ING Bank Spain – €1,600,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
ING Bank Spain was fined for improperly requiring a customer's consent to verify the origin of funds for a bank account. This is significant because it shows that banks must follow strict rules about how they handle personal data. Small businesses should understand that they can't use legal obligations as an excuse to collect consent improperly.
What happened
The bank required a customer to give consent to verify the origin of funds, which was deemed unnecessary.
Who was affected
A customer who opened a non-payroll bank account with ING Bank Spain was affected.
What the authority found
The authority found that ING Bank Spain did not have a valid legal basis for requiring consent in this situation.
Why this matters
This case emphasizes that companies must be transparent and have valid reasons for collecting personal data. Small businesses should review their consent practices to ensure compliance with data protection laws.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
The data subject opened a “non-payroll” bank account, one which does not require proof of income, with ING Bank Spain (controller). In 2022, the controller informed her that her account would be reclassified as a “non-account account” if her balance exceeds €30,000 and recommended she open a “non-account account”, different account offering from the bank, and split her balance between the two. In order to open this other account, however, the controller required she provided consent for the controller to contact the General Treasury of the Social Security to verify the origin of funds to be deposited. The controller claimed this was necessary to comply with Spanish money laundering and anti-terrorist financing laws. A clause giving consent for this processing was included in a document containing pre-contractual information, to which the data subject had to click “confirm”. The anti-money laundering law in question, Law 10/2010, requires the verification of origin of funds where prospective clients either present higher than average risks arising from a provision or the bank’s own risk analysis, or, where prospective client’s banking records do not correspond to their declared activity or operating history. On 3 November 2022 the data subject filed a complaint with the AEPD (Spanish DPA). She argued that she falls into neither of the categories envisaged by Law 10/2010 and the controller is using it as an excuse to make the data subject give her consent. The controller argued that consent being sought in this context does not equate to the concept of consent under the GDPR. They noted that they rely on their legal obligation under Article 6(1)(c) GDPR for this processing, and the collection of the consent is to satisfy the envisaged requirement of getting “authorisation” from the prospective account holder, as envisaged in the money laundering law. The controller further argued that the verification of origin of funds by the Treasury is the only meaningful way, gi
Related Enforcement Actions (0)
No other enforcement actions found for ING Bank Spain in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
27 March 2025
Authority
Agencia Española de Protección de Datos
Fine Amount
€1,600,000
GDPRhub ID
gdprhub-9205About this data
Cite as: Cookie Fines. ING Bank Spain - Spain (2025). Retrieved from cookiefines.eu
Last updated: