Details:
| Summary | The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. The AEPD announced that it had fined the controller EUR 500,000 for a breach of Art. 32 (1) GDPR due to the failure to take appropriate technical and organizational measures to ensure an adequate level of security, and EUR 100,000 for a breach of Art. 33 GDPR for notifying the AEPD of the security breach 41 days late. In determining the amount of the fine, the fact that the incident was not limited to a local area, but affected a large number of people not only in Spain, but also worldwide, and that sensitive banking and financial data were affected, harming several thousand people, was taken into account as an aggravating factor. |
| Link: | link |
| Related articles: | Art. 32 (1) GDPR, Art. 33 GDPR |
| Type: | Insufficient technical and organisational measures to ensure information security |
| Fine: | EUR 600,000 |
| Sector | Industry and Commerce |
All data is based on The CMS’s Law GDPR Enforcement Tracker Source: https://www.enforcementtracker.com/