The Spanish Data Protection Agency received 2,765 notifications of personal data breaches in 2025, underscoring the scale of cyber incidents and other security failures that can threaten individuals’ rights and freedoms, the regulator said in a statement released January 23, 2026.
According to the agency, roughly 80 percent of the breach notifications came from the private sector, while the remaining 20 percent were reported by public bodies. The volume of reports reflects the General Data Protection Regulation’s requirement that organizations notify supervisory authorities when a breach is likely to pose a risk to data subjects. The AEPD emphasized that notifying the authority is part of a controller’s proactive responsibility and does not automatically trigger an administrative investigation.
Of the 2,765 breaches reported last year, only 11 were referred for further inspection. Those cases involved high-severity incidents where there were signs of insufficient diligence, either in preventive safeguards or in how organizations responded once a breach occurred. By contrast, timely and accurate reporting was cited as evidence of responsible behavior under GDPR obligations.
The breaches affecting the largest number of individuals in 2025 were linked primarily to ransomware attacks and intrusions into information systems that enabled the exfiltration of large volumes of personal data. In several cases, cyberattacks targeting data processors—particularly large customer relationship management platforms—had an outsized impact. The agency noted that compromised credentials used to access corporate VPNs or web applications were a common entry point, adding that two-factor authentication remains one of the most effective preventive measures.
Not all incidents stemmed from cyberattacks. The AEPD also identified frequent breaches caused by human error, including sending personal data to unintended recipients or accidentally exposing information.
Beyond notifying the regulator, organizations were reminded of their duty to inform affected individuals when breaches pose a high risk. In 2025, controllers issued more than 200 million such notifications. The agency stressed that clear communication with individuals is a key factor in assessing whether an organization acted diligently and urged companies to strengthen preventive data protection measures before breaches occur.


