AEPD (Spain) - EXP202304633

From GDPRhub
AEPD - EXP202304633
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 32 GDPR
Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Investigation
Outcome: Violation Found
Started: 11.04.2023
Decided: 07.05.2024
Published:
Fine: 360,000
Parties: 4Finance Spain Financial Services
National Case Number/Name: EXP202304633
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a lending institution €600,000 for inadequate security measures, including its lack of two-factor authentication when approving loans. The controller acknowledged its fault and paid a reduced fine of €360,000 in accordance with national law.

English Summary

Facts

On 10 August 2022, a data subject notified 4Finance Spain Financial Services, S.A.U. (the controller) that they had received an unsolicited loan to their bank account with the controller. By 1 September 2022, the controller had received 10 more complaints of a similar nature from clients. The controller assessed the risk levels and severity of these breaches in August, September and November of the same year using an internal method based on European Union Agency for Cybersecurity (ENISA) standards. Based on these assessments, the controller determined that it was not necessary to notify the violation to the AEPD or to affected parties.

Between 3 and 23 February 2023, the AEPD received various complaints from data subjects, who were clients of the controller, alleging similar unsolicited loans to their accounts. On 14 February 2023, the controller claimed to become aware of a data breach affecting personal data of its clients and employees. The breach ultimately affected 9636 data subjects and included names, birth dates, national identification numbers, foreigner identity numbers, passport or identification document numbers, payment data (such as banks and cards) and contact information.

The breach was a brute force attack that attempted different combinations of national identity numbers and emails with passwords. Once the attackers gained access to client accounts, they took out loans in the data subjects’ names, which the controller accepted and placed into client accounts. The hackers then contacted data subjects via WhatsApp, pretending to be the controller and requesting the refund of the amount to an account number controlled by the attackers. 139 of the affected data subjects were victims of this fraud.

The controller notified the Spanish DPA (AEPD) of the data breach on 17 February 2023. It expressed that it did not consider the breach to pose a high risk to the rights and liberties of affected data subjects and that it thus would not communicate the breach to them directly.

On 11 April 2023, the AEPD initiated an investigation against the controller and ordered the controller to communicate the breach to data subjects, which the controller did on the same day.

In response to the breach, the controller registered the breach in the register of incidents, filed a police report, circulated a communication to clients noting that it did not communicate with clients via Whatsapp, reset certain user passwords and amended its password policy to require more complexity and implemented two-factor authentication.

Holding

The AEPD found likely violations of Articles 5(1)(f) and 32 GDPR and recommended a €600,000 fine. The controller acknowledged its fault and paid a reduced fine of €340,000 in accordance with national law.

In finding a likely violation of Article 5(1)(f) GDPR, the AEPD focused on the sensitive nature of the data, the method of attack and the number of affected data subjects. The types of personal data acquired in the breach, including data subjects’ contact information as well as their financial information and history, amplified the security risks. Such combinations of data, the AEPD noted, could be used to construct detailed financial profiles of data subjects that make them more vulnerable to identity theft, fraud and other cyberattacks – such as in this case, where attackers were able to contact data subjects after manipulating their finances.

Due to the controller’s inadequate risk assessments and security measures, the AEPD also found a probable infraction of Article 32 GDPR. The AEPD noted that the controller’s handling of financial data and identification information is sensitive and thus obliges greater caution in implementing security measures. It thus considered the lack of a two-factor authentication prior to requesting a loan a serious oversight that facilitated the breach. Though it commended the controller’s adoption of mitigating measures including two-factor authentication after the breach, the AEPD found that these changes emphasised the shortcomings in its prior security system. Even after the controller was made aware of the risks by client complaints and internal risk assessments, it failed to adequately estimate the severity of the data breach. The inadequacy of the controller’s risk assessment was further demonstrated by its failure to communicate the incident to affected data subjects until ordered to do so by the AEPD.

Given these likely violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €600,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €360,000.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

1/33








     File No.: EXP202304633

       RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE

                                   VOLUNTEER

From the procedure instructed by the Spanish Data Protection Agency and based
to the following



                                 BACKGROUND

FIRST: On April 8, 2024, the Director of the Spanish Agency for
Data Protection agreed to initiate sanctioning proceedings against 4FINANCE SPAIN

FINANCIAL SERVICES, S.A.U. (hereinafter, the claimed party), through the
Agreement transcribed:

<<



File No.: EXP202304633


           AGREEMENT TO START SANCTIONING PROCEDURE


Of the actions carried out by the Spanish Data Protection Agency and in
based on the following

                                     FACTS


FIRST: On February 17, 2023, the Innovation Division was notified
Technological of this Agency a security breach of personal data
sent by 4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. with NIF A86521309
(hereinafter, VIVUS) as data controller. As a consequence of the
known facts, on April 11, 2023, the Director of the Spanish Agency

of Data Protection ordered the General Subdirectorate of Data Inspection
(SGID) carry out the appropriate prior investigations in order to determine a
possible violation of data protection regulations.

SECOND: The General Subdirectorate of Data Inspection proceeded to carry out

of previous investigative actions to clarify the facts in
issue, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter GDPR), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following points:


On February 17, 2023, the person responsible for 4FINANCE SPAIN FINANCIAL
SERVICES (hereinafter VIVUS) makes an initial notification of the data breach
personal with entry registration REGAGE23e00010208403, in which he states
having suffered a confidentiality breach due to unauthorized access to customer data

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid Seeagpd.gob.es 2/33








clients, including basic, identifying and contact data of a total of 427
employees. The person in charge indicates that they continue to investigate the incident.

On March 31, 2023, additional notification of the data breach is received
personal with entry registration REGAGE23e00021779018, in which

states:

    - Description of the incident: consisting of unauthorized access to profiles
       of clients in the VIVUS database. The incident was investigated
       internally.
    - Regarding the start date, they claim that it is unknown, while it is

       determines February 14, 2023 as the detection date.
    - They indicate that the affected data was not encrypted.
    - Regarding the consequences for the affected people, they affirm that they do not
       are affected, except for some very limited inconveniences, but in
       in any case reversible.

    - Regarding the categories of data affected, there are: basic data
       (Ex: name, surname, date of birth), DNI, NIE, Passport and/or
       any other identification document, payment method data (Card
       bank, etc.…), and contact information.
    - Number of affected: 9636 (There are no minors), they affirm that they will not be
       communications.

    - They claim that they have brought it to the attention of police authorities.
    - Detection method: Communication from someone affected.
    - A summary is included in which it is stated that through a force attack
       raw testing combinations of ID/password and Email/password, the
       Cybercriminals had access to the personal data of the customer profile of
       9636 natural persons. These data included name and surname, DNI/NIE, date

       of birth, postal address, email, IBAN, mobile phone and bank card
       pseudonymized. They claim that 139 clients have been victims of fraud
       have requested credit in your name through the application, and once
       granted, they have contacted the customer via WhatsApp to request a refund
       immediately to a bank account number of cybercriminals.
    - They claim that as a reactive measure they have implemented 2FA.

    - The person responsible states that he will not inform those affected as he does not consider
       high risk.

From this authority, the person responsible was ordered to carry out the
communication of the personal data breach to the interested parties in accordance with the article
34 of the GDPR without undue delay and so that the measures can be adopted

that they consider appropriate to avoid those risks that could affect their
person.

On April 11, 2023 and entry registration REGAGE23e00023503645,
receives a letter from VIVUS confirming the sending of the communication

individualized to all clients affected by the breach, providing capture of
screen of an email where only the sender address is visible
(vivus@sm.vivus.es) (but not the destination addresses). The body of this email
contains information about the incident that occurred, about the data that has been possible
be affected, the measures adopted by the company after the incident, the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/33








recommendations on possible measures to be adopted by the affected client and
the possible means of contact for more information.

Likewise, in relation to the indicated gap, the following have been received:
claims in this Agency by affected people:


Claim 1: on February 3, 2023 and check-in
REGAGE23e00007166247, A.A.A. claim is received. related to the
alleged identity theft by having requested a loan in his name and
This having been granted by VIVUS and deposited into a bank account of your
ownership. The transfer of this claim to VIVUS was carried out on March 16

2023 and a response is subsequently received on April 13, 2023 and registration
input REGAGE23e00024080156.

Claim 2: on February 5, 2023 and check-in
REGAGE23e00007349177, complaint received from B.B.B. related to the

alleged identity theft by having requested a loan in his name and
This having been granted by VIVUS and deposited into a bank account of your
ownership. The transfer of this claim is made on March 16, 2023 and
Response is received on April 13, 2023 and with check-in
REGAGE23e00024080388.


