{{DPAdecisionBOX
|Jurisdiction=Spain
|DPA-BG-Color=background-color:#ffffff;
|DPAlogo=LogoES.jpg
|DPA_Abbrevation=AEPD
|DPA_With_Country=AEPD (Spain)
|Case_Number_Name=EXP202410843
|ECLI=
|Original_Source_Name_1=AEPD
|Original_Source_Link_1=https://www.aepd.es/documento/ps-00476-2024.pdf
|Original_Source_Language_1=Spanish
|Original_Source_Language__Code_1=ES
|Original_Source_Name_2=
|Original_Source_Link_2=
|Original_Source_Language_2=
|Original_Source_Language__Code_2=
|Type=Complaint
|Outcome=Upheld
|Date_Started=08.01.2024
|Date_Decided=09.12.2025
|Date_Published=19.02.2026
|Year=2025
|Fine=10,000
|Currency=EUR
|GDPR_Article_1=Article 5(1)(c) GDPR
|GDPR_Article_Link_1=Article 5 GDPR#1c
|GDPR_Article_2=
|GDPR_Article_Link_2=
|GDPR_Article_3=
|GDPR_Article_Link_3=
|EU_Law_Name_1=
|EU_Law_Link_1=
|EU_Law_Name_2=
|EU_Law_Link_2=
|National_Law_Name_1=
|National_Law_Link_1=
|National_Law_Name_2=
|National_Law_Link_2=
|Party_Name_1=
|Party_Link_1=
|Party_Name_2=
|Party_Link_2=
|Appeal_To_Body=
|Appeal_To_Case_Number_Name=
|Appeal_To_Status=
|Appeal_To_Link=
|Initial_Contributor=RP
|
}}
The Spanish DPA fined a financial institution €8,000 for violating [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by requesting unnecessary ID photos for loan cancellations and ordered the use of less intrusive verification methods.
== English Summary ==
=== Facts ===
On 8 January 2024, a data subject filed a complaint against KVIKU SPAIN, S.L. (the controller). The controller is an online financial institution that handles sensitive personal and financial data as part of its core operations. The data subject alleged that the controller required them to submit a photograph holding their identity card to cancel a loan.
The Spanish DPA (AEPD) examined the complaint and opened an investigation for the possible infringement of [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]], requesting information from the controller.
=== Holding ===
The AEPD held that the controller violated [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]]. The investigation established that the requested photograph was not necessary to verify the identity of the data subject. Alternative verification methods existed that would achieve the same purpose without collecting additional sensitive personal data. The practice affected not only the data subject who filed the complaint but all customers wishing to cancel a loan. The controller acted negligently by requiring the photograph without assessing the privacy risks or considering less intrusive options.
Consequently, the AEPD imposed an administrative fine of €10,000. It also ordered the controller to implement, within one month, procedures ensuring that identity verification in loan cancellation processes complies with [[Article 5 GDPR#1c|Article 5(1)(c) GDPR]] by using less intrusive methods.
== Comment ==
Under Spanish administrative law, the controller chose voluntary payment, which reduced the fine by 20% to €8,000.
== Further Resources ==
”Share blogs or news articles here!”
== English Machine Translation of the Decision ==
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
<pre>
1/19
File No.: EXP202410843
RESOLUTION OF TERMINATION OF PROCEEDINGS DUE TO VOLUNTARY PAYMENT
From the proceedings initiated by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On February 3, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against KVIKU SPAIN, S.L.
(hereinafter, KVIKU). Having been notified of the initiation agreement and after analyzing the allegations
submitted, on December 3, 2025, the proposed resolution was issued, which is transcribed below:
<<
File No.: EXP202410843
PROPOSED RESOLUTION OF SANCTIONING PROCEEDINGS
From the proceedings initiated by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: On June 6, 2024, a complaint was filed with the Spanish Data Protection Agency regarding a possible infringement attributable to KVIKU
SPAIN, S.L., with Tax Identification Number B09804295 (hereinafter, KVIKU).
The facts brought to the attention of this authority:
The complainant states that he took out a loan with KVIKU. He adds that, upon realizing that the fees were excessive, he contacted KVIKU to cancel the contract. He states that the company required him to provide “a photo of himself holding his ID card” in order to process the loan cancellation request.
