AEPD (Spain) - PS/00477/2019: Difference between revisions
(Created page with "{{DPAdecisionBOX |Jurisdiction=Spain |DPA-BG-Color=background-color:#ffffff; |DPAlogo=LogoES.jpg |DPA_Abbrevation=AEPD |DPA_With_Country=AEPD (Spain) |Case_Number_Name=PS-00...") |
m (Ar moved page AEPD - PS-00477-2019 to AEPD (Spain) - PS/00477/2019) |
||
(10 intermediate revisions by 3 users not shown) | |||
Line 19: | Line 19: | ||
|Date_Decided= | |Date_Decided= | ||
|Date_Published=13.01.2021 | |Date_Published=13.01.2021 | ||
|Year= | |Year=2021 | ||
|Fine=6000000 | |Fine=6000000 | ||
|Currency=EUR | |Currency=EUR | ||
Line 44: | Line 44: | ||
|Appeal_To_Body= | |Appeal_To_Body= | ||
|Appeal_To_Case_Number_Name= | |Appeal_To_Case_Number_Name=RR/00061/2021 | ||
|Appeal_To_Status= | |Appeal_To_Status=Appealed - Overturned | ||
|Appeal_To_Link= | |Appeal_To_Link=https://www.aepd.es/es/documento/reposicion-ps-00477-2019.pdf | ||
|Initial_Contributor=Paola L. | |Initial_Contributor=Paola L. | ||
| | |}} | ||
}} | |||
The Spanish DPA (AEPD) | The Spanish DPA (AEPD) imposed a fine of €6 million on CaixaBank S.A following complaints received from a customer of the bank in 2018 and from the non-profit organization ‘FACUA’ in 2019. CaixaBank infringed Articles 6, 13, and 14 of the GDPR. | ||
== English Summary == | ==English Summary== | ||
=== Facts === | ===Facts=== | ||
On 24/01/2018, an individual (the first complainant) who was a customer of CaixaBank (the defendant) filed a complaint with the AEPD alleging that the defendant forced them to accept the new conditions regarding the protection of personal data, specifically that regarding the transfer of their personal data to all the companies of the CaixaBank group, and that if they wanted to withdraw their consent, | On 24/01/2018, an individual (the first complainant) who was a customer of CaixaBank (the defendant) filed a complaint with the AEPD alleging that the defendant forced them to accept the new conditions regarding the protection of personal data, specifically that regarding the transfer of their personal data to all the companies of the CaixaBank group, and that if they wanted to withdraw their consent, they had to correspond individually with each company of the group. The complainant alleged that this is disproportionate considering that the consent for this purpose was given in one single act. | ||
The AEPD proceeded to transfer the complaint to the defendant to which it responded by explaining the processing activities that were based on consent, why they were based on consent, and the mechanisms in place to obtain consent as well as the options available to customers to withdraw their consent whether it was in person, via the website or mobile app. On 02 | The AEPD proceeded to transfer the complaint to the defendant to which it responded by explaining the processing activities that were based on consent, why they were based on consent, and the mechanisms in place to obtain consent as well as the options available to customers to withdraw their consent whether it was in person, via the website or mobile app. On 01/02/2019, the AEPD closed this investigation due to being expired, as twelve months had elapsed since the complaint was filed (24/01/2018). | ||
On 29/03/2019, a second complaint was received against the defendant, this time from the Association of Consumers and Users in Action – ‘FACUA’ (the second complainant), who filed a complaint in relation to the "Framework Agreement" signed by the customers of this entity, through which their personal data is collected. Essentially, FACUA indicated that this was a boilerplate contract, as customers did not have the option to negotiate its terms and were obliged to consent to the processing of their personal data, including for the purpose of sharing it with third parties. | On 29/03/2019, a second complaint was received against the defendant, this time from the Association of Consumers and Users in Action – ‘FACUA’ (the second complainant), who filed a complaint in relation to the "Framework Agreement" signed by the customers of this entity, through which their personal data is collected. Essentially, FACUA indicated that this was a boilerplate contract, as customers did not have the option to negotiate its terms and were obliged to consent to the processing of their personal data, including for the purpose of sharing it with third parties. | ||
On 28/05/2019 the AEPD admitted the second complaint and launched an investigation into the matter. The AEPD requested | On 28/05/2019 the AEPD admitted the second complaint and launched an investigation into the matter. The AEPD requested the CaixaBank to provide evidence of the "Framework Agreement" in its current version and previous versions, channels, and methodology for its acceptance and granularity for obtaining consents; as well as the procedures that were enabled for the provision of information in accordance with Article 13 and 14 of the GDPR and the mechanisms to obtain its acceptance. In addition, the AEPD requested evidence of Article 30 record of processing activities, data protection impact assessments, and record of legitimate interest assessments. | ||
===Dispute=== | |||
=== Dispute === | |||
Was the information that CaixaBank provided to its customers in relation to data protection compliant with the requirements of Articles 13 and 14 of the GDPR? | Was the information that CaixaBank provided to its customers in relation to data protection compliant with the requirements of Articles 13 and 14 of the GDPR? | ||
=== Holding === | ===Holding=== | ||
In relation to Article 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided in relation to data protection, was imprecise, vague, and was not uniform, it noted that not even the terminology is offered with the same breadth to all customers and in all situations (in some cases the “Framework Agreement” is used, in others the “Consent Agreement” and for other clients only the “Privacy Policy”), and it was not updated in the same way in each case. The AEPD also pointed out that the information provided in relation to the legal basis relied upon, the categories of personal data processed, the purpose of the processing, retention periods, the exercise of rights, and profiles of users and their uses was insufficient. | In relation to Article 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided in relation to data protection, was imprecise, vague, and was not uniform, it noted that not even the terminology is offered with the same breadth to all customers and in all situations (in some cases the “Framework Agreement” is used, in others the “Consent Agreement” and for other clients only the “Privacy Policy”), and it was not updated in the same way in each case. The AEPD also pointed out that the information provided in relation to the legal basis relied upon, the categories of personal data processed, the purpose of the processing, retention periods, the exercise of rights, and profiles of users and their uses was insufficient. | ||
In relation to Article 6 of the GDPR, The AEPD found that Caixabank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent | In relation to Article 6 of the GDPR, The AEPD found that Caixabank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent. The AEPD outlined that ''"consent was considered an affirmative act, but it could not be considered to be freely, specific, informed, and unequivocal"''. It is further noted that CaixaBank does not inform about any legal basis that enables the transfer of data to the companies of the CaixaBank Group, therefore the transfer of personal data within the CaixaBank group was unlawful. | ||
In consequence, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, and ordered CaixaBank, to conduct a review of the company's process and procedures and bring them into compliance with data protection regulations within six months. | In consequence, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, and ordered CaixaBank, to conduct a review of the company's process and procedures and bring them into compliance with data protection regulations within six months. | ||
==Comment== | |||
== Comment == | |||
''Share your comments here!'' | ''Share your comments here!'' | ||
== Further Resources == | ==Further Resources== | ||
''Share blogs or news articles here!'' | ''Share blogs or news articles here!'' | ||
== English Machine Translation of the Decision == | ==English Machine Translation of the Decision== | ||
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details. | ||
<pre> | <pre> | ||
Page 1 | |||
1/177 | |||
Procedure No.: PS / 00477/2019 | |||
RESOLUTION OF SANCTIONING PROCEDURE | |||
Of the procedure instructed by the Spanish Data Protection Agency and based on the | |||
following | |||
BACKGROUND | |||
FIRST: On 01/24/2018, a letter from Mr. AAA (as far as | |||
the claimant), in which he denounces the entity CAIXABANK, SA (hereinafter | |||
CAIXABANK) for imposing on him, on the same date of the complaint, the obligation to accept the | |||
new conditions regarding the protection of personal data, specifically that relating to the | |||
transfer of your personal data to all group companies, as stated in the section | |||
II of the "new LOPD conditions" established by the entity. Add that to cancel | |||
Said assignment must send a letter to each of the companies, which qualifies as | |||
disproportionate considering that the assignment is accepted in a single act. | |||
Provide a copy of the conditions that motivate the claim, relative to "Authorizations | |||
for data processing ” and “ Exercise of the right of access, cancellation and opposition. | |||
Claims before the Data Protection Authority ” . Through this document, that | |||
appears with the label "Authorizations for data processing" , the interested party "consents | |||
expressly ” the incorporation of all your personal data in a repository | |||
common information, where the data of the companies of the "la Caixa" Group work, so | |||
are processed by CAIXABANK and the companies of the "la Caixa" Group for the purposes set out | |||
detail (two groups of purposes: "Study and monitoring purposes" and " | |||
communication of offer of products, services and promotions ” ). | |||
Likewise, the client is advised that the indicated treatments may be carried out | |||
in an automated way and entail the elaboration of profiles, with the purposes already | |||
indicated. For this purpose, CAIXABANK informs you of your right to obtain the intervention | |||
treatment, to express their point of view, to obtain an explanation about | |||
of the decision made based on the automated processing, and to challenge said decision. | |||
Information is offered on the “data” of the Signatory that will be incorporated in this | |||
Common Repository and it is added that these data will be complemented and enriched by | |||
data obtained from commercial information provider companies, by data obtained from | |||
public sources, as well as statistical, socioeconomic data ( "Additional Information" ). | |||
Finally, the period of conservation of the personal data is indicated and it is offered | |||
information on data protection rights and the possibility of | |||
file a claim with the Spanish Agency for Data Protection. | |||
SECOND: In use of the powers conferred by article 40 of the Organic Law | |||
15/1999, of December 13, Protection of Personal Data (LOPD), after the | |||
receipt of the complaint, the Subdirectorate General for Data Inspection proceeded to | |||
carrying out preliminary investigation actions, indicated with number E / 01475/2018, | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 2 | |||
2/177 | |||
to clarify the facts denounced and determine if there are circumstances | |||
that justify the initiation of a sanctioning procedure. | |||
In your responses to the two requests that were made to you by the Services | |||
of Inspection during the development of the aforementioned previous actions, the entity | |||
CAIXABANK, informed this Agency that the informative clauses referred to in the | |||
complaint were implemented on the occasion of the contractual changes provided by the | |||
entity to adapt to Regulation (EU) 2016/679, of the European Parliament and of the | |||
Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the | |||
Processing of Personal Data and the Free Circulation of this Data and by which | |||
repeals Directive 95/46 / EC (hereinafter General Data Protection Regulation or | |||
RGPD), applicable from May 25, 2018. | |||
1. By letter dated 05/16/2018, entered on 05/22/2018, the entity | |||
CAIXABANK informed this Agency as follows: | |||
(…) | |||
Taking advantage of the contractual changes that were to be implemented to adapt to the | |||
GDPR, in 2016 it was decided to follow two principles in the relationships to be established with the | |||
clients: the basis for the commercial activity (treatment) would be the unequivocal consent | |||
the client's; and consents would be collected at the “group” level, to simplify procedures | |||
crossed relationships, requesting authorization from clients for treatment with the | |||
jointly for all the companies of the "group". | |||
(…) | |||
Customers are requested authorization to carry out data analysis treatments and | |||
advertising treatments for a set of ten entities, allowing to evaluate in common | |||
information on all customer products associated with the "CaixaBank Group". I know | |||
centralize consents in a repository, so that any input from | |||
information in it, whether they are notes of consents granted as denied, | |||
supersedes the previous annotation, allowing a customer to revoke consent from | |||
any company in the "group", and vice versa. Any group company is a point of | |||
entrance where the client can grant consents, or withdraw them, with effects to the | |||
whole. (…) | |||
The revocation of consent for commercial purposes automatically takes effect for | |||
all of them, so that the right can be exercised without distinction before anyone and by | |||
any channel. Instead, with respect to cancellation and rectification, each of the | |||
companies is responsible for the commercial relationships it maintains with its customers and for | |||
both of the data that it deals with in the field of the contractual relationship. Without prejudice to the fact that the data | |||
canceled or rectified, if it was capable of being used by the other companies, it will cease to | |||
be it in case of cancellation or it will be updated, in case of rectification. Further, | |||
CAIXABANK informs that a rights assistance system has been implemented | |||
centralized, at group level, in a service supervised by the DPD, this entity being | |||
entry channel, without prejudice to the fact that all companies have their own channel for | |||
the receipt of exercise of rights, including revocation. | |||
Consulted by the data collection of social networks, CAIXABANK clarifies that it has a | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 3 | |||
3/177 | |||
service so that customers who consent to it through internet banking can | |||
link your identification data in networks (Facebook, Twitter and Linkedin) with this service, | |||
to be able to identify them when they use these channels to contact the entity. (…) In | |||
all cases, the client must accept its use and the terms and conditions. | |||
It also informs about data aggregation services, which allow, upon request | |||
of the interested party, add the information of the products that have contracted with other | |||
entities (positions and movements of accounts and cards) and thus have a global vision | |||
of all positions, alerts on receipts, expirations, etc., but do not operate on the | |||
products of the added entities (the customer adds or removes entities at will, | |||
but only among those incorporated into the service). | |||
CAIXABANK includes a detail (screen printing) of the service request process | |||
of aggregation that the client must follow through the entity's website. After | |||
select the entity that you intend to add to the service and enter the data that the client | |||
used to access the selected entity online (access codes), the process requires | |||
the acceptance of the terms and conditions of the service, according to the detail that is outlined | |||
in the Proven Fact 8. | |||
On the other hand, on the possibility, contemplated in the information provided to the | |||
interested parties, to complement or enrich customer data with data obtained from | |||
companies that provide commercial information, public sources, and with statistical data and | |||
socioeconomic, (…). | |||
2. By letter dated 07/17/2018, entered on 07/19/2018, CAIXABANK | |||
provided its response to the second request for information that was sent to it so that | |||
provide details on the mechanism implemented to obtain consent | |||
unequivocal of the client for the treatments carried out for commercial purposes (or other | |||
treatments that exceed the basic activity protected by the legitimate interest of the | |||
entity, eg analytical and business impact treatments); mechanism detail | |||
implemented to allow the customer to revoke the consent granted for any of | |||
the processing of personal data carried out by the CaixaBank Group companies with | |||
legal basis in the consent of the client; and information provided to the client in the | |||
moment of obtaining consent in relation to data processing | |||
personal data carried out by the CaixaBank Group companies, their purpose and the mechanism | |||
to exercise your rights of access, rectification, deletion, limitation of your treatment, | |||
opposition to it and portability of data. | |||
A) on the mechanism to obtain the consent of the client: | |||
It has two channels to collect commercial consents from its clients, which | |||
coincide with the channels that make it possible to become a client of the entity, that is, | |||
in person at offices and through digital channels (CAIXABANK web portal, portal | |||
ImaginBank web and mobile app): | |||
a) The office registration process | |||
The entity informs that this process is carried out through an interview between the client and the | |||
manager, and involves the collection of identification, tax and contact data, data | |||
socioeconomic and work activity data, data on experience, financial situation and | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 4 | |||
4/177 | |||
investment objectives, as well as the collection of authorizations for the use of the data | |||
for commercial purposes. These authorizations are provided by answering three questions | |||
carried out by the manager to the client, one of them broken down into four options. | |||
The information provided by the client during the interview is incorporated into the system and, | |||
once this has been completed, it is reflected in the printing on paper of a "Framework Contract" that the | |||
client signs (provides a copy of a "Framework Agreement" dated 05/24/2018, whose clauses | |||
coincides with the one incorporated in Annex I). In this document a summary of the | |||
information provided (including their answers about the treatments) and a clause with the | |||
detail about the data processing that is planned. | |||
Attach sequence of screens that the manager has to fill in in the registration process | |||
of a person. Among others, those that allow to collect identifying data, digitize the | |||
identification document and signature, data of birth, residence and tax address, data of | |||
contact, taxation and economic data. After filling in several screens (around | |||
to fifteen), the manager must complete the label "Modification of data protection of ...", | |||
in which the "registration of consents" is included (the structure of this screen consists of | |||
outlined in Proven Fact 4). | |||
On a later screen, labeled “Scan signed document from original. Firm | |||
digital " , the client's" Framework Agreement "can be accessed in pdf format. At the end of this | |||
screen, a section "Signed document" is included , which offers the options "Document | |||
Scan ” and “ Scan and Send Document ” . | |||
He adds that the same procedure is followed for existing clients, when necessary. | |||
remediate the information contained in the systems. Since 2016, the Prevention of | |||
Money Laundering and Terrorism Financing and the GDPR motivated this remediation | |||
of customer information (100% of natural person customers were marked as | |||
remediable -when the manager accessed the client file, a warning was displayed indicating that the | |||
client has the "Framework Contract" pending for the manager to start the interview). | |||
It is also possible that the consents are collected or modified for purposes | |||
commercials at later times, with the same management described, but signing a | |||
document that only addresses this point. CAIXABANK provides a copy of this document, which | |||
It is presented as "Authorization for the processing of personal data with | |||
commercial purposes by CaixaBank, SA and companies of the CaixaBank Group ” and that this | |||
entity denominates “Consent Agreement”, the details of which appear in Annex II (as | |||
successive "Agreement of consents" or "Authorization for treatment"). | |||
In view of said document, it is verified that it has a structure and content similar to that of | |||
signed by the claimant on 01/24/2018 (outlined in the First Fact), although it has been | |||
provided the provision of consent separately for the same purposes as | |||
are cited in the "Framework Contract" (purpose of study and monitoring; communication of offers | |||
of products, services and promotions; transfer of data to third parties) | |||
Additionally, CAIXABANK continues, has provided the entire network of offices with tablets | |||
digitizers, enabling the "Framework Agreement" and the "Consent Agreement" to be | |||
sign, not on paper, but on the tablet itself. In addition, you plan to update the | |||
tablets to allow the manager and the client to work on "shared screen" and to the client | |||
interact with the device by selecting the options on the treatment of your data. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 5 | |||
5/177 | |||
b) Registration process through digital channels (CAIXABANK web portal, web portal and | |||
ImaginBank mobile app): | |||
CAIXABANK indicates that its web portal has a service to process customer registration | |||
online, the process of which includes a step that displays a screen through which | |||
They collect consents for the processing of data for commercial purposes (the | |||
detail of the options shown on this screen is outlined in Proven Fact 4). | |||
Add CAIXABANK to the information symbol (i) that appears in the previous screen | |||
leads to another screen “in which it is explained why it is necessary for the customer to respond to | |||
the questions that arise ” . In this new screen it is indicated “(i) We need your | |||
consent. Since May 2018 a new Data Protection Regulation applies. | |||
We have always been concerned about the protection of your data, that is why it is important | |||
that you answer the following questions (Understood) ” . From there you can access the | |||
Clause 8 “Treatment and transfer of data for commercial purposes by CaixaBank and | |||
CaixaBank Group companies based on the consent ” of the“ Framework Agreement ”. | |||
Finally, the summary of the consents granted and the clauses will be shown in | |||
the "Framework Contract" that the client signs at the end of the process. CAIXABANK warns that in the | |||
screen in which the signature is requested shows a summary of the most important aspects | |||
that regulates the contract, among which the authorizations for data processing are indicated. | |||
This screen includes a box to check "I have read and accept the contract . " | |||
The same process follows the registration and collection of consents through the mobile application | |||
from ImaginBank. The screen relative to consents shows the same structure of the | |||
CAIXABANK web portal, substituting the mentions to this entity for ImaginBank. | |||
B) About the mechanism to allow the client to revoke consent: | |||
The exercise of rights and the revocation of "commercial consents", by | |||
clients and non-clients, it can be formulated in multiple ways: | |||
. In person at the entity's offices. | |||
. Through the personal electronic banking space (Caixabank Now and ImaginBank, both in | |||
its web version as in the mobile application). | |||
. Using application forms on the corporate web portal of CAIXABANK or of each | |||
one of the Group companies. | |||
. Through CAIXABANK's telephone service. | |||
. Request by postal delivery or hand delivery. | |||
a) In the face-to-face process, in offices, the employee will register the request in the system | |||
noting "with respect to which company the revocation is formally exercised" , as may | |||
be seen in the screens it shows, one related to rights management and another specific | |||
for the revocation of consents (both have a drop-down that allows | |||
indicate the specific company before which the statement in question is made). | |||
The structure that shows the screen enabled for the manager to register the revocation or | |||
modification of consents that the client wants, under the heading "Modification of | |||
data protection ”, is the same as that indicated above for the “ Registration of consents ” | |||
manifested in person at the office. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 6 | |||
6/177 | |||
According to CAIXABANK, these requests are registered and sent to a service | |||
centralized attention to rights, which is responsible for giving them the corresponding procedure. | |||
b) The process to follow in the client's private space on the Caixabank Now website will | |||
allows you to select your preferences and obtain information about the proposed treatments | |||
(By clicking on the option "see detail Clause 8" you have direct access to the texts of the "Contract | |||
Framework ”related to each purpose). The detail of the options shown on this screen | |||
It is outlined in Proven Fact 5. | |||
Next, the client is shown a summary with the consents granted, to | |||
that you can check them, and the contract that includes a summary of | |||
those consents. Here is an example of this summary: | |||
<< Operation not yet completed, Check the data and confirm the operation. | |||
Check the data | |||
Study and monitoring purpose: You have expressed your acceptance and consent to the treatment of | |||
data. | |||
Purpose of communication of offers of products, services and promotions: you have stated your NO | |||
acceptance and consent to contact for commercial purposes. | |||
By any channel or medium, including electronic means. | |||
. Through my manager (office) | |||
Transfer of data to third parties: you have expressed your NO acceptance and consent to contact with | |||
commercial purposes. | |||
Read the contract carefully | |||
Confirm the operation… >>. | |||
In the CaixaBank Now mobile application environment, the customer can access | |||
"Configuration - Exercise of rights" and is redirected to the Web portal. However, it clarifies that | |||
This process is being reviewed in order to show the options available in the | |||
own application. Provides a detail of the screen in development "Configuration - Exercise of | |||
rights - Right of revocation ” : | |||
"The personal data protection regulations establish the right to revoke the | |||
data treatment. Below are the data processing that you have authorized: | |||
Authorization to process my data to carry out monitoring and study of operations, generation of | |||
alert of my contracted products, studies and services adjusted to my profile | |||
(I do not accept) | |||
Authorization for CaixaBank to contact me to find out about product offers and | |||
services, as well as promotions and offers that may be of interest to me | |||
(I do not accept) | |||
I accept the transfer of data to third parties | |||
(I do not accept)". | |||
Subsequently, the summary of the demonstrations made is shown, the | |||
introduction of the passwords and, in a new screen, it is indicated “Your right to | |||
revocation. You can check the contract in MailBox ” . | |||
The same indication is made with respect to the ImaginBank application. | |||
c) Use of the application forms available on CAIXABANK's corporate web portal | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 7 | |||
7/177 | |||
or each of the Group companies. | |||
As indicated, in the first case customers can revoke their consent to | |||
any company of the Group through the CAIXABANK website (a drop-down | |||
for the client to select the company on which they want to revoke consent). | |||
Once the company has been chosen, the right that the client wants to exercise must be selected, also | |||
using a drop-down. One of the options refers to the revocation of | |||
consents, with the possibility of marking three boxes, according to the detail that appears | |||
outlined in Proven Fact 5. | |||
In the second case, when it is intended to revoke consent from the web portal of | |||
a group company, as reported by CAIXABANK, a similar form is displayed and | |||
same operation as the previous one. When accessing the page corresponding to the entity from which the | |||
try, the client is directed to a screen common to all. | |||
d) Finally, reference is made to the request through the telephone service and | |||
by postal delivery. | |||
According to the entity, the Call Centers have at their disposal a tool that allows them to | |||
address the exercise of rights, including the revocation of consents. The | |||
request (the protocol contemplates the recording of the call) and the interested party is informed that | |||
You will receive a written response within one month. The structure shown by the aforementioned | |||
tool for the revocation of consents is similar to the one indicated above | |||
for the "Registration of consents" manifested in person at the office. In each | |||
option, a drop-down is displayed for the employee to mark the option desired by the | |||
client. | |||
3. CAIXABANK consulted for the information provided to the client at the time of the | |||
obtaining the consent of the Group companies, it is indicated that this | |||
Information is contained in the “Framework Agreement” and in the “Consent Agreement”. | |||
THIRD: By resolution dated 02/01/2019, of the Director of the Spanish Agency | |||
of Data Protection, the expiration of the previous actions outlined in the | |||
Second Antecedent, followed by number E / 01475/2018, for the duration of the | |||
twelve months from when the complaint was filed (01/24/2018), in accordance with the | |||
established in article 122 of RD 1720/2007, of December 21, which approves the | |||
Regulations for the development of the LOPD. | |||
This resolution warns about the provisions of article 95.3 of the On the other | |||
part, article 95.3 of Law 39/2015, of October 1, on Administrative Procedure | |||
Common of Public Administrations (hereinafter LPACAP), which establishes | |||
that the expiration will not produce the prescription of the actions of the Administration, | |||
and the opening of a new procedure is admitted when the | |||
prescription, with the incorporation of the acts, the acts and procedures whose content is | |||
it would have remained the same had it not expired. | |||
FOURTH: On 03/29/2019, a letter from the entity had entered this Agency | |||
Association of Consumers and Users in Action - FACUA, in which he makes a claim | |||
against CAIXABANK in relation to the “Framework Contract” signed by the clients of this | |||
entity, through which your personal data is collected, offers them the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 8 | |||
8/177 | |||
information on this matter and consents are collected for data processing that | |||
are specified. Specifically, FACUA denounces that it is an adhesion contract, whose | |||
content cannot be negotiated by the consumer, who is required to consent to | |||
processing of your personal data and the transfer of them to third companies with the | |||
that it could not be related (authorizations provided for in clause 8 and assignments | |||
mentioned in clause 10 of said contract). | |||
The claimant provides a copy of a "Framework Agreement" dated 10/24/2017, whose | |||
clauses coincides with the one corresponding to the version dated "03/14/2017", which will refer to | |||
below ("Version 3", according to the numbering provided by CAIXABANK). | |||
This claim was transferred to the CAIXABANK entity. In response to what | |||
expressed in the claim, CAIXABANK informed this Agency that it sent FACUA a | |||
writing detailing the process of collecting consent from clients for the purposes | |||
commercial, as well as the operations used to sign the contract, which summarizes how | |||
follow: | |||
. Customers are requested, on all occasions, express consent for the | |||
data analysis, commercial impact and the transfer of your data. | |||
. The contract is not an adhesion contract, since the client can decide whether or not to grant the | |||
consents. | |||
. Additionally, the client has several channels to modify their initial decision | |||
(offices, internet banking, call centers, etc.). | |||
CAIXABANK provides a copy of the communication sent to FACUA, which summarizes part of | |||
what was stated to the Agency in its response of 05/16/2018, and includes a list of the | |||
"Group companies" and an annex with details of the consent collection process | |||
(corresponds to an extract of the training given to employees, which includes the | |||
screens to be completed). From what was informed to FACUA in this communication, | |||
date 05/03/2019, the following should be noted: | |||
. Regarding the collection of consents, it describes the procedure for registering a new client, | |||
which includes your identification and your consent (signature). Before signing the "Contract | |||
Marco ”, the office manager must ask the client whether or not he authorizes the treatment of his | |||
data for commercial purposes (profiling, commercial communications and assignment to | |||
third parties), so that the client verbally expresses his choice in each of the three | |||
questions and the manager fill in the boxes corresponding to this choice | |||
(consent for the treatments explained in clauses 8 and 10 of the "Framework Contract" | |||
-currently 8 and 9). Once these boxes are filled in, the "Framework Contract" is generated | |||
to be signed by the client, collecting them in the header (page 1, | |||
section "Authorizations for data processing"). In case it is not granted | |||
none of the authorizations, in the aforementioned section the following will be indicated: | |||
"Authorizations for data processing | |||
In the terms established in clause 8 and 9 of this Contract, your authorizations for the | |||
data processing are the following: | |||
Commercial purposes: | |||
. Purpose of studies and profiling: You have expressed your non-acceptance and consent to | |||
treatment of your data. | |||
. Purpose of communication of offers of products, services and promotions: You have | |||
expressed their non-acceptance and consent to contact for commercial purposes by | |||
any channel or medium, including electronic media. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 9 | |||
9/177 | |||
. Transfer of data to third parties: You have expressed your non-acceptance of the transfer to third parties of your | |||
data ” . | |||
It also informs that a new shared screen operation is in the pipeline | |||
that will allow the client to directly read the information about data processing | |||
personal and mark, without intermediaries, those who authorize or not. | |||
. Regarding the revocation of consents and the exercise of rights, you warn that you have | |||
effects for all Group companies and that can be exercised before any of | |||
them, through any of the channels of each of them. Add that it has been named | |||
a Group DPD, who supervises the centralized rights management service, and who | |||
CAIXABANK is an entry channel for exercising rights for all companies. | |||
(…) | |||
FIFTH: The claim outlined in the Fourth Antecedent was admitted for processing through | |||
agreement of the Spanish Agency for Data Protection of 05/28/2019. | |||
In accordance with the provisions of article 67 of Organic Law 3/2018, of 5 | |||
December, Protection of Personal Data and Guarantee of Digital Rights (as | |||
successive LOPDGDD), it was agreed to initiate preliminary investigation actions and the | |||
incorporation to the same of all the documentation outlined in the previous events, | |||
composed of the complaint made by the claimant, the documentation corresponding to | |||
the previous actions indicated with number E / 01475/2018, processed on the occasion of that | |||
claim, the claim made by the FACUA entity and the documentation that integrates | |||
the phase of admission to process of the same. | |||
The object of these preliminary investigation actions was determined as the analysis of | |||
the information generally offered by CAIXABANK regarding the protection of | |||
personal data, through all the channels used by the entity (compliance by | |||
CAIXABANK part of the principle of transparency established in articles 5, 12 and | |||
following of the RGPD, and related precepts); the different data processing | |||
personal data carried out by the entity according to the information offered, in relation to | |||
clients or person who have any other relationship with it, and within the framework of the | |||
new regulations applicable from 05/25/2018, including analysis of the mechanisms | |||
employees to obtain the consent of the interested parties; just like him | |||
compliance by the aforementioned entity of the rest of the principles related to the treatment | |||
established in article 5 of the RGPD. | |||
In the development of these preliminary investigative actions, a request was made | |||
of information to CAIXABANK and an inspection visit was made on 11/28/2019: | |||
1. On 11/20/2019, a response was received from CAIXABANK to the request that was | |||
issued by the Inspection Services to provide information on the "Contract | |||
Marco ”, in its current version and previous versions valid as of 05/25/2018, and | |||
possible addenda; channels and methodology for its acceptance and granularity for obtaining | |||
of consents; as well as on the procedures that were enabled to give | |||
know the information on the protection of personal data updated to the RGPD to | |||
clients prior to 05/25/2018 and mechanisms to obtain their acceptance. | |||
a) CAIXABANK points out that, taking into account the preliminary texts of the RGPD, | |||
implemented the “Framework Contract” in June 2016, with six versions dated on | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 10 | |||
10/177 | |||
06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019 (provide a copy of | |||
these versions). It highlights that there have been no significant changes in this document, that | |||
regulates the entire customer relationship with CAIXABANK and the Group companies whose | |||
products sells that one, informs about all the treatments derived from the relationship | |||
contractual and requests the necessary consents for the treatment of the data of | |||
personal character at Group level. | |||
On the other hand, CAIXABANK advises that product and service contracts also | |||
include the information required by article 13 of the RGPD, in anticipation that it could | |||
mediate time between the signing of the "Framework Agreement" and the contracting of products | |||
(includes a copy of a contract for products and services corresponding to the "Book | |||
Star"); and that there are other services that, due to their specialty, contain their own | |||
data protection clauses (includes the detail of the protection information of | |||
personal data provided to subscribers of the "Shareholder Attention Service" and in the | |||
subscription form to "Events"). | |||
b) In relation to the granularity for obtaining the consents, it is indicated that | |||
CAIXABANK and a selection of investee companies, to which it has joined | |||
recently Caixabank Payments & Consumer, EFC, EP, SAU, has been collecting | |||
consents to carry out commercial treatments since 2016 in the terms | |||
set forth in file E / 01475/2018 (Second previous antecedent). | |||
It details the procedure followed by CAIXABANK and by Payments. In the first case, | |||
indicates that the information system guides the manager throughout the process, advising him that he must | |||
consult the customer's preferences and physically provide the tablet so that the customer himself | |||
proceed to mark your options. Once the preferences have been marked, the terminal itself will | |||
indicates that these preferences have been registered and invites you to return the device to | |||
manager. Subsequently, "the manager finalizes and consolidates the document and provides it for signature | |||
to the client ” . | |||
On the next screen, the indication "Tablet Mode" disappears and the following is stated: | |||
“Your consents have been indicated. Thank you for your cooperation. Please return the | |||
Tablet to your manager ” . | |||
It informs that CAIXABANK and its Group request three consents for the three purposes | |||
outlined, breaking down one of them into four options, and clarifies that the first two are | |||
requested at the level of the CaixaBank Group of companies. | |||
Next, it reproduces part of Clause 8 of the aforementioned contract, in which, according to | |||
CAIXABANK, the meaning and specification of the previous literals are explained and the | |||
detail of what data will be processed for purposes i) and ii). The content of this clause | |||
reproduced in CAIXABANK's brief coincides with the one outlined in Annex I. | |||
On this issue, it provides a copy of the screens that allow viewing the registration process | |||
of a client in person in offices. After advancing about fifteen screens, | |||
show two screens corresponding to the collection of consents for the treatment | |||
of personal data, with the label "Authorization / Revocation of consents" and the | |||
indication “Tablet mode. Customer ” . Previously, a screen is shown with a message to | |||
the manager with the indication “According to the General Data Protection Regulation, the client | |||
you must authorize the use of your data. You must then hand over the tablet to the customer so that | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 11 | |||
11/177 | |||
fill in the consents ” . After pressing the "OK" button , you access the "Mode | |||
Tablet " , to the " Authorization / Revocation of consents " screens , the details of which are | |||
outlined in Proven Fact 4. | |||
Once the options have been selected, the buttons at the bottom of the screen | |||
"Accept" and "Cancel" . Pressing the first one offers a message with the text "Your | |||
consents have been indicated. Thank you for your cooperation. Please return the Tablet to | |||
your manager ” . (…) | |||
It is verified that the “Tablet Mode. Client ” do not contain any link to the | |||
information on the protection of personal data contained in the "Framework Agreement". | |||
In relation to this process, no screen is provided regarding the consolidation of the | |||
document and its signature by the client. | |||
Next, the screens corresponding to the process of “Modification of | |||
consents ” . (…) This screen includes a link to the text: “Authorization / Revocation | |||
treatments for commercial purposes ” . By clicking on this link a message appears to | |||
the manager with the indication “According to the General Data Protection Regulation, the client | |||
you must authorize the use of your data. You must then hand over the tablet to the customer so that | |||
fill in the consents ” . After pressing the "OK" button , you access the "Mode | |||
Tablet ” , to the “ Authorization / Revocation of consents ” screens , the details of which are identical | |||
to the screens of “Authorization / Revocation of consents. Tablet mode. Client ” of | |||
client registration process, which has been referred to in the previous paragraphs, except in | |||
what refers to the use of biometric data, which is not included in this case. | |||
With its reply, CAIXABANK provided a copy of the contract corresponding to | |||
a client, which appears dated 11/06/2019 (hereinafter we will call this | |||
document such as “Version 7 of the Master Agreement” or “Client Master Agreement dated | |||
11/06/2019 ”). It is verified that its content does not match any of the six versions | |||
of the "Framework Contract" provided by the entity itself (in Annex I the | |||
modifications or new informative clauses introduced in this version of the "Contract | |||
Marco ”, which affect data processing in the electronic signature of documents and the | |||
biometric data processing). In the heading of the document, under the heading of | |||
"Authorizations for data processing" are indicated: | |||
“Other purposes: Use of biometric data for the purpose of identity verification and signature. You | |||
has expressed its acceptance and consent ” . | |||
c) On the procedures enabled to publicize the "Privacy Policy" | |||
updated to the RGPD to clients prior to the application of this standard and the mechanisms | |||
To obtain their acceptance, CAIXABANK informs this Agency that said "Policy of | |||
Privacy ”, which is published on the“ caixabank.es ”website, is intended to | |||
complement the information provided to customers in the "Framework Agreement" between June | |||
2016 and May 2018; and give complete information to customers who in May 2018 did not | |||
would have signed the "Framework Contract". Thus, since May 2018 it distinguishes two situations: | |||
. All pre-existing clients have signed a framework contract or have received the “Policy of | |||
Privacy ”(in addition to having it at your disposal on the entity's website). | |||
. All new clients, in their first relationship with the entity, sign a "Contract | |||
Marco ”, which includes all the information of article 13 of the RGPD. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 12 | |||
12/177 | |||
It clarifies that the "Framework Contract" is, since May 2018, the information on the treatment | |||
of the data that is delivered to the client in compliance with the provisions of article 13 of the | |||
RGPD and that the "Privacy Policy" is a document consistent with what is contained in said | |||
contract. | |||
To transfer the "Privacy Policy" to customers, CAIXABANK states that | |||
sent 15,917,507 communications, of which 5,663,683 were made by post and | |||
10,253,824 through remote banking with a warning pop-up (“If you want to know more | |||
about our commitment to your data and your privacy, you have a statement available at | |||
your MailBox -Access MailBox ”). | |||
Accompany a copy of the "Privacy Policy" of CAIXABANK available on the website of the | |||
entity, which is reproduced in Annex V. | |||
2. On the other hand, an inspection visit was made to CAIXABANK on 11/28/2019, | |||
informing the representatives of the entity that said action was aimed at | |||
verify the information you provide on the protection of personal data and the obtaining of | |||
Consents for the data processing carried out. | |||
According to the inspection record, in response to the questions raised, the | |||
representatives of CAIXABANK made the following statements and carried out | |||
the checks that are also detailed: | |||
a) The procedure for the beginning of commercial relations can be carried out | |||
in person, or also through the web and through the application for devices | |||
mobile "CaixaBank" previously downloaded | |||
In person. | |||
The agent requests the identification data, digitizes the identity document, collects | |||
data on residence and fiscal address, taxation and economic data (origin of funds, | |||
public personality, etc.); and hands a tablet to the customer to select the | |||
consents that you wish to grant to the inspected party and to the group companies. Indicated | |||
that there are four groups with Yes / No answers and the text that appears on the tablet is detailed | |||
stating the different groups, which coincides with the text detailed in section b) above | |||
("Authorization / Revocation of consent" screen, which contains the indication "Mode | |||
Tablet ”). | |||
At this time no biometric data is taken except for the signature. If in the future | |||
implant this type of identification, and this consent would have been granted, | |||
will collect this data. | |||
Once the consents have been collected, the agent consolidates and offers the tablet to the client with the | |||
“Framework Contract” document so that you can read it and see the section “Authorizations for | |||
Data processing ”with the consents granted and denied and signing said contract, | |||
which is done on the same Tablet. | |||
Through the CAIXABANK website. | |||
The procedure is carried out on the online platform of the inspected company through a | |||
Guided form for data collection of the future client. | |||
During the inspection, a simulation is performed and it is verified that the first page | |||
ask for the phone number and email. On this same screen a | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 13 | |||
13/177 | |||
window with a text entitled "Processing of personal data and obligations | |||
derived from the prevention of money laundering and terrorist financing ” . There's a | |||
button called "Accept and Continue" . Identification data is requested on the next screen | |||
and address. Next, the identification is carried out by video identification | |||
or through the service of obtaining ownership of external accounts through the service | |||
Iberpay. Then a screen is presented in which the purpose of the account is specified, | |||
screen for obtaining consents, account creation, and contract signing screen, | |||
where you can download the complete "Framework Agreement". Once the checkbox is selected | |||
verification of acceptance of the contract, the signature is carried out by sending the code | |||
numeric to the mobile phone provided by the customer. | |||
Mobile banking via app. | |||
It is possible to start the registration process through the application for mobile devices, but, | |||
After the installation process, at the time the data collection of the interested party begins, | |||
The application redirects the interested party to the web application described in the previous point. | |||
By phone. No registrations are made by this means. | |||
b) A demonstration is carried out on the procedure for modifying the | |||
Consents of a client through their personal space: | |||
Initial situation: all consents "I do not accept" | |||
Data processing: I do not accept | |||
Advertising: I do not accept | |||
Telemarketing advertising: I do not accept | |||
Advertising by electronic means: I do not accept | |||
Advertising by postal mail: I do not accept | |||
Personal manager advertising: I do not accept | |||
Data transfer: I do not accept | |||
Modification: the second level is modified and not the first level | |||
Data processing: Does not support | |||
Advertising: I do not accept | |||
Telemarketing advertising: Does not accept | |||
Advertising by electronic means: Does not accept | |||
Advertising by postal mail: Does not accept | |||
Personal manager advertising: If you accept | |||
Data transfer: Does not accept | |||
It is detected that, although it has been selected not to receive commercial communications from | |||
generic form, by being able to mark one of the media, the receipt of communications is accepted | |||
in this way and the granting is reflected in the document signed by the client (in | |||
Regarding this matter, on 12/10/2019 a letter was received from CAIXABANK, | |||
noting that it has included an informative text to indicate to the interested party that, when marking one | |||
of the media, accepts the receipt of communications in this way: “If, despite not wanting | |||
let us contact you in general, you are interested in receiving information by | |||
any of the following channels, you just have to mark it and we will use it to move you | |||
our news and offers ” ). | |||
A screenshot is attached in which all consents and consent are denied. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 14 | |||
14/177 | |||
copy of the document generated from the modification of consents. The structure and | |||
content of this screen coincides that the detail outlined in the Second Antecedent, | |||
section 2.Bb), in relation to the revocation of consents through the space | |||
private client on the Caixabank Now website. | |||
A screenshot of enabling a second level consent is attached while | |||
the first in "I do not accept" for commercial communications and document generated from | |||
of the modification of consents. | |||
The content of the documents generated once the customer's statements have been reflected | |||
coincides with the text outlined in Annex II ("Consent Agreement"), with the | |||
variations that are indicated below and that are also outlined in said Annex II: | |||
. The term "revocation" is added to the label of the document and | |||
"Authorization / revocation for the processing of personal data with | |||
commercial purposes by CaixaBank, SS and companies of the CaixaBank group ”. | |||
. The mention of the "common repository" disappears in the presentation of the document, in the | |||
that appeared with the indication “For this, your data will be managed from a repository | |||
common information of the companies of the CaixaBank Group. The data that is | |||
will be incorporated into this common repository will be… ” . | |||
. The section dedicated to "the data to be processed" moves from the presentation | |||
of the document to associate them with purposes 1 (analysis and study of data) and 2 (offer | |||
commercial products and services). In addition, in section c) the mention of the | |||
companies of the CaixaBank Group, and there remains “All those that CaixaBank or the companies of the | |||
Grupo CaixaBank obtain from the provision of services to third parties, when the service | |||
have the signer as the recipient, such as the management of transfers or receipts ” . | |||
. The following text is added: "The authorizations that you grant will remain | |||
valid until revocation or, in the absence thereof, up to six months | |||
since you cancel all your products or services with CaixaBank or any | |||
CaixaBank Group company ” . | |||
. In the authorization (ii) of the section corresponding to purpose 1 (Treatments of | |||
analysis, study and monitoring for the offer and design of adjusted products and services | |||
to the customer profile) the possibility of associating the signer's data with those of | |||
other clients with whom you have some type of family or social bond, relationship | |||
ownership or management, in order to analyze possible economic interdependencies | |||
in the study of service offers, risk requests and product contracting. | |||
. In the section dedicated to the exercise of rights, a mention is added to them, | |||
that does not appear in the text of Annex II, a postal address is indicated to exercise | |||
rights, which was also not recorded, and the possibility of exercising the rights to | |||
through mobile applications. | |||
. Two sections have been added corresponding to the data protection officer already | |||
the validity of the "Framework Contract" once it has been signed by all the parties involved. | |||
c) Exercise of rights. | |||
Any channel in which the client has identified is enabled to exercise | |||
rights. The revocation of consent is applied at the moment it is made and | |||
applies to all group companies. | |||
d) On the information provided to the client so that they consent to access to network data | |||
social: accessed from the personal area of online banking and specify which network | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 15 | |||
15/177 | |||
individually from among Facebook, Twitter and LinkedIn access is allowed. Appears the | |||
text "Information on the processing of personal data and communications | |||
commercials ”in a text box and a button with the text“ Accept and continue ”. | |||
Annex III outlines the information provided by CAIXABANK to its clients to collect their | |||
consent to access and use data from social networks. | |||
e) The account aggregation service requires a special contract, although the | |||
consent is given in the "Framework Agreement". When starting the process, a text "Contract" appears | |||
in a text region, with the possibility of generating a document in pdf format. | |||
Annex IV outlines the contract that the client formalizes requesting this aggregation service | |||
of accounts, which includes the information offered on the protection of personal data. | |||
f) The treatment described in point 7.3.5 is not carried out. on the aggregated accounts of other | |||
entities. You can exercise the right of opposition to the treatment collected in this point to | |||
through online banking and other enabled channels | |||
g) Regarding the content of 8.ii.h), this possibility has been specified for possible | |||
uses. When a treatment of this type occurs, it will be assessed by the | |||
Impact evaluation. | |||
h) On the mechanisms used to inform about the update of the " | |||
Privacy ”and obtaining the consent of clients, representatives of | |||
CAIXABANK stated that with the first version of the “Framework Contract”, dated June 20, | |||
2016, the new consents began to be collected. In May 2018 | |||
they set all consents in old format to "I do not accept". Since this date | |||
Customer consents have been collected through different channels. | |||
During the various updates, more than 15 million communications from | |||
of which 5,663,683 were sent by post and 10,253,824 were made available to | |||
customers through their online banking through a pop-up warning window. He | |||
Communication content is purely informative. | |||
i) Information systems are accessed to verify the consents granted by the | |||
claimant, obtaining the following data: | |||
Consents: | |||
Data processing: Does not support | |||
Telemarketing advertising: If supported | |||
Advertising by electronic means: If supported | |||
Advertising by postal mail: If supported | |||
Personal manager advertising: If supported | |||
Data transfer: - | |||
It is verified that the claimant has not signed the “Framework Contract”, but has granted | |||
consents on January 24, 2018, by signing the document found | |||
in its contractual repository (this document corresponds to the one provided by the | |||
claimant, signed on 01/24/2018, which is outlined in the First Fact). | |||
Additionally, it appears that the claimant modified through the entity Caixabank | |||
Consumer Finance, EFC, SAU, one of the consents in May 2018, no | |||
admitting the data processing (provides an internal email of 11/28/2019, which | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 16 | |||
16/177 | |||
informs about this modification: “consent 1 reached“ unsigned ”from company 6 | |||
(CCF), was signed on May 18. Consents from 3 to 6 were signed with ALF00017 | |||
(winning moment) in January 18. The 7th is not signed in the ALF00017, so it is | |||
pending signing ” ). | |||
Screenshots of the information systems of the | |||
CAIXABANK corresponding to the claimant's data, current consents, the | |||
contract of LOPD clauses of January 24, 2018 and justification of the change of the | |||
Consents granted for data processing: | |||
. The query on customer data, in its first section "Operational list", details the | |||
contracted products and a review of your personal data (name, NIF, date of | |||
birth, language, telephone numbers and the image of your ID. It includes two indications: "Program | |||
Family: Does not comply due to income ”and“ Framework Agreement Resolver ”. | |||
In the "Person" section the personal data, economic activity and taxation are detailed. | |||
It also contains subsections related to digital images (ID and signature), alerts ("Edition | |||
framework contract Resolve ”), Commercial consents (Data processing Not supported, | |||
telemarketing advertising Yes, electronic media advertising Yes, postal advertising | |||
If it admits, publicity contact manager If it admits, transfer of data "Authorization / revocation | |||
treatments through the edition of the framework contract… ”), consent history (“ Last | |||
movement 10/16/2019 ”), Right of access, revocation, rectification ... (without annotations). | |||
In the “Documents” section you access the “Contract clauses LOPD” of 01/24/2018. At | |||
In the “Digitization” subsection, the boxes Open Line, Office, Cashiers and | |||
Telemarketing. | |||
SIXTH: On 01/07/2020, the Agency's Inspection Services access the | |||
web caixabank.es, to the "Privacy" section, and the document | |||
called "Processing of personal data based on legitimate interest" . He | |||
The full content of this document is reproduced in Annex VI. | |||
SEVENTH: On 12/26/2019, the Subdirectorate General for Data Inspection | |||
Access the CAIXABANK website (“caixabank.es”) and obtain available information on the | |||
entity. | |||
In the "corporate information" that appears in the "Who we are" section of said | |||
website declares itself "leader in Iberian retail banking", with 15.7 million customers, 37,440 | |||
employees, a 29.3% penetration share of individuals in Spain and € 386,622 million of | |||
total assets. | |||
Financial information is also obtained, of which it is worth highlighting that relating to the | |||
Income Statement, which "as of 09/30/2019" reflects an "Operating Margin" of 2,035 | |||
millions of euros. | |||
According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" | |||
amounts to 5,981,438,031.00 euros. | |||
EIGHTH: On 01/21/2020 , the Director of the Spanish Agency for Data Protection | |||
agreed to initiate a sanctioning procedure against the CAIXABANK entity, in accordance with | |||
provided for in article 58.2 of the RGPD, for the alleged violation of articles 13 and 14 of the | |||
RGPD, typified in article 83.5.b) of the aforementioned Regulation; for the alleged violation of | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 17 | |||
17/177 | |||
Article 6 of the RGPD, typified in Article 83.5.a) of the aforementioned Regulation; and for the alleged | |||
violation of article 22 of the RGPD, typified in article 83.5.b) of the RGPD; determining | |||
that the penalty that may correspond would amount to a total of 6,500,000.00 euros | |||
(2,000,000, 4,000,000.00 and 500,000 euros, respectively), without prejudice to the results of | |||
The instruction. | |||
The actions outlined in the Background of this act are intended to | |||
analyze the information offered in general by CAIXABANK on the subject of | |||
protection of personal data, through all the channels used by the entity | |||
("Framework Agreement" and the "Consent Agreement" - "Revocation authorization for the | |||
processing of personal data for commercial purposes by CaixaBank, SA and | |||
CaixaBank group companies ”- , the“ Privacy Policy ”accessible through the website of the | |||
entity and the information offered in relation to personal data from social networks and | |||
aggregation service); the different processing of personal data carried out by the | |||
entity according to the information offered, in relation to clients or people who | |||
maintain any other relationship with it, including the analysis of the mechanisms | |||
employees to obtain the consent of the interested parties; just like him | |||
compliance by the aforementioned entity of the rest of the principles related to the treatment | |||
established in article 5 of the RGPD. | |||
The reasons that support the indicated allegations are, briefly, the | |||
following: | |||
a) Infringement of articles 13 and 14 of the RGPD: | |||
. The information offered in the different documents and channels is not uniform. | |||
. Use of imprecise terminology to define the privacy policy. | |||
. Insufficient information on the category of personal data that will be submitted to | |||
treatment. | |||
. Breach of the obligation to report on the purpose of the treatment and legal basis | |||
that legitimizes it, especially in relation to the processing of personal data based | |||
in the legitimate interest. | |||
. Insufficient information on the type of profiles to be made, the uses | |||
specific to which they are going to be used. | |||
. The information provided on the exercise of rights, possibility of claiming before the | |||
Spanish Agency for Data Protection, existence of a Data Protection Delegate | |||
and your contact information, as well as that relating to the data retention periods is not | |||
uniform. | |||
b) Violation of article 6 of the RGPD: | |||
. Insufficient justification of the legal basis for the processing of personal data, | |||
especially in relation to those based on legitimate interest. | |||
. Non-compliance with the requirements established for the provision of a | |||
valid consent, as a manifestation of specific will, | |||
unequivocal and informed. | |||
. Deficiencies in the processes enabled to obtain the consent of the | |||
clients for the processing of their personal data. | |||
. Illegal transfer of personal data to companies of the CaixaBank Group. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 18 | |||
18/177 | |||
c) b) Violation of article 22 of the RGPD: invalidity of the consent given by the | |||
clients for the data processing regulated in this article. | |||
Likewise, for the purposes provided for in article 58.2.d) of the RGPD, in said agreement of | |||
At the beginning, it was warned that the imputed infractions, if confirmed, may lead to the | |||
imposition on the CAIXABANK entity of the obligation to adopt the necessary measures to | |||
adapt to the personal data protection regulations the processing operations that | |||
performs, the information offered to its clients and the procedure by which they | |||
give their consent for the collection and processing of their personal data, with the | |||
scope expressed in the Basis of Law of the repeated agreement and without prejudice to the | |||
resulting from the instruction. | |||
NINTH: Once the aforementioned initiation agreement was notified, CAIXABANK presented a brief of allegations | |||
in which you request that the non-existence of infringement be declared and, alternatively, the cancellation | |||
of the procedure for expiration and prescription described in the fifth claim; or, in your | |||
defect, the warning or the imposition of the amount of the sanction is agreed | |||
corresponding in its minimal degree. In summary, the aforementioned entity bases its request on the | |||
following considerations: | |||
1. The opening agreement does not correctly reflect the procedures followed by the entity | |||
to inform and request the consent of its clients. | |||
a) On this previous question, he makes two initial clarifications, to clarify, on the one hand, that | |||
their allegations are simultaneously referred to the face-to-face and registration processes | |||
online, unless expressly indicated otherwise, that they follow the same operation in | |||
regarding the information offered and the collection of consents, one through the device | |||
the client and another through the Tablet that the office makes available to the client, who operates | |||
freely using this tool. | |||
It also notes that CAIXABANK and the CaixaBank Group operate under the same concept | |||
brand, being that entity the backbone of the Group, so that the client | |||
interacts with all entities through the different CAIXABANK channels, such as | |||
marketer of all products, as explained in the corporate information that | |||
It is offered on the web, in the section "Who are we?" . | |||
This scheme is transferred to the various facets of data processing, including management | |||
of the consents for treatments with commercial purposes, which is carried out in a | |||
centralized. Understand that it would not be operational to manage consents separately | |||
for treatments to be carried out jointly in the context of the | |||
Group activities for the same purpose with the same means, in relation to data from the | |||
that the Group entities are jointly responsible. | |||
(…) | |||
It is also a regulatory need required by the European Central Bank (...) and | |||
It is also necessary to comply with legal obligations that must be supported by the | |||
of the Group to manage customer information in a coordinated manner, established in | |||
regulations such as the Sustainable Economy Law, Consumer Credit Contracts or | |||
Prevention of Money Laundering and the financing of Terrorism. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 19 | |||
19/177 | |||
As a consequence of the adoption of this "common repository" model, which was analyzed | |||
In an Impact Assessment, several measures were implemented. Between them: | |||
. Inform the interested parties that consent was granted at the Group level, to all | |||
effects, so that if it is not lent to an entity, none of them could treat the | |||
data; | |||
. Centralized management of data protection rights, being possible to exercise them before | |||
one or all entities, justified by the sectoral regulations that require fraud prevention, | |||
money laundering and risk control; | |||
. Revocation of consent also at Group level (withdrawal of consent to a | |||
treatment for commercial purposes to an entity also means it for the rest). | |||
b) About the client registration process, information and decisions about the treatment of | |||
personal data, highlights that this decision is free for the client and is not predefined. | |||
This information / decision phase in the office is articulated through an interview between the | |||
employee and client, with content that must necessarily be addressed and | |||
which is formalized with the signing of the "Framework Contract", the first version of which with references to the | |||
RGPD is from June 2018 and not November. During the interview, after collecting the data | |||
identification, fiscal, regulatory and economic client, they are consulted about their | |||
preferences and you are asked to mark them yourself on the tablet provided, in which | |||
you can read and analyze the information provided for as long as you consider | |||
necessary, and can make inquiries to the employee, who has been trained to do so. | |||
The result of this is incorporated into a file in pdf format that the system generates in a | |||
individualized and unique for each client, which includes in its initial part their declarations | |||
regarding the processing of your personal data. Taking into account that this document already | |||
contains the particularities and preferences of the client, does not include selection boxes, which | |||
should not lead to the mistake of thinking that said "Framework Contract" does not allow the client to choose | |||
how your personal data will be processed. In fact, technically, the contract cannot | |||
be generated without the client having spoken one way or another. In addition, the interested party | |||
You can review the copy of the contract displayed on the Tablet, check that it includes your | |||
authorizations or consents, request its modification and sign it once you agree with | |||
what is reflected in it. | |||
During this process of obtaining the consents, the client is informed about his | |||
meaning clearly, simply and transparently, you can ask the employee questions and | |||
examine the own version of the "Framework Contract". | |||
For online registration, the operation is essentially the same. In this case, the client marks the | |||
boxes on your device, after reading the meaning of your choices in windows | |||
information that the system forces you to open, as found in the inspection of 11/28/2019; | |||
You can also review the document and sign it if you agree, or delete it otherwise. | |||
In addition, although the "Framework Contract" is the main axis of the relationship with the client, it | |||
has additional information in the "Privacy Policy", in a language | |||
adapted to the environment, simpler and more friendly; as well as in the specific contracts of the | |||
products or services that you contract. These specific contracts incorporate conditions | |||
specific or particularities that the new product or service entails, but there are | |||
on the basis of the "Framework Contract", which they complement. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 20 | |||
20/177 | |||
In the specific cases of social media and aggregation contracts, to which the | |||
agreement to open the procedure, indicates that they are not representative, due to the scarce | |||
number of clients who have requested them. This merely complementary character explains | |||
that the information is reduced, since it is about clients who were informed in | |||
under the "Framework Agreement". Regarding the social media contract, it warns that the | |||
Access to the service has been suspended for months and as of the date of the brief of allegations it is not | |||
accessible. | |||
In relation to the foregoing, CAIXABANK provides circulars and internal regulations regarding the | |||
data protection information and provision of consent, as well as some | |||
examples of employee training on this subject and the | |||
particular client registration processes, which is updated and complemented by | |||
circular. | |||
It provides two documents with the labels “Rule 47: Confidentiality and data treatment | |||
of a personal nature ” and “ Rule 122: Prevention of money laundering and financing | |||
terrorism ” , as well as some circulars; all of them aimed at employees of the entity. | |||
The first of the cited documents includes, among others, sections on the RGPD, | |||
obligations and principles of treatment, exercise of rights, purposes and communications | |||
of data. We highlight the following aspects: | |||
(…) | |||
Provide two circulars, dated 11/26/2019 "The client will complete the treatment of their | |||
personal data ” and 07/17/2019 “ Solve your doubts about the questions of the Framework Contract. | |||
These are some of the answers to the questions of the Framework Contract ” . | |||
(…) | |||
It also provides a document labeled "The General Regulations for the Protection of | |||
Data ” , also aimed at employees. This document explains basic lines of the | |||
regulations and different assumptions are made to employees in this matter. | |||
Finally, in relation to the issues mentioned in this section, it accompanies | |||
printing of screens corresponding to the personal area of a client, to justify that in | |||
it does not include the link to "My social network data . " | |||
c) The consent contract is used to document the modification of the | |||
consents outside the registration process. In this case the signature by the client is not required | |||
of the "Framework Contract", which is designed to be signed only once, with exceptions. | |||
Only texts related to the circumstances for which the request is requested are presented. | |||
consent or that you want to modify or revoke. It is a unique and clear document | |||
focused on what the client wants to change. | |||
d) As a conclusion to what is indicated in this point, CAIXABANK reiterates that the various | |||
documents you have to regulate the processing of personal data are used in | |||
different moments and scenarios, and not simultaneously. Customer experience is the | |||
to receive a single document; contrary to the image of disorganization and confusion that the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 21 | |||
21/177 | |||
AEPD seems to have. | |||
2. CAIXABANK has informed the interested parties in the terms provided in articles 13 and | |||
14 of the RGPD. | |||
a) It alleges that it complies with the provisions of article 13 of the RGPD, both in content and in | |||
shape, according to the procedure you described. The procedure is direct and simple, no | |||
responds to the confusing image reflected in the Startup Agreement, offers complete information and | |||
separately, step by step and intuitively. | |||
On the other hand, the information offered in the "Framework Contract" details the identity of the | |||
responsible, contact details of the DPD, purposes of the treatment and legal basis, treatments | |||
based on legitimate interest, retention periods, rights, revocation of the | |||
consent, possibility of filing a claim with the AEPD, communications of | |||
data, existence of automated decisions, and includes a link to the "Policy of | |||
Privacy". | |||
Regarding the rest of the documents ("Privacy Policy", product and service contracts and | |||
"Consent Agreement"), CAIXABANK points out that, considering that the "Agreement | |||
Marco ”informs about the extremes required by the RGPD, it is not necessary that they return to | |||
reproduce them. These other documents are not intended to comply with the provisions of the article | |||
13 of said Regulation, since they are directed to already informed clients. | |||
b) CAIXABANK does not carry out, within the framework of those established in the “Framework Contract”, | |||
treatments that involve decisions based solely on automated processing, | |||
including profiling. | |||
The alleged entity refers to the classification made by the Article 29 Working Group, | |||
made up of the European Data Protection Committee, in the Guidelines on | |||
automated individual decisions and profiling for the purposes of the RGPD, which | |||
distinguishes the following ways of using profiling (WP251 Guidelines): | |||
“There are three possible ways to create profiles: | |||
i) | |||
General profiling; | |||
i) | |||
decisions based on profiling; | |||
ii) | |||
decisions based solely on automated processing, including the preparation of | |||
profiles, which produce legal effects on the interested party or significantly affect him in | |||
similarly (Article 22 (1)). | |||
The difference between ii) and iii) is best seen with the following examples where a person requests | |||
a loan through the internet: | |||
. the case in which a human being decides whether to approve a loan based on an elaborate profile | |||
Only through automated processing corresponds to option ii); | |||
. the case where an algorithm decides whether the loan should be approved and the decision is carried over | |||
automatically to the person in question, without any prior and meaningful evaluation by a | |||
being human, corresponds to option iii) ” . | |||
CAIXABANK simply prepares general profiles (option i) and makes decisions based on | |||
profiles (option ii) from those listed in the Guidelines. Therefore, article 22 is not applicable | |||
of the RGPD and neither the duty of information included in article 13.2 f) of the same text | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 22 | |||
22/177 | |||
legal. Even so, CAIXABANK voluntarily and adequately informs the interested parties of the | |||
extremes provided in the last cited article in compliance with the recommendations | |||
established in those Guidelines, which determine: | |||
“Although the automated decision and profiling do not meet the definition of article 22, | |||
section 1, it is still advisable to provide such information. In any case, the person responsible | |||
of the treatment must offer enough information to the interested party so that the treatment is fair and | |||
comply with the rest of the information requirements of articles 13 and 14 ”. | |||
Consequently, although it is not obliged to do so, for transparency and voluntarily, | |||
informs of all the points provided for in article 13.2 f) and 22 of the RGPD: | |||
. Clause 8 of the “Framework Contract” informs the interested parties of their right to obtain | |||
human intervention in the treatments, to express their point of view, to obtain a | |||
explanation of the decision made based on the automated processing and to challenge said | |||
decision; that is, it is reported in line with the provisions of article 22.3 of the RGPD, despite | |||
if not necessary. | |||
. In line with the provisions of article 13.2 f), it is reported on the existence of profiling, the | |||
importance of the treatment (very minor as it is based on consent) and the | |||
consequence for the interested party ( “If I authorize it, the offers that are sent to me will be | |||
adapted to my profile ” ). | |||
. Regarding the applied logic, CAIXABANK's actions are consistent with the | |||
recommendations of the AEPD published in the "Guide to Adaptation to the RGPD of treatments | |||
that incorporate artificial intelligence. An introduction". He states that CAIXABANK agrees | |||
in which “to comply with this obligation by offering a technical reference to the implementation of | |||
algorithm can be opaque, confusing, and even lead to fatigue ” . Therefore, it facilitates | |||
Clause 8 (i) of the “Framework Contract” a description of the different operations that lead to | |||
carried out and that "allows to understand the behavior of the treatment" . | |||
. It considers that the obligation to inform about the right of opposition is not applicable, for | |||
how much decisions are not made based solely on automated processing. Add | |||
that, however, in different places it warns that the interested party can withdraw their | |||
consent and informs in a generic way about the right of opposition in the section | |||
which deals with data protection rights. | |||
c) It informs about the content provided for in article 14 of the RGPD, despite the fact that the Agency | |||
consider that this requirement is significantly breached in relation to the data | |||
"Supplemented and enriched" by data obtained from other sources. | |||
It points out that, as it already explained in file E / 01475/2018, that CAIXABANK considers | |||
expired, it only complemented data with databases that at that time were not | |||
subject to the LOPD, obtained from companies that provide commercial information, sources | |||
public and with statistical and socioeconomic data. (…) | |||
Currently, the sources and categories of data are reported in Clause 8 of the | |||
"Framework Contract", although the entity is working to update its clauses | |||
informative and gain even more transparency at this point. | |||
In addition, it is reported that the collection of data from third parties will be carried out verifying that | |||
meet the established requirements, which is guaranteed through the Evaluation process | |||
impact, recently shared with the Agency. The application of that protocol | |||
guarantees that any hypothetical database acquisition involves measures to | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 23 | |||
23/177 | |||
inform their holders. | |||
d) the statements about the vagueness and lack of clarity of the information made by the | |||
Agency are subjective and constitutes a mere opinion without foundation and without proof | |||
that determines that lack of clarity of the terms used or that shows what | |||
understand or not the clients, which cannot be extrapolated to the generality of interested parties and | |||
it can be taken as a criterion of what constitutes comprehensible information or not. | |||
On the contrary, CAIXABANK does periodic tests with users and specialists | |||
to ensure that your registration processes are simple and transparent, from which arise | |||
initiative that are put into production. In 2018, it commissioned the external entity specialized in | |||
linguistics a review of different contractual documents in order to verify what could | |||
be understood without difficulty for an average customer profile. One of these documents | |||
analyzed was the "Framework Contract", on which they raised doubts and suggested modifications | |||
minors, concluding that the text was understandable by the average client (cites an example | |||
referred to information on the transfer of data to third parties, in which the aforementioned company reduced | |||
the original format without changing the sense of the text). These works are suspended | |||
until the impact of this procedure can be evaluated. | |||
Another element that has not been considered is the low volume of claims (two | |||
cases). | |||
e) On the other hand, the AEPD criticizes the lack of uniformity between the different documents of | |||
CAIXABANK, in relation to the rights of the interested parties, the possibility of claiming before | |||
the Agency, the retention period, the contact details of the DPO. However, understand | |||
CAIXABANK that the duty of information is fulfilled with the "Framework Contract" and not with the rest | |||
of documents, which are merely complementary. They are not uniform because they pursue | |||
specific purposes and differences occur while documents are being updated in | |||
question. | |||
f) Regarding the lack of motivation for the six-month retention period after the | |||
termination of the contractual relationship, states that it is a self-imposed measure | |||
to protect your customers. Consider that consent for commercial purposes | |||
it could have been configured as valid until its revocation, unlike the | |||
data processing based on the contractual relationship, at the end of which the provisions of | |||
articles 17 RGPD and 32 LOPDGDD. In the treatments based on consent, the | |||
The rules of these articles would operate with their revocation, not based on the passage of time. | |||
It also points out that the GT29 Transparency Guidelines and the AEPD Guide do not | |||
indicate or recommend informing about the reasons that motivate a retention period. | |||
Finally, it states that the difference in term (6 months in some cases and 12 in others) | |||
is motivated because each client has a contract, which means that for each client | |||
there is a single retention period. While admitting that the situation is undesirable and | |||
reports that it is in the process of unification. | |||
g) Regarding the aggregation contract, inform that it has been updated. Consider correct | |||
the indication on the impossibility of offering the service in case of withdrawal of the | |||
consent, since in that case the object of the contract would be frustrated, which consists of, | |||
precisely, in accessing data from other accounts. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 24 | |||
24/177 | |||
In addition, it is the client who chooses the sources from which information is obtained when selecting | |||
the accounts you want to add and is informed about the categories of data obtained, which are | |||
those included in those accounts. | |||
It does not share the indication contained in the opening agreement on the meaning given by the | |||
Agency to collect the information that this service entails and highlights that it is | |||
subject to regulatory rules, specifically, article 39 of Royal Decree-Law 19/2018, | |||
according to which the service provider will not use, store or access any data for | |||
purposes other than the provision of the service and in accordance with the rules of protection of | |||
data. The use of the data for commercial purposes will only be carried out if the interested party has | |||
said use is consented, as provided in the "Framework Agreement". | |||
CAIXABANK understands that the novelty of the service seems to have confused the Agency, | |||
when the mechanism is exactly the same as a checking account (the data that is | |||
generated in the account statement are used for commercial purposes if the client authorizes it). | |||
The following is indicated in the new Contract model that accompanies: | |||
(…) | |||
3. CAIXABANK requests and obtains free, informed, specific and unequivocal consent | |||
interested parties. Legitimate interest. | |||
a) At present, consent is requested with full transparency, according to the | |||
procedure described above, for four purposes: | |||
. Profiling activities: this consent and operations are clearly reported | |||
that are carried out for this purpose, with the motivation of being transparent in relation to | |||
with what it involves profiling. | |||
. Commercial offer: receive advertising and commercial offers, with the option to mark the channel to | |||
through which you want to receive offers. | |||
. Assignment to third parties: consider that this purpose is self-explanatory and warns that it has not | |||
carried out any assignment. | |||
. Use of biometric data to verify identity and sign: this is a clause | |||
dynamic. It alleges that the clause on data processing referred to by the Agency, | |||
included in the version of the contract signed on 11/06/2019 corresponds to the face-to-face channel, | |||
while the template provided focused on the online channel. | |||
b) The three consents that are collected for commercial purposes (profiling, sending | |||
commercial communications and data transfer) are independent and freely provided | |||
by the interested party through an affirmative act that reflects a free, specific will, | |||
informed and unequivocal. | |||
Consent is free because it can be chosen whether it is given or not, it is presented in a part | |||
differentiated and given the opportunity to analyze and tick the corresponding boxes for themselves | |||
itself, having established an equally easy procedure to remove it; is specific | |||
because it is granted for well defined and delimited purposes; is unequivocal, considering the | |||
act of deliberately checking the box by which you consent to the treatment with | |||
stated purposes; and is informed because all sufficient information has been provided | |||
according to the Guidelines on the consent of the Working Group of Article 29 and the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 25 | |||
25/177 | |||
Recital 42 of the RGPD. | |||
c) Regarding the information provided regarding consents, CAIXABANK considers | |||
that the AEPD states that customers are not aware of the fact that they give their | |||
consent and the extent to which they do so without justifying this claim and without any proof, and | |||
nor does it prove that any of the elements that make up the information are missing. | |||
In any case, for clarification purposes, it should be noted that there are treatments on which | |||
informs in the "Framework Contract" that they have not been carried out in practice (the most | |||
the one related to transfers to third parties, already mentioned) and that, therefore, cannot | |||
be considered to appreciate any infraction. | |||
Profiling operations include treatments as a result of | |||
that the clause was drawn up in 2016, when there were no clear criteria on the | |||
interpretation of the RGPD, when the truth is that some of the treatments become | |||
legal obligations (fraud control and risk management) or are necessary for the | |||
contractual relationship (monitoring of the relationship or adoption of recovery measures). | |||
The information can be improved by explaining what “profiling” consists of, but this does not invalidate | |||
The consent. In fact, by suppressing some of the information, it becomes even clearer that | |||
authorization is only requested for profiling. Details the following example of a reduced clause: | |||
(…) | |||
There has not been a lack of information, but, in any case, an excess of information, | |||
but there are no hidden treatments in disguise. It is intended, simply, to explain what it is | |||
"Profiling" for commercial purposes. | |||
Therefore, in relation to this clause, no additional boxes are required to collect | |||
other authorizations. | |||
The fact that some information can be improved should not carry a sanction, | |||
but perhaps the warning for the implementation of certain changes. In view of these | |||
possible improvements, CAIXABANK is in a self-evaluation process to improve | |||
their texts and clarify their purposes and legal bases, as well as to eliminate treatments that | |||
they are not carried out. And you are planning a personalized communication process to | |||
totality of clients in which the consents granted are remembered and explained in | |||
new their meaning through a debugged and improved clause. | |||
d) Also in relation to profiling operations, CAIXABANK refers to the | |||
grouping of consents discussed by the Agency. Indicates that you have designed your | |||
consents for the four indicated purposes, describing the different operations | |||
of treatments for each purpose, without seeking a block consent that covers a | |||
purpose that surprises the customer. What the entity intends, he indicates, is to facilitate its | |||
understanding and detail, in accordance with the provisions of Recital 32 of the RGPD | |||
( “Consent must be given for all treatment activities carried out with the | |||
same or the same purposes ” ); as well as what is indicated by the Agency in point 2.4.1 of the | |||
Frequent Consultations (FAQS) and in the “Report on privacy policies on the Internet, | |||
adaptation to the RGPD ” (page 4). If Clause 8 (i) of the “Framework Contract” is analyzed, taking | |||
carried out the purifications that have been indicated before, it is observed that the operations that | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 26 | |||
26/177 | |||
indicate are nuances of the same profile. | |||
e) CAIXABANK is the CaixaBank Group. The way in which this Group has been articulated | |||
it responds to regulatory reasons, as indicated above. | |||
The entities that comprise it, since the entry into force of the RGPD have had a luck | |||
of shared responsibility for the data that is collected and processed in the context of its | |||
activities. Thus, it would be absurd to request different consents for treatments that | |||
are to be carried out jointly in the context of the Group's activities for a | |||
same purpose and with the same means, in relation to data from which all entities of the | |||
Group are responsible. The opposite would suppose a greater risk for the interested parties that | |||
they would lose real control over them. | |||
Given shared responsibility, it makes no sense to request a separate consent | |||
for the "transfer of data" to other entities that, for regulatory, strategic and | |||
operatives are equally responsible. There is no purpose of its own in the assignment, as it is | |||
all direct and joint responsible entities. Therefore, consent is joint | |||
and by purpose. | |||
Instead of confusing with strange constructions, the customer is asked a question | |||
Simple: whether or not you want the Group to process your data for commercial purposes. The interested party is | |||
free to accept it or not. This option of "all or none" does not limit the ability to decide of the | |||
client. It is simply a consequence of the corporate structure of the Group and its | |||
regulatory obligations. | |||
f) In relation to the processing of data for commercial purposes based on interest | |||
legitimate, CAIXABANK clarifies the operation that follows since the application of RGPD in May | |||
2018, (…) the data of those clients who have not consented to the processing of their data | |||
for commercial purposes, or has revoked the consent previously given to | |||
neither are they treated based on legitimate interest. | |||
For clients prior to that date, distinguish between those who signed the "Framework Agreement" or the | |||
of consents, (...) and those who were asked and have not answered, which are the | |||
only customers whose data is used based on legitimate interest (until the customer | |||
signs the contract). | |||
Thus, treatment based on legitimate interest is reduced to marginal cases, such as a | |||
temporary situation. In addition, it prepared an impact assessment and decided not to send the | |||
"Consent Agreement" to those pre-RGPD clients who, without having signed the | |||
"Framework Contract", they had already expressed "No." | |||
It adds that the statements made by the AEPD are not true. On this, he points out that he has | |||
carried out an impact evaluation on all the treatments carried out on this basis | |||
legitimizing and, within that evaluation, has made the weighing judgment between the interest | |||
legitimacy of the entity and the rights of the interested parties; secondly, it clarifies that | |||
described policy avoids that treatments can be carried out based on the legitimate interest that | |||
had been denied by the owner of the data. It equates the revocation of consent to | |||
opposition to the treatment for those cases in which CAIXABANK can carry out | |||
treatments based on their legitimate interest (such as, for example, the AEPD analyzes and assesses | |||
Report 195/2017, and as reported in clause 7 and on its website (see Fact | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 27 | |||
27/177 | |||
Fifth of the Initiation Agreement). | |||
In the aforementioned Report of Legitimate Interest of the Minutes of the CAIXABANK Privacy Committee, of | |||
05/15/2018, it is indicated: | |||
(…) | |||
g) Regarding the consents for the purposes indicated in the Aggregation Contract and the | |||
Terms of Social Networks, warns that in these additional documents the | |||
consent, but no new one is obtained; consent is given in the "Contract | |||
Framework". This fact has been confused by the AEPD, when it understands that these contracts | |||
give separate consent | |||
4. Consent is requested for profiling for commercial purposes; and not for adoption | |||
of automated decisions, which do not occur in this context. | |||
According to CAIXABANK, the alleged violation of article 22 of the RGPD is based on an assumption | |||
erroneous, as it does not adopt automated decisions for commercial purposes that produce | |||
significant legal effects on the holders of the data based on the execution of | |||
automated treatments. Simply build general profiles and make decisions | |||
based on profiles (option (i) and (ii) of the WP251 Guidelines). | |||
In this regard, it refers to the allegations already made regarding the duty of information and the | |||
validity of the consent granted and alleges that the Agency has not even proven that | |||
CAIXABANK is effectively carrying out these treatments. | |||
5. In the alternative, CAIXABANK alleges the nullity of the Initiation Agreement due to the expiration of the | |||
previous actions number E / 01475/2018 and because it sanctions infractions that would be | |||
prescribed in accordance with the LOPD. | |||
The AEPD makes use of previous actions started in January 2018 that were | |||
archived for expiration, which are incorporated into new ones through a simple | |||
"Chain" that turns the actions of the AEPD into perennial, contrary to what | |||
pursued by article 122 of the Development Regulation of the LOPD, approved by Real | |||
Decree 1720/2007. | |||
These actions number E / 01475/2018 began in January 2018, as a result of a | |||
complaint, and were filed for expiration on February 1, 2019. However, when | |||
the preliminary investigation actions indicated with number E / 01481/2019 were initiated, | |||
that led to the agreement to initiate this sanctioning procedure, one of the | |||
The first actions were to integrate the aforementioned expired actions. This action leaves | |||
It is clear that what is sought with this procedure is to prosecute and resolve those facts | |||
past events that gave rise to expired proceedings, which were artificially prolonged | |||
up to two years, almost doubling the twelve-month limit indicated in the RLOPD. | |||
Furthermore, the facts analyzed in the previous E / 01475/2018, if they were infractions, would have | |||
prescribed in the terms provided in the LOPD applicable in January 2018. This would be the case | |||
of the infractions considered minor under the LOPD. | |||
This conduct constitutes a fraud of law (article 6.4 of the Civil Code), as the AEPD shields itself | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 28 | |||
28/177 | |||
in an apparently legal action to achieve a result prohibited by law | |||
legal; it is contrary to article 95.3 LPAC; and entails the nullity of the initiation agreement and the | |||
procedure, proceeding its file. | |||
6. Also in a subsidiary way, it requests that a penalty of warning be imposed or, | |||
not consider said request, which is sanctioned within the scale provided for in sections | |||
fourth and fifth of article 83 of the RGPD. | |||
a) It considers the following graduation criteria applicable as mitigating factors: | |||
. The measures taken by the person in charge (article 83.2.c) of the RGPD): CAIXABANK has | |||
made a significant effort over the last few years, especially since the | |||
entry into force of the RGPD, to provide its customers with relevant information, including | |||
providing the intervention of third parties to verify the adequacy of the legal texts. East | |||
effort is evident with the implementation of the measures recommended by FACUA | |||
(provides a copy of emails related to the actions carried out to address the | |||
recommendations of this entity) and for the actions it has planned to strengthen the | |||
information, which includes the preparation of a new version of the "Framework Contract" and the | |||
sending its clients a communication to remember the consents granted and their | |||
meaning, as well as the possibility to revoke or modify them; in a clear will to | |||
repair any focusing errors that may have occurred. | |||
. The degree of cooperation with the supervisory authority in order to remedy the | |||
situation and mitigate possible adverse effects (article 83.2.f) of the RGPD). CAIXABANK has | |||
shown its willingness to collaborate and the implementation of measures aimed at solving | |||
possible shortcomings, indicated in the brief of allegations itself. Indicates as sample of | |||
this provision the attention paid by the DPD to the claim made by FACUA and the | |||
information provided about said action to the AEPD. | |||
b) The AEPD omits the aforementioned criteria and refers to a series of criteria that | |||
lists, without any motivation or justification and without specifying if they are applied as aggravating factors | |||
or mitigating, which generates defenselessness to the entity. CAIXABANK states that, due to | |||
disproportionate sanctions, understands that the aforementioned criteria are interpreted by | |||
the AEPD as aggravating factors. This entity considers that the following criteria collide with the | |||
reality: | |||
. The nature, severity and duration of the infringement (article 83.2.a) of the RGPD). Considers | |||
that the AEPD intends to impose a high penalty for issues that are not a | |||
especially serious, considering that we are not facing an assumption in which there is no | |||
provided no information, but all information is provided, although the | |||
AEPD considers that some aspect can be improved; special categories of | |||
data. | |||
To date, cases of absolute lack of information have been sanctioned with | |||
warning (PS / 00224/2019 or PS / 00041/2019), having imposed the highest sanction, | |||
for an amount of 250,000 euros, for a much more serious case (PS / 00326/2018). The | |||
disproportion in this case is ostentatious. | |||
In addition, it highlights that under the old LOPD and the LOPDGDD, for prescription purposes, the | |||
infraction for lack of information is considered as minor. However, the proposed sanction | |||
in the start-up agreement, it exceeds the previous sanctions imposed, and is radical compared to | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 29 | |||
29/177 | |||
new attitude adopted in recent times to try to find a collaborative solution | |||
with the entities that were willing and to resort to the warning. | |||
On the other hand, it highlights that there are only two claims, that no damage has been caused to | |||
clients given that the personal data processing carried out is as necessary | |||
for the development of the activity and are carried out in accordance with the requirements demanded by the | |||
normative, even when some aspect can be improved. This lack of prejudice is | |||
highlighted by the Article 29 Working Group in its Guidelines on the application and | |||
setting administrative fines (WP253), assumed by the European Committee for the Protection of | |||
Data. | |||
Neither did the complainant challenge the filing of his complaint, which he could have done; and not | |||
there have been other complaints or legal actions. That is, no damage has occurred. | |||
. Contrary to the Agency's assessment, it considers that the criterion regarding the | |||
intentionality or negligence appreciated in the commission of the infraction (article 83.2.b) of the | |||
RGPD) should be appreciated as a mitigating factor for the diligent action of the entity, the | |||
establishment of clear procedures regarding the information and provision of | |||
consents, the training given to the employees and the collaboration shown with the | |||
Agency, adapting and perfecting your texts. | |||
. If the commission of any infringement is appreciated, CAIXABANK has not obtained any benefit | |||
financial statement (article 83.2.k) of the RGPD), while it would mean, instead, damage | |||
reputational. It does not monetize the personal data of its customers, nor as a sale for | |||
commercial or for other actions. | |||
The CaixaBank Group experienced volume growth in the first nine months of 2019 | |||
business (+ 4.4%), reaching 609,012 million euros, which is due "to the boost | |||
commercial and the improvement of the relationship ” of customers (as indicated in the note of | |||
attached press, published on 10/31/2019 under the title “CaixaBank obtains a profit of | |||
1,266 million and reached 6,201 million in income ” ). | |||
. The Agency includes among the concurrent graduation criteria the high volume of | |||
data and treatments, among which transfers to third parties stand out. However, these | |||
Assignments do not occur or have been proven in any way. | |||
. Personal data of special sensitivity is not processed, which should be appreciated as a | |||
extenuating. | |||
. It is also stated in the initiation agreement that CAIXABANK has not implemented | |||
adequate procedures in the collection and processing of personal data, and that the | |||
Infringement is the consequence of a defect in the designed management system. In this regard, | |||
said entity alleges that the systematic and layered process of information and request for | |||
Consents is exemplary and gives the interested party greater control. Add that a possible | |||
Information defect cannot be understood as a system defect. | |||
. On the degree of responsibility of the person in charge, to which the Agency turns in relation to | |||
the violation of article 6 of the RGPD, indicates that the measures taken during the last | |||
years have been aimed at promoting transparency and compliance with the principles of | |||
data protection, as a reflection of the principle of proactive responsibility and privacy | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 30 | |||
30/177 | |||
from design and default. Therefore, this criterion must be interpreted as mitigating. | |||
As a conclusion, it highlights that diligent and proactive collaboration must be taken into account, | |||
the measures adopted to alleviate possible information errors, the lack of intentionality | |||
and that the possible infringement would be about information matters that do not have a | |||
special gravity; and based on this, according to the position taken by the AEPD, it would proceed | |||
a warning sanction or, if not appreciated, a sanction within the scale | |||
provided for in the fourth and fifth sections of article 83 of the RGPD. | |||
As a test proposal, it indicates that it intends to use the documentary that already | |||
appears in the files of previous actions E / 01475/2018, E / 03677/2019 and | |||
E / 01481/2019, as well as the documentation provided with your brief of allegations. | |||
TENTH: On 07/02/2020 the opening of the testing period was agreed. The writing | |||
sent on that date to CAIXABANK, through its representation, was rejected, | |||
as stated in the certificate issued by the Electronic Notifications Service and | |||
Enabled Electronic Address. | |||
By letter of 07/16/2020, notified a day later, said | |||
communication to CAIXABANK, informing said entity that it is considered | |||
evidentiary effects of the claim filed and its attached documentation, as well as the | |||
documents and statements obtained by the Subdirectorate General for Data Inspection | |||
in relation to said claim in the information request process prior to admission to | |||
Procedure; as well as the documents obtained and generated by the Inspection Services. | |||
Likewise, the allegations to the initiation agreement formulated | |||
by CAIXABANK and the documentation that accompanies them. | |||
On the other hand, it was agreed to require the CAIXABANK entity so that within a period of | |||
ten business days provide the following information and / or documentation: | |||
"A) Copy of the record of all personal data processing activities carried out under the | |||
CAIXABANK's responsibility to which mention is made in the data collection form | |||
personal information called "Declaration of economic activity and data protection policy | |||
personal ”, in its initial version, together with any addition, modification or exclusion in the content | |||
of the same. | |||
b) Copy of the evaluation / s of the impact on the protection of personal data relative to any | |||
type of personal data processing operations carried out under the responsibility of | |||
CAIXABANK, of those mentioned in the form “Declaration of economic and political activity of | |||
protection of personal data ”, which pose a high risk to the rights and freedoms of the | |||
natural persons, in its initial version and, where appropriate, with details of the modifications or | |||
updates that may have been made. | |||
Likewise, if there has been a change in the risk represented by the processing operations | |||
and if deemed necessary, the result of the examination that CAIXABANK could have | |||
perform to determine if the treatment is in accordance with the impact assessment related to the | |||
data protection (article 35.11 of the RGPD). | |||
c) Copy of the documents in which the evaluation carried out by the CAIXABANK entity is recorded | |||
on the prevalence or not of the interests and fundamental rights of the interested parties over the | |||
CAIXABANK interests in relation to personal data processing operations | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 31 | |||
31/177 | |||
made under the responsibility of CAIXABANK, of those mentioned in the form "Declaration | |||
of economic activity and personal data protection policy ”, with which the | |||
satisfaction of legitimate interests pursued by the CAIXABANK entity itself or by a third party ”. | |||
In response to the request by CAIXABANK, the term granted was extended by five | |||
business days. | |||
On 08/07/2020, a response letter was received, which CAIXABANK accompanied | |||
the following documentation: | |||
1. Register of personal data processing activities. | |||
(…) | |||
2. Impact evaluations on the protection of personal data. | |||
(…) | |||
3. Evaluation of the prevalence of the legitimate interest of CAIXABANK or third parties against | |||
the interests and fundamental rights of the interested parties. | |||
(…) | |||
ELEVENTH: On 11/24/2020, a resolution proposal was issued in the sense | |||
following: | |||
"1. That by the Director of the Spanish Data Protection Agency the entity is sanctioned | |||
CAIXABANK, SA, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) | |||
and classified as mild for the purposes of prescription in article 74.a) of the LOPDGDD, with a fine for | |||
amount of 2,000,000 euros (two million euros). | |||
2. That by the Director of the Spanish Agency for Data Protection the entity is sanctioned | |||
CAIXABANK, SA, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and | |||
classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a | |||
fine amounting to 4,000,000 euros (four million euros). | |||
3. That, due to lack of evidence, the non-existence of infringement in relation to the imputation is declared | |||
for a possible violation of the provisions of article 22 of the RGPD | |||
4. That the Director of the Spanish Agency for Data Protection proceeds to impose on the | |||
entity CAIXABANK, SA, within the period to be determined, the adoption of the necessary measures to | |||
adapt the processing operations carried out to the personal data protection regulations, | |||
the information offered to its clients and the procedure by which they must provide their | |||
consent to the collection and processing of your personal data, with the scope expressed in the | |||
Legal Basis X ” of the proposed resolution. | |||
TWELFTH: Notified to the entity CAIXABANK the aforementioned resolution proposal, | |||
a written statement of allegations was received at this Agency, dated 12/18/2020, in which it requests the | |||
annulment of the sanctioning procedure due to (i) the flagrant defenselessness produced by that | |||
entity by violating its presumption of innocence, (ii) the bankruptcy of the principle of trust | |||
legitimate, (iii) defenselessness materialized in previous investigation activities without | |||
subject to any guarantee and (iv) the expiration of the sanctioning procedure. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 32 | |||
32/177 | |||
Alternatively, it requests the filing of the proceedings due to the absence of an infringement and, in its | |||
defect, that the warning or the imposition of the amount of the sanction is agreed | |||
corresponding in its minimal degree. Base your requests on the following considerations: | |||
- 1. Violation of article 24.2 of the Constitution, presumption of innocence. | |||
The presumption of innocence is broken if the person instructing the file or who is going to resolve it | |||
do not have the ability to assess such evidence impartially, without any kind of | |||
"Pre-trial" , or if they have formed their will before having all the elements in their sight | |||
evidentiary. | |||
In this case, the allegations at the opening of the procedure were presented on the date | |||
03/04/2020. One day before, on 03/03/2020, without even having received the first allegations | |||
of CAIXABANK, in an act of ISMS Forum held in Madrid, the Director of the AEPD, | |||
highest authority of the institution and competent person to resolve this file | |||
and on which the instructor hierarchically depends, publicly stated that “We already have two | |||
or three high-impact sanctioning procedures that will have a great impact | |||
media in relation to the financial sector, will be the first quantitative fines | |||
important by the Agency ” . Not conditionally, but as something that necessarily | |||
is going to happen. In CAIXABANK's opinion, it is difficult to find a greater display of contempt for the | |||
presumption of innocence. | |||
He adds that this is stated in the summary of this intervention made by the prestigious publication | |||
The Law, Francis Lefebvre. Likewise, in a tweet from a person present at the event, | |||
stated that “Mar España announces that two sanctions will be made public shortly | |||
exemplary in the financial sector. A bombshell ” (provides screen impression relative | |||
this tweet). In this regard, CAIXABANK states in its allegations that “a sanction and the | |||
we know, that of BBVA. And, either we were wrong a lot, or the other is ours ” . | |||
Provides "notarial certificate of web verification" , which incorporates the information obtained through | |||
the link | |||
“Https: /elderecho.com/los-pensaron-la-aprobacion-la-entrada-vigor-del-rgpd-la- | |||
data-protection-would-decline-I'm-afraid-they-were-wrong ” . It corresponds to a review of the “XII | |||
Privacy Forum ” held on 03/03/2020, organized by ISM Forum and Data Privacy | |||
Institute (DPI). Includes a section on the intervention starring the Director of the | |||
AEPD, which includes the statements previously highlighted by CAIXABANK. | |||
Ex arts. 24.2, 103. 1 and 3 CE –and art. 6.1 of the ECHR-, any procedure should have | |||
been guided by objectivity and impartiality. As indicated by the ECHR (sic) “justice | |||
not only does it have to be applied, but it must also be apparent that it is administered ” (cf. | |||
Cubber v Belgium October 26, 1984) and “not only must justice be done, but | |||
what to do ” Delcourt Judgment of January 17, 1970. | |||
On the other hand, in this case, according to CAIXABANK, before knowing the allegations of the | |||
entity, the person who has to solve, far from keeping any semblance of justice, has already | |||
decided (publicly) to sanction. | |||
In accordance with article 12.2 i) of the Organic Statute of the AEPD (RD 428/1993 of March 26), | |||
The Director of the Agency has the function of “Initiating, promoting instruction and resolving | |||
disciplinary proceedings referring to those responsible for private files ” . Is the | |||
Director of the Agency who informs that instructor impulse and who will determine the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 33 | |||
33/177 | |||
forthcoming resolution. | |||
With this, there has been a flagrant violation of the fundamental right to presumption | |||
of innocence, which should lead to the immediate filing of this sanctioning file. | |||
- 2. Bankruptcy of legitimate expectations | |||
There has been a complete failure of the principle of legitimate expectations (article 3 of the Law | |||
40/2015, of October 1, of the Legal Regime of the Public Sector -LRJSP) , interrelated | |||
with the principle of good faith and legal security. This principle implies that "the authority | |||
the public cannot adopt measures that are contrary to a reasonable hope | |||
induced on stability in the decisions of the former, and based on which the | |||
individuals have adopted certain decisions ” (STS 173/2020). | |||
In this case, CAIXABANK points out that the AEPD's assessments refer to a | |||
documentary structure that was expressly communicated to said Agency shortly after | |||
the publication of the GDPR. Specifically, by email dated 08/02/2016, addressed | |||
to the Deputy Director of the AEPD, in which all the points of the “Contract | |||
Framework". Said email was headed as follows "In accordance with what has been said, | |||
Attached is the contract that we intend to implement this fall. To make it more | |||
understandable, I accompany you a short explanation of its purpose and content " . | |||
Regarding this query, CAIXABANK states that the AEPD "answers by telephone | |||
(obviously we have no recording), making some minor suggestion (which is | |||
implemented), without there being a meeting (such possibility was expressly declined). | |||
That framework contract is practically the same (if anything worse) than the one it is today | |||
allegedly deserving of 6 million euros of sanction and, what is almost more serious, a | |||
threat of nullity of everything acted under it ” . | |||
A year later, also after a conversation, CAIXABANK sends to the same recipient | |||
a general presentation about the GDPR implementation and asks for a meeting again, | |||
which is again denied. On pages 11 and 12 of this presentation he again does | |||
reference to the "Framework Contract", with for example a very clear mention of the now reviled | |||
common repository of group companies. | |||
4 and a half years, 2 detailed emails sent, 2 meetings denied and 14 million | |||
contacts with clients later, and completely unaware of the legitimate conviction | |||
of CAIXABANK to be acting correctly, a request is made for the nullity of all | |||
what has been done. CAIXABANK says: “We do not affirm here that everything we have done is | |||
OK, but could we have a "reasonable induced hope" that our way of | |||
was proceeding according to law? It seems difficult to say no . " | |||
This clear breakdown of legitimate expectations should lead to the filing of the file or, as | |||
At least, to reconsider the decision to declare the obtained consents null. | |||
Provide a copy of the emails to which this allegation refers, addressed by the | |||
signatory of the allegations to the proposed resolution to the Deputy Director of the AEPD and the | |||
answers from this. | |||
- 3. Violation of article 24 of the EC: defenselessness generated to CAIXABANK by the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 34 | |||
34/177 | |||
artificial and unlawful extension of the previous actions, also ignoring their | |||
expiration. | |||
a) The previous actions were not such: it was a sanctioning procedure without guarantees. | |||
CAIXABANK considers that the previous investigation actions supplanted the activity | |||
instructor, since they were used as a true sanctioning procedure (without | |||
guarantees), which constitutes a possible vice of misuse of power in the use of the | |||
mechanisms of instruction and generates helplessness. | |||
Considering the intended purpose with the initiation of preliminary investigation actions, | |||
CAIXABANK understands that the Administration is obliged to initiate the procedure | |||
the sanctioner as soon as he is certain of the commission of the facts and the identity of the | |||
responsible, even if it is not fully accredited (STS of 06/09/2006). | |||
Cites the STS of 12/26/2007 to state that these previous actions will only be | |||
deserving of such consideration to the extent that they “serve the purpose that | |||
justifies, that is, gathering the data and initial indications that serve to judge on the | |||
relevance of giving way to the sanctioning file, and do not distort themselves by transforming | |||
in a surreptitious alternative to the latter. " | |||
And the STS 06/09/2006, which has highlighted the need to safeguard the guarantees | |||
constitutional of the administered in cases like the one at hand: "As it results from this | |||
norm, prior information is not mandatory, having declared this Chamber in a judgment of | |||
November 6, 2000 that "if sufficient data is available to initiate the file, the | |||
Reserved information should not be practiced, because it is unnecessary and because the rights | |||
fundamental defense of art. 24.2 of the EC require that the granting not be delayed | |||
of the status of accused or prosecuted, thus avoiding the risk of using the delay | |||
to carry out interrogations in which the interviewee would find himself in a situation | |||
disadvantageous "." | |||
Well, the AEPD opened some previous proceedings that expired, some | |||
second, and later a disciplinary proceedings were initiated. The AEPD has taken 3 years | |||
to prepare a sanction already decided, with the formal support of previous actions | |||
(a first expired, which led to the opening of a second), without respecting any | |||
essential guarantee of the sanctioning procedure, such as reporting the imputation, | |||
remember the right not to testify against oneself, and a long etcetera, generating | |||
defenselessness in addition to the expiration of the file. | |||
Thus, the proposed resolution rests practically entirely on elements of | |||
charge collected during the preliminary proceedings phase. The only elements of charge | |||
contributed to the procedure during the investigation phase (impact evaluations, registration | |||
treatment and prevalence assessment activities), they have hardly been considered | |||
later, or it is a question of circumstances whose requirement was superfluous, since already | |||
they were held by the AEPD. | |||
In this case, CAIXABANK points out that, although the preliminary investigation actions were | |||
accommodate the requirements of competence and procedure that would enable their adoption, not | |||
they adhere to the purpose that they must cover according to the legislator's design. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 35 | |||
35/177 | |||
Given that the Proposed Resolution rests de facto, solely and exclusively, on the | |||
elements of conviction and evidence collected during the preliminary proceedings phase, the | |||
The impossibility of using these elements means that the Proposal lacks the | |||
elements necessary to enervate the presumption of innocence. | |||
b) In addition, it entailed the incorporation into the sanctioning file of actions from | |||
of some first previous expired actions. | |||
Article 95 of Law 39/2015, which expressly allows incorporating into a file | |||
administrative “the acts and procedures whose content would have remained the same had it not been | |||
expiration has occurred ” , it can hardly be applied to a sanctioning procedure. At | |||
case of a sanctioning procedure, the expiration becomes a guarantee of the defendant, who | |||
it cannot be in any way harmed by the inaction of the Administration. | |||
In addition, the use of previous actions without time limitation is not acceptable, | |||
beyond the prescription itself, which is the effect that would occur if it were allowed | |||
incorporate expired actions to a sanctioning file | |||
Regarding the block transfer of the expired file, refer to what was declared in STS of | |||
02/24/2004: “We know that the expiration declaration does not prevent the opening of a new | |||
sanctioning procedure insofar as the hypothetical infraction that originated the initiation | |||
of the expired procedure has not prescribed ... And this implies: ... That it does not fit, on the other hand, | |||
that the actions of the first take effect in the new procedure, that is, the | |||
arisen and documented in it as a result of its initiation to verify the reality of what | |||
occurred, the person or persons responsible for it, the charge or charges attributable, or the | |||
content, scope or effects of liability, since then there would be no compliance | |||
to the legal mandate to file the proceedings of the expired procedure ” . | |||
Nor is it possible, according to CAIXABANK, to transfer the file en bloc from a procedure to | |||
other because between the two, given their different nature, there are very divergent principles that | |||
prevent what was acted on in the previous proceedings from going entirely to the file | |||
sanctioner or the previous actions that were really nothing more than the instruction of the | |||
sanctioning file. To these pseudo previous performances, actually true | |||
instruction of the sanctioning procedure, should not have arrived "the actions arising | |||
and documented in it as a result of its initiation to verify the reality of what happened, the | |||
person or persons responsible for it, the charge or charge attributable, or the content, | |||
scope or effects of liability ” something that, as has been proven, really | |||
yes it has been transferred through that very difficult justification catwalk. | |||
c) Additionally, this implies the expiration of the sanctioning file | |||
CAIXABANK considers that the previous actions have constituted an artificial way and | |||
undercover of carrying out investigative actions proper to the sanctioning procedure (cites the | |||
STS of 05.13.2019 (RC 2415/2016) and of 6.05.2015 (RC 3438/2012): “... this Room has | |||
declared that the period prior to the initiation agreement << ... has to be necessarily | |||
brief and not cover up an artificial way of performing acts of instruction and mask and | |||
reduce the duration of the subsequent file itself >> (judgment of May 6, 2015, | |||
Appeal 3438/2012, FJ 2º) ". | |||
Based on this, said entity understands that the time used to carry out these | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 36 | |||
36/177 | |||
Actions must be included in the calculation of the expiration period of the procedure. He dies to | |||
quo of this period coincides with the beginning of the preliminary investigation actions | |||
This being the case, the expiration period would have elapsed sufficiently, without, on the other hand, the | |||
AEPD has proceeded to the eventual declaration of expiration and "re-opening" of a new | |||
sanctioning procedure. Finally, it adds that, once the file has expired, the offense has | |||
prescribed. | |||
- 4. CAIXABANK has informed the interested parties in the terms provided in the | |||
Articles 13 and 14 of the RGPD and they have understood it. | |||
Before going into the merits of the matter, CAIXABANK clarifies that it does not maintain that its | |||
information was perfect, that there were no errors. In fact, thanks in part to | |||
experience of several years and, in part, to some of the statements made throughout | |||
the different documents emanating from the AEPD throughout the file, has carried out a | |||
exercise to improve your different documents. However, he understands that he does not want | |||
say that there has been any non-compliance: objectively there was all the | |||
information required in articles 13 and 14 RGPD and customers understood the information | |||
that I was facilitating. | |||
a) All the information required in articles 13 and 14 of the RGPD was provided. | |||
39. The information on data protection that is provided to customers through the | |||
"Framework Contract" complies with the provisions of article 13 of the RGPD. It reports on the | |||
identity of the person in charge, contact details of the data protection officer, purposes of the | |||
treatment and legal basis (Clauses 7 and 8), treatments based on legitimate interest | |||
(Clause 7.3.5), recipients or categories of recipients of personal data | |||
(Clauses 7 and 8), conservation period (Clause 11.3), rights (Clause 9, as well as | |||
7.3.5 regarding the opposition to treatments based on legitimate interest), right to | |||
revoke consent (Clause 8), right to file a claim before a | |||
control authority (Clause 9, which includes a link to the Agency's website), | |||
communications of personal data that is a legal or contractual requirement (Clauses 7 and | |||
8). It also includes a link to the "Privacy Policy" (Clause 7.3.6). | |||
No automated decisions are made, so section 2.f) is not applicable. | |||
of article 13 of the RGPD. | |||
Likewise, CAIXABANK provides in any case the information required by art. 14 of the GDPR, | |||
on the categories of personal data and their source of origin (art. 14 d) and f). | |||
Specifically, in Clause 8 of the "Framework Contract" when informing about the possibility | |||
to enrich and complement the data of the signer with “data obtained from sources | |||
public, as well as by statistical, socioeconomic data (hereinafter, "Information | |||
Additional ”) always verifying that they meet the requirements established in the | |||
current regulations on data protection . | |||
b) Despite not being mandatory, the data categories are widely reported. | |||
Although article 13 of the RGPD and the corresponding article 11 of the LOPDGDD do not require | |||
provide interested parties with this information on a mandatory basis, CAIXABANK offers a | |||
Sufficiently descriptive list of the types of data that are treated based on the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 37 | |||
37/177 | |||
consent, in accordance with the provisions of the Guidelines 05/2020 on the | |||
consent in accordance with Regulation 2016/679 of the European Committee for the Protection of | |||
Data ("CEPD"). What the Agency cannot intend is to impose obligations that are not | |||
establishes the applicable regulations. If a detailed list of all the data were given | |||
specific personal that can be dealt with in this context, I would not be reporting | |||
categories of data processed, but on specific data, which would imply fatigue | |||
informative difficult to beat that has been sanctioned in the past (PS / 00082/2017). | |||
Likewise, it alleges that the information provided on the processing of data from | |||
movements, receipts, payroll, claims and claims, considering that it is about | |||
products and customer operations, who knows the information they include. | |||
It adds that this information does not include sensitive data and warns in this regard that the AEPD does not | |||
you can demand that you report what is not done, based on a suspicion. Even so, in the | |||
The new "Privacy Policy" is expressly indicated, when defining the data category | |||
observed of the operation of the contracted products, that no data of | |||
this nature . | |||
The Agency intends to apply to CAIXABANK information standards that the regulations | |||
does not foresee when it claims that the failure to report on the categories of personal data | |||
that are treated based on legitimate interest (which is not mandatory under the RGPD, nor is it | |||
mentions the CEPD in its guidelines) invalidates subsequent consents that may be | |||
request for commercial purposes. | |||
It is true, as indicated, that the information provided could be improved in | |||
relationship with its presentation, but in no case was it incomplete, so it is | |||
clearly disproportionate the very serious level of the reproach made in the Proposal of | |||
Resolution. In addition, the New Privacy Policy improves the exposure of the | |||
information, detailing in a specific section the specific categories of data and their | |||
breakdown, and subsequently referring to each of them in relation to the | |||
purpose in question. | |||
c) It is not at all proven by the instructor that the clients did not understand the information. | |||
The agency does not prove that the expressions are unclear, beyond the sentence | |||
very summary of the instructor that said lack of clarity is "evident and objective . " | |||
It is understandable that, if the person who is going to issue the resolution, and who is the | |||
regulatory authority in charge of promoting instruction (the Director of the AEPD), has already indicated | |||
publicly one year before the resolution will be sanctioning (we refer to the | |||
first allegation), the instructor understands that the evidentiary effort is unnecessary. But | |||
Obviously, said understanding supposes one (other), violation of the presumption of | |||
innocence. | |||
As indicated in the Transparency Guidelines transcribed in the resolution, the | |||
requirement that the information be "intelligible" means that "it must be understandable | |||
the average member of the target audience ” , and it does not appear in the file that the instructor | |||
have done some checking with average members of the target audience. | |||
d) This part provides evidence that customers fully understood (and understand): | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 38 | |||
38/177 | |||
surveys. | |||
Assuming a reversal of the burden of proof clearly infringing on our | |||
fundamental rights, has carried out a survey and a user test using a | |||
expert and independent company (provides a copy of the reports of this external company). | |||
(…) | |||
e) This part provides evidence that customers fully understood (and understand): | |||
reports from linguists. | |||
You have submitted the consent clauses to the analysis of a company specialized in | |||
linguistics and consultancy for communication, including legal information, having | |||
The work was directed by a Professor of the Spanish Language (...), an expert and advisor to | |||
communication. | |||
It can be seen in the reports provided (a copy is attached) that two clauses were analyzed | |||
different from the "Framework Contract) that with respect to the data processing clause the | |||
recommendations are minimal and less than those made regarding the other clause | |||
submitted to analysis, which does not concern us in this procedure. | |||
In conclusion, it is verified that an expert analysis considered that the text of the | |||
"Framework Agreement" relating to information on data protection was understandable by the | |||
CaixaBank's average customer, as opposed to the mere non-expert opinion of the AEPD. So continue | |||
calling such information "unclear" would be nothing short of reckless. | |||
In addition, CAIXABANK highlights that it has not received any claim for lack of | |||
information, except for the two that serve as the basis of this resolution (among millions of | |||
clients), who also do not state that they do not understand the texts presented to them. | |||
The aforementioned would be unnecessary to understand the accusation rejected. However, | |||
succinct comments are made to each of the specific blemishes that are made. | |||
f) It is not true that non-uniform information is offered to customers. | |||
The information on data protection that has been working in the various documents | |||
provided to customers has not always been completely uniform due to | |||
only to the process of updating such documents, being in any case something | |||
temporal and consequence of the time intervals that an entity such as CAIXABANK | |||
required for such updates. | |||
In this regard, a copy of a "Framework Agreement" dated 06/08/2018 is attached, as | |||
proof that this document was adapted to the RGPD and that the one included in Annex I, as | |||
version from November 2018, it was actually implemented in June 2018. | |||
Finally, CAIXABANK points out that the resolution seems to show that all customers | |||
access all documents and, uniquely, that all clients have both the | |||
consent contract as the framework contract, and both in all their different | |||
versions, in a kind of documentary bombardment that produces confusion, which is | |||
simply false. The vast majority of clients (more than 95%) have signed the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 39 | |||
39/177 | |||
“Framework Contract”, in the current version in each case, and only a residual percentage has the | |||
"Consent Agreement", without this implying any loss of information or | |||
confusion. Obviously the privacy policy is common for everyone, but there is no | |||
no discrepancy between this and the other documents. | |||
In any case, in the indicated improvement process, an absolute honesty has been carried out | |||
of all the documents, as set forth in the Sixth Allegation and the documents | |||
contribute. | |||
g) It is not true that imprecise terminology is used with vague formulations, lack of | |||
specification of the personal categories of data processed, and lack of information on the | |||
purposes and confusion of legal bases. | |||
As for these three accusations, it is enough to point out what is credited with the surveys | |||
provided, which CAIXABANK considers sufficient to distort the assertions of the | |||
Resolution motion. | |||
He reiterates his surprise at the fact that it seems to the instructor that they are not enough | |||
descriptive of the data categories in which the mentions to movements are treated, | |||
receipts, payroll or claims. On this question, CAIXABANK raises whether the purpose is that | |||
the microdata obtained from each category of | |||
document, which would imply an information fatigue that is difficult to overcome. | |||
h) There is no undue transfer of data between group companies: there is joint responsibility. | |||
Both at the regulatory level (an area that the AEPD does not question) and at the commercial level, a | |||
transparent co-responsibility regime for interested parties. Without prejudice to improvement | |||
that at the level of transparency has been carried out in the New Privacy Policy, | |||
considers it essential to point out three elements that the AEPD seems to confuse and that lead to | |||
the erroneous conclusion that the alleged assignments within the Group are unlawful: | |||
i. The Agency interprets that there is a transfer of data between the companies of the Group | |||
CaixaBank from data controller to data controller. This is wrong. It does not occur, | |||
legally, any data transfer; but a direct collection of data by the | |||
companies in the field of co-responsibility. | |||
ii. The AEPD separates the non-existent transfer of data as a new and artificial purpose. In | |||
In no case is access by the CaixaBank Group companies constituted as a | |||
purpose in itself. The "assignees" (actually joint controllers) do not access the | |||
themselves arbitrarily, but for the true purposes of which the interested parties | |||
are informed (these are, for regulatory purposes, "commercial purposes" and | |||
when it is necessary for the execution of the contract, as the case may be). | |||
iii. The birth of co-responsibility does not derive from “intended purposes” but from the | |||
joint participation in the determination of the purposes and means of the treatment between the | |||
CaixaBank Group entities (led by CaixaBank). The AEPD does not deny the existence | |||
of co-responsibility, although it claims that it does not apply (especially in relation to | |||
“commercial” treatments) insofar as the attribution of responsibility is not detailed | |||
between the different companies. However, the AEPD errs again by forgetting that the place | |||
where these responsibilities should be attributed that the foreign agency is not the Policy of | |||
Privacy or the Framework Contract, but the joint responsibility contract in the terms | |||
provided for in the CEPD Guidelines 7/2020 (attached a copy of an agreement of | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 40 | |||
40/177 | |||
co-responsibility, which includes an annex for each of the “treatments subject to | |||
co-responsibility and co-responsible ”; these annexes detail the treatments, their | |||
purpose and legitimizing basis, in addition to the data of the "co-responsible" companies. | |||
No annex appears signed by these entities). | |||
In conclusion, neither data transfers occur under the terms provided in the RGPD, nor the | |||
co-responsibility requires a separate consent (within the framework of the “purposes | |||
commercial ”) insofar as it is a factual situation (it is not something agreeable nor does it require a | |||
legal under article 6 RGPD to attend). In addition, the impact evaluation that | |||
the AEPD alleges in Foundation VI that CaixaBank did not contribute (…). | |||
i) There is no deficient information on legitimate interest. | |||
Compared to what is maintained by the AEPD, there is no confusion between treatments based on | |||
legitimate interest and consent, nor are they coincident. Can't give the situation where | |||
a treatment on which it has been said "no" under the legal basis of the | |||
consent, can be made based on legitimate interest, a circumstance that the AEPD does not | |||
has tried. | |||
In any case, the New Privacy Policy has proceeded to eliminate the treatment | |||
based on legitimate interest for commercial purposes that, as indicated in the answer to the | |||
Opening Agreement is a treatment that is not carried out, nor has it ever been carried out. | |||
On the other hand, the New Privacy Policy reconfigures the differences already analyzed in | |||
the Claims to the Initiation Agreement between the treatments based on legitimate interest and | |||
The consent. | |||
In section VI of the Proposed Resolution, the AEPD concludes that “it is not possible | |||
determine the suitability (…), necessity (…) and proportionality… ”of the treatments | |||
based on legitimate interest and that the intrusion on the privacy of the interested party may be high, | |||
the effects may have a negative impact on them. However, it does not provide | |||
any proof that the legitimate interest is not present, invalid or insufficient. | |||
Regarding additional measures or recommendations to reinforce the legitimate interest, it states | |||
CAIXABANK that its absence does not invalidate the legitimate interest. Neither the RGPD nor the LOPDGDD | |||
provide for the making available to the interested party of the impact assessments or the | |||
weighting of legitimate interest, or reinforced opposition mechanisms. | |||
j) There is no lack of information on profiling. | |||
The AEPD argues that complete information is not offered on the types of profiles, their use | |||
and the right of opposition of the interested party. | |||
However, in the "Framework Contract" the first of the purposes for which the | |||
Consent is described as “data analysis and study treatments for the purpose of | |||
commercial by CaixaBank and the Companies of the CaixaBank Group ” , and in the detail of this title, | |||
the concept is extended to the expression “analysis, study and monitoring for the offer and design | |||
of product adjusted to their customer profile ”. Next, in the clause that supports the | |||
collection of consent, processing operations that include | |||
this purpose, where information is provided on the creation of profiles: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 41 | |||
41/177 | |||
"A) Proactively carry out risk analysis and apply on their technical data | |||
statistics and customer segmentation with a triple purpose: | |||
1) Study products or services that can be adjusted to your profile and business situation or | |||
specific credit, all to make commercial offers tailored to your needs | |||
and preferences. | |||
This information clearly spells out the purpose and, as demonstrated by the | |||
surveys provided, it is clearly understood by customers. | |||
It adds that in this same clause the error was made (corrected in the New | |||
Privacy), to list treatment operations that did not have to do with consent | |||
for profiling. And he lists those specific treatments that, in his opinion, can be covered by | |||
other legal basis (the list of the treatments to which this allegation refers consists of | |||
outlined in Law Foundation VII, in the section that examines the treatment of | |||
data based on the consent of the interested parties). | |||
He considers this error, which has been recognized and corrected, to be reprehensible, but does not break | |||
the principle of specificity of consent. Consent is only required to study | |||
products or services that can be adjusted to the profile and commercial or credit situation | |||
specific customers, to make commercial offers tailored to their needs and | |||
preferences and the rest of the clause, unfortunately superfluous, but it has no | |||
Consequently, different purposes are authorized en bloc. | |||
Finally, CAIXABANK has clarified and specified in the New Privacy Policy the | |||
treatments that involve profiling to prevent the concept from being misinterpreted by a | |||
"Common customer". | |||
k) There is no lack of information on the conservation periods and the exercise of | |||
rights. | |||
CAIXABANK refers to what is indicated in its allegations to the initiation agreement and adds that | |||
These aspects have been clarified and improved in the New Privacy Policy and in | |||
New Framework Contract. Regarding the conservation of personal data once the | |||
contractual relationship, he warns that it was not actually executed and that in the new policy the | |||
mention disappears, canceling the official data. | |||
- 5. There is a legal basis for the treatments and the consents are obtained from | |||
lawful manner. | |||
a) Consents meet all legally established requirements | |||
As detailed in the allegations to the initiation agreement, the consents comply | |||
all the requirements established by the RGPD as interpreted by the CEPD, without | |||
that the Agency has proven that they have not been obtained legally. On the contrary, | |||
content of the file itself shows that the consents obtained are free, | |||
specific, unequivocal and sufficiently informed. | |||
. Consents are free, since the client, at all times, has absolute freedom | |||
to grant them or not, without associated negative consequences, power imbalances, | |||
conditionalities or dissociation of the ends. There is no combination of different | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 42 | |||
42/177 | |||
purposes under the same consent that limits the freedom of choice of the owner. Thus | |||
three consents are requested and no commercial treatment is carried out based on the | |||
additional consent to these. | |||
. The consents are specific, since, in line with the disassociation requirement, | |||
separate and break down the only activities that are carried out under the consent, that is | |||
In other words, they are specifically and separately asked for the purposes that are intended (the | |||
data profiling to offer customers products that may be of interest to them; the | |||
choice of the communication channel of the offers; and the possibility of transferring the data to | |||
third parties). | |||
The AEPD interprets that there is a dissociation between the stated purposes and those | |||
on which the interested party pronounces. Given this, CAIXABANK reiterates that a large part of the | |||
treatments indicated in the revision documentation version are either not carried out, or | |||
are protected by another legal basis, or are simpler and more limited than the AEPD | |||
understands. As can be seen in the New Privacy Policy, the consent to | |||
profiling activities has been reduced to what is actually done under this | |||
consent, and the rest of the activities that are carried out have been informed in | |||
their respective and correct epigraphs (treatments in execution of a contractual relationship, | |||
or by legal obligation). | |||
In addition, it must be remembered that the Working Group of art. 29 in its document “Guidelines for | |||
consent under Regulation 2016/679 ”establishes that consent can | |||
cover different operations as long as these operations have the same purpose. At | |||
In the case of CaixaBank, there are only three purposes, and it is asked separately and specifically about | |||
them, without any deviation of use. Have made the mistake of including | |||
within the examples some treatment operations that should have been included | |||
in other treatments based on the execution of contracts or compliance with laws, | |||
such as, for example, the recovery actions inherent to credit contracts, not | |||
It undermines the specificity of the consent requested. | |||
. The consents are unequivocal, since the interested party must perform an affirmative act | |||
so that your consent is understood as granted. Consent is not based on | |||
acceptance of a policy or in a mere inaction, but a client is obtained | |||
manifestation, unequivocal positive or negative, corroborated in two steps (choice by marking | |||
the box and signature). | |||
. The consents are informed, and the reproaches regarding the | |||
validity of the information provided by the arguments and evidence provided in the | |||
fourth claim. The client receives all the legally required information and it has been proven | |||
empirically he understands it. | |||
The AEPD indicates that on the “Tablet Mode. Client ”there is no link to the information of | |||
Data Protection. In this sense, it only has to be clarified, again and as it was verified | |||
in person at the inspection, that after giving consents (or not), the client accesses the | |||
complete content of the contract text immediately. Before signing you are presented with the | |||
full text of the contract so that you can read and review it, so that you can not ratify | |||
your choice and "go back" technically. He is also presented at various times the | |||
consent scheme. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 43 | |||
43/177 | |||
Finally, it points out that the AEPD omits the analysis of the consent collection process | |||
in the non-face-to-face channel (online banking) that he reviewed in his face-to-face inspection dated | |||
November 28, 2019, in which it was demonstrated that the client must necessarily access | |||
to the information before giving consent, as already reiterated in the allegations to the | |||
opening of the procedure. | |||
b) It reiterates that there is no commercial treatment based on legitimate interest, having | |||
reduced these treatments in the new policy to internal management operations, very | |||
low impact on data subjects. | |||
c) It reiterates that there is no illicit transfer of data to group companies, but rather processing in | |||
co-responsibility. | |||
d) The social media contract was absolutely residual, and the aggregation contract was perfectly | |||
lawful. | |||
The Social Media Contract was a "pilot" project that was deployed with respect to a | |||
very small number of clients, who were unsuccessful and canceled, although the AEPD continues | |||
failing this question without taking into account those circumstances for the purposes of the sanction | |||
imposed. | |||
Regarding the Aggregation Contract, the AEPD forgets that its signature is complementary to the | |||
"Framework Contract", so that the consents for the "commercial purposes" in the | |||
framework of co-responsibility have been (where appropriate) duly obtained with the nuances | |||
specific to this type of contract (see the allegations to the initiation agreement). It is not true | |||
that this service is used for the collection of information, as indicated by the AEPD, inasmuch as | |||
This service is provided for in the payment regulations and serves not to dispose of the entity | |||
regarding new actors. In any case, there is a new version of this latest contract | |||
(provides a copy) that clarifies possible doubts that clients and the AEPD may have, which, | |||
Furthermore, like the rest of the contracts, it is being revised to adapt it to the new design that | |||
we detail them in the Sixth Allegation. | |||
- 6. On the measures proposed in Law Foundation X, of the proposal for | |||
resolution and remediation already operated by CAIXABANK. Inadmissibility of measures | |||
of cessation. | |||
The mentions to the cessation of treatments that are made in the proposed resolution are | |||
totally disproportionate for the present case, in which the only action taken | |||
reproach is the writing of the informative texts, through which it informs its | |||
clients of their treatments. The fair, proportionate and adequate measure would be to urge | |||
remedy those information deficits. | |||
It should be taken into account that the AEPD has taken three years to substantiate the present | |||
procedures and, during this process, has not considered the facts sufficiently | |||
serious enough to contact the company to urge a remediation of the treatments | |||
or of the information, to which it should be added that the documentation was sent one year and | |||
half before. | |||
Likewise, it must be taken into account that the interruption of treatments or collection of new | |||
Consents would imply an irreparable impact, both on the Entity and on the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 44 | |||
44/177 | |||
clients, much more pronounced even in the current global health situation, which forces | |||
restrict movements, visits that clients come to make arrangements at the offices. | |||
Privacy Information Enhancements | |||
By contrast, the publication of a new privacy policy, the communication of it to | |||
all clients and the renewal of all consent collection processes, which | |||
are already being implemented, as well as personalized communication of all changes to | |||
all the clients of the entity, reminding them of the consents | |||
granted in their day, explaining them according to the new drafting standards | |||
adopted and reminding customers of the possibility of revoking them, are sufficiently | |||
repair companies to estimate that CAIXABANK would have remedied any deficit estimated by the | |||
AEPD. | |||
These measures, which were intended to be implemented coinciding with the second anniversary of the | |||
RGPD, and that they have been delayed due to the impact of this procedure and the situation | |||
current health system, is based on the following components (attached a copy of the documents and | |||
Screenshots cited): | |||
- New structure of the documents through which customers are informed | |||
- Privacy Policy (version 12/2020) | |||
- Framework Agreement (version 12/20220) | |||
- New screens of the consent collection processes on tablet and banking to | |||
distance. | |||
- Massive communication to clients informing of the changes | |||
a) New structure of the documents through which customers are informed | |||
The "Framework Agreement", which contains the general regulation of the client's relations with the | |||
entity, and that it seemed the best option to also report on data processing, | |||
It will be replaced by a new Privacy Policy, as a document dedicated to informing the | |||
clients on this matter, given the dimension of the information that in the interpretation | |||
current estimate that it should be provided. To facilitate permanent customer access to the | |||
itself, will be permanently hosted on the company's website | |||
(www.caixabank.com/politicaprivacidad) | |||
The “Framework Contract”, which will continue to be the first contract signed by a client when interacting | |||
with the Entity, it will be used to collect customer consents, but only | |||
will collect detailed information referring to the consents and basic mentions that | |||
establishes art. 11 of the LOPDGDD, referring the client for more information to the second | |||
layer, the Privacy Policy. Product contracts, and other forms, will contain | |||
also only the basic mentions established by art. 11 of the LOPDGDD. | |||
A total uniformity in the information is intended, as well as a much deeper detail | |||
Of the same. | |||
b) Privacy Policy (version 12/2020) | |||
The Privacy Policy is already in force and published on the web, where you can consult and | |||
download in pdf format. In his brief of allegations, he outlines the structure of this | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 45 | |||
45/177 | |||
document, which consists of 11 sections. | |||
c) Co-responsibility agreement | |||
Together with the Policy, a co-responsibility agreement has been drawn up in the treatment of | |||
data between Group companies. This agreement defines the purposes and means of the | |||
treatments, as well as the basic rules to be observed by all the companies that make up | |||
these treatments in co-responsibility. Information about it also appears in the | |||
policy and more detail in the web address outlined in it | |||
www.caixabank.es/empresasgrupo. | |||
d) New Framework Agreement (version 12/20220) | |||
The new Framework Contract is closed, in the process of layout and put into production in | |||
the entity's information systems. The final implementation date is set for | |||
Systems Update (IOP) January 2021. | |||
The new Framework Agreement has been completely redesigned and has been drafted in new | |||
format under the recommendations of a linguistics company, to provide it with a | |||
clear and transparent wording for users. The text has been accompanied by examples and | |||
warning calls that are intended to reinforce the information offered to customers | |||
All the information has been unified in a single clause, which offers basic information on | |||
data protection (responsible for the data, and the possibility of processing | |||
in co-responsibility, of the Data Protection Delegate, of the possibility of exercising the | |||
rights recognized in the RGPD and to file claims with the AEPD, of the | |||
categories of data that are processed and data processing), redirecting to | |||
detailed information to the Privacy Policy published on the Web, as established in art. | |||
11 of the LOPDGG. The same terminology is used in both documents. | |||
Although it is a document understood as a first layer, it continues to be the support | |||
to obtain the consents. To ensure that this consent is | |||
informed, renewed and detailed information is given about them, maintaining the same | |||
wording that the Privacy Policy. | |||
In his brief of allegations, he outlines the new structure of this document, which dedicates the | |||
section 4 to the processing of personal data. | |||
e) New screens of the consent collection processes on tablet for offices | |||
and remote banking (web and mobile). | |||
This update, which will be in production in January 2021, improves the information and | |||
usability, providing examples and ensuring that the authorization process is maintained | |||
always in the possession of the client (shared tablet screens). The obligation to | |||
access information and the provision of consent through a clear exercise | |||
affirmative, separately for each of the purposes. | |||
New consents have been incorporated, although this is not a remediation. | |||
New treatments that require | |||
consent. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 46 | |||
46/177 | |||
f) Mass communication to clients informing of the changes | |||
To publicize all the above modifications, a statement has been prepared that | |||
will be sent to the entire customer base informing about the new Privacy Policy, and | |||
reminding them of the consents granted (including the new wording), the treatment | |||
of your data in co-responsibility by the companies of the CaixaBank Group, the right to | |||
oppose the treatments and other rights provided in the RGPD. | |||
With this communication any information deficit that could be understood is remedied | |||
Regarding all the data processing carried out by CAIXABANK and any | |||
understanding deficit that may have occurred. | |||
He insists that these improvements are the result of 4 years of experience, his own and that of others, but not | |||
they mean that the information currently provided violates any rule. | |||
- 7. On the necessary proportionality of sanctions and their graduation. | |||
Disproportionate sanction imposed. | |||
a) In a subsidiary manner, it considers that the following mitigating factors apply: | |||
. Any measure taken by the person in charge or in charge of the treatment to alleviate the | |||
damages suffered by the interested parties (art. 83.2.c) RGPD): In addition to what is indicated in | |||
the Claims to the Initiation Agreement [see section 6.1.a)], which continues to be | |||
fully applicable and that the AEPD simply disregards indicating that they lack the | |||
"Sufficient relevance"; CAIXABANK has proceeded to further clarify the information provided | |||
to their clients and the procedure by which they request consent, to such an extent | |||
that the imposition of the corrective measures proposed by | |||
the AEPD (Fundamental of Law X and proposal of resolution Fourth of the Proposal of | |||
Resolution). The potential infringement related to the alleged information deficit has been entirely | |||
regularized (if any such regularization was necessary) and any adverse effects | |||
suppressed. | |||
. The degree of cooperation with the supervisory authority in order to remedy the | |||
infringement and mitigate the possible adverse effects of the infringement (art. 83.2.f) RGPD): as already | |||
was indicated in the Arguments to the Initiation Agreement [see section 6.1.b)], and | |||
highlighted in the actions carried out by CaixaBank throughout the procedure (within and | |||
outside its framework), CaixaBank has only cooperated and walked hand in hand with | |||
the AEPD to achieve greater clarity and protection of the interested parties. Actually yes | |||
Some lack of collaboration has been reciprocal, given the absolute reluctance of the | |||
AEPD to meet with this entity. | |||
b) Unprecedented disproportion of the sanction imposed | |||
The AEPD recognizes that it is not a case of absence of information and qualifies the | |||
offense as minor (therefore, its assessment should be limited to the behavior | |||
of CAIXABANK in the year prior to the Initiation Agreement for obvious reasons of prescription). | |||
Likewise, there are no data transfers outside the framework of the joint responsibility of | |||
factual and currently formal existing in the CaixaBank Group (without the free will of | |||
subjects has been diminished in any case). However, it imposes on CAIXABANK a | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 47 | |||
47/177 | |||
unprecedented penalty 8 times higher than the highest fine imposed under the GDPR (if not | |||
we take into account “the other” exemplary sanction of the financial sector, recently known). | |||
And 3 times higher than the maximum foreseen under the previous regime for the most infringements | |||
serious, ignoring and simply denying the application of the mitigations that CAIXABANK | |||
detailed in the Allegations to the Initiation Agreement and which are hereby reiterated. Specific, | |||
the application of those provided for in articles 83.2.a), b) and k) RGPD, as well as the | |||
listed in sections c), d) and e) and f) of the Sixth Claim of the Claims to the | |||
Initiation Agreement. | |||
c) Possibility of warning | |||
Finally, with regard to the warning, the AEPD seems to want to imply that the | |||
warning is addressed only to natural persons, when it itself (see by way of | |||
example the PS / 00072/2019; or PS / 00096/2019) has resorted to this proportional measure in the | |||
passed with legal persons. | |||
d) Conclusion | |||
In conclusion, taking into account the new information that CAIXABANK customers go | |||
to receive and the proactive and exemplary attitude of CAIXABANK, this entity understands that the | |||
The measures set out in Legal Basis X of the proposed resolution remain | |||
without effect, even before the final resolution, as all behaviors are remedied, or | |||
in the process of remediation due to technological imperatives, and that the proportionate measure that the | |||
AEPD, where appropriate and in a subsidiary way, should apply is the warning. further | |||
and taking into account the patent application of mitigating criteria, this part understands that | |||
It would proceed to calculate the amount of the penalty that, if applicable, was imposed, applying, within | |||
of the scale provided for in the fourth and fifth paragraphs of article 83 RGPD, its minimum degree. | |||
Finally, considering that strategic and sensitive data is provided for the | |||
entity, requests that the information provided be kept confidential and not | |||
communicated to any third party. | |||
Of the actions carried out in this procedure and of the documentation | |||
Obrante in the file, the following have been accredited: | |||
PROVEN FACTS | |||
FIRST: On 01/24/2018, a claim made at this Agency | |||
by the claimant against CAIXABANK, in relation to the new conditions regarding | |||
protection of personal data whose acceptance requires that entity, questioning the | |||
transfer of your personal data to all the companies of the CaixaBank Group and the | |||
procedure provided to cancel said assignment, which, according to the claimant, requires directing | |||
a letter to each of the companies. He requested that CAIXABANK be urged to modify the | |||
the conditions mentioned. | |||
The claimant provided a copy of the aforementioned conditions, which appears with the labels | |||
"Authorizations for data processing" and "Exercise of the right of access, cancellation | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 48 | |||
48/177 | |||
and opposition. Claims before the Data Protection Authority ” . | |||
In relation to this claim, CAIXABANK informed this Agency that the clauses | |||
informative to which the complaint refers were implemented on the occasion of the changes | |||
contractual provisions arranged for adaptation to Regulation (EU) 2016/679. | |||
SECOND: On 03/29/2019, a claim made at this Agency | |||
by the entity Association of Consumers and Users in Action - FACUA, against | |||
CAIXABANK, in relation to the "Framework Contract" signed by the clients of this entity, | |||
through which your personal data is collected, the information is offered to them in | |||
this matter and consents are collected for the data processing specified. | |||
FACUA denounces that the content of this contract cannot be negotiated by the interested party, at | |||
that consent to the processing of your personal data and the transfer of the | |||
same to third companies with which it may not have a relationship (authorizations | |||
provided for in clause 8 and assignments mentioned in clause 10 of said contract). | |||
FACUA provided a copy of a "Framework Agreement" dated 10/24/2017. | |||
THIRD: The CAIXABANK entity has declared to this Agency that it began its adaptation to | |||
RGPD in 2016 and that this adaptation was carried out mainly through the | |||
implementation in June 2016 of the personal data collection form called | |||
"Framework Contract", used by CAIXABANK as a priority to comply with the | |||
transparency requirements regarding the protection of personal data and so that the | |||
clients can give their consent to the processing of their personal data at the | |||
of "Group" , with the purposes indicated in the aforementioned document. | |||
The "Framework Contract" is presented as mandatory subscription for new clients, | |||
establishing that the signature of the document implies that it “knows, understands and accepts its | |||
content ” . It is expressly provided that the terms and conditions apply | |||
general to all "commercial relationships" of the interested party "with CaixaBank and the companies | |||
of the CaixaBank Group, and therefore, the subscription and validity of this Agreement, respecting | |||
the corresponding rights of choice that the Signatory grants the clause, is | |||
necessary for the contracting and maintenance of product or service contracts ” . | |||
CAIXABANK has stated that in the case of existing clients a notice was included in | |||
the client file indicating to the manager that the “Framework Contract” had not been formalized. | |||
In its response to the Inspection Services dated 11/20/2019, CAIXABANK stated | |||
that the "Framework Contract" informs about all the treatments derived from the relationship | |||
contractual. | |||
CAIXABANK has contributed six versions of the "Framework Contract" to the proceedings, dated on | |||
06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019. | |||
The first three versions refer to the LOPD and do not refer to specific issues | |||
regulated in the RGPD, such as the legal basis of the treatment (legal obligation, interest | |||
legitimate or consent); rights of deletion, limitation and portability; right to | |||
file a claim with the Spanish Agency for Data Protection; existence of a | |||
data protection officer and means enabled to contact him. The version | |||
3rd constituted the information offered by CAIXABANK on 05/25/2018. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 49 | |||
49/177 | |||
In its response to the Inspection Services dated 11/20/2019, CAIXABANK provided a copy | |||
of the "Framework Contract corresponding to a client", which appears signed on 11/06/2019. | |||
It is verified that its content does not coincide in its entirety with any of the six versions | |||
of the "Framework Contract" provided by the entity itself (version 7). | |||
In section 1 of the "Framework Contract" the identification data of the client and its | |||
declaration of economic activity. Among other data, there are those related to name, | |||
surname, tax identifier, date of birth, nationality, address, marital status, | |||
matrimonial regime, contact information, fixed and variable income, entity in which it provides | |||
service or gross annual income. | |||
The information that is provided to the interested party in this document in relation to the protection | |||
personal data is structured according to the legal basis that legitimizes the treatment of the | |||
data, dedicating section 7 to the treatments “based on the execution of contracts, | |||
legal obligations and legitimate interest and privacy policy ” (includes a subsection | |||
regarding the "processing of biometric data in the electronic signature of documents" ), and the | |||
section 8 to the “treatment and transfer of data for commercial purposes by CaixaBank and the | |||
CaixaBank group companies based on consent ” . Paragraphs 9 are added | |||
"Exercise of rights regarding data protection" and 10 "Delegate for the Protection of | |||
Data " , as well as a subsection dedicated to " Data retention period " , inserted | |||
in section 11 referring to the duration, resolution and modification of the contract. | |||
During the contracting process, the client must express the consents for the | |||
processing of personal data that are requested from the interested party in clause 8, | |||
incorporating the options selected by the client in the header of the document, at the | |||
section of personal and socioeconomic data. The consents requested from the client | |||
are grouped into the following three purposes: | |||
“(I) data analysis and study treatments for commercial purposes by CaixaBank and companies | |||
of the CaixaBank group | |||
(ii) the treatments for the commercial offer of products and services by CaixaBank and the companies of the | |||
CaixaBank group | |||
(iii) the transfer of data to third parties ” . | |||
In relation to these three consents, Clause 8 indicates: “In order to make | |||
your availability a global offer of products and services, your authorization to (i) the treatments | |||
analysis and study of data, and (ii) for the commercial offer of products and services, in case | |||
If granted, it will include CaixaBank, and the companies of the CaixaBank group detailed | |||
at www.CaixaBank.es/empresasgrupo (the “CaixaBank Group companies”) who may | |||
share and use them for the stated purposes ” . | |||
The copy of the "Framework Contract" provided by CAIXABANK with its response to the Services of | |||
Inspection dated 11/20/2019 (version 7), which appears dated 11/06/2019, contemplates the | |||
provision by the client of a fourth consent referred to data processing | |||
biometrics. In the heading of the document provided, under the heading of "Authorizations | |||
for data processing ”it is indicated: “ Other purposes: Use of biometric data with | |||
purpose of identity verification and signature. You have expressed your acceptance and | |||
consent ” . | |||
The entire content of the "Contract | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 50 | |||
50/177 | |||
Marco ”, in its versions dated 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019, as well | |||
as the content of the "Framework Agreement" dated 11/06/2019 (version 7). The content of the | |||
version 4, dated by CAIXABANK on 11/12/2018, as well as the modifications made | |||
later it is included as Annex I. | |||
FOURTH: The formalization of the form for collecting personal data and providing the | |||
consent to the processing of personal data called "Framework Agreement" | |||
takes place during the client registration process, which can be done in person at | |||
offices or through digital channels. | |||
a) The office registration process is carried out through an interview between the client and the manager. | |||
During this process, the manager must fill in the sequence of screens provided in the | |||
system incorporating the information (personal data) provided by the client. After | |||
fill in several screens (around fifteen), the screen labeled "Modification | |||
of data protection of… ” , whose structure is the following: | |||
"High consents | |||
CaixaBank data protection (RGPD) | |||
The client authorizes CaixaBank to: | |||
1. Use your data to: | |||
. Carry out studies and monitoring of operations | |||
. Manage alerts for the products you have contracted | |||
. Study products and services tailored to your CaixaBank Group profile | |||
( ) If not | |||
2. Participate in promotional campaigns and commercial offers of the CaixaBank Group through the | |||
channels | |||
() Yes | |||
() Telemarketing | |||
() Electronic means such as SMS, email and others | |||
() Postcard advertising | |||
() Commercial contacts of the entity's managers | |||
( ) No | |||
3. Transfer customer data to third parties | |||
( ) If not | |||
(OK) (Cancel) ”. | |||
For the provision of these consents, during this interview the client responds | |||
verbally to the three questions that the manager asks about the indicated purposes, one | |||
of them broken down into four options, and it incorporates the responses into the system. One time | |||
After the interview, the completed "Framework Contract" is printed on paper and signed | |||
for the client. | |||
In its response to the Inspection Services of 07/17/2018, CAIXABANK states that, | |||
later, it equipped the entire network of offices with digitizing tablets, making it possible for the | |||
"Framework Contract" is signed, not on paper, but on the tablet itself. | |||
CAIXABANK, with its response to the AEPD, dated 05/03/2019, provided documentation | |||
referring to the training given to its employees in which it is indicated: | |||
(…) | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 51 | |||
51/177 | |||
The operation followed in this process was modified again, establishing a system of | |||
"Shared screen" to enable the customer to mark the options selected by himself | |||
same on a tablet that the manager puts at your disposal. | |||
CAIXABANK with its letter of 11/20/2019, sent in response to the requirements of | |||
information from the Inspection Services of the AEPD provided screen printing | |||
corresponding to the process of registering a client. After advancing about fifteen screens, | |||
A screen is displayed with a message for the manager with the indication “According to the | |||
General Data Protection Regulation, the client must authorize the use of their data. TO | |||
You must then hand over the tablet to the client to fill in the consents ” . | |||
Once the manager presses the "Accept" button on that screen, two screens are displayed | |||
corresponding to the collection of consents for the processing of data | |||
personal, with the label "Authorization / Revocation of consents" and the indication "Mode | |||
Tablet. Customer ” . The detail is as follows: | |||
"Protection of personal data Caixabank group | |||
I authorize the Caixabank group to: | |||
1. Use my data for study and profiling purposes: | |||
If I authorize it, the offers that are sent to me will be adapted to my profile | |||
() Yes, I accept that the offers are based on my profile | |||
( ) No | |||
2. Receive advertising and commercial offers | |||
If I do not authorize it, not even my manager will be able to contact me to inform me of products of interest to me. | |||
() Yes, I agree to receive offers by the following means: | |||
() Telemarketing | |||
() Electronic means such as SMS, email and others | |||
( ) Post mail | |||
() Commercial contacts through any channel of my manager | |||
( ) No | |||
3. Transfer my data to third parties with whom the Caixabank group has agreements: | |||
If I authorize it, at the time my data is transferred, I will be informed of which third party the | |||
recipient of the data and, if I do not agree, I may revoke this authorization | |||
() Yes, I agree to transfer the data to third parties | |||
( ) No | |||
4. Use of my biometric data (facial image, fingerprint, etc.) in order to verify my | |||
identity and signature: This authorization will be complemented in each case with the registration of the data | |||
biometric to use at all times. In order to verify the identity / signature of your clients, | |||
Caixabank uses biometric recognition methods such as facial recognition systems, | |||
fingerprint reading and the like. Currently, some of our ATMs already allow you to | |||
operations using these methods. | |||
() Yes, I accept the use of my biometric data | |||
( ) No | |||
The preferences that you have indicated here will be included on the first page of your framework contract ” . | |||
Once the options have been selected, the buttons at the bottom of the screen | |||
"Accept" and "Cancel". When pressing the first one, the message “Your consents have been | |||
indicated. Thank you for your cooperation. Please return the Tablet to your manager ” . (…) | |||
The “ Tablet Mode. Client " do not contain any link to information on the subject | |||
protection of personal data contained in the "Framework Agreement". | |||
In relation to this process, no screen was provided regarding the consolidation of the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 52 | |||
52/177 | |||
document and its signature by the client. | |||
b) The client registration process through the CAIXABANK web portal and mobile application (the | |||
application redirects the data subject to the web application), includes a step that shows a | |||
screen through which consent is collected for the processing of data with | |||
commercial purposes. The screen shows the following options: | |||
<< Manage your data (i) | |||
Do you want to find out about our news in a personalized way? | |||
Processing of your data to receive a personalized service from the Caixabank Group | |||
Treatment of your data for the purposes of analysis, study and monitoring of the offer and design of | |||
products and services adapted to the customer profile by Caixabank and companies of the Caixabank Group. | |||
More information | |||
No | |||
Yes | |||
Processing of your data to receive offers of Caixabank products and services | |||
Processing of your data for the commercial offer of Caixabank products and services and companies | |||
of the Caixabank Group | |||
More information | |||
No | |||
Yes | |||
Transfer of your data to third parties with whom Caixabank and Caixabank Group companies have | |||
agreements | |||
Processing of your data by third parties with whom Caixabank and Caixabank Group companies have | |||
agreements, to receive offers of products and services from such third parties. | |||
More information | |||
No | |||
Yes | |||
(Continue) >> | |||
During this process of providing consent, access is made possible by the | |||
client to clause 8 of the "Framework Contract". At the end of the process the "Contract | |||
Marco ”with the summary of the consents granted and the clauses, for signature by the | |||
customer ( "View and download framework contract" ). A box is included to check “I have read and | |||
I accept the contract ” and the “ Previous ” and “ Continue ” buttons . | |||
In the inspection carried out at CAIXABANK on 11/28/2019, the download was verified | |||
complete of the "Framework Agreement" and that, once the acceptance box of the | |||
contract, the signature is carried out using a numerical code sent to the mobile phone | |||
provided by the customer. | |||
FIFTH: As reported by CAIXABANK to the Inspection Services in its response to | |||
07/17/2018, this entity also collects the consent of its clients for the treatment | |||
of data for "commercial purposes" and transfer of data to third parties, through the document | |||
labeled as "Authorization for the processing of personal data for purposes | |||
commercial by CaixaBank, SA and companies of the CaixaBank group ” , that CAIXABANK | |||
called “Consent Agreement” and it is also used to modify them in | |||
moments after the discharge process. | |||
a) The process of formalizing this document in the office is similar to that of the "Framework Contract" | |||
and has followed the same evolution over time (printing and signature of the document, digital signature and | |||
"Tablet mode"), but signing a document that only includes the points indicated. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 53 | |||
53/177 | |||
Through this document, the provision of consent has been provided separately. | |||
for the same purposes mentioned in the "Framework Contract". The system displays the | |||
Screen enabled for the manager to register the revocation under the heading "Modification of | |||
data protection ” , whose structure is similar to that shown for the provision of the | |||
consent during the client registration process, including the incorporation of the room | |||
consent that is requested from the client in relation to the processing of data | |||
biometric, verified in the inspection carried out on 11/28/2019. | |||
Three versions of this "Consent Agreement" are incorporated into the proceedings | |||
(the one provided by the claimant on 01/24/2018, outlined in Fact One -Version | |||
1; the one provided by CAIXABANK on 07/10/2018, outlined in the Second Fact and | |||
transcribed in Annex II -Version 2; and the one attached to the Inspection Certificate dated 11/28/2019, | |||
outlined in Fact Four, Version 3 (the differences are also included in Annex II | |||
of this Version 3 compared to Version 2). | |||
In version 3 of the document, the one provided during the inspection of 11/28/2019, in the | |||
denomination of the document the term "revocation" is added and | |||
"Authorization / revocation for the processing of personal data for purposes | |||
commercial by CaixaBank, SS and companies of the CaixaBank group ”. | |||
The information offered in the "Consent Agreement" regarding the protection of | |||
personal data coincides, almost literally, with clause 8 of the “Framework Agreement”. | |||
b) The process to revoke consents through the client's private space in the | |||
CAIXABANK website shows a screen with the following structure: | |||
<< Authorizations for commercial purposes | |||
Modification | |||
You can then modify the treatment that Caixabank performs on your information | |||
I accept the treatment of my data to monitor and study alerts for my products | |||
contracted, studies and services adjusted to my profile. See detail Clause 8 | |||
I accept I do not accept | |||
I accept that Caixabank contact me to find out those offers of products and services, as well | |||
as promotions and offers that may be of interest to me. See detail Clause 8 | |||
I accept I do not accept | |||
Indicate if Caixabank can contact you in any of the following ways | |||
() Through my manager (office) | |||
() Through postal communications | |||
() By email, SMS and other electronic channels | |||
() By telemarketing | |||
I accept that my data is shared with companies with which Caixabank has signed agreements with | |||
the purpose of being able to receive offers of products and services from these companies. See detail Clause 8 | |||
I accept I do not accept >> | |||
During this process, access by the client to the information contained is possible | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 54 | |||
54/177 | |||
in clause 8 of the “Framework Contract”. Once the options are selected, the client is shown | |||
a summary with the consents granted ( “Operation not yet completed, Check | |||
the data and confirm the operation ” ) and the contract that includes a | |||
summary of these consents ( "Read the contract carefully. Confirm the operation" ). | |||
c) In the environment of the CaixaBank Now mobile application, the customer can access | |||
"Configuration - Exercise of rights" and is redirected to the Web portal. | |||
d) CAIXABANK informed the Inspection Services, in its response dated 07/17/2018, that the | |||
client can revoke consents by using forms available in the | |||
CAIXABANK corporate web portal (indicates that it allows you to revoke consent for | |||
any Group company) or on the web portal of each of the Group companies (at | |||
access the page corresponding to the entity in question, the client is directed to a | |||
screen common to all). It offers the possibility of marking three boxes with the detail | |||
following: | |||
“() I do not wish to receive a personalized service from the CaixaBank Group (data processing with | |||
purposes of analysis, study and monitoring for the offer and design of products and services | |||
adjusted to your profile by CaixaBank and CaixaBank group companies) | |||
() I do not wish to receive offers of personalized products and services from CaixaBank and companies of the | |||
CaixaBank group | |||
() I do not want my data to be communicated for commercial purposes of third parties with | |||
CaixaBank has agreements ” . | |||
d) Revocation of consent through the telephone service: the Call Centers | |||
have at their disposal a tool that allows you to deal with the revocation of the | |||
consents. The structure shown by the aforementioned tool for the revocation of the | |||
Consents is similar to that indicated for the process of registering clients in the office ( “Registration of | |||
consents ” ). | |||
CAIXABANK, in its response of 05/03/2019 to the transfer of the claim made by | |||
FACUA, informed this Agency that the revocation of the consents has effects for | |||
all the Group companies and that can be exercised before any of them, for | |||
any of the channels of each one. | |||
According to CAIXABANK, these requests for revocation or modification of consents | |||
are registered and are referred to a centralized rights service, which | |||
is in charge of giving them the corresponding procedure. | |||
The entire content of the "Contract | |||
Consent ”, in all its versions (the content of version 2 and the differences in | |||
version 3 with respect to version 2 are included as Annex II). | |||
SIXTH: Section 7 of the "Framework Agreement" contains a reference to the privacy policy | |||
of CAIXABANK, accessible through the entity's website ( “You can find | |||
complementary information to that provided in this contract, regarding the | |||
processing of your personal data at www.CaixaBank.com/privacidad ” ). | |||
The document "Privacy Policy", with thirteen sections, provides generic information on | |||
the identity of the person in charge (without referring to the existence of a “common repository” to | |||
CAIXABANK and the Group companies), data collected, information obtained from | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 55 | |||
55/177 | |||
browsing the web and mobile applications, purposes, legal basis that covers the | |||
data processing, security, data retention, assignments, transfers | |||
internations, data protection officer and rights of the interested party. It is interesting to highlight | |||
that this "Privacy Policy", when referring to uses based on consent, | |||
warns the interested party that they may use "all the data we have about you" ; and in the | |||
section "To whom is my data disclosed?" is informed about the exchange of information | |||
with companies of the CaixaBank Group. | |||
In its response to the Inspection Services dated 11/20/2019, CAIXABANK informed | |||
this Agency that said privacy policy is intended to complement the | |||
information provided to customers through the "Framework Agreement" between June 2016 and May | |||
from 2018; and give complete information to clients who in May 2018 had not signed | |||
the "Framework Agreement". Thus, since May 2018 it distinguishes two situations: | |||
. All pre-existing clients have signed a framework contract or have received the | |||
Privacy (in addition to having it at your disposal on the entity's website). | |||
. All new clients, in their first relationship with the entity, sign a "Contract | |||
Marco ”, which includes all the information of article 13 of the RGPD. | |||
It is declared reproduced in this act, for evidentiary purposes, the full content of the Policy | |||
Privacy accessible through the CAIXABANK website. | |||
SEVENTH: The "Framework Agreement", in section 8, details the personal data used with | |||
the purposes described in that same section. Among them are mentioned “the data | |||
obtained from social networks that the signatory authorizes to consult ” . Accessed from the area | |||
online banking staff and the network for which access is allowed is specified | |||
(Facebook, Twitter and LinkedIn). A box includes a text with the indication "Information | |||
on the processing of personal data and commercial communications ” ; and a button | |||
with the text "Accept and continue . " With this single action, the client gives his consent to | |||
the collection of the personal data mentioned in that information and the treatments | |||
that are detailed. | |||
This information is declared reproduced in this act for evidentiary purposes (it is stated | |||
fully in Annex III): | |||
EIGHTH: Section 8 of the "Framework Agreement" details the personal data used with the | |||
purposes described in that same section. Among the data used for these purposes | |||
mention is made of "data obtained from third parties as a result of requests for | |||
aggregation of data requested by the signer ” . Said request is formalized through the | |||
subscription by the client of the so-called Aggregation Service Agreement. | |||
This service allows you to add the information of the products that you have contracted with other | |||
entities (positions and movements of accounts and cards) and thus have a global vision | |||
of all positions, alerts on receipts, expirations, etc., but do not operate on the | |||
products of the aggregated entities. The client adds or removes entities at will, | |||
but only among those incorporated into the service. | |||
The process of requesting the aggregation service is followed through the website of | |||
CAIXABANK. After selecting the entity that you intend to add to the service and | |||
enter the data that the client uses to access the selected entity online (passwords | |||
access), the process requires the acceptance of the terms and conditions of the service. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 56 | |||
56/177 | |||
“On the one hand Caixabank, SA and on the other the people whose circumstances and representation | |||
specified below, agree to formalize the contractual relationships that | |||
are expressed under the following conditions: | |||
Contractor data | |||
Name and surname | |||
Document number". | |||
(link to a document in pdf format. with the indication "Version to print or save" ). | |||
(link to download the Acrobat Reader program, with the indication “If you don't have the | |||
program…, you can download Acrobat Reader ” ) | |||
( "Accept and continue" button ) | |||
Next, the process requires confirmation of the operation by entering | |||
of a key. On the other hand, it does not include any verification that leaves proof of the reading | |||
of the document "Terms and conditions of service" . | |||
It is declared reproduced in this act, for evidentiary purposes, the complete clauses of the | |||
Aggregation service contract (it is fully outlined in Annex IV). | |||
NINTH: In your response to the Inspection Services of this Agency, dated 05/16/2018, | |||
CAIXABANK stated that, on the occasion of the changes that the adaptation to the RGPD entailed, | |||
in 2016 it established that the consent of the clients for the treatment of their data | |||
personnel for “commercial purposes” would be collected at the “group” level, jointly | |||
for all companies in the "group". | |||
Version 2 of the document "Consent Agreement" refers to a "repository | |||
common ”of personal data in the indication “ For this, your data will be managed from a | |||
common repository of information on the CaixaBank Group companies. The data that is | |||
will be incorporated into this common repository will be ... ” (this reference to the“ common repository ”in the | |||
presentation of the aforementioned document disappears in its 3rd version). | |||
(…) And a “common repository of consents”, which stores the authorizations for | |||
commercial treatments granted by clients to Group companies, allowing | |||
that a client revokes the consent from any company of the Group, and conversely, | |||
with effects automatically for all of them. | |||
(…) | |||
FOUNDATIONS OF LAW | |||
I | |||
By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of | |||
Control, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, the | |||
Director of the Spanish Agency for Data Protection is competent to initiate and | |||
solve this procedure. | |||
Article 63.2 of the LOPDGDD determines that: “The procedures processed by the | |||
Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) | |||
2016/679, in this organic law, by the regulatory provisions issued in its | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 57 | |||
57/177 | |||
development and, as long as they do not contradict them, in the alternative, by the general rules | |||
on administrative procedures. " | |||
II | |||
Previously, it is deemed appropriate to analyze the exceptions alleged by | |||
CAIXABANK, on the basis of which it requests the declaration of nullity of the proceedings, as well | |||
such as the formal questions raised by said entity. | |||
- 1. Violation of article 24.2 of the Constitution, presumption of innocence. | |||
First, it invokes Articles 24.2, 103.1 and 2 of the EC, and Article 6 of the Convention | |||
European Commission on Human Rights (ECHR), and alleges a possible violation of the principle of | |||
presumption of innocence due to lack of objectivity and impartiality of the body that has the | |||
competence to resolve the procedure, deduced by CAIXABANK from some | |||
statements made by the Director of the AEPD in a public act, through which | |||
the imposition of "quantitatively significant" fines is announced . The statement to which | |||
CAIXABANK refers to is the following: | |||
“We already have two or three high-impact sanctioning procedures that are going to have a lot of | |||
media impact in relation to the financial sector, will be the first quantitative fines | |||
important by the Agency ”. | |||
Of this declaration, made during the period granted to the interested party to present | |||
allegations at the opening of the procedure, CAIXABANK deduces that the will of the body | |||
that has the competence to resolve was formed without even knowing those allegations | |||
and without having all the evidence in view. | |||
In the administrative sanctioning area, the impartiality of the adjudicatory body is | |||
linked to the right of the interested party to a process with all the guarantees. It is guaranteed with | |||
the reasons for abstention or objection and with due separation between the phases of | |||
instruction and resolution of the sanctioning procedure, separation between phases that in this | |||
case has not gone bankrupt and that it is scrupulously respected in all the procedures of this | |||
nature followed in the AEPD. | |||
For the sake of legal certainty, the reasons for abstention or disqualification have been | |||
regulated by an exhaustive list of circumstances that respond to objective reasons, | |||
thus avoiding that the interested parties can appreciate causes of abstention or challenge | |||
based on own or particular criteria. | |||
In our administrative system, the appearance of partiality is estimated by the | |||
concurrence, objectively justified, of the reasons regulated in articles 23 and 24 of the | |||
Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP): | |||
“Article 23. Abstention. | |||
1. The authorities and personnel at the service of the Administrations in which some of the | |||
Circumstances indicated in the following section will refrain from intervening in the procedure and | |||
They will communicate to their immediate superior, who will resolve the proceeding. | |||
2. The following are reasons for abstention: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 58 | |||
58/177 | |||
a) Have a personal interest in the matter in question or in another whose resolution could be influenced by | |||
that; be an administrator of a company or interested entity, or have pending litigation with | |||
any interested. | |||
b) Have a marital bond or assimilable de facto situation and blood relationship | |||
within the fourth degree or affinity within the second, with any of the interested parties, with the | |||
administrators of interested entities or companies and also with the advisors, representatives | |||
legal entities or agents involved in the procedure, as well as sharing a professional office or | |||
be associated with them for advice, representation or mandate. | |||
c) Having an intimate friendship or manifest enmity with any of the persons mentioned in the | |||
previous section. | |||
d) Having intervened as an expert or as a witness in the procedure in question. | |||
e) Have a service relationship with a natural or legal person directly interested in the matter, or | |||
have provided professional services of any kind in the last two years and in any | |||
circumstance or place. | |||
Article 24. Challenge. | |||
1. In the cases provided for in the preceding article, recusal may be promoted by those interested in | |||
any time during the processing of the procedure. | |||
2. The challenge will be raised in writing in which the cause or causes on which it is based will be stated ”. | |||
Ultimately, it is a matter of the person making the decision not having any | |||
personal interest in the matter and has not participated in the procedure as an expert or witness, | |||
so that it can resolve according to the general interest, without any type of influence beyond | |||
that interest that can lead you to decide in a certain way. | |||
On the other hand, in accordance with the doctrine of our Constitutional Court, | |||
that is claimed from public servants is not the personal and procedural impartiality that | |||
It requires judicial bodies, but rather that they act with objectivity and submission to the law. | |||
Thus, in STC 174/2005, of July 4, the following is declared: | |||
“In this regard, it should be remembered that although this Court has reiterated that, in principle, the requirements | |||
derived from the right to a process with all the guarantees apply to the administrative procedure | |||
However, there has also been a special emphasis on the fact that said application must | |||
performed with the required modulations to the extent necessary to preserve the values | |||
essentials found at the base of art. 24.2 CE and the legal certainty guaranteed by art. | |||
9.3 CE, as long as they are compatible with their own nature (by all, STC 197/2004, of 15 | |||
November, FJ 2). More specifically, and with regard specifically to the guarantee of | |||
impartiality, it has been pointed out that it is one of the cases in which it is necessary to modulate its | |||
projection in the administrative sanctioning procedure, since said guarantee “cannot | |||
be predicated of the sanctioning Administration in the same sense as with respect to the organs | |||
judicial "(STC 2/2003, of January 16, FJ 10), therefore," without prejudice to the interdiction of all | |||
arbitrariness and subsequent judicial review of the sanction, strict impartiality and independence | |||
of the organs of the judiciary is not, in essence, predicable to the same extent of an organ | |||
administrative law ”(STC 14/1999, of February 22, FJ 4), concluding that the independence and | |||
impartiality of the judge, as a requirement of the right to a trial with all guarantees, is a | |||
guarantee characteristic of the judicial process that does not extend simply to the administrative procedure | |||
sanctioning (STC 74/2004, of April 22, FJ 5) ”. | |||
And STC 14/1999, of February 22, states the following: | |||
“An erroneous understanding of the content of the constitutional requirements of judicial impartiality and | |||
his alleged transfer in totum to whoever intervenes in the administrative sanctioning procedure in | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 59 | |||
59/177 | |||
Instructor quality, leads the appellant to affirm the injury of his right to a process with all the | |||
guarantee. | |||
(…) | |||
It should be reiterated here again, as we did in STC 22/1990 (4th legal basis), that "without | |||
prejudice to the interdiction of all arbitrariness and the subsequent judicial review of the sanction, the | |||
strict impartiality and independence of the organs of the judiciary is not, in essence, predicable | |||
to the same extent of an administrative body ". | |||
What can be claimed from the Instructor, ex arts. 24 and 103 CE, it is not that he acts in the situation of | |||
personal and procedural impartiality that is constitutionally required of judicial bodies when | |||
exercise jurisdiction, but act with objectivity, in the sense that we have given to this concept | |||
in SSTC 234/1991, 172/1996 and 73/1997, that is, performing their functions in the | |||
procedure with personal disinterest. To this end the possibility of recusal established by | |||
the art. 39 of Organic Law 12/1985, on the Disciplinary Regime of the Armed Forces (hereinafter | |||
LORDFA) which refers to art. 53 of the Military Procedural Law, whose catalog of cases keeps, in this | |||
scope, evident similarity, with that provided for in the Organic Law of the Judicial Power, although the | |||
listed in one and the other obey, according to what has been stated, a different foundation. | |||
(…) | |||
None of the reasons given can be addressed, not only because, in general, and according to | |||
previously stated, the doctrine cannot be transferred without further ado to the administrative sanctioning area | |||
constitutional elaborated on the impartiality of the judicial organs, but because in the case | |||
present, and in view of the configuration of the legal grounds for disqualification, the | |||
concurrence of any element that would demand the removal of the Instructor due to loss of | |||
necessary objectivity. It is not observed in the questioned Instructor, nor has the interested party provided data | |||
justified in this regard, the presence of direct or indirect personal interest in the resolution of the | |||
sanctioning file (…) ”. | |||
In this case, it must first be specified that CAIXABANK, despite its | |||
allegation of lack of impartiality of the adjudicatory body, has not formally raised the | |||
challenge of the Director of the AEPD, nor does he make any reference to the reasons listed in | |||
those items. | |||
In this regard, it should be taken into account that, to declare the nullity of the | |||
actions for the reasons alleged, it is necessary to fully demonstrate the | |||
concurrence of one of those reasons that could have effectively influenced the | |||
Decision adopted through the present resolution. | |||
However, it is considered appropriate to record in this act the non-attendance | |||
of any of the causes of abstention or recusal established in the precepts | |||
transcribed, which allows to conclude that the alleged lack of impartiality does not exist. Does not have | |||
personal interest in the object of the procedure; no bond, friendship or enmity with him | |||
interested; nor has he intervened as an expert or witness in the procedure. | |||
This resolution is adopted in accordance with the Law, according to objective criteria, and without | |||
that the adjudicatory body has prejudged the matter in question through actions | |||
previous formalities or through their intervention in previous phases of the procedure. This | |||
intervention has not taken place in any way, beyond the adoption of the | |||
opening of the procedure as established by the applicable procedural regulations. | |||
The demonstration to which CAIXABANK has referred does not fall within the | |||
cases of disqualification and abstention listed above and do not advance the decision, either | |||
so that they cannot be appreciated with the scope intended by said entity. | |||
Neither that manifestation, nor any other circumstance, have broken the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 60 | |||
60/177 | |||
impartiality of the investigating body, which has had all the powers attributed to it by the | |||
regulation in question and full freedom to dictate its resolution proposal, as evidenced by | |||
the fact that said proposal has reduced the infractions that were imputed in the | |||
agreement to open the sanctioning procedure. | |||
The intervention of the Director in the event held on 03/03/2020 is related, | |||
rather, with the adoption of the agreements to open the procedures to which the | |||
CAIXABANK refers in its allegations, both from the financial sector. The reference to these | |||
agreements as of wide impact for the affected sectors and with media relevance | |||
has to do with the novelties regulated in the RGPD and, in particular, those related to the new | |||
compliance and oversight model. In relation to the latter, the | |||
important amounts contemplated in the Regulation for the purpose of what, how does this | |||
norm, may have a dissuasive character. | |||
In the opinion of this Agency, specify in the initiation agreement issued the offense that | |||
could have committed and its possible sanction is adjusted to the provisions of article 68 of the | |||
LOPDGDD and article 64.2 of the LPACAP (in this case, of the different corrective powers | |||
provided for in article 58.2 of the RGPD, the Agency deemed appropriate the imposition of | |||
fine, in addition to the adoption of measures to adjust its performance to the regulations, | |||
considering the indications of infringement appreciated at the time of opening and without | |||
detriment to what could result from the instruction of the procedure). Thus, it cannot be said | |||
that to indicate the possible sanction that could correspond for the imputed infractions is | |||
determinant of defenselessness or that involves a breakdown of the principle of separation of | |||
phases of instruction and resolution. | |||
On the other hand, the instruction of the procedure has been in accordance with the regulations | |||
procedural, without being able to appreciate any irregularity in the processing of the | |||
procedure, in which, in addition, all the guarantees of the interested party have been respected, | |||
including the presumption of innocence. CAIXABANK, in this case, has seen all the | |||
guarantees of the interested party provided by the procedural regulations and it cannot be said that the | |||
determination of the amount of the fine in the opening agreement implies no loss of | |||
said guarantees causing helplessness. | |||
It should be noted that both in the present proceeding and the other cited by the | |||
CAIXABANK entity, the resolution issued has lowered the amount of the initial penalty in | |||
attention to the allegations of the parties, as is the case in so many cases of | |||
sanctioning procedures processed by the AEPD. | |||
All you have to do is go to the Agency's website, where all the | |||
resolutions issued in sanctioning procedures, to verify the large number of | |||
those that end with a resolution of the file of actions, as well as those others in | |||
those that increased or decreased the amount of the penalty set in the opening agreement or | |||
agreed to the application of a corrective power other than the fine, once a | |||
Proposal of the instructor or at the initiative of the decision-making body. | |||
- 2. Bankruptcy of legitimate expectations. | |||
On the other hand, CAIXABANK requests the filing of the file for an alleged | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 61 | |||
61/177 | |||
violation of the principle of legitimate expectations or reconsideration of the declaration of | |||
nullity of the consents obtained. | |||
It bases this request on the query made shortly after the GDPR was published, | |||
through emails addressed to the "Deputy Director of the AEPD" , regarding the | |||
implementation of the RGPD and the documents analyzed in the file, especially the | |||
“Framework Contract”, on which, according to CAIXABANK, only some | |||
minor considerations in telephone conversation, which were attended by the | |||
interested entity. It indicates that those emails repeatedly requested the holding of | |||
a meeting between the AEPD and CAIXABANK for this purpose, which was denied. | |||
From having communicated to the AEPD the main actions that would lead to | |||
carried out for the adequacy of its performance to the RGPD, including the reference to the so-called | |||
“Common repository”, CAIXABANK deduces its legitimate conviction of having been | |||
acting correctly and that he may have had a "reasonable induced hope" that his | |||
The way to proceed was in accordance with the law. | |||
The aforementioned principle of legitimate expectations is included in article 3 | |||
of the LRJSP: | |||
"Article 3. General principles. | |||
1. Public Administrations serve the general interests objectively and act in accordance | |||
with the principles of efficiency, hierarchy, decentralization, deconcentration and coordination, with | |||
full submission to the Constitution, the Law and the Law. | |||
They must respect the following principles in their actions and relationships: | |||
(…) | |||
e) Good faith, legitimate trust and institutional loyalty ” . | |||
It is a manifestation of the doctrine of "proper acts" and is related to the | |||
principle of legal certainty. The principle of legitimate expectations can be understood as the | |||
Citizens' confidence in the future action of Public Administrations | |||
taking into account their past performances, considering the expectations they generate, although | |||
always safeguarding the principle of legality, so that principle may not | |||
invoked to save situations contrary to the norm. | |||
The STS of December 18, 2007 refers to the principle of trust protection | |||
citing the terms of a previous Judgment of May 10, 1999: | |||
<< Thus, the STS of 10-5-99 (RJ 1999, 3979), recalls "the doctrine on the principle of protection of the | |||
legitimate trust, related to the most traditional in our security system | |||
legal and good faith in the relations between the Administration and individuals, and which involves, according to | |||
the doctrine of the Court of Justice of the European Communities and the jurisprudence of this Chamber, | |||
that the public authority cannot adopt measures that are contrary to the hope induced by | |||
reasonable stability in the decisions of the former, and based on which individuals have | |||
made certain decisions. […] On the other hand, in the STS of 1-2-99 (RJ 1999, 1633), | |||
remember that "this principle cannot be invoked to create, maintain or extend, within the scope of | |||
Public law, situations contrary to the legal system, or when the preceding act results | |||
a contradiction with the purpose or interest protected by a legal norm that, by its nature, is not | |||
liable to protect one. discretionary conduct by the Administration that involves the | |||
recognition of rights and / or obligations arising from acts of the same. […] | |||
One thing is the irrevocability of the declaratory acts of rights outside the channels of | |||
revision established in the Law (articles 109 and 110 of the Administrative Procedure Law of 1958 | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 62 | |||
62/177 | |||
[RCL 1958, 1258, 1469, 1504 and RCL 1959, 585], 102 and 103 of the Law of Legal Regime of the | |||
Public Administrations and Common Administrative Procedure, Law 30/1992 [RCL 1992, 2512, | |||
2775 and RCL 1993, 246], modified by Law 4/1999 [RCL 1999, 114, 329]), and another respecting the | |||
Legitimate confidence generated by own action that must necessarily be projected into the field of | |||
discretion or autonomy, not that of the regulated aspects or regulatory requirements against | |||
those that, in Administrative Law, what is resolved in act or in precedent that | |||
was contrary to those. Or, in other words, it cannot be said that the trust | |||
deposit in an act or precedent that is contrary to mandatory norm ">>. | |||
The STS of February 22, 2016 (rec. 1354/2014) refers to the requirements that must be | |||
concur to assess legitimate confidence: | |||
"It should be taken into account that legitimate trust requires, ultimately, the concurrence of three | |||
essential requirements. Namely, that it is based on undeniable and external signs (1); what hopes | |||
generated in the administered must be legitimate (2); and that the final conduct of the Administration | |||
is contradictory with the previous acts, is surprising and incoherent (3). Exactly what | |||
It occurs in the case under review, based on the facts mentioned above, which is irrelevant. | |||
Let us remember that, with respect to legitimate expectations, we have been declaring repeatedly, for all, | |||
Judgment of December 22, 2010 (contentious-administrative appeal nº 257/2009), that «the principle | |||
pio of good faith protects the legitimate expectations that may have been placed in the | |||
behavior of others and imposes the duty of consistency in their own behavior. What is so much | |||
as saying that the principle implies the requirement of a behavioral duty that consists in the | |||
It is necessary to observe in the future the behavior that the previous acts made foresee and accept the | |||
binding consequences arising from the acts themselves constituting an assumption of law. | |||
tion to the legitimate expectations of the parties "venire contra factum propium". | |||
This same Judgment refers to confidence in the stability of the criteria of the | |||
Administration, evidenced in previous acts in the same sense. | |||
On the other hand, the STS of September 21, 2015 (rec. 721/2013), in its Foundation | |||
Fourth Law, declares the following: | |||
“In the aforementioned judgment of this jurisdictional Chamber of February 23, 2000, the application of the | |||
The principle of protection of legitimate expectations is conditioned not so much by the fact that | |||
any type of psychological conviction in the particular beneficiary, but rather to accredit the | |||
existence of external signs produced by the Administration "sufficiently conclusive" to | |||
that reasonably induce him to trust in the legality of the administrative action ” . | |||
Therefore, that hope or confidence generated must be "legitimate" and based on | |||
previous external acts, the meaning of which is undoubtedly contrary to what was agreed | |||
subsequently, without having to include in this principle of legitimate expectations a mere | |||
psychological conviction of the individual. | |||
In this case, it appears that CAIXABANK sent several emails to | |||
"Deputy Director AEPD" , by way of consultation, accompanying a copy of the "Framework Contract" | |||
provided by that entity as a form for collecting personal data and with the | |||
informative clauses on the protection of personal data, as well as a program | |||
on the actions taken, in which, in addition, he requested the holding of a meeting | |||
for the purpose of commenting on such documents and actions. It also appears that this | |||
meeting did not take place. | |||
It is clear that these emails were answered by the recipient, by the | |||
same route, with the following messages: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 63 | |||
63/177 | |||
. Email dated 07/27/2016: | |||
"Subject: Meeting | |||
Good morning…, in order to assess the possibility of holding a meeting, send me a brief | |||
explanation of the policy you have adopted and the text of the informative clauses. We will talk | |||
in September ” . | |||
. Email from 09/11/2017: | |||
"Subject: RE: RGPD Presentation at CaixaBank | |||
Good morning, I would appreciate if possible, if you could send me the presentation in a format that can | |||
print as it is impossible for me to do so ” . | |||
In this case, CAIXABANK does not have previous external events ( "signs | |||
undeniable externalities ” ) that may be considered favorable to said entity in a | |||
conclusive and sufficient to have induced it to think that the AEPD validated the | |||
Actions undertaken by the entity to adapt its performance to the RGPD. | |||
Beyond the criticism that CAIXABANK could make to this AEPD for having been | |||
your inquiries or your requests for a meeting to analyze the documentation that | |||
was preparing, the truth is that the responses of this Agency contained in the emails | |||
provided by the interested party do not have any legally binding content nor do they contain | |||
any pronouncement on the issues to which the allegations refer. In | |||
definitively, they do not represent external acts of the Administration that could | |||
derive a future violation of the principle of the "legitimate confidence of the administered", | |||
now invoked. | |||
The actions of this Agency have not influenced in any way the conduct of | |||
CAIXABANK determining the infractions analyzed, nor has this Agency carried out | |||
any action that has allowed said entity to conclude that in the documentation of | |||
data protection formalized by the same or in its processes of collection and treatment of | |||
personal data does not exist any element that contravenes the provisions of the RGPD and | |||
LOPDGDD. CAIXABANK cannot provide any statement or action from this | |||
Agency that led to this alleged confusion, simply because there is no action | |||
some in that sense. | |||
In short, projecting the doctrine of the Supreme Court to the present case, and in the | |||
terms of the STS of December 18, 2007, it turns out that there are no circumstances that | |||
allow us to understand that CAIXABANK has been surprised by the performance of the | |||
Administration. | |||
Finally, it is considered appropriate to point out, firstly, that the emails to | |||
those referred to by CAIXABANK do not belong to or comprise any regulated action of the | |||
Administration and, secondly, that the AEPD has enabled consultation channels for | |||
that citizens and those responsible for processing personal data may raise | |||
your doubts in the matter of your competence, but these channels cannot be used for | |||
this Agency supervises and fully validates the actions undertaken by those | |||
responsible, unless a rule so expressly provides. | |||
Furthermore, it is surprising that CAIXABANK intends to found the bankruptcy of the principle of | |||
legitimate confidence in the forwarding of two emails to the Deputy to the Directorate of the | |||
AEPD, in which a meeting was requested on the texts that were attached. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 64 | |||
64/177 | |||
First, from a formal perspective, it should be noted that the allegations | |||
they highlight in bold the recipient of the emails, whom they incorrectly describe | |||
naming him as "Deputy Director of the AEPD", despite the fact that said job | |||
did not exist in the Agency's job list, as is fully known | |||
by CAIXABANK when in document number 3 that it provides in relation to this | |||
argumentation is addressed to the “AEPD Deputy”. What it might suggest, beyond a mere mistake | |||
material, an intentional will to give more importance at this time to the remission | |||
of the aforementioned emails according to the relevance of the position to which they were addressed. | |||
And, what is materially more relevant, is that it is intended to establish said allegation | |||
in compliance with the principle of proactive responsibility, regulated in the RGPD as a | |||
essential element of the new compliance model designed by said standard. Interpretation | |||
what exactly is contrary to the provisions of the Regulation, in which the principle of | |||
proactive responsibility refers to those responsible for the treatment the requirement to carry out | |||
risk analysis for the rights and freedoms of those affected and adopt | |||
autonomously the measures that allow guaranteeing them through the measures that in the | |||
described themselves. | |||
Maxime when in relation to these measures the only provision of the RGPD on | |||
consultations with the supervisory authority is related to the Impact Assessments on the | |||
Data Protection, when it shows that the treatment would involve a high risk if | |||
the person in charge does not take measures to mitigate it, in accordance with article 36 of said regulation. | |||
To which is added that, without having proceeded to the analysis of the documentation submitted or | |||
speak out about it, CAIXABANK was informed that the meetings would not be held | |||
arguing precisely that proactive responsibility requires the person responsible for the | |||
processing carry out their own analyzes and autonomously adopt the measures that | |||
guarantee and allow demonstrating compliance with their obligations. | |||
Therefore, the allegation of violation of the principle of trust must be rejected | |||
legitimate and, if not, reaffirm the full responsibility of CAIXABANK in the analysis of | |||
the risks associated with the initiatives developed to comply and demonstrate compliance | |||
of the RGPD. | |||
- 3. Expiration of the previous actions. | |||
In its arguments at the opening of the procedure, CAIXABANK invoked the expiration | |||
of the preliminary investigation actions indicated with number E / 01475/2018, initiated | |||
due to the claim presented on 01/24/2018, and whose documentation was | |||
incorporated into the new investigative actions initiated with number E / 01481/2019. | |||
Based on this, it considers that the possible infractions analyzed in the proceedings | |||
previous that were declared expired by resolution of 02/01/2019 would have prescribed, | |||
under the terms provided in Organic Law 15/1999, of December 13, on the Protection of | |||
Personal Data (LOPD). | |||
Subsequently, in its allegations to the motion for a resolution, CAIXABANK alleges | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 65 | |||
65/177 | |||
a possible violation of Article 24 of the EC due to the defenselessness produced by the extension | |||
artificial and unlawful of the previous investigation actions, also ignoring their | |||
expiration. He substantiates this claim according to the following considerations: | |||
. The previous investigative actions supplanted the instructional activity, since it was | |||
used as a true sanctioning procedure, which constitutes a possible vice of | |||
misuse of power in the use of instructional mechanisms. For this very | |||
reason, the sanctioning procedure must be considered expired by the expiration of the term | |||
planned for its resolution, counted from the beginning of the previous actions of | |||
investigation. | |||
. It understands that such consideration is only attributed to actions that allow data to be collected | |||
and indications about the facts committed and those responsible, and the | |||
procedure as soon as there is certainty about the commission of the facts and their author. According | |||
CAIXABANK, in this case they do not adhere to the purpose provided in the applicable regulations. | |||
. The previous actions developed (a first expired, which led to the opening of | |||
a second) did not respect any essential guarantee of the sanctioning procedure, such | |||
such as reporting the accusation, remembering the right not to testify against oneself, etc. | |||
. Given that the Proposed Resolution rests de facto, solely and exclusively, on the | |||
elements of conviction and evidence collected during the preliminary proceedings phase, the | |||
impossibility of using them means that the proposal lacks the elements | |||
necessary to enervate the presumption of innocence. | |||
. The bulk transfer of the expired file is not acceptable, nor is it possible to | |||
acted in the previous actions, pass in full to the sanctioning file. | |||
. The use of previous actions without time limitation is not acceptable, beyond | |||
of the prescription itself. | |||
This allegation by CAIXABANK is based on different pronouncements of | |||
our Supreme Court, but it contains statements that are contradictory in | |||
Some cases or refer to assumptions of events different from the one that concerns us in others. | |||
Thus, for example, CAIXABANK alleges that the previous actions carried out did not | |||
respected any essential guarantees of the sanctioning procedure, such as reporting | |||
the imputation, remember the right not to testify against oneself, etc. However, it based | |||
this allegation in what was expressed by the Supreme Court in Sentence of 06/09/2006, referred | |||
to an alleged disciplinary of the Armed Forces. | |||
On the other hand, it is not understood that, on the one hand, it is said that the motion for a resolution | |||
rests in its entirety on charge elements collected during the proceedings phase | |||
previous investigation and, on the other hand, it is defended that the previous actions | |||
developed were denatured and did not adhere to “the purpose that they must cover according to | |||
to the design of the legislator ” , when, precisely, the purpose of carrying out such | |||
investigations is none other than obtaining those evidences that justify the processing of a | |||
sanctioning procedure. For the same reason, it is not understood that the | |||
immediate opening of the sanctioning procedure, even if it has not been fully proven | |||
the offense. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 66 | |||
66/177 | |||
Likewise, that purpose being the basis for carrying out the | |||
previous investigation, this Agency does not share the assertion contained in the allegations of | |||
CAIXABANK on the "impossibility" of use in the proposed resolution of the | |||
elements of conviction and evidence collected during the preliminary proceedings phase. | |||
On the other hand, it is argued that the actions of a procedure | |||
expired cannot take effect in the new sanctioning file that may be initiated | |||
when the offense has not prescribed (STS of 02/24/2004). However, in this case, the | |||
expiration occurred with respect to the previous actions E / 01475/2018, and not the | |||
sanctioning procedure. | |||
Regarding this question regarding the transfer or use of the documentation of the | |||
the previous actions that were declared expired, some of the | |||
affirmations contained in the brief of allegations to the proposed resolution. In | |||
Specifically, said letter indicates that “there are very divergent principles that prevent | |||
the actions taken in the previous proceedings go entirely to the sanctioning file ” , or that | |||
"To these pseudo previous actions, in reality true instruction of the procedure | |||
sanctioner, the actions arising and documented in it should not have reached | |||
root of its initiation ” . In this case, there has been no transfer of documentation | |||
from the sanctioning procedure to the previous actions, but to the contrary, as is normal; and | |||
nor has documentation been transferred from an expired procedure to a new one | |||
procedure, simply because the expiration of the sanctioning procedure has not been | |||
produced. | |||
Likewise, it is said by CAIXABANK that the previous actions did not comply with “the | |||
purpose to be served according to the legislator's design , ” but it is not said that another | |||
"Design" pursued by the AEPD with the performance of these actions, other than to achieve a | |||
better determination of the facts and circumstances that justify the processing of a | |||
sanctioning procedure. | |||
It even alleges “a possible deviation of power in the use of the | |||
mechanisms of instruction ” , understood as <<“ a contravention of the teleological sense of | |||
the administrative activity carried out ”(STS of 7-4-86),“ a distortion of the normal | |||
purpose of the act ”(STS of 11-4-89), a“ non-use of administrative authority in a | |||
objective, in accordance with the objective pursued ”(STS of 12-5-86). Said procedural deviation | |||
it can happen “not only when it is proven that the Administration is pursuing a | |||
private or an unspeakable purpose, alien to any defense of the general interests, | |||
but this teleological deviation can also occur when pursuing an interest | |||
foreign public and, therefore, different from that provided by the legal system for the case " | |||
(Judgments of the Supreme Court of March 18, 2011 and May 11, 2012) ”>> (citations | |||
included by CAIXABANK in their allegations to the proposal). | |||
In this regard, it argues that the repeated previous investigative actions | |||
"They supplanted the teaching activity . " However, CAIXABANK does not explain how it has | |||
used in this case the administrative sanctioning power in a manner not in accordance with the | |||
purpose pursued, or what contravention of the teleological sense of the administrative activity | |||
has occurred or how the purpose of the administrative act has been distorted, nor | |||
what private purpose or public interest other than that provided for in the regulation pursues in this | |||
case the Administration. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 67 | |||
67/177 | |||
On this issue, the Supreme Court, in a Judgment of 05/13/2013, has declared: | |||
“In this regard, it should be noted that, according to the jurisprudence of this jurisdictional Chamber, the | |||
concurrence of misuse of power cannot be based on mere presumptions or conjectures, being | |||
necessary to prove sufficient facts or elements to form in the Court the conviction that the | |||
Although the Administration accommodated its actions to the law, it did so for a purpose other than | |||
claimed by the applicable norm, which, in this process, has not happened ”. | |||
In this case, not only are sufficient facts or elements not proven to form the | |||
conviction that the Administration acted for a purpose other than that intended by the | |||
rule, but not even assumptions or conjectures have been made about the | |||
concurrence of the alleged misuse of power. | |||
In the same way, CAIXABANK does not explain what specific procedure carried out in the | |||
framework of the preliminary investigation actions is actually an administrative procedure | |||
that should have been held within the sanctioning procedure, what procedure or procedures | |||
specific actions of the sanctioning procedure have been supplanted by the previous actions, or | |||
what steps of the procedure have been avoided because of the previous actions | |||
made, or how defenseless all this has generated the interested entity. | |||
On the contrary, prior investigation actions were carried out perfectly | |||
justified, with the purpose of achieving a better determination of the facts and | |||
circumstances (article 67 LOPDGDD), during which necessary information was collected | |||
for the determination of the facts, without carrying out during the course of the same procedures | |||
some of the sanctioning procedure, which was initiated based on the evidence | |||
obtained and with the sole purpose of applying the established regulatory provisions. | |||
A first claim was received, dated 01/24/2018, in which the | |||
Obligation to accept the new conditions regarding the protection of personal data | |||
implemented by CAIXABANK (provided a copy), and it was decided to carry out actions | |||
previous investigation, indicated with number E / 01475/2018, for the clarification of | |||
the facts denounced and determine if there were circumstances that justified the initiation | |||
of a sanctioning procedure. | |||
Within the framework of these preliminary actions, CAIXABANK received two | |||
requirements for said entity to provide essential information to assess the | |||
informative clauses offered by the entity to its clients. Among other information, | |||
requested that entity provide details on the architecture and operation of the | |||
"Common repository"; procedure for the exercise of rights; obtaining personal data | |||
social networks, aggregation services and third parties; about him | |||
data enrichment; detail on the mechanism implemented to collect the | |||
unequivocal consent of the client for the treatment of their data and mechanism for | |||
revoke it; and information provided to the client at the time of obtaining the | |||
consent in relation to the processing of personal data carried out by the | |||
CaixaBank Group companies and their purpose. | |||
Subsequently, a new complaint regarding the | |||
“Framework Contract”, which was submitted to the prior process of admission for processing, following the | |||
mechanism provided for in article 65.4 of the LOPDGDD, which consists of transferring the | |||
same to the data protection delegates appointed by those responsible or | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 68 | |||
68/177 | |||
responsible for the treatment, for the purposes provided in article 37 of the aforementioned regulation, or | |||
these when they have not designated them, so that they proceed to the analysis of said | |||
complaints and to respond to them within a month. It is an optional procedure, | |||
so that this transfer is carried out if the Agency so deems it. | |||
The result of said transfer was not satisfactory, therefore, for the intended purposes | |||
In its article 64.2 of the LOPDGDD, it was agreed to admit the claim presented | |||
by agreement that was duly notified to the claimant, and not to CAIXABANK, | |||
in accordance with the provisions of article 65.5 of the LOPDGDD. | |||
In accordance with the provisions of article 67 of the LOPDGDD, it was agreed to start | |||
new preliminary investigation actions, indicated with number E / 01481/2019, and the | |||
incorporation of the second claim received and the documentation that | |||
integrates the phase of admission to processing of the latter. Likewise, the entire | |||
documentation corresponding to the previous actions indicated with the number | |||
E / 01475/2018, including the claim that gave rise to them. | |||
The object of these new preliminary investigation actions was determined | |||
analysis of the information generally offered by CAIXABANK on the subject of | |||
protection of personal data, through all the channels used by the entity | |||
(CAIXABANK's compliance with the principle of transparency established in the | |||
articles 5, 12 and following of the RGPD, and related precepts); the different treatments of | |||
personal data carried out by the entity according to the information offered, in relation to | |||
with clients or person who have any other relationship with it, and within the framework of | |||
the new regulations applicable from 05/25/2018, including the analysis of the mechanisms | |||
employees to obtain the consent of the interested parties; just like him | |||
compliance by the aforementioned entity of the rest of the principles related to the treatment | |||
established in article 5 of the RGPD. | |||
During the course of this new preliminary phase of investigation, a request was made | |||
of information to CAIXABANK (a copy of all versions of the "Framework Contract" and | |||
possible addenda, information on the channels and methodology to accept the | |||
privacy and granularity of the consents, as well as the procedures enabled | |||
to publicize the updated privacy policy to clients prior to its validity and | |||
acceptance mechanisms) and an inspection visit was made to verify the process of | |||
In-person registration at the office, through the web and mobile application, and for verification of the | |||
consent modification process, among other issues. | |||
It cannot be said, in view of the foregoing, that in this case the previous actions | |||
were not necessary or were not carried out to gather data and evidence on the facts | |||
committed and those responsible. | |||
Indeed, the previous actions number E / 01475/2018 were declared | |||
expired by resolution of 02/01/2019, over the course of a twelve-month period | |||
provided for in article 122 of RD 1720/2007, of December 21, which approves the | |||
Regulations for the development of the LOPD. Said resolution warned about the provisions of | |||
Article 95.3 of the LPACAP, which establishes that the expiration will not produce by itself | |||
only the prescription of the actions of the Administration, and the opening of a new | |||
procedure when the prescription has not occurred. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 69 | |||
69/177 | |||
This expiration does not have the effect intended by CAIXABANK. Nothing prevents, therefore, | |||
the opening of new investigations, with the incorporation of the documentation | |||
that integrates expired actions. To this must be added the receipt of a new | |||
claim dated 03/29/2019, which is why these new actions of | |||
investigation to be initiated had as their object both claims, which resulted in | |||
to the investigation file E / 01475/2018 and this one received on 03/29/2019. | |||
No legal consequence can be attributed to this fact, beyond the rule of | |||
the prescription and the effects attributed to it. | |||
On the other hand, it is appropriate to respond to the allegation regarding the expiration of the procedure | |||
sanctioning declared by CAIXABANK. Based on the consideration maintained by this | |||
entity regarding the impersonation of the instructional activity by the previous actions of | |||
investigation, which, as has already been said, has no basis whatsoever, understands that the procedure | |||
sanctioning must be considered expired by the expiration of the period foreseen for its | |||
resolution, counted from the beginning of the preliminary investigation actions. | |||
This claim must also be rejected. The approach that CAIXABANK | |||
made on this issue in its allegations to the opening does not comply with the law. Should | |||
It should be noted that the expiration period of this procedure, established in nine | |||
months, it is computed from the date on which its beginning is agreed, resulting in inappropriate | |||
add to this computation, in order to measure the duration of the administrative file, no | |||
another period, such as the time of the preliminary investigation actions, or the time that | |||
elapses between the completion of these actions and the opening of the procedure, nor the | |||
time corresponding to the phase of admission for processing of the claims presented. | |||
This has been repeatedly stated by our Supreme Court. In Judgment of | |||
10/21/2015 cites the Judgment of 12/26/2007 (resource 1907/2005), which states the following: | |||
“[…] The term of the procedure […] is counted from the initiation of the sanctioning file, which | |||
obviously excludes from the computation the time of the reserved information ";" […] The major or minor | |||
duration of the preliminary phase does not entail the expiration of the subsequent procedure " . | |||
Also in the Supreme Court ruling of 10/13/2011 (resource 3987/2008) that | |||
examines a ground of appeal relating to the computation of the expiration period of the procedure, | |||
the following is declared: | |||
“We cannot share the reasoning presented by the Court of Instance to establish a dies a quo | |||
different from that established by law, indicating as the initial date of the computation the day following the | |||
completion of preliminary informational proceedings. | |||
[…] | |||
Well, once these previous actions have been carried out, the time it takes the Administration to | |||
agreeing to initiate the procedure […] may have the appropriate consequences regarding the | |||
calculation of the prescription (extinction of the right); but it cannot be taken into consideration | |||
effects of expiration, since this figure is intended to ensure that once the | |||
procedure the Administration does not exceed the term available to resolve. On the foundation | |||
third of the sentence under appeal, the Court of Instance makes an interpretation of the rule that is not | |||
according to the nature of the institution of expiration, since unlike the prescription, which is | |||
cause of extinction of the right or responsibility in question, expiration is a way of | |||
termination of the procedure due to the expiration of the period established in the norm, so its appreciation | |||
does not prevent, if the period established for the prescription of the action of | |||
restoration of urban legality by the Administration, the initiation of a new | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 70 | |||
70/177 | |||
process". | |||
Finally, regarding the prescription of the infractions invoked by CAIXABANK | |||
In accordance with the provisions of the LOPD, it is enough to point out that it is not this rule that typifies | |||
infractions analyzed in this procedure. | |||
The object of the sanctioning procedure, as well as that of the previous actions of | |||
research, already mentioned, which is perfectly defined in the Law Foundation | |||
following, is related to the information offered in general by | |||
CAIXABANK regarding the protection of personal data; the different treatments of | |||
personal data carried out by the entity according to the information offered, including the | |||
analysis of the mechanisms used to obtain the consent of the | |||
interested; as well as compliance by the aforementioned entity of the rest of the principles | |||
relating to treatment. | |||
All this, within the framework of the new regulations, constituted by the RGPD, applicable | |||
since 05/25/2018, and the LOPDGDD, in force from the day following its publication in | |||
the Official State Gazette, which took place on 12/06/2018. | |||
The two claims that give rise to the procedure, including the first of them, | |||
received on 01/24/2018, are related to the changes implemented by | |||
CAIXABANK for its adaptation to the RGPD, and this has been recognized by the entity itself | |||
interested. | |||
The action carried out by CAIXABANK is analyzed from the application of the RGPD, | |||
that is, as of 05/25/2018, in relation to the extremes that constitute the object of the | |||
procedure, and the alleged infractions appreciated according to the | |||
sanctioner regulated in the RGPD and the LOPDGDD. This being the case, the prescription of | |||
infractions must be assessed in accordance with the provisions of this sanctioning regime and not in | |||
that established in Organic Law 15/1999 (LOPD). | |||
In this sanctioning procedure, the following infractions are charged: | |||
1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified | |||
in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the | |||
LOPDGDD. | |||
2. Infringement for breach of the provisions of article 6 of the RGPD, typified in the | |||
article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) and | |||
c) of the LOPDGDD. | |||
In accordance with the provisions of articles 72.1 and 74.1 of the LOPDGDD, the | |||
Infractions considered very serious will prescribe after three years and minor infractions | |||
prescribe in one year, counted from the commission of the offense and until the opening of the | |||
procedure with knowledge of the interested party. | |||
In this case, all the factual circumstances that appear in the | |||
Following legal grounds, which support the commission of the infractions that are | |||
declares in this act, they took place within the year prior to the opening of the procedure, in | |||
the case of the minor infraction, and within the previous three years, in the case of the infraction | |||
very serious; with the limit in the latter case of the date of application of the RGPD (05/25/2018), | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 71 | |||
71/177 | |||
attending to the object of the aforementioned file. | |||
This being the case, neither of the two offenses committed had prescribed at the time | |||
when the notification to CAIXABANK of the opening of the procedure took place. | |||
- 4. The enumeration of the graduation criteria in the opening agreement, without | |||
any motivation and without specifying whether they are applied as aggravating or mitigating | |||
cause of helplessness. | |||
In the opinion of this Agency, the agreement to initiate the procedure is in accordance with the provisions | |||
in article 68 of the LOPDGDD, according to which it will be enough to specify the facts that | |||
motivate the opening, identify the person or entity against which the procedure is directed, | |||
the offense that could have been committed and its possible sanction (in this case, of the different | |||
corrective powers contemplated in article 58.2 of the RGPD, the Agency deemed appropriate | |||
the imposition of a fine, in addition to the adoption of measures to adjust its performance to the | |||
regulations, without prejudice to what could result from the instruction of the procedure). | |||
In the same sense, article 64.2 of the LPACAP is expressed, which establishes | |||
expressly the minimum content of the initiation agreement. According to this precept, among others | |||
details, must contain “the facts that motivate the initiation of the procedure, its possible | |||
legal qualification and the penalties that may correspond, without prejudice to what results | |||
of the instruction ” . | |||
In this case, not only are the aforementioned requirements fully met, but also | |||
which goes further by offering reasons that justify the possible legal qualification of | |||
the facts valued at the beginning and, even, the circumstances that may influence the | |||
the determination of the sanction. | |||
In accordance with the foregoing, it cannot be said to point out the possible sanction that | |||
may correspond for the imputed infractions, with mention of the circumstances that | |||
influence is your determination, is a cause of helplessness. CAIXABANK, in this case, has seen | |||
respecting all the guarantees of the interested party provided by the procedural regulations and cannot | |||
be said that the enumeration of the circumstances or factors of graduation of the fine | |||
suppose any reduction of said guarantees causing defenselessness. | |||
Article 68 of the aforementioned LOPDGDD regulates the content that the agreement must include | |||
initiation of the sanctioning procedure. However, it is the minimum content required, | |||
of the elements that must be detailed in the aforementioned agreement to determine its validity. | |||
But nothing prevents that, as indicated above, the circumstances are mentioned | |||
that can influence the determination of the sanction, which will undoubtedly benefit | |||
of the interested party, who sees his right of defense reinforced and favored. | |||
III | |||
The actions outlined in the Background of this act are intended to | |||
analyze the information offered in general by CAIXABANK on the subject of | |||
protection of personal data, through all the channels used by the entity | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 72 | |||
72/177 | |||
(CAIXABANK's compliance with the principle of transparency established in the | |||
articles 5, 12 and following of the RGPD, and related precepts); the different treatments of | |||
personal data carried out by the entity according to the information offered, in relation to | |||
with clients or person who have any other relationship with it, including the | |||
analysis of the mechanisms used to obtain the consent of the | |||
interested; as well as compliance by the aforementioned entity of the rest of the principles | |||
related to the treatment established in article 5 of the RGPD. | |||
All this, within the framework of the new regulations, constituted by the RGPD, applicable | |||
since 05/25/2018, and the LOPDGDD, in force from the day following its publication in | |||
the Official State Gazette, which took place on 12/06/2018. | |||
The CAIXABANK entity has reported that it began its adaptation to the RGPD in the year | |||
2016, and that it was carried out mainly through the implementation of the | |||
document called “Framework Contract” in June 2016, of which six | |||
versions since then, dated 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, | |||
12/20/2018 and 09/17/2019, according to that entity has informed this Agency. Too a | |||
declared that the "Framework Contract" regulates the entire customer relationship with CAIXABANK and | |||
the Group companies whose products it sells, informs of all the | |||
treatments derived from the contractual relationship and requests the necessary consents | |||
for the treatment of personal data at the Group level. This document, which | |||
It serves as a form for collecting personal data and that the client signs with his signature, | |||
is the one employed by CAIXABANK as a priority to comply with the requirements | |||
transparency and manifestation of consent by clients for the | |||
processing of your personal data. | |||
Of the six versions, the 4th version will be reviewed in this procedure. | |||
(Annex I), dated by CAIXABANK on 11/12/2018, and the two subsequent ones that modify it | |||
slightly (the 5th version presents some modifications in section 6.4 “Subscription of | |||
documents and contracts by electronic signature ” , and deletes section 7.2, referring to | |||
"Treatment of biometric data in the electronic signature of documents" ; and version 6 | |||
presents changes in section 4 "Compliance with regulatory obligations in | |||
tax ” , but without significant changes in terms of data protection | |||
personal), since it is these versions that appear with a greater adaptation to the | |||
GDPR and, furthermore, for temporary reasons. | |||
The first three versions (1, 2 and 3) refer to the LOPD and do not refer to | |||
specific issues regulated in the RGPD, such as the legal basis of the treatment | |||
(legal obligation, legitimate interest or consent); rights of deletion, limitation and | |||
portability; right to file a claim with the Spanish Agency for the Protection of | |||
Data; existence of a data protection officer and means enabled to contact | |||
with the same. | |||
In the proposed resolution, it was indicated that the 3rd version of the "Framework Contract" | |||
constituted the information offered by CAIXABANK on 05/25/2018 and that it | |||
shows the deficiencies expressed, among others. | |||
In relation to this issue, CAIXABANK has alleged that version 4 was | |||
implemented in June 2018 and not in November of that year, and provides a copy of a "Contract | |||
Marco ”signed by a client on 06/08/2018, whose content coincides with the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 73 | |||
73/177 | |||
corresponding to this 4th version, outlined in Annex I. | |||
It should be noted in this regard that it was the CAIXABANK entity itself that dated the | |||
version 4 of this document in November 2019, as stated in the documentation | |||
contributed to inspection services. In any case, this circumstance does not modify | |||
none of the conclusions expressed in the motion for a resolution or in this act | |||
on the defects of information appreciated and in relation to the treatment of the data, | |||
based on the content of this 4th version and those made subsequently by CAIXABANK. | |||
It has already been said that the changes produced in versions 5 and later with respect to the | |||
version 4 only affect the processing of biometric data in the electronic signature of | |||
documents and compliance with regulatory obligations in tax matters. | |||
The aforementioned 4th version, dated by CAIXABANK on 11/12/2018, is the first version that | |||
refers to specific issues regulated in the RGPD, such as the legal basis | |||
of the treatment (legal obligation, legitimate interest or consent); erasure rights, | |||
limitation and portability; right to file a claim with the Spanish Agency for | |||
Data Protection; existence of a data protection officer and authorized means | |||
to contact him. The complete content of this version, in relation to | |||
protection of personal data, appears in Annex I. | |||
This "Framework Contract", as stated in section 2, establishes the basic rules | |||
that will regulate the commercial, business and contractual relationships that are formalized between | |||
the client and CAIXABANK. Thus, this document dedicates sections 3 to 6 to inform and regulate | |||
about essential issues governing Business Relationships, such as the | |||
relating to the prevention of money laundering and the financing of terrorism, the | |||
compliance with regulatory obligations in tax matters, the application of sanctions | |||
international economic-financial and the fight against fraud or the general aspects of | |||
the contracting of products and services, which will not be the object of the actions, except | |||
the mentions to the treatments that derive from these questions contained in the | |||
following sections of the contract. | |||
The following sections of the "Framework Contract" deal with the "Policy of | |||
Privacy ”, the use and treatment of personal data and authorizations | |||
for the use of the data that is carried out for the development of commercial activity | |||
owned by CaixaBank and the CaixaBank Group companies, which are of interest for the purposes of | |||
present sanctioning procedure. | |||
It is also interesting to analyze in this file the information on protection | |||
of data offered in general by CAIXABANK and the mechanisms for providing the | |||
consent enabled by other means, channels or channels, referred to in | |||
the background of this agreement, based on the fact that the "Framework Contract" contains a reference | |||
specific to these other media. Specifically, we refer to the following documents: | |||
. "Privacy Policy" available on the entity's website: section 7 of the "Contract | |||
Frame ”contains indicates “ You can find complementary information to which you are | |||
facilitates in this contract, regarding the processing of your personal data in | |||
www.CaixaBank.com/privacidad ” . | |||
. Social media contract: section 8 of the “Framework Contract” details the data | |||
personal used for the purposes described in that same section. Among them are | |||
they mention "the data obtained from social networks that the signer authorizes to consult" . Bliss | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 74 | |||
74/177 | |||
authorization is provided in the so-called Social Networks Contract. | |||
. Aggregation service contract: section 8 of the “Framework Contract” details the | |||
personal data used for the purposes described in that same section. Between the | |||
data used for the purposes described in the same section 8 of the "Framework Agreement" is | |||
mention “data obtained from third parties as a result of requests for | |||
aggregation of data requested by the signer ” . Said request is formalized through the | |||
called Aggregation Service Contract. | |||
In addition to the aforementioned "Framework Contract", to offer information on the | |||
protection of personal data and obtain the consent of its clients for the | |||
data processing for "commercial" purposes and transfer of data to third parties, CAIXABANK | |||
uses the document called by said entity "Consent Agreement" . According | |||
It appears in the label of this document, through it the client is requested "Authorization | |||
for the processing of personal data for commercial purposes by CaixaBank, | |||
SA and companies of the CaixaBank group ” . | |||
Of this "Agreement of consents", three | |||
versions (the one provided by the claimant on 01/24/2018, outlined in the First Fact | |||
-Version 1; the one provided by CAIXABANK on 07/10/2018, outlined in the Second Fact | |||
and transcribed in Annex II -Version 2; and the one attached to the Inspection Certificate dated 11/28/2019, | |||
outlined in Fact Four, the details of which are also included in Annex II -Version 3). | |||
For temporary reasons, the document examination procedure is dispensed with | |||
provided by the claimant, prior to the date of application of the RGPD. | |||
On the other hand, considering the object of the preliminary investigation actions | |||
aforementioned, the information offered on this matter in the | |||
forms used to contract products or services that, due to their specialty, | |||
include their own data protection clauses, as reported by the entity | |||
CAIXABANK. Except for what is related to the aforementioned contracts, for which the client | |||
consent to access to personal data on social networks and "aggregation service". | |||
And neither does it examine the action that the companies that make up | |||
the so-called “CaixaBank Group” for compliance with the principle of transparency or the | |||
specific procedures that they have enabled to obtain the consent of their | |||
clients for the processing of personal data that they carry or intend to carry out, or in | |||
relation with the other aspects outlined. | |||
The analysis of the procedures established by CAIXABANK is also excluded. | |||
for the management of clients' rights, only interested in the mechanisms | |||
arranged so that the client can revoke the consents he had given, in | |||
the extent to which this mechanism is also used for the modification of said | |||
consents, and therefore may lead to the provision of new ones. | |||
Likewise, although part of the information contained in the | |||
Impact Evaluations provided by CAIXABANK, which have been outlined in the | |||
Background, no data security analysis is carried out. | |||
In accordance with the foregoing, the conclusions that may be derived from this | |||
procedure will not suppose any pronouncement regarding the previous aspects | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 75 | |||
75/177 | |||
discarded, or in relation to the CaixaBank Group entities. | |||
IV | |||
In accordance with the delimitation expressed in the previous Law Foundation, to | |||
The effects of this procedure are of interest in the content related to data protection of | |||
personal nature of the "Framework Agreement" and the "Consent Agreement" ( "Authorization | |||
revocation for the processing of personal data for commercial purposes by | |||
CaixaBank, SA and companies of the CaixaBank group ” ), the“ Privacy Policy ”accessible to | |||
through the entity's website and the information offered in relation to personal data | |||
of social networks and aggregation service. The content of these documents consists | |||
reproduced in Annexes. | |||
The "Framework Contract", which serves as a data collection form and which is the | |||
document used primarily to provide information on the protection of | |||
personal data, is presented as mandatory subscription for the client, establishing | |||
expressly that the signature of the document implies that it "knows, understands and accepts its | |||
content ” . It is also established that the terms and conditions are of general application. | |||
to all "commercial relationships" of the interested party "with CaixaBank and the Group companies | |||
CaixaBank, and therefore, the subscription and validity of this Agreement, respecting the | |||
corresponding rights of choice that the Signatory grants the clause, is | |||
necessary for the contracting and maintenance of product or service contracts ” . | |||
The options or "choice" referred to in the previous paragraph have to do with | |||
consents collected in the clauses of the "Framework Contract" subject to its effective | |||
acceptance by the client, which must be provided during the contracting process and | |||
that are incorporated, once those options have been expressed by the client, to the data section | |||
personal and socioeconomic status of the bedside. It is about the consents for the | |||
processing of personal data that are requested from the interested party in clause 8 (outlined and | |||
segmented, receipt of commercial impacts and transfer to third parties). | |||
The information provided to the interested party in this document in relation to the | |||
protection of personal data is structured according to the legal basis that legitimizes the | |||
treatment of the data, dedicating section 7 to the treatments “based on the execution | |||
of contracts, legal obligations and legitimate interest and privacy policy ” , section 8 | |||
to the “treatment and transfer of data for commercial purposes by CaixaBank and the companies | |||
of the CaixaBank group based on consent ” . | |||
The aforementioned section 7 includes a subsection related to "data processing | |||
biometric in the electronic signature of documents ” and provides information on the | |||
"Treatments based on legitimate interest" , included as one of the headings of the | |||
Subsection that informs about data processing "for regulatory purposes" . | |||
For its part, section 8 reports on treatments based on the | |||
"Consent" , which CAIXABAN groups into the following three purposes, and also informs | |||
on the "data" that will be processed for the first two purposes of the aforementioned | |||
continuation: | |||
“(I) data analysis and study treatments for commercial purposes by CaixaBank and companies | |||
of the CaixaBank group | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 76 | |||
76/177 | |||
(ii) the treatments for the commercial offer of products and services by CaixaBank and the companies of the | |||
CaixaBank group | |||
(iii) the transfer of data to third parties ” . | |||
To what is indicated, sections 9 "Exercise of rights in matters of | |||
data protection ” and 10 “ Data Protection Delegate ” , as well as a subsection | |||
dedicated to the "Data conservation period" , inserted in section 11 referring to the | |||
duration, resolution and modification of the contract. | |||
Section 11 is not related to the procedure (applicable law and jurisdiction). AND | |||
section 13 corresponds to the signing of the document. Its label is “Digitization of the | |||
signature and identification documentation of the client ” and offers the following information: | |||
"The signature that the Signatory stamps at the bottom of this Contract, in addition to having the purpose of | |||
Acceptance of the content of this Contract, will be used for digitization and registration, in order to | |||
to serve as a basis for verifying signatures that are stamped on any document that is | |||
present to CaixaBank… ”. | |||
“[…] For the identification of the client by the entity's employees, the Signatory authorizes | |||
CaixaBank, expressly, the digitization and registration of its official identification document, which | |||
which includes the digitization of its image contained in the photograph that it incorporates ”. | |||
The following Law Fundamentals will not detail the content of the | |||
document called by CAIXABANK "Consent Agreement" | |||
("Authorization / Revocation"), since its structure and content coincide almost literally | |||
with Clause 8 of the “Framework Agreement” (the references that in these Fundamentals of | |||
Right are made to this clause 8 or section 8 serve equally to the "Contract of | |||
Consents ”, unless otherwise specified). However, the | |||
differences that can be seen between both documents. | |||
Likewise, the "Privacy Policy" document available on the CAIXABANK website, | |||
which is incorporated as Annex V, with thirteen sections, provides a generic information on the | |||
identity of the person in charge (without referring to the existence of a "common repository" to | |||
CAIXABANK and the Group companies), data collected, information obtained from | |||
browsing the web and mobile applications, purposes, legal basis that covers the | |||
data processing, security, data retention, assignments, transfers | |||
internations, data protection officer and rights of the interested party. It is interesting to highlight | |||
that this "Privacy Policy", when referring to uses based on consent, | |||
warns the interested party that they may use "all the data we have about you" ; and in the | |||
section "To whom is my data disclosed?" is informed about the exchange of information | |||
with companies of the CaixaBank Group. | |||
Finally, in relation to the obtaining and use of personal data of the | |||
interested in social networks or obtained from the aggregation service, is informed about data, | |||
purposes, treatments based on the consent and rights of the interested party. In the last | |||
In addition, it is informed about data processing based on legitimate interest and | |||
data retention. | |||
The full content of this information (except the sections excluded from analysis) | |||
It is reproduced in Annexes. | |||
V | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 77 | |||
77/177 | |||
Article 5 "Principles relating to treatment" of the RGPD establishes: | |||
"1.The personal data will be: | |||
a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and | |||
transparency"); | |||
b) collected for specific, explicit and legitimate purposes, and will not be further processed as | |||
manner incompatible with said purposes; in accordance with Article 89 (1), further processing | |||
of personal data for archival purposes in the public interest, scientific research and | |||
historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of | |||
purpose "); | |||
c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed | |||
("Data minimization"); | |||
d) accurate and, if necessary, updated; All reasonable steps will be taken to ensure that | |||
delete or rectify without delay personal data that are inaccurate with respect to the purposes | |||
for which they are processed ("accuracy"); | |||
e) maintained in a way that allows the identification of the interested parties for no longer than | |||
necessary for the purposes of processing personal data; personal data may | |||
be kept for longer periods provided they are treated exclusively for archival purposes | |||
in the public interest, scientific or historical research purposes or statistical purposes, in accordance with | |||
Article 89 (1), without prejudice to the application of technical and organizational measures | |||
regulations imposed by this Regulation in order to protect the rights and freedoms of the | |||
data subject ("limitation of the conservation period"); | |||
f) treated in such a way as to guarantee adequate security of personal data, including the | |||
protection against unauthorized or illegal processing and against its loss, destruction or damage | |||
accidental, through the application of appropriate technical or organizational measures ("integrity and | |||
confidentiality '). | |||
2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and | |||
able to prove it ('proactive responsibility') ”. | |||
In relation to the aforementioned principles, what is stated in the | |||
Recital 39 of the aforementioned RGPD: | |||
"39. All processing of personal data must be lawful and fair. For natural persons it should be | |||
totally clear that data is being collected, used, consulted or otherwise processed | |||
personal data that concern them, as well as the extent to which said data is or will be processed. He | |||
The principle of transparency requires that all information and communication regarding the treatment of said | |||
data is easily accessible and easy to understand, and that simple and clear language is used. Saying | |||
The principle refers in particular to the information of the interested parties about the identity of the person in charge | |||
treatment and the purposes thereof and the information added to ensure fair treatment and | |||
transparent regarding the affected natural persons and their right to obtain confirmation and | |||
communication of personal data concerning them that are subject to treatment. The | |||
natural persons must be aware of the risks, regulations, safeguards and rights | |||
relating to the processing of personal data as well as how to enforce your rights in | |||
relation to treatment. In particular, the specific purposes of the processing of personal data | |||
must be explicit and legitimate, and must be determined at the time of collection. The data | |||
Personal data must be adequate, relevant and limited to what is necessary for the purposes for which | |||
be treated. This requires, in particular, to ensure that their term of office is limited to a strict minimum. | |||
conservation. Personal data should only be processed if the purpose of the treatment could not | |||
be reasonably accomplished by other means. To ensure that personal data is not kept | |||
longer than necessary, the data controller must establish deadlines for its deletion or | |||
Periodic revision. All reasonable steps should be taken to ensure that they are rectified or | |||
delete personal data that are inaccurate. Personal data must be treated in a way | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 78 | |||
78/177 | |||
that guarantees adequate security and confidentiality of personal data, including for | |||
prevent unauthorized access or use of said data and the equipment used in the treatment ”. | |||
SAW | |||
Article 4 of the RGPD, under the heading "Definitions", provides the following: | |||
"2)" treatment ": any operation or set of operations carried out on personal data or | |||
sets of personal data, whether by automated procedures or not, such as collection, | |||
registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, | |||
use, communication by transmission, broadcast or any other form of access authorization, | |||
collation or interconnection, limitation, deletion or destruction ”. | |||
In accordance with these definitions, the collection of personal data through | |||
of forms enabled for this purpose constitutes data processing, with respect to which the | |||
data controller must comply with the principle of transparency, established | |||
in article 5.1 of the RGPD, according to which personal data will be “treated in a manner | |||
lawful, loyal and transparent in relation to the interested party (legality, loyalty and transparency) ” ; and | |||
developed in Chapter III, Section 1, of the same Regulation (articles 12 and following). | |||
Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible for | |||
treatment of taking the appropriate measures to "provide the interested party with all information | |||
indicated in articles 13 and 14, as well as any communication in accordance with articles | |||
15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way | |||
access, in clear and simple language, in particular any information addressed to a | |||
child". | |||
In the same sense, article 7 of the RGPD is expressed for cases in which the | |||
consent of the interested party is given in the context of a written statement, such as | |||
occurs in the present case. According to this article, said request for consent “is | |||
presented in such a way that it is clearly distinguished from other matters, in an intelligible way | |||
and easily accessible and using clear and simple language ” . It is added in this precept that | |||
no part of the declaration that constitutes an infringement of these Regulations will be | |||
binding. | |||
Article 13 of the aforementioned legal text details the “information that must be provided | |||
when the personal data is obtained from the interested party ” and the aforementioned article 14 is | |||
refers to the “information that must be provided when personal data has not been | |||
obtained from the interested party ” . | |||
In the first case, when the personal data is collected directly from the | |||
interested party, the information must be provided at the same time that that | |||
data Collect. Article 13 of the RGPD details this information in the following terms: | |||
1.When personal data relating to him are obtained from an interested party, the person responsible for the treatment, | |||
at the time these are obtained, you will provide all the information indicated below: | |||
a) the identity and contact details of the person in charge and, where appropriate, of their representative; | |||
b) the contact details of the data protection officer, if applicable; | |||
c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; | |||
d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the | |||
responsible or a third party; | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 79 | |||
79/177 | |||
e) the recipients or categories of recipients of the personal data, if applicable; | |||
f) where appropriate, the intention of the person responsible to transfer personal data to a third country or | |||
international organization and the existence or absence of an adequacy decision of the Commission, or, | |||
in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, paragraph | |||
second, reference to adequate or appropriate warranties and means of obtaining a copy of | |||
these or the fact that they have been borrowed. | |||
2. In addition to the information mentioned in section 1, the data controller will provide the | |||
interested party, at the time the personal data is obtained, the following information | |||
necessary to guarantee fair and transparent data processing: | |||
a) the period during which the personal data will be kept or, when this is not possible, the criteria | |||
used to determine this term; | |||
b) the existence of the right to request the data controller access to personal data | |||
relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the | |||
treatment, as well as the right to data portability; | |||
c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, | |||
letter a), the existence of the right to withdraw consent at any time, without affecting | |||
the legality of the treatment based on the consent prior to its withdrawal; | |||
d) the right to file a claim with a supervisory authority; | |||
e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement | |||
to sign a contract, and if the interested party is obliged to provide personal data and is | |||
informed of the possible consequences of not providing such data; | |||
f) the existence of automated decisions, including profiling, referred to in article | |||
22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as | |||
as the importance and expected consequences of said treatment for the interested party. | |||
3.When the controller plans the further processing of personal data for a | |||
purpose other than that for which they were collected, will provide the interested party, prior to said | |||
further processing, information on that other purpose and any additional information relevant to the | |||
of section 2. | |||
4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the | |||
interested party already has the information ”. | |||
Article 14 regulates the information that must be provided in relation to the data that | |||
are not collected directly from the interested party: | |||
"1. When the personal data has not been obtained from the interested party, the person responsible for the treatment | |||
will provide you with the following information: | |||
a) the identity and contact details of the person in charge and, where appropriate, of their representative; | |||
b) the contact details of the data protection officer, if applicable; | |||
c) the purposes of the processing to which the personal data are intended, as well as the legal basis of the | |||
treatment; | |||
d) the categories of personal data in question; | |||
e) the recipients or categories of recipients of the personal data, if applicable; | |||
f) where appropriate, the intention of the person responsible to transfer personal data to a recipient in a third | |||
country or international organization and the existence or absence of a decision on the adequacy of the | |||
Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, | |||
Section 1, second paragraph, reference to adequate or appropriate guarantees and the means to | |||
obtain a copy of them or the fact that they have been loaned. | |||
2. In addition to the information mentioned in section 1, the data controller will provide the | |||
interested party the following information necessary to guarantee fair data processing and | |||
transparent with respect to the interested party: | |||
a) the period during which the personal data will be kept or, when that is not possible, the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 80 | |||
80/177 | |||
criteria used to determine this term; | |||
b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the | |||
responsible for the treatment or a third party; | |||
c) the existence of the right to request the data controller access to personal data | |||
relating to the interested party, and their rectification or deletion, or the limitation of their treatment, and to oppose the | |||
treatment, as well as the right to data portability; | |||
d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, | |||
letter a), the existence of the right to withdraw consent at any time, without affecting | |||
to the legality of the treatment based on the consent before its withdrawal; | |||
e) the right to file a claim with a supervisory authority; | |||
f) the source from which the personal data come and, where appropriate, if they come from access sources | |||
public; | |||
g) the existence of automated decisions, including profiling, referred to in the | |||
Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic | |||
applied, as well as the importance and expected consequences of such treatment for the | |||
interested. | |||
3.The person responsible for the treatment will provide the information indicated in sections 1 and 2: | |||
a) within a reasonable period, once the personal data has been obtained, and at the latest within a | |||
month, taking into account the specific circumstances in which said data is processed; | |||
b) if the personal data are to be used for communication with the interested party, no later than the | |||
moment of the first communication to said interested party, or | |||
c) if it is planned to communicate them to another recipient, at the latest at the time the data | |||
personal information are communicated for the first time. | |||
4. When the person responsible for the treatment plans the subsequent treatment of personal data for | |||
a purpose other than that for which they were obtained, will provide the interested party, before said | |||
further processing, information on that other purpose and any other relevant information indicated in the | |||
section 2. | |||
5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that: | |||
a) the interested party already has the information; | |||
b) the communication of such information is impossible or involves a disproportionate effort, | |||
in particular for the treatment for archival purposes in the public interest, scientific research purposes | |||
or historical or statistical purposes, subject to the conditions and guarantees indicated in article 89, | |||
paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article | |||
may prevent or seriously impede the achievement of the objectives of such treatment. In such | |||
cases, the controller shall adopt adequate measures to protect the rights, freedoms and interests | |||
legitimate interests of the interested party, including making the information public; | |||
c) the obtaining or the communication is expressly established by the Law of the Union or of the | |||
Member States that applies to the controller and that establishes appropriate measures | |||
to protect the legitimate interests of the data subject, or | |||
d) when personal data must continue to be confidential on the basis of a | |||
obligation of professional secrecy regulated by the law of the Union or of the Member States, | |||
including an obligation of secrecy of a statutory nature ” . | |||
For its part, article 11.1 and 2 of the LOPDGDD provides the following: | |||
"Article 11. Transparency and information to the affected | |||
1. When personal data are obtained from the affected party, the person responsible for the treatment may give | |||
compliance with the duty of information established in article 13 of Regulation (EU) 2016/679 | |||
providing the affected party with the basic information referred to in the following section and indicating a | |||
electronic address or other means that allows easy and immediate access to the remaining | |||
information. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 81 | |||
81/177 | |||
2. The basic information referred to in the previous section must contain, at least: | |||
a) The identity of the person responsible for the treatment and their representative, if applicable. | |||
b) The purpose of the treatment. | |||
c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) | |||
2016/679. | |||
If the data obtained from the affected party were to be processed for profiling, the information | |||
You will also understand this circumstance. In this case, the affected party must be informed of | |||
your right to object to the adoption of automated individual decisions that produce effects | |||
legal acts on him or significantly affect him in a similar way, when this right to | |||
in accordance with the provisions of article 22 of Regulation (EU) 2016/679 ” . | |||
In relation to this principle of transparency, it also takes into account the | |||
expressed in Recitals 32, 39, reproduced in the previous Legal Basis, | |||
42, 47, 58, 60, 61 and 72 of the RGPD. Part of the content of these is reproduced below | |||
Considering ourselves: | |||
(32) Consent must be given by a clear affirmative act that reflects a manifestation of | |||
free, specific, informed, and unequivocal will of the interested party to accept the processing of data from | |||
personal character concerning you, such as a written statement, including by means | |||
electronic, or verbal statement. This could include checking a box on a website on the internet, | |||
choose technical parameters for the use of information society services, or | |||
any other statement or conduct that clearly indicates in this context that the interested party | |||
accepts the proposal for the treatment of your personal data. Therefore, the silence, the boxes already | |||
marked or inaction should not constitute consent. Consent must be given for all | |||
the treatment activities carried out with the same or the same purposes. When the treatment has | |||
various purposes, consent must be given for all of them. If the consent of the interested party has been | |||
to give as a result of a request by electronic means, the request must be clear, concise and not | |||
unnecessarily disturbing the use of the service for which it is provided. | |||
(42) When the treatment is carried out with the consent of the interested party, the person responsible for the | |||
treatment must be able to demonstrate that he has given his consent to the operation of | |||
treatment. In particular in the context of a written statement made on another matter, | |||
there must be guarantees that the interested party is aware of the fact that he gives his consent and | |||
to the extent that it does. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071), | |||
A model declaration of consent must be provided previously prepared by the | |||
responsible for the treatment with an intelligible and easily accessible formulation that uses a language | |||
clear and simple, and that does not contain abusive clauses. For the consent to be informed, the | |||
The interested party must know at least the identity of the person responsible for the treatment and the purposes of the | |||
treatment for which the personal data is intended. Consent must not | |||
be considered freely provided when the interested party does not enjoy a true or free choice or not | |||
You can deny or withdraw your consent without suffering any harm. | |||
(47) The legitimate interest of a data controller, including that of a controller who is | |||
may communicate personal data, or that of a third party, may constitute a legal basis for the | |||
treatment, provided that the interests or rights and freedoms of the interested party do not prevail, | |||
taking into account the reasonable expectations of the interested parties based on their relationship with the | |||
responsable. Such a legitimate interest could arise, for example, when there is a relevant relationship and | |||
appropriate between the interested party and the controller, as in situations in which the interested party is a client | |||
or is at the service of the person in charge. In any case, the existence of a legitimate interest would require a | |||
meticulous evaluation, including whether a data subject can reasonably foresee, at the time and in | |||
the context of the collection of personal data, which may be processed for this purpose. In | |||
In particular, the interests and fundamental rights of the interested party could prevail over the | |||
interests of the data controller when the personal data is processed in | |||
circumstances in which the interested party does not reasonably expect a treatment to take place | |||
further ... The processing of personal data strictly necessary for the prevention of | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 82 | |||
82/177 | |||
Fraud is also a legitimate interest of the data controller in question. He | |||
processing of personal data for direct marketing purposes can be considered carried out by | |||
legitimate interest. | |||
(58) The principle of transparency requires that all information directed to the public or the interested party be | |||
concise, easily accessible and easy to understand, and use clear and simple language, and, | |||
also, if applicable, it is displayed ... | |||
(60) The principles of fair and transparent treatment require that the interested party be informed of the | |||
existence of the treatment operation and its purposes. The data controller must provide the | |||
interested party as much additional information is necessary to guarantee fair treatment and | |||
transparent, taking into account the specific circumstances and context in which the data is processed | |||
personal. The interested party must also be informed of the existence of profiling and of | |||
the consequences of such elaboration. If the personal data is obtained from the interested parties, | |||
They should also be informed of whether they are obliged to provide them and of the consequences in the event that | |||
don't ... | |||
(61) Interested parties should be provided with information on the processing of their personal data in | |||
the time they are obtained from them or, if they are obtained from another source, within a reasonable time, | |||
depending on the circumstances of the case ... | |||
(72) Profiling is subject to the rules of this Regulation that govern the | |||
processing of personal data, such as the legal bases of the processing or the principles of | |||
Data Protection… | |||
CAIXABANK, according to proven facts, performs data processing | |||
personal data obtained from customers, directly or "indirectly" , as well as data | |||
personal data obtained from sources other than those interested or inferred by the | |||
entity. It is therefore obliged to provide information in the terms established in the | |||
RGPD and the LOPDGDD. | |||
- The information offered to CAIXABANK clients is not uniform. | |||
Analyzed the information on the protection of personal data offered by | |||
CAIXABANK, considering the various documents and channels through which it is offered, | |||
It is found that it is not uniform, not even in terminology, it is not offered with the same | |||
breadth to all clients and in all situations (in some cases the “Contract | |||
Marco ”, in others the“ Consent Agreement ”and for other clients only the“ Policy | |||
Privacy ”), and it is not updated in the same way in each case. | |||
CAIXABANK has argued that the duty of information is fulfilled with the "Contract | |||
Marco ”and not with the rest of the documents, which are merely complementary to that one, which | |||
are used at different times and scenarios, and not simultaneously, and are not intended to | |||
object to comply with what is mandated by article 13 of said Regulation, since they are addressed to clients | |||
already informed. | |||
However, this claim does not coincide with the checks carried out. It is true | |||
that the "Framework Contract" is the document used primarily, which also serves | |||
as a form for collecting personal data and for the provision of consents | |||
collected by CAIXABANK for commercial purposes. But it has been proven that the | |||
information on data protection was provided to some customers only | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 83 | |||
83/177 | |||
through the "Consent Agreement" and the "Privacy Policy", without them having | |||
signed the "Framework Contract". | |||
The "Consent Agreement", although it has been used and currently uses | |||
as a document to revoke and modify consents, it was conceived as a | |||
document to "authorize" data processing based on this legal basis, as well as | |||
than the "Framework Contract", and has not lost that character (its initial name was | |||
"Authorization for the processing of personal data for commercial purposes | |||
by CaixaBank, SA and companies of the CaixaBank Group ” ; and the current "Authorization / Revocation | |||
for the processing of personal data for commercial purposes by CaixaBank, | |||
SA and companies of the CaixaBank Group ” ). It is proven that the | |||
"Framework Contract" for the collection of consents, not in the case of all clients. | |||
The CAIXABANK entity itself, in its response to the Inspection Services of the | |||
Agency dated 07/17/2018, stated that the "Consent Agreement" is used, not | |||
only to modify the consents given, but also to collect them. He | |||
The claimant is an example of a client who has not signed the "Framework Agreement" and provided their | |||
consents through the "Consent Agreement", signed on 01/24/2018 and | |||
modified in May 2018, as could be seen in the inspection carried out on the | |||
11/28/2019 (as of this date, the claimant had not signed the “Framework Contract”) | |||
The same can be said of the "Privacy Policy" available on the website of the | |||
entity. Although it is indicated in the "Framework Contract" that includes "complementary information to | |||
the one provided in this contract ” , the Privacy Policy has also been the | |||
only information on protection of personal data that some clients have received, the | |||
which did not sign the “Framework Agreement” or the “Consent Agreement”. | |||
CAIXABANK was consulted in this regard by the Agency's Inspection Services | |||
on the procedures enabled to publicize the updated "Privacy Policy" | |||
to the RGPD to clients prior to the application of this rule and the mechanisms to collect | |||
your acceptance. In its response of 11/20/2019, CAIXABANK reported that said "Policy of | |||
Privacy ”is intended to provide complete information to customers who in May 2018 | |||
they had not signed the framework contract; and distinguishes since May 2018 the situations | |||
following: | |||
. The one corresponding to "pre-existing" clients who signed the "Framework Contract" or who | |||
received the "Privacy Policy". | |||
. That of new clients, who in their first relationship sign the "Framework Contract". | |||
In relation to the "Privacy Policy", you have provided details about your transfer to | |||
existing customers as of May 2018, specifically, the sending of 15,917,507 communications, | |||
of which 5,663,683 were made by postal mail and 10,253,824 through banking to | |||
distance with a warning pop up (“If you want to know more about our commitment to your | |||
data and your privacy, you have a statement available in your MailBox -Access MailBox ”). | |||
Also in its brief of allegations at the opening of the procedure, the aforementioned entity | |||
refers to clients prior to May 2018, distinguishing between those who have signed the | |||
“Framework Agreement”, those who have signed the “Consent Agreement” and those others to whom | |||
you asked and they didn't answer. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 84 | |||
84/177 | |||
On the other hand, these documents are not uniform in their content either, | |||
as will be described in the following sections and Fundamentals of Law. | |||
As an example of these differences, the | |||
valued between the "Framework Contract" and the "Consent Contract", being the most | |||
It is significant that this last document offers information basically equivalent to the | |||
Clause 8 of the "Framework Contract", so that customers who sign this document | |||
they do without having essential information. But this is not the only difference in terms of | |||
information content: | |||
. Version 2 of the "Consent Agreement" (Annex II) referred to the management of | |||
the data "from a common information repository of the CaixaBank Group Companies" | |||
that does not appear in the “Framework Contract” (this indication disappears in Version 3 of that | |||
document). | |||
. Differences regarding the exercise of rights, existence of a Protection Delegate of | |||
Data and the data retention period, which are detailed in the last two sections | |||
of this Legal Basis. | |||
. Version 3 of the "Consent Agreement", in the authorization (ii) of section | |||
corresponding to purpose 1 ( “Analysis, study and follow-up treatments for | |||
offer and design of products and services adjusted to the client profile ” ) the possibility is added | |||
to associate the data of the signer with those of other clients, which does not appear in the "Contract | |||
Framework". | |||
As can be seen, the different information that customers receive has to do with | |||
the document used in each case to provide the information, in addition to its different | |||
content, beyond the processes of updating those documents alleged by | |||
CAIXABANK to justify this deficiency. | |||
CAIXABANK says nothing about those circumstances in its brief of allegations to | |||
the proposal, in which it only indicates that said proposal seems to show that all | |||
clients have access to all documents and, uniquely, that all clients have both | |||
the "Consent Agreement" as the "Framework Agreement", which does not coincide with what | |||
exposed. | |||
CAIXABANK denies this lack of uniformity, but, at the same time, alleges that the | |||
improvement process that it has developed has been a co-honesty of all the | |||
documents. | |||
- | |||
Use of imprecise terminology and vague formulations | |||
In accordance with the foregoing, at the time of collecting personal data the | |||
data controller must provide interested parties with the information established in | |||
the cited standards, “in a concise, transparent, intelligible and easily accessible way, with a | |||
clear and simple language ” . | |||
CAIXABANK does not report clearly and systematically on data processing | |||
personal or the purposes for which they will be used. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 85 | |||
85/177 | |||
Sometimes information on key aspects such as categories of data | |||
personal processed, the purposes or the legal basis that enables the treatment, employs | |||
unclear and imprecise expressions, or vague formulations, with ambiguous meanings in | |||
some cases, and whose true scope is not developed; expressions that are repeated and that | |||
CAIXABANK uses to support different actions, treatments, purposes or | |||
legitimations. | |||
In addition, with some of these expressions, the data protection policy is | |||
shown as a benefit for the client, implying that its non-acceptance will mean | |||
loss of customer benefits. | |||
Expressions such as "get to know you better", "customize | |||
your experience "," commercial offers tailored to your needs and preferences "," improve the | |||
design and usability of the products "," products and services adjusted to your profile ", | |||
"Information generated from the products themselves", "analysis and study", "study products and | |||
services "or" design products and services "," for our own management "," give you a better | |||
service "," communicate your data to third parties with whom we have an agreement "," expectation | |||
reasonable to receive ”,“ management needs ”,“ analysis, study and follow-up for the offer | |||
and design of products and services adjusted to the profile ” . | |||
Nor can the interested party clearly deduce the meaning of these expressions from | |||
starting from the context in which the information is offered and the expression of will is collected | |||
of the interested party, or from the context of the contractual relationship that binds the | |||
interested party with the responsible entity. On this contextual basis or factual context, the | |||
client is not able to understand the data to be recorded or the meaning of the | |||
purposes pursued by CAIXABANK with the treatment, when these are not specified | |||
clearly, especially considering the variety and complexity of the purposes of the | |||
personal data processing carried out by CAIXABANK in its capacity as entity | |||
financial institution that occupies a relevant position in the market, which requires a | |||
additional when specifying the information on the aforementioned aspects. | |||
From all this it follows that the information offered in this matter is indeterminate in | |||
the aspects indicated and difficult to understand by any interested party, regardless of | |||
your qualifications, and demonstrates the extent to which you need to be an expert to understand | |||
such information and its scope. | |||
The terminology in those expressions, in short, is alien to compliance | |||
strict principle of transparency, and prevents interested parties from knowing the meaning and | |||
real meaning of the indications provided and the real scope of the consents that | |||
can be provided, which means understanding that the right to data protection has been violated | |||
personal, understood as the ability of the affected to decide on treatment. | |||
CAIXABANK, in its arguments at the opening of the procedure, limits itself to qualifying | |||
these arguments as subjective appraisals, with no evidence to show what | |||
understand or not the clients, adding that external work has been carried out to verify | |||
that the contractual documents can be easily understood by the average customer, the | |||
which does not contribute. | |||
However, in the opinion of this Agency, the lack of clarity of those formulas or | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 86 | |||
86/177 | |||
expressions is obvious and objective, as demonstrated by the difficulty of concluding | |||
its real and concrete scope. | |||
The expressions so repeated by CAIXABANK in the documents reviewed are | |||
include as examples of bad practices in the document of the Article Working Group | |||
29 “Guidelines on transparency under Regulation 2016/679” , adopted on | |||
11/29/2017 and revised on 04/11/2018. | |||
These Guidelines analyze the scope to be attributed to the elements of | |||
transparency established in article 12 of the RGPD, according to which the person responsible for the | |||
treatment will take the appropriate measures to "provide the interested party with all information | |||
indicated in articles 13 and 14, as well as any communication in accordance with articles | |||
15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way | |||
access, with clear and simple language ” , which must be related to what is expressed in | |||
Recital 39 of the aforementioned Regulation. From what is stated in these Guidelines, it is | |||
highlight at this time the following: | |||
"The requirement that the information be" intelligible "means that it must be understandable to the | |||
average member of the target audience. Intelligibility is closely linked to the requirement of | |||
use clear and simple language. A data controller who acts responsibly | |||
You will proactively get to know the people you collect information about and can use this | |||
knowledge to determine what said audience is likely to understand… ”. | |||
<< Clear and simple language | |||
In the case of “written” information »(and when written information is communicated verbally, or | |||
through auditory or audiovisual methods, also for people with vision problems), have | |||
to follow best practices to write clearly. The EU legislator has already used | |||
previously a similar linguistic requirement (appealing to the use of “clear and understandable terms”) and | |||
it is also explicitly mentioned in the context of consent in recital 42 | |||
of the RGPD. The obligation to use clear and simple language implies that the information must | |||
be facilitated in the simplest possible way, avoiding sentences and complex linguistic structures. The | |||
information must be concrete and categorical; should not be formulated in abstract or ambivalent terms | |||
nor leave room for different interpretations. Specifically, the purposes and legal basis of the treatment | |||
of personal data must be clear. | |||
Examples of Poor Practice | |||
The following statements are not clear enough regarding the purpose of the treatment: | |||
. "We may use your personal data to develop new services" (since it is not clear | |||
what “services” are treated and how the data will help to develop them); | |||
. "We may use your personal data for research purposes" (since it is not clear what type | |||
of "research" refers); and | |||
. "We may use your personal data to offer you personalized services" (since there is no | |||
clear what this "customization" implies). | |||
Examples of good practices | |||
. "We will retain your purchase history and use details of the products you have purchased | |||
above to suggest other products that we think might also interest you ”(it is clear that | |||
types of data will be processed, that the interested party will be the object of personalized product advertising and | |||
that your data will be used in this regard); | |||
. “We will retain and evaluate information about your recent visits to our website and how | |||
navigate through the different sections of the same in order to analyze and understand the use that the | |||
people make our website and be able to make it more intuitive ”(it is clear what type of data is | |||
will treat and the type of analysis that the person in charge is going to carry out); and | |||
. “We will keep a record of the articles on our website that you have clicked on and we will use | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 87 | |||
87/177 | |||
that information to personalize, from the articles you have read, the advertising that we show you | |||
on this website to suit your interests ”(it is clear what personalization entails and | |||
how the interests attributed to the interested party have been identified) >> . | |||
The foregoing must be interpreted, in any case, taking into account the principles | |||
established in article 5 of the RGPD, especially the principle of loyalty. Recital 42 | |||
of the same text also refers that the form in which the information is offered in | |||
Personal data protection must not contain unfair terms. | |||
- Information on the processing of personal data based on the relationship | |||
contractual. | |||
In the section dedicated to purpose 1 "Management of business relationships" , | |||
CAIXABANK informs about the treatment of the following personal data: | |||
. The personal data provided by the client. | |||
. Personal data derived from business relationships. | |||
. Personal data derived from commercial relationships of CAIXABANK and | |||
CaixaBank Group companies with third parties (this section does not refer to the relationship | |||
business of the interested party / client with CAIXABANK, but to relationships of this entity and those that | |||
make up the Group with third parties; without explaining the nature of these relationships with third parties and | |||
without specifying what data of these relationships are necessary for the execution of the contract | |||
subscribed by the interested party / client, nor who is the owner of that data). | |||
. Personal data "made from them" (without specifying if it refers to the last | |||
indicated or all of the above). | |||
. Digitization and registration of identification documents and signature. | |||
It is estimated that the information included in this section should be rectified and | |||
suitably completed in such a way that it allows to assess and determine with certainty if the | |||
outlined treatments can be covered by this legal basis (the execution of the contract) or, | |||
on the contrary, its collection and subsequent treatment requires the consent of the interested party. Is | |||
It is necessary to know what CAIXABANK understands by data derived from the relationships | |||
commercial or data "made from them" and what use is given to them for the | |||
fulfillment of the contractual relationship. | |||
Likewise, it is necessary to point out the confusion that it produces on the legal basis of the | |||
treatment (treatments for the execution of the contract or based on consent) the | |||
Mention made in this section to "Commercial Relations" and what CAIXABANK | |||
called "commercial purposes". The sub-section label indicates “Treatments of | |||
personal data in order to manage business relationships " , within | |||
a more general section relating to processing "based on the performance of the contract" , | |||
while the text also refers to the treatments that the signer accepts | |||
for commercial purposes. The text reads like this: "The personal data of the signer ... | |||
will be incorporated ... to be treated in order to comply with and maintain the | |||
themselves (commercial relations) , verify the correctness of the operation and the purposes | |||
commercials that the signer accepts in this contract ” . | |||
- Information on the categories of personal data subjected to treatment; | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 88 | |||
88/177 | |||
and on the specific categories of personal data that will be processed for each | |||
one of the specific purposes. | |||
The information offered is incomplete in relation to key aspects, such as the | |||
categories of personal data processed. | |||
In accordance with the criteria stated by the European Committee for the Protection of | |||
Data, that information would be necessary in relation to those data processing whose | |||
legal basis is determined by the consent of the interested party. This is how the Group understood it | |||
of Article 29 in its document “Guidelines on consent under the | |||
Regulation 2016/679 ” , adopted on 11/28/2017, revised and approved on 04/10/2018 (these | |||
Guidelines have been updated by the European Data Protection Committee on | |||
05/04/2020 through the document “Guidelines 05/2020 on consent in accordance with | |||
to Regulation 2016/679 ” , which keeps the parts that are transcribed literally identical | |||
then). | |||
The Article 29 Working Group draws its conclusions from the definition | |||
of the "consent" contained in article 4 of the RGPD, which is expressed in the terms | |||
following: | |||
"11)" consent of the interested party ": any manifestation of free will, specific, informed and | |||
unequivocal by which the interested party accepts, either through a declaration or a clear action | |||
affirmative, the processing of personal data that concerns him ” . | |||
From this definition, they are specified as necessary elements for the validity of the | |||
consent to the following: | |||
. Manifestation of free will | |||
. specific | |||
. informed and | |||
. unequivocal by which the interested party accepts, either through a declaration or a clear | |||
affirmative action, the processing of personal data concerning you. | |||
In relation to the element "manifestation of specific will" it is said: | |||
“3.2. Specific manifestation of will | |||
(…) | |||
Ad. ii) The consent mechanisms should not only be separated in order to comply with the | |||
"free" consent requirement, but must also comply with the consent requirement | |||
"specific". This means that a data controller seeking consent to | |||
several different purposes, it must facilitate the possibility of opting for each purpose, so that users | |||
can give specific consent for specific purposes. | |||
Ad. iii) Finally, the data controllers must provide, with each request for | |||
separate consent, specific information about the data that will be processed for each purpose, with the | |||
In order for the interested parties to know the impact of the different options they have. Of this | |||
Thus, data subjects are allowed to give specific consent. This question overlaps with the | |||
requirement that those responsible provide clear information ”. | |||
Furthermore, consent, to be valid, must be informed. This item is | |||
analyzed in the aforementioned "guidelines" as follows: | |||
3.3. Informed manifestation of will | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 89 | |||
89/177 | |||
The GDPR reinforces the requirement that consent must be informed. In accordance with the | |||
Article 5 of the RGPD, the requirement of transparency is one of the fundamental principles, | |||
closely related to the principles of loyalty and lawfulness. Provide information to interested parties | |||
before obtaining their consent is essential so that they can make informed decisions, | |||
understand what they are authorizing and, for example, exercise your right to withdraw your | |||
consent. If the person in charge does not provide accessible information, the user's control will be | |||
illusory and consent will not constitute a valid basis for the processing of the data. | |||
If the requirements for informed consent are not met, the consent will not be valid | |||
and the person in charge may be in breach of article 6 of the RGPD. | |||
3.3.1. Minimum content requirements for consent to be "informed" | |||
For the consent to be informed, it is necessary to communicate to the interested party certain elements that | |||
they are crucial to choosing. Therefore, the WG29 believes that it requires, at least, the information | |||
following to obtain valid consent: | |||
i) the identity of the data controller, | |||
ii) the purpose of each of the processing operations for which consent is requested, | |||
iii) what (type of) data will be collected and used, | |||
iv) the existence of the right to withdraw consent, | |||
v) information on the use of the data for automated decisions in accordance with article | |||
22, paragraph 2, letter c), where relevant, and | |||
vi) information on the possible risks of data transfer due to the absence of a | |||
decision of adequacy and adequate guarantees, as described in article 46 >> . | |||
The information provided in the "Framework Agreement" on the types of data | |||
personal data of clients who undergo treatment is not contained, in general, in | |||
a specific section, but is included in each of the sections outlined at the | |||
detail the structure of the document, articulated around the legal bases, purposes and | |||
Intended data processing. | |||
In view of the interpretive criteria on the notion of "informed consent" | |||
offered by the European Data Protection Committee, it is considered that CAIXABANK does not | |||
provides sufficient information on the type of data that will be submitted to | |||
treatments whose legal basis is the consent of the interested parties. | |||
This insufficiency is observed in the "Framework Contract" and in the "Contract of | |||
Consents "in relation to the purposes of" data analysis and study " and " for the | |||
commercial offer of products and services ” , which are reported in section 8 | |||
"Treatment and transfer of data for commercial purposes by CaixaBank and the companies of the | |||
CaixaBank Group based on consent ” . In this section it is indicated that they will be treated: | |||
among others, the following data: | |||
“B) All those generated in the contracting and operations of products and services with CaixaBank, | |||
with the CaixaBank Group Companies or with third parties, such as account or card movements, | |||
details of direct debits, payroll direct debits, claims derived from insurance policies | |||
insurance, claims, etc. ”. | |||
"G) Those obtained from the signer's navigations through the digital banking service and other websites of | |||
CaixaBank and the CaixaBank Group Companies or the CaixaBank mobile phone application and the | |||
Companies of the CaixaBank Group, in which duly identified operates. This data may include | |||
information related to geolocation. | |||
h) Those obtained from chats, walls, videoconferences or any other means of communication | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 90 | |||
90/177 | |||
established between the parties ”. | |||
All this refers to the data processed by reason of the products and services | |||
contracted, so that, although these are known by the user, he cannot know the | |||
that will be selected from the use of such products and services. The same can be said | |||
Regarding the navigation data and those obtained from the communications that are | |||
established between the client and the entity. | |||
This information warns the interested party that CAIXABANK may treat "all" | |||
data that "are generated in the contracting and operations of products and services". | |||
Here are some examples, preceded by the expression "such as" and ending | |||
with the expression , "etc." , the use of which should be avoided when offering information on | |||
Data Protection. | |||
Nor are the examples given descriptive enough to | |||
understand the categories of data that will be processed ( "transactions", "receipts", "payroll", | |||
" Claims" and "claims" ) . In relation to "direct debit" it is indicated that | |||
they will deal with the “details” of the same; and with respect to all these examples it is indicated, as already | |||
it has been said that "all" data will be processed . | |||
In view of this information, it is clear that CAIXABANK will process data | |||
personnel generated in the contracting and operation of products and services contracted with | |||
that entity. | |||
With this information it is not clear what personal data CAIXABANK will record | |||
for each “movement”, “receipt”, “payroll”, “claim” or “claim” (will the concept | |||
and issuer corresponding to the payment of a union fee?). It could even happen that the | |||
information collected by the responsible entity from the products and services | |||
contracted was composed of sensitive data or special categories of data | |||
personal, for example, the aforementioned union dues or dues paid to parties | |||
politicians, or to religious entities, or for the use of services provided by entities | |||
sanitary or religious. | |||
It is not concluded that CAIXABANK processes personal data such as those | |||
indicated in the previous paragraph. It is said here, simply, in a foundation that analyzes the | |||
information offered by CAIXABANK to its clients, that this information is defective in the | |||
insofar as it does not allow the recipient of the information to know with certainty all the | |||
categories of personal data that will be used by that entity and that, even, the | |||
repeated information, due to its lack of specificity, could be covering a collection | |||
and unacceptable processing of personal data. | |||
The "Privacy Policy" also refers to the use of data | |||
generated from the contracted products and services ( “Basically, your data is | |||
identification and details of the professional or work activity, your contact information and the | |||
financial and socioeconomic data, both those that you have provided us and those that | |||
generated from the products or services contracted. Also… we may process data that | |||
we obtain from the provision of services to third parties when you are the recipient of the | |||
service… ” ) . | |||
Also when referring to the personal data that will be used for treatment of | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 91 | |||
91/177 | |||
data based on the legitimate interest of the entity, the "Framework Contract" informs about the use | |||
of information "generated from the products contracted during the last year". In | |||
This section of the “Framework Contract” regarding legitimate interest states: | |||
“We will also treat your information (account movements, card movements, loans, etc.) | |||
to personalize your commercial experience in our channels based on previous uses, to | |||
offer you products and services that fit your profile, to apply benefits and promotions that | |||
we have in force and to which you are entitled, and to assess whether we can assign you credit limits | |||
pre-granted that you can use when you consider it most appropriate. | |||
In these treatments we will only use information provided by you, or generated from the | |||
own products contracted during the last year ”. | |||
In this case, insufficient information on the categories of data to be processed is not | |||
related to the need for informed consent, given that it concerns | |||
treatments based on the legitimate interest of the entity. However, the | |||
possible relationship between these processing of personal data based on the interest | |||
legitimate and the treatments based on the consent of the interested parties. The use of | |||
Personal data based on legitimate interest gives rise to the creation of profiles, which can | |||
be later used for treatment with commercial purposes based on the | |||
consent of the interested parties; and such personal data, including those outlined, will be | |||
communicate to the companies of the CaixaBank Group. This being the case, the defects in the information | |||
in relation to the processing of data based on legitimate interest equally affect the | |||
validity of consent. | |||
The obligation to report on the category of data that will be submitted to | |||
treatment is breached also in relation to the data that are not provided to the | |||
responsible for the interested party, but are obtained by him from external sources or are | |||
inferred by the entity itself. Provide information on the types of personal data | |||
submitted to treatment that are not collected directly from the interested parties is required | |||
expressly in article 14.1 d) of the RGPD. | |||
As detailed above, CAIXABANK not only uses personal data | |||
generated in the contracting and operation of products and services contracted with that | |||
entity, but also those generated from products and services contracted by the interested party | |||
with third parties ( “All those generated in the contracting and operations of products and | |||
services… with the CaixaBank Group Companies or with third parties ” ). In relation to these | |||
data, the same examples mentioned above are detailed ( "movements", "receipts", | |||
"Payroll", "claims" and "claims" ), on which the aforementioned objections serve | |||
regarding them. | |||
It follows that CAIXABANK, under the condition of data controller, | |||
collects and uses personal data that it does not obtain directly from the interested parties. Is about | |||
personal data from third parties that CAIXABANK uses for the purposes | |||
expressed in the information provided to the interested parties. | |||
This is not the only allusion to personal data obtained from third parties, external sources | |||
or inferred by the CAIXABANK entity contained in the "Framework Contract": | |||
. In relation to the treatments necessary for the execution of the contract, information is provided on the | |||
incorporation into the entity's files of data derived from the relationships | |||
commercial of CAIXABANK and the companies of the Group with third parties; and data made | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 92 | |||
92/177 | |||
from the above. | |||
. In the section that informs about "Treatment of personal data with | |||
regulatory purposes ” , the following references are included: | |||
“ (Ii) Verifications will be made of the information provided by the Signatory, contrasting it with | |||
external sources, such as the databases of the General Treasury of Social Security or | |||
other public bodies, Public Registries, Official Gazettes, or companies that provide | |||
Information services". | |||
“(Iv) The information available to you regarding the Signatory will be exchanged (assigned and received) with | |||
the CaixaBank Group companies | |||
(v) The current or past performance of positions of public responsibility will be verified by the | |||
signatory. | |||
(vi) The relationship of the Signatory with companies will be verified with internal and external sources and, | |||
case, its position of control in the ownership structure of the same. | |||
(vii) The Signatory will be classified in different degrees in accordance with the Admission Policy of | |||
Clients, based on the information provided and that resulting from the operations carried out by the | |||
Signatory". | |||
. In the same sub-section regarding data processing for regulatory purposes | |||
It is also reported on the consultation of data registered in compliance files or | |||
breach of monetary obligations (erroneously included in this subsection) and the | |||
Risk Information Center of the Bank of Spain, CIRBE (erroneously included in | |||
this subsection): | |||
“7.3.3 Communication with files of compliance or non-compliance with monetary obligations. | |||
The Signatory is informed that CaixaBank, in the study of the establishment of Commercial Relations, | |||
You can consult information in compliance files or non-compliance with obligations | |||
money ”. | |||
“7.3.4 Communication of data to the Risk Information Center of the Bank of Spain | |||
The Signatory is informed of the right that CaixaBank SA assists to obtain from the Central | |||
Risk Information of the Bank of Spain (CIR) reports on the risks it may have | |||
registered in the study of the establishment of Commercial Relations ”. | |||
. In section 8, regarding data processing based on consent (and | |||
also in the "Consent Agreement") it is expressly added that the data of the | |||
client "may be complemented and enriched by data obtained from companies | |||
providers of commercial information, by data obtained from public sources, as well as by | |||
statistical, socioeconomic data (hereinafter, "Additional Information") always | |||
verifying that they comply with the requirements established in the current regulations on | |||
data protection ” , without providing any details about the categories of personal data that | |||
they will be obtained from these external sources. | |||
Also, the Privacy Policy "includes information on data processing | |||
of health "in the marketing of certain insurance products (health, life ...)" . On | |||
these personal data, it is clarified that the person responsible is the insurance company: | |||
“When we market these products, the person responsible for health data is the company | |||
insurance company, therefore we want you to know that all insurance companies whose products | |||
we commercialize respect and strictly comply with the data protection regulations ”. | |||
With the information provided, as indicated above, it is not clear what | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 93 | |||
93/177 | |||
Personal data are processed or what data CAIXABANK will record. | |||
The use by CAIXABANK of personal data from products and | |||
services of third parties, from external sources or inferred by the entity itself, requires that | |||
provide interested parties with the appropriate information and have a legal basis that protects | |||
the treatment. | |||
It should be noted that the obtaining of personal data is not questioned in this case | |||
from files of compliance with monetary obligations and CIRBE to manage | |||
the products and services contracted, provided that it is necessary for the execution of the | |||
contract. This is the basis that determines access to this information. | |||
However, the use of these personal data by CAIXABANK is not | |||
limits to checking the situation of the interested party for the formalization of an operation of | |||
risk, but also with the purposes based on consent. Given | |||
that in clause or section 8 information is provided on the treatment of "all" the data provided | |||
in the establishment or maintenance of commercial or business relationships, it is estimated | |||
from CAIXABANK to report on the specific categories of personal data that | |||
will be obtained from the files of compliance or non-compliance with monetary obligations and | |||
of the CIRBE. | |||
On the other hand, in the case of personal data from products and services of | |||
third parties, the responsibility for these personal data corresponds to the entity that owns the | |||
product purchased by the interested party or provider of the service contracted by the same. | |||
When it comes to third-party products or services marketed by | |||
CAIXABANK, as in the case of insurance products, this entity accesses such data | |||
under the condition of person in charge of treatment, for her mediating intervention. This Agency | |||
questions the use of this data by that entity and for the purposes that | |||
are indicated, considering that they are not own products. The condition of manager | |||
treatment under which CAIXABANK intervened in these cases limits the possibility of | |||
use the information in question for their own purposes. | |||
In short, personal data is collected and processed without the owners of the same | |||
be aware that CAIXABANK is accessing them to register them in their | |||
information systems, subjects them to treatments about which the client is not informed | |||
in a clear, precise and simple way, and with non-explicit and undetermined purposes, against | |||
of the principles related to the treatment established in article 5 of the RGPD (loyalty, | |||
limitation of the purpose and minimization of data), since, from the information | |||
facilitated, considering their inconcretion, the interested party cannot know, as the | |||
Constitutional Court, “to what use is it being destined and, on the other hand, the power to oppose | |||
that possession and uses ” . This lack of precision renders the information provided ineffective | |||
about the data processing that is intended. | |||
What is indicated above contrasts with the information provided through the website of | |||
the entity on the personal data collected from social networks: | |||
. Twitter: Name, username, tweets, and user profile information, including biography and | |||
location information. | |||
. Facebook: User ID, email address, gender, date of birth, city | |||
current, and preferences expressed by you by clicking on "Like" (or Likes). | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 94 | |||
94/177 | |||
. Linkedin: Registered user, name and surname, email address, profile URL, | |||
Profile information and Groups. | |||
And not only does it not specify what data will be processed, but it also does not | |||
duly informs in all cases about the specific categories of personal data | |||
that will be treated for each of the specified purposes. | |||
The need to complete the information offered to customers in the sense | |||
expressed is especially relevant when it comes to data not provided by the | |||
customer, but inferred by the entity itself from the use of products, services and channels. | |||
It cannot be accepted that all information is intended for all uses, that all data | |||
collected, from the interested party or third parties, or inferred can be used for all | |||
purposes, without delimiting. | |||
This occurs in relation to the purpose expressed in section 8 of the "Contract | |||
Marco ”and in the“ Consent Agreement ”regarding the “ transfer of data to third parties ” with the | |||
consent as a legal basis. With the information provided it is not possible that the | |||
interested party has a clear idea about the personal data that will be transferred to the entities of | |||
the sectors indicated . | |||
In this regard, the Opinion of the aforementioned Article 29 Working Group, | |||
"Guidelines on consent under Regulation 2016/679" , adopted on | |||
11/28/2017, revised and approved on 04/10/2018, and revised again in May 2020, | |||
When referring to the obligation to inform about the data that will be collected and used, it refers to | |||
Opinion 15/2011 on the definition of consent, as “manifestation of | |||
specific will ” : | |||
“To be valid, consent must be specific. In other words, consent | |||
indiscriminate without specifying the exact purpose of the treatment is not admissible. | |||
To be specific, consent must be understandable: clearly and precisely refer to the | |||
scope and consequences of data processing. It cannot refer to an indefinite set of | |||
treatment activities. This means, in other words, that consent applies in a | |||
limited context. | |||
Consent must be given in relation to the various aspects of the treatment, clearly | |||
identified. This implies knowing what the data are and the reasons for the treatment. This knowledge | |||
It should be based on the reasonable expectations of the parties. Therefore, the "specific consent" | |||
it is intrinsically related to the fact that consent must be informed. Exists | |||
a requirement of precision of consent with respect to the different elements of the treatment of | |||
data: it cannot be claimed to encompass "all legitimate purposes" pursued by the controller | |||
treatment. The consent must refer to the treatment that is reasonable and necessary in | |||
relationship with the purpose ”. | |||
In General, as has been said, the principle of transparency should be understood as a | |||
fundamental aspect of the principles of lawful and fair treatment. It is interesting to reiterate | |||
expressed in Recitals 39 and 60 and the references they contain to the need to | |||
provide information to ensure fair and transparent treatment: | |||
"39. All processing of personal data must be lawful and fair. For natural persons it should be | |||
totally clear that data is being collected, used, consulted or otherwise processed | |||
personal data that concern them, as well as the extent to which said data is or will be processed ... Said | |||
The principle refers in particular to the information of the interested parties about the identity of the person in charge | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 95 | |||
95/177 | |||
treatment and the purposes thereof and the information added to ensure fair treatment and | |||
transparent regarding the affected natural persons and their right to obtain confirmation and | |||
communication of personal data concerning them that are subject to treatment. The | |||
natural persons must be aware of the risks, regulations, safeguards and rights | |||
relating to the processing of personal data ”. | |||
"60. The principles of fair and transparent treatment require that the interested party be informed of the | |||
existence of the treatment operation and its purposes. The data controller must provide the | |||
interested party as much additional information is necessary to guarantee fair treatment and | |||
transparent, taking into account the specific circumstances and context in which the data is processed | |||
personal ”. | |||
And in the also cited document of the Working Group on Article 29 "Guidelines | |||
on transparency under Regulation 2016/679 ” , adopted on 11/29/2017 and | |||
revised on 04/11/2018, which analyzes the scope to be attributed to the principle of | |||
transparency, it indicates: | |||
“A fundamental consideration of the principle of transparency outlined in these provisions is that | |||
the interested party must be able to determine in advance the scope and consequences derived from the | |||
treatment, and that you should not be surprised at a later time by the use that has been made of | |||
your personal information". | |||
In relation to the information about the category of personal data that are | |||
collected and used by CAIXABANK, alleges that article 13 of the RGPD does not require | |||
provide data subjects with this information on a mandatory basis, although, however, | |||
offers a sufficiently descriptive list of the types of data that are treated based on the | |||
consent, in accordance with the provisions of the Guidelines 05/2020 on the | |||
consent in accordance with Regulation 2016/679, of the European Committee for the Protection of | |||
Data (CEPD). | |||
Likewise, it alleges (i) that the information it provides on the treatment of | |||
data on movements, receipts, payroll, claims and claims, considering that | |||
It deals with products and operations of the client, who knows the information they include; and (ii) that | |||
that information does not include sensitive data. | |||
In this regard, it warns that the obligation that the AEPD intends to impose would entail, | |||
one hand, the need to report on specific data, which would imply information fatigue | |||
difficult to beat; and, on the other hand, it would also mean informing about what is not done, in | |||
based on a suspicion of processing of sensitive data. | |||
This claim cannot be upheld, in accordance with the arguments already presented. | |||
in this section. This Agency considers that the review of those concepts (movements, | |||
receipts, payroll, claims and claims), without including the detail of the data categories | |||
they include, it is insufficient to understand the obligation to report on the | |||
categories of personal data that are collected and subjected to treatment and, ultimately, | |||
so that the interested party can have the essential and necessary information for taking their | |||
decisions and understand what you are authorizing, as well as for the exercise of your rights. | |||
Without forgetting that those concepts are included as examples, preceded by the | |||
expression "such as" and followed by the term "etc." . | |||
Regarding the suspicion of this Agency about the possibility that CAIXABANK | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 96 | |||
96/177 | |||
could be protecting, with the information offered, the collection and treatment of categories | |||
special data, it must be reiterated that it results from the information itself offered in | |||
the documents object of the proceedings. On the one hand, it is said that data may be obtained | |||
of products and services contracted by the client, “such as account movements or | |||
cards, details of direct debits, direct debits…, etc. " , and on the other hand, | |||
It is also indicated that “all the data generated in the contracting and | |||
operational ” of those products and services. Then, nothing prevents understanding that they could | |||
collect by CAIXABANK categories of data such as issuer and concept of receipts | |||
domiciled, which could refer to the payment of a union dues, payments to an entity | |||
of health care, fees to a political party or donations to a religious entity, | |||
civil society associations or political activism groups, which could serve to promote | |||
link the interested party with certain ideological positions, race, religion, etc. | |||
In any case, this question has not determined any imputation to | |||
CAIXABANK for data processing of this nature, although this | |||
circumstance, as has been said, to the extent that the information provided is | |||
defective and could serve as cover for the collection and processing of personal data | |||
unacceptable. | |||
The aforementioned serves both to obtain personal data | |||
generated in the contracting of products and services with CAIXABANK, such as those generated | |||
in contracting products and services with third parties. | |||
On the other hand, in relation to information on the category of personal data | |||
that are not obtained from the interested party, CAIXABANK claims that it complies with this obligation | |||
informing in Clause 8 of the "Framework Contract" when it is indicated that "the data of the signer | |||
may be complemented and enriched by data obtained from companies providing | |||
commercial information, by data obtained from public sources, as well as by data | |||
statistical, socioeconomic (hereinafter, "Additional Information") always verifying that | |||
These comply with the requirements established in the current regulations on the protection of | |||
data ” . | |||
However, with this information the interested party does not have details about the types of | |||
data that will be collected from these external sources or how they will be supplemented and | |||
enriched. It is not enough for these purposes to indicate that data will be collected from | |||
external sources, from supplier companies or public sources, which are not categories of | |||
personal information; nor is it sufficient to indicate that the customer's data is | |||
will be complemented with statistical and socioeconomic data without further detail that delimits the | |||
categories to actually be covered. | |||
Nothing is indicated either by CAIXABANK in its allegations about the data | |||
made from all of the above. | |||
It is also alleged by CAIXABANK that this information cannot be required in | |||
relationship with the categories of data that are treated based on legitimate interest. However, | |||
this Agency does not require this information as expressed by CAIXABANK. What I know | |||
defends is the need to inform in such cases when the information processed based on the | |||
legitimate interest, including the profiles prepared with this legal basis, is also used | |||
for consent-based treatments. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 97 | |||
97/177 | |||
Similarly, in the case of interest-based personal data processing | |||
made with personal data that were not obtained from the interested party, the obligation | |||
to inform about the categories of personal data used in this treatment comes | |||
also determined by the provisions of article 14 of the RGPD. | |||
Also in relation to information on categories of personal data | |||
CAIXABANK warns that it improves the information in its new Privacy Policy . There is not | |||
more than seeing the information on data categories that CAIXABANK has included in this | |||
new document, contributed to the proceedings together with its allegations to the | |||
resolution, to understand that the analyzed information cannot be understood as satisfactory, | |||
that it is not enough to refer to account movements or cards, receipts, | |||
payroll, claims and claims. Some examples taken from this new Policy serve | |||
of Privacy to illustrate about categories of data that CAIXABANK does not detail in the | |||
documents object of the present proceedings, nor could the interested party deduce from the | |||
information provided: family unit or circle; tax data; tax data; | |||
information on investments made and their evolution; or grouping of clients in | |||
categories and segments based on age, assets, operations, consumption habits, | |||
preferences, demographics. | |||
Finally, CAIXABANK considers that the incorporation of all that information | |||
relating to the type of data would lead to an excessively long document, | |||
liable to cause information fatigue in the interested parties. The WG29 Guidelines on | |||
Transparency recommend avoiding that consequence, but such a purpose cannot be taken | |||
as a justification for omitting necessary information. It forces the information to be structured | |||
adequately, but not limit it. | |||
These Guidelines require data controllers to demonstrate responsibility | |||
proactively in the development and use of methods to comply with the requirements of | |||
transparency that avoid the fatigue of the interested party. Although they offer numerous | |||
recommendations and examples of different modalities to provide information, | |||
warns that the data controllers are the ones who decide the tools of | |||
information they use. | |||
- Information on the purposes to which the personal data of the | |||
clients and the legal basis of the treatment. Confusion of legal bases. | |||
Regarding the purposes to which the personal data of the clients will be used and | |||
the legal basis of the treatment, the entity CAIXABANK, in the "Framework Contract" refers | |||
Similar treatments in relation to different purposes, protected by the legitimate interest | |||
in some cases and in consent in others. This may mean that a treatment is not | |||
consented by the interested party is finally carried out under the legitimate interest of the | |||
responsible, undermining the ability of customers to decide on the destination of their | |||
personal information. | |||
In relation to the treatments based on legitimate interest, information is provided | |||
on the purposes in the following terms: | |||
. “We will send you updates and information about products or services similar to those already | |||
have contracted ”. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 98 | |||
98/177 | |||
. "Personalize your commercial experience in our channels based on previous uses" | |||
. "Offer you products and services that fit your profile." | |||
. "Apply benefits and promotions that we have in force and to which you are entitled" | |||
. "Evaluate if we can assign pre-granted credit limits." | |||
In relation to treatments based on consent, information is provided | |||
on the purposes in the following terms: | |||
. "Study products or services that can be adjusted to your profile and business or credit situation" | |||
. "Make commercial offers tailored to your needs and preferences" | |||
. "Design new products or services" | |||
. “Define or improve user experiences in their relationship with CaixaBank and the Companies of the | |||
CaixaBank Group ”. | |||
. “Send commercial communications both on paper and by electronic or telematic means, | |||
relating to the products and services that, at any given time: a) CaixaBank or any of | |||
the CaixaBank Group Companies b) market other companies in which CaixaBank owns and | |||
third parties". | |||
The information offered can cause confusion, to an average citizen, about the | |||
legal basis that justifies the treatment, in the sense expressed. | |||
In this case, (…) it appears that this entity was aware of the deficiencies | |||
described above, assessed in relation to the information on the legal basis of the | |||
treatment. | |||
(…) | |||
On the other hand, in the document by which the client signs the registration in the | |||
aggregation service the customization of offers is included as an object of the contract | |||
adjusted to the profile and situation of the contractor by CAIXABANK and the | |||
improvement of risk analysis and suitability for contracting products and services | |||
requested by the contractor and the improvement of the management of defaults and incidents derived from | |||
the products and services contracted; and among the treatments that are cited for the purpose of | |||
managing the service includes improving the management of non-payments and incidents and the | |||
product tracking; while the "Framework Contract" requires the | |||
Client consent to carry out personal data processing with these | |||
purposes (the mention of the treatments indicated in the object of the service contract | |||
aggregation and in relation to service management has been removed in the new version of | |||
this contract provided by CAIXABANK with its statement of allegations). | |||
The information on the purposes, in general, is closely linked to the principle of limitation of | |||
the purpose, regulated in article 5.1 b) of the RGPD, which establishes the following: | |||
"1. The personal data will be: | |||
b) collected for specific, explicit and legitimate purposes, and will not be further processed as | |||
manner incompatible with said purposes; in accordance with Article 89 (1), further processing | |||
of personal data for archival purposes in the public interest, scientific research and | |||
historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of | |||
purpose ")". | |||
The importance of this principle is determined by its object, which is none other than | |||
establish the limits within which personal data can be processed and the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 99 | |||
99/177 | |||
extent to which they can be used, as well as determining the data that can be collected. | |||
To be "explicit" , an end must be unequivocal and clearly stated, in detail | |||
enough for the interested party, any interested party, to know in a certain way how they will be or | |||
data not processed and favoring the exercise of their rights and the evaluation of the | |||
compliance with regulations. To be "explicit" , the purpose must also be disclosed, as | |||
that must take place at the time the personal data is collected | |||
On this issue, the Article 29 Working Group ruled in its Opinion | |||
03/2013, on limitation of purposes. In this work, it was considered that they should be rejected, | |||
by nonspecific, the purposes expressed with vague or too general formulas, | |||
such as "improving user experience" , "marketing purposes" or | |||
"Future research". | |||
This Opinion indicates that the more complex the data processing is | |||
personal, the purposes should be specified in a more detailed and exhaustive manner, "including, | |||
among other things, the way in which personal data is processed. They must also | |||
disclosure of the decision criteria used to create customer profiles ” . | |||
In accordance with the foregoing, the purposes for which the data will be processed | |||
personal information about which CAIXABANK informs its clients, do not conform to the | |||
mentioned transparency requirements, especially if we consider the huge amount | |||
of personal data that it submits to treatment, individually or globally considered, and the | |||
complex technical processes to which they are subjected, especially for the elaboration of | |||
profiles, which are used for all the purposes described in the information offered to | |||
Your clients: | |||
. "Personalize your commercial experience in our channels". | |||
. "Offer you products and services that fit your profile." | |||
. "Analysis, study and monitoring treatments for the offer and design of products and services | |||
adjusted to the customer profile ”. | |||
. "Study products or services that can be adjusted to your profile and business or credit situation." | |||
. "Commercial offers tailored to your needs and preferences." | |||
. "Define or improve user experiences." | |||
In CAIXABANK's allegations, once again, the conclusions | |||
obtained by this Agency from the analysis of the documents in question, this time in relation to | |||
with the confusion caused by the information about the data processing carried out in | |||
basis of legitimate interest and consent, highlighted above, and, again, again, | |||
warns that the New Privacy Policy "reconfigures the divergences between the | |||
treatments based on legitimate interest and consent ” . | |||
And also in this case does not offer any explanation for the above deficiencies, to | |||
which CAIXABANK does not refer to. | |||
- Information about the legitimate interest of the person in charge | |||
Likewise, the aforementioned precepts establish the obligation of the person responsible to inform | |||
on the legitimate interests on which the processing of personal data is based (the | |||
Articles 13 and 14 of the RGPD establish the obligation to inform about "legitimate interests | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 100 | |||
100/177 | |||
of the person in charge or of a third party ” ). However, the information offered by CAIXABANK | |||
remains undefined as to the basis of the treatment, so it does not substantiate | |||
duly this authorization for the treatment of data, resulting, therefore, contrary | |||
to the principle of transparency. | |||
Recital 47 of the RGPD is especially clarifying in the task of specifying | |||
the content and scope of this legitimizing basis of the treatment, described in letter f) of the | |||
Article 6.1 of the RGPD. From what is stated in this Considering, it is interesting to highlight as a | |||
interpretative, that the application of this legitimizing base must be predictable for its | |||
recipients, taking into account their reasonable expectations. | |||
The Article 29 Working Group prepared Opinion 6/2014 on the “ Concept of | |||
legitimate interest of the data controller under article 7 of the | |||
Directive 95/46 / CE ”, dated 04/09/2014. Although this Opinion 6/2014 was issued for | |||
favor a uniform interpretation of Directive 95/46 then in force, repealed by the | |||
RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and having | |||
Note that the reflections that the Opinion offers are an exponent and application of principles | |||
that also inspire the GDPR -such as the principle of proportionality- or of principles | |||
general rules of Community law - the principle of equity and respect for the law and | |||
Law- many of his reflections can be extrapolated to the application of current regulations, | |||
the RGPD. | |||
The said Opinion refers to the "Concept of interest" in the following Terms: | |||
"The concept of" interest "is closely related to the concept of" purpose "mentioned in | |||
Article 6 of the Directive, although these are different concepts. In terms of protection of | |||
data, "purpose" is the specific reason why the data is processed: the purpose or intention of the | |||
data processing. An interest, on the other hand, refers to a greater involvement than the | |||
responsible for the treatment may have in the treatment, or to the benefit that the person responsible for the | |||
treatment obtains -or that the company can obtain- from the treatment. | |||
For example, a company may have an interest in ensuring the health and safety of personnel who | |||
work at your nuclear power plant. Therefore, the company may have the purpose of applying | |||
specific access control procedures that justify the processing of certain data | |||
specific personnel in order to ensure the health and safety of personnel. | |||
An interest must be articulated clearly enough to allow the balancing test | |||
It is carried out contrary to the interests and fundamental rights of the interested party. | |||
Furthermore, the interest at stake must also be "pursued by the controller." This | |||
requires a real and current interest, which corresponds to present activities or benefits that are | |||
look forward to the very near future. In other words, interests that are too vague or | |||
speculative will not be enough. | |||
The nature of the interest can vary. Some interests may be compelling and beneficial to | |||
society in general, such as the interest of the press in publishing information on corruption | |||
government or interest in conducting scientific research (subject to appropriate safeguards). | |||
Other interests may be less pressing for society as a whole or, in any case, | |||
the impact of your search on society may be more disparate or controversial. This can, for | |||
For example, apply to the economic interest of a company in learning as much as possible about its | |||
potential clients in order to better target advertising on their products and services ”. | |||
In the conclusions section of this Opinion the following is added: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 101 | |||
101/177 | |||
"The concept of" interest "is the broadest implication that the controller may have | |||
in the treatment, or the benefit that it obtains, or that the company may obtain, from the treatment. | |||
This can be compelling, clear, or controversial. The situations referred to in the article | |||
7, letter f), may therefore vary from the exercise of fundamental rights or the protection of | |||
important personal or social interests to other less obvious or even problematic contexts. | |||
… It must also be articulated with sufficient clarity and must be specific enough to | |||
allow the balancing test to be performed against interests and rights | |||
fundamentals of the interested party. It must also represent a real and current interest, that is, it must not be | |||
speculative". | |||
The "interest" goes beyond the "purpose . " In terms of the GT29 it represents "a greater | |||
implication that the controller may have in the treatment, or the benefit | |||
that the data controller obtains ” ; while "purpose", in terms of | |||
data protection, “is the specific reason why the data is processed: the objective or the | |||
intention of data processing. | |||
In this case the "interest" is not expressed. The CAIXABANK entity does not report in the | |||
"Framework Agreement" or in the "Privacy Policy" about any specific interest when referring to | |||
the data processing that you plan to carry out under this legal basis. Is limited | |||
to indicate the treatments carried out with this legal basis and the purposes, mainly | |||
commercial, for which personal data are processed, but no legitimate interest of | |||
CAIXABANK in the sense expressed. | |||
This Agency considers that these processing of personal data, such as | |||
are based on the documents by which the interested parties are informed | |||
in terms of data protection, they cannot rely on the legal basis of interest | |||
legitimate, which requires an evaluation to determine the interests or rights that prevail. | |||
This weighting must take into account “the reasonable expectations of the interested parties | |||
based on their relationship with the person in charge ” , understood as what the interested party can | |||
perceive or deduce as reasonable by itself based on the specific circumstances that | |||
occur in each case, which was predicted at the time of data collection in a way that | |||
reasonable. | |||
The term “reasonable expectation” should always be used sparingly, | |||
taking into account the position held responsible and interested and the legal nature of | |||
the relationship or service that links them, which could lead to the subsequent use of the data | |||
this one's personal. The context is taken into account to be able to define, based on all this, | |||
the subsequent processing of the data that the interested party can expect to be carried out. This | |||
"Reasonable expectation" of the customer must be deducted by itself. | |||
The information provided by CAIXABANK on the use of data based on the | |||
legitimate interest is contrary to the previous approach, since such information is | |||
insufficient to justify this legal authorization and to carry out the weighting judgment that | |||
allow to determine if said reasons prevail over the interests and rights of the | |||
interested party, limiting the possibility that the client can correctly weigh the | |||
performance of the entity. The specific determination of the interest of CAIXABANK, articulated | |||
with sufficient clarity, it will allow the interested party to oppose their own interests. It enables, | |||
also, a better analysis of the reality and actuality of said interest. | |||
All this without forgetting what has already been indicated in relation to the use of imprecise terms | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 102 | |||
102/177 | |||
and vague formulations in the information provided, in particular with regard to the definition of | |||
the purposes. | |||
Regarding the legitimate interest of the person in charge and the weighting test, the document | |||
of the Working Group on Article 29 “Guidelines on transparency under the | |||
Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, offers the | |||
following criteria: | |||
“The specific interest in question must be identified for the benefit of the interested party. As a matter of | |||
good practice, the data controller can also provide the data subject with the information | |||
resulting from the "weighting test" that must be carried out in order to benefit from the provisions | |||
in article 6, paragraph 1, letter f), as a lawful basis for processing, prior to any | |||
collection of the personal data of the interested parties. To avoid information fatigue, this can | |||
be included within a tiered privacy statement / notice (see section 35). | |||
In any case, the position of the WG29 is that the information addressed to the interested party must make clear | |||
that he can obtain information on the weighting test upon request. This turns out | |||
essential for transparency to be effective when stakeholders doubt whether the examination of | |||
weighting has been carried out loyally or wish to file a claim with the | |||
control". | |||
On the other hand, regarding the data processing carried out based on the interest | |||
legitimate, both the "Framework Agreement" and the "Privacy Policy" indicate the following: | |||
. Sending "updates and information about products or services similar to those you already have | |||
hired ”. | |||
. Information processing “personalize your commercial experience in our channels based on | |||
previous uses ”. | |||
. Offer of products and services "that fit your profile" | |||
. Data processing “to apply benefits and promotions that we have in force and to which | |||
have the right " | |||
. Data processing "to assess whether we can assign you pre-granted credit limits." | |||
However, it has been verified that CAIXABANK performs other data processing | |||
personal based on the legitimate interest about which he does not inform at any time to the | |||
interested. (…) | |||
Some of these treatments, and others, are also mentioned in the document | |||
called "Processing of personal data based on legitimate interest" , to which | |||
can be accessed through the website "caixabank.es" , incorporated into the actions by the | |||
Inspection Services of the Agency dated 07/01/2020, which is reproduced in | |||
Annex VI: | |||
. Monitoring of the fulfillment of the objectives, incentives or awards set for our employees. | |||
. Communication of data between CaixaBank and the companies in which it has a stake for the purpose of | |||
make internal reports (without personal data), which allow us, among other aspects, | |||
carry out market studies and mathematical models to establish the business strategy of the | |||
CaixaBank Group. | |||
. Creation of statistical models (without personal data) that help the Entity to know | |||
better the preferences and tastes of our clients, collaborating in the improvement of the design and execution | |||
of commercial actions, as well as making aggregate reports on the results of the models | |||
to track customer behavior. | |||
. Structuring and profiling of the information processed by the Entity to maintain the resources and | |||
technical systems prepared to efficiently meet management needs. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 103 | |||
103/177 | |||
. Control and supervision of the Entity's activity through samples and self-evaluations with the | |||
purpose of identifying and assessing possible risks in the marketing of products, controls and | |||
evaluate compliance with internal rules and regulations. | |||
. Control and supervision of operations in order to prevent fraud, both to customers and to the | |||
own Entity. | |||
However, this document is not provided to interested parties nor does it record any | |||
reference to it in the "Framework Agreement", the "Consent Agreement" or in the "Policy | |||
of Privacy ”, so that CAIXABANK cannot be certain about the access of the | |||
customers to this information and is not in a position to prove this access. | |||
About this document called "Treatment of personal data in | |||
basis of legitimate interest ”it is also worth highlighting that the list of treatments based on | |||
in the legitimate interest that it contains, it is presented as an open list that "will be updated | |||
permanently to include new treatments, or cancel those that are stopped | |||
perform". This statement by CAIXABANK should be rejected as it could lead to | |||
the performance of data processing on which the users are not promptly informed | |||
interested in the documents that they subscribe on protection of personal data, | |||
as is the case in the examples indicated. | |||
If the interested parties are not duly informed about the treatments, and even less | |||
on the specific interest pursued by the person in charge with these treatments on which | |||
it is not reported, it is difficult for them to face the legitimate interests of CAIXABANK to | |||
their own interests and rights, nor do they have the opportunity to even exercise the right to | |||
opposition. | |||
In its brief of allegations to the proposed resolution, CAIXABANK does not make | |||
no mention of this lack of information on the legitimate interest pursued, which implies | |||
a breach of the provisions of article 13.1.d) of the RGPD, nor to the other | |||
circumstances expressed in this section. | |||
- Information on profiling | |||
Another important aspect related to the subject analyzed has to do with the use of | |||
personal data for the preparation of customer profiles, understood as any | |||
form of personal data processing that evaluates personal aspects related to a | |||
Physical person. According to art. 13.1.c) of the RGPD, the person in charge must inform the interested party of | |||
the purposes of the treatment, as well as its legal basis, which means that you must inform | |||
on the elaboration of profiles when the person responsible has foreseen such purpose and specify the | |||
legal basis that protects the treatment for that purpose. | |||
Article 11 of the LOPDGDD establishes the minimum content of the basic information | |||
to be provided to the interested party: | |||
"2. The basic information referred to in the previous section must contain, at least: | |||
(…) | |||
If the data obtained from the affected party were to be processed for profiling, the information | |||
will also understand this circumstance ”. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 104 | |||
104/177 | |||
Recital 60 of the RGPD also refers to the obligation to “inform the | |||
interested party about the existence of profiling and the consequences of said | |||
elaboration". | |||
On the principles relating to the processing of personal data, when these | |||
consist of profiling, the Guidelines of the Article 29 Working Group | |||
on automated individual decisions and profiling for the purposes of | |||
Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate what | |||
following: | |||
“Transparency of treatment is a fundamental requirement of the GDPR. | |||
The profiling process is usually invisible to the person concerned. It works by creating data | |||
derived or inferred about people ("new" personal data that have not been directly | |||
provided by the interested parties themselves). People have different levels of understanding and | |||
It can be difficult to understand the complex techniques of profiling processes and | |||
automated decisions ”. | |||
“Taking into account the basic principle of transparency that sustains the RGPD, those responsible for the | |||
treatment must ensure that they clearly and easily explain to people the operation | |||
profiling or automated decisions. | |||
In particular, when the treatment involves decision-making based on the preparation of | |||
profiles (regardless of whether they fall within the scope of the provisions of Article 22), you must | |||
clarify to the user the fact that the treatment is for both a) profiling and | |||
of b) adoption of a decision based on the profile generated | |||
Recital 60 establishes that providing information about profiling is part of the | |||
of the transparency obligations of the data controller according to article 5, paragraph 1, | |||
letter a). The interested party has the right to be informed by the person responsible for the treatment, in | |||
certain circumstances, regarding your right to object to "profiling" | |||
regardless of whether individual decisions have been made based solely on the | |||
automated processing based on profiling ”. | |||
“The person responsible for the treatment must explicitly mention to the interested party details about the right | |||
opposition according to article 21, paragraphs 1 and 2, and present them clearly and regardless of any | |||
other information (Article 21, paragraph 4). | |||
According to article 21, paragraph 1, the interested party can oppose the treatment (including the elaboration | |||
of profiles) for reasons related to your particular situation. Those responsible for the treatment | |||
are specifically obliged to offer this right in all cases in which the treatment is | |||
based on article 6, paragraph 1, letters e) or f) ”. | |||
The information object of the actions refers to the elaboration of profiles in | |||
numerous times when describing the purposes for which the data will be used, or | |||
the purposes that are detailed entail these profiling operations. So can | |||
be understood, for example, in relation to the personalization of offers or the experience of the | |||
client or the purpose of “knowing you better” . | |||
Therefore, CAIXABANK processes the personal data of its clients to | |||
proceed to its profiling, which it uses later. In most cases in the | |||
which refers to the elaboration of profiles or the use of data that are the result of | |||
profiling activities, the basis of its action is based, according to the information | |||
that it facilitates to the interested parties, in their consent (Clause 8 of the Framework Contract); | |||
except in what refers to the "personalization of the experience" of the client or sending | |||
information in which he may have an interest, which CAIXABANK protects in the interest | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 105 | |||
105/177 | |||
legitimate, on which it has already been indicated that the information is insufficient. | |||
For the reasons already expressed in relation to the lack of justification of interest | |||
legitimate, processing operations that include the preparation of | |||
profiles or that are based on these profiles and that have a legal basis in the legitimate interest | |||
of the person in charge. | |||
In addition, in relation to the profiling operations, in the opinion of this | |||
Agency, the information requirements described. CAIXABANK is limited to informing about | |||
actions that can be developed adapted to the "customer profile" or "personalized" , but not | |||
offers information on the type of profiles to be made, the specific uses to which | |||
that these profiles are going to be used or the possibility that the interested party can exercise the | |||
right of opposition in application of article 21.2 RGPD, when the profiling is | |||
related to direct marketing activities. | |||
In the terms of the GT29, it is not “ explained to people in a clear and simple way the | |||
profiling ” nor are they warned about adopting | |||
decisions “on the basis of the generated profile” , regardless of whether they fall within the scope | |||
of the provisions of article 22. | |||
The concept of profiling is not systematized by CAIXABANK. Of | |||
In fact, the Privacy Policy only talks about “knowing you better, that is, studying your | |||
needs to know what new products and services fit your preferences and | |||
analyze the information that allows us to determine in advance what your | |||
creditworthiness ” , omitting profiling, despite the fact that this purpose, | |||
as stated, it is necessary to do a previous profiling. | |||
This is a breach of the provisions of article 11 of the LOPDGDD. | |||
In this case, in addition, the treatment operations based on the profiling of the | |||
customer go beyond improving the experience or sending commercial offers | |||
adjusted to the needs and preferences of the client, to the point that said profiling | |||
is used by CAIXABANK to design products and services or improve the design and | |||
usability of existing ones, that is, for your own business. | |||
CAIXABANK dedicates a subsection of its allegations to the elaboration of profiles, | |||
but without offering any explanation of the deficiencies noted, to which it does not refer. | |||
In relation to the profiling operations, in its allegations at the opening of the | |||
procedure warns CAIXABANK that treatments were included in the drafted clause | |||
in 2016 (refers to Clause 8 of the “Framework Contract”, the one relating to treatments based on | |||
in the client's consent), when clear criteria were not available, which could | |||
rely on another legal basis other than consent, such as legal obligations | |||
(fraud control and risk management) or the contractual relationship (monitoring and adoption of | |||
recovery stockings). He adds that what has been produced is an excess of information. | |||
Later, in its allegations to the motion for a resolution, it reiterates this allegation | |||
indicating that the error was made in that clause (corrected in the New | |||
Privacy), to list treatment operations that did not have to do with consent | |||
for profiling. And he lists the specific treatments that, in his opinion, can be covered by | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 106 | |||
106/177 | |||
another legal basis different from the legitimate interest (the list of the treatments to which it refers | |||
this allegation is outlined in the following Legal Basis). | |||
However, this claim is not related to the deficiencies found in the | |||
information offered on the elaboration of profiles, previously expressed, and is subject to | |||
analysis in the following Legal Basis, in the section that examines the treatments | |||
of data based on the consent of the interested parties. It should be clarified now that it has been the | |||
CAIXABANK own entity which decided to protect the profiles in the consent. | |||
On the other hand, it must be added that the conclusions expressed do not judge the | |||
information offered due to its breadth (CAIXABANK alleges an excess of information and provides | |||
an example of a reduced clause), but it is evaluated if it is sufficient and adequate to the standard. | |||
In relation to this issue of the profiles, CAIXABANK alleges that in Clause | |||
8 of the “Framework Contract”, it is informed about the purposes indicating that the | |||
consent for the “analysis, study and follow-up for the offer and product design | |||
adjusted to your client profile ” , and information is provided on the elaboration of profiles by making explicit the | |||
treatment operations that include this purpose ( "Study products or services | |||
that can be adjusted to your profile and specific business or credit situation ” ) . | |||
It has already been said previously that the information offered sometimes refers to the | |||
profiling by describing the purposes for which the data will be used | |||
personal. But that information contained in Clause 8 of the "Framework Contract" does not save | |||
any other information on purposes that involve profiling operations on | |||
those that the customer is not warned about. Furthermore, CAIXABANK does not explain the lack of information, in | |||
general, on the types of profiles and the uses to which they are to be put, so that the | |||
interested party has clear knowledge of the operation of these profiles and, above all, of | |||
the consequences of its elaboration. These circumstances are not mentioned by CAIXABANK | |||
in their allegations, and nothing is said in them to justify not informing the | |||
interested in the possibility of exercising the right of opposition, when appropriate. | |||
- Information on the exercise of rights, possibility of claiming before the Agency | |||
Spanish Data Protection, existence of a Delegate for the Protection of | |||
Data and your contact details and retention periods. | |||
On the other hand, the information provided by CAIXABANK on the exercise of | |||
rights, possibility of claiming before the Spanish Agency for Data Protection, | |||
existence of a Data Protection Delegate and their contact details is not uniform in | |||
all documents analyzed. | |||
The "Framework Agreement" and the "Privacy Policy" of CAIXABANK inform about the | |||
rights that correspond to the interested party regarding the protection of personal data, | |||
including the revocation of the consents granted, as well as the channels for | |||
exercise them. They also inform about the possibility of filing a claim with the | |||
Spanish Agency for Data Protection and on the existence of a Protection Delegate | |||
of Data of the CaixaBank Group of companies, indicating the means to contact | |||
the same. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 107 | |||
107/177 | |||
The "Consent Agreement" or document of "Authorization / Revocation of | |||
consents ”, on the other hand, in version 2, it reported on the possibility of exercising the | |||
rights, but without mentioning those established in the applicable regulations, and neither | |||
referred to the existence of a Data Protection Delegate; yes, you are | |||
deficiencies were corrected in version 3 of the document. | |||
To refer to the use of data based on legitimate interest, the "Framework Agreement" | |||
expressly warns about the possibility of objecting. The Privacy Policy does not | |||
mentions the right to object, but it indicates “… if you prefer that we not do it, just | |||
you have to tell us, in… ”. The right to object is also reported in the | |||
document inserted in the CAIXABANK website regarding the "Treatment of data of character | |||
personal based on legitimate interest ”. | |||
The information that is offered for access to personal data of customers in | |||
social networks informs about the rights contained in the LOPD, not in the RGPD: | |||
"You may exercise the rights of access, rectification, cancellation and opposition in accordance with the | |||
data protection regulations. To exercise these rights, you must go to the address of | |||
CaixaBank… ”. | |||
Likewise, the contract that regulates the aggregation service informs about the rights | |||
and channels for its exercise, the possibility of contacting the Protection Delegate of | |||
Data and to claim before this Agency, but does not expressly mention the possibility of | |||
revoke consent and the right to object the following is indicated: | |||
"The non-acceptance or subsequent opposition to the processing of your data, for the purposes below | |||
detailed information, implies that CaixaBank will not be able or (where appropriate) will stop offering you the | |||
aggregation". | |||
This information is modified in the new stipulations of the Service Contract | |||
Aggregation, (…) | |||
- Information on terms of conservation of personal data | |||
As indicated in relation to the issues indicated in the previous section, | |||
The information provided on the data retention periods is not uniform in | |||
the documents object of the proceedings. | |||
Regarding data conservation, the "Framework Agreement" includes a section | |||
specific to this question (11.3) with the following content: | |||
"Your data will be processed as long as the contractual or business relationships remain in force | |||
established or commercial use authorizations granted. | |||
Once the authorizations for use have been revoked, or six months after the relationship ends | |||
contractual or business established, your data not being necessary for the purposes for which | |||
were collected or processed, your data will no longer be processed. | |||
In accordance with the regulations, the data will be kept for the sole purpose of complying with those | |||
legal obligations imposed on CaixaBank and / or Group Companies, and for the formulation, exercise or | |||
defense of claims, during the limitation period of the actions derived from the relations | |||
contractual or business subscribed ”. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 108 | |||
108/177 | |||
However, in section 7.1 "Processing of personal data with the | |||
purpose of managing Commercial Relations ”it is indicated that the data will be canceled with | |||
the termination of all business relationships, without mentioning the six-month period | |||
after business relationships: | |||
“… At the time of cancellation by the Signatory of all Commercial Relations, the | |||
aforementioned data processing will cease, and your data will be canceled in accordance with the provisions | |||
in the applicable regulations, CaixaBank keeping their use duly limited until they have | |||
prescribed actions derived from them ”. | |||
On the other hand, the so-called "Consent Agreement" or | |||
" Authorization / revocation for the processing of personal data for purposes | |||
commercial by CaixaBank, SA and companies of the CaixaBank group ” , for its part, indicated in | |||
its version 2 that the data would be processed as long as the | |||
use authorizations granted or established contractual or business relationships, | |||
but without warning about the use during the six months after the end of | |||
said contractual relationships. That six-month data usage period was | |||
added in version 3 of this document, with a scope similar to that outlined in the | |||
"Framework contract": | |||
"The authorizations you grant will remain in effect until they are revoked or, in the absence of | |||
this, up to six months after you cancel all your products or services with | |||
CaixaBank or any company of the CaixaBank Group ” . | |||
Similar content contains the section of the "Privacy Policy" relative to the | |||
conservation of personal data. | |||
In none of the cases is the conservation of the data motivated during the six | |||
months after the contractual or business relationships. | |||
Information regarding access to personal data of customers in social networks | |||
does not contain any indication about the retention of personal data; Meanwhile he | |||
contract that regulates the aggregation service, although it informs that the data will be processed | |||
while the contractual relationships remain in force, it warns that, in the event that | |||
The data is processed in accordance with your consent, it may be processed as long as it is not | |||
withdraw, even after the relationship. In the clauses of the contract of this aggregation service | |||
indicated: | |||
"The data will be processed as long as the relationships derived from the relationships remain in force | |||
contractual, and will be kept (during the prescription period of actions derived from | |||
said relationships) for the sole purpose of complying with the required legal obligations, and for the | |||
formulation, exercise or defense of claims. However, in the event that the data is processed | |||
According to your consent, they may be processed until you withdraw it. | |||
Notwithstanding the foregoing, CaixaBank informs you that it will proceed to delete the data from its systems | |||
collected by the aggregation service: | |||
(i) in the event of elimination of a financial institution, CaixaBank will proceed to eliminate | |||
the data of the eliminated financial institution. | |||
(ii) in the event that the contractor notifies us of his withdrawal from the Service, CaixaBank will proceed to the | |||
elimination of the data of all third financial entities ”. | |||
(In the new clause of the Aggregation Service Contract, the information is modified | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 109 | |||
109/177 | |||
on the conservation of personal data in relation to the treatments with the purpose | |||
commercial, indicating that they will be treated until the revocation of consent or until | |||
twelve months after the end of the contractual relationship). | |||
CAIXABANK has alleged that the retention period of six months after the | |||
contractual relationship is a self-imposed measure, that there is no legal obligation to motivate | |||
that period and that the indication of a period of six months in one cases and twelve in others | |||
responds to the fact that each client has a contract, so there is no single term of | |||
conservation. | |||
On this issue, it should be clarified that the opportunity is not judged here and | |||
regularity of these periods, whether or not they comply with the principle established in article 5 of the RGPD, | |||
but the information offered, which is not uniform in the information offered to the | |||
interested. The imputed entity itself has highlighted in its brief of allegations the | |||
convenience of regularizing this information. | |||
These differences in terms of the retention period cannot be justified by the | |||
contract that binds the client with the entity, since the term in question does not refer to the | |||
conservation of the data related to the business relationship, but refers to the | |||
use authorizations. | |||
Throughout this Legal Basis the deficiencies have been described | |||
appreciated in relation to the fulfillment of the duty of information in matters of protection | |||
of data by CAIXABANK, which can be summarized, succinctly, as follows: | |||
. The information offered to CAIXABANK clients is not uniform. Papers | |||
arranged by CAIXABANK to inform customers use different terminology | |||
to refer to the same questions and do not have the same content, so it is not | |||
offers the information with the same breadth in all cases. | |||
. Vague terminology and vague formulations are used, with ambiguous meanings in | |||
some cases, and whose true scope is not developed, making it difficult for the recipient of | |||
the information can conclude its real and concrete scope. | |||
. The information offered on the processing of personal data based on the relationship | |||
contractual does not allow assessing whether all the treatments included in this section can | |||
rely on that legal basis. | |||
. Information on the categories of personal data subject to processing; and about the | |||
specific categories of personal data that will be processed for each of the purposes | |||
specific. This requirement is not met in relation to: | |||
. Data processing whose legal basis is determined by consent | |||
of the interested party, for which personal data obtained from the use of the | |||
products and services contracted by the client, navigation data and those obtained from | |||
the communications established between the client and the entity. | |||
. Data processing whose legal basis is determined by the legitimate interest of | |||
CAIXABANK and whose purpose is to prepare profiles that are subsequently | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 110 | |||
110/177 | |||
used to carry out data processing based on the consent of the | |||
interested. | |||
. The personal data obtained by CAIXABANK from external sources or inferred by the | |||
own entity. These include the data obtained by CAIXABANK from products | |||
and services contracted by the interested parties with third parties, including those of those | |||
products and services of third parties marketed by CAIXABANK; as well as the data | |||
that derive from CAIXABANK's own commercial relations with third parties and | |||
data made from the above. | |||
. Not all cases are duly informed about the categories of personal data | |||
Specific that will be treated for each of the specified purposes. | |||
. Information on the purposes for which the personal data of the clients will be used and | |||
the legal basis of the treatment. Confusion of legal bases. | |||
. The "Framework Contract" refers to similar treatments in relation to different purposes, | |||
covered by legitimate interest in some cases and consent in others. | |||
. The document signed by the client for registration in the aggregation service informs | |||
on purposes linked to the object of the contract that in the "Framework Contract", instead, | |||
associated with treatments for which the client's consent is required. | |||
. Information about the legitimate interest of the person in charge: | |||
. The "interest" is not expressed. The CAIXABANK entity does not inform in the "Framework Contract" or | |||
in the "Privacy Policy" about any specific interest when referring to the | |||
data processing that you plan to carry out under this legal basis. | |||
. The information is insufficient to justify this legal authorization and to carry out the | |||
weighing judgment that allows determining whether said reasons prevail over the | |||
interests and rights of the interested party, limiting the possibility that the client can | |||
correctly weigh the performance of the entity. | |||
. CAIXABANK processes personal data based on the legitimate interest in | |||
those that do not inform the interested parties at any time. | |||
. The document called "Treatment of personal data based on the | |||
legitimate interest ” includes a relationship of treatments based on the legitimate interest that | |||
it is presented as an open listing. | |||
. Profiling information | |||
. The legitimate interest of CAIXABANK in the elaboration of profiles for the | |||
"Personalization of the experience" of the client or sending information in which the client | |||
may be interested. | |||
. No information is offered on the type of profiles to be made, the uses | |||
specific to which these profiles are going to be used or their operation and | |||
consequences of its elaboration. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 111 | |||
111/177 | |||
. There is no information on the exercise of the right of opposition, when the profiling is | |||
related to direct marketing activities. | |||
. The Privacy Policy omits the creation of profiles in relation to the | |||
purpose of “getting to know you better, that is, studying your needs to know what new | |||
products and services are adjusted to your preferences and analyze the information that we | |||
let you determine in advance what your creditworthiness is ” . | |||
. Information on the exercise of rights, possibility of claiming before the Spanish Agency | |||
of Data Protection, existence of a Data Protection Delegate and their data from | |||
contact and retention periods. | |||
. The "Consent Agreement" informed about the possibility of exercising the rights, | |||
but without mentioning those that are established in the applicable regulations. | |||
. The right to object is not mentioned in the Privacy Policy. | |||
. The information that is offered for access to personal data of customers in networks | |||
Social reports on the rights contained in the LOPD, not in the RGPD. | |||
. The contract that regulates the aggregation service did not expressly mention the | |||
possibility to revoke consent and exercise the right of opposition. | |||
. The information on retention periods for personal data is not uniform: | |||
. According to section 11.3 of the "Framework Agreement", personal data will no longer be processed at | |||
within six months of the end of the contractual relationships; while in the section | |||
7.1 of the same document does not mention said term and it is reported that the treatments | |||
They will cease with the cancellation of the contractual relationships. | |||
. The so-called “Consent Agreement”, in its version 2, did not warn about the | |||
use of personal data during the six months after the end of | |||
said contractual relationships. That six-month data usage period | |||
was added in version 3. | |||
. Information regarding access to personal data of customers on social networks does not | |||
contains no indication about the storage of personal data. | |||
. The contract that regulates the aggregation service reported that the data processing | |||
based on the consent of the client may be carried out as long as it is not withdrawn, even | |||
relationship ended. The new clauses of this contract indicate that they will be | |||
treated until the revocation of consent or until twelve months after | |||
the termination of the contractual relationship. | |||
CAIXABANK, in its allegations, limits itself to stating in a generic way that it complies | |||
the requirements established in the applicable regulations, in articles 13 and 14 of the RGPD, or | |||
well to deny the stated conclusions, without offering in any case any justification on | |||
the irregularities observed, which he does not even mention. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 112 | |||
112/177 | |||
On many occasions, it simply qualifies those defects or defaults as a | |||
mere error to which no effect can be attributed. At other times, at the same time | |||
denies those non-compliances, admits the defects and claims that the improvement process | |||
developed has corrected them. He goes on to state that he does not claim that the information was | |||
perfect or that there were no errors, but that does not mean that there was | |||
any breach. | |||
This is the case, for example, in relation to the lack of uniformity of information | |||
offered; the confusion about the legal bases generated by the information offered by the | |||
data processing carried out based on legitimate interest and consent; | |||
information on the legitimate interest pursued and the processing of personal data | |||
carried out for commercial purposes covered by this legal basis; in relation to | |||
profiling; or in relation to the information provided on the exercise of | |||
rights and the period of data conservation. | |||
In general, CAIXABANK presents this supposed regularization as sufficient to | |||
prevent any type of responsibility from being demanded, without considering that it is | |||
substantive or substantive breaches that affect the validity of the information and | |||
basic principles of the protection of personal data. | |||
On the other hand, in its allegations to the proposed resolution, CAIXABANK | |||
refers as a priority to the question regarding the compression of the text, in relation to the | |||
use of imprecise terminology and vague formulations, although it is only one of | |||
the many highlights in the overview above. The aforementioned entity alleges that it has not | |||
proven that the expressions used are not clear and understandable for the “member | |||
target audience ” (Guidelines on Transparency), violating the principle of | |||
presumption of innocence, and provides the result of a survey and a user test | |||
carried out by an external and independent company that, according to CAIXABANK, certifies that | |||
Clients fully understand the information provided (the details of these jobs | |||
externalities are outlined in the Twelfth Antecedent). In this regard, it clarifies that | |||
By providing this evidence you are assuming a reversal of the burden of proof | |||
violator of their fundamental rights. | |||
These external studies were carried out through telephone surveys of 171 clients, | |||
the first, and 100 non-client users, the second. | |||
The first of these surveys consisted of reading to the respondent an extract from the | |||
Clause 8 of the "Framework Contract", to ask them later some questions about the | |||
same (...) | |||
In the second work, the user collection screens were transferred to | |||
consent, its dynamics and context, as well as the integrity of clause 8 of the “Contract | |||
Marco ”, simulating the experience of a signer of this document in an office. (…) | |||
CAIXABANK also provides a report from a company specialized in linguistics | |||
on the analysis made of two clauses of the "Framework Contract", one of them Clause 8, | |||
in which the recommendations made are minimal. | |||
With the result of this study and of those surveys, according to which a percentage | |||
average higher than 90% had understood that the information offered in the aforementioned Clause 8 | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 113 | |||
113/177 | |||
included the content of the questions, CAIXABANK intends to respond, not only to the | |||
question concerning the use of imprecise terminology, but also many other | |||
breaches outlined in this Legal Basis, such as the lack of | |||
specification of the categories of personal data processed, the lack of information on the | |||
purposes and confusion of legal bases. | |||
This Agency does not share the approaches expressed by CAIXABANK in its | |||
allegations. In the preceding sections it has been demonstrated with sufficient rigor and detail | |||
that CAIXABANK does not comply with the established information requirements and that the | |||
Non-compliances found are not the result of mere errors, so the claim must be rejected. | |||
exemption from liability to CAIXABANK based on the alleged regularization of those | |||
mistakes, made by the one who invokes them. | |||
Regarding the lack of evidence on the non-understanding by clients of the texts | |||
analyzed, alleged by CAIXABANK, it is understood that this Agency has tested the use of the | |||
expressions that are cited in the corresponding section of this Legal Basis and | |||
has sufficiently substantiated the reasons why terminology and expressions | |||
used must be rejected. | |||
This conclusion is based on consolidated criteria, such as those expressed by the Group | |||
of Article 29 in its “Guidelines on transparency under the Regulations | |||
2016/679 ” , which are known as CAIXABANK. The Article 29 Working Group will | |||
established under Directive 95/46 / EC on an advisory and independent basis, and whose | |||
Opinions and recommendations serve as an interpretive element in the matter that we | |||
occupies, admitted by jurisprudence. It is currently the European Committee for the Protection of | |||
Information about the body with competence to issue guidelines, recommendations and good practices | |||
in order to promote the consistent application of the GDPR. | |||
On the other hand, the use of these indeterminate expressions occurs throughout | |||
all the text of the documents that are analyzed, and not only in Clause 8 of the “Contract | |||
Marco ”, to which the studies provided by CAIXABANK refer. Therefore, | |||
The conclusions of these studies show nothing to the contrary regarding the lack of definition of the | |||
information offered, in general. | |||
It is not said here that the information provided is not fully comprehensible, since | |||
that obviously difficulties in understanding ambiguous expressions or | |||
Indeterminate affect the parts of the text in which they are used. But if it can be said | |||
that the understanding by the client of a part of the text of a document does not mean that | |||
understand all text in all documents. | |||
And it should also be noted that the information is not valid for the sole fact that | |||
is understandable. The studies provided do not refer to important aspects that are | |||
questioned in this resolution, whose understanding by clients does not modify the | |||
conclusions of this Agency and the consequences of non-compliance | |||
respective. This can be said, as an example, (i) in relation to the defects appreciated | |||
on the lack of information on the legal basis of the treatments: although the interested parties | |||
understand that their data will be provided to the Group companies, this circumstance does not | |||
overcomes the lack of information on the legal basis for this transfer of data; or (ii) regarding the | |||
use of personal data obtained from "the contracting and operations of products and | |||
services with third parties ” : the fact that the client understands that this data will be used does not | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 114 | |||
114/177 | |||
saves the lack of information on the categories of personal data that are collected and | |||
undergo treatment; or (iii) on the data processing mentioned in Clause 8 | |||
that have a purpose other than the three indicated in the repeated Clause 8: although the client | |||
understand these treatment activities, does not resolve that they are carried out without basis | |||
legal (as will be seen in the following Legal Basis). | |||
From a technical point of view, the work carried out indicates nothing about the selection | |||
of the sample of clients who were interviewed (only indicated that they have | |||
selected people who signed the "Framework Contract" in the last year); the statements of | |||
the questions are schematic, not precise and clarifying the content of the information, and | |||
They do not have as their object essential aspects, such as those related to profiles, their elaboration | |||
and utilization; and it is not acceptable for the survey to be conducted on an extract from the | |||
information, the content of which also does not exactly coincide with that of Clause 8 of the | |||
"Framework contract". It is, in short, a minimal survey compared to the | |||
purposes and data processing that are contemplated in the information provided by CAIXABANK | |||
to its clients in terms of data protection. | |||
Consequently, in accordance with the evidence presented, the facts described | |||
in this Legal Basis constitute a violation of the principle of | |||
transparency regulated in articles 13 and 14 of the RGPD, which gives rise to the application of the | |||
corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Agency for | |||
Data Protection. | |||
VII | |||
Articles 6 and 7 of the same RGPD refer, respectively, to the “Legality of the | |||
treatment ” and the “ Conditions for consent ”: | |||
Article 6 of the RGPD. | |||
"1. The treatment will only be lawful if at least one of the following conditions is met: | |||
a) the interested party gave their consent for the processing of their personal data for one or more | |||
specific purposes; | |||
b) the treatment is necessary for the execution of a contract in which the interested party is a party or for | |||
the application at his request of pre-contractual measures; | |||
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the | |||
treatment; | |||
d) the treatment is necessary to protect vital interests of the interested party or of another natural person; | |||
e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the | |||
exercise of public powers conferred on the data controller; | |||
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller | |||
of the treatment or by a third party, provided that the interests or the | |||
fundamental rights and freedoms of the interested party that require the protection of personal data, | |||
in particular when the interested party is a child. | |||
The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the | |||
public authorities in the exercise of their functions. | |||
2. Member States may maintain or introduce more specific provisions in order to adapt | |||
the application of the rules of this Regulation with respect to the treatment in compliance with the | |||
section 1, letters c) and e), setting more precisely specific treatment requirements and other | |||
measures to ensure lawful and equitable treatment, including other specific situations | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 115 | |||
115/177 | |||
treatment according to chapter IX. | |||
3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: | |||
a) Union law, or | |||
b) the law of the Member States that applies to the controller. | |||
The purpose of the treatment must be determined in said legal basis or, in relation to the | |||
Treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission | |||
carried out in the public interest or in the exercise of public powers conferred on the person responsible for | |||
treatment. Said legal basis may contain specific provisions to adapt the application of | |||
rules of this Regulation, among others: the general conditions that govern the legality of the | |||
treatment by the person in charge; the types of data being processed; the interested | |||
affected; the entities to which personal data may be communicated and the purposes of such | |||
communication; the limitation of the purpose; the data retention periods, as well as the | |||
processing operations and procedures, including measures to ensure processing | |||
lawful and equitable, such as those relating to other specific treatment situations pursuant to the chapter | |||
IX. The law of the Union or of the Member States shall fulfill an objective of public interest and shall be | |||
proportional to the legitimate aim pursued. | |||
4. When the treatment for a purpose other than that for which the personal data was collected | |||
is not based on the consent of the interested party or on the law of the Union or of the States | |||
members that constitute a necessary and proportionate measure in a democratic society to | |||
safeguard the objectives indicated in article 23, paragraph 1, the data controller, with | |||
in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected | |||
initially personal data, will take into account, among other things: | |||
a) any relationship between the purposes for which the personal data was collected and the purposes | |||
the planned further processing; | |||
b) the context in which the personal data was collected, in particular with regard to the | |||
relationship between the interested parties and the data controller; | |||
c) the nature of the personal data, specifically when special categories of data are processed | |||
personal data, in accordance with article 9, or personal data regarding convictions and offenses | |||
criminal, in accordance with article 10; | |||
d) the possible consequences for the data subjects of the planned further processing; | |||
e) the existence of adequate guarantees, which may include encryption or pseudonymization ”. | |||
Article 7 of the RGPD. | |||
"1. When the treatment is based on the consent of the interested party, the person in charge must be | |||
capable of demonstrating that he consented to the processing of his personal data. | |||
2. If the consent of the interested party is given in the context of a written statement that is also | |||
refer to other matters, the consent request will be presented in such a way that it distinguishes | |||
clearly of the other matters, in an intelligible and easily accessible way and using clear and | |||
simple. Any part of the declaration that constitutes infringement of this will not be binding. | |||
Regulation. | |||
3. The interested party will have the right to withdraw their consent at any time. The withdrawal of | |||
Consent will not affect the legality of the treatment based on the consent prior to its withdrawal. | |||
Before giving consent, the interested party will be informed of this. It will be so easy to remove the | |||
consent how to give it. | |||
4. When assessing whether consent has been freely given, the fullest extent will be taken into account | |||
possible the fact whether, among other things, the performance of a contract, including the provision of a | |||
service, is subject to consent to the processing of personal data that are not necessary for | |||
the execution of said contract ”. | |||
In relation to what is established in the articles reviewed, the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 116 | |||
116/177 | |||
expressed in recitals 32 (already reviewed), 40, 41, 42 (already reviewed), 43, 44 and 47 (already | |||
cited in the previous Legal Basis) of the RGPD. From what is expressed in these | |||
recitals, the following should be noted: | |||
(43) To ensure that consent has been freely given, it should not constitute a | |||
valid legal basis for the processing of personal data in a specific case in the | |||
that there is a clear imbalance between the interested party and the controller, in particular | |||
when said person responsible is a public authority and it is therefore unlikely that the | |||
consent has been freely given in all the circumstances of that particular situation. I know | |||
presumes that consent has not been freely given when it does not allow the separate authorization of the | |||
different personal data processing operations despite being appropriate in the specific case, or | |||
when the performance of a contract, including the provision of a service, is dependent on the | |||
consent, even when it is not necessary for said compliance. | |||
(44) The processing must be lawful when necessary in the context of a contract or the intention | |||
to conclude a contract. | |||
It is also necessary to take into account the provisions of article 6 of the LOPDGDD: | |||
"Article 6. Treatment based on the consent of the affected party | |||
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the term | |||
consent of the affected party any manifestation of free, specific, informed and unequivocal will | |||
by which he accepts, either through a declaration or a clear affirmative action, the treatment | |||
of personal data concerning you. | |||
2. When it is intended to base the processing of the data on the consent of the affected party for a | |||
plurality of purposes, it will be necessary to state specifically and unequivocally that said | |||
consent is given for all of them. | |||
3. The execution of the contract may not be subject to the affected party consenting to the treatment of the | |||
personal data for purposes that are not related to the maintenance, development or control | |||
of the contractual relationship ” . | |||
In the present case, CAIXABANK contemplates in the “Framework Contract” that the | |||
clients the use of their personal data for the following purposes (excluding | |||
purposes referred to by said entity as "regulatory" ): | |||
1. Manage business relationships: comply and maintain them, verify the | |||
correction of the operation, verify the identity of the signer, establishment and maintenance | |||
of commercial relations. | |||
2. Sending information and updates about products or services similar to those that | |||
already have hired; personalize the customer's business experience across the channels | |||
entity based on previous uses, to offer you products and services that fit your | |||
profile, to apply benefits and promotions that we have in force and to which it has | |||
right, and to assess whether we can assign you pre-granted credit limits that may | |||
use when it deems appropriate. | |||
3. Commercial purposes: | |||
. Offer and design of products and services adjusted to the client profile. | |||
. Commercial offer of products and services of CaixaBank and the Group Companies | |||
CaixaBank. | |||
. Transfer of data to third parties. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 117 | |||
117/177 | |||
4. Transfer of personal data to the companies of the CaixaBank Group. | |||
5. Manage the client's signature and, where appropriate, verify the identity of the signer in successive | |||
operations, through the use of pattern contrast methods. This purpose is | |||
pursues through the processing of biometric data. | |||
In relation to these purposes, CAIXABANK refers to the fulfillment of the | |||
contractual relationship as a legitimate basis for the purposes indicated in number 1 | |||
previous; to the legitimate interest as a legal basis for the use of the data for the indicated purpose | |||
in section 2 above; and consent in relation to the purposes indicated in the | |||
section 3. | |||
CAIXABANK does not inform about any legal basis that enables data transfers | |||
to the companies of the CaixaBank Group. | |||
Information on the processing of biometric data was initially included in the | |||
“Framework contract” as a sub-section of section 7 ( “Treatment of data of character | |||
personnel based on the execution of contracts, legal obligations and legitimate interest and | |||
privacy policy ), but without clearly specifying the legal basis of the treatment; and | |||
currently they are protected by the consent of the interested parties. | |||
- Processing of personal data based on the consent of the interested parties | |||
contemplated in the “Framework Agreement” (clause 8) and “Consent Agreement”. | |||
In accordance with the above, data processing requires the existence of a | |||
legal basis that legitimizes it, such as the consent of the interested party validly given, | |||
necessary when there is no other legal basis than those mentioned in article 6.1 | |||
of the RGPD or the treatment pursues a purpose compatible with that for which the data were collected | |||
data. | |||
Article 4 of the RGPD) defines “consent” as follows: | |||
"11)" consent of the interested party ": any manifestation of free will, specific, informed and | |||
unequivocal by which the interested party accepts, either through a declaration or a clear action | |||
affirmative, the processing of personal data that concerns him ” . | |||
Consent is understood as a clear affirmative act that reflects a | |||
manifestation of free, specific, informed and unequivocal will of the interested party to accept | |||
the processing of personal data that concerns you, provided with guarantees | |||
sufficient so that the person in charge can prove that the interested party is aware of the | |||
fact that you consent and the extent to which you do so. And it must be given to all | |||
the treatment activities carried out for the same or same purposes, so that, when | |||
the treatment has several purposes, consent must be given for all of them in a | |||
specific and unequivocal, without the execution of the contract being subject to the fact that the affected | |||
consent to the processing of your personal data for purposes that are not related | |||
with the maintenance, development or control of the business relationship. In this regard, the legality | |||
of the treatment requires that the interested party be informed about the purposes for which they are intended | |||
the data (informed consent). | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 118 | |||
118/177 | |||
Consent must be freely given. It is understood that consent does not | |||
is free when the interested party does not have a true or free choice or cannot deny or | |||
withdraw your consent without suffering any harm; or when you are not allowed to authorize | |||
separate the different personal data processing operations despite being adequate | |||
in the specific case, or when the fulfillment of a contract or service provision is | |||
dependent on consent, even when it is not necessary for such compliance. | |||
This occurs when consent is included as a non-negotiable part of the | |||
general conditions or when the obligation to agree to the use of | |||
personal data additional to those strictly necessary. | |||
Without these conditions, the provision of consent would not offer the interested party a | |||
true control over your personal data and their destination, and this would make it illegal to | |||
treatment activity. | |||
The Article 29 Working Group analyzed these issues in its document | |||
"Guidelines on consent under Regulation 2016/679" , adopted on | |||
11/28/2017, reviewed and approved on 04/10/2018. | |||
These Guidelines have been updated by the European Data Protection Committee | |||
on 05/04/2020 through the document “Guidelines 05/2020 on consent with | |||
according to Regulation 2016/679 ” (it keeps the parts that are transcribed | |||
then). In this document 5/2020 it is expressly stated that the opinions of the | |||
Article 29 (WP29) Working Group on consent remain relevant, | |||
provided they are consistent with the new legal framework, stating that these guidelines do not | |||
they replace previous opinions, but rather expand and complete them. | |||
From what is indicated in the document of the GT29 previously mentioned, it is interesting now | |||
highlight some of the criteria related to the validity of consent, specifically | |||
on the elements "specific" , "informed" and "unequivocal" : | |||
“3.2. Specific manifestation of will | |||
Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the treatment of | |||
your data must be given "for one or more specific purposes" and that an interested party can choose with | |||
with respect to each of these purposes. The requirement that consent must be "specific" has | |||
in order to guarantee a level of control and transparency for the interested party. This requirement has not been | |||
amended by the GDPR and remains closely linked to the consent requirement | |||
"informed". At the same time, it must be interpreted in line with the 'dissociation' requirement for | |||
obtain "free" consent. In short, to fulfill the character of "specific" the | |||
data controller must apply: | |||
i) the specification of the purpose as a guarantee against deviation of use, | |||
ii) disassociation in consent requests, and | |||
iii) a clear separation between the information related to obtaining consent for the | |||
data processing activities and information related to other issues. | |||
Ad. i): In accordance with article 5, section 1, letter b), of the RGPD, obtaining consent | |||
Valid is always preceded by the determination of a specific, explicit and legitimate purpose for the | |||
planned treatment activity. The need for specific consent in combination with the | |||
notion of limitation of purpose contained in article 5, paragraph 1, letter b), functions as | |||
guarantee against the gradual extension or blurring of the purposes for which the treatment is carried out | |||
of the data once an interested party has given their authorization to the initial collection of the data. | |||
This phenomenon, also known as diversion of use, poses a risk to stakeholders already | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 119 | |||
119/177 | |||
which may lead to an unforeseen use of personal data by the person responsible for the | |||
treatment or third parties and the loss of control by the interested party. | |||
If the controller is based on article 6, paragraph 1, letter a), the interested parties must | |||
always give your consent for a specific purpose for the processing of data. In consonance | |||
with the concept of purpose limitation, with article 5, paragraph 1, letter b), and with the | |||
Recital 32, consent may cover different operations, provided that said | |||
operations have the same purpose. Needless to say, specific consent can only be obtained | |||
when the interested parties are expressly informed about the purposes envisaged for the use of the data | |||
that concern them. | |||
Without prejudice to the provisions on compatibility of purposes, consent must be | |||
specific for each purpose. The interested parties will give their consent understanding that they have control | |||
about your data and that these will only be processed for said specific purposes. If a responsible treats | |||
data based on consent and, in addition, you want to process said data for another purpose, you must | |||
obtain consent for that other purpose, unless there is another legal basis that better reflects the | |||
situation… | |||
Ad. ii) The consent mechanisms should not only be separated in order to comply with the | |||
"free" consent requirement, but must also comply with the consent requirement | |||
"specific". This means that a data controller seeking consent to | |||
several different purposes, it must facilitate the possibility of opting for each purpose, so that users | |||
can give specific consent for specific purposes. | |||
Ad. iii) Finally, the data controllers must provide, with each request for | |||
separate consent, specific information about the data that will be processed for each purpose, with the | |||
In order for the interested parties to know the impact of the different options they have. Of this | |||
Thus, data subjects are allowed to give specific consent. This question overlaps with the | |||
requirement that those responsible provide clear information, as stated above | |||
in section 3.3 ". | |||
"3.3. Informed expression of will… ” (this section 3.3 already outlined in the Basis of | |||
Previous right). | |||
"3.4. Unequivocal expression of will | |||
The RGPD clearly establishes that consent requires a declaration by the interested party or a | |||
clear affirmative action, which means that consent must always be given by an action | |||
or statement. It must be evident that the interested party has consented to an operation | |||
specific data processing ... | |||
A "clear affirmative action" means that the data subject must have acted deliberately to | |||
give your consent to that particular treatment. Recital 32 offers additional guidance | |||
on this point ... | |||
The use of already checked acceptance boxes is not valid under the GDPR. The silence or the | |||
inactivity of the interested party, or simply continuing with a service, cannot be considered as a | |||
active indication of having made a choice ... | |||
A data controller must also take into account that consent cannot | |||
be obtained through the same action by which the user agrees a contract or accepts the terms and | |||
general conditions of a service. Global acceptance of the general terms and conditions does not | |||
can be considered a clear affirmative action aimed at consenting to the use of data | |||
personal. The RGPD does not allow those responsible for the treatment to offer boxes marked | |||
previously or opt-out mechanisms that require the intervention of the interested party to | |||
avoid the agreement (eg "opt-out boxes") ... ”. | |||
Data controllers must design consent mechanisms so that | |||
are clear to stakeholders. They must avoid ambiguity and ensure that action by means of | |||
which consent is given is distinguished from other actions… ”. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 120 | |||
120/177 | |||
This document cites Opinion 15/2011 of the WG29, on the definition of the | |||
consent. Regarding consent as a manifestation of unequivocal will, in this | |||
Last Opinion indicates: | |||
“In order for consent to be unequivocally granted, the procedure for obtaining it and | |||
granting does not have to leave any doubt about the intention of the interested party when giving his | |||
consent. In other words, the manifestation by which the interested party consents must not | |||
leave room for any misunderstanding about your intention. If there is a reasonable doubt about the intent of the | |||
person will produce an equivocal situation. | |||
As described below, this requirement obliges data controllers to create | |||
rigorous procedures for people to give their consent… ”. | |||
“This example illustrates the case of the person who remains passive (eg, inaction or 'silence'). | |||
Clear consent does not fit well with procedures for obtaining consent to | |||
starting from the inaction or silence of the people: the silence or inaction of one party is | |||
inherently misleading (the interested party's intention could be assent or simply not | |||
perform the action) ”. | |||
“… Individual behavior (or rather, lack of action) raises serious doubts about the will | |||
according to the person. The fact that the person does not take a positive action does not allow | |||
conclude that you have given your consent. Therefore, it does not meet the consent requirement | |||
unequivocal". Furthermore, as illustrated below, it will also be very difficult for the person responsible for the | |||
data processing provide proof that shows that the person has consented ”. | |||
Clause 8 of the "Framework Contract" is dedicated to the "Treatment and transfer of data | |||
for commercial purposes by CAIXABANK and the CaixaBank group companies based | |||
in consent ” . This is what CAIXABANK generically calls "purposes | |||
commercial ” , including: (i) analysis, study and monitoring for the offer and design | |||
of products and services adjusted to the customer profile; (ii) commercial offer of products and | |||
services of CaixaBank and the CaixaBank Group Companies; (iii) and transfer of data to | |||
third parties. | |||
The consent of the interested party is the legal basis for the processing of their data | |||
personal for such purposes. | |||
The aforementioned Clause 8 describes these treatments as follows: | |||
"The detail of the uses that will be carried out according to your authorizations is as follows: | |||
(i) Detail of the analysis, study and monitoring treatments for the offer and design of products and | |||
services tailored to the customer profile. | |||
By granting your consent to the purposes detailed here, you authorize us to: | |||
a) Proactively carry out risk analysis and apply statistical technical data on their data | |||
and customer segmentation, with a triple purpose: 1) Study products or services that | |||
can be adjusted to your profile and specific business or credit situation, all to | |||
make commercial offers tailored to your needs and preferences, 2) Make the | |||
monitoring of products and services contracted, 3) Adjust recovery measures on the | |||
defaults and incidents derived from the products and services contracted. | |||
b) Associate your data with those of companies with which you have some type of link, both for their | |||
ownership and management relationship, in order to analyze possible interdependencies | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 121 | |||
121/177 | |||
economic in the study of service offers, risk requests and contracting of | |||
products. | |||
c) Carry out studies and automatic controls of fraud, defaults and incidents derived from | |||
contracted products and services. | |||
The treatments indicated in sections (i), (ii) and (iii) may be carried out in a | |||
automated and entail the elaboration of profiles, with the aforementioned purposes. To this | |||
Indeed, we inform you of your right to obtain human intervention in the treatments, to | |||
express their point of view, to obtain an explanation about the decision made based on the | |||
automated processing, and to challenge said decision. | |||
d) Carry out satisfaction surveys by telephone or electronic channel with the aim of | |||
assess the services received. | |||
e) Design new products or services, or improve the design and usability of existing ones, as well | |||
how to define or improve user experiences in their relationship with CaixaBank and the | |||
CaixaBank Group companies. | |||
(ii) Details of the treatments for the commercial offer of CaixaBank products and services and the | |||
CaixaBank Group companies. | |||
By granting your consent to the purposes detailed here, you authorize us to: | |||
Send commercial communications both on paper and by electronic or telematic means, | |||
relating to the products and services that, at any given time: a) CaixaBank or any of | |||
the CaixaBank Group Companies b) market other companies in which CaixaBank owns and | |||
third parties whose activities are included between banking, investment services and | |||
insurer, shareholding, venture capital, real estate, roads, sale and distribution of | |||
goods and services, consulting services, leisure and charity-social. | |||
The signer will be able to choose at any time the different channels or means by which he wishes or not | |||
receive the indicated commercial communications through your digital banking, by exercising | |||
their rights, or through their management in the CaixaBank branch network ”. | |||
"(Iii) Transfer of data to third parties | |||
By granting your consent to the purposes detailed here, you authorize us to transfer your data to | |||
companies with which CaixaBank and / or the CaixaBank Group Companies have / n agreements, whose | |||
activities are included between banking, investment services and insurance, holding | |||
of shares, venture capital, real estate, roads, sale and distribution of goods and services, | |||
consulting, leisure and charity-social services, in order that these companies make you | |||
commercial offers of products marketed by them. | |||
In any case, once a transfer of data is produced by virtue of your authorization, the company receiving the | |||
communication would inform the signatory of the processing of their data and its origin ”. | |||
Likewise, the personal data of the clients who submit to the | |||
cited treatments: | |||
“A) All those provided in the establishment or maintenance of commercial or business relationships. | |||
b) All those generated in the contracting and operations of products and services with CaixaBank, | |||
with the CaixaBank Group Companies or with third parties, such as account or card movements, | |||
details of direct debits, payroll direct debits, claims derived from insurance policies | |||
insurance, claims, etc. | |||
c) All those that CaixaBank or the CaixaBank Group Companies obtain from the provision of | |||
services to third parties, when the service is intended for the signer, such as the management of | |||
transfers or receipts. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 122 | |||
122/177 | |||
d) Your status or not as a CaixaBank shareholder as recorded in the entity's records, or the | |||
entities that, in accordance with the securities market regulations, must carry the | |||
records of the values represented by book entries. | |||
e) Those obtained from the social networks that the signer authorizes to consult | |||
f) Those obtained from third parties as a result of requests for data aggregation | |||
requested by the signer | |||
g) Those obtained from the signer's navigations through the digital banking service and other websites of | |||
CaixaBank and the CaixaBank Group Companies or the CaixaBank mobile phone application and the | |||
Companies of the CaixaBank Group, in which duly identified operates. This data may include | |||
information related to geolocation. | |||
h) Those obtained from chats, walls, videoconferences or any other means of communication | |||
established between the parties. | |||
The data of the signer may be complemented and enriched by data obtained from companies | |||
providers of commercial information, by data obtained from public sources, as well as by data | |||
statistical, socioeconomic (hereinafter, "Additional Information") always verifying that these | |||
they comply with the requirements established in the current regulations on data protection ”. | |||
Based on this information, CAIXABANK limits the customer's options to the | |||
provision of your consent, separately, for each of the three purposes (i), (ii) and | |||
(iii) indicated. The summary of the statements made by the client in relation to these | |||
"Authorizations" is moved to the heading of the "Framework Contract", to the section relating to | |||
personal and economic data of the client, under the heading "Authorizations for the treatment | |||
of data ” . Here's an example: | |||
"Authorizations for data processing | |||
In the terms established in clause 8 and 9 of this Contract, your authorizations for the | |||
data processing are the following: | |||
Commercial purposes: | |||
. Purpose of studies and profiling: You have expressed your non-acceptance and consent to | |||
treatment of your data. | |||
. Purpose of communication of offers of products, services and promotions: You have | |||
expressed their non-acceptance and consent to contact for commercial purposes by | |||
any channel or medium, including electronic media. | |||
. Transfer of data to third parties: You have expressed your non-acceptance of the transfer to third parties of your | |||
data ” . | |||
Subsequently, from the checks carried out in the inspection carried out in | |||
date 11/28/2019 and the documentation provided by CAIXABANK with its written statement | |||
11/20/2019, it is found that a fourth consent has been added, regarding the treatment | |||
of biometric data: | |||
"4. Use of my biometric data (facial image, fingerprint, etc.) in order to verify my | |||
identity and signature: This authorization will be complemented in each case with the registration of the data | |||
biometric to use at all times. In order to verify the identity / signature of your clients, | |||
Caixabank uses biometric recognition methods such as facial recognition systems, | |||
fingerprint reading and the like. Currently, some of our ATMs already allow you to | |||
operations using these methods. | |||
() Yes, I accept the use of my biometric data | |||
( ) No". | |||
This Agency considers that said consents (four) do not meet the conditions | |||
for the expression of the interested party to be considered validly rendered, the | |||
that makes the data processing carried out by CAIXABANK illegal based on the | |||
consent of the interested party. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 123 | |||
123/177 | |||
The manifestation made by the client to give these consents may | |||
be considered an affirmative act, but not a manifestation of free, specific will, | |||
informed and unequivocal to accept the processing of personal data that | |||
concern, provided with sufficient guarantees to prove that it is aware of the fact that | |||
that you consent and to the extent that you do so. | |||
In this case, the consent cannot be considered free because with the signature of the | |||
contract, essential aspects related to the processing of their data are imposed on the client | |||
personal, reducing their ability to choose; How is the exchange of information that | |||
CAIXABANK performs with the entities that make up the CaixaBank Group, which will be analyzed | |||
later. | |||
On the other hand, as the mechanism for the provision of the | |||
consent, it has not been foreseen that the interested party expresses his option on all the purposes | |||
for which the data is processed. CAIXABANK carries out data processing that appears | |||
grouped in one of the purposes indicated, but that pursue a purpose other than | |||
those on which the interested party speaks. The list of treatments that | |||
said entity performs for each of the purposes on which the option is offered to the client | |||
to consent or not, in reality supposes an extension of the purposes, so the | |||
consent given cannot be considered specific as it has not been dissociated | |||
sufficiently requests for consent. | |||
CAIXABANK considers that the group of consents included in the clause | |||
8 is adequate and that all the treatments included in it are nuances of the same | |||
profiling, as can be seen with the convenient debuggers. | |||
This Agency does not share that opinion. It is discussed in section (i) about treatments | |||
for "the offer and design of products and services adjusted to the client profile" , on which the | |||
customer speaks. However, purposes such as “adjust measures | |||
recoveries on defaults and incidents derived from products and services | |||
contracted ” , “ analyze possible economic interdependencies in risk requests and | |||
contracting products " , " assessing the services received " or " designing new products or | |||
services, or improve the design and usability of existing ones, as well as define or improve the | |||
experiences of users in their relationship with CaixaBank and the Group Companies | |||
CaixaBank ” . | |||
Section (ii) groups the shipment in a single statement of will of the interested party | |||
of commercial communications related to CAIXABANK products and services, the | |||
CaixaBank Group companies and third parties. | |||
Consent must be given for all processing activities carried out with | |||
the same or the same purposes and, when the treatment has several purposes, the | |||
consent for all of them, although through a manifestation of expressed will | |||
for each of the purposes separately or differently, allowing the interested party to choose | |||
for choosing all, a part or none of them. As expressed in Recital 43, no | |||
consent can be understood to have been freely given by not being allowed to "authorize | |||
separately the different personal data processing operations despite being | |||
appropriate in the specific case ” . Recital 32 states that "consent must | |||
cover all processing activities carried out for the same purpose or purposes. When the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 124 | |||
124/177 | |||
processing has multiple purposes, consent must be given for all of them ” . | |||
“When the data processing is carried out for several purposes, the solution to meet | |||
with the conditions of valid consent lies in the granularity, that is, the | |||
separation of these purposes and obtaining consent for each purpose ” (Guidelines of the | |||
GT29). | |||
Understand that the provision of consent for those purposes implies the | |||
acceptance of all the treatments that are included within such purposes, when in | |||
In reality some of these treatments pursue different purposes, as has been said, not | |||
meets this requirement of separation of purposes and provision of consent for each | |||
one of them. | |||
In relation to the incorrect grouping of consents, a separate mention | |||
requires the indication contained in Clause 8 in relation to the first three | |||
treatments that are listed in section (i), according to which these treatments may be | |||
carried out in an automated manner and entail profiling. It is obvious that these | |||
Automated treatments require an explicit client consent that is not | |||
collected in legal form. | |||
Furthermore, the consent given is not considered informed. It has already been said here | |||
the importance of providing information to data subjects before obtaining their consent, | |||
essential so they can make decisions having understood what you are authorizing. Yes | |||
the person in charge does not provide accessible information, the user's control will be illusory and the | |||
Consent will not constitute a valid basis for the processing of the data. | |||
What is stated in Law Foundation IV, on the objections observed in the | |||
information that CAIXABANK provides regarding the protection of personal data, | |||
they equally affect the consent that could have been given. For this purpose, the | |||
observations or objections made in said Legal Basis on language | |||
employee, unclear and indeterminate information about data processing | |||
personal and the lack of a clear and intelligible formulation of the purposes for which | |||
will be used, as well as the lack of information on the specific categories of data that | |||
They will be treated for each of the specified purposes. | |||
These deficiencies prevent the interested parties from knowing the meaning and real meaning of | |||
the indications provided and the real scope of the consent they could give, | |||
making it invalid as it is not an informed consent, in relation to the | |||
data collection operations or data processing in respect of which | |||
appreciated those defects in the information, including the treatment of those data that | |||
have not been provided directly by the interested party or are not necessary for the | |||
compliance with the contractual relationship that binds you with the entity. | |||
The lack of information is evident if the process enabled by | |||
CAIXABANK to collect customer consents for the treatment of their | |||
personal data, either in person at the entity's offices, through the web portal | |||
(for new clients or through the personal area enabled on the web) or the application | |||
mobile. These procedures are outlined in detail in the Background of this act and | |||
in the Proven Facts. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 125 | |||
125/177 | |||
It is worth highlighting the collection of consents carried out in person at | |||
the entity's offices, which is formalized with the signing of the “Framework Contract”. CAIXABANK has | |||
introduced several modifications to this mechanism since the entry into force of the GDPR. | |||
In May 2018 (as stated in CAIXABANK's response dated 05/16/2018), the | |||
respective expressions of will of the interested party were expressed verbally in | |||
an employee-led interview, who fills in the options by checking the boxes | |||
corresponding on the respective screen, which are recorded in the document | |||
("Framework Contract") that is printed later, when the client has already spoken. | |||
It is proven that the verbal statements of the client expressing their options | |||
about the treatments and purposes indicated, as well as the signing of the document, are carried out without | |||
that he has had access to the information contained in the "Framework Contract". | |||
Subsequently, according to CAIXABANK, the entire network of | |||
digitizing tablets, enabling the "Framework Contract" and the "Contract | |||
Consents ”are signed, not on paper, but on the tablet itself. The "Framework Agreement" is | |||
subscribed by the client without having access to the document, which is to say that he lends his | |||
consent without CAIXABANK providing you with any information. | |||
(…) | |||
In the inspection carried out at CAIXABANK on 11/28/2019, a new | |||
change in the process described above, consisting of arranging for the delivery of a digital tablet | |||
the client so that he himself can mark the corresponding consent options, but | |||
does not modify the above circumstances. | |||
The system guides the manager throughout the process, advising him to consult the | |||
client their preferences and physically provide the tablet so that the client can proceed to | |||
mark your options. Once the preferences have been marked, the terminal itself tells you that | |||
These preferences have been registered and invites you to return the device to the manager (once | |||
Once the options have been selected by the customer, the indication "Mode | |||
Tablet ” and the following is stated: “ Your consents have been indicated. Thank you for your | |||
collaboration. Please return the Tablet to your manager ” ). Subsequently, “the manager finalizes and | |||
consolidates the document and facilitates it for the client to sign ” . | |||
The “Tablet Mode. Client ” do not contain any link to the | |||
information on the protection of personal data contained in the "Framework Agreement". | |||
During the registration process through the web, the system displays a screen that allows | |||
to the client to mark the options "Yes" or "No" for each one of the consents that are | |||
they request. This screen includes a symbol (i) that leads to another screen with a message | |||
on the information on data protection and a link that leads to it. | |||
However, the information offered is insufficient because it only collects the | |||
corresponding to clause 8 "Treatment and transfer of data for commercial purposes | |||
by CaixaBank and companies of the CaixaBank Group based on the consent ” of the Contract | |||
Framework. In this case, according to CAIXABANK, the signature screen includes a | |||
box to check "I have read and accept the contract" . | |||
The same objection about the information offered presents the process enabled for the | |||
provision of consents in the client's private space on the “Caixabank | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 126 | |||
126/177 | |||
Now ”and when he uses the mobile application, which redirects to the web portal. | |||
These processes do not ensure that the interested party accesses the information in a | |||
prior to selecting your consents and signing the document in all cases, which | |||
it occurs both in relation to the “Framework Agreement” and the “Consent Agreement”. | |||
Therefore, all the detailed treatments whose legal basis comes from | |||
determined, as expressed by the CAIXABANK entity itself, by the | |||
consent of the interested parties. | |||
On the issue analyzed in this section, regarding data processing | |||
based on the consent of the interested parties, CAIXABANK, in its writing of | |||
allegations to the proposed resolution, is limited to stating that the consents | |||
obtained are free, specific, unequivocal and sufficiently informed. Points out | |||
simply that the client has the absolute freedom to grant them or not, without consequences | |||
negative associated and without conditionalities, that there is no combination of different | |||
purposes under the same consent, and that the interested party gives their consent | |||
by affirmative action. | |||
However, it omits any justification for the irregularities that have been | |||
detailed and that support the conclusion on the lack of legal basis of the treatments | |||
that CAIXABANK performs based on consent. | |||
Faced with the important objections mentioned in relation to the treatments of | |||
data that pursue a purpose other than those on which the interested party lends his | |||
consent, CAIXABANK states that in Clause 8 of the "Framework Contract" and in the | |||
"Consent Agreement" breaks down the only three activities, three purposes, which are | |||
carried out under the protection of consent (the profiling of data to offer customers | |||
products that may be of interest to you; the choice of the communication channel of the offers; | |||
and the possibility of transferring the data to third parties). And he adds that those treatments on | |||
that the client has no opportunity to comment are not carried out (he does not say which ones), or | |||
are protected by another legal basis, or are simpler and more limited than the AEPD | |||
understands. | |||
It qualifies as an "error" that does not break the principle of specificity the fact of including | |||
within the examples some treatment operations that should have been included | |||
in other legal bases, among the treatments that are carried out based on the execution of the | |||
contracts or in compliance with laws. It adds that it has been corrected in the New Policy of | |||
Privacy including those activities in their respective and correct epigraphs (treatments | |||
in execution of a contractual relationship or by legal obligation). | |||
In this regard, in its fourth claim, when referring to the information on the | |||
profiling, also alleges this "error" and lists the processing operations | |||
which, in his opinion, have nothing to do with consent: | |||
“- To monitor the products and services contracted, which is clearly a treatment | |||
necessary for the execution of the contractual relationship as established in art. 6.1.b) | |||
- Adjust recovery measures on defaults and incidents derived from products and | |||
contracted services also clearly a necessary treatment for the execution of the relationship | |||
contractual as established in art. 6.1.b) | |||
- Associate your data with those of companies with which you have some type of link, both because of their relationship | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 127 | |||
127/177 | |||
property, as well as administration, in order to analyze possible economic interdependencies in | |||
the study of service offers, risk requests and product contracting, which is a | |||
Treatment necessary for the execution of the contractual relationship as established in art. 6.1.b), and | |||
mandatory to comply with Law 10/2014, of June 26, on Regulation, Supervision and Solvency of | |||
Credit Institutions, Law 44/2002, on Measures of Reform of the Financial System and others | |||
obligations and principles of the regulations on responsible lending, and whose | |||
detail is reported in the product requests that customers subscribe when requesting their | |||
hiring. | |||
- Carry out studies and automatic controls of fraud, defaults and incidents derived from | |||
products and services contracted, which is clearly a treatment based on the legitimate interest of | |||
CaixaBank, as established in art. 6.1.f), an interest that is summarized in the interest of avoiding fraud | |||
that suppose economic or reputational losses. | |||
- Conduct satisfaction surveys by telephone or electronic channel in order to assess | |||
the services received, which is a necessary treatment for the execution of the contractual relationship | |||
As established in art. 6.1.b), and linked to the authorization for the use of the specific channel. | |||
- Design products or services, or improve the design and usability of existing ones, as well as define or | |||
improve user experiences in their relationship with CaixaBank and the Group Companies | |||
CaixaBank, which is a treatment that is not carried out with personal data, if not by analyzing | |||
statistics and data added after anonymization processes ” . | |||
With this allegation it is being recognized that these operations have purposes | |||
other than those expressed in Clause 8 of the "Framework Contract" and in the "Contract of | |||
Consents ”under which are grouped the consents on which the | |||
client, and also that it is not true that the treatment activities mentioned in | |||
those documents can be grouped into the only three purposes that are broken down. Yes | |||
These treatments could have a legal basis other than consent, it is clear that | |||
They are different treatments and they pursue different purposes. This is evident if | |||
We consider that all the treatments to which CAIXABANK refers in its | |||
allegations, those collected in the previous list, are linked in Clause 8 of the "contract | |||
Marco ”to “ Data processing for commercial purposes by CAIXABANK and the companies | |||
of the CaixaBank Group ” , and “ the uses to be made ” are described as “ Treatments of | |||
analysis, study and monitoring for the offer and design of products and services adjusted to | |||
customer profile ” . | |||
There are, in addition, other data processing to which CAIXABANK does not refer in | |||
their allegations and that also require the consent of the interested party so that they can | |||
be carried out, such as the exchange of information with the companies of the Group. | |||
These are substantive defects, which affect the basic principle of the legality of the | |||
treatment. Therefore, CAIXABANK's approach, which claims | |||
avoid the liability that such non-compliance entails by alleging a mere error not | |||
reprehensible. | |||
Furthermore, this Agency does not agree that no effect can be attributed to this | |||
important irregularity, as CAIXABANK claims, assuming that the activities of | |||
processing of the data listed could find protection in another legal basis other than the | |||
consent. | |||
On the one hand, inaccurate information is being provided to interested parties about | |||
the legal bases on which the corresponding treatments are legitimized, which, | |||
undoubtedly, it affects the knowledge and expectations that stakeholders may have | |||
regarding the rights that correspond to them based on the different legal bases | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 128 | |||
128/177 | |||
involved and, ultimately, the control they can exercise over your personal data. So by | |||
For example, if an interested party does not consent to these treatments. | |||
On the other hand, it would be necessary, as has been seen here, a thorough analysis of all | |||
the concurrent circumstances in relation to the treatments intended to assess the | |||
relevance of the new legal basis that CAIXABANK indicates in its allegations, so | |||
that the alleged reasons cannot be given for good. | |||
This is evident in relation to the treatments that now, in their allegations, | |||
CAIXABANK intends to base on the legitimate interest of the person in charge (“ Carry out studies | |||
and automatic controls of fraud, defaults and incidents derived from the products and | |||
contracted services ” ) . Accepting this approach would be as much as admitting an interest | |||
legitimate occurrence, or later, with respect to which the requirements have not been respected | |||
provided for in the personal data protection regulations, in particular the obligation to | |||
weigh the rights and interests at stake, and about which is not informed in the Policy of | |||
Privacy. | |||
CAIXABANK also alleges that the treatments it performs to " Design products | |||
or services, or improve the design and usability of existing ones, as well as define or improve the | |||
experiences of users in their relationship with CaixaBank and the Group Companies | |||
CaixaBank ” , are not carried out with personal data, but rather by analyzing statistics and data | |||
added after anonymization processes. But it does not take into account that this activity | |||
involves two treatments, the one that gives rise to anonymous information (anonymization | |||
itself), subject to data protection regulations, and the treatment that is | |||
carry out with the data already anonymized, excluded from said regulations. So, also in | |||
In this case, it is necessary to have a legal basis to protect these data processing. | |||
It has been the CAIXABANK entity itself that arranged, in the design of its | |||
treatment operations, protect the aforementioned treatments in the consent | |||
above and is obliged, consequently, to comply with the demands that this entails. | |||
About the process enabled to grant consent in person at the office, | |||
reiterates that, after giving the consents (or not), the client accesses the full text of the | |||
contract so that you can read and review it, so that you may not ratify your choice and | |||
"Go back" . Finally, it points out that the AEPD omits the analysis of the process of collecting | |||
consents in the non-face-to-face channel (online banking) that he reviewed in the same | |||
inspection, in which it was demonstrated that the customer must necessarily access the | |||
information before giving consent. | |||
In relation to this issue, CAIXABANK does not take into account that the process for | |||
formalization of the “Framework Agreement” or the “Consent Agreement, and with it the | |||
provision of consent in person, has followed different operations throughout | |||
of the analyzed period. As has been stated, the provision by the client of the | |||
Consents requested by CAIXABANK, including the signing of the aforementioned documents, will be | |||
carried out without the information on the protection of personal data being made available | |||
customer's disposal. Even during the process called "Tablet Mode", which is | |||
refer the allegations, the client gives consent without receiving that information | |||
previously. | |||
This does not occur, as stated above, in the process of collecting | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 129 | |||
129/177 | |||
Consents during the registration process through the web and in the enabled mechanism | |||
in the client's private area on the “Caixabank Now” website. In this case, the information is | |||
offers the client before they check the options provided, but only the information | |||
corresponding to Clause 8 of the "Framework Contract", not all the information. | |||
These conclusions about the registration process through the web and the personal area of | |||
the clients were already exposed, in the same terms, in the resolution proposal. No | |||
It is understood, therefore, that CAIXABANK alleges that the AEPD has omitted the analysis of these | |||
consent collection processes. | |||
- b) Other processing of personal data based on the consent of the | |||
interested parties included in the "Consent Agreement". | |||
About the document called "Consent Agreement" serve all the | |||
observations and objections made in relation to Clause 8 of the “Framework Contract”, by the | |||
similarity of their contents and of the consent collection process, according to | |||
been exposed. | |||
However, it is worth highlighting two issues in relation to the “Contract of | |||
Consents ”or document of“ Authorization / revocation for the processing of data from | |||
personal character for commercial purposes by CaixaBank, SA and group companies | |||
CaixaBank ” : | |||
1. The information offered to the interested party is less than that offered in the "Framework Contract", | |||
since access is only given to a text similar to that of Clause 8 of said Contract. | |||
2. Another matter from which personal data processing without the consent of | |||
its holders have to do with the association of data of CAIXABANK clients with the | |||
of other clients with whom he has some kind of relationship, family or social, "for the purpose of | |||
analyze possible economic interdependencies in the study of service offers, | |||
risk requests and product contracting ” . This linking of customer data with | |||
personal data of third parties, which was added in the 3rd version of this document in the | |||
authorization (ii) of the section corresponding to purpose 1 ( “Analysis treatments, | |||
study and monitoring for the offer and design of products and services adjusted to the profile of | |||
client ” ), it cannot be carried out on the basis of the pronouncement that the | |||
client, who is not the owner of the data in question (it is personal data of third parties | |||
that are associated with customer data). | |||
- c) Processing of personal data based on the consent of the | |||
interested parties included in the "Social media contract". | |||
In relation to the processing of data obtained from social networks, they weigh | |||
objections to the consent given and the purposes intended with the | |||
treatment. In addition, the client consents through a single act and does so for treatments | |||
of data for various purposes: | |||
From the personal area of online banking, the client consents that CAIXABANK | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 130 | |||
130/177 | |||
Access and use information from social networks. The tool enabled for this requests the | |||
client that selects the network (Facebook, Twitter and LinkedIn), offers the information arranged | |||
by the entity in a text box and requires the interested party to press the button enabled with | |||
the text "Accept and continue . " With this single action, the client gives his consent to the | |||
collection of the personal data mentioned in that information, to the treatments | |||
that are detailed and for the different purposes indicated (this information consists of | |||
reproduced in full in Annex III): | |||
"By clicking on the" Accept and continue "button, you expressly consent that | |||
CaixaBank… incorporate the following personal data into files… with the | |||
purposes of | |||
a) contact you and send you commercial communications by electronic means | |||
related to products and services and / or any others that currently or in the future | |||
markets CaixaBank, and related to products and services of third parties whose activities | |||
are included in those indicated in the following section. | |||
b) communicate the data provided by you to Caixabank, SA, with NIF…, address | |||
at Av. Diagonal 621 08028 in Barcelona, and to companies and entities whose capital | |||
CaixaBank participates directly or indirectly, so that they can direct you | |||
commercial communications on paper and by electronic means about the products and | |||
services of their respective activities, including banking, | |||
investment and insured services, shareholding, venture capital, real estate, | |||
roads, sale and distribution of goods and services, consulting services, leisure and | |||
charity-social, as well as the communication of your data by said entities to | |||
Caixabank, for the purposes set forth in section a) above. | |||
c) validate, by the Customer Service in social networks, the data | |||
identification that you provide to the same, in order to meet the requests that | |||
You direct him. | |||
d) validate your identification data when you access other applications of | |||
CaixaBank through your Username (Twitter), your User ID | |||
(Facebook) or your registered User (Linkedin). | |||
e) contact you in the event that it was detected or there were founded | |||
suspicions in relation to a possible fraud or impersonation of your identity or activity in | |||
social networks, or in the use of CaixaBank channels or applications. | |||
Likewise, you expressly consent to CaixaBank's access to those contents and | |||
information that you have decided to make public at all times (and, where appropriate, to | |||
those contents and information whose access you have specifically allowed) in the | |||
social networks indicated, as well as the communication of the aforementioned information, to the | |||
companies and entities indicated in section b) above, for their treatment with the | |||
following purposes: | |||
(i) customization of commercial offers. | |||
(ii) profiling and segmentation based on the public information of your profile, | |||
in order to recommend and offer you the products and services that best suit your | |||
their preferences and needs ”. | |||
It is significant that some of the purposes are similar to those mentioned in the | |||
Clause 8 of the "Framework Agreement" and the "Consent Agreement" | |||
("Authorization / revocation") for which CAIXABANK provides that the interested party provide their | |||
specific consent and, instead, for the processing of personal data obtained | |||
of social networks the interested party consents to all treatments and for all purposes | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 131 | |||
131/177 | |||
by means of a single action, pressing the button enabled with the text “Accept and continue” . | |||
Another relevant issue has to do with the communication of data to companies and | |||
entities in whose founding capital CaixaBank participates directly or indirectly (in this | |||
In this case, it does not speak of the CaixaBank Group of companies, nor does it detail which companies it refers to), | |||
which also requires a specific statement from the interested party so that CAIXABANK | |||
can carry it out. | |||
Likewise, the fact that the consent obtained in relation to | |||
with the information obtained from social networks include data communications by the | |||
entities indicated in the paragraph before CAIXABANK. | |||
No comment includes CAIXABANK on the above circumstances in relation to | |||
with the "Social media contract", except for the indication that it was a project that did not have | |||
success and unsubscribed. | |||
- d) Processing of personal data based on the consent of the | |||
interested parties included in the "Aggregation service contract". | |||
The same can be said for the aggregation service. This service is provided by | |||
CAIXABANK at the request of the interested party and is formalized by signing the contract | |||
correspondent. | |||
In relation to the consent to the processing of data that the interested party | |||
provided with the hiring of this service weigh the same objections. Also in this | |||
case the client consents through a single act and does so for data processing with | |||
various purposes. | |||
The purpose of the relationship is to allow the contractor to manage and display | |||
on positions and movements of the products and services that it maintains with other | |||
financial entities. However, in accordance with the clauses provided in the model | |||
of the contract prepared by CAIXABANK, the signing of the document entails the provision of the | |||
Customer consent for data processing for different purposes, some of the | |||
which are presented as if it were the pure object of the contract, although they are more | |||
beyond the expressed object, with which they are not related. | |||
Thus, in section 2 of the Contract, in which its object is defined, it is indicated that the | |||
said service "also" aims, based on the aggregated information, "the | |||
personalization of commercial offers adjusted to the profile and situation of the contractor by | |||
from CaixaBank; the improvement of risk analysis and suitability for contracting products | |||
and services requested by the contractor; and the improvement of the management of defaults and incidents | |||
derived from the products and services contracted ”. | |||
Likewise, section 11 reports on two more purposes: | |||
a) the personalization of commercial offers adjusted to the profile and situation of the contractor by | |||
part of CaixaBank, in relation to its own products or those of third parties marketed by it. | |||
b) Conduct satisfaction surveys by telephone or electronic channel with the aim of | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 132 | |||
132/177 | |||
to assess the services received by CaixaBank ”. | |||
In this case, the interested party is warned that these are additional purposes that | |||
must expressly consent (it is expressed as follows: “Additionally, in the event that there is | |||
expressly consented, the data obtained may be processed with the following | |||
purposes… ” ). Considering the mechanisms enabled by CAIXABANK to provide the | |||
consent to which this clause refers, we understand that it refers to the | |||
expressions of will obtained through the "Framework Contract" or through the "Contract | |||
of Consents ”, and the objections to the consents obtained have already been indicated | |||
through these documents. In addition, in relation to what is expressed in the service contract | |||
of aggregation, it should be added that neither of these two documents | |||
consent of the client for the personalization of commercial offers adjusted to the profile and | |||
situation of the contractor by CAIXABANK, in relation to third-party products | |||
marketed by this entity. Therefore, CAIXABANK has not provided for the provision of the | |||
consent for the purpose a) indicated above in relation to third-party products. | |||
On the other hand, it should be noted that the purposes and treatments on which | |||
informs the aggregation service contract do not make any reference to the companies of the | |||
CaixaBank Group. Therefore, with the signing of this contract, it cannot be understood that the | |||
consent for the purposes indicated in the "Framework Contract" and in the "Contract of | |||
Consents ”, which include the use by those companies of the data collected | |||
on the occasion of this service. It is therefore an illegal communication of data. | |||
Finally, it is interesting to highlight one more observation about the object of the | |||
aggregation. According to the contract, this service is intended to manage and display | |||
information on positions and movements of products that the interested party maintains in | |||
other entities. However, despite this description of the object and the term "management" | |||
that is included, it is noted in the same document that the service does not allow | |||
operations or transactions on the products of third parties and that the provision | |||
of the same will be reflected in the possibility of the contractor to visualize through the bank | |||
digital aggregated information. | |||
Considering this limitation of the object, the data that is collected and the use that is | |||
intends to perform, it could be understood that the aggregation service rather seems to | |||
It was designed for the collection of information by the responsible entity. Even more so | |||
We consider that the contract itself provides that non-acceptance or subsequent opposition to the | |||
Processing of your data for the detailed purposes implies that CAIXABANK “will not be able to or | |||
(in your case) you must stop offering the aggregation service ” and that, in the event that the | |||
data are processed with the consent of the interested party, they may be processed as long as the | |||
consent, even after the contractual relationship has ended. | |||
CAIXABANK denies this observation, alleging that the Agency has not understood the | |||
nature of this service, which is provided for in the payment regulations and serves not to | |||
deposition the entity with respect to new actors. However, that conclusion is not | |||
It results from analyzing the nature of this service, but from the purposes, especially | |||
commercial or advertising, and the elaboration of profiles that were imposed as the object of the | |||
contract. | |||
That same payment regulation cited by CAIXABANK establishes the prohibition of | |||
use personal data for purposes other than the provision of the service. The Royal Decree- | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 133 | |||
133/177 | |||
Law 19/2018, of November 23, on payment services and other urgent measures in the field | |||
financial, refers to the rules of access to information related to payment accounts and | |||
to the use of that information. Specifically, in its article 39.1.f) it provides the following: | |||
"Article 39. Rules for access to information on payment accounts and use of such information in | |||
case of account information services. | |||
1. The payment service provider that provides the account information service: | |||
f) will not use, store or access any data, for purposes other than the provision of the service of | |||
information about accounts expressly requested by the user of the payment service, in accordance | |||
with the rules on data protection ” . | |||
In relation to the Aggregation Service Contract, and also with the Terms of | |||
Social Networks, CAIXABANK has indicated that the signing of these documents is | |||
complementary to the "Framework Contract", which in these additional documents does not obtain a | |||
new consent, which is granted in the "Framework Contract". | |||
This does not agree with what is expressed in those documents and in the "Contract | |||
Framework". This contract does not require the provision of any consent for the treatment | |||
of these data, but is limited to reporting on the use of data obtained from | |||
social networks and the aggregation service that the interested party has authorized. That | |||
authorization can only be provided by accepting the Social Media Terms | |||
and the signing of the Aggregation Service Contract in the manner indicated above. Specifically, the | |||
"Framework Agreement" indicates the following: | |||
" The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the offer | |||
commercial products and services will be: | |||
e) Those obtained from the social networks that the signer authorizes to consult | |||
f) Those obtained from third parties as a result of requests for data aggregation | |||
requested by the signer ”. | |||
Finally, it is interesting to note that the new Aggregation Service Contract does not | |||
includes the performance of data processing for the purposes indicated. Regarding | |||
commercial purposes, refers to the authorizations that the client has granted and | |||
advises on the possibility of managing them in the office, through digital or mobile banking. | |||
On the other hand, there is no evidence that the references contained in the "Contract | |||
Marco ”to the use of data obtained from this service have been adapted to changes in the | |||
Aggregation Service Contract. | |||
- Other processing of personal data without legal basis | |||
On the other hand, there are other data treatments that appear in the information that | |||
CAIXABANK facilitates its clients that they are carried out without any basis of legitimacy: | |||
As detailed in the previous Legal Basis, CAIXABANK uses data | |||
personal ( "movements", "receipts", "payroll", "claims" and "claims" ) generated in | |||
the contracting and operation of products and services contracted by the interested party with third parties | |||
( “All those generated in the contracting and operations of products and services… with the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 134 | |||
134/177 | |||
Companies of the CaixaBank Group or with third parties ” ). | |||
It follows that CAIXABANK, under the condition of data controller, | |||
collects and uses personal data that it does not obtain directly from the interested parties. Is about | |||
personal data from third parties that CAIXABANK uses for the purposes | |||
expressed in the information provided to the interested parties. | |||
There is no legal basis that legitimizes the use of these personal data. | |||
CAIXABANK is not the entity responsible for this data obtained from third-party products, | |||
which limits the possibility of using the information in question for their own purposes. | |||
Also in relation to this question it is necessary to take into account the limitations | |||
on the use of personal data imposed by Royal Decree-Law 19/2018 cited above. | |||
In its article 65 it expressly refers to the protection of personal data in the | |||
following terms: | |||
"Article 65. Data protection. | |||
1. The treatment and transfer of data related to the activities to which this real refers | |||
decree-law are subject to the provisions of Regulation (EU) 2016/679 of Parliament | |||
Council, of April 27, 2016, regarding the protection of natural persons in the | |||
regarding the processing of personal data and the free circulation of these data and by which | |||
repeals Directive 95/46 / CE and in the Spanish data protection regulations, and in the regulations | |||
national that develops it ”. | |||
- Processing of personal data based on the legitimate interest of the person in charge | |||
The analysis of this issue must initially take into account the provisions of the | |||
Article 1.2 of the RGPD, according to which “This Regulation protects the rights and | |||
fundamental freedoms of natural persons and, in particular, their right to protection | |||
of personal data ” . For this, all the circumstances that | |||
surround the collection and processing of data and the way in which they are fulfilled or reinforced | |||
the principles, rights and obligations required by the data protection regulations of | |||
personal character. | |||
Article 6 of the RGPD requires that the processing of personal data, to be | |||
lawful, can be protected by any of the bases of legitimacy that it establishes and that the | |||
responsible for the treatment is able to demonstrate that, indeed, it concurred in the | |||
processing operation the legal basis that it invokes (article 5.2, principle of | |||
proactive responsibility). | |||
The legal bases of the treatment that are detailed in article 6.1 RGPD are | |||
related to the broader principle of legality of article 5.1.a) of the RGPD, precept | |||
which provides that personal data will be treated " lawfully, loyally and transparently in | |||
relationship with the interested party ”. | |||
In relation to the legal basis of the legitimate interest, invoked by CAIXABANK to | |||
the treatments described, the aforementioned article 6 establishes: | |||
"1. The treatment will only be lawful if at least one of the following conditions is met: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 135 | |||
135/177 | |||
f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller | |||
of the treatment or by a third party, provided that the interests or the | |||
fundamental rights and freedoms of the interested party that require the protection of personal data, | |||
particularly when the interested party is a child ... ”. | |||
Recital 47 of the RGPD specifies the content and scope of this base | |||
legitimizing the treatment. | |||
The interpretive criteria that are extracted from this Considering are, among others, (i) | |||
that the legitimate interest of the controller prevails over the interests or rights and freedoms | |||
fundamentals of the data owner, in view of the reasonable expectations that the latter | |||
has, based on the relationship it maintains with the person responsible for the treatment; (ii) will be | |||
it is essential that a “ meticulous evaluation ” of the rights and interests at stake be carried out, | |||
also in those cases in which the interested party can reasonably foresee, in | |||
the moment and in the context of the data collection, that the treatment with | |||
such an end; (iii) the interests and fundamental rights of the owner of the personal data could | |||
prevail over the legitimate interests of the controller when the data is processed | |||
is carried out in such circumstances in which the interested party " does not reasonably expect" that | |||
a further processing of your personal data is carried out. | |||
It should be added that the interested party, in all cases, can exercise the right to | |||
opposition, which also involves a new evaluation of the interests of the controller and owner | |||
of the data, except in cases of commercial prospecting, in which the exercise of the right | |||
forces to interrupt the treatments without any evaluation (article 21.3 of the RGPD). | |||
It is interesting to highlight some aspects collected in Opinion 6/2014 prepared by the | |||
Article 29 Working Group on the “ Concept of legitimate interest of the person responsible for the | |||
processing of data under article 7 of Directive 95/46 / CE ", dated | |||
04/09/2014, especially the factors that can be valued when the | |||
mandatory weighing of the rights and interests at stake. Although Opinion 6/2014 was | |||
issued to favor a uniform interpretation of Directive 95/46 then in force, | |||
repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the | |||
RGPD, and that the reflections offered are an example and application of principles that inspire | |||
also the RGPD, such as the principle of proportionality, or general principles of the | |||
Community law, such as the principles of equity and respect for the law and the law, | |||
many of his reflections can be extrapolated to the application of current regulations. | |||
As indicated, so that section f) of article 6.1. RGPD may constitute | |||
the legitimizing basis for the processing of personal data that is carried out, mandatory, | |||
and prior to the treatment, a weighting, an “evaluation | |||
meticulous ” , of the rights and interests at stake: the legitimate interest of the person responsible for the | |||
treatment, on the one hand, and on the other, both the interests and the rights and freedoms | |||
fundamentals of those affected. Weighting that is essential, because only when I eat | |||
As a result, the legitimate interest of the data controller prevails over the | |||
rights or interests of the owners of the data may operate as legal basis of the | |||
treatment of the aforementioned interest. | |||
Regarding the weighting test, the repeated Opinion indicates the following: | |||
"The legitimate interest of the person responsible for the treatment, when it is minor and not very pressing, in general, | |||
only nullifies the interests and rights of data subjects in cases where the impact on these | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 136 | |||
136/177 | |||
rights and interests are even more trivial. On the other hand, an important and compelling legitimate interest | |||
may, in some cases and subject to guarantees and measures, justify even a significant intrusion into | |||
privacy or any other significant impact on the interests or rights of the interested parties. | |||
Here it is important to highlight the special role that guarantees can play in reducing a | |||
undue impact on data subjects and therefore to change the balance of rights and interests | |||
to the extent that the legitimate interest of the data controller prevails. By | |||
Of course, the use of guarantees alone is not sufficient to justify any type of | |||
treatment in any context. Furthermore, the guarantees in question must be adequate and | |||
sufficient, and must, unquestionably and significantly, reduce the repercussion for the interested parties ” . | |||
The aforementioned Opinion refers to the multiple factors that can operate | |||
in the weighting of the interests at stake and groups them into these categories: | |||
(a) the evaluation of the legitimate interest of the controller, the nature and source | |||
of legitimate interest and if the data processing is necessary for the exercise of a right | |||
fundamental, is otherwise in the public interest or benefits from recognition of the | |||
affected community; | |||
(b) the impact or repercussions on data subjects and their reasonable expectations about what | |||
will happen to your data ( “what a person considers reasonably acceptable under | |||
circumstances ” ), as well as the nature of the data and the way in which they are | |||
processed; underlining that the claim is not that the data processing carried out by the | |||
responsible does not have any negative impact on the interested parties but prevent the | |||
impact is “ disproportionate ”; | |||
(c) the provisional equilibrium and | |||
(d) additional guarantees that could limit an undue impact on the interested party, such | |||
such as data minimization, privacy protection technologies, increased | |||
transparency, the general and unconditional right to opt-out and the | |||
data portability. | |||
First of all, the Opinion underlines that the implication that the person responsible for the | |||
treatment may have in the data processing carried out is that of "interest", which is already | |||
referenced in the previous Legal Basis to indicate that it is related to | |||
purpose, but it is a broader concept ( “purpose is the specific reason why | |||
process the data: the purpose or intention of the data processing. One interest for another | |||
On the other hand, it refers to a greater involvement that the controller may have in the | |||
treatment, or the benefit that the controller obtains from the treatment ” ). | |||
It is also broader than that of fundamental rights and freedoms, hence, regarding | |||
those affected are weighed not only their fundamental rights and freedoms, but also their | |||
"Interests" . | |||
According to GT29, “an interest must be articulated with sufficient clarity to | |||
allow the balancing test to be carried out against the interests and | |||
fundamental rights of the interested party. Furthermore, the interest at stake must also be | |||
pursued by the controller. This requires a real and current interest, which is | |||
corresponds to present activities or benefits that are expected in a very future | |||
next. In other words, interests that are too vague or speculative are not | |||
they will be enough ” . | |||
In addition, the "interest" of the data controller, as established in article 6.1.f) | |||
of the RGPD and before article 7.f) of the Directive, it must be "legitimate" , which means, says the | |||
Opinion, which must be "lawful" (respectful of applicable national and EU legislation). | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 137 | |||
137/177 | |||
However, the WG29 adds that “The legitimacy of the interest of the data controller | |||
it is only a starting point, one of the elements that must be analyzed under article | |||
7, letter f). Whether Article 7, letter f) can be used as a legal basis or not will depend | |||
the result of the next balancing test ”; "If the interest pursued by the | |||
controller is not compelling, it is more likely that the interest and rights | |||
of the interested party prevail over the legitimate - but less important - interest of the | |||
responsible for the treatment. Similarly, this does not mean that less interest | |||
compelling of the data controller cannot sometimes prevail over the interests | |||
and rights of the data subjects: this normally happens when the impact of the treatment | |||
about stakeholders is also less important ” . | |||
And exposes the following example: | |||
"Serve as an example: those responsible for the treatment may have a legitimate interest in knowing the | |||
preferences of your customers so that this allows them to better personalize their offers and, ultimately | |||
term, offer products and services that better respond to the needs and desires of your | |||
customers. In light of this, Article 7 (f) may constitute an appropriate legal basis in | |||
some types of market activities, online and offline, provided that | |||
adequate guarantees (including, but not limited to, a viable mechanism that allows to oppose the treatment | |||
by virtue of article 14, letter b), as will be explained in section III.3.6 The right to object and | |||
beyond). | |||
However, this does not mean that data controllers can refer to article 7, | |||
letter f), as a legal basis for improperly monitoring online and offline activities | |||
of your customers, combining huge amounts of data about them, from different | |||
sources, which were initially collected in other contexts and for different purposes, and create -and, for | |||
For example, with the intermediation of data brokers, also trade with them - complex profiles | |||
of the personalities and preferences of customers without their knowledge, without a viable mechanism of | |||
opposition, not to mention the absence of informed consent. It is likely that said | |||
profiling activity represents a significant intrusion on customer privacy and, | |||
When this happens, the interests and rights of the interested party will prevail over the interest of the | |||
responsible for the treatment ” . | |||
Ultimately, the concurrence of said interest in the data controller does not | |||
necessarily means that article 6.1 f) RGPD can be used as a basis | |||
legal treatment. Whether or not it can be used as a legal basis | |||
it will depend on the result of the balancing test. | |||
In addition, the treatment must be that necessary to satisfy the legitimate interest | |||
pursued by the person in charge, so that less invasive means are always preferred | |||
to serve the same purpose. Need means here that the treatment is essential | |||
for the satisfaction of the aforementioned interest, so that, if said objective can be achieved | |||
reasonably otherwise less impactful or intrusive, the interest | |||
legitimate cannot be invoked. | |||
The term “ need ” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a | |||
own and independent meaning in Community legislation. It is a " concept | |||
autonomous community law ” (STJUE of 12/16/2008, case C-524/2006, section | |||
52). On the other hand, the European Court of Human Rights (ECHR) has also offered | |||
guidelines for interpreting the concept of need. In section 97 of its Judgment of | |||
03/25/1983 states that the " necessary adjective is not synonymous with" indispensable "nor does it have the | |||
flexibility of the expressions “admissible,“ ordinary ”,“ useful ”,“ reasonable ”or“ desirable ”. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 138 | |||
138/177 | |||
On the impact or repercussion that the data processing has on the interests or | |||
fundamental rights and freedoms of the interested parties, indicates that the more "negative" or | |||
“Uncertain” may be the impact of treatment, it is more unlikely than treatment in its | |||
set may be considered legitimate. | |||
“The Task Force makes it clear that it is crucial to understand that relevant 'impact' is a | |||
much broader concept than damage or harm to one or more stakeholders in particular. The term | |||
'Impact' as used in this Opinion covers any possible consequences (potential or actual) | |||
of data processing. For the sake of clarity, we also emphasize that the concept is not | |||
related to the notion of violation of personal data and is much broader than the | |||
repercussions that may arise from said violation. On the contrary, the notion of impact, such as | |||
used here, it encompasses the various ways in which an individual may be affected, positively or | |||
negatively, due to the processing of your personal data ”. | |||
“In general, the more negative and uncertain the impact of treatment may be, the more unlikely it is. | |||
that the treatment is considered, as a whole, legitimate. The availability of alternative methods for | |||
achieve the objectives pursued by the data controller, with less negative impact | |||
on the interested party, should, without a doubt, be a pertinent consideration in this context ”. | |||
As sources of potential repercussions for stakeholders he cites the probability | |||
that the risk may materialize and the seriousness of the consequences, noting that | |||
this concept of “severity may take into account the number of potentially | |||
affected ” . | |||
The assessment of the nature of the personal data that has been | |||
object of treatment ) , if the data has been made available to the public by the interested party or | |||
by a third party, a fact - says the Opinion - that can be an evaluation factor especially | |||
whether the publication was carried out with a reasonable expectation of data reuse | |||
for certain purposes: | |||
“… Does not mean that data that appears in and of itself innocuous can be processed | |||
freely ... even such data, depending on how it is processed, can have an impact | |||
significant about people ”. | |||
The way in which the person in charge treats the data; whether they have been disclosed to the public or | |||
have been made available to large numbers of people or if large amounts of data are | |||
process or combine with other data ( “for example, in the case of profiling, with | |||
commercial purposes, for purposes of compliance with the law or others ” ). On this question it is said: | |||
“Apparently innocuous data, when treated on a large scale and combined with other data, | |||
can lead to interference with more sensitive data, as demonstrated in Scenario 3 above, | |||
which gives as an example the relationship between pizza consumption patterns and insurance premiums for | |||
healthcare. | |||
In addition to potentially leading to the processing of more sensitive data, such analysis may | |||
also lead to strange, unexpected and sometimes inaccurate predictions, for example, concerning the | |||
behavior or personality of the affected persons. Depending on the nature and | |||
impact of these predictions, this can be highly intrusive in the privacy of the person ” . | |||
All this, without forgetting the reasonable expectations of the interested parties: | |||
“… It is important to consider whether the position of the data controller, the nature of the relationship or | |||
the service provided, or the applicable legal or contractual obligations (or other promises made | |||
at the time of data collection) could give rise to reasonable expectations of a | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 139 | |||
139/177 | |||
stricter confidentiality and stricter limitations on further use. Usually, | |||
the more specific and restrictive the context of data collection, the more constraints it is | |||
likely to be used. In this case, again, it is necessary to take into account the factual context and not | |||
simply rely on the fine print of the text ” . | |||
The Opinion also considers pertinent when evaluating the impact of the treatment to analyze the | |||
position of the data controller and the interested party; your position may be more or less | |||
dominant with respect to the interested party depending on whether the person responsible for the treatment is a | |||
person, a small organization or a large company, even a multinational company: | |||
“A multinational company may, for example, have more resources and bargaining power than the | |||
individual data subject and may therefore be in a better position to impose on the data subject | |||
what you think is your "legitimate interest". This may be all the more so if the | |||
company has a dominant position in the market ” . | |||
When weighing the interests and rights at stake, the GT29 understands that the | |||
compliance with the general obligations imposed by the regulations, including the principles | |||
proportionality and transparency, help to ensure that the requirements are met | |||
legitimate interest. Although, it clarifies that this does not mean that the fulfillment of those | |||
horizontal requirements, by itself, are always sufficient. | |||
If, finally, after the evaluation, it is not clear how to achieve equilibrium, the | |||
taking additional guarantees can help reduce undue impact and ensure | |||
that the treatment may be based on legitimate interest. As additional measures | |||
includes, for example, the facilitation of voluntary and unconditional exclusion mechanisms, | |||
or increased transparency: | |||
“The concept of responsibility is closely linked to the concept of transparency. With the purpose of | |||
allow data subjects to exercise their rights and allow wider public scrutiny for | |||
part of the interested parties, the Working Group recommends that those responsible for the treatment | |||
explain to stakeholders clearly and easily the reasons why they believe their interests | |||
prevail over the interests or fundamental rights and freedoms of the interested parties, and | |||
also explain to them the guarantees they have adopted to protect their personal data, including, | |||
where appropriate, the right to opt out of treatment ”. | |||
"As explained on page 46 of Opinion 3/2013 of the Working Group on the limitation of | |||
purpose (cited in footnote 9 above), in the case of profiling and taking | |||
automated decisions, interested parties or consumers must be given access to their profiles to | |||
guarantee transparency, as well as the logic of the decision-making process (algorithm) that gave | |||
place to the development of said profiles. In other words: organizations should disclose their | |||
criteria for decision making. This is a fundamental guarantee and is especially | |||
important in the world of big data. Whether or not an organization offers this | |||
Transparency is a very pertinent factor that should also be considered in the proof of | |||
balancing ”. | |||
By referring to the right to object and the opt-out mechanism or right | |||
unconditional opposition, the WG29 reflects on advertising based on profiles of the | |||
client, which requires a follow-up of the activities and personal data of the | |||
interested parties, which are analyzed with sophisticated automated methods. He concludes the following: | |||
“In this sense, it is useful to recall the Opinion of the Working Group on the limitation of the | |||
purpose, where it was specifically stated that when an organization wishes to analyze or predict | |||
specifically the personal preferences, behavior and attitudes of customers | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 140 | |||
140/177 | |||
individuals that will subsequently motivate the «decisions or measures» adopted in relation to | |||
such clients ... free, specific, informed and informed consent should almost always be required | |||
unequivocal of "voluntary inclusion", since otherwise the reuse of the data may not | |||
considered compatible. Most importantly, such consent should be required, for | |||
For example, for tracking and profiling for prospecting, advertising | |||
behavioral, data marketing, location-based advertising, or digital research | |||
market based on monitoring ” . | |||
The information included in the "Framework Agreement" on | |||
these data processing based on the legitimate interest of CAIXABANK: | |||
“7.3.5 Treatments based on legitimate interest | |||
Unless you have told us, or tell us otherwise in the future, we will send you updates and | |||
information about products or services similar to those you already have contracted. | |||
We will also process your information (account movements, card movements, loans, etc.) | |||
to personalize your commercial experience in our channels based on previous uses, to | |||
offer you products and services that fit your profile, to apply benefits and promotions that | |||
we have in force and to which you are entitled, and to assess whether we can assign you credit limits | |||
pre-granted that you can use when you consider it most appropriate. | |||
In these treatments we will only use information provided by you, or generated from the | |||
own products contracted during the last year. | |||
If you do not want these treatments to be carried out, you can object to them | |||
communicating it to us in any of our offices, in the P.O. Box nº 209 of Valencia | |||
(46080), at the electronic address www.CaixaBank.com/ejerciciodederechos, or through the options | |||
enabled for this purpose in their digital banking and in our mobile applications ”. | |||
For any other commercial use, consent will be requested, as established in clause | |||
following. | |||
According to CAIXABANK, legitimate interest is the legal basis for the processing that | |||
carried out with the "commercial purposes" indicated in section 7.3.5 of the "Framework Contract" | |||
(erroneously included within the subsection dedicated to "Data processing of | |||
personal character for regulatory purposes ” ) and section 03 of the“ Privacy Policy ” | |||
(with content similar to the above): sending information and updates about | |||
products or services similar to those that the client already has contracted; customize the | |||
customer's commercial experience in the entity's channels based on previous uses, to | |||
offer you products and services that fit your profile, to apply benefits and | |||
promotions that we have in force and to which you are entitled, and to evaluate if we can | |||
assign you pre-granted credit limits that you can use when you consider it most | |||
timely. | |||
However, as stated in the previous Legal Basis, it has | |||
it has been proven that CAIXABANK carries out other processing of personal data based on | |||
to the legitimate interest that are not known by the client, which is not informed in any case, and | |||
that, due to the breadth of personal data used and the different purposes for which | |||
are treated, affect multiple aspects of the client's personal life, so such | |||
treatments are considered illegal. Among them the following were mentioned: | |||
(…) | |||
In relation to the processing of data for commercial purposes based on interest | |||
legitimate referred to in the "Framework Agreement" and in the "Privacy Policy", | |||
During the testing phase, (…), CAIXABANK has stated that they are not taking | |||
carry out the following treatments: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 141 | |||
141/177 | |||
. Sending information about products or services similar to those that you already have contracted or | |||
information that we believe may be of interest to you, or that we believe may have a | |||
reasonable expectation of receiving. | |||
. Study of the information that we have about you (account movements, card movements, | |||
loans, etc.) to personalize your experience with the Entity, for example by first showing | |||
in ATMs and websites their most common operations, or offering products and services that are | |||
adjust to your profile and apply the benefits and promotions in force at all times. | |||
However, in its brief of allegations, (…), according to which the data of those | |||
clients who have not consented to the processing of their data for commercial purposes, or have | |||
previously given consent for this has been revoked, they are not treated on the basis of | |||
legitimate interest. It adds that it only processes personal data in | |||
relationship with those who were asked and did not answer, that is, who have not signed the | |||
"Framework Agreement" nor the "Consent Agreement". From what follows that it is | |||
performing these personal data processing. | |||
(…) | |||
In relation to these treatments with "commercial purposes" based on the interest | |||
legitimate, it was also indicated when dealing with the duty of information, that they are similar to | |||
treatments that CAIXABANK protects in the consent of the client and the consequences that | |||
arise from this circumstance in relation to the validity of these treatments. | |||
Specifically, the realization of personalized offers, the application of benefits and | |||
promotions or the allocation of pre-granted credits, are data processing similar to | |||
those outlined by citing other purposes based on consent ( “Studying products or | |||
services that can be adjusted to your profile and specific business or credit situation, all | |||
this to make commercial offers tailored to your needs and preferences ” ), | |||
motivating that the description of the purposes and enumeration of data processing | |||
contained in the information offered causes confusion to the interested parties. Of this | |||
Thus, data processing based on legitimate interest similar to that of | |||
others carried out on the basis of the client's consent, which, moreover, is not | |||
lend in a valid way, as discussed above. It could lead to a situation in | |||
which data processing is carried out based on the legitimate interest that would have been | |||
denied by the affected party. | |||
On the other hand, taking into account that CAIXABANK records personal data “from | |||
Commercial Relations, or Commercial Relations of CAIXABANK and the companies of the | |||
Grupo CaixaBank with third parties ” , it is not possible to understand whether the sending of “ information and | |||
updates about products or services similar to those who have already contracted " are | |||
refers to own products, those of Group companies or third parties. Serve in this regard | |||
same observations already expressed previously on the use of data collected from | |||
products of the Group companies or third parties. | |||
It was also said that the information provided does not specify any legitimate interest of | |||
CAIXABANK, which is limited to indicating the data processing carried out with this database | |||
legal. Therefore, the circumstances expressed in the Law Foundation are reiterated | |||
on the lack of justification of the legitimate interest sufficiently to allow the proof of | |||
balance between the interest of the person in charge and the rights of the interested party to determine | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 142 | |||
142/177 | |||
those that prevail, necessary to determine the legality of the treatments carried out | |||
Here we reiterate what has already been indicated about the insufficient information provided on the | |||
categories of data that will be used and on the determination of the purposes, or on the | |||
types of profiles that will be made and the specific uses and applications that will be | |||
those profiles; and, especially, the lack of information on the specific interest of the | |||
responsible, that is not expressed, due to the limitations and difficulties, if not impediment, that | |||
supposes at the time of realizing an evaluation on the concurrence of an interest | |||
legitimate prevalent, real and not speculative. | |||
And also what has already been indicated about the language used; the indefiniteness of the purposes | |||
for which the personal data will be used ( "know the customer better" and "improve the | |||
products and services ” or “ develop the business model ” , etc.) and the exhaustive analysis of the | |||
information related to clients that carry such purposes; or about the types of profiles | |||
to be carried out and the specific uses and applications that will be given to these profiles. | |||
Carrying out the weighting judgment in this case also requires assessing the breadth | |||
of the types of data that are collected by CAIXABANK, and make said assessment | |||
in conjunction with the highlights in the preceding paragraphs, especially with the | |||
uncertainty of the purposes for which personal data are processed. | |||
This has the consequence that the treatments carried out are not | |||
predictable for an average citizen. | |||
This being the case, it is impossible for the interested party, or this supervisory authority, to be able to | |||
assess whether the processing operations carried out are necessary, or if, on the contrary, | |||
The same result could be obtained by less invasive means; nor can it be concluded, | |||
even less, that the interest invoked is prevalent. | |||
This legal basis requires the existence of real interests, not speculative and that, | |||
Also, they are legitimate. And not only the existence of that legitimate interest means that they can | |||
perform those treatment operations. It is also necessary that these treatments | |||
are necessary to satisfy that interest and consider the repercussion for the interested party. In | |||
In this case, a data combination is carried out whose scope has not been defined and is | |||
perform profiling operations to offer products and services that conform to said | |||
profile, to apply benefits and promotions that CAIXABANK has in force and to which | |||
the client has the right, and to evaluate whether it is possible to assign credit limits | |||
that you can use when you see fit. Therefore, the intrusion | |||
the privacy of the interested party may be high and the effects may have repercussions | |||
negatively. | |||
Considering the limitations set forth, suitability is not credited (if the measure | |||
allows to achieve the proposed objective); need (that there is no other measure more | |||
moderate); proportionality in the strict sense (more benefits or advantages than damages), | |||
the data processing indicated above. | |||
In addition to the above, the following circumstances are taken into account: | |||
. The lack of transparency about the logic of the treatment consisting in the preparation of | |||
profiling, which can lead to product discrimination and impact | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 143 | |||
143/177 | |||
financial potential that may have the character of excessive. | |||
. The high number of affected, as well as the large amount of data that is processed and | |||
combined with other data. Said combination of data, due to the lack of definition of the data that | |||
will be used, does not respect the aforementioned proportionality nor does it allow the weighing judgment | |||
necessary to assess the concurrence of a legitimate interest that justifies the treatment of | |||
the data. | |||
. The dominant position of the person in charge over the interested party, due to his condition of great | |||
company and one of the market leaders in its sector. | |||
A special importance must also be given to the absence of measures or | |||
additional guarantees that, although not required by the applicable regulations, are | |||
consider a good practice that favors the appreciation of the legitimate interest of the | |||
responsible when in the weighing judgment it was not clear how to achieve equilibrium, | |||
to the extent that they reduce the impact of the treatment on the privacy of the interested party. | |||
Among them, the increased transparency and the enabling of mechanisms | |||
opt-out. | |||
Regarding transparency, CAIXABANK does not make available to interested parties the | |||
Report on the weighting of legitimate interest or impact assessments. | |||
Neither does CAIXABANK offer opt-out mechanisms. It is limited to inform | |||
on the possibility of exercising the right of opposition, which is nothing but a requirement | |||
normative. This right requires a new weighting, in accordance with the provisions of the | |||
Article 21 of the RGPD ( “the data controller will stop processing personal data, | |||
Unless it proves compelling legitimate reasons for the treatment that prevail over | |||
interests, rights and freedoms of the interested party ” ) and has nothing to do with the | |||
opt-out or unconditional opt-out mechanisms are recommended. | |||
In summary, contrary to what was stated by CAIXABANK in its allegations, of | |||
In accordance with the foregoing, it is proven that this entity performs data processing | |||
personal data of its clients based on legitimate interest, including treatment with | |||
commercial purposes. | |||
On the other hand, for the reasons stated, it has not been proven that the interest | |||
that CAIXABANK claims to prevail over the interests and rights and | |||
fundamental freedoms of clients; and the guarantees offered are not sufficient to | |||
bridging the imbalance that occurs with these data processing operations | |||
personal. | |||
Consequently, it must be concluded that the legitimate interest of CAIXABANK does not prevail | |||
as a legitimate basis for the treatment. | |||
CAIXABANK alleges that the AEPD concludes that it is not possible to determine suitability, | |||
necessity and proportionality of these treatments, and that the intrusion into the privacy of the | |||
interested can be high, without providing any evidence in this regard. However, it is a | |||
CAIXABANK to whom it corresponds to prove the concurrence of the legitimate interest for the | |||
data processing operations that you intend to base on this legal basis, to | |||
who corresponds to specify the interest pursued and make the weighing judgment that | |||
justify. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 144 | |||
144/177 | |||
Also in relation to this question, it refers to the changes introduced in the | |||
New Privacy Policy, implying with these alleged corrections that no | |||
there are responsibilities to be demanded from the facts analyzed, which must be rejected | |||
absolutely by inappropriate. Specifically, it alleges that it has proceeded to eliminate the | |||
treatment based on legitimate interest for commercial purposes, but omits any | |||
reference to the rest of the circumstances that determine the illegality of the treatments analyzed | |||
in this section and that they are not carried out exclusively for commercial purposes. | |||
Finally, it should be noted that the conclusion obtained from this examination does not contradict what | |||
expressed in the Report of the Legal Office of the AEPD 195/2017, to which it refers | |||
CAIXABANK, both in the aforementioned impact assessment, which contains the report of | |||
weighting of the legitimate interest, as in its brief of allegations. | |||
The premises evaluated in said report do not conform to the present assumption, in the | |||
that detailed personal data processing has a much broader purpose | |||
that those analyzed in said report regarding the purposes of the treatment as the | |||
information or personal data used. | |||
- Other processing of personal data without legal basis. Communication of data to | |||
CaixaBank Group companies. | |||
On the other hand, it is also necessary to analyze the transfer of data to Group companies | |||
CaixaBank that is included in the “Framework Agreement”, about which the interested party is not consulted. | |||
It is reiterated here that said document is presented as mandatory subscription for | |||
the client, expressly stating that the signature of the document supposes that it "knows, | |||
understand and accept its content ” . It is also established that the terms and conditions are | |||
of general application to all "commercial relationships" of the interested party "with CaixaBank and | |||
the CaixaBank Group companies, and therefore, the subscription and validity of this | |||
Contract, respecting the corresponding rights of choice that for the Signatory | |||
grant the clause, it is necessary for the contracting and maintenance of contracts of | |||
products or services ” . | |||
In the same section relating to the object of the contract, it indicates that "informs and regulates" | |||
about "authorizations for the use of data of the signer to carry out activity | |||
commercial of CaixaBank and the companies of the CaixaBank Group ” . | |||
Allusions to the CaixaBank Group companies occur throughout the entire | |||
"Framework Contract" and place it, practically, at the same level of intervention as | |||
CAIXABANK: | |||
"7.1 Processing of personal data in order to manage the Relationships | |||
Commercial. | |||
The personal data of the Signatory, both those that the same contribution, as those derived | |||
of the Commercial Relations, or Commercial Relations of CaixaBank and the companies of the Group | |||
CaixaBank with third parties and those made from them, will be incorporated into files owned by | |||
CaixaBank and the CaixaBank Group companies that are holders of the Commercial Relations… ”. | |||
8. treatment and transfer of data for commercial purposes by CAIXABANK and the companies of the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 145 | |||
145/177 | |||
CaixaBank Group based on consent | |||
This document will include on its first page, under the heading of authorizations for the | |||
data processing, the authorizations that you grant us or revoke us in relation to: | |||
(i) The data analysis and study treatments for commercial purposes by CaixaBank and companies | |||
of the CaixaBank Group | |||
(ii) The treatments for the commercial offer of products and services by CaixaBank and the companies of the | |||
CaixaBank Group | |||
(iii) The transfer of data to third parties | |||
In order to make a global offer of products and services available to you, your authorization to | |||
(i) data analysis and study treatments, and (ii) for the commercial offer of products and | |||
services, if granted, will include CaixaBank, and the companies of the CaixaBank group | |||
detailed at www.CaixaBank.es/empresasgrupo (the “CaixaBank Group companies”) who | |||
They can share and use them for the indicated purposes. | |||
The authorizations you grant will remain in effect until they are revoked or, in the absence of | |||
this, until 6 months after you cancel all your products or services with the | |||
Entity. | |||
The detail of the uses of the data that will be carried out in accordance with your authorizations is as follows ... (already | |||
detailed above) ”. | |||
"The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the offer | |||
commercial products and services will be ... (already detailed above) " | |||
"11.3 Data Conservation Period ... | |||
In accordance with the regulations, the data will be kept for the sole purpose of complying with those | |||
legal obligations imposed on CaixaBank and / or Group Companies… ”. | |||
The "Privacy Policy" also refers to the "exchange of commercial information | |||
among the CaixaBank Group companies ” . | |||
The concept of "Business Group" is defined in point 19 of article 4 of the RGPD: | |||
<< "Business group": group made up of a controlling company and its companies | |||
controlled >> . | |||
On the scope to be attributed to this concept from the point of view of the | |||
RGPD, it is necessary to consider what is stated in Considerations 37 and 48 of said | |||
Regulation: | |||
“(37) A business group must be constituted by a company that exercises control and the | |||
controlled companies, and it must be the company that exercises control that can exercise a | |||
dominant influence in the other companies, for reasons, for example, ownership, participation | |||
financial, rules by which it is governed, or power to enforce data protection rules | |||
personal. A company that controls the processing of personal data in companies that | |||
they are affiliated should be considered, together with such companies, a 'business group' ”. | |||
"(48) Those responsible who are part of a business group or entities affiliated with a | |||
central body may have a legitimate interest in transmitting personal data within the group | |||
business for internal administrative purposes, including the processing of personal data of customers | |||
or employees. The general principles applicable to the transmission of personal data, within a | |||
business group, a company located in a third country are not affected " . | |||
The CaixaBank Group, in principle, can be understood within this concept, from | |||
the point of view of the protection of personal data, with the entity CAIXABANK as | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 146 | |||
146/177 | |||
controlling company. But the information exchange that carries out | |||
CAIXABANK in favor of the CaixaBank Group companies has no place in the shares | |||
which may be based on the legitimate interest referred to in Recital 48, referring to | |||
the transmission of personal data within the business group "for administrative purposes | |||
internal ” . Nothing to do with the transfers of data referred to in the "Framework Contract" and the | |||
purposes for which they are intended. | |||
With this, it is not excluded that other data communications could be admitted | |||
personal, with other purposes, that could be justified by the concept of group | |||
business, even based on legitimate interest. | |||
To all this, must be added the defects appreciated in the information offered that is | |||
have pointed out in this act. CAIXABANK does not even inform about the legal basis that justifies | |||
this global exchange of information with the companies of the CaixaBank Group. | |||
Neither does any of the consents requested from clients include any that | |||
refers to this transfer of personal data of CAIXABANK customers to companies of the | |||
CaixaBank Group, which cannot be considered covered by the three consents | |||
collected. In addition to the objections noted on the validity of the consents | |||
provided by customers, this transfer of data constitutes a specific purpose in itself | |||
considered itself, which requires a manifestation of the client's will by which the client | |||
consent that this communication of personal data can be carried out. CAIXABANK no | |||
collects specific consent from its clients for this transfer of data. | |||
This lack of design or provision of a specific mechanism to collect the | |||
consent of their clients in order to transfer data to Group companies is not | |||
remedied with the signature by the client of the repeated "Framework Contract", which occurs without receiving the | |||
accurate information and does not imply a statement by the customer about the use of their | |||
personal data from the CaixaBank Group companies. This use entails the | |||
prior transfer of the data by CAIXABANK to the companies of the Group without the | |||
interested party has manifested in this regard, that is, without the consent of the interested party. | |||
Acceptance through a single action, such as the signing of the contract, becomes | |||
invalid the consent given by the interested party regarding the use of the data | |||
for purposes other than the execution of the contract or business relationship maintained by the | |||
interested party and the responsible entity or, what is the same, with respect to all those | |||
treatments that require a differentiated and granular consent. In relation to | |||
communication of data to the companies of the CaixaBank Group, this explicit consent and | |||
separate would require enabling the selection of the specific company or companies to be | |||
refers to the consent for the assignment that could be provided. | |||
The requirement that “consent must be given through a | |||
clear affirmative act that reflects a manifestation of free will, specific, informed, and | |||
unequivocal of the interested party to accept the treatment of personal data that | |||
concern ” , understanding that “ inaction should not constitute consent ” | |||
(Recital 32). Consent must also be given for all activities of | |||
treatment carried out for the same or the same purposes and, when the treatment has several | |||
purposes, consent must be given for all of them through a manifestation of will | |||
expressed for each of the purposes separately or differently, allowing the | |||
interested choose to choose all, a part or none of them. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 147 | |||
147/177 | |||
Consent cannot be understood freely given as it has not been allowed | |||
“To authorize separately the different personal data processing operations despite | |||
be appropriate in the specific case ” (Recital 43). | |||
The Article 29 Working Group, in its document “Guidelines on the | |||
consent under Regulation 2016/679 ” , which has been cited on several occasions, | |||
refers to the dissociation of the purposes of the treatment and the freedom that the | |||
interested parties to choose which purposes they accept, instead of having to consent to a | |||
set of purposes. It adds that " When the data is processed for purposes | |||
diverse, the solution to fulfill the condition of valid consent will be in the | |||
granularity, that is, in the dissociation of said purposes and obtaining consent | |||
for each of them " , and cites the following example: | |||
"[Example 7] | |||
In the same request for consent, a retailer asks its customers for consent to use | |||
your data to send them advertising by email and to share your data with other | |||
companies in your group. This consent is not granular since it is not possible to consent for | |||
separated for these two different purposes and, therefore, the consent will not be valid. In this case, | |||
specific consent should be obtained to send contact details to partners | |||
commercial. Such specific consent will be considered valid for each partner (see also the | |||
section 3.3.1) whose identity has been provided to the interested party at the time of obtaining their | |||
consent and to the extent that it is sent for the same purpose (in this example, a commercial purpose) ” . | |||
Therefore, all data transfers made by CAIXABANK become illegal. | |||
to companies of the CaixaBank Group. | |||
In the same way, all the treatments carried out are considered irregular or illegal. | |||
CAIXABANK out of personal data that are provided by the entities | |||
belonging to the CaixaBank Group, relating to clients of the latter. | |||
Apart from this exchange of information, Clause 8 of the "Framework Contract" | |||
indicate that the client grants his authorization "in relation to: (i) The analysis treatments and | |||
study of data for commercial purposes by CaixaBank and companies of the CaixaBank Group; (ii) | |||
The treatments for the commercial offer of products and services by CaixaBank and the | |||
CaixaBank Group companies ”. With this, CAIXABANK intends that the interested parties | |||
give, to CAIXABANK itself, their consent for other companies of the Group | |||
perform personal data processing, which cannot be accepted. | |||
CAIXABANK has stated in its allegations that the CaixaBank Group operates under | |||
the same brand concept, with that entity as the axis. | |||
It indicates that this circumstance is transferred to the various facets of the treatment of | |||
data, including the management of consents for processing purposes | |||
commercial, which are to be carried out jointly in the context of the activities | |||
of the Group for the same purpose with the same means, in relation to data from which the | |||
Group entities are jointly responsible. And add that each entity has its database | |||
own (only accesses the data necessary for the provision of its services), but that | |||
all have “a kind of shared responsibility” , they are jointly responsible for the | |||
treatment, so there is no purpose of its own in the transfer that justifies the provision of | |||
a separate consent. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 148 | |||
148/177 | |||
On the other hand, CAIXABANK alleges that this "integration of all bases" is a | |||
regulatory requirement for correct risk management and necessary for compliance with | |||
legal obligations, which must be supported by the coordinated management of information. But, | |||
Even in this risk management, the risk of the business group that | |||
must be quantified for regulatory purposes, of individual risk, which should only be | |||
be valued by the entity with which the interested party maintains a contractual relationship. In | |||
In any case, nothing is said to the client about this co-responsibility (in the “Framework Contract”, | |||
When reporting on regulatory purposes only reference is made to responsibilities and | |||
obligations of CAIXABANK). | |||
Finally, CAIXABANK notes that this issue was the subject of an evaluation of | |||
impact, which does not contribute. | |||
CAIXABANK, however, has not justified that we are faced with an alleged | |||
of co-responsibility, beyond the exchange of information between Group companies | |||
CaixaBank that are necessary for regulatory purposes or for compliance with a | |||
legal obligation, which are not questioned in these proceedings. | |||
In this case, the attribution of responsibilities between the different | |||
Group companies required by the RGPD, nor the functions and obligations of these companies | |||
in its relationship with the interested parties; and there is also no evidence that the | |||
corresponding agreement that regulates these circumstances in a transparent way, which, | |||
in addition, it must be made available to interested parties. The obligation to formalize that | |||
agreement in which the respective responsibilities are determined, as well as that of putting it into | |||
disposition of the interested parties in their essential aspects, is established in article 26 of the | |||
GDPR: | |||
"Article 26 Co-responsible for the treatment | |||
1.When two or more managers jointly determine the objectives and means of the | |||
treatment will be considered joint controllers of the treatment. The joint controllers will determine | |||
transparently and by mutual agreement their respective responsibilities in complying with the | |||
obligations imposed by this Regulation, in particular with regard to the exercise of | |||
rights of the interested party and their respective obligations to supply information to which | |||
referred to in articles 13 and 14, except, and to the extent that, their respective responsibilities are governed | |||
by the law of the Union or of the Member States that applies to them. Said agreement may | |||
designate a point of contact for stakeholders. | |||
2. The agreement indicated in section 1 shall duly reflect the respective functions and relationships of | |||
the joint controllers in relation to the interested parties. The interested parties will be made available | |||
essential aspects of the agreement. | |||
3. Regardless of the terms of the agreement referred to in section 1, the interested parties | |||
may exercise the rights recognized by this Regulation against, and against, each | |||
one of those responsible ” . | |||
On the contrary, considering the data used by the CaixaBank Group and the uses | |||
to which they are intended, already detailed in the Fundamentals that analyze the information offered | |||
to customers, it follows that the exchange of all information between all | |||
companies that comprise it respond more to "commercial" purposes, unrelated to the relationship | |||
contractual, such as the realization of commercial impacts and the design of new products | |||
or services, for which all data related to the client available in all | |||
Group companies, those provided by the interested party and those that “are generated in the | |||
contracting and operating products and services ” , with CaixaBank and with the Companies of the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 149 | |||
149/177 | |||
CaixaBank Group, including the profiles made from such data. CAIXABANK | |||
He even stated that he had arranged that the consent of the clients for the | |||
Processing of your personal data for "commercial purposes" would be collected at the | |||
"Group", jointly for all the companies of the "group". | |||
This exchange, as has been said, occurs between all the companies of the Group, | |||
that is, each of the companies that make up said Group shares personal data | |||
registered in their information systems with all the others. The data was said to be | |||
would manage “from a common information repository of the Group's companies | |||
CaixaBank ”. | |||
Thus, said exchange does not occur only between CAIXABANK and the rest or between them and | |||
CAIXABANK only. Although the present procedure is intended to analyze the | |||
infractions attributed to CAIXABANK and does not reach the rest of the companies of the Group, | |||
make this global exchange clear to record the irregular action that took place | |||
has been producing. | |||
If to that we add the detail of the companies that make up the repeated Group | |||
CaixaBank and the specific commercial activity that each of them carries out, the | |||
irregularity is even more apparent. | |||
Obviously, there cannot be co-responsibility of all the companies of the Group | |||
CaixaBank in relation to the treatment of data that the contract entails, of whatever type, | |||
that a client formalizes with one of them. If more than one company is involved in the contract, | |||
The rest of the companies, which do not participate in any way in this contract, cannot be | |||
considered co-responsible. | |||
It is enough to examine the entities that make up the CaixaBank Group and the purpose of their | |||
businesses, to conclude that this global co-responsibility cannot occur, which would mean | |||
admit that all act as responsible for the treatment of customer data of a | |||
of these companies, even if they do not participate in the specific contractual relationship formalized by the | |||
client. | |||
The Privacy Policy contains the following detail: | |||
"Your bank CAIXABANK, SA | |||
The issuer of your credit and debit cards CAIXABANK PAYMENTS, EFC, EP, SAU | |||
The issuer of your prepaid cards CAIXABANK ELECTRONIC MONEY, EDE, SL | |||
Your insurer VIDACAIXA, SAU DE SEGUROS Y REASEGUROS | |||
The marketer of your funds CAIXABANK ASSET MANAGEMENT, SGIIC, SAU | |||
Your social bank, expert in microcredits NUEVO MICRO BANK, SAU | |||
Your consumer finance company CAIXABANK CONSUMER FINANCE, EFC, SAU | |||
Your renting company CAIXABANK EQUIPMENT FINANCE, SAU | |||
Your e-commerce company PROMOCAIXA, SA | |||
The company that manages payments in your stores COMERCIA GLOBAL PAYMENTS, EP, SL ” . | |||
The intervention of more than one Group company in the relationship that formalizes the | |||
Nor does the client determine, without further ado, the joint responsibility of both. It will be necessary to analyze | |||
each of the cases to conclude what is appropriate in this regard. | |||
It so happens that some of these activities and the relationships that | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 150 | |||
150/177 | |||
link each company with the client is expressly regulated in a standard, | |||
which provides the nature of their participation from the point of view of the protection of | |||
personal data, so it cannot be left to the will of these companies to provide a | |||
different frame. | |||
A clear example can be found in the regulations governing mediation in | |||
private insurance, for cases in which the financial institution or commercial companies | |||
controlled or participated by it, enter into an insurance agency contract with a | |||
insurance company and carry out the activity of insurance mediation as an insurance agent | |||
using the distribution networks of the credit institution, assuming the character of | |||
Banking-Insurance Operator. | |||
In these cases, article 62 of Law 26/2006, of July 17, on the mediation of | |||
private insurance and reinsurance states that, for the purposes of the LOPD, “a. Agents | |||
exclusive insurance and exclusive banking-insurance operators will have the status of | |||
responsible for the treatment of the insurance company with which they had concluded the | |||
corresponding agency contract, in the terms provided in this Law ”. | |||
This rule has been repealed by Royal Decree-Law 3/2020, of February 4, of | |||
Urgent measures incorporating various Spanish legal systems | |||
European Union directives in the field of public procurement in certain | |||
sectors; private insurance; of pension plans and funds; of the tax field and | |||
tax litigation. This Royal Decree-law does not modify the previous scheme: | |||
“Article 203. Condition of person in charge or in charge of the treatment. | |||
1. For the purposes set forth in Organic Law 3/2018, of December 5, as well as in the Regulations | |||
(EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection | |||
of natural persons with regard to the processing of personal data and the free movement of | |||
these dates: | |||
a) Insurance agents and banking-insurance operators will be in charge of the | |||
treatment of the insurance company with which they had entered into the corresponding | |||
agency, in the terms provided in title I ". | |||
“Article 204. Other data protection regulations. | |||
2. Insurance agents and banking-insurance operators may only process the data of the | |||
interested in the terms and with the scope of the insurance agency contract and | |||
always in the name and on behalf of the insurance company with which they have entered into the contract. | |||
The banking-insurance operators will not be able to process the data related to their intermediary activity | |||
for purposes of its corporate purpose without the unequivocal and specific consent of the | |||
affected ”. | |||
In any case, the information exchange designed by CAIXABANK and the | |||
CaixaBank Group companies do not comply with the concept of “co-responsibility”, which is | |||
establishes for specific treatments, “when two or more managers determine | |||
jointly the objectives and the means of the treatment ” ; and that requires a decision-making power of | |||
all responsible that is not given in this case. | |||
In accordance with the foregoing, the allegations to the proposal of | |||
resolution made by CAIXABANK, in which it states that there is no undue assignment | |||
personal data, but a transparent co-responsibility regime is established | |||
for the interested parties, which derives from a direct collection of the data by the companies in the | |||
scope of joint responsibility and joint participation in the determination of goals and | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 151 | |||
151/177 | |||
media. | |||
There is no co-responsibility regime, nor can it be said that it was transparent to | |||
the clients. In fact, CAIXABANK at no previous time has had the agreement of | |||
co-responsibility, so it was never before able to make available to the interested parties the | |||
essential aspects of an agreement that did not exist. Not even in the previous phases has | |||
alleged this co-responsibility, referring to this matter in its allegations to the agreement of | |||
initiation of the procedure, noting that all the Group companies have “a sort of | |||
shared responsibility ” , as already indicated. And neither does the Activity Register | |||
Treatment includes operations in which CAIXABANK intervenes as joint controller. | |||
It has been on the occasion of the processing of allegations to the proposed resolution when | |||
CAIXABANK has raised this claim and has provided a "Co-responsibility Agreement", | |||
that appears in the "Sixth Allegation" of the brief of allegations to the proposed resolution | |||
among the new measures implemented, which appears unsigned by the entities that | |||
supposedly involved in its formalization. In his allegations about graduation from the | |||
The sanction refers to data transfers made within the framework of “the | |||
de facto co-responsibility, and currently formal ” . However, this agreement does not | |||
remedies the irregular situation maintained during the period of time prior to the opening of the | |||
process. | |||
On the other hand, CAIXABANK has not provided the essential information for | |||
have sufficient elements to assess whether the conditions are met, from the point of | |||
factual and not only formal view, for that co-responsibility in each of the treatments to | |||
those referred to in the agreement provided, considered case by case; nor to conclude if all | |||
entities have complied with the regulatory provisions, especially those relating to | |||
duty of transparency and the existence of a legal basis for the treatment. | |||
If it can be said, as indicated above, that CAIXABANK has not | |||
complied with these provisions in relation to the exchange of information regarding their | |||
customers with the companies that make up the Group, and would not be met in relation to | |||
these alleged joint treatments, about which you have not informed clients | |||
duly and for which there is no legal basis. | |||
(…) | |||
Finally, it is considered appropriate to cite the Guidelines 07/2020, on the concepts of | |||
data controller and data processor in the RGPD, adopted by the CEPD | |||
on September 2, 2020, in which the assumption of joint responsibility is rejected as | |||
use for advertising purposes of a database shared by a group of | |||
Business: | |||
“Joint control can also be excluded if several entities use a base of | |||
shared data or a common infrastructure, if each entity independently determines its | |||
own ends. | |||
Example: marketing operations in a group of companies using a database | |||
shared. | |||
A group of companies uses the same database for the management of clients and potential clients. | |||
This database is hosted on servers of the parent company which, therefore, is a | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 152 | |||
152/177 | |||
in charge of the treatment of the companies with respect to the storage of the data. Each | |||
Group entity enters the data of its own customers and potential customers and processes them | |||
solely for your own purposes. In addition, each entity decides independently on access, | |||
retention periods, correction or deletion of your customers and customer data | |||
potentials. They cannot access or use the data of others. The mere fact that you are | |||
Companies using a shared group database does not imply joint control as such. | |||
In these circumstances, each company is therefore a data controller ”. | |||
Consequently, in accordance with the above findings, the facts | |||
set forth in this Legal Basis constitute a violation of Article 6 of the | |||
RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, which gives | |||
place to the application of the corrective powers that article 58 of the RGPD grants to the | |||
Spanish Agency for Data Protection. | |||
VIII | |||
Article 22 of the RGPD allows "automated individual decisions, including the | |||
profiling ” if such a decision is necessary for the execution of the contract, it is | |||
authorized by Union or Member State law or is based on the | |||
consent of the interested party, which entails compliance with the obligation to inform | |||
about it. Said article establishes the following: | |||
"Article 22. Automated individual decisions, including profiling | |||
1. Any interested party shall have the right not to be the subject of a decision based solely on the | |||
automated processing, including profiling, that produces legal effects on him or her | |||
affect significantly in a similar way. | |||
2. Paragraph 1 shall not apply if the decision: | |||
a) is necessary for the conclusion or execution of a contract between the interested party and a person in charge | |||
of the treatment; | |||
b) is authorized by Union or Member State law that applies to the | |||
responsible for the treatment and that also establishes adequate measures to safeguard the | |||
rights and freedoms and the legitimate interests of the interested party, or | |||
c) is based on the explicit consent of the interested party. | |||
3. In the cases referred to in section 2, letters a) and c), the data controller shall adopt the | |||
adequate measures to safeguard the rights and freedoms and the legitimate interests of the | |||
interested party, at least the right to obtain human intervention from the person in charge, to | |||
express your point of view and challenge the decision. | |||
4. The decisions referred to in paragraph 2 shall not be based on the special categories of data | |||
referred to in Article 9 (1), unless Article 9 (2) applies, | |||
letter a) or g), and adequate measures have been taken to safeguard the rights and freedoms and | |||
legitimate interests of the interested party ”. | |||
Furthermore, what is expressed in recitals 71 and 72 of the RGPD is taken into account. | |||
“(71) The interested party must have the right not to be the subject of a decision, which may include a measure, | |||
that evaluates personal aspects related to him, and that is based solely on the treatment | |||
automated and produces legal effects on it or significantly affects it in a similar way, such as the | |||
Automatic denial of an online credit application or online contracting services in the | |||
that there is no human intervention. This type of treatment includes profiling | |||
consisting of any form of processing of personal data that evaluates personal aspects | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 153 | |||
153/177 | |||
relating to a natural person, in particular to analyze or predict aspects related to the | |||
job performance, financial situation, health, personal preferences or interests, | |||
reliability or the behavior, situation or movements of the data subject, to the extent that | |||
produces legal effects on him or significantly affects him in a similar way. However, they must | |||
allow decisions based on such treatment, including profiling ... in cases where | |||
those that the interested party has given their explicit consent. In any case, such treatment must | |||
be subject to appropriate safeguards, including information specific to the | |||
interested party and the right to obtain human intervention, to express their point of view, to receive a | |||
explanation of the decision made after such evaluation and to challenge the decision. Such a measure no | |||
it must affect a minor. | |||
In order to guarantee fair and transparent treatment with respect to the interested party, taking into account the | |||
specific circumstances and context in which personal data is processed, the person responsible for the | |||
The treatment should use appropriate mathematical or statistical procedures for the elaboration of | |||
profiles, apply appropriate technical and organizational measures to ensure, in particular, that | |||
correct the factors that introduce inaccuracies in personal data and reduce the maximum | |||
risk of error, secure personal data so that possible risks are taken into account | |||
for the interests and rights of the interested party and prevent, among other things, discriminatory effects | |||
in natural persons for reasons of race or ethnic origin, political opinions, religion or beliefs, | |||
union membership, genetic condition or health status or sexual orientation, or that result in | |||
measures that produce such an effect. Automated decisions and profiling about the | |||
basis of particular categories of personal data should only be allowed under conditions | |||
specific. | |||
(72) Profiling is subject to the rules of this Regulation that govern the | |||
processing of personal data, such as the legal bases of the processing or the principles of | |||
Data Protection…". | |||
The aforementioned regulations prohibit decisions based solely on treatment | |||
automated, including profiling, that produce legal effects in the | |||
interested or significantly affect you in a similar way, unless such decisions are | |||
based on the explicit consent of the same. | |||
An important aspect regarding automated individual decisions has to be | |||
see with the use of personal data for the elaboration of customer profiles, | |||
understood as any form of personal data processing that evaluates aspects | |||
personal information relating to a natural person. | |||
According to art. 13.1.f) of the RGPD, section 2, the person in charge is obliged to inform | |||
on the “existence of automated decisions, including the elaboration of profiles, to which | |||
referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information | |||
on the applied logic, as well as the importance and expected consequences of said | |||
treatment for the interested party ” . | |||
The information that CAIXABANK offers to its clients in the different documents that | |||
are subject to analysis refers expressly to profiling in numerous | |||
Sometimes and on others, the purposes or treatments that entail carrying out | |||
profiling operations. | |||
The "Privacy Policy" accessible through the CAIXABANK website, by referring to | |||
uses based on the consent of the interested party, informs: | |||
“04 WE CANNOT HIDE IT FROM YOU: WE WANT TO KNOW YOU BETTER! | |||
(…) | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 154 | |||
154/177 | |||
Uses based on your consent | |||
Only if you authorize us when we ask, we would like to process all the data that | |||
we have about you to get to know you better, that is, to study your needs to know what new | |||
products and services are adjusted to your preferences and analyze the information that allows us to have | |||
determined in advance what your creditworthiness is. | |||
We would also send you product offers from all Group companies and third parties that | |||
we think they may interest you ”. | |||
In Clause 8 of the “Framework Contract”, so repeated, CAIXABANK refers to the | |||
"Treatment and transfer of data for commercial purposes by CaixaBank and the companies of the | |||
CaixaBank group based on consent ” , which are grouped as follows: | |||
(i) Detail of the analysis, study and monitoring treatments for the offer and design of products and | |||
services tailored to the customer profile. | |||
(ii) Details of the treatments for the commercial offer of CaixaBank products and services and the | |||
CaixaBank Group companies. | |||
(iii) Transfer of data to third parties | |||
These subsections correspond to three consents that are collected from the | |||
interested and which are outlined on the first page of the document, under the heading | |||
"Authorizations for treatment" . | |||
The description of the first group of treatments (i) in other documents or channels of | |||
collection of consents is expressed as follows: | |||
. Purpose of studies and profiling. | |||
. Carry out studies and monitoring of operations; manage alerts for the products you have | |||
hired; study products and services tailored to your CaixaBank Group profile. | |||
. Authorization for profiled and segmented. | |||
This first group of treatments, “ Detail of the analysis, study and | |||
follow-up for the offer and design of products and services adjusted to the client's profile ” , | |||
details five purposes: | |||
"By granting your consent to the purposes detailed here, you authorize us to: | |||
a) Proactively carry out risk analysis and apply statistical and technical data on | |||
customer segmentation, with a triple purpose: 1) Study products or services that may be | |||
tailored to your profile and specific business or credit situation, all to make offers | |||
sales tailored to your needs and preferences, 2) Track products and | |||
contracted services, 3) Adjust recovery measures on defaults and incidents derived from | |||
the products and services contracted. | |||
b) Associate your data with those of companies with which you have some type of link, both for their | |||
ownership and management relationship, in order to analyze possible interdependencies | |||
economic in the study of service offers, risk requests and product contracting. | |||
c) Carry out studies and automatic controls of fraud, defaults and incidents derived from | |||
products and services contracted ... ”. | |||
And in relation to these purposes, the following is indicated: | |||
"The treatments indicated in sections (i), (ii) and (iii) may be carried out in a | |||
automated and entail the elaboration of profiles, with the aforementioned purposes. For this purpose, | |||
We inform you of your right to obtain human intervention in the treatments, to express your point | |||
of view, to obtain an explanation about the decision made based on the automated processing, | |||
and to challenge said decision ”. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 155 | |||
155/177 | |||
CAIXABANK advises the client that the indicated treatments may be carried out | |||
in an automated way and lead to profiling. To this end, CAIXABANK will | |||
informs about “their right to obtain human intervention in the treatments, to express | |||
your point of view, to obtain an explanation about the decision made based on the | |||
automated processing, and to challenge said decision ” . | |||
With this, CAIXABANK advises on profiling operations that correspond | |||
with automated individual decisions regulated in article 22 of the RGPD, which | |||
These profiles will be used to make automated decisions with legal effects for the | |||
interested or that will significantly affect you in a similar way. In this case, according to | |||
As indicated, the interested party has the right to be informed by virtue of what is established in the | |||
Article 13.2.f) of the RGPD, including in that information all the issues that that letter | |||
mentions, as is the applied logic, the importance and expected consequences of said | |||
treatment for the interested party, as well as the possibility of opposing the adoption of | |||
these automated individual decisions, and the right to have all the | |||
Provided guarantees (in addition to the information specific to the interested party, the right to obtain | |||
human intervention, to express their point of view, to receive an explanation of the decision | |||
taken after such evaluation and to challenge the decision). | |||
The legal basis for these actions is based, according to the information that | |||
facilitates the interested-clients, with their consent. | |||
This information, and the evidence on the irregularity of the consents | |||
provided by CAIXABANK clients for the processing of their personal data, | |||
determined the imputation to said entity in the agreement to open the procedure of a | |||
alleged infringement due to the violation of article 22 of the RGPD. | |||
However, the instruction of the procedure has not confirmed that | |||
CAIXABANK carry out data processing as regulated in this article 22 of the | |||
RGPD, that is, to make decisions based solely on automated processing and | |||
that produce legal effects on the interested party or significantly affect him in a way | |||
Similary. | |||
Some data processing involves the use of profiles of which could | |||
result in discriminatory effects for the interested parties (such as, for example, credits | |||
pre-granted prices, prices adjusted to the client's profile, benefits and promotions). But I do not know | |||
has evidence that these treatments respond to the concept of "individual decision | |||
automated " and that effectively produce legal effects or significantly affect the | |||
interested. | |||
If so, CAIXABANK must consider the provisions of the aforementioned article 22 of the | |||
RGPD and comply with the expressed demands and the requirements that allow | |||
consider that the consent has been given in a valid way, if this were the basis | |||
legal. | |||
Consequently, it is deemed appropriate, due to lack of evidence, to declare the | |||
nonexistence of infringement in relation to the imputation for an alleged breach of the | |||
established in article 22 of the RGPD. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 156 | |||
156/177 | |||
IX | |||
In the event of an infringement of the RGPD precepts, among the | |||
corrective powers available to the Spanish Data Protection Agency, such as | |||
supervisory authority, article 58.2 of said Regulation contemplates the following: | |||
“2 Each supervisory authority shall have all the following corrective powers indicated at | |||
continuation: | |||
(…) | |||
d) order the person in charge or in charge of the treatment that the treatment operations conform to | |||
the provisions of this Regulation, where appropriate, in a certain way and within | |||
a specified term; | |||
(…) | |||
i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures | |||
mentioned in this section, according to the circumstances of each particular case; " . | |||
According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) | |||
above is compatible with the sanction consisting of an administrative fine. | |||
X | |||
In the present case, the breach of the principle of | |||
transparency established in articles 12, 13 and 14 of the RGPD, as well as the principle of legality | |||
of the treatment regulated in article 6 of the same Regulation, with the scope expressed in | |||
the previous Fundamentals of Law, which implies the commission of respective infractions | |||
typified in article 83.5 of the RGPD, which under the heading " General conditions for the | |||
imposition of administrative fines ” provides the following: | |||
"Violations of the following provisions will be sanctioned, in accordance with section 2, with | |||
administrative fines of up to EUR 20,000,000 or, in the case of a company, a | |||
amount equivalent to a maximum of 4% of the total annual global business volume for the year | |||
financial statement, opting for the one with the highest amount: | |||
a) the basic principles for the treatment, including the conditions for consent in accordance with | |||
Articles 5, 6, 7 and 9; | |||
b) the rights of the interested parties in accordance with articles 12 to 22; (…) ” . | |||
In this regard, the LOPDGDD, in its article 71 establishes that “They constitute | |||
offenses the acts and conducts referred to in sections 4, 5 and 6 of article 83 | |||
of Regulation (EU) 2016/679, as well as those that are contrary to this law | |||
organic ” . | |||
For the purposes of the limitation period, articles 72 and 74 of the LOPDGDD indicate: | |||
“Article 72. Violations considered very serious. | |||
1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered very | |||
serious and will prescribe after three years the infractions that suppose a substantial violation of the | |||
articles mentioned therein and, in particular, the following: | |||
(…) | |||
b) The processing of personal data without any of the conditions of legality of the | |||
treatment established in article 6 of Regulation (EU) 2016/679. | |||
c) Failure to comply with the requirements of Article 7 of Regulation (EU) 2016/679 for the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 157 | |||
157/177 | |||
validity of consent. | |||
(…) | |||
k) The impediment or the obstruction or the repeated neglect of the exercise of the rights | |||
established in articles 15 to 22 of Regulation (EU) 2016/679 ”. | |||
“Article 74. Infractions considered minor. | |||
The remaining infringements of a merely formal nature are considered minor and will prescribe a year. | |||
the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in | |||
in particular, the following: | |||
a) Failure to comply with the principle of transparency of information or the right to information of the | |||
affected by not providing all the information required by articles 13 and 14 of Regulation (EU) | |||
2016/679 " . | |||
In order to determine the administrative fine to be imposed, the provisions | |||
of articles 83.1 and 83.2 of the RGPD, precepts that state : | |||
"1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with the | |||
this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 are | |||
in each individual case effective, proportionate and dissuasive. | |||
2. Administrative fines will be imposed, depending on the circumstances of each individual case, to | |||
additional or replacement title of the measures referred to in article 58, paragraph 2, letters a) to h) and | |||
j). When deciding the imposition of an administrative fine and its amount in each individual case, the | |||
due account: | |||
a) the nature, seriousness and duration of the offense, taking into account the nature, scope or | |||
purpose of the treatment operation in question as well as the number of interested parties affected | |||
and the level of damages they have suffered; | |||
b) intentionality or negligence in the infringement; | |||
c) any measure taken by the controller or processor to mitigate the damage and | |||
damages suffered by the interested parties; | |||
d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the | |||
technical or organizational measures that have been applied by virtue of articles 25 and 32; | |||
e) any previous infringement committed by the person in charge or the person in charge of the treatment; | |||
f) the degree of cooperation with the supervisory authority in order to remedy the infringement and | |||
mitigate the possible adverse effects of the violation; | |||
g) the categories of personal data affected by the infringement; | |||
h) the way in which the supervisory authority learned of the infringement, in particular if the | |||
responsible or the manager notified the infringement and, if so, to what extent; | |||
i) when the measures indicated in article 58, paragraph 2, have been previously ordered | |||
against the person in charge or the person in charge in relation to the same matter, compliance | |||
of said measures; | |||
j) adherence to codes of conduct under article 40 or to certification mechanisms | |||
approved in accordance with Article 42, and | |||
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as | |||
financial benefits obtained or losses avoided, directly or indirectly, through the | |||
infringement." | |||
For its part, article 76 " Sanctions and corrective measures" of the LOPDGDD provides: | |||
"1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 are | |||
will be applied taking into account the graduation criteria established in section 2 of the aforementioned | |||
Article. | |||
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, they may also | |||
be taken into account: | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 158 | |||
158/177 | |||
a) The continuing nature of the offense. | |||
b) The linking of the offender's activity with the processing of personal data. | |||
c) The benefits obtained as a result of the commission of the offense. | |||
d) The possibility that the affected person's conduct could have led to the commission of the offense. | |||
e) The existence of a merger by absorption process after the commission of the offense, which does not | |||
it can be attributed to the absorbing entity. | |||
f) Affecting the rights of minors. | |||
g) Have, when not mandatory, a data protection officer. | |||
h) The submission by the person in charge or in charge, on a voluntary basis, to mechanisms of | |||
alternative conflict resolution, in those cases in which there are controversies between | |||
those and anyone interested ”. | |||
In this case, considering the seriousness of the violations found, the | |||
imposition of a fine, in addition to the adoption of measures. | |||
In a subsidiary manner and for reasons of proportionality, CAIXABANK has requested that | |||
other corrective powers are imposed that allow the implementation of certain changes | |||
that you have in process to debug the errors in the informative clauses and improve them, | |||
as is the warning, and points out that this measure has been applied in some cases to | |||
legal persons and not only natural persons (he cites as an example the procedures | |||
PS / 00072/2019; or PS / 00096/2019). Additionally, in the event that the | |||
previous petition, requests that a sanction be imposed to a minimum degree. | |||
It is not possible to accept the request made by CAIXABANK to impose other | |||
corrective powers, specifically, the warning, which is intended for persons | |||
physical and when the sanction constitutes a disproportionate burden (recital 148 of the | |||
RGPD). In this case, unlike the precedents invoked by CAIXABANK, no | |||
None of the assumptions that would support the application of the | |||
warning, for which, obviously, other factors must also be considered, such as | |||
the offense committed and its seriousness. In the present case, the irregularities committed are | |||
much more serious and have a greater impact than that expressed by CAIXABANK, who | |||
aims to reduce the assumption analyzed to a few simple defects of the information offered | |||
that they do not deserve any reproach other than their rectification. | |||
For the same reasons, and considering the criteria for graduation of sanctions | |||
indicated below, the request for the imposition of a penalty is also rejected. | |||
tion to its minimum degree. | |||
In accordance with the transcribed precepts, in order to set the amount of the sanctions | |||
of fine to impose in the present case to the defendant, as responsible for infractions | |||
typified in article 83.5.a) and b) of the RGPD, it is necessary to graduate the corresponding fine | |||
impose for each of the offenses charged as follows: | |||
1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified | |||
in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the | |||
LOPDGDD: | |||
It is estimated that the following factors concur as aggravating factors that reveal | |||
greater unlawfulness and / or culpability in the conduct of the CAIXABANK entity: | |||
a) The nature, seriousness and duration of the offense: the verified facts put in | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 159 | |||
159/177 | |||
The entire action carried out by CAIXABANK, as a whole, is questionable, since the | |||
Infringements result from the personal data management procedures designed by that | |||
entity for the adequacy of those processes to the RGPD, which are considered irregular | |||
from the moment of the collection of personal data, questioning all | |||
the activity carried out by the responsible entity since the entry into force of the RGPD. I know | |||
takes into account, however, that it is not a case of total absence of | |||
information, but that the disputed facts result from not providing the interested parties | |||
sufficient and adequate information in relation to the various treatments carried out. | |||
In this regard, CAIXABANK alleges that the issues analyzed in the procedure | |||
are not particularly serious, considering that all the information is provided, although | |||
the AEPD understands that it can be improved; that the offense is classified as minor; and it has not | |||
caused damage to the only two claimants, given that the treatments carried out are the | |||
necessary for the development of the activity. | |||
Contrary to what is stated by said entity, it is understood that the deficiencies | |||
appreciated are particularly serious, since they affect substantive aspects of the | |||
principle of transparency and all the processing operations carried out, which are not | |||
limited to the treatments necessary for the development of the activity, as indicated | |||
CAIXABANK. None of the precedents cited in the allegations can be assimilated into | |||
in any way to the present assumption. | |||
b) The intentionality or negligence appreciated in the commission of the offense: the actions | |||
have proven negligent conduct in relation to the violation of the regulations of | |||
personal data protection. The violations found, given their evidence, should | |||
have been warned by an entity with the characteristics of CAIXABANK and avoided when | |||
design your personal data management processes. | |||
CAIXABANK understands that the establishment of clear procedures in relation to | |||
The information and the provision of consents implies that this graduation criterion of | |||
The sanction should be considered as mitigating, without considering that the infractions are | |||
they consider committed precisely the opposite. Furthermore, violations are not | |||
only non-compliance with the requirements for obtaining consent or the | |||
operations carried out on this legal basis. | |||
c) The continuing nature of the offense, in the sense interpreted by the National Court, | |||
as a permanent offense. | |||
d) The high link of the activity of the offender with the performance of data processing | |||
personal: all operations that constitute the business activity carried out by | |||
CAIXABANK involve personal data processing operations. | |||
e) The condition of a large company of the responsible entity and its volume of business: it is a | |||
leading company in the financial sector with a strong national presence. According to | |||
information that appears on the “ caixabank.es ” website , as of 12/26/2019, CAIXABANK declares itself the leader | |||
in retail banking, with a 29.3% penetration share of individuals in Spain. TO | |||
09/30/2019, the Income Statement reflects an “Operating Margin” of 2,035 million | |||
euros. According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" | |||
amounts to 5,981,438,031.00 euros. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 160 | |||
160/177 | |||
f) High volume of data and processing that constitutes the object of the file: the | |||
Infractions affect all the data processing carried out by CAIXABANK that does not | |||
are necessary for the execution of the contract, in which all the information is used | |||
relating to customers. | |||
g) High number of interested parties: the perceived defects affect all clients | |||
natural persons of the entity. According to the information available on the web "caixabank.es" to | |||
On 12/26/2019, the entity had 15.7 million clients. | |||
h) The imputed entity does not have adequate procedures in place for action in the | |||
collection and processing of personal data, so that the infringement is not | |||
consequence of an anomaly in the operation of these procedures, but a | |||
defect in the personal data management system designed by the person in charge. It has | |||
taking into account that the non-compliances found are structural and do not result from a | |||
punctual non-compliance. | |||
According to CAIXABANK, an information defect cannot be understood as a defect | |||
of the system. However, it is clear that the present assumption does not refer, | |||
simply, to a defect of information. | |||
Considering the exposed factors, the assessment of the fine for the | |||
The offense charged is 2,000,000 euros. | |||
2. Infringement for breach of the provisions of article 6 of the RGPD, in relation to | |||
article 7 of the same legal text and article 6 of the LOPDGDD, typified in article 83.5.a) | |||
and classified as very serious for the purposes of prescription in article 72.1.b) and c) of the | |||
LOPDGDD: | |||
It is estimated that they concur as aggravating factors, in addition to the exposed factors | |||
in relation to the aforementioned offense, indicated with letters b), c), d), e), g) and h), the | |||
following factors that reveal greater unlawfulness and / or culpability in the conduct of the | |||
CAIXABANK entity: | |||
a) The nature, severity and duration of the offense, taking into account the nature, | |||
scope or purpose of the processing operations in question: infractions | |||
result from the personal data management procedures designed by CAIXABANK | |||
for the adaptation of these processes to the RGPD, which are considered irregular from the | |||
collection of personal data and the provision of consents requested from the | |||
clients right then and there. The severity of the infractions increases according to the | |||
scope or purpose of the processing operations in question, which include the | |||
profiling using excessive information. | |||
b) The degree of responsibility of the person in charge, taking into account the technical measures and | |||
organizational applied by virtue of articles 25 and 32; considering that the facts | |||
found show that CAIXABANK has not taken care that in the treatment of | |||
data is used exclusively the data necessary for the intended purpose. | |||
Faced with this, the adoption of measures in recent years cannot be opposed | |||
aimed at promoting privacy from the design. What is relevant is that such measures | |||
are appropriate and, in relation to the foregoing, those adopted by CAIXABANK are not. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 161 | |||
161/177 | |||
c) The benefits obtained as a result of the commission of the offense: the information | |||
related to customers is used to design new products or services or improve | |||
existing and for the dissemination of them. To appreciate this benefit it is not necessary that | |||
the responsible entity has monetized the personal data, making data sales with | |||
commercial purposes, as claimed by CAIXABANK. | |||
d) The nature of the damages caused to the interested persons or third persons: | |||
the high degree of interference in the privacy of CAIXABANK clients is taken into account | |||
and that all information is communicated to third parties (companies of the CaixaBank Group). | |||
The transfers have taken place and have been accredited. CAIXABANK itself has | |||
recognized the exchange of information with the companies of the Group. | |||
e) High volume of data and processing that constitutes the object of the file; between the | |||
that highlight, in a significant way, the transfer of personal data to third parties. Alleges the | |||
responsible entity that has not initiated the data transfers, without considering those made to | |||
the CaixaBank Group entities. | |||
f) The categories of personal data affected by the infringement, which includes | |||
customer profiles, inferred using all available customer information, including | |||
collected for compliance with legal obligations. This conclusion is not affected by the | |||
fact that the treatments do not use data of special category, manifested by | |||
CAIXABANK. | |||
Considering the exposed factors, the assessment of the fine for the | |||
The offense charged is 4,000,000 euros. | |||
The allegations at the opening of the procedure made by the entity | |||
CAIXABANK do not contain any observations on the circumstances indicated with the | |||
letters c), d), e), f) and g) of point 1. | |||
Instead, it requested that the measures taken be taken into account as mitigating | |||
to regularize the situation revealed in the claim outlined in the Fact | |||
Fourth tested, implementing the measures recommended by the organization of | |||
consumers and users who submitted the claim; along with the purpose of | |||
draw up a new "Framework Contract"; as well as the degree of cooperation shown to put | |||
remedy the irregular situation and mitigate possible adverse effects. | |||
These actions are not considered of sufficient relevance to be considered in this | |||
procedure for the purposes intended by CAIXABANK. With the measures taken in | |||
relation to the aforementioned claim, related only to the face-to-face process of | |||
obtaining the client's consent, there has not been a true regularization, nor has | |||
mitigated the adverse effects of the offenses committed. On the other hand, the elaboration of | |||
A new “Framework Contract” is nothing but the necessary consequence of the irregularity of the | |||
document used by CAIXABANK and analyzed in this procedure. So, | |||
the request to consider such actions as a mitigating circumstance is rejected. | |||
In its allegations to the resolution proposal, CAIXABANK declares reproduced | |||
their allegations to the commencement agreement, without formulating, in this case, no | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 162 | |||
162/177 | |||
consideration of the graduation criteria indicated by letters c), d), e), f) and g) of the | |||
point 1. | |||
In these allegations, he again requests that they be taken into account as mitigating | |||
the measures taken by CAIXABANK, as well as the degree of cooperation shown, within and | |||
outside the framework of the procedure, to remedy the infringement and mitigate the possible | |||
adverse effects of the offense. | |||
Finally, CAIXABANK warns about the unprecedented disproportion of the sanction | |||
imposed, considering that it is a case of minor infraction and not of absence of | |||
information, and that there are no data transfers outside the framework of co-responsibility | |||
de facto and currently formal entity that exists in the CaixaBank Group (without the free will | |||
The will of the subjects has been diminished in any case). It adds that the proposed sanction | |||
ta is 8 times higher than the highest fine imposed under the GDPR (if we do not take into account | |||
“The other” exemplary sanction of the financial sector, recently known), and 3 times higher than | |||
maximum foreseen under the previous regime for the most serious infractions, ignoring the application | |||
cation of the mitigating factors that CAIXABANK details in its allegations. | |||
In the opinion of this Agency, the cooperative attitude of CAIXABANK cannot be admitted, | |||
that he has consistently denied the facts, despite his evidence. | |||
On the other hand, none of the circumstances expressed by said entity to establish | |||
mentioning the disproportion of the sanction concurs in this case, in which there is also | |||
a very serious infringement, to which CAIXABANK does not usually refer in any of its allegations | |||
attempts to reduce the assumption analyzed, as has already been said, to mere errors in the | |||
information provided to customers. Precisely, one of the determining facts, not | |||
The only one of the very serious infringement has to do with the transfer of customer data, | |||
all the data and all the clients, that CAIXABANK makes to the companies of the Caixa Group- | |||
Bank, on which the interested party does not have the opportunity to comment, being committed | |||
Take your free choice. | |||
In any case, the proportionality of the sanction results from the application of the criteria | |||
of graduation established in the corresponding infractions and sanctions regime, which | |||
is applicable to the facts, that is, the current regime. Thus, it does not proceed | |||
qualify the sanction imposed as disproportionate by resorting to the infractions regime and | |||
sanctions regulated by Organic Law 15/1999 (LOPD), to affirm that the sanction im- | |||
set is so many times higher than those provided for in that Organic Law, but rather than the norm that | |||
establishes the measures to be imposed in this case, that is, the RGPD. | |||
This Regulation, in its article 83.3, establishes that breaches of the | |||
Articles 13, 14, and 6 of the same RGPD will be sanctioned with administrative fines of | |||
20,000,000 euros (twenty million euros) maximum or, in the case of a company, | |||
of an amount equivalent to a maximum of 4% of the total annual global business volume of the | |||
previous financial year, opting for the highest amount. Considering this regulation | |||
and the graduation criteria previously assessed, the fine imposed on CAIXABANK is not | |||
disproportionate. It is useless to argue that the LOPD provided penalties for amounts | |||
lower. | |||
The truth is that, in this aspect, as in many others, the RGPD has been a | |||
paradigm shift in the protection of personal data, establishing measures with a | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 163 | |||
163/177 | |||
clear deterrent. It is enough to examine the sanctions that, in this matter, have | |||
recently imposed other European countries, which are public, to understand the scope | |||
of the change that the application of the RGPD entails. Below are links to | |||
some of these resolutions, as examples: | |||
. https://edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty- | |||
50-million-euros_es; | |||
. https://edpb.europa.eu/news/national-news/2020/aggressive-telemarketing-practices-vodafone-fined- | |||
over-12-million-euro_es; | |||
. https://edpb.europa.eu/news/national-news/2020/belgian-dpa-imposes-eu600000-fine-google-belgium- | |||
not-respecting-right-be_es. | |||
On the other hand, CAIXABANK also understands that it is appropriate to qualify as mitigating | |||
fact of having proceeded to further clarify the information offered to its clients and the | |||
procedure by which consent is requested, to such an extent that it would be the | |||
all unnecessary the imposition of the corrective measures proposed by the AEPD. | |||
The aforementioned entity has stated in its brief of allegations that it has provided a | |||
new structure of the documents through which it informs clients on the matter that | |||
it concerns us, preparing a new Privacy Policy, as a basic document, and | |||
modifying the "Framework Agreement" so that it offers only basic information and | |||
refer to the Privacy Policy, as the second layer. As indicated, a total | |||
uniformity and deeper detail of information. And has provided a copy of both | |||
documents, together with the “Co-responsibility Agreement”, which was referred to in the | |||
Basis of Law VII when dealing with data communications to Group companies | |||
CaixaBank, screen printing related to the consent collection processes. | |||
CAIXABANK also points out that it has arranged a massive communication to customers | |||
reporting on changes. | |||
This Agency considers that the actions mentioned, given the evidence | |||
obtained in the present case, are a requirement of the principle of proactive responsibility and | |||
the diligence regarding compliance with the data protection regulations that must | |||
expected of an entity such as CAIXABANK and that the RGPD itself expressly imposes, | |||
including the obligation to review and update the organizational measures that guarantee the | |||
adequacy of your data processing with the RGPD. | |||
And this Agency also considers that there is no true regularization of the | |||
situation generated by the breaches found, nor have their effects been mitigated. | |||
On the one hand, the statement made by CAIXABANK in its plea cannot be accepted, | |||
according to which the only action that is criticized is the writing of the informative texts, | |||
through which it informs its clients about the processing of their personal data. | |||
And, on the other hand, in relation to the consents given and the treatments | |||
of data that it carries out, CAIXABANK is limited to indicating that the mentions to the cessation of | |||
treatments are disproportionate. In its submissions, it makes no reference to the | |||
regularization in its records of the annotations corresponding to the consents | |||
collected to date, or the suspension of personal data processing | |||
classified as illegal in these actions or the deletion of personal data | |||
collected from third parties or inferred by the entity itself. | |||
Once again, as has been said so many times before, CAIXABANK intends to reduce the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 164 | |||
164/177 | |||
issues arising from information defects, from which it can only be derived, | |||
his judgment, the demand to correct them. However, contrary to what was intended by | |||
CAIXABANK, the breach of the provisions of article 6 of the | |||
RGPD, together with the seriousness and impact of the defects appreciated in the information | |||
offered to those interested. | |||
Thus, the alleged correction of the information contained in the documents provided | |||
by CAIXABANK, even assuming this correction is complete, it does not constitute a | |||
true regularization of the irregular situation found in the present procedure | |||
sanctioner. Therefore, the request to consider such actions as a | |||
extenuating circumstance. | |||
On the other hand, CAIXABANK does not provide any report or evaluation, nor does it explain how it has | |||
adapted the documents that determine the configuration of this new | |||
Privacy and would allow its analysis by this control authority (eg, the registry of | |||
processing activities, impact assessment reports or weighting of interest | |||
legitimate). | |||
CAIXABANK has enjoyed numerous opportunities to contribute this | |||
documentation during the processing of the procedure. In each and every one of the | |||
communications that have been sent to you have been warned about the principle of access | |||
permanent regulation regulated in article 53 “Rights of the interested party in the | |||
Administrative Procedure ” of Law 39/2015, of October 1, on the Common Administrative Procedure | |||
of the Public Administrations, which recognizes to those interested in the procedure the | |||
right to know, at any time, the status of the processing and to formulate | |||
allegations, use the means of defense admitted by the Legal System, and | |||
provide documents at any stage of the procedure prior to the hearing process. | |||
Consequently, it is not possible to consider the irregular situation regularized. | |||
XI | |||
In accordance with the provisions of article 58.2.d) of the RGPD, each | |||
control may “order the person in charge of the treatment that the operations of | |||
treatment comply with the provisions of this Regulation, where appropriate, of a | |||
in a certain way and within a specified period… ” . | |||
In this case, considering the circumstances expressed in relation to the | |||
Appreciated breaches, it is appropriate to require CAIXABANK so that, within the period | |||
indicated in the operative part, adapt to the personal data protection regulations the | |||
processing operations carried out, the information offered to its customers and the | |||
procedure by which they give their consent for the collection and | |||
processing of your personal data. | |||
In those cases in which the interested party has not been duly informed about | |||
the circumstances regulated in articles 13 and 14 of the RGPD or the interested party had not | |||
given your valid consent, CAIXABANK will not be able to carry out the collection and | |||
treatment of personal data. The same applies in relation to the treatments of | |||
data based on the legitimate interest of the person in charge and with all those declared illegal | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 165 | |||
165/177 | |||
in this act, including communications of personal data to companies of the | |||
CaixaBank Group. | |||
All this with the scope and in the sense expressed in the Fundamentals of Law | |||
of this act. | |||
Likewise, it is appropriate to require CAIXABANK to notify the entities of the | |||
Grupo CaixaBank to which it has communicated personal data of customers so that | |||
delete such data and stop using them. It is also appropriate to require | |||
CAIXABANK to cease the processing of the personal data provided to it | |||
by entities belonging to the CaixaBank Group, relating to the latter's clients. | |||
It is noted that not meeting the requirements of this body may be | |||
considered as a serious administrative offense by “not cooperating with the | |||
control ” in the face of the requirements made, such conduct may be assessed at the time of | |||
the opening of an administrative procedure punishing with a pecuniary fine. | |||
In relation to these measures, which are intended to repair the irregular situation | |||
generated by CAIXABANK in the treatment of the data of its clients and the clients of | |||
the entities of the CaixaBank Group, as well as the correction of the information offered in | |||
matter of personal data protection, said entity has stated that they would represent a | |||
irreparable impact, but without describing what this impact consists of and without justifying why it is | |||
irreparable. | |||
In any case, no particular circumstances can be alleged to justify the non-application | |||
of the rule. | |||
It also warns about the current global health situation, which restricts visits to | |||
offices by customers. This Agency understands that it intends to reflect the | |||
difficulties posed by this crisis to regularize the situation of customers. However, | |||
the term granted in the operative part is considered sufficient to carry out the | |||
relevant regularization. | |||
Therefore, in accordance with the applicable legislation and the graduation criteria of | |||
the sanctions whose existence has been proven, | |||
the Director of the Spanish Agency for Data Protection RESOLVES: | |||
FIRST: IMPOSE the entity CAIXABANK, SA, with NIF A08663619 , for an infraction | |||
of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild to | |||
prescription effects in article 74.a) of the LOPDGDD, a fine in the amount of | |||
2,000,000 euros (two million euros). | |||
SECOND: IMPOSE the entity CAIXABANK, SA, for an infringement of article 6 of the | |||
RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription | |||
in article 72.1.b) of the LOPDGDD, a fine of 4,000,000 euros (four | |||
millions of euros). | |||
THIRD: DECLARE the non-existence of infringement in relation to the imputation to the | |||
entity CAIXABANK, SA of a possible violation of the provisions of article 22 of the | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 166 | |||
166/177 | |||
RGPD. | |||
FOURTH: REQUIRE the entity CAIXABANK, SA, so that, within six months, | |||
adapt to the personal data protection regulations the processing operations of | |||
personal data that you carry out, the information offered to your clients and the procedure | |||
through which they must give their consent for the collection and treatment | |||
of your personal data, with the scope expressed in Law Foundation XI. At | |||
indicated period, CAIXABANK, SA must justify before this Spanish Protection Agency | |||
of Data the attention of this requirement. | |||
FIFTH: NOTIFY this resolution to CAIXABANK, SA | |||
SIX: Advise the sanctioned person that he must make the imposed sanction effective once the | |||
This resolution is executive, in accordance with the provisions of art. 98.1.b) of the law | |||
39/2015, of October 1, of the Common Administrative Procedure of the Administrations | |||
Public (hereinafter LPACAP), within the voluntary payment period established in art. 68 of | |||
General Collection Regulation, approved by Royal Decree 939/2005, of July 29, | |||
in relation to art. 62 of Law 58/2003, of December 17, by entering, | |||
indicating the NIF of the sanctioned person and the procedure number that appears in the | |||
heading of this document, in the restricted account number ES00 0000 0000 0000 0000 | |||
0000 , opened in the name of the Spanish Agency for Data Protection in the bank | |||
CAIXABANK, SA. Otherwise, it will be collected in the executive period. | |||
Once the notification has been received and once it is executed, if the date of execution is between the | |||
days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to | |||
on the 20th of the following or immediately subsequent business month, and if it is between the 16th and | |||
last of each month, both inclusive, the payment term will be until the 5th of the second month | |||
next or immediate after business. | |||
In accordance with the provisions of article 50 of the LOPDGDD, this Resolution | |||
It will be made public once it has been notified to the interested parties. | |||
Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the | |||
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties | |||
They may optionally file an appeal for reconsideration before the Director of the Agency | |||
Spanish Data Protection Agency within a month from the day following the | |||
notification of this resolution or directly administrative contentious appeal before the Chamber | |||
of the Contentious-administrative of the National Court, in accordance with the provisions of the | |||
Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 | |||
July, regulating the Contentious-administrative Jurisdiction, within two months to | |||
count from the day after notification of this act, as provided in article | |||
46.1 of the aforementioned Law. | |||
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may | |||
provisionally suspend the final administrative resolution if the interested party manifests | |||
his intention to file a contentious-administrative appeal. If this is the case, the | |||
The interested party must formally communicate this fact by writing to the Agency | |||
Spanish Data Protection, presenting it through the Electronic Registry of the | |||
Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the | |||
remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 167 | |||
167/177 | |||
You must also send the Agency the documentation that proves the effective filing | |||
of the contentious-administrative appeal. If the Agency is not aware of the | |||
filing of the contentious-administrative appeal within a period of two months from the | |||
following notification of this resolution, it would terminate the suspension | |||
precautionary. | |||
938-131120 | |||
Mar Spain Martí | |||
Director of the Spanish Agency for Data Protection | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 168 | |||
168/177 | |||
ANNEX I | |||
Version 4 of the "Framework Contract", dated by CAIXABANK on 11/12/2018: | |||
(…) | |||
Modifications to the previous text or new informative clauses introduced by Version 5 | |||
of the "Framework Contract", dated by CAIXABANK on 12/20/2018. | |||
(…) | |||
Modifications to the previous text or new informative clauses introduced by the | |||
document provided by CAIXABANK with its response to the Inspection Services and date | |||
11/20/2019, which has been referred to in this act as "Version 7 of the Framework Contract" or | |||
“Client Framework Agreement dated 11/06/2019. | |||
(…) | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 169 | |||
169/177 | |||
ANNEX II | |||
Document provided by CAIXABANK on 07/10/2018, called by the same "Contract of | |||
Consents ”, which is outlined in the Second Fact of this Agreement: | |||
(…) | |||
Modifications to the previous text introduced by the document that is incorporated into the Minutes | |||
corresponding to the inspection carried out at the CAIXABANK premises on the | |||
11/28/2019 (Attachments 4 and 5): | |||
(…) | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 170 | |||
170/177 | |||
ANNEX III | |||
Information offered for access to information of the interested party in SOCIAL NETWORKS | |||
(…) | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 171 | |||
171/177 | |||
ANNEX IV | |||
AGGREGATION SERVICE | |||
(…) | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 172 | |||
172/177 | |||
ANNEX V | |||
Privacy Policy available on the CaixaBank entity's website. | |||
01 WHO ARE WE? | |||
CaixaBank, as you already know, is the largest bank in Spain by number of customers, and it sells, | |||
in addition to its products and services, those of a large group of investee companies, with activities | |||
in the sectors of payment services, investment, insurance, holding of shares, venture capital, | |||
real estate, roads, sale and distribution of goods and services, consulting services, leisure and | |||
charitable-social. | |||
The list of these companies can be found at www.CaixaBank.es/empresasgrupo and their data, in the | |||
Annex at the end of this communication (hereinafter we will call them companies of the CaixaBank Group). | |||
02 WHAT DO WE NEED TO USE YOUR DATA FOR? | |||
Uses for contractual purposes | |||
The first and main reason why we need to process your data is for the provision of the | |||
services that you have contracted with us and for our own management. This treatment is | |||
essential. If we don't, we won't be able to manage your accounts, cards, insurance, etc. | |||
Uses for legal or regulatory purposes | |||
At CaixaBank, and at the CaixaBank Group companies, we are bound by different regulations to | |||
process your data to comply with the obligations that they have. They are rules that | |||
establish, for example, regulatory reporting obligations, money laundering prevention measures | |||
capital and terrorist financing or tax controls and reports. In these cases, the | |||
Treatment of the data is limited to what is necessary to comply with those obligations or | |||
legally required responsibilities. | |||
Uses for the purpose of preventing fraud | |||
We also need to process your data to prevent fraud, as well as to guarantee the | |||
security, both of your information and of our networks and information systems. | |||
As you may have seen, these three types of treatments are essential to be able to maintain your | |||
relationship with us. Without them we could not provide our services | |||
03 AND MY DATA WILL NOT BE USED FOR MORE PURPOSES? | |||
The above uses are those necessary to provide you with our services but, with your trust, | |||
we would like to offer you much more. | |||
Uses for commercial purposes based on legitimate interest | |||
Unless you have told us, or tell us otherwise, we will send you updates and information | |||
about products or services similar to those you already have contracted. | |||
We will also use your information (account movements, card movements, loans, | |||
etc.) to personalize your experience with us, for example by showing you first in the | |||
ATMs and websites your most common operations; to offer you products and services that conform to | |||
your profile and thus not bother with what does not interest you; to apply the benefits and promotions that | |||
we have in force and to which you have the right, because we do not want you to miss any of the | |||
advantages of being our client: and to evaluate if we can assign you credit limits | |||
pre-granted that you can use when you consider it most appropriate, so, when you need it, | |||
We will be able to assist you with the greatest speed. | |||
Do not worry. In these treatments we will not use more information than the one you have given us | |||
or the one generated from the products contracted during the last year and, if you prefer not to | |||
Let's do it, you just have to tell us, at any of our offices, at PO box no. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 173 | |||
173/177 | |||
209 of Valencia (46080), at the electronic address www.CaixaBank.es/ejerciciodederechos or | |||
through the options enabled for this purpose in your internet banking and in our applications | |||
mobiles. | |||
For any other commercial use that we want to do, we will ask you before, as you are going to see | |||
continuation. Remember that one of our core values is trust. | |||
04 WE CANNOT HIDE IT FROM YOU: WE WANT TO KNOW YOU BETTER! | |||
Nowadays, there are many possibilities of using the information to get to know yourself better, give yourself a | |||
better service, be more attentive and always ready to attend to your needs. Therefore, | |||
We will ask for authorization to process your data a little more than what we told you before. | |||
If you have already tried it, or try it in the future, surely you will not regret it, but do not worry, no | |||
you have to decide now, we will ask you about it in the office, in electronic channels or in your | |||
relations with the rest of the CaixaBank Group companies. | |||
Uses based on your consent | |||
Only if you authorize us when we ask, we would like to process all the data that | |||
we have about you to get to know you better, that is, to study your needs to know what new | |||
products and services are adjusted to your preferences and analyze the information that allows us to have | |||
determined in advance what your creditworthiness is. | |||
We would also send you product offers from all Group companies and third parties that | |||
we think they may interest you. | |||
As we have told you, CaixaBank is a great family, so when you authorize us these | |||
treatments you will benefit from the joint work of the CaixaBank Group companies in the table that | |||
follow (remember that the list will be updated at all times in the link | |||
www.CaixaBank.es/empresasgrupo). | |||
Your bank CAIXABANK, SA | |||
The issuer of your credit and debit cards CAIXABANK PAYMENTS, EFC, EP, SAU | |||
The issuer of your prepaid cards CAIXABANK ELECTRONIC MONEY, EDE, SL | |||
Your insurer VIDACAIXA, SAU DE SEGUROS Y REASEGUROS | |||
The marketer of your funds CAIXABANK ASSET MANAGEMENT, SGIIC, SAU | |||
Your social bank, expert in microcredits NUEVO MICRO BANK, SAU | |||
Your consumer finance company CAIXABANK CONSUMER FINANCE, EFC, SAU | |||
Your renting company CAIXABANK EQUIPMENT FINANCE, SAU | |||
Your e-commerce company PROMOCAIXA, SA | |||
The company that manages payments in your stores COMERCIA GLOBAL PAYMENTS, EP, SL | |||
Finally, if you want, we can communicate your data to third parties with whom we have agreements, | |||
whose activities are included between banking, investment services, forecasting and | |||
insurer, shareholding, venture capital, real estate, roads, sale and distribution of goods | |||
and services, consulting services, leisure and charity-social. | |||
We want you to be very clear that we respect your choices and act in accordance with them, | |||
so that we will treat your data only for those purposes that, among the three above, we | |||
you have expressly authorized. | |||
05 AND WHAT HAPPENS TO MY DATA WHEN I BROWSE THE WEB PAGES OR THE | |||
MOBILE APPLICATIONS OF THE CAIXABANK GROUP? | |||
When you browse our web pages or use our mobile applications, we want to be able to | |||
personalize your experience to make it as exceptional as possible. It is also possible that | |||
we want to remind you of our products and offers when you are browsing the internet. | |||
You already know that cookies are used for that. We will inform you at all times of the details of its use | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 174 | |||
174/177 | |||
in the Cookies Policy, which you will find on all our web pages, as well as in the conditions | |||
of use of the mobile applications that you download. | |||
There we will describe to you at all times what data we can collect, how and what it is used for. | |||
In addition, most web browsers allow you to manage your preferences regarding the use of the | |||
cookies. Remember that you can adjust the browser at any time to reject or delete | |||
certain cookies at your discretion. | |||
Likewise, the privacy settings of the mobile device allow you to manage the treatment of your | |||
data. | |||
06 BY THE WAY, WHAT DATA OF ME IS PROCESSED? | |||
As you can imagine, thanks to the trust you have placed in us, we have a lot of | |||
information about you. We have already told you what we use them for and how you can control each | |||
At the moment these uses, but what specific information of yours are we going to treat? | |||
Basically, they are your identifying and detail data of the professional or work activity, your data of | |||
contact and financial and socio-economic data, both those you have provided us and those that | |||
generated from the products or services contracted. | |||
Also, only if you consent to it when we consult it, we may process data that we obtain from | |||
the provision of services to third parties when you are the recipient of the service, those obtained from the networks | |||
that you authorize us to consult, those obtained from third parties as a result of services | |||
aggregation of data that you request, those obtained from the navigations you make through the service | |||
internet banking, mobile phone applications and other websites of the companies of the | |||
Grupo CaixaBank or those obtained from companies that provide commercial information. | |||
07 ARE HEALTH DATA, IDEOLOGY OR OTHER SPECIAL OR SENSITIVE DATA PROCESSED? | |||
In general, we do not need to process certain data of yours that are considered as | |||
special categories of data, for example those related to ethnic or racial origin, political opinions, | |||
religious convictions or sexual identity. | |||
If it is necessary to treat this type of sensitive data, in each case we will request your consent | |||
explicit. These are some of the situations in which we will need to use any of this data: | |||
Health data related to insurance products | |||
Health data is within the category of sensitive data, and its treatment is essential | |||
in the marketing of certain insurance products (health, life ...). When we market | |||
these products, the person in charge of the health data is the insurance company, therefore we want | |||
that you know that all insurance companies whose products we commercialize respect and | |||
They strictly comply with the data protection regulations. | |||
Biometric data collected in the electronic signature of documents | |||
When we use electronic signature systems, on occasions, for your greater security and comfort, | |||
biometric elements are used in the creation of the signature, for example the signature trace on tablets | |||
digitizers or fingerprints on the mobile phone. These data are essential to | |||
make sure that you are the one who is using the applications and that, therefore, no one is | |||
impersonating your identity. | |||
For the use of these means of signature or identification you must explicitly accept these | |||
biometric data processing. | |||
08 IS MY DATA SECURE? | |||
For us the security of your data is essential, and we assume the obligation and commitment to | |||
protect them at all times. | |||
Therefore, within this standard of maximum protection, we protect them against treatments not | |||
authorized or illegal and against their loss, destruction or accidental damage, and we have implemented the | |||
more rigorous information security protocols following the best practices in this | |||
matter. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 175 | |||
175/177 | |||
09 HOW LONG DO I NEED TO SAVE MY DATA? | |||
We will process your data as long as the authorizations for use that you have given us remain in force. | |||
granted or you have not canceled the contractual or business relationships with us. | |||
We will stop treating them once the authorizations for use that you have given us have been revoked or, if you have not | |||
revoked the authorizations but you have ceased to be a client, six months after they ended | |||
contractual or business relationships established, provided that your data is not necessary to | |||
the purposes for which they were collected or processed. | |||
This does not mean that we delete them immediately, as we are bound by different regulations to | |||
keep the information for a certain time (in many cases up to ten years), but in accordance with the | |||
regulations, your data will only be kept to comply with these legal obligations, and for the | |||
formulation, exercise or defense of claims, during the limitation period of the actions | |||
derived from the contractual or business relationships subscribed. | |||
10 TO WHOM IS MY DATA COMMUNICATED? | |||
In addition to the exchange of commercial information between the companies of the CaixaBank Group (of which you | |||
previously reported), on certain occasions we need to share certain information | |||
with third parties to be able to provide our services, either because a regulation requires them, or | |||
because we need the support of specialist companies to help us in our work. | |||
Below we explain with whom we can share your information, always with the maximum | |||
security and confidentiality: | |||
Communication of data for the fulfillment of a legal obligation | |||
As we have explained to you, we collaborate with the authorities, courts and public bodies. If the | |||
regulations establish it, we will share with them the information they request. | |||
Communication of data for the execution of a contractual relationship | |||
Sometimes, we turn to service providers with potential access to personal data. | |||
These providers provide adequate and sufficient guarantees in relation to data processing, | |||
since we carry out a responsible selection of service providers that incorporates | |||
specific requirements in the event that the services involve the processing of data from | |||
personal character. | |||
Next, you will see what types of services we order: | |||
FINANCIAL BACKOFFICE SERVICES | |||
ADMINISTRATIVE SUPPORT SERVICES | |||
AUDIT AND CONSULTING SERVICES | |||
LEGAL SERVICES AND RECOVERY OF ASSETS AND UNPAID | |||
PAYMENT SERVICES | |||
MARKETING AND ADVERTISING SERVICES | |||
SURVEY SERVICES | |||
CALL CENTER SERVICES | |||
LOGISTICS SERVICES | |||
PHYSICAL SECURITY SERVICES | |||
COMPUTER SERVICES (SYSTEMS AND INFORMATION SECURITY, | |||
CYBERSECURITY, INFORMATION SYSTEMS, ARCHITECTURE, ACCOMMODATION, PROCESS | |||
OF DATA) | |||
TELECOMMUNICATIONS SERVICES (VOICE AND DATA) | |||
PRINTING, ENVELOPE, POSTCARD AND MESSAGING SERVICES | |||
INFORMATION CUSTODY AND DESTRUCTION SERVICES (DIGITAL AND PHYSICAL) | |||
BUILDINGS, FACILITIES AND EQUIPMENT MAINTENANCE SERVICES | |||
We can also communicate your data to third parties that are necessary for the development, compliance | |||
and control of the contracts for products and services that you have signed with us, for example, to | |||
clearing houses or systems for the execution of transfers or receipts or for the payment of | |||
rates or taxes. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 176 | |||
176/177 | |||
11 IS MY DATA TRANSFERRED OUTSIDE THE EUROPEAN ECONOMIC AREA? | |||
The treatment of your data is carried out, in general, by service providers located | |||
within the European Economic Area or in countries that have been declared with an adequate level of | |||
protection. | |||
In other cases, we guarantee the security and legitimacy of the processing of your data by requiring | |||
their suppliers that have binding corporate standards that guarantee the protection of the | |||
information in a similar way to those established by European standards, which are subject to | |||
to the Privacy Shield, in the case of service providers in the US, or who subscribe to the clauses | |||
European Union type. | |||
At all times we will ensure that, whoever has your information to help us | |||
provide our services, it does so with all guarantees. | |||
12 DO CAIXABANK AND THE COMPANIES IN ITS GROUP HAVE A DELEGATE FOR THE PROTECTION OF | |||
DATA? | |||
Indeed, as required by data protection regulations, the companies of the Group | |||
CaixaBank has a Data Protection delegate who ensures that all the processing that is carried out | |||
are made with full respect for your privacy and the applicable regulations at all times. | |||
The Data Protection delegate is at your disposal to answer all the questions you may | |||
have relating to the processing of your personal data and the exercise of your rights. You can contact | |||
with the Data Protection delegate at: www.CaixaBank.es/delegadoprotecciondedatos | |||
13 WHAT RIGHTS DO I HAVE IN RELATION TO MY DATA AND ITS TREATMENTS? | |||
These are the rights that you can exercise in relation to your data: | |||
Right of access: Right to know what data of yours we are treating. | |||
Right to revoke consent: Right to withdraw consent at any time | |||
when you have given us authorization to process your data. | |||
Right of rectification: Right to have your data rectified or completed if it is inaccurate. | |||
Right of opposition: Right to oppose those treatments based on legitimate interest. | |||
Right of deletion: Right to have your data deleted when it is no longer necessary for the | |||
purposes for which they were collected. | |||
Right of limitation: Right to limit the processing of your data (in certain | |||
assumptions, expressly provided for in the regulations). | |||
Right of portability: Right to have your data delivered to you (data processed for the execution of | |||
the products and services and data that we process with your consent) so that you can transmit them to | |||
another responsible. | |||
You can exercise your rights in any of the channels that we put at your disposal: | |||
- At the offices of CaixaBank or the Group companies | |||
- By postal communication addressed to the Post Office box No. 209 of Valencia (46080) | |||
- At the electronic address www.CaixaBank.es/ejerciciodederechos | |||
- Through the options enabled for this purpose in your internet banking and in our applications | |||
mobile | |||
Additionally, you already know that, if in spite of everything you have any claim derived from the treatment | |||
of your data that we have not been able to solve, you can direct it to the Spanish Protection Agency | |||
Data (www.agpd.es). | |||
Note: The Privacy Policy includes an Annex in which the Group companies are listed | |||
CaixaBank (the same ones listed in point 04), indicating your address, NIF and registration | |||
in the Mercantile Registry and Special Administrative Registry of the Bank of Spain, Registry | |||
Administrative of Insurance Entities of the General Directorate of Insurance and Pension Funds, | |||
Registry of Management Companies of Collective Investment Institutions of the National Commission of the | |||
Stock Market, as appropriate in each case. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
Page 177 | |||
177/177 | |||
ANNEX VI | |||
Document called "Treatment of personal data based on interest | |||
legitimate ” , obtained from the caixabank.es website, in the“ Privacy ”section, on 01/07/2020: | |||
<< Processing of personal data based on legitimate interest | |||
We inform you that, in accordance with the provisions of article 6.1.f) of the General Regulations of | |||
Data Protection, CaixaBank, on occasions, processes its customers' data based on legitimate interest. | |||
Below you will find a list of all the treatments that CaixaBank can carry out with this | |||
legal base. This list will be permanently updated to include new treatments, or give | |||
unsubscribe those that are stopped. | |||
You can oppose the treatments that we list below by indicating it in any | |||
from our offices, in writing to PO Box 209 of Valencia (46080), at the address | |||
electronic www.CaixaBank.es/ejerciciodederechos or through the options enabled for this purpose | |||
in your internet banking and mobile apps. | |||
Treatments based on legitimate interest | |||
. Sending information about products or services similar to those that you already have contracted or | |||
information that we believe may be of interest to you, or that we believe may have | |||
a reasonable expectation of receiving. | |||
. Study of the information that we have about you (account movements, account movements | |||
card, loans, etc.) to personalize your experience with the Entity, for example | |||
showing you their most common operations first at ATMs and websites, or offering | |||
products and services that fit your profile and apply the current benefits and promotions | |||
in every moment. | |||
. Monitoring of the fulfillment of the objectives, incentives or awards set to our | |||
employees. | |||
. Communication of data between CaixaBank and the companies in which it has a stake for the purpose | |||
to carry out internal reports (without personal data), which allow us, among others | |||
aspects, carry out market studies and mathematical models to establish the strategy of | |||
CaixaBank Group business. | |||
. Creation of statistical models (without personal data) that help the Entity to | |||
better understand the preferences and tastes of our customers, collaborating in the improvement of | |||
design and execution of commercial actions, as well as making aggregate reports on the | |||
result of the models to carry out the monitoring of customer behavior. | |||
. Structuring and profiling of the information processed by the Entity to maintain the resources and | |||
technical systems prepared to efficiently meet management needs. | |||
. Control and supervision of the Entity's activity through samples and self-evaluations with | |||
the purpose of identifying and assessing possible risks in the commercialization of products, controls | |||
and evaluate compliance with internal rules and regulations. | |||
. Control and supervision of operations in order to prevent fraud, both to customers and to | |||
the Entity itself. | |||
. Use of contact data of employees or representatives of legal entities to maintain | |||
relations with the legal entity in which it provides services >>. | |||
C / Jorge Juan, 6 | |||
www.aepd.es | |||
28001 - Madrid | |||
sedeagpd.gob.es | |||
</pre> | </pre> |
Latest revision as of 13:43, 13 December 2023
AEPD - PS-00477-2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6 GDPR Article 13 GDPR Article 14 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 13.01.2021 |
Fine: | 6000000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00477-2019 |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Overturned RR/00061/2021 |
Original Language(s): | Spanish |
Original Source: | AEPD (Spain) (in ES) |
Initial Contributor: | Paola L. |
The Spanish DPA (AEPD) imposed a fine of €6 million on CaixaBank S.A following complaints received from a customer of the bank in 2018 and from the non-profit organization ‘FACUA’ in 2019. CaixaBank infringed Articles 6, 13, and 14 of the GDPR.
English Summary
Facts
On 24/01/2018, an individual (the first complainant) who was a customer of CaixaBank (the defendant) filed a complaint with the AEPD alleging that the defendant forced them to accept the new conditions regarding the protection of personal data, specifically that regarding the transfer of their personal data to all the companies of the CaixaBank group, and that if they wanted to withdraw their consent, they had to correspond individually with each company of the group. The complainant alleged that this is disproportionate considering that the consent for this purpose was given in one single act.
The AEPD proceeded to transfer the complaint to the defendant to which it responded by explaining the processing activities that were based on consent, why they were based on consent, and the mechanisms in place to obtain consent as well as the options available to customers to withdraw their consent whether it was in person, via the website or mobile app. On 01/02/2019, the AEPD closed this investigation due to being expired, as twelve months had elapsed since the complaint was filed (24/01/2018).
On 29/03/2019, a second complaint was received against the defendant, this time from the Association of Consumers and Users in Action – ‘FACUA’ (the second complainant), who filed a complaint in relation to the "Framework Agreement" signed by the customers of this entity, through which their personal data is collected. Essentially, FACUA indicated that this was a boilerplate contract, as customers did not have the option to negotiate its terms and were obliged to consent to the processing of their personal data, including for the purpose of sharing it with third parties.
On 28/05/2019 the AEPD admitted the second complaint and launched an investigation into the matter. The AEPD requested the CaixaBank to provide evidence of the "Framework Agreement" in its current version and previous versions, channels, and methodology for its acceptance and granularity for obtaining consents; as well as the procedures that were enabled for the provision of information in accordance with Article 13 and 14 of the GDPR and the mechanisms to obtain its acceptance. In addition, the AEPD requested evidence of Article 30 record of processing activities, data protection impact assessments, and record of legitimate interest assessments.
Dispute
Was the information that CaixaBank provided to its customers in relation to data protection compliant with the requirements of Articles 13 and 14 of the GDPR?
Holding
In relation to Article 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided in relation to data protection, was imprecise, vague, and was not uniform, it noted that not even the terminology is offered with the same breadth to all customers and in all situations (in some cases the “Framework Agreement” is used, in others the “Consent Agreement” and for other clients only the “Privacy Policy”), and it was not updated in the same way in each case. The AEPD also pointed out that the information provided in relation to the legal basis relied upon, the categories of personal data processed, the purpose of the processing, retention periods, the exercise of rights, and profiles of users and their uses was insufficient.
In relation to Article 6 of the GDPR, The AEPD found that Caixabank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent. The AEPD outlined that "consent was considered an affirmative act, but it could not be considered to be freely, specific, informed, and unequivocal". It is further noted that CaixaBank does not inform about any legal basis that enables the transfer of data to the companies of the CaixaBank Group, therefore the transfer of personal data within the CaixaBank group was unlawful.
In consequence, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR, and a fine of €4 million for a violation of Article 6 of the GDPR, and ordered CaixaBank, to conduct a review of the company's process and procedures and bring them into compliance with data protection regulations within six months.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/177 Procedure No.: PS / 00477/2019 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Data Protection Agency and based on the following BACKGROUND FIRST: On 01/24/2018, a letter from Mr. AAA (as far as the claimant), in which he denounces the entity CAIXABANK, SA (hereinafter CAIXABANK) for imposing on him, on the same date of the complaint, the obligation to accept the new conditions regarding the protection of personal data, specifically that relating to the transfer of your personal data to all group companies, as stated in the section II of the "new LOPD conditions" established by the entity. Add that to cancel Said assignment must send a letter to each of the companies, which qualifies as disproportionate considering that the assignment is accepted in a single act. Provide a copy of the conditions that motivate the claim, relative to "Authorizations for data processing ” and “ Exercise of the right of access, cancellation and opposition. Claims before the Data Protection Authority ” . Through this document, that appears with the label "Authorizations for data processing" , the interested party "consents expressly ” the incorporation of all your personal data in a repository common information, where the data of the companies of the "la Caixa" Group work, so are processed by CAIXABANK and the companies of the "la Caixa" Group for the purposes set out detail (two groups of purposes: "Study and monitoring purposes" and " communication of offer of products, services and promotions ” ). Likewise, the client is advised that the indicated treatments may be carried out in an automated way and entail the elaboration of profiles, with the purposes already indicated. For this purpose, CAIXABANK informs you of your right to obtain the intervention treatment, to express their point of view, to obtain an explanation about of the decision made based on the automated processing, and to challenge said decision. Information is offered on the “data” of the Signatory that will be incorporated in this Common Repository and it is added that these data will be complemented and enriched by data obtained from commercial information provider companies, by data obtained from public sources, as well as statistical, socioeconomic data ( "Additional Information" ). Finally, the period of conservation of the personal data is indicated and it is offered information on data protection rights and the possibility of file a claim with the Spanish Agency for Data Protection. SECOND: In use of the powers conferred by article 40 of the Organic Law 15/1999, of December 13, Protection of Personal Data (LOPD), after the receipt of the complaint, the Subdirectorate General for Data Inspection proceeded to carrying out preliminary investigation actions, indicated with number E / 01475/2018, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 2/177 to clarify the facts denounced and determine if there are circumstances that justify the initiation of a sanctioning procedure. In your responses to the two requests that were made to you by the Services of Inspection during the development of the aforementioned previous actions, the entity CAIXABANK, informed this Agency that the informative clauses referred to in the complaint were implemented on the occasion of the contractual changes provided by the entity to adapt to Regulation (EU) 2016/679, of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of Natural Persons with regard to the Processing of Personal Data and the Free Circulation of this Data and by which repeals Directive 95/46 / EC (hereinafter General Data Protection Regulation or RGPD), applicable from May 25, 2018. 1. By letter dated 05/16/2018, entered on 05/22/2018, the entity CAIXABANK informed this Agency as follows: (…) Taking advantage of the contractual changes that were to be implemented to adapt to the GDPR, in 2016 it was decided to follow two principles in the relationships to be established with the clients: the basis for the commercial activity (treatment) would be the unequivocal consent the client's; and consents would be collected at the “group” level, to simplify procedures crossed relationships, requesting authorization from clients for treatment with the jointly for all the companies of the "group". (…) Customers are requested authorization to carry out data analysis treatments and advertising treatments for a set of ten entities, allowing to evaluate in common information on all customer products associated with the "CaixaBank Group". I know centralize consents in a repository, so that any input from information in it, whether they are notes of consents granted as denied, supersedes the previous annotation, allowing a customer to revoke consent from any company in the "group", and vice versa. Any group company is a point of entrance where the client can grant consents, or withdraw them, with effects to the whole. (…) The revocation of consent for commercial purposes automatically takes effect for all of them, so that the right can be exercised without distinction before anyone and by any channel. Instead, with respect to cancellation and rectification, each of the companies is responsible for the commercial relationships it maintains with its customers and for both of the data that it deals with in the field of the contractual relationship. Without prejudice to the fact that the data canceled or rectified, if it was capable of being used by the other companies, it will cease to be it in case of cancellation or it will be updated, in case of rectification. Further, CAIXABANK informs that a rights assistance system has been implemented centralized, at group level, in a service supervised by the DPD, this entity being entry channel, without prejudice to the fact that all companies have their own channel for the receipt of exercise of rights, including revocation. Consulted by the data collection of social networks, CAIXABANK clarifies that it has a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/177 service so that customers who consent to it through internet banking can link your identification data in networks (Facebook, Twitter and Linkedin) with this service, to be able to identify them when they use these channels to contact the entity. (…) In all cases, the client must accept its use and the terms and conditions. It also informs about data aggregation services, which allow, upon request of the interested party, add the information of the products that have contracted with other entities (positions and movements of accounts and cards) and thus have a global vision of all positions, alerts on receipts, expirations, etc., but do not operate on the products of the added entities (the customer adds or removes entities at will, but only among those incorporated into the service). CAIXABANK includes a detail (screen printing) of the service request process of aggregation that the client must follow through the entity's website. After select the entity that you intend to add to the service and enter the data that the client used to access the selected entity online (access codes), the process requires the acceptance of the terms and conditions of the service, according to the detail that is outlined in the Proven Fact 8. On the other hand, on the possibility, contemplated in the information provided to the interested parties, to complement or enrich customer data with data obtained from companies that provide commercial information, public sources, and with statistical data and socioeconomic, (…). 2. By letter dated 07/17/2018, entered on 07/19/2018, CAIXABANK provided its response to the second request for information that was sent to it so that provide details on the mechanism implemented to obtain consent unequivocal of the client for the treatments carried out for commercial purposes (or other treatments that exceed the basic activity protected by the legitimate interest of the entity, eg analytical and business impact treatments); mechanism detail implemented to allow the customer to revoke the consent granted for any of the processing of personal data carried out by the CaixaBank Group companies with legal basis in the consent of the client; and information provided to the client in the moment of obtaining consent in relation to data processing personal data carried out by the CaixaBank Group companies, their purpose and the mechanism to exercise your rights of access, rectification, deletion, limitation of your treatment, opposition to it and portability of data. A) on the mechanism to obtain the consent of the client: It has two channels to collect commercial consents from its clients, which coincide with the channels that make it possible to become a client of the entity, that is, in person at offices and through digital channels (CAIXABANK web portal, portal ImaginBank web and mobile app): a) The office registration process The entity informs that this process is carried out through an interview between the client and the manager, and involves the collection of identification, tax and contact data, data socioeconomic and work activity data, data on experience, financial situation and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/177 investment objectives, as well as the collection of authorizations for the use of the data for commercial purposes. These authorizations are provided by answering three questions carried out by the manager to the client, one of them broken down into four options. The information provided by the client during the interview is incorporated into the system and, once this has been completed, it is reflected in the printing on paper of a "Framework Contract" that the client signs (provides a copy of a "Framework Agreement" dated 05/24/2018, whose clauses coincides with the one incorporated in Annex I). In this document a summary of the information provided (including their answers about the treatments) and a clause with the detail about the data processing that is planned. Attach sequence of screens that the manager has to fill in in the registration process of a person. Among others, those that allow to collect identifying data, digitize the identification document and signature, data of birth, residence and tax address, data of contact, taxation and economic data. After filling in several screens (around to fifteen), the manager must complete the label "Modification of data protection of ...", in which the "registration of consents" is included (the structure of this screen consists of outlined in Proven Fact 4). On a later screen, labeled “Scan signed document from original. Firm digital " , the client's" Framework Agreement "can be accessed in pdf format. At the end of this screen, a section "Signed document" is included , which offers the options "Document Scan ” and “ Scan and Send Document ” . He adds that the same procedure is followed for existing clients, when necessary. remediate the information contained in the systems. Since 2016, the Prevention of Money Laundering and Terrorism Financing and the GDPR motivated this remediation of customer information (100% of natural person customers were marked as remediable -when the manager accessed the client file, a warning was displayed indicating that the client has the "Framework Contract" pending for the manager to start the interview). It is also possible that the consents are collected or modified for purposes commercials at later times, with the same management described, but signing a document that only addresses this point. CAIXABANK provides a copy of this document, which It is presented as "Authorization for the processing of personal data with commercial purposes by CaixaBank, SA and companies of the CaixaBank Group ” and that this entity denominates “Consent Agreement”, the details of which appear in Annex II (as successive "Agreement of consents" or "Authorization for treatment"). In view of said document, it is verified that it has a structure and content similar to that of signed by the claimant on 01/24/2018 (outlined in the First Fact), although it has been provided the provision of consent separately for the same purposes as are cited in the "Framework Contract" (purpose of study and monitoring; communication of offers of products, services and promotions; transfer of data to third parties) Additionally, CAIXABANK continues, has provided the entire network of offices with tablets digitizers, enabling the "Framework Agreement" and the "Consent Agreement" to be sign, not on paper, but on the tablet itself. In addition, you plan to update the tablets to allow the manager and the client to work on "shared screen" and to the client interact with the device by selecting the options on the treatment of your data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/177 b) Registration process through digital channels (CAIXABANK web portal, web portal and ImaginBank mobile app): CAIXABANK indicates that its web portal has a service to process customer registration online, the process of which includes a step that displays a screen through which They collect consents for the processing of data for commercial purposes (the detail of the options shown on this screen is outlined in Proven Fact 4). Add CAIXABANK to the information symbol (i) that appears in the previous screen leads to another screen “in which it is explained why it is necessary for the customer to respond to the questions that arise ” . In this new screen it is indicated “(i) We need your consent. Since May 2018 a new Data Protection Regulation applies. We have always been concerned about the protection of your data, that is why it is important that you answer the following questions (Understood) ” . From there you can access the Clause 8 “Treatment and transfer of data for commercial purposes by CaixaBank and CaixaBank Group companies based on the consent ” of the“ Framework Agreement ”. Finally, the summary of the consents granted and the clauses will be shown in the "Framework Contract" that the client signs at the end of the process. CAIXABANK warns that in the screen in which the signature is requested shows a summary of the most important aspects that regulates the contract, among which the authorizations for data processing are indicated. This screen includes a box to check "I have read and accept the contract . " The same process follows the registration and collection of consents through the mobile application from ImaginBank. The screen relative to consents shows the same structure of the CAIXABANK web portal, substituting the mentions to this entity for ImaginBank. B) About the mechanism to allow the client to revoke consent: The exercise of rights and the revocation of "commercial consents", by clients and non-clients, it can be formulated in multiple ways: . In person at the entity's offices. . Through the personal electronic banking space (Caixabank Now and ImaginBank, both in its web version as in the mobile application). . Using application forms on the corporate web portal of CAIXABANK or of each one of the Group companies. . Through CAIXABANK's telephone service. . Request by postal delivery or hand delivery. a) In the face-to-face process, in offices, the employee will register the request in the system noting "with respect to which company the revocation is formally exercised" , as may be seen in the screens it shows, one related to rights management and another specific for the revocation of consents (both have a drop-down that allows indicate the specific company before which the statement in question is made). The structure that shows the screen enabled for the manager to register the revocation or modification of consents that the client wants, under the heading "Modification of data protection ”, is the same as that indicated above for the “ Registration of consents ” manifested in person at the office. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/177 According to CAIXABANK, these requests are registered and sent to a service centralized attention to rights, which is responsible for giving them the corresponding procedure. b) The process to follow in the client's private space on the Caixabank Now website will allows you to select your preferences and obtain information about the proposed treatments (By clicking on the option "see detail Clause 8" you have direct access to the texts of the "Contract Framework ”related to each purpose). The detail of the options shown on this screen It is outlined in Proven Fact 5. Next, the client is shown a summary with the consents granted, to that you can check them, and the contract that includes a summary of those consents. Here is an example of this summary: << Operation not yet completed, Check the data and confirm the operation. Check the data Study and monitoring purpose: You have expressed your acceptance and consent to the treatment of data. Purpose of communication of offers of products, services and promotions: you have stated your NO acceptance and consent to contact for commercial purposes. By any channel or medium, including electronic means. . Through my manager (office) Transfer of data to third parties: you have expressed your NO acceptance and consent to contact with commercial purposes. Read the contract carefully Confirm the operation… >>. In the CaixaBank Now mobile application environment, the customer can access "Configuration - Exercise of rights" and is redirected to the Web portal. However, it clarifies that This process is being reviewed in order to show the options available in the own application. Provides a detail of the screen in development "Configuration - Exercise of rights - Right of revocation ” : "The personal data protection regulations establish the right to revoke the data treatment. Below are the data processing that you have authorized: Authorization to process my data to carry out monitoring and study of operations, generation of alert of my contracted products, studies and services adjusted to my profile (I do not accept) Authorization for CaixaBank to contact me to find out about product offers and services, as well as promotions and offers that may be of interest to me (I do not accept) I accept the transfer of data to third parties (I do not accept)". Subsequently, the summary of the demonstrations made is shown, the introduction of the passwords and, in a new screen, it is indicated “Your right to revocation. You can check the contract in MailBox ” . The same indication is made with respect to the ImaginBank application. c) Use of the application forms available on CAIXABANK's corporate web portal C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 7/177 or each of the Group companies. As indicated, in the first case customers can revoke their consent to any company of the Group through the CAIXABANK website (a drop-down for the client to select the company on which they want to revoke consent). Once the company has been chosen, the right that the client wants to exercise must be selected, also using a drop-down. One of the options refers to the revocation of consents, with the possibility of marking three boxes, according to the detail that appears outlined in Proven Fact 5. In the second case, when it is intended to revoke consent from the web portal of a group company, as reported by CAIXABANK, a similar form is displayed and same operation as the previous one. When accessing the page corresponding to the entity from which the try, the client is directed to a screen common to all. d) Finally, reference is made to the request through the telephone service and by postal delivery. According to the entity, the Call Centers have at their disposal a tool that allows them to address the exercise of rights, including the revocation of consents. The request (the protocol contemplates the recording of the call) and the interested party is informed that You will receive a written response within one month. The structure shown by the aforementioned tool for the revocation of consents is similar to the one indicated above for the "Registration of consents" manifested in person at the office. In each option, a drop-down is displayed for the employee to mark the option desired by the client. 3. CAIXABANK consulted for the information provided to the client at the time of the obtaining the consent of the Group companies, it is indicated that this Information is contained in the “Framework Agreement” and in the “Consent Agreement”. THIRD: By resolution dated 02/01/2019, of the Director of the Spanish Agency of Data Protection, the expiration of the previous actions outlined in the Second Antecedent, followed by number E / 01475/2018, for the duration of the twelve months from when the complaint was filed (01/24/2018), in accordance with the established in article 122 of RD 1720/2007, of December 21, which approves the Regulations for the development of the LOPD. This resolution warns about the provisions of article 95.3 of the On the other part, article 95.3 of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), which establishes that the expiration will not produce the prescription of the actions of the Administration, and the opening of a new procedure is admitted when the prescription, with the incorporation of the acts, the acts and procedures whose content is it would have remained the same had it not expired. FOURTH: On 03/29/2019, a letter from the entity had entered this Agency Association of Consumers and Users in Action - FACUA, in which he makes a claim against CAIXABANK in relation to the “Framework Contract” signed by the clients of this entity, through which your personal data is collected, offers them the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 8 8/177 information on this matter and consents are collected for data processing that are specified. Specifically, FACUA denounces that it is an adhesion contract, whose content cannot be negotiated by the consumer, who is required to consent to processing of your personal data and the transfer of them to third companies with the that it could not be related (authorizations provided for in clause 8 and assignments mentioned in clause 10 of said contract). The claimant provides a copy of a "Framework Agreement" dated 10/24/2017, whose clauses coincides with the one corresponding to the version dated "03/14/2017", which will refer to below ("Version 3", according to the numbering provided by CAIXABANK). This claim was transferred to the CAIXABANK entity. In response to what expressed in the claim, CAIXABANK informed this Agency that it sent FACUA a writing detailing the process of collecting consent from clients for the purposes commercial, as well as the operations used to sign the contract, which summarizes how follow: . Customers are requested, on all occasions, express consent for the data analysis, commercial impact and the transfer of your data. . The contract is not an adhesion contract, since the client can decide whether or not to grant the consents. . Additionally, the client has several channels to modify their initial decision (offices, internet banking, call centers, etc.). CAIXABANK provides a copy of the communication sent to FACUA, which summarizes part of what was stated to the Agency in its response of 05/16/2018, and includes a list of the "Group companies" and an annex with details of the consent collection process (corresponds to an extract of the training given to employees, which includes the screens to be completed). From what was informed to FACUA in this communication, date 05/03/2019, the following should be noted: . Regarding the collection of consents, it describes the procedure for registering a new client, which includes your identification and your consent (signature). Before signing the "Contract Marco ”, the office manager must ask the client whether or not he authorizes the treatment of his data for commercial purposes (profiling, commercial communications and assignment to third parties), so that the client verbally expresses his choice in each of the three questions and the manager fill in the boxes corresponding to this choice (consent for the treatments explained in clauses 8 and 10 of the "Framework Contract" -currently 8 and 9). Once these boxes are filled in, the "Framework Contract" is generated to be signed by the client, collecting them in the header (page 1, section "Authorizations for data processing"). In case it is not granted none of the authorizations, in the aforementioned section the following will be indicated: "Authorizations for data processing In the terms established in clause 8 and 9 of this Contract, your authorizations for the data processing are the following: Commercial purposes: . Purpose of studies and profiling: You have expressed your non-acceptance and consent to treatment of your data. . Purpose of communication of offers of products, services and promotions: You have expressed their non-acceptance and consent to contact for commercial purposes by any channel or medium, including electronic media. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 9 9/177 . Transfer of data to third parties: You have expressed your non-acceptance of the transfer to third parties of your data ” . It also informs that a new shared screen operation is in the pipeline that will allow the client to directly read the information about data processing personal and mark, without intermediaries, those who authorize or not. . Regarding the revocation of consents and the exercise of rights, you warn that you have effects for all Group companies and that can be exercised before any of them, through any of the channels of each of them. Add that it has been named a Group DPD, who supervises the centralized rights management service, and who CAIXABANK is an entry channel for exercising rights for all companies. (…) FIFTH: The claim outlined in the Fourth Antecedent was admitted for processing through agreement of the Spanish Agency for Data Protection of 05/28/2019. In accordance with the provisions of article 67 of Organic Law 3/2018, of 5 December, Protection of Personal Data and Guarantee of Digital Rights (as successive LOPDGDD), it was agreed to initiate preliminary investigation actions and the incorporation to the same of all the documentation outlined in the previous events, composed of the complaint made by the claimant, the documentation corresponding to the previous actions indicated with number E / 01475/2018, processed on the occasion of that claim, the claim made by the FACUA entity and the documentation that integrates the phase of admission to process of the same. The object of these preliminary investigation actions was determined as the analysis of the information generally offered by CAIXABANK regarding the protection of personal data, through all the channels used by the entity (compliance by CAIXABANK part of the principle of transparency established in articles 5, 12 and following of the RGPD, and related precepts); the different data processing personal data carried out by the entity according to the information offered, in relation to clients or person who have any other relationship with it, and within the framework of the new regulations applicable from 05/25/2018, including analysis of the mechanisms employees to obtain the consent of the interested parties; just like him compliance by the aforementioned entity of the rest of the principles related to the treatment established in article 5 of the RGPD. In the development of these preliminary investigative actions, a request was made of information to CAIXABANK and an inspection visit was made on 11/28/2019: 1. On 11/20/2019, a response was received from CAIXABANK to the request that was issued by the Inspection Services to provide information on the "Contract Marco ”, in its current version and previous versions valid as of 05/25/2018, and possible addenda; channels and methodology for its acceptance and granularity for obtaining of consents; as well as on the procedures that were enabled to give know the information on the protection of personal data updated to the RGPD to clients prior to 05/25/2018 and mechanisms to obtain their acceptance. a) CAIXABANK points out that, taking into account the preliminary texts of the RGPD, implemented the “Framework Contract” in June 2016, with six versions dated on C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 10 10/177 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019 (provide a copy of these versions). It highlights that there have been no significant changes in this document, that regulates the entire customer relationship with CAIXABANK and the Group companies whose products sells that one, informs about all the treatments derived from the relationship contractual and requests the necessary consents for the treatment of the data of personal character at Group level. On the other hand, CAIXABANK advises that product and service contracts also include the information required by article 13 of the RGPD, in anticipation that it could mediate time between the signing of the "Framework Agreement" and the contracting of products (includes a copy of a contract for products and services corresponding to the "Book Star"); and that there are other services that, due to their specialty, contain their own data protection clauses (includes the detail of the protection information of personal data provided to subscribers of the "Shareholder Attention Service" and in the subscription form to "Events"). b) In relation to the granularity for obtaining the consents, it is indicated that CAIXABANK and a selection of investee companies, to which it has joined recently Caixabank Payments & Consumer, EFC, EP, SAU, has been collecting consents to carry out commercial treatments since 2016 in the terms set forth in file E / 01475/2018 (Second previous antecedent). It details the procedure followed by CAIXABANK and by Payments. In the first case, indicates that the information system guides the manager throughout the process, advising him that he must consult the customer's preferences and physically provide the tablet so that the customer himself proceed to mark your options. Once the preferences have been marked, the terminal itself will indicates that these preferences have been registered and invites you to return the device to manager. Subsequently, "the manager finalizes and consolidates the document and provides it for signature to the client ” . On the next screen, the indication "Tablet Mode" disappears and the following is stated: “Your consents have been indicated. Thank you for your cooperation. Please return the Tablet to your manager ” . It informs that CAIXABANK and its Group request three consents for the three purposes outlined, breaking down one of them into four options, and clarifies that the first two are requested at the level of the CaixaBank Group of companies. Next, it reproduces part of Clause 8 of the aforementioned contract, in which, according to CAIXABANK, the meaning and specification of the previous literals are explained and the detail of what data will be processed for purposes i) and ii). The content of this clause reproduced in CAIXABANK's brief coincides with the one outlined in Annex I. On this issue, it provides a copy of the screens that allow viewing the registration process of a client in person in offices. After advancing about fifteen screens, show two screens corresponding to the collection of consents for the treatment of personal data, with the label "Authorization / Revocation of consents" and the indication “Tablet mode. Customer ” . Previously, a screen is shown with a message to the manager with the indication “According to the General Data Protection Regulation, the client you must authorize the use of your data. You must then hand over the tablet to the customer so that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 11 11/177 fill in the consents ” . After pressing the "OK" button , you access the "Mode Tablet " , to the " Authorization / Revocation of consents " screens , the details of which are outlined in Proven Fact 4. Once the options have been selected, the buttons at the bottom of the screen "Accept" and "Cancel" . Pressing the first one offers a message with the text "Your consents have been indicated. Thank you for your cooperation. Please return the Tablet to your manager ” . (…) It is verified that the “Tablet Mode. Client ” do not contain any link to the information on the protection of personal data contained in the "Framework Agreement". In relation to this process, no screen is provided regarding the consolidation of the document and its signature by the client. Next, the screens corresponding to the process of “Modification of consents ” . (…) This screen includes a link to the text: “Authorization / Revocation treatments for commercial purposes ” . By clicking on this link a message appears to the manager with the indication “According to the General Data Protection Regulation, the client you must authorize the use of your data. You must then hand over the tablet to the customer so that fill in the consents ” . After pressing the "OK" button , you access the "Mode Tablet ” , to the “ Authorization / Revocation of consents ” screens , the details of which are identical to the screens of “Authorization / Revocation of consents. Tablet mode. Client ” of client registration process, which has been referred to in the previous paragraphs, except in what refers to the use of biometric data, which is not included in this case. With its reply, CAIXABANK provided a copy of the contract corresponding to a client, which appears dated 11/06/2019 (hereinafter we will call this document such as “Version 7 of the Master Agreement” or “Client Master Agreement dated 11/06/2019 ”). It is verified that its content does not match any of the six versions of the "Framework Contract" provided by the entity itself (in Annex I the modifications or new informative clauses introduced in this version of the "Contract Marco ”, which affect data processing in the electronic signature of documents and the biometric data processing). In the heading of the document, under the heading of "Authorizations for data processing" are indicated: “Other purposes: Use of biometric data for the purpose of identity verification and signature. You has expressed its acceptance and consent ” . c) On the procedures enabled to publicize the "Privacy Policy" updated to the RGPD to clients prior to the application of this standard and the mechanisms To obtain their acceptance, CAIXABANK informs this Agency that said "Policy of Privacy ”, which is published on the“ caixabank.es ”website, is intended to complement the information provided to customers in the "Framework Agreement" between June 2016 and May 2018; and give complete information to customers who in May 2018 did not would have signed the "Framework Contract". Thus, since May 2018 it distinguishes two situations: . All pre-existing clients have signed a framework contract or have received the “Policy of Privacy ”(in addition to having it at your disposal on the entity's website). . All new clients, in their first relationship with the entity, sign a "Contract Marco ”, which includes all the information of article 13 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 12 12/177 It clarifies that the "Framework Contract" is, since May 2018, the information on the treatment of the data that is delivered to the client in compliance with the provisions of article 13 of the RGPD and that the "Privacy Policy" is a document consistent with what is contained in said contract. To transfer the "Privacy Policy" to customers, CAIXABANK states that sent 15,917,507 communications, of which 5,663,683 were made by post and 10,253,824 through remote banking with a warning pop-up (“If you want to know more about our commitment to your data and your privacy, you have a statement available at your MailBox -Access MailBox ”). Accompany a copy of the "Privacy Policy" of CAIXABANK available on the website of the entity, which is reproduced in Annex V. 2. On the other hand, an inspection visit was made to CAIXABANK on 11/28/2019, informing the representatives of the entity that said action was aimed at verify the information you provide on the protection of personal data and the obtaining of Consents for the data processing carried out. According to the inspection record, in response to the questions raised, the representatives of CAIXABANK made the following statements and carried out the checks that are also detailed: a) The procedure for the beginning of commercial relations can be carried out in person, or also through the web and through the application for devices mobile "CaixaBank" previously downloaded In person. The agent requests the identification data, digitizes the identity document, collects data on residence and fiscal address, taxation and economic data (origin of funds, public personality, etc.); and hands a tablet to the customer to select the consents that you wish to grant to the inspected party and to the group companies. Indicated that there are four groups with Yes / No answers and the text that appears on the tablet is detailed stating the different groups, which coincides with the text detailed in section b) above ("Authorization / Revocation of consent" screen, which contains the indication "Mode Tablet ”). At this time no biometric data is taken except for the signature. If in the future implant this type of identification, and this consent would have been granted, will collect this data. Once the consents have been collected, the agent consolidates and offers the tablet to the client with the “Framework Contract” document so that you can read it and see the section “Authorizations for Data processing ”with the consents granted and denied and signing said contract, which is done on the same Tablet. Through the CAIXABANK website. The procedure is carried out on the online platform of the inspected company through a Guided form for data collection of the future client. During the inspection, a simulation is performed and it is verified that the first page ask for the phone number and email. On this same screen a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 13 13/177 window with a text entitled "Processing of personal data and obligations derived from the prevention of money laundering and terrorist financing ” . There's a button called "Accept and Continue" . Identification data is requested on the next screen and address. Next, the identification is carried out by video identification or through the service of obtaining ownership of external accounts through the service Iberpay. Then a screen is presented in which the purpose of the account is specified, screen for obtaining consents, account creation, and contract signing screen, where you can download the complete "Framework Agreement". Once the checkbox is selected verification of acceptance of the contract, the signature is carried out by sending the code numeric to the mobile phone provided by the customer. Mobile banking via app. It is possible to start the registration process through the application for mobile devices, but, After the installation process, at the time the data collection of the interested party begins, The application redirects the interested party to the web application described in the previous point. By phone. No registrations are made by this means. b) A demonstration is carried out on the procedure for modifying the Consents of a client through their personal space: Initial situation: all consents "I do not accept" Data processing: I do not accept Advertising: I do not accept Telemarketing advertising: I do not accept Advertising by electronic means: I do not accept Advertising by postal mail: I do not accept Personal manager advertising: I do not accept Data transfer: I do not accept Modification: the second level is modified and not the first level Data processing: Does not support Advertising: I do not accept Telemarketing advertising: Does not accept Advertising by electronic means: Does not accept Advertising by postal mail: Does not accept Personal manager advertising: If you accept Data transfer: Does not accept It is detected that, although it has been selected not to receive commercial communications from generic form, by being able to mark one of the media, the receipt of communications is accepted in this way and the granting is reflected in the document signed by the client (in Regarding this matter, on 12/10/2019 a letter was received from CAIXABANK, noting that it has included an informative text to indicate to the interested party that, when marking one of the media, accepts the receipt of communications in this way: “If, despite not wanting let us contact you in general, you are interested in receiving information by any of the following channels, you just have to mark it and we will use it to move you our news and offers ” ). A screenshot is attached in which all consents and consent are denied. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 14 14/177 copy of the document generated from the modification of consents. The structure and content of this screen coincides that the detail outlined in the Second Antecedent, section 2.Bb), in relation to the revocation of consents through the space private client on the Caixabank Now website. A screenshot of enabling a second level consent is attached while the first in "I do not accept" for commercial communications and document generated from of the modification of consents. The content of the documents generated once the customer's statements have been reflected coincides with the text outlined in Annex II ("Consent Agreement"), with the variations that are indicated below and that are also outlined in said Annex II: . The term "revocation" is added to the label of the document and "Authorization / revocation for the processing of personal data with commercial purposes by CaixaBank, SS and companies of the CaixaBank group ”. . The mention of the "common repository" disappears in the presentation of the document, in the that appeared with the indication “For this, your data will be managed from a repository common information of the companies of the CaixaBank Group. The data that is will be incorporated into this common repository will be… ” . . The section dedicated to "the data to be processed" moves from the presentation of the document to associate them with purposes 1 (analysis and study of data) and 2 (offer commercial products and services). In addition, in section c) the mention of the companies of the CaixaBank Group, and there remains “All those that CaixaBank or the companies of the Grupo CaixaBank obtain from the provision of services to third parties, when the service have the signer as the recipient, such as the management of transfers or receipts ” . . The following text is added: "The authorizations that you grant will remain valid until revocation or, in the absence thereof, up to six months since you cancel all your products or services with CaixaBank or any CaixaBank Group company ” . . In the authorization (ii) of the section corresponding to purpose 1 (Treatments of analysis, study and monitoring for the offer and design of adjusted products and services to the customer profile) the possibility of associating the signer's data with those of other clients with whom you have some type of family or social bond, relationship ownership or management, in order to analyze possible economic interdependencies in the study of service offers, risk requests and product contracting. . In the section dedicated to the exercise of rights, a mention is added to them, that does not appear in the text of Annex II, a postal address is indicated to exercise rights, which was also not recorded, and the possibility of exercising the rights to through mobile applications. . Two sections have been added corresponding to the data protection officer already the validity of the "Framework Contract" once it has been signed by all the parties involved. c) Exercise of rights. Any channel in which the client has identified is enabled to exercise rights. The revocation of consent is applied at the moment it is made and applies to all group companies. d) On the information provided to the client so that they consent to access to network data social: accessed from the personal area of online banking and specify which network C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 15 15/177 individually from among Facebook, Twitter and LinkedIn access is allowed. Appears the text "Information on the processing of personal data and communications commercials ”in a text box and a button with the text“ Accept and continue ”. Annex III outlines the information provided by CAIXABANK to its clients to collect their consent to access and use data from social networks. e) The account aggregation service requires a special contract, although the consent is given in the "Framework Agreement". When starting the process, a text "Contract" appears in a text region, with the possibility of generating a document in pdf format. Annex IV outlines the contract that the client formalizes requesting this aggregation service of accounts, which includes the information offered on the protection of personal data. f) The treatment described in point 7.3.5 is not carried out. on the aggregated accounts of other entities. You can exercise the right of opposition to the treatment collected in this point to through online banking and other enabled channels g) Regarding the content of 8.ii.h), this possibility has been specified for possible uses. When a treatment of this type occurs, it will be assessed by the Impact evaluation. h) On the mechanisms used to inform about the update of the " Privacy ”and obtaining the consent of clients, representatives of CAIXABANK stated that with the first version of the “Framework Contract”, dated June 20, 2016, the new consents began to be collected. In May 2018 they set all consents in old format to "I do not accept". Since this date Customer consents have been collected through different channels. During the various updates, more than 15 million communications from of which 5,663,683 were sent by post and 10,253,824 were made available to customers through their online banking through a pop-up warning window. He Communication content is purely informative. i) Information systems are accessed to verify the consents granted by the claimant, obtaining the following data: Consents: Data processing: Does not support Telemarketing advertising: If supported Advertising by electronic means: If supported Advertising by postal mail: If supported Personal manager advertising: If supported Data transfer: - It is verified that the claimant has not signed the “Framework Contract”, but has granted consents on January 24, 2018, by signing the document found in its contractual repository (this document corresponds to the one provided by the claimant, signed on 01/24/2018, which is outlined in the First Fact). Additionally, it appears that the claimant modified through the entity Caixabank Consumer Finance, EFC, SAU, one of the consents in May 2018, no admitting the data processing (provides an internal email of 11/28/2019, which C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 16 16/177 informs about this modification: “consent 1 reached“ unsigned ”from company 6 (CCF), was signed on May 18. Consents from 3 to 6 were signed with ALF00017 (winning moment) in January 18. The 7th is not signed in the ALF00017, so it is pending signing ” ). Screenshots of the information systems of the CAIXABANK corresponding to the claimant's data, current consents, the contract of LOPD clauses of January 24, 2018 and justification of the change of the Consents granted for data processing: . The query on customer data, in its first section "Operational list", details the contracted products and a review of your personal data (name, NIF, date of birth, language, telephone numbers and the image of your ID. It includes two indications: "Program Family: Does not comply due to income ”and“ Framework Agreement Resolver ”. In the "Person" section the personal data, economic activity and taxation are detailed. It also contains subsections related to digital images (ID and signature), alerts ("Edition framework contract Resolve ”), Commercial consents (Data processing Not supported, telemarketing advertising Yes, electronic media advertising Yes, postal advertising If it admits, publicity contact manager If it admits, transfer of data "Authorization / revocation treatments through the edition of the framework contract… ”), consent history (“ Last movement 10/16/2019 ”), Right of access, revocation, rectification ... (without annotations). In the “Documents” section you access the “Contract clauses LOPD” of 01/24/2018. At In the “Digitization” subsection, the boxes Open Line, Office, Cashiers and Telemarketing. SIXTH: On 01/07/2020, the Agency's Inspection Services access the web caixabank.es, to the "Privacy" section, and the document called "Processing of personal data based on legitimate interest" . He The full content of this document is reproduced in Annex VI. SEVENTH: On 12/26/2019, the Subdirectorate General for Data Inspection Access the CAIXABANK website (“caixabank.es”) and obtain available information on the entity. In the "corporate information" that appears in the "Who we are" section of said website declares itself "leader in Iberian retail banking", with 15.7 million customers, 37,440 employees, a 29.3% penetration share of individuals in Spain and € 386,622 million of total assets. Financial information is also obtained, of which it is worth highlighting that relating to the Income Statement, which "as of 09/30/2019" reflects an "Operating Margin" of 2,035 millions of euros. According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" amounts to 5,981,438,031.00 euros. EIGHTH: On 01/21/2020 , the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against the CAIXABANK entity, in accordance with provided for in article 58.2 of the RGPD, for the alleged violation of articles 13 and 14 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation; for the alleged violation of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 17 17/177 Article 6 of the RGPD, typified in Article 83.5.a) of the aforementioned Regulation; and for the alleged violation of article 22 of the RGPD, typified in article 83.5.b) of the RGPD; determining that the penalty that may correspond would amount to a total of 6,500,000.00 euros (2,000,000, 4,000,000.00 and 500,000 euros, respectively), without prejudice to the results of The instruction. The actions outlined in the Background of this act are intended to analyze the information offered in general by CAIXABANK on the subject of protection of personal data, through all the channels used by the entity ("Framework Agreement" and the "Consent Agreement" - "Revocation authorization for the processing of personal data for commercial purposes by CaixaBank, SA and CaixaBank group companies ”- , the“ Privacy Policy ”accessible through the website of the entity and the information offered in relation to personal data from social networks and aggregation service); the different processing of personal data carried out by the entity according to the information offered, in relation to clients or people who maintain any other relationship with it, including the analysis of the mechanisms employees to obtain the consent of the interested parties; just like him compliance by the aforementioned entity of the rest of the principles related to the treatment established in article 5 of the RGPD. The reasons that support the indicated allegations are, briefly, the following: a) Infringement of articles 13 and 14 of the RGPD: . The information offered in the different documents and channels is not uniform. . Use of imprecise terminology to define the privacy policy. . Insufficient information on the category of personal data that will be submitted to treatment. . Breach of the obligation to report on the purpose of the treatment and legal basis that legitimizes it, especially in relation to the processing of personal data based in the legitimate interest. . Insufficient information on the type of profiles to be made, the uses specific to which they are going to be used. . The information provided on the exercise of rights, possibility of claiming before the Spanish Agency for Data Protection, existence of a Data Protection Delegate and your contact information, as well as that relating to the data retention periods is not uniform. b) Violation of article 6 of the RGPD: . Insufficient justification of the legal basis for the processing of personal data, especially in relation to those based on legitimate interest. . Non-compliance with the requirements established for the provision of a valid consent, as a manifestation of specific will, unequivocal and informed. . Deficiencies in the processes enabled to obtain the consent of the clients for the processing of their personal data. . Illegal transfer of personal data to companies of the CaixaBank Group. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 18 18/177 c) b) Violation of article 22 of the RGPD: invalidity of the consent given by the clients for the data processing regulated in this article. Likewise, for the purposes provided for in article 58.2.d) of the RGPD, in said agreement of At the beginning, it was warned that the imputed infractions, if confirmed, may lead to the imposition on the CAIXABANK entity of the obligation to adopt the necessary measures to adapt to the personal data protection regulations the processing operations that performs, the information offered to its clients and the procedure by which they give their consent for the collection and processing of their personal data, with the scope expressed in the Basis of Law of the repeated agreement and without prejudice to the resulting from the instruction. NINTH: Once the aforementioned initiation agreement was notified, CAIXABANK presented a brief of allegations in which you request that the non-existence of infringement be declared and, alternatively, the cancellation of the procedure for expiration and prescription described in the fifth claim; or, in your defect, the warning or the imposition of the amount of the sanction is agreed corresponding in its minimal degree. In summary, the aforementioned entity bases its request on the following considerations: 1. The opening agreement does not correctly reflect the procedures followed by the entity to inform and request the consent of its clients. a) On this previous question, he makes two initial clarifications, to clarify, on the one hand, that their allegations are simultaneously referred to the face-to-face and registration processes online, unless expressly indicated otherwise, that they follow the same operation in regarding the information offered and the collection of consents, one through the device the client and another through the Tablet that the office makes available to the client, who operates freely using this tool. It also notes that CAIXABANK and the CaixaBank Group operate under the same concept brand, being that entity the backbone of the Group, so that the client interacts with all entities through the different CAIXABANK channels, such as marketer of all products, as explained in the corporate information that It is offered on the web, in the section "Who are we?" . This scheme is transferred to the various facets of data processing, including management of the consents for treatments with commercial purposes, which is carried out in a centralized. Understand that it would not be operational to manage consents separately for treatments to be carried out jointly in the context of the Group activities for the same purpose with the same means, in relation to data from the that the Group entities are jointly responsible. (…) It is also a regulatory need required by the European Central Bank (...) and It is also necessary to comply with legal obligations that must be supported by the of the Group to manage customer information in a coordinated manner, established in regulations such as the Sustainable Economy Law, Consumer Credit Contracts or Prevention of Money Laundering and the financing of Terrorism. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 19 19/177 As a consequence of the adoption of this "common repository" model, which was analyzed In an Impact Assessment, several measures were implemented. Between them: . Inform the interested parties that consent was granted at the Group level, to all effects, so that if it is not lent to an entity, none of them could treat the data; . Centralized management of data protection rights, being possible to exercise them before one or all entities, justified by the sectoral regulations that require fraud prevention, money laundering and risk control; . Revocation of consent also at Group level (withdrawal of consent to a treatment for commercial purposes to an entity also means it for the rest). b) About the client registration process, information and decisions about the treatment of personal data, highlights that this decision is free for the client and is not predefined. This information / decision phase in the office is articulated through an interview between the employee and client, with content that must necessarily be addressed and which is formalized with the signing of the "Framework Contract", the first version of which with references to the RGPD is from June 2018 and not November. During the interview, after collecting the data identification, fiscal, regulatory and economic client, they are consulted about their preferences and you are asked to mark them yourself on the tablet provided, in which you can read and analyze the information provided for as long as you consider necessary, and can make inquiries to the employee, who has been trained to do so. The result of this is incorporated into a file in pdf format that the system generates in a individualized and unique for each client, which includes in its initial part their declarations regarding the processing of your personal data. Taking into account that this document already contains the particularities and preferences of the client, does not include selection boxes, which should not lead to the mistake of thinking that said "Framework Contract" does not allow the client to choose how your personal data will be processed. In fact, technically, the contract cannot be generated without the client having spoken one way or another. In addition, the interested party You can review the copy of the contract displayed on the Tablet, check that it includes your authorizations or consents, request its modification and sign it once you agree with what is reflected in it. During this process of obtaining the consents, the client is informed about his meaning clearly, simply and transparently, you can ask the employee questions and examine the own version of the "Framework Contract". For online registration, the operation is essentially the same. In this case, the client marks the boxes on your device, after reading the meaning of your choices in windows information that the system forces you to open, as found in the inspection of 11/28/2019; You can also review the document and sign it if you agree, or delete it otherwise. In addition, although the "Framework Contract" is the main axis of the relationship with the client, it has additional information in the "Privacy Policy", in a language adapted to the environment, simpler and more friendly; as well as in the specific contracts of the products or services that you contract. These specific contracts incorporate conditions specific or particularities that the new product or service entails, but there are on the basis of the "Framework Contract", which they complement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 20 20/177 In the specific cases of social media and aggregation contracts, to which the agreement to open the procedure, indicates that they are not representative, due to the scarce number of clients who have requested them. This merely complementary character explains that the information is reduced, since it is about clients who were informed in under the "Framework Agreement". Regarding the social media contract, it warns that the Access to the service has been suspended for months and as of the date of the brief of allegations it is not accessible. In relation to the foregoing, CAIXABANK provides circulars and internal regulations regarding the data protection information and provision of consent, as well as some examples of employee training on this subject and the particular client registration processes, which is updated and complemented by circular. It provides two documents with the labels “Rule 47: Confidentiality and data treatment of a personal nature ” and “ Rule 122: Prevention of money laundering and financing terrorism ” , as well as some circulars; all of them aimed at employees of the entity. The first of the cited documents includes, among others, sections on the RGPD, obligations and principles of treatment, exercise of rights, purposes and communications of data. We highlight the following aspects: (…) Provide two circulars, dated 11/26/2019 "The client will complete the treatment of their personal data ” and 07/17/2019 “ Solve your doubts about the questions of the Framework Contract. These are some of the answers to the questions of the Framework Contract ” . (…) It also provides a document labeled "The General Regulations for the Protection of Data ” , also aimed at employees. This document explains basic lines of the regulations and different assumptions are made to employees in this matter. Finally, in relation to the issues mentioned in this section, it accompanies printing of screens corresponding to the personal area of a client, to justify that in it does not include the link to "My social network data . " c) The consent contract is used to document the modification of the consents outside the registration process. In this case the signature by the client is not required of the "Framework Contract", which is designed to be signed only once, with exceptions. Only texts related to the circumstances for which the request is requested are presented. consent or that you want to modify or revoke. It is a unique and clear document focused on what the client wants to change. d) As a conclusion to what is indicated in this point, CAIXABANK reiterates that the various documents you have to regulate the processing of personal data are used in different moments and scenarios, and not simultaneously. Customer experience is the to receive a single document; contrary to the image of disorganization and confusion that the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 21 21/177 AEPD seems to have. 2. CAIXABANK has informed the interested parties in the terms provided in articles 13 and 14 of the RGPD. a) It alleges that it complies with the provisions of article 13 of the RGPD, both in content and in shape, according to the procedure you described. The procedure is direct and simple, no responds to the confusing image reflected in the Startup Agreement, offers complete information and separately, step by step and intuitively. On the other hand, the information offered in the "Framework Contract" details the identity of the responsible, contact details of the DPD, purposes of the treatment and legal basis, treatments based on legitimate interest, retention periods, rights, revocation of the consent, possibility of filing a claim with the AEPD, communications of data, existence of automated decisions, and includes a link to the "Policy of Privacy". Regarding the rest of the documents ("Privacy Policy", product and service contracts and "Consent Agreement"), CAIXABANK points out that, considering that the "Agreement Marco ”informs about the extremes required by the RGPD, it is not necessary that they return to reproduce them. These other documents are not intended to comply with the provisions of the article 13 of said Regulation, since they are directed to already informed clients. b) CAIXABANK does not carry out, within the framework of those established in the “Framework Contract”, treatments that involve decisions based solely on automated processing, including profiling. The alleged entity refers to the classification made by the Article 29 Working Group, made up of the European Data Protection Committee, in the Guidelines on automated individual decisions and profiling for the purposes of the RGPD, which distinguishes the following ways of using profiling (WP251 Guidelines): “There are three possible ways to create profiles: i) General profiling; i) decisions based on profiling; ii) decisions based solely on automated processing, including the preparation of profiles, which produce legal effects on the interested party or significantly affect him in similarly (Article 22 (1)). The difference between ii) and iii) is best seen with the following examples where a person requests a loan through the internet: . the case in which a human being decides whether to approve a loan based on an elaborate profile Only through automated processing corresponds to option ii); . the case where an algorithm decides whether the loan should be approved and the decision is carried over automatically to the person in question, without any prior and meaningful evaluation by a being human, corresponds to option iii) ” . CAIXABANK simply prepares general profiles (option i) and makes decisions based on profiles (option ii) from those listed in the Guidelines. Therefore, article 22 is not applicable of the RGPD and neither the duty of information included in article 13.2 f) of the same text C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 22 22/177 legal. Even so, CAIXABANK voluntarily and adequately informs the interested parties of the extremes provided in the last cited article in compliance with the recommendations established in those Guidelines, which determine: “Although the automated decision and profiling do not meet the definition of article 22, section 1, it is still advisable to provide such information. In any case, the person responsible of the treatment must offer enough information to the interested party so that the treatment is fair and comply with the rest of the information requirements of articles 13 and 14 ”. Consequently, although it is not obliged to do so, for transparency and voluntarily, informs of all the points provided for in article 13.2 f) and 22 of the RGPD: . Clause 8 of the “Framework Contract” informs the interested parties of their right to obtain human intervention in the treatments, to express their point of view, to obtain a explanation of the decision made based on the automated processing and to challenge said decision; that is, it is reported in line with the provisions of article 22.3 of the RGPD, despite if not necessary. . In line with the provisions of article 13.2 f), it is reported on the existence of profiling, the importance of the treatment (very minor as it is based on consent) and the consequence for the interested party ( “If I authorize it, the offers that are sent to me will be adapted to my profile ” ). . Regarding the applied logic, CAIXABANK's actions are consistent with the recommendations of the AEPD published in the "Guide to Adaptation to the RGPD of treatments that incorporate artificial intelligence. An introduction". He states that CAIXABANK agrees in which “to comply with this obligation by offering a technical reference to the implementation of algorithm can be opaque, confusing, and even lead to fatigue ” . Therefore, it facilitates Clause 8 (i) of the “Framework Contract” a description of the different operations that lead to carried out and that "allows to understand the behavior of the treatment" . . It considers that the obligation to inform about the right of opposition is not applicable, for how much decisions are not made based solely on automated processing. Add that, however, in different places it warns that the interested party can withdraw their consent and informs in a generic way about the right of opposition in the section which deals with data protection rights. c) It informs about the content provided for in article 14 of the RGPD, despite the fact that the Agency consider that this requirement is significantly breached in relation to the data "Supplemented and enriched" by data obtained from other sources. It points out that, as it already explained in file E / 01475/2018, that CAIXABANK considers expired, it only complemented data with databases that at that time were not subject to the LOPD, obtained from companies that provide commercial information, sources public and with statistical and socioeconomic data. (…) Currently, the sources and categories of data are reported in Clause 8 of the "Framework Contract", although the entity is working to update its clauses informative and gain even more transparency at this point. In addition, it is reported that the collection of data from third parties will be carried out verifying that meet the established requirements, which is guaranteed through the Evaluation process impact, recently shared with the Agency. The application of that protocol guarantees that any hypothetical database acquisition involves measures to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 23 23/177 inform their holders. d) the statements about the vagueness and lack of clarity of the information made by the Agency are subjective and constitutes a mere opinion without foundation and without proof that determines that lack of clarity of the terms used or that shows what understand or not the clients, which cannot be extrapolated to the generality of interested parties and it can be taken as a criterion of what constitutes comprehensible information or not. On the contrary, CAIXABANK does periodic tests with users and specialists to ensure that your registration processes are simple and transparent, from which arise initiative that are put into production. In 2018, it commissioned the external entity specialized in linguistics a review of different contractual documents in order to verify what could be understood without difficulty for an average customer profile. One of these documents analyzed was the "Framework Contract", on which they raised doubts and suggested modifications minors, concluding that the text was understandable by the average client (cites an example referred to information on the transfer of data to third parties, in which the aforementioned company reduced the original format without changing the sense of the text). These works are suspended until the impact of this procedure can be evaluated. Another element that has not been considered is the low volume of claims (two cases). e) On the other hand, the AEPD criticizes the lack of uniformity between the different documents of CAIXABANK, in relation to the rights of the interested parties, the possibility of claiming before the Agency, the retention period, the contact details of the DPO. However, understand CAIXABANK that the duty of information is fulfilled with the "Framework Contract" and not with the rest of documents, which are merely complementary. They are not uniform because they pursue specific purposes and differences occur while documents are being updated in question. f) Regarding the lack of motivation for the six-month retention period after the termination of the contractual relationship, states that it is a self-imposed measure to protect your customers. Consider that consent for commercial purposes it could have been configured as valid until its revocation, unlike the data processing based on the contractual relationship, at the end of which the provisions of articles 17 RGPD and 32 LOPDGDD. In the treatments based on consent, the The rules of these articles would operate with their revocation, not based on the passage of time. It also points out that the GT29 Transparency Guidelines and the AEPD Guide do not indicate or recommend informing about the reasons that motivate a retention period. Finally, it states that the difference in term (6 months in some cases and 12 in others) is motivated because each client has a contract, which means that for each client there is a single retention period. While admitting that the situation is undesirable and reports that it is in the process of unification. g) Regarding the aggregation contract, inform that it has been updated. Consider correct the indication on the impossibility of offering the service in case of withdrawal of the consent, since in that case the object of the contract would be frustrated, which consists of, precisely, in accessing data from other accounts. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 24 24/177 In addition, it is the client who chooses the sources from which information is obtained when selecting the accounts you want to add and is informed about the categories of data obtained, which are those included in those accounts. It does not share the indication contained in the opening agreement on the meaning given by the Agency to collect the information that this service entails and highlights that it is subject to regulatory rules, specifically, article 39 of Royal Decree-Law 19/2018, according to which the service provider will not use, store or access any data for purposes other than the provision of the service and in accordance with the rules of protection of data. The use of the data for commercial purposes will only be carried out if the interested party has said use is consented, as provided in the "Framework Agreement". CAIXABANK understands that the novelty of the service seems to have confused the Agency, when the mechanism is exactly the same as a checking account (the data that is generated in the account statement are used for commercial purposes if the client authorizes it). The following is indicated in the new Contract model that accompanies: (…) 3. CAIXABANK requests and obtains free, informed, specific and unequivocal consent interested parties. Legitimate interest. a) At present, consent is requested with full transparency, according to the procedure described above, for four purposes: . Profiling activities: this consent and operations are clearly reported that are carried out for this purpose, with the motivation of being transparent in relation to with what it involves profiling. . Commercial offer: receive advertising and commercial offers, with the option to mark the channel to through which you want to receive offers. . Assignment to third parties: consider that this purpose is self-explanatory and warns that it has not carried out any assignment. . Use of biometric data to verify identity and sign: this is a clause dynamic. It alleges that the clause on data processing referred to by the Agency, included in the version of the contract signed on 11/06/2019 corresponds to the face-to-face channel, while the template provided focused on the online channel. b) The three consents that are collected for commercial purposes (profiling, sending commercial communications and data transfer) are independent and freely provided by the interested party through an affirmative act that reflects a free, specific will, informed and unequivocal. Consent is free because it can be chosen whether it is given or not, it is presented in a part differentiated and given the opportunity to analyze and tick the corresponding boxes for themselves itself, having established an equally easy procedure to remove it; is specific because it is granted for well defined and delimited purposes; is unequivocal, considering the act of deliberately checking the box by which you consent to the treatment with stated purposes; and is informed because all sufficient information has been provided according to the Guidelines on the consent of the Working Group of Article 29 and the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 25 25/177 Recital 42 of the RGPD. c) Regarding the information provided regarding consents, CAIXABANK considers that the AEPD states that customers are not aware of the fact that they give their consent and the extent to which they do so without justifying this claim and without any proof, and nor does it prove that any of the elements that make up the information are missing. In any case, for clarification purposes, it should be noted that there are treatments on which informs in the "Framework Contract" that they have not been carried out in practice (the most the one related to transfers to third parties, already mentioned) and that, therefore, cannot be considered to appreciate any infraction. Profiling operations include treatments as a result of that the clause was drawn up in 2016, when there were no clear criteria on the interpretation of the RGPD, when the truth is that some of the treatments become legal obligations (fraud control and risk management) or are necessary for the contractual relationship (monitoring of the relationship or adoption of recovery measures). The information can be improved by explaining what “profiling” consists of, but this does not invalidate The consent. In fact, by suppressing some of the information, it becomes even clearer that authorization is only requested for profiling. Details the following example of a reduced clause: (…) There has not been a lack of information, but, in any case, an excess of information, but there are no hidden treatments in disguise. It is intended, simply, to explain what it is "Profiling" for commercial purposes. Therefore, in relation to this clause, no additional boxes are required to collect other authorizations. The fact that some information can be improved should not carry a sanction, but perhaps the warning for the implementation of certain changes. In view of these possible improvements, CAIXABANK is in a self-evaluation process to improve their texts and clarify their purposes and legal bases, as well as to eliminate treatments that they are not carried out. And you are planning a personalized communication process to totality of clients in which the consents granted are remembered and explained in new their meaning through a debugged and improved clause. d) Also in relation to profiling operations, CAIXABANK refers to the grouping of consents discussed by the Agency. Indicates that you have designed your consents for the four indicated purposes, describing the different operations of treatments for each purpose, without seeking a block consent that covers a purpose that surprises the customer. What the entity intends, he indicates, is to facilitate its understanding and detail, in accordance with the provisions of Recital 32 of the RGPD ( “Consent must be given for all treatment activities carried out with the same or the same purposes ” ); as well as what is indicated by the Agency in point 2.4.1 of the Frequent Consultations (FAQS) and in the “Report on privacy policies on the Internet, adaptation to the RGPD ” (page 4). If Clause 8 (i) of the “Framework Contract” is analyzed, taking carried out the purifications that have been indicated before, it is observed that the operations that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 26 26/177 indicate are nuances of the same profile. e) CAIXABANK is the CaixaBank Group. The way in which this Group has been articulated it responds to regulatory reasons, as indicated above. The entities that comprise it, since the entry into force of the RGPD have had a luck of shared responsibility for the data that is collected and processed in the context of its activities. Thus, it would be absurd to request different consents for treatments that are to be carried out jointly in the context of the Group's activities for a same purpose and with the same means, in relation to data from which all entities of the Group are responsible. The opposite would suppose a greater risk for the interested parties that they would lose real control over them. Given shared responsibility, it makes no sense to request a separate consent for the "transfer of data" to other entities that, for regulatory, strategic and operatives are equally responsible. There is no purpose of its own in the assignment, as it is all direct and joint responsible entities. Therefore, consent is joint and by purpose. Instead of confusing with strange constructions, the customer is asked a question Simple: whether or not you want the Group to process your data for commercial purposes. The interested party is free to accept it or not. This option of "all or none" does not limit the ability to decide of the client. It is simply a consequence of the corporate structure of the Group and its regulatory obligations. f) In relation to the processing of data for commercial purposes based on interest legitimate, CAIXABANK clarifies the operation that follows since the application of RGPD in May 2018, (…) the data of those clients who have not consented to the processing of their data for commercial purposes, or has revoked the consent previously given to neither are they treated based on legitimate interest. For clients prior to that date, distinguish between those who signed the "Framework Agreement" or the of consents, (...) and those who were asked and have not answered, which are the only customers whose data is used based on legitimate interest (until the customer signs the contract). Thus, treatment based on legitimate interest is reduced to marginal cases, such as a temporary situation. In addition, it prepared an impact assessment and decided not to send the "Consent Agreement" to those pre-RGPD clients who, without having signed the "Framework Contract", they had already expressed "No." It adds that the statements made by the AEPD are not true. On this, he points out that he has carried out an impact evaluation on all the treatments carried out on this basis legitimizing and, within that evaluation, has made the weighing judgment between the interest legitimacy of the entity and the rights of the interested parties; secondly, it clarifies that described policy avoids that treatments can be carried out based on the legitimate interest that had been denied by the owner of the data. It equates the revocation of consent to opposition to the treatment for those cases in which CAIXABANK can carry out treatments based on their legitimate interest (such as, for example, the AEPD analyzes and assesses Report 195/2017, and as reported in clause 7 and on its website (see Fact C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 27 27/177 Fifth of the Initiation Agreement). In the aforementioned Report of Legitimate Interest of the Minutes of the CAIXABANK Privacy Committee, of 05/15/2018, it is indicated: (…) g) Regarding the consents for the purposes indicated in the Aggregation Contract and the Terms of Social Networks, warns that in these additional documents the consent, but no new one is obtained; consent is given in the "Contract Framework". This fact has been confused by the AEPD, when it understands that these contracts give separate consent 4. Consent is requested for profiling for commercial purposes; and not for adoption of automated decisions, which do not occur in this context. According to CAIXABANK, the alleged violation of article 22 of the RGPD is based on an assumption erroneous, as it does not adopt automated decisions for commercial purposes that produce significant legal effects on the holders of the data based on the execution of automated treatments. Simply build general profiles and make decisions based on profiles (option (i) and (ii) of the WP251 Guidelines). In this regard, it refers to the allegations already made regarding the duty of information and the validity of the consent granted and alleges that the Agency has not even proven that CAIXABANK is effectively carrying out these treatments. 5. In the alternative, CAIXABANK alleges the nullity of the Initiation Agreement due to the expiration of the previous actions number E / 01475/2018 and because it sanctions infractions that would be prescribed in accordance with the LOPD. The AEPD makes use of previous actions started in January 2018 that were archived for expiration, which are incorporated into new ones through a simple "Chain" that turns the actions of the AEPD into perennial, contrary to what pursued by article 122 of the Development Regulation of the LOPD, approved by Real Decree 1720/2007. These actions number E / 01475/2018 began in January 2018, as a result of a complaint, and were filed for expiration on February 1, 2019. However, when the preliminary investigation actions indicated with number E / 01481/2019 were initiated, that led to the agreement to initiate this sanctioning procedure, one of the The first actions were to integrate the aforementioned expired actions. This action leaves It is clear that what is sought with this procedure is to prosecute and resolve those facts past events that gave rise to expired proceedings, which were artificially prolonged up to two years, almost doubling the twelve-month limit indicated in the RLOPD. Furthermore, the facts analyzed in the previous E / 01475/2018, if they were infractions, would have prescribed in the terms provided in the LOPD applicable in January 2018. This would be the case of the infractions considered minor under the LOPD. This conduct constitutes a fraud of law (article 6.4 of the Civil Code), as the AEPD shields itself C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 28 28/177 in an apparently legal action to achieve a result prohibited by law legal; it is contrary to article 95.3 LPAC; and entails the nullity of the initiation agreement and the procedure, proceeding its file. 6. Also in a subsidiary way, it requests that a penalty of warning be imposed or, not consider said request, which is sanctioned within the scale provided for in sections fourth and fifth of article 83 of the RGPD. a) It considers the following graduation criteria applicable as mitigating factors: . The measures taken by the person in charge (article 83.2.c) of the RGPD): CAIXABANK has made a significant effort over the last few years, especially since the entry into force of the RGPD, to provide its customers with relevant information, including providing the intervention of third parties to verify the adequacy of the legal texts. East effort is evident with the implementation of the measures recommended by FACUA (provides a copy of emails related to the actions carried out to address the recommendations of this entity) and for the actions it has planned to strengthen the information, which includes the preparation of a new version of the "Framework Contract" and the sending its clients a communication to remember the consents granted and their meaning, as well as the possibility to revoke or modify them; in a clear will to repair any focusing errors that may have occurred. . The degree of cooperation with the supervisory authority in order to remedy the situation and mitigate possible adverse effects (article 83.2.f) of the RGPD). CAIXABANK has shown its willingness to collaborate and the implementation of measures aimed at solving possible shortcomings, indicated in the brief of allegations itself. Indicates as sample of this provision the attention paid by the DPD to the claim made by FACUA and the information provided about said action to the AEPD. b) The AEPD omits the aforementioned criteria and refers to a series of criteria that lists, without any motivation or justification and without specifying if they are applied as aggravating factors or mitigating, which generates defenselessness to the entity. CAIXABANK states that, due to disproportionate sanctions, understands that the aforementioned criteria are interpreted by the AEPD as aggravating factors. This entity considers that the following criteria collide with the reality: . The nature, severity and duration of the infringement (article 83.2.a) of the RGPD). Considers that the AEPD intends to impose a high penalty for issues that are not a especially serious, considering that we are not facing an assumption in which there is no provided no information, but all information is provided, although the AEPD considers that some aspect can be improved; special categories of data. To date, cases of absolute lack of information have been sanctioned with warning (PS / 00224/2019 or PS / 00041/2019), having imposed the highest sanction, for an amount of 250,000 euros, for a much more serious case (PS / 00326/2018). The disproportion in this case is ostentatious. In addition, it highlights that under the old LOPD and the LOPDGDD, for prescription purposes, the infraction for lack of information is considered as minor. However, the proposed sanction in the start-up agreement, it exceeds the previous sanctions imposed, and is radical compared to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 29 29/177 new attitude adopted in recent times to try to find a collaborative solution with the entities that were willing and to resort to the warning. On the other hand, it highlights that there are only two claims, that no damage has been caused to clients given that the personal data processing carried out is as necessary for the development of the activity and are carried out in accordance with the requirements demanded by the normative, even when some aspect can be improved. This lack of prejudice is highlighted by the Article 29 Working Group in its Guidelines on the application and setting administrative fines (WP253), assumed by the European Committee for the Protection of Data. Neither did the complainant challenge the filing of his complaint, which he could have done; and not there have been other complaints or legal actions. That is, no damage has occurred. . Contrary to the Agency's assessment, it considers that the criterion regarding the intentionality or negligence appreciated in the commission of the infraction (article 83.2.b) of the RGPD) should be appreciated as a mitigating factor for the diligent action of the entity, the establishment of clear procedures regarding the information and provision of consents, the training given to the employees and the collaboration shown with the Agency, adapting and perfecting your texts. . If the commission of any infringement is appreciated, CAIXABANK has not obtained any benefit financial statement (article 83.2.k) of the RGPD), while it would mean, instead, damage reputational. It does not monetize the personal data of its customers, nor as a sale for commercial or for other actions. The CaixaBank Group experienced volume growth in the first nine months of 2019 business (+ 4.4%), reaching 609,012 million euros, which is due "to the boost commercial and the improvement of the relationship ” of customers (as indicated in the note of attached press, published on 10/31/2019 under the title “CaixaBank obtains a profit of 1,266 million and reached 6,201 million in income ” ). . The Agency includes among the concurrent graduation criteria the high volume of data and treatments, among which transfers to third parties stand out. However, these Assignments do not occur or have been proven in any way. . Personal data of special sensitivity is not processed, which should be appreciated as a extenuating. . It is also stated in the initiation agreement that CAIXABANK has not implemented adequate procedures in the collection and processing of personal data, and that the Infringement is the consequence of a defect in the designed management system. In this regard, said entity alleges that the systematic and layered process of information and request for Consents is exemplary and gives the interested party greater control. Add that a possible Information defect cannot be understood as a system defect. . On the degree of responsibility of the person in charge, to which the Agency turns in relation to the violation of article 6 of the RGPD, indicates that the measures taken during the last years have been aimed at promoting transparency and compliance with the principles of data protection, as a reflection of the principle of proactive responsibility and privacy C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 30 30/177 from design and default. Therefore, this criterion must be interpreted as mitigating. As a conclusion, it highlights that diligent and proactive collaboration must be taken into account, the measures adopted to alleviate possible information errors, the lack of intentionality and that the possible infringement would be about information matters that do not have a special gravity; and based on this, according to the position taken by the AEPD, it would proceed a warning sanction or, if not appreciated, a sanction within the scale provided for in the fourth and fifth sections of article 83 of the RGPD. As a test proposal, it indicates that it intends to use the documentary that already appears in the files of previous actions E / 01475/2018, E / 03677/2019 and E / 01481/2019, as well as the documentation provided with your brief of allegations. TENTH: On 07/02/2020 the opening of the testing period was agreed. The writing sent on that date to CAIXABANK, through its representation, was rejected, as stated in the certificate issued by the Electronic Notifications Service and Enabled Electronic Address. By letter of 07/16/2020, notified a day later, said communication to CAIXABANK, informing said entity that it is considered evidentiary effects of the claim filed and its attached documentation, as well as the documents and statements obtained by the Subdirectorate General for Data Inspection in relation to said claim in the information request process prior to admission to Procedure; as well as the documents obtained and generated by the Inspection Services. Likewise, the allegations to the initiation agreement formulated by CAIXABANK and the documentation that accompanies them. On the other hand, it was agreed to require the CAIXABANK entity so that within a period of ten business days provide the following information and / or documentation: "A) Copy of the record of all personal data processing activities carried out under the CAIXABANK's responsibility to which mention is made in the data collection form personal information called "Declaration of economic activity and data protection policy personal ”, in its initial version, together with any addition, modification or exclusion in the content of the same. b) Copy of the evaluation / s of the impact on the protection of personal data relative to any type of personal data processing operations carried out under the responsibility of CAIXABANK, of those mentioned in the form “Declaration of economic and political activity of protection of personal data ”, which pose a high risk to the rights and freedoms of the natural persons, in its initial version and, where appropriate, with details of the modifications or updates that may have been made. Likewise, if there has been a change in the risk represented by the processing operations and if deemed necessary, the result of the examination that CAIXABANK could have perform to determine if the treatment is in accordance with the impact assessment related to the data protection (article 35.11 of the RGPD). c) Copy of the documents in which the evaluation carried out by the CAIXABANK entity is recorded on the prevalence or not of the interests and fundamental rights of the interested parties over the CAIXABANK interests in relation to personal data processing operations C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 31 31/177 made under the responsibility of CAIXABANK, of those mentioned in the form "Declaration of economic activity and personal data protection policy ”, with which the satisfaction of legitimate interests pursued by the CAIXABANK entity itself or by a third party ”. In response to the request by CAIXABANK, the term granted was extended by five business days. On 08/07/2020, a response letter was received, which CAIXABANK accompanied the following documentation: 1. Register of personal data processing activities. (…) 2. Impact evaluations on the protection of personal data. (…) 3. Evaluation of the prevalence of the legitimate interest of CAIXABANK or third parties against the interests and fundamental rights of the interested parties. (…) ELEVENTH: On 11/24/2020, a resolution proposal was issued in the sense following: "1. That by the Director of the Spanish Data Protection Agency the entity is sanctioned CAIXABANK, SA, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for the purposes of prescription in article 74.a) of the LOPDGDD, with a fine for amount of 2,000,000 euros (two million euros). 2. That by the Director of the Spanish Agency for Data Protection the entity is sanctioned CAIXABANK, SA, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, with a fine amounting to 4,000,000 euros (four million euros). 3. That, due to lack of evidence, the non-existence of infringement in relation to the imputation is declared for a possible violation of the provisions of article 22 of the RGPD 4. That the Director of the Spanish Agency for Data Protection proceeds to impose on the entity CAIXABANK, SA, within the period to be determined, the adoption of the necessary measures to adapt the processing operations carried out to the personal data protection regulations, the information offered to its clients and the procedure by which they must provide their consent to the collection and processing of your personal data, with the scope expressed in the Legal Basis X ” of the proposed resolution. TWELFTH: Notified to the entity CAIXABANK the aforementioned resolution proposal, a written statement of allegations was received at this Agency, dated 12/18/2020, in which it requests the annulment of the sanctioning procedure due to (i) the flagrant defenselessness produced by that entity by violating its presumption of innocence, (ii) the bankruptcy of the principle of trust legitimate, (iii) defenselessness materialized in previous investigation activities without subject to any guarantee and (iv) the expiration of the sanctioning procedure. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 32 32/177 Alternatively, it requests the filing of the proceedings due to the absence of an infringement and, in its defect, that the warning or the imposition of the amount of the sanction is agreed corresponding in its minimal degree. Base your requests on the following considerations: - 1. Violation of article 24.2 of the Constitution, presumption of innocence. The presumption of innocence is broken if the person instructing the file or who is going to resolve it do not have the ability to assess such evidence impartially, without any kind of "Pre-trial" , or if they have formed their will before having all the elements in their sight evidentiary. In this case, the allegations at the opening of the procedure were presented on the date 03/04/2020. One day before, on 03/03/2020, without even having received the first allegations of CAIXABANK, in an act of ISMS Forum held in Madrid, the Director of the AEPD, highest authority of the institution and competent person to resolve this file and on which the instructor hierarchically depends, publicly stated that “We already have two or three high-impact sanctioning procedures that will have a great impact media in relation to the financial sector, will be the first quantitative fines important by the Agency ” . Not conditionally, but as something that necessarily is going to happen. In CAIXABANK's opinion, it is difficult to find a greater display of contempt for the presumption of innocence. He adds that this is stated in the summary of this intervention made by the prestigious publication The Law, Francis Lefebvre. Likewise, in a tweet from a person present at the event, stated that “Mar España announces that two sanctions will be made public shortly exemplary in the financial sector. A bombshell ” (provides screen impression relative this tweet). In this regard, CAIXABANK states in its allegations that “a sanction and the we know, that of BBVA. And, either we were wrong a lot, or the other is ours ” . Provides "notarial certificate of web verification" , which incorporates the information obtained through the link “Https: /elderecho.com/los-pensaron-la-aprobacion-la-entrada-vigor-del-rgpd-la- data-protection-would-decline-I'm-afraid-they-were-wrong ” . It corresponds to a review of the “XII Privacy Forum ” held on 03/03/2020, organized by ISM Forum and Data Privacy Institute (DPI). Includes a section on the intervention starring the Director of the AEPD, which includes the statements previously highlighted by CAIXABANK. Ex arts. 24.2, 103. 1 and 3 CE –and art. 6.1 of the ECHR-, any procedure should have been guided by objectivity and impartiality. As indicated by the ECHR (sic) “justice not only does it have to be applied, but it must also be apparent that it is administered ” (cf. Cubber v Belgium October 26, 1984) and “not only must justice be done, but what to do ” Delcourt Judgment of January 17, 1970. On the other hand, in this case, according to CAIXABANK, before knowing the allegations of the entity, the person who has to solve, far from keeping any semblance of justice, has already decided (publicly) to sanction. In accordance with article 12.2 i) of the Organic Statute of the AEPD (RD 428/1993 of March 26), The Director of the Agency has the function of “Initiating, promoting instruction and resolving disciplinary proceedings referring to those responsible for private files ” . Is the Director of the Agency who informs that instructor impulse and who will determine the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 33 33/177 forthcoming resolution. With this, there has been a flagrant violation of the fundamental right to presumption of innocence, which should lead to the immediate filing of this sanctioning file. - 2. Bankruptcy of legitimate expectations There has been a complete failure of the principle of legitimate expectations (article 3 of the Law 40/2015, of October 1, of the Legal Regime of the Public Sector -LRJSP) , interrelated with the principle of good faith and legal security. This principle implies that "the authority the public cannot adopt measures that are contrary to a reasonable hope induced on stability in the decisions of the former, and based on which the individuals have adopted certain decisions ” (STS 173/2020). In this case, CAIXABANK points out that the AEPD's assessments refer to a documentary structure that was expressly communicated to said Agency shortly after the publication of the GDPR. Specifically, by email dated 08/02/2016, addressed to the Deputy Director of the AEPD, in which all the points of the “Contract Framework". Said email was headed as follows "In accordance with what has been said, Attached is the contract that we intend to implement this fall. To make it more understandable, I accompany you a short explanation of its purpose and content " . Regarding this query, CAIXABANK states that the AEPD "answers by telephone (obviously we have no recording), making some minor suggestion (which is implemented), without there being a meeting (such possibility was expressly declined). That framework contract is practically the same (if anything worse) than the one it is today allegedly deserving of 6 million euros of sanction and, what is almost more serious, a threat of nullity of everything acted under it ” . A year later, also after a conversation, CAIXABANK sends to the same recipient a general presentation about the GDPR implementation and asks for a meeting again, which is again denied. On pages 11 and 12 of this presentation he again does reference to the "Framework Contract", with for example a very clear mention of the now reviled common repository of group companies. 4 and a half years, 2 detailed emails sent, 2 meetings denied and 14 million contacts with clients later, and completely unaware of the legitimate conviction of CAIXABANK to be acting correctly, a request is made for the nullity of all what has been done. CAIXABANK says: “We do not affirm here that everything we have done is OK, but could we have a "reasonable induced hope" that our way of was proceeding according to law? It seems difficult to say no . " This clear breakdown of legitimate expectations should lead to the filing of the file or, as At least, to reconsider the decision to declare the obtained consents null. Provide a copy of the emails to which this allegation refers, addressed by the signatory of the allegations to the proposed resolution to the Deputy Director of the AEPD and the answers from this. - 3. Violation of article 24 of the EC: defenselessness generated to CAIXABANK by the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 34 34/177 artificial and unlawful extension of the previous actions, also ignoring their expiration. a) The previous actions were not such: it was a sanctioning procedure without guarantees. CAIXABANK considers that the previous investigation actions supplanted the activity instructor, since they were used as a true sanctioning procedure (without guarantees), which constitutes a possible vice of misuse of power in the use of the mechanisms of instruction and generates helplessness. Considering the intended purpose with the initiation of preliminary investigation actions, CAIXABANK understands that the Administration is obliged to initiate the procedure the sanctioner as soon as he is certain of the commission of the facts and the identity of the responsible, even if it is not fully accredited (STS of 06/09/2006). Cites the STS of 12/26/2007 to state that these previous actions will only be deserving of such consideration to the extent that they “serve the purpose that justifies, that is, gathering the data and initial indications that serve to judge on the relevance of giving way to the sanctioning file, and do not distort themselves by transforming in a surreptitious alternative to the latter. " And the STS 06/09/2006, which has highlighted the need to safeguard the guarantees constitutional of the administered in cases like the one at hand: "As it results from this norm, prior information is not mandatory, having declared this Chamber in a judgment of November 6, 2000 that "if sufficient data is available to initiate the file, the Reserved information should not be practiced, because it is unnecessary and because the rights fundamental defense of art. 24.2 of the EC require that the granting not be delayed of the status of accused or prosecuted, thus avoiding the risk of using the delay to carry out interrogations in which the interviewee would find himself in a situation disadvantageous "." Well, the AEPD opened some previous proceedings that expired, some second, and later a disciplinary proceedings were initiated. The AEPD has taken 3 years to prepare a sanction already decided, with the formal support of previous actions (a first expired, which led to the opening of a second), without respecting any essential guarantee of the sanctioning procedure, such as reporting the imputation, remember the right not to testify against oneself, and a long etcetera, generating defenselessness in addition to the expiration of the file. Thus, the proposed resolution rests practically entirely on elements of charge collected during the preliminary proceedings phase. The only elements of charge contributed to the procedure during the investigation phase (impact evaluations, registration treatment and prevalence assessment activities), they have hardly been considered later, or it is a question of circumstances whose requirement was superfluous, since already they were held by the AEPD. In this case, CAIXABANK points out that, although the preliminary investigation actions were accommodate the requirements of competence and procedure that would enable their adoption, not they adhere to the purpose that they must cover according to the legislator's design. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 35 35/177 Given that the Proposed Resolution rests de facto, solely and exclusively, on the elements of conviction and evidence collected during the preliminary proceedings phase, the The impossibility of using these elements means that the Proposal lacks the elements necessary to enervate the presumption of innocence. b) In addition, it entailed the incorporation into the sanctioning file of actions from of some first previous expired actions. Article 95 of Law 39/2015, which expressly allows incorporating into a file administrative “the acts and procedures whose content would have remained the same had it not been expiration has occurred ” , it can hardly be applied to a sanctioning procedure. At case of a sanctioning procedure, the expiration becomes a guarantee of the defendant, who it cannot be in any way harmed by the inaction of the Administration. In addition, the use of previous actions without time limitation is not acceptable, beyond the prescription itself, which is the effect that would occur if it were allowed incorporate expired actions to a sanctioning file Regarding the block transfer of the expired file, refer to what was declared in STS of 02/24/2004: “We know that the expiration declaration does not prevent the opening of a new sanctioning procedure insofar as the hypothetical infraction that originated the initiation of the expired procedure has not prescribed ... And this implies: ... That it does not fit, on the other hand, that the actions of the first take effect in the new procedure, that is, the arisen and documented in it as a result of its initiation to verify the reality of what occurred, the person or persons responsible for it, the charge or charges attributable, or the content, scope or effects of liability, since then there would be no compliance to the legal mandate to file the proceedings of the expired procedure ” . Nor is it possible, according to CAIXABANK, to transfer the file en bloc from a procedure to other because between the two, given their different nature, there are very divergent principles that prevent what was acted on in the previous proceedings from going entirely to the file sanctioner or the previous actions that were really nothing more than the instruction of the sanctioning file. To these pseudo previous performances, actually true instruction of the sanctioning procedure, should not have arrived "the actions arising and documented in it as a result of its initiation to verify the reality of what happened, the person or persons responsible for it, the charge or charge attributable, or the content, scope or effects of liability ” something that, as has been proven, really yes it has been transferred through that very difficult justification catwalk. c) Additionally, this implies the expiration of the sanctioning file CAIXABANK considers that the previous actions have constituted an artificial way and undercover of carrying out investigative actions proper to the sanctioning procedure (cites the STS of 05.13.2019 (RC 2415/2016) and of 6.05.2015 (RC 3438/2012): “... this Room has declared that the period prior to the initiation agreement << ... has to be necessarily brief and not cover up an artificial way of performing acts of instruction and mask and reduce the duration of the subsequent file itself >> (judgment of May 6, 2015, Appeal 3438/2012, FJ 2º) ". Based on this, said entity understands that the time used to carry out these C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 36 36/177 Actions must be included in the calculation of the expiration period of the procedure. He dies to quo of this period coincides with the beginning of the preliminary investigation actions This being the case, the expiration period would have elapsed sufficiently, without, on the other hand, the AEPD has proceeded to the eventual declaration of expiration and "re-opening" of a new sanctioning procedure. Finally, it adds that, once the file has expired, the offense has prescribed. - 4. CAIXABANK has informed the interested parties in the terms provided in the Articles 13 and 14 of the RGPD and they have understood it. Before going into the merits of the matter, CAIXABANK clarifies that it does not maintain that its information was perfect, that there were no errors. In fact, thanks in part to experience of several years and, in part, to some of the statements made throughout the different documents emanating from the AEPD throughout the file, has carried out a exercise to improve your different documents. However, he understands that he does not want say that there has been any non-compliance: objectively there was all the information required in articles 13 and 14 RGPD and customers understood the information that I was facilitating. a) All the information required in articles 13 and 14 of the RGPD was provided. 39. The information on data protection that is provided to customers through the "Framework Contract" complies with the provisions of article 13 of the RGPD. It reports on the identity of the person in charge, contact details of the data protection officer, purposes of the treatment and legal basis (Clauses 7 and 8), treatments based on legitimate interest (Clause 7.3.5), recipients or categories of recipients of personal data (Clauses 7 and 8), conservation period (Clause 11.3), rights (Clause 9, as well as 7.3.5 regarding the opposition to treatments based on legitimate interest), right to revoke consent (Clause 8), right to file a claim before a control authority (Clause 9, which includes a link to the Agency's website), communications of personal data that is a legal or contractual requirement (Clauses 7 and 8). It also includes a link to the "Privacy Policy" (Clause 7.3.6). No automated decisions are made, so section 2.f) is not applicable. of article 13 of the RGPD. Likewise, CAIXABANK provides in any case the information required by art. 14 of the GDPR, on the categories of personal data and their source of origin (art. 14 d) and f). Specifically, in Clause 8 of the "Framework Contract" when informing about the possibility to enrich and complement the data of the signer with “data obtained from sources public, as well as by statistical, socioeconomic data (hereinafter, "Information Additional ”) always verifying that they meet the requirements established in the current regulations on data protection . b) Despite not being mandatory, the data categories are widely reported. Although article 13 of the RGPD and the corresponding article 11 of the LOPDGDD do not require provide interested parties with this information on a mandatory basis, CAIXABANK offers a Sufficiently descriptive list of the types of data that are treated based on the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 37 37/177 consent, in accordance with the provisions of the Guidelines 05/2020 on the consent in accordance with Regulation 2016/679 of the European Committee for the Protection of Data ("CEPD"). What the Agency cannot intend is to impose obligations that are not establishes the applicable regulations. If a detailed list of all the data were given specific personal that can be dealt with in this context, I would not be reporting categories of data processed, but on specific data, which would imply fatigue informative difficult to beat that has been sanctioned in the past (PS / 00082/2017). Likewise, it alleges that the information provided on the processing of data from movements, receipts, payroll, claims and claims, considering that it is about products and customer operations, who knows the information they include. It adds that this information does not include sensitive data and warns in this regard that the AEPD does not you can demand that you report what is not done, based on a suspicion. Even so, in the The new "Privacy Policy" is expressly indicated, when defining the data category observed of the operation of the contracted products, that no data of this nature . The Agency intends to apply to CAIXABANK information standards that the regulations does not foresee when it claims that the failure to report on the categories of personal data that are treated based on legitimate interest (which is not mandatory under the RGPD, nor is it mentions the CEPD in its guidelines) invalidates subsequent consents that may be request for commercial purposes. It is true, as indicated, that the information provided could be improved in relationship with its presentation, but in no case was it incomplete, so it is clearly disproportionate the very serious level of the reproach made in the Proposal of Resolution. In addition, the New Privacy Policy improves the exposure of the information, detailing in a specific section the specific categories of data and their breakdown, and subsequently referring to each of them in relation to the purpose in question. c) It is not at all proven by the instructor that the clients did not understand the information. The agency does not prove that the expressions are unclear, beyond the sentence very summary of the instructor that said lack of clarity is "evident and objective . " It is understandable that, if the person who is going to issue the resolution, and who is the regulatory authority in charge of promoting instruction (the Director of the AEPD), has already indicated publicly one year before the resolution will be sanctioning (we refer to the first allegation), the instructor understands that the evidentiary effort is unnecessary. But Obviously, said understanding supposes one (other), violation of the presumption of innocence. As indicated in the Transparency Guidelines transcribed in the resolution, the requirement that the information be "intelligible" means that "it must be understandable the average member of the target audience ” , and it does not appear in the file that the instructor have done some checking with average members of the target audience. d) This part provides evidence that customers fully understood (and understand): C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 38 38/177 surveys. Assuming a reversal of the burden of proof clearly infringing on our fundamental rights, has carried out a survey and a user test using a expert and independent company (provides a copy of the reports of this external company). (…) e) This part provides evidence that customers fully understood (and understand): reports from linguists. You have submitted the consent clauses to the analysis of a company specialized in linguistics and consultancy for communication, including legal information, having The work was directed by a Professor of the Spanish Language (...), an expert and advisor to communication. It can be seen in the reports provided (a copy is attached) that two clauses were analyzed different from the "Framework Contract) that with respect to the data processing clause the recommendations are minimal and less than those made regarding the other clause submitted to analysis, which does not concern us in this procedure. In conclusion, it is verified that an expert analysis considered that the text of the "Framework Agreement" relating to information on data protection was understandable by the CaixaBank's average customer, as opposed to the mere non-expert opinion of the AEPD. So continue calling such information "unclear" would be nothing short of reckless. In addition, CAIXABANK highlights that it has not received any claim for lack of information, except for the two that serve as the basis of this resolution (among millions of clients), who also do not state that they do not understand the texts presented to them. The aforementioned would be unnecessary to understand the accusation rejected. However, succinct comments are made to each of the specific blemishes that are made. f) It is not true that non-uniform information is offered to customers. The information on data protection that has been working in the various documents provided to customers has not always been completely uniform due to only to the process of updating such documents, being in any case something temporal and consequence of the time intervals that an entity such as CAIXABANK required for such updates. In this regard, a copy of a "Framework Agreement" dated 06/08/2018 is attached, as proof that this document was adapted to the RGPD and that the one included in Annex I, as version from November 2018, it was actually implemented in June 2018. Finally, CAIXABANK points out that the resolution seems to show that all customers access all documents and, uniquely, that all clients have both the consent contract as the framework contract, and both in all their different versions, in a kind of documentary bombardment that produces confusion, which is simply false. The vast majority of clients (more than 95%) have signed the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 39 39/177 “Framework Contract”, in the current version in each case, and only a residual percentage has the "Consent Agreement", without this implying any loss of information or confusion. Obviously the privacy policy is common for everyone, but there is no no discrepancy between this and the other documents. In any case, in the indicated improvement process, an absolute honesty has been carried out of all the documents, as set forth in the Sixth Allegation and the documents contribute. g) It is not true that imprecise terminology is used with vague formulations, lack of specification of the personal categories of data processed, and lack of information on the purposes and confusion of legal bases. As for these three accusations, it is enough to point out what is credited with the surveys provided, which CAIXABANK considers sufficient to distort the assertions of the Resolution motion. He reiterates his surprise at the fact that it seems to the instructor that they are not enough descriptive of the data categories in which the mentions to movements are treated, receipts, payroll or claims. On this question, CAIXABANK raises whether the purpose is that the microdata obtained from each category of document, which would imply an information fatigue that is difficult to overcome. h) There is no undue transfer of data between group companies: there is joint responsibility. Both at the regulatory level (an area that the AEPD does not question) and at the commercial level, a transparent co-responsibility regime for interested parties. Without prejudice to improvement that at the level of transparency has been carried out in the New Privacy Policy, considers it essential to point out three elements that the AEPD seems to confuse and that lead to the erroneous conclusion that the alleged assignments within the Group are unlawful: i. The Agency interprets that there is a transfer of data between the companies of the Group CaixaBank from data controller to data controller. This is wrong. It does not occur, legally, any data transfer; but a direct collection of data by the companies in the field of co-responsibility. ii. The AEPD separates the non-existent transfer of data as a new and artificial purpose. In In no case is access by the CaixaBank Group companies constituted as a purpose in itself. The "assignees" (actually joint controllers) do not access the themselves arbitrarily, but for the true purposes of which the interested parties are informed (these are, for regulatory purposes, "commercial purposes" and when it is necessary for the execution of the contract, as the case may be). iii. The birth of co-responsibility does not derive from “intended purposes” but from the joint participation in the determination of the purposes and means of the treatment between the CaixaBank Group entities (led by CaixaBank). The AEPD does not deny the existence of co-responsibility, although it claims that it does not apply (especially in relation to “commercial” treatments) insofar as the attribution of responsibility is not detailed between the different companies. However, the AEPD errs again by forgetting that the place where these responsibilities should be attributed that the foreign agency is not the Policy of Privacy or the Framework Contract, but the joint responsibility contract in the terms provided for in the CEPD Guidelines 7/2020 (attached a copy of an agreement of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 40 40/177 co-responsibility, which includes an annex for each of the “treatments subject to co-responsibility and co-responsible ”; these annexes detail the treatments, their purpose and legitimizing basis, in addition to the data of the "co-responsible" companies. No annex appears signed by these entities). In conclusion, neither data transfers occur under the terms provided in the RGPD, nor the co-responsibility requires a separate consent (within the framework of the “purposes commercial ”) insofar as it is a factual situation (it is not something agreeable nor does it require a legal under article 6 RGPD to attend). In addition, the impact evaluation that the AEPD alleges in Foundation VI that CaixaBank did not contribute (…). i) There is no deficient information on legitimate interest. Compared to what is maintained by the AEPD, there is no confusion between treatments based on legitimate interest and consent, nor are they coincident. Can't give the situation where a treatment on which it has been said "no" under the legal basis of the consent, can be made based on legitimate interest, a circumstance that the AEPD does not has tried. In any case, the New Privacy Policy has proceeded to eliminate the treatment based on legitimate interest for commercial purposes that, as indicated in the answer to the Opening Agreement is a treatment that is not carried out, nor has it ever been carried out. On the other hand, the New Privacy Policy reconfigures the differences already analyzed in the Claims to the Initiation Agreement between the treatments based on legitimate interest and The consent. In section VI of the Proposed Resolution, the AEPD concludes that “it is not possible determine the suitability (…), necessity (…) and proportionality… ”of the treatments based on legitimate interest and that the intrusion on the privacy of the interested party may be high, the effects may have a negative impact on them. However, it does not provide any proof that the legitimate interest is not present, invalid or insufficient. Regarding additional measures or recommendations to reinforce the legitimate interest, it states CAIXABANK that its absence does not invalidate the legitimate interest. Neither the RGPD nor the LOPDGDD provide for the making available to the interested party of the impact assessments or the weighting of legitimate interest, or reinforced opposition mechanisms. j) There is no lack of information on profiling. The AEPD argues that complete information is not offered on the types of profiles, their use and the right of opposition of the interested party. However, in the "Framework Contract" the first of the purposes for which the Consent is described as “data analysis and study treatments for the purpose of commercial by CaixaBank and the Companies of the CaixaBank Group ” , and in the detail of this title, the concept is extended to the expression “analysis, study and monitoring for the offer and design of product adjusted to their customer profile ”. Next, in the clause that supports the collection of consent, processing operations that include this purpose, where information is provided on the creation of profiles: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 41 41/177 "A) Proactively carry out risk analysis and apply on their technical data statistics and customer segmentation with a triple purpose: 1) Study products or services that can be adjusted to your profile and business situation or specific credit, all to make commercial offers tailored to your needs and preferences. This information clearly spells out the purpose and, as demonstrated by the surveys provided, it is clearly understood by customers. It adds that in this same clause the error was made (corrected in the New Privacy), to list treatment operations that did not have to do with consent for profiling. And he lists those specific treatments that, in his opinion, can be covered by other legal basis (the list of the treatments to which this allegation refers consists of outlined in Law Foundation VII, in the section that examines the treatment of data based on the consent of the interested parties). He considers this error, which has been recognized and corrected, to be reprehensible, but does not break the principle of specificity of consent. Consent is only required to study products or services that can be adjusted to the profile and commercial or credit situation specific customers, to make commercial offers tailored to their needs and preferences and the rest of the clause, unfortunately superfluous, but it has no Consequently, different purposes are authorized en bloc. Finally, CAIXABANK has clarified and specified in the New Privacy Policy the treatments that involve profiling to prevent the concept from being misinterpreted by a "Common customer". k) There is no lack of information on the conservation periods and the exercise of rights. CAIXABANK refers to what is indicated in its allegations to the initiation agreement and adds that These aspects have been clarified and improved in the New Privacy Policy and in New Framework Contract. Regarding the conservation of personal data once the contractual relationship, he warns that it was not actually executed and that in the new policy the mention disappears, canceling the official data. - 5. There is a legal basis for the treatments and the consents are obtained from lawful manner. a) Consents meet all legally established requirements As detailed in the allegations to the initiation agreement, the consents comply all the requirements established by the RGPD as interpreted by the CEPD, without that the Agency has proven that they have not been obtained legally. On the contrary, content of the file itself shows that the consents obtained are free, specific, unequivocal and sufficiently informed. . Consents are free, since the client, at all times, has absolute freedom to grant them or not, without associated negative consequences, power imbalances, conditionalities or dissociation of the ends. There is no combination of different C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 42 42/177 purposes under the same consent that limits the freedom of choice of the owner. Thus three consents are requested and no commercial treatment is carried out based on the additional consent to these. . The consents are specific, since, in line with the disassociation requirement, separate and break down the only activities that are carried out under the consent, that is In other words, they are specifically and separately asked for the purposes that are intended (the data profiling to offer customers products that may be of interest to them; the choice of the communication channel of the offers; and the possibility of transferring the data to third parties). The AEPD interprets that there is a dissociation between the stated purposes and those on which the interested party pronounces. Given this, CAIXABANK reiterates that a large part of the treatments indicated in the revision documentation version are either not carried out, or are protected by another legal basis, or are simpler and more limited than the AEPD understands. As can be seen in the New Privacy Policy, the consent to profiling activities has been reduced to what is actually done under this consent, and the rest of the activities that are carried out have been informed in their respective and correct epigraphs (treatments in execution of a contractual relationship, or by legal obligation). In addition, it must be remembered that the Working Group of art. 29 in its document “Guidelines for consent under Regulation 2016/679 ”establishes that consent can cover different operations as long as these operations have the same purpose. At In the case of CaixaBank, there are only three purposes, and it is asked separately and specifically about them, without any deviation of use. Have made the mistake of including within the examples some treatment operations that should have been included in other treatments based on the execution of contracts or compliance with laws, such as, for example, the recovery actions inherent to credit contracts, not It undermines the specificity of the consent requested. . The consents are unequivocal, since the interested party must perform an affirmative act so that your consent is understood as granted. Consent is not based on acceptance of a policy or in a mere inaction, but a client is obtained manifestation, unequivocal positive or negative, corroborated in two steps (choice by marking the box and signature). . The consents are informed, and the reproaches regarding the validity of the information provided by the arguments and evidence provided in the fourth claim. The client receives all the legally required information and it has been proven empirically he understands it. The AEPD indicates that on the “Tablet Mode. Client ”there is no link to the information of Data Protection. In this sense, it only has to be clarified, again and as it was verified in person at the inspection, that after giving consents (or not), the client accesses the complete content of the contract text immediately. Before signing you are presented with the full text of the contract so that you can read and review it, so that you can not ratify your choice and "go back" technically. He is also presented at various times the consent scheme. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 43 43/177 Finally, it points out that the AEPD omits the analysis of the consent collection process in the non-face-to-face channel (online banking) that he reviewed in his face-to-face inspection dated November 28, 2019, in which it was demonstrated that the client must necessarily access to the information before giving consent, as already reiterated in the allegations to the opening of the procedure. b) It reiterates that there is no commercial treatment based on legitimate interest, having reduced these treatments in the new policy to internal management operations, very low impact on data subjects. c) It reiterates that there is no illicit transfer of data to group companies, but rather processing in co-responsibility. d) The social media contract was absolutely residual, and the aggregation contract was perfectly lawful. The Social Media Contract was a "pilot" project that was deployed with respect to a very small number of clients, who were unsuccessful and canceled, although the AEPD continues failing this question without taking into account those circumstances for the purposes of the sanction imposed. Regarding the Aggregation Contract, the AEPD forgets that its signature is complementary to the "Framework Contract", so that the consents for the "commercial purposes" in the framework of co-responsibility have been (where appropriate) duly obtained with the nuances specific to this type of contract (see the allegations to the initiation agreement). It is not true that this service is used for the collection of information, as indicated by the AEPD, inasmuch as This service is provided for in the payment regulations and serves not to dispose of the entity regarding new actors. In any case, there is a new version of this latest contract (provides a copy) that clarifies possible doubts that clients and the AEPD may have, which, Furthermore, like the rest of the contracts, it is being revised to adapt it to the new design that we detail them in the Sixth Allegation. - 6. On the measures proposed in Law Foundation X, of the proposal for resolution and remediation already operated by CAIXABANK. Inadmissibility of measures of cessation. The mentions to the cessation of treatments that are made in the proposed resolution are totally disproportionate for the present case, in which the only action taken reproach is the writing of the informative texts, through which it informs its clients of their treatments. The fair, proportionate and adequate measure would be to urge remedy those information deficits. It should be taken into account that the AEPD has taken three years to substantiate the present procedures and, during this process, has not considered the facts sufficiently serious enough to contact the company to urge a remediation of the treatments or of the information, to which it should be added that the documentation was sent one year and half before. Likewise, it must be taken into account that the interruption of treatments or collection of new Consents would imply an irreparable impact, both on the Entity and on the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 44 44/177 clients, much more pronounced even in the current global health situation, which forces restrict movements, visits that clients come to make arrangements at the offices. Privacy Information Enhancements By contrast, the publication of a new privacy policy, the communication of it to all clients and the renewal of all consent collection processes, which are already being implemented, as well as personalized communication of all changes to all the clients of the entity, reminding them of the consents granted in their day, explaining them according to the new drafting standards adopted and reminding customers of the possibility of revoking them, are sufficiently repair companies to estimate that CAIXABANK would have remedied any deficit estimated by the AEPD. These measures, which were intended to be implemented coinciding with the second anniversary of the RGPD, and that they have been delayed due to the impact of this procedure and the situation current health system, is based on the following components (attached a copy of the documents and Screenshots cited): - New structure of the documents through which customers are informed - Privacy Policy (version 12/2020) - Framework Agreement (version 12/20220) - New screens of the consent collection processes on tablet and banking to distance. - Massive communication to clients informing of the changes a) New structure of the documents through which customers are informed The "Framework Agreement", which contains the general regulation of the client's relations with the entity, and that it seemed the best option to also report on data processing, It will be replaced by a new Privacy Policy, as a document dedicated to informing the clients on this matter, given the dimension of the information that in the interpretation current estimate that it should be provided. To facilitate permanent customer access to the itself, will be permanently hosted on the company's website (www.caixabank.com/politicaprivacidad) The “Framework Contract”, which will continue to be the first contract signed by a client when interacting with the Entity, it will be used to collect customer consents, but only will collect detailed information referring to the consents and basic mentions that establishes art. 11 of the LOPDGDD, referring the client for more information to the second layer, the Privacy Policy. Product contracts, and other forms, will contain also only the basic mentions established by art. 11 of the LOPDGDD. A total uniformity in the information is intended, as well as a much deeper detail Of the same. b) Privacy Policy (version 12/2020) The Privacy Policy is already in force and published on the web, where you can consult and download in pdf format. In his brief of allegations, he outlines the structure of this C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 45 45/177 document, which consists of 11 sections. c) Co-responsibility agreement Together with the Policy, a co-responsibility agreement has been drawn up in the treatment of data between Group companies. This agreement defines the purposes and means of the treatments, as well as the basic rules to be observed by all the companies that make up these treatments in co-responsibility. Information about it also appears in the policy and more detail in the web address outlined in it www.caixabank.es/empresasgrupo. d) New Framework Agreement (version 12/20220) The new Framework Contract is closed, in the process of layout and put into production in the entity's information systems. The final implementation date is set for Systems Update (IOP) January 2021. The new Framework Agreement has been completely redesigned and has been drafted in new format under the recommendations of a linguistics company, to provide it with a clear and transparent wording for users. The text has been accompanied by examples and warning calls that are intended to reinforce the information offered to customers All the information has been unified in a single clause, which offers basic information on data protection (responsible for the data, and the possibility of processing in co-responsibility, of the Data Protection Delegate, of the possibility of exercising the rights recognized in the RGPD and to file claims with the AEPD, of the categories of data that are processed and data processing), redirecting to detailed information to the Privacy Policy published on the Web, as established in art. 11 of the LOPDGG. The same terminology is used in both documents. Although it is a document understood as a first layer, it continues to be the support to obtain the consents. To ensure that this consent is informed, renewed and detailed information is given about them, maintaining the same wording that the Privacy Policy. In his brief of allegations, he outlines the new structure of this document, which dedicates the section 4 to the processing of personal data. e) New screens of the consent collection processes on tablet for offices and remote banking (web and mobile). This update, which will be in production in January 2021, improves the information and usability, providing examples and ensuring that the authorization process is maintained always in the possession of the client (shared tablet screens). The obligation to access information and the provision of consent through a clear exercise affirmative, separately for each of the purposes. New consents have been incorporated, although this is not a remediation. New treatments that require consent. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 46 46/177 f) Mass communication to clients informing of the changes To publicize all the above modifications, a statement has been prepared that will be sent to the entire customer base informing about the new Privacy Policy, and reminding them of the consents granted (including the new wording), the treatment of your data in co-responsibility by the companies of the CaixaBank Group, the right to oppose the treatments and other rights provided in the RGPD. With this communication any information deficit that could be understood is remedied Regarding all the data processing carried out by CAIXABANK and any understanding deficit that may have occurred. He insists that these improvements are the result of 4 years of experience, his own and that of others, but not they mean that the information currently provided violates any rule. - 7. On the necessary proportionality of sanctions and their graduation. Disproportionate sanction imposed. a) In a subsidiary manner, it considers that the following mitigating factors apply: . Any measure taken by the person in charge or in charge of the treatment to alleviate the damages suffered by the interested parties (art. 83.2.c) RGPD): In addition to what is indicated in the Claims to the Initiation Agreement [see section 6.1.a)], which continues to be fully applicable and that the AEPD simply disregards indicating that they lack the "Sufficient relevance"; CAIXABANK has proceeded to further clarify the information provided to their clients and the procedure by which they request consent, to such an extent that the imposition of the corrective measures proposed by the AEPD (Fundamental of Law X and proposal of resolution Fourth of the Proposal of Resolution). The potential infringement related to the alleged information deficit has been entirely regularized (if any such regularization was necessary) and any adverse effects suppressed. . The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement (art. 83.2.f) RGPD): as already was indicated in the Arguments to the Initiation Agreement [see section 6.1.b)], and highlighted in the actions carried out by CaixaBank throughout the procedure (within and outside its framework), CaixaBank has only cooperated and walked hand in hand with the AEPD to achieve greater clarity and protection of the interested parties. Actually yes Some lack of collaboration has been reciprocal, given the absolute reluctance of the AEPD to meet with this entity. b) Unprecedented disproportion of the sanction imposed The AEPD recognizes that it is not a case of absence of information and qualifies the offense as minor (therefore, its assessment should be limited to the behavior of CAIXABANK in the year prior to the Initiation Agreement for obvious reasons of prescription). Likewise, there are no data transfers outside the framework of the joint responsibility of factual and currently formal existing in the CaixaBank Group (without the free will of subjects has been diminished in any case). However, it imposes on CAIXABANK a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 47 47/177 unprecedented penalty 8 times higher than the highest fine imposed under the GDPR (if not we take into account “the other” exemplary sanction of the financial sector, recently known). And 3 times higher than the maximum foreseen under the previous regime for the most infringements serious, ignoring and simply denying the application of the mitigations that CAIXABANK detailed in the Allegations to the Initiation Agreement and which are hereby reiterated. Specific, the application of those provided for in articles 83.2.a), b) and k) RGPD, as well as the listed in sections c), d) and e) and f) of the Sixth Claim of the Claims to the Initiation Agreement. c) Possibility of warning Finally, with regard to the warning, the AEPD seems to want to imply that the warning is addressed only to natural persons, when it itself (see by way of example the PS / 00072/2019; or PS / 00096/2019) has resorted to this proportional measure in the passed with legal persons. d) Conclusion In conclusion, taking into account the new information that CAIXABANK customers go to receive and the proactive and exemplary attitude of CAIXABANK, this entity understands that the The measures set out in Legal Basis X of the proposed resolution remain without effect, even before the final resolution, as all behaviors are remedied, or in the process of remediation due to technological imperatives, and that the proportionate measure that the AEPD, where appropriate and in a subsidiary way, should apply is the warning. further and taking into account the patent application of mitigating criteria, this part understands that It would proceed to calculate the amount of the penalty that, if applicable, was imposed, applying, within of the scale provided for in the fourth and fifth paragraphs of article 83 RGPD, its minimum degree. Finally, considering that strategic and sensitive data is provided for the entity, requests that the information provided be kept confidential and not communicated to any third party. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: PROVEN FACTS FIRST: On 01/24/2018, a claim made at this Agency by the claimant against CAIXABANK, in relation to the new conditions regarding protection of personal data whose acceptance requires that entity, questioning the transfer of your personal data to all the companies of the CaixaBank Group and the procedure provided to cancel said assignment, which, according to the claimant, requires directing a letter to each of the companies. He requested that CAIXABANK be urged to modify the the conditions mentioned. The claimant provided a copy of the aforementioned conditions, which appears with the labels "Authorizations for data processing" and "Exercise of the right of access, cancellation C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 48 48/177 and opposition. Claims before the Data Protection Authority ” . In relation to this claim, CAIXABANK informed this Agency that the clauses informative to which the complaint refers were implemented on the occasion of the changes contractual provisions arranged for adaptation to Regulation (EU) 2016/679. SECOND: On 03/29/2019, a claim made at this Agency by the entity Association of Consumers and Users in Action - FACUA, against CAIXABANK, in relation to the "Framework Contract" signed by the clients of this entity, through which your personal data is collected, the information is offered to them in this matter and consents are collected for the data processing specified. FACUA denounces that the content of this contract cannot be negotiated by the interested party, at that consent to the processing of your personal data and the transfer of the same to third companies with which it may not have a relationship (authorizations provided for in clause 8 and assignments mentioned in clause 10 of said contract). FACUA provided a copy of a "Framework Agreement" dated 10/24/2017. THIRD: The CAIXABANK entity has declared to this Agency that it began its adaptation to RGPD in 2016 and that this adaptation was carried out mainly through the implementation in June 2016 of the personal data collection form called "Framework Contract", used by CAIXABANK as a priority to comply with the transparency requirements regarding the protection of personal data and so that the clients can give their consent to the processing of their personal data at the of "Group" , with the purposes indicated in the aforementioned document. The "Framework Contract" is presented as mandatory subscription for new clients, establishing that the signature of the document implies that it “knows, understands and accepts its content ” . It is expressly provided that the terms and conditions apply general to all "commercial relationships" of the interested party "with CaixaBank and the companies of the CaixaBank Group, and therefore, the subscription and validity of this Agreement, respecting the corresponding rights of choice that the Signatory grants the clause, is necessary for the contracting and maintenance of product or service contracts ” . CAIXABANK has stated that in the case of existing clients a notice was included in the client file indicating to the manager that the “Framework Contract” had not been formalized. In its response to the Inspection Services dated 11/20/2019, CAIXABANK stated that the "Framework Contract" informs about all the treatments derived from the relationship contractual. CAIXABANK has contributed six versions of the "Framework Contract" to the proceedings, dated on 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019. The first three versions refer to the LOPD and do not refer to specific issues regulated in the RGPD, such as the legal basis of the treatment (legal obligation, interest legitimate or consent); rights of deletion, limitation and portability; right to file a claim with the Spanish Agency for Data Protection; existence of a data protection officer and means enabled to contact him. The version 3rd constituted the information offered by CAIXABANK on 05/25/2018. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 49 49/177 In its response to the Inspection Services dated 11/20/2019, CAIXABANK provided a copy of the "Framework Contract corresponding to a client", which appears signed on 11/06/2019. It is verified that its content does not coincide in its entirety with any of the six versions of the "Framework Contract" provided by the entity itself (version 7). In section 1 of the "Framework Contract" the identification data of the client and its declaration of economic activity. Among other data, there are those related to name, surname, tax identifier, date of birth, nationality, address, marital status, matrimonial regime, contact information, fixed and variable income, entity in which it provides service or gross annual income. The information that is provided to the interested party in this document in relation to the protection personal data is structured according to the legal basis that legitimizes the treatment of the data, dedicating section 7 to the treatments “based on the execution of contracts, legal obligations and legitimate interest and privacy policy ” (includes a subsection regarding the "processing of biometric data in the electronic signature of documents" ), and the section 8 to the “treatment and transfer of data for commercial purposes by CaixaBank and the CaixaBank group companies based on consent ” . Paragraphs 9 are added "Exercise of rights regarding data protection" and 10 "Delegate for the Protection of Data " , as well as a subsection dedicated to " Data retention period " , inserted in section 11 referring to the duration, resolution and modification of the contract. During the contracting process, the client must express the consents for the processing of personal data that are requested from the interested party in clause 8, incorporating the options selected by the client in the header of the document, at the section of personal and socioeconomic data. The consents requested from the client are grouped into the following three purposes: “(I) data analysis and study treatments for commercial purposes by CaixaBank and companies of the CaixaBank group (ii) the treatments for the commercial offer of products and services by CaixaBank and the companies of the CaixaBank group (iii) the transfer of data to third parties ” . In relation to these three consents, Clause 8 indicates: “In order to make your availability a global offer of products and services, your authorization to (i) the treatments analysis and study of data, and (ii) for the commercial offer of products and services, in case If granted, it will include CaixaBank, and the companies of the CaixaBank group detailed at www.CaixaBank.es/empresasgrupo (the “CaixaBank Group companies”) who may share and use them for the stated purposes ” . The copy of the "Framework Contract" provided by CAIXABANK with its response to the Services of Inspection dated 11/20/2019 (version 7), which appears dated 11/06/2019, contemplates the provision by the client of a fourth consent referred to data processing biometrics. In the heading of the document provided, under the heading of "Authorizations for data processing ”it is indicated: “ Other purposes: Use of biometric data with purpose of identity verification and signature. You have expressed your acceptance and consent ” . The entire content of the "Contract C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 50 50/177 Marco ”, in its versions dated 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019, as well as the content of the "Framework Agreement" dated 11/06/2019 (version 7). The content of the version 4, dated by CAIXABANK on 11/12/2018, as well as the modifications made later it is included as Annex I. FOURTH: The formalization of the form for collecting personal data and providing the consent to the processing of personal data called "Framework Agreement" takes place during the client registration process, which can be done in person at offices or through digital channels. a) The office registration process is carried out through an interview between the client and the manager. During this process, the manager must fill in the sequence of screens provided in the system incorporating the information (personal data) provided by the client. After fill in several screens (around fifteen), the screen labeled "Modification of data protection of… ” , whose structure is the following: "High consents CaixaBank data protection (RGPD) The client authorizes CaixaBank to: 1. Use your data to: . Carry out studies and monitoring of operations . Manage alerts for the products you have contracted . Study products and services tailored to your CaixaBank Group profile ( ) If not 2. Participate in promotional campaigns and commercial offers of the CaixaBank Group through the channels () Yes () Telemarketing () Electronic means such as SMS, email and others () Postcard advertising () Commercial contacts of the entity's managers ( ) No 3. Transfer customer data to third parties ( ) If not (OK) (Cancel) ”. For the provision of these consents, during this interview the client responds verbally to the three questions that the manager asks about the indicated purposes, one of them broken down into four options, and it incorporates the responses into the system. One time After the interview, the completed "Framework Contract" is printed on paper and signed for the client. In its response to the Inspection Services of 07/17/2018, CAIXABANK states that, later, it equipped the entire network of offices with digitizing tablets, making it possible for the "Framework Contract" is signed, not on paper, but on the tablet itself. CAIXABANK, with its response to the AEPD, dated 05/03/2019, provided documentation referring to the training given to its employees in which it is indicated: (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 51 51/177 The operation followed in this process was modified again, establishing a system of "Shared screen" to enable the customer to mark the options selected by himself same on a tablet that the manager puts at your disposal. CAIXABANK with its letter of 11/20/2019, sent in response to the requirements of information from the Inspection Services of the AEPD provided screen printing corresponding to the process of registering a client. After advancing about fifteen screens, A screen is displayed with a message for the manager with the indication “According to the General Data Protection Regulation, the client must authorize the use of their data. TO You must then hand over the tablet to the client to fill in the consents ” . Once the manager presses the "Accept" button on that screen, two screens are displayed corresponding to the collection of consents for the processing of data personal, with the label "Authorization / Revocation of consents" and the indication "Mode Tablet. Customer ” . The detail is as follows: "Protection of personal data Caixabank group I authorize the Caixabank group to: 1. Use my data for study and profiling purposes: If I authorize it, the offers that are sent to me will be adapted to my profile () Yes, I accept that the offers are based on my profile ( ) No 2. Receive advertising and commercial offers If I do not authorize it, not even my manager will be able to contact me to inform me of products of interest to me. () Yes, I agree to receive offers by the following means: () Telemarketing () Electronic means such as SMS, email and others ( ) Post mail () Commercial contacts through any channel of my manager ( ) No 3. Transfer my data to third parties with whom the Caixabank group has agreements: If I authorize it, at the time my data is transferred, I will be informed of which third party the recipient of the data and, if I do not agree, I may revoke this authorization () Yes, I agree to transfer the data to third parties ( ) No 4. Use of my biometric data (facial image, fingerprint, etc.) in order to verify my identity and signature: This authorization will be complemented in each case with the registration of the data biometric to use at all times. In order to verify the identity / signature of your clients, Caixabank uses biometric recognition methods such as facial recognition systems, fingerprint reading and the like. Currently, some of our ATMs already allow you to operations using these methods. () Yes, I accept the use of my biometric data ( ) No The preferences that you have indicated here will be included on the first page of your framework contract ” . Once the options have been selected, the buttons at the bottom of the screen "Accept" and "Cancel". When pressing the first one, the message “Your consents have been indicated. Thank you for your cooperation. Please return the Tablet to your manager ” . (…) The “ Tablet Mode. Client " do not contain any link to information on the subject protection of personal data contained in the "Framework Agreement". In relation to this process, no screen was provided regarding the consolidation of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 52 52/177 document and its signature by the client. b) The client registration process through the CAIXABANK web portal and mobile application (the application redirects the data subject to the web application), includes a step that shows a screen through which consent is collected for the processing of data with commercial purposes. The screen shows the following options: << Manage your data (i) Do you want to find out about our news in a personalized way? Processing of your data to receive a personalized service from the Caixabank Group Treatment of your data for the purposes of analysis, study and monitoring of the offer and design of products and services adapted to the customer profile by Caixabank and companies of the Caixabank Group. More information No Yes Processing of your data to receive offers of Caixabank products and services Processing of your data for the commercial offer of Caixabank products and services and companies of the Caixabank Group More information No Yes Transfer of your data to third parties with whom Caixabank and Caixabank Group companies have agreements Processing of your data by third parties with whom Caixabank and Caixabank Group companies have agreements, to receive offers of products and services from such third parties. More information No Yes (Continue) >> During this process of providing consent, access is made possible by the client to clause 8 of the "Framework Contract". At the end of the process the "Contract Marco ”with the summary of the consents granted and the clauses, for signature by the customer ( "View and download framework contract" ). A box is included to check “I have read and I accept the contract ” and the “ Previous ” and “ Continue ” buttons . In the inspection carried out at CAIXABANK on 11/28/2019, the download was verified complete of the "Framework Agreement" and that, once the acceptance box of the contract, the signature is carried out using a numerical code sent to the mobile phone provided by the customer. FIFTH: As reported by CAIXABANK to the Inspection Services in its response to 07/17/2018, this entity also collects the consent of its clients for the treatment of data for "commercial purposes" and transfer of data to third parties, through the document labeled as "Authorization for the processing of personal data for purposes commercial by CaixaBank, SA and companies of the CaixaBank group ” , that CAIXABANK called “Consent Agreement” and it is also used to modify them in moments after the discharge process. a) The process of formalizing this document in the office is similar to that of the "Framework Contract" and has followed the same evolution over time (printing and signature of the document, digital signature and "Tablet mode"), but signing a document that only includes the points indicated. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 53 53/177 Through this document, the provision of consent has been provided separately. for the same purposes mentioned in the "Framework Contract". The system displays the Screen enabled for the manager to register the revocation under the heading "Modification of data protection ” , whose structure is similar to that shown for the provision of the consent during the client registration process, including the incorporation of the room consent that is requested from the client in relation to the processing of data biometric, verified in the inspection carried out on 11/28/2019. Three versions of this "Consent Agreement" are incorporated into the proceedings (the one provided by the claimant on 01/24/2018, outlined in Fact One -Version 1; the one provided by CAIXABANK on 07/10/2018, outlined in the Second Fact and transcribed in Annex II -Version 2; and the one attached to the Inspection Certificate dated 11/28/2019, outlined in Fact Four, Version 3 (the differences are also included in Annex II of this Version 3 compared to Version 2). In version 3 of the document, the one provided during the inspection of 11/28/2019, in the denomination of the document the term "revocation" is added and "Authorization / revocation for the processing of personal data for purposes commercial by CaixaBank, SS and companies of the CaixaBank group ”. The information offered in the "Consent Agreement" regarding the protection of personal data coincides, almost literally, with clause 8 of the “Framework Agreement”. b) The process to revoke consents through the client's private space in the CAIXABANK website shows a screen with the following structure: << Authorizations for commercial purposes Modification You can then modify the treatment that Caixabank performs on your information I accept the treatment of my data to monitor and study alerts for my products contracted, studies and services adjusted to my profile. See detail Clause 8 I accept I do not accept I accept that Caixabank contact me to find out those offers of products and services, as well as promotions and offers that may be of interest to me. See detail Clause 8 I accept I do not accept Indicate if Caixabank can contact you in any of the following ways () Through my manager (office) () Through postal communications () By email, SMS and other electronic channels () By telemarketing I accept that my data is shared with companies with which Caixabank has signed agreements with the purpose of being able to receive offers of products and services from these companies. See detail Clause 8 I accept I do not accept >> During this process, access by the client to the information contained is possible C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 54 54/177 in clause 8 of the “Framework Contract”. Once the options are selected, the client is shown a summary with the consents granted ( “Operation not yet completed, Check the data and confirm the operation ” ) and the contract that includes a summary of these consents ( "Read the contract carefully. Confirm the operation" ). c) In the environment of the CaixaBank Now mobile application, the customer can access "Configuration - Exercise of rights" and is redirected to the Web portal. d) CAIXABANK informed the Inspection Services, in its response dated 07/17/2018, that the client can revoke consents by using forms available in the CAIXABANK corporate web portal (indicates that it allows you to revoke consent for any Group company) or on the web portal of each of the Group companies (at access the page corresponding to the entity in question, the client is directed to a screen common to all). It offers the possibility of marking three boxes with the detail following: “() I do not wish to receive a personalized service from the CaixaBank Group (data processing with purposes of analysis, study and monitoring for the offer and design of products and services adjusted to your profile by CaixaBank and CaixaBank group companies) () I do not wish to receive offers of personalized products and services from CaixaBank and companies of the CaixaBank group () I do not want my data to be communicated for commercial purposes of third parties with CaixaBank has agreements ” . d) Revocation of consent through the telephone service: the Call Centers have at their disposal a tool that allows you to deal with the revocation of the consents. The structure shown by the aforementioned tool for the revocation of the Consents is similar to that indicated for the process of registering clients in the office ( “Registration of consents ” ). CAIXABANK, in its response of 05/03/2019 to the transfer of the claim made by FACUA, informed this Agency that the revocation of the consents has effects for all the Group companies and that can be exercised before any of them, for any of the channels of each one. According to CAIXABANK, these requests for revocation or modification of consents are registered and are referred to a centralized rights service, which is in charge of giving them the corresponding procedure. The entire content of the "Contract Consent ”, in all its versions (the content of version 2 and the differences in version 3 with respect to version 2 are included as Annex II). SIXTH: Section 7 of the "Framework Agreement" contains a reference to the privacy policy of CAIXABANK, accessible through the entity's website ( “You can find complementary information to that provided in this contract, regarding the processing of your personal data at www.CaixaBank.com/privacidad ” ). The document "Privacy Policy", with thirteen sections, provides generic information on the identity of the person in charge (without referring to the existence of a “common repository” to CAIXABANK and the Group companies), data collected, information obtained from C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 55 55/177 browsing the web and mobile applications, purposes, legal basis that covers the data processing, security, data retention, assignments, transfers internations, data protection officer and rights of the interested party. It is interesting to highlight that this "Privacy Policy", when referring to uses based on consent, warns the interested party that they may use "all the data we have about you" ; and in the section "To whom is my data disclosed?" is informed about the exchange of information with companies of the CaixaBank Group. In its response to the Inspection Services dated 11/20/2019, CAIXABANK informed this Agency that said privacy policy is intended to complement the information provided to customers through the "Framework Agreement" between June 2016 and May from 2018; and give complete information to clients who in May 2018 had not signed the "Framework Agreement". Thus, since May 2018 it distinguishes two situations: . All pre-existing clients have signed a framework contract or have received the Privacy (in addition to having it at your disposal on the entity's website). . All new clients, in their first relationship with the entity, sign a "Contract Marco ”, which includes all the information of article 13 of the RGPD. It is declared reproduced in this act, for evidentiary purposes, the full content of the Policy Privacy accessible through the CAIXABANK website. SEVENTH: The "Framework Agreement", in section 8, details the personal data used with the purposes described in that same section. Among them are mentioned “the data obtained from social networks that the signatory authorizes to consult ” . Accessed from the area online banking staff and the network for which access is allowed is specified (Facebook, Twitter and LinkedIn). A box includes a text with the indication "Information on the processing of personal data and commercial communications ” ; and a button with the text "Accept and continue . " With this single action, the client gives his consent to the collection of the personal data mentioned in that information and the treatments that are detailed. This information is declared reproduced in this act for evidentiary purposes (it is stated fully in Annex III): EIGHTH: Section 8 of the "Framework Agreement" details the personal data used with the purposes described in that same section. Among the data used for these purposes mention is made of "data obtained from third parties as a result of requests for aggregation of data requested by the signer ” . Said request is formalized through the subscription by the client of the so-called Aggregation Service Agreement. This service allows you to add the information of the products that you have contracted with other entities (positions and movements of accounts and cards) and thus have a global vision of all positions, alerts on receipts, expirations, etc., but do not operate on the products of the aggregated entities. The client adds or removes entities at will, but only among those incorporated into the service. The process of requesting the aggregation service is followed through the website of CAIXABANK. After selecting the entity that you intend to add to the service and enter the data that the client uses to access the selected entity online (passwords access), the process requires the acceptance of the terms and conditions of the service. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 56 56/177 “On the one hand Caixabank, SA and on the other the people whose circumstances and representation specified below, agree to formalize the contractual relationships that are expressed under the following conditions: Contractor data Name and surname Document number". (link to a document in pdf format. with the indication "Version to print or save" ). (link to download the Acrobat Reader program, with the indication “If you don't have the program…, you can download Acrobat Reader ” ) ( "Accept and continue" button ) Next, the process requires confirmation of the operation by entering of a key. On the other hand, it does not include any verification that leaves proof of the reading of the document "Terms and conditions of service" . It is declared reproduced in this act, for evidentiary purposes, the complete clauses of the Aggregation service contract (it is fully outlined in Annex IV). NINTH: In your response to the Inspection Services of this Agency, dated 05/16/2018, CAIXABANK stated that, on the occasion of the changes that the adaptation to the RGPD entailed, in 2016 it established that the consent of the clients for the treatment of their data personnel for “commercial purposes” would be collected at the “group” level, jointly for all companies in the "group". Version 2 of the document "Consent Agreement" refers to a "repository common ”of personal data in the indication “ For this, your data will be managed from a common repository of information on the CaixaBank Group companies. The data that is will be incorporated into this common repository will be ... ” (this reference to the“ common repository ”in the presentation of the aforementioned document disappears in its 3rd version). (…) And a “common repository of consents”, which stores the authorizations for commercial treatments granted by clients to Group companies, allowing that a client revokes the consent from any company of the Group, and conversely, with effects automatically for all of them. (…) FOUNDATIONS OF LAW I By virtue of the powers that article 58.2 of the RGPD recognizes to each Authority of Control, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Agency for Data Protection is competent to initiate and solve this procedure. Article 63.2 of the LOPDGDD determines that: “The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 57 57/177 development and, as long as they do not contradict them, in the alternative, by the general rules on administrative procedures. " II Previously, it is deemed appropriate to analyze the exceptions alleged by CAIXABANK, on the basis of which it requests the declaration of nullity of the proceedings, as well such as the formal questions raised by said entity. - 1. Violation of article 24.2 of the Constitution, presumption of innocence. First, it invokes Articles 24.2, 103.1 and 2 of the EC, and Article 6 of the Convention European Commission on Human Rights (ECHR), and alleges a possible violation of the principle of presumption of innocence due to lack of objectivity and impartiality of the body that has the competence to resolve the procedure, deduced by CAIXABANK from some statements made by the Director of the AEPD in a public act, through which the imposition of "quantitatively significant" fines is announced . The statement to which CAIXABANK refers to is the following: “We already have two or three high-impact sanctioning procedures that are going to have a lot of media impact in relation to the financial sector, will be the first quantitative fines important by the Agency ”. Of this declaration, made during the period granted to the interested party to present allegations at the opening of the procedure, CAIXABANK deduces that the will of the body that has the competence to resolve was formed without even knowing those allegations and without having all the evidence in view. In the administrative sanctioning area, the impartiality of the adjudicatory body is linked to the right of the interested party to a process with all the guarantees. It is guaranteed with the reasons for abstention or objection and with due separation between the phases of instruction and resolution of the sanctioning procedure, separation between phases that in this case has not gone bankrupt and that it is scrupulously respected in all the procedures of this nature followed in the AEPD. For the sake of legal certainty, the reasons for abstention or disqualification have been regulated by an exhaustive list of circumstances that respond to objective reasons, thus avoiding that the interested parties can appreciate causes of abstention or challenge based on own or particular criteria. In our administrative system, the appearance of partiality is estimated by the concurrence, objectively justified, of the reasons regulated in articles 23 and 24 of the Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP): “Article 23. Abstention. 1. The authorities and personnel at the service of the Administrations in which some of the Circumstances indicated in the following section will refrain from intervening in the procedure and They will communicate to their immediate superior, who will resolve the proceeding. 2. The following are reasons for abstention: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 58 58/177 a) Have a personal interest in the matter in question or in another whose resolution could be influenced by that; be an administrator of a company or interested entity, or have pending litigation with any interested. b) Have a marital bond or assimilable de facto situation and blood relationship within the fourth degree or affinity within the second, with any of the interested parties, with the administrators of interested entities or companies and also with the advisors, representatives legal entities or agents involved in the procedure, as well as sharing a professional office or be associated with them for advice, representation or mandate. c) Having an intimate friendship or manifest enmity with any of the persons mentioned in the previous section. d) Having intervened as an expert or as a witness in the procedure in question. e) Have a service relationship with a natural or legal person directly interested in the matter, or have provided professional services of any kind in the last two years and in any circumstance or place. Article 24. Challenge. 1. In the cases provided for in the preceding article, recusal may be promoted by those interested in any time during the processing of the procedure. 2. The challenge will be raised in writing in which the cause or causes on which it is based will be stated ”. Ultimately, it is a matter of the person making the decision not having any personal interest in the matter and has not participated in the procedure as an expert or witness, so that it can resolve according to the general interest, without any type of influence beyond that interest that can lead you to decide in a certain way. On the other hand, in accordance with the doctrine of our Constitutional Court, that is claimed from public servants is not the personal and procedural impartiality that It requires judicial bodies, but rather that they act with objectivity and submission to the law. Thus, in STC 174/2005, of July 4, the following is declared: “In this regard, it should be remembered that although this Court has reiterated that, in principle, the requirements derived from the right to a process with all the guarantees apply to the administrative procedure However, there has also been a special emphasis on the fact that said application must performed with the required modulations to the extent necessary to preserve the values essentials found at the base of art. 24.2 CE and the legal certainty guaranteed by art. 9.3 CE, as long as they are compatible with their own nature (by all, STC 197/2004, of 15 November, FJ 2). More specifically, and with regard specifically to the guarantee of impartiality, it has been pointed out that it is one of the cases in which it is necessary to modulate its projection in the administrative sanctioning procedure, since said guarantee “cannot be predicated of the sanctioning Administration in the same sense as with respect to the organs judicial "(STC 2/2003, of January 16, FJ 10), therefore," without prejudice to the interdiction of all arbitrariness and subsequent judicial review of the sanction, strict impartiality and independence of the organs of the judiciary is not, in essence, predicable to the same extent of an organ administrative law ”(STC 14/1999, of February 22, FJ 4), concluding that the independence and impartiality of the judge, as a requirement of the right to a trial with all guarantees, is a guarantee characteristic of the judicial process that does not extend simply to the administrative procedure sanctioning (STC 74/2004, of April 22, FJ 5) ”. And STC 14/1999, of February 22, states the following: “An erroneous understanding of the content of the constitutional requirements of judicial impartiality and his alleged transfer in totum to whoever intervenes in the administrative sanctioning procedure in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 59 59/177 Instructor quality, leads the appellant to affirm the injury of his right to a process with all the guarantee. (…) It should be reiterated here again, as we did in STC 22/1990 (4th legal basis), that "without prejudice to the interdiction of all arbitrariness and the subsequent judicial review of the sanction, the strict impartiality and independence of the organs of the judiciary is not, in essence, predicable to the same extent of an administrative body ". What can be claimed from the Instructor, ex arts. 24 and 103 CE, it is not that he acts in the situation of personal and procedural impartiality that is constitutionally required of judicial bodies when exercise jurisdiction, but act with objectivity, in the sense that we have given to this concept in SSTC 234/1991, 172/1996 and 73/1997, that is, performing their functions in the procedure with personal disinterest. To this end the possibility of recusal established by the art. 39 of Organic Law 12/1985, on the Disciplinary Regime of the Armed Forces (hereinafter LORDFA) which refers to art. 53 of the Military Procedural Law, whose catalog of cases keeps, in this scope, evident similarity, with that provided for in the Organic Law of the Judicial Power, although the listed in one and the other obey, according to what has been stated, a different foundation. (…) None of the reasons given can be addressed, not only because, in general, and according to previously stated, the doctrine cannot be transferred without further ado to the administrative sanctioning area constitutional elaborated on the impartiality of the judicial organs, but because in the case present, and in view of the configuration of the legal grounds for disqualification, the concurrence of any element that would demand the removal of the Instructor due to loss of necessary objectivity. It is not observed in the questioned Instructor, nor has the interested party provided data justified in this regard, the presence of direct or indirect personal interest in the resolution of the sanctioning file (…) ”. In this case, it must first be specified that CAIXABANK, despite its allegation of lack of impartiality of the adjudicatory body, has not formally raised the challenge of the Director of the AEPD, nor does he make any reference to the reasons listed in those items. In this regard, it should be taken into account that, to declare the nullity of the actions for the reasons alleged, it is necessary to fully demonstrate the concurrence of one of those reasons that could have effectively influenced the Decision adopted through the present resolution. However, it is considered appropriate to record in this act the non-attendance of any of the causes of abstention or recusal established in the precepts transcribed, which allows to conclude that the alleged lack of impartiality does not exist. Does not have personal interest in the object of the procedure; no bond, friendship or enmity with him interested; nor has he intervened as an expert or witness in the procedure. This resolution is adopted in accordance with the Law, according to objective criteria, and without that the adjudicatory body has prejudged the matter in question through actions previous formalities or through their intervention in previous phases of the procedure. This intervention has not taken place in any way, beyond the adoption of the opening of the procedure as established by the applicable procedural regulations. The demonstration to which CAIXABANK has referred does not fall within the cases of disqualification and abstention listed above and do not advance the decision, either so that they cannot be appreciated with the scope intended by said entity. Neither that manifestation, nor any other circumstance, have broken the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 60 60/177 impartiality of the investigating body, which has had all the powers attributed to it by the regulation in question and full freedom to dictate its resolution proposal, as evidenced by the fact that said proposal has reduced the infractions that were imputed in the agreement to open the sanctioning procedure. The intervention of the Director in the event held on 03/03/2020 is related, rather, with the adoption of the agreements to open the procedures to which the CAIXABANK refers in its allegations, both from the financial sector. The reference to these agreements as of wide impact for the affected sectors and with media relevance has to do with the novelties regulated in the RGPD and, in particular, those related to the new compliance and oversight model. In relation to the latter, the important amounts contemplated in the Regulation for the purpose of what, how does this norm, may have a dissuasive character. In the opinion of this Agency, specify in the initiation agreement issued the offense that could have committed and its possible sanction is adjusted to the provisions of article 68 of the LOPDGDD and article 64.2 of the LPACAP (in this case, of the different corrective powers provided for in article 58.2 of the RGPD, the Agency deemed appropriate the imposition of fine, in addition to the adoption of measures to adjust its performance to the regulations, considering the indications of infringement appreciated at the time of opening and without detriment to what could result from the instruction of the procedure). Thus, it cannot be said that to indicate the possible sanction that could correspond for the imputed infractions is determinant of defenselessness or that involves a breakdown of the principle of separation of phases of instruction and resolution. On the other hand, the instruction of the procedure has been in accordance with the regulations procedural, without being able to appreciate any irregularity in the processing of the procedure, in which, in addition, all the guarantees of the interested party have been respected, including the presumption of innocence. CAIXABANK, in this case, has seen all the guarantees of the interested party provided by the procedural regulations and it cannot be said that the determination of the amount of the fine in the opening agreement implies no loss of said guarantees causing helplessness. It should be noted that both in the present proceeding and the other cited by the CAIXABANK entity, the resolution issued has lowered the amount of the initial penalty in attention to the allegations of the parties, as is the case in so many cases of sanctioning procedures processed by the AEPD. All you have to do is go to the Agency's website, where all the resolutions issued in sanctioning procedures, to verify the large number of those that end with a resolution of the file of actions, as well as those others in those that increased or decreased the amount of the penalty set in the opening agreement or agreed to the application of a corrective power other than the fine, once a Proposal of the instructor or at the initiative of the decision-making body. - 2. Bankruptcy of legitimate expectations. On the other hand, CAIXABANK requests the filing of the file for an alleged C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 61 61/177 violation of the principle of legitimate expectations or reconsideration of the declaration of nullity of the consents obtained. It bases this request on the query made shortly after the GDPR was published, through emails addressed to the "Deputy Director of the AEPD" , regarding the implementation of the RGPD and the documents analyzed in the file, especially the “Framework Contract”, on which, according to CAIXABANK, only some minor considerations in telephone conversation, which were attended by the interested entity. It indicates that those emails repeatedly requested the holding of a meeting between the AEPD and CAIXABANK for this purpose, which was denied. From having communicated to the AEPD the main actions that would lead to carried out for the adequacy of its performance to the RGPD, including the reference to the so-called “Common repository”, CAIXABANK deduces its legitimate conviction of having been acting correctly and that he may have had a "reasonable induced hope" that his The way to proceed was in accordance with the law. The aforementioned principle of legitimate expectations is included in article 3 of the LRJSP: "Article 3. General principles. 1. Public Administrations serve the general interests objectively and act in accordance with the principles of efficiency, hierarchy, decentralization, deconcentration and coordination, with full submission to the Constitution, the Law and the Law. They must respect the following principles in their actions and relationships: (…) e) Good faith, legitimate trust and institutional loyalty ” . It is a manifestation of the doctrine of "proper acts" and is related to the principle of legal certainty. The principle of legitimate expectations can be understood as the Citizens' confidence in the future action of Public Administrations taking into account their past performances, considering the expectations they generate, although always safeguarding the principle of legality, so that principle may not invoked to save situations contrary to the norm. The STS of December 18, 2007 refers to the principle of trust protection citing the terms of a previous Judgment of May 10, 1999: << Thus, the STS of 10-5-99 (RJ 1999, 3979), recalls "the doctrine on the principle of protection of the legitimate trust, related to the most traditional in our security system legal and good faith in the relations between the Administration and individuals, and which involves, according to the doctrine of the Court of Justice of the European Communities and the jurisprudence of this Chamber, that the public authority cannot adopt measures that are contrary to the hope induced by reasonable stability in the decisions of the former, and based on which individuals have made certain decisions. […] On the other hand, in the STS of 1-2-99 (RJ 1999, 1633), remember that "this principle cannot be invoked to create, maintain or extend, within the scope of Public law, situations contrary to the legal system, or when the preceding act results a contradiction with the purpose or interest protected by a legal norm that, by its nature, is not liable to protect one. discretionary conduct by the Administration that involves the recognition of rights and / or obligations arising from acts of the same. […] One thing is the irrevocability of the declaratory acts of rights outside the channels of revision established in the Law (articles 109 and 110 of the Administrative Procedure Law of 1958 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 62 62/177 [RCL 1958, 1258, 1469, 1504 and RCL 1959, 585], 102 and 103 of the Law of Legal Regime of the Public Administrations and Common Administrative Procedure, Law 30/1992 [RCL 1992, 2512, 2775 and RCL 1993, 246], modified by Law 4/1999 [RCL 1999, 114, 329]), and another respecting the Legitimate confidence generated by own action that must necessarily be projected into the field of discretion or autonomy, not that of the regulated aspects or regulatory requirements against those that, in Administrative Law, what is resolved in act or in precedent that was contrary to those. Or, in other words, it cannot be said that the trust deposit in an act or precedent that is contrary to mandatory norm ">>. The STS of February 22, 2016 (rec. 1354/2014) refers to the requirements that must be concur to assess legitimate confidence: "It should be taken into account that legitimate trust requires, ultimately, the concurrence of three essential requirements. Namely, that it is based on undeniable and external signs (1); what hopes generated in the administered must be legitimate (2); and that the final conduct of the Administration is contradictory with the previous acts, is surprising and incoherent (3). Exactly what It occurs in the case under review, based on the facts mentioned above, which is irrelevant. Let us remember that, with respect to legitimate expectations, we have been declaring repeatedly, for all, Judgment of December 22, 2010 (contentious-administrative appeal nº 257/2009), that «the principle pio of good faith protects the legitimate expectations that may have been placed in the behavior of others and imposes the duty of consistency in their own behavior. What is so much as saying that the principle implies the requirement of a behavioral duty that consists in the It is necessary to observe in the future the behavior that the previous acts made foresee and accept the binding consequences arising from the acts themselves constituting an assumption of law. tion to the legitimate expectations of the parties "venire contra factum propium". This same Judgment refers to confidence in the stability of the criteria of the Administration, evidenced in previous acts in the same sense. On the other hand, the STS of September 21, 2015 (rec. 721/2013), in its Foundation Fourth Law, declares the following: “In the aforementioned judgment of this jurisdictional Chamber of February 23, 2000, the application of the The principle of protection of legitimate expectations is conditioned not so much by the fact that any type of psychological conviction in the particular beneficiary, but rather to accredit the existence of external signs produced by the Administration "sufficiently conclusive" to that reasonably induce him to trust in the legality of the administrative action ” . Therefore, that hope or confidence generated must be "legitimate" and based on previous external acts, the meaning of which is undoubtedly contrary to what was agreed subsequently, without having to include in this principle of legitimate expectations a mere psychological conviction of the individual. In this case, it appears that CAIXABANK sent several emails to "Deputy Director AEPD" , by way of consultation, accompanying a copy of the "Framework Contract" provided by that entity as a form for collecting personal data and with the informative clauses on the protection of personal data, as well as a program on the actions taken, in which, in addition, he requested the holding of a meeting for the purpose of commenting on such documents and actions. It also appears that this meeting did not take place. It is clear that these emails were answered by the recipient, by the same route, with the following messages: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 63 63/177 . Email dated 07/27/2016: "Subject: Meeting Good morning…, in order to assess the possibility of holding a meeting, send me a brief explanation of the policy you have adopted and the text of the informative clauses. We will talk in September ” . . Email from 09/11/2017: "Subject: RE: RGPD Presentation at CaixaBank Good morning, I would appreciate if possible, if you could send me the presentation in a format that can print as it is impossible for me to do so ” . In this case, CAIXABANK does not have previous external events ( "signs undeniable externalities ” ) that may be considered favorable to said entity in a conclusive and sufficient to have induced it to think that the AEPD validated the Actions undertaken by the entity to adapt its performance to the RGPD. Beyond the criticism that CAIXABANK could make to this AEPD for having been your inquiries or your requests for a meeting to analyze the documentation that was preparing, the truth is that the responses of this Agency contained in the emails provided by the interested party do not have any legally binding content nor do they contain any pronouncement on the issues to which the allegations refer. In definitively, they do not represent external acts of the Administration that could derive a future violation of the principle of the "legitimate confidence of the administered", now invoked. The actions of this Agency have not influenced in any way the conduct of CAIXABANK determining the infractions analyzed, nor has this Agency carried out any action that has allowed said entity to conclude that in the documentation of data protection formalized by the same or in its processes of collection and treatment of personal data does not exist any element that contravenes the provisions of the RGPD and LOPDGDD. CAIXABANK cannot provide any statement or action from this Agency that led to this alleged confusion, simply because there is no action some in that sense. In short, projecting the doctrine of the Supreme Court to the present case, and in the terms of the STS of December 18, 2007, it turns out that there are no circumstances that allow us to understand that CAIXABANK has been surprised by the performance of the Administration. Finally, it is considered appropriate to point out, firstly, that the emails to those referred to by CAIXABANK do not belong to or comprise any regulated action of the Administration and, secondly, that the AEPD has enabled consultation channels for that citizens and those responsible for processing personal data may raise your doubts in the matter of your competence, but these channels cannot be used for this Agency supervises and fully validates the actions undertaken by those responsible, unless a rule so expressly provides. Furthermore, it is surprising that CAIXABANK intends to found the bankruptcy of the principle of legitimate confidence in the forwarding of two emails to the Deputy to the Directorate of the AEPD, in which a meeting was requested on the texts that were attached. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 64 64/177 First, from a formal perspective, it should be noted that the allegations they highlight in bold the recipient of the emails, whom they incorrectly describe naming him as "Deputy Director of the AEPD", despite the fact that said job did not exist in the Agency's job list, as is fully known by CAIXABANK when in document number 3 that it provides in relation to this argumentation is addressed to the “AEPD Deputy”. What it might suggest, beyond a mere mistake material, an intentional will to give more importance at this time to the remission of the aforementioned emails according to the relevance of the position to which they were addressed. And, what is materially more relevant, is that it is intended to establish said allegation in compliance with the principle of proactive responsibility, regulated in the RGPD as a essential element of the new compliance model designed by said standard. Interpretation what exactly is contrary to the provisions of the Regulation, in which the principle of proactive responsibility refers to those responsible for the treatment the requirement to carry out risk analysis for the rights and freedoms of those affected and adopt autonomously the measures that allow guaranteeing them through the measures that in the described themselves. Maxime when in relation to these measures the only provision of the RGPD on consultations with the supervisory authority is related to the Impact Assessments on the Data Protection, when it shows that the treatment would involve a high risk if the person in charge does not take measures to mitigate it, in accordance with article 36 of said regulation. To which is added that, without having proceeded to the analysis of the documentation submitted or speak out about it, CAIXABANK was informed that the meetings would not be held arguing precisely that proactive responsibility requires the person responsible for the processing carry out their own analyzes and autonomously adopt the measures that guarantee and allow demonstrating compliance with their obligations. Therefore, the allegation of violation of the principle of trust must be rejected legitimate and, if not, reaffirm the full responsibility of CAIXABANK in the analysis of the risks associated with the initiatives developed to comply and demonstrate compliance of the RGPD. - 3. Expiration of the previous actions. In its arguments at the opening of the procedure, CAIXABANK invoked the expiration of the preliminary investigation actions indicated with number E / 01475/2018, initiated due to the claim presented on 01/24/2018, and whose documentation was incorporated into the new investigative actions initiated with number E / 01481/2019. Based on this, it considers that the possible infractions analyzed in the proceedings previous that were declared expired by resolution of 02/01/2019 would have prescribed, under the terms provided in Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD). Subsequently, in its allegations to the motion for a resolution, CAIXABANK alleges C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 65 65/177 a possible violation of Article 24 of the EC due to the defenselessness produced by the extension artificial and unlawful of the previous investigation actions, also ignoring their expiration. He substantiates this claim according to the following considerations: . The previous investigative actions supplanted the instructional activity, since it was used as a true sanctioning procedure, which constitutes a possible vice of misuse of power in the use of instructional mechanisms. For this very reason, the sanctioning procedure must be considered expired by the expiration of the term planned for its resolution, counted from the beginning of the previous actions of investigation. . It understands that such consideration is only attributed to actions that allow data to be collected and indications about the facts committed and those responsible, and the procedure as soon as there is certainty about the commission of the facts and their author. According CAIXABANK, in this case they do not adhere to the purpose provided in the applicable regulations. . The previous actions developed (a first expired, which led to the opening of a second) did not respect any essential guarantee of the sanctioning procedure, such such as reporting the accusation, remembering the right not to testify against oneself, etc. . Given that the Proposed Resolution rests de facto, solely and exclusively, on the elements of conviction and evidence collected during the preliminary proceedings phase, the impossibility of using them means that the proposal lacks the elements necessary to enervate the presumption of innocence. . The bulk transfer of the expired file is not acceptable, nor is it possible to acted in the previous actions, pass in full to the sanctioning file. . The use of previous actions without time limitation is not acceptable, beyond of the prescription itself. This allegation by CAIXABANK is based on different pronouncements of our Supreme Court, but it contains statements that are contradictory in Some cases or refer to assumptions of events different from the one that concerns us in others. Thus, for example, CAIXABANK alleges that the previous actions carried out did not respected any essential guarantees of the sanctioning procedure, such as reporting the imputation, remember the right not to testify against oneself, etc. However, it based this allegation in what was expressed by the Supreme Court in Sentence of 06/09/2006, referred to an alleged disciplinary of the Armed Forces. On the other hand, it is not understood that, on the one hand, it is said that the motion for a resolution rests in its entirety on charge elements collected during the proceedings phase previous investigation and, on the other hand, it is defended that the previous actions developed were denatured and did not adhere to “the purpose that they must cover according to to the design of the legislator ” , when, precisely, the purpose of carrying out such investigations is none other than obtaining those evidences that justify the processing of a sanctioning procedure. For the same reason, it is not understood that the immediate opening of the sanctioning procedure, even if it has not been fully proven the offense. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 66 66/177 Likewise, that purpose being the basis for carrying out the previous investigation, this Agency does not share the assertion contained in the allegations of CAIXABANK on the "impossibility" of use in the proposed resolution of the elements of conviction and evidence collected during the preliminary proceedings phase. On the other hand, it is argued that the actions of a procedure expired cannot take effect in the new sanctioning file that may be initiated when the offense has not prescribed (STS of 02/24/2004). However, in this case, the expiration occurred with respect to the previous actions E / 01475/2018, and not the sanctioning procedure. Regarding this question regarding the transfer or use of the documentation of the the previous actions that were declared expired, some of the affirmations contained in the brief of allegations to the proposed resolution. In Specifically, said letter indicates that “there are very divergent principles that prevent the actions taken in the previous proceedings go entirely to the sanctioning file ” , or that "To these pseudo previous actions, in reality true instruction of the procedure sanctioner, the actions arising and documented in it should not have reached root of its initiation ” . In this case, there has been no transfer of documentation from the sanctioning procedure to the previous actions, but to the contrary, as is normal; and nor has documentation been transferred from an expired procedure to a new one procedure, simply because the expiration of the sanctioning procedure has not been produced. Likewise, it is said by CAIXABANK that the previous actions did not comply with “the purpose to be served according to the legislator's design , ” but it is not said that another "Design" pursued by the AEPD with the performance of these actions, other than to achieve a better determination of the facts and circumstances that justify the processing of a sanctioning procedure. It even alleges “a possible deviation of power in the use of the mechanisms of instruction ” , understood as <<“ a contravention of the teleological sense of the administrative activity carried out ”(STS of 7-4-86),“ a distortion of the normal purpose of the act ”(STS of 11-4-89), a“ non-use of administrative authority in a objective, in accordance with the objective pursued ”(STS of 12-5-86). Said procedural deviation it can happen “not only when it is proven that the Administration is pursuing a private or an unspeakable purpose, alien to any defense of the general interests, but this teleological deviation can also occur when pursuing an interest foreign public and, therefore, different from that provided by the legal system for the case " (Judgments of the Supreme Court of March 18, 2011 and May 11, 2012) ”>> (citations included by CAIXABANK in their allegations to the proposal). In this regard, it argues that the repeated previous investigative actions "They supplanted the teaching activity . " However, CAIXABANK does not explain how it has used in this case the administrative sanctioning power in a manner not in accordance with the purpose pursued, or what contravention of the teleological sense of the administrative activity has occurred or how the purpose of the administrative act has been distorted, nor what private purpose or public interest other than that provided for in the regulation pursues in this case the Administration. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 67 67/177 On this issue, the Supreme Court, in a Judgment of 05/13/2013, has declared: “In this regard, it should be noted that, according to the jurisprudence of this jurisdictional Chamber, the concurrence of misuse of power cannot be based on mere presumptions or conjectures, being necessary to prove sufficient facts or elements to form in the Court the conviction that the Although the Administration accommodated its actions to the law, it did so for a purpose other than claimed by the applicable norm, which, in this process, has not happened ”. In this case, not only are sufficient facts or elements not proven to form the conviction that the Administration acted for a purpose other than that intended by the rule, but not even assumptions or conjectures have been made about the concurrence of the alleged misuse of power. In the same way, CAIXABANK does not explain what specific procedure carried out in the framework of the preliminary investigation actions is actually an administrative procedure that should have been held within the sanctioning procedure, what procedure or procedures specific actions of the sanctioning procedure have been supplanted by the previous actions, or what steps of the procedure have been avoided because of the previous actions made, or how defenseless all this has generated the interested entity. On the contrary, prior investigation actions were carried out perfectly justified, with the purpose of achieving a better determination of the facts and circumstances (article 67 LOPDGDD), during which necessary information was collected for the determination of the facts, without carrying out during the course of the same procedures some of the sanctioning procedure, which was initiated based on the evidence obtained and with the sole purpose of applying the established regulatory provisions. A first claim was received, dated 01/24/2018, in which the Obligation to accept the new conditions regarding the protection of personal data implemented by CAIXABANK (provided a copy), and it was decided to carry out actions previous investigation, indicated with number E / 01475/2018, for the clarification of the facts denounced and determine if there were circumstances that justified the initiation of a sanctioning procedure. Within the framework of these preliminary actions, CAIXABANK received two requirements for said entity to provide essential information to assess the informative clauses offered by the entity to its clients. Among other information, requested that entity provide details on the architecture and operation of the "Common repository"; procedure for the exercise of rights; obtaining personal data social networks, aggregation services and third parties; about him data enrichment; detail on the mechanism implemented to collect the unequivocal consent of the client for the treatment of their data and mechanism for revoke it; and information provided to the client at the time of obtaining the consent in relation to the processing of personal data carried out by the CaixaBank Group companies and their purpose. Subsequently, a new complaint regarding the “Framework Contract”, which was submitted to the prior process of admission for processing, following the mechanism provided for in article 65.4 of the LOPDGDD, which consists of transferring the same to the data protection delegates appointed by those responsible or C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 68 68/177 responsible for the treatment, for the purposes provided in article 37 of the aforementioned regulation, or these when they have not designated them, so that they proceed to the analysis of said complaints and to respond to them within a month. It is an optional procedure, so that this transfer is carried out if the Agency so deems it. The result of said transfer was not satisfactory, therefore, for the intended purposes In its article 64.2 of the LOPDGDD, it was agreed to admit the claim presented by agreement that was duly notified to the claimant, and not to CAIXABANK, in accordance with the provisions of article 65.5 of the LOPDGDD. In accordance with the provisions of article 67 of the LOPDGDD, it was agreed to start new preliminary investigation actions, indicated with number E / 01481/2019, and the incorporation of the second claim received and the documentation that integrates the phase of admission to processing of the latter. Likewise, the entire documentation corresponding to the previous actions indicated with the number E / 01475/2018, including the claim that gave rise to them. The object of these new preliminary investigation actions was determined analysis of the information generally offered by CAIXABANK on the subject of protection of personal data, through all the channels used by the entity (CAIXABANK's compliance with the principle of transparency established in the articles 5, 12 and following of the RGPD, and related precepts); the different treatments of personal data carried out by the entity according to the information offered, in relation to with clients or person who have any other relationship with it, and within the framework of the new regulations applicable from 05/25/2018, including the analysis of the mechanisms employees to obtain the consent of the interested parties; just like him compliance by the aforementioned entity of the rest of the principles related to the treatment established in article 5 of the RGPD. During the course of this new preliminary phase of investigation, a request was made of information to CAIXABANK (a copy of all versions of the "Framework Contract" and possible addenda, information on the channels and methodology to accept the privacy and granularity of the consents, as well as the procedures enabled to publicize the updated privacy policy to clients prior to its validity and acceptance mechanisms) and an inspection visit was made to verify the process of In-person registration at the office, through the web and mobile application, and for verification of the consent modification process, among other issues. It cannot be said, in view of the foregoing, that in this case the previous actions were not necessary or were not carried out to gather data and evidence on the facts committed and those responsible. Indeed, the previous actions number E / 01475/2018 were declared expired by resolution of 02/01/2019, over the course of a twelve-month period provided for in article 122 of RD 1720/2007, of December 21, which approves the Regulations for the development of the LOPD. Said resolution warned about the provisions of Article 95.3 of the LPACAP, which establishes that the expiration will not produce by itself only the prescription of the actions of the Administration, and the opening of a new procedure when the prescription has not occurred. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 69 69/177 This expiration does not have the effect intended by CAIXABANK. Nothing prevents, therefore, the opening of new investigations, with the incorporation of the documentation that integrates expired actions. To this must be added the receipt of a new claim dated 03/29/2019, which is why these new actions of investigation to be initiated had as their object both claims, which resulted in to the investigation file E / 01475/2018 and this one received on 03/29/2019. No legal consequence can be attributed to this fact, beyond the rule of the prescription and the effects attributed to it. On the other hand, it is appropriate to respond to the allegation regarding the expiration of the procedure sanctioning declared by CAIXABANK. Based on the consideration maintained by this entity regarding the impersonation of the instructional activity by the previous actions of investigation, which, as has already been said, has no basis whatsoever, understands that the procedure sanctioning must be considered expired by the expiration of the period foreseen for its resolution, counted from the beginning of the preliminary investigation actions. This claim must also be rejected. The approach that CAIXABANK made on this issue in its allegations to the opening does not comply with the law. Should It should be noted that the expiration period of this procedure, established in nine months, it is computed from the date on which its beginning is agreed, resulting in inappropriate add to this computation, in order to measure the duration of the administrative file, no another period, such as the time of the preliminary investigation actions, or the time that elapses between the completion of these actions and the opening of the procedure, nor the time corresponding to the phase of admission for processing of the claims presented. This has been repeatedly stated by our Supreme Court. In Judgment of 10/21/2015 cites the Judgment of 12/26/2007 (resource 1907/2005), which states the following: “[…] The term of the procedure […] is counted from the initiation of the sanctioning file, which obviously excludes from the computation the time of the reserved information ";" […] The major or minor duration of the preliminary phase does not entail the expiration of the subsequent procedure " . Also in the Supreme Court ruling of 10/13/2011 (resource 3987/2008) that examines a ground of appeal relating to the computation of the expiration period of the procedure, the following is declared: “We cannot share the reasoning presented by the Court of Instance to establish a dies a quo different from that established by law, indicating as the initial date of the computation the day following the completion of preliminary informational proceedings. […] Well, once these previous actions have been carried out, the time it takes the Administration to agreeing to initiate the procedure […] may have the appropriate consequences regarding the calculation of the prescription (extinction of the right); but it cannot be taken into consideration effects of expiration, since this figure is intended to ensure that once the procedure the Administration does not exceed the term available to resolve. On the foundation third of the sentence under appeal, the Court of Instance makes an interpretation of the rule that is not according to the nature of the institution of expiration, since unlike the prescription, which is cause of extinction of the right or responsibility in question, expiration is a way of termination of the procedure due to the expiration of the period established in the norm, so its appreciation does not prevent, if the period established for the prescription of the action of restoration of urban legality by the Administration, the initiation of a new C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 70 70/177 process". Finally, regarding the prescription of the infractions invoked by CAIXABANK In accordance with the provisions of the LOPD, it is enough to point out that it is not this rule that typifies infractions analyzed in this procedure. The object of the sanctioning procedure, as well as that of the previous actions of research, already mentioned, which is perfectly defined in the Law Foundation following, is related to the information offered in general by CAIXABANK regarding the protection of personal data; the different treatments of personal data carried out by the entity according to the information offered, including the analysis of the mechanisms used to obtain the consent of the interested; as well as compliance by the aforementioned entity of the rest of the principles relating to treatment. All this, within the framework of the new regulations, constituted by the RGPD, applicable since 05/25/2018, and the LOPDGDD, in force from the day following its publication in the Official State Gazette, which took place on 12/06/2018. The two claims that give rise to the procedure, including the first of them, received on 01/24/2018, are related to the changes implemented by CAIXABANK for its adaptation to the RGPD, and this has been recognized by the entity itself interested. The action carried out by CAIXABANK is analyzed from the application of the RGPD, that is, as of 05/25/2018, in relation to the extremes that constitute the object of the procedure, and the alleged infractions appreciated according to the sanctioner regulated in the RGPD and the LOPDGDD. This being the case, the prescription of infractions must be assessed in accordance with the provisions of this sanctioning regime and not in that established in Organic Law 15/1999 (LOPD). In this sanctioning procedure, the following infractions are charged: 1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD. 2. Infringement for breach of the provisions of article 6 of the RGPD, typified in the article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) and c) of the LOPDGDD. In accordance with the provisions of articles 72.1 and 74.1 of the LOPDGDD, the Infractions considered very serious will prescribe after three years and minor infractions prescribe in one year, counted from the commission of the offense and until the opening of the procedure with knowledge of the interested party. In this case, all the factual circumstances that appear in the Following legal grounds, which support the commission of the infractions that are declares in this act, they took place within the year prior to the opening of the procedure, in the case of the minor infraction, and within the previous three years, in the case of the infraction very serious; with the limit in the latter case of the date of application of the RGPD (05/25/2018), C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 71 71/177 attending to the object of the aforementioned file. This being the case, neither of the two offenses committed had prescribed at the time when the notification to CAIXABANK of the opening of the procedure took place. - 4. The enumeration of the graduation criteria in the opening agreement, without any motivation and without specifying whether they are applied as aggravating or mitigating cause of helplessness. In the opinion of this Agency, the agreement to initiate the procedure is in accordance with the provisions in article 68 of the LOPDGDD, according to which it will be enough to specify the facts that motivate the opening, identify the person or entity against which the procedure is directed, the offense that could have been committed and its possible sanction (in this case, of the different corrective powers contemplated in article 58.2 of the RGPD, the Agency deemed appropriate the imposition of a fine, in addition to the adoption of measures to adjust its performance to the regulations, without prejudice to what could result from the instruction of the procedure). In the same sense, article 64.2 of the LPACAP is expressed, which establishes expressly the minimum content of the initiation agreement. According to this precept, among others details, must contain “the facts that motivate the initiation of the procedure, its possible legal qualification and the penalties that may correspond, without prejudice to what results of the instruction ” . In this case, not only are the aforementioned requirements fully met, but also which goes further by offering reasons that justify the possible legal qualification of the facts valued at the beginning and, even, the circumstances that may influence the the determination of the sanction. In accordance with the foregoing, it cannot be said to point out the possible sanction that may correspond for the imputed infractions, with mention of the circumstances that influence is your determination, is a cause of helplessness. CAIXABANK, in this case, has seen respecting all the guarantees of the interested party provided by the procedural regulations and cannot be said that the enumeration of the circumstances or factors of graduation of the fine suppose any reduction of said guarantees causing defenselessness. Article 68 of the aforementioned LOPDGDD regulates the content that the agreement must include initiation of the sanctioning procedure. However, it is the minimum content required, of the elements that must be detailed in the aforementioned agreement to determine its validity. But nothing prevents that, as indicated above, the circumstances are mentioned that can influence the determination of the sanction, which will undoubtedly benefit of the interested party, who sees his right of defense reinforced and favored. III The actions outlined in the Background of this act are intended to analyze the information offered in general by CAIXABANK on the subject of protection of personal data, through all the channels used by the entity C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 72 72/177 (CAIXABANK's compliance with the principle of transparency established in the articles 5, 12 and following of the RGPD, and related precepts); the different treatments of personal data carried out by the entity according to the information offered, in relation to with clients or person who have any other relationship with it, including the analysis of the mechanisms used to obtain the consent of the interested; as well as compliance by the aforementioned entity of the rest of the principles related to the treatment established in article 5 of the RGPD. All this, within the framework of the new regulations, constituted by the RGPD, applicable since 05/25/2018, and the LOPDGDD, in force from the day following its publication in the Official State Gazette, which took place on 12/06/2018. The CAIXABANK entity has reported that it began its adaptation to the RGPD in the year 2016, and that it was carried out mainly through the implementation of the document called “Framework Contract” in June 2016, of which six versions since then, dated 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019, according to that entity has informed this Agency. Too a declared that the "Framework Contract" regulates the entire customer relationship with CAIXABANK and the Group companies whose products it sells, informs of all the treatments derived from the contractual relationship and requests the necessary consents for the treatment of personal data at the Group level. This document, which It serves as a form for collecting personal data and that the client signs with his signature, is the one employed by CAIXABANK as a priority to comply with the requirements transparency and manifestation of consent by clients for the processing of your personal data. Of the six versions, the 4th version will be reviewed in this procedure. (Annex I), dated by CAIXABANK on 11/12/2018, and the two subsequent ones that modify it slightly (the 5th version presents some modifications in section 6.4 “Subscription of documents and contracts by electronic signature ” , and deletes section 7.2, referring to "Treatment of biometric data in the electronic signature of documents" ; and version 6 presents changes in section 4 "Compliance with regulatory obligations in tax ” , but without significant changes in terms of data protection personal), since it is these versions that appear with a greater adaptation to the GDPR and, furthermore, for temporary reasons. The first three versions (1, 2 and 3) refer to the LOPD and do not refer to specific issues regulated in the RGPD, such as the legal basis of the treatment (legal obligation, legitimate interest or consent); rights of deletion, limitation and portability; right to file a claim with the Spanish Agency for the Protection of Data; existence of a data protection officer and means enabled to contact with the same. In the proposed resolution, it was indicated that the 3rd version of the "Framework Contract" constituted the information offered by CAIXABANK on 05/25/2018 and that it shows the deficiencies expressed, among others. In relation to this issue, CAIXABANK has alleged that version 4 was implemented in June 2018 and not in November of that year, and provides a copy of a "Contract Marco ”signed by a client on 06/08/2018, whose content coincides with the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 73 73/177 corresponding to this 4th version, outlined in Annex I. It should be noted in this regard that it was the CAIXABANK entity itself that dated the version 4 of this document in November 2019, as stated in the documentation contributed to inspection services. In any case, this circumstance does not modify none of the conclusions expressed in the motion for a resolution or in this act on the defects of information appreciated and in relation to the treatment of the data, based on the content of this 4th version and those made subsequently by CAIXABANK. It has already been said that the changes produced in versions 5 and later with respect to the version 4 only affect the processing of biometric data in the electronic signature of documents and compliance with regulatory obligations in tax matters. The aforementioned 4th version, dated by CAIXABANK on 11/12/2018, is the first version that refers to specific issues regulated in the RGPD, such as the legal basis of the treatment (legal obligation, legitimate interest or consent); erasure rights, limitation and portability; right to file a claim with the Spanish Agency for Data Protection; existence of a data protection officer and authorized means to contact him. The complete content of this version, in relation to protection of personal data, appears in Annex I. This "Framework Contract", as stated in section 2, establishes the basic rules that will regulate the commercial, business and contractual relationships that are formalized between the client and CAIXABANK. Thus, this document dedicates sections 3 to 6 to inform and regulate about essential issues governing Business Relationships, such as the relating to the prevention of money laundering and the financing of terrorism, the compliance with regulatory obligations in tax matters, the application of sanctions international economic-financial and the fight against fraud or the general aspects of the contracting of products and services, which will not be the object of the actions, except the mentions to the treatments that derive from these questions contained in the following sections of the contract. The following sections of the "Framework Contract" deal with the "Policy of Privacy ”, the use and treatment of personal data and authorizations for the use of the data that is carried out for the development of commercial activity owned by CaixaBank and the CaixaBank Group companies, which are of interest for the purposes of present sanctioning procedure. It is also interesting to analyze in this file the information on protection of data offered in general by CAIXABANK and the mechanisms for providing the consent enabled by other means, channels or channels, referred to in the background of this agreement, based on the fact that the "Framework Contract" contains a reference specific to these other media. Specifically, we refer to the following documents: . "Privacy Policy" available on the entity's website: section 7 of the "Contract Frame ”contains indicates “ You can find complementary information to which you are facilitates in this contract, regarding the processing of your personal data in www.CaixaBank.com/privacidad ” . . Social media contract: section 8 of the “Framework Contract” details the data personal used for the purposes described in that same section. Among them are they mention "the data obtained from social networks that the signer authorizes to consult" . Bliss C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 74 74/177 authorization is provided in the so-called Social Networks Contract. . Aggregation service contract: section 8 of the “Framework Contract” details the personal data used for the purposes described in that same section. Between the data used for the purposes described in the same section 8 of the "Framework Agreement" is mention “data obtained from third parties as a result of requests for aggregation of data requested by the signer ” . Said request is formalized through the called Aggregation Service Contract. In addition to the aforementioned "Framework Contract", to offer information on the protection of personal data and obtain the consent of its clients for the data processing for "commercial" purposes and transfer of data to third parties, CAIXABANK uses the document called by said entity "Consent Agreement" . According It appears in the label of this document, through it the client is requested "Authorization for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group ” . Of this "Agreement of consents", three versions (the one provided by the claimant on 01/24/2018, outlined in the First Fact -Version 1; the one provided by CAIXABANK on 07/10/2018, outlined in the Second Fact and transcribed in Annex II -Version 2; and the one attached to the Inspection Certificate dated 11/28/2019, outlined in Fact Four, the details of which are also included in Annex II -Version 3). For temporary reasons, the document examination procedure is dispensed with provided by the claimant, prior to the date of application of the RGPD. On the other hand, considering the object of the preliminary investigation actions aforementioned, the information offered on this matter in the forms used to contract products or services that, due to their specialty, include their own data protection clauses, as reported by the entity CAIXABANK. Except for what is related to the aforementioned contracts, for which the client consent to access to personal data on social networks and "aggregation service". And neither does it examine the action that the companies that make up the so-called “CaixaBank Group” for compliance with the principle of transparency or the specific procedures that they have enabled to obtain the consent of their clients for the processing of personal data that they carry or intend to carry out, or in relation with the other aspects outlined. The analysis of the procedures established by CAIXABANK is also excluded. for the management of clients' rights, only interested in the mechanisms arranged so that the client can revoke the consents he had given, in the extent to which this mechanism is also used for the modification of said consents, and therefore may lead to the provision of new ones. Likewise, although part of the information contained in the Impact Evaluations provided by CAIXABANK, which have been outlined in the Background, no data security analysis is carried out. In accordance with the foregoing, the conclusions that may be derived from this procedure will not suppose any pronouncement regarding the previous aspects C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 75 75/177 discarded, or in relation to the CaixaBank Group entities. IV In accordance with the delimitation expressed in the previous Law Foundation, to The effects of this procedure are of interest in the content related to data protection of personal nature of the "Framework Agreement" and the "Consent Agreement" ( "Authorization revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group ” ), the“ Privacy Policy ”accessible to through the entity's website and the information offered in relation to personal data of social networks and aggregation service. The content of these documents consists reproduced in Annexes. The "Framework Contract", which serves as a data collection form and which is the document used primarily to provide information on the protection of personal data, is presented as mandatory subscription for the client, establishing expressly that the signature of the document implies that it "knows, understands and accepts its content ” . It is also established that the terms and conditions are of general application. to all "commercial relationships" of the interested party "with CaixaBank and the Group companies CaixaBank, and therefore, the subscription and validity of this Agreement, respecting the corresponding rights of choice that the Signatory grants the clause, is necessary for the contracting and maintenance of product or service contracts ” . The options or "choice" referred to in the previous paragraph have to do with consents collected in the clauses of the "Framework Contract" subject to its effective acceptance by the client, which must be provided during the contracting process and that are incorporated, once those options have been expressed by the client, to the data section personal and socioeconomic status of the bedside. It is about the consents for the processing of personal data that are requested from the interested party in clause 8 (outlined and segmented, receipt of commercial impacts and transfer to third parties). The information provided to the interested party in this document in relation to the protection of personal data is structured according to the legal basis that legitimizes the treatment of the data, dedicating section 7 to the treatments “based on the execution of contracts, legal obligations and legitimate interest and privacy policy ” , section 8 to the “treatment and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank group based on consent ” . The aforementioned section 7 includes a subsection related to "data processing biometric in the electronic signature of documents ” and provides information on the "Treatments based on legitimate interest" , included as one of the headings of the Subsection that informs about data processing "for regulatory purposes" . For its part, section 8 reports on treatments based on the "Consent" , which CAIXABAN groups into the following three purposes, and also informs on the "data" that will be processed for the first two purposes of the aforementioned continuation: “(I) data analysis and study treatments for commercial purposes by CaixaBank and companies of the CaixaBank group C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 76 76/177 (ii) the treatments for the commercial offer of products and services by CaixaBank and the companies of the CaixaBank group (iii) the transfer of data to third parties ” . To what is indicated, sections 9 "Exercise of rights in matters of data protection ” and 10 “ Data Protection Delegate ” , as well as a subsection dedicated to the "Data conservation period" , inserted in section 11 referring to the duration, resolution and modification of the contract. Section 11 is not related to the procedure (applicable law and jurisdiction). AND section 13 corresponds to the signing of the document. Its label is “Digitization of the signature and identification documentation of the client ” and offers the following information: "The signature that the Signatory stamps at the bottom of this Contract, in addition to having the purpose of Acceptance of the content of this Contract, will be used for digitization and registration, in order to to serve as a basis for verifying signatures that are stamped on any document that is present to CaixaBank… ”. “[…] For the identification of the client by the entity's employees, the Signatory authorizes CaixaBank, expressly, the digitization and registration of its official identification document, which which includes the digitization of its image contained in the photograph that it incorporates ”. The following Law Fundamentals will not detail the content of the document called by CAIXABANK "Consent Agreement" ("Authorization / Revocation"), since its structure and content coincide almost literally with Clause 8 of the “Framework Agreement” (the references that in these Fundamentals of Right are made to this clause 8 or section 8 serve equally to the "Contract of Consents ”, unless otherwise specified). However, the differences that can be seen between both documents. Likewise, the "Privacy Policy" document available on the CAIXABANK website, which is incorporated as Annex V, with thirteen sections, provides a generic information on the identity of the person in charge (without referring to the existence of a "common repository" to CAIXABANK and the Group companies), data collected, information obtained from browsing the web and mobile applications, purposes, legal basis that covers the data processing, security, data retention, assignments, transfers internations, data protection officer and rights of the interested party. It is interesting to highlight that this "Privacy Policy", when referring to uses based on consent, warns the interested party that they may use "all the data we have about you" ; and in the section "To whom is my data disclosed?" is informed about the exchange of information with companies of the CaixaBank Group. Finally, in relation to the obtaining and use of personal data of the interested in social networks or obtained from the aggregation service, is informed about data, purposes, treatments based on the consent and rights of the interested party. In the last In addition, it is informed about data processing based on legitimate interest and data retention. The full content of this information (except the sections excluded from analysis) It is reproduced in Annexes. V C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 77 77/177 Article 5 "Principles relating to treatment" of the RGPD establishes: "1.The personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency"); b) collected for specific, explicit and legitimate purposes, and will not be further processed as manner incompatible with said purposes; in accordance with Article 89 (1), further processing of personal data for archival purposes in the public interest, scientific research and historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of purpose "); c) adequate, pertinent and limited to what is necessary in relation to the purposes for which they are processed ("Data minimization"); d) accurate and, if necessary, updated; All reasonable steps will be taken to ensure that delete or rectify without delay personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy"); e) maintained in a way that allows the identification of the interested parties for no longer than necessary for the purposes of processing personal data; personal data may be kept for longer periods provided they are treated exclusively for archival purposes in the public interest, scientific or historical research purposes or statistical purposes, in accordance with Article 89 (1), without prejudice to the application of technical and organizational measures regulations imposed by this Regulation in order to protect the rights and freedoms of the data subject ("limitation of the conservation period"); f) treated in such a way as to guarantee adequate security of personal data, including the protection against unauthorized or illegal processing and against its loss, destruction or damage accidental, through the application of appropriate technical or organizational measures ("integrity and confidentiality '). 2. The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and able to prove it ('proactive responsibility') ”. In relation to the aforementioned principles, what is stated in the Recital 39 of the aforementioned RGPD: "39. All processing of personal data must be lawful and fair. For natural persons it should be totally clear that data is being collected, used, consulted or otherwise processed personal data that concern them, as well as the extent to which said data is or will be processed. He The principle of transparency requires that all information and communication regarding the treatment of said data is easily accessible and easy to understand, and that simple and clear language is used. Saying The principle refers in particular to the information of the interested parties about the identity of the person in charge treatment and the purposes thereof and the information added to ensure fair treatment and transparent regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. The natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data as well as how to enforce your rights in relation to treatment. In particular, the specific purposes of the processing of personal data must be explicit and legitimate, and must be determined at the time of collection. The data Personal data must be adequate, relevant and limited to what is necessary for the purposes for which be treated. This requires, in particular, to ensure that their term of office is limited to a strict minimum. conservation. Personal data should only be processed if the purpose of the treatment could not be reasonably accomplished by other means. To ensure that personal data is not kept longer than necessary, the data controller must establish deadlines for its deletion or Periodic revision. All reasonable steps should be taken to ensure that they are rectified or delete personal data that are inaccurate. Personal data must be treated in a way C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 78 78/177 that guarantees adequate security and confidentiality of personal data, including for prevent unauthorized access or use of said data and the equipment used in the treatment ”. SAW Article 4 of the RGPD, under the heading "Definitions", provides the following: "2)" treatment ": any operation or set of operations carried out on personal data or sets of personal data, whether by automated procedures or not, such as collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of access authorization, collation or interconnection, limitation, deletion or destruction ”. In accordance with these definitions, the collection of personal data through of forms enabled for this purpose constitutes data processing, with respect to which the data controller must comply with the principle of transparency, established in article 5.1 of the RGPD, according to which personal data will be “treated in a manner lawful, loyal and transparent in relation to the interested party (legality, loyalty and transparency) ” ; and developed in Chapter III, Section 1, of the same Regulation (articles 12 and following). Article 12.1 of the aforementioned Regulation establishes the obligation of the person responsible for treatment of taking the appropriate measures to "provide the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way access, in clear and simple language, in particular any information addressed to a child". In the same sense, article 7 of the RGPD is expressed for cases in which the consent of the interested party is given in the context of a written statement, such as occurs in the present case. According to this article, said request for consent “is presented in such a way that it is clearly distinguished from other matters, in an intelligible way and easily accessible and using clear and simple language ” . It is added in this precept that no part of the declaration that constitutes an infringement of these Regulations will be binding. Article 13 of the aforementioned legal text details the “information that must be provided when the personal data is obtained from the interested party ” and the aforementioned article 14 is refers to the “information that must be provided when personal data has not been obtained from the interested party ” . In the first case, when the personal data is collected directly from the interested party, the information must be provided at the same time that that data Collect. Article 13 of the RGPD details this information in the following terms: 1.When personal data relating to him are obtained from an interested party, the person responsible for the treatment, at the time these are obtained, you will provide all the information indicated below: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing for which the personal data are intended and the legal basis for the processing; d) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the responsible or a third party; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 79 79/177 e) the recipients or categories of recipients of the personal data, if applicable; f) where appropriate, the intention of the person responsible to transfer personal data to a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, paragraph second, reference to adequate or appropriate warranties and means of obtaining a copy of these or the fact that they have been borrowed. 2. In addition to the information mentioned in section 1, the data controller will provide the interested party, at the time the personal data is obtained, the following information necessary to guarantee fair and transparent data processing: a) the period during which the personal data will be kept or, when this is not possible, the criteria used to determine this term; b) the existence of the right to request the data controller access to personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, or to oppose the treatment, as well as the right to data portability; c) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the legality of the treatment based on the consent prior to its withdrawal; d) the right to file a claim with a supervisory authority; e) if the communication of personal data is a legal or contractual requirement, or a necessary requirement to sign a contract, and if the interested party is obliged to provide personal data and is informed of the possible consequences of not providing such data; f) the existence of automated decisions, including profiling, referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as as the importance and expected consequences of said treatment for the interested party. 3.When the controller plans the further processing of personal data for a purpose other than that for which they were collected, will provide the interested party, prior to said further processing, information on that other purpose and any additional information relevant to the of section 2. 4.The provisions of paragraphs 1, 2 and 3 shall not apply when and to the extent that the interested party already has the information ”. Article 14 regulates the information that must be provided in relation to the data that are not collected directly from the interested party: "1. When the personal data has not been obtained from the interested party, the person responsible for the treatment will provide you with the following information: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; c) the purposes of the processing to which the personal data are intended, as well as the legal basis of the treatment; d) the categories of personal data in question; e) the recipients or categories of recipients of the personal data, if applicable; f) where appropriate, the intention of the person responsible to transfer personal data to a recipient in a third country or international organization and the existence or absence of a decision on the adequacy of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, Section 1, second paragraph, reference to adequate or appropriate guarantees and the means to obtain a copy of them or the fact that they have been loaned. 2. In addition to the information mentioned in section 1, the data controller will provide the interested party the following information necessary to guarantee fair data processing and transparent with respect to the interested party: a) the period during which the personal data will be kept or, when that is not possible, the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 80 80/177 criteria used to determine this term; b) when the treatment is based on article 6, paragraph 1, letter f), the legitimate interests of the responsible for the treatment or a third party; c) the existence of the right to request the data controller access to personal data relating to the interested party, and their rectification or deletion, or the limitation of their treatment, and to oppose the treatment, as well as the right to data portability; d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting to the legality of the treatment based on the consent before its withdrawal; e) the right to file a claim with a supervisory authority; f) the source from which the personal data come and, where appropriate, if they come from access sources public; g) the existence of automated decisions, including profiling, referred to in the Article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the logic applied, as well as the importance and expected consequences of such treatment for the interested. 3.The person responsible for the treatment will provide the information indicated in sections 1 and 2: a) within a reasonable period, once the personal data has been obtained, and at the latest within a month, taking into account the specific circumstances in which said data is processed; b) if the personal data are to be used for communication with the interested party, no later than the moment of the first communication to said interested party, or c) if it is planned to communicate them to another recipient, at the latest at the time the data personal information are communicated for the first time. 4. When the person responsible for the treatment plans the subsequent treatment of personal data for a purpose other than that for which they were obtained, will provide the interested party, before said further processing, information on that other purpose and any other relevant information indicated in the section 2. 5. The provisions of paragraphs 1 to 4 shall not apply when and to the extent that: a) the interested party already has the information; b) the communication of such information is impossible or involves a disproportionate effort, in particular for the treatment for archival purposes in the public interest, scientific research purposes or historical or statistical purposes, subject to the conditions and guarantees indicated in article 89, paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article may prevent or seriously impede the achievement of the objectives of such treatment. In such cases, the controller shall adopt adequate measures to protect the rights, freedoms and interests legitimate interests of the interested party, including making the information public; c) the obtaining or the communication is expressly established by the Law of the Union or of the Member States that applies to the controller and that establishes appropriate measures to protect the legitimate interests of the data subject, or d) when personal data must continue to be confidential on the basis of a obligation of professional secrecy regulated by the law of the Union or of the Member States, including an obligation of secrecy of a statutory nature ” . For its part, article 11.1 and 2 of the LOPDGDD provides the following: "Article 11. Transparency and information to the affected 1. When personal data are obtained from the affected party, the person responsible for the treatment may give compliance with the duty of information established in article 13 of Regulation (EU) 2016/679 providing the affected party with the basic information referred to in the following section and indicating a electronic address or other means that allows easy and immediate access to the remaining information. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 81 81/177 2. The basic information referred to in the previous section must contain, at least: a) The identity of the person responsible for the treatment and their representative, if applicable. b) The purpose of the treatment. c) The possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679. If the data obtained from the affected party were to be processed for profiling, the information You will also understand this circumstance. In this case, the affected party must be informed of your right to object to the adoption of automated individual decisions that produce effects legal acts on him or significantly affect him in a similar way, when this right to in accordance with the provisions of article 22 of Regulation (EU) 2016/679 ” . In relation to this principle of transparency, it also takes into account the expressed in Recitals 32, 39, reproduced in the previous Legal Basis, 42, 47, 58, 60, 61 and 72 of the RGPD. Part of the content of these is reproduced below Considering ourselves: (32) Consent must be given by a clear affirmative act that reflects a manifestation of free, specific, informed, and unequivocal will of the interested party to accept the processing of data from personal character concerning you, such as a written statement, including by means electronic, or verbal statement. This could include checking a box on a website on the internet, choose technical parameters for the use of information society services, or any other statement or conduct that clearly indicates in this context that the interested party accepts the proposal for the treatment of your personal data. Therefore, the silence, the boxes already marked or inaction should not constitute consent. Consent must be given for all the treatment activities carried out with the same or the same purposes. When the treatment has various purposes, consent must be given for all of them. If the consent of the interested party has been to give as a result of a request by electronic means, the request must be clear, concise and not unnecessarily disturbing the use of the service for which it is provided. (42) When the treatment is carried out with the consent of the interested party, the person responsible for the treatment must be able to demonstrate that he has given his consent to the operation of treatment. In particular in the context of a written statement made on another matter, there must be guarantees that the interested party is aware of the fact that he gives his consent and to the extent that it does. In accordance with Council Directive 93/13 / EEC (LCEur 1993, 1071), A model declaration of consent must be provided previously prepared by the responsible for the treatment with an intelligible and easily accessible formulation that uses a language clear and simple, and that does not contain abusive clauses. For the consent to be informed, the The interested party must know at least the identity of the person responsible for the treatment and the purposes of the treatment for which the personal data is intended. Consent must not be considered freely provided when the interested party does not enjoy a true or free choice or not You can deny or withdraw your consent without suffering any harm. (47) The legitimate interest of a data controller, including that of a controller who is may communicate personal data, or that of a third party, may constitute a legal basis for the treatment, provided that the interests or rights and freedoms of the interested party do not prevail, taking into account the reasonable expectations of the interested parties based on their relationship with the responsable. Such a legitimate interest could arise, for example, when there is a relevant relationship and appropriate between the interested party and the controller, as in situations in which the interested party is a client or is at the service of the person in charge. In any case, the existence of a legitimate interest would require a meticulous evaluation, including whether a data subject can reasonably foresee, at the time and in the context of the collection of personal data, which may be processed for this purpose. In In particular, the interests and fundamental rights of the interested party could prevail over the interests of the data controller when the personal data is processed in circumstances in which the interested party does not reasonably expect a treatment to take place further ... The processing of personal data strictly necessary for the prevention of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 82 82/177 Fraud is also a legitimate interest of the data controller in question. He processing of personal data for direct marketing purposes can be considered carried out by legitimate interest. (58) The principle of transparency requires that all information directed to the public or the interested party be concise, easily accessible and easy to understand, and use clear and simple language, and, also, if applicable, it is displayed ... (60) The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The data controller must provide the interested party as much additional information is necessary to guarantee fair treatment and transparent, taking into account the specific circumstances and context in which the data is processed personal. The interested party must also be informed of the existence of profiling and of the consequences of such elaboration. If the personal data is obtained from the interested parties, They should also be informed of whether they are obliged to provide them and of the consequences in the event that don't ... (61) Interested parties should be provided with information on the processing of their personal data in the time they are obtained from them or, if they are obtained from another source, within a reasonable time, depending on the circumstances of the case ... (72) Profiling is subject to the rules of this Regulation that govern the processing of personal data, such as the legal bases of the processing or the principles of Data Protection… CAIXABANK, according to proven facts, performs data processing personal data obtained from customers, directly or "indirectly" , as well as data personal data obtained from sources other than those interested or inferred by the entity. It is therefore obliged to provide information in the terms established in the RGPD and the LOPDGDD. - The information offered to CAIXABANK clients is not uniform. Analyzed the information on the protection of personal data offered by CAIXABANK, considering the various documents and channels through which it is offered, It is found that it is not uniform, not even in terminology, it is not offered with the same breadth to all clients and in all situations (in some cases the “Contract Marco ”, in others the“ Consent Agreement ”and for other clients only the“ Policy Privacy ”), and it is not updated in the same way in each case. CAIXABANK has argued that the duty of information is fulfilled with the "Contract Marco ”and not with the rest of the documents, which are merely complementary to that one, which are used at different times and scenarios, and not simultaneously, and are not intended to object to comply with what is mandated by article 13 of said Regulation, since they are addressed to clients already informed. However, this claim does not coincide with the checks carried out. It is true that the "Framework Contract" is the document used primarily, which also serves as a form for collecting personal data and for the provision of consents collected by CAIXABANK for commercial purposes. But it has been proven that the information on data protection was provided to some customers only C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 83 83/177 through the "Consent Agreement" and the "Privacy Policy", without them having signed the "Framework Contract". The "Consent Agreement", although it has been used and currently uses as a document to revoke and modify consents, it was conceived as a document to "authorize" data processing based on this legal basis, as well as than the "Framework Contract", and has not lost that character (its initial name was "Authorization for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank Group ” ; and the current "Authorization / Revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank Group ” ). It is proven that the "Framework Contract" for the collection of consents, not in the case of all clients. The CAIXABANK entity itself, in its response to the Inspection Services of the Agency dated 07/17/2018, stated that the "Consent Agreement" is used, not only to modify the consents given, but also to collect them. He The claimant is an example of a client who has not signed the "Framework Agreement" and provided their consents through the "Consent Agreement", signed on 01/24/2018 and modified in May 2018, as could be seen in the inspection carried out on the 11/28/2019 (as of this date, the claimant had not signed the “Framework Contract”) The same can be said of the "Privacy Policy" available on the website of the entity. Although it is indicated in the "Framework Contract" that includes "complementary information to the one provided in this contract ” , the Privacy Policy has also been the only information on protection of personal data that some clients have received, the which did not sign the “Framework Agreement” or the “Consent Agreement”. CAIXABANK was consulted in this regard by the Agency's Inspection Services on the procedures enabled to publicize the updated "Privacy Policy" to the RGPD to clients prior to the application of this rule and the mechanisms to collect your acceptance. In its response of 11/20/2019, CAIXABANK reported that said "Policy of Privacy ”is intended to provide complete information to customers who in May 2018 they had not signed the framework contract; and distinguishes since May 2018 the situations following: . The one corresponding to "pre-existing" clients who signed the "Framework Contract" or who received the "Privacy Policy". . That of new clients, who in their first relationship sign the "Framework Contract". In relation to the "Privacy Policy", you have provided details about your transfer to existing customers as of May 2018, specifically, the sending of 15,917,507 communications, of which 5,663,683 were made by postal mail and 10,253,824 through banking to distance with a warning pop up (“If you want to know more about our commitment to your data and your privacy, you have a statement available in your MailBox -Access MailBox ”). Also in its brief of allegations at the opening of the procedure, the aforementioned entity refers to clients prior to May 2018, distinguishing between those who have signed the “Framework Agreement”, those who have signed the “Consent Agreement” and those others to whom you asked and they didn't answer. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 84 84/177 On the other hand, these documents are not uniform in their content either, as will be described in the following sections and Fundamentals of Law. As an example of these differences, the valued between the "Framework Contract" and the "Consent Contract", being the most It is significant that this last document offers information basically equivalent to the Clause 8 of the "Framework Contract", so that customers who sign this document they do without having essential information. But this is not the only difference in terms of information content: . Version 2 of the "Consent Agreement" (Annex II) referred to the management of the data "from a common information repository of the CaixaBank Group Companies" that does not appear in the “Framework Contract” (this indication disappears in Version 3 of that document). . Differences regarding the exercise of rights, existence of a Protection Delegate of Data and the data retention period, which are detailed in the last two sections of this Legal Basis. . Version 3 of the "Consent Agreement", in the authorization (ii) of section corresponding to purpose 1 ( “Analysis, study and follow-up treatments for offer and design of products and services adjusted to the client profile ” ) the possibility is added to associate the data of the signer with those of other clients, which does not appear in the "Contract Framework". As can be seen, the different information that customers receive has to do with the document used in each case to provide the information, in addition to its different content, beyond the processes of updating those documents alleged by CAIXABANK to justify this deficiency. CAIXABANK says nothing about those circumstances in its brief of allegations to the proposal, in which it only indicates that said proposal seems to show that all clients have access to all documents and, uniquely, that all clients have both the "Consent Agreement" as the "Framework Agreement", which does not coincide with what exposed. CAIXABANK denies this lack of uniformity, but, at the same time, alleges that the improvement process that it has developed has been a co-honesty of all the documents. - Use of imprecise terminology and vague formulations In accordance with the foregoing, at the time of collecting personal data the data controller must provide interested parties with the information established in the cited standards, “in a concise, transparent, intelligible and easily accessible way, with a clear and simple language ” . CAIXABANK does not report clearly and systematically on data processing personal or the purposes for which they will be used. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 85 85/177 Sometimes information on key aspects such as categories of data personal processed, the purposes or the legal basis that enables the treatment, employs unclear and imprecise expressions, or vague formulations, with ambiguous meanings in some cases, and whose true scope is not developed; expressions that are repeated and that CAIXABANK uses to support different actions, treatments, purposes or legitimations. In addition, with some of these expressions, the data protection policy is shown as a benefit for the client, implying that its non-acceptance will mean loss of customer benefits. Expressions such as "get to know you better", "customize your experience "," commercial offers tailored to your needs and preferences "," improve the design and usability of the products "," products and services adjusted to your profile ", "Information generated from the products themselves", "analysis and study", "study products and services "or" design products and services "," for our own management "," give you a better service "," communicate your data to third parties with whom we have an agreement "," expectation reasonable to receive ”,“ management needs ”,“ analysis, study and follow-up for the offer and design of products and services adjusted to the profile ” . Nor can the interested party clearly deduce the meaning of these expressions from starting from the context in which the information is offered and the expression of will is collected of the interested party, or from the context of the contractual relationship that binds the interested party with the responsible entity. On this contextual basis or factual context, the client is not able to understand the data to be recorded or the meaning of the purposes pursued by CAIXABANK with the treatment, when these are not specified clearly, especially considering the variety and complexity of the purposes of the personal data processing carried out by CAIXABANK in its capacity as entity financial institution that occupies a relevant position in the market, which requires a additional when specifying the information on the aforementioned aspects. From all this it follows that the information offered in this matter is indeterminate in the aspects indicated and difficult to understand by any interested party, regardless of your qualifications, and demonstrates the extent to which you need to be an expert to understand such information and its scope. The terminology in those expressions, in short, is alien to compliance strict principle of transparency, and prevents interested parties from knowing the meaning and real meaning of the indications provided and the real scope of the consents that can be provided, which means understanding that the right to data protection has been violated personal, understood as the ability of the affected to decide on treatment. CAIXABANK, in its arguments at the opening of the procedure, limits itself to qualifying these arguments as subjective appraisals, with no evidence to show what understand or not the clients, adding that external work has been carried out to verify that the contractual documents can be easily understood by the average customer, the which does not contribute. However, in the opinion of this Agency, the lack of clarity of those formulas or C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 86 86/177 expressions is obvious and objective, as demonstrated by the difficulty of concluding its real and concrete scope. The expressions so repeated by CAIXABANK in the documents reviewed are include as examples of bad practices in the document of the Article Working Group 29 “Guidelines on transparency under Regulation 2016/679” , adopted on 11/29/2017 and revised on 04/11/2018. These Guidelines analyze the scope to be attributed to the elements of transparency established in article 12 of the RGPD, according to which the person responsible for the treatment will take the appropriate measures to "provide the interested party with all information indicated in articles 13 and 14, as well as any communication in accordance with articles 15 to 22 and 34 related to the treatment, in a concise, transparent, intelligible and easy way access, with clear and simple language ” , which must be related to what is expressed in Recital 39 of the aforementioned Regulation. From what is stated in these Guidelines, it is highlight at this time the following: "The requirement that the information be" intelligible "means that it must be understandable to the average member of the target audience. Intelligibility is closely linked to the requirement of use clear and simple language. A data controller who acts responsibly You will proactively get to know the people you collect information about and can use this knowledge to determine what said audience is likely to understand… ”. << Clear and simple language In the case of “written” information »(and when written information is communicated verbally, or through auditory or audiovisual methods, also for people with vision problems), have to follow best practices to write clearly. The EU legislator has already used previously a similar linguistic requirement (appealing to the use of “clear and understandable terms”) and it is also explicitly mentioned in the context of consent in recital 42 of the RGPD. The obligation to use clear and simple language implies that the information must be facilitated in the simplest possible way, avoiding sentences and complex linguistic structures. The information must be concrete and categorical; should not be formulated in abstract or ambivalent terms nor leave room for different interpretations. Specifically, the purposes and legal basis of the treatment of personal data must be clear. Examples of Poor Practice The following statements are not clear enough regarding the purpose of the treatment: . "We may use your personal data to develop new services" (since it is not clear what “services” are treated and how the data will help to develop them); . "We may use your personal data for research purposes" (since it is not clear what type of "research" refers); and . "We may use your personal data to offer you personalized services" (since there is no clear what this "customization" implies). Examples of good practices . "We will retain your purchase history and use details of the products you have purchased above to suggest other products that we think might also interest you ”(it is clear that types of data will be processed, that the interested party will be the object of personalized product advertising and that your data will be used in this regard); . “We will retain and evaluate information about your recent visits to our website and how navigate through the different sections of the same in order to analyze and understand the use that the people make our website and be able to make it more intuitive ”(it is clear what type of data is will treat and the type of analysis that the person in charge is going to carry out); and . “We will keep a record of the articles on our website that you have clicked on and we will use C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 87 87/177 that information to personalize, from the articles you have read, the advertising that we show you on this website to suit your interests ”(it is clear what personalization entails and how the interests attributed to the interested party have been identified) >> . The foregoing must be interpreted, in any case, taking into account the principles established in article 5 of the RGPD, especially the principle of loyalty. Recital 42 of the same text also refers that the form in which the information is offered in Personal data protection must not contain unfair terms. - Information on the processing of personal data based on the relationship contractual. In the section dedicated to purpose 1 "Management of business relationships" , CAIXABANK informs about the treatment of the following personal data: . The personal data provided by the client. . Personal data derived from business relationships. . Personal data derived from commercial relationships of CAIXABANK and CaixaBank Group companies with third parties (this section does not refer to the relationship business of the interested party / client with CAIXABANK, but to relationships of this entity and those that make up the Group with third parties; without explaining the nature of these relationships with third parties and without specifying what data of these relationships are necessary for the execution of the contract subscribed by the interested party / client, nor who is the owner of that data). . Personal data "made from them" (without specifying if it refers to the last indicated or all of the above). . Digitization and registration of identification documents and signature. It is estimated that the information included in this section should be rectified and suitably completed in such a way that it allows to assess and determine with certainty if the outlined treatments can be covered by this legal basis (the execution of the contract) or, on the contrary, its collection and subsequent treatment requires the consent of the interested party. Is It is necessary to know what CAIXABANK understands by data derived from the relationships commercial or data "made from them" and what use is given to them for the fulfillment of the contractual relationship. Likewise, it is necessary to point out the confusion that it produces on the legal basis of the treatment (treatments for the execution of the contract or based on consent) the Mention made in this section to "Commercial Relations" and what CAIXABANK called "commercial purposes". The sub-section label indicates “Treatments of personal data in order to manage business relationships " , within a more general section relating to processing "based on the performance of the contract" , while the text also refers to the treatments that the signer accepts for commercial purposes. The text reads like this: "The personal data of the signer ... will be incorporated ... to be treated in order to comply with and maintain the themselves (commercial relations) , verify the correctness of the operation and the purposes commercials that the signer accepts in this contract ” . - Information on the categories of personal data subjected to treatment; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 88 88/177 and on the specific categories of personal data that will be processed for each one of the specific purposes. The information offered is incomplete in relation to key aspects, such as the categories of personal data processed. In accordance with the criteria stated by the European Committee for the Protection of Data, that information would be necessary in relation to those data processing whose legal basis is determined by the consent of the interested party. This is how the Group understood it of Article 29 in its document “Guidelines on consent under the Regulation 2016/679 ” , adopted on 11/28/2017, revised and approved on 04/10/2018 (these Guidelines have been updated by the European Data Protection Committee on 05/04/2020 through the document “Guidelines 05/2020 on consent in accordance with to Regulation 2016/679 ” , which keeps the parts that are transcribed literally identical then). The Article 29 Working Group draws its conclusions from the definition of the "consent" contained in article 4 of the RGPD, which is expressed in the terms following: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear action affirmative, the processing of personal data that concerns him ” . From this definition, they are specified as necessary elements for the validity of the consent to the following: . Manifestation of free will . specific . informed and . unequivocal by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data concerning you. In relation to the element "manifestation of specific will" it is said: “3.2. Specific manifestation of will (…) Ad. ii) The consent mechanisms should not only be separated in order to comply with the "free" consent requirement, but must also comply with the consent requirement "specific". This means that a data controller seeking consent to several different purposes, it must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, the data controllers must provide, with each request for separate consent, specific information about the data that will be processed for each purpose, with the In order for the interested parties to know the impact of the different options they have. Of this Thus, data subjects are allowed to give specific consent. This question overlaps with the requirement that those responsible provide clear information ”. Furthermore, consent, to be valid, must be informed. This item is analyzed in the aforementioned "guidelines" as follows: 3.3. Informed manifestation of will C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 89 89/177 The GDPR reinforces the requirement that consent must be informed. In accordance with the Article 5 of the RGPD, the requirement of transparency is one of the fundamental principles, closely related to the principles of loyalty and lawfulness. Provide information to interested parties before obtaining their consent is essential so that they can make informed decisions, understand what they are authorizing and, for example, exercise your right to withdraw your consent. If the person in charge does not provide accessible information, the user's control will be illusory and consent will not constitute a valid basis for the processing of the data. If the requirements for informed consent are not met, the consent will not be valid and the person in charge may be in breach of article 6 of the RGPD. 3.3.1. Minimum content requirements for consent to be "informed" For the consent to be informed, it is necessary to communicate to the interested party certain elements that they are crucial to choosing. Therefore, the WG29 believes that it requires, at least, the information following to obtain valid consent: i) the identity of the data controller, ii) the purpose of each of the processing operations for which consent is requested, iii) what (type of) data will be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of the data for automated decisions in accordance with article 22, paragraph 2, letter c), where relevant, and vi) information on the possible risks of data transfer due to the absence of a decision of adequacy and adequate guarantees, as described in article 46 >> . The information provided in the "Framework Agreement" on the types of data personal data of clients who undergo treatment is not contained, in general, in a specific section, but is included in each of the sections outlined at the detail the structure of the document, articulated around the legal bases, purposes and Intended data processing. In view of the interpretive criteria on the notion of "informed consent" offered by the European Data Protection Committee, it is considered that CAIXABANK does not provides sufficient information on the type of data that will be submitted to treatments whose legal basis is the consent of the interested parties. This insufficiency is observed in the "Framework Contract" and in the "Contract of Consents "in relation to the purposes of" data analysis and study " and " for the commercial offer of products and services ” , which are reported in section 8 "Treatment and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank Group based on consent ” . In this section it is indicated that they will be treated: among others, the following data: “B) All those generated in the contracting and operations of products and services with CaixaBank, with the CaixaBank Group Companies or with third parties, such as account or card movements, details of direct debits, payroll direct debits, claims derived from insurance policies insurance, claims, etc. ”. "G) Those obtained from the signer's navigations through the digital banking service and other websites of CaixaBank and the CaixaBank Group Companies or the CaixaBank mobile phone application and the Companies of the CaixaBank Group, in which duly identified operates. This data may include information related to geolocation. h) Those obtained from chats, walls, videoconferences or any other means of communication C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 90 90/177 established between the parties ”. All this refers to the data processed by reason of the products and services contracted, so that, although these are known by the user, he cannot know the that will be selected from the use of such products and services. The same can be said Regarding the navigation data and those obtained from the communications that are established between the client and the entity. This information warns the interested party that CAIXABANK may treat "all" data that "are generated in the contracting and operations of products and services". Here are some examples, preceded by the expression "such as" and ending with the expression , "etc." , the use of which should be avoided when offering information on Data Protection. Nor are the examples given descriptive enough to understand the categories of data that will be processed ( "transactions", "receipts", "payroll", " Claims" and "claims" ) . In relation to "direct debit" it is indicated that they will deal with the “details” of the same; and with respect to all these examples it is indicated, as already it has been said that "all" data will be processed . In view of this information, it is clear that CAIXABANK will process data personnel generated in the contracting and operation of products and services contracted with that entity. With this information it is not clear what personal data CAIXABANK will record for each “movement”, “receipt”, “payroll”, “claim” or “claim” (will the concept and issuer corresponding to the payment of a union fee?). It could even happen that the information collected by the responsible entity from the products and services contracted was composed of sensitive data or special categories of data personal, for example, the aforementioned union dues or dues paid to parties politicians, or to religious entities, or for the use of services provided by entities sanitary or religious. It is not concluded that CAIXABANK processes personal data such as those indicated in the previous paragraph. It is said here, simply, in a foundation that analyzes the information offered by CAIXABANK to its clients, that this information is defective in the insofar as it does not allow the recipient of the information to know with certainty all the categories of personal data that will be used by that entity and that, even, the repeated information, due to its lack of specificity, could be covering a collection and unacceptable processing of personal data. The "Privacy Policy" also refers to the use of data generated from the contracted products and services ( “Basically, your data is identification and details of the professional or work activity, your contact information and the financial and socioeconomic data, both those that you have provided us and those that generated from the products or services contracted. Also… we may process data that we obtain from the provision of services to third parties when you are the recipient of the service… ” ) . Also when referring to the personal data that will be used for treatment of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 91 91/177 data based on the legitimate interest of the entity, the "Framework Contract" informs about the use of information "generated from the products contracted during the last year". In This section of the “Framework Contract” regarding legitimate interest states: “We will also treat your information (account movements, card movements, loans, etc.) to personalize your commercial experience in our channels based on previous uses, to offer you products and services that fit your profile, to apply benefits and promotions that we have in force and to which you are entitled, and to assess whether we can assign you credit limits pre-granted that you can use when you consider it most appropriate. In these treatments we will only use information provided by you, or generated from the own products contracted during the last year ”. In this case, insufficient information on the categories of data to be processed is not related to the need for informed consent, given that it concerns treatments based on the legitimate interest of the entity. However, the possible relationship between these processing of personal data based on the interest legitimate and the treatments based on the consent of the interested parties. The use of Personal data based on legitimate interest gives rise to the creation of profiles, which can be later used for treatment with commercial purposes based on the consent of the interested parties; and such personal data, including those outlined, will be communicate to the companies of the CaixaBank Group. This being the case, the defects in the information in relation to the processing of data based on legitimate interest equally affect the validity of consent. The obligation to report on the category of data that will be submitted to treatment is breached also in relation to the data that are not provided to the responsible for the interested party, but are obtained by him from external sources or are inferred by the entity itself. Provide information on the types of personal data submitted to treatment that are not collected directly from the interested parties is required expressly in article 14.1 d) of the RGPD. As detailed above, CAIXABANK not only uses personal data generated in the contracting and operation of products and services contracted with that entity, but also those generated from products and services contracted by the interested party with third parties ( “All those generated in the contracting and operations of products and services… with the CaixaBank Group Companies or with third parties ” ). In relation to these data, the same examples mentioned above are detailed ( "movements", "receipts", "Payroll", "claims" and "claims" ), on which the aforementioned objections serve regarding them. It follows that CAIXABANK, under the condition of data controller, collects and uses personal data that it does not obtain directly from the interested parties. Is about personal data from third parties that CAIXABANK uses for the purposes expressed in the information provided to the interested parties. This is not the only allusion to personal data obtained from third parties, external sources or inferred by the CAIXABANK entity contained in the "Framework Contract": . In relation to the treatments necessary for the execution of the contract, information is provided on the incorporation into the entity's files of data derived from the relationships commercial of CAIXABANK and the companies of the Group with third parties; and data made C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 92 92/177 from the above. . In the section that informs about "Treatment of personal data with regulatory purposes ” , the following references are included: “ (Ii) Verifications will be made of the information provided by the Signatory, contrasting it with external sources, such as the databases of the General Treasury of Social Security or other public bodies, Public Registries, Official Gazettes, or companies that provide Information services". “(Iv) The information available to you regarding the Signatory will be exchanged (assigned and received) with the CaixaBank Group companies (v) The current or past performance of positions of public responsibility will be verified by the signatory. (vi) The relationship of the Signatory with companies will be verified with internal and external sources and, case, its position of control in the ownership structure of the same. (vii) The Signatory will be classified in different degrees in accordance with the Admission Policy of Clients, based on the information provided and that resulting from the operations carried out by the Signatory". . In the same sub-section regarding data processing for regulatory purposes It is also reported on the consultation of data registered in compliance files or breach of monetary obligations (erroneously included in this subsection) and the Risk Information Center of the Bank of Spain, CIRBE (erroneously included in this subsection): “7.3.3 Communication with files of compliance or non-compliance with monetary obligations. The Signatory is informed that CaixaBank, in the study of the establishment of Commercial Relations, You can consult information in compliance files or non-compliance with obligations money ”. “7.3.4 Communication of data to the Risk Information Center of the Bank of Spain The Signatory is informed of the right that CaixaBank SA assists to obtain from the Central Risk Information of the Bank of Spain (CIR) reports on the risks it may have registered in the study of the establishment of Commercial Relations ”. . In section 8, regarding data processing based on consent (and also in the "Consent Agreement") it is expressly added that the data of the client "may be complemented and enriched by data obtained from companies providers of commercial information, by data obtained from public sources, as well as by statistical, socioeconomic data (hereinafter, "Additional Information") always verifying that they comply with the requirements established in the current regulations on data protection ” , without providing any details about the categories of personal data that they will be obtained from these external sources. Also, the Privacy Policy "includes information on data processing of health "in the marketing of certain insurance products (health, life ...)" . On these personal data, it is clarified that the person responsible is the insurance company: “When we market these products, the person responsible for health data is the company insurance company, therefore we want you to know that all insurance companies whose products we commercialize respect and strictly comply with the data protection regulations ”. With the information provided, as indicated above, it is not clear what C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 93 93/177 Personal data are processed or what data CAIXABANK will record. The use by CAIXABANK of personal data from products and services of third parties, from external sources or inferred by the entity itself, requires that provide interested parties with the appropriate information and have a legal basis that protects the treatment. It should be noted that the obtaining of personal data is not questioned in this case from files of compliance with monetary obligations and CIRBE to manage the products and services contracted, provided that it is necessary for the execution of the contract. This is the basis that determines access to this information. However, the use of these personal data by CAIXABANK is not limits to checking the situation of the interested party for the formalization of an operation of risk, but also with the purposes based on consent. Given that in clause or section 8 information is provided on the treatment of "all" the data provided in the establishment or maintenance of commercial or business relationships, it is estimated from CAIXABANK to report on the specific categories of personal data that will be obtained from the files of compliance or non-compliance with monetary obligations and of the CIRBE. On the other hand, in the case of personal data from products and services of third parties, the responsibility for these personal data corresponds to the entity that owns the product purchased by the interested party or provider of the service contracted by the same. When it comes to third-party products or services marketed by CAIXABANK, as in the case of insurance products, this entity accesses such data under the condition of person in charge of treatment, for her mediating intervention. This Agency questions the use of this data by that entity and for the purposes that are indicated, considering that they are not own products. The condition of manager treatment under which CAIXABANK intervened in these cases limits the possibility of use the information in question for their own purposes. In short, personal data is collected and processed without the owners of the same be aware that CAIXABANK is accessing them to register them in their information systems, subjects them to treatments about which the client is not informed in a clear, precise and simple way, and with non-explicit and undetermined purposes, against of the principles related to the treatment established in article 5 of the RGPD (loyalty, limitation of the purpose and minimization of data), since, from the information facilitated, considering their inconcretion, the interested party cannot know, as the Constitutional Court, “to what use is it being destined and, on the other hand, the power to oppose that possession and uses ” . This lack of precision renders the information provided ineffective about the data processing that is intended. What is indicated above contrasts with the information provided through the website of the entity on the personal data collected from social networks: . Twitter: Name, username, tweets, and user profile information, including biography and location information. . Facebook: User ID, email address, gender, date of birth, city current, and preferences expressed by you by clicking on "Like" (or Likes). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 94 94/177 . Linkedin: Registered user, name and surname, email address, profile URL, Profile information and Groups. And not only does it not specify what data will be processed, but it also does not duly informs in all cases about the specific categories of personal data that will be treated for each of the specified purposes. The need to complete the information offered to customers in the sense expressed is especially relevant when it comes to data not provided by the customer, but inferred by the entity itself from the use of products, services and channels. It cannot be accepted that all information is intended for all uses, that all data collected, from the interested party or third parties, or inferred can be used for all purposes, without delimiting. This occurs in relation to the purpose expressed in section 8 of the "Contract Marco ”and in the“ Consent Agreement ”regarding the “ transfer of data to third parties ” with the consent as a legal basis. With the information provided it is not possible that the interested party has a clear idea about the personal data that will be transferred to the entities of the sectors indicated . In this regard, the Opinion of the aforementioned Article 29 Working Group, "Guidelines on consent under Regulation 2016/679" , adopted on 11/28/2017, revised and approved on 04/10/2018, and revised again in May 2020, When referring to the obligation to inform about the data that will be collected and used, it refers to Opinion 15/2011 on the definition of consent, as “manifestation of specific will ” : “To be valid, consent must be specific. In other words, consent indiscriminate without specifying the exact purpose of the treatment is not admissible. To be specific, consent must be understandable: clearly and precisely refer to the scope and consequences of data processing. It cannot refer to an indefinite set of treatment activities. This means, in other words, that consent applies in a limited context. Consent must be given in relation to the various aspects of the treatment, clearly identified. This implies knowing what the data are and the reasons for the treatment. This knowledge It should be based on the reasonable expectations of the parties. Therefore, the "specific consent" it is intrinsically related to the fact that consent must be informed. Exists a requirement of precision of consent with respect to the different elements of the treatment of data: it cannot be claimed to encompass "all legitimate purposes" pursued by the controller treatment. The consent must refer to the treatment that is reasonable and necessary in relationship with the purpose ”. In General, as has been said, the principle of transparency should be understood as a fundamental aspect of the principles of lawful and fair treatment. It is interesting to reiterate expressed in Recitals 39 and 60 and the references they contain to the need to provide information to ensure fair and transparent treatment: "39. All processing of personal data must be lawful and fair. For natural persons it should be totally clear that data is being collected, used, consulted or otherwise processed personal data that concern them, as well as the extent to which said data is or will be processed ... Said The principle refers in particular to the information of the interested parties about the identity of the person in charge C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 95 95/177 treatment and the purposes thereof and the information added to ensure fair treatment and transparent regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are subject to treatment. The natural persons must be aware of the risks, regulations, safeguards and rights relating to the processing of personal data ”. "60. The principles of fair and transparent treatment require that the interested party be informed of the existence of the treatment operation and its purposes. The data controller must provide the interested party as much additional information is necessary to guarantee fair treatment and transparent, taking into account the specific circumstances and context in which the data is processed personal ”. And in the also cited document of the Working Group on Article 29 "Guidelines on transparency under Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, which analyzes the scope to be attributed to the principle of transparency, it indicates: “A fundamental consideration of the principle of transparency outlined in these provisions is that the interested party must be able to determine in advance the scope and consequences derived from the treatment, and that you should not be surprised at a later time by the use that has been made of your personal information". In relation to the information about the category of personal data that are collected and used by CAIXABANK, alleges that article 13 of the RGPD does not require provide data subjects with this information on a mandatory basis, although, however, offers a sufficiently descriptive list of the types of data that are treated based on the consent, in accordance with the provisions of the Guidelines 05/2020 on the consent in accordance with Regulation 2016/679, of the European Committee for the Protection of Data (CEPD). Likewise, it alleges (i) that the information it provides on the treatment of data on movements, receipts, payroll, claims and claims, considering that It deals with products and operations of the client, who knows the information they include; and (ii) that that information does not include sensitive data. In this regard, it warns that the obligation that the AEPD intends to impose would entail, one hand, the need to report on specific data, which would imply information fatigue difficult to beat; and, on the other hand, it would also mean informing about what is not done, in based on a suspicion of processing of sensitive data. This claim cannot be upheld, in accordance with the arguments already presented. in this section. This Agency considers that the review of those concepts (movements, receipts, payroll, claims and claims), without including the detail of the data categories they include, it is insufficient to understand the obligation to report on the categories of personal data that are collected and subjected to treatment and, ultimately, so that the interested party can have the essential and necessary information for taking their decisions and understand what you are authorizing, as well as for the exercise of your rights. Without forgetting that those concepts are included as examples, preceded by the expression "such as" and followed by the term "etc." . Regarding the suspicion of this Agency about the possibility that CAIXABANK C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 96 96/177 could be protecting, with the information offered, the collection and treatment of categories special data, it must be reiterated that it results from the information itself offered in the documents object of the proceedings. On the one hand, it is said that data may be obtained of products and services contracted by the client, “such as account movements or cards, details of direct debits, direct debits…, etc. " , and on the other hand, It is also indicated that “all the data generated in the contracting and operational ” of those products and services. Then, nothing prevents understanding that they could collect by CAIXABANK categories of data such as issuer and concept of receipts domiciled, which could refer to the payment of a union dues, payments to an entity of health care, fees to a political party or donations to a religious entity, civil society associations or political activism groups, which could serve to promote link the interested party with certain ideological positions, race, religion, etc. In any case, this question has not determined any imputation to CAIXABANK for data processing of this nature, although this circumstance, as has been said, to the extent that the information provided is defective and could serve as cover for the collection and processing of personal data unacceptable. The aforementioned serves both to obtain personal data generated in the contracting of products and services with CAIXABANK, such as those generated in contracting products and services with third parties. On the other hand, in relation to information on the category of personal data that are not obtained from the interested party, CAIXABANK claims that it complies with this obligation informing in Clause 8 of the "Framework Contract" when it is indicated that "the data of the signer may be complemented and enriched by data obtained from companies providing commercial information, by data obtained from public sources, as well as by data statistical, socioeconomic (hereinafter, "Additional Information") always verifying that These comply with the requirements established in the current regulations on the protection of data ” . However, with this information the interested party does not have details about the types of data that will be collected from these external sources or how they will be supplemented and enriched. It is not enough for these purposes to indicate that data will be collected from external sources, from supplier companies or public sources, which are not categories of personal information; nor is it sufficient to indicate that the customer's data is will be complemented with statistical and socioeconomic data without further detail that delimits the categories to actually be covered. Nothing is indicated either by CAIXABANK in its allegations about the data made from all of the above. It is also alleged by CAIXABANK that this information cannot be required in relationship with the categories of data that are treated based on legitimate interest. However, this Agency does not require this information as expressed by CAIXABANK. What I know defends is the need to inform in such cases when the information processed based on the legitimate interest, including the profiles prepared with this legal basis, is also used for consent-based treatments. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 97 97/177 Similarly, in the case of interest-based personal data processing made with personal data that were not obtained from the interested party, the obligation to inform about the categories of personal data used in this treatment comes also determined by the provisions of article 14 of the RGPD. Also in relation to information on categories of personal data CAIXABANK warns that it improves the information in its new Privacy Policy . There is not more than seeing the information on data categories that CAIXABANK has included in this new document, contributed to the proceedings together with its allegations to the resolution, to understand that the analyzed information cannot be understood as satisfactory, that it is not enough to refer to account movements or cards, receipts, payroll, claims and claims. Some examples taken from this new Policy serve of Privacy to illustrate about categories of data that CAIXABANK does not detail in the documents object of the present proceedings, nor could the interested party deduce from the information provided: family unit or circle; tax data; tax data; information on investments made and their evolution; or grouping of clients in categories and segments based on age, assets, operations, consumption habits, preferences, demographics. Finally, CAIXABANK considers that the incorporation of all that information relating to the type of data would lead to an excessively long document, liable to cause information fatigue in the interested parties. The WG29 Guidelines on Transparency recommend avoiding that consequence, but such a purpose cannot be taken as a justification for omitting necessary information. It forces the information to be structured adequately, but not limit it. These Guidelines require data controllers to demonstrate responsibility proactively in the development and use of methods to comply with the requirements of transparency that avoid the fatigue of the interested party. Although they offer numerous recommendations and examples of different modalities to provide information, warns that the data controllers are the ones who decide the tools of information they use. - Information on the purposes to which the personal data of the clients and the legal basis of the treatment. Confusion of legal bases. Regarding the purposes to which the personal data of the clients will be used and the legal basis of the treatment, the entity CAIXABANK, in the "Framework Contract" refers Similar treatments in relation to different purposes, protected by the legitimate interest in some cases and in consent in others. This may mean that a treatment is not consented by the interested party is finally carried out under the legitimate interest of the responsible, undermining the ability of customers to decide on the destination of their personal information. In relation to the treatments based on legitimate interest, information is provided on the purposes in the following terms: . “We will send you updates and information about products or services similar to those already have contracted ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 98 98/177 . "Personalize your commercial experience in our channels based on previous uses" . "Offer you products and services that fit your profile." . "Apply benefits and promotions that we have in force and to which you are entitled" . "Evaluate if we can assign pre-granted credit limits." In relation to treatments based on consent, information is provided on the purposes in the following terms: . "Study products or services that can be adjusted to your profile and business or credit situation" . "Make commercial offers tailored to your needs and preferences" . "Design new products or services" . “Define or improve user experiences in their relationship with CaixaBank and the Companies of the CaixaBank Group ”. . “Send commercial communications both on paper and by electronic or telematic means, relating to the products and services that, at any given time: a) CaixaBank or any of the CaixaBank Group Companies b) market other companies in which CaixaBank owns and third parties". The information offered can cause confusion, to an average citizen, about the legal basis that justifies the treatment, in the sense expressed. In this case, (…) it appears that this entity was aware of the deficiencies described above, assessed in relation to the information on the legal basis of the treatment. (…) On the other hand, in the document by which the client signs the registration in the aggregation service the customization of offers is included as an object of the contract adjusted to the profile and situation of the contractor by CAIXABANK and the improvement of risk analysis and suitability for contracting products and services requested by the contractor and the improvement of the management of defaults and incidents derived from the products and services contracted; and among the treatments that are cited for the purpose of managing the service includes improving the management of non-payments and incidents and the product tracking; while the "Framework Contract" requires the Client consent to carry out personal data processing with these purposes (the mention of the treatments indicated in the object of the service contract aggregation and in relation to service management has been removed in the new version of this contract provided by CAIXABANK with its statement of allegations). The information on the purposes, in general, is closely linked to the principle of limitation of the purpose, regulated in article 5.1 b) of the RGPD, which establishes the following: "1. The personal data will be: b) collected for specific, explicit and legitimate purposes, and will not be further processed as manner incompatible with said purposes; in accordance with Article 89 (1), further processing of personal data for archival purposes in the public interest, scientific research and historical or statistical purposes shall not be considered incompatible with the initial purposes ("limitation of purpose ")". The importance of this principle is determined by its object, which is none other than establish the limits within which personal data can be processed and the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 99 99/177 extent to which they can be used, as well as determining the data that can be collected. To be "explicit" , an end must be unequivocal and clearly stated, in detail enough for the interested party, any interested party, to know in a certain way how they will be or data not processed and favoring the exercise of their rights and the evaluation of the compliance with regulations. To be "explicit" , the purpose must also be disclosed, as that must take place at the time the personal data is collected On this issue, the Article 29 Working Group ruled in its Opinion 03/2013, on limitation of purposes. In this work, it was considered that they should be rejected, by nonspecific, the purposes expressed with vague or too general formulas, such as "improving user experience" , "marketing purposes" or "Future research". This Opinion indicates that the more complex the data processing is personal, the purposes should be specified in a more detailed and exhaustive manner, "including, among other things, the way in which personal data is processed. They must also disclosure of the decision criteria used to create customer profiles ” . In accordance with the foregoing, the purposes for which the data will be processed personal information about which CAIXABANK informs its clients, do not conform to the mentioned transparency requirements, especially if we consider the huge amount of personal data that it submits to treatment, individually or globally considered, and the complex technical processes to which they are subjected, especially for the elaboration of profiles, which are used for all the purposes described in the information offered to Your clients: . "Personalize your commercial experience in our channels". . "Offer you products and services that fit your profile." . "Analysis, study and monitoring treatments for the offer and design of products and services adjusted to the customer profile ”. . "Study products or services that can be adjusted to your profile and business or credit situation." . "Commercial offers tailored to your needs and preferences." . "Define or improve user experiences." In CAIXABANK's allegations, once again, the conclusions obtained by this Agency from the analysis of the documents in question, this time in relation to with the confusion caused by the information about the data processing carried out in basis of legitimate interest and consent, highlighted above, and, again, again, warns that the New Privacy Policy "reconfigures the divergences between the treatments based on legitimate interest and consent ” . And also in this case does not offer any explanation for the above deficiencies, to which CAIXABANK does not refer to. - Information about the legitimate interest of the person in charge Likewise, the aforementioned precepts establish the obligation of the person responsible to inform on the legitimate interests on which the processing of personal data is based (the Articles 13 and 14 of the RGPD establish the obligation to inform about "legitimate interests C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 100 100/177 of the person in charge or of a third party ” ). However, the information offered by CAIXABANK remains undefined as to the basis of the treatment, so it does not substantiate duly this authorization for the treatment of data, resulting, therefore, contrary to the principle of transparency. Recital 47 of the RGPD is especially clarifying in the task of specifying the content and scope of this legitimizing basis of the treatment, described in letter f) of the Article 6.1 of the RGPD. From what is stated in this Considering, it is interesting to highlight as a interpretative, that the application of this legitimizing base must be predictable for its recipients, taking into account their reasonable expectations. The Article 29 Working Group prepared Opinion 6/2014 on the “ Concept of legitimate interest of the data controller under article 7 of the Directive 95/46 / CE ”, dated 04/09/2014. Although this Opinion 6/2014 was issued for favor a uniform interpretation of Directive 95/46 then in force, repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and having Note that the reflections that the Opinion offers are an exponent and application of principles that also inspire the GDPR -such as the principle of proportionality- or of principles general rules of Community law - the principle of equity and respect for the law and Law- many of his reflections can be extrapolated to the application of current regulations, the RGPD. The said Opinion refers to the "Concept of interest" in the following Terms: "The concept of" interest "is closely related to the concept of" purpose "mentioned in Article 6 of the Directive, although these are different concepts. In terms of protection of data, "purpose" is the specific reason why the data is processed: the purpose or intention of the data processing. An interest, on the other hand, refers to a greater involvement than the responsible for the treatment may have in the treatment, or to the benefit that the person responsible for the treatment obtains -or that the company can obtain- from the treatment. For example, a company may have an interest in ensuring the health and safety of personnel who work at your nuclear power plant. Therefore, the company may have the purpose of applying specific access control procedures that justify the processing of certain data specific personnel in order to ensure the health and safety of personnel. An interest must be articulated clearly enough to allow the balancing test It is carried out contrary to the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be "pursued by the controller." This requires a real and current interest, which corresponds to present activities or benefits that are look forward to the very near future. In other words, interests that are too vague or speculative will not be enough. The nature of the interest can vary. Some interests may be compelling and beneficial to society in general, such as the interest of the press in publishing information on corruption government or interest in conducting scientific research (subject to appropriate safeguards). Other interests may be less pressing for society as a whole or, in any case, the impact of your search on society may be more disparate or controversial. This can, for For example, apply to the economic interest of a company in learning as much as possible about its potential clients in order to better target advertising on their products and services ”. In the conclusions section of this Opinion the following is added: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 101 101/177 "The concept of" interest "is the broadest implication that the controller may have in the treatment, or the benefit that it obtains, or that the company may obtain, from the treatment. This can be compelling, clear, or controversial. The situations referred to in the article 7, letter f), may therefore vary from the exercise of fundamental rights or the protection of important personal or social interests to other less obvious or even problematic contexts. … It must also be articulated with sufficient clarity and must be specific enough to allow the balancing test to be performed against interests and rights fundamentals of the interested party. It must also represent a real and current interest, that is, it must not be speculative". The "interest" goes beyond the "purpose . " In terms of the GT29 it represents "a greater implication that the controller may have in the treatment, or the benefit that the data controller obtains ” ; while "purpose", in terms of data protection, “is the specific reason why the data is processed: the objective or the intention of data processing. In this case the "interest" is not expressed. The CAIXABANK entity does not report in the "Framework Agreement" or in the "Privacy Policy" about any specific interest when referring to the data processing that you plan to carry out under this legal basis. Is limited to indicate the treatments carried out with this legal basis and the purposes, mainly commercial, for which personal data are processed, but no legitimate interest of CAIXABANK in the sense expressed. This Agency considers that these processing of personal data, such as are based on the documents by which the interested parties are informed in terms of data protection, they cannot rely on the legal basis of interest legitimate, which requires an evaluation to determine the interests or rights that prevail. This weighting must take into account “the reasonable expectations of the interested parties based on their relationship with the person in charge ” , understood as what the interested party can perceive or deduce as reasonable by itself based on the specific circumstances that occur in each case, which was predicted at the time of data collection in a way that reasonable. The term “reasonable expectation” should always be used sparingly, taking into account the position held responsible and interested and the legal nature of the relationship or service that links them, which could lead to the subsequent use of the data this one's personal. The context is taken into account to be able to define, based on all this, the subsequent processing of the data that the interested party can expect to be carried out. This "Reasonable expectation" of the customer must be deducted by itself. The information provided by CAIXABANK on the use of data based on the legitimate interest is contrary to the previous approach, since such information is insufficient to justify this legal authorization and to carry out the weighting judgment that allow to determine if said reasons prevail over the interests and rights of the interested party, limiting the possibility that the client can correctly weigh the performance of the entity. The specific determination of the interest of CAIXABANK, articulated with sufficient clarity, it will allow the interested party to oppose their own interests. It enables, also, a better analysis of the reality and actuality of said interest. All this without forgetting what has already been indicated in relation to the use of imprecise terms C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 102 102/177 and vague formulations in the information provided, in particular with regard to the definition of the purposes. Regarding the legitimate interest of the person in charge and the weighting test, the document of the Working Group on Article 29 “Guidelines on transparency under the Regulation 2016/679 ” , adopted on 11/29/2017 and revised on 04/11/2018, offers the following criteria: “The specific interest in question must be identified for the benefit of the interested party. As a matter of good practice, the data controller can also provide the data subject with the information resulting from the "weighting test" that must be carried out in order to benefit from the provisions in article 6, paragraph 1, letter f), as a lawful basis for processing, prior to any collection of the personal data of the interested parties. To avoid information fatigue, this can be included within a tiered privacy statement / notice (see section 35). In any case, the position of the WG29 is that the information addressed to the interested party must make clear that he can obtain information on the weighting test upon request. This turns out essential for transparency to be effective when stakeholders doubt whether the examination of weighting has been carried out loyally or wish to file a claim with the control". On the other hand, regarding the data processing carried out based on the interest legitimate, both the "Framework Agreement" and the "Privacy Policy" indicate the following: . Sending "updates and information about products or services similar to those you already have hired ”. . Information processing “personalize your commercial experience in our channels based on previous uses ”. . Offer of products and services "that fit your profile" . Data processing “to apply benefits and promotions that we have in force and to which have the right " . Data processing "to assess whether we can assign you pre-granted credit limits." However, it has been verified that CAIXABANK performs other data processing personal based on the legitimate interest about which he does not inform at any time to the interested. (…) Some of these treatments, and others, are also mentioned in the document called "Processing of personal data based on legitimate interest" , to which can be accessed through the website "caixabank.es" , incorporated into the actions by the Inspection Services of the Agency dated 07/01/2020, which is reproduced in Annex VI: . Monitoring of the fulfillment of the objectives, incentives or awards set for our employees. . Communication of data between CaixaBank and the companies in which it has a stake for the purpose of make internal reports (without personal data), which allow us, among other aspects, carry out market studies and mathematical models to establish the business strategy of the CaixaBank Group. . Creation of statistical models (without personal data) that help the Entity to know better the preferences and tastes of our clients, collaborating in the improvement of the design and execution of commercial actions, as well as making aggregate reports on the results of the models to track customer behavior. . Structuring and profiling of the information processed by the Entity to maintain the resources and technical systems prepared to efficiently meet management needs. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 103 103/177 . Control and supervision of the Entity's activity through samples and self-evaluations with the purpose of identifying and assessing possible risks in the marketing of products, controls and evaluate compliance with internal rules and regulations. . Control and supervision of operations in order to prevent fraud, both to customers and to the own Entity. However, this document is not provided to interested parties nor does it record any reference to it in the "Framework Agreement", the "Consent Agreement" or in the "Policy of Privacy ”, so that CAIXABANK cannot be certain about the access of the customers to this information and is not in a position to prove this access. About this document called "Treatment of personal data in basis of legitimate interest ”it is also worth highlighting that the list of treatments based on in the legitimate interest that it contains, it is presented as an open list that "will be updated permanently to include new treatments, or cancel those that are stopped perform". This statement by CAIXABANK should be rejected as it could lead to the performance of data processing on which the users are not promptly informed interested in the documents that they subscribe on protection of personal data, as is the case in the examples indicated. If the interested parties are not duly informed about the treatments, and even less on the specific interest pursued by the person in charge with these treatments on which it is not reported, it is difficult for them to face the legitimate interests of CAIXABANK to their own interests and rights, nor do they have the opportunity to even exercise the right to opposition. In its brief of allegations to the proposed resolution, CAIXABANK does not make no mention of this lack of information on the legitimate interest pursued, which implies a breach of the provisions of article 13.1.d) of the RGPD, nor to the other circumstances expressed in this section. - Information on profiling Another important aspect related to the subject analyzed has to do with the use of personal data for the preparation of customer profiles, understood as any form of personal data processing that evaluates personal aspects related to a Physical person. According to art. 13.1.c) of the RGPD, the person in charge must inform the interested party of the purposes of the treatment, as well as its legal basis, which means that you must inform on the elaboration of profiles when the person responsible has foreseen such purpose and specify the legal basis that protects the treatment for that purpose. Article 11 of the LOPDGDD establishes the minimum content of the basic information to be provided to the interested party: "2. The basic information referred to in the previous section must contain, at least: (…) If the data obtained from the affected party were to be processed for profiling, the information will also understand this circumstance ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 104 104/177 Recital 60 of the RGPD also refers to the obligation to “inform the interested party about the existence of profiling and the consequences of said elaboration". On the principles relating to the processing of personal data, when these consist of profiling, the Guidelines of the Article 29 Working Group on automated individual decisions and profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate what following: “Transparency of treatment is a fundamental requirement of the GDPR. The profiling process is usually invisible to the person concerned. It works by creating data derived or inferred about people ("new" personal data that have not been directly provided by the interested parties themselves). People have different levels of understanding and It can be difficult to understand the complex techniques of profiling processes and automated decisions ”. “Taking into account the basic principle of transparency that sustains the RGPD, those responsible for the treatment must ensure that they clearly and easily explain to people the operation profiling or automated decisions. In particular, when the treatment involves decision-making based on the preparation of profiles (regardless of whether they fall within the scope of the provisions of Article 22), you must clarify to the user the fact that the treatment is for both a) profiling and of b) adoption of a decision based on the profile generated Recital 60 establishes that providing information about profiling is part of the of the transparency obligations of the data controller according to article 5, paragraph 1, letter a). The interested party has the right to be informed by the person responsible for the treatment, in certain circumstances, regarding your right to object to "profiling" regardless of whether individual decisions have been made based solely on the automated processing based on profiling ”. “The person responsible for the treatment must explicitly mention to the interested party details about the right opposition according to article 21, paragraphs 1 and 2, and present them clearly and regardless of any other information (Article 21, paragraph 4). According to article 21, paragraph 1, the interested party can oppose the treatment (including the elaboration of profiles) for reasons related to your particular situation. Those responsible for the treatment are specifically obliged to offer this right in all cases in which the treatment is based on article 6, paragraph 1, letters e) or f) ”. The information object of the actions refers to the elaboration of profiles in numerous times when describing the purposes for which the data will be used, or the purposes that are detailed entail these profiling operations. So can be understood, for example, in relation to the personalization of offers or the experience of the client or the purpose of “knowing you better” . Therefore, CAIXABANK processes the personal data of its clients to proceed to its profiling, which it uses later. In most cases in the which refers to the elaboration of profiles or the use of data that are the result of profiling activities, the basis of its action is based, according to the information that it facilitates to the interested parties, in their consent (Clause 8 of the Framework Contract); except in what refers to the "personalization of the experience" of the client or sending information in which he may have an interest, which CAIXABANK protects in the interest C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 105 105/177 legitimate, on which it has already been indicated that the information is insufficient. For the reasons already expressed in relation to the lack of justification of interest legitimate, processing operations that include the preparation of profiles or that are based on these profiles and that have a legal basis in the legitimate interest of the person in charge. In addition, in relation to the profiling operations, in the opinion of this Agency, the information requirements described. CAIXABANK is limited to informing about actions that can be developed adapted to the "customer profile" or "personalized" , but not offers information on the type of profiles to be made, the specific uses to which that these profiles are going to be used or the possibility that the interested party can exercise the right of opposition in application of article 21.2 RGPD, when the profiling is related to direct marketing activities. In the terms of the GT29, it is not “ explained to people in a clear and simple way the profiling ” nor are they warned about adopting decisions “on the basis of the generated profile” , regardless of whether they fall within the scope of the provisions of article 22. The concept of profiling is not systematized by CAIXABANK. Of In fact, the Privacy Policy only talks about “knowing you better, that is, studying your needs to know what new products and services fit your preferences and analyze the information that allows us to determine in advance what your creditworthiness ” , omitting profiling, despite the fact that this purpose, as stated, it is necessary to do a previous profiling. This is a breach of the provisions of article 11 of the LOPDGDD. In this case, in addition, the treatment operations based on the profiling of the customer go beyond improving the experience or sending commercial offers adjusted to the needs and preferences of the client, to the point that said profiling is used by CAIXABANK to design products and services or improve the design and usability of existing ones, that is, for your own business. CAIXABANK dedicates a subsection of its allegations to the elaboration of profiles, but without offering any explanation of the deficiencies noted, to which it does not refer. In relation to the profiling operations, in its allegations at the opening of the procedure warns CAIXABANK that treatments were included in the drafted clause in 2016 (refers to Clause 8 of the “Framework Contract”, the one relating to treatments based on in the client's consent), when clear criteria were not available, which could rely on another legal basis other than consent, such as legal obligations (fraud control and risk management) or the contractual relationship (monitoring and adoption of recovery stockings). He adds that what has been produced is an excess of information. Later, in its allegations to the motion for a resolution, it reiterates this allegation indicating that the error was made in that clause (corrected in the New Privacy), to list treatment operations that did not have to do with consent for profiling. And he lists the specific treatments that, in his opinion, can be covered by C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 106 106/177 another legal basis different from the legitimate interest (the list of the treatments to which it refers this allegation is outlined in the following Legal Basis). However, this claim is not related to the deficiencies found in the information offered on the elaboration of profiles, previously expressed, and is subject to analysis in the following Legal Basis, in the section that examines the treatments of data based on the consent of the interested parties. It should be clarified now that it has been the CAIXABANK own entity which decided to protect the profiles in the consent. On the other hand, it must be added that the conclusions expressed do not judge the information offered due to its breadth (CAIXABANK alleges an excess of information and provides an example of a reduced clause), but it is evaluated if it is sufficient and adequate to the standard. In relation to this issue of the profiles, CAIXABANK alleges that in Clause 8 of the “Framework Contract”, it is informed about the purposes indicating that the consent for the “analysis, study and follow-up for the offer and product design adjusted to your client profile ” , and information is provided on the elaboration of profiles by making explicit the treatment operations that include this purpose ( "Study products or services that can be adjusted to your profile and specific business or credit situation ” ) . It has already been said previously that the information offered sometimes refers to the profiling by describing the purposes for which the data will be used personal. But that information contained in Clause 8 of the "Framework Contract" does not save any other information on purposes that involve profiling operations on those that the customer is not warned about. Furthermore, CAIXABANK does not explain the lack of information, in general, on the types of profiles and the uses to which they are to be put, so that the interested party has clear knowledge of the operation of these profiles and, above all, of the consequences of its elaboration. These circumstances are not mentioned by CAIXABANK in their allegations, and nothing is said in them to justify not informing the interested in the possibility of exercising the right of opposition, when appropriate. - Information on the exercise of rights, possibility of claiming before the Agency Spanish Data Protection, existence of a Delegate for the Protection of Data and your contact details and retention periods. On the other hand, the information provided by CAIXABANK on the exercise of rights, possibility of claiming before the Spanish Agency for Data Protection, existence of a Data Protection Delegate and their contact details is not uniform in all documents analyzed. The "Framework Agreement" and the "Privacy Policy" of CAIXABANK inform about the rights that correspond to the interested party regarding the protection of personal data, including the revocation of the consents granted, as well as the channels for exercise them. They also inform about the possibility of filing a claim with the Spanish Agency for Data Protection and on the existence of a Protection Delegate of Data of the CaixaBank Group of companies, indicating the means to contact the same. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 107 107/177 The "Consent Agreement" or document of "Authorization / Revocation of consents ”, on the other hand, in version 2, it reported on the possibility of exercising the rights, but without mentioning those established in the applicable regulations, and neither referred to the existence of a Data Protection Delegate; yes, you are deficiencies were corrected in version 3 of the document. To refer to the use of data based on legitimate interest, the "Framework Agreement" expressly warns about the possibility of objecting. The Privacy Policy does not mentions the right to object, but it indicates “… if you prefer that we not do it, just you have to tell us, in… ”. The right to object is also reported in the document inserted in the CAIXABANK website regarding the "Treatment of data of character personal based on legitimate interest ”. The information that is offered for access to personal data of customers in social networks informs about the rights contained in the LOPD, not in the RGPD: "You may exercise the rights of access, rectification, cancellation and opposition in accordance with the data protection regulations. To exercise these rights, you must go to the address of CaixaBank… ”. Likewise, the contract that regulates the aggregation service informs about the rights and channels for its exercise, the possibility of contacting the Protection Delegate of Data and to claim before this Agency, but does not expressly mention the possibility of revoke consent and the right to object the following is indicated: "The non-acceptance or subsequent opposition to the processing of your data, for the purposes below detailed information, implies that CaixaBank will not be able or (where appropriate) will stop offering you the aggregation". This information is modified in the new stipulations of the Service Contract Aggregation, (…) - Information on terms of conservation of personal data As indicated in relation to the issues indicated in the previous section, The information provided on the data retention periods is not uniform in the documents object of the proceedings. Regarding data conservation, the "Framework Agreement" includes a section specific to this question (11.3) with the following content: "Your data will be processed as long as the contractual or business relationships remain in force established or commercial use authorizations granted. Once the authorizations for use have been revoked, or six months after the relationship ends contractual or business established, your data not being necessary for the purposes for which were collected or processed, your data will no longer be processed. In accordance with the regulations, the data will be kept for the sole purpose of complying with those legal obligations imposed on CaixaBank and / or Group Companies, and for the formulation, exercise or defense of claims, during the limitation period of the actions derived from the relations contractual or business subscribed ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 108 108/177 However, in section 7.1 "Processing of personal data with the purpose of managing Commercial Relations ”it is indicated that the data will be canceled with the termination of all business relationships, without mentioning the six-month period after business relationships: “… At the time of cancellation by the Signatory of all Commercial Relations, the aforementioned data processing will cease, and your data will be canceled in accordance with the provisions in the applicable regulations, CaixaBank keeping their use duly limited until they have prescribed actions derived from them ”. On the other hand, the so-called "Consent Agreement" or " Authorization / revocation for the processing of personal data for purposes commercial by CaixaBank, SA and companies of the CaixaBank group ” , for its part, indicated in its version 2 that the data would be processed as long as the use authorizations granted or established contractual or business relationships, but without warning about the use during the six months after the end of said contractual relationships. That six-month data usage period was added in version 3 of this document, with a scope similar to that outlined in the "Framework contract": "The authorizations you grant will remain in effect until they are revoked or, in the absence of this, up to six months after you cancel all your products or services with CaixaBank or any company of the CaixaBank Group ” . Similar content contains the section of the "Privacy Policy" relative to the conservation of personal data. In none of the cases is the conservation of the data motivated during the six months after the contractual or business relationships. Information regarding access to personal data of customers in social networks does not contain any indication about the retention of personal data; Meanwhile he contract that regulates the aggregation service, although it informs that the data will be processed while the contractual relationships remain in force, it warns that, in the event that The data is processed in accordance with your consent, it may be processed as long as it is not withdraw, even after the relationship. In the clauses of the contract of this aggregation service indicated: "The data will be processed as long as the relationships derived from the relationships remain in force contractual, and will be kept (during the prescription period of actions derived from said relationships) for the sole purpose of complying with the required legal obligations, and for the formulation, exercise or defense of claims. However, in the event that the data is processed According to your consent, they may be processed until you withdraw it. Notwithstanding the foregoing, CaixaBank informs you that it will proceed to delete the data from its systems collected by the aggregation service: (i) in the event of elimination of a financial institution, CaixaBank will proceed to eliminate the data of the eliminated financial institution. (ii) in the event that the contractor notifies us of his withdrawal from the Service, CaixaBank will proceed to the elimination of the data of all third financial entities ”. (In the new clause of the Aggregation Service Contract, the information is modified C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 109 109/177 on the conservation of personal data in relation to the treatments with the purpose commercial, indicating that they will be treated until the revocation of consent or until twelve months after the end of the contractual relationship). CAIXABANK has alleged that the retention period of six months after the contractual relationship is a self-imposed measure, that there is no legal obligation to motivate that period and that the indication of a period of six months in one cases and twelve in others responds to the fact that each client has a contract, so there is no single term of conservation. On this issue, it should be clarified that the opportunity is not judged here and regularity of these periods, whether or not they comply with the principle established in article 5 of the RGPD, but the information offered, which is not uniform in the information offered to the interested. The imputed entity itself has highlighted in its brief of allegations the convenience of regularizing this information. These differences in terms of the retention period cannot be justified by the contract that binds the client with the entity, since the term in question does not refer to the conservation of the data related to the business relationship, but refers to the use authorizations. Throughout this Legal Basis the deficiencies have been described appreciated in relation to the fulfillment of the duty of information in matters of protection of data by CAIXABANK, which can be summarized, succinctly, as follows: . The information offered to CAIXABANK clients is not uniform. Papers arranged by CAIXABANK to inform customers use different terminology to refer to the same questions and do not have the same content, so it is not offers the information with the same breadth in all cases. . Vague terminology and vague formulations are used, with ambiguous meanings in some cases, and whose true scope is not developed, making it difficult for the recipient of the information can conclude its real and concrete scope. . The information offered on the processing of personal data based on the relationship contractual does not allow assessing whether all the treatments included in this section can rely on that legal basis. . Information on the categories of personal data subject to processing; and about the specific categories of personal data that will be processed for each of the purposes specific. This requirement is not met in relation to: . Data processing whose legal basis is determined by consent of the interested party, for which personal data obtained from the use of the products and services contracted by the client, navigation data and those obtained from the communications established between the client and the entity. . Data processing whose legal basis is determined by the legitimate interest of CAIXABANK and whose purpose is to prepare profiles that are subsequently C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 110 110/177 used to carry out data processing based on the consent of the interested. . The personal data obtained by CAIXABANK from external sources or inferred by the own entity. These include the data obtained by CAIXABANK from products and services contracted by the interested parties with third parties, including those of those products and services of third parties marketed by CAIXABANK; as well as the data that derive from CAIXABANK's own commercial relations with third parties and data made from the above. . Not all cases are duly informed about the categories of personal data Specific that will be treated for each of the specified purposes. . Information on the purposes for which the personal data of the clients will be used and the legal basis of the treatment. Confusion of legal bases. . The "Framework Contract" refers to similar treatments in relation to different purposes, covered by legitimate interest in some cases and consent in others. . The document signed by the client for registration in the aggregation service informs on purposes linked to the object of the contract that in the "Framework Contract", instead, associated with treatments for which the client's consent is required. . Information about the legitimate interest of the person in charge: . The "interest" is not expressed. The CAIXABANK entity does not inform in the "Framework Contract" or in the "Privacy Policy" about any specific interest when referring to the data processing that you plan to carry out under this legal basis. . The information is insufficient to justify this legal authorization and to carry out the weighing judgment that allows determining whether said reasons prevail over the interests and rights of the interested party, limiting the possibility that the client can correctly weigh the performance of the entity. . CAIXABANK processes personal data based on the legitimate interest in those that do not inform the interested parties at any time. . The document called "Treatment of personal data based on the legitimate interest ” includes a relationship of treatments based on the legitimate interest that it is presented as an open listing. . Profiling information . The legitimate interest of CAIXABANK in the elaboration of profiles for the "Personalization of the experience" of the client or sending information in which the client may be interested. . No information is offered on the type of profiles to be made, the uses specific to which these profiles are going to be used or their operation and consequences of its elaboration. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 111 111/177 . There is no information on the exercise of the right of opposition, when the profiling is related to direct marketing activities. . The Privacy Policy omits the creation of profiles in relation to the purpose of “getting to know you better, that is, studying your needs to know what new products and services are adjusted to your preferences and analyze the information that we let you determine in advance what your creditworthiness is ” . . Information on the exercise of rights, possibility of claiming before the Spanish Agency of Data Protection, existence of a Data Protection Delegate and their data from contact and retention periods. . The "Consent Agreement" informed about the possibility of exercising the rights, but without mentioning those that are established in the applicable regulations. . The right to object is not mentioned in the Privacy Policy. . The information that is offered for access to personal data of customers in networks Social reports on the rights contained in the LOPD, not in the RGPD. . The contract that regulates the aggregation service did not expressly mention the possibility to revoke consent and exercise the right of opposition. . The information on retention periods for personal data is not uniform: . According to section 11.3 of the "Framework Agreement", personal data will no longer be processed at within six months of the end of the contractual relationships; while in the section 7.1 of the same document does not mention said term and it is reported that the treatments They will cease with the cancellation of the contractual relationships. . The so-called “Consent Agreement”, in its version 2, did not warn about the use of personal data during the six months after the end of said contractual relationships. That six-month data usage period was added in version 3. . Information regarding access to personal data of customers on social networks does not contains no indication about the storage of personal data. . The contract that regulates the aggregation service reported that the data processing based on the consent of the client may be carried out as long as it is not withdrawn, even relationship ended. The new clauses of this contract indicate that they will be treated until the revocation of consent or until twelve months after the termination of the contractual relationship. CAIXABANK, in its allegations, limits itself to stating in a generic way that it complies the requirements established in the applicable regulations, in articles 13 and 14 of the RGPD, or well to deny the stated conclusions, without offering in any case any justification on the irregularities observed, which he does not even mention. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 112 112/177 On many occasions, it simply qualifies those defects or defaults as a mere error to which no effect can be attributed. At other times, at the same time denies those non-compliances, admits the defects and claims that the improvement process developed has corrected them. He goes on to state that he does not claim that the information was perfect or that there were no errors, but that does not mean that there was any breach. This is the case, for example, in relation to the lack of uniformity of information offered; the confusion about the legal bases generated by the information offered by the data processing carried out based on legitimate interest and consent; information on the legitimate interest pursued and the processing of personal data carried out for commercial purposes covered by this legal basis; in relation to profiling; or in relation to the information provided on the exercise of rights and the period of data conservation. In general, CAIXABANK presents this supposed regularization as sufficient to prevent any type of responsibility from being demanded, without considering that it is substantive or substantive breaches that affect the validity of the information and basic principles of the protection of personal data. On the other hand, in its allegations to the proposed resolution, CAIXABANK refers as a priority to the question regarding the compression of the text, in relation to the use of imprecise terminology and vague formulations, although it is only one of the many highlights in the overview above. The aforementioned entity alleges that it has not proven that the expressions used are not clear and understandable for the “member target audience ” (Guidelines on Transparency), violating the principle of presumption of innocence, and provides the result of a survey and a user test carried out by an external and independent company that, according to CAIXABANK, certifies that Clients fully understand the information provided (the details of these jobs externalities are outlined in the Twelfth Antecedent). In this regard, it clarifies that By providing this evidence you are assuming a reversal of the burden of proof violator of their fundamental rights. These external studies were carried out through telephone surveys of 171 clients, the first, and 100 non-client users, the second. The first of these surveys consisted of reading to the respondent an extract from the Clause 8 of the "Framework Contract", to ask them later some questions about the same (...) In the second work, the user collection screens were transferred to consent, its dynamics and context, as well as the integrity of clause 8 of the “Contract Marco ”, simulating the experience of a signer of this document in an office. (…) CAIXABANK also provides a report from a company specialized in linguistics on the analysis made of two clauses of the "Framework Contract", one of them Clause 8, in which the recommendations made are minimal. With the result of this study and of those surveys, according to which a percentage average higher than 90% had understood that the information offered in the aforementioned Clause 8 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 113 113/177 included the content of the questions, CAIXABANK intends to respond, not only to the question concerning the use of imprecise terminology, but also many other breaches outlined in this Legal Basis, such as the lack of specification of the categories of personal data processed, the lack of information on the purposes and confusion of legal bases. This Agency does not share the approaches expressed by CAIXABANK in its allegations. In the preceding sections it has been demonstrated with sufficient rigor and detail that CAIXABANK does not comply with the established information requirements and that the Non-compliances found are not the result of mere errors, so the claim must be rejected. exemption from liability to CAIXABANK based on the alleged regularization of those mistakes, made by the one who invokes them. Regarding the lack of evidence on the non-understanding by clients of the texts analyzed, alleged by CAIXABANK, it is understood that this Agency has tested the use of the expressions that are cited in the corresponding section of this Legal Basis and has sufficiently substantiated the reasons why terminology and expressions used must be rejected. This conclusion is based on consolidated criteria, such as those expressed by the Group of Article 29 in its “Guidelines on transparency under the Regulations 2016/679 ” , which are known as CAIXABANK. The Article 29 Working Group will established under Directive 95/46 / EC on an advisory and independent basis, and whose Opinions and recommendations serve as an interpretive element in the matter that we occupies, admitted by jurisprudence. It is currently the European Committee for the Protection of Information about the body with competence to issue guidelines, recommendations and good practices in order to promote the consistent application of the GDPR. On the other hand, the use of these indeterminate expressions occurs throughout all the text of the documents that are analyzed, and not only in Clause 8 of the “Contract Marco ”, to which the studies provided by CAIXABANK refer. Therefore, The conclusions of these studies show nothing to the contrary regarding the lack of definition of the information offered, in general. It is not said here that the information provided is not fully comprehensible, since that obviously difficulties in understanding ambiguous expressions or Indeterminate affect the parts of the text in which they are used. But if it can be said that the understanding by the client of a part of the text of a document does not mean that understand all text in all documents. And it should also be noted that the information is not valid for the sole fact that is understandable. The studies provided do not refer to important aspects that are questioned in this resolution, whose understanding by clients does not modify the conclusions of this Agency and the consequences of non-compliance respective. This can be said, as an example, (i) in relation to the defects appreciated on the lack of information on the legal basis of the treatments: although the interested parties understand that their data will be provided to the Group companies, this circumstance does not overcomes the lack of information on the legal basis for this transfer of data; or (ii) regarding the use of personal data obtained from "the contracting and operations of products and services with third parties ” : the fact that the client understands that this data will be used does not C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 114 114/177 saves the lack of information on the categories of personal data that are collected and undergo treatment; or (iii) on the data processing mentioned in Clause 8 that have a purpose other than the three indicated in the repeated Clause 8: although the client understand these treatment activities, does not resolve that they are carried out without basis legal (as will be seen in the following Legal Basis). From a technical point of view, the work carried out indicates nothing about the selection of the sample of clients who were interviewed (only indicated that they have selected people who signed the "Framework Contract" in the last year); the statements of the questions are schematic, not precise and clarifying the content of the information, and They do not have as their object essential aspects, such as those related to profiles, their elaboration and utilization; and it is not acceptable for the survey to be conducted on an extract from the information, the content of which also does not exactly coincide with that of Clause 8 of the "Framework contract". It is, in short, a minimal survey compared to the purposes and data processing that are contemplated in the information provided by CAIXABANK to its clients in terms of data protection. Consequently, in accordance with the evidence presented, the facts described in this Legal Basis constitute a violation of the principle of transparency regulated in articles 13 and 14 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Agency for Data Protection. VII Articles 6 and 7 of the same RGPD refer, respectively, to the “Legality of the treatment ” and the “ Conditions for consent ”: Article 6 of the RGPD. "1. The treatment will only be lawful if at least one of the following conditions is met: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at his request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the person responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller of the treatment or by a third party, provided that the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to the treatment carried out by the public authorities in the exercise of their functions. 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to the treatment in compliance with the section 1, letters c) and e), setting more precisely specific treatment requirements and other measures to ensure lawful and equitable treatment, including other specific situations C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 115 115/177 treatment according to chapter IX. 3. The basis of the treatment indicated in section 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member States that applies to the controller. The purpose of the treatment must be determined in said legal basis or, in relation to the Treatment referred to in section 1, letter e), will be necessary for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for treatment. Said legal basis may contain specific provisions to adapt the application of rules of this Regulation, among others: the general conditions that govern the legality of the treatment by the person in charge; the types of data being processed; the interested affected; the entities to which personal data may be communicated and the purposes of such communication; the limitation of the purpose; the data retention periods, as well as the processing operations and procedures, including measures to ensure processing lawful and equitable, such as those relating to other specific treatment situations pursuant to the chapter IX. The law of the Union or of the Member States shall fulfill an objective of public interest and shall be proportional to the legitimate aim pursued. 4. When the treatment for a purpose other than that for which the personal data was collected is not based on the consent of the interested party or on the law of the Union or of the States members that constitute a necessary and proportionate measure in a democratic society to safeguard the objectives indicated in article 23, paragraph 1, the data controller, with in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected initially personal data, will take into account, among other things: a) any relationship between the purposes for which the personal data was collected and the purposes the planned further processing; b) the context in which the personal data was collected, in particular with regard to the relationship between the interested parties and the data controller; c) the nature of the personal data, specifically when special categories of data are processed personal data, in accordance with article 9, or personal data regarding convictions and offenses criminal, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization ”. Article 7 of the RGPD. "1. When the treatment is based on the consent of the interested party, the person in charge must be capable of demonstrating that he consented to the processing of his personal data. 2. If the consent of the interested party is given in the context of a written statement that is also refer to other matters, the consent request will be presented in such a way that it distinguishes clearly of the other matters, in an intelligible and easily accessible way and using clear and simple. Any part of the declaration that constitutes infringement of this will not be binding. Regulation. 3. The interested party will have the right to withdraw their consent at any time. The withdrawal of Consent will not affect the legality of the treatment based on the consent prior to its withdrawal. Before giving consent, the interested party will be informed of this. It will be so easy to remove the consent how to give it. 4. When assessing whether consent has been freely given, the fullest extent will be taken into account possible the fact whether, among other things, the performance of a contract, including the provision of a service, is subject to consent to the processing of personal data that are not necessary for the execution of said contract ”. In relation to what is established in the articles reviewed, the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 116 116/177 expressed in recitals 32 (already reviewed), 40, 41, 42 (already reviewed), 43, 44 and 47 (already cited in the previous Legal Basis) of the RGPD. From what is expressed in these recitals, the following should be noted: (43) To ensure that consent has been freely given, it should not constitute a valid legal basis for the processing of personal data in a specific case in the that there is a clear imbalance between the interested party and the controller, in particular when said person responsible is a public authority and it is therefore unlikely that the consent has been freely given in all the circumstances of that particular situation. I know presumes that consent has not been freely given when it does not allow the separate authorization of the different personal data processing operations despite being appropriate in the specific case, or when the performance of a contract, including the provision of a service, is dependent on the consent, even when it is not necessary for said compliance. (44) The processing must be lawful when necessary in the context of a contract or the intention to conclude a contract. It is also necessary to take into account the provisions of article 6 of the LOPDGDD: "Article 6. Treatment based on the consent of the affected party 1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, the term consent of the affected party any manifestation of free, specific, informed and unequivocal will by which he accepts, either through a declaration or a clear affirmative action, the treatment of personal data concerning you. 2. When it is intended to base the processing of the data on the consent of the affected party for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is given for all of them. 3. The execution of the contract may not be subject to the affected party consenting to the treatment of the personal data for purposes that are not related to the maintenance, development or control of the contractual relationship ” . In the present case, CAIXABANK contemplates in the “Framework Contract” that the clients the use of their personal data for the following purposes (excluding purposes referred to by said entity as "regulatory" ): 1. Manage business relationships: comply and maintain them, verify the correction of the operation, verify the identity of the signer, establishment and maintenance of commercial relations. 2. Sending information and updates about products or services similar to those that already have hired; personalize the customer's business experience across the channels entity based on previous uses, to offer you products and services that fit your profile, to apply benefits and promotions that we have in force and to which it has right, and to assess whether we can assign you pre-granted credit limits that may use when it deems appropriate. 3. Commercial purposes: . Offer and design of products and services adjusted to the client profile. . Commercial offer of products and services of CaixaBank and the Group Companies CaixaBank. . Transfer of data to third parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 117 117/177 4. Transfer of personal data to the companies of the CaixaBank Group. 5. Manage the client's signature and, where appropriate, verify the identity of the signer in successive operations, through the use of pattern contrast methods. This purpose is pursues through the processing of biometric data. In relation to these purposes, CAIXABANK refers to the fulfillment of the contractual relationship as a legitimate basis for the purposes indicated in number 1 previous; to the legitimate interest as a legal basis for the use of the data for the indicated purpose in section 2 above; and consent in relation to the purposes indicated in the section 3. CAIXABANK does not inform about any legal basis that enables data transfers to the companies of the CaixaBank Group. Information on the processing of biometric data was initially included in the “Framework contract” as a sub-section of section 7 ( “Treatment of data of character personnel based on the execution of contracts, legal obligations and legitimate interest and privacy policy ), but without clearly specifying the legal basis of the treatment; and currently they are protected by the consent of the interested parties. - Processing of personal data based on the consent of the interested parties contemplated in the “Framework Agreement” (clause 8) and “Consent Agreement”. In accordance with the above, data processing requires the existence of a legal basis that legitimizes it, such as the consent of the interested party validly given, necessary when there is no other legal basis than those mentioned in article 6.1 of the RGPD or the treatment pursues a purpose compatible with that for which the data were collected data. Article 4 of the RGPD) defines “consent” as follows: "11)" consent of the interested party ": any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a declaration or a clear action affirmative, the processing of personal data that concerns him ” . Consent is understood as a clear affirmative act that reflects a manifestation of free, specific, informed and unequivocal will of the interested party to accept the processing of personal data that concerns you, provided with guarantees sufficient so that the person in charge can prove that the interested party is aware of the fact that you consent and the extent to which you do so. And it must be given to all the treatment activities carried out for the same or same purposes, so that, when the treatment has several purposes, consent must be given for all of them in a specific and unequivocal, without the execution of the contract being subject to the fact that the affected consent to the processing of your personal data for purposes that are not related with the maintenance, development or control of the business relationship. In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which they are intended the data (informed consent). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 118 118/177 Consent must be freely given. It is understood that consent does not is free when the interested party does not have a true or free choice or cannot deny or withdraw your consent without suffering any harm; or when you are not allowed to authorize separate the different personal data processing operations despite being adequate in the specific case, or when the fulfillment of a contract or service provision is dependent on consent, even when it is not necessary for such compliance. This occurs when consent is included as a non-negotiable part of the general conditions or when the obligation to agree to the use of personal data additional to those strictly necessary. Without these conditions, the provision of consent would not offer the interested party a true control over your personal data and their destination, and this would make it illegal to treatment activity. The Article 29 Working Group analyzed these issues in its document "Guidelines on consent under Regulation 2016/679" , adopted on 11/28/2017, reviewed and approved on 04/10/2018. These Guidelines have been updated by the European Data Protection Committee on 05/04/2020 through the document “Guidelines 05/2020 on consent with according to Regulation 2016/679 ” (it keeps the parts that are transcribed then). In this document 5/2020 it is expressly stated that the opinions of the Article 29 (WP29) Working Group on consent remain relevant, provided they are consistent with the new legal framework, stating that these guidelines do not they replace previous opinions, but rather expand and complete them. From what is indicated in the document of the GT29 previously mentioned, it is interesting now highlight some of the criteria related to the validity of consent, specifically on the elements "specific" , "informed" and "unequivocal" : “3.2. Specific manifestation of will Article 6, paragraph 1, letter a), confirms that the consent of the interested party for the treatment of your data must be given "for one or more specific purposes" and that an interested party can choose with with respect to each of these purposes. The requirement that consent must be "specific" has in order to guarantee a level of control and transparency for the interested party. This requirement has not been amended by the GDPR and remains closely linked to the consent requirement "informed". At the same time, it must be interpreted in line with the 'dissociation' requirement for obtain "free" consent. In short, to fulfill the character of "specific" the data controller must apply: i) the specification of the purpose as a guarantee against deviation of use, ii) disassociation in consent requests, and iii) a clear separation between the information related to obtaining consent for the data processing activities and information related to other issues. Ad. i): In accordance with article 5, section 1, letter b), of the RGPD, obtaining consent Valid is always preceded by the determination of a specific, explicit and legitimate purpose for the planned treatment activity. The need for specific consent in combination with the notion of limitation of purpose contained in article 5, paragraph 1, letter b), functions as guarantee against the gradual extension or blurring of the purposes for which the treatment is carried out of the data once an interested party has given their authorization to the initial collection of the data. This phenomenon, also known as diversion of use, poses a risk to stakeholders already C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 119 119/177 which may lead to an unforeseen use of personal data by the person responsible for the treatment or third parties and the loss of control by the interested party. If the controller is based on article 6, paragraph 1, letter a), the interested parties must always give your consent for a specific purpose for the processing of data. In consonance with the concept of purpose limitation, with article 5, paragraph 1, letter b), and with the Recital 32, consent may cover different operations, provided that said operations have the same purpose. Needless to say, specific consent can only be obtained when the interested parties are expressly informed about the purposes envisaged for the use of the data that concern them. Without prejudice to the provisions on compatibility of purposes, consent must be specific for each purpose. The interested parties will give their consent understanding that they have control about your data and that these will only be processed for said specific purposes. If a responsible treats data based on consent and, in addition, you want to process said data for another purpose, you must obtain consent for that other purpose, unless there is another legal basis that better reflects the situation… Ad. ii) The consent mechanisms should not only be separated in order to comply with the "free" consent requirement, but must also comply with the consent requirement "specific". This means that a data controller seeking consent to several different purposes, it must facilitate the possibility of opting for each purpose, so that users can give specific consent for specific purposes. Ad. iii) Finally, the data controllers must provide, with each request for separate consent, specific information about the data that will be processed for each purpose, with the In order for the interested parties to know the impact of the different options they have. Of this Thus, data subjects are allowed to give specific consent. This question overlaps with the requirement that those responsible provide clear information, as stated above in section 3.3 ". "3.3. Informed expression of will… ” (this section 3.3 already outlined in the Basis of Previous right). "3.4. Unequivocal expression of will The RGPD clearly establishes that consent requires a declaration by the interested party or a clear affirmative action, which means that consent must always be given by an action or statement. It must be evident that the interested party has consented to an operation specific data processing ... A "clear affirmative action" means that the data subject must have acted deliberately to give your consent to that particular treatment. Recital 32 offers additional guidance on this point ... The use of already checked acceptance boxes is not valid under the GDPR. The silence or the inactivity of the interested party, or simply continuing with a service, cannot be considered as a active indication of having made a choice ... A data controller must also take into account that consent cannot be obtained through the same action by which the user agrees a contract or accepts the terms and general conditions of a service. Global acceptance of the general terms and conditions does not can be considered a clear affirmative action aimed at consenting to the use of data personal. The RGPD does not allow those responsible for the treatment to offer boxes marked previously or opt-out mechanisms that require the intervention of the interested party to avoid the agreement (eg "opt-out boxes") ... ”. Data controllers must design consent mechanisms so that are clear to stakeholders. They must avoid ambiguity and ensure that action by means of which consent is given is distinguished from other actions… ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 120 120/177 This document cites Opinion 15/2011 of the WG29, on the definition of the consent. Regarding consent as a manifestation of unequivocal will, in this Last Opinion indicates: “In order for consent to be unequivocally granted, the procedure for obtaining it and granting does not have to leave any doubt about the intention of the interested party when giving his consent. In other words, the manifestation by which the interested party consents must not leave room for any misunderstanding about your intention. If there is a reasonable doubt about the intent of the person will produce an equivocal situation. As described below, this requirement obliges data controllers to create rigorous procedures for people to give their consent… ”. “This example illustrates the case of the person who remains passive (eg, inaction or 'silence'). Clear consent does not fit well with procedures for obtaining consent to starting from the inaction or silence of the people: the silence or inaction of one party is inherently misleading (the interested party's intention could be assent or simply not perform the action) ”. “… Individual behavior (or rather, lack of action) raises serious doubts about the will according to the person. The fact that the person does not take a positive action does not allow conclude that you have given your consent. Therefore, it does not meet the consent requirement unequivocal". Furthermore, as illustrated below, it will also be very difficult for the person responsible for the data processing provide proof that shows that the person has consented ”. Clause 8 of the "Framework Contract" is dedicated to the "Treatment and transfer of data for commercial purposes by CAIXABANK and the CaixaBank group companies based in consent ” . This is what CAIXABANK generically calls "purposes commercial ” , including: (i) analysis, study and monitoring for the offer and design of products and services adjusted to the customer profile; (ii) commercial offer of products and services of CaixaBank and the CaixaBank Group Companies; (iii) and transfer of data to third parties. The consent of the interested party is the legal basis for the processing of their data personal for such purposes. The aforementioned Clause 8 describes these treatments as follows: "The detail of the uses that will be carried out according to your authorizations is as follows: (i) Detail of the analysis, study and monitoring treatments for the offer and design of products and services tailored to the customer profile. By granting your consent to the purposes detailed here, you authorize us to: a) Proactively carry out risk analysis and apply statistical technical data on their data and customer segmentation, with a triple purpose: 1) Study products or services that can be adjusted to your profile and specific business or credit situation, all to make commercial offers tailored to your needs and preferences, 2) Make the monitoring of products and services contracted, 3) Adjust recovery measures on the defaults and incidents derived from the products and services contracted. b) Associate your data with those of companies with which you have some type of link, both for their ownership and management relationship, in order to analyze possible interdependencies C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 121 121/177 economic in the study of service offers, risk requests and contracting of products. c) Carry out studies and automatic controls of fraud, defaults and incidents derived from contracted products and services. The treatments indicated in sections (i), (ii) and (iii) may be carried out in a automated and entail the elaboration of profiles, with the aforementioned purposes. To this Indeed, we inform you of your right to obtain human intervention in the treatments, to express their point of view, to obtain an explanation about the decision made based on the automated processing, and to challenge said decision. d) Carry out satisfaction surveys by telephone or electronic channel with the aim of assess the services received. e) Design new products or services, or improve the design and usability of existing ones, as well how to define or improve user experiences in their relationship with CaixaBank and the CaixaBank Group companies. (ii) Details of the treatments for the commercial offer of CaixaBank products and services and the CaixaBank Group companies. By granting your consent to the purposes detailed here, you authorize us to: Send commercial communications both on paper and by electronic or telematic means, relating to the products and services that, at any given time: a) CaixaBank or any of the CaixaBank Group Companies b) market other companies in which CaixaBank owns and third parties whose activities are included between banking, investment services and insurer, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charity-social. The signer will be able to choose at any time the different channels or means by which he wishes or not receive the indicated commercial communications through your digital banking, by exercising their rights, or through their management in the CaixaBank branch network ”. "(Iii) Transfer of data to third parties By granting your consent to the purposes detailed here, you authorize us to transfer your data to companies with which CaixaBank and / or the CaixaBank Group Companies have / n agreements, whose activities are included between banking, investment services and insurance, holding of shares, venture capital, real estate, roads, sale and distribution of goods and services, consulting, leisure and charity-social services, in order that these companies make you commercial offers of products marketed by them. In any case, once a transfer of data is produced by virtue of your authorization, the company receiving the communication would inform the signatory of the processing of their data and its origin ”. Likewise, the personal data of the clients who submit to the cited treatments: “A) All those provided in the establishment or maintenance of commercial or business relationships. b) All those generated in the contracting and operations of products and services with CaixaBank, with the CaixaBank Group Companies or with third parties, such as account or card movements, details of direct debits, payroll direct debits, claims derived from insurance policies insurance, claims, etc. c) All those that CaixaBank or the CaixaBank Group Companies obtain from the provision of services to third parties, when the service is intended for the signer, such as the management of transfers or receipts. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 122 122/177 d) Your status or not as a CaixaBank shareholder as recorded in the entity's records, or the entities that, in accordance with the securities market regulations, must carry the records of the values represented by book entries. e) Those obtained from the social networks that the signer authorizes to consult f) Those obtained from third parties as a result of requests for data aggregation requested by the signer g) Those obtained from the signer's navigations through the digital banking service and other websites of CaixaBank and the CaixaBank Group Companies or the CaixaBank mobile phone application and the Companies of the CaixaBank Group, in which duly identified operates. This data may include information related to geolocation. h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties. The data of the signer may be complemented and enriched by data obtained from companies providers of commercial information, by data obtained from public sources, as well as by data statistical, socioeconomic (hereinafter, "Additional Information") always verifying that these they comply with the requirements established in the current regulations on data protection ”. Based on this information, CAIXABANK limits the customer's options to the provision of your consent, separately, for each of the three purposes (i), (ii) and (iii) indicated. The summary of the statements made by the client in relation to these "Authorizations" is moved to the heading of the "Framework Contract", to the section relating to personal and economic data of the client, under the heading "Authorizations for the treatment of data ” . Here's an example: "Authorizations for data processing In the terms established in clause 8 and 9 of this Contract, your authorizations for the data processing are the following: Commercial purposes: . Purpose of studies and profiling: You have expressed your non-acceptance and consent to treatment of your data. . Purpose of communication of offers of products, services and promotions: You have expressed their non-acceptance and consent to contact for commercial purposes by any channel or medium, including electronic media. . Transfer of data to third parties: You have expressed your non-acceptance of the transfer to third parties of your data ” . Subsequently, from the checks carried out in the inspection carried out in date 11/28/2019 and the documentation provided by CAIXABANK with its written statement 11/20/2019, it is found that a fourth consent has been added, regarding the treatment of biometric data: "4. Use of my biometric data (facial image, fingerprint, etc.) in order to verify my identity and signature: This authorization will be complemented in each case with the registration of the data biometric to use at all times. In order to verify the identity / signature of your clients, Caixabank uses biometric recognition methods such as facial recognition systems, fingerprint reading and the like. Currently, some of our ATMs already allow you to operations using these methods. () Yes, I accept the use of my biometric data ( ) No". This Agency considers that said consents (four) do not meet the conditions for the expression of the interested party to be considered validly rendered, the that makes the data processing carried out by CAIXABANK illegal based on the consent of the interested party. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 123 123/177 The manifestation made by the client to give these consents may be considered an affirmative act, but not a manifestation of free, specific will, informed and unequivocal to accept the processing of personal data that concern, provided with sufficient guarantees to prove that it is aware of the fact that that you consent and to the extent that you do so. In this case, the consent cannot be considered free because with the signature of the contract, essential aspects related to the processing of their data are imposed on the client personal, reducing their ability to choose; How is the exchange of information that CAIXABANK performs with the entities that make up the CaixaBank Group, which will be analyzed later. On the other hand, as the mechanism for the provision of the consent, it has not been foreseen that the interested party expresses his option on all the purposes for which the data is processed. CAIXABANK carries out data processing that appears grouped in one of the purposes indicated, but that pursue a purpose other than those on which the interested party speaks. The list of treatments that said entity performs for each of the purposes on which the option is offered to the client to consent or not, in reality supposes an extension of the purposes, so the consent given cannot be considered specific as it has not been dissociated sufficiently requests for consent. CAIXABANK considers that the group of consents included in the clause 8 is adequate and that all the treatments included in it are nuances of the same profiling, as can be seen with the convenient debuggers. This Agency does not share that opinion. It is discussed in section (i) about treatments for "the offer and design of products and services adjusted to the client profile" , on which the customer speaks. However, purposes such as “adjust measures recoveries on defaults and incidents derived from products and services contracted ” , “ analyze possible economic interdependencies in risk requests and contracting products " , " assessing the services received " or " designing new products or services, or improve the design and usability of existing ones, as well as define or improve the experiences of users in their relationship with CaixaBank and the Group Companies CaixaBank ” . Section (ii) groups the shipment in a single statement of will of the interested party of commercial communications related to CAIXABANK products and services, the CaixaBank Group companies and third parties. Consent must be given for all processing activities carried out with the same or the same purposes and, when the treatment has several purposes, the consent for all of them, although through a manifestation of expressed will for each of the purposes separately or differently, allowing the interested party to choose for choosing all, a part or none of them. As expressed in Recital 43, no consent can be understood to have been freely given by not being allowed to "authorize separately the different personal data processing operations despite being appropriate in the specific case ” . Recital 32 states that "consent must cover all processing activities carried out for the same purpose or purposes. When the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 124 124/177 processing has multiple purposes, consent must be given for all of them ” . “When the data processing is carried out for several purposes, the solution to meet with the conditions of valid consent lies in the granularity, that is, the separation of these purposes and obtaining consent for each purpose ” (Guidelines of the GT29). Understand that the provision of consent for those purposes implies the acceptance of all the treatments that are included within such purposes, when in In reality some of these treatments pursue different purposes, as has been said, not meets this requirement of separation of purposes and provision of consent for each one of them. In relation to the incorrect grouping of consents, a separate mention requires the indication contained in Clause 8 in relation to the first three treatments that are listed in section (i), according to which these treatments may be carried out in an automated manner and entail profiling. It is obvious that these Automated treatments require an explicit client consent that is not collected in legal form. Furthermore, the consent given is not considered informed. It has already been said here the importance of providing information to data subjects before obtaining their consent, essential so they can make decisions having understood what you are authorizing. Yes the person in charge does not provide accessible information, the user's control will be illusory and the Consent will not constitute a valid basis for the processing of the data. What is stated in Law Foundation IV, on the objections observed in the information that CAIXABANK provides regarding the protection of personal data, they equally affect the consent that could have been given. For this purpose, the observations or objections made in said Legal Basis on language employee, unclear and indeterminate information about data processing personal and the lack of a clear and intelligible formulation of the purposes for which will be used, as well as the lack of information on the specific categories of data that They will be treated for each of the specified purposes. These deficiencies prevent the interested parties from knowing the meaning and real meaning of the indications provided and the real scope of the consent they could give, making it invalid as it is not an informed consent, in relation to the data collection operations or data processing in respect of which appreciated those defects in the information, including the treatment of those data that have not been provided directly by the interested party or are not necessary for the compliance with the contractual relationship that binds you with the entity. The lack of information is evident if the process enabled by CAIXABANK to collect customer consents for the treatment of their personal data, either in person at the entity's offices, through the web portal (for new clients or through the personal area enabled on the web) or the application mobile. These procedures are outlined in detail in the Background of this act and in the Proven Facts. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 125 125/177 It is worth highlighting the collection of consents carried out in person at the entity's offices, which is formalized with the signing of the “Framework Contract”. CAIXABANK has introduced several modifications to this mechanism since the entry into force of the GDPR. In May 2018 (as stated in CAIXABANK's response dated 05/16/2018), the respective expressions of will of the interested party were expressed verbally in an employee-led interview, who fills in the options by checking the boxes corresponding on the respective screen, which are recorded in the document ("Framework Contract") that is printed later, when the client has already spoken. It is proven that the verbal statements of the client expressing their options about the treatments and purposes indicated, as well as the signing of the document, are carried out without that he has had access to the information contained in the "Framework Contract". Subsequently, according to CAIXABANK, the entire network of digitizing tablets, enabling the "Framework Contract" and the "Contract Consents ”are signed, not on paper, but on the tablet itself. The "Framework Agreement" is subscribed by the client without having access to the document, which is to say that he lends his consent without CAIXABANK providing you with any information. (…) In the inspection carried out at CAIXABANK on 11/28/2019, a new change in the process described above, consisting of arranging for the delivery of a digital tablet the client so that he himself can mark the corresponding consent options, but does not modify the above circumstances. The system guides the manager throughout the process, advising him to consult the client their preferences and physically provide the tablet so that the client can proceed to mark your options. Once the preferences have been marked, the terminal itself tells you that These preferences have been registered and invites you to return the device to the manager (once Once the options have been selected by the customer, the indication "Mode Tablet ” and the following is stated: “ Your consents have been indicated. Thank you for your collaboration. Please return the Tablet to your manager ” ). Subsequently, “the manager finalizes and consolidates the document and facilitates it for the client to sign ” . The “Tablet Mode. Client ” do not contain any link to the information on the protection of personal data contained in the "Framework Agreement". During the registration process through the web, the system displays a screen that allows to the client to mark the options "Yes" or "No" for each one of the consents that are they request. This screen includes a symbol (i) that leads to another screen with a message on the information on data protection and a link that leads to it. However, the information offered is insufficient because it only collects the corresponding to clause 8 "Treatment and transfer of data for commercial purposes by CaixaBank and companies of the CaixaBank Group based on the consent ” of the Contract Framework. In this case, according to CAIXABANK, the signature screen includes a box to check "I have read and accept the contract" . The same objection about the information offered presents the process enabled for the provision of consents in the client's private space on the “Caixabank C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 126 126/177 Now ”and when he uses the mobile application, which redirects to the web portal. These processes do not ensure that the interested party accesses the information in a prior to selecting your consents and signing the document in all cases, which it occurs both in relation to the “Framework Agreement” and the “Consent Agreement”. Therefore, all the detailed treatments whose legal basis comes from determined, as expressed by the CAIXABANK entity itself, by the consent of the interested parties. On the issue analyzed in this section, regarding data processing based on the consent of the interested parties, CAIXABANK, in its writing of allegations to the proposed resolution, is limited to stating that the consents obtained are free, specific, unequivocal and sufficiently informed. Points out simply that the client has the absolute freedom to grant them or not, without consequences negative associated and without conditionalities, that there is no combination of different purposes under the same consent, and that the interested party gives their consent by affirmative action. However, it omits any justification for the irregularities that have been detailed and that support the conclusion on the lack of legal basis of the treatments that CAIXABANK performs based on consent. Faced with the important objections mentioned in relation to the treatments of data that pursue a purpose other than those on which the interested party lends his consent, CAIXABANK states that in Clause 8 of the "Framework Contract" and in the "Consent Agreement" breaks down the only three activities, three purposes, which are carried out under the protection of consent (the profiling of data to offer customers products that may be of interest to you; the choice of the communication channel of the offers; and the possibility of transferring the data to third parties). And he adds that those treatments on that the client has no opportunity to comment are not carried out (he does not say which ones), or are protected by another legal basis, or are simpler and more limited than the AEPD understands. It qualifies as an "error" that does not break the principle of specificity the fact of including within the examples some treatment operations that should have been included in other legal bases, among the treatments that are carried out based on the execution of the contracts or in compliance with laws. It adds that it has been corrected in the New Policy of Privacy including those activities in their respective and correct epigraphs (treatments in execution of a contractual relationship or by legal obligation). In this regard, in its fourth claim, when referring to the information on the profiling, also alleges this "error" and lists the processing operations which, in his opinion, have nothing to do with consent: “- To monitor the products and services contracted, which is clearly a treatment necessary for the execution of the contractual relationship as established in art. 6.1.b) - Adjust recovery measures on defaults and incidents derived from products and contracted services also clearly a necessary treatment for the execution of the relationship contractual as established in art. 6.1.b) - Associate your data with those of companies with which you have some type of link, both because of their relationship C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 127 127/177 property, as well as administration, in order to analyze possible economic interdependencies in the study of service offers, risk requests and product contracting, which is a Treatment necessary for the execution of the contractual relationship as established in art. 6.1.b), and mandatory to comply with Law 10/2014, of June 26, on Regulation, Supervision and Solvency of Credit Institutions, Law 44/2002, on Measures of Reform of the Financial System and others obligations and principles of the regulations on responsible lending, and whose detail is reported in the product requests that customers subscribe when requesting their hiring. - Carry out studies and automatic controls of fraud, defaults and incidents derived from products and services contracted, which is clearly a treatment based on the legitimate interest of CaixaBank, as established in art. 6.1.f), an interest that is summarized in the interest of avoiding fraud that suppose economic or reputational losses. - Conduct satisfaction surveys by telephone or electronic channel in order to assess the services received, which is a necessary treatment for the execution of the contractual relationship As established in art. 6.1.b), and linked to the authorization for the use of the specific channel. - Design products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank and the Group Companies CaixaBank, which is a treatment that is not carried out with personal data, if not by analyzing statistics and data added after anonymization processes ” . With this allegation it is being recognized that these operations have purposes other than those expressed in Clause 8 of the "Framework Contract" and in the "Contract of Consents ”under which are grouped the consents on which the client, and also that it is not true that the treatment activities mentioned in those documents can be grouped into the only three purposes that are broken down. Yes These treatments could have a legal basis other than consent, it is clear that They are different treatments and they pursue different purposes. This is evident if We consider that all the treatments to which CAIXABANK refers in its allegations, those collected in the previous list, are linked in Clause 8 of the "contract Marco ”to “ Data processing for commercial purposes by CAIXABANK and the companies of the CaixaBank Group ” , and “ the uses to be made ” are described as “ Treatments of analysis, study and monitoring for the offer and design of products and services adjusted to customer profile ” . There are, in addition, other data processing to which CAIXABANK does not refer in their allegations and that also require the consent of the interested party so that they can be carried out, such as the exchange of information with the companies of the Group. These are substantive defects, which affect the basic principle of the legality of the treatment. Therefore, CAIXABANK's approach, which claims avoid the liability that such non-compliance entails by alleging a mere error not reprehensible. Furthermore, this Agency does not agree that no effect can be attributed to this important irregularity, as CAIXABANK claims, assuming that the activities of processing of the data listed could find protection in another legal basis other than the consent. On the one hand, inaccurate information is being provided to interested parties about the legal bases on which the corresponding treatments are legitimized, which, undoubtedly, it affects the knowledge and expectations that stakeholders may have regarding the rights that correspond to them based on the different legal bases C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 128 128/177 involved and, ultimately, the control they can exercise over your personal data. So by For example, if an interested party does not consent to these treatments. On the other hand, it would be necessary, as has been seen here, a thorough analysis of all the concurrent circumstances in relation to the treatments intended to assess the relevance of the new legal basis that CAIXABANK indicates in its allegations, so that the alleged reasons cannot be given for good. This is evident in relation to the treatments that now, in their allegations, CAIXABANK intends to base on the legitimate interest of the person in charge (“ Carry out studies and automatic controls of fraud, defaults and incidents derived from the products and contracted services ” ) . Accepting this approach would be as much as admitting an interest legitimate occurrence, or later, with respect to which the requirements have not been respected provided for in the personal data protection regulations, in particular the obligation to weigh the rights and interests at stake, and about which is not informed in the Policy of Privacy. CAIXABANK also alleges that the treatments it performs to " Design products or services, or improve the design and usability of existing ones, as well as define or improve the experiences of users in their relationship with CaixaBank and the Group Companies CaixaBank ” , are not carried out with personal data, but rather by analyzing statistics and data added after anonymization processes. But it does not take into account that this activity involves two treatments, the one that gives rise to anonymous information (anonymization itself), subject to data protection regulations, and the treatment that is carry out with the data already anonymized, excluded from said regulations. So, also in In this case, it is necessary to have a legal basis to protect these data processing. It has been the CAIXABANK entity itself that arranged, in the design of its treatment operations, protect the aforementioned treatments in the consent above and is obliged, consequently, to comply with the demands that this entails. About the process enabled to grant consent in person at the office, reiterates that, after giving the consents (or not), the client accesses the full text of the contract so that you can read and review it, so that you may not ratify your choice and "Go back" . Finally, it points out that the AEPD omits the analysis of the process of collecting consents in the non-face-to-face channel (online banking) that he reviewed in the same inspection, in which it was demonstrated that the customer must necessarily access the information before giving consent. In relation to this issue, CAIXABANK does not take into account that the process for formalization of the “Framework Agreement” or the “Consent Agreement, and with it the provision of consent in person, has followed different operations throughout of the analyzed period. As has been stated, the provision by the client of the Consents requested by CAIXABANK, including the signing of the aforementioned documents, will be carried out without the information on the protection of personal data being made available customer's disposal. Even during the process called "Tablet Mode", which is refer the allegations, the client gives consent without receiving that information previously. This does not occur, as stated above, in the process of collecting C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 129 129/177 Consents during the registration process through the web and in the enabled mechanism in the client's private area on the “Caixabank Now” website. In this case, the information is offers the client before they check the options provided, but only the information corresponding to Clause 8 of the "Framework Contract", not all the information. These conclusions about the registration process through the web and the personal area of the clients were already exposed, in the same terms, in the resolution proposal. No It is understood, therefore, that CAIXABANK alleges that the AEPD has omitted the analysis of these consent collection processes. - b) Other processing of personal data based on the consent of the interested parties included in the "Consent Agreement". About the document called "Consent Agreement" serve all the observations and objections made in relation to Clause 8 of the “Framework Contract”, by the similarity of their contents and of the consent collection process, according to been exposed. However, it is worth highlighting two issues in relation to the “Contract of Consents ”or document of“ Authorization / revocation for the processing of data from personal character for commercial purposes by CaixaBank, SA and group companies CaixaBank ” : 1. The information offered to the interested party is less than that offered in the "Framework Contract", since access is only given to a text similar to that of Clause 8 of said Contract. 