Spain: AEPD fines Caixabank €3M for unlawfully processing personal data

The Spanish data protection authority ('AEPD') issued, on 21 October 2021, a decision in proceeding PS/00500/2021, fining Caixabank Payments & Consumer EFC, EP, S.A.U., €3 million for unlawfully processing personal data, pursuant to Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In particular, the decision notes that the investigation against the entity began after a complaint made in 2018 by an individual, who reported that Caixabank had requested information about him from a solvency file even though he had no current contract with the entity, and that he had been included in a commercial campaign offering him a pre-granted credit. Moreover, the decision highlights that Caixabank did not provide adequate information about the data processing, including profiling, or the legal basis used to carry out such processing.

Furthermore, the decision highlights that the co-responsibility agreement between Caixabank and Caixabank, S.A. was not valid, as it was not dated and signed by all co-responsible parties. In addition, the decision stated, referring to case C-210/16 Wirtschaftsakademie Schleswig-Holstein, that the co-responsibility regime does not mean that all liability falls on a single subject, but that each co-responsible party is liable for the part of the processing it carries out.

Finally, the decision outlines, among other things, the following aggravating factors considered in setting the sanction:

  • the nature, severity, and duration of the offence, taking into account the nature, scope, or purpose of the processing operations in question as the offence results from the procedure designed by said entity for the collection of the consent to carry out profiles for commercial purposes with their clients, that involves a significant risk to the rights of the data subjects taking into account the particularly intrusive nature of such data processing;
  • the intentionality or negligence shown in the commission of the infraction;
  • the high link between the activity of the offender and the performance of processing of personal data;
  • the status of a large company of the responsible entity and its volume of business;
  • the high volume of data and processing that constitutes the object of the proceedings; and
  • the high number of interested parties.

You can read the decision, only available in Spanish, here.

UPDATE (4 February 2022)

EDPB publishes summary of AEPD decision to fine Caixabank €3M for unlawfully processing personal data

The European Data Protection Board ('EDPB') published, on 3 February 2022, an English summary of the AEPD's decision to fine Caixabank €3 million for unlawfully processing personal data.

You can read the summary here.
