ING Bank Spain – €1,600,000 Fine (Spain, 2025)

The data subject opened a “non-payroll” bank account, one which does not require proof of income, with ING Bank Spain (controller). In 2022, the controller informed her that her account would be reclassified as a “non-account account” if her balance exceeds €30,000 and recommended she open a “non-account account”, different account offering from the bank, and split her balance between the two. In order to open this other account, however, the controller required she provided consent for the controller to contact the General Treasury of the Social Security to verify the origin of funds to be deposited. The controller claimed this was necessary to comply with Spanish money laundering and anti-terrorist financing laws. A clause giving consent for this processing was included in a document containing pre-contractual information, to which the data subject had to click “confirm”. The anti-money laundering law in question, Law 10/2010, requires the verification of origin of funds where prospective clients either present higher than average risks arising from a provision or the bank’s own risk analysis, or, where prospective client’s banking records do not correspond to their declared activity or operating history. On 3 November 2022 the data subject filed a complaint with the AEPD (Spanish DPA). She argued that she falls into neither of the categories envisaged by Law 10/2010 and the controller is using it as an excuse to make the data subject give her consent. The controller argued that consent being sought in this context does not equate to the concept of consent under the GDPR. They noted that they rely on their legal obligation under Article 6(1)(c) GDPR for this processing, and the collection of the consent is to satisfy the envisaged requirement of getting “authorisation” from the prospective account holder, as envisaged in the money laundering law. The controller further argued that the verification of origin of funds by the Treasury is the only meaningful way, gi