IBERDROLA, S.A. – €3,000,000 Fine (Spain, 2024)

€3,000,000Agencia Española de Protección de Datos7 February 2024Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

IBERDROLA, S.A. was fined €3 million after a cyberattack compromised customer data from millions of people. The Spanish data protection authority found that IBERDROLA did not have enough security measures in place to prevent the attack. This case highlights the importance of strong cybersecurity for companies handling personal data.

What happened

IBERDROLA failed to implement sufficient security measures, leading to a cyberattack that compromised customer data.

Who was affected

Millions of customers whose personal data was compromised during the cyberattack on I-DE Redes.

What the authority found

The Spanish DPA ruled that IBERDROLA did not take adequate steps to protect personal data, violating GDPR's security requirements.

Why this matters

This ruling emphasizes that companies must prioritize cybersecurity to protect customer data. It serves as a warning that failure to do so can lead to significant financial penalties.

GDPR Articles Cited

AI-verified

Art. 32(GDPR)
Art. 5(1)(f) GDPR
View original scraped data
Art. 5(1)(f) GDPR
Art. 32 GDPR

Original data from scraper before AI verification against source document.

Source verified 5 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll IBERDROLA, S.A. actions
Full Legal Summary
Detailed

The Spanish DPA has fined IBERDROLA, S.A. EUR 3 million following a cyberattack on I-DE Redes, which led to the compromise of customer data from millions of individuals. Although the cyberattack targeted the GEA web application of I-DE Redes, Iberdrola, as the entity responsible for managing the group's IT systems and security infrastructure, was found to have failed in implementing sufficient security measures to prevent the incident.

Related Enforcement Actions (0)

No other enforcement actions found for IBERDROLA, S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

7 February 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€3,000,000

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. IBERDROLA, S.A. - Spain (2024). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: