The Spanish data protection authority ('AEPD') issued, on 13 January 2021, a resolution in proceeding PS/00477/2019, fining CaixaBank S.A. €6 million for violating Articles 6, 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). In relation to the violation of Articles 13 and 14 of the GDPR, the resolution highlights, among other things, that the information provided by CaixaBank in different documents and channels was not uniform, imprecise terminology was used within the privacy policy, and information about the category of personal data processed, profiles made of users and specific uses of the same, as well as the exercise of rights and data retention periods, was insufficient.

Furthermore, in relation to the violation of Article 6 of the GDPR, the resolution highlights that CaixaBank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent, namely, to be specific, unequivocal, and informed. The resolution further outlines that deficiencies were identified in the processes enabled to obtain the consent of the clients for the processing of their personal data, and states that the transfer of personal data to companies within the CaixaBank Group was unlawful. As a result, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, ordering CaixaBank to comply with the data protection regulations within six months.

The fine represents the largest financial penalty issued under the GDPR by the AEPD to date, surpassing the €5 million fine imposed on BBVA in December 2020.

You can read the resolution, only available in Spanish, here.