New record: the Spanish Data Protection Agency fines CaixaBank 6 million euros for violating GDPR

In the middle of last month, BBVA was the subject of the largest sanction ever imposed by the Spanish Data Protection Agency (AEPD) against a company for violating the General Data Protection Regulation (GDPR). The fine amounted to 5 million euros.

This week, the AEPD has broken its own record with a new sanction, this time of 6 million euros, and precisely against another Spanish bank: CaixaBank.

This is set out in the resolution that the AEPD published this Wednesday on its website. The extensive document (177 pages) details the reasons why the bank has violated several articles of the European regulation. Specifically, it sanctions CaixaBank with 2,000,000 euros for a “slight” infraction of articles 13 and 14, and with 4,000,000 euros for a very serious infraction of article 6.

The proceedings started in January 2018, when a user of the institution received a notification in the mobile banking app informing them that they had to accept new terms regarding data protection. The claimant then explained to the AEPD that CaixaBank was considering transferring the data of its customers to all the companies of the banking group, and that in order to stop the processing of data by each of these companies, those affected would have to go to them one by one.

In the claimant’s opinion, this requirement was “disproportionate”, as stated in the resolution of the AEPD, as it was understood that “the transfer is accepted in a single act”. For this reason, the Spanish data protection authority initiated a sanctioning procedure through which it began to investigate the privacy policy of the bank.

Shortly thereafter, in 2019, the consumer association FACUA filed a second complaint against CaixaBank on the understanding that the framework contracts signed by customers and through which the entity collects personal data are “an adhesion contract whose content cannot be negotiated by the consumer.”

Two years later, the AEPD issued the historic sanction, ruling that CaixaBank has violated articles 6, 13 and 14 of the General Data Protection Regulation. The reasoning is that the entity would have failed to meet “the requirements” for “the provision of valid consent” and there were “deficiencies in the processes enabled” to obtain such consent. In addition, the AEPD states that there was an “illicit transfer of personal data to group companies”.

In addition, the AEPD also stated that the information offered in the different documents and channels of CaixaBank was not uniform and “imprecise terminology” was used to define the privacy policy. Nor did it detail “the categories of personal data that would be subject to treatment” or the purpose of the treatment or the legal basis that would protect it.

“It is not uniform, even in terminology, it is not offered with the same amplitude to all customers and in all situations (in some cases the ‘Framework Contract’ is used and in others the ‘Consent Contract’ and for other customers only the ‘Privacy Policy’), and it is not updated in the same way in each case”, states the AEPD. In its defense, the entity argued that the duty of information was fulfilled with the Framework Contract “and not with the rest of the documents”, the resolution continues.

In the legal bases explored by the AEPD, the agency also discusses the fact that all the companies of the CaixaBank group contemplate a “co-responsibility” in the treatment of the data, under which sharing profiles among all the companies of the group could be considered lawful.

For all these reasons, CaixaBank has to pay a sanction of 6 million euros against which, as the control body also points out, an appeal can be lodged through the contentious-administrative channel.
