Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines Bayard €52,000 for insufficient data security measures

The Spanish data protection authority ('AEPD') published, on 27 September 2022, its decision in Proceeding No. PS-00246-2022, in which it imposed a fine of €52,000 on Bayard Revistas S.A., which was subsequently reduced to €31,200, for violations of Articles 5(1)(f), 32, and 33 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

In particular, the AEPD noted that, according to the complainant, they had received an email from the individual in charge of Bayard's web portal, informing them about the unauthorised access, by a third party, to Bayard's database containing location and contact details provided by the users through a registration form. Furthermore, the AEPD specified that Bayard assured that it had fixed all the vulnerabilities that made the access possible, implemented security incident protocols, and adopted a series of measures, such as the encryption of the stored information.

Findings of the AEPD

In light of its investigations, the AEPD stated that the users' personal data within Bayard's database had been unlawfully disclosed to a third party, thus violating the integrity and confidentiality principles under Article 5(1)(f) of the GDPR. Additionally, the AEPD specified that Bayard had failed, as the data controller, to implement appropriate technical and organisational measures to ensure an adequate level of security, breaching Article 32 of the GDPR. Finally, the AEPD found that Bayard violated Article 33 of the GDPR since Bayard was aware that it had suffered a security breach on 28 October 2021 and had not informed the AEPD until 11 November 2021.


Given the above, the AEPD imposed a fine of €52,000 for the aforementioned violations. However, the AEPD provided that, due to an admission of guilt and a voluntary payment on part of the defendant, the fine was reduced to €31,200.

You can read the decision, only available in Spanish, here.