News & Press

Spanish DPA Fines Open Bank €2.5 mil over GDPR Violation

Press Release
Aug 1, 2023
min read

The Spanish Data Protection Authority, AEPD, announced several days ago its largest fine given out this year, a €2.5 million decision against Open Bank S.A.

AEPD's decision against the bank continues the regulator's push against GDPR violations big and small across Europe, with Spain issuing over 50 separate fines in the past two months alone. The €2.5 million figure is by far the largest fine, and was given over violations to articles 25 and 32, or "Insufficient technical and organisational measures to ensure information security."

In this particular case, Open Bank had requested verification of financial information from a customer via email, but failed to provide adequate data security standards or extra security measures to process such sensitive information, instead simply asking for the data over email.

Typically fines that reach into 7 figures tend to have to do with improper data processing or failure to receive proper consent before processing data, so to see a fine this large for security failures is interesting and should serve as a wake-up call to many organizations on how they communicate with customers and protect sensitive data in said communications.

The full guidelines can be found
Press release can be found