
To date, DPAs from 24 different countries (+1 in comparison to the 2023 ETR) have imposed 215 fines (+52 in comparison to the 2023 ETR) on banks and other companies in the finance, insurance and consulting sector, amounting to a total of EUR 57.3 million (+22.2 million in comparison to the 2023 ETR; in the case of 9 fines, the amount is unknown). Spain leads in the number of fines imposed with 64 fines, followed by Romania (37 fines), Hungary (14 fines), Poland (12 fines) and Germany (11 fines).
The largest group of fines based on numbers (64 fines, as compared to 59 in the 2023 ETR) were issued due to an insufficient legal basis for data processing. In most of these cases, advertising messages were sent to data subjects without their consent. Another high number of fines (59 fines, compared to 42 fines in the 2023 ETR), relates to insufficient technical and organisational measures to ensure information security. This highlights the fact that data security is a key issue in the highly regulated financial and insurance sectors.
To date, the Spanish DPA (aepd) not only leads in the number of fines but has also imposed the highest fines in this sector: 6 fines in total, ranging from EUR 1 million to EUR 6 million, such as in the following cases.
Let's take a closer look
- The highest fine of EUR 6 million was imposed on a Spanish bank mainly due to an insufficient legal basis for data processing (ETid-522). Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the bank’s group. However, according to the aepd, the data subjects were not given the option of specifically not consenting to this transfer. Therefore, the aepd concluded that the customers' consent did not meet the requirements of an effective consent and, as a result, the data was unlawfully transferred to other companies within the bank's group. Additionally, the aepd determined that the bank had violated its information obligations as set out in Art. 13 and 14 GDPR. This case shows the importance of establishing and implementing comprehensive internal compliance processes before transferring data to other entities, even within the same group of companies.
- Similarly, the aepd fined another bank EUR 5 million for both lack of a sufficient legal basis for processing and failure to provide adequate information to its customers (Art. 13 GDPR), in particular regarding the type of personal data to be processed and the purpose of the processing (ETid-481). Again, the bank had failed to implement an adequate process to obtain the consent of its customers to process their data.
- Another Spanish bank was fined EUR 5 million due to non-compliance with general data processing principles (Art. 5(1)(f) GDPR, Art. 25 GDPR, Art. 32 GDPR) (ETid-2216). A customer had filed a complaint about having been given access to a document containing information on a transfer from a third party. The document contained personal data of the third party, such as the name and bank details of the data subject. During its investigation, the aepd found that the controller had failed to implement appropriate technical and organizational measures to protect personal data and prevent such incidents, and had failed to comply with the principle of data protection by design and by default, as it acted reactively rather than proactively in handling the complaint.
- A fine of EUR 3 million was imposed on a Spanish bank for an insufficient legal basis for data processing (ETid-884). An individual had filed a complaint against the controller because the bank had requested information about them from a company even though they had not been a customer of the bank since 2014, and they had been included in an advertising campaign offering them a pre-granted credit. The bank had used individuals' data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis. The aepd found that the controller had not obtained effective consent from the data subject and had not adequately informed the data subjects about the data processing, including profiling.
- Further, the aepd fined another bank EUR 2.5 million for insufficient technical and organizational measures to ensure information security (Art. 25 GDPR, Art. 32 GDPR) (ETid-2201). A data subject had been asked by the bank to provide proof of origin for payments on their account to ensure compliance with anti-money laundering regulations. However, the bank did not provide a secure mechanism for submitting this information but requested that the data subject submit the documents by email. The aepd therefore found that the controller had failed to take appropriate technical and organizational measures to protect personal data, which would have been necessary given the sensitivity of the data concerned.