AEPD (Spain) - EXP202404507
Spanish DPA fines bank €400K for CCTV access via shared credentials violating GDPR Article 32.
Summary
Spain's AEPD (Data Protection Authority) imposed a €400,000 fine on Unicaja Banco for failing to implement proper access controls on its CCTV surveillance system. Staff at a contracted security firm accessed video footage through a single shared username and password, preventing individual attribution of actions and violating GDPR Article 32's requirement for appropriate technical and organizational security measures. The DPA rejected the bank's argument that responsibility lay solely with the processor, holding the controller ultimately accountable for ensuring these protections were implemented and supervised.
Full text
Latest revision as of 14:12, 29 April 2026
AEPD - EXP202404507
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 24.02.2025
Decided: 16.01.2026
Published:
Fine: 400000 EUR
Parties: UNICAJA BANCO, S.A.
National Case Number/Name: EXP202404507
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms
The DPA fined a bank €400,000 for allowing numerous staff members of its contracted security firm to access its CCTV system using a single shared username and password, in violation of Article 32 GDPR.
English Summary
Facts
UNICAJA BANCO, S.A. (the controller) is a bank.
In 2023, the controller entered into a service provision contract with a private security firm, GRUPO CONTROL EMPRESA DE SEGURIDAD, S.A. (the processor), under which the processor undertook to provide alarm installation and management services for the controller's offices, buildings and premises, including the operation of alarm control centres and the verification of alarms via video surveillance or CCTV. In that context, the controller operated a video surveillance system connected to a Central Alarm Receiving Centre (CRA) managed by the processor. The CRA staff, composed of ten operators and one coordinator, could access and review recorded CCTV footage, including footage used to verify suspected fraud and identity impersonation cases reported internally by the controller's Security Department.
A data subject lodged a formal complaint with the DPA, prompting it to open an investigation. The controller confirmed that access to the video surveillance system was made through a single shared username and password configured by another contractor responsible for the installation and maintenance of the CCTV system. As a result, the employees assigned to the CRA did not use individual credentials when accessing footage. Although access logs were retained for 90 days, those logs would in any event only show the shared account and the IP address of the terminal used, not the identity of the individual operator who had accessed the images. The investigation also showed that the contractual framework between the controller and the processor formally required nominal user accounts, role-based access, and traceability. However, the authority concluded that these requirements had not been effectively implemented in practice.
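Added example, not part of the GDPRhub page or the controller's own systems: a small attribution check that answers, over constructed log lines, the three questions the DPA raised (who accessed the footage, under which profile, and with what traceability). The log format, the roster of nominal accounts and the name of the shared account are assumptions made for the illustration.

```python
# Added example, not code from the decision or the bank: an attribution check over
# CCTV access logs. The "timestamp account source_ip action camera" format, the
# roster and every log line below are constructed for the illustration.
from collections import Counter

FIELDS = ("ts", "account", "src_ip", "action", "camera")
# Constructed roster: nominal account -> (operator, role).
ROSTER = {"a.lopez": ("A. Lopez", "operator"),
          "m.ruiz": ("M. Ruiz", "operator"),
          "j.garcia": ("J. Garcia", "coordinator")}
# Generic account set up by the installer and used by the whole control centre.
SHARED_ACCOUNTS = {"cra_cctv"}

def parse_log(lines):
    """Parse whitespace-separated log lines; blank lines and '#' comments are skipped."""
    return [dict(zip(FIELDS, ln.split())) for ln in lines
            if ln.strip() and not ln.lstrip().startswith("#")]

def attribute(event):
    """(person, role) behind an event, or None when the log only identifies a terminal."""
    if event["account"] in SHARED_ACCOUNTS:
        return None
    return ROSTER.get(event["account"])

def audit(lines):
    """Who accessed the footage, under which profile, and with what traceability."""
    events = parse_log(lines)
    unattributed = [e for e in events if attribute(e) is None]
    by_role = Counter(attribute(e)[1] for e in events if attribute(e))
    return {"total": len(events),
            "unattributed": len(unattributed),
            "unattributed_ips": sorted({e["src_ip"] for e in unattributed}),
            "by_role": dict(by_role),
            "traceable": not unattributed}

# Constructed samples: the shared-account configuration versus nominal accounts.
SHARED_LOG = """
2025-03-01T10:15:02 cra_cctv 10.20.30.41 EXPORT cam07
2025-03-01T11:40:19 cra_cctv 10.20.30.42 VIEW cam03
2025-03-02T09:05:55 cra_cctv 10.20.30.41 VIEW cam07
""".splitlines()
NOMINAL_LOG = """
2025-03-01T10:15:02 a.lopez 10.20.30.41 EXPORT cam07
2025-03-01T11:40:19 m.ruiz 10.20.30.42 VIEW cam03
2025-03-02T09:05:55 j.garcia 10.20.30.41 VIEW cam07
""".splitlines()
```

With the shared account every event is unattributed and the audit can only list terminal addresses, which is exactly the gap the DPA identified; with nominal accounts each event maps to a person and a role.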
The investigation further noted that the controller's DPIA and internal documentation already identified the need for formal user registration, periodic review of access rights, and logging of user activity, but those controls had not been operationalised in the relevant processing environment. In addition, the AEPD considered that the controller had not provided sufficiently specific operational instructions on how stored images were to be accessed, reviewed, or extracted in response to internal requests. The internal CRA protocol mainly regulated alarm handling, incidents and communications, but did not lay down detailed rules governing access to stored footage.
Holding
The DPA held that the controller infringed Article 32 GDPR by failing to implement appropriate technical and organisational measures to ensure the security of the processing of CCTV footage. In particular, the use of a generic shared account for access to surveillance images prevented proper attribution of actions to individual users and undermined access control and traceability in relation to a processing operation involving sensitive security-related footage.
The DPA rejected the controller's argument that the failure was attributable solely to its processor. It found that, even if contractual clauses required nominal accounts and role-based permissions, the controller remained responsible for ensuring that those measures were actually implemented and effectively supervised. The DPA also stressed that the audits and controls carried out by the controller had not focused on the most critical issue in this case, namely who could access the footage, under which profile, and with what degree of traceability.
The DPA fined the controller €500,000 in total for the violation of Article 32 GDPR. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the DPA informed the controller that it may make a voluntary payment of the proposed fine and waive its right to appeal.
This action reduces the imposed fine by 20%. The controller opted to make a voluntary payment, reducing the fine by 20% and paying the reduced sanction amount of €400,000.
English Machine Translation of the Decision
The decision below is a machine translation of