GDPR | Apr 27, 2026

AEPD (Spain) - EXP202404507

Spanish DPA fines bank €400K for CCTV system shared credentials violating GDPR Article 32.

Summary

Spain's AEPD issued a €400,000 fine (reduced from €500,000 via voluntary payment) to UNICAJA BANCO for failing to implement proper access controls on its CCTV surveillance system. Multiple employees accessed recorded footage using a single shared username and password, preventing individual attribution and audit trails. The controller remained responsible despite contractual requirements with its processor, as it failed to operationalize and supervise the technical and organizational measures required under GDPR Article 32.

Full text

AEPD - EXP202404507

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR, Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 24.02.2025
Decided: 16.01.2026
Published:
Fine: 400000 EUR
Parties: UNICAJA BANCO, S.A.
National Case Number/Name: EXP202404507
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The DPA fined a bank €400.000 for allowing numerous staff members to access its CCTV system using a single shared username and password, in violation of Article 32 GDPR.

English Summary

Facts

UNICAJA BANCO, S.A. (the controller) is a bank. In 2023, the controller entered into a service provision contract with a private security firm, GRUPO CONTROL EMPRESA DE SEGURIDAD, S.A. (the processor), under which the processor undertook to provide alarm installation and management services for the controller's offices, buildings and premises, including the operation of alarm control centres and the verification of alarms via video surveillance or CCTV. In that context, the controller operated a video surveillance system connected to a Central Alarm Receiving Centre (CRA) managed by the processor. The CRA staff, composed of ten operators and one coordinator, could access and review recorded CCTV footage, including footage used to verify suspected fraud and identity impersonation cases reported internally by the controller's Security Department.

A data subject brought a formal complaint with the DPA, prompting it to open an investigation. The controller confirmed that access to the video surveillance system was made through a single shared username and password configured by another contractor responsible for the installation and maintenance of the CCTV system. As a result, the employees assigned to the CRA did not use individual credentials when accessing footage. Although access logs were retained for 90 days, those logs would in any event only show the shared account and the IP address of the terminal used, not the identity of the individual operator who had accessed the images.

The investigation also showed that the contractual framework between the controller and the processor formally required nominal user accounts, role-based access, and traceability. However, the authority concluded that these requirements had not been effectively implemented in practice. The investigation further noted that the controller's DPIA and internal documentation already identified the need for formal user registration, periodic review of access rights, and logging of user activity, but those controls had not been operationalised in the relevant processing environment. In addition, the AEPD considered that the controller had only provided operational instructions with little specificity on how stored images were to be accessed, reviewed, or extracted in response to internal requests. The internal CRA protocol mainly regulated alarm handling, incidents and communications, but did not lay down detailed rules governing access to stored footage.

Holding

The DPA held that the controller infringed Article 32 GDPR by failing to implement appropriate technical and organisational measures to ensure the security of the processing of CCTV footage. In particular, the use of a generic shared account for access to surveillance images prevented proper attribution of actions to individual users and undermined access control and traceability in relation to a processing operation involving sensitive security-related footage.

The DPA rejected the controller's argument that the failure was attributable solely to its processor. It found that, even if contractual clauses required nominal accounts and role-based permissions, the controller remained responsible for ensuring that those measures were actually implemented and effectively supervised. The DPA also stressed that the audits and controls carried out by the controller had not focused on the most critical issue in this case, namely who could access the footage, under which profile, and with what degree of traceability.

The DPA fined the controller €500,000 in total for the violation of Article 32 GDPR. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may make a voluntary payment of the proposed fine and waive its right to appeal. This action reduces the imposed fine by 20%. The controller opted to make a voluntary payment and reduced the fine by 20%, paying the reduced sanction amount of €400,000.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202404507

RESOLUTION OF TERMINATION OF PROCEEDINGS DUE TO VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: On February 24, 2025, the Spanish Data Protection Agency (AEPD) agreed to initiate sanctioning proceedings against UNICAJA BANCO, S.A.U., with Tax Identification Number (NIF) A93139053. Having been notified of the initiation agreement and after analyzing the allegations presented, on January 16, 2026, the following Proposed Resolution was issued:

<< File No.: EXP202404507

PROPOSED RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

FIRST: Complaints to the Spanish Data Protection Agency

As a result of a complaint, the Spanish Data Protection Agency has become aware of certain facts that could constitute a possible breach of data protection regulations, attributable to UNICAJA BANCO, S.A.U. with Tax Identification Number (NIF) A93139053 (hereinafter, UNICAJA), in relation to the system established for the processing, analysis, management, and safekeeping of images captured by the video surveillance systems used by UNICAJA as a preventative measure against the commission of crimes. According to the reported facts, UNICAJA had an Alarm Receiving Centre (hereinafter, ARC) staffed by eleven operators who worked for Gestión de Actividades y Servicios Empresariales S.L. (hereinafter, GDA), a service company within the UNICAJA group of companies. In addition to the ARC service, GDA also performed private security functions, despite not being registered on the list of security companies of the Private Security Unit of the National Police Directorate, a requirement for carrying out such functions.

According to the complaint, on March 18, 2019, UNICAJA contracted the CRA (Centralized Alarm Receiving) service with the private security company Grupo Control Empresa de Seguridad, S.A. (hereinafter, Grupo Control). The eleven GDA employees were then incorporated into Grupo Control. In addition to their CRA functions, they were responsible for the processing, analysis, management, and safekeeping of images captured by the video surveillance systems. They had unrestricted access to all equipment, software, and materials, regardless of their position, sharing user profiles and accessing highly sensitive information.

SECOND: Agreement to Carry Out Preliminary Investigative Actions

As a consequence of the known facts, on March 22, 2024, the Director of the Spanish Data Protection Agency instr

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es
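The decision turns on a concrete audit-trail gap: the CCTV access logs recorded only the shared account and the terminal's IP address, so no action could be tied to an operator, and the controller's own reviews never asked who could reach the footage or with what traceability. The script below is an added example, not part of the GDPRhub entry or of the AEPD decision, showing the kind of check a periodic access review could run over such logs. The log format, the account names and the sample lines are all constructed for the example; it splits events into attributable and unattributable ones, counts sensitive actions (exports) that cannot be tied to a person, and separately infers that an account is being shared when it is used from several terminals within a short window, without relying on a pre-known list of generic accounts.

```python
"""Attribution check over constructed CCTV access logs (added example).

Assumed log format (not from the decision): one event per line,
"<ISO timestamp> <account> <terminal ip> <action> <camera> <footage date>".
"""
from __future__ import annotations

from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Assumption: the generic account known to be shared; the decision names none.
SHARED_ACCOUNTS = frozenset({"cctv_viewer"})

# Constructed sample log: three events under the generic account from two
# different terminals, two events under named accounts.
SAMPLE_LOG = """\
2025-02-20T09:01:12 cctv_viewer 10.20.0.11 VIEW cam07 2025-02-18
2025-02-20T09:03:40 cctv_viewer 10.20.0.14 EXPORT cam03 2025-02-17
2025-02-20T09:05:02 jlopez 10.20.0.12 VIEW cam01 2025-02-19
2025-02-20T09:05:55 cctv_viewer 10.20.0.11 VIEW cam07 2025-02-18
2025-02-20T10:12:00 mgarcia 10.20.0.13 EXPORT cam09 2025-02-16
"""


@dataclass(frozen=True)
class AccessEvent:
    ts: datetime
    account: str
    ip: str
    action: str
    camera: str
    footage_date: str


def parse_log(text: str) -> list[AccessEvent]:
    """Parse the assumed log format, skipping blank and comment lines; returns events in time order."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, account, ip, action, camera, fdate = line.split()
        events.append(AccessEvent(datetime.fromisoformat(ts), account, ip, action, camera, fdate))
    return sorted(events, key=lambda e: e.ts)


def split_by_attribution(events: list[AccessEvent], shared=SHARED_ACCOUNTS):
    """An event is attributable only if the account identifies one person."""
    attributable = [e for e in events if e.account not in shared]
    unattributable = [e for e in events if e.account in shared]
    return attributable, unattributable


def detect_shared_accounts(events: list[AccessEvent], window_seconds: int = 600) -> set[str]:
    """Flag accounts used from more than one terminal IP within the window.

    A nominal account belongs to one operator at one terminal, so two IPs in
    quick succession is the signal that a credential is being passed around.
    """
    by_account: dict[str, list[AccessEvent]] = defaultdict(list)
    for e in events:  # events are already time-ordered
        by_account[e.account].append(e)
    flagged = set()
    for account, evs in by_account.items():
        for i, a in enumerate(evs):
            for b in evs[i + 1:]:
                if (b.ts - a.ts).total_seconds() > window_seconds:
                    break  # later events are further away still
                if a.ip != b.ip:
                    flagged.add(account)
                    break
    return flagged


def unattributed_actions(events: list[AccessEvent], action: str = "EXPORT", shared=SHARED_ACCOUNTS):
    """Sensitive actions (footage exports by default) that cannot be tied to a person."""
    return [e for e in events if e.action == action and e.account in shared]


def report(text: str = SAMPLE_LOG) -> dict:
    """Summary an access review would record for this log extract."""
    events = parse_log(text)
    attributed, unattributed = split_by_attribution(events)
    return {
        "events": len(events),
        "attributable": len(attributed),
        "unattributable": len(unattributed),
        "suspected_shared": sorted(detect_shared_accounts(events)),
        "unattributed_exports": len(unattributed_actions(events)),
    }


if __name__ == "__main__":
    for key, value in report().items():
        print(f"{key}: {value}")
```

On the sample, three of five events and one of two exports cannot be attributed to anyone, and the generic account is flagged as shared from its usage pattern alone, which is the check the decision says the controller's audits never performed. Retaining logs for 90 days, as the bank did, adds nothing when every line names the same account; the useful control is the nominal account plus a review like this one that runs while the logs still exist.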

Entities

UNICAJA BANCO, S.A. (vendor)
GRUPO CONTROL EMPRESA DE SEGURIDAD, S.A. (vendor)