He includes the following with his complaint:
– Screenshots of his loan history, showing the disputed portion, as well as proof of the transfer made on May 21, 2024, for the full repayment.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeaepd.gob.es 2/19
– Screenshots of emails exchanged with KVIKU regarding outstanding payment requests.
– Responses regarding how to request early repayment.
– Message regarding the repayment request.
– Communication dated May 8, 2024, regarding the payment made, as well as
the response received in which the respondent states the following: “Good morning, here is the response to your request (…): your photo with your ID card.”
– Copy of the requested ID card photo.
– Copies of subsequent emails, dated May 17 and 18, 2024, in which the claimant reiterates the request for loan cancellation, attaching two files: proof of the transfer made for the full refund and copies of various responses from the respondent indicating, on the one hand, that they are processing the request, and on the other hand, a copy of a generic response alluding to a clause in the contract.
– Emails from the respondent, dated May 23 and 27, 2024, demanding outstanding payments.
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the complaint was forwarded to KVIKU so that it could analyze it and inform this Agency, within one month, of the actions taken to comply with the requirements of data protection regulations.
The notification of the complaint, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), by electronic notification, was not accessed by the respondent within the deadline and was therefore deemed rejected pursuant to Article 43.2 of the LPACAP on August 12, 2024, as evidenced by the certificate included in the file.
Although the notification was made electronically, a copy was sent by mail for informational purposes and was duly served on August 21, 2024.
In this notification, the respondent was reminded of their obligation to interact electronically with the Administration and was informed of the means of accessing such notifications, reiterating that, henceforth, they would be notified exclusively electronically.
It should be noted that no response was received to the transfer document within the one-month period stipulated. However, approximately one year after its notification and outside the established deadline, on June 10, 2025, KVIKU submitted a response stating, in summary, that:
1) KVIKU has been unable to delete the interested party’s personal data, since the interested party has not fully repaid the loan.
2) KVIKU must comply with the provisions of the Law on the Prevention of Money Laundering and the Financing of Terrorism, which obliges financial institutions to reliably verify the identity of their clients through the presentation of their National Identity Document.
3) Regarding measures to prevent similar incidents, no measures have been adopted, as no incident has occurred to justify them. The legal basis for processing the data subject’s personal data lies in the existing contractual relationship between the parties.
4) Regarding the request for a photograph of the data subject holding their ID card, if the Spanish Data Protection Agency (AEPD) considers that this practice does not comply with current data protection regulations and expressly requires its cessation, this entity will proceed to delete it.
THIRD: On September 6, 2024, in accordance with Article 65 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), the complaint was admitted for processing.
FOURTH: According to the report obtained from the AXESOR tool, the entity
KVIKU SPAIN, S.L. is an SME (Microenterprise), established in 2022 with a share capital of €3,000, for which no profit and loss statement information is available.
FIFTH: On February 3, 2025, the Spanish Data Protection Agency (AEPD) agreed to initiate sanction proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of the LPACAP (Law on the Common Administrative Procedure of Public Administrations), for the alleged infringement of Article 5.1.c) of the GDPR, as defined in Article 83.5 of the GDPR.
SIXTH: The aforementioned Notice of Initiation was served in accordance with the provisions of the LPACAP, and since electronic notification is mandatory in this case, there is no record that the interested party accessed its content. In accordance with applicable regulations, when electronic notification is mandatory, it will be considered rejected once ten calendar days have elapsed since its availability without its content having been accessed.
SEVENTH: A list of documents included in the proceedings is attached as an annex.
From the actions taken in this proceeding and the documentation contained in the file, the following facts have been established:
PROVEN FACTS
FIRST: The parties, KVIKU and the claimant, have a loan agreement
identified by number (…).
SECOND: To process the cancellation of a loan, KVIKU requires the claimant to provide a photograph in which they are holding their National Identity Document (DNI)
in order to verify their identity.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers conferred upon each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR) and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) stipulates that: “The procedures
processed by the Spanish Data Protection Agency shall be governed by the provisions
of Regulation (EU) 2016/679, by this Organic Law, by the implementing regulations issued thereunder, and, insofar as they do not contradict them,
subsidiarily, by the general rules on administrative procedures.”
II
Response to the letter dated June 10, 2025, regarding the transfer of the
complaint
In response to the letter submitted on June 10, 2025, by the
respondent, the following should be noted:
Regarding the denial of the data subject’s right to erasure of personal data:
According to the respondent, the right to erasure cannot be granted, given that the
parties have a current loan agreement and the retention of the data
is necessary for its execution. Pursuant to Article 17.3(b) of the GDPR, the
data controller may refuse erasure when the processing is
necessary for compliance with a legal obligation. Likewise, Article 6.1(b) of the
GDPR legitimizes the processing of personal data when it is necessary for the
performance of a contract to which the data subject is a party.
