Spain

Air Europa Lineas Aereas, SA.

600,000 €

GDPR enforcement action by Spanish Data Protection Authority (aepd) on 2021-03-15.

Rank · Sector

#41

of 597 in Industry and Commerce

Rank · Spain

#37

of 1,075

Rank · All fines

#219

of 3,050

Case details

Authority: Spanish Data Protection Authority (aepd)
Date: 2021-03-15
Controller / Processor: Air Europa Lineas Aereas, SA.
Sector: Industry and Commerce
Quoted Articles: Art. 32 (1) GDPR, Art. 33 GDPR
Type of violation: Insufficient technical and organisational measures to ensure information security

Summary

The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. The AEPD announced that it had fined the controller EUR 500,000 for a breach of Art. 32 (1) GDPR due to the failure to take appropriate technical and organizational measures to ensure an adequate level of security, and EUR 100,000 for a breach of Art. 33 GDPR for notifying the AEPD of the security breach 41 days late. In determining the amount of the fine, the fact that the incident was not limited to a local area, but affected a large number of people not only in Spain, but also worldwide, and that sensitive banking and financial data were affected, harming several thousand people, was taken into account as an aggravating factor.

Open original source Links to the regulator's original publication or another source.