SOCIEDAD DE GESTIÓN DE ACTIVOS PROCEDENTES DE LA REESTRUCTURACIÓN BANCARIA, S.A. – €180,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
SOCIEDAD DE GESTIÓN DE ACTIVOS PROCEDENTES DE LA REESTRUCTURACIÓN BANCARIA, S.A. (also known as “Sareb”, the controller) is an asset management company. On 30 August 2023, STRATESYS TECHNOLOGY SOLUTIONS S.L. (a consulting company, the processor) notified a data breach to the DPA. The data breach happened to the processor, however, it affected approximately 360 employees of the controller. The DPA began investigating after a data subject presented a complaint against the controller. The controller informed data subjects of the data breach. The controller argued that it was not the controller in this case, as its contract with the processor contained instructions on the processing of personal data. The DPA first dismissed the controller’s argument, stating that it is the one determining the purposes and means of processing in accordance with Article 4(7) GDPR. The DPA found a violation of Article 5(1)(f) GDPR, as the controller did not implement appropriate technical and organisational measures to ensure security of processing. In addition, the DPA noted that the contract between the controller and processor was vague, and contained only a series of objectives in terms of security rather than exact measures the processor should take. The DPA also found a violation of Article 28 GDPR. The contract between the controller and processor did not include a storage period limitation. This meant the processor would store the data until the end of the contract. The DPA stated that, in accordance with Article 28(3) GDPR, the controller is responsible in ensuring that the contract complies with the GDPR. The fine was initially set at €300,000 in total: €250,000 for the violation of Article 5(1)(f) GDPR, and €50,000 for the violation of Article 28 GDPR. The DPA considered it a serious violation, as it involved unauthorised access to data subjects’ ID information. According to the DPA, ID information is of sensitive nature, as it verifies a data subject’s identity. In additio
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
SOCIEDAD DE GESTIÓN DE ACTIVOS PROCEDENTES DE LA REESTRUCTURACIÓN BANCARIA, S.A. (also known as “Sareb”, the controller) is an asset management company. On 30 August 2023, STRATESYS TECHNOLOGY SOLUTIONS S.L. (a consulting company, the processor) notified a data breach to the DPA. The data breach happened to the processor, however, it affected approximately 360 employees of the controller. The DPA began investigating after a data subject presented a complaint against the controller. The controller informed data subjects of the data breach. The controller argued that it was not the controller in this case, as its contract with the processor contained instructions on the processing of personal data. The DPA first dismissed the controller’s argument, stating that it is the one determining the purposes and means of processing in accordance with Article 4(7) GDPR. The DPA found a violation of Article 5(1)(f) GDPR, as the controller did not implement appropriate technical and organisational measures to ensure security of processing. In addition, the DPA noted that the contract between the controller and processor was vague, and contained only a series of objectives in terms of security rather than exact measures the processor should take. The DPA also found a violation of Article 28 GDPR. The contract between the controller and processor did not include a storage period limitation. This meant the processor would store the data until the end of the contract. The DPA stated that, in accordance with Article 28(3) GDPR, the controller is responsible in ensuring that the contract complies with the GDPR. The fine was initially set at €300,000 in total: €250,000 for the violation of Article 5(1)(f) GDPR, and €50,000 for the violation of Article 28 GDPR. The DPA considered it a serious violation, as it involved unauthorised access to data subjects’ ID information. According to the DPA, ID information is of sensitive nature, as it verifies a data subject’s identity. In additio
Related Enforcement Actions (0)
No other enforcement actions found for SOCIEDAD DE GESTIÓN DE ACTIVOS PROCEDENTES DE LA REESTRUCTURACIÓN BANCARIA, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
4 September 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€180,000
GDPRhub ID
gdprhub-9509About this data
Cite as: Cookie Fines. SOCIEDAD DE GESTIÓN DE ACTIVOS PROCEDENTES DE LA REESTRUCTURACIÓN BANCARIA, S.A. - Spain (2025). Retrieved from cookiefines.eu
Last updated: