IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA
650,000 €
GDPR enforcement action by the Spanish Data Protection Authority (AEPD) on 2026-03-11.
Rank · Sector: #37 of 167 in Transportation and Energy
Rank · Spain: #36 of 1,075
Rank · All fines: #215 of 3,050
Case details
- Authority: Spanish Data Protection Authority (AEPD)
- Date: 2026-03-11
- Controller / Processor: IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA
- Sector: Transportation and Energy
- Quoted Articles: Art. 5 (1) f) GDPR
- Type of violation: Insufficient technical and organisational measures to ensure information security
Summary
The Spanish DPA has imposed a fine of EUR 650,000 on IBERIA LÍNEAS AÉREAS DE ESPAÑA, S.A. OPERADORA. The controller suffered a data breach due to insufficient technical and organisational measures: an attacker accessed a data processor's system and exfiltrated the personal data of data subjects. The breach was due to two known vulnerabilities for which the software manufacturer had long provided patching options; the controller did not implement them.
Related fines
- Spain · 2025-04-07 · 14,400,000 € · ETid-3192 · AMADEUS IT GROUP, S.A. · Transportation and Energy
- Spain · 2025-11-06 · 10,043,002 € · ETid-2962 · Aena, S.M.E., S.A. · Transportation and Energy
- Spain · 2022-05-18 · 10,000,000 € · ETid-1176 · Google LLC · Media, Telecoms and Broadcasting
- Spain · 2021-03-11 · 8,150,000 € · ETid-594 · Vodafone España, S.A.U. · Media, Telecoms and Broadcasting
- Spain · 2023-12-27 · 6,500,000 € · ETid-2532 · THE PHONE HOUSE SPAIN, S.L. · Media, Telecoms and Broadcasting
- Spain · 2023-10-25 · 6,100,000 € · ETid-2220 · ENDESA ENERGÍA, S.A.U. · Transportation and Energy