Claim 3: on February 5, 2023 and check-in
REGAGE23e00007333527, C.C.C claim is received. related to the
alleged identity theft by having requested a loan in his name and
This having been granted by VIVUS and deposited into a bank account of your
ownership. The transfer of this claim to VIVUS was carried out on March 16
2023 and response was received on April 13, 2023 and check-in

REGAGE23e00024082969.

Claim 4: on February 6, 2023 and check-in
REGAGE23e00007574937, D.D.D. claim is received. related to the
alleged identity theft when a loan was requested in his name
and having been granted by VIVUS and deposited into a bank account of your

ownership. Provide a copy of the complaint to the Police and a copy of your ID. The transfer of
This claim to VIVUS was made on March 16, 2023 and was received
response on April 13, 2023 and check-in
REGAGE23e00024084764.

Claim 5: on February 11, 2023 and check-in

REGAGE23e00008763533, claim is received from E.E.E. related with
the alleged identity theft when a loan was requested in his name
and having been granted by VIVUS and deposited into a bank account of your
ownership of which this company was aware. A copy of the complaint is attached
filed with the National Police. The transfer of this claim to VIVUS is

carried out on March 16, 2023 and a response was received on April 13,
2023 and with registration REGAGE23e00024084642.

Claim 6: on February 23, 2023 and check-in
REGAGE23e00011468445, claim received from F.F.F. related to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/33








alleged identity theft in the application for a loan granted by
VIVUS and deposited into a bank account owned by you. The transfer of this
claim to VIVUS was made on March 16, 2023 and a response was received
dated April 13, 2023 and check-in REGAGE23e00024084525.


On March 16, 2023, the VIVUS person responsible for the different
claims received, requesting the following information:
    - Detailed and chronological description of the facts and specification of the
       causes of the incident.
    - Number of people affected, category of data involved and possible
       consequences for those affected.

    - Actions taken to solve the incident and measures to prevent it from happening again.
       happen.
    - Treatment risk analysis, preventive safety measures
       implemented and impact evaluation where appropriate.
    - Copy of the Record of Treatment Activities.

    - If it has been communicated to those affected, the channel used, date of communication
       and details of the message sent. If the
       communication, indicate the reasons.

VIVUS responded on April 13, 2023 and individually to each one
of the transfers made by this entity. Content of the aforementioned writings

The following relevant information is extracted:

    - For each of the claims, a detailed analysis of the
       scenario of impact on the specific client, indicating the dates on which
       They were aware of the corresponding incident, as well as the details
       regarding the communications they had with each client.

    - In relation to the causes that caused the incident, he states:
            That on August 10, 2022 was when he received the first
               notification from a client, who reported having received money in
               his bank account under a loan he had not requested.
            That the attackers made numerous login attempts

               using different IP addresses and using the ID or email of the
               client (as username) and a password, obtained from
               from external and non-VIVUS sources. Once they agreed, they requested
               loans on behalf of the client which were accepted and
               disbursed into his account. Later, the attackers

               They proceeded to contact said client through WhatsApp
               requesting the refund of the amount to an account number that was
               controlled by them.
    - It states that there are a total of 9,636 affected and that the type of data
       affected was the one existing in the web user's personal area. So
       specifically, there was: Name and Surname, Date of Birth, Address

       Postcard, Email, Mobile Phone, DNI/NIE, IBAN, Pseudonymized bank card,
       as well as data on active loans that the user had granted.
       not yet finalized such as the amount, accrued interest, term and
       expiration.
    - Regarding the possible consequences for those affected, he maintains that the
       nature of the set of personal data accessed is not

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/33








       provided substantial information about the financial situation and that
       They considered that it did not entail a high risk for the rights and freedoms
       of those affected.
    - In relation to the actions taken by the person responsible to solve the problem.
       incident, communicate the adoption of the following measures:

            Record the gap in the incident log.
            Complaint to the Police.
            Official communication to different clients and through the website
               on information that the entity does not use WhatsApp.

            Reset all user passwords dated December 11
               February 2022.
            Implementation of a two-factor authentication system
               implemented on February 21, 2023.

            Modification of the login password policy,
               increasing its complexity and forcing every user to modify it.
            Improvement of the operation of the SIEM system, reviewing the
               internal incident response procedure.
            Inclusion of clients affected by fraud in a certain category

               in order to avoid derived consequences.
            Sending communication to all affected clients. Your
               accreditation in new requirement.
    - In response to our request to provide risk analysis and
       security measures that were concluded, state the following: “The treatment

       of customer access data to web profiles and the acquisition of
       Online applications do not pose high risks for data protection,
       Therefore, an Impact Assessment of these has not been carried out.
       treatments. However, to guarantee technical and organizational measures
       The following security measures were specifically implemented

       relevant to the reported security incident:
            Security monitoring.
            Password policy: minimum complexity rules are defined for
               Passwords used to log into user profiles
               customers.

            Protection of web applications.
            Firewalls and intrusion prevention systems. Protection against
               Malware.
            Reporting, management and investigation of security incidents: management

               of security incidents is well established and complies with the
               expectations of the 4finance Group.”
    - States that, from September to the end of November 2020, the
       information security department conducted a comprehensive assessment of
       information security risks with the objective of evaluating and improving the
       security measures in the areas of software, network and data distribution,

       people and processes. As a result, measures of
       security to protect the organization against automated attacks from
       brute force related to password guessing.
    - Indicates having performed an external penetration test of the application
       vivus.es by a professional services firm on dates between
       on February 9 and 17, 2022.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/33








    - They provide the Registry of Treatment Activities, in English, with the
        treatment activity affected by the gap: “Customer Registration and
        Contract Signing”.
    - They point out that the violation has been communicated to all affected clients in
        dated April 11, 2023 and which was initially notified to the AEPD on April 17

        February 2023.
    - They affirm that among the measures adopted to avoid new incidents has been
        the implementation of the double authentication system (2FA) in the service is key
        Web.

Within the framework of this investigation, on June 30, 2023, a first

information request to the VIVUS responsible:

    - That the communication of the breach made is accredited, since it is only
        had provided the text of the communication.
    - The adoption of existing organizational measures in the

        organization to manage security incidents that affect data
        personal (the management of personal data breaches).
    - That the communications that the entity maintained with the first party be accredited.
        affected customer who contacted the company on August 10, 2022.
    - That the risk analysis is accredited to guarantee both the safety of
        the treatments as well as the rights and freedoms of the affected people, as well as

        such as, where appropriate, impact evaluations.
    - That they certify the reactive measures implemented after the security breach,
        influencing those measures aimed at stopping brute force attacks
        and to monitor user traceability.
    - That the complaint filed with the security forces be accredited.
    - Investigate the details of the existing procedure to identify customers

        who request loans through the web area.

On July 19, 2023 and entry records REGAGE23e00048973515 and
REGAGE23e00049304085, response to the previous request is received,
The following relevant information for the investigation was extracted from its analysis:


    - Claims that the access credentials used were already available by
        part of the attackers prior to the breach, possibly
        coming from leaks from third parties and external sources, so the
        This attack does not correspond to a brute force attack but to an attack
        “credential stuffing”.
    - They provide a document with the total volume of failed login attempts

        broken down by date. From his analysis, the days between
        4 and 14 February 2023, with peaks of up to 18 million failed attempts
        in a single day.
    - Indicates that in the moments prior to the breach, the VIVUS systems
        were protected against a high number of failed connections from the

        following way:
            Protection against "brute force" attacks was implemented in the
               vivus.es web application, increasing the waiting time of
               authentication after a failed attempt for a specific user.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/33








               After subsequent failed authentication attempts, the waiting time
               wait was doubled for these users.
            Protection against a large number of fake web requests is
               implemented in the Imperva WAF software, mainly with the

               purpose of preventing denial of service (DoS) attacks. He
               configuration setting was to block any source that generates
               more than 450 requests per second.
            They affirm that the security systems for the vivus.es product
               were prepared to detect and alert about attack patterns

               common in web applications (SQL Injections, Cross Site Scripting
               (XSS), File Inclusion Attacks, Directory Traversal Attacks, DoS/DDoS
               attacks etc), but they did not detect or alert about a high number
               of failed connection attempts.
    - Recording of the telephone call received by the client is provided
       affected on August 11, 2022 at 8:46 p.m., in which the user

       affected person reports having received money from a loan that was not
       required. Subsequently, on August 12, 2022, this client sent
       via email the copy of the complaint filed, an email that was responded to by
       VIVUS on August 17, 2022 informing the client of the following: “our
       company has proceeded to activate the procedure applicable to these cases, which
       includes the management of the file as a fraud case, which implies the

       paralysis of all debt recovery actions since once
       Once the facts have been reported, there will be no claim from us.”
    - From the preliminary report of the director of INFOSEC (Department of Security
       of VIVUS) written on March 15, 2023, the following are extracted
       affirmations:
            On February 21, 2023, 2FA was implemented, which paralyzed the attack.

