Spain: AEPD fines Bankinter €100,000 for violating security obligations

The Spanish data protection authority ('AEPD') published, on 15 November 2022, its decision in Proceeding No. PS/00634/2021, in which it imposed a fine of €100,000, subsequently reduced to €80,000, on Bankinter, S.A., for violations of Articles 5(1)(f) and 32 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following an individual's complaint.

Background to the decision

In particular, the AEPD noted that the complainant had access to the data of a third party alongside their personal data whilst accessing their monthly statement on Bankinter's website. Moreover, the AEPD highlighted that the incident occurred due to an error in managing the ownership of the accounts.

Findings of the AEPD

In its findings, the AEPD confirmed that the incident violated the duty of confidentiality and consequently fined Bankinter €60,000 for the violation of Article 5(1)(f) of the GDPR.

Furthermore, the AEPD highlighted that the documentation provided in the complaint proved that Bankinter did not have an adequate level of security and had failed to implement the necessary technical and organisational measures, in violation of Article 32 of the GDPR, and therefore imposed a fine of €40,000 on Bankinter.

Moreover, the AEPD considered, among other things, that the sanction imposed had been based on the following aggravating factors:

  • the nature, seriousness, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of affected parties; and
  • the intention or negligence in the infringement.

Outcomes

As a result, the AEPD imposed a fine of €100,000 on Bankinter for violations of Articles 5(1)(f) and 32 of the GDPR. Moreover, the decision provides that, on 22 September 2022, Bankinter paid the fine in the amount of €80,000, making use of voluntary payment and acknowledging its responsibility.

You can read the decision, only available in Spanish, here.
