SERVICIOS FINANCIEROS CARREFOUR, E.F.C., S.A – €1,500,000 Fine (Spain, 2025)

€1,500,000 | Agencia Española de Protección de Datos | 17 September 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

SERVICIOS FINANCIEROS CARREFOUR, E.F.C., S.A (the controller) is a financial service provider supervised by the Spanish National Bank (Banco de España). One of the products it sells is related to the supermarket Carrefour.

The controller informed the DPA of a data breach involving data subjects’ personal data (including payment methods, contact information and ID numbers). The DPA began investigating as a result of the data breach, as well as 16 complaints from data subjects filed between December 2023 and September 2024. Several data subjects received phishing emails containing personal data obtained by unauthorised third parties. The controller informed the DPA that it had communicated the data breach to most data subjects, including those who filed a complaint.

The DPA found a violation of Article 5(1)(f) GDPR, for failing to ensure integrity and confidentiality of processing. Specifically, the DPA found that the controller did not have appropriate security measures in place to prevent unauthorised third parties from accessing data subjects’ accounts.

The fine was initially set at €2,500,000, but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it could make a voluntary payment of the proposed fine and waive its right to appeal. This action reduces the imposed fine by 20%. The fine can be reduced by a further 20% if the controller acknowledges its liability. The controller opted for both and reduced the fine by 40%, paying the reduced sanction amount of €1,500,000.

The DPA considered it a serious violation of the GDPR, because third parties were able to access a large volume of data and because the data breach exposed data subjects to phishing attempts using their personal data. Finally, the DPA took into consideration the implications of third parties accessing ID information; this exposed data subjects to the risk of identity theft. The DPA also emphasised the sensitive nature of

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR

Source verified 5 March 2026
national law identified
date discrepancy

Related Enforcement Actions (0)

No other enforcement actions found for SERVICIOS FINANCIEROS CARREFOUR, E.F.C., S.A in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date: 17 September 2025
Authority: Agencia Española de Protección de Datos
Fine Amount: €1,500,000
GDPRhub ID: gdprhub-9553

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. SERVICIOS FINANCIEROS CARREFOUR, E.F.C., S.A - Spain (2025). Retrieved from cookiefines.eu