In this regard, this Agency wishes to point out that the failure to process a request for the erasure of personal data is not the subject of this procedure.
Compliance with sector-specific regulations. Principle of data minimization:
The entity argues that it must comply with its sector-specific regulations, specifically the Law on the Prevention of Money Laundering and the Financing of Terrorism.
In this respect, this Agency wishes to point out that the applicable sector-specific regulations are neither contrary to nor incompatible with the principles established in data protection legislation. On the contrary, both regulatory frameworks can and should be applied concurrently, without compliance with one excluding or preventing compliance with the other.
In this respect, the GDPR is cross-cutting and applies to all
processing of personal data, regardless of the sector, unless expressly provided otherwise.
Sector-specific regulations do not exempt entities from respecting the fundamental
principles of processing, particularly those of lawfulness, fairness, transparency,
data minimization, and purpose limitation. Therefore, the entity is obligated to adopt the
necessary measures to reconcile the requirements of its sector-specific regulations with
full compliance with data protection regulations, and cannot invoke
a supposed incompatibility that does not exist.
Now, Law 10/2010, of April 28, on the prevention of money laundering and
the financing of terrorism (hereinafter LPBC), imposes on obliged entities,
in this case the defendant, as a due diligence measure, the obligation to
identify individuals who intend to establish business relationships with them or
participate in any transactions.
Article 7.3 of the LPBC (Law on the Prevention of Money Laundering and Terrorist Financing) prohibits obligated entities from establishing business relationships or executing transactions when they cannot apply the aforementioned due diligence measures.
Therefore, the respondent must identify the individuals carrying out an early loan repayment transaction.
Non-face-to-face transactions require the due diligence measures for customer identification established in Article 12 of the LPBC and Article 13 of the LPBC. Article 21 of Royal Decree 304/2014, of May 5, approving the Regulations of the AML/CFT Law,
provides the following:
Article 12 AML/CFT Business Relationships and Non-Face-to-Face Transactions
1. Obligated entities may establish business relationships or execute transactions via telephone, electronic, or telematic means with clients who are not physically present, provided that one of the following circumstances applies:
a) The client’s identity is verified by means of a qualified electronic signature regulated in Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC. In this
case, obtaining a copy of the document will not be necessary, although it will be
mandatory to retain the identification data that justifies the
validity of the procedure. In all other cases, when the electronic signature
used does not meet the requirements of a qualified electronic signature, obtaining a copy of the identification document within one month will still be mandatory.
b) The first payment comes from an account in the name of the same client opened
with an entity domiciled in Spain, in the European Union, or in equivalent
third countries.
c) The requirements established by regulation are met.
In any case, within one month of establishing the business relationship, the obliged parties must obtain from these clients a copy of
the documents necessary to carry out due diligence.
When discrepancies are found between the data provided by the client and
other information accessible to or held by the obliged entity, it will be mandatory
to proceed with in-person identification.
Obliged entities will adopt additional due diligence measures
when, in the course of the business relationship, they identify risks exceeding the
average risk.
2. Obliged entities will establish policies and procedures to address
the specific risks associated with business relationships and transactions
conducted remotely.
Article 21. Requirements in business relationships and transactions conducted remotely.
1. Obligated entities may establish business relationships or execute
transactions via telephone, electronic, or telematics means with
clients who are not physically present, provided that
one of the following circumstances applies:
a) The client’s identity is verified in accordance with the provisions
of the applicable regulations on electronic signatures.
b) The client’s identity is verified by means of a copy of the
identity document, as established in Article 6, provided that
said copy is issued by a notary public.
c) The initial payment originates from an account in the client’s name opened
with an entity domiciled in Spain, the European Union, or equivalent
third countries.
d) The client’s identity is verified through the use of other
secure client identification procedures in non-face-to-face transactions, provided that such procedures have been previously
authorized by the Executive Service of the Commission for the Prevention of
Money Laundering and Monetary Offenses (hereinafter, the Commission’s Executive Service).
In any case, within one month of establishing the non-face-to-face business relationship, the obliged entities must obtain from these
clients a copy of the documents necessary to carry out due diligence.
