Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines 4Finance Spain €480,000 for data security failures

On May 7, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00424-2023, in which it imposed a fine of €480,000 on 4Finance Spain Financial Services, S.A.U. (Vivus) which was subsequently reduced to €360,000, for violations of the General Data Protection Regulation (GDPR), following a data breach.

Background to the decision

The AEPD stated that on February 17, 2023, Vivus notified the AEPD that the company had suffered a data breach which led to the exposure of the financial data of customers. Following the notification, the AEPD ordered Vivus to inform the affected customers of the data breach.

Findings of the AEPD

Following an investigation, the AEPD found that Vivus violated Article 32 of the GDPR by failing to implement appropriate technical and organizational data security measures that could have prevented the breach.

The AEPD noted that the impact assessment Vivus conducted prior to the breach focused on the financial risks to the company rather than the specific risks to individuals' rights and freedoms arising from the processing.

Additionally, the AEPD found that Vivus had violated Article 5(1)(f) of the GDPR for failing to ensure that it processed data securely.

Outcomes

In light of the above, the AEPD imposed a fine of €480,000 on Vivus. On this, the AEPD provided that Vivus had already paid the fine in the amount of €360,000, making use of the voluntary payment procedure and acknowledging its responsibility.

You can read the decision, only available in Spanish, here.