Spain: AEPD fines Bankinter Consumer Finance €70,000 for processing data without basis

The Spanish data protection authority (AEPD) has imposed a fine on Bankinter Consumer Finance, E.F.C., S.A. for breach of Article 6(1) of the RODO, based on a complaint filed by a data subject.
The complainant contacted Bankinter Consumer Finance after numerous withdrawals were made from his account using his bank card. These withdrawals were not made by the complainant, but by an unauthorised third party. The complainant found out that without his knowledge the bank had issued a duplicate of his card and sent it to an address other than his own. The criminal who stole the complainant’s funds repeatedly changed the telephone number linked to the bank account. The impersonation of the complainant was facilitated by an incorrect authentication procedure implemented by the bank, as the process only required easily predictable information.

The AEPD found that Bankinter Consumer Finance had processed the complainants personal data without a proper legal basis, as his phone number had been deleted and, at the same time, a new phone number had been assigned to the bank account without his knowledge or approval.