Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito – €500,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito (the data controller), is a Spanish financial institution that provides banking services, including online banking through its platform Ruralvía Clásica. The bank outsourced its IT and data security operations to Rural Servicios Informáticos S.L. ("RSI"), a third-party service provider acting as a data processor.
On December 12, 2022, RSI notified the AEPD (Spanish DPA) about a data breach affecting multiple entities within the Caja Rural Group, including Caja Rural de Jaén. The breach resulted from a cyberattack that exploited vulnerabilities in the online banking system. Unauthorized third parties gained access to data subjects' data, including personally identifiable information. The breach itself occurred on November 10, 2022, but was not detected until December 7, 2022. Following RSI’s initial notification, Caja Rural de Jaén submitted an additional breach notification on January 12, 2023.
The AEPD subsequently launched an investigation to determine whether the bank had failed to implement adequate security measures in compliance with GDPR. The investigation revealed that the bank’s security controls were insufficient. Furthermore, the investigation examined whether Caja Rural de Jaén had adequately notified the data breach in accordance with Articles 32 and 33 of the GDPR.
On January 23, 2024, the AEPD initiated a sanctioning procedure against Caja Rural de Jaén, proposing a fine for violations of data protection laws. The agency issued its resolution on December 2, 2024, concluding that the bank had violated Article 5.1(f) (failure to ensure data security) and imposed a €500,000 fine.
The AEPD held that Caja Rural de Jaén, Barcelona y Madrid, S.C.C. violated Article 5.1(f) of the GDPR by failing to implement adequate security measures to ensure the confidentiality of the data subjects' data. The bank’s online banking system (Ruralvía Clásica) had known security vulnerabilities that were not properly a
GDPR Articles Cited
Entities Involved
Related Enforcement Actions (0)
No other enforcement actions found for Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 December 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€500,000
GDPRhub ID
gdprhub-9073
Cite as: Cookie Fines. Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito - Spain (2024). Retrieved from cookiefines.eu