Real Sociedad de Futbol S.A.D – €66,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Real Sociedad de Futbol was fined after a ransomware attack exposed personal data of 60,000 people, including sensitive information like health data. The data protection authority found the club failed to secure its systems properly, leading to the breach. This incident highlights the need for organizations to implement strong security measures to protect personal data.
What happened
Real Sociedad de Futbol experienced a ransomware attack that compromised personal data of 60,000 individuals.
Who was affected
The 60,000 individuals whose personal data, including biometric and health information, was exposed in the breach.
What the authority found
The data protection authority determined that the club violated data protection rules by not ensuring adequate security measures for personal data.
Why this matters
This fine serves as a warning to all organizations about the importance of robust data security practices. Companies must take proactive steps to protect personal information from cyber threats.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Real Sociedad de Futbol (the controller) is a football club who notified the DPA of a personal data breach on 18 October 2023. The breach was caused by a ransomware-type cyber incident that affected the personal data of 60,000 data subjects. This included biometric data, names, images and ID information (including passports and foreigner identification numbers) and contact information. The data breach also involved health information of employees. The controller reported awareness of the attack on 16 October 2023, when it discovered that its systems had been encrypted by ransomware. This encryption caused the loss of availability and confidentiality of the personal data. The controller published a notification of the data breach on its website on the same day, and simultaneously emailed its subscribers. A data subject lodged a complaint to the DPA on 19 October 2023, complaining about the lack of security provided to their personal data on the controller's servers. A forensic report indicated the breach had lasted from at least 14 October 2023 until 6 November 2023. The DPA firstly found that the controller had violated Article 5(1)(f) GDPR (integrity and confidentiality) by not ensuring the protection and availability of personal data stored on all of the controller's virtual servers. Personal data should have only been accessed or modified by those authorized to process it, for the legitimate purpose intended by the controller. The DPA secondly found that the controller had violated Article 32 GDPR. The DPA pointed out that the controller lacked technical and organisational measures of any kind. For instance, the controller stored its back up data copies on the same server as the originals. Therefore, the DPA found that the controller was liable for not having appropriate security measures in relation to the risk of processing, since it was responsible for making decisions aimed at effectively implementing appropriate technical and organizational measures t
Related Enforcement Actions (0)
No other enforcement actions found for Real Sociedad de Futbol S.A.D in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
9 July 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€66,000
GDPRhub ID
gdprhub-9482About this data
Cite as: Cookie Fines. Real Sociedad de Futbol S.A.D - Spain (2025). Retrieved from cookiefines.eu
Last updated: