The Agencia Española de Protección de Datos (AEPD) imposed, by decision no. EXP202401683 of October 22, 2025, a fine of €1.56 million on a Spanish company that sells sporting goods, for a serious breach of personal data security.

The case involved a data breach of significant scope, affecting approximately 6.4 million people, including customers and employees, residing in Spain, France, Italy, the Netherlands, and Portugal. The cyberattack led to the compromise of identifying data (first name, last name, tax ID), contact information (address, phone number, email), financial data, and health data, with particular relevance to employee data, including that related to health and disability.

The notification of the breach to the data subjects was deemed late and incomplete in relation to the obligations set forth in Article 34 of EU Regulation 2016/679 (GDPR), which requires timely and clear notification in the event of a data breach posing a risk to the rights and freedoms of data subjects. The breach was also considered serious due to the failure to adopt adequate technical and organizational security measures, as well as the cross-border impact and the categories of data involved, which amplified the risk of abuse and harm to the individuals concerned.