Spain
GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS
GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2024-12-10.
Case details
- Authority
- Spanish Data Protection Authority (aepd)
- Date
- 2024-12-10
- Controller / Processor
- GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS
- Sector
- Finance, Insurance and Consulting
- Quoted Articles
- Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR, Art. 35 GDPR
- Type of violation
- Insufficient technical and organisational measures to ensure information security
Summary
The Spanish DPA has imposed a fine on GENERALI ESPAÑA, SOCIEDAD ANONIMA DE SEGUROS Y REASEGUROS. The controller had suffered a data breach where unknown third parties gained access to the customer data management system using credentials of a broker which allowed them to access customer data such as name, IBAN, personal identification number. The incident affected approximately 1.5 million individuals. During its investigation, the DPA found, in particular, that the controller had failed to implement appropriate technical and organizational measures to protect personal data in order to prevent such an incident. The DPA also found that the controller had failed to carry out a risk assessment, although this was deemed necessary given the significant number of customers and the fact that the controller was consequently processing personal data of those data subjects on a large scale. The original fine of EUR 5 million was reduced to EUR 4 million due to immediate payment.
Related fines