            There were 3905 success cases out of 218401 attempts made using
               ID/PASSWORD combination.
            There were 6977 success cases out of 2728941 access attempts
               performed by attackers using combinations of

               EMAIL/PASSWORD.
            Of the total number of successful accesses, they affirm evidence of data access
               from a total of 9497 VIVUS clients.
    - Two penetration analyzes carried out in February 2022 are accredited (at
       VIVUS mobile application) and June 2023 (to the web application that gave

       access to the personal client area). From the analysis of said reports,
       concludes that the vulnerabilities that were detected are not linked to the
       attack vector of the present security breach.
    - States that each incident detected was analyzed and managed by the
       incident management procedure and that the incident analysis was updated
       risks. The management procedure is documented

       previous incidents.
    - Four documents are provided with different analyzes and evaluations of the
       severity of the incident, carried out at different temporal moments (at
       as cases were discovered), using a
       internal methodology based on ENISA's own methodology. In these
       analysis, the risk level of the incident was assigned a quantitative value,

       evaluating three main parameters:
            The context of the gap (1 being minimum and 4 maximum).
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/33








            The ease of identification of the affected person (with a value between 0 and
               1 maximum)
            The circumstances in which the breach occurred (with a value of
               severity from 0 to 2 maximum).


       After the analysis, a final value was assigned to the risk level of the incident,
       making use of the following formula: [Incident Severity=
       (Context*Ease of Identification of the Affected) + Circumstances].
       From the analysis of each document provided with the previous evaluations,

       extracts for this report:

            A first document is provided with the initial evaluation of the incident
               when only one affected case was known, which is signed on
               dated August 11, 2022 by the entity's DPD. For
               To quantify the risk, the minimum value was assigned to the context (1), a value

               from 0.75 to the Ease of Identification (which had the following
               meaning according to methodology “Identification is possible from
               the data breached, with the need for investigation to discover the
               identity of the individual“), concluding the evaluation that the incident DOES NOT
               was sufficiently important to communicate it to the AEPD. This contrasts

               with the type of data filtered through the client web area, since
               that the set of these data allowed an easy identification of the
               individual without the need for additional special investigation.
            A new document is provided with a second evaluation of the
               incident when 11 clients were known to be affected, signed by the DPD
               on September 1, 2022 and concluding with a value of

               LOW risk, stating that “the severity of the incident is NOT
               sufficient entity to require notification to the competent authority
               nor to those interested.” In the risk assessment, a
               value of 0.75 for ease of identification, the maximum value being
               the scale used 1, with the meaning “Identification is possible through

               from leaked data without the need to carry out an investigation
               special to discover the identity of the individual.” The data set
               that were being filtered through the client's web area were, among
               others, the name and surname, date of birth, postal address,
               Email, Mobile Phone, DNI/NIE, which are sufficient to
               obtain identification of the affected person without the need to

               conduct special investigation.
            A third document is provided with the evaluation of the incident when
               83 affected clients were known, signed by the DPD on 14
               November 2022, the result of which was a LOW risk value,
               stating that “the incident is NOT of sufficient magnitude to

               that the security breach must be reported to the Spanish Agency
               of Data Protection nor to the interested parties, while the information
               personnel allegedly violated was minimal, and taking into account
               that access has been completely restricted.” The same was assigned
               value for Context and Ease of Identification than in points
               previous.

            A document with the evaluation of the incident when the information was available
               following information: “less than 35000 successful logins, but
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/33








               the scope of the access data is unknown, currently 427
               customers have been defrauded (as of February 17, 2022).” This
               document is signed by the DPD on February 17, 2023 and in the
               evaluation, a MEDIUM risk level is concluded, assigning in this
               case a maximum value of 1 to the Ease of Identification of the client

               affected (higher than the value of 0.75 given in the previous documents).
               However, the set of personal data leaked was the same as
               for previous affected customers. The result of this analysis
               led to the following conclusion: “[…] it must be communicated to the Agency
               Spanish Data Protection. However, in view of the
               violated data category, it is not considered that there are risks for

               the rights and freedoms of the interested parties, while the
               personal information violated is minimal, so it is concluded that
               It is not necessary to communicate to clients.”
            Within the four previous documents there is a section
               which refers to the assessment of the incident by the

               VIVUS security department: “Severity classification
               determined by the Information Security Unit in accordance
               with the Security Incident Response Procedure of the
               Information: HIGH SEVERITY (Level 1) due to financial impact”,
               Despite this statement, it was assessed that it was not necessary to notify the
               incident.

    - In relation to the four documents previously analyzed in which
       VIVUS concluded a level of risk and severity of the breach, by this
       inspection, a simulation is carried out with the Advisory tool.
       Gap, using the same data that was already available from VIVUS
       in September 2022, and resulting in the obligation to

       notify the breach to this Agency without undue delay. In the same way,
       The Communica-Brecha tool is used with the information that
       the person in charge had in September 2022, resulting in
       “You should communicate the breach to the AEPD.” The input data used in
       Both tools were the following:
            Sector of activity: Financial Entity

            The breach is a consequence of a cyber incident with unauthorized access
               to personal data.
            Data affected: basic, DNI number, postal address, telephone, email,
               financial without means of payment.

            People affected: 56 (information that was already available by the
               responsible as of September 27, 2022, date on which VIVUS
               files a complaint providing the list of known affected persons at that time
               moment).
            For the possible consequences, the simulation has considered the

               least possible damage (despite the fact that the real and known consequences
               on this date were possibly of greater severity), assigning the
               value: “people may find some very inconvenient
               limited and reversible that they will overcome without problem.”
    - Taking into consideration the severity assessment procedure of
       ENISA, Recommendations for a methodology of the assessment of severity of

       personal data breaches, which VIVUS has established as a reference:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/33








            The Context (DPC) was valued with a value of 1, however, it should have been assigned
               higher value, since according to this methodology (it is hereby made
               inspector the unofficial translation into the Spanish language):
                    Simple data, Preliminary basic score = 1. The score

                      DPC could be increased by 1, for example, when the volume
                      of the "simple data" or the characteristics of the person responsible for the
                      treatment are such that the elaboration of
                      profiles of the person or assumptions can be made about the
                      social/financial situation of the person), with DPC = 2, or:

                    Financial data, Preliminary base score = 3. The
                      DPC score could be reduced by 1, for example, when
                      the specific data set includes certain information
                      financial, but does not yet provide any meaningful insight
                      of the person's financial situation (for example, numbers
                      simple bank accounts without further details), with DPC = 2, or

                      good:
                    Financial data, Preliminary base score = 3. The
                      DPC score could be increased by 1, for example,
                      when, due to the nature or volume of the set of
                      specific data, complete financial information is disclosed

                      (for example, credit card) that may allow fraud or
                      A detailed social/financial profile is created. DPC=4.
            The Ease of Identification of the affected person should be valued as EI =
               1, and not a lower value (VIVUS gives a value EI=0.75), as stated
               has analyzed in the previous point.


From this it is concluded that the value assigned from VIVUS to the different variables of the
severity calculation formula was lower than what should have been assigned, given the
scenario that was being known about the security incident, due to
have obtained a final result of severity that could be between MEDIUM and VERY
HIGH. This result would have led VIVUS to communicate the incident to the

AEPD and those affected since the first event.

    - In relation to the complaint filed by the person responsible, in the
       response to the request states: “the affected cases were collected from
       manually and given the difficulty in identifying them through the
       partial information available, up to 4 extensions of the

       initial complaint”, providing the following documentation in the response.
            Copy of the initial complaint filed on August 12, 2022 with the
               affected customer information on August 11, 2022.
            Copy of the extension to the previous complaint filed on December 28

               September 2022 in which they affirm that in subsequent days they have been
               new clients affected, requesting loans
               fraudulent with a global amount of 42,610 euros and having been
               scammed 19830 euros. In this extension they provide a list with the
               data of the affected clients to whom VIVUS made the entry of the
               amount of the loan requested fraudulently, being in

               This listing approximately 56 bank account numbers
               different clients. From the analysis of this list by the present inspector
               It is striking that the same IP used in the loan application
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/33








               of August 10, 2022 (which was recorded on August 11,
               2022 after receiving communication from the affected client), was used
               subsequently to successfully apply for two new loans
               fraudulent at a later date, October 8, 2022 at 10:53 and
               11:11.

