Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), has fined Iberia Cards €20,000 for violating the General Data Protection Regulation (GDPR).
Iberia Cards, which issues co-branded credit cards linked to Iberia Airlines’ loyalty programme, was found to have breached Article 6(1) of the GDPR, which governs the lawful processing of personal data.
The penalty was imposed after an individual filed a complaint regarding the right to erasure of their personal data.
Following the ruling, the company voluntarily paid €16,000, benefiting from a 20 percent reduction offered for early payment.
The AEPD has been relatively active in taking action against payment service providers (PSPs) in recent months, including issuing significant fines for data protection failures.
In October 2024, the regulator imposed a €300,000 penalty on Ibercaja Banco over data access violations.
Earlier that month, it had fined Banco Bilbao Vizcaya Argentaria (BBVA) €200,000 for breaches that resulted in a total loss of control over an individual’s data.
As with Iberia Cards, both banks opted for reduced payments after admitting liability.