IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 – €1,000,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
IBERMUTUA was fined €1,000,000 for accidentally sending sensitive personal data of over 3,000 employees to partner companies due to a coding error in an email. This breach of data security is serious because it involved sensitive information, and it highlights the need for better security measures. Companies must take steps to protect personal data to avoid costly mistakes.
What happened
IBERMUTUA mistakenly sent sensitive personal data of 3,395 employees to 354 partner companies due to an email error.
Who was affected
Employees of partner companies whose sensitive personal data was exposed.
What the authority found
The DPA found that IBERMUTUA violated GDPR by failing to ensure the security of personal data during email communications.
Why this matters
This ruling underscores the importance of implementing strong security measures when handling personal data. Organizations must be proactive in preventing data breaches to protect their reputation and finances.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The controller, Ibermutua, is an insurance company and partner of the Spanish Social Security System. They digitize and facilitate the management of queries and complaints related to the eligibility of workers in companies using the platform for economic benefits when they fall ill.
In July 2024, a weekly email sent by the controller contained a coding error, and as a result additional attachments were inadvertently included in emails being sent to partner companies. The personal data of 3,395 data subjects (including special category data), all employees of partner companies, was sent to a total of 354 recipient partner companies.
The personal data comprised: name and surname, tax identification number, social security number, age, sick leave status, date of employment, date of leaving, number of sick days taken, employee's company, reason for sick leave, expected number of days sick leave to be taken, total cost of the process, National Occupational Code of the employee, the employee's eligibility for the financial benefit, whether the illness was due to a work accident, whether the illness was due to a traffic accident, and the sex of each employee.
Eight complaints were filed with the Spanish DPA (AEPD) by data subjects between August and September 2024.
The DPA found that the controller had infringed Article 5(1)(f) GDPR. This principle requires that personal data is processed in a manner which ensures its security. In doing so, the DPA highlighted the large number of emails that were sent by the controller (~250,000 per month) and was critical of the lack of corresponding security measures. The DPA noted that both the volume of emails being sent and the sensitivity of the personal data in question warranted control mechanisms to prevent or detect errors in the configuration of the sending procedure for emails.
The DPA considered the infringement to be of a serious nature, considering both the large number of data subjects involved in the breach, as
Related Enforcement Actions (0)
No other enforcement actions found for IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€1,000,000
GDPRhub ID
gdprhub-8962
Cite as: Cookie Fines. IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 - Spain (2025). Retrieved from cookiefines.eu