IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 – €1,000,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
The controller, Ibermurta, is an insurance company and partner of the Spanish Social Security System. They digitize and facilitate the management of queries and complaints related to the eligibility of workers in companies using the platform for economic benefits when they fall ill. In July 2024, a weekly email sent by the controller contained a coding error and as a result additional attachments were inadvertently included in emails being sent to partner companies. The personal data of 3,395 data subjects (including special category data), all employees of partner companies, was sent to a total of 354 recipient partner companies. The personal data was comprised of: name and surname, tax identification number, social security number, age, sick leave status, date of employment, date of leaving, number of sick days taken, employee’s company, reason for sick leave, expected number of days sick leave to be taken, total cost of the process, National Occupational Code of the employee, the employee’s eligibility for the financial benefit, whether the illness was due to a work accident, whether the illness was due to a traffic accident, and the sex of each employee. Eight complaints were filed with the Spanish DPA (AEPD) by data subjects between August and September 2024. The DPA found that the controller had infringed Article 5(1)(f) GDPR. This principle requires that personal data is processed in a manner which ensures its security. In doing so, the DPA highlighted the large number of email that were sent by the controller (~250,000 per month) and was critical of the lack of corresponding security measures. The DPA noted that both the volume of emails being sent and the sensitivity of the personal data in question warranted control mechanisms to prevent or detect errors in the configuration of the sending procedure for emails. The DPA considered the infringement to be of a serious nature, considering both the large number of data subjects involved in the breach, as
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The controller, Ibermurta, is an insurance company and partner of the Spanish Social Security System. They digitize and facilitate the management of queries and complaints related to the eligibility of workers in companies using the platform for economic benefits when they fall ill. In July 2024, a weekly email sent by the controller contained a coding error and as a result additional attachments were inadvertently included in emails being sent to partner companies. The personal data of 3,395 data subjects (including special category data), all employees of partner companies, was sent to a total of 354 recipient partner companies. The personal data was comprised of: name and surname, tax identification number, social security number, age, sick leave status, date of employment, date of leaving, number of sick days taken, employee’s company, reason for sick leave, expected number of days sick leave to be taken, total cost of the process, National Occupational Code of the employee, the employee’s eligibility for the financial benefit, whether the illness was due to a work accident, whether the illness was due to a traffic accident, and the sex of each employee. Eight complaints were filed with the Spanish DPA (AEPD) by data subjects between August and September 2024. The DPA found that the controller had infringed Article 5(1)(f) GDPR. This principle requires that personal data is processed in a manner which ensures its security. In doing so, the DPA highlighted the large number of email that were sent by the controller (~250,000 per month) and was critical of the lack of corresponding security measures. The DPA noted that both the volume of emails being sent and the sensitivity of the personal data in question warranted control mechanisms to prevent or detect errors in the configuration of the sending procedure for emails. The DPA considered the infringement to be of a serious nature, considering both the large number of data subjects involved in the breach, as
Related Enforcement Actions (0)
No other enforcement actions found for IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€1,000,000
GDPRhub ID
gdprhub-8962About this data
Cite as: Cookie Fines. IBERMUTUA MUTUA COLABORADORA CON LA SEGURIDAD SOCIAL Nº 274 - Spain (2025). Retrieved from cookiefines.eu
Last updated: