ING Bank N.V – €500,000 Fine (Spain, 2025)

A data subject tried to register as a joint account holder with the controller, ING Bank N.V., Spanish Branch. On 24 January 2023, the data subject received a form and instructions from the controller. They contacted the controller’s courier service as instructed and received a shipping label issued by Dynamic Express Courier S.L., a temporary processor used by the controller. On 26 January 2023, an employee of a subcontracted courier, Autoradio, collected an envelope from the data subject. The envelope contained the completed form, a copy of the data subject’s identity document, and the shipping label. The controller did not receive the documentation. Between 2 and 16 February 2023, the data subject contacted the controller several times. The controller informed them that the documentation had not arrived and that inquiries with different courier companies were ongoing. Dynamic had not reported any incident during the contractual relationship, which complicated the controller’s investigation. The controller later confirmed the loss of the documentation and acknowledged that it had attempted unsuccessfully to locate the shipment through all involved providers. The controller ended its contract with Dynamic in February 2023, shortly after the incident. On 9 June 2023, the data subject lodged a complaint with the Bank of Spain, which forwarded the complaint to the AEPD under the applicable administrative rules. During the investigation, the Spanish Data Protection Agency (AEPD) reviewed the contract between the controller and its processor. The contract included a data protection clause and a list of security measures. It also set out situations in which penalties could be applied to the processor, but no penalties had been imposed because Dynamic did not report any incident. The AEPD opened proceedings on 10 January 2025 to assess whether the controller had complied with its obligations under Article 32 GDPR, particularly regarding the supervision of its processor an