On April 2, the AEPD learned of the leak, but did not notify it until September 9

It did not involve a high risk for those affected

25 March 2026 at 08:43

The Spanish Data Protection Agency became aware on April 2, 2025 of a security breach caused by the erroneous sending of documentation containing personal data to the wrong recipient, but the official notification did not take place until September 9, 2025, more than five months later.

The incident originated within an ongoing administrative procedure, not in a cyberattack. The person who received the files formally reported what had happened that same April 2. The documentation sent included full names, DNI numbers, and handwritten signatures.

A period far longer than that provided for in the GDPR

Article 33 of the General Data Protection Regulation sets a maximum of 72 hours for notifying a security breach, unless there is adequate justification for the delay. The documentation examined contains no detailed explanation that would justify a delay of more than five months.

The AEPD did not initially provide the exact date of the notification, despite it having been requested through the Transparency Portal. That refusal made it necessary to file a complaint with the Council for Transparency and Good Governance.

The date came to light after a claim

The Council for Transparency and Good Governance upheld the request and required the AEPD to disclose when it had reported the breach. In its resolution, the body held that this information was of public interest because it made it possible to verify whether the deadlines set out in the GDPR had been respected.

It also rejected the Agency's arguments about the possible harm that, in the Agency's view, disclosing that information could cause to the exercise of its functions.

No specific investigation into the incident

The AEPD did not open a specific investigation into what happened. The reasons given for not doing so include the absence of complaints from those affected, the fact that the data sent was not especially sensitive, and the fact that the recipient already partially knew the information.

The Agency itself classified the exposed data as identifying data and considered that it did not entail a high risk for those affected. Even so, the documentation sent by mistake remained accessible for a prolonged period through an electronic verification system based on a secure verification code, although the AEPD maintains that this access was restricted.

The case leaves open the question of compliance with notification deadlines in a breach that the data protection authority itself knew about from day one and whose notification date only became public after the intervention of the transparency body.

About the author
Redacción