Spain - Data Protection Overview
October 2024
1. Governing Texts
The General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) has been implemented with the Organic Law 3/2018 of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (only available in Spanish here) (the LOPDGDD).
1.1. Key acts, regulations, directives, bills
Some of the new developments contained in the LOPDGDD are:
- the LOPDGDD allows data controllers to provide the information required by Article 13 of the GDPR through a layered system. This is not an obligation but a recommendation;
- regarding the processing of personal data of minors, the LOPDGDD sets the minimum age at 14 years old. Consent granted by a minor under 14 will not be valid, and consent from parents or guardians will be required;
- consent of a data subject alone is not enough to legitimize the processing of special categories of data if the main purpose of the processing is to identify an individual's ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin (see section 7.9 below);
- regarding the implementation of systems for the recording of internal complaints (i.e. whistleblowing systems), anonymous reports are now allowed. Furthermore, Article 24 of the LOPDGDD has been modified and developed by Law 2/2023 of February 20, 2023, on the Protection of Persons Who Report Regulatory Infringements and on Anti-corruption Measures (only available in Spanish here) (Law 2/2023) transposing the Directive on the Protection of Persons who Report Breaches of Union Law (Directive (EU) 2019/1937) (the Whistleblowing Directive);
- the LOPDGDD includes a list of cases in which entities must appoint a data protection officer (DPO) (for example, entities that operate networks and provide electronic communications services, education centers, and public or private universities). The appointment of a DPO must be notified to the Spanish data protection authority (AEPD) even in cases where such appointment is not mandatory;
- the LOPDGDD contains a list of new rights that apply in the work environment:
- the right to privacy in the use of digital devices in the work environment;
- the right to digital disconnection;
- the right to privacy in the case of video monitoring and sound recording devices in the workplace; and
- the right to privacy in case of location tracking systems used in the workplace.
1.2. Guidelines
The AEPD has issued guidelines including on the following issues:
- CCTV recording operations (only available in Spanish here);
- Data protection guide for citizens (only available in Spanish here);
- Risk Management and Impact Assessment in the Processing of Personal Data (June 2021);
- Guide for compliance with the duty to inform (only available in Spanish here);
- Guide on Personal Data Breach Management and Notification;
- Guidelines for the drafting of contracts between controllers and processors (only available in Spanish here);
- Guidelines for Data Protection by Default;
- Guide on Use of Cookies (January 2021) and 2023 updated version (only available in Spanish here);
- Guidelines on notifying DPOs to the AEPD (only available in Spanish here);
- Guidelines on the DPO certification scheme (only available in Spanish here) (the Certification Scheme Guidelines);
- Section 5 of GDPR FAQs (only available in Spanish here);
- The DPO Handbook, issued jointly with the Italian data protection authority (Garante), the Croatian Personal Data Protection Agency (AZOP), the Bulgarian Commission for Personal Data Protection (CPDP), and the Polish data protection authority (UODO);
- Practical Guide for Analysis of Risks in the Processing of Personal Data Subject under the GDPR (only available in Spanish here);
- Guide on the GDPR for data controllers (only available in Spanish here);
- Guidelines on the adaptation of processing operations incorporating Artificial Intelligence to the GDPR (only available in Spanish here);
- Requirements for Audits of Treatments that include AI (only available in Spanish here);
- Guidelines on the validation of cryptographic systems in data protection (only available in Spanish here);
- An approach to data spaces from a GDPR perspective (only available in Spanish here); and
- Guide on Attendance Control through biometric systems (only available in Spanish here) (the Biometric Attendance Guide).
Additionally, the AEPD has issued several GDPR facilitation tools (only available in Spanish here).
Furthermore, the AEPD has issued lists of activities which require (Blacklist) or do not require (Whitelist) a Data Protection Impact Assessment (DPIA):
- Spain DPIA Blacklist (Spain Blacklist); and
- Spain DPIA Whitelist (Spain Whitelist).
