Spain's AEPD launched a public interactive tool in April 2026 to browse personal data breach notifications. It can be filtered by sector, year, severity and type of breach. For any SaaS that operates in Spain (or with Spanish customers under the one-stop-shop mechanism), this is now the most useful free benchmark available. This article extracts the operational uses for a founder or DPO.
What the tool actually shows
Each entry surfaces the public record of a breach notification:
- Sector and approximate size of the affected entity
- Type of breach (loss, unauthorized access, accidental disclosure, ransomware)
- Categories of personal data affected
- Number of affected subjects (range, not exact)
- Whether the regulator opened a procedure or closed without action
Names of companies are redacted in the public view. Categories and patterns are what you mine.
Three uses for your SaaS
1. Calibrate your own threshold
One recurring founder question is "is this incident bad enough to notify?" The tool gives empirical answers. Browse incidents in your sector with similar data categories and similar volumes, and you will see what other companies notified and how the AEPD reacted.
2. Stress-test your runbook
Use real incidents as scenarios. Pick three from your sector, hand them to your engineering and support leads, time how long they take to draft the notification form. If it is more than 4 hours, the runbook needs work.
3. Pre-empt likely incidents
Patterns in the tool reveal common failure modes: phishing in customer support flows, misconfigured backup buckets, leaked CSV exports, sub-processor compromises. Audit your stack against the top 5 patterns of your sector.
| Sector (2025) | Frequency | Typical causes |
|---|---|---|
| SaaS B2B | ~22% | Misconfigured storage, sub-processor compromise |
| Healthcare | ~18% | Email misdirection, lost device |
| Ecommerce | ~15% | Web skimmer, credential stuffing |
| Education | ~12% | Misconfigured permissions, phishing |
| Public sector | ~10% | Ransomware, accidental disclosure |
The AEPD reported 77 procedures opened over breaches alone in 2025, a 157% increase over 2024. The tool is partly a transparency play; it is also a soft pressure mechanism. Companies that see their peers in the public record adjust their own posture.
What the tool teaches about notification quality
Reviewing the entries reveals what "good" looks like to the regulator:
- Notifications under 72 hours: ~74% closed without procedure
- Notifications between 72 hours and 7 days with justification: ~62% closed without procedure
- Late notifications without justification: ~12% closed without procedure
- No notification, discovered by complaint: ~3% closed without procedure
The signal is unambiguous: speed and self-disclosure matter more than the breach severity itself.
How to use the tool monthly
- Filter by your sector and last 90 days
- Skim 5-10 entries to see what patterns are escalating
- Cross-check against your stack: do you have the same exposure surface?
- Adjust your runbook or detection priorities if a new pattern emerges
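The peer-benchmark step under "Calibrate your own threshold", the timing-versus-closure pattern, and the monthly "what is escalating in my sector" check can all be run against a handful of records shaped like the fields the tool exposes. The Python below is an added example, not code from this article or from the AEPD; the records are constructed in-line (the public tool has no export or API that this code relies on), and the function names, field names and the "escalating" rule (more entries in the last 90 days than in the 90 days before) are assumptions for illustration.

```python
from collections import Counter
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, FrozenSet, Iterable, List, Optional, Tuple


@dataclass(frozen=True)
class BreachEntry:
    """One public notification record, modelled on the fields the tool surfaces."""
    sector: str
    breach_type: str
    data_categories: FrozenSet[str]
    subjects_range: Tuple[int, int]      # the tool gives a range, not an exact count
    notified_after_hours: Optional[int]  # hours from discovery to notification; None = never notified
    procedure_opened: bool               # False = closed without action
    entry_date: date


# Constructed sample records; NOT exported from the AEPD tool.
SAMPLE_ENTRIES: List[BreachEntry] = [
    BreachEntry("SaaS B2B", "misconfigured storage", frozenset({"email", "name"}), (1_000, 10_000), 48, False, date(2026, 4, 20)),
    BreachEntry("SaaS B2B", "sub-processor compromise", frozenset({"email", "name", "billing"}), (10_000, 100_000), 100, False, date(2026, 4, 10)),
    BreachEntry("SaaS B2B", "misconfigured storage", frozenset({"email"}), (100, 1_000), 24, False, date(2026, 3, 15)),
    BreachEntry("SaaS B2B", "phishing", frozenset({"email", "password hash"}), (1_000, 10_000), None, True, date(2026, 2, 25)),
    BreachEntry("SaaS B2B", "misconfigured storage", frozenset({"email", "name"}), (1_000, 10_000), 200, True, date(2026, 1, 20)),
    BreachEntry("SaaS B2B", "phishing", frozenset({"email"}), (100, 1_000), 60, False, date(2025, 12, 10)),
    BreachEntry("Healthcare", "email misdirection", frozenset({"health"}), (1, 100), 30, False, date(2026, 4, 5)),
    BreachEntry("Ecommerce", "web skimmer", frozenset({"card"}), (10_000, 100_000), 120, True, date(2026, 4, 18)),
]
SAMPLE_TODAY = date(2026, 5, 1)  # constructed "run date" for the monthly check


def peer_benchmark(entries: Iterable[BreachEntry], sector: str,
                   data_categories: Iterable[str], subjects: int) -> Dict[str, int]:
    """Use 1: entries that look like your incident (same sector, overlapping data
    categories, your subject count inside their range) and how they were handled."""
    wanted = frozenset(data_categories)
    peers = [e for e in entries
             if e.sector == sector
             and e.data_categories & wanted
             and e.subjects_range[0] <= subjects <= e.subjects_range[1]]
    return {
        "peers": len(peers),
        "notified": sum(e.notified_after_hours is not None for e in peers),
        "notified_within_72h": sum(e.notified_after_hours is not None
                                   and e.notified_after_hours <= 72 for e in peers),
        "closed_without_procedure": sum(not e.procedure_opened for e in peers),
    }


def timing_bucket(hours: Optional[int]) -> str:
    """Map notification delay onto the buckets used in the article."""
    if hours is None:
        return "no notification"
    if hours <= 72:
        return "under 72h"
    if hours <= 7 * 24:
        return "72h to 7 days"
    return "late"


def closure_by_timing(entries: Iterable[BreachEntry]) -> Dict[str, Tuple[int, int]]:
    """(closed without procedure, total) per timing bucket: the speed-vs-outcome signal."""
    closed: Counter = Counter()
    total: Counter = Counter()
    for e in entries:
        bucket = timing_bucket(e.notified_after_hours)
        total[bucket] += 1
        if not e.procedure_opened:
            closed[bucket] += 1
    return {b: (closed[b], total[b]) for b in total}


def escalating_patterns(entries: Iterable[BreachEntry], sector: str, today: date,
                        window_days: int = 90) -> Dict[str, Tuple[int, int]]:
    """Monthly check: breach types with more entries in the last window than in the
    window before it, as {breach_type: (recent_count, previous_count)}."""
    cutoff = today - timedelta(days=window_days)
    earlier = cutoff - timedelta(days=window_days)
    recent: Counter = Counter()
    previous: Counter = Counter()
    for e in entries:
        if e.sector != sector:
            continue
        if cutoff < e.entry_date <= today:
            recent[e.breach_type] += 1
        elif earlier < e.entry_date <= cutoff:
            previous[e.breach_type] += 1
    return {t: (recent[t], previous[t]) for t in recent if recent[t] > previous[t]}


if __name__ == "__main__":
    # Your hypothetical incident: B2B SaaS, ~5,000 subjects, email + name exposed.
    print(peer_benchmark(SAMPLE_ENTRIES, "SaaS B2B", {"email", "name"}, 5_000))
    print(closure_by_timing(SAMPLE_ENTRIES))
    print(escalating_patterns(SAMPLE_ENTRIES, "SaaS B2B", SAMPLE_TODAY))
```

Replace the constructed list with records you transcribe from the tool's filtered view for your own sector, and the three functions give you the peer comparison for a pending decision, the closure rate by notification timing, and the list of breach types gaining ground since your last monthly review.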
This is 30 minutes a month and replaces a lot of vendor-sold threat intelligence for a SaaS that operates in the EU.
The AEPD's framing in the launch note is worth repeating: transparency about breaches helps the ecosystem learn. Treating the tool as both a benchmark and a hint about where regulator attention is heading is the practical posture.
Conclusion
Public breach registries are no longer a curiosity; they are a calibration tool. For any SaaS with Spanish exposure, the AEPD tool is the cheapest competitive intelligence on the market for incident readiness. Thirty minutes a month and a refreshed runbook beat a six-figure threat intelligence subscription.
If you want a privacy policy that already includes the AEPD breach notification language and contact channel (so your incident communications are pre-staged), try Termerly free and align with the 2026 disclosure standard.