The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for :
- unlawful processing of its clients’ personal data (4.000.000 EUR); and
- not providing sufficient information regarding the processing of personal data (2.000.000 EUR).
In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months.
1. Lack of legal basis for processing personal data (4M€ fine)
According to he AEPD findings, CAIXABANK did not collect data subjects’ consent in compliance with the GDPR requirements.
Indeed, the Supervisory Authority reports that there was no mechanism to collect the data subject’s consent and therefore, it did not meet the conditions for a GDPR compliant consent.
Besides, the processing activities based on the company’s legitimate interest were not sufficiently justified, in particular, the relationship between the company’s activity and the processing of personal data.
The AEPD considered CAIXABANK had breached the article 6 of the GDPR, and on this basis, served an administrative fine of 4.000.000 EUR.
2. Insufficient information (2M€ fine)
The AEPD considered that the information notice was not specific enough regarding:
- the categories of personal data concerned (which is a requirement only under article 14 when data are not directly provided by the data subject);
- the purposes of the processing; and
- the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest.
Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 GDPR and served a fine of 2.000.000 EUR.
For a full reading of the decision in Spanish click here