The Spanish Data Protection Agency received a total of 2,765 notifications of personal data breaches across the country during 2025. Eighty percent of these incidents originated from the private sector, while the remaining 20% correspond to public bodies. Only eleven of the registered cases have been referred for further investigation by the authority.
Impact and Communications to Affected Parties
In the last year, more than 200 million communications have been sent to individuals affected by breaches considered high-risk. Article 33 of the General Data Protection Regulation requires notification of any incident that could pose a risk to citizens' rights. The Agency emphasizes that reporting an incident is a legal obligation and a sign of diligence on the part of responsible entities.
Among the most serious incidents recorded in 2025 are those related to ransomware attacks and the exfiltration of large volumes of data. The Agency has identified that one of the most common entry points in these cases has been the use of compromised credentials, especially in services exposed to the internet or remote access via VPN. The absence of multi-factor authentication continues to be one of the factors that most facilitate these types of intrusions.
Human Errors and Prevention Tools
A significant portion of breaches originate from human error. Among the most frequent are sending information to incorrect recipients, accidentally publishing data, or inadequate configuration of internal systems. To facilitate incident management, the Agency provides organizations with specific tools such as Asesora Brecha and Comunica-Brecha RGPD.
Agency Performance and Focus on Diligence
The Agency emphasizes that its focus is not on penalizing those who report, but rather on cases where there are indications of a lack of diligence or non-compliance with basic data protection obligations. Only a minimal portion of cases end up under further investigation.