Publications - 25/01/21

Spanish Data Protection Agency applies Millionaire Fine to Company for Violating Data Protection Regulations

The Agencia Española de Protección de Dados (“AEPD”), the independent government body responsible for ensuring compliance with data protection regulations in the country, issued a resolution on January 13, 2021, establishing a fine of 6 million euros for CaixaBank SA, due to the bank violation to General Data Protection Regulation (“GDPR”) provisions.

During the investigative process carried out by AEPD (case PS/ 00477/2019), evidence was found demonstrating a violation of articles 13 and 14 of the GDPR, in the sense that the information provided by CaixaBank in documents and channels was not uniform, the privacy policy had imprecise terminology, and information about the (i) category of processed personal data, (ii) the profiles of users, (i) the purpose of their specific use, (iv) the exercise of data retention rights were insufficient.

Violations of article 6 of the GDPR were also found, since the bank did not provide the regulatory agency with sufficient justifications for the legal basis for the processing of personal data, especially in relation to data processed based on legitimate interest. In addition, it was found that the requirements for obtaining valid user consent were not met, which, under the law, must be specific, unambiguous and informed. The processes used by the company to obtain customers’ consent for the processing of their data were considered deficient, making the transmission of personal data to CaixaBank Group companies illegal.

From the violations found, the regulatory agency stipulated a fine of 2 million euros, due to the violation of articles 13 and 14 of the GDPR, and 4 million euros due to the violation of article 6 of the GDPR. The bank is still obliged to modify its internal policies and procedures in order to implement the obligations provided for in the GDPR over the period of 6 months.

This represents, until now, the largest financial penalty issued by the AEPD in its exercise of ensuring compliance to the data protection legislation.