CENTROS COMERCIALES CARREFOUR, S.A. – €3,200,000 Fine (Spain, 2025)

€3,200,000 | Agencia Española de Protección de Datos | 14 March 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Carrefour faced a EUR 3,200,000 fine after a cyberattack leaked personal data due to poor security measures. The company failed to protect customer information and didn't notify affected individuals properly. This case highlights the importance of strong data security practices for businesses.

What happened

Carrefour suffered a cyberattack that led to the leak of personal data due to inadequate security measures.

Who was affected

Customers whose personal data was leaked during the cyberattack.

What the authority found

The Spanish data protection authority found that Carrefour did not implement sufficient security measures, violating GDPR's requirements for data protection.

Why this matters

This ruling emphasizes that companies must prioritize data security to protect customer information. It serves as a warning for businesses to strengthen their security protocols to avoid similar penalties.

GDPR Articles Cited

Art. 32 GDPR
Art. 34 GDPR
Art. 5(1)(f) GDPR

Source verified 5 March 2026
verified correct
Full Legal Summary

The Spanish DPA imposed a fine of EUR 3,200,000 on CENTROS COMERCIALES CARREFOUR, S.A. The controller suffered a cyberattack, resulting in the leak of a large amount of personal data. The controller failed to implement sufficient technical and organizational measures to ensure data security. Additionally, the notification of the data subjects regarding the data breach was insufficient.

Related Enforcement Actions (0)

No other enforcement actions found for CENTROS COMERCIALES CARREFOUR, S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 14 March 2025
Authority: Agencia Española de Protección de Datos
Fine Amount: €3,200,000
Enforcement Tracker ID: ETid-2655

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CENTROS COMERCIALES CARREFOUR, S.A. - Spain (2025). Retrieved from cookiefines.eu