Notably, the European Data Protection Board (EDPB) has published the following Opinions for Spain:
- Opinion 6/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations subject to the requirement of a data protection impact assessment (Article 35.4 GDPR);
- Opinion 12/2019 on the draft list of the competent supervisory authority of Spain regarding the processing operations exempt from the requirement of a data protection impact assessment (Article 35(5) GDPR); and
- Opinion 1/2020 on the Spanish data protection supervisory authority draft accreditation requirements for a code of conduct monitoring body pursuant to article 41 GDPR.
1.3. Case law
Not applicable.
2. Scope of Application
2.1. Personal scope
There are no national law variations from the GDPR.
2.2. Territorial scope
There are no national law variations from the GDPR.
2.3. Material scope
There are no national law variations from the GDPR.
3. Data Protection Authority | Regulatory Authority
3.1. Main regulator for data protection
The AEPD is the main regulatory authority.
3.2. Main powers, duties and responsibilities
The AEPD supervises the implementation of, and compliance with, the LOPDGDD by all data controllers and processors. Moreover, the AEPD examines the sanction procedure in case of an infringement of the data protection legislation, as well as any claims filed by data subjects. The AEPD is also the authority that imposes fines on data controllers and/or processors when they do not comply with the data protection legislation.
4. Key Definitions
Data controller: No national variations from the GDPR.
Data processor: No national variations from the GDPR.
Personal data: No national variations from the GDPR.
Sensitive data: No national variations from the GDPR.
Health data: No national variations from the GDPR.
In November 2023, the AEPD published the Biometric Attendance Guide. The purpose of the Biometric Attendance Guide is to establish the criteria for the processing of biometric data (e.g. fingerprints) for the purposes of controlling work attendance and access to facilities.
Prior to the publication of the Biometric Attendance Guide, under certain premises and conditions, processing of biometric data for the above-mentioned purposes was permitted and was accepted by the AEPD. However, there has been a change in criteria, and as set out in the aforementioned Biometric Attendance Guide, the processing of biometric data for the purpose of controlling attendance and access to facilities involves the processing of special categories of data, or sensitive data. The AEPD considers that there is no legitimate basis for such processing, and neither the express consent of the data subject nor compliance with a legal obligation can be applied as the legal basis for this processing.
Given this change in criteria, the conclusion would be that such processing is not allowed, and therefore companies, applying the principles of proportionality, necessity, and suitability, would need to seek alternative methods and stop processing biometric data for these purposes. Thus, organizations that decide to continue using fingerprint capture systems are taking a risk. Although this is an AEPD guide and not a binding regulation, the guide reflects the AEPD's current position on this matter.
Notwithstanding the above, the guide has prompted numerous comments and opinions from experts in the field, many of whom disagree with the AEPD's criteria, as many companies use biometric data to record their employees' working hours. Considering this, we believe it would be advisable to wait for a reasonable period of time to observe the AEPD's final position. However, under the current guidelines, the use of such systems is not risk-free.
Pseudonymisation: No national variations from the GDPR.
5. Legal Bases
5.1. Consent
There are no national law variations from the GDPR.
5.2. Contract with the data subject
There are no national law variations from the GDPR.
5.3. Legal obligations
There are no national law variations from the GDPR.
5.4. Interests of the data subject
There are no national law variations from the GDPR.
5.5. Public interest
There are no national law variations from the GDPR.
5.6. Legitimate interests of the data controller
There are no national law variations from the GDPR.
5.7. Legal bases in other instances
In relation to the processing of personal data for statistical purposes:
- according to Law 12/1989, of 9 May, on the Public Statistical Function (only available in Spanish here), the processing of personal data for statistical purposes shall be lawful only if based on the express and voluntary consent of the data subject; and
- the competent bodies for the public statistical function can deny a data subject's request for exercising the rights referred to in Articles 15 to 22 of the GDPR when the data is protected by the statistical secrecy guarantees provided by the Spanish legislation.
Processing of personal data for archiving purposes in the public interest is subject to Law 16/1985, of 25 June, on the Spanish Historical Heritage (only available in Spanish here) and other related regulations.
In relation to the processing of personal data for scientific or historical research purposes:
- data subject requests made in accordance with Articles 15, 16, 18, and 21 of the GDPR may be rejected:
- when they are exercised against researchers who use anonymized personal data;
- when the requests refer to the results of the research; or
- when the research is carried out in the public interest, concerning public safety, defense, or national security; and
- when the processing of personal data is carried out for scientific research purposes in the public interest:
- it is mandatory to carry out a DPIA;
- the scientific research shall be subject to quality standards;
- it is mandatory to implement the measures necessary to guarantee that the researchers do not have access to the identification data of the data subjects; and
- it is mandatory to appoint a legal representative when the clinical trial sponsor is not located in the EU.
6. Principles
There are no national law variations from the GDPR.
7. Controller and Processor Obligations
7.1. Data processing notification
There is no specific requirement in Spain for data processing notifications.
7.2. Data transfers
There are no national law variations from the GDPR.
7.3. Data processing records
There are no national law variations from the GDPR.
7.4. Data protection impact assessment
The Spain Blacklist provides that the following types of processing operations require a DPIA:
- processing that involves profiling or the evaluation of subjects, including the collection of the subject's data in multiple areas of their life (work performance, personality, and behavior), covering various aspects of their personality or habits;
- processing that involves automated decision-making or that makes a significant contribution to such decision-making, including any kind of decision that prevents data subjects from exercising a right or accessing a product or service or forming part of a contract;
- processing that involves the observation, monitoring, supervision, geo-location, or control of the interested party in a systematic and extensive manner, including the collection of data and metadata via networks, applications, or in publicly accessible areas, as well as the processing of unique identifiers that allow the identification of users of services of the information society, such as web services, interactive TV, mobile applications, etc.;
- processing that involves the use of special categories of data as referred to in Article 9(1) of the GDPR;
- data concerning criminal convictions and offenses as referred to in Article 10 of the GDPR, or data that allow the financial situation or solvency to be determined, or that allow personal information in relation to special categories of data to be determined or deduced;
- processing that involves the use of biometric data for the purpose of uniquely identifying a natural person;
- processing that involves the use of genetic data for any purpose;
- processing that involves the use of data on a large scale. In order to determine whether processing can be considered to be on a large scale, the criteria laid down in the Article 29 Working Party's (WP29's) Guidelines on Data Protection Officers must be taken into account;
- processing that involves the association, combination, or linking of records in databases from two or more data processing events with different aims or by different controllers;
- data processing regarding vulnerable subjects or those who are at risk of social exclusion, including the data of persons aged under 14, older people with any kind of disability, the disabled, persons who access social services, and the victims of gender-related violence, as well as their descendants and persons who are in their guardianship or custody;
- processing that involves the use of new technologies or innovative use of consolidated technologies, including the use of technologies on a new scale, for a new purpose, or in combination with others, in a manner that entails new forms of data collection and usage that represents a risk to people's rights and freedoms; and
- data processing that prevents interested parties from exercising their rights, using a service, or executing a contract, such as for example processing where data have been compiled by a controller distinct from the controller who is to process them, and any of the exceptions regarding the information that ought to be provided to the interested parties under Article 14(5)(b), (c), and (d) of the GDPR apply.
Furthermore, the Spain Whitelist provides that the following types of processing operations do not require a DPIA:
- processing carried out strictly under the guidelines established or authorized previously, by way of circulars or decisions issued by supervisory bodies, especially the AEPD, whenever the processing has not changed since it was authorized;
- processing carried out strictly under the guidelines of codes of conduct approved by the European Commission or by supervisory bodies, especially the AEPD, whenever a full DPIA has already been carried out within the context of a validated code of conduct, and is implemented with the measures and safeguards defined in the DPIA;
- processing that is necessary in order to comply with a legal requirement or to complete a mission being carried out in the public interest or in the exercise of official authority vested in the controller, provided that there is no duty to carry out a DPIA within the legal mandate itself, whenever a full DPIA has already been performed;
- processing carried out by self-employed personnel who work on an individual basis in the exercise of their professional duties, especially physicians, healthcare professionals, or lawyers, notwithstanding that a DPIA may still be required when the processing meets, in a significant way, two or more of the criteria in the AEPD's list of processing operations that require a DPIA (the Spain Blacklist);
- processing carried out in relation to the internal administration of personnel working at small to medium-sized enterprises, in order to face processing operations mandatory by law for the purposes of accounting, human resources management, payroll management, social security, and safety in the workplace, but never in relation to customer data;
- processing carried out by owners' associations and sub-associations in multioccupancy properties, as these are defined in Article 2 (a), (b), and (d) of Law 49/1960, of July 21, on Horizontal Property (only available in Spanish here); and
- processing carried out by professional colleges and non-profit associations of the data of their associates, members, and donors, for the management of such personal data in the performance of their tasks, provided that the processing does not extend to special categories of data as referred to in Article 9(1) of the GDPR and that Article 9(2)(d) of the GDPR does not apply.
The AEPD has issued the following resources to assist with undertaking a DPIA:
- a DPIA tool (only available in Spanish here);
- Template for Data Protection Impact Assessment Report (DPIA) for Private Sector; and
- Model DPIA report for public administrations (only available to download in Spanish here).
Penalties
Processing personal data without having carried out a DPIA where one is required is classified as a serious infringement (Article 73(t) of the LOPDGDD), sanctionable under Article 83(4) of the GDPR and subject to a two-year statutory limitation period.
7.5. Data protection officer appointment
The LOPDGDD requires data controllers to appoint a DPO in specific circumstances even if the GDPR does not require it. Companies that are required to appoint a DPO under the LOPDGDD are:
- professional associations and their general councils;
- teaching centers that offer education at any of the levels established in the legislation regulating the right to education, including public and private universities;
- entities that operate electronic communications networks and provide electronic communications services in accordance with the provisions of their specific legislation, when they habitually and systematically process personal data on a large scale;
- information society service providers carrying out data subject profiling activities on a large scale;
- entities included in Article 1 of Law 10/2014, of 26 June 2014, on the Regulation, Supervision and Solvency of Credit Institutions (as amended), namely, banks, savings banks, credit unions, and the Official Credit Institute;
- credit financial institutions;
- insurance and reinsurance entities;
- investment service companies, regulated by stock market legislation;
- electric power distributors and natural gas distributors;
- entities that develop advertising and commercial prospecting activities, including those of commercial and market research, when they carry out treatments based on the preferences of those affected or carry out activities that involve the preparation of profiles of them;
- health facilities legally obliged to keep patients' medical histories (self-employed health professionals acting on their own are excluded);
- entities carrying out business/credit reports regarding individuals;
- entities offering gambling and gaming services by electronic, informatics, telematics, or interactive means;
- private security companies; and
- sports federations when processing underage individuals' personal data.
Role
Under Article 36(2) of the LOPDGDD, a DPO cannot be dismissed or penalized unless they commit fraud or gross negligence in their exercise. Additionally, the DPO must report directly to the highest level of management.
A DPO may intervene when a complaint is made against a controller or processor to a supervisory authority. Prior to submitting the complaint to the supervisory authority, the DPO, when they have been designated, may intervene and communicate to the complainant the organization's response within two months of the receipt of the complaint (Article 37(1) of the LOPDGDD).
The AEPD, or the corresponding regional data protection authority, i.e. the Catalan Data Protection Authority (APDCAT), the Basque Data Protection Agency (AVPD), and the Council of Transparency and Data Protection of Andalusia, may forward the complaint to the DPO before attending to it (Article 37(1) of the LOPDGDD). The DPO has one month to reply to the complaint (Article 37(2) of the LOPDGDD).
