HISPAPOST, S.A. – €36,000 Fine (Spain, 2024)

€36,000Agencia Española de Protección de Datos1 February 2024Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

HISPAPOST, a Spanish company, was fined for not reporting a data incident involving abandoned letters quickly enough. This is important because it shows that companies must act promptly when handling personal data issues. Small businesses should ensure they have clear procedures for reporting data breaches.

What happened

The Spanish DPA fined HISPAPOST for failing to timely report a data protection incident involving abandoned letters.

Who was affected

The companies that contracted HISPAPOST to deliver letters and the individuals whose data was potentially exposed.

What the authority found

The DPA determined that HISPAPOST did not meet its obligations to report the incident in a timely manner, violating GDPR requirements.

Why this matters

This case emphasizes the importance of quick reporting in data protection incidents. Small business owners should have a clear plan in place for responding to data breaches to avoid penalties.

GDPR Articles Cited

AI-verified

Art. 28(3) GDPR
View original scraped data
Art. 28(3) GDPR

Original data from scraper before AI verification against source document.

Source verified 12 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll HISPAPOST, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA has imposed a fine on HISPAPOST, S.A.. The police had found over a thousand abandoned letters containing the Hispapost logo. Hispapost had been contracted by several companies to deliver the letters. During its investigation, the DPA found that Hispapost, as a processor, had failed to report the data protection incident to the data controllers in a timely manner. The original fine of EUR 60,000 was reduced to EUR 36,000 due to admission of responsibility and voluntary payment.

Related Enforcement Actions (0)

No other enforcement actions found for HISPAPOST, S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

1 February 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€36,000

Enforcement Tracker ID

ETid-2246

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. HISPAPOST, S.A. - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: