Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines Caixabank €200,000 for processing data without a legal basis

On November 13, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00178-2023 in which it imposed a fine of €200,000 on CaixaBank Payments & Consumer E.F.C., E.P., S.A.U (CaixaBank) for violation of the General Data Protection Regulation (GDPR), following an investigation.

Background to the decision

The AEPD highlighted that the complainant had filed a court case disputing a debt allegedly owed to CaixaBank. However, before the case was concluded, CaixaBank forwarded the complainant's data to a credit reporting agency which listed the complainant as insolvent in the credit information database. As a result, the claimant was denied access to credit.

Findings of the AEPD

Following its investigation, the AEPD noted that the purpose of the credit information database was to provide information on the solvency of a debtor. Therefore, the AEPD determined that the inclusion of the complainant's data in the credit information database when the claimant had challenged the debt through judicial or arbitration proceedings was contrary to the purpose of the credit information database. Subsequently, the AEPD found that CaixaBank had violated Article 6 of the GDPR for processing the claimant's data without a legal basis.


In light of the above violation, the AEPD imposed a fine of €200,000 on CaixaBank. 

You can read the decision, only available in Spanish, here.