April 2025 was once again dominated by Spanish fines: no other supervisory authority in the EU imposed as many or as high fines as the Agencia Española de Protección de Datos (AEPD). The five highest fines in April were all issued in Spain. The violations at a glance:
Marina Salud, 500,000 euros (Spain)
The Spanish data protection authority Agencia Española de Protección de Datos (AEPD) has imposed a fine of 500,000 euros on the company Marina Salud, S.A. The reason for this was a complaint by the Conselleria de Sanidad of the Generalitat Valenciana, which had commissioned Marina Salud to process particularly sensitive health data in the area of the Departamento de Salud de Denia under a concession contract that had been in place since 2009. The Conselleria was the data controller under data protection law, while Marina Salud acted as the processor.
The investigation focused on the allegation that Marina Salud had entrusted subcontractors with the processing of personal data without the required prior notification. This constitutes a breach of Article 28(2) GDPR, which requires a processor to obtain the consent of the controller before engaging other processors. Despite repeated requests by the Conselleria and during an official inspection, Marina Salud refused to disclose the relevant contracts with third-party providers of IT systems used for medical care. This was seen by the AEPD as a sign of a lack of transparency and non-compliance with legal requirements.
The investigation revealed that the categories of data concerned included health data, genetic data and other particularly sensitive information. As Marina Salud regularly handles sensitive data as a provider of public health services, the data protection authority considered this particularly relevant and therefore classified it as a serious breach of duty. In addition, the data protection authority clarified that this was a continuing breach, as the obligation to inform the controller applies throughout an ongoing processing relationship, not only when it is entered into.
After weighing up the circumstances - in particular the severity of the data concerned, the duration of the infringement and the business significance of the data processing - the fine was set at EUR 500,000. This is well below the legally permissible maximum amount of 2 % of annual turnover.
Source: AEPD fine notice against Marina Salud (published on April 7, 2025)
Vodafone España S.A.U., 200,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of 200,000 euros on Vodafone España S.A.U. for violating Article 6(1) GDPR. The background to the proceedings was a case of SIM swapping, in which a third party replaced a customer's SIM card without authorization and thus gained access to the customer's mobile connection and other digital services.
The person concerned was notified of the SIM change by a confirmation text message from Vodafone. Shortly afterwards, it turned out that two unauthorized bank transfers had been made via the account of the person concerned in the course of the SIM change. The analysis revealed that the exchange had been authorized by a Vodafone agent, although the call came from an international number - a clear violation of Vodafone's own security guidelines. According to these guidelines, additional verification by a callback should have been carried out in this case. There was no record of the process and the origin of the SIM card could not be fully traced.
Vodafone acknowledged the error, described it as a "one-off human error" and referred to security measures already in place, such as SMS notifications, internal training and restricting the authorization of sales partners to issue SIM duplicates. Vodafone also argued that misuse by third parties (e.g. through social engineering) was not entirely under its control and therefore did not automatically constitute a breach of data protection obligations.
However, the AEPD took a different view: the authority found that it was not the security systems as such, but their improper use by Vodafone employees that led to the unlawful access to data. The mere existence of security guidelines was not sufficient if they were not adhered to at the crucial moment. The data protection authority emphasized that the processing of personal data is only permissible under clear legal conditions - in particular, the missing identity verification meant that the processing lacked a lawful basis and therefore violated the principle of lawfulness.
The data protection authority rejected both the argument of a lack of "fault" and the application of mitigating circumstances such as cooperation or damage limitation. It classified the incident as a serious and culpable breach of duty within the meaning of Article 83(5)(a) GDPR and imposed a fine of EUR 200,000.
Source: AEPD fine notice against Vodafone España S.A.U. (published on April 21, 2025)
Orange Bank S.A., 200,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of EUR 200,000 on Orange Bank, S.A. for violating Article 5(1)(f) GDPR (principle of integrity and confidentiality).
The background to the proceedings was a security breach at a processor (Marktel), which was triggered by a ransomware attack. This resulted in unauthorized access to personal data, including IBANs, some of which were not sufficiently encrypted. The affected data originated from the processing of bad debts for mobile devices for which Orange Espagne acted as processor for Orange Bank.
