The AEPD notified a breach five months after learning of it: the incident occurred on April 2, 2025

The breach was not notified until "more than five months after becoming aware of the incident", according to the document

24 March 2026, 08:23

The Spanish Data Protection Agency (AEPD) notified a security breach on September 9, 2025, more than five months after becoming aware of the incident. The incident dates back to April 2, 2025, when the agency mistakenly sent a document from an administrative file, with attachments containing third parties' personal data, to the wrong recipient.

That same day, the person who received the documentation formally informed the Agency that it had been sent in error. Despite this, the breach was not notified until September. The documentation examined does not include a detailed explanation for that delay.

A sending error with identifying data of third parties

The breach was not linked to a cyberattack or a computer intrusion; it resulted from a human error in sending documentation. The material sent by mistake included names and surnames, DNI (national ID) numbers and handwritten signatures, data that the Agency itself classified as identifying.

The General Data Protection Regulation treats any unauthorised disclosure of personal data as a security breach, including when it results from human error. Article 33 of the regulation requires that such incidents be notified without undue delay and, where feasible, within 72 hours of the controller becoming aware of them.

No specific investigation into the incident

The Agency did not open a specific investigation into this breach. Among the arguments it gave for not doing so were the absence of complaints from those affected, that the data were not especially sensitive, and that the recipient already knew part of the information.

The Agency also maintained that there was no obligation to inform the affected individuals, as it did not consider there to be a high risk to their rights and freedoms. Even so, the documentation shows that the file sent by mistake remained accessible for a time through an electronic verification system based on a secure verification code. The Agency argued that this access was limited, although the mechanism allowed the document to be validated for months.

The Transparency Council forced the date to be disclosed

The specific notification date was not provided initially. The Agency at first refused to disclose it in response to a request submitted through the Transparency Portal. The subsequent complaint was upheld by the Council for Transparency and Good Governance, which compelled the body to report when it had notified the breach.

In its resolution, the Council held that the date was of public interest because it made it possible to verify whether the Agency had acted within the deadlines set by European regulations. It also rejected the claim that disclosing that information could harm the body's investigative functions.

The AEPD is the authority responsible for monitoring compliance with data protection regulations in Spain, as well as for investigating possible infringements and sanctioning conduct contrary to the law. At the time of publication, it had not commented on the delay of more than five months or on the specific reasons for it.

About the author
Redacción