2. The criteria for verifying customer identity in relation to
the obligated entities subject to Law 13/2011 of May 27, on
the regulation of gambling, and its implementing regulations, will be determined in the
general licensing process by the Directorate General for
Gambling Regulation, following a favorable report from the Executive Service of the
Commission.
The regulations on the prevention of money laundering establish an obligation of
identification, but have not provided for the identification of customers through the system
used by the respondent.
Therefore, in the case at hand, this allegation must be rejected, since the
respondent has established an identification procedure for loan cancellation transactions
with requirements that are not supported by the
sectoral regulations. Therefore, the use of means in addition to those expressly provided for in
the law must respect the principle of data minimization (Article 5.1.c of the GDPR).
Therefore, identity verification in these types of transactions must
be carried out using only the data strictly necessary for the intended purpose.
In this case, there are less intrusive means to comply with anti-money laundering regulations, such as providing a copy of the National Identity Document (DNI) issued by a notary public, or an electronic signature. Alternatively, if the claimant is
the client, verification can be done using identification systems already enabled by the entity.
These systems allow the claimant’s identity to be verified without needing to obtain a photograph of them holding their identity document, a more invasive measure that
the respondent has not justified.
Guidelines 4/2019 on Article 25, Data Protection by Design and by Default, state the following: the controller must verify whether the
purposes pursued can be achieved by processing less personal data, using less detailed or aggregated data, or even without processing personal data at all. This verification must be carried out before initiating any
processing, although it can also be carried out at any point in the
processing lifecycle.
Corrective Measures to be Implemented in Case of Infringement:
It should be noted that if the infringement is confirmed, as indicated in Legal Basis Seven, the resolution issued may establish the corrective measures that the infringing entity must adopt to end the non-compliance with personal data protection legislation, in this case Article 5.1.c) of the GDPR, in accordance with the provisions of Article 58.2.d) of the GDPR, according to which each supervisory authority may “require the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified period…” Therefore, we refer to the aforementioned Legal Basis Seven.
III
Preliminary Issues
In the present case, in accordance with the provisions of Articles 4.1 and 4.2 of the GDPR, the processing of personal data is established, since KVIKU
carries out, among other processing activities, the collection and storage of personal data of
natural persons: name and surname, ID number, email address, financial data.
KVIKU carries out this activity in its capacity as data controller, since it is the entity that determines the purposes and means of such activity pursuant to Article 4.7 of the GDPR.
IV
Breach of Obligation. Data Minimization
Article 5.1(c) of the GDPR stipulates:
“1. Personal data shall be:
(…)
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);”
It is worth mentioning the considerations regarding the principle of data minimization made by the European Data Protection Board (EDPB) in Guidelines 4/2019, “relating to Article 25, Data protection by design and by default”, version 2.0, dated 20/10/2020, adopted in compliance with the function entrusted to it by Article 70 of the GDPR to ensure its consistent application.
Paragraph 74 of these guidelines states that:
“First, data controllers must determine whether they even need to process personal data for their relevant purposes. The controller must verify whether the relevant purposes can be achieved by processing less personal data, or by using less detailed or aggregated personal data, or without processing personal data at all. This verification must take place before any processing, but can also be carried out at any time during the processing cycle.”
And in paragraph 76, these Guidelines 4/2019 indicate that the following may be “Essential by design and default elements with regard to data minimization,” among others:
• Avoidance of data: All processing of personal data will be avoided where possible to achieve the relevant purpose.
• Restriction: The amount of personal data collected will be limited to what is strictly necessary for the intended purpose.
• Access limitation: Data processing will be configured to minimize the number of people who need access to personal data to perform their functions, and access will be limited accordingly.
• Relevance: Personal data must be relevant to the processing in question, and the data controller must be able to demonstrate such relevance.
• Necessity: Each category of personal data will be necessary for the specified purposes and will only be processed if it is not possible to achieve those purposes by other means.
• …
On the other hand, the CJEU judgment of 4 October 2024, in Case C-446/21, states that
“Thirdly, as regards the fact that the personal data to which the main proceedings relate are collected, aggregated, analyzed and processed for the purpose of proposing targeted advertising, without distinction based on the nature of the data, it is important to recall that the Court of Justice has already held that, taking into account the principle of data minimization set out in Article 5(1)(c) of the GDPR, the controller may not proceed, in a generalized and indiscriminate manner, to collect personal data and must refrain from collecting data that are not strictly necessary in relation to the purposes of the processing [judgment of 24 February 2022, Valsts ieņēmumu dienests (Processing of personal data for tax purposes), C-175/20, EU:C:2022:124, paragraph 74]”.
