Generali España, Sociedad Anónima de Seguros y Reaseguros – €4,000,000 Fine (Spain, 2025)

Fine amount: €4,000,000
Authority: Agencia Española de Protección de Datos
Date: 27 January 2025
Country: Spain
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

The controller is an insurance company. On 5 October 2022, the controller experienced high traffic on one of its servers, namely the one hosting its client management tool. The controller found that an unauthorised third party had stolen the login credentials of an insurance broker and used them to access the platform. The controller investigated and concluded that the breach affected 37 data subjects, i.e. only the data subjects handled by the broker whose credentials were stolen. The controller had no logging system tracking logins and was therefore unable to determine the extent of the attack. Nevertheless, it deemed that the breach was unlikely to result in a risk to the rights and freedoms of natural persons and thus did not notify the DPA pursuant to Article 33(1) GDPR.

However, on 11 November 2022, it was noticed that a database containing a sample of 24,315 records of personal data of the controller's former clients was being sold on a Telegram group. At the same time, the controller discovered that, due to a bug in its IT system, the third party that carried out the attack had been able to access not only the data of that specific broker's clients but also the data of all the controller's other clients. The data involved included name, national identification number, telephone number, date and place of birth, civil status and IBAN. At this point, the controller reassessed the risks posed by the breach and deemed it necessary to notify both the DPA and the affected data subjects. The DPA therefore opened an investigation; some data subjects also filed complaints with the DPA.

First, the DPA pointed out that, at the time of the unauthorised access, the controller had not carried out any data protection impact assessment for the processing activity at hand. Secondly, the DPA noted that the controller had not implemented a 2-factor authenticati

GDPR Articles Cited

AI-verified

Art. 33 GDPR
Art. 34 GDPR
Art. 35 GDPR
Art. 5(1)(f) GDPR
Art. 25(1) GDPR
Art. 32(1) GDPR

Source verified 5 March 2026 (verified correct)

Related Enforcement Actions (0)

No other enforcement actions found for Generali España, Sociedad Anónima de Seguros y Reaseguros in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

27 January 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€4,000,000

GDPRhub ID

gdprhub-8794

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Generali España, Sociedad Anónima de Seguros y Reaseguros - Spain (2025). Retrieved from cookiefines.eu
