Spain: AEPD fines 4Finance Spain €480,000 for data security failures
On May 7, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00424-2023, in which it imposed a fine of €480,000, subsequently reduced to €360,000, on 4Finance Spain Financial Services, S.A.U. (Vivus) for violations of the General Data Protection Regulation (GDPR), following a data breach.
Background to the decision
The AEPD stated that on February 17, 2023, Vivus notified the AEPD that the company had suffered a data breach which led to the exposure of the financial data of customers. Following the notification, the AEPD ordered Vivus to inform the affected customers of the data breach.
Findings of the AEPD
Following an investigation, the AEPD found that Vivus violated Article 32 of the GDPR by failing to implement appropriate technical and organizational data security measures that could have prevented the breach.
The AEPD noted that the impact assessment Vivus conducted prior to the breach focused on the financial risks to the company rather than the specific risks to individuals' rights and freedoms arising from the processing.
Additionally, the AEPD found that Vivus had violated Article 5(1)(f) of the GDPR for failing to ensure that it processed data securely.
Outcomes
In light of the above, the AEPD imposed a fine of €480,000 on Vivus. The AEPD stated that Vivus had already paid the fine, in the amount of €360,000, by making use of the voluntary payment procedure and acknowledging its responsibility.
You can read the decision, only available in Spanish, here.