Vodafone staff that led to the unlawful access to data. The mere existence of security guidelines was not sufficient if they were not followed at the crucial moment. The authority emphasized that personal data may only be processed under clear legal conditions; in particular, the absence of an identity check constitutes an infringement of the principle that processing requires a lawful basis.
The data protection authority rejected both the argument of a lack of "culpability" and the application of mitigating circumstances such as cooperation or damage limitation. It classified the incident as a serious and culpable breach of duty within the meaning of Article 83(5)(a) GDPR and imposed a fine of 200,000 euros.
Source: AEPD fine notice against Vodafone España S.A.U. (published on April 21, 2025)
Orange Bank S.A., 200,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of EUR 200,000 on Orange Bank, S.A. for breach of Article 5(1)(f) GDPR (principle of integrity and confidentiality).
The background to the proceedings was a security breach at a processor (Marktel), triggered by a ransomware attack. This resulted in unauthorized access to personal data, including IBANs, some of which were not sufficiently encrypted. The affected data originated from the collection of bad debts for mobile devices, for which Orange Espagne acted as processor for Orange Bank.
The AEPD found that although Marktel was acting as a processor under a contract with Orange Espagne, Orange Bank was to be regarded as the controller of the personal data affected by the security breach. Third-party access to data that was neither pseudonymized nor encrypted was regarded as a loss of control over the personal data and therefore as an infringement of the principle of confidentiality.
In addition to the fine, Orange Bank was ordered to provide evidence, within six months of the decision becoming final, that all measures necessary to ensure the confidentiality of the data have been taken.
Source: AEPD fine notice against Orange Bank S.A. (published on April 11, 2025)
Vodafone España, S.A.U., 200,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of EUR 200,000 on Vodafone España, S.A.U. for infringement of Article 6(1) GDPR. The reason was a case of SIM swapping in which a third party fraudulently obtained a copy of a customer's SIM card and thus gained access to her bank account.
The data subject had reported the incident and documented that on July 25, 2022 she received a text message from Vodafone about a SIM card change she had not initiated herself. Shortly afterwards her phone was deactivated and an unauthorized transfer of 600 euros was made via the Bizum payment service. The customer contacted Vodafone immediately and filed a report with the police.
The AEPD's investigation revealed that the SIM card change was first initiated via the online channel and then completed in a Vodafone branch. Vodafone was unable to prove that its own security protocols had been properly followed; in particular, there was no verifiable identity check of the applicant. In addition, the relevant telephone request had not been recorded, in breach of the duty of care.
Vodafone argued in its defence that this was a complex, organized fraud that could not be attributed to an inadequate security strategy. The company pointed to its continuously updated security guidelines and argued that it could not be held responsible for the criminal acts of third parties. Furthermore, it argued, the SIM exchange did not give direct access to bank data.
The AEPD rejected this argument and emphasized that a SIM card exchange is a data-protection-relevant process that requires a particularly careful identity check. The authority found that Vodafone had processed personal data without a valid legal basis, in particular because the affected customer had not consented to the process. Non-compliance with internal security protocols and similar incidents in the past were treated as aggravating circumstances.
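Both Vodafone decisions above turn on the same three control failures: a swap approved from an international number without the callback the policy required, a swap completed without a verifiable identity check, and no record of the request. The following Python example, added here as an illustration and not Vodafone's or the AEPD's code, shows what it looks like to enforce such a policy in the authorization path rather than leaving it to the agent's discretion. The home market "ES", the field names and the four sample requests are assumptions constructed for the example.

```python
"""SIM-swap authorization with mandatory evidence and an append-only audit trail.

Hypothetical example. Policy encoded here (assumed, modelled on the two
Vodafone cases): every request needs a reference to a stored identity check,
phone requests from outside the home market need a completed callback, and
every request, allowed or not, is written to the audit trail before the
decision is returned.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Optional

HOME_COUNTRY = "ES"  # assumed home market for the example


class Channel(Enum):
    PHONE = "phone"
    ONLINE = "online"
    STORE = "store"


@dataclass(frozen=True)
class SimSwapRequest:
    request_id: str
    customer_id: str
    channel: Channel
    agent_id: str
    # Two-letter country code of the calling number for PHONE requests, else None.
    caller_country: Optional[str] = None
    # Reference to the stored identity-verification record (ID document check,
    # store visit record, ...). None means no verifiable check exists.
    identity_evidence_ref: Optional[str] = None
    # True only when a callback to the number on file was completed and logged.
    callback_verified: bool = False


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


@dataclass
class AuditTrail:
    """Append-only record of every request and the decision taken on it."""
    entries: list = field(default_factory=list)

    def append(self, request: SimSwapRequest, decision: Decision) -> None:
        self.entries.append({
            "request_id": request.request_id,
            "customer_id": request.customer_id,
            "channel": request.channel.value,
            "agent_id": request.agent_id,
            "caller_country": request.caller_country,
            "identity_evidence_ref": request.identity_evidence_ref,
            "callback_verified": request.callback_verified,
            "allowed": decision.allowed,
            "reason": decision.reason,
        })


def evaluate_sim_swap(request: SimSwapRequest, audit: AuditTrail) -> Decision:
    """Apply the policy and record the outcome.

    The audit entry is written for every request, so an agent cannot produce
    an unrecorded swap; the decision is computed from evidence references,
    not from a checkbox the agent can tick without doing the check.
    """
    if request.identity_evidence_ref is None:
        decision = Decision(False, "no verifiable identity check on record")
    elif request.channel is Channel.PHONE and request.caller_country is None:
        decision = Decision(False, "phone request without recorded caller origin")
    elif (request.channel is Channel.PHONE
          and request.caller_country != HOME_COUNTRY
          and not request.callback_verified):
        decision = Decision(False, "international caller: callback verification required")
    else:
        decision = Decision(True, "policy checks passed")
    audit.append(request, decision)
    return decision


def run_constructed_requests():
    """Evaluate four constructed requests; returns (decisions by id, audit trail)."""
    audit = AuditTrail()
    samples = [
        # Case 1 pattern: international caller, agent skipped the callback.
        SimSwapRequest("phone-intl-no-callback", "cust-1", Channel.PHONE, "agent-7",
                       caller_country="GB", identity_evidence_ref="idcheck-001"),
        # Case 2 pattern: completed in store, but no verifiable identity check.
        SimSwapRequest("store-no-id-evidence", "cust-2", Channel.STORE, "agent-3"),
        # Same international caller, callback actually completed.
        SimSwapRequest("phone-intl-with-callback", "cust-3", Channel.PHONE, "agent-7",
                       caller_country="GB", identity_evidence_ref="idcheck-003",
                       callback_verified=True),
        # Online request backed by a stored identity check.
        SimSwapRequest("online-with-id-evidence", "cust-4", Channel.ONLINE, "web",
                       identity_evidence_ref="idcheck-004"),
    ]
    decisions = {r.request_id: evaluate_sim_swap(r, audit) for r in samples}
    return decisions, audit


if __name__ == "__main__":
    decisions, audit = run_constructed_requests()
    for rid, d in decisions.items():
        print(f"{rid}: {'ALLOW' if d.allowed else 'DENY'} ({d.reason})")
    print(f"{len(audit.entries)} audit entries written")
```

The point of the structure is that the two facts the AEPD could not find in either case, a verified identity check and a record of the request, are inputs the code refuses to proceed without, rather than steps a guideline asks the agent to remember.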
Source: AEPD fine notice against Vodafone España, S.A.U. (published on April 5, 2025)
Banco Bilbao Vizcaya Argentaria S.A., 120,000 euros (Spain)
The Spanish data protection authority AEPD imposed a fine of EUR 200,000 on Banco Bilbao Vizcaya Argentaria, S.A. (BBVA), which was reduced to 120,000 euros after BBVA acknowledged liability and paid voluntarily.
The proceedings were triggered by a complaint from a customer who claimed that, without his consent or that of his spouse, BBVA held signed documents in which they purportedly consented to the processing of their personal data, including for advertising purposes and profiling. The data subjects denied having signed these documents.
The AEPD found that the bank had processed the personal data in these documents, such as name, date of birth, address and income data, without a valid legal basis. In its internal investigation, BBVA admitted that a bank employee had not followed the established signature procedures. Although BBVA has internal rules, video training and control mechanisms for the proper signing of documents, the bank acknowledged that this was individual misconduct.
Because the data concerned had been processed without valid consent, the AEPD found an infringement of Article 6(1) GDPR. This was aggravated by the fact that BBVA had already been sanctioned several times for data protection violations. The large volume of personal data processed as part of the banking business was also taken into account as an aggravating factor.
BBVA took advantage of the opportunity to obtain a total reduction of 40 % by acknowledging its responsibility and paying the fine early, thereby formally concluding the proceedings.
Source: AEPD fine notice against Banco Bilbao Vizcaya Argentaria, S.A. (published on April 8, 2025)
At 2B Advice, we support you in identifying and eliminating such risks at an early stage:
✔ Data protection advice according to GDPR
✔ Processor arrangements and third-country transfers
✔ Check technical and organizational measures (TOMs)
✔ Design legally compliant consent and information processes
✔ Awareness training and employee training courses
👉 Arrange a free initial consultation now - before the supervisory authority does.