
The Director of the Catalan Data Protection Authority (APDCAT), Meritxell Borràs i Solé, presented the 2024 annual report this Thursday to the Institutional Affairs Committee of the Parliament of Catalonia, in compliance with current regulations, to explain the activities carried out by the institution throughout the year.
In this context, she highlighted the need to remain vigilant against the threat of cybercrime and personal data theft, noting that in 2025 cyberattacks may have already compromised the data of more than 96,500 people. This figure represents nearly double the number affected during all of 2024, which reached around 52,000 individuals.
Specifically, in the first part of 2025, 23 such incidents have been detected: 8 ransomware attacks, 6 phishing attacks, and 9 hacking incidents. It is worth noting that in five cases, the number of affected individuals remains undetermined, meaning the real figure could be significantly higher. Additionally, in 5 of the 9 hacking cases, the stolen data was sold on the dark web — a trend that appears to be on the rise.
Nevertheless, human error continues to be the main cause of the security breaches detected, as was the case in 2024. That year, the proportion of cyberattacks in the public sector (and publicly mandated companies) dropped from 31% to 17%, while incidents caused by human error rose from 43% to 59%.
In this context, the Director emphasized the need to stay alert and prepared to minimize risks, using robust security systems tailored to the threat in each case. She warned that uncontrolled exposure of personal data can have irreversible consequences and that digital transformation has also moved crime into the digital realm. She reminded the audience that in the current 4.0 revolution, data are a strategic asset — especially when combined with big data and artificial intelligence — as they enable the creation of new, previously unthinkable scenarios in an increasingly competitive market.
Ongoing rise in complaints and claims
The Director also noted the continued rise in complaints and claims received by the Authority, which are being handled year after year with virtually the same staff. In 2024, complaints for violations of data protection regulations increased by 30%, while claims due to the inability to exercise data protection rights (access, rectification, deletion, etc.) rose by 55%. Since 2022, the total increase in complaints and claims has reached 84.6%. Legal advisory services also grew by more than 7% in 2024, along with public consultancy and public assistance, which increased by 25% and 13% respectively.
In this context, the Director warned that this critically strains the institution’s capacity. However, she praised the motivation of the staff to push ongoing projects forward. She noted that in 2024, APDCAT received an award at the Global Privacy Assembly for the project “Who are you? Data that speaks about you,” developed in collaboration with the Library Services of the Department of Culture of the Generalitat and the Provincial Council of Barcelona. The project includes educational activities for children, youth, and adults in libraries to raise awareness about privacy culture.
She also highlighted that data protection authorities such as the Basque Data Protection Authority and Croatia’s authority have already adopted the Catalan FRIA model, promoted by APDCAT, to ensure AI systems are designed in a way that respects fundamental rights. This pioneering model in Europe was developed in 2024 within the "DPD en xarxa" community, led by Alessandro Mantelero, an expert of the European Data Protection Board, professor of Private Law, and holder of the Jean Monnet Chair in Mediterranean Digital Societies and Law at the Polytechnic University of Turin. The model helps organizations assess the impact of AI systems on fundamental rights, as required by the AI Regulation. The Director emphasized that this model positions Catalonia as a global benchmark. She noted that the methodology has been presented at international forums in Brazil, Colombia, Georgia, and Italy, and many countries and institutions have expressed interest in learning more about it throughout the year.
She also pointed out that 2024 was the year APDCAT modernized its brand identity, in line with the objectives of its Strategic Plan — a brand that was recognized as one of the best rebrandings at the LAUS Awards for graphic design, advertising, and visual communication. Finally, 2024 also marked the relocation of the headquarters to an institutional building in central Barcelona, adapted for people with reduced mobility, at Gran Via de les Corts Catalanes, 635.
During her appearance before the Institutional Affairs Committee to present the 2024 activity report, the Director of the Catalan Data Protection Authority stressed that we cannot lower our guard in the face of the constant threat of cybercrime.