A 6 million euro fine was recently imposed on CAIXABANK by AEPD, the Spanish DPA for various breaches of the GDPR.
Late last month, the EDPB reported on a fine imposed by the AEPD on the Spanish multinational financial services company CAIXABANK for GDPR violations. The company was found to have unlawfully processed clients' personal data and to have failed to provide adequate information about that processing. The former infringement attracted a fine of 4 million euros and the latter a fine of 2 million euros, a total of 6 million euros, which is the AEPD's largest cumulative fine to date.
The total fine imposed by the AEPD included a 4 million euro fine for a breach of Article 6 of the GDPR.
CAIXABANK was found to be in violation of Article 6 of the GDPR because it failed to provide any mechanism for collecting consent from data subjects. As a result, the consent it relied on did not satisfy all the elements of valid consent required for processing. The AEPD also found that the processing activities the company based on its legitimate interest were not sufficiently justified, and neither was the relationship between the company's activity and the processing of the personal data. For this breach, the AEPD imposed an administrative fine of 4 million euros under Article 83(5)(a) of the GDPR.
CAIXABANK was fined 2 million euros for a breach of Articles 13 and 14 of the GDPR.
CAIXABANK was also found to be lacking key information in the document meant to satisfy Articles 13 and 14 of the GDPR. The document did not clearly set out the categories of personal data processed or the purposes of the processing. In addition, it did not specifically identify the legal basis for the processing carried out on the basis of the company's legitimate interest. The AEPD therefore found the company in violation of both articles and imposed a fine of 2 million euros under Article 83(5)(b).
The fine imposed by AEPD was decided upon based on several key factors.
In deciding on an appropriate fine for the various breaches of the GDPR, the AEPD considered several aggravating factors. In general, it weighed the nature, gravity and duration of the specific infringements, as well as their negligent character. The fact that the company is a large enterprise, and the size of its turnover, also played a key role in the amount fined. The AEPD considered the relationship between CAIXABANK's activity and the processing of the personal data, the benefits gained from the infringement, and the categories of personal data affected. Additionally, the AEPD looked at the degree of responsibility of the controller, taking into account the technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR.
CAIXABANK has been ordered to bring its operations into compliance within 6 months.
In addition to the administrative fines imposed by the AEPD, the financial services company has been ordered to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next 6 months. This means providing an adequate mechanism for collecting customers' valid consent, and ensuring that only the personal data that is necessary and legally justified on the basis of the company's legitimate interest is processed. The company will also need to ensure that this information, together with the purposes of the processing, is clearly set out in the document intended to satisfy Articles 13 and 14.
Does your company have all of the mandated safeguards in place to ensure compliance with the GDPR and Data Protection Act 2018 in handling customer data? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing. We can help your company get on track towards full compliance.