Wenance Lending de España S.A. – €72,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card. After that, they received a request by the controller, a fintech company, to pay back a €200 loan. Since the data subject believed they had never entered in a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature. In addition, on 12 August 2022 the data subject asked the controller to delete their data. The controller did not reply to the request. As for the deletion request, the controller later argued that it could not delete the data since the contract was still in force. First, the DPA investigation showed that the data subject was victim of a fraud. The data subject sent their picture and ID card to the defrauder. With this documents the latter digitally signed the loan contract with the controller. Therefore, the data subject never expressed their willingness to enter in such an agreement with the controller. Second, the DPA noted that the anti-fraud measures taken by the controller were insufficient. More specifically, the controller argued that one of these measures is that the amount of money cannot be transferred to accounts that have been opened for less than 3 months. However, in the case at hand, the controller transferred the money even though the account had been opened only one day before the loan contract was signed. Thirdly, the DPA pointed out that this lack of checks led to the transfer of the money to a bank account not owned by the data subject. The DPA added that, in Spain, a bank transfer is successful even if the name in the bank transfer form is different from the account’s actual holder name. Therefore, the DPA found that the controller had
GDPR Articles Cited
On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card. After that, they received a request by the controller, a fintech company, to pay back a €200 loan. Since the data subject believed they had never entered in a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature. In addition, on 12 August 2022 the data subject asked the controller to delete their data. The controller did not reply to the request. As for the deletion request, the controller later argued that it could not delete the data since the contract was still in force. First, the DPA investigation showed that the data subject was victim of a fraud. The data subject sent their picture and ID card to the defrauder. With this documents the latter digitally signed the loan contract with the controller. Therefore, the data subject never expressed their willingness to enter in such an agreement with the controller. Second, the DPA noted that the anti-fraud measures taken by the controller were insufficient. More specifically, the controller argued that one of these measures is that the amount of money cannot be transferred to accounts that have been opened for less than 3 months. However, in the case at hand, the controller transferred the money even though the account had been opened only one day before the loan contract was signed. Thirdly, the DPA pointed out that this lack of checks led to the transfer of the money to a bank account not owned by the data subject. The DPA added that, in Spain, a bank transfer is successful even if the name in the bank transfer form is different from the account’s actual holder name. Therefore, the DPA found that the controller had
Related Enforcement Actions (0)
No other enforcement actions found for Wenance Lending de España S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
8 July 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€72,000
GDPRhub ID
gdprhub-8307About this data
Cite as: Cookie Fines. Wenance Lending de España S.A. - Spain (2024). Retrieved from cookiefines.eu
Last updated: