
Finance, Insurance and Consulting

To date, DPAs from 23 different countries (+4 in comparison to the 2022 ETR) have imposed 163 fines (+55 in comparison to the 2022 ETR) on banks and other companies in the finance, insurance and consulting sector, amounting to a total of EUR 35.03 million (+5.9 million in comparison to the 2022 ETR; in the case of 7 fines, the amount is unknown). Spain leads in both the number and the amount of fines imposed: 4 of the 50 fines imposed by the Spanish DPA range between EUR 1 – 6 million. Second is Romania (24 fines), followed by Hungary (13 fines), Poland (10 fines) and Norway (7 fines).

The largest group of fines by number (59 fines, as compared to 43 in the 2022 ETR) were issued due to an insufficient legal basis for data processing. In most of these cases, advertising messages were sent to data subjects without their consent. Another large group of fines (42 fines, compared to 29 fines in the 2022 ETR) relates to insufficient technical and organisational measures to ensure information security. This highlights the fact that data security is a key issue in the highly regulated financial and insurance sectors.

Let's take a closer look


  • The highest fine (EUR 6 million) within the sector was imposed on a Spanish bank mainly due to an insufficient legal basis for data processing (ETid-522). Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the bank's group. However, according to the Spanish DPA (aepd), the data subjects were not given the option of specifically not consenting to this transfer. Therefore, the aepd concluded that the customers' consent did not meet the requirements of an effective consent and, as a result, the data was unlawfully transferred to other companies within the bank's group. Additionally, the DPA determined that the bank had violated its information obligations as set out in Art. 13 and 14 GDPR. This case shows the importance of establishing and implementing comprehensive internal compliance processes before transferring data to other entities, even within the same group of companies.
  • Similarly, the Spanish DPA fined another bank EUR 5 million for both lack of a sufficient legal basis for processing and failure to provide adequate information to its customers in accordance with Art. 13 GDPR, in particular regarding the type of personal data to be processed and the purpose of the processing (ETid-481). Again, the bank had failed to implement an adequate process to obtain the consent of its customers to process their data.
  • In another case, the Spanish DPA imposed a fine of EUR 1 million on a financial service provider for insufficient legal basis for data processing (ETid-656). A total of 96 complaints were filed with the DPA against the controller because it had included personal data of individuals associated with alleged debts in the Judicial Claims and Public Entities File ("FIJ") without their consent. In some cases, these data were not even correct. According to the DPA, the processing of the data subjects' personal data involving the FIJ file had been unlawful and violated several data protection principles. In addition, the controller had not properly informed the data subjects about the processing of their data, thus violating its duty to inform them.
  • Another bank was fined EUR 3 million by the Spanish DPA for insufficient legal basis for data processing (ETid-884). An individual had filed a complaint against the controller because the bank had requested information about him from a company even though he had not been a customer of the bank since 2014, and he had then been included in an advertising campaign offering him a pre-granted credit. The bank had used individuals' data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis. The DPA found that the controller had not obtained effective consent from the data subject and had not adequately informed the data subjects about the data processing, including the profiling.
  • The French DPA (CNIL) has fined a private insurance company EUR 1.75 million for non-compliance with general data processing principles (ETid-771). The French DPA had carried out an inspection at the company's group in 2019. On this occasion, the French DPA found that the controller kept the data of millions of individuals for an excessive period of time and did not comply with its information obligations in the context of telephone canvassing campaigns. With regard to the data of prospects, the controller did not comply with the maximum retention period of three years defined in the reference framework and in the company group's processing register. As a result, the controller retained the data of nearly 2,000 customers who had not been in contact with the controller for more than three years, and in some cases five years. In relation to customer data, the controller did not comply with the maximum statutory retention periods stipulated in the Insurance Code and the Commercial Code. In this case, the controller retained the data of more than 2 million customers, some of which were sensitive (health data) or specific (banking data), beyond the legally permitted retention periods after the end of the contract.
  • The Danish DPA (Datatilsynet) has imposed its first fine of EUR 1.3 million on a bank because of non-compliance with general data processing principles (ETid-1114). The DPA had opened an investigation against the bank after it informed the DPA that it had a problem with the deletion of personal data. During the investigation, the DPA found that the bank had failed to document the rules for deletion and storage of personal data in more than 400 systems. Consequently, the bank was unable to prove that such rules, which are required under the GDPR, existed. The DPA considered this to be a breach of the bank's accountability obligation under Art. 5 (2) GDPR.

Main takeaways


The significant increase in the number of fines observed in this sector in previous years continues. However, the amount of the fines imposed has decreased: only one fine during the reference period of the 2023 ETR exceeded EUR 1 million, whereas the reference period of the 2022 ETR saw several fines ranging in the millions. The highest fines have all been imposed due to a lack of adequate internal compliance measures to ensure a sufficient legal basis for the processing of customer data. In each case, the controllers had failed to obtain effective consent for the data processing.

Companies in the finance, insurance and consulting sector should implement comprehensive processes to ensure a clear legal basis for each data processing activity. The establishment of mechanisms to obtain effective consent from their customers where necessary is essential. DPAs seem to focus on how exactly consent was obtained and whether data subjects were fully informed by the controller.

Additionally, insufficient data security measures resulted in significant fines and might also cause considerable reputational damage. Accordingly, companies operating in the financial and insurance sectors as well as consulting companies should focus on strong data security measures.

As digitalization advances in the finance, insurance and consulting sector and more and more services are provided online or via apps, data security becomes increasingly important. This sector is typically highly regulated and the companies are not only subject to strict scrutiny regarding their data security and general IT security by DPAs but also by financial regulators.