Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. – €180,000 Fine (Spain, 2025)

€180,000Agencia Española de Protección de Datos4 September 2025Spain
reduced
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Spain's data protection authority fined Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. €180,000 after a cyber attack revealed their weak security measures. The company also failed to have a proper agreement with a third-party data processor. This case highlights the importance of strong data protection practices.

What happened

The company was fined for inadequate security measures that led to a cyber attack and for lacking a proper data processing agreement with a third party.

Who was affected

Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. and the individuals whose data was compromised in the cyber attack.

What the authority found

The Spanish data protection authority found that the company did not implement sufficient technical and organizational measures to protect personal data.

Why this matters

This fine underscores the necessity for businesses to invest in robust data security measures and to ensure proper agreements with any third-party service providers. It serves as a warning that neglecting data protection can lead to significant financial penalties.

GDPR Articles Cited

AI-verified

Art. 28(GDPR)
Art. 5(1)(f) GDPR
View original scraped data
Art. 5(1)(f) GDPR
Art. 28 GDPR

Original data from scraper before AI verification against source document.

Source verified 6 March 2026
verified correct
Spain enforcementAgencia Española de Protección de Datos actionsAll Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. actions
Full Legal Summary
Detailed

The Spanish DPA has imposed a fine of EUR 180,000 on Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. The controller suffered a cyber attack due to insufficient technical and organisational measures. The controller also used a third party data processor with which the controller had no sufficient data processing agreement. The original fine of EUR 300,000 was reduced to EUR 180,000 due to immediate payment and admission of responsibility by the controller.

Related Enforcement Actions (0)

No other enforcement actions found for Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

4 September 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€180,000

Enforcement Tracker ID

ETid-2875

Sources

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Sociedad de Gestión de Activos Procedentes de la Reestructuración Bancaria S.A. - Spain (2025). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: