Real Sociedad de Futbol S.A.D – €66,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Real Sociedad de Futbol (the controller) is a football club that notified the DPA of a personal data breach on 18 October 2023. The breach was caused by a ransomware-type cyber incident that affected the personal data of 60,000 data subjects. This included biometric data, names, images and ID information (including passports and foreigner identification numbers) and contact information. The data breach also involved health information of employees.
The controller reported that it became aware of the attack on 16 October 2023, when it discovered that its systems had been encrypted by ransomware. This encryption caused the loss of availability and confidentiality of the personal data. The controller published a notification of the data breach on its website on the same day, and simultaneously emailed its subscribers. A data subject lodged a complaint with the DPA on 19 October 2023, complaining about the lack of security provided to their personal data on the controller's servers. A forensic report indicated the breach had lasted from at least 14 October 2023 until 6 November 2023.
The DPA first found that the controller had violated Article 5(1)(f) GDPR (integrity and confidentiality) by not ensuring the protection and availability of personal data stored on all of the controller's virtual servers. Personal data should only have been accessed or modified by those authorized to process it, for the legitimate purpose intended by the controller.
The DPA secondly found that the controller had violated Article 32 GDPR. The DPA pointed out that the controller lacked technical and organisational measures of any kind. For instance, the controller stored its backup data copies on the same server as the originals. Therefore, the DPA found that the controller was liable for not having appropriate security measures in relation to the risk of processing, since it was responsible for making decisions aimed at effectively implementing appropriate technical and organizational measures t
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Real Sociedad de Futbol S.A.D in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 July 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€66,000
GDPRhub ID
gdprhub-9482
Cite as: Cookie Fines. Real Sociedad de Futbol S.A.D - Spain (2025). Retrieved from cookiefines.eu