The Spanish Data Protection Agency has received 2,765 notifications of personal data breaches in 2025, a figure that reflects the magnitude of security incidents affecting both companies and administrations in Catalonia and the rest of the State. 80% of these notifications correspond to the private sector, while the remaining 20% come from the public sector.
Eleven cases under investigation for high severity
Of all the breaches reported, only eleven have been forwarded for further investigation due to indications of negligence on the part of the responsible organizations. These situations are considered high severity and are under analysis to determine possible responsibilities or non-compliance with the General Data Protection Regulation.
Article 33 of the GDPR requires that the competent supervisory authority be notified of any personal data breach when there is a probable risk to the affected individuals. In this context, the refusal to inform the data subjects is one of the factors that carries the most weight when transferring cases to the Agency's inspection services.
Cyber incidents and unauthorized access, main causes
The breaches that have impacted the largest number of people in 2025 are related to ransomware cyber incidents and intrusions into information systems that have allowed the exfiltration of large volumes of personal data. Cyberattacks on data processors and large customer relationship management platforms have resulted in an extraordinarily high number of people being affected. The most common entry point in these incidents has been access to corporate VPNs or web applications using compromised user credentials. Two-factor authentication is highlighted as the most effective measure to prevent unauthorized access in these types of breaches.
Human Errors and Mass Communications
In addition to cyberattacks, other frequent breaches have been related to sending personal data to incorrect recipients or accidental exposure of information. In 2025, the responsible organizations that reported a breach to the Agency issued more than 200 million communications to affected individuals due to the existence of high risk.
Agency Recommendations
The Agency reminds organizations of the importance of implementing data protection measures before a breach occurs. Recommendations include data minimization, early deletion or anonymization, blocking, and information segmentation.
- 2,765 personal data breach notifications in 2025
- 80% of incidents correspond to the private sector
- Eleven cases under investigation for high severity
- More than 200 million communications issued to affected parties