Wenance Lending de España S.A. – €72,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Wenance Lending de España S.A. was fined €72,000 for failing to protect a user from fraud. A person unknowingly became a victim of fraud when their identity was used to take out a loan without their consent. The company did not have adequate checks in place to prevent this misuse of personal data.
What happened
The fintech company allowed a fraudulent loan to be taken out using a person's identity without their knowledge.
Who was affected
The individual whose identity was used to fraudulently obtain a loan from the company.
What the authority found
The Spanish Data Protection Agency found that the company failed to implement sufficient anti-fraud measures, violating GDPR requirements for protecting personal data.
Why this matters
This case emphasizes the need for companies to have strong fraud prevention measures in place. Businesses should review their security practices to protect users' personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
On 21 August 2020, the data subject saw a job posting online. In order to apply for this position, the data subject was requested to send a selfie of them holding their ID card. After that, they received a request by the controller, a fintech company, to pay back a €200 loan. Since the data subject believed they had never entered in a loan agreement with the controller, they contacted the latter. The controller informed the data subject that on 21 August 2020 it had received a loan request from them and transferred the amount to a bank account. The loan contract had been signed through an electronic signature. In addition, on 12 August 2022 the data subject asked the controller to delete their data. The controller did not reply to the request. As for the deletion request, the controller later argued that it could not delete the data since the contract was still in force. First, the DPA investigation showed that the data subject was victim of a fraud. The data subject sent their picture and ID card to the defrauder. With this documents the latter digitally signed the loan contract with the controller. Therefore, the data subject never expressed their willingness to enter in such an agreement with the controller. Second, the DPA noted that the anti-fraud measures taken by the controller were insufficient. More specifically, the controller argued that one of these measures is that the amount of money cannot be transferred to accounts that have been opened for less than 3 months. However, in the case at hand, the controller transferred the money even though the account had been opened only one day before the loan contract was signed. Thirdly, the DPA pointed out that this lack of checks led to the transfer of the money to a bank account not owned by the data subject. The DPA added that, in Spain, a bank transfer is successful even if the name in the bank transfer form is different from the account’s actual holder name. Therefore, the DPA found that the controller had
Related Enforcement Actions (0)
No other enforcement actions found for Wenance Lending de España S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
8 July 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€72,000
GDPRhub ID
gdprhub-8307About this data
Cite as: Cookie Fines. Wenance Lending de España S.A. - Spain (2024). Retrieved from cookiefines.eu
Last updated: