UNICAJA BANCO, S.A. – €400,000 Fine (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
UNICAJA BANCO, S.A. was fined €400,000 for allowing improper access to its video surveillance footage. This case is significant because it shows that banks must ensure secure access to sensitive data and protect customer privacy.
What happened
The bank was fined because the operators who reviewed its video surveillance footage logged in with a single shared username and password, so access could not be attributed to an individual.
Who was affected
Customers of UNICAJA BANCO, S.A. were potentially affected by the lack of secure access to surveillance footage.
What the authority found
The Spanish data protection authority found that the bank did not implement proper access controls for its video surveillance system, violating GDPR requirements.
Why this matters
This case highlights the need for organizations to enforce strict access controls and individual accountability when handling sensitive data, especially in security contexts.
UNICAJA BANCO, S.A. (the controller) is a bank. In 2023, the controller entered into a service provision contract with a private security firm, GRUPO CONTROL EMPRESA DE SEGURIDAD, S.A. (the processor), under which the processor undertook to provide alarm installation and management services for the controller’s offices, buildings and premises, including the operation of alarm control centres and the verification of alarms via video surveillance or CCTV.
In that context, the controller operated a video surveillance system connected to a Central Alarm Receiving Centre (CRA) managed by the processor. The CRA staff, composed of ten operators and one coordinator, could access and review recorded CCTV footage, including footage used to verify suspected fraud and identity impersonation cases reported internally by the controller’s Security Department.
A data subject brought a formal complaint with the DPA, prompting it to open an investigation. The controller confirmed that access to the video surveillance system was made through a single shared username and password configured by another contractor responsible for the installation and maintenance of the CCTV system. As a result, the employees assigned to the CRA did not use individual credentials when accessing footage. Although access logs were retained for 90 days, those logs would in any event only show the shared account and the IP address of the terminal used, not the identity of the individual operator who had accessed the images.
The investigation also showed that the contractual framework between the controller and the processor formally required nominal user accounts, role-based access, and traceability. However, the authority concluded that these requirements had not been effectively implemented in practice. The investigation further noted that the controller’s DPIA and internal documentation already identified the need for formal user registration, periodic review of access rights, and logging of user activity,
Details
Fine Date: 16 January 2026
Authority: Agencia Española de Protección de Datos
Fine Amount: €400,000
GDPRhub ID: gdprhub-9957
Cite as: Cookie Fines. UNICAJA BANCO, S.A. - Spain (2026). Retrieved from cookiefines.eu