Spain: AEPD fines Bankinter Consumer Finance €70,000 for processing without legal basis

The Spanish data protection authority ('AEPD') published, on 16 May 2023, its decision in Proceeding No. PS-00037-2023, in which it imposed a fine of €70,000 on Bankinter Consumer Finance, E.F.C., S.A., which was subsequently reduced to €42,000, for violation of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint submitted by an individual.

Background to the decision

The AEPD stated that the complainant contacted Bankinter Consumer Finance after a third party had made several cash withdrawals and payments with their bank card, and found out that a duplicate of the card had been issued without their consent and sent to an address other than their own. The AEPD further detailed that the unauthorised third party changed the mobile phone number associated with the bank account multiple times by phone, as the authentication process only required easily inferable information.

Findings of the AEPD

In light of its investigation, the AEPD held that Bankinter Consumer Finance processed the complainant's personal data without an appropriate legal basis, since their telephone number was deleted and, at the same time, a new telephone number was assigned to the bank account without their consent or any legitimate basis as provided for under Article 6(1) of the GDPR, resulting in a breach of the same.

Outcomes

In light of the above, the AEPD imposed the abovementioned fine on Bankinter Consumer Finance. In this regard, the AEPD provided that Bankinter Consumer Finance had already paid the fine in the amount of €42,000, making use of voluntary payment and acknowledging its responsibility.

You can read the decision, only available in Spanish, here.