Professional qualifications
The AEPD has issued the Certification Scheme Guidelines, a non-compulsory DPO certification scheme, which verifies that a DPO meets the professional qualifications and knowledge required to practice the profession. Although certification is not mandatory to be able to practice as a DPO, and the profession can be exercised without being certified under this or any other scheme, the Certification Scheme Guidelines note that the AEPD has considered it necessary to offer a reference point to the market on the contents and elements of a certification mechanism that can serve as a guarantee to accredit the qualification and professional capacity of DPO candidates.
The Certification Scheme Guidelines state that only those accredited by the National Accreditation Entity (ENAC) can issue certificates to DPOs, and include a list of organizations that have been accredited or are in the process of being accredited.
Notification
The LOPDGDD also allows organizations to voluntarily appoint a DPO. However, if appointed, it will be mandatory to notify the AEPD of such an appointment.
The LOPDGDD requires data controllers to inform the AEPD or, as the case may be, the regional data protection authorities, of the designations, appointments, and dismissals of DPOs within a period of 10 days (Article 34(3) of the LOPDGDD).
The DPO notification to the AEPD can be made via an online form (only available in Spanish here). There are also online forms for notifying the APDCAT (only available in Catalan here), the Council of Transparency and Data Protection of Andalusia (only available in Spanish here), and the AVPD (only available in Spanish here).
The AEPD and the regional authorities have an obligation under Article 34(4) of the LOPDGDD to maintain, within the scope of their respective competencies, an updated list of DPOs that will be accessible by electronic means (the AEPD's list is only available in Spanish here).
Finally, if a data subject files a claim before the AEPD, the latter may first address the DPO in order to obtain an answer to the claim.
7.6. Data breach notification
There are no national law variations from the GDPR.
7.7. Data retention
There are no national law variations from the GDPR.
7.8. Children's data
Whereas the GDPR establishes a minimum age of 16 years for the processing of children's data based on the child's own consent, it also allows Member States to provide by law for a lower age, provided that it is not below 13 years. Pursuant to that enabling provision, the LOPDGDD sets the age at 14 years for the processing of data based on the child's own consent.
7.9. Special categories of personal data
Processing of special categories of personal data
According to the LOPDGDD, the consent of the data subject will not be sufficient for processing data where the main purpose is to identify that individual's ideology, trade union membership, religion, sexual orientation, beliefs, or racial or ethnic origin. This is to prevent discrimination. Consequently, additional grounds are needed in order to process this type of personal data.
Moreover, the LOPDGDD states that processing of special categories of personal data in accordance with Article 9(2)(g), (h), and (i) of the GDPR must be based on a law, which could establish additional requirements regarding their security and confidentiality.
Processing of criminal convictions data
The processing of such data for purposes other than the prevention, investigation, detection, or prosecution of criminal offenses, or the execution of criminal penalties, may only be carried out when covered by a rule with statutory force or by EU law. In other cases, processing of such data may only be carried out by lawyers and procurators, provided that its purpose is to collect the information provided by clients for the performance of their functions.
7.10. Controller and processor contracts
There are no national variations from the GDPR.
8. Data Subject Rights
8.1. Right to be informed
Data controllers may provide the information required by Article 13 of GDPR through a layer system. The first layer shall contain, as a minimum, the following:
- the identity of the data controller (and the identity of its representative, where applicable);
- a simple description of the purposes for which the data will be processed;
- the possibility of exercising the data privacy rights;
- a reference to the fact that the personal data will be processed for profiling (where applicable); and
- a link to the second layer of information. The second layer must contain further information as required by Article 13 of the GDPR.
The layer system can also be used when the personal data has not been obtained from the data subject (Article 14 of the GDPR), in which case it will be mandatory to include in the first layer of information:
- the categories of personal data concerned; and
- the source from which the personal data originates.
Moreover, the LOPDGDD states that data controllers need to inform the data subjects not only about the possibility of exercising their rights, but also about the mechanism for exercising such rights (for example, via email).
8.2. Right to access
There are no national variations from the GDPR.
8.3. Right to rectification
There are no national variations from the GDPR.
8.4. Right to erasure
The LOPDGDD allows data controllers to block personal data when data subjects have previously exercised their rights to rectification or erasure. Thus, the data controller may keep such personal data duly blocked during the statutory limitation period of any liabilities that may arise as a consequence of the processing.
