Continue reading on DataGuidance with:
Free Member
Limited ArticlesCreate an account to continue accessing select articles, resources, and guidance notes.
Already have an account? Log in
Create an account
Join our community for free to access exclusive whitepapers, reports, and regulatory information.
Spain: AEPD fines CaixaBank €5M for inadequate security measures
On October 26, 2023, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00020/2023, in which it imposed a fine of €5 million on CaixaBank S.A. (CaixaBank), for violations of the General Data Protection Regulation (GDPR), following a complaint by an individual.
Background to the decision
The AEPD noted that the complainant, a CaixaBank client, claimed that CaixaBank did not respect the rules on the confidentiality of personal data. The complaint concerned a document relating to a transfer made by a third party, which included the personal data of the third party, the originator of the transfer, and the recipient of the transfer. The AEPD noted that the complainant had access to this document after a personal data breach and it took one year and four months for CaixaBank to address this.
Findings of the AEPD
The AEPD explained that CaixaBank did not guarantee adequate security of personal data during processing and denied the existence of the risk. Additionally, the AEPD concluded that CaixaBank did not adhere to the principle of privacy by design as it did not focus on the fundamental rights and freedoms of individuals and did not provide for an adequate procedure to manage data protection complaints.
The AEPD made reference to their Privacy by Design Guide which states that privacy by design required being proactive and non-reactive and CaixaBank was found to be reactive in the way they handled data protection complaints. Lastly, the AEPD found that CaixaBank did not comply with its obligation to apply appropriate technical and security measures to guarantee a level of security for personal data appropriate to risks. Subsequently, the AEDPD determined that CaixaBank had violated Articles 5(1)(f), 25, and 32 of the GDPR.
Outcomes
As a result, the AEPD imposed a fine of €5 million on CaixaBank S.A. Furthermore, the AEPD ordered CaixaBank to report on their adoption of technical and organizational measures within nine months.
You can read the decision only available in Spanish here.
Send us your Feedback!
Please let us know what you think of DataGuidance! It will only take 60 seconds and help us make the site better for you.
