CENTROS COMERCIALES CARREFOUR, S.A. ("Carrefour") – €3,200,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Carrefour was fined EUR 3,200,000 after reporting multiple data breaches that exposed customer accounts. The company failed to implement adequate security measures and delayed notifying customers about the breaches. This case serves as a reminder for businesses to act quickly and responsibly in protecting customer data.
What happened
Carrefour reported five data breaches affecting nearly 119,000 customer accounts due to inadequate security measures.
Who was affected
Customers whose accounts were compromised during the data breaches.
What the authority found
The Spanish data protection authority found that Carrefour did not meet its security obligations, violating GDPR requirements for data protection.
Why this matters
This ruling stresses the importance of proactive security measures and timely communication with customers about data breaches. Businesses should enhance their security practices to prevent similar incidents.
GDPR Articles Cited
Original data from the scraper, before AI verification against the source document.
Carrefour S.A. (the controller) reported five data breaches to the DPA between January and September 2023. According to the controller, all breaches were likely related to unlawful access to clients' accounts using credential stuffing; however, it was unable to identify the original source of the stolen credentials. The controller was aware of the first breach in October 2022, but did not report it until January 2023.

According to the DPA, the breaches affected a high number of data subjects' accounts (almost 119,000 in total). This was disputed by the controller, who argued that a much lower number of accounts (974) was affected. The data breach revealed personal data relating to its clients: at the very least, the attacker was able to confirm that the credentials were correct, and there was a high risk that they also had access to personal information in the accounts (such as full name, contact information and address).

The controller claimed to have communicated with its clients following the third breach; however, the e-mail only informed the client of a change to their password and did not mention that there had been a data breach. The controller merely stated that it had reset the passwords to improve its services, and explained how the data subject could set a new password.

The DPA began investigating in May 2023. The DPA stated that the controller had not adhered to its security obligations under Article 5(1)(f) GDPR. The controller infringed Articles 24(1) and 32 GDPR by not having appropriate security measures in place. This is a proactive obligation that requires the controller to go beyond reacting to data breaches and to implement preventative measures where necessary; the DPA criticised the controller for its delay in implementing measures. For example, the controller did not introduce two-factor authentication until the fifth breach. The DPA considered two aspects as aggravating factors: first, that the data breaches posed a serious securi
Related Enforcement Actions (0)
No other enforcement actions found for CENTROS COMERCIALES CARREFOUR, S.A. ("Carrefour") in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€3,200,000
GDPRhub ID
gdprhub-9313
Cite as: Cookie Fines. CENTROS COMERCIALES CARREFOUR, S.A. ("Carrefour") - Spain (2025). Retrieved from cookiefines.eu