Spain: AEPD fines CaixaBank €6M for consent and information failures
Furthermore, in relation to the violation of Article 6 of the GDPR, the resolution highlights that CaixaBank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent, namely, to be specific, unequivocal, and informed. The resolution further outlines that deficiencies were identified in the processes enabled to obtain the consent of the clients for the processing of their personal data, and states that the transfer of personal data to companies within the CaixaBank Group was unlawful. As a result, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, ordering CaixaBank to comply with the data protection regulations within six months.
The fine represents the largest financial penalty issued under the GDPR by the AEPD to date, surpassing the €5 million fine imposed on BBVA in December 2020.
You can read the resolution, only available in Spanish, here.