To date, DPAs from 24 different countries have imposed 257 fines (+43 in comparison to the 2024 ETR) on banks and other companies in the finance, insurance and consulting sector, amounting to a total of EUR 66.92 million (+EUR 15.13 million in comparison to the 2024 ETR; in the case of 8 fines, the amount is unknown). Spain leads in the number of fines imposed with 92 fines, followed by Romania (38 fines), Poland (16 fines) and Hungary (14 fines).
The largest group of fines by number (76 fines, compared to 64 in the 2024 ETR) was issued due to an insufficient legal basis for data processing. In most of these cases, advertising messages were sent to data subjects without their consent. Another large group of fines (67 fines, compared to 59 fines in the 2024 ETR) relates to insufficient technical and organisational measures to ensure information security. This highlights the fact that data security is a key issue in the highly regulated financial and insurance sectors. To date, the Spanish DPA (aepd) not only leads in the number of fines it has issued but has also imposed the highest fines in this sector, with a total of 12 fines ranging from EUR 1 million to EUR 6 million, such as in the following cases.
Let's take a closer look
- The highest fine of EUR 6 million was imposed on a Spanish bank mainly due to an insufficient legal basis for data processing (ETid-522). Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the bank’s group. However, according to the aepd, the data subjects were not given the option of specifically not consenting to this transfer. Therefore, the aepd concluded that the customers' consent did not meet the requirements of an effective consent and, as a result, the data was unlawfully transferred to other companies within the bank's group. Additionally, the aepd determined that the bank had violated its information obligations as set out in Art. 13 and 14 GDPR. This case shows the importance of establishing and implementing comprehensive internal compliance processes before transferring data to other entities, even within the same group of companies.
- Similarly, the aepd fined another bank EUR 5 million for both lack of a sufficient legal basis for processing and failure to provide adequate information to its customers (Art. 13 GDPR), in particular regarding the type of personal data to be processed and the purpose of the processing (ETid-481). Again, the bank had failed to implement an adequate process to obtain the consent of its customers to process their data.
- Another Spanish bank was fined EUR 5 million due to non-compliance with general data processing principles (Art. 5 (1) f) GDPR, Art. 25 GDPR, Art. 32 GDPR) (ETid-2216). A customer had filed a complaint after being given access to a document containing information on a transfer from a third party. The document contained personal data of the third party, such as the name and bank details of that data subject. During its investigation, the aepd found that the controller had failed to implement appropriate technical and organisational measures to protect personal data and prevent such incidents, and had failed to comply with the principle of data protection by design and by default, as it acted reactively rather than proactively in handling the complaint.
- A fine of EUR 4 million was imposed on a Spanish bank for insufficient technical and organisational measures to ensure information security (ETid-2514). The controller had suffered a data breach in which unknown third parties gained access to the customer data management system using the credentials of a broker, which allowed them to access customer data such as names, IBANs and personal identification numbers. The incident affected approximately 1.5 million individuals. During its investigation, the DPA found, in particular, that the controller had failed to implement appropriate technical and organisational measures to protect personal data and prevent such an incident. The DPA also found that the controller had failed to carry out a risk assessment, although this was deemed necessary given the significant number of customers and the fact that the controller was consequently processing the personal data of those data subjects on a large scale. The original fine of EUR 5 million was reduced to EUR 4 million due to immediate payment.