Banco Pichincha – €50,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 20 January 2023, the data subject filed a complaint against Banco Pichincha, the controller. The data subject had been experiencing issues with her mobile phone and asked her phone network provider for a copy of her SIM card and a list of the calls that had been made. On receiving the list, she noticed three calls to her bank that she had not made herself. She then tried to log in to her online banking, but her password produced an access error, so she contacted the bank's customer support service to change it. It turned out that someone had impersonated the data subject and accessed her account.

The impersonator had contacted the bank by telephone. The bank was obliged to ask certain security questions in order to identify the caller as the rightful account holder. The bank had outsourced its customer service to another company, here the processor. The processor did not follow the required protocol for the security questions: it continued the call even though the impersonator could not say how much money was supposed to be in the account or what the account holder's exact profession was. During that call the password was changed, and the impersonator was then able to carry out financial transactions. A total of €50,000 was therefore missing from the data subject's account.

The controller argued that it had lawfully processed the data subject's data and that the impersonator should instead be charged with unlawful processing of personal data. The Spanish DPA (Agencia Española de Protección de Datos - AEPD) held that ultimate responsibility for the processing of personal data remained with the controller, since it determined the purpose of the processing. It further explained that if the controller were not held accountable, controllers would never be liable for the unlawful actions of their processors. With reference to the CJEU case Deutsche Wohnen, the AEPD reiterated that
GDPR Articles Cited
Related Enforcement Actions (0)
No other enforcement actions found for Banco Pichincha in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 January 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€50,000
GDPRhub ID
gdprhub-8725
Cite as: Cookie Fines. Banco Pichincha - Spain (2025). Retrieved from cookiefines.eu