            In the accredited complaints, VIVUS states that the attackers had
               entered the personal area of each of these clients and had
               requested a new loan in the contracting modality
               distance on behalf of the affected customer.
    - Provide a copy of a document with the general conditions of the loan

       that are accepted (by marking a checkbox) at the time of
       online loan application.
    - In response to our request to detail the procedures
       existing to identify a client when requesting a loan from
       Through the web portal, they affirm that there are two possible ways of identification:
            To request a FIRST LOAN, the so-called

               “onboarding procedure”. They claim that this procedure was not the
               used by the attackers, since all affected clients requested
               previously a first loan. This identification procedure
               initial consists of:
                    On a first screen where contact information is requested and

                      collects consent for privacy policy and
                      commercial communications.
                    On a second screen, a DNI number and a
                      password to create the account or profile.
                    On a third screen, the name, surname and date are requested.

                      birth.
                    On a fourth screen, an address in Spain is requested.
                    On a fifth screen, a phone number is requested and
                      subsequently verified by sending an SMS with a

                      Unique one-time use code that the user must enter.
                    On a sixth and final screen, different options are offered.
                      identity accreditation, either by providing the credentials of
                      Online Banking (through the TINK service), either providing the
                      supporting documentation through a form and wait

                      phone call that would verify the data.
            To request SECOND AND LATER loans (only way
               affected by the security incident), only the
               identification in the client's personal web area, using the
               user credentials (ID or EMAIL + Password). Once

               entered in the web area it was enough to select the amount of money
               that you wish to request, the desired return period and accept the
               contract conditions by activating a checkbox
               (check box).
    - In relation to this identification process they claim to have adopted and
       implemented the following reactive measures after the security breach:

            Resetting all customer passwords
               that, when clients access their personal area, they are obliged to
               set a new password.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/33








            Implementation of a second factor of authentication (2FA),
               generating a 4-digit verification code that is sent through
               from the SMS channel to the customer's registered phone number. This
               2FA dual-factor authentication system was strengthened

               later in April 2023 by adding two new
               rules (5 minute block after 3 failed attempts, being necessary
               new verification code, and the need for a new code if the
               client connects and disconnects from their profile).
    - They certify an updated document of the internal protocol for the management of
       incidents, whose update is dated April 29, 2023. The

       The modifications introduced therein have consisted of:
            Adjust the deadlines for the response phases to internal incidents, in
               case of delay in detection, to meet the notification period of the
               GDPR.
            The possibility of involving external legal experts in the

               response to personal data breaches.
            Data breach risk assessment template revised
               including new improved gravity calculator.
    - They certify the following reactive technical measures implemented to improve
       detecting security incidents:

            When failed authentication attempts from a single address
               Source IPs exceed defined daily thresholds, Splunk system
               SIEM generates an alert in real time that is sent to an email
               alert email to the security department and a communication channel
               Slack.

            When authentication success events originate from a
               single source IP address and are accessing more than 4 accounts
               different clients on the same day, a real-time alert is
               generated by the Splunk SIEM system and sent to an email
               security department email.

            When attackers use static IP addresses during a
               prolonged period these are entered into a special black list and in
               In the event of a subsequent authentication attempt, an alert is generated
               real time by the Splunk SIEM system and sent to email
               alert the security department.

    - In response to our request for risk analysis to be accredited
       for treatment activities affected by the gap, perform the
       following statement: “In May 2022, based on the planning of a
       new onboarding process (completed in October 2022) was carried out on
       corresponding Risk Analysis regarding Data Protection
       related to the Processing Activity called CUSTOMER

       REGISTRATION AND CONTRACT SIGNING.” Document is provided
       accrediting this risk analysis for the rights and freedoms of
       natural persons affected by the treatments of the aforementioned activity. Of
       Its analysis is extracted:
            It has a creation date of May 6, 2022.
            Threats and risk factors for the rights and

               freedoms of the interested parties, differentiating between inherent risk and the
               residual risk, referring to whether the risk has been fully mitigated

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/33








               or partially. However, security measures are not listed.
               concluded as a result of this analysis to mitigate risks.
            A conclusions section is included where it is stated that the level of
               inherent risk is HIGH and residual MEDIUM, also performing the

               following statement: “the activity analyzed involves, among others, the
               creation of profiles on the basis of which decisions are made that
               can produce legal effects for natural persons. The above,
               based on the document called LISTS OF TYPES OF
               DATA PROCESSING THAT REQUIRES EVALUATION OF
               IMPACT RELATING TO DATA PROTECTION of the Agency

               Spanish Data Protection, implies an obligation to
               4FINANCE as data controller to carry out a
               mandatory EIPD of the analyzed treatment.”
    - Document is accredited for the treatment activity “Customer Registration
       And Contract Signing”, with date of completion May 13, 2022. In it
       a systematic analysis and description of the treatment is carried out, an analysis of

       the intervening parties, an evaluation of the necessity and proportionality of the
       treatment and an evaluation and management of risks, listing measures
       adopted in its mitigation.
    - In response to our request to certify the sending of the
       communication made about the incident to the affected people, provide
       Excel list containing the Email and Name/Surname of people

       communicated, but the date on which the shipment was made is not detailed.

On August 2, 2023, a new information requirement is made to the
VIVUS responsible for the following actions:
    - The correct accreditation of the communications made.

    - The start date of the treatment activity “Customer Registration And
       Contract Signing”.
    - Confirmation of whether there were risk analyzes prior to May
       2022, and its accreditation if applicable.

On August 18, 2023 and entry registration REGAGE23e00056162842,

receives a response to the previous requirement from whose analysis the following is extracted
information relevant to the investigation:
    - Mass communication sent to affected clients on the date is credited
       April 11, 2023 at 8:09 p.m.
    - They affirm that the processing activity called “Customer Registration
       And Contract Signing” began on December 20, 2012 on the occasion of the

       registration of the first client on the platform.
    - In relation to confirmation of whether there were risk analyzes carried out in
       date prior to the one they had already contributed (May 2022), the
       following:
            That after the entry into force of the RGPD, audits have been carried out

               internal and external data protection, one of them at the end of
               2019 and in which the need to carry out and document
               risk analysis that complies with art 32 of the RGPD. As
               As a result, “in May 2020, the company prepared a
               risk analysis in excel format (Risk Assessment Spain) that
               It included the probability of occurrence of certain risks. No

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/33








               However, according to what was included in the subsequent report of
               external audit of the year 2021, said risk analysis did not include
               appropriately the risks to the rights and freedoms of
               affected.” Screenshot of this Excel document is credited.
               From the analysis by this inspector it is concluded that the

               risk factors in a generalized way and not for an activity of
               concrete treatment. Furthermore, it is carried out from the perspective of the
               consequences and impact for the company itself (losses
               economic and financial impact), not being, therefore, a
               risk analysis for the treatment activity affected by the
               gap that took into account threats to both the security of the

               treatments as well as for the rights and freedoms of the interested parties.
            A new document “ANALYSIS REPORT OF
               RISKS RELATING TO DATA PROTECTION” dated
               drafted May 29, 2021 and signed by the Protection Delegate
               of data. From the analysis of this document by the present inspector,

               concludes:
                   In the introduction the following text is stated: “The present
                      document is the result of carrying out the activities
                      constituents of the Impact Assessment regarding
                      Data Protection (hereinafter DPIA), in accordance with the

                      established in article 35 and 36 of Regulation (EU) 2016/679
                      of the European Parliament and of the Council of April 27, 2016 and
                      the Practical Guides prepared by the AEPD”.
                   Contains the following sections Preparatory Aspects and
                      Organizational, Identification of Affected Data and Evaluation

                      of the Risk Level.
                   In the section referring to the evaluation of the risk level,
                      They analyze the following identified risk factors:
                           Illegitimate intrusion into systems.
                           Internal fraud.

                           Human and technological errors (both in the management of
                              loans, claims management, communications
                              business and employee data management).
                   This analysis is not specific to the treatment activity

                      affected by the gap and does not take into account risk factors
                      for the rights and freedoms of people affected by the
                      treatment activity.
            It is stated that a risk analysis was prepared at a later date
               specific by treatment activity following the Treatment Management Guide

               Risks of this Agency. This analysis corresponds to the one provided
               in response to the previous request and which has a writing date
               May 2022.
            They affirm that the company is working on the implementation of a
               computer tool (CompaaS) that will allow more management

               effective and agile compliance with its obligations, as well as registering and
               periodically review your protection risk analysis
               of data.

                                   CONCLUSIONS
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/33









1. The attack vector of the breach was caused by illegitimate access by
of attackers to the web area of multiple clients, using valid credentials that

these were previously known (ID or Email + Password pairs), possibly as a result
of some leak. The modus operandi was the following:

    - Once the attackers accessed the personal area of the affected client,
       They proceeded to request loans that were automatically accepted,
       the amount being entered into the bank account associated with the client.

    - Subsequently, the attackers contacted via WhatsApp posing as
       by VIVUS, informing them that a new
       loan in their name and in which they requested its return at a number of
       account that it was controlled by the attackers themselves.

2. It has been confirmed that the breach affected 9,497 VIVUS clients whose

identity was impersonated, having requested on behalf of many of them
personal loans that were granted automatically by the platform.

3. Regarding the data filtered through the client's web area, it consisted of:
name and surname, date of birth, postal address, email, mobile phone, DNI/NIE,
IBAN, pseudonymized bank card, as well as data relating to loans that are
were in force against the company.

4. It has been proven that VIVUS initially detected the breach on August 11
of 2022 following the communication received from an affected client.

Subsequently, on September 1, 2022, the company was aware of at
at least 11 cases affected, and as of November 14, 2022 at least 83 clients
affected. However, the breach was not notified to the present authority until
on February 17, 2023, when there was evidence of the impact of at least
427 defrauded.

5. It has been proven that VIVUS analyzed the level of risk and severity of the
gap on different dates (August 11, 2022, September 1, 2022 and

November 2022), using an internal methodology based on ENISA
consisting of the use of a formula to calculate the final value of the risk to
based on variables such as the Context of the Incident, the Ease of Identification and the
Circumstances of the incident, assigning a value to each of these variables according to
a detailed scale in the methodology itself. From the final value of the risk obtained from the

previous formula, the claimed party considered that it was NOT necessary to notify the
violation of the AEPD or those affected.

6. It has been found that the value assigned to some of these variables was lower than the
that should have been assigned, taking into account the knowledge that was had about the
incident at this time. After the use, by the present inspector, of the
Gap Advisor and Gap Communicate tools using the information VIVUS
known in September 2022, has been obtained as a result in both

tools the need to notify both the AEPD and those affected.

7. In relation to the communication of the breach to those affected, it has been
proven that the person responsible finally communicated the incident to all those affected
on April 11, 2023, after receiving the order to communicate from this
authority.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/33








8. It has been proven that there were no specific risk analyzes for the
rights and freedoms of people interested in the treatment activity
affected by the gap until May 6, 2022. Prior to this date
there were risk analyzes that were not specific to a treatment activity
and directed at the possible financial impact on the person responsible, not

analyzing risks to the rights and freedoms of people affected by the
treatments. It has also been proven that the treatment activity affected
due to the breach was recorded in the VIVUS Treatment Activities Registry and that
It started in December 2012.

9. The existence of an Impact Assessment for the
Data Protection (EIPD) of the processing activity affected by the breach,
carried out on May 13, 2022 and which includes the following information:

           - A systematic analysis and description of the treatment

           - An analysis of the necessity and proportionality of the treatment

           - An analysis and management of risks.

10. In relation to the preventive measures implemented in moments prior to the
gap, the following list is found:

           - Security monitoring: event review, security testing
               security and vulnerability assessment.

           - Password policy with minimum complexity rules to start
               session in the client web area.

           - Measures against brute force attacks based on waiting times
               after failed login attempts.

           - Firewall and anti-malware protection.

           - Prevention of DDOS attacks, SQL injection and other threats to
               through Imperva Web Application Firewall software.

           - Penetration analysis of the vivus.es web portal in June 2023,

               Previously (February 2022), another analysis of
               penetration, but with the focus on the VIVUS mobile application.

           - Internal procedure to manage security incidents.

11. In relation to the reactive measures implemented by the person responsible after
Once the security breach is known, the following have been confirmed:

           - Implementation of a Double Factor Authentication (2FA) system
               implemented on February 21, 2023. They affirm that the implementation
               This measure was key to solving the gap since it was not
               later cases were detected.

           - Reset of all customer passwords on date 11
               February 2022.

           - Inclusion of clients affected by fraud in a special category
               to avoid possible derived consequences.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 17/33








           - Improvement of the SIEM monitoring system with the implementation of
               new real-time event analysis functionalities, in
               concrete:

                   Generating alerts when authentication attempts
                      failed messages from the same IP exceed a defined daily threshold.

                   Generating alerts when security events occur.
                      successful authentication from the same IP in more than four

                      client accounts.

                   Blacklists of suspicious IPs to track before
                      new authentications received.

           - A communication was made to all clients informing them that the
               entity does not use WhatsApp as a means of contact.

           - The internal incident management procedure was updated (as of today).
               April 29, 2023) reviewing the template to evaluate the risk and
               severity of an incident that affects personal data, entering
               adjustments in response times to be able to comply with the

               GDPR notification.
12. In relation to the client identification process for the granting of

loans, it has been confirmed that all affected clients had already
requested a first loan previously and, therefore, had already made the
identification process and initial registration in the system (which requires the user to provide
identification documentation or make use of the external identification service of
TINK online banking). However, it is proven that, for the request for seconds
and subsequent loans, VIVUS only required correct authentication in the

client's web area using the username (DNI or Email) and their
password. Subsequently and as a reactive measure after the breach, VIVUS implemented
double factor authentication (2FA) in the customer authentication (login) process
in the web area, using the sending of SMS with a secure one-time use code and
valid for a single connection to the client's personal web area, not knowing

new cases of fraud as a result of the implementation of this measure.
13. From the analysis of accredited preventive and reactive measures, it is confirmed

insufficiencies in the implementation of technical measures to guarantee the identity of
users who requested second (and subsequent) loans through the web area.
The introduction of the second factor of authentication (2FA) as a reactive mechanism,
Although it is not a method that ensures total protection against attacks, it offers a level
superior security, avoiding cases of identity theft even when the
Customer passwords have already been compromised. Maximize the

security of the authentication process was adequate, taking into account the
potential impact of the possibility of requesting loans with the only requirement
to authenticate correctly on the web portal.

14. On the other hand, deficiencies have also been detected in the technical measures
preventive measures implemented to monitor and, fundamentally, alert against
existence of multiple failed login attempts.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 18/33








THIRD: According to the report collected from the AXESOR tool, the entity
4FINANCE SPAIN FINANCIAL SERVICES, S.A.U. It is a great company with a
turnover of 66,551,000 euros in 2022.

                           FOUNDATIONS OF LAW


                                           Yo
                                    Competence

In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each

control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.


Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."


                                          II
                                 Previous issues

In the present case, in accordance with the provisions of article 4.1 of the RGPD, there is

the processing of personal data, since VIVUS carries out this
activity in his capacity as data controller, given that he is the one
determines the purposes and means of such activity, pursuant to article 4.7 of the GDPR:

"Controller" or "responsible": the natural or legal person, authority
public, service or other body that, alone or together with others, determines the purposes and
means of treatment; whether Union or Member State law

determines.

For its part, article 4.2 of the Regulation defines the “processing” of personal data
as “any operation or set of operations performed on data

personal data or sets of personal data, whether through procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,

communication by transmission, broadcast or any other form of enabling
access, collation or interconnection, limitation, deletion or destruction”


                                          III

                  Unfulfilled obligation of article 5.1 f) of the GDPR



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/33








Article 5.1 of the GDPR establishes the principles regarding processing, indicating,
among other issues, that the personal data will be:


“f) processed in such a way as to ensure adequate security of the data
personal data, including protection against unauthorized or unlawful processing and against
its loss, destruction or accidental damage, through the application of technical measures

or organizational arrangements (“integrity and confidentiality”).”

The principle of confidentiality, within the framework of the RGPD, implies the obligation to
ensure that personal data is kept protected and can only be
be accessible by those who have authorization for their treatment, in order

planned and/or consented to by the data owners.

In this sense, the GDPR defines personal data as “any information about
an identified or identifiable natural person (“the interested party”); shall be deemed
identifiable natural person any person whose identity can be determined, directly or
indirectly, in particular by means of an identifier, such as a name,

an identification number, location data, an online identifier or one or
various elements of physical, physiological, genetic, psychological identity,
economic, cultural or social of said person;”

In the case at hand, the investigative actions carried out by the

present authority, an alleged violation of the aforementioned principle of
confidentiality. This violation is manifested through the following
circumstances:

     The fact, confirmed by the claimed party, that the attackers accessed

       to personal data of clients through illegitimate access using
       Valid credential combinations (ID or Email + Password pairs). With
       Regardless of the way in which they accessed said credentials, their use
       to access the personal information of those affected constitutes a
       manifestation of the violation of the aforementioned principle.


     The subsequent contact of the attackers with the affected clients, becoming
       go through the claimed part to request the return of the money to accounts
       controlled by the attackers. It must also be taken into account that the
       favorable outcome of the fraud was not only based on personal information

       obtained illegitimately, but also took advantage of the trust that the
       clients deposited in VIVUS.


     The different claims presented by those affected herein

       authority that emerge in response to illicit actions and that expose
       I manifest both the exposure of your personal data without your consent
       such as the subsequent and reactive management of the situation by VIVUS.

     The complaint presented by the claimed party and subsequently expanded before

       the security forces and bodies in which they revealed the number
       of affected persons known at that time, in order for them to carry out the
       timely actions.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 20/33









     The communication of the breach by the claimed party itself made both to the
       present authority as well as those affected themselves. Although said communication

       was carried out late and progressively, it represents a recognition of the
       violation of the confidentiality of the personal data of those affected.

It should be noted that the violation of the principle of confidentiality in this
case involves a set of personal data whose nature amplifies the

implications of the security breach. This follows from the circumstance that
among them, in addition to identifying or contact data such as names,
addresses, DNI/NIE, and telephone numbers, various data were also found
users' financial information, such as IBAN and information on existing loans
in force.


The combination of this type of personal data, including knowledge about the
financial status of clients, significantly increases the level of risk and the
implications of breach of confidentiality. This is due to the circumstance
that such a combination not only increases the amount of information available to
a malicious actor, but also widens the spectrum of possible abuses. Given the

It is not about isolated data or individual pieces of information, but about the
exposure of an integrated set of personal and financial data, when
combine, they can be used to construct a complete and detailed profile of the
financial and personal situation of an individual, which can allow an attacker
carry out fraud and identity theft operations with a higher rate of

success.

Specifically, profiling affected individuals allows
Attackers devise highly personalized deception strategies, such as
phishing or scamming, significantly increasing the probability of success. Must
Keep in mind that detailed information makes it easier to create messages

credible that can trick victims into revealing even more information or
carry out actions that compromise their financial and personal security.

Likewise, unauthorized access and exposure of financial data, such as
information on loans, put those affected in a position of

significant financial vulnerability. This level of access, in addition to putting into
risk the financial assets of those affected, it can also have an impact
long-lasting negative impact on your credit history and financial reputation. Of the same
form, the information on loans requested, apart from being sensitive from a
financial point of view, it may contain details about the economic situation and

personal needs of clients that could be used against your
willpower. This information can motivate, not only fraudulent behavior, but
also manipulation and blackmail, since malicious actors can
exploit knowledge of a person's financial vulnerabilities to
pressure her or induce her to take actions against her will or interests.


Finally, the considerable number of people affected by the gap cannot be ignored.
magnitude affected 9,497 clients. This circumstance, likewise, broad
significantly the seriousness of the violation of the principle of confidentiality.
It must be taken into account that a high number of those affected not only manifest the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 21/33








scale of the incident, but also multiplies opportunities for misuse of
personal information, which exponentially increases the risk of fraud or
identity theft, in the terms indicated above.


                                            IV
          Classification and qualification of the violation of article 5.1.f) of the RGPD

If confirmed, the aforementioned violation of article 5.1.f) of the RGPD could mean the
commission of the infractions classified in article 83.5 of the RGPD that under the

The section “General conditions for the imposition of administrative fines” provides:

“Infringements of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20 000 000 or,
In the case of a company, an amount equivalent to a maximum of 4% of the

global total annual business volume of the previous financial year, opting for
the largest amount:

a) the basic principles for the treatment, including the conditions for the
consent under articles 5, 6, 7 and 9; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”


For the purposes of the limitation period, article 72 “Infringements considered very
“serious” of the LOPDGDD indicates:

"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe violations that involve three years

a substantial violation of the articles mentioned therein and, in particular, the
following:

a) The processing of personal data violating the principles and guarantees
established in article 5 of Regulation (EU) 2016/679. (…)”


                                            V
                  Penalty for violation of article 5.1.f) of the RGPD

According to article 83.2 of the RGPD “Administrative fines will be imposed, depending on
of the circumstances of each individual case, in addition to or in lieu of the

measures referred to in Article 58, paragraph 2, letters a) to h) and j). When deciding the
imposition of an administrative fine and its amount in each individual case will be
due account:

a) the nature, severity and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation in question, as well as
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 22/33








c) any measure taken by the person responsible or in charge of the treatment to
alleviate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person responsible or in charge of the treatment,

taking into account the technical or organizational measures that have been implemented under
of articles 25 and 32;
e) any previous infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;

h) the way in which the supervisory authority became aware of the infringement, in
particular whether the person responsible or the person in charge notified the infringement and, if so, in what
extent;
i) when the measures indicated in Article 58, paragraph 2, have been ordered
previously against the person responsible or the person in charge in question in relation to the

same matter, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through infringement.”


In the same way, article 76 of the LOPDGDD establishes a series of criteria
to graduate the possible sanction, following the provisions of section k) of the previous
article:


“In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, also
may be taken into account:

a) The continuous nature of the infringement.
b) The linking of the offender's activity with the performance of medical treatment.

personal information.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission
of the infringement.
e) The existence of a merger by absorption process subsequent to the commission of the
infringement, which cannot be attributed to the absorbing entity.

f) The impact on the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) The submission by the person responsible or in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
"There are disputes between them and any interested party."


Taking into account these precepts, in the present case it is considered that
The sanction to be imposed should be graduated in the following terms:

a) the nature, severity and duration of the infringement, taking into account the

nature, scope or purpose of the processing operation in question
such as the number of interested parties affected and the level of damages suffered.
suffered;


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 23/33








The concurrence of the aggravating circumstance in the violation of the principle of manifests itself in the
nature, severity and duration of the violation. The nature of the violation, which
involved the exposure of personal and financial data, highlights the risk

significant for the rights and freedoms of the affected persons, especially
considering the potential for financial fraud and identity theft. The
severity is manifested by the direct impact on financial and personal integrity
of customers, as well as the potential long-term damage to their trust and confidence.
perception of security. Furthermore, the duration of the infringement, which ceased after the
effective implementation of corrective measures, unnecessarily extended the period

of vulnerability of clients' personal data, expanding the time frame
in which the data was exposed to security risks.
Likewise, the concurrence of the aggravating circumstance is also manifested in the number of
affected stakeholders, given that it impacted more than 9,000 clients, which highlights both
the scale of the incident as well as the considerable volume of individuals whose rights and

freedoms were compromised. This widespread impact amplifies the severity of the
infringement, given that each affected customer represents a potential case of fraud,
identity theft, or financial loss, exponentially multiplying the
negative repercussions of the incident.
Aggravating circumstance provided for in section b) of article 83.2 of the RGPD:


b) intentionality or negligence in the infringement;

The Supreme Court has been understanding that imprudence exists whenever
disregards a legal duty of care, that is, when the offender does not behave with
the required diligence. In this sense, it establishes that in assessing the degree of

diligence, the professionalism or otherwise of the subject must be especially considered,
professionalism that occurs in this case, given that the activity of the
recurring is constant and abundant management of personal data, which
It implies greater rigor and care in order to comply with legal provisions.


In this case, although direct intentionality is not suggested, negligence emerges
both in the delay in notifying those affected of the breach (which took place
after request from this entity) as in the delayed reaction after knowledge of
the violation of the confidentiality of the personal data of its clients. Sayings
elements reflect an omission in the duty of care that VIVUS had towards the
protection of their customers' data, which reinforces and amplifies the severity of the

infringement and justifies, consequently, the occurrence of this aggravating circumstance.

Aggravating circumstance provided for in section b) of article 76 of the RGPD:

b) The linking of the offender's activity with the performance of medical treatment.

personal information.

Taking into account that the core of VIVUS' business activity is based on the
granting loans and, therefore, in the intensive processing of personal data and
financial, said link deepens the seriousness of the infringement. The company

operates in a sector where trust and information security is
fundamental, and for this reason it has the responsibility to guarantee with greater rigor
the data protection principles regarding the information managed under
of said activity, among which are sensitive data, such as bank details

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 24/33








and/or financial. The nature of VIVUS activity, consequently, amplifies the
consequences of the alleged infringement, a circumstance that justifies the concurrence of
the present aggravating circumstance.


Depending on the aforementioned circumstances, in accordance with the provisions of the
article 83.5 of the RGPD, and without prejudice to what results from the instructions herein
procedure, it is considered appropriate to establish as a possible sanction a fine of an amount
of €200,000 (TWO HUNDRED THOUSAND EUROS)


                                           SAW
                      Unfulfilled obligation of article 32 GDPR

Article 32 “Security of processing” of the GDPR establishes:


 "1. Taking into account the state of the art, the application costs, and the
nature, scope, context and purposes of the processing, as well as risks of
variable probability and severity for people's rights and freedoms
physical, the person responsible and the person in charge of the treatment will apply technical and
appropriate organizational measures to guarantee a level of security appropriate to the risk,
which, if applicable, includes, among others:

a) pseudonymization and encryption of personal data;
b) the ability to guarantee confidentiality, integrity, availability and resilience
permanent treatment systems and services;
c) the ability to restore the availability and access to personal data of
quickly in case of a physical or technical incident;

d) a process of regular verification, evaluation and assessment of the effectiveness of the
technical and organizational measures to guarantee the security of the treatment.

