On November 13, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00178-2023 in which it imposed a fine of €200,000 on CaixaBank Payments & Consumer E.F.C., E.P., S.A.U (CaixaBank) for violation of the General Data Protection Regulation (GDPR), following an investigation.

Background to the decision

The AEPD highlighted that the complainant had filed a court case disputing a debt allegedly owed to CaixaBank. However, before the case was concluded, CaixaBank forwarded the complainant's data to a credit reporting agency which listed the complainant as insolvent in the credit information database. As a result, the claimant was denied access to credit.

Findings of the AEPD

Following its investigation, the AEPD noted that the purpose of the credit information database was to provide information on the solvency of a debtor. Therefore, the AEPD determined that the inclusion of the complainant's data in the credit information database when the claimant had challenged the debt through judicial or arbitration proceedings was contrary to the purpose of the credit information database. Subsequently, the AEPD found that CaixaBank had violated Article 6 of the GDPR for processing the claimant's data without a legal basis.

Outcomes

In light of the above violation, the AEPD imposed a fine of €200,000 on CaixaBank. 

You can read the decision, only available in Spanish, here.