8.5. Right to object/opt-out
There are no national variations from the GDPR.
8.6. Right to data portability
There are no national variations from the GDPR.
8.7. Right not to be subject to automated decision-making
There are no national variations from the GDPR.
8.8. Other rights
Not applicable.
9. Penalties
The LOPDGDD classifies data protection infringements as minor, serious, or very serious, and specifies the statutory limitation period that is one, two, and three years, respectively.
Regarding the sanctions amount, the LOPDGDD refers to the provisions set out in the GDPR.
9.1 Enforcement decisions
The AEPD imposed two sanctions on Caixabank in its resolution published in January 2021 (only available in Spanish here) for infringing the GDPR, which are notable for the size of the penalties. Specifically, a sanction of €4 million was imposed for the bank's failure to meet the requirements for obtaining valid consent from users, and another sanction of €2 million for unlawful processing of personal data, because the bank made customers' consent to the processing of their data a condition of the framework contract.
In addition, the AEPD issued, on July 27, 2021, its decision in proceeding PS/00120/2021 (only available in Spanish here), fining Mercadona, S.A. €2.52 million, following the conclusion of the AEPD's investigation into the use of facial recognition systems carried out in Mercadona's establishments for the purpose of detecting the individuals with criminal convictions or restraining orders. In particular, the decision highlights, among other things, that the processing of biometric data through the facial recognition system did not only occur in relation to the identification of individuals with convictions or criminal offenses, but rather affected any customer who walked into the supermarkets, including children, as well as Mercadona's employees.
Furthermore, the AEPD published, on February 1, 2022, its decision in Proceeding No. PS/00001/2021 (only available in Spanish here), in which it imposed a fine of €3.94 million on Vodafone España, S.A.U. for violation of Articles 5(1)(f) and 5(2) of the GDPR, for not implementing appropriate security measures to prevent the fraudulent duplication of SIM cards (SIM swapping) and for being unable to prove that it had implemented such measures.
The AEPD published, on May 18, 2022, its decision in proceeding PS-00140-2020 (only available in Spanish here), in which it imposed a fine of €10 million on Google LLC for the violation of Articles 6 and 17 of the GDPR following two complaints and subsequent investigation from the AEPD.
In particular, the AEPD noted that the complaints concerned the transfer of requests for the removal of content from Google's various products and platforms, such as the Google search engine and YouTube, to a third party, the 'Lumen Project'. Specifically, the AEPD explained that, to enable the removal of content, Google required users of the relevant forms to accept the transfer of copies of their content removal requests to 'lumendatabase.org', where they would subsequently be published.
On July 28, 2023, the AEPD fined Open Bank, S.A. €2.5 million (decision only available in Spanish here) for infringing Articles 25 and 32 of the GDPR, on data protection by design and security of processing respectively. According to the AEPD, the options offered by Open Bank for a complainant to prove the origin of various amounts received in their bank account (submitting the information by email, by post, or in person at any of Open Bank's offices in Madrid), in compliance with anti-money laundering regulations, did not incorporate any security measures, such as an encryption mechanism. The AEPD states that 'e-mail cannot be considered an appropriate means of guaranteeing a level of security appropriate to the risk in the sending of documentation containing personal data provided under Chapter II of Law 10/2010 of 28 April, on the prevention of money laundering and terrorist financing (available in Spanish here) (unofficial English translation available here), which require special protection, considering the regulation on the prevention of money laundering, the nature of the processed data and the GDPR'.
General Logistics Systems Spain, S.A
The AEPD issued a resolution in dossier number EXP202313334 closing the proceedings against General Logistics Systems Spain, S.A. (GLS), following a complaint filed by A.A.A. on August 1, 2023 (only available in Spanish here). The complaint was based on an alleged improper delivery of a package managed by GLS, resulting in the unauthorized disclosure of personal data.