The aforementioned principle of data minimization aims to ensure that only data strictly necessary to achieve the legitimate purpose of the processing is processed, avoiding
the excessive or disproportionate processing of personal data. Its main objective
is to protect the rights and freedoms of natural persons, reducing the risks
associated with the unnecessary processing of personal data.
In this case, the complaint filed indicates that KVIKU allegedly
requested a photo of the complainant holding their ID card to cancel a loan.
However, KVIKU’s processing of the complainant’s personal data to terminate its services must be governed by the principles set out in Article 5 of the GDPR, and in particular by the so-called “principle of data minimization” provided for in Article 5.1.c of the GDPR, which requires that no data unnecessary to verify the data subject’s true identity be requested.
In short, the identification obligation can be fulfilled without requesting
a photograph of the claimant holding their ID card, as there are other
equally valid alternatives that pose less risk to the rights and freedoms of
individuals and allow for this verification in an equally effective and
less intrusive manner.
Given the circumstances, it is understood that requiring the submission
of a photograph of the claimant holding their ID card to cancel
a previously contracted loan constitutes excessive processing of
personal data, since this data is inadequate, irrelevant, and unnecessary for the
specific purpose of the processing in question.
Therefore, in accordance with the proven facts in this proposed sanctioning procedure, the known facts are considered to constitute an infringement attributable to KVIKU for violation of the article transcribed above.
V
Classification of the infringement of Article 5.1.c) of the GDPR and qualification for the purposes of the statute of limitations
Article 83.5 of the GDPR classifies as an administrative infringement the violation of the following articles, which will be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of its total annual global turnover of the preceding financial year, whichever is higher:
“(a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7 and 9;
(b) the rights of data subjects pursuant to Articles 12 to 22;
(c) transfers of personal data to a recipient in a third country or an international organisation pursuant to Articles 44 to 49;
(d) any obligation under the law of Member States adopted pursuant to Chapter IX;
(e) failure to comply with a decision or a temporary or permanent limitation on processing or the suspension of data flows by the supervisory authority pursuant to Article 58(2), or failure to provide access in violation of Article 58(1).”
For its part, the LOPDGDD, in its Article 71, Infringements, states that:
“The acts and conduct referred to in paragraphs 4,
5 and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are
contrary to this Organic Law, constitute infringements.”
For the sole purpose of the limitation period, Article 72.1 of the LOPDGDD establishes the following:
“In accordance with the provisions of Article 83.5 of Regulation (EU) 2016/679, infringements that constitute a substantial breach of the articles mentioned therein are considered very serious and subject to a three-year statute of limitations, in particular the following:
a) The processing of personal data in violation of the principles and safeguards established in Article 5 of Regulation (EU) 2016/679.”
VI
Proposed Sanction
In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed. These provisions state:
“1. Each supervisory authority shall ensure that the imposition of administrative fines under this Article for infringements of this Regulation referred to in paragraphs 4, 5 and 6 is, in each individual case, effective, proportionate and dissuasive.
2. Administrative fines shall be imposed, depending on the circumstances of each
individual case, in addition to or as an alternative to the measures provided for in
Article 58(2)(a) to (h) and (j). When deciding on the imposition of an
administrative fine and its amount in each individual case, due consideration shall be given to:
(a) the nature, seriousness, and duration of the infringement, taking into account the
nature, scope, or purpose of the processing operation concerned, as well as the
number of data subjects affected and the level of damage they have suffered;
(b) the intent or negligence of the infringement;
(c) any measures taken by the controller or processor to
remedy the damage suffered by the data subjects;
(d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;
(e) any prior infringement committed by the controller or processor;
f) the degree of cooperation with the supervisory authority with a view to remedying the infringement and mitigating its possible adverse effects;
g) the categories of personal data affected by the infringement;
h) how the supervisory authority became aware of the infringement, in particular whether and, if so, to what extent the controller or processor notified the infringement;
i) where the measures referred to in Article 58(2) have been previously ordered against the controller or processor concerned in relation to the same matter, compliance with those measures;
(j) adherence to codes of conduct pursuant to Article 40 or to approved certification mechanisms pursuant to Article 42, and
(k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.”
