Support Centre

You have out of 5 free articles left for the month

Signup for a trial to access unlimited content.

Start Trial

Continue reading on DataGuidance with:

Free Member

Limited Articles

Create an account to continue accessing select articles, resources, and guidance notes.

Free Trial

Unlimited Access

Start your free trial to access unlimited articles, resources, guidance notes, and workspaces.

Spain: AEPD fines CaixaBank €5M for inadequate security measures

On October 26, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00020/2023, in which it imposed a fine of €5 million on CaixaBank S.A. (CaixaBank), for violations of the General Data Protection Regulation (GDPR), following a complaint by an individual.

Background to the decision

The AEPD noted that the complainant, a CaixaBank client, claimed that CaixaBank did not respect the rules on the confidentiality of personal data. The complaint concerned a document relating to a transfer made by a third party, which included the personal data of the third party, the originator of the transfer, and the recipient of the transfer. The AEPD noted that the complainant had access to this document after a personal data breach and it took one year and four months for CaixaBank to address this.

Findings of the AEPD

The AEPD explained that CaixaBank did not guarantee adequate security of personal data during processing and denied the existence of the risk. Additionally, the AEPD concluded that CaixaBank did not adhere to the principle of privacy by design as it did not focus on the fundamental rights and freedoms of individuals and did not provide for an adequate procedure to manage data protection complaints.

The AEPD made reference to their Privacy by Design Guide which states that privacy by design required being proactive and non-reactive and CaixaBank was found to be reactive in the way they handled data protection complaints. Lastly, the AEPD found that CaixaBank did not comply with its obligation to apply appropriate technical and security measures to guarantee a level of security for personal data appropriate to risks. Subsequently, the AEDPD determined that CaixaBank had violated Articles 5(1)(f), 25, and 32 of the GDPR.


As a result, the AEPD imposed a fine of €5 million on CaixaBank S.A. Furthermore, the AEPD ordered CaixaBank to report on their adoption of technical and organizational measures within nine months.  

You can read the decision only available in Spanish here.