To date, 15 DPAs (+4 in comparison to the ETR 2020) have imposed 60 fines (+31 in comparison to the ETR 2020) on banks and other companies in the finance, insurance and consulting sector, amounting to a total of EUR 17 million (+14.54 million in comparison to the ETR 2020; in the case of 2 fines, the amount is unknown). The DPAs of Spain, Hungary and Romania have been particularly "active" in this sector, imposing 10 or more fines each.
The largest group of fines, both by number (21 fines) and by aggregated amount (EUR 6,383,970), was issued due to an insufficient legal basis for data processing. It is worth noting that in many of these cases, advertising messages were sent to data subjects without their consent. Fines relating to insufficient technical and organisational measures to ensure information security make up the second-largest group, with an almost equally high number (20 fines). This highlights the fact that data security is a key issue in the highly regulated financial and insurance sectors.
Let's take a closer look:
- The highest fine (EUR 6 million) within the sector was imposed on a Spanish bank mainly due to an insufficient legal basis for data processing (ETid-522). Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the CaixaBank Group. However, the data subjects were not given the option of specifically refusing consent to this transfer. The Spanish DPA concluded that the customers' consent did not meet the requirements of an effective consent and that, as a result, the data was unlawfully transferred to other companies within the bank's group. Additionally, the DPA determined that the bank had violated its information obligations as set out in Art. 13 and 14 GDPR. The bank had not completely overlooked the need to obtain consent or its information obligations, but rather made avoidable mistakes in several steps of the data transfer. This case shows the importance of establishing and implementing comprehensive internal compliance processes before transferring data to other entities, even within the same group of companies.
- Similarly, the Spanish DPA fined another bank EUR 5 million for both lack of a sufficient legal basis for processing and failure to provide adequate information to its customers in accordance with Art. 13 GDPR, in particular regarding the type of personal data to be processed and the purpose of the processing (ETid-481). Again, the bank had failed to implement an adequate process to obtain the consent of its customers to process their data.
- The DPA of Baden-Wuerttemberg in Germany imposed a fine of over EUR 1.2 million on an insurance organisation for failing to establish adequate technical and organisational measures to ensure that only the data of data subjects who had given their effective consent would be used for marketing purposes (ETid-306).
It is noteworthy that the fines in this sector have increased significantly over the past 12 months, with several fines now ranging in the millions. Strikingly, the three highest fines have all been imposed due to a lack of adequate internal compliance measures to ensure a sufficient legal basis for the processing of customer data. In each case, the controllers had failed to obtain effective consent for the data processing.
Therefore, businesses in the finance, insurance and consulting sector should firmly establish and implement comprehensive processes to ensure a clear legal basis for each data processing activity. In particular, they should put in place adequate mechanisms to obtain effective consent from their customers where necessary and to ensure that data is only processed in accordance with this consent. DPAs seem to look more closely at how exactly consent was obtained and whether data subjects were fully informed by the controller.
Additionally, insufficient data security measures resulted in significant fines and might also cause considerable reputational damage. Accordingly, companies operating in the financial and insurance sectors as well as consulting companies should focus on strong data security measures.
Data security will become even more important as more and more financial and insurance services are performed digitally, e.g. via online banking, payment apps or insurance apps. This applies all the more as these companies operate in a highly regulated environment and are therefore subject to strict scrutiny regarding their data security and general IT security, not only by DPAs but also by financial regulators.