From the European Data Protection Board:
The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR).
The AEPD considered that the document designed to meet the information obligation did not include enough information regarding the categories of personal data concerned, the purposes of the processing for which the personal data are intended, or the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 of the GDPR. Following Article 83 (5) b of the GDPR, a fine of 2.000.000 EUR was imposed. When deciding on the amount of the administrative fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise and its turnover.
On the other hand, the AEPD found that CAIXABANK did not provide any mechanism to collect the data subject’s consent; that the data subject’s consent did not meet all the elements of valid consent; and that the processing activities based on the company’s legitimate interest were not sufficiently justified, especially the relationship between the company’s activity and the processing of personal data. The AEPD concluded that this constituted a breach of Article 6 of the GDPR, and according to Article 83 (5) a of the GDPR, an administrative fine of 4.000.000 EUR was imposed. In deciding on the amount of the fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the degree of responsibility of the controller taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR; the benefits gained from the infringement; the categories of personal data affected by the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise and its turnover.
In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months.
To read the full decision in Spanish, click here.
For further information, please contact the Spanish DPA: [email protected]