Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines Open Bank €2.5M for security failures

The Spanish data protection authority (AEPD) published, on July 28, 2023, its decision in Proceeding No. PS-00331-2022, in which it imposed fines totalling €2.5 million on Open Bank, S.A., for violation of the General Data Protection Regulation (GDPR), following a complaint.

Background to the decision

In particular, the AEPD noted that the complainant was requested to prove the origin of several funds received in their bank account, in compliance with anti-money laundering regulations. However, according to the AEPD, the complainant alleged that Open Bank did not offer any mechanism to facilitate the provision of such information in a secure manner, such as by encrypting the information or uploading it to the web portal, and instead requested to receive the documents via email.

Findings of the AEPD

Further to the above, the AEPD found that Open Bank violated Articles 25 and 32 of the GDPR. Particularly, the AEPD noted that the information requested by Open Bank from the complainant is considered 'financial data,' which required the application of a series of reinforced measures to effectively apply the principles of data protection and integrate the necessary guarantees in the processing in order to meet the requirements of the GDPR. The AEPD concluded that Open Bank did not apply the principles of Data Protection by Design and by Default.

Further, the AEPD highlighted that Open Bank's technical and organizational measures for obtaining customer information did not provide adequate security as required by Article 32 of the GDPR, given the sensitive nature of the personal data involved. On this, the AEPD noted that even if the overall data processing was not considered high-risk and did not demand a Data Protection Impact Assessment (DPIA), appropriate security measures should have been applied to address potential risks at specific stages of the processing.


In conclusion, the AEPD issued a €1.5 million fine for violation of Article 25 of the GDPR and a €1 million fine for violation of Article 32 of the GDPR.

You can read the decision, only available in Spanish, here.