As reported in Global Data Review, two big GDPR fines against large banks in Spain suggest the country’s data protection authority, AEPD, is starting to move away from a strategy of cautious enforcement and towards a much tougher approach. 

The fines of €5 million imposed on BBVA and €6 million imposed on Caixa Bank relate to processing data without a proper legal basis and failing to provide the necessary information to data subjects.

The Spanish data protection regulator issued between 250 and 300 warnings and fines in 2020 – with an approximate average fine of €55,000 and the largest being €250,000. This is significantly more than other key European data regulators, which have imposed somewhere between a handful and 50 fines since the GDPR came into force.

However, the two most recent AEPD fines are in a different league and signal that the Spanish regulator may be running out of patience with companies that struggle with GDPR compliance, particularly large businesses.

BBVA and Caixa Bank are both fighting back and we await the outcome of their appeals with interest; they certainly present AEPD with its greatest challenge to date.