Air Europa Lineas Aereas, SA. – €600,000 Fine (Spain, 2021)

€600,000 | Agencia Española de Protección de Datos | 15 March 2021 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Air Europa was fined EUR 600,000 by Spain's data protection authority after a data breach exposed contact and bank details of nearly half a million people. The airline failed to secure its data properly and delayed reporting the breach. This case highlights the importance of quick breach reporting and strong data security measures.

What happened

Air Europa suffered a data breach exposing contact and bank details of 489,000 people and reported it 41 days late.

Who was affected

Individuals whose contact and bank details were exposed in the breach.

What the authority found

The Spanish authority fined Air Europa for not securing data adequately and for delaying breach notification, violating GDPR requirements.

Why this matters

This case underscores the need for businesses to implement strong security measures and promptly report data breaches. It serves as a reminder that delays in reporting can lead to significant fines.

GDPR Articles Cited

AI-verified

Art. 33 GDPR
Art. 32(1) GDPR

Source verified 6 March 2026
verified correct
Full Legal Summary
Detailed

The Spanish DPA (AEPD) fined Air Europa Lineas Aereas, SA. EUR 600,000 after a serious data breach involving unauthorized access to contact details and bank accounts was reported to the AEPD. Approximately 489,000 individuals and 1,500,000 records were affected. The AEPD announced that it had fined the controller EUR 500,000 for a breach of Art. 32(1) GDPR for failing to take appropriate technical and organizational measures to ensure an adequate level of security, and EUR 100,000 for a breach of Art. 33 GDPR for notifying the AEPD of the security breach 41 days late. In determining the amount of the fine, the AEPD took into account as an aggravating factor that the incident was not limited to a local area but affected a large number of people in Spain and worldwide, and that sensitive banking and financial data were affected, harming several thousand people.

Related Enforcement Actions (0)

No other enforcement actions found for Air Europa Lineas Aereas, SA. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

15 March 2021

Authority

Agencia Española de Protección de Datos

Fine Amount

€600,000

Enforcement Tracker ID

ETid-609

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Air Europa Lineas Aereas, SA. - Spain (2021). Retrieved from cookiefines.eu
