Openbank fined 2.5 million euro for data security violations

The AEPD has fined Openbank with 2.5 million euros for (i) not implementing strengthened measures to ensure data protection principles and (ii) the lack of appropriate technical and organizational measures to guarantee an adequate level of security, when sending financial information requested by the bank for the compliance of anti-money laundering and terrorism financing prevention regulations.

This sanction arises after an Openbank customer claimed for a mechanism to submit the requested information encrypted or through direct upload on the web portal. The only valid option was to send it via email, as the customer was asked to declare the origin of several amounts received in their bank account according to anti-money laundering regulations. After an investigation, the AEPD concluded that email was the only communication channel offered to customers at that time, which was not suitable given the potential threat to the rights and freedoms of the data subjects.

Furthermore, the AEPD also considered that there is a lack of design in the treatment by Openbank because the activity of collecting customer data had not been included in the "treatment lifecycle" of the impact assessment. Thus, despite protocols being defined for handling data required by regulations, they are not implemented correctly.

The resolution indicates that the information requested by Openbank from the client is considered financial data and required the application of strengthened measures to comply with GDPR requirements and protect the rights of data subjects. The AEPD has considered that Openbank has committed an infringement by violating Articles 25 (Data protection by design and by default) and 32 (Security of processing) of the GDPR, and the joint sanction is 2.5 million euros. Openbank has already filed an appeal against the decision of the AEPD.

Authors: Cristina Grande, Counsel; Carmen Gordillo, Associate