The AEPD found that although Marktel was acting as a processor under a contract with Orange Espagne, Orange Bank should be considered the controller of the personal data affected by the security breach. Third-party access to data that was neither pseudonymized nor encrypted was considered a loss of control over the personal data and therefore a breach of the principle of confidentiality.
In addition to the fine, Orange Bank was ordered to provide evidence within six months of the decision becoming final that all necessary measures have been taken to ensure the confidentiality of the data.
Source: AEPD fine notice against Orange Bank S.A. (published on April 11, 2025)
Vodafone España, S.A.U., 200,000 euros (Spain)
The Spanish data protection authority AEPD has imposed a fine of 200,000 euros on Vodafone España, S.A.U. for violating Article 6(1) GDPR. The reason for this was a case of SIM swapping, in which a third party fraudulently obtained a copy of a customer's SIM card and thus gained access to her bank account.
The victim had reported the incident and documented that she had received a text message from Vodafone on July 25, 2022 about a SIM card change, which she had not initiated herself. Shortly afterwards, the cell phone was deactivated and an unauthorized money transfer of 600 euros was made via the Bizum payment service. The customer immediately contacted Vodafone and filed a complaint with the police.
The AEPD's investigation revealed that the SIM card change was first initiated via the online channel and then completed in a Vodafone branch. Vodafone was unable to prove that its own security protocols were properly followed during this action - in particular, there was no verifiable identity check of the applicant. In addition, the relevant telephone request was not recorded, in breach of the duty of care.
Vodafone defended itself by arguing that this was a complex, organized fraud that could not be attributed to an inadequate security strategy. The company referred to its constantly updated security guidelines and argued that it could not be held responsible for the criminal activities of third parties. Furthermore, Vodafone argued, the SIM exchange alone did not make direct access to bank data possible.
The AEPD rejected this argument and emphasized that the SIM card exchange was a data protection-relevant process that required a particularly careful identity check. The authority found that Vodafone had carried out the processing of personal data without a valid legal basis, in particular because the customer concerned had not consented to the process. Non-compliance with internal security protocols and similar incidents in the past were considered aggravating circumstances.
Source: AEPD fine notice against Vodafone España, S.A.U. (published on April 5, 2025)
Banco Bilbao Vizcaya Argentaria S.A., 120,000 euros (Spain)
The Spanish Data Protection Authority (AEPD) has imposed a fine of 200,000 euros on Banco Bilbao Vizcaya Argentaria, S.A. (BBVA), which was reduced to 120,000 euros following admission of liability and voluntary payment.
The proceedings were prompted by a complaint from a customer who claimed that documents in which he purportedly consented to the processing of his personal data, including for advertising purposes and profiling, had been signed at BBVA without his or his spouse's consent. The persons concerned denied having signed these documents.
The AEPD found that the bank had processed these documents, which contained personal data such as name, date of birth, address and income data, without a valid legal basis. As part of its internal investigation, BBVA admitted that an employee of the bank had not followed the established signature procedures. Although BBVA has internal rules, video training and control mechanisms in place for the proper signing of documents, the bank conceded that in this case an individual employee had failed to comply with them.
As the data concerned was processed without valid consent, the AEPD found a breach of Article 6(1) GDPR. This was aggravated by the fact that BBVA had already been sanctioned several times for data protection violations. The large volume of personal data processed as part of the banking business was also taken into account as an aggravating factor.
BBVA took advantage of the opportunity to obtain a total reduction of 40 % by acknowledging its responsibility and paying the fine early, thus formally concluding the proceedings.
Source: AEPD fine notice against Banco Bilbao Vizcaya Argentaria, S.A. (published on April 8, 2025)
At 2B Advice, we support you in identifying and eliminating such risks at an early stage:
✔ Data protection advice in accordance with the GDPR
✔ Secure processing on behalf of a controller and third-country transfers
✔ Review of technical and organizational measures (TOMs)
✔ Design of legally compliant consent and information processes
✔ Awareness training and employee training courses
👉 Arrange a free initial consultation now - before the supervisory authority does.