To date, 13 DPAs (three of which are different regional authorities within Germany) have imposed 29 fines on banks and other companies in the finance, insurance and consulting sector, amounting to a total of more than EUR 2.46 million (in the case of two fines, the amount is unknown). The DPAs of Hungary and Romania have been particularly "active" in this sector, imposing six fines each.
The largest group of fines by aggregated amount (EUR 2,066,165) was issued for insufficient technical and organisational measures. This highlights the fact that data security is a key issue in the highly regulated financial and insurance sectors. Fines relating to an insufficient legal basis for processing make up the second-largest group by amount; both categories count 10 fines each, but the overall amount of the legal-basis fines is considerably lower, coming in at EUR 281,510.
Let's take a closer look
- The highest fine within the sector (a periodic penalty payment of up to EUR 900,000) was imposed on the Dutch employee insurance service provider UWV due to inadequate data security measures. Security was deemed inadequate because the online employer portal lacked multi-factor authentication, even though it allowed employers and health and safety services to collect and view employees' health data. UWV was ordered to replace the existing access system with a modern multi-factor authentication system and to pay EUR 150,000 for each month it takes to implement the new GDPR-compliant system. The relatively heavy penalty can be partially attributed to the special category of personal data concerned in this case, i.e. health data.
- Another conspicuously high fine (EUR 511,000) was likewise based on inadequate data security measures. It was imposed on a bank in Bulgaria because third parties had access to over 23,000 credit records containing personal data, including copies of identity cards and even biometric data.
- The HDPA, the Greek DPA, issued a fine of EUR 150,000 to a consulting company for processing its employees' personal data on the basis of consent, which the HDPA deemed an inappropriate legal basis in this context. Additionally, the consultancy violated its information obligations, as it did not inform its employees correctly about the legal basis for the data processing.
It is noteworthy that the fines based on insufficient security measures are considerably higher than those based on other grounds, and higher still where the data concerned falls into one of the special categories of personal data, e.g. health data. Accordingly, companies operating in the financial and insurance sectors, as well as consulting companies, should focus on strong data security measures. In particular, the cases above show two recurring expectations: access to portals exposing sensitive data must be protected by multi-factor authentication, and no unauthorised third parties may gain access to clients' records. Data security will become even more important as more and more financial and insurance services are performed digitally, e.g. via online banking, payment apps or insurance apps. This applies all the more as these companies operate in a highly regulated environment and are therefore subject to strict scrutiny of their data security and general IT security, not only by DPAs but also by financial regulators.