SANTANDER CONSUMER FINANCE, S.A. – €500,000 Fine (Spain, 2025)

€500,000 | Agencia Española de Protección de Datos | 14 February 2025 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

SANTANDER CONSUMER FINANCE, S.A. (the controller) is a bank. In October and November 2022, two companies acting as processors for the controller reported a data breach to the DPA. The DPA began investigating following two complaints by data subjects against the processors; the controller was also investigated. The DPA found that the data breach affected over 100,000 data subjects, with data such as names, contact information, IBAN and ID information being available on the dark web. Some of the DPA’s findings were also based on previous data breach reports from processors contracted by the controller. The controller informed affected data subjects of the data breach in December 2022.

The controller argued that it was not the controller in this case, as the data breach was targeted at the processors. The DPA first dismissed the arguments by the controller. The DPA emphasised that the controller was responsible for the processing of personal data of its customers, and that the negligence of third parties does not completely exempt it from responsibility. The DPA noted that, for example, the controller gave the processors insufficient instructions regarding security measures when processing personal data. The DPA found a violation of Article 5(1)(f) GDPR.

During its investigations, the DPA found that until 2021 the controller stored data subjects’ IBANs without pseudonymising them. This meant there was a high risk of the data being accessed and misused by third parties. According to the DPA, the unauthorised access would not have occurred if the controller had pseudonymised or anonymised the data. The DPA fined the controller €500,000. The DPA considered this a serious violation, taking into account the high number of data subjects affected. In addition, the DPA ordered the controller to implement appropriate security measures.

GDPR Articles Cited

AI-verified

Art. 5(1)(f) GDPR

Source verified 6 March 2026
verified correct

Details

Fine Date: 14 February 2025

Authority: Agencia Española de Protección de Datos

Fine Amount: €500,000

GDPRhub ID: gdprhub-9508

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. SANTANDER CONSUMER FINANCE, S.A. - Spain (2025). Retrieved from cookiefines.eu
