Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Spain: AEPD fines Open Bank €2.5M for security failures
The Spanish data protection authority (AEPD) published, on July 28, 2023, its decision in Proceeding No. PS-00331-2022, in which it imposed fines totalling €2.5 million on Open Bank, S.A., for violation of the General Data Protection Regulation (GDPR), following a complaint.
Background to the decision
In particular, the AEPD noted that the complainant was requested to prove the origin of several funds received in their bank account, in compliance with anti-money laundering regulations. However, according to the AEPD, the complainant alleged that Open Bank did not offer any mechanism to facilitate the provision of such information in a secure manner, such as by encrypting the information or uploading it to the web portal, and instead requested to receive the documents via email.
Findings of the AEPD
Further to the above, the AEPD found that Open Bank violated Articles 25 and 32 of the GDPR. Particularly, the AEPD noted that the information requested by Open Bank from the complainant is considered 'financial data,' which required the application of a series of reinforced measures to effectively apply the principles of data protection and integrate the necessary guarantees in the processing in order to meet the requirements of the GDPR. The AEPD concluded that Open Bank did not apply the principles of Data Protection by Design and by Default.
Further, the AEPD highlighted that Open Bank's technical and organizational measures for obtaining customer information did not provide adequate security as required by Article 32 of the GDPR, given the sensitive nature of the personal data involved. On this, the AEPD noted that even if the overall data processing was not considered high-risk and did not demand a Data Protection Impact Assessment (DPIA), appropriate security measures should have been applied to address potential risks at specific stages of the processing.
Outcomes
In conclusion, the AEPD issued a €1.5 million fine for violation of Article 25 of the GDPR and a €1 million fine for violation of Article 32 of the GDPR.
You can read the decision, only available in Spanish, here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
