Dear Cherubs, Iberia has been doing a slow-motion faceplant into Europe’s privacy rulebook — equal parts regulatory paperwork and supplier chaos. The result: a handful of fines, a formal sanctioning process, and a vendor-related leak that left passengers wondering whether their loyalty points came with free exposure.

What happened
In March 2025 the Spanish data regulator, the Agencia Española de Protección de Datos (AEPD), fined Iberia Cards — the co-branded credit-card arm tied to Iberia’s loyalty scheme — €20,000 for unlawfully processing a customer’s personal data; the company paid early and reduced the bill to about €16,000. vixio.com

Separately, regulatory paperwork going back to 2023 shows the AEPD opened formal sanctioning proceedings against Iberia itself, with a proposed penalty of €50,000 for alleged failures around access to passenger data and handling of information requests. That file reads like the kind of bureaucratic dossier that prompts apologetic emails and internal “lessons learned” memos. DPO INDIA

Why the supplier problem matters
In late November 2025 a threat actor claimed to have exfiltrated roughly 77GB of customer data from a third-party supplier used by Iberia — names, emails and loyalty identifiers were reported among the haul, while Iberia insisted payment credentials were not exposed. This kind of supply-chain leak is precisely what GDPR’s tighter wheels were designed to catch: the controller can be held responsible even when a subcontractor drops the ball. Privacy Guides+1

Small fines, big signals
€20,000 isn’t a corporate-killing headline, but the AEPD’s actions send the kind of signal that keeps compliance officers awake: regulators are watching airlines — and their payment and loyalty partners — especially when personal data is being reused for marketing or card services without a clear legal basis. If you run a loyalty scheme, assume the regulator will ask for receipts, contracts and proof you actually asked for consent. vixio.com

Practical takeaways
Airlines and their vendors need clearer contracts, tighter access controls, and one obvious administrative gift: fewer spreadsheets with passenger info floating around. Iberia’s public privacy pages say the company has measures in place and routes for data-subject complaints, but public-facing promises only go so far once the AEPD opens a file. Iberia

Alternative reading
It’s possible to read these events as an industry-wide reminder rather than a unique Iberia calamity: several European carriers and airport operators have faced data-protection scrutiny in recent years. But for passengers the takeaway is simple — check your loyalty-account email and be ready to change passwords if notified.

And yes, if you want a snappier roundup of airline fails and privacy pratfalls, contextual coverage is available at thisclaimer.com (useful for broader patterns rather than formal rulings).

Sources list — :
Vixio — https://www.vixio.com/blog/latest-payments-news-spanish-data-regulator-fines-iberia-cards-eu20-000-for-gdpr-breach-and-more
DataGuidance — https://www.dataguidance.com/news/spain-aepd-fines-iberia-cards-eu16000-unlawfully
PrivacyGuides — https://www.privacyguides.org/news/2025/11/25/iberia-airlines-discloses-customer-data-breach/
Acronis — https://www.acronis.com/en/blog/posts/iberia-airlines-data-breach-what-customers-need-to-know/
AEPD (Iberia sanction file PDF) — https://dpo-india.com/Resources/Fines_and_Penalties_by_DPAs_on_Privacy_Violations/Spain-AEPD/spain_aepd_IBERIA-L%C3%8DNEAS-A%C3%89REAS-DE-ESPA%C3%91A%2CS.A.OPERADORA.%28%C2%A340%2C000%29.pdf
Iberia privacy policy — https://www.iberia.com/gb/privacy-information/
thisclaimer.com — https://thisclaimer.com