Banco Pichincha – €50,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Banco Pichincha was fined €50,000 after an impersonator, calling the bank's outsourced customer-service line, was allowed to have the customer's online banking password changed despite failing the identity-verification questions. The case matters because the AEPD held the bank, as controller, responsible for a failure by its processor: outsourcing customer service does not outsource accountability for the verification protocol, and other banks should check that their own providers cannot proceed to account changes when a caller fails verification.
What happened
An impersonator phoned Banco Pichincha's customer service, which the bank had outsourced to a processor. The processor continued the call even though the caller could not answer the required security questions, the password was changed during the call, and the impersonator then carried out transactions from the customer's account.
Who was affected
A customer of Banco Pichincha whose account was accessed by an impersonator.
What the authority found
The Spanish data protection authority (AEPD) held that ultimate responsibility for the processing remained with Banco Pichincha as controller, since it determined the purpose of the processing, and that a controller cannot escape liability for the unlawful actions of its processor.
Why this matters
This case shows that a controller remains accountable when an outsourced service provider fails to follow its security protocol. Identity verification at a customer-service channel must be enforced, not left to the discretion of the agent handling the call, and that applies equally when the agent works for a processor.
GDPR Articles Cited
Original scraped data (before verification against the source document)
On 20 January 2023, the data subject filed a complaint against Banco Pichincha, the controller. The data subject had been experiencing issues with her mobile phone and asked her phone network provider for a copy of her SIM card and a list of the calls made from it. On receiving the list, she noticed three calls to her bank which she had not made herself. She then tried to log in to her online banking, but her password produced an access error, so she contacted the bank's customer support service to change it. It turned out that someone had impersonated her and accessed her account.

The impersonator had contacted the bank by telephone. The bank was obliged to ask certain security questions in order to identify the caller as the rightful account holder. The bank had outsourced its customer service to another company, the processor. The processor did not follow the required protocol for the security questions: it continued the call even though the impersonator could not say how much money was supposed to be in the account or what the account holder's exact profession was. During the call the password was changed, and the impersonator was then able to carry out financial transactions. A total of €50,000 went missing from the data subject's account.

The controller argued that it had lawfully processed the data subject's data and that the impersonator, rather than the bank, should be charged with unlawful processing of personal data. The Spanish DPA (Agencia Española de Protección de Datos, AEPD) held that ultimate responsibility for the processing of personal data remained with the controller, since it determined the purpose of the processing. It further explained that if the controller were not held accountable, controllers would never be liable for the unlawful actions of their processors. With reference to the CJEU case Deutsche Wohnen, the AEPD reiterated that
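The failure described above is that the agent could proceed to a password change after the caller had failed verification. The following is an added example, not code from the page, from Banco Pichincha or from its processor, showing how a support system can make that impossible: the password-reset function only accepts a one-time token that the verification step issues when every question is answered correctly, so an agent (in-house or outsourced) cannot skip the check. Account, the question set, the answers and the event log are all hypothetical and constructed for the example.

```python
"""Added example (not from the page or from the bank): a fail-closed
identity-verification gate in front of a phone-support password reset.
All names, questions and answers below are hypothetical."""
from dataclasses import dataclass, field
import hmac
import secrets


@dataclass
class Account:
    holder_id: str
    # Constructed stored answers. A real deployment would keep salted hashes
    # of the answers rather than plaintext.
    expected_answers: dict
    password_hash: str = "original-hash"
    verification_tokens: set = field(default_factory=set)
    audit_log: list = field(default_factory=list)


class VerificationFailed(Exception):
    pass


def _normalise(answer: str) -> str:
    return answer.strip().lower()


def verify_caller(account: Account, provided_answers: dict) -> str:
    """Every required question must be answered correctly; a single miss fails
    the whole check, is logged, and no token is issued. On success a one-time
    token is recorded against the account and returned."""
    for question, expected in account.expected_answers.items():
        given = provided_answers.get(question, "")
        # constant-time comparison so a wrong answer does not leak timing
        if not hmac.compare_digest(_normalise(expected), _normalise(given)):
            account.audit_log.append(("verification_failed", question))
            raise VerificationFailed(question)
    token = secrets.token_hex(16)
    account.verification_tokens.add(token)
    account.audit_log.append(("verification_passed", None))
    return token


def reset_password(account: Account, token, new_password_hash: str) -> bool:
    """The reset operation refuses unless presented with a token issued by
    verify_caller. The agent has no way to override this from the call."""
    if token is None or token not in account.verification_tokens:
        account.audit_log.append(("reset_refused", None))
        raise PermissionError("caller not verified")
    account.verification_tokens.discard(token)  # one-time use
    account.password_hash = new_password_hash
    account.audit_log.append(("password_reset", None))
    return True


def run_impersonator_scenario():
    """Constructed scenario mirroring the case: the caller cannot state the
    balance or the profession. Returns (reset_succeeded, audit_log)."""
    acct = Account("holder-1", {"balance": "1250", "profession": "teacher"})
    try:
        token = verify_caller(acct, {"balance": "not sure", "profession": "?"})
    except VerificationFailed:
        token = None
    try:
        ok = reset_password(acct, token, "attacker-chosen-hash")
    except PermissionError:
        ok = False
    return ok, acct.audit_log


def run_legitimate_scenario():
    """The rightful holder answers correctly (case and whitespace tolerated)
    and the reset goes through exactly once."""
    acct = Account("holder-1", {"balance": "1250", "profession": "teacher"})
    token = verify_caller(acct, {"balance": " 1250", "profession": "Teacher"})
    ok = reset_password(acct, token, "new-hash")
    return ok, acct.password_hash, token in acct.verification_tokens


if __name__ == "__main__":
    print(run_impersonator_scenario())
    print(run_legitimate_scenario())
```

The design point is that verification produces evidence the system checks, rather than a judgement the agent acts on. The audit log also gives the bank the record it would need to show the authority that its protocol was enforced, or to detect a processor that is not enforcing it.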
Related Enforcement Actions (0)
No other enforcement actions found for Banco Pichincha in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
3 January 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€50,000
GDPRhub ID
gdprhub-8725
Cite as: Cookie Fines. Banco Pichincha - Spain (2025). Retrieved from cookiefines.eu