2. When evaluating the adequacy of the security level, particular consideration will be given to
takes into account the risks presented by data processing, in particular as

consequence of accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or
unauthorized access to said data.

3. Adherence to a code of conduct approved under Article 40 or to a
certification mechanism approved pursuant to article 42 may serve as an element

to demonstrate compliance with the requirements established in section 1 of the
present article.

4. The controller and the person in charge of the treatment will take measures to ensure that
any person acting under the authority of the person responsible or in charge and

has access to personal data can only process said data following
instructions of the person responsible, unless it is obliged to do so by virtue of the Law of
the Union or the Member States.”

It is necessary to point out that the aforementioned precept does not establish a list of measures

specific security measures in accordance with the data being processed, but
establishes the obligation for the person responsible and the person in charge of the treatment to apply
technical and organizational measures that are appropriate to the risk entailed by the
treatment, taking into account the state of the art, the costs of application, the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 25/33








nature, scope, context and purposes of the processing, the probability risks
and seriousness for the rights and freedoms of the interested parties.


Likewise, security measures must be appropriate and proportionate to the
detected risk, determining those appropriate technical and organizational measures
taking into account pseudonymization and encryption, the ability to ensure the
confidentiality, integrity, availability and resilience, the ability to restore the
availability and access to data after an incident, verification process (which does not
audit), evaluation and assessment of the effectiveness of the measures.


In any case, when evaluating the adequacy of the security level, one must take into account
particularly taking into account the risks presented by data processing, such as
consequence of the accidental or unlawful destruction, loss or alteration of data
personal data transmitted, preserved or otherwise processed, or the communication or

unauthorized access to said data and that could cause damages and losses
physical, material or immaterial.

In this sense, recital 83 of the GDPR states that “(83) In order to maintain the
security and prevent the treatment from violating the provisions of this Regulation,
The person responsible or the person in charge must evaluate the risks inherent to the treatment and

apply measures to mitigate them, such as encryption. These measures must guarantee a
appropriate level of security, including confidentiality, taking into account the
state of the art and the cost of its application with respect to the risks and
nature of the personal data that must be protected. When assessing the risk in
Regarding data security, the risks involved must be taken into account.

arise from the processing of personal data, such as the destruction, loss or
accidental or illicit alteration of personal data transmitted, preserved or processed
otherwise, or unauthorized communication or access to said data, susceptible
in particular of causing physical, material or immaterial damages.”


In the present case, in accordance with the evidence available in this
agreement to initiate the sanctioning procedure, and without prejudice to what results
of the instruction, it is considered that the known facts could constitute
an infraction, attributable to the claimed party, for violation of article 32 of the
GDPR.


The imputation under Article 32 of the GDPR in the context of VIVUS is based on the
alleged deficiencies identified in the application of technical security measures
and organizational measures to guarantee a level of security appropriate to the risk
what the processing of personal data entails. Of the investigative actions
carried out by this authority, various circumstances have emerged that

manifest a non-compliance in relation to the specific requirements of the
article.

Thus, although VIVUS carried out risk analysis on different dates using a
internal methodology based on ENISA, it emerges from previous actions a

incorrect assignment of values to key variables which implies underestimation
significant risk and severity of the breach. This shows a possible
inadequacy in risk assessment by not taking into account the state of the art,
the costs of implementation, and the risks to people's rights.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 26/33









In the same way, the delay in communicating the incident to those affected until
on April 11, 2023, after receiving the order from the competent authority, highlights

a limitation on VIVUS's ability to ensure confidentiality,
permanent integrity, availability and resilience of security systems and services
data treatment. This delay in notification could pose greater risks
for the affected individuals, thus failing to comply with the obligation of article 32
to quickly restore availability and access to personal data in
case of incident.


Likewise, the lack of analysis of specific risks for the rights and freedoms of
the people interested in the treatment activity, and the concentration on
financial impacts for VIVUS rather than risks to individuals
affected, highlights an inadequate approach to data protection from a

individual-centered perspective.

The implementation of reactive measures by VIVUS, although necessary and useful to
address the consequences of the security breach, while revealing
insufficiencies in the anticipation and mitigation of data security risks
personal. This highlights the importance of continuous risk assessment,

proactive security planning and agile incident response, in accordance with
the requirements of article 32 of the RGPD, all circumstances that have not been
taken into account by VIVUS, as deduced from the actions carried out.

In this sense, VIVUS's initial decision to allow new applications for

successive loans based solely on a form of authentication with
username and password reveals an underestimation of the risks associated with theft
identity and financial fraud. Based on the fact that the affected customers had already
completed an identification process for your first loan, the system
VIVUS did not require rigorous identity verification for transactions

subsequent. This practice opens the door for malicious actors, if they manage to
obtain access credentials from clients, they can apply for loans
fraudulently.

The implementation of Double Factor Authentication (2FA) by VIVUS constitutes, without
Without a doubt, a significant advance in the protection of data security and

integrity of your financial transactions. However, this advance comes in a
reactive moment, after critical vulnerabilities have manifested and
a security breach has occurred with broad effects. The adoption of 2FA,
Although crucial, it manifests a missed opportunity to have anticipated and mitigated
proactively address risks before they materialize into real harm to

clients, which is, in essence, the purpose pursued by the aforementioned article 32.

The aforementioned deficiencies detected in the preventive measures prior to
gap, especially with regards to user authentication for
application for successive loans, underline an adequate risk assessment

appropriate in accordance with the provisions of article 32 of the GDPR. As indicated in the
conclusions of the research actions, despite the significant improvement
that 2FA represents, the situation highlights shortcomings in technical measures
preventive measures prior to the breach, particularly with regard to monitoring

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 27/33








of failed login attempts and the generation of alerts. The lack of a
effective system for detecting anomalous authentication patterns makes it easier for potential
attackers exploiting compromised credentials without being detected

timely.

In the present case, the nature of VIVUS's activity cannot be ignored, which
operates in the financial sector, which means that the processing of personal data
involves sensitive information, including financial and identification details
staff. The circumstances related to said activity represent a greater demand

regarding technical and security measures in order to protect the rights in
matter of user data protection.

Finally, it should be noted that the lack of adequate security measures by
part of VIVUS is an issue that goes beyond the specific security breach

produced. Although the implementation of reactive measures such as the Double Factor of
Authentication (2FA) and the improvement of the SIEM monitoring system were steps
important in response to the breach, VIVUS's non-compliance lies in a
broader and pre-existing omission: the lack of adoption of a data security framework
Comprehensive and proactive data.


This lack of adequate security measures, regardless of the breach,
points out a disconnect between the assessment of potential risks and the
implementation of technical and organizational measures necessary to prevent such
incidents. The situation shows a disconnection in the safety culture of the
VIVUS information, where measures tend to be reactive rather than

focused on a proactive and risk-based security strategy. This
reactive posture limits the effectiveness of security measures and increases the
vulnerability to future breaches, since not all necessary security measures
are not directly related to the prevention of specific incidents, but rather to
creating a comprehensively safe environment.


In short, the measures adopted by VIVUS, the nature of its activity and its
reactive management regardless of the security breach that occurred underline a
alleged non-compliance with article 32 of the GDPR) which requires the implementation of
appropriate technical and organizational measures to guarantee a level of security
appropriate to the risk of personal data processing. Although VIVUS took measures

reactive, these actions came in response to an already exploited vulnerability,
rather than as part of a proactive risk management strategy.

                                          VII
           Classification and classification of the violation of article 32 of the RGPD


If confirmed, the aforementioned violation of article 32 of the RGPD could mean the
commission of the infractions classified in article 83.4 of the RGPD that under the
The section “General conditions for the imposition of administrative fines” provides:
“Infractions of the following provisions will be sanctioned, in accordance with the

paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or,
In the case of a company, an amount equivalent to a maximum of 2% of the
global total annual business volume of the previous financial year, opting for
the largest amount:

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 28/33









 a) the obligations of the controller and the processor in accordance with articles 8, 11, 25
at 39, 42 and 43; (…)”


In this regard, the LOPDGDD, in its article 71 “Infringements” establishes that
“The acts and conduct referred to in sections 4,
5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that result
contrary to this organic law.”


For the purposes of the limitation period, article 73 “Infringements considered serious”
of the LOPDGDD indicates: “Based on what is established in article 83.4 of the
Regulation (EU) 2016/679 are considered serious and will expire after two years.
infringements that involve a substantial violation of the aforementioned articles
in that and, in particular, the following:


(…) f) The lack of adoption of those technical and organizational measures that result
appropriate to guarantee a level of security appropriate to the risk of the treatment,
in the terms required by article 32.1 of Regulation (EU) 2016/679.

                                           VIII

                   Penalty for violation of article 32 of the GDPR

In the terms indicated by the aforementioned article 83.4 of the RGPD, the violation of the
Article 32 will be sanctioned, “with administrative fines of 10,000,000 EUR as
maximum or, in the case of a company, an amount equivalent to 2% as

maximum of the total global annual turnover of the previous financial year,
opting for the highest amount”

Likewise, according to the previously established criteria, it is assumed that
considers that in the present case it is appropriate to graduate the sanction to be imposed in the

following terms:

Aggravating circumstance provided for in section a) of article 83.2 of the RGPD:

a) the nature, severity and duration of the infringement, taking into account the
nature, scope or purpose of the processing operation in question, as well as

such as the number of interested parties affected and the level of damages suffered.
suffered;

In the present case, the occurrence of the aforementioned aggravating circumstance emerges.

considering the nature, severity and duration of the alleged infraction committed.
In the case of the nature of the violation, it manifests itself in inadequate treatment
of personal and financial data, a critical aspect taking into account the sensitivity

of the information involved. For its part, gravity arises from the potential
significant harm to the rights and freedoms of affected individuals who possess
failure to adopt appropriate security measures, including fraud risks

and financial loss. Furthermore, the duration of the violation, extending from the
time of breach to late implementation of corrective measures, justifies
the concurrence of the aforementioned aggravating circumstance.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 29/33









Aggravating circumstance provided for in section b) of article 83.2 of the RGPD:


b) intentionality or negligence in the infringement;

In the terms previously indicated regarding the doctrine of the Supreme Court
Regarding recklessness, in the present case negligence is manifested in the lack
forecasting and the late adoption of measures such as 2FA, which are essential
for the protection of personal data. This negligence indicates an omission in the

application of a proactive and risk-based data security approach,
essential to prevent unauthorized access and other forms of compromise of
data. Negligence, therefore, manifests itself in this case in not anticipating and mitigating
the risks, especially in a sector as sensitive as the financial one, which justifies
the concurrence of the aforementioned aggravating circumstance.


Aggravating circumstance provided for in section b) of article 76 of the RGPD:

b) The linking of the offender's activity with the performance of medical treatment.
personal information.


The violation of Article 32 by VIVUS is particularly aggravated by the close
linking your business activity with the intense and continuous treatment of
personal data, given that granting loans involves the management of
personal and financial information in an ordinary and massive manner. In this sense, the lack
of adequate security measures puts at risk the essence of the operation in

that this type of entities is based on and undermines confidence in the digital financial sector.
In the same way, the nature of said activity required greater rigor in the
adoption of security measures, a requirement that was not materialized in the case
that concerns us.


Taking into account the general conditions for the imposition of fines
administrative procedures established by the aforementioned article 83.2 of the RGPD, taking into account
to the circumstances of this case and without prejudice to what results from the
instruction of this procedure, a fine of
amount of €400,000 (FOUR HUNDRED THOUSAND EUROS).



                                           IX
                                 Adoption of measures

If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of

appropriate measures to adjust its actions to the regulations mentioned in this
act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the
which each control authority may “order the person responsible or in charge of the
treatment that the processing operations comply with the provisions of the
this Regulation, where appropriate, in a certain manner and within a

specified period…” The imposition of this measure is compatible with the sanction
consisting of an administrative fine, as provided in art. 83.2 of the GDPR.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 30/33








It is warned that failure to comply with the possible order to adopt measures imposed by
This body in the sanctioning resolution may be considered as a
administrative offense in accordance with the provisions of the RGPD, classified as

infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a
subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, by the Director of the Agency
Spanish Data Protection,


HE REMEMBERS:

FIRST: START SANCTIONING PROCEDURE against 4FINANCE SPAIN
FINANCIAL SERVICES, S.A.U., with NIF A86521309, for the alleged violation of the
Article 5.1.f) of the RGPD and Article 32 of the RGPD, typified in Article 83.5 of the

GDPR and Article 83.4 of the GDPR.

SECOND: APPOINT R.R.R. as instructor. and, as secretary, to S.S.S.,
indicating that they may be challenged, if applicable, in accordance with the provisions of the
articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector
Public (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the
different claims filed and their documentation, as well as the documents
obtained and generated by the General Subdirectorate of Data Inspection in the
actions prior to the start of this sanctioning procedure.


FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1
October, of the Common Administrative Procedure of Public Administrations, the
sanction that could correspond would be:, without prejudice to what results from the
instruction:


- For the alleged violation of article 5.1.f) of the RGPD, typified in article 83.5
of said rule, administrative fine of 200,000.00 euros.

- For the alleged violation of article 32 of the RGPD, typified in article 83.4 of
said rule, administrative fine of 400,000.00 euros.


FIFTH: NOTIFY this agreement to 4FINANCE SPAIN FINANCIAL
SERVICES, S.A.U., with NIF A86521309, granting it a hearing period of ten
business days for you to formulate the allegations and present the evidence you consider
convenient. In your written allegations you must provide your NIF and the number of

file that appears at the head of this document.

If within the stipulated period you do not make allegations to this initial agreement, the same
may be considered a proposal for a resolution, as established in the article
64.2.f) of Law 39/2015, of October 1, on the Common Administrative Procedure of

Public Administrations (hereinafter, LPACAP).

In accordance with the provisions of article 85 of the LPACAP, you may recognize your
responsibility within the period granted for the formulation of allegations to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 31/33








present initiation agreement; which will entail a 20% reduction in the
sanction that may be imposed in this procedure. With the application of this

reduction, the penalty would be established at 480,000.00 euros, resolving the
procedure with the imposition of this sanction.

Likewise, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction, which

will mean a 20% reduction in the amount. With the application of this reduction,
The penalty would be established at 480,000.00 euros and its payment will imply the
termination of the procedure, without prejudice to the imposition of the measures
corresponding.


The reduction for the voluntary payment of the penalty is cumulative with that corresponding
apply for recognition of responsibility, provided that this recognition
of the responsibility becomes evident within the period granted to formulate
allegations at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In

In this case, if both reductions were applicable, the amount of the penalty
It would be established at 360,000.00 euros.

In any case, the effectiveness of any of the two mentioned reductions will be
conditioned upon the withdrawal or waiver of any action or appeal pending.

administrative against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts
indicated above (480,000.00 euros or 360,000.00 euros), you must do so
cash by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000

(BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of
Data Protection in the banking entity CAIXABANK, S.A., indicating in the
concept the reference number of the procedure appearing in the heading
of this document and the reason for the reduction in the amount to which it applies.


Likewise, you must send proof of income to the General Subdirectorate of
Inspection to continue the procedure in accordance with the quantity
entered.

The procedure will have a maximum duration of twelve months from the date

of the initiation agreement. After that period has elapsed without it having been issued and notified
resolution will expire and, consequently, the proceedings will be archived;
in accordance with the provisions of article 64 of the LOPDGDD.

Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP,

There is no administrative appeal against this act.


                                                                              935-18032024
Sea Spain Martí
Director of the Spanish Data Protection Agency


 >>

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 32/33








SECOND: On April 25, 2024, the claimed party has proceeded to pay
the penalty in the amount of 360,000 euros making use of the two reductions
provided for in the initiation Agreement transcribed above, which implies the

recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to
The opening of the procedure entails the waiver of any action or appeal pending.
administrative against sanction and recognition of responsibility in relation to
the facts referred to in the Initiation Agreement.




                            FOUNDATIONS OF LAW


                                            Yo
                                      Competence


In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to

initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions

regulations dictated in its development and, insofar as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."

                                            II

                             Termination of the procedure

Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common Public Administrations (hereinafter, LPACAP), under the heading

“Termination in sanctioning procedures” provides the following:

"1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility,
The procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction has only a pecuniary nature or a penalty can be imposed

pecuniary sanction and another of a non-pecuniary nature but the
inadmissibility of the second, the voluntary payment by the alleged responsible, in
Any time prior to the resolution, will imply the termination of the procedure,
except in relation to the restoration of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.


3. In both cases, when the sanction has only a pecuniary nature, the
competent body to resolve the procedure will apply reductions of, at least,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 33/33








20% of the amount of the proposed penalty, these being cumulative with each other.
The aforementioned reductions must be determined in the initiation notification.

of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of
any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased

“regularly.”

According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:


FIRST: DECLARE the termination of procedure EXP202304633, of
in accordance with the provisions of article 85 of the LPACAP.

SECOND: NOTIFY this resolution to 4FINANCE SPAIN FINANCIAL

SERVICES, S.A.U..

In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.


Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations, interested parties may file an appeal
administrative litigation before the Administrative Litigation Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of

the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided for in article 46.1 of the
referred Law.



                                                                                936-040822
Sea Spain Martí
Director of the Spanish Data Protection Agency





















C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es