In the middle of last month, BBVA was the subject of the largest sanction ever imposed by the Spanish Data Protection Agency (AEPD) against a company for violating the General Data Protection Regulation (GDPR). The fine amounted to 5 million euros.
This week, the AEPD has broken its own record with a new sanction, this time of 6 million euros, and precisely against another Spanish bank: CaixaBank.
This is what can be seen in the resolution that the AEPD published this Wednesday on its website. The extensive document (177 pages) details the reasons why the bank has violated several articles of the European regulation. Specifically, it sanctions CaixaBank with 2,000,000 euros for a “slight” infraction of articles 13 and 14, and with 4,000,000 euros for a very serious infraction of article 6.
The proceedings start in January 2018 with a user of the institution receiving a notification in the mobile banking app informing them that they have to accept new terms regarding data protection. The claimant then explains to the AEPD that CaixaBank is considering transferring the data of its customers to all the companies of the banking group, and that in order to stop the processing of data by each of these companies, those affected will have to go to them one by one.
Shortly thereafter, in 2019, the consumer association FACUA filed a second complaint against CaixaBank on the understanding that the framework contracts signed by customers and through which the entity collects personal data are “an adhesion contract whose content cannot be negotiated by the consumer.”
Two years later, the AEPD issued the historic sanction, ruling that CaixaBank has violated articles 6, 13 and 14 of the General Data Protection Regulation. The reasoning is that the entity would have failed to meet “the requirements” for “the provision of valid consent” and there were “deficiencies in the processes enabled” to obtain such consent. In addition, the AEPD states that there was an “illicit transfer of personal data to group companies”.
In the legal bases explored by the AEPD, the agency also discusses that all the companies of the CaixaBank group contemplate a “co-responsibility” in the processing of the data, under which it could be considered lawful to share profiles among all the companies of the group.
For all these reasons, CaixaBank has to pay a sanction of 6 million euros against which, as the control body also points out, an appeal can be lodged through the contentious-administrative channel.