For its part, Article 76, “Sanctions and Corrective Measures,” of the LOPDGDD (Spanish Data Protection Law) provides:
“1. The sanctions provided for in paragraphs 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the criteria for determining the severity of the sanction established in paragraph 2 of said article.
2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuing nature of the infringement.
b) The connection between the infringer’s activity and the processing of personal data.
c) The benefits obtained as a result of committing the infringement.
d) The possibility that the data subject’s conduct may have induced the commission of the infringement.
e) The existence of a merger by acquisition subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Appointing a data protection officer, when not mandatory.
h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where disputes arise between them and any data subject.”
In this case, considering the seriousness of the potential infringement, and especially the consequences for those affected, a fine should be imposed, in addition to the adoption of measures.
The fine imposed must be, in each individual case, effective, proportionate, and dissuasive, in accordance with Article 83.1 of the GDPR.
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the proven facts in this proposed sanctioning procedure, it is considered appropriate to determine the sanction to be imposed according to the following circumstances, contemplated in the aforementioned provisions.
As a preliminary matter, the following circumstances are considered to exist:
• The nature, seriousness, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation in question, as well as the number of data subjects affected and the level of damage they have suffered (Article 83.2(a) of the GDPR):
In this regard, it should be noted that the number of affected parties is high, even though only one complaint has been received, since the practice affects all of the defendant’s clients who wish to carry out a loan cancellation operation.
• Intentionality or negligence in the infringement (Article 83.2(b) of the GDPR): The entity acted negligently by requesting a photograph of the complainant holding their ID card without adequately assessing that this practice could be excessive and contrary to the principle of data minimization.
• Categories of personal data affected by the infringement (Article 83.2(g) of the GDPR): The processing involves the photograph of the complainant holding their ID card. Capturing both images (the person’s face and their identity document) together creates additional risks of identity theft.
As a criterion for determining the severity of the offense under Article 76.2 of the LOPDGDD (Spanish Data Protection Law), applied as an aggravating factor:
• The connection between the offender’s activity and the processing of personal data (Article 76.2(b) of the LOPDGDD): This circumstance applies to a financial institution dedicated to granting online loans, since its main activity is intrinsically linked to the intensive processing of personal data. Institutions of this type manage identifying, financial, and asset information of individuals, which requires strict compliance with data protection regulations given the high risks involved for the rights and freedoms of these individuals. Consequently, non-compliance with the regulations in this context is more serious because data processing is not an accessory characteristic but a central aspect of the activity of the entity being sued, which justifies including this circumstance within the framework of the sanctioning procedure.
For the purposes of deciding on the imposition of an administrative fine and its amount, in accordance with the proven facts available at this time in the proposed resolution of the sanctioning procedure, it is considered that the balance of the circumstances contemplated in Article 83.2 of the GDPR and Article 76.2 of the LOPDGDD, with respect to the infringement committed by violating the provisions of Article 5.1.c) of the GDPR, allows for proposing an administrative fine of €10,000.00.
VII
Corrective Measures
The resolution issued may establish the corrective measures that the infringing entity must adopt to end the non-compliance with the legislation on personal data protection, in this case Article 5.1.c) of the GDPR, in accordance with the provisions of Article 58.2.d) of the GDPR, according to which each supervisory authority may “require the controller or processor to bring the processing operations into compliance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified time frame…”
Thus, the responsible entity may be required to adapt its actions to the personal data protection regulations, to the extent expressed in the previous Legal Basis.
This document establishes the alleged infringement and the facts that could give rise to this possible violation of data protection regulations. From this, the measures to be adopted are clearly inferred, without prejudice to the fact that the specific procedures, mechanisms, or instruments for implementing them correspond to the sanctioned party, since it is the data controller who fully knows their organization and must decide, based on proactive responsibility and a risk-based approach, how to comply with the GDPR and the LOPDGDD.
However, in this case, notwithstanding the foregoing, in accordance with the proven facts available at this time for the proposed sanctioning procedure, it is proposed that the resolution adopted require KVIKU to adopt the following measures within one month from the date of enforcement of the final resolution of this procedure:
– Demonstrate that it has adopted measures to ensure that identity verification in loan cancellation procedures is carried out using options that guarantee compliance with Article 5.1 c of the GDPR.
The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided for in Article 83.2 of the GDPR.
