Key data
| Regulation | Resolution of June 17, 2026, AEPD — Publication of sanctions exceeding 1,000,000€ (art. 76.4 LOPDGDD) |
|---|---|
| BOE Publication | June 27, 2026 |
| Effective date | June 27, 2026 |
| Sanctioned companies | Vodafone España and Amadeus IT Group |
| Total amount | 15,450,000€ |
| Category | Data Protection |
| Legal basis for publication | Article 76.4 of the LOPDGDD |
Vodafone España and Amadeus IT Group together accumulate 15,450,000€ in fines imposed by the Spanish Data Protection Authority (AEPD) and published in the BOE on June 27, 2026, in accordance with article 76.4 of the LOPDGDD. The detected breaches point to two recurring failures in any organization that processes data: absence of legal basis and insufficient security measures.
These resolutions are not an isolated warning. They are the clearest signal to date that the AEPD applies the GDPR sanctioning regime with full force, even against large corporations with their own legal departments.
What does this regulation establish?
The resolution publishes, with names and amounts, the sanctions exceeding one million euros imposed on legal entities, as required by article 76.4 of the LOPDGDD. The breakdown of breaches is as follows:
| Company | GDPR Article violated | Description of the breach | Amount |
|---|---|---|---|
| Vodafone España | Art. 6.1 GDPR | Lack of legal basis for data processing (breach 1) | 150,000€ |
| Vodafone España | Art. 6.1 GDPR | Lack of legal basis for data processing (breach 2) | 150,000€ |
| Vodafone España | Art. 32 GDPR | Inadequate technical and organizational security measures | 750,000€ |
| Amadeus IT Group | Arts. 6 and 14 GDPR | Lack of legal basis for processing and failure to comply with information duty | 14,400,000€ |
Article 6 GDPR requires that every processing of personal data have a valid legal basis: consent, contract, legal obligation, vital interests, public task or legitimate interest. Processing data that fits none of these categories is a serious breach. Article 14 GDPR requires informing data subjects when their data is not obtained directly from them. Article 32 GDPR requires implementing technical and organizational measures proportionate to the risk in order to ensure the security of the data.
Economic and operational impact
The fine to Amadeus (14.4M€) is particularly relevant because it combines two breaches that often go hand in hand in technology companies that aggregate third-party data: processing data without legal basis and failing to adequately inform those affected. This type of dual sanction can multiply the final amount.
In Vodafone's case, the greatest weight falls on the security breach (750,000€, 71% of its total fine), which shows that the AEPD penalizes technical data protection failures with particular severity, not just documentary non-compliance.
From an operational perspective, these sanctions imply that companies must treat GDPR compliance as a recurring business cost, not as a one-time project. Investment in legal basis audits, records of processing activities and security measures is significantly lower than the cost of a single sanction of this magnitude.
Who does it affect?
- Large technology and telecommunications corporations that process massive volumes of customer or user data.
- Companies that aggregate or reuse data from third-party sources without verifying the legal basis or informing those affected (art. 14 GDPR risk).
- Any organization with information systems that has not reviewed its technical and organizational security measures in accordance with article 32 GDPR.
- Data controllers and processors that have not documented the legal basis for each processing activity in their Record of Processing Activities.
- Compliance, legal and technology departments that must coordinate joint review of legitimation and security.
- Data protection advisors and consultants who manage regulatory compliance for their clients.
Practical example
Imagine a hotel management software company that, to improve its recommendation service, incorporates guest data obtained from third-party booking platforms. If it does not verify that there is a valid legal basis for the new use it makes of that data (art. 6 GDPR) and does not inform guests that their data is being processed by a company other than the one they provided it to (art. 14 GDPR), it is replicating exactly the breach pattern for which Amadeus IT Group has been sanctioned with 14,400,000€.
Company size influences the amount, but not the classification of the breach. An SME in the same situation may receive a sanction proportional to its turnover that, in relative terms, is equally devastating.
What should companies do now?
- Audit the Record of Processing Activities: Review each activity and verify that it has a valid legal basis assigned from article 6 GDPR. If any activity lacks one, stop processing or document the legitimation before continuing.
- Review processing with data obtained from third parties: If your company receives data from other sources (partners, suppliers, platforms), verify that you comply with the information duty of article 14 GDPR and that there is a legal basis for the use you make of that data.
- Evaluate technical and organizational security measures: Conduct or update your risk analysis in accordance with article 32 GDPR. Document the measures implemented. Lack of documentation is as sanctionable as lack of measures.
- Review contracts with data processors: Ensure that processing agreements include the security and liability clauses required by the GDPR.
- Train your team: Failures in legal basis and security usually originate in day-to-day operational decisions. Periodic data protection training reduces the risk of involuntary breaches.
Frequently asked questions
Why is the fine to Amadeus so much higher than Vodafone's?
Amadeus IT Group was sanctioned with 14,400,000€ for simultaneously violating articles 6 and 14 of the GDPR: lack of legal basis for processing and failure to comply with the information duty. Vodafone received 1,050,000€ for three separate breaches (two of art. 6.1 and one of art. 32). The difference in amount reflects both the severity of Amadeus's breaches and the volume and scope of data processing in each case.
What is article 32 GDPR and why was Vodafone fined for it?
Article 32 GDPR requires data controllers to implement appropriate technical and organizational measures to ensure a level of security proportionate to the risk. Vodafone was sanctioned with 750,000€ for having inadequate security measures, which represents 71% of its total fine. This includes aspects such as encryption, access control, incident management and risk assessments.
Why does the AEPD publish these sanctions in the BOE?
Article 76.4 of the LOPDGDD requires the AEPD to publish in the BOE sanctions exceeding one million euros imposed on legal entities. This publication has a deterrent and transparency effect: any company or citizen can consult which organizations have been sanctioned and for what amount.
What happens if my company processes data without documented legal basis?
Processing data without a valid legal basis from article 6 GDPR is a serious breach that can result in fines of up to 20,000,000€ or 4% of global annual turnover (whichever is higher). Vodafone was sanctioned with 150,000€ for each of its two breaches of article 6.1. The amount varies depending on the volume of data, the number of affected individuals and intent.
When does this resolution take effect and what does it mean for other companies?
The resolution was published and took effect on June 27, 2026. It does not impose new direct obligations on third-party companies, but reinforces the AEPD's interpretation of articles 6, 14 and 32 of the GDPR. Any company that processes personal data should review its compliance in light of these criteria to avoid equivalent sanctions.
Official source
Consult the complete regulation in the official source.
Disclaimer: This article is for informational purposes only and does not constitute legal advice. For specific decisions, consult a qualified professional. Source: https://www.boe.es/diario_boe/txt.php?id=BOE-A-2026-14010