On May 7, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00424-2023, in which it imposed a fine of €480,000 on 4Finance Spain Financial Services, S.A.U. (Vivus) which was subsequently reduced to €360,000, for violations of the General Data Protection Regulation (GDPR), following a data breach.

Background to the decision

The AEPD stated that on February 17, 2023, Vivus notified the AEPD that the company had suffered a data breach which led to the exposure of the financial data of customers. Following the notification, the AEPD ordered Vivus to inform the affected customers of the data breach.

Findings of the AEPD

Following an investigation, the AEPD found that Vivus violated Article 32 of the GDPR by failing to implement appropriate technical and organizational data security measures that could have prevented the breach.

The AEPD noted that the impact assessment Vivus conducted prior to the breach focused on the financial risks to the company rather than the specific risks to individuals' rights and freedoms arising from the processing.

Additionally, the AEPD found that Vivus had violated Article 5(1)(f) of the GDPR for failing to ensure that it processed data securely.

Outcomes

In light of the above, the AEPD imposed a fine of €480,000 on Vivus. On this, the AEPD provided that Vivus had already paid the fine in the amount of €360,000, making use of the voluntary payment procedure and acknowledging its responsibility.

You can read the decision, only available in Spanish, here.