Please be advised that failure to comply with any order to adopt measures imposed by this agency in the resolution of this sanctioning procedure may be considered an administrative infringement in accordance with the GDPR, classified as an infringement in Articles 83.5 and 83.6, and such conduct may lead to the initiation of further administrative sanctioning proceedings.
Furthermore, please note that neither acknowledgment of the infringement committed nor, where applicable, voluntary payment of the proposed amounts, exempts you from the obligation to adopt the appropriate measures to cease the conduct or correct the effects of the infringement committed, and from the obligation to demonstrate compliance with this obligation to the Spanish Data Protection Agency (AEPD).
In view of the foregoing, the following
PROPOSED RESOLUTION is issued:
That the President of the Spanish Data Protection Agency sanction KVIKU SPAIN, S.L., with Tax Identification Number B09804295, for an infringement of Article 5.1.c) of the GDPR, as defined in Article 83.5 of the GDPR, with a fine of €10,000.00.
That the Presidency of the Spanish Data Protection Agency order KVIKU SPAIN, S.L., with Tax Identification Number B09804295, pursuant to Article 58.2.d) of the GDPR, within a maximum period of one month:
– Provide proof of having adopted measures whereby identity verification in loan cancellation procedures is carried out through options that guarantee compliance with Article 5.1 c of the GDPR.
Furthermore, in accordance with the provisions of Article 85.2 of the LPACAP, you are hereby informed that you may, at any time prior to the resolution of these proceedings, make voluntary payment of the proposed penalty, which will result in a 20% reduction of the amount. With the application of this reduction, the penalty would be set at €8,000.00 and its payment will result in the termination of the proceedings, without prejudice to the imposition of the corresponding measures. The effectiveness of this reduction will be conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty.
Should you choose to make voluntary payment of the amount specified above, in accordance with the provisions of Article 85.2, you must make the payment by depositing it into the restricted account no. IBAN: ES00-0000-0000-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) held in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating in the payment details the reference number of the procedure shown in the heading of this document and the reason for the reduction of the penalty amount due to voluntary payment. You must also send proof of payment to the General Sub-Directorate of Inspection to close the file.
In compliance with Articles 14, 41, and 43 of the LPACAP (Law on the Legal Regime of Public Administrations and Common Administrative Procedure), please be advised that, henceforth, all notifications sent to you will be made exclusively electronically, through the Single Authorized Electronic Address (dehu.redsara.es) and the Electronic Headquarters (sedeaepd.gob.es). Failure to access these notifications will result in a record of your rejection in the file, thus completing the process and continuing the procedure. You are hereby informed that you may provide this Agency with an email address to receive notifications when they are available. Failure to respond to this notification will not invalidate the notification, which remains fully valid.
Therefore, you are hereby notified of the foregoing, and the procedure is made available to you so that within TEN DAYS you may submit any arguments you deem relevant in your defense and present any documents and information you consider pertinent, in accordance with Article 89.2 of the LPACAP (Law on Administrative Procedure of Public Administrations).
926-250625
A.A.A.
INSPECTOR/INSTRUCTOR
ANNEX
File Index EXP202410843
06/06/2024 Claim from B.B.B.
01/08/2024 Claim transferred to KVIKU SPAIN, S.L.
12/08/2024 Reiteration to KVIKU SPAIN, S.L.
06/09/2024 Letter to B.B.B.
04/02/2025 Commencement Agreement to KVIKU SPAIN, S.L.
15/02/2025 Letter to B.B.B.
10/06/2025 Response to request from KVIKU SPAIN, S.L.
>>
SECOND: On December 9, 2025, KVIKU paid the penalty in the amount of €8,000.00, taking advantage of the reduction provided for in the aforementioned resolution proposal.
THIRD: The proposed resolution transcribed above established the facts constituting the infringement and proposed that the Chair require the responsible party to adopt appropriate measures to bring its actions into compliance with the regulations, in accordance with the provisions of Article 58.2 d) of the GDPR, which states that each supervisory authority may “require the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specific manner and within a specified time period…”.
LEGAL BASIS
I
Jurisdiction
In accordance with the powers conferred upon each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR)
and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the Presidency of the Spanish Data Protection Agency is competent to resolve this procedure.
Likewise, Article 63.2 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights) stipulates that: “The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the implementing regulations issued thereunder, and, insofar as they do not contradict them, subsidiarily, by the general rules on administrative procedures.”
