Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 EUR on CAIXABANK, S.A.,

Feb 18, 2021

Source: European Data Protection Board

The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR). 

The AEPD considered that the document designed to comply with the information did not include enough information regarding the categories of personal data concerned, nor information about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 of the GDPR. Following Article 83 (5) b of the GDPR, a fine of 2.000.000 EUR was imposed. When deciding on the amount of the administrative fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise and its turnover.

On the other hand, the AEPD found that CAIXABANK did not provide with any mechanism to collect the data subject’s consent; that the data subject’s consent did not meet with all the elements of valid consent, and that the processing activities based on the company’s legitimate interest were not sufficiently justified; especially the relationship between the company’s activity and the processing of personal data. The AEPD concluded that this constituted a breach of Article 6 of the GDPR, and according to Article 83 (5) a of the GDPR, an administrative fine of 4.000.000 EUR was imposed. In deciding on the amount of the fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the degree of responsibility of the controller taking into account technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR; the benefits gained from the infringement; the categories of personal data affected by the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise and its turnover. 

In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months. 

To read the full decision in Spanish, click here.

For further information, please contact the Spanish DPA: prensa@aepd.es

The press release published here does not constitute official EDPB communication, nor an EDPB endorsement. This press release was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. As the press release is represented here as it appeared on the SA’s website or other channels of communication, the news item is only available in English or in the Member State’s official language with a short introduction in English. Any questions regarding this press release should be directed to the supervisory authority concerned.
 

Recent news

Norwegian DPA issues fine to Aquateknikk AS

The Norwegian Data Protection Authority has fined Aquateknikk AS EUR 10,000 (NOK 100,000) for having performed a credit rating on a private individual without legal basis. This case came in response to a complaint from a person who discovered that Aquateknikk had...

read more

Swedish DPA: Police unlawfully used facial recognition app

The Swedish Authority for Privacy Protection finds that the Swedish Police Authority has processed personal data in breach of the Swedish Criminal Data Act when using Clearview AI to identify individuals. Upon news in the media of the Swedish Police Authority using...

read more