Biggest GDPR Fines of 2025 | Skillcast

Written by Emmeline de Chazal | 15 Apr 2025

Last year, some hefty fines were issued, often to repeat offenders. We review the largest penalties dished out in 2025 so far and the breaches behind them.

With the first quarter of the year behind us, there is sufficient information to state that it has been a relatively quiet year on the fines front. That being said, penalties have already broken the million-euro mark. The biggest breach of the year has its roots in insufficient technical and organisational measures to ensure information security. We investigate the breaches that resulted in the fines so that your company can avoid similar penalties.

Top GDPR fines in 2025

  1. Orange Espagne - €1.2m fine
  2. Caja Rural de Jaen - €400k fine

We continuously track the largest data protection fines throughout the year and have highlighted the biggest GDPR fines of all time.

The biggest 2025 GDPR fines in detail

1. Orange Espagne - €1.2m fine

GDPR breaches - Art. 6, Art. 25

Spain’s data protection authority (AEPD) has fined Orange Espagne €1.2 million for unlawful data processing related to a SIM-swapping fraud. A franchise employee fraudulently issued a duplicate SIM card without the customer's consent, enabling attackers to steal €9k from the victim's accounts.

The AEPD found Orange in violation of Articles 6 and 25 of the GDPR, citing inadequate identity verification processes. Despite Orange claiming it was individual misconduct, the regulator held the company accountable for failing to implement sufficient safeguards. The fine and required remedial actions were upheld following Orange's appeal.

2. Caja Rural de Jaen - €400k fine

GDPR breach - Art. 5(1)(f)

The AEPD has fined Caja Rural de Jaén, Barcelona y Madrid €500,000 following a cyberattack that exposed sensitive customer data due to insufficient security measures. The breach was found to violate Article 5(1)(f) of the GDPR.

The bank attempted to shift blame to its IT provider, but the AEPD maintained that the bank held ultimate responsibility for data protection. Although the bank appealed, the authority upheld the decision. After the bank agreed to pay without admitting fault, the fine was reduced to €400,000.