II
Termination of the Procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), under the heading
“Termination of Sanctioning Procedures,” provides the following:
“1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved by imposing the corresponding sanction.
2. When the sanction is solely monetary, or when a monetary sanction and a non-monetary sanction are applicable but the inappropriateness of the latter has been justified, voluntary payment by the alleged offender, at any time prior to the resolution, will imply the termination of the procedure, except with regard to the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the infraction.
3. In both cases, when the sanction is solely monetary, the competent body to resolve the procedure shall apply reductions of at least 20% to the amount of the proposed sanction, and these reductions may be combined. The aforementioned reductions must be specified in the notification initiating the procedure, and their effectiveness shall be conditional upon the withdrawal or waiver of any action or appeal through administrative channels against the sanction. The percentage reduction provided for in this section may be increased by regulation.”
III
Voluntary Payment
In accordance with the provisions of Article 85 of the LPACAP, the notified resolution proposal allowed for voluntary payment of the proposed sanction, which would entail a 20% reduction of its amount. With the application of this reduction, the penalty would be set at €8,000.00, and its payment will result in the termination of the proceedings, without prejudice to the imposition of the corresponding measures.
Following the aforementioned proposed resolution, and before a decision was issued by this authority, KVIKU made a voluntary payment on December 9, 2025, taking advantage of the 20% reduction. In accordance with section 3 of Article 85 of the LPACAP (Law on Administrative Procedure), the effectiveness of the aforementioned reduction is conditional upon the withdrawal or waiver of any administrative action or appeal against the penalty.
It should be noted that, in accordance with the provisions of the LPACAP (Law on the Legal Regime of Public Administrations and Common Administrative Procedure), as well as the jurisprudence of the Supreme Court on this matter, the exercise of voluntary payment by the alleged offender does not exempt the administration from the obligation to resolve and notify all proceedings, regardless of how they were initiated. Similarly, Article 88 of the aforementioned law establishes that the resolution that concludes the proceedings will decide all the issues raised by the interested parties and any others arising from them.
Therefore, in accordance with applicable legislation and having assessed the criteria for graduating the sanctions, the Presidency of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the commission of the infringements and CONFIRM the sanctions determined in the operative part of the proposed resolution transcribed in this resolution.
The sum of the aforementioned amounts totals €10,000.00.
After KVIKU SPAIN, S.L. made voluntary payment, although without acknowledging liability, a 20% reduction of the aforementioned total is applied, pursuant to Article 85 of the LPACAP (Law on Administrative Procedure), resulting in a final amount of €8,000.00.
The effectiveness of this reduction is conditional, in any case, on the withdrawal or waiver of any action or appeal through administrative channels.
SECOND: DECLARE the termination of procedure EXP202410843, in accordance with the provisions of Article 85 of the LPACAP.
THIRD: ORDER KVIKU SPAIN, S.L. to notify the Agency, within one month from the date this resolution becomes final and enforceable, of the adoption of the measures described in the legal grounds of the proposed resolution transcribed herein.
FOURTH: NOTIFY KVIKU SPAIN, S.L. of this resolution.
FIFTH: In accordance with the provisions of Article 85 of the LPACAP, which conditions the reduction for voluntary payment on the withdrawal or waiver of any action or appeal through administrative channels, this resolution will become final and fully enforceable upon notification.
In accordance with Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data and Guarantee of Digital Rights), this
Resolution will be made public. Publication will take place once the resolution has been notified to the interested parties.
This resolution, which concludes the administrative process as stipulated by Article 50 of the LOPDGDD, may be appealed: in accordance with Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file an appeal with the Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Administrative Jurisdiction, within two months from the day following notification of this act, as provided for in Article 46.1 of the aforementioned Law.
However, in accordance with the provisions of Article 90.3 a) of the LPACAP (Law on Administrative Procedure), the final administrative decision may be provisionally suspended if the interested party expresses their intention to file an appeal with the Administrative Court. If this is the case, the interested party must formally communicate this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency’s Electronic Registry [https://sedeaepd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of Law 39/2015, of October 1. They must also provide the Agency with documentation proving the effective filing of the appeal with the Administrative Court. If the Agency does not receive notification of the filing of an administrative appeal within two months of the day following notification of this resolution, it will terminate the precautionary suspension.
1331-101025
Lorenzo Cotino Hueso
President of the Spanish Data Protection Agency
</pre>