CENTROS COMERCIALES CARREFOUR, S.A. ("Carrefour") – €3,200,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Carrefour S.A. (the controller) reported five data breaches to the DPA between January and September 2023. According to the controller, all breaches were likely related to unlawful access to clients' accounts using credential stuffing; however, it was unable to identify the original source of the stolen credentials. The controller was aware of the first breach in October 2022, but did not report it until January 2023. According to the DPA, the breaches affected a high number of data subjects' accounts (almost 119,000 in total). This was disputed by the controller, who argued that a much lower number of accounts (974) was affected.

The data breach revealed personal data relating to the controller's clients: at the very least, the attacker was able to confirm that the credentials were correct, and there was a high risk that they also had access to personal information in the accounts (such as full name, contact information and address). The controller claimed to have communicated with its clients following the third breach; however, the e-mail only informed the client of a change in their password and did not specify that there had been a data breach. The controller merely stated that it had reset the passwords to improve its services, and explained how the data subject could set a new password.

The DPA began investigating in May 2023. The DPA stated that the controller had not adhered to its security obligations under Article 5(1)(f) GDPR. The controller infringed Article 24(1) GDPR and Article 32 GDPR by not having appropriate security measures in place. This is a proactive obligation that requires the controller to go beyond reacting to data breaches and to implement preventative measures where necessary; the DPA criticised the controller for its delay in implementing measures. For example, the controller did not introduce two-factor authentication until the fifth breach. The DPA considered two aspects as aggravating factors: First, that the data breaches posed a serious securi
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for CENTROS COMERCIALES CARREFOUR, S.A. ("Carrefour") in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
14 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€3,200,000
GDPRhub ID
gdprhub-9313
Cite as: Cookie Fines. CENTROS COMERCIALES CARREFOUR, S.A. ("Carrefour") - Spain (2025). Retrieved from cookiefines.eu