Record fine

The Spanish Data Protection Agency fines Caixabank 6 million euros following complaints from FACUA and a customer of the bank

The AEPD has confirmed that the bank has been in breach of three articles of the General Data Protection Act.

The Spanish Data Protection Agency (AEPD, according to its initials in Spanish) has sanctioned Caixabank with two fines of 4 and 2 million euros for breaching the General Data Protection Act (GDPA). The resolution follows a complaint from a customer of the bank in 2018 and another filed by FACUA-Consumers in Action in 2019.

To date, the three highest fines imposed by governmental bodies on companies reported by FACUA are the 6.23 million that the Junta de Andalucía (regional government) imposed on Movistar in 2016 for raising its Fusión deal tariffs after advertising that it would keep the same prices "forever"; the fine now imposed by the AEPD on Caixabank; and the 3.15 million imposed by the Andalusian Government on Unicaja bank for its base lending rates in mortgages.

The Agency imposed a fine of 4 million euros for "an infringement of Article 6 of the GDPA, defined in Article 83(5)(a) and classified as very severe" and a fine of 2 million euros for "an infringement of Articles 13 and 14 of the GDPR, defined in Article 83(5)(b) and classified as minor".

It also required Caixabank "to bring its personal data processing operations, the information provided to its customers and the procedure by which they must give their consent to the collection and processing of their personal data into line with personal data protection legislation within six months".

In the 177-page Resolution, which analyses, among other issues, different versions of Caixabank's Standard Agreement that the bank's customers had to sign, the AEPD imposes these sanctions after finding that "the breach of the principle of transparency established in articles 12, 13 and 14 of the GDPA, as well as the principle of lawfulness of processing regulated in article 6 of the same Act, has been accredited".

The Agency also points out that it started the investigation procedure after agreeing to initiate preliminary inspections and incorporating all the evidence it had received on the matter: the complaint from a private individual (made in January 2018), the actual files of these preliminary proceedings and the FACUA complaint, which was filed in March 2019, alleging a breach of Article 6 of the GDPA.

The AEPD's ruling states that Caixabank may lodge an appeal for judicial review with the director of the Spanish Data Protection Agency or directly lodge a contentious-administrative appeal with the contentious-administrative chamber of the Audiencia Nacional (National High Court, a special highest level court where only national or specific felonies are judged).

Unlawful processing

FACUA filed a complaint against Caixabank with the Agency in March 2019, stating that the Standard Agreement included a number of terms that could violate data protection regulations.

Specifically, the association considered that the entity's text imposed on consumers the consent to the processing of their personal data and the transfer of their data to third-party companies with which they might have no relationship. Thus, FACUA indicated that, given that this agreement was a contract of adhesion (that is, the user can only adhere to it but does not have the capacity to modify it), this unilateral imposition entailed the violation of the processing of the personal data of the bank's customers.

In this regard, the association stated in the complaint that Caixabank violated article 6 of the GDPA, which sets out the requirements that must be met in order for the processing of users' personal data to be considered lawful.