Specifically, the complainant reported that she received an email confirming the delivery of her package on August 1, 2023, despite not being at home. The email indicated that the package had been delivered to her address, with her name listed as the recipient, alongside an anonymized ID that did not match her own. The package was delivered to a third party without her consent.
GLS clarified that the package delivery was contracted through SHEIN, with ENVIPAQ handling the delivery. An investigation revealed that, while the courier was at the correct address, an incorrect DNI number was recorded, leading to a false delivery. As a result, the courier was no longer affiliated with ENVIPAQ. GLS submitted a copy of its data processor agreement with ENVIPAQ, outlining the responsibilities and obligations regarding personal data protection.
Furthermore, GLS implemented additional measures to mitigate future incidents, including updates to their delivery protocols and enhanced training for employees regarding data protection responsibilities. These efforts reflect GLS's dedication to safeguarding personal data throughout its delivery processes.
Following the examination of the provided evidence, and in the absence of proof that personal data beyond the name and address were disclosed to unauthorized third parties, the AEPD determined that there was no breach of the confidentiality of the complainant's data. Consequently, on November 1, 2023, the AEPD decided to close the proceedings, as no breach of confidentiality was proven. Although the package was delivered to a third party, only basic data (name and address) were exposed, which did not compromise privacy if the third party already knew them, and there was no evidence of access to additional sensitive information.
All findings are subject to further investigations or corrective actions as required by law. Given that no liability was established regarding the exposure of the complainant's personal data, the AEPD has resolved to proceed with the filing of the case.
Air Europa Breach of Security
The National Audience – Chamber for Contentious-Administrative Proceedings, First Section
Appeal by Air Europa Líneas Aéreas S.A (only available in Spanish here)
Air Europa Líneas Aéreas, S.A. (Air Europa) filed an appeal against the decision of December 2, 2021, of the Director of the AEPD, which upheld on appeal the decision of March 15, 2021, imposing a fine of €500,000 for an infringement of Article 32 of the GDPR and another fine of €100,000 for an infringement of Article 33 of the GDPR. Both infringements are classified as serious under Article 83(4)(a) of the GDPR, as decided in the sanctioning procedure PS/00179/2020 (only available in Spanish here).
The proven facts on which the sanctions imposed are based are:
- On 29/11/2018, a letter was received at the AEPD from Air Europa stating that on 16/10/2018, it had received notification from Banco Popular regarding a security incident, activating the incident response plan on 17/10/2018.
- On 18/01/2019, Air Europa provided a full notification to the AEPD, outlining preventive and containment measures.
- Air Europa submitted a technical forensic report from IBM detailing a breach and its recommendations.
- On 14/11/2019, further forensic evidence confirmed a breach at Air Europa.
- On 04/06/2020, Air Europa provided an impact assessment relating to customer sales data.
The analysis of the first infringement is based on Article 32(1) of the GDPR regarding appropriate technical and organizational measures to ensure data security. The system breach likely originated from unpatched vulnerable devices exposed to the internet, such as CITRIX, VPN, and Office365, which lacked multi-factor authentication. It was found that the compromised account used a weak password, making unauthorized access easier. Although the attackers did not access sensitive personal data (such as IDs, passports, or birth dates), they did obtain banking information for fraudulent purposes, which aggravated the violation.
The AEPD considered several aggravating factors:
- the nature of the affected data;
- the way the breach was discovered (reported by a third party, Banco Popular);
- the ongoing nature of the violation;
- the company's activity related to the processing of personal data, given its business volume; and
- constant contact with customers.
Air Europa is part of the Globalia group, with significant revenues in 2018 and 2019. As a result, a fine of €500,000 was imposed for non-compliance with Article 32(1) of the GDPR. The second infringement concerned Article 33(1) of the GDPR, which requires notification of a personal data breach to the supervisory authority without undue delay.
Air Europa argued against the proportionality of the imposed sanctions, referencing a lack of consistency compared to other cases. The AEPD's decisions and the imposed fines have, however, been found lawful, considering the severity of the infringements and their impact on personal data security. Therefore, the appeal was dismissed.