Spain’s data protection authority, the Agencia Española de Protección de Datos (AEPD), recently fined CaixaBank €6 million (U.S. $7.3 million) for misuse of customer data.

It is the highest General Data Protection Regulation (GDPR) fine the Spanish regulator has handed out, surpassing a €5 million (U.S. $6.09 million) penalty against rival bank BBVA late last year for similar offenses.

The AEPD said CaixaBank violated Articles 6, 13, and 14 of the GDPR by failing to process personal data lawfully and by failing to inform customers adequately about its privacy policies.

The regulator found customers were expected to accept new privacy policies that allowed the bank to transfer their personal data to all the companies within the CaixaBank Group. At the same time, data subjects were not given a specific option to refuse consent to this transfer. Instead, if they wished to opt out of the transfer of their data, they were required to send a letter to each company in the group asking for the transfer not to go ahead.

The data authority ruled this was a “disproportionate procedure.”

It also found the information provided to customers under the privacy policy was not consistent, contained imprecise terminology, and did not provide sufficient explanation of the type of personal data processed and the nature of the processing. Also, the information on the rights of the data subjects, as well as the contact information of the controller, was not provided in a consistent manner, while the way in which the data was retained and processed went beyond the legitimate interests for which the information had originally been gathered. As such, transferring customers’ data throughout the group was not backed by valid consent and was therefore unlawful.

It is not the first time CaixaBank has had its fingers burned over data issues. The bank was previously fined by Spanish banking authorities for a lack of clarity in some of its customer documentation.

Spain has been the most active regulator under the GDPR, issuing some 175 fines, according to the GDPR Enforcement Tracker. Penalties have typically been low: around half have been below €10,000, and only four have reached more than €100,000.

Lawyers believe the fact that the AEPD’s only two multi-million-euro fines to date have been issued within recent months suggests the regulator is set to get tougher on big companies, especially where multiple GDPR infringements take place.

The CaixaBank case also highlights a number of issues around data sharing and consent (or lack of it) that data regulators are trying to untangle in a slew of other ongoing investigations—namely, tech firm WhatsApp’s data sharing arrangements with its parent company, Facebook.