Administrative fine against S-Pankki: lessons on testing and incident handling
- Background: what happened at S-Pankki?
- Why did it result in a sanction? Aligning with a GDPR risk assessment
- GDPR’s applicability despite sector-specific rules
- What should S-Pankki have done differently? Insights for a GDPR risk assessment
- Lessons for other businesses: embed a GDPR risk assessment
- How we can help with your GDPR risk assessment
When strong authentication fails, the consequences can be far-reaching. The Finnish bank S-Pankki recently received an administrative fine following a serious personal data breach that exposed weaknesses in both software testing and incident handling. The decision holds lessons for any organisation that processes personal data, and a GDPR risk assessment is a practical way to address the same risks before they materialise.
Background: what happened at S-Pankki?
The fault arose in the bank's strong authentication system. A software defect made it possible to log in to online banking and other services requiring strong authentication using another customer's credentials, so that a session could end up bound to an identity other than the one that had been authenticated.
The bank received initial customer reports in spring 2022. However, it took several months before the personal data incident was fully identified and notified to the Data Protection Authority.
Why did it result in a sanction? Aligning with a GDPR risk assessment
The Data Protection Authority concluded that the bank had failed on two central points:
- Insufficient testing: Before launching the authentication solution, the bank had not ensured that testing covered all user flows. The authority considered that broader software testing coverage could have surfaced the defect in time.
- Slow incident handling: Once the first customer reports arrived, the bank should have recognised the severity more quickly and acted.
The decision rested on several GDPR provisions:
- Article 5(1)(f): the integrity and confidentiality principle, which requires processing to be protected against unauthorised access.
- Article 25: data protection by design and by default, meaning that security must be built into the system from the design stage rather than added afterwards.
- Article 32: security of processing, which requires technical and organisational measures appropriate to the risk.
GDPR’s applicability despite sector-specific rules
S-Pankki argued that strong authentication is already governed by special legislation and that the data protection authority’s remit should therefore not apply. The authority rejected this. The conclusion was that the GDPR applies in parallel and the Data Protection Authority may intervene where personal data processing fails to meet the Regulation’s requirements.
What should S-Pankki have done differently? Insights for a GDPR risk assessment
The decision clarifies what is expected of an organisation:
- Conduct comprehensive testing: The software should have been tested against a broader set of user cases so that the defect was detected before release; this is part of the technical and organisational measures required by Article 32.
- Map all user flows: At the design stage, the bank should already have identified the different paths a user can take through the authentication system, including paths that combine or interrupt steps, and disabled every flow that was not intended; this is what data protection by design means in practice.
- Respond faster to signals: Customer reports of being logged in as someone else should have been treated as a potential breach from the outset and triaged by subject-matter experts, rather than handled as ordinary support tickets.
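As an added, constructed illustration of the flow-mapping point above (this is not the bank's code, and the defect it models is hypothetical, not the one in the decision): a small authentication state machine is driven through every interleaving of two users' login steps, and an invariant is checked after each run, namely that a session may only be bound to an identity whose login that same session started. The `strict` flag selects between a correct server, which keys the pending strong-authentication record by session and username, and a hypothetical weak variant that keys it by username only. The names `AuthServer`, `STEPS` and `find_violations` are invented for the example.

```python
"""Flow-enumeration test for an authentication state machine.

Constructed illustration only: the server model, the step alphabet and
the weak variant are hypothetical and are not S-Pankki's system or defect.
"""
import itertools
from dataclasses import dataclass, field


@dataclass
class AuthServer:
    # strict=True: the pending record is keyed by (session, username), so
    # only the session that started a login can complete it.
    # strict=False (hypothetical weak variant): pending records are keyed
    # by username alone, so the "strong auth confirmed" signal for a user
    # can complete that user's login inside any session.
    strict: bool = True
    pending: dict = field(default_factory=dict)   # key -> username
    sessions: dict = field(default_factory=dict)  # session id -> bound user

    def _key(self, session_id: str, username: str):
        return (session_id, username) if self.strict else username

    def start_login(self, session_id: str, username: str) -> None:
        """Step 1 of the flow: password accepted, strong auth still pending."""
        self.pending[self._key(session_id, username)] = username

    def confirm_strong_auth(self, session_id: str, username: str) -> bool:
        """Step 2 of the flow: the strong-authentication step completes."""
        user = self.pending.pop(self._key(session_id, username), None)
        if user is None:
            return False
        self.sessions[session_id] = user
        return True


# Step alphabet (constructed): two sessions, two users, plus one step in
# which session B tries to complete alice's pending strong authentication.
STEPS = [
    ("A", "start", "alice"), ("A", "confirm", "alice"),
    ("B", "start", "bob"), ("B", "confirm", "bob"),
    ("B", "confirm", "alice"),
]


def find_violations(strict: bool, max_len: int = 4) -> list:
    """Replay every interleaving of STEPS up to max_len on a fresh server.

    Returns the sequences after which some session is bound to an identity
    whose login that session never started itself (the invariant a
    flow-mapping exercise should pin down before release).
    """
    violations = []
    for n in range(1, max_len + 1):
        for seq in itertools.product(STEPS, repeat=n):
            srv = AuthServer(strict=strict)
            started = set()  # (session, user) pairs that began a login
            for sid, action, user in seq:
                if action == "start":
                    srv.start_login(sid, user)
                    started.add((sid, user))
                else:
                    srv.confirm_strong_auth(sid, user)
            bad = [(s, u) for s, u in srv.sessions.items()
                   if (s, u) not in started]
            if bad:
                violations.append(seq)
    return violations


def shortest_violation(strict: bool, max_len: int = 4):
    """The shortest step sequence that breaks the identity-binding invariant,
    or None when the server survives every enumerated flow."""
    viols = find_violations(strict, max_len)
    return min(viols, key=len) if viols else None


if __name__ == "__main__":
    print("strict server, shortest violation:", shortest_violation(True))
    print("weak server,   shortest violation:", shortest_violation(False))
```

The weak server fails on a two-step flow in which session A starts alice's login and session B receives the confirmation for alice; the strict server survives all 780 enumerated interleavings. A test of this shape is cheap to run in a build pipeline and surfaces exactly the class of cross-flow defect that per-flow happy-path tests miss.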
Lessons for other businesses: embed a GDPR risk assessment
This case is a reminder that GDPR is not only about documentation and legal bases; it is also about technical execution. For organisations operating across Europe, key takeaways include:
- Combine technology and organisation: Policies are not enough—systems must be secure in practice and demonstrably aligned with the integrity and confidentiality principle.
- Incident handling requires readiness: Customer signals may be the first indicators of a serious breach. Processes must exist to investigate and act quickly; under Article 33 a personal data breach must be notified to the supervisory authority without undue delay and, where feasible, within 72 hours of becoming aware of it, which is impossible if reports sit unassessed for months.
- Privacy by design in practice: During development, consider how different user scenarios affect security and validate outcomes through a data protection impact assessment.
How we can help with your GDPR risk assessment
At Morling Consulting, we help organisations build robust processes for testing, incident handling and impact evaluations. A data protection impact assessment can identify risks early and enable remediation before deficiencies trigger an administrative fine.
We also review software testing coverage, strengthen technical and organisational security measures, and benchmark controls against GDPR article 25 privacy by design and GDPR article 32 security of processing.
Contact us to discuss how a targeted GDPR risk assessment can harden your authentication journeys and protect customers.