Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines CaixaBank €2M for processing data without a legal basis

On April 12, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00032/2023, in which it imposed a fine of €2 million on CaixaBank Payments & Consumer EFC, EP, S.A.U., which was subsequently reduced to €1.2 million, for violations of the General Data Protection Regulation (GDPR) following a complaint submitted by an individual.

Background to the decision

The AEPD highlighted that CaixaBank, a financial services company, had requested personal and economic information from the complainant through a form that contained a clause requiring the complainant to give CaixaBank consent to obtain the complainant's data from the General Treasury of Social Security (TGSS). The complainant stated that the clause did not offer an option to decline, making the consent preset. After expressing disagreement with this preset consent, CaixaBank informed the complainant that the clause was standard procedure for all clients and that non-compliance would result in the complainant's bank account being blocked.

Findings of the AEPD

Following its investigation, the AEPD noted that because there was no legal requirement for CaixaBank to verify the personal data information provided by the claimant through the TGSS, CaixaBank should have first obtained consent from the claimant. The AEPD determined that the claimant should have been allowed to withdraw consent without suffering any harm, and the consent should not have been included as a non-negotiable part of the general conditions. Subsequently, the AEPD found that CaixaBank had violated Article 6(1) of the GDPR for processing the claimant's data without a legal basis.

Outcomes

In light of the above violation, the AEPD imposed a fine of €2 million on CaixaBank. However, the fine was subsequently reduced to €1.2 million making use of the voluntary payment procedure and acknowledging its responsibility.

You can read the decision, only available in Spanish, here.