Daily Dash: Spanish Data Regulator Fines Iberia Cards €20,000 For GDPR Breach

March 14, 2025
Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has fined Iberia Cards €20,000 for violating the General Data Protection Regulation (GDPR).

Iberia Cards, which issues co-branded credit cards linked to Iberia Airlines’ loyalty programme, was found to have breached Article 6(1) of the GDPR, which governs the lawful processing of personal data.

The penalty was imposed after an individual filed a complaint regarding the right to erasure of their personal data.

Following the ruling, the company voluntarily paid €16,000, benefiting from a 20 percent reduction offered for early payment.

The AEPD has been relatively active in taking action against payment service providers (PSPs) in recent months, including issuing significant fines for data protection failures.

In October 2024, the regulator imposed a €300,000 penalty on Ibercaja Banco over data access violations.

Earlier that month, it had fined Banco Bilbao Vizcaya Argentaria (BBVA) €200,000 for breaches that resulted in a total loss of control over an individual’s data. 

As with Iberia Cards, both banks opted for reduced payments after admitting liability.
