The Spanish data protection authority ('AEPD') published, on 15 March 2023, its decision in Proceeding No. PS/00241/2022, in which it imposed fine of €100,000 to Ibercaja Banco, S.A. for violation of Article 6(1) of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), following a complaint.

Background to the decision

In particular, the AEPD stated that the claimant filed a claim against Ibercaja Banco relating to the handling of a family inheritance, in which Ibercaja Banco provided the claimant's and their children's data to the lawyer representing the other heirs, who then created a private document dividing the assets. In particular, the AEPD noted that the claimant alleged that the claimant was unaware of the existence of the private document, and therefore requested access to their data and that of their children from Ibercaja Banco.

Moreover, the AEPD highlighted that the claimant alleged that Ibercaja Banco opened an account in the name of the claimant's child for the disposition of funds from the inheritance without their knowledge or consent. In addition, the AEPD emphasised that the claimant alleged that their personal data, as well as that of their deceased spouse and their children, were transferred to the family representative of the other heirs, who then shared this information with a company, with whom the deceased had a life insurance policy, without the claimant's prior knowledge or consent.

Findings of the AEPD

In its finding the AEPD noted that regarding the alleged infringement of Article 15 of the GDPR, the case would instead fall under Article 74(c) of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights ('LOPDGDD'), since Ibercaja Banco responded to the access request of the claimant, even if in an incomplete manner, and there was no absolute disregard of the right of access, which would constitute an infringment of Article 72(1)(k) of the LOPDGDD. As such, the AEPD dimissed the claim in relation to Article 15 of the GDPR.

Furthermore, the AEPD highlighted that the fact that the claimant had provided their personal data to Ibercaja Banco to obtain the bank balances, does not allow the said entity to process it for other purposes, such as the creation of a bank account in the name of one of their children. In accordance with the evidence available, the AEPD considered that the facts constitute a violation of Article 6(1) of the GDPR, since Ibercaja Banco processed the personal data of the claimant and their children without the latter having given their express consent to do so.

Outcomes

As a result, the AEPD imposed a fine of €100,000 on Ibercaja Banco for violation of Article 6(1) of the GDPR and dismissed the complaint regarding Article 15 of the GDPR.

You can read the decision, only available in Spanish, here.