BIZUM, S.L. – €80,000 Fine (Spain, 2025)

€80,000
Agencia Española de Protección de Datos
11 August 2025
Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

BIZUM, S.L. (the controller) is a payment service provider. The controller suffered a data breach in September 2022, and reported it to the DPA in November 2023. The data breach involved contact information and names of data subjects who were in the controller’s database, and a third party published an ad on the internet selling said personal data. The data breach affected more than 20,000 data subjects, and the data of approximately 2,000 data subjects were published online. In its report, the controller acknowledged that the data was not encrypted, and that the data breach was resolved a month later.

The DPA first stated that both BIZUM and REDSYS (a payment gateway) were controllers for the BIZUM database, as REDSYS was responsible for the service infrastructure and carried out the technical and operational management of the database. In this case, however, the DPA focused on BIZUM.

The DPA found a violation of Article 32 GDPR, as the controller failed to implement appropriate technical and organisational measures to ensure security of processing. The DPA noted that while the controller noticed an unusual increase in requests in its database and quickly blocked the user, it failed to notice the fact that data subjects’ data was published on the internet; according to the DPA, the controller did not become aware of this until a year later. Therefore, the DPA concluded that the controller did not have measures in place to carry out a follow-up investigation after the unusual number of requests. The DPA also analysed the measures the controller implemented following a data breach two years before, and the reactive measures taken after the most recent data breach. These measures, however, were considered insufficient by the DPA to ensure security of processing.

The fine was initially set at €100,000 but pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may make a voluntary payment of the propo

GDPR Articles Cited

Art. 32 GDPR

Related Enforcement Actions (0)

No other enforcement actions found for BIZUM, S.L. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

11 August 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€80,000

Enforcement Tracker ID

ETid-2934

GDPRhub ID

gdprhub-9567

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. BIZUM, S.L. - Spain (2025). Retrieved from cookiefines.eu
