AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS – €200,000 Fine (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
AXA SEGUROS GENERALES was fined for failing to protect a user's account from unauthorized access by a former employee. This case is significant because it underscores the need for strong security measures to protect personal information. Insurance companies and others handling sensitive data should prioritize user account security to prevent identity theft.
What happened
AXA SEGUROS GENERALES allowed a former employee to change a user's password and access their insurance account without proper security measures.
Who was affected
The user whose account was accessed without their consent was affected.
What the authority found
The Spanish Data Protection Authority found that AXA SEGUROS GENERALES violated GDPR by not managing the password change process securely, allowing unauthorized access to personal information.
Why this matters
This ruling serves as a warning to companies about the importance of implementing effective security measures to protect user data. It reinforces the need for vigilance in preventing identity theft.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS (the controller) is an insurance company. In 2023, a former employee of the controller contacted a data subject and asked for details of their insurance policy so that a different company could match the price. The data subject later received two SMS messages containing a temporary code for accessing their online account, followed by a confirmation email that their access credentials had been changed. The data subject contacted the controller, as they had neither used the codes nor accessed their account. The controller blocked the account in response, but later informed the data subject that the former employee had stolen their identity to access it. The data subject filed a complaint with the DPA.

During the DPA's investigation, the controller confirmed that the data subject's password had been changed and stated that it had implemented additional security measures after the incident to prevent further identity theft. The controller argued that the DPA could not find a violation of Article 5(1)(f) GDPR based solely on the fact that the incident took place, since that article does not require controllers to have completely effective security measures in place.

The DPA found a violation of Article 5(1)(f) GDPR. The controller had not properly managed the process for changing the data subject's password, which allowed a third party to access the data subject's insurance account information. The DPA considered the controller's security measures insufficient to ensure the security of processing: for example, the third party was able to impersonate the data subject using only their insurance number and the last four digits of their payment method. The DPA regarded this as a systematic error and as evidence of a lack of diligence on the controller's part, since it had not implemented measures to ensure that former employees could not impersonate data subjects. The DPA fined the controller €200,000. In addition, the DPA ordered the
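The finding above turns on one design point: a password change was authorised by knowledge of identifiers (policy number, last four digits of the payment method) that staff and former staff routinely see, and the temporary codes sent to the customer's phone were not what actually gated the change. The following is an added illustration, not code from the page, from the DPA or from AXA, contrasting that knowledge-based check with a change flow that is bound to a single-use code delivered to the registered channel. The account store, policy number, phone number and all message handling are constructed sample data; the hashing is a stand-in for a proper password hash.

```python
import hashlib
import hmac
import secrets
import time
from dataclasses import dataclass, field


@dataclass
class Account:
    policy_number: str
    payment_last4: str      # last four digits of the payment method on file
    phone: str              # registered channel for one-time codes
    password_hash: str
    audit: list = field(default_factory=list)


def hash_secret(value: str) -> str:
    # Toy hash for the example only; a real system uses a slow password hash (argon2/bcrypt).
    return hashlib.sha256(value.encode()).hexdigest()


def make_sample_store() -> dict:
    # Constructed sample data: not a real policy, customer or phone number.
    return {"POL-0001": Account("POL-0001", "4242", "+34-600-000-000", hash_secret("old-password"))}


def change_password_weak(store: dict, policy_number: str, last4: str, new_password: str) -> bool:
    """Knowledge-based check: anyone holding the policy number and the last four
    payment digits (visible to staff and on paperwork) can replace the password."""
    acct = store.get(policy_number)
    if acct is None or not hmac.compare_digest(acct.payment_last4, last4):
        return False
    acct.password_hash = hash_secret(new_password)
    return True


class PossessionBoundReset:
    """Hardened flow: a single-use code goes to the registered channel, and the change
    is applied only when that code is presented together with the same request."""
    CODE_TTL = 600          # seconds a code stays valid
    MAX_ATTEMPTS = 3        # wrong guesses allowed per request

    def __init__(self, store: dict, send_sms, now=time.time):
        self.store, self.send_sms, self.now = store, send_sms, now
        self.pending = {}   # request_id -> [policy_number, code_hash, expires_at, attempts]

    def start(self, policy_number: str):
        acct = self.store.get(policy_number)
        if acct is None:
            return None     # the HTTP layer should still answer generically to avoid enumeration
        request_id = secrets.token_urlsafe(16)
        code = f"{secrets.randbelow(10**6):06d}"
        self.pending[request_id] = [policy_number, hash_secret(code), self.now() + self.CODE_TTL, 0]
        self.send_sms(acct.phone, code)         # only the holder of the registered phone sees it
        return request_id

    def complete(self, request_id: str, code: str, new_password: str) -> bool:
        entry = self.pending.get(request_id)
        if entry is None:
            return False
        policy_number, code_hash, expires_at, attempts = entry
        if self.now() > expires_at or attempts >= self.MAX_ATTEMPTS:
            del self.pending[request_id]        # expired or brute-forced: discard the request
            return False
        entry[3] += 1
        if not hmac.compare_digest(code_hash, hash_secret(code)):
            return False
        acct = self.store[policy_number]
        acct.password_hash = hash_secret(new_password)
        del self.pending[request_id]            # single use: the same request cannot be replayed
        acct.audit.append(("password_changed", request_id, int(self.now())))
        self.send_sms(acct.phone, "Your password was changed. If this was not you, contact us.")
        return True


def demo() -> dict:
    """Replays the scenario on constructed data: a requester who knows the policy
    number and last four digits but does not hold the customer's phone."""
    results = {}
    results["weak_flow_accepts_knowledge_only"] = change_password_weak(
        make_sample_store(), "POL-0001", "4242", "attacker-pw")

    inbox = []      # messages delivered to the customer's registered phone
    svc = PossessionBoundReset(make_sample_store(), lambda phone, msg: inbox.append(msg))
    req = svc.start("POL-0001")
    results["hardened_flow_rejects_without_code"] = not svc.complete(req, "not-the-code", "attacker-pw")
    results["customer_with_code_succeeds"] = svc.complete(req, inbox[0], "new-password")
    results["request_is_single_use"] = not svc.complete(req, inbox[0], "again")
    results["audit_event_recorded"] = svc.store["POL-0001"].audit[0][0] == "password_changed"
    results["customer_notified"] = inbox[-1].startswith("Your password was changed")
    return results


if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name}: {ok}")
```

The point of the second flow is not the SMS itself but the binding: the change cannot happen unless the code that reached the customer comes back with the same request, so an insider who only knows account details has nothing to present. The expiry, attempt limit, audit entry and post-change notification are what let the account holder and the operator notice a change they did not initiate, which is exactly the signal the data subject in this case had to raise by hand.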
Related Enforcement Actions (0)
No other enforcement actions found for AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
15 April 2026
Authority
Agencia Española de Protección de Datos
Fine Amount
€200,000
GDPRhub ID
gdprhub-9941
Cite as: Cookie Fines. AXA SEGUROS GENERALES, S.A. DE SEGUROS Y REASEGUROS - Spain (2026). Retrieved from cookiefines.eu