
🇪🇸 When a Loan Simulation on a Website Turns into a Real Loan…

Data Subject Rights, Retention & Minimisation | 26/03/2025

Right to Erasure Not Applied, a Bank Sanctioned by the AEPD
Source: AEPD decision PS 00196-2024

📝 Facts

A citizen ran a loan simulation on an online comparison website, Crezu.es. The site collects the user's data and passes it on via an API in order to find the most suitable loan offer.

🔄 Crezu redirected the user to the bank Kviku.es, which automatically generated a loan offer.

⚠️ Unlike traditional banks, which require formal validation and an unambiguous electronic signature before disbursing funds, Kviku deposited the loan amount into the user's account without any explicit acceptance on their part.

🤔 The user may not have realised that they were accepting a loan (or the acceptance conditions were ambiguous).

🚀 KVIKU used a fast-track process in which the user's validation on Crezu.es was enough to activate the loan.

💸 The user immediately repaid the unsolicited money along with interest.

🗑️ They then requested the deletion of their personal data, but:

·       KVIKU ignored their request

·       💰 KVIKU continued demanding additional payments

·       ⚠️ KVIKU threatened to register the user in credit-default files (ASNEF) for unpaid debts

Unable to assert their rights, the user filed a complaint in June 2023 with the AEPD (Spanish Data Protection Agency).

⚖️ Violations Identified by the AEPD

1. Violation of the Storage Limitation Principle (Article 5.1.e of the GDPR)

·       📂 KVIKU kept the complainant's personal data without any valid reason to retain it.

·       🛑 KVIKU’s privacy policy stated that data was retained, even if the loan application was not approved.

·       The GDPR requires that personal data be kept no longer than is necessary for the purposes for which it was collected, and that it be deleted (or anonymised) once that purpose is fulfilled.

2. Failure to Respect the Right to Erasure (Right to be Forgotten) (Article 17 of the GDPR)

·       🗑️ The user exercised their right to erasure, but KVIKU neither replied to the request nor carried it out.

·       The company should have acted on the request within one month of receiving it and, if it refused, informed the user of the reasons for the refusal and of their right to complain to the supervisory authority.

·       Instead, KVIKU continued to contact the user, demanding money.

💰 Consequences and Sanctions

Administrative sanction: €6,000 in total

·       💶 €4,000 fine for unlawful data retention (Article 5.1.e of the GDPR)

·       🛑 €2,000 fine for failure to comply with the right to erasure (Article 17 of the GDPR)

📜 Corrective measures: KVIKU was ordered, within three months, to bring its data retention policy into compliance and to act on the complainant's deletion request.
