Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito – €500,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Caja Rural de Jaén was fined €500,000 for not securing its online banking system properly, which led to a data breach. This case is important because it shows that financial institutions must take data security seriously to protect their customers' information. Other banks should learn from this and improve their security measures.
What happened
Caja Rural de Jaén failed to implement adequate security measures, resulting in a data breach that exposed customer information.
Who was affected
Customers of Caja Rural de Jaén whose personal information was compromised in the data breach.
What the authority found
The Spanish data protection authority found that the bank violated GDPR by not ensuring the security of personal data.
Why this matters
This fine highlights the need for financial institutions to prioritize data security. It serves as a warning to all businesses that insufficient security measures can lead to significant penalties.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
Entities Involved
Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito (the data controller) is a Spanish financial institution that provides banking services, including online banking through its platform Ruralvía Clásica. The bank outsourced its IT and data security operations to Rural Servicios Informáticos S.L. ("RSI"), a third-party service provider acting as a data processor.
On December 12, 2022, RSI notified the AEPD (the Spanish DPA) of a data breach affecting multiple entities within the Caja Rural Group, including Caja Rural de Jaén. The breach resulted from a cyberattack that exploited vulnerabilities in the online banking system. Unauthorized third parties gained access to data subjects' data, including personally identifiable information. The breach itself occurred on November 10, 2022, but was not detected until December 7, 2022. Following RSI’s initial notification, Caja Rural de Jaén submitted an additional breach notification on January 12, 2023.
The AEPD subsequently launched an investigation to determine whether the bank had failed to implement adequate security measures in compliance with GDPR. The investigation revealed that the bank’s security controls were insufficient. It also examined whether Caja Rural de Jaén had adequately notified the data breach in accordance with Articles 32 and 33 of the GDPR.
On January 23, 2024, the AEPD initiated a sanctioning procedure against Caja Rural de Jaén, proposing a fine for violations of data protection laws. The agency issued its resolution on December 2, 2024, concluding that the bank had violated Article 5.1(f) (failure to ensure data security) and imposing a €500,000 fine.
The AEPD held that Caja Rural de Jaén, Barcelona y Madrid, S.C.C. violated Article 5.1(f) of the GDPR by failing to implement adequate security measures to ensure the confidentiality of the data subjects' data. The bank’s online banking system (Ruralvía Clásica) had known security vulnerabilities that were not properly a
Related Enforcement Actions (0)
No other enforcement actions found for Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
2 December 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€500,000
GDPRhub ID
gdprhub-9073
About this data
Cite as: Cookie Fines. Caja Rural de Jaén, Barcelona y Madrid, Sociedad Cooperativa de Crédito - Spain (2024). Retrieved from cookiefines.eu