GDPR Enforcement in Finance, Insurance and Consulting

Deep dive into relevant data protection enforcement cases and insights for finance, insurance and consulting sectors

21 May 2026 North Macedonia 6 min read

The finance, insurance and consulting sector remains one of the most actively enforced areas under the GDPR. To date, DPAs have imposed 307 fines (+61 compared to the 2025 ETR) with a total amount of EUR 87.59 million (+EUR 20.73 million compared to the 2025 ETR; for 9 fines, the amount is unknown). Spain accounts for the largest number of fines with 120, followed by Romania (53 fines), Poland (18 fines) and Hungary (15 fines).

The largest number of fines by count (91 fines, compared to 67 in the 2025 ETR) relates to insufficient technical and organisational measures to ensure information security, having overtaken the largest group of fines in the 2025 ETR, which was issued due to an insufficient legal basis for data processing (90 fines, compared to 76 in the 2025 ETR). This highlights that data security is a key issue in the highly regulated financial and insurance sectors.

To date, the Spanish DPA (Agencia Española de Protección de Datos – AEPD) is not only leading the number of fines but has also imposed the highest fines in this sector with a total of 9 fines ranging from EUR 1 to 6 million.

Key numbers

  • Total number of fines: 307
  • Total amount: EUR 87,650,108
  • Avg./median: EUR 2,853,000
  • Biggest fine: EUR 6,000,000

Let's take a closer look

  • AEPD, Spain | Date: 13 January 2021 | Fine of EUR 6 million

The fine of EUR 6 million was imposed on a Spanish bank mainly due to an insufficient legal basis for data processing. Customers were required to accept new privacy policies allowing the controller to transfer their personal data to all companies within the bank’s group. However, according to the AEPD, the data subjects were not given the option to withhold consent specifically for this transfer. Therefore, the AEPD concluded that the customers' consent did not meet the requirements for effective consent and, as a result, the data was unlawfully transferred to other companies within the bank's group. Additionally, the AEPD determined that the bank had violated its information obligations.

Art. 6, 13, 14 GDPR | ETid-522

  • AEPD, Spain | Date: 26 October 2024 | Fine of EUR 5 million

Another Spanish bank was fined due to non-compliance with general data processing principles. A customer filed a complaint after gaining access to a document containing information on a transfer from a third party. The document contained personal data of the third party, such as the data subject’s name and bank details. During its investigation, the AEPD found that the controller had failed to implement appropriate technical and organisational measures to protect personal data and prevent such incidents and to comply with the principle of data protection by design and by default, as it acted reactively rather than proactively in handling the complaint.

Art. 5 (1) f), 25, 32 GDPR | ETid-2216

  • AEPD, Spain | Date: 10 December 2024 | Fine of EUR 4 million

A fine of EUR 4 million was imposed on a Spanish bank for insufficient technical and organisational measures to ensure information security. The controller suffered a data breach in which unknown third parties gained access to the customer data management system using a broker’s credentials, which allowed them to access customer data such as name, IBAN and personal identification number. The incident affected approximately 1.5 million individuals. During its investigation, the AEPD found, in particular, that the controller had failed to implement appropriate technical and organisational measures to protect personal data and prevent such an incident. The AEPD also found that the controller had failed to carry out a risk assessment, although this was necessary given the significant number of customers and the fact that the controller was consequently processing personal data on a large scale. The original fine of EUR 5 million was reduced to EUR 4 million due to immediate payment.

Art. 5 (1) f), 25, 32, 35 GDPR | ETid-2514

  • Tietosuojavaltuutetun toimisto, Finland | Date: 08 September 2025 | Fine of EUR 1.8 million

A fine of EUR 1.8 million was imposed on a Finnish bank. The controller had implemented a strong authentication method for its online banking services. However, due to a programming error, some customers were able to access the accounts of other customers and obtain full access to all online banking functions. This led to unauthorised payment transactions and, consequently, to financial losses for the data subjects concerned.

ETid-2873

  • Autoriteit Persoonsgegevens (AP), The Netherlands | Date: 16 October 2025 | Fine of EUR 2.7 million

A fine of EUR 2.7 million was imposed on the Dutch Division of Experian for insufficient legal basis for data processing. The company provided reports on people's creditworthiness, which were used to assess the terms (e.g. interest rates) on which companies entered into contracts with customers. Experian collected the necessary data for the ratings from various sources, including both public and non-public ones. Experian based the processing on legitimate interest; however, the AP came to a different conclusion after weighing up Experian's interest in processing the data against the interests and fundamental rights of the data subjects. Experian also failed to adequately fulfil its information obligations.  

Following the fine, Experian ceased all activities in the Netherlands and deleted its database.

Art. 5 (1) a) GDPR, Art. 6 (1) GDPR, Art. 12 (1) GDPR, Art. 14 (1) GDPR, Art. 26 (2) GDPR | ETid-2908

Main takeaways

The significant increase in the number of fines observed in previous years in this sector continues. The highest fines have all been imposed due to a lack of adequate internal compliance measures to ensure a sufficient legal basis for processing customer data. In each case, the controllers failed to obtain effective consent for the processing.

Companies in the finance, insurance and consulting sector should implement comprehensive processes to ensure a clear legal basis for each data processing activity. Establishing mechanisms to obtain effective consent from customers where necessary is essential. DPAs appear to focus on how consent was obtained and whether data subjects were fully informed by the controller.

Additionally, insufficient data security measures resulted in significant fines and may also cause considerable reputational damage. Accordingly, companies operating in the financial and insurance sectors, as well as consulting companies, should focus on strong data security measures.

As digitalisation advances in the finance, insurance and consulting sector and more services are provided online or via apps, data security becomes increasingly important. This sector is highly regulated, and companies are subject to strict scrutiny regarding data security and general IT security not only by DPAs but also by financial regulators.

Compliance hotspots

  • Several of the highest fines in the sector were imposed because banks relied on invalid or ineffective consent mechanisms when processing customer data or sharing data within corporate groups.
  • The largest category of fines in this sector now relates to insufficient technical and organisational measures (TOMs) to ensure data security.
  • Several enforcement decisions highlight that organisations lacked structured internal compliance processes to ensure GDPR requirements were implemented proactively.

Outlook

Data protection authorities are likely to continue focusing on customer data processing practices in the financial sector, particularly where organisations rely on consent as the legal basis for processing. Enforcement cases already show that supervisory authorities closely examine whether consent mechanisms provide a genuine choice and whether customers receive sufficiently transparent information about how their data will be used.

Another key enforcement priority will likely remain data security and the implementation of adequate technical and organisational measures. Financial institutions process large volumes of highly sensitive personal and financial data and are therefore frequent targets for cyberattacks. Regulators across Europe continue to identify weak security measures as one of the most common GDPR violations in the finance sector, particularly where organisations fail to implement robust access controls or other protective safeguards.

Given the ongoing digitalisation of financial services and the increasing use of online banking platforms and apps, organisations in the finance, insurance and consulting sector should expect continued regulatory attention on data security frameworks, consent management and transparency towards customers.
