Spain: AEPD fines SegurCaixa Adeslas €300,000 for unsolicited email marketing and failure to facilitate right to erasure

The Spanish data protection authority ('AEPD') published, on 4 February 2022, its decision in proceeding PS-00322-2021, in which it imposed a fine of €300,000 on SegurCaixa Adeslas, S.A. de Seguros y Reaseguros for violations of Articles 6, 17, and 28 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'). The fine followed the sending of marketing emails to the complainant despite the complainant's request for deletion of their data and the registration of their email address in the Robinson List, i.e. the opt-out list of people who do not wish to receive marketing communications.

Background to the decision

In particular, the AEPD commenced its investigation following the receipt of a complaint regarding the sending of marketing emails to the complainant, despite the complainant's multiple requests for deletion of their personal data via emails to SegurCaixa Adeslas, and their inclusion in the Robinson List. Additionally, in response to the request by the AEPD, SegurCaixa Adeslas indicated that the marketing emails were sent to insurance agents with which SegurCaixa Adeslas maintained a commercial relationship, claiming that these insurance agents should be responsible, as, according to them, the activity of promoting and attracting clients was carried out independently and autonomously from SegurCaixa Adeslas.

Findings of the AEPD

The AEPD found that SegurCaixa Adeslas violated:

  • Article 6 of the GDPR due to the lack of lawfulness of processing;
  • Article 17 of the GDPR because the claimant had repeatedly tried to request the deletion of their personal data, to which SegurCaixa Adeslas failed to respond; and
  • Article 28 of the GDPR because it had not formalised a contract with the insurance agents that met all requirements under Article 28(3) of the GDPR.


As a result, the AEPD issued a total fine of €300,000 to SegurCaixa Adeslas.

You can read the decision, only available in Spanish, here.