2. Another matter from which personal data processing without the consent of its holders have to do with the association of data of CAIXABANK clients with the of other clients with whom he has some kind of relationship, family or social, "for the purpose of analyze possible economic interdependencies in the study of service offers, risk requests and product contracting ” . This linking of customer data with personal data of third parties, which was added in the 3rd version of this document in the authorization (ii) of the section corresponding to purpose 1 ( “Analysis treatments, study and monitoring for the offer and design of products and services adjusted to the profile of client ” ), it cannot be carried out on the basis of the pronouncement that the client, who is not the owner of the data in question (it is personal data of third parties that are associated with customer data). - c) Processing of personal data based on the consent of the interested parties included in the "Social media contract". In relation to the processing of data obtained from social networks, they weigh objections to the consent given and the purposes intended with the treatment. In addition, the client consents through a single act and does so for treatments of data for various purposes: From the personal area of online banking, the client consents that CAIXABANK C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 130 130/177 Access and use information from social networks. The tool enabled for this requests the client that selects the network (Facebook, Twitter and LinkedIn), offers the information arranged by the entity in a text box and requires the interested party to press the button enabled with the text "Accept and continue . " With this single action, the client gives his consent to the collection of the personal data mentioned in that information, to the treatments that are detailed and for the different purposes indicated (this information consists of reproduced in full in Annex III): "By clicking on the" Accept and continue "button, you expressly consent that CaixaBank… incorporate the following personal data into files… with the purposes of a) contact you and send you commercial communications by electronic means related to products and services and / or any others that currently or in the future markets CaixaBank, and related to products and services of third parties whose activities are included in those indicated in the following section. b) communicate the data provided by you to Caixabank, SA, with NIF…, address at Av. Diagonal 621 08028 in Barcelona, and to companies and entities whose capital CaixaBank participates directly or indirectly, so that they can direct you commercial communications on paper and by electronic means about the products and services of their respective activities, including banking, investment and insured services, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charity-social, as well as the communication of your data by said entities to Caixabank, for the purposes set forth in section a) above. c) validate, by the Customer Service in social networks, the data identification that you provide to the same, in order to meet the requests that You direct him. d) validate your identification data when you access other applications of CaixaBank through your Username (Twitter), your User ID (Facebook) or your registered User (Linkedin). e) contact you in the event that it was detected or there were founded suspicions in relation to a possible fraud or impersonation of your identity or activity in social networks, or in the use of CaixaBank channels or applications. Likewise, you expressly consent to CaixaBank's access to those contents and information that you have decided to make public at all times (and, where appropriate, to those contents and information whose access you have specifically allowed) in the social networks indicated, as well as the communication of the aforementioned information, to the companies and entities indicated in section b) above, for their treatment with the following purposes: (i) customization of commercial offers. (ii) profiling and segmentation based on the public information of your profile, in order to recommend and offer you the products and services that best suit your their preferences and needs ”. It is significant that some of the purposes are similar to those mentioned in the Clause 8 of the "Framework Agreement" and the "Consent Agreement" ("Authorization / revocation") for which CAIXABANK provides that the interested party provide their specific consent and, instead, for the processing of personal data obtained of social networks the interested party consents to all treatments and for all purposes C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 131 131/177 by means of a single action, pressing the button enabled with the text “Accept and continue” . Another relevant issue has to do with the communication of data to companies and entities in whose founding capital CaixaBank participates directly or indirectly (in this In this case, it does not speak of the CaixaBank Group of companies, nor does it detail which companies it refers to), which also requires a specific statement from the interested party so that CAIXABANK can carry it out. Likewise, the fact that the consent obtained in relation to with the information obtained from social networks include data communications by the entities indicated in the paragraph before CAIXABANK. No comment includes CAIXABANK on the above circumstances in relation to with the "Social media contract", except for the indication that it was a project that did not have success and unsubscribed. - d) Processing of personal data based on the consent of the interested parties included in the "Aggregation service contract". The same can be said for the aggregation service. This service is provided by CAIXABANK at the request of the interested party and is formalized by signing the contract correspondent. In relation to the consent to the processing of data that the interested party provided with the hiring of this service weigh the same objections. Also in this case the client consents through a single act and does so for data processing with various purposes. The purpose of the relationship is to allow the contractor to manage and display on positions and movements of the products and services that it maintains with other financial entities. However, in accordance with the clauses provided in the model of the contract prepared by CAIXABANK, the signing of the document entails the provision of the Customer consent for data processing for different purposes, some of the which are presented as if it were the pure object of the contract, although they are more beyond the expressed object, with which they are not related. Thus, in section 2 of the Contract, in which its object is defined, it is indicated that the said service "also" aims, based on the aggregated information, "the personalization of commercial offers adjusted to the profile and situation of the contractor by from CaixaBank; the improvement of risk analysis and suitability for contracting products and services requested by the contractor; and the improvement of the management of defaults and incidents derived from the products and services contracted ”. Likewise, section 11 reports on two more purposes: a) the personalization of commercial offers adjusted to the profile and situation of the contractor by part of CaixaBank, in relation to its own products or those of third parties marketed by it. b) Conduct satisfaction surveys by telephone or electronic channel with the aim of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 132 132/177 to assess the services received by CaixaBank ”. In this case, the interested party is warned that these are additional purposes that must expressly consent (it is expressed as follows: “Additionally, in the event that there is expressly consented, the data obtained may be processed with the following purposes… ” ). Considering the mechanisms enabled by CAIXABANK to provide the consent to which this clause refers, we understand that it refers to the expressions of will obtained through the "Framework Contract" or through the "Contract of Consents ”, and the objections to the consents obtained have already been indicated through these documents. In addition, in relation to what is expressed in the service contract of aggregation, it should be added that neither of these two documents consent of the client for the personalization of commercial offers adjusted to the profile and situation of the contractor by CAIXABANK, in relation to third-party products marketed by this entity. Therefore, CAIXABANK has not provided for the provision of the consent for the purpose a) indicated above in relation to third-party products. On the other hand, it should be noted that the purposes and treatments on which informs the aggregation service contract do not make any reference to the companies of the CaixaBank Group. Therefore, with the signing of this contract, it cannot be understood that the consent for the purposes indicated in the "Framework Contract" and in the "Contract of Consents ”, which include the use by those companies of the data collected on the occasion of this service. It is therefore an illegal communication of data. Finally, it is interesting to highlight one more observation about the object of the aggregation. According to the contract, this service is intended to manage and display information on positions and movements of products that the interested party maintains in other entities. However, despite this description of the object and the term "management" that is included, it is noted in the same document that the service does not allow operations or transactions on the products of third parties and that the provision of the same will be reflected in the possibility of the contractor to visualize through the bank digital aggregated information. Considering this limitation of the object, the data that is collected and the use that is intends to perform, it could be understood that the aggregation service rather seems to It was designed for the collection of information by the responsible entity. Even more so We consider that the contract itself provides that non-acceptance or subsequent opposition to the Processing of your data for the detailed purposes implies that CAIXABANK “will not be able to or (in your case) you must stop offering the aggregation service ” and that, in the event that the data are processed with the consent of the interested party, they may be processed as long as the consent, even after the contractual relationship has ended. CAIXABANK denies this observation, alleging that the Agency has not understood the nature of this service, which is provided for in the payment regulations and serves not to deposition the entity with respect to new actors. However, that conclusion is not It results from analyzing the nature of this service, but from the purposes, especially commercial or advertising, and the elaboration of profiles that were imposed as the object of the contract. That same payment regulation cited by CAIXABANK establishes the prohibition of use personal data for purposes other than the provision of the service. The Royal Decree- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 133 133/177 Law 19/2018, of November 23, on payment services and other urgent measures in the field financial, refers to the rules of access to information related to payment accounts and to the use of that information. Specifically, in its article 39.1.f) it provides the following: "Article 39. Rules for access to information on payment accounts and use of such information in case of account information services. 1. The payment service provider that provides the account information service: f) will not use, store or access any data, for purposes other than the provision of the service of information about accounts expressly requested by the user of the payment service, in accordance with the rules on data protection ” . In relation to the Aggregation Service Contract, and also with the Terms of Social Networks, CAIXABANK has indicated that the signing of these documents is complementary to the "Framework Contract", which in these additional documents does not obtain a new consent, which is granted in the "Framework Contract". This does not agree with what is expressed in those documents and in the "Contract Framework". This contract does not require the provision of any consent for the treatment of these data, but is limited to reporting on the use of data obtained from social networks and the aggregation service that the interested party has authorized. That authorization can only be provided by accepting the Social Media Terms and the signing of the Aggregation Service Contract in the manner indicated above. Specifically, the "Framework Agreement" indicates the following: " The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the offer commercial products and services will be: e) Those obtained from the social networks that the signer authorizes to consult f) Those obtained from third parties as a result of requests for data aggregation requested by the signer ”. Finally, it is interesting to note that the new Aggregation Service Contract does not includes the performance of data processing for the purposes indicated. Regarding commercial purposes, refers to the authorizations that the client has granted and advises on the possibility of managing them in the office, through digital or mobile banking. On the other hand, there is no evidence that the references contained in the "Contract Marco ”to the use of data obtained from this service have been adapted to changes in the Aggregation Service Contract. - Other processing of personal data without legal basis On the other hand, there are other data treatments that appear in the information that CAIXABANK facilitates its clients that they are carried out without any basis of legitimacy: As detailed in the previous Legal Basis, CAIXABANK uses data personal ( "movements", "receipts", "payroll", "claims" and "claims" ) generated in the contracting and operation of products and services contracted by the interested party with third parties ( “All those generated in the contracting and operations of products and services… with the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 134 134/177 Companies of the CaixaBank Group or with third parties ” ). It follows that CAIXABANK, under the condition of data controller, collects and uses personal data that it does not obtain directly from the interested parties. Is about personal data from third parties that CAIXABANK uses for the purposes expressed in the information provided to the interested parties. There is no legal basis that legitimizes the use of these personal data. CAIXABANK is not the entity responsible for this data obtained from third-party products, which limits the possibility of using the information in question for their own purposes. Also in relation to this question it is necessary to take into account the limitations on the use of personal data imposed by Royal Decree-Law 19/2018 cited above. In its article 65 it expressly refers to the protection of personal data in the following terms: "Article 65. Data protection. 1. The treatment and transfer of data related to the activities to which this real refers decree-law are subject to the provisions of Regulation (EU) 2016/679 of Parliament Council, of April 27, 2016, regarding the protection of natural persons in the regarding the processing of personal data and the free circulation of these data and by which repeals Directive 95/46 / CE and in the Spanish data protection regulations, and in the regulations national that develops it ”. - Processing of personal data based on the legitimate interest of the person in charge The analysis of this issue must initially take into account the provisions of the Article 1.2 of the RGPD, according to which “This Regulation protects the rights and fundamental freedoms of natural persons and, in particular, their right to protection of personal data ” . For this, all the circumstances that surround the collection and processing of data and the way in which they are fulfilled or reinforced the principles, rights and obligations required by the data protection regulations of personal character. Article 6 of the RGPD requires that the processing of personal data, to be lawful, can be protected by any of the bases of legitimacy that it establishes and that the responsible for the treatment is able to demonstrate that, indeed, it concurred in the processing operation the legal basis that it invokes (article 5.2, principle of proactive responsibility). The legal bases of the treatment that are detailed in article 6.1 RGPD are related to the broader principle of legality of article 5.1.a) of the RGPD, precept which provides that personal data will be treated " lawfully, loyally and transparently in relationship with the interested party ”. In relation to the legal basis of the legitimate interest, invoked by CAIXABANK to the treatments described, the aforementioned article 6 establishes: "1. The treatment will only be lawful if at least one of the following conditions is met: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 135 135/177 f) the treatment is necessary for the satisfaction of legitimate interests pursued by the controller of the treatment or by a third party, provided that the interests or the fundamental rights and freedoms of the interested party that require the protection of personal data, particularly when the interested party is a child ... ”. Recital 47 of the RGPD specifies the content and scope of this base legitimizing the treatment. The interpretive criteria that are extracted from this Considering are, among others, (i) that the legitimate interest of the controller prevails over the interests or rights and freedoms fundamentals of the data owner, in view of the reasonable expectations that the latter has, based on the relationship it maintains with the person responsible for the treatment; (ii) will be it is essential that a “ meticulous evaluation ” of the rights and interests at stake be carried out, also in those cases in which the interested party can reasonably foresee, in the moment and in the context of the data collection, that the treatment with such an end; (iii) the interests and fundamental rights of the owner of the personal data could prevail over the legitimate interests of the controller when the data is processed is carried out in such circumstances in which the interested party " does not reasonably expect" that a further processing of your personal data is carried out. It should be added that the interested party, in all cases, can exercise the right to opposition, which also involves a new evaluation of the interests of the controller and owner of the data, except in cases of commercial prospecting, in which the exercise of the right forces to interrupt the treatments without any evaluation (article 21.3 of the RGPD). It is interesting to highlight some aspects collected in Opinion 6/2014 prepared by the Article 29 Working Group on the “ Concept of legitimate interest of the person responsible for the processing of data under article 7 of Directive 95/46 / CE ", dated 04/09/2014, especially the factors that can be valued when the mandatory weighing of the rights and interests at stake. Although Opinion 6/2014 was issued to favor a uniform interpretation of Directive 95/46 then in force, repealed by the RGPD, given the almost total identity between its article 7.f) and article 6.1.f) of the RGPD, and that the reflections offered are an example and application of principles that inspire also the RGPD, such as the principle of proportionality, or general principles of the Community law, such as the principles of equity and respect for the law and the law, many of his reflections can be extrapolated to the application of current regulations. As indicated, so that section f) of article 6.1. RGPD may constitute the legitimizing basis for the processing of personal data that is carried out, mandatory, and prior to the treatment, a weighting, an “evaluation meticulous ” , of the rights and interests at stake: the legitimate interest of the person responsible for the treatment, on the one hand, and on the other, both the interests and the rights and freedoms fundamentals of those affected. Weighting that is essential, because only when I eat As a result, the legitimate interest of the data controller prevails over the rights or interests of the owners of the data may operate as legal basis of the treatment of the aforementioned interest. Regarding the weighting test, the repeated Opinion indicates the following: "The legitimate interest of the person responsible for the treatment, when it is minor and not very pressing, in general, only nullifies the interests and rights of data subjects in cases where the impact on these C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 136 136/177 rights and interests are even more trivial. On the other hand, an important and compelling legitimate interest may, in some cases and subject to guarantees and measures, justify even a significant intrusion into privacy or any other significant impact on the interests or rights of the interested parties. Here it is important to highlight the special role that guarantees can play in reducing a undue impact on data subjects and therefore to change the balance of rights and interests to the extent that the legitimate interest of the data controller prevails. By Of course, the use of guarantees alone is not sufficient to justify any type of treatment in any context. Furthermore, the guarantees in question must be adequate and sufficient, and must, unquestionably and significantly, reduce the repercussion for the interested parties ” . The aforementioned Opinion refers to the multiple factors that can operate in the weighting of the interests at stake and groups them into these categories: (a) the evaluation of the legitimate interest of the controller, the nature and source of legitimate interest and if the data processing is necessary for the exercise of a right fundamental, is otherwise in the public interest or benefits from recognition of the affected community; (b) the impact or repercussions on data subjects and their reasonable expectations about what will happen to your data ( “what a person considers reasonably acceptable under circumstances ” ), as well as the nature of the data and the way in which they are processed; underlining that the claim is not that the data processing carried out by the responsible does not have any negative impact on the interested parties but prevent the impact is “ disproportionate ”; (c) the provisional equilibrium and (d) additional guarantees that could limit an undue impact on the interested party, such such as data minimization, privacy protection technologies, increased transparency, the general and unconditional right to opt-out and the data portability. First of all, the Opinion underlines that the implication that the person responsible for the treatment may have in the data processing carried out is that of "interest", which is already referenced in the previous Legal Basis to indicate that it is related to purpose, but it is a broader concept ( “purpose is the specific reason why process the data: the purpose or intention of the data processing. One interest for another On the other hand, it refers to a greater involvement that the controller may have in the treatment, or the benefit that the controller obtains from the treatment ” ). It is also broader than that of fundamental rights and freedoms, hence, regarding those affected are weighed not only their fundamental rights and freedoms, but also their "Interests" . According to GT29, “an interest must be articulated with sufficient clarity to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be pursued by the controller. This requires a real and current interest, which is corresponds to present activities or benefits that are expected in a very future next. In other words, interests that are too vague or speculative are not they will be enough ” . In addition, the "interest" of the data controller, as established in article 6.1.f) of the RGPD and before article 7.f) of the Directive, it must be "legitimate" , which means, says the Opinion, which must be "lawful" (respectful of applicable national and EU legislation). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 137 137/177 However, the WG29 adds that “The legitimacy of the interest of the data controller it is only a starting point, one of the elements that must be analyzed under article 7, letter f). Whether Article 7, letter f) can be used as a legal basis or not will depend the result of the next balancing test ”; "If the interest pursued by the controller is not compelling, it is more likely that the interest and rights of the interested party prevail over the legitimate - but less important - interest of the responsible for the treatment. Similarly, this does not mean that less interest compelling of the data controller cannot sometimes prevail over the interests and rights of the data subjects: this normally happens when the impact of the treatment about stakeholders is also less important ” . And exposes the following example: "Serve as an example: those responsible for the treatment may have a legitimate interest in knowing the preferences of your customers so that this allows them to better personalize their offers and, ultimately term, offer products and services that better respond to the needs and desires of your customers. In light of this, Article 7 (f) may constitute an appropriate legal basis in some types of market activities, online and offline, provided that adequate guarantees (including, but not limited to, a viable mechanism that allows to oppose the treatment by virtue of article 14, letter b), as will be explained in section III.3.6 The right to object and beyond). However, this does not mean that data controllers can refer to article 7, letter f), as a legal basis for improperly monitoring online and offline activities of your customers, combining huge amounts of data about them, from different sources, which were initially collected in other contexts and for different purposes, and create -and, for For example, with the intermediation of data brokers, also trade with them - complex profiles of the personalities and preferences of customers without their knowledge, without a viable mechanism of opposition, not to mention the absence of informed consent. It is likely that said profiling activity represents a significant intrusion on customer privacy and, When this happens, the interests and rights of the interested party will prevail over the interest of the responsible for the treatment ” . Ultimately, the concurrence of said interest in the data controller does not necessarily means that article 6.1 f) RGPD can be used as a basis legal treatment. Whether or not it can be used as a legal basis it will depend on the result of the balancing test. In addition, the treatment must be that necessary to satisfy the legitimate interest pursued by the person in charge, so that less invasive means are always preferred to serve the same purpose. Need means here that the treatment is essential for the satisfaction of the aforementioned interest, so that, if said objective can be achieved reasonably otherwise less impactful or intrusive, the interest legitimate cannot be invoked. The term “ need ” used in article 6.1 f) of the RGPD has, in the opinion of the CJEU, a own and independent meaning in Community legislation. It is a " concept autonomous community law ” (STJUE of 12/16/2008, case C-524/2006, section 52). On the other hand, the European Court of Human Rights (ECHR) has also offered guidelines for interpreting the concept of need. In section 97 of its Judgment of 03/25/1983 states that the " necessary adjective is not synonymous with" indispensable "nor does it have the flexibility of the expressions “admissible,“ ordinary ”,“ useful ”,“ reasonable ”or“ desirable ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 138 138/177 On the impact or repercussion that the data processing has on the interests or fundamental rights and freedoms of the interested parties, indicates that the more "negative" or “Uncertain” may be the impact of treatment, it is more unlikely than treatment in its set may be considered legitimate. “The Task Force makes it clear that it is crucial to understand that relevant 'impact' is a much broader concept than damage or harm to one or more stakeholders in particular. The term 'Impact' as used in this Opinion covers any possible consequences (potential or actual) of data processing. For the sake of clarity, we also emphasize that the concept is not related to the notion of violation of personal data and is much broader than the repercussions that may arise from said violation. On the contrary, the notion of impact, such as used here, it encompasses the various ways in which an individual may be affected, positively or negatively, due to the processing of your personal data ”. “In general, the more negative and uncertain the impact of treatment may be, the more unlikely it is. that the treatment is considered, as a whole, legitimate. The availability of alternative methods for achieve the objectives pursued by the data controller, with less negative impact on the interested party, should, without a doubt, be a pertinent consideration in this context ”. As sources of potential repercussions for stakeholders he cites the probability that the risk may materialize and the seriousness of the consequences, noting that this concept of “severity may take into account the number of potentially affected ” . The assessment of the nature of the personal data that has been object of treatment ) , if the data has been made available to the public by the interested party or by a third party, a fact - says the Opinion - that can be an evaluation factor especially whether the publication was carried out with a reasonable expectation of data reuse for certain purposes: “… Does not mean that data that appears in and of itself innocuous can be processed freely ... even such data, depending on how it is processed, can have an impact significant about people ”. The way in which the person in charge treats the data; whether they have been disclosed to the public or have been made available to large numbers of people or if large amounts of data are process or combine with other data ( “for example, in the case of profiling, with commercial purposes, for purposes of compliance with the law or others ” ). On this question it is said: “Apparently innocuous data, when treated on a large scale and combined with other data, can lead to interference with more sensitive data, as demonstrated in Scenario 3 above, which gives as an example the relationship between pizza consumption patterns and insurance premiums for healthcare. In addition to potentially leading to the processing of more sensitive data, such analysis may also lead to strange, unexpected and sometimes inaccurate predictions, for example, concerning the behavior or personality of the affected persons. Depending on the nature and impact of these predictions, this can be highly intrusive in the privacy of the person ” . All this, without forgetting the reasonable expectations of the interested parties: “… It is important to consider whether the position of the data controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of data collection) could give rise to reasonable expectations of a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 139 139/177 stricter confidentiality and stricter limitations on further use. Usually, the more specific and restrictive the context of data collection, the more constraints it is likely to be used. In this case, again, it is necessary to take into account the factual context and not simply rely on the fine print of the text ” . The Opinion also considers pertinent when evaluating the impact of the treatment to analyze the position of the data controller and the interested party; your position may be more or less dominant with respect to the interested party depending on whether the person responsible for the treatment is a person, a small organization or a large company, even a multinational company: “A multinational company may, for example, have more resources and bargaining power than the individual data subject and may therefore be in a better position to impose on the data subject what you think is your "legitimate interest". This may be all the more so if the company has a dominant position in the market ” . When weighing the interests and rights at stake, the GT29 understands that the compliance with the general obligations imposed by the regulations, including the principles proportionality and transparency, help to ensure that the requirements are met legitimate interest. Although, it clarifies that this does not mean that the fulfillment of those horizontal requirements, by itself, are always sufficient. If, finally, after the evaluation, it is not clear how to achieve equilibrium, the taking additional guarantees can help reduce undue impact and ensure that the treatment may be based on legitimate interest. As additional measures includes, for example, the facilitation of voluntary and unconditional exclusion mechanisms, or increased transparency: “The concept of responsibility is closely linked to the concept of transparency. With the purpose of allow data subjects to exercise their rights and allow wider public scrutiny for part of the interested parties, the Working Group recommends that those responsible for the treatment explain to stakeholders clearly and easily the reasons why they believe their interests prevail over the interests or fundamental rights and freedoms of the interested parties, and also explain to them the guarantees they have adopted to protect their personal data, including, where appropriate, the right to opt out of treatment ”. "As explained on page 46 of Opinion 3/2013 of the Working Group on the limitation of purpose (cited in footnote 9 above), in the case of profiling and taking automated decisions, interested parties or consumers must be given access to their profiles to guarantee transparency, as well as the logic of the decision-making process (algorithm) that gave place to the development of said profiles. In other words: organizations should disclose their criteria for decision making. This is a fundamental guarantee and is especially important in the world of big data. Whether or not an organization offers this Transparency is a very pertinent factor that should also be considered in the proof of balancing ”. By referring to the right to object and the opt-out mechanism or right unconditional opposition, the WG29 reflects on advertising based on profiles of the client, which requires a follow-up of the activities and personal data of the interested parties, which are analyzed with sophisticated automated methods. He concludes the following: “In this sense, it is useful to recall the Opinion of the Working Group on the limitation of the purpose, where it was specifically stated that when an organization wishes to analyze or predict specifically the personal preferences, behavior and attitudes of customers C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 140 140/177 individuals that will subsequently motivate the «decisions or measures» adopted in relation to such clients ... free, specific, informed and informed consent should almost always be required unequivocal of "voluntary inclusion", since otherwise the reuse of the data may not considered compatible. Most importantly, such consent should be required, for For example, for tracking and profiling for prospecting, advertising behavioral, data marketing, location-based advertising, or digital research market based on monitoring ” . The information included in the "Framework Agreement" on these data processing based on the legitimate interest of CAIXABANK: “7.3.5 Treatments based on legitimate interest Unless you have told us, or tell us otherwise in the future, we will send you updates and information about products or services similar to those you already have contracted. We will also process your information (account movements, card movements, loans, etc.) to personalize your commercial experience in our channels based on previous uses, to offer you products and services that fit your profile, to apply benefits and promotions that we have in force and to which you are entitled, and to assess whether we can assign you credit limits pre-granted that you can use when you consider it most appropriate. In these treatments we will only use information provided by you, or generated from the own products contracted during the last year. If you do not want these treatments to be carried out, you can object to them communicating it to us in any of our offices, in the P.O. Box nº 209 of Valencia (46080), at the electronic address www.CaixaBank.com/ejerciciodederechos, or through the options enabled for this purpose in their digital banking and in our mobile applications ”. For any other commercial use, consent will be requested, as established in clause following. According to CAIXABANK, legitimate interest is the legal basis for the processing that carried out with the "commercial purposes" indicated in section 7.3.5 of the "Framework Contract" (erroneously included within the subsection dedicated to "Data processing of personal character for regulatory purposes ” ) and section 03 of the“ Privacy Policy ” (with content similar to the above): sending information and updates about products or services similar to those that the client already has contracted; customize the customer's commercial experience in the entity's channels based on previous uses, to offer you products and services that fit your profile, to apply benefits and promotions that we have in force and to which you are entitled, and to evaluate if we can assign you pre-granted credit limits that you can use when you consider it most timely. However, as stated in the previous Legal Basis, it has it has been proven that CAIXABANK carries out other processing of personal data based on to the legitimate interest that are not known by the client, which is not informed in any case, and that, due to the breadth of personal data used and the different purposes for which are treated, affect multiple aspects of the client's personal life, so such treatments are considered illegal. Among them the following were mentioned: (…) In relation to the processing of data for commercial purposes based on interest legitimate referred to in the "Framework Agreement" and in the "Privacy Policy", During the testing phase, (…), CAIXABANK has stated that they are not taking carry out the following treatments: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 141 141/177 . Sending information about products or services similar to those that you already have contracted or information that we believe may be of interest to you, or that we believe may have a reasonable expectation of receiving. . Study of the information that we have about you (account movements, card movements, loans, etc.) to personalize your experience with the Entity, for example by first showing in ATMs and websites their most common operations, or offering products and services that are adjust to your profile and apply the benefits and promotions in force at all times. However, in its brief of allegations, (…), according to which the data of those clients who have not consented to the processing of their data for commercial purposes, or have previously given consent for this has been revoked, they are not treated on the basis of legitimate interest. It adds that it only processes personal data in relationship with those who were asked and did not answer, that is, who have not signed the "Framework Agreement" nor the "Consent Agreement". From what follows that it is performing these personal data processing. (…) In relation to these treatments with "commercial purposes" based on the interest legitimate, it was also indicated when dealing with the duty of information, that they are similar to treatments that CAIXABANK protects in the consent of the client and the consequences that arise from this circumstance in relation to the validity of these treatments. Specifically, the realization of personalized offers, the application of benefits and promotions or the allocation of pre-granted credits, are data processing similar to those outlined by citing other purposes based on consent ( “Studying products or services that can be adjusted to your profile and specific business or credit situation, all this to make commercial offers tailored to your needs and preferences ” ), motivating that the description of the purposes and enumeration of data processing contained in the information offered causes confusion to the interested parties. Of this Thus, data processing based on legitimate interest similar to that of others carried out on the basis of the client's consent, which, moreover, is not lend in a valid way, as discussed above. It could lead to a situation in which data processing is carried out based on the legitimate interest that would have been denied by the affected party. On the other hand, taking into account that CAIXABANK records personal data “from Commercial Relations, or Commercial Relations of CAIXABANK and the companies of the Grupo CaixaBank with third parties ” , it is not possible to understand whether the sending of “ information and updates about products or services similar to those who have already contracted " are refers to own products, those of Group companies or third parties. Serve in this regard same observations already expressed previously on the use of data collected from products of the Group companies or third parties. It was also said that the information provided does not specify any legitimate interest of CAIXABANK, which is limited to indicating the data processing carried out with this database legal. Therefore, the circumstances expressed in the Law Foundation are reiterated on the lack of justification of the legitimate interest sufficiently to allow the proof of balance between the interest of the person in charge and the rights of the interested party to determine C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 142 142/177 those that prevail, necessary to determine the legality of the treatments carried out Here we reiterate what has already been indicated about the insufficient information provided on the categories of data that will be used and on the determination of the purposes, or on the types of profiles that will be made and the specific uses and applications that will be those profiles; and, especially, the lack of information on the specific interest of the responsible, that is not expressed, due to the limitations and difficulties, if not impediment, that supposes at the time of realizing an evaluation on the concurrence of an interest legitimate prevalent, real and not speculative. And also what has already been indicated about the language used; the indefiniteness of the purposes for which the personal data will be used ( "know the customer better" and "improve the products and services ” or “ develop the business model ” , etc.) and the exhaustive analysis of the information related to clients that carry such purposes; or about the types of profiles to be carried out and the specific uses and applications that will be given to these profiles. Carrying out the weighting judgment in this case also requires assessing the breadth of the types of data that are collected by CAIXABANK, and make said assessment in conjunction with the highlights in the preceding paragraphs, especially with the uncertainty of the purposes for which personal data are processed. This has the consequence that the treatments carried out are not predictable for an average citizen. This being the case, it is impossible for the interested party, or this supervisory authority, to be able to assess whether the processing operations carried out are necessary, or if, on the contrary, The same result could be obtained by less invasive means; nor can it be concluded, even less, that the interest invoked is prevalent. This legal basis requires the existence of real interests, not speculative and that, Also, they are legitimate. And not only the existence of that legitimate interest means that they can perform those treatment operations. It is also necessary that these treatments are necessary to satisfy that interest and consider the repercussion for the interested party. In In this case, a data combination is carried out whose scope has not been defined and is perform profiling operations to offer products and services that conform to said profile, to apply benefits and promotions that CAIXABANK has in force and to which the client has the right, and to evaluate whether it is possible to assign credit limits that you can use when you see fit. Therefore, the intrusion the privacy of the interested party may be high and the effects may have repercussions negatively. Considering the limitations set forth, suitability is not credited (if the measure allows to achieve the proposed objective); need (that there is no other measure more moderate); proportionality in the strict sense (more benefits or advantages than damages), the data processing indicated above. In addition to the above, the following circumstances are taken into account: . The lack of transparency about the logic of the treatment consisting in the preparation of profiling, which can lead to product discrimination and impact C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 143 143/177 financial potential that may have the character of excessive. . The high number of affected, as well as the large amount of data that is processed and combined with other data. Said combination of data, due to the lack of definition of the data that will be used, does not respect the aforementioned proportionality nor does it allow the weighing judgment necessary to assess the concurrence of a legitimate interest that justifies the treatment of the data. . The dominant position of the person in charge over the interested party, due to his condition of great company and one of the market leaders in its sector. A special importance must also be given to the absence of measures or additional guarantees that, although not required by the applicable regulations, are consider a good practice that favors the appreciation of the legitimate interest of the responsible when in the weighing judgment it was not clear how to achieve equilibrium, to the extent that they reduce the impact of the treatment on the privacy of the interested party. Among them, the increased transparency and the enabling of mechanisms opt-out. Regarding transparency, CAIXABANK does not make available to interested parties the Report on the weighting of legitimate interest or impact assessments. Neither does CAIXABANK offer opt-out mechanisms. It is limited to inform on the possibility of exercising the right of opposition, which is nothing but a requirement normative. This right requires a new weighting, in accordance with the provisions of the Article 21 of the RGPD ( “the data controller will stop processing personal data, Unless it proves compelling legitimate reasons for the treatment that prevail over interests, rights and freedoms of the interested party ” ) and has nothing to do with the opt-out or unconditional opt-out mechanisms are recommended. In summary, contrary to what was stated by CAIXABANK in its allegations, of In accordance with the foregoing, it is proven that this entity performs data processing personal data of its clients based on legitimate interest, including treatment with commercial purposes. On the other hand, for the reasons stated, it has not been proven that the interest that CAIXABANK claims to prevail over the interests and rights and fundamental freedoms of clients; and the guarantees offered are not sufficient to bridging the imbalance that occurs with these data processing operations personal. Consequently, it must be concluded that the legitimate interest of CAIXABANK does not prevail as a legitimate basis for the treatment. CAIXABANK alleges that the AEPD concludes that it is not possible to determine suitability, necessity and proportionality of these treatments, and that the intrusion into the privacy of the interested can be high, without providing any evidence in this regard. However, it is a CAIXABANK to whom it corresponds to prove the concurrence of the legitimate interest for the data processing operations that you intend to base on this legal basis, to who corresponds to specify the interest pursued and make the weighing judgment that justify. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 144 144/177 Also in relation to this question, it refers to the changes introduced in the New Privacy Policy, implying with these alleged corrections that no there are responsibilities to be demanded from the facts analyzed, which must be rejected absolutely by inappropriate. Specifically, it alleges that it has proceeded to eliminate the treatment based on legitimate interest for commercial purposes, but omits any reference to the rest of the circumstances that determine the illegality of the treatments analyzed in this section and that they are not carried out exclusively for commercial purposes. Finally, it should be noted that the conclusion obtained from this examination does not contradict what expressed in the Report of the Legal Office of the AEPD 195/2017, to which it refers CAIXABANK, both in the aforementioned impact assessment, which contains the report of weighting of the legitimate interest, as in its brief of allegations. The premises evaluated in said report do not conform to the present assumption, in the that detailed personal data processing has a much broader purpose that those analyzed in said report regarding the purposes of the treatment as the information or personal data used. - Other processing of personal data without legal basis. Communication of data to CaixaBank Group companies. On the other hand, it is also necessary to analyze the transfer of data to Group companies CaixaBank that is included in the “Framework Agreement”, about which the interested party is not consulted. It is reiterated here that said document is presented as mandatory subscription for the client, expressly stating that the signature of the document supposes that it "knows, understand and accept its content ” . It is also established that the terms and conditions are of general application to all "commercial relationships" of the interested party "with CaixaBank and the CaixaBank Group companies, and therefore, the subscription and validity of this Contract, respecting the corresponding rights of choice that for the Signatory grant the clause, it is necessary for the contracting and maintenance of contracts of products or services ” . In the same section relating to the object of the contract, it indicates that "informs and regulates" about "authorizations for the use of data of the signer to carry out activity commercial of CaixaBank and the companies of the CaixaBank Group ” . Allusions to the CaixaBank Group companies occur throughout the entire "Framework Contract" and place it, practically, at the same level of intervention as CAIXABANK: "7.1 Processing of personal data in order to manage the Relationships Commercial. The personal data of the Signatory, both those that the same contribution, as those derived of the Commercial Relations, or Commercial Relations of CaixaBank and the companies of the Group CaixaBank with third parties and those made from them, will be incorporated into files owned by CaixaBank and the CaixaBank Group companies that are holders of the Commercial Relations… ”. 8. treatment and transfer of data for commercial purposes by CAIXABANK and the companies of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 145 145/177 CaixaBank Group based on consent This document will include on its first page, under the heading of authorizations for the data processing, the authorizations that you grant us or revoke us in relation to: (i) The data analysis and study treatments for commercial purposes by CaixaBank and companies of the CaixaBank Group (ii) The treatments for the commercial offer of products and services by CaixaBank and the companies of the CaixaBank Group (iii) The transfer of data to third parties In order to make a global offer of products and services available to you, your authorization to (i) data analysis and study treatments, and (ii) for the commercial offer of products and services, if granted, will include CaixaBank, and the companies of the CaixaBank group detailed at www.CaixaBank.es/empresasgrupo (the “CaixaBank Group companies”) who They can share and use them for the indicated purposes. The authorizations you grant will remain in effect until they are revoked or, in the absence of this, until 6 months after you cancel all your products or services with the Entity. The detail of the uses of the data that will be carried out in accordance with your authorizations is as follows ... (already detailed above) ”. "The data that will be processed for the purposes of (i) data analysis and study, and (ii) for the offer commercial products and services will be ... (already detailed above) " "11.3 Data Conservation Period ... In accordance with the regulations, the data will be kept for the sole purpose of complying with those legal obligations imposed on CaixaBank and / or Group Companies… ”. The "Privacy Policy" also refers to the "exchange of commercial information among the CaixaBank Group companies ” . The concept of "Business Group" is defined in point 19 of article 4 of the RGPD: << "Business group": group made up of a controlling company and its companies controlled >> . On the scope to be attributed to this concept from the point of view of the RGPD, it is necessary to consider what is stated in Considerations 37 and 48 of said Regulation: “(37) A business group must be constituted by a company that exercises control and the controlled companies, and it must be the company that exercises control that can exercise a dominant influence in the other companies, for reasons, for example, ownership, participation financial, rules by which it is governed, or power to enforce data protection rules personal. A company that controls the processing of personal data in companies that they are affiliated should be considered, together with such companies, a 'business group' ”. "(48) Those responsible who are part of a business group or entities affiliated with a central body may have a legitimate interest in transmitting personal data within the group business for internal administrative purposes, including the processing of personal data of customers or employees. The general principles applicable to the transmission of personal data, within a business group, a company located in a third country are not affected " . The CaixaBank Group, in principle, can be understood within this concept, from the point of view of the protection of personal data, with the entity CAIXABANK as C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 146 146/177 controlling company. But the information exchange that carries out CAIXABANK in favor of the CaixaBank Group companies has no place in the shares which may be based on the legitimate interest referred to in Recital 48, referring to the transmission of personal data within the business group "for administrative purposes internal ” . Nothing to do with the transfers of data referred to in the "Framework Contract" and the purposes for which they are intended. With this, it is not excluded that other data communications could be admitted personal, with other purposes, that could be justified by the concept of group business, even based on legitimate interest. To all this, must be added the defects appreciated in the information offered that is have pointed out in this act. CAIXABANK does not even inform about the legal basis that justifies this global exchange of information with the companies of the CaixaBank Group. Neither does any of the consents requested from clients include any that refers to this transfer of personal data of CAIXABANK customers to companies of the CaixaBank Group, which cannot be considered covered by the three consents collected. In addition to the objections noted on the validity of the consents provided by customers, this transfer of data constitutes a specific purpose in itself considered itself, which requires a manifestation of the client's will by which the client consent that this communication of personal data can be carried out. CAIXABANK no collects specific consent from its clients for this transfer of data. This lack of design or provision of a specific mechanism to collect the consent of their clients in order to transfer data to Group companies is not remedied with the signature by the client of the repeated "Framework Contract", which occurs without receiving the accurate information and does not imply a statement by the customer about the use of their personal data from the CaixaBank Group companies. This use entails the prior transfer of the data by CAIXABANK to the companies of the Group without the interested party has manifested in this regard, that is, without the consent of the interested party. Acceptance through a single action, such as the signing of the contract, becomes invalid the consent given by the interested party regarding the use of the data for purposes other than the execution of the contract or business relationship maintained by the interested party and the responsible entity or, what is the same, with respect to all those treatments that require a differentiated and granular consent. In relation to communication of data to the companies of the CaixaBank Group, this explicit consent and separate would require enabling the selection of the specific company or companies to be refers to the consent for the assignment that could be provided. The requirement that “consent must be given through a clear affirmative act that reflects a manifestation of free will, specific, informed, and unequivocal of the interested party to accept the treatment of personal data that concern ” , understanding that “ inaction should not constitute consent ” (Recital 32). Consent must also be given for all activities of treatment carried out for the same or the same purposes and, when the treatment has several purposes, consent must be given for all of them through a manifestation of will expressed for each of the purposes separately or differently, allowing the interested choose to choose all, a part or none of them. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 147 147/177 Consent cannot be understood freely given as it has not been allowed “To authorize separately the different personal data processing operations despite be appropriate in the specific case ” (Recital 43). The Article 29 Working Group, in its document “Guidelines on the consent under Regulation 2016/679 ” , which has been cited on several occasions, refers to the dissociation of the purposes of the treatment and the freedom that the interested parties to choose which purposes they accept, instead of having to consent to a set of purposes. It adds that " When the data is processed for purposes diverse, the solution to fulfill the condition of valid consent will be in the granularity, that is, in the dissociation of said purposes and obtaining consent for each of them " , and cites the following example: "[Example 7] In the same request for consent, a retailer asks its customers for consent to use your data to send them advertising by email and to share your data with other companies in your group. This consent is not granular since it is not possible to consent for separated for these two different purposes and, therefore, the consent will not be valid. In this case, specific consent should be obtained to send contact details to partners commercial. Such specific consent will be considered valid for each partner (see also the section 3.3.1) whose identity has been provided to the interested party at the time of obtaining their consent and to the extent that it is sent for the same purpose (in this example, a commercial purpose) ” . Therefore, all data transfers made by CAIXABANK become illegal. to companies of the CaixaBank Group. In the same way, all the treatments carried out are considered irregular or illegal. CAIXABANK out of personal data that are provided by the entities belonging to the CaixaBank Group, relating to clients of the latter. Apart from this exchange of information, Clause 8 of the "Framework Contract" indicate that the client grants his authorization "in relation to: (i) The analysis treatments and study of data for commercial purposes by CaixaBank and companies of the CaixaBank Group; (ii) The treatments for the commercial offer of products and services by CaixaBank and the CaixaBank Group companies ”. With this, CAIXABANK intends that the interested parties give, to CAIXABANK itself, their consent for other companies of the Group perform personal data processing, which cannot be accepted. CAIXABANK has stated in its allegations that the CaixaBank Group operates under the same brand concept, with that entity as the axis. It indicates that this circumstance is transferred to the various facets of the treatment of data, including the management of consents for processing purposes commercial, which are to be carried out jointly in the context of the activities of the Group for the same purpose with the same means, in relation to data from which the Group entities are jointly responsible. And add that each entity has its database own (only accesses the data necessary for the provision of its services), but that all have “a kind of shared responsibility” , they are jointly responsible for the treatment, so there is no purpose of its own in the transfer that justifies the provision of a separate consent. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 148 148/177 On the other hand, CAIXABANK alleges that this "integration of all bases" is a regulatory requirement for correct risk management and necessary for compliance with legal obligations, which must be supported by the coordinated management of information. But, Even in this risk management, the risk of the business group that must be quantified for regulatory purposes, of individual risk, which should only be be valued by the entity with which the interested party maintains a contractual relationship. In In any case, nothing is said to the client about this co-responsibility (in the “Framework Contract”, When reporting on regulatory purposes only reference is made to responsibilities and obligations of CAIXABANK). Finally, CAIXABANK notes that this issue was the subject of an evaluation of impact, which does not contribute. CAIXABANK, however, has not justified that we are faced with an alleged of co-responsibility, beyond the exchange of information between Group companies CaixaBank that are necessary for regulatory purposes or for compliance with a legal obligation, which are not questioned in these proceedings. In this case, the attribution of responsibilities between the different Group companies required by the RGPD, nor the functions and obligations of these companies in its relationship with the interested parties; and there is also no evidence that the corresponding agreement that regulates these circumstances in a transparent way, which, in addition, it must be made available to interested parties. The obligation to formalize that agreement in which the respective responsibilities are determined, as well as that of putting it into disposition of the interested parties in their essential aspects, is established in article 26 of the GDPR: "Article 26 Co-responsible for the treatment 1.When two or more managers jointly determine the objectives and means of the treatment will be considered joint controllers of the treatment. The joint controllers will determine transparently and by mutual agreement their respective responsibilities in complying with the obligations imposed by this Regulation, in particular with regard to the exercise of rights of the interested party and their respective obligations to supply information to which referred to in articles 13 and 14, except, and to the extent that, their respective responsibilities are governed by the law of the Union or of the Member States that applies to them. Said agreement may designate a point of contact for stakeholders. 2. The agreement indicated in section 1 shall duly reflect the respective functions and relationships of the joint controllers in relation to the interested parties. The interested parties will be made available essential aspects of the agreement. 3. Regardless of the terms of the agreement referred to in section 1, the interested parties may exercise the rights recognized by this Regulation against, and against, each one of those responsible ” . On the contrary, considering the data used by the CaixaBank Group and the uses to which they are intended, already detailed in the Fundamentals that analyze the information offered to customers, it follows that the exchange of all information between all companies that comprise it respond more to "commercial" purposes, unrelated to the relationship contractual, such as the realization of commercial impacts and the design of new products or services, for which all data related to the client available in all Group companies, those provided by the interested party and those that “are generated in the contracting and operating products and services ” , with CaixaBank and with the Companies of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 149 149/177 CaixaBank Group, including the profiles made from such data. CAIXABANK He even stated that he had arranged that the consent of the clients for the Processing of your personal data for "commercial purposes" would be collected at the "Group", jointly for all the companies of the "group". This exchange, as has been said, occurs between all the companies of the Group, that is, each of the companies that make up said Group shares personal data registered in their information systems with all the others. The data was said to be would manage “from a common information repository of the Group's companies CaixaBank ”. Thus, said exchange does not occur only between CAIXABANK and the rest or between them and CAIXABANK only. Although the present procedure is intended to analyze the infractions attributed to CAIXABANK and does not reach the rest of the companies of the Group, make this global exchange clear to record the irregular action that took place has been producing. If to that we add the detail of the companies that make up the repeated Group CaixaBank and the specific commercial activity that each of them carries out, the irregularity is even more apparent. Obviously, there cannot be co-responsibility of all the companies of the Group CaixaBank in relation to the treatment of data that the contract entails, of whatever type, that a client formalizes with one of them. If more than one company is involved in the contract, The rest of the companies, which do not participate in any way in this contract, cannot be considered co-responsible. It is enough to examine the entities that make up the CaixaBank Group and the purpose of their businesses, to conclude that this global co-responsibility cannot occur, which would mean admit that all act as responsible for the treatment of customer data of a of these companies, even if they do not participate in the specific contractual relationship formalized by the client. The Privacy Policy contains the following detail: "Your bank CAIXABANK, SA The issuer of your credit and debit cards CAIXABANK PAYMENTS, EFC, EP, SAU The issuer of your prepaid cards CAIXABANK ELECTRONIC MONEY, EDE, SL Your insurer VIDACAIXA, SAU DE SEGUROS Y REASEGUROS The marketer of your funds CAIXABANK ASSET MANAGEMENT, SGIIC, SAU Your social bank, expert in microcredits NUEVO MICRO BANK, SAU Your consumer finance company CAIXABANK CONSUMER FINANCE, EFC, SAU Your renting company CAIXABANK EQUIPMENT FINANCE, SAU Your e-commerce company PROMOCAIXA, SA The company that manages payments in your stores COMERCIA GLOBAL PAYMENTS, EP, SL ” . The intervention of more than one Group company in the relationship that formalizes the Nor does the client determine, without further ado, the joint responsibility of both. It will be necessary to analyze each of the cases to conclude what is appropriate in this regard. It so happens that some of these activities and the relationships that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 150 150/177 link each company with the client is expressly regulated in a standard, which provides the nature of their participation from the point of view of the protection of personal data, so it cannot be left to the will of these companies to provide a different frame. A clear example can be found in the regulations governing mediation in private insurance, for cases in which the financial institution or commercial companies controlled or participated by it, enter into an insurance agency contract with a insurance company and carry out the activity of insurance mediation as an insurance agent using the distribution networks of the credit institution, assuming the character of Banking-Insurance Operator. In these cases, article 62 of Law 26/2006, of July 17, on the mediation of private insurance and reinsurance states that, for the purposes of the LOPD, “a. Agents exclusive insurance and exclusive banking-insurance operators will have the status of responsible for the treatment of the insurance company with which they had concluded the corresponding agency contract, in the terms provided in this Law ”. This rule has been repealed by Royal Decree-Law 3/2020, of February 4, of Urgent measures incorporating various Spanish legal systems European Union directives in the field of public procurement in certain sectors; private insurance; of pension plans and funds; of the tax field and tax litigation. This Royal Decree-law does not modify the previous scheme: “Article 203. Condition of person in charge or in charge of the treatment. 1. For the purposes set forth in Organic Law 3/2018, of December 5, as well as in the Regulations (EU) 2016/679 of the European Parliament and of the Council, of April 27, 2016, regarding the protection of natural persons with regard to the processing of personal data and the free movement of these dates: a) Insurance agents and banking-insurance operators will be in charge of the treatment of the insurance company with which they had entered into the corresponding agency, in the terms provided in title I ". “Article 204. Other data protection regulations. 2. Insurance agents and banking-insurance operators may only process the data of the interested in the terms and with the scope of the insurance agency contract and always in the name and on behalf of the insurance company with which they have entered into the contract. The banking-insurance operators will not be able to process the data related to their intermediary activity for purposes of its corporate purpose without the unequivocal and specific consent of the affected ”. In any case, the information exchange designed by CAIXABANK and the CaixaBank Group companies do not comply with the concept of “co-responsibility”, which is establishes for specific treatments, “when two or more managers determine jointly the objectives and the means of the treatment ” ; and that requires a decision-making power of all responsible that is not given in this case. In accordance with the foregoing, the allegations to the proposal of resolution made by CAIXABANK, in which it states that there is no undue assignment personal data, but a transparent co-responsibility regime is established for the interested parties, which derives from a direct collection of the data by the companies in the scope of joint responsibility and joint participation in the determination of goals and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 151 151/177 media. There is no co-responsibility regime, nor can it be said that it was transparent to the clients. In fact, CAIXABANK at no previous time has had the agreement of co-responsibility, so it was never before able to make available to the interested parties the essential aspects of an agreement that did not exist. Not even in the previous phases has alleged this co-responsibility, referring to this matter in its allegations to the agreement of initiation of the procedure, noting that all the Group companies have “a sort of shared responsibility ” , as already indicated. And neither does the Activity Register Treatment includes operations in which CAIXABANK intervenes as joint controller. It has been on the occasion of the processing of allegations to the proposed resolution when CAIXABANK has raised this claim and has provided a "Co-responsibility Agreement", that appears in the "Sixth Allegation" of the brief of allegations to the proposed resolution among the new measures implemented, which appears unsigned by the entities that supposedly involved in its formalization. In his allegations about graduation from the The sanction refers to data transfers made within the framework of “the de facto co-responsibility, and currently formal ” . However, this agreement does not remedies the irregular situation maintained during the period of time prior to the opening of the process. On the other hand, CAIXABANK has not provided the essential information for have sufficient elements to assess whether the conditions are met, from the point of factual and not only formal view, for that co-responsibility in each of the treatments to those referred to in the agreement provided, considered case by case; nor to conclude if all entities have complied with the regulatory provisions, especially those relating to duty of transparency and the existence of a legal basis for the treatment. If it can be said, as indicated above, that CAIXABANK has not complied with these provisions in relation to the exchange of information regarding their customers with the companies that make up the Group, and would not be met in relation to these alleged joint treatments, about which you have not informed clients duly and for which there is no legal basis. (…) Finally, it is considered appropriate to cite the Guidelines 07/2020, on the concepts of data controller and data processor in the RGPD, adopted by the CEPD on September 2, 2020, in which the assumption of joint responsibility is rejected as use for advertising purposes of a database shared by a group of Business: “Joint control can also be excluded if several entities use a base of shared data or a common infrastructure, if each entity independently determines its own ends. Example: marketing operations in a group of companies using a database shared. A group of companies uses the same database for the management of clients and potential clients. This database is hosted on servers of the parent company which, therefore, is a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 152 152/177 in charge of the treatment of the companies with respect to the storage of the data. Each Group entity enters the data of its own customers and potential customers and processes them solely for your own purposes. In addition, each entity decides independently on access, retention periods, correction or deletion of your customers and customer data potentials. They cannot access or use the data of others. The mere fact that you are Companies using a shared group database does not imply joint control as such. In these circumstances, each company is therefore a data controller ”. Consequently, in accordance with the above findings, the facts set forth in this Legal Basis constitute a violation of Article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, which gives place to the application of the corrective powers that article 58 of the RGPD grants to the Spanish Agency for Data Protection. VIII Article 22 of the RGPD allows "automated individual decisions, including the profiling ” if such a decision is necessary for the execution of the contract, it is authorized by Union or Member State law or is based on the consent of the interested party, which entails compliance with the obligation to inform about it. Said article establishes the following: "Article 22. Automated individual decisions, including profiling 1. Any interested party shall have the right not to be the subject of a decision based solely on the automated processing, including profiling, that produces legal effects on him or her affect significantly in a similar way. 2. Paragraph 1 shall not apply if the decision: a) is necessary for the conclusion or execution of a contract between the interested party and a person in charge of the treatment; b) is authorized by Union or Member State law that applies to the responsible for the treatment and that also establishes adequate measures to safeguard the rights and freedoms and the legitimate interests of the interested party, or c) is based on the explicit consent of the interested party. 3. In the cases referred to in section 2, letters a) and c), the data controller shall adopt the adequate measures to safeguard the rights and freedoms and the legitimate interests of the interested party, at least the right to obtain human intervention from the person in charge, to express your point of view and challenge the decision. 4. The decisions referred to in paragraph 2 shall not be based on the special categories of data referred to in Article 9 (1), unless Article 9 (2) applies, letter a) or g), and adequate measures have been taken to safeguard the rights and freedoms and legitimate interests of the interested party ”. Furthermore, what is expressed in recitals 71 and 72 of the RGPD is taken into account. “(71) The interested party must have the right not to be the subject of a decision, which may include a measure, that evaluates personal aspects related to him, and that is based solely on the treatment automated and produces legal effects on it or significantly affects it in a similar way, such as the Automatic denial of an online credit application or online contracting services in the that there is no human intervention. This type of treatment includes profiling consisting of any form of processing of personal data that evaluates personal aspects C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 153 153/177 relating to a natural person, in particular to analyze or predict aspects related to the job performance, financial situation, health, personal preferences or interests, reliability or the behavior, situation or movements of the data subject, to the extent that produces legal effects on him or significantly affects him in a similar way. However, they must allow decisions based on such treatment, including profiling ... in cases where those that the interested party has given their explicit consent. In any case, such treatment must be subject to appropriate safeguards, including information specific to the interested party and the right to obtain human intervention, to express their point of view, to receive a explanation of the decision made after such evaluation and to challenge the decision. Such a measure no it must affect a minor. In order to guarantee fair and transparent treatment with respect to the interested party, taking into account the specific circumstances and context in which personal data is processed, the person responsible for the The treatment should use appropriate mathematical or statistical procedures for the elaboration of profiles, apply appropriate technical and organizational measures to ensure, in particular, that correct the factors that introduce inaccuracies in personal data and reduce the maximum risk of error, secure personal data so that possible risks are taken into account for the interests and rights of the interested party and prevent, among other things, discriminatory effects in natural persons for reasons of race or ethnic origin, political opinions, religion or beliefs, union membership, genetic condition or health status or sexual orientation, or that result in measures that produce such an effect. Automated decisions and profiling about the basis of particular categories of personal data should only be allowed under conditions specific. (72) Profiling is subject to the rules of this Regulation that govern the processing of personal data, such as the legal bases of the processing or the principles of Data Protection…". The aforementioned regulations prohibit decisions based solely on treatment automated, including profiling, that produce legal effects in the interested or significantly affect you in a similar way, unless such decisions are based on the explicit consent of the same. An important aspect regarding automated individual decisions has to be see with the use of personal data for the elaboration of customer profiles, understood as any form of personal data processing that evaluates aspects personal information relating to a natural person. According to art. 13.1.f) of the RGPD, section 2, the person in charge is obliged to inform on the “existence of automated decisions, including the elaboration of profiles, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, significant information on the applied logic, as well as the importance and expected consequences of said treatment for the interested party ” . The information that CAIXABANK offers to its clients in the different documents that are subject to analysis refers expressly to profiling in numerous Sometimes and on others, the purposes or treatments that entail carrying out profiling operations. The "Privacy Policy" accessible through the CAIXABANK website, by referring to uses based on the consent of the interested party, informs: “04 WE CANNOT HIDE IT FROM YOU: WE WANT TO KNOW YOU BETTER! (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 154 154/177 Uses based on your consent Only if you authorize us when we ask, we would like to process all the data that we have about you to get to know you better, that is, to study your needs to know what new products and services are adjusted to your preferences and analyze the information that allows us to have determined in advance what your creditworthiness is. We would also send you product offers from all Group companies and third parties that we think they may interest you ”. In Clause 8 of the “Framework Contract”, so repeated, CAIXABANK refers to the "Treatment and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank group based on consent ” , which are grouped as follows: (i) Detail of the analysis, study and monitoring treatments for the offer and design of products and services tailored to the customer profile. (ii) Details of the treatments for the commercial offer of CaixaBank products and services and the CaixaBank Group companies. (iii) Transfer of data to third parties These subsections correspond to three consents that are collected from the interested and which are outlined on the first page of the document, under the heading "Authorizations for treatment" . The description of the first group of treatments (i) in other documents or channels of collection of consents is expressed as follows: . Purpose of studies and profiling. . Carry out studies and monitoring of operations; manage alerts for the products you have hired; study products and services tailored to your CaixaBank Group profile. . Authorization for profiled and segmented. This first group of treatments, “ Detail of the analysis, study and follow-up for the offer and design of products and services adjusted to the client's profile ” , details five purposes: "By granting your consent to the purposes detailed here, you authorize us to: a) Proactively carry out risk analysis and apply statistical and technical data on customer segmentation, with a triple purpose: 1) Study products or services that may be tailored to your profile and specific business or credit situation, all to make offers sales tailored to your needs and preferences, 2) Track products and contracted services, 3) Adjust recovery measures on defaults and incidents derived from the products and services contracted. b) Associate your data with those of companies with which you have some type of link, both for their ownership and management relationship, in order to analyze possible interdependencies economic in the study of service offers, risk requests and product contracting. c) Carry out studies and automatic controls of fraud, defaults and incidents derived from products and services contracted ... ”. And in relation to these purposes, the following is indicated: "The treatments indicated in sections (i), (ii) and (iii) may be carried out in a automated and entail the elaboration of profiles, with the aforementioned purposes. For this purpose, We inform you of your right to obtain human intervention in the treatments, to express your point of view, to obtain an explanation about the decision made based on the automated processing, and to challenge said decision ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 155 155/177 CAIXABANK advises the client that the indicated treatments may be carried out in an automated way and lead to profiling. To this end, CAIXABANK will informs about “their right to obtain human intervention in the treatments, to express your point of view, to obtain an explanation about the decision made based on the automated processing, and to challenge said decision ” . With this, CAIXABANK advises on profiling operations that correspond with automated individual decisions regulated in article 22 of the RGPD, which These profiles will be used to make automated decisions with legal effects for the interested or that will significantly affect you in a similar way. In this case, according to As indicated, the interested party has the right to be informed by virtue of what is established in the Article 13.2.f) of the RGPD, including in that information all the issues that that letter mentions, as is the applied logic, the importance and expected consequences of said treatment for the interested party, as well as the possibility of opposing the adoption of these automated individual decisions, and the right to have all the Provided guarantees (in addition to the information specific to the interested party, the right to obtain human intervention, to express their point of view, to receive an explanation of the decision taken after such evaluation and to challenge the decision). The legal basis for these actions is based, according to the information that facilitates the interested-clients, with their consent. This information, and the evidence on the irregularity of the consents provided by CAIXABANK clients for the processing of their personal data, determined the imputation to said entity in the agreement to open the procedure of a alleged infringement due to the violation of article 22 of the RGPD. However, the instruction of the procedure has not confirmed that CAIXABANK carry out data processing as regulated in this article 22 of the RGPD, that is, to make decisions based solely on automated processing and that produce legal effects on the interested party or significantly affect him in a way Similary. Some data processing involves the use of profiles of which could result in discriminatory effects for the interested parties (such as, for example, credits pre-granted prices, prices adjusted to the client's profile, benefits and promotions). But I do not know has evidence that these treatments respond to the concept of "individual decision automated " and that effectively produce legal effects or significantly affect the interested. If so, CAIXABANK must consider the provisions of the aforementioned article 22 of the RGPD and comply with the expressed demands and the requirements that allow consider that the consent has been given in a valid way, if this were the basis legal. Consequently, it is deemed appropriate, due to lack of evidence, to declare the nonexistence of infringement in relation to the imputation for an alleged breach of the established in article 22 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 156 156/177 IX In the event of an infringement of the RGPD precepts, among the corrective powers available to the Spanish Data Protection Agency, such as supervisory authority, article 58.2 of said Regulation contemplates the following: “2 Each supervisory authority shall have all the following corrective powers indicated at continuation: (…) d) order the person in charge or in charge of the treatment that the treatment operations conform to the provisions of this Regulation, where appropriate, in a certain way and within a specified term; (…) i) impose an administrative fine in accordance with Article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each particular case; " . According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine. X In the present case, the breach of the principle of transparency established in articles 12, 13 and 14 of the RGPD, as well as the principle of legality of the treatment regulated in article 6 of the same Regulation, with the scope expressed in the previous Fundamentals of Law, which implies the commission of respective infractions typified in article 83.5 of the RGPD, which under the heading " General conditions for the imposition of administrative fines ” provides the following: "Violations of the following provisions will be sanctioned, in accordance with section 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, a amount equivalent to a maximum of 4% of the total annual global business volume for the year financial statement, opting for the one with the highest amount: a) the basic principles for the treatment, including the conditions for consent in accordance with Articles 5, 6, 7 and 9; b) the rights of the interested parties in accordance with articles 12 to 22; (…) ” . In this regard, the LOPDGDD, in its article 71 establishes that “They constitute offenses the acts and conducts referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this law organic ” . For the purposes of the limitation period, articles 72 and 74 of the LOPDGDD indicate: “Article 72. Violations considered very serious. 1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679, they are considered very serious and will prescribe after three years the infractions that suppose a substantial violation of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. c) Failure to comply with the requirements of Article 7 of Regulation (EU) 2016/679 for the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 157 157/177 validity of consent. (…) k) The impediment or the obstruction or the repeated neglect of the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679 ”. “Article 74. Infractions considered minor. The remaining infringements of a merely formal nature are considered minor and will prescribe a year. the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 and, in in particular, the following: a) Failure to comply with the principle of transparency of information or the right to information of the affected by not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679 " . In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD, precepts that state : "1. Each supervisory authority shall ensure that the imposition of administrative fines in accordance with the this article for the infractions of this Regulation indicated in paragraphs 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, to additional or replacement title of the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding the imposition of an administrative fine and its amount in each individual case, the due account: a) the nature, seriousness and duration of the offense, taking into account the nature, scope or purpose of the treatment operation in question as well as the number of interested parties affected and the level of damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damage and damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the violation; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the responsible or the manager notified the infringement and, if so, to what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge in relation to the same matter, compliance of said measures; j) adherence to codes of conduct under article 40 or to certification mechanisms approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement." For its part, article 76 " Sanctions and corrective measures" of the LOPDGDD provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 are will be applied taking into account the graduation criteria established in section 2 of the aforementioned Article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, they may also be taken into account: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 158 158/177 a) The continuing nature of the offense. b) The linking of the offender's activity with the processing of personal data. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have led to the commission of the offense. e) The existence of a merger by absorption process after the commission of the offense, which does not it can be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to mechanisms of alternative conflict resolution, in those cases in which there are controversies between those and anyone interested ”. In this case, considering the seriousness of the violations found, the imposition of a fine, in addition to the adoption of measures. In a subsidiary manner and for reasons of proportionality, CAIXABANK has requested that other corrective powers are imposed that allow the implementation of certain changes that you have in process to debug the errors in the informative clauses and improve them, as is the warning, and points out that this measure has been applied in some cases to legal persons and not only natural persons (he cites as an example the procedures PS / 00072/2019; or PS / 00096/2019). Additionally, in the event that the previous petition, requests that a sanction be imposed to a minimum degree. It is not possible to accept the request made by CAIXABANK to impose other corrective powers, specifically, the warning, which is intended for persons physical and when the sanction constitutes a disproportionate burden (recital 148 of the RGPD). In this case, unlike the precedents invoked by CAIXABANK, no None of the assumptions that would support the application of the warning, for which, obviously, other factors must also be considered, such as the offense committed and its seriousness. In the present case, the irregularities committed are much more serious and have a greater impact than that expressed by CAIXABANK, who aims to reduce the assumption analyzed to a few simple defects of the information offered that they do not deserve any reproach other than their rectification. For the same reasons, and considering the criteria for graduation of sanctions indicated below, the request for the imposition of a penalty is also rejected. tion to its minimum degree. In accordance with the transcribed precepts, in order to set the amount of the sanctions of fine to impose in the present case to the defendant, as responsible for infractions typified in article 83.5.a) and b) of the RGPD, it is necessary to graduate the corresponding fine impose for each of the offenses charged as follows: 1. Infringement for breach of the provisions of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild for prescription purposes in article 74.a) of the LOPDGDD: It is estimated that the following factors concur as aggravating factors that reveal greater unlawfulness and / or culpability in the conduct of the CAIXABANK entity: a) The nature, seriousness and duration of the offense: the verified facts put in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 159 159/177 The entire action carried out by CAIXABANK, as a whole, is questionable, since the Infringements result from the personal data management procedures designed by that entity for the adequacy of those processes to the RGPD, which are considered irregular from the moment of the collection of personal data, questioning all the activity carried out by the responsible entity since the entry into force of the RGPD. I know takes into account, however, that it is not a case of total absence of information, but that the disputed facts result from not providing the interested parties sufficient and adequate information in relation to the various treatments carried out. In this regard, CAIXABANK alleges that the issues analyzed in the procedure are not particularly serious, considering that all the information is provided, although the AEPD understands that it can be improved; that the offense is classified as minor; and it has not caused damage to the only two claimants, given that the treatments carried out are the necessary for the development of the activity. Contrary to what is stated by said entity, it is understood that the deficiencies appreciated are particularly serious, since they affect substantive aspects of the principle of transparency and all the processing operations carried out, which are not limited to the treatments necessary for the development of the activity, as indicated CAIXABANK. None of the precedents cited in the allegations can be assimilated into in any way to the present assumption. b) The intentionality or negligence appreciated in the commission of the offense: the actions have proven negligent conduct in relation to the violation of the regulations of personal data protection. The violations found, given their evidence, should have been warned by an entity with the characteristics of CAIXABANK and avoided when design your personal data management processes. CAIXABANK understands that the establishment of clear procedures in relation to The information and the provision of consents implies that this graduation criterion of The sanction should be considered as mitigating, without considering that the infractions are they consider committed precisely the opposite. Furthermore, violations are not only non-compliance with the requirements for obtaining consent or the operations carried out on this legal basis. c) The continuing nature of the offense, in the sense interpreted by the National Court, as a permanent offense. d) The high link of the activity of the offender with the performance of data processing personal: all operations that constitute the business activity carried out by CAIXABANK involve personal data processing operations. e) The condition of a large company of the responsible entity and its volume of business: it is a leading company in the financial sector with a strong national presence. According to information that appears on the “ caixabank.es ” website , as of 12/26/2019, CAIXABANK declares itself the leader in retail banking, with a 29.3% penetration share of individuals in Spain. TO 09/30/2019, the Income Statement reflects an “Operating Margin” of 2,035 million euros. According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" amounts to 5,981,438,031.00 euros. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 160 160/177 f) High volume of data and processing that constitutes the object of the file: the Infractions affect all the data processing carried out by CAIXABANK that does not are necessary for the execution of the contract, in which all the information is used relating to customers. g) High number of interested parties: the perceived defects affect all clients natural persons of the entity. According to the information available on the web "caixabank.es" to On 12/26/2019, the entity had 15.7 million clients. h) The imputed entity does not have adequate procedures in place for action in the collection and processing of personal data, so that the infringement is not consequence of an anomaly in the operation of these procedures, but a defect in the personal data management system designed by the person in charge. It has taking into account that the non-compliances found are structural and do not result from a punctual non-compliance. According to CAIXABANK, an information defect cannot be understood as a defect of the system. However, it is clear that the present assumption does not refer, simply, to a defect of information. Considering the exposed factors, the assessment of the fine for the The offense charged is 2,000,000 euros. 2. Infringement for breach of the provisions of article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) and c) of the LOPDGDD: It is estimated that they concur as aggravating factors, in addition to the exposed factors in relation to the aforementioned offense, indicated with letters b), c), d), e), g) and h), the following factors that reveal greater unlawfulness and / or culpability in the conduct of the CAIXABANK entity: a) The nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operations in question: infractions result from the personal data management procedures designed by CAIXABANK for the adaptation of these processes to the RGPD, which are considered irregular from the collection of personal data and the provision of consents requested from the clients right then and there. The severity of the infractions increases according to the scope or purpose of the processing operations in question, which include the profiling using excessive information. b) The degree of responsibility of the person in charge, taking into account the technical measures and organizational applied by virtue of articles 25 and 32; considering that the facts found show that CAIXABANK has not taken care that in the treatment of data is used exclusively the data necessary for the intended purpose. Faced with this, the adoption of measures in recent years cannot be opposed aimed at promoting privacy from the design. What is relevant is that such measures are appropriate and, in relation to the foregoing, those adopted by CAIXABANK are not. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 161 161/177 c) The benefits obtained as a result of the commission of the offense: the information related to customers is used to design new products or services or improve existing and for the dissemination of them. To appreciate this benefit it is not necessary that the responsible entity has monetized the personal data, making data sales with commercial purposes, as claimed by CAIXABANK. d) The nature of the damages caused to the interested persons or third persons: the high degree of interference in the privacy of CAIXABANK clients is taken into account and that all information is communicated to third parties (companies of the CaixaBank Group). The transfers have taken place and have been accredited. CAIXABANK itself has recognized the exchange of information with the companies of the Group. e) High volume of data and processing that constitutes the object of the file; between the that highlight, in a significant way, the transfer of personal data to third parties. Alleges the responsible entity that has not initiated the data transfers, without considering those made to the CaixaBank Group entities. f) The categories of personal data affected by the infringement, which includes customer profiles, inferred using all available customer information, including collected for compliance with legal obligations. This conclusion is not affected by the fact that the treatments do not use data of special category, manifested by CAIXABANK. Considering the exposed factors, the assessment of the fine for the The offense charged is 4,000,000 euros. The allegations at the opening of the procedure made by the entity CAIXABANK do not contain any observations on the circumstances indicated with the letters c), d), e), f) and g) of point 1. Instead, it requested that the measures taken be taken into account as mitigating to regularize the situation revealed in the claim outlined in the Fact Fourth tested, implementing the measures recommended by the organization of consumers and users who submitted the claim; along with the purpose of draw up a new "Framework Contract"; as well as the degree of cooperation shown to put remedy the irregular situation and mitigate possible adverse effects. These actions are not considered of sufficient relevance to be considered in this procedure for the purposes intended by CAIXABANK. With the measures taken in relation to the aforementioned claim, related only to the face-to-face process of obtaining the client's consent, there has not been a true regularization, nor has mitigated the adverse effects of the offenses committed. On the other hand, the elaboration of A new “Framework Contract” is nothing but the necessary consequence of the irregularity of the document used by CAIXABANK and analyzed in this procedure. So, the request to consider such actions as a mitigating circumstance is rejected. In its allegations to the resolution proposal, CAIXABANK declares reproduced their allegations to the commencement agreement, without formulating, in this case, no C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 162 162/177 consideration of the graduation criteria indicated by letters c), d), e), f) and g) of the point 1. In these allegations, he again requests that they be taken into account as mitigating the measures taken by CAIXABANK, as well as the degree of cooperation shown, within and outside the framework of the procedure, to remedy the infringement and mitigate the possible adverse effects of the offense. Finally, CAIXABANK warns about the unprecedented disproportion of the sanction imposed, considering that it is a case of minor infraction and not of absence of information, and that there are no data transfers outside the framework of co-responsibility de facto and currently formal entity that exists in the CaixaBank Group (without the free will The will of the subjects has been diminished in any case). It adds that the proposed sanction ta is 8 times higher than the highest fine imposed under the GDPR (if we do not take into account “The other” exemplary sanction of the financial sector, recently known), and 3 times higher than maximum foreseen under the previous regime for the most serious infractions, ignoring the application cation of the mitigating factors that CAIXABANK details in its allegations. In the opinion of this Agency, the cooperative attitude of CAIXABANK cannot be admitted, that he has consistently denied the facts, despite his evidence. On the other hand, none of the circumstances expressed by said entity to establish mentioning the disproportion of the sanction concurs in this case, in which there is also a very serious infringement, to which CAIXABANK does not usually refer in any of its allegations attempts to reduce the assumption analyzed, as has already been said, to mere errors in the information provided to customers. Precisely, one of the determining facts, not The only one of the very serious infringement has to do with the transfer of customer data, all the data and all the clients, that CAIXABANK makes to the companies of the Caixa Group- Bank, on which the interested party does not have the opportunity to comment, being committed Take your free choice. In any case, the proportionality of the sanction results from the application of the criteria of graduation established in the corresponding infractions and sanctions regime, which is applicable to the facts, that is, the current regime. Thus, it does not proceed qualify the sanction imposed as disproportionate by resorting to the infractions regime and sanctions regulated by Organic Law 15/1999 (LOPD), to affirm that the sanction im- set is so many times higher than those provided for in that Organic Law, but rather than the norm that establishes the measures to be imposed in this case, that is, the RGPD. This Regulation, in its article 83.3, establishes that breaches of the Articles 13, 14, and 6 of the same RGPD will be sanctioned with administrative fines of 20,000,000 euros (twenty million euros) maximum or, in the case of a company, of an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount. Considering this regulation and the graduation criteria previously assessed, the fine imposed on CAIXABANK is not disproportionate. It is useless to argue that the LOPD provided penalties for amounts lower. The truth is that, in this aspect, as in many others, the RGPD has been a paradigm shift in the protection of personal data, establishing measures with a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 163 163/177 clear deterrent. It is enough to examine the sanctions that, in this matter, have recently imposed other European countries, which are public, to understand the scope of the change that the application of the RGPD entails. Below are links to some of these resolutions, as examples: . https://edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty- 50-million-euros_es; . https://edpb.europa.eu/news/national-news/2020/aggressive-telemarketing-practices-vodafone-fined- over-12-million-euro_es; . https://edpb.europa.eu/news/national-news/2020/belgian-dpa-imposes-eu600000-fine-google-belgium- not-respecting-right-be_es. On the other hand, CAIXABANK also understands that it is appropriate to qualify as mitigating fact of having proceeded to further clarify the information offered to its clients and the procedure by which consent is requested, to such an extent that it would be the all unnecessary the imposition of the corrective measures proposed by the AEPD. The aforementioned entity has stated in its brief of allegations that it has provided a new structure of the documents through which it informs clients on the matter that it concerns us, preparing a new Privacy Policy, as a basic document, and modifying the "Framework Agreement" so that it offers only basic information and refer to the Privacy Policy, as the second layer. As indicated, a total uniformity and deeper detail of information. And has provided a copy of both documents, together with the “Co-responsibility Agreement”, which was referred to in the Basis of Law VII when dealing with data communications to Group companies CaixaBank, screen printing related to the consent collection processes. CAIXABANK also points out that it has arranged a massive communication to customers reporting on changes. This Agency considers that the actions mentioned, given the evidence obtained in the present case, are a requirement of the principle of proactive responsibility and the diligence regarding compliance with the data protection regulations that must expected of an entity such as CAIXABANK and that the RGPD itself expressly imposes, including the obligation to review and update the organizational measures that guarantee the adequacy of your data processing with the RGPD. And this Agency also considers that there is no true regularization of the situation generated by the breaches found, nor have their effects been mitigated. On the one hand, the statement made by CAIXABANK in its plea cannot be accepted, according to which the only action that is criticized is the writing of the informative texts, through which it informs its clients about the processing of their personal data. And, on the other hand, in relation to the consents given and the treatments of data that it carries out, CAIXABANK is limited to indicating that the mentions to the cessation of treatments are disproportionate. In its submissions, it makes no reference to the regularization in its records of the annotations corresponding to the consents collected to date, or the suspension of personal data processing classified as illegal in these actions or the deletion of personal data collected from third parties or inferred by the entity itself. Once again, as has been said so many times before, CAIXABANK intends to reduce the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 164 164/177 issues arising from information defects, from which it can only be derived, his judgment, the demand to correct them. However, contrary to what was intended by CAIXABANK, the breach of the provisions of article 6 of the RGPD, together with the seriousness and impact of the defects appreciated in the information offered to those interested. Thus, the alleged correction of the information contained in the documents provided by CAIXABANK, even assuming this correction is complete, it does not constitute a true regularization of the irregular situation found in the present procedure sanctioner. Therefore, the request to consider such actions as a extenuating circumstance. On the other hand, CAIXABANK does not provide any report or evaluation, nor does it explain how it has adapted the documents that determine the configuration of this new Privacy and would allow its analysis by this control authority (eg, the registry of processing activities, impact assessment reports or weighting of interest legitimate). CAIXABANK has enjoyed numerous opportunities to contribute this documentation during the processing of the procedure. In each and every one of the communications that have been sent to you have been warned about the principle of access permanent regulation regulated in article 53 “Rights of the interested party in the Administrative Procedure ” of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, which recognizes to those interested in the procedure the right to know, at any time, the status of the processing and to formulate allegations, use the means of defense admitted by the Legal System, and provide documents at any stage of the procedure prior to the hearing process. Consequently, it is not possible to consider the irregular situation regularized. XI In accordance with the provisions of article 58.2.d) of the RGPD, each control may “order the person in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, where appropriate, of a in a certain way and within a specified period… ” . In this case, considering the circumstances expressed in relation to the Appreciated breaches, it is appropriate to require CAIXABANK so that, within the period indicated in the operative part, adapt to the personal data protection regulations the processing operations carried out, the information offered to its customers and the procedure by which they give their consent for the collection and processing of your personal data. In those cases in which the interested party has not been duly informed about the circumstances regulated in articles 13 and 14 of the RGPD or the interested party had not given your valid consent, CAIXABANK will not be able to carry out the collection and treatment of personal data. The same applies in relation to the treatments of data based on the legitimate interest of the person in charge and with all those declared illegal C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 165 165/177 in this act, including communications of personal data to companies of the CaixaBank Group. All this with the scope and in the sense expressed in the Fundamentals of Law of this act. Likewise, it is appropriate to require CAIXABANK to notify the entities of the Grupo CaixaBank to which it has communicated personal data of customers so that delete such data and stop using them. It is also appropriate to require CAIXABANK to cease the processing of the personal data provided to it by entities belonging to the CaixaBank Group, relating to the latter's clients. It is noted that not meeting the requirements of this body may be considered as a serious administrative offense by “not cooperating with the control ” in the face of the requirements made, such conduct may be assessed at the time of the opening of an administrative procedure punishing with a pecuniary fine. In relation to these measures, which are intended to repair the irregular situation generated by CAIXABANK in the treatment of the data of its clients and the clients of the entities of the CaixaBank Group, as well as the correction of the information offered in matter of personal data protection, said entity has stated that they would represent a irreparable impact, but without describing what this impact consists of and without justifying why it is irreparable. In any case, no particular circumstances can be alleged to justify the non-application of the rule. It also warns about the current global health situation, which restricts visits to offices by customers. This Agency understands that it intends to reflect the difficulties posed by this crisis to regularize the situation of customers. However, the term granted in the operative part is considered sufficient to carry out the relevant regularization. Therefore, in accordance with the applicable legislation and the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Agency for Data Protection RESOLVES: FIRST: IMPOSE the entity CAIXABANK, SA, with NIF A08663619 , for an infraction of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as mild to prescription effects in article 74.a) of the LOPDGDD, a fine in the amount of 2,000,000 euros (two million euros). SECOND: IMPOSE the entity CAIXABANK, SA, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of prescription in article 72.1.b) of the LOPDGDD, a fine of 4,000,000 euros (four millions of euros). THIRD: DECLARE the non-existence of infringement in relation to the imputation to the entity CAIXABANK, SA of a possible violation of the provisions of article 22 of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 166 166/177 RGPD. FOURTH: REQUIRE the entity CAIXABANK, SA, so that, within six months, adapt to the personal data protection regulations the processing operations of personal data that you carry out, the information offered to your clients and the procedure through which they must give their consent for the collection and treatment of your personal data, with the scope expressed in Law Foundation XI. At indicated period, CAIXABANK, SA must justify before this Spanish Protection Agency of Data the attention of this requirement. FIFTH: NOTIFY this resolution to CAIXABANK, SA SIX: Advise the sanctioned person that he must make the imposed sanction effective once the This resolution is executive, in accordance with the provisions of art. 98.1.b) of the law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter LPACAP), within the voluntary payment period established in art. 68 of General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000 , opened in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA. Otherwise, it will be collected in the executive period. Once the notification has been received and once it is executed, if the date of execution is between the days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to on the 20th of the following or immediately subsequent business month, and if it is between the 16th and last of each month, both inclusive, the payment term will be until the 5th of the second month next or immediate after business. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution It will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties They may optionally file an appeal for reconsideration before the Director of the Agency Spanish Data Protection Agency within a month from the day following the notification of this resolution or directly administrative contentious appeal before the Chamber of the Contentious-administrative of the National Court, in accordance with the provisions of the Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-administrative Jurisdiction, within two months to count from the day after notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may provisionally suspend the final administrative resolution if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the The interested party must formally communicate this fact by writing to the Agency Spanish Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 167 167/177 You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the following notification of this resolution, it would terminate the suspension precautionary. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 168 168/177 ANNEX I Version 4 of the "Framework Contract", dated by CAIXABANK on 11/12/2018: (…) Modifications to the previous text or new informative clauses introduced by Version 5 of the "Framework Contract", dated by CAIXABANK on 12/20/2018. (…) Modifications to the previous text or new informative clauses introduced by the document provided by CAIXABANK with its response to the Inspection Services and date 11/20/2019, which has been referred to in this act as "Version 7 of the Framework Contract" or “Client Framework Agreement dated 11/06/2019. (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 169 169/177 ANNEX II Document provided by CAIXABANK on 07/10/2018, called by the same "Contract of Consents ”, which is outlined in the Second Fact of this Agreement: (…) Modifications to the previous text introduced by the document that is incorporated into the Minutes corresponding to the inspection carried out at the CAIXABANK premises on the 11/28/2019 (Attachments 4 and 5): (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 170 170/177 ANNEX III Information offered for access to information of the interested party in SOCIAL NETWORKS (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 171 171/177 ANNEX IV AGGREGATION SERVICE (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 172 172/177 ANNEX V Privacy Policy available on the CaixaBank entity's website. 01 WHO ARE WE? CaixaBank, as you already know, is the largest bank in Spain by number of customers, and it sells, in addition to its products and services, those of a large group of investee companies, with activities in the sectors of payment services, investment, insurance, holding of shares, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charitable-social. The list of these companies can be found at www.CaixaBank.es/empresasgrupo and their data, in the Annex at the end of this communication (hereinafter we will call them companies of the CaixaBank Group). 02 WHAT DO WE NEED TO USE YOUR DATA FOR? Uses for contractual purposes The first and main reason why we need to process your data is for the provision of the services that you have contracted with us and for our own management. This treatment is essential. If we don't, we won't be able to manage your accounts, cards, insurance, etc. Uses for legal or regulatory purposes At CaixaBank, and at the CaixaBank Group companies, we are bound by different regulations to process your data to comply with the obligations that they have. They are rules that establish, for example, regulatory reporting obligations, money laundering prevention measures capital and terrorist financing or tax controls and reports. In these cases, the Treatment of the data is limited to what is necessary to comply with those obligations or legally required responsibilities. Uses for the purpose of preventing fraud We also need to process your data to prevent fraud, as well as to guarantee the security, both of your information and of our networks and information systems. As you may have seen, these three types of treatments are essential to be able to maintain your relationship with us. Without them we could not provide our services 03 AND MY DATA WILL NOT BE USED FOR MORE PURPOSES? The above uses are those necessary to provide you with our services but, with your trust, we would like to offer you much more. Uses for commercial purposes based on legitimate interest Unless you have told us, or tell us otherwise, we will send you updates and information about products or services similar to those you already have contracted. We will also use your information (account movements, card movements, loans, etc.) to personalize your experience with us, for example by showing you first in the ATMs and websites your most common operations; to offer you products and services that conform to your profile and thus not bother with what does not interest you; to apply the benefits and promotions that we have in force and to which you have the right, because we do not want you to miss any of the advantages of being our client: and to evaluate if we can assign you credit limits pre-granted that you can use when you consider it most appropriate, so, when you need it, We will be able to assist you with the greatest speed. Do not worry. In these treatments we will not use more information than the one you have given us or the one generated from the products contracted during the last year and, if you prefer not to Let's do it, you just have to tell us, at any of our offices, at PO box no. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 173 173/177 209 of Valencia (46080), at the electronic address www.CaixaBank.es/ejerciciodederechos or through the options enabled for this purpose in your internet banking and in our applications mobiles. For any other commercial use that we want to do, we will ask you before, as you are going to see continuation. Remember that one of our core values is trust. 04 WE CANNOT HIDE IT FROM YOU: WE WANT TO KNOW YOU BETTER! Nowadays, there are many possibilities of using the information to get to know yourself better, give yourself a better service, be more attentive and always ready to attend to your needs. Therefore, We will ask for authorization to process your data a little more than what we told you before. If you have already tried it, or try it in the future, surely you will not regret it, but do not worry, no you have to decide now, we will ask you about it in the office, in electronic channels or in your relations with the rest of the CaixaBank Group companies. Uses based on your consent Only if you authorize us when we ask, we would like to process all the data that we have about you to get to know you better, that is, to study your needs to know what new products and services are adjusted to your preferences and analyze the information that allows us to have determined in advance what your creditworthiness is. We would also send you product offers from all Group companies and third parties that we think they may interest you. As we have told you, CaixaBank is a great family, so when you authorize us these treatments you will benefit from the joint work of the CaixaBank Group companies in the table that follow (remember that the list will be updated at all times in the link www.CaixaBank.es/empresasgrupo). Your bank CAIXABANK, SA The issuer of your credit and debit cards CAIXABANK PAYMENTS, EFC, EP, SAU The issuer of your prepaid cards CAIXABANK ELECTRONIC MONEY, EDE, SL Your insurer VIDACAIXA, SAU DE SEGUROS Y REASEGUROS The marketer of your funds CAIXABANK ASSET MANAGEMENT, SGIIC, SAU Your social bank, expert in microcredits NUEVO MICRO BANK, SAU Your consumer finance company CAIXABANK CONSUMER FINANCE, EFC, SAU Your renting company CAIXABANK EQUIPMENT FINANCE, SAU Your e-commerce company PROMOCAIXA, SA The company that manages payments in your stores COMERCIA GLOBAL PAYMENTS, EP, SL Finally, if you want, we can communicate your data to third parties with whom we have agreements, whose activities are included between banking, investment services, forecasting and insurer, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charity-social. We want you to be very clear that we respect your choices and act in accordance with them, so that we will treat your data only for those purposes that, among the three above, we you have expressly authorized. 05 AND WHAT HAPPENS TO MY DATA WHEN I BROWSE THE WEB PAGES OR THE MOBILE APPLICATIONS OF THE CAIXABANK GROUP? When you browse our web pages or use our mobile applications, we want to be able to personalize your experience to make it as exceptional as possible. It is also possible that we want to remind you of our products and offers when you are browsing the internet. You already know that cookies are used for that. We will inform you at all times of the details of its use C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 174 174/177 in the Cookies Policy, which you will find on all our web pages, as well as in the conditions of use of the mobile applications that you download. There we will describe to you at all times what data we can collect, how and what it is used for. In addition, most web browsers allow you to manage your preferences regarding the use of the cookies. Remember that you can adjust the browser at any time to reject or delete certain cookies at your discretion. Likewise, the privacy settings of the mobile device allow you to manage the treatment of your data. 06 BY THE WAY, WHAT DATA OF ME IS PROCESSED? As you can imagine, thanks to the trust you have placed in us, we have a lot of information about you. We have already told you what we use them for and how you can control each At the moment these uses, but what specific information of yours are we going to treat? Basically, they are your identifying and detail data of the professional or work activity, your data of contact and financial and socio-economic data, both those you have provided us and those that generated from the products or services contracted. Also, only if you consent to it when we consult it, we may process data that we obtain from the provision of services to third parties when you are the recipient of the service, those obtained from the networks that you authorize us to consult, those obtained from third parties as a result of services aggregation of data that you request, those obtained from the navigations you make through the service internet banking, mobile phone applications and other websites of the companies of the Grupo CaixaBank or those obtained from companies that provide commercial information. 07 ARE HEALTH DATA, IDEOLOGY OR OTHER SPECIAL OR SENSITIVE DATA PROCESSED? In general, we do not need to process certain data of yours that are considered as special categories of data, for example those related to ethnic or racial origin, political opinions, religious convictions or sexual identity. If it is necessary to treat this type of sensitive data, in each case we will request your consent explicit. These are some of the situations in which we will need to use any of this data: Health data related to insurance products Health data is within the category of sensitive data, and its treatment is essential in the marketing of certain insurance products (health, life ...). When we market these products, the person in charge of the health data is the insurance company, therefore we want that you know that all insurance companies whose products we commercialize respect and They strictly comply with the data protection regulations. Biometric data collected in the electronic signature of documents When we use electronic signature systems, on occasions, for your greater security and comfort, biometric elements are used in the creation of the signature, for example the signature trace on tablets digitizers or fingerprints on the mobile phone. These data are essential to make sure that you are the one who is using the applications and that, therefore, no one is impersonating your identity. For the use of these means of signature or identification you must explicitly accept these biometric data processing. 08 IS MY DATA SECURE? For us the security of your data is essential, and we assume the obligation and commitment to protect them at all times. Therefore, within this standard of maximum protection, we protect them against treatments not authorized or illegal and against their loss, destruction or accidental damage, and we have implemented the more rigorous information security protocols following the best practices in this matter. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 175 175/177 09 HOW LONG DO I NEED TO SAVE MY DATA? We will process your data as long as the authorizations for use that you have given us remain in force. granted or you have not canceled the contractual or business relationships with us. We will stop treating them once the authorizations for use that you have given us have been revoked or, if you have not revoked the authorizations but you have ceased to be a client, six months after they ended contractual or business relationships established, provided that your data is not necessary to the purposes for which they were collected or processed. This does not mean that we delete them immediately, as we are bound by different regulations to keep the information for a certain time (in many cases up to ten years), but in accordance with the regulations, your data will only be kept to comply with these legal obligations, and for the formulation, exercise or defense of claims, during the limitation period of the actions derived from the contractual or business relationships subscribed. 10 TO WHOM IS MY DATA COMMUNICATED? In addition to the exchange of commercial information between the companies of the CaixaBank Group (of which you previously reported), on certain occasions we need to share certain information with third parties to be able to provide our services, either because a regulation requires them, or because we need the support of specialist companies to help us in our work. Below we explain with whom we can share your information, always with the maximum security and confidentiality: Communication of data for the fulfillment of a legal obligation As we have explained to you, we collaborate with the authorities, courts and public bodies. If the regulations establish it, we will share with them the information they request. Communication of data for the execution of a contractual relationship Sometimes, we turn to service providers with potential access to personal data. These providers provide adequate and sufficient guarantees in relation to data processing, since we carry out a responsible selection of service providers that incorporates specific requirements in the event that the services involve the processing of data from personal character. Next, you will see what types of services we order: FINANCIAL BACKOFFICE SERVICES ADMINISTRATIVE SUPPORT SERVICES AUDIT AND CONSULTING SERVICES LEGAL SERVICES AND RECOVERY OF ASSETS AND UNPAID PAYMENT SERVICES MARKETING AND ADVERTISING SERVICES SURVEY SERVICES CALL CENTER SERVICES LOGISTICS SERVICES PHYSICAL SECURITY SERVICES COMPUTER SERVICES (SYSTEMS AND INFORMATION SECURITY, CYBERSECURITY, INFORMATION SYSTEMS, ARCHITECTURE, ACCOMMODATION, PROCESS OF DATA) TELECOMMUNICATIONS SERVICES (VOICE AND DATA) PRINTING, ENVELOPE, POSTCARD AND MESSAGING SERVICES INFORMATION CUSTODY AND DESTRUCTION SERVICES (DIGITAL AND PHYSICAL) BUILDINGS, FACILITIES AND EQUIPMENT MAINTENANCE SERVICES We can also communicate your data to third parties that are necessary for the development, compliance and control of the contracts for products and services that you have signed with us, for example, to clearing houses or systems for the execution of transfers or receipts or for the payment of rates or taxes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 176 176/177 11 IS MY DATA TRANSFERRED OUTSIDE THE EUROPEAN ECONOMIC AREA? The treatment of your data is carried out, in general, by service providers located within the European Economic Area or in countries that have been declared with an adequate level of protection. In other cases, we guarantee the security and legitimacy of the processing of your data by requiring their suppliers that have binding corporate standards that guarantee the protection of the information in a similar way to those established by European standards, which are subject to to the Privacy Shield, in the case of service providers in the US, or who subscribe to the clauses European Union type. At all times we will ensure that, whoever has your information to help us provide our services, it does so with all guarantees. 12 DO CAIXABANK AND THE COMPANIES IN ITS GROUP HAVE A DELEGATE FOR THE PROTECTION OF DATA? Indeed, as required by data protection regulations, the companies of the Group CaixaBank has a Data Protection delegate who ensures that all the processing that is carried out are made with full respect for your privacy and the applicable regulations at all times. The Data Protection delegate is at your disposal to answer all the questions you may have relating to the processing of your personal data and the exercise of your rights. You can contact with the Data Protection delegate at: www.CaixaBank.es/delegadoprotecciondedatos 13 WHAT RIGHTS DO I HAVE IN RELATION TO MY DATA AND ITS TREATMENTS? These are the rights that you can exercise in relation to your data: Right of access: Right to know what data of yours we are treating. Right to revoke consent: Right to withdraw consent at any time when you have given us authorization to process your data. Right of rectification: Right to have your data rectified or completed if it is inaccurate. Right of opposition: Right to oppose those treatments based on legitimate interest. Right of deletion: Right to have your data deleted when it is no longer necessary for the purposes for which they were collected. Right of limitation: Right to limit the processing of your data (in certain assumptions, expressly provided for in the regulations). Right of portability: Right to have your data delivered to you (data processed for the execution of the products and services and data that we process with your consent) so that you can transmit them to another responsible. You can exercise your rights in any of the channels that we put at your disposal: - At the offices of CaixaBank or the Group companies - By postal communication addressed to the Post Office box No. 209 of Valencia (46080) - At the electronic address www.CaixaBank.es/ejerciciodederechos - Through the options enabled for this purpose in your internet banking and in our applications mobile Additionally, you already know that, if in spite of everything you have any claim derived from the treatment of your data that we have not been able to solve, you can direct it to the Spanish Protection Agency Data (www.agpd.es). Note: The Privacy Policy includes an Annex in which the Group companies are listed CaixaBank (the same ones listed in point 04), indicating your address, NIF and registration in the Mercantile Registry and Special Administrative Registry of the Bank of Spain, Registry Administrative of Insurance Entities of the General Directorate of Insurance and Pension Funds, Registry of Management Companies of Collective Investment Institutions of the National Commission of the Stock Market, as appropriate in each case. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 177 177/177 ANNEX VI Document called "Treatment of personal data based on interest legitimate ” , obtained from the caixabank.es website, in the“ Privacy ”section, on 01/07/2020: << Processing of personal data based on legitimate interest We inform you that, in accordance with the provisions of article 6.1.f) of the General Regulations of Data Protection, CaixaBank, on occasions, processes its customers' data based on legitimate interest. Below you will find a list of all the treatments that CaixaBank can carry out with this legal base. This list will be permanently updated to include new treatments, or give unsubscribe those that are stopped. You can oppose the treatments that we list below by indicating it in any from our offices, in writing to PO Box 209 of Valencia (46080), at the address electronic www.CaixaBank.es/ejerciciodederechos or through the options enabled for this purpose in your internet banking and mobile apps. Treatments based on legitimate interest . Sending information about products or services similar to those that you already have contracted or information that we believe may be of interest to you, or that we believe may have a reasonable expectation of receiving. . Study of the information that we have about you (account movements, account movements card, loans, etc.) to personalize your experience with the Entity, for example showing you their most common operations first at ATMs and websites, or offering products and services that fit your profile and apply the current benefits and promotions in every moment. . Monitoring of the fulfillment of the objectives, incentives or awards set to our employees. . Communication of data between CaixaBank and the companies in which it has a stake for the purpose to carry out internal reports (without personal data), which allow us, among others aspects, carry out market studies and mathematical models to establish the strategy of CaixaBank Group business. . Creation of statistical models (without personal data) that help the Entity to better understand the preferences and tastes of our customers, collaborating in the improvement of design and execution of commercial actions, as well as making aggregate reports on the result of the models to carry out the monitoring of customer behavior. . Structuring and profiling of the information processed by the Entity to maintain the resources and technical systems prepared to efficiently meet management needs. . Control and supervision of the Entity's activity through samples and self-evaluations with the purpose of identifying and assessing possible risks in the commercialization of products, controls and evaluate compliance with internal rules and regulations. . Control and supervision of operations in order to prevent fraud, both to customers and to the Entity itself. . Use of contact data of employees or representatives of legal entities to maintain relations with the legal entity in which it provides services >>. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es