Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Spain: AEPD fines Caixabank €200,000 for processing data without a legal basis
On November 13, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS-00178-2023 in which it imposed a fine of €200,000 on CaixaBank Payments & Consumer E.F.C., E.P., S.A.U (CaixaBank) for violation of the General Data Protection Regulation (GDPR), following an investigation.
Background to the decision
The AEPD highlighted that the complainant had filed a court case disputing a debt allegedly owed to CaixaBank. However, before the case was concluded, CaixaBank forwarded the complainant's data to a credit reporting agency which listed the complainant as insolvent in the credit information database. As a result, the claimant was denied access to credit.
Findings of the AEPD
Following its investigation, the AEPD noted that the purpose of the credit information database was to provide information on the solvency of a debtor. Therefore, the AEPD determined that the inclusion of the complainant's data in the credit information database when the claimant had challenged the debt through judicial or arbitration proceedings was contrary to the purpose of the credit information database. Subsequently, the AEPD found that CaixaBank had violated Article 6 of the GDPR for processing the claimant's data without a legal basis.
Outcomes
In light of the above violation, the AEPD imposed a fine of €200,000 on CaixaBank.
You can read the decision, only available in Spanish, here.