
AEPD (Spain) - EXP202400055

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Article 33 GDPR
Article 83(5)(a) GDPR
Type: Complaint
Outcome: Upheld
Started: 23.01.2024
Decided: 02.12.2024
Published: 13.02.2025
Fine: 500,000 EUR
Parties: Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito
Rural Servicios Informáticos, S.L.
National Case Number/Name: EXP202400055
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: Arran

A Spanish financial institution was fined €500,000 for failing to ensure the confidentiality and security of customer data under Article 5.1(f) GDPR. A cyberattack exposed sensitive data due to inadequate security measures, violating Article 32 GDPR.

English Summary

Facts

Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito (the data controller) is a Spanish financial institution that provides banking services, including online banking through its Ruralvía Clásica platform. The bank outsourced its IT and information security operations to Rural Servicios Informáticos, S.L. ("RSI"), a third-party service provider acting as a data processor. On December 12, 2022, RSI notified the AEPD (the Spanish DPA) of a personal data breach affecting several entities of the Caja Rural Group, including Caja Rural de Jaén. The breach resulted from a cyberattack that exploited vulnerabilities in the online banking system: unauthorized third parties gained access to data subjects' personal data, including personally identifiable information. The intrusion itself took place on November 10, 2022, but was not detected until December 7, 2022.

Following RSI’s initial notification, Caja Rural de Jaén submitted an additional breach notification on January 12, 2023. The AEPD subsequently launched an investigation to determine whether the bank had failed to implement adequate security measures in compliance with GDPR. The investigation revealed that the bank’s security controls were insufficient. Furthermore, the investigation examined whether Caja Rural de Jaén had adequately notified the data breach in accordance with Articles 32 and 33 of the GDPR.

On January 23, 2024, the AEPD initiated a sanctioning procedure against Caja Rural de Jaén, proposing a fine for violations of data protection laws. The agency issued its resolution on December 2, 2024, concluding that the bank had violated Article 5.1(f) (failure to ensure data security) and imposed a €500,000 fine.

Holding

The AEPD held that Caja Rural de Jaén, Barcelona y Madrid, S.C.C. violated Article 5.1(f) GDPR by failing to implement adequate security measures to ensure the confidentiality of data subjects' personal data. The bank's online banking system (Ruralvía Clásica) had known security vulnerabilities that were not properly addressed, allowing unauthorized third-party access to personal data. The AEPD concluded that these deficiencies directly contributed to the data breach and exposed customers to risks such as identity theft and financial fraud.

The AEPD further ruled that the bank breached Article 32 GDPR by failing to implement effective security mechanisms, including intrusion detection systems and real-time monitoring tools, which could have prevented or at least mitigated the attack. The bank relied on its IT provider, Rural Servicios Informáticos, S.L. (RSI), without proper oversight, despite its obligation as the data controller to ensure compliance with data protection regulations according to Article 28 GDPR. The investigation found that internal security audits had previously flagged risks, but corrective measures were either insufficient or not properly enforced.

Additionally, the AEPD found a violation of Article 33 GDPR, as the bank failed to detect and respond to the breach in time. The attack occurred on November 10, 2022, but was not detected until December 7, 2022, nearly a month later, and the notification to the AEPD did not follow until December 12, 2022, five days after detection (Article 33(1) requires notification without undue delay and, where feasible, within 72 hours of the controller becoming aware of the breach). The delay prolonged the exposure of sensitive customer data, and the length of the undetected access indicated a lack of effective monitoring and threat detection measures.

As a result, the AEPD imposed a €500,000 fine on Caja Rural de Jaén for violations of Articles 5.1(f), 32, and 33 GDPR.

Comment

The decision highlights how important it is for financial institutions handling personal data to exercise direct oversight over third-party IT providers to ensure compliance with GDPR.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202403615
RESOLUTION TERMINATING THE PROCEDURE FOR VOLUNTARY PAYMENT
From the procedure initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On April 12, 2024, the Director of the...