AEPD: sanction against CaixaBank for infringing clients’ privacy rights


On January 15th 2021, the Spanish Data Protection Authority (AEPD – Agencia Española de Protección de Datos) imposed a fine of 6 million euros on CaixaBank for having violated its own clients’ privacy through unlawful data processing. This is the highest fine imposed by the AEPD. In particular, the Agency stated that the bank infringed Articles 6, 13 and 14 of the General Data Protection Regulation (GDPR).

The Spanish Agency claimed that there was a breach of the obligation to inform clients about the purpose of the data processing, because the bank used imprecise terminology in its privacy policy for customers. The first complaint was made in January 2018 by a Caixa client, as he was forced to transfer his personal data to all the companies of the group. This meant that the bank failed to comply with “the requirements established for the provision of valid consent”.

The AEPD concluded that CaixaBank used imprecise terminology in its privacy policies, which led to “a breach of the obligation to inform about the purpose of the treatment”.

Source: AEPD sanction number PS-00477-2019
