AEPD (Spain) - PS/00477/2019
Latest revision as of 13:43, 13 December 2023
| AEPD - PS-00477-2019 | |
|---|---|
| Authority | AEPD (Spain) |
| Jurisdiction | Spain |
| Relevant Law | Article 6 GDPR; Article 13 GDPR; Article 14 GDPR |
| Type | Complaint |
| Outcome | Upheld |
| Started | |
| Decided | |
| Published | 13.01.2021 |
| Fine | 6,000,000 EUR |
| Parties | n/a |
| National Case Number/Name | PS-00477-2019 |
| European Case Law Identifier | n/a |
| Appeal | Appealed - Overturned (RR/00061/2021) |
| Original Language(s) | Spanish |
| Original Source | AEPD (Spain) (in ES) |
| Initial Contributor | Paola L. |
The Spanish DPA (AEPD) imposed a fine of €6 million on CaixaBank S.A. following complaints received from a customer of the bank in 2018 and from the consumer association FACUA in 2019. The AEPD found that CaixaBank had infringed Articles 6, 13 and 14 of the GDPR.
English Summary
Facts
On 24/01/2018, an individual (the first complainant) who was a customer of CaixaBank (the defendant) filed a complaint with the AEPD alleging that the defendant had forced them to accept new conditions regarding the protection of personal data, specifically the condition on the transfer of their personal data to all the companies of the CaixaBank group, and that if they wanted to withdraw their consent they had to write separately to each company of the group. The complainant argued that this was disproportionate, given that the consent for this purpose had been given in a single act.
The AEPD forwarded the complaint to the defendant, which responded by explaining which processing activities were based on consent and why, the mechanisms in place to obtain consent, and the options available to customers to withdraw it, whether in person, via the website or via the mobile app. On 01/02/2019 the AEPD declared this preliminary investigation expired, since twelve months had elapsed since the complaint was filed (24/01/2018).
On 29/03/2019 a second complaint was received against the defendant, this time from the Association of Consumers and Users in Action, FACUA (the second complainant), concerning the "Framework Agreement" signed by the bank's customers, through which their personal data is collected. In essence, FACUA argued that this was a contract of adhesion: customers had no option to negotiate its terms and were obliged to consent to the processing of their personal data, including its transfer to third parties.
On 28/05/2019 the AEPD admitted the second complaint and opened an investigation. It requested CaixaBank to provide the current and previous versions of the "Framework Agreement", the channels and methodology for its acceptance and the granularity with which consents were obtained; the procedures in place for providing the information required by Articles 13 and 14 of the GDPR and the mechanisms for recording its acceptance; and, in addition, its Article 30 record of processing activities, data protection impact assessments and legitimate interest assessments.
Dispute
Was the information that CaixaBank provided to its customers about data protection compliant with the requirements of Articles 13 and 14 of the GDPR, and did the bank have a valid legal basis under Article 6 of the GDPR for its processing, including the transfer of data within the group?
Holding
With regard to Articles 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided on data protection was imprecise, vague and not uniform. It noted that not even the terminology was the same for all customers and in all situations (in some cases the "Framework Agreement" was used, in others the "Consent Agreement", and for other customers only the "Privacy Policy"), and that the documents were not updated in the same way in each case. The AEPD also found that the information provided on the legal basis relied upon, the categories of personal data processed, the purposes of the processing, retention periods, the exercise of rights, and the profiles built from customer data and their uses was insufficient.
With regard to Article 6 of the GDPR, the AEPD found that CaixaBank had not sufficiently justified the legal basis for its processing of personal data, especially for the data processed on the basis of legitimate interest, and had not met the requirements for obtaining valid consent. The AEPD stated that "consent was considered an affirmative act, but it could not be considered to be freely given, specific, informed and unequivocal". It further noted that CaixaBank did not identify any legal basis for the transfer of data to the companies of the CaixaBank Group, so the transfer of personal data within the group was unlawful.
Consequently, the AEPD imposed a fine of €2 million for the infringement of Articles 13 and 14 of the GDPR and a fine of €4 million for the infringement of Article 6 of the GDPR, and ordered CaixaBank to review its processes and procedures and bring them into compliance with data protection law within six months.
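The consent mechanism at the centre of this case (one group-wide repository in which the latest statement per customer and purpose supersedes the previous one, revocation through any group company taking effect for the whole group, and three separately answered purposes) is the kind of design a privacy engineer is asked to build. The following Python sketch is an added example; it is not code from the AEPD decision or from CaixaBank, and the entity names, purpose identifiers, customer IDs and clause versions in it are assumed for illustration. It records every consent statement as an append-only event carrying the channel, the recording entity and the version of the clause text the customer saw; it treats the absence of a record as no consent (no pre-ticked defaults); and it reports consent as valid only when it was given under the clause version currently in force, which is the design response to the AEPD's finding that the information texts were neither uniform nor updated consistently.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from enum import Enum
from typing import Dict, List, Tuple


class Purpose(Enum):
    """The three purposes for which, per the decision, consent was asked separately."""
    STUDY_AND_MONITORING = "study_and_monitoring"
    COMMERCIAL_OFFERS = "commercial_offers"
    THIRD_PARTY_TRANSFER = "third_party_transfer"


@dataclass(frozen=True)
class ConsentEvent:
    """One statement by the customer. Events are never edited, only appended."""
    customer_id: str
    purpose: Purpose
    granted: bool
    entity: str          # group company acting as entry point (assumed names in demo())
    channel: str         # "branch", "web", "app", "phone" or "post"
    clause_version: str  # version of the clause text shown to the customer
    recorded_at: datetime


class ConsentRepository:
    """Group-wide consent register: the latest event per (customer, purpose) wins, and
    any group company may record a grant or a revocation with effect for the whole group."""

    def __init__(self, group_entities: List[str], current_clause_version: str):
        self._entities = frozenset(group_entities)
        self._current_version = current_clause_version
        self._events: List[ConsentEvent] = []
        self._latest: Dict[Tuple[str, Purpose], ConsentEvent] = {}

    def record(self, event: ConsentEvent) -> None:
        """Append a statement. Only group entities may write, and history is never reordered."""
        if event.entity not in self._entities:
            raise ValueError(f"{event.entity} is not a group entity")
        if event.recorded_at.tzinfo is None:
            raise ValueError("timestamps must be timezone-aware")
        key = (event.customer_id, event.purpose)
        prev = self._latest.get(key)
        if prev is not None and event.recorded_at < prev.recorded_at:
            raise ValueError("event older than the current statement; refusing to rewrite history")
        self._events.append(event)
        self._latest[key] = event

    def revoke(self, customer_id: str, purpose: Purpose, entity: str,
               channel: str, when: datetime) -> None:
        """Revocation via any entity and channel; it supersedes every earlier grant group-wide."""
        self.record(ConsentEvent(customer_id, purpose, False, entity, channel,
                                 self._current_version, when))

    def has_valid_consent(self, customer_id: str, purpose: Purpose) -> bool:
        """True only if the latest statement is a grant made under the clause version in force.
        No record at all means no consent: silence or a pre-ticked box is not consent."""
        ev = self._latest.get((customer_id, purpose))
        return ev is not None and ev.granted and ev.clause_version == self._current_version

    def update_clause_version(self, new_version: str) -> None:
        """After a material change to the clause text, earlier grants stop counting until renewed."""
        self._current_version = new_version

    def evidence(self, customer_id: str) -> List[ConsentEvent]:
        """Full history for one customer: what was shown, where, when, and what they answered."""
        return [e for e in self._events if e.customer_id == customer_id]


def demo() -> Dict[str, object]:
    """Constructed scenario, not taken from the decision: one customer answers the three
    questions at a branch, later revokes one purpose through another group company's web
    form, and then the clause text is updated. Entity names are assumed."""
    repo = ConsentRepository(["CaixaBank", "GroupCo-A"], current_clause_version="v3")
    t0 = datetime(2018, 5, 24, 10, 0, tzinfo=timezone.utc)
    # Branch interview: three separate answers, nothing granted by default.
    repo.record(ConsentEvent("cust-1", Purpose.STUDY_AND_MONITORING, True, "CaixaBank", "branch", "v3", t0))
    repo.record(ConsentEvent("cust-1", Purpose.COMMERCIAL_OFFERS, True, "CaixaBank", "branch", "v3", t0))
    repo.record(ConsentEvent("cust-1", Purpose.THIRD_PARTY_TRANSFER, False, "CaixaBank", "branch", "v3", t0))
    offers_after_branch = repo.has_valid_consent("cust-1", Purpose.COMMERCIAL_OFFERS)
    # Revocation on another group company's web form takes effect for the whole group.
    repo.revoke("cust-1", Purpose.COMMERCIAL_OFFERS, "GroupCo-A", "web", t0.replace(year=2019))
    offers_after_revoke = repo.has_valid_consent("cust-1", Purpose.COMMERCIAL_OFFERS)
    study_before_update = repo.has_valid_consent("cust-1", Purpose.STUDY_AND_MONITORING)
    # The clause text changes materially: a grant collected under v3 no longer counts.
    repo.update_clause_version("v4")
    study_after_update = repo.has_valid_consent("cust-1", Purpose.STUDY_AND_MONITORING)
    return {
        "offers_after_branch": offers_after_branch,    # True
        "offers_after_revoke": offers_after_revoke,    # False
        "transfer_ever": repo.has_valid_consent("cust-1", Purpose.THIRD_PARTY_TRANSFER),  # False
        "study_before_update": study_before_update,    # True
        "study_after_update": study_after_update,      # False
        "unknown_customer": repo.has_valid_consent("cust-2", Purpose.STUDY_AND_MONITORING),  # False
        "events_for_cust1": len(repo.evidence("cust-1")),  # 4
    }


if __name__ == "__main__":
    print(demo())
```

Two design choices carry the weight here. Tying each grant to the clause version shown means the register can prove, for any customer, which text they consented to and through which channel, which is exactly the evidence the AEPD asked CaixaBank for; and making "no record" equal "no consent" removes the possibility of a default-granted purpose slipping through a form.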
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Procedure No.: PS/00477/2019
RESOLUTION OF SANCTIONING PROCEDURE
(Spanish Data Protection Agency, C/ Jorge Juan, 6, 28001 Madrid, www.aepd.es, sedeagpd.gob.es)

Of the procedure instructed by the Spanish Data Protection Agency, based on the following

BACKGROUND

FIRST: On 24/01/2018 a letter was received from Mr. AAA (hereinafter the claimant), in which he complains that the entity CAIXABANK, S.A. (hereinafter CAIXABANK) imposed on him, on the same date as the complaint, the obligation to accept new conditions regarding the protection of personal data, specifically the condition relating to the transfer of his personal data to all the companies of the group, as set out in section II of the "new LOPD conditions" established by the entity. He adds that, to cancel that transfer, he must send a letter to each of the companies, which he considers disproportionate given that the transfer is accepted in a single act.

He provides a copy of the conditions that gave rise to the claim, relating to "Authorizations for data processing" and "Exercise of the rights of access, cancellation and objection. Claims before the Data Protection Authority". Through this document, under the heading "Authorizations for data processing", the interested party "expressly consents" to the incorporation of all his personal data into a common information repository in which the data of the companies of the "la Caixa" Group is held, so that it is processed by CAIXABANK and the companies of the "la Caixa" Group for the purposes set out in detail (two groups of purposes: "study and monitoring purposes" and "communication of offers of products, services and promotions"). Likewise, the client is advised that the indicated processing may be carried out in an automated way and may involve profiling, for the purposes already indicated. For this purpose, CAIXABANK informs him of his right to obtain human intervention in the processing, to express his point of view, to obtain an explanation of the decision made on the basis of the automated processing, and to challenge that decision.

Information is provided on the "data" of the signatory that will be incorporated into this common repository, and it is added that these data will be complemented and enriched with data obtained from commercial information providers, data obtained from public sources, and statistical and socioeconomic data ("Additional Information"). Finally, the retention period of the personal data is indicated, and information is offered on data protection rights and on the possibility of filing a claim with the Spanish Data Protection Agency.

SECOND: Exercising the powers conferred by article 40 of Organic Law 15/1999, of 13 December, on the Protection of Personal Data (LOPD), after receipt of the complaint the Subdirectorate General for Data Inspection carried out preliminary investigation actions, under reference E/01475/2018, to clarify the facts complained of and determine whether there were circumstances justifying the initiation of a sanctioning procedure.

In its responses to the two requests made to it by the Inspection Services during those preliminary actions, CAIXABANK informed this Agency that the informative clauses referred to in the complaint were implemented on the occasion of the contractual changes made by the entity to adapt to Regulation (EU) 2016/679 of the European Parliament and of the Council of 27/04/2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (hereinafter the General Data Protection Regulation or GDPR), applicable from 25 May 2018.

1. By letter dated 16/05/2018, registered on 22/05/2018, CAIXABANK informed this Agency as follows:

"(…) Taking advantage of the contractual changes that had to be implemented to adapt to the GDPR, in 2016 it was decided to follow two principles in the relationships to be established with clients: the basis for commercial activity (processing) would be the unequivocal consent of the client; and consents would be collected at 'group' level, to simplify cross-relationship procedures, requesting authorization from clients for processing jointly for all the companies of the 'group'. (…) Clients are asked for authorization to carry out data analysis processing and advertising processing for a set of ten entities, allowing information on all of the client's products associated with the 'CaixaBank Group' to be evaluated jointly. Consents are centralized in a repository, so that any entry of information in it, whether a record of consent granted or denied, supersedes the previous entry, allowing a client to revoke consent from any company of the 'group', and vice versa. Any group company is an entry point where the client can grant consents, or withdraw them, with effect for the whole. (…) Revocation of consent for commercial purposes takes effect automatically for all of them, so that the right can be exercised without distinction before any of them and through any channel. By contrast, with respect to cancellation and rectification, each of the companies is responsible for the commercial relationships it maintains with its clients and for the data it processes in the context of the contractual relationship, without prejudice to the fact that data that has been cancelled or rectified, if it could be used by the other companies, will cease to be so in the case of cancellation or will be updated in the case of rectification."
Further, CAIXABANK informs that a rights assistance system has been implemented centralized, at group level, in a service supervised by the DPD, this entity being entry channel, without prejudice to the fact that all companies have their own channel for the receipt of exercise of rights, including revocation. Consulted by the data collection of social networks, CAIXABANK clarifies that it has a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/177 service so that customers who consent to it through internet banking can link your identification data in networks (Facebook, Twitter and Linkedin) with this service, to be able to identify them when they use these channels to contact the entity. (…) In all cases, the client must accept its use and the terms and conditions. It also informs about data aggregation services, which allow, upon request of the interested party, add the information of the products that have contracted with other entities (positions and movements of accounts and cards) and thus have a global vision of all positions, alerts on receipts, expirations, etc., but do not operate on the products of the added entities (the customer adds or removes entities at will, but only among those incorporated into the service). CAIXABANK includes a detail (screen printing) of the service request process of aggregation that the client must follow through the entity's website. After select the entity that you intend to add to the service and enter the data that the client used to access the selected entity online (access codes), the process requires the acceptance of the terms and conditions of the service, according to the detail that is outlined in the Proven Fact 8. On the other hand, on the possibility, contemplated in the information provided to the interested parties, to complement or enrich customer data with data obtained from companies that provide commercial information, public sources, and with statistical data and socioeconomic, (…). 
2. By letter dated 07/17/2018, entered on 07/19/2018, CAIXABANK provided its response to the second request for information that was sent to it so that provide details on the mechanism implemented to obtain consent unequivocal of the client for the treatments carried out for commercial purposes (or other treatments that exceed the basic activity protected by the legitimate interest of the entity, eg analytical and business impact treatments); mechanism detail implemented to allow the customer to revoke the consent granted for any of the processing of personal data carried out by the CaixaBank Group companies with legal basis in the consent of the client; and information provided to the client in the moment of obtaining consent in relation to data processing personal data carried out by the CaixaBank Group companies, their purpose and the mechanism to exercise your rights of access, rectification, deletion, limitation of your treatment, opposition to it and portability of data. A) on the mechanism to obtain the consent of the client: It has two channels to collect commercial consents from its clients, which coincide with the channels that make it possible to become a client of the entity, that is, in person at offices and through digital channels (CAIXABANK web portal, portal ImaginBank web and mobile app): a) The office registration process The entity informs that this process is carried out through an interview between the client and the manager, and involves the collection of identification, tax and contact data, data socioeconomic and work activity data, data on experience, financial situation and C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/177 investment objectives, as well as the collection of authorizations for the use of the data for commercial purposes. These authorizations are provided by answering three questions carried out by the manager to the client, one of them broken down into four options. 
The information provided by the client during the interview is incorporated into the system and, once this has been completed, it is reflected in the printing on paper of a "Framework Contract" that the client signs (provides a copy of a "Framework Agreement" dated 05/24/2018, whose clauses coincides with the one incorporated in Annex I). In this document a summary of the information provided (including their answers about the treatments) and a clause with the detail about the data processing that is planned. Attach sequence of screens that the manager has to fill in in the registration process of a person. Among others, those that allow to collect identifying data, digitize the identification document and signature, data of birth, residence and tax address, data of contact, taxation and economic data. After filling in several screens (around to fifteen), the manager must complete the label "Modification of data protection of ...", in which the "registration of consents" is included (the structure of this screen consists of outlined in Proven Fact 4). On a later screen, labeled “Scan signed document from original. Firm digital " , the client's" Framework Agreement "can be accessed in pdf format. At the end of this screen, a section "Signed document" is included , which offers the options "Document Scan ” and “ Scan and Send Document ” . He adds that the same procedure is followed for existing clients, when necessary. remediate the information contained in the systems. Since 2016, the Prevention of Money Laundering and Terrorism Financing and the GDPR motivated this remediation of customer information (100% of natural person customers were marked as remediable -when the manager accessed the client file, a warning was displayed indicating that the client has the "Framework Contract" pending for the manager to start the interview). 
It is also possible that the consents are collected or modified for purposes commercials at later times, with the same management described, but signing a document that only addresses this point. CAIXABANK provides a copy of this document, which It is presented as "Authorization for the processing of personal data with commercial purposes by CaixaBank, SA and companies of the CaixaBank Group ” and that this entity denominates “Consent Agreement”, the details of which appear in Annex II (as successive "Agreement of consents" or "Authorization for treatment"). In view of said document, it is verified that it has a structure and content similar to that of signed by the claimant on 01/24/2018 (outlined in the First Fact), although it has been provided the provision of consent separately for the same purposes as are cited in the "Framework Contract" (purpose of study and monitoring; communication of offers of products, services and promotions; transfer of data to third parties) Additionally, CAIXABANK continues, has provided the entire network of offices with tablets digitizers, enabling the "Framework Agreement" and the "Consent Agreement" to be sign, not on paper, but on the tablet itself. In addition, you plan to update the tablets to allow the manager and the client to work on "shared screen" and to the client interact with the device by selecting the options on the treatment of your data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/177 b) Registration process through digital channels (CAIXABANK web portal, web portal and ImaginBank mobile app): CAIXABANK indicates that its web portal has a service to process customer registration online, the process of which includes a step that displays a screen through which They collect consents for the processing of data for commercial purposes (the detail of the options shown on this screen is outlined in Proven Fact 4). 
Add CAIXABANK to the information symbol (i) that appears in the previous screen leads to another screen “in which it is explained why it is necessary for the customer to respond to the questions that arise ” . In this new screen it is indicated “(i) We need your consent. Since May 2018 a new Data Protection Regulation applies. We have always been concerned about the protection of your data, that is why it is important that you answer the following questions (Understood) ” . From there you can access the Clause 8 “Treatment and transfer of data for commercial purposes by CaixaBank and CaixaBank Group companies based on the consent ” of the“ Framework Agreement ”. Finally, the summary of the consents granted and the clauses will be shown in the "Framework Contract" that the client signs at the end of the process. CAIXABANK warns that in the screen in which the signature is requested shows a summary of the most important aspects that regulates the contract, among which the authorizations for data processing are indicated. This screen includes a box to check "I have read and accept the contract . " The same process follows the registration and collection of consents through the mobile application from ImaginBank. The screen relative to consents shows the same structure of the CAIXABANK web portal, substituting the mentions to this entity for ImaginBank. B) About the mechanism to allow the client to revoke consent: The exercise of rights and the revocation of "commercial consents", by clients and non-clients, it can be formulated in multiple ways: . In person at the entity's offices. . Through the personal electronic banking space (Caixabank Now and ImaginBank, both in its web version as in the mobile application). . Using application forms on the corporate web portal of CAIXABANK or of each one of the Group companies. . Through CAIXABANK's telephone service. . Request by postal delivery or hand delivery. 
a) In the face-to-face process, in offices, the employee will register the request in the system noting "with respect to which company the revocation is formally exercised" , as may be seen in the screens it shows, one related to rights management and another specific for the revocation of consents (both have a drop-down that allows indicate the specific company before which the statement in question is made). The structure that shows the screen enabled for the manager to register the revocation or modification of consents that the client wants, under the heading "Modification of data protection ”, is the same as that indicated above for the “ Registration of consents ” manifested in person at the office. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/177 According to CAIXABANK, these requests are registered and sent to a service centralized attention to rights, which is responsible for giving them the corresponding procedure. b) The process to follow in the client's private space on the Caixabank Now website will allows you to select your preferences and obtain information about the proposed treatments (By clicking on the option "see detail Clause 8" you have direct access to the texts of the "Contract Framework ”related to each purpose). The detail of the options shown on this screen It is outlined in Proven Fact 5. Next, the client is shown a summary with the consents granted, to that you can check them, and the contract that includes a summary of those consents. Here is an example of this summary: << Operation not yet completed, Check the data and confirm the operation. Check the data Study and monitoring purpose: You have expressed your acceptance and consent to the treatment of data. Purpose of communication of offers of products, services and promotions: you have stated your NO acceptance and consent to contact for commercial purposes. By any channel or medium, including electronic means. . 
Through my manager (office) Transfer of data to third parties: you have expressed your NO acceptance and consent to contact with commercial purposes. Read the contract carefully Confirm the operation… >>. In the CaixaBank Now mobile application environment, the customer can access "Configuration - Exercise of rights" and is redirected to the Web portal. However, it clarifies that This process is being reviewed in order to show the options available in the own application. Provides a detail of the screen in development "Configuration - Exercise of rights - Right of revocation ” : "The personal data protection regulations establish the right to revoke the data treatment. Below are the data processing that you have authorized: Authorization to process my data to carry out monitoring and study of operations, generation of alert of my contracted products, studies and services adjusted to my profile (I do not accept) Authorization for CaixaBank to contact me to find out about product offers and services, as well as promotions and offers that may be of interest to me (I do not accept) I accept the transfer of data to third parties (I do not accept)". Subsequently, the summary of the demonstrations made is shown, the introduction of the passwords and, in a new screen, it is indicated “Your right to revocation. You can check the contract in MailBox ” . The same indication is made with respect to the ImaginBank application. c) Use of the application forms available on CAIXABANK's corporate web portal C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 7/177 or each of the Group companies. As indicated, in the first case customers can revoke their consent to any company of the Group through the CAIXABANK website (a drop-down for the client to select the company on which they want to revoke consent). Once the company has been chosen, the right that the client wants to exercise must be selected, also using a drop-down. 
One of the options refers to the revocation of consents, with the possibility of marking three boxes, according to the detail that appears outlined in Proven Fact 5. In the second case, when it is intended to revoke consent from the web portal of a group company, as reported by CAIXABANK, a similar form is displayed and same operation as the previous one. When accessing the page corresponding to the entity from which the try, the client is directed to a screen common to all. d) Finally, reference is made to the request through the telephone service and by postal delivery. According to the entity, the Call Centers have at their disposal a tool that allows them to address the exercise of rights, including the revocation of consents. The request (the protocol contemplates the recording of the call) and the interested party is informed that You will receive a written response within one month. The structure shown by the aforementioned tool for the revocation of consents is similar to the one indicated above for the "Registration of consents" manifested in person at the office. In each option, a drop-down is displayed for the employee to mark the option desired by the client. 3. CAIXABANK consulted for the information provided to the client at the time of the obtaining the consent of the Group companies, it is indicated that this Information is contained in the “Framework Agreement” and in the “Consent Agreement”. THIRD: By resolution dated 02/01/2019, of the Director of the Spanish Agency of Data Protection, the expiration of the previous actions outlined in the Second Antecedent, followed by number E / 01475/2018, for the duration of the twelve months from when the complaint was filed (01/24/2018), in accordance with the established in article 122 of RD 1720/2007, of December 21, which approves the Regulations for the development of the LOPD. 
This resolution warns about the provisions of article 95.3 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), which establishes that expiry does not entail the prescription of the actions of the Administration, and that the opening of a new procedure is admitted as long as prescription has not occurred, with the incorporation of the acts and procedures whose content would have remained the same had it not expired.

FOURTH: On 03/29/2019, a letter from the entity Association of Consumers and Users in Action - FACUA was received at this Agency, in which it makes a claim against CAIXABANK in relation to the "Framework Contract" signed by the clients of this entity, through which their personal data is collected, information on this matter is offered to them and consents are collected for the data processing specified therein. Specifically, FACUA denounces that it is an adhesion contract, whose content cannot be negotiated by the consumer, who is required to consent to the processing of their personal data and the transfer thereof to third companies with which they may have no relationship (authorizations provided for in clause 8 and assignments mentioned in clause 10 of said contract). The claimant provides a copy of a "Framework Agreement" dated 10/24/2017, whose clauses coincide with those of the version dated "03/14/2017", which will be referred to below ("Version 3", according to the numbering provided by CAIXABANK).

This claim was transferred to CAIXABANK. In response to what was expressed in the claim, CAIXABANK informed this Agency that it had sent FACUA a letter detailing the process of collecting consent from clients for commercial purposes, as well as the operations used to sign the contract, which is summarized as follows:
* Customers are always asked for express consent for data analysis, commercial contact and the transfer of their data.
* The contract is not an adhesion contract, since the client can decide whether or not to grant the consents.
* Additionally, the client has several channels to modify their initial decision (offices, internet banking, call centers, etc.).

CAIXABANK provides a copy of the communication sent to FACUA, which summarizes part of what was stated to the Agency in its response of 05/16/2018, and includes a list of the "Group companies" and an annex with details of the consent collection process (corresponding to an extract of the training given to employees, which includes the screens to be completed). From what was informed to FACUA in this communication, dated 05/03/2019, the following should be noted:

* Regarding the collection of consents, it describes the procedure for registering a new client, which includes their identification and their consent (signature). Before signing the "Framework Contract", the office manager must ask the client whether or not they authorize the processing of their data for commercial purposes (profiling, commercial communications and transfer to third parties), so that the client verbally expresses their choice on each of the three questions and the manager fills in the boxes corresponding to this choice (consent for the processing explained in clauses 8 and 10 of the "Framework Contract", currently 8 and 9). Once these boxes are filled in, the "Framework Contract" is generated to be signed by the client, with the choices recorded in the header (page 1, section "Authorizations for data processing"). If none of the authorizations is granted, the following will be indicated in the aforementioned section: "Authorizations for data processing. In the terms established in clauses 8 and 9 of this Contract, your authorizations for data processing are the following: Commercial purposes:
* Purpose of studies and profiling: You have expressed your non-acceptance of and non-consent to the processing of your data.
* Purpose of communication of offers of products, services and promotions: You have expressed your non-acceptance of and non-consent to contact for commercial purposes by any channel or medium, including electronic media.
* Transfer of data to third parties: You have expressed your non-acceptance of the transfer of your data to third parties".

It also informs that a new shared-screen operation is in the pipeline that will allow the client to directly read the information about personal data processing and mark, without intermediaries, the processing they authorize or not.

* Regarding the revocation of consents and the exercise of rights, it warns that these have effect for all Group companies and can be exercised before any of them, through any of the channels of each of them. It adds that a Group Data Protection Officer has been appointed, who supervises the centralized rights management service, and that CAIXABANK is an entry channel for exercising rights for all companies. (…)

FIFTH: The claim outlined in the Fourth Antecedent was admitted for processing by agreement of the Spanish Data Protection Agency of 05/28/2019. In accordance with article 67 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), it was agreed to initiate preliminary investigation actions and to incorporate into them all the documentation outlined in the previous antecedents, composed of the complaint made by the claimant, the documentation corresponding to the previous actions processed under number E/01475/2018 on the occasion of that complaint, the claim made by FACUA and the documentation that makes up the admission-for-processing phase of the same.
The object of these preliminary investigation actions was determined as the analysis of the information generally offered by CAIXABANK regarding the protection of personal data, through all the channels used by the entity (compliance by CAIXABANK with the principle of transparency established in articles 5, 12 et seq. of the RGPD, and related precepts); the different personal data processing operations carried out by the entity according to the information offered, in relation to clients or persons who have any other relationship with it, within the framework of the new regulations applicable from 05/25/2018, including the analysis of the mechanisms employed to obtain the consent of the interested parties; as well as compliance by the aforementioned entity with the rest of the principles relating to processing established in article 5 of the RGPD.

In the course of these preliminary investigation actions, a request for information was sent to CAIXABANK and an inspection visit was made on 11/28/2019:

1. On 11/20/2019, a response was received from CAIXABANK to the request issued by the Inspection Services to provide information on the "Framework Contract", in its current version and the previous versions valid as of 05/25/2018, and possible addenda; the channels and methodology for its acceptance and the granularity for obtaining consents; as well as on the procedures enabled to make the information on the protection of personal data updated to the RGPD known to clients prior to 05/25/2018 and the mechanisms to obtain their acceptance.

a) CAIXABANK points out that, taking into account the preliminary texts of the RGPD, it implemented the "Framework Contract" in June 2016, with six versions dated 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019 (it provides a copy of these versions).
It highlights that there have been no significant changes in this document, which regulates the entire customer relationship with CAIXABANK and with the Group companies whose products it sells, informs about all the processing derived from the contractual relationship and requests the necessary consents for the processing of personal data at Group level.

On the other hand, CAIXABANK advises that product and service contracts also include the information required by article 13 of the RGPD, in anticipation that time could elapse between the signing of the "Framework Agreement" and the contracting of products (it includes a copy of a contract for products and services corresponding to the "Book Star"); and that there are other services which, due to their specialty, contain their own data protection clauses (it includes the detail of the personal data protection information provided to subscribers of the "Shareholder Attention Service" and in the subscription form for "Events").

b) In relation to the granularity for obtaining consents, it is indicated that CAIXABANK and a selection of investee companies, which Caixabank Payments & Consumer, EFC, EP, SAU has recently joined, have been collecting consents to carry out commercial processing since 2016 in the terms set forth in file E/01475/2018 (Second Antecedent). It details the procedure followed by CAIXABANK and by Payments. In the first case, it indicates that the information system guides the manager throughout the process, advising them that they must consult the customer's preferences and physically hand over the tablet so that the customer themselves marks their options. Once the preferences have been marked, the terminal itself indicates that these preferences have been registered and invites the customer to return the device to the manager. Subsequently, "the manager finalizes and consolidates the document and provides it to the client for signature".
On the next screen, the indication "Tablet Mode" disappears and the following is stated: "Your consents have been indicated. Thank you for your cooperation. Please return the Tablet to your manager". It informs that CAIXABANK and its Group request three consents for the three purposes outlined, breaking one of them down into four options, and clarifies that the first two are requested at the level of the CaixaBank Group of companies. Next, it reproduces part of Clause 8 of the aforementioned contract, in which, according to CAIXABANK, the meaning and specification of the previous wording are explained, along with the detail of what data will be processed for purposes i) and ii). The content of this clause reproduced in CAIXABANK's brief coincides with the one outlined in Annex I.

On this issue, it provides a copy of the screens that show the registration process of a client in person at the offices. After advancing about fifteen screens, two screens are shown corresponding to the collection of consents for the processing of personal data, with the label "Authorization / Revocation of consents" and the indication "Tablet mode. Customer". Before them, a screen is shown with a message to the manager with the indication "According to the General Data Protection Regulation, the client must authorize the use of their data. You must then hand over the tablet to the customer so that they fill in the consents". After pressing the "OK" button, the "Tablet Mode" is accessed, with the "Authorization / Revocation of consents" screens, the details of which are outlined in Proven Fact 4. Once the options have been selected, the buttons "Accept" and "Cancel" appear at the bottom of the screen. Pressing the first one shows a message with the text "Your consents have been indicated. Thank you for your cooperation. Please return the Tablet to your manager". (…)

It is verified that the "Tablet Mode. Client" screens do not contain any link to the information on the protection of personal data contained in the "Framework Agreement". In relation to this process, no screen is provided regarding the consolidation of the document and its signature by the client.

Next, the screens corresponding to the "Modification of consents" process are shown. (…) This screen includes a link with the text: "Authorization / Revocation of processing for commercial purposes". By clicking on this link, a message appears to the manager with the indication "According to the General Data Protection Regulation, the client must authorize the use of their data. You must then hand over the tablet to the customer so that they fill in the consents". After pressing the "OK" button, the "Tablet Mode" is accessed, with the "Authorization / Revocation of consents" screens, the details of which are identical to the "Authorization / Revocation of consents. Tablet mode. Client" screens of the client registration process referred to in the previous paragraphs, except as regards the use of biometric data, which is not included in this case.

With its reply, CAIXABANK provided a copy of the contract corresponding to a client, dated 11/06/2019 (hereinafter this document will be called "Version 7 of the Framework Agreement" or "Client Framework Agreement dated 11/06/2019"). It is verified that its content does not match any of the six versions of the "Framework Contract" provided by the entity itself (Annex I outlines the modifications or new informative clauses introduced in this version of the "Framework Contract", which affect data processing in the electronic signature of documents and the processing of biometric data). In the heading of the document, under the heading "Authorizations for data processing", the following is indicated: "Other purposes: Use of biometric data for the purpose of identity verification and signature. You have expressed your acceptance and consent".
c) On the procedures enabled to make the "Privacy Policy" updated to the RGPD known to clients prior to the application of this standard and the mechanisms to obtain their acceptance, CAIXABANK informs this Agency that said "Privacy Policy", which is published on the "caixabank.es" website, is intended to complement the information provided to customers in the "Framework Agreement" between June 2016 and May 2018, and to give complete information to customers who in May 2018 had not signed the "Framework Contract". Thus, since May 2018 it distinguishes two situations:

* All pre-existing clients have signed a framework contract or have received the "Privacy Policy" (in addition to having it at their disposal on the entity's website).
* All new clients, in their first relationship with the entity, sign a "Framework Contract", which includes all the information of article 13 of the RGPD.

It clarifies that the "Framework Contract" has been, since May 2018, the information on data processing that is delivered to the client in compliance with article 13 of the RGPD, and that the "Privacy Policy" is a document consistent with what is contained in said contract. To transmit the "Privacy Policy" to customers, CAIXABANK states that it sent 15,917,507 communications, of which 5,663,683 were made by post and 10,253,824 through remote banking with a warning pop-up ("If you want to know more about our commitment to your data and your privacy, you have a statement available in your MailBox - Access MailBox"). It attaches a copy of CAIXABANK's "Privacy Policy" available on the entity's website, which is reproduced in Annex V.

2. On the other hand, an inspection visit was made to CAIXABANK on 11/28/2019, informing the representatives of the entity that said action was aimed at verifying the information it provides on the protection of personal data and the obtaining of consents for the data processing carried out. According to the inspection record, in response to the questions raised, the representatives of CAIXABANK made the following statements and carried out the checks that are also detailed:

a) The procedure for the beginning of commercial relations can be carried out in person, or also through the web and through the previously downloaded "CaixaBank" application for mobile devices.

In person. The agent requests the identification data, digitizes the identity document, collects data on residence and fiscal address, taxation and economic data (origin of funds, public personality, etc.); and hands a tablet to the customer to select the consents they wish to grant to the inspected party and to the Group companies. It is indicated that there are four groups with Yes/No answers, and the text that appears on the tablet is detailed stating the different groups, which coincides with the text detailed in section b) above ("Authorization / Revocation of consent" screen, which contains the indication "Tablet Mode"). At this time no biometric data is taken except for the signature. If in the future this type of identification is implemented, and this consent has been granted, this data will be collected. Once the consents have been collected, the agent consolidates and offers the tablet to the client with the "Framework Contract" document so that they can read it, see the section "Authorizations for data processing" with the consents granted and denied, and sign said contract, which is done on the same tablet.

Through the CAIXABANK website. The procedure is carried out on the online platform of the inspected company through a guided form for collecting the data of the future client.
During the inspection, a simulation is performed and it is verified that the first page asks for the phone number and email. On this same screen a window appears with a text entitled "Processing of personal data and obligations derived from the prevention of money laundering and terrorist financing". There is a button called "Accept and Continue". Identification data and address are requested on the next screen. Next, identification is carried out by video identification or through the service for verifying ownership of external accounts via the Iberpay service. Then a screen is presented in which the purpose of the account is specified, followed by the screen for obtaining consents, account creation, and the contract signing screen, where the complete "Framework Agreement" can be downloaded. Once the checkbox confirming acceptance of the contract is selected, the signature is carried out by sending a numeric code to the mobile phone provided by the customer.

Mobile banking via app. It is possible to start the registration process through the application for mobile devices but, after the installation process, at the time the collection of the interested party's data begins, the application redirects the interested party to the web application described in the previous point.

By phone. No registrations are made by this means.
b) A demonstration is carried out of the procedure for modifying a client's consents through their personal space:

Initial situation: all consents "I do not accept"
* Data processing: I do not accept
* Advertising: I do not accept
* Telemarketing advertising: I do not accept
* Advertising by electronic means: I do not accept
* Advertising by postal mail: I do not accept
* Personal manager advertising: I do not accept
* Data transfer: I do not accept

Modification: the second level is modified and not the first level
* Data processing: Does not accept
* Advertising: I do not accept
* Telemarketing advertising: Does not accept
* Advertising by electronic means: Does not accept
* Advertising by postal mail: Does not accept
* Personal manager advertising: Accepts
* Data transfer: Does not accept

It is detected that, although it has been selected not to receive commercial communications in general, by being able to mark one of the media, the receipt of communications by that medium is accepted and the grant is reflected in the document signed by the client (regarding this matter, on 12/10/2019 a letter was received from CAIXABANK, noting that it has included an informative text to indicate to the interested party that, when marking one of the media, they accept the receipt of communications by that medium: "If, despite not wanting us to contact you in general, you are interested in receiving information by any of the following channels, you just have to mark it and we will use it to send you our news and offers"). A screenshot is attached in which all consents are denied, together with a copy of the document generated from the modification of consents. The structure and content of this screen coincide with the detail outlined in the Second Antecedent, section 2.Bb), in relation to the revocation of consents through the private client space on the CaixaBank Now website.
A screenshot is attached of enabling a second-level consent while the first level remains at "I do not accept" for commercial communications, together with the document generated from the modification of consents.

The content of the documents generated once the customer's statements have been reflected coincides with the text outlined in Annex II ("Consent Agreement"), with the variations indicated below, which are also outlined in said Annex II:

* The term "revocation" is added to the title of the document: "Authorization / revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank Group".
* The mention of the "common repository" disappears from the presentation of the document, where it appeared with the indication "For this, your data will be managed from a common information repository of the companies of the CaixaBank Group. The data that will be incorporated into this common repository will be…".
* The section dedicated to "the data to be processed" moves from the presentation of the document to be associated with purposes 1 (analysis and study of data) and 2 (commercial offer of products and services). In addition, section c) includes the mention of the companies of the CaixaBank Group, reading "All those that CaixaBank or the companies of the CaixaBank Group obtain from the provision of services to third parties, when the service has the signer as the recipient, such as the management of transfers or receipts".
* The following text is added: "The authorizations that you grant will remain valid until revocation or, in the absence thereof, up to six months after you cancel all your products or services with CaixaBank or any CaixaBank Group company".
* In authorization (ii) of the section corresponding to purpose 1 (processing of analysis, study and monitoring for the offer and design of products and services adjusted to the customer profile), the possibility is added of associating the signer's data with those of other clients with whom they have some type of family or social bond, or relationship of ownership or management, in order to analyze possible economic interdependencies in the study of service offers, risk requests and product contracting.
* In the section dedicated to the exercise of rights, a mention of these rights is added that does not appear in the text of Annex II, a postal address is indicated for exercising rights, which was also not recorded, as well as the possibility of exercising the rights through mobile applications.
* Two sections have been added corresponding to the data protection officer and to the validity of the "Framework Contract" once it has been signed by all the parties involved.

c) Exercise of rights. Any channel in which the client has identified themselves is enabled for the exercise of rights. The revocation of consent is applied at the moment it is made and applies to all Group companies.

d) On the information provided to the client so that they consent to access to social network data: it is accessed from the personal area of online banking and specifies which network, individually from among Facebook, Twitter and LinkedIn, access is allowed to. The text "Information on the processing of personal data and commercial communications" appears in a text box, along with a button with the text "Accept and continue". Annex III outlines the information provided by CAIXABANK to its clients to collect their consent to access and use data from social networks.

e) The account aggregation service requires a special contract, although the consent is given in the "Framework Agreement".
When starting the process, a "Contract" text appears in a text region, with the possibility of generating a document in PDF format. Annex IV outlines the contract that the client formalizes when requesting this account aggregation service, which includes the information offered on the protection of personal data.

f) The processing described in point 7.3.5 is not carried out on the aggregated accounts of other entities. The right to object to the processing described in this point can be exercised through online banking and the other enabled channels.

g) Regarding the content of 8.ii.h), this possibility has been specified for possible uses. When processing of this type occurs, it will be assessed by means of an impact assessment.

h) On the mechanisms used to inform about the update of the "Privacy Policy" and obtain the consent of clients, the representatives of CAIXABANK stated that with the first version of the "Framework Contract", dated June 20, 2016, the new consents began to be collected. In May 2018 they set all consents in the old format to "I do not accept". Since this date, customer consents have been collected through different channels. During the various updates, more than 15 million communications were sent, of which 5,663,683 were sent by post and 10,253,824 were made available to customers through their online banking through a pop-up warning window. The content of the communication is purely informative.
i) The information systems are accessed to verify the consents granted by the claimant, obtaining the following data:

Consents:
* Data processing: Does not accept
* Telemarketing advertising: Accepts
* Advertising by electronic means: Accepts
* Advertising by postal mail: Accepts
* Personal manager advertising: Accepts
* Data transfer: -

It is verified that the claimant has not signed the "Framework Contract", but granted consents on January 24, 2018, by signing the document found in their contractual repository (this document corresponds to the one provided by the claimant, signed on 01/24/2018, which is outlined in the First Fact). Additionally, it appears that the claimant modified, through the entity Caixabank Consumer Finance, EFC, SAU, one of the consents in May 2018, not accepting the data processing (it provides an internal email of 11/28/2019 which reports on this modification: "consent 1 arrived 'unsigned' from company 6 (CCF), was signed on May 18. Consents 3 to 6 were signed with ALF00017 (winning moment) in January 18. The 7th is not signed in the ALF00017, so it is pending signing").

Screenshots of CAIXABANK's information systems are provided corresponding to the claimant's data, current consents, the contract of LOPD clauses of January 24, 2018 and the justification of the change of consents granted for data processing:

* The query on customer data, in its first section "Operational list", details the contracted products and a review of their personal data (name, NIF, date of birth, language, telephone numbers and the image of their ID). It includes two indications: "Family Program: Does not comply due to income" and "Framework Agreement Resolver". In the "Person" section, the personal data, economic activity and taxation are detailed.
It also contains subsections relating to digital images (ID and signature), alerts ("Edition framework contract Resolve"), commercial consents (data processing: Does not accept; telemarketing advertising: Yes; electronic media advertising: Yes; postal advertising: Accepts; personal manager advertising: Accepts; transfer of data: "Authorization / revocation of processing through the edition of the framework contract…"), consent history ("Last movement 10/16/2019"), and Right of access, revocation, rectification... (without annotations). In the "Documents" section, the "LOPD contract clauses" of 01/24/2018 are accessed. In the "Digitization" subsection, the boxes Open Line, Office, Cashiers and Telemarketing appear.

SIXTH: On 01/07/2020, the Agency's Inspection Services accessed the website caixabank.es, its "Privacy" section, and the document called "Processing of personal data based on legitimate interest". The full content of this document is reproduced in Annex VI.

SEVENTH: On 12/26/2019, the Subdirectorate General for Data Inspection accessed the CAIXABANK website ("caixabank.es") and obtained the available information on the entity. In the "corporate information" that appears in the "Who we are" section of said website, it declares itself "leader in Iberian retail banking", with 15.7 million customers, 37,440 employees, a 29.3% penetration share of individuals in Spain and €386,622 million of total assets. Financial information is also obtained, of which it is worth highlighting that relating to the Income Statement, which "as of 09/30/2019" reflects an "Operating Margin" of 2,035 million euros. According to the information contained in the Central Mercantile Registry, the "Subscribed Capital" amounts to 5,981,438,031.00 euros.
EIGHTH: On 01/21/2020, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against CAIXABANK, in accordance with article 58.2 of the RGPD, for the alleged violation of articles 13 and 14 of the RGPD, typified in article 83.5.b) of the aforementioned Regulation; for the alleged violation of Article 6 of the RGPD, typified in Article 83.5.a) of the aforementioned Regulation; and for the alleged violation of article 22 of the RGPD, typified in article 83.5.b) of the RGPD; determining that the penalty that may correspond would amount to a total of 6,500,000.00 euros (2,000,000, 4,000,000.00 and 500,000 euros, respectively), without prejudice to the results of the investigation.

The actions outlined in the Background of this act are intended to analyze the information offered in general by CAIXABANK on the subject of protection of personal data, through all the channels used by the entity (the "Framework Agreement" and the "Consent Agreement" - "Revocation authorization for the processing of personal data for commercial purposes by CaixaBank, SA and CaixaBank group companies" -, the "Privacy Policy" accessible through the entity's website, and the information offered in relation to personal data from social networks and the aggregation service); the different processing of personal data carried out by the entity according to the information offered, in relation to clients or people who maintain any other relationship with it, including the analysis of the mechanisms employed to obtain the consent of the interested parties; as well as compliance by the aforementioned entity with the rest of the principles relating to processing established in article 5 of the RGPD.

The reasons that support the indicated allegations are, briefly, the following:

a) Infringement of articles 13 and 14 of the RGPD:
* The information offered in the different documents and channels is not uniform.
* Use of imprecise terminology to define the privacy policy.
* Insufficient information on the categories of personal data that will be subject to processing.
* Breach of the obligation to inform about the purpose of the processing and the legal basis that legitimizes it, especially in relation to the processing of personal data based on legitimate interest.
* Insufficient information on the type of profiles to be made and the specific uses to which they are going to be put.
* The information provided on the exercise of rights, the possibility of lodging a claim before the Spanish Data Protection Agency, the existence of a Data Protection Officer and their contact information, as well as that relating to the data retention periods, is not uniform.

b) Violation of article 6 of the RGPD:
* Insufficient justification of the legal basis for the processing of personal data, especially in relation to processing based on legitimate interest.
* Non-compliance with the requirements established for the provision of valid consent, as a specific, unequivocal and informed manifestation of will.
* Deficiencies in the processes enabled to obtain the consent of clients for the processing of their personal data.
* Illegal transfer of personal data to companies of the CaixaBank Group.

c) Violation of article 22 of the RGPD: invalidity of the consent given by clients for the data processing regulated in this article.
Likewise, for the purposes provided for in Article 58.2.d) of the RGPD, the initiation agreement warned that the imputed infringements, if confirmed, may lead to the imposition on the CAIXABANK entity of the obligation to adopt the measures necessary to bring into line with the personal data protection regulations the processing operations it performs, the information offered to its clients and the procedure by which they give their consent for the collection and processing of their personal data, with the scope expressed in the Legal Grounds of that agreement and without prejudice to the results of the investigation.

NINTH: Once the aforementioned initiation agreement was notified, CAIXABANK presented a brief of allegations in which it requests that the non-existence of an infringement be declared and, alternatively, the cancellation of the procedure for expiry and prescription as described in the fifth claim; or, failing that, that a warning be agreed or that the sanction be imposed in its minimum amount. In summary, the entity bases its request on the following considerations:

1. The initiation agreement does not correctly reflect the procedures followed by the entity to inform its clients and request their consent.

a) On this preliminary question, it makes two initial clarifications: first, that its allegations refer simultaneously to the face-to-face and online registration processes, unless expressly indicated otherwise, since both follow the same operation as regards the information offered and the collection of consents, one through the client's own device and the other through the tablet that the branch makes available to the client, who operates freely using this tool.
It also notes that CAIXABANK and the CaixaBank Group operate under the same brand concept, with that entity being the backbone of the Group, so that the client interacts with all entities through the different CAIXABANK channels, as marketer of all products, as explained in the corporate information offered on the website, in the section "Who are we?". This scheme is transferred to the various facets of data processing, including the management of consents for processing for commercial purposes, which is carried out centrally. It understands that it would not be operational to manage consents separately for processing to be carried out jointly in the context of the Group's activities for the same purpose and with the same means, in relation to data for which the Group entities are jointly responsible. (…) It is also a regulatory need required by the European Central Bank (...) and it is also necessary to comply with legal obligations, which must be supported by the Group, to manage customer information in a coordinated manner, established in regulations such as the Sustainable Economy Law, Consumer Credit Contracts or the Prevention of Money Laundering and the Financing of Terrorism.

As a consequence of the adoption of this "common repository" model, which was analysed in an Impact Assessment, several measures were implemented. Among them:

* Informing data subjects that consent is granted at Group level, for all purposes, so that if it is not given to one entity, none of them may process the data;
* Centralised management of data protection rights, making it possible to exercise them before one or all entities, justified by the sectoral regulations that require fraud prevention, anti-money laundering and risk control;
* Revocation of consent also at Group level (withdrawal of consent to processing for commercial purposes for one entity also means withdrawal for the rest).
b) Regarding the client registration process and the information and decisions about the processing of personal data, it highlights that this decision is free for the client and is not predefined. This information/decision phase in the branch is articulated through an interview between the employee and the client, with content that must necessarily be addressed and which is formalised with the signing of the "Framework Contract", the first version of which with references to the RGPD dates from June 2018 and not November. During the interview, after collecting the client's identification, tax, regulatory and economic data, clients are consulted about their preferences and asked to mark them themselves on the tablet provided, on which they can read and analyse the information provided for as long as they consider necessary, and may make enquiries to the employee, who has been trained for this purpose. The result is incorporated into a PDF file that the system generates individually and uniquely for each client, which includes in its initial part their declarations regarding the processing of their personal data. Given that this document already contains the client's particularities and preferences, it does not include selection boxes, which should not lead to the mistaken belief that the "Framework Contract" does not allow the client to choose how their personal data will be processed. In fact, technically, the contract cannot be generated without the client having expressed a choice one way or the other. In addition, the data subject can review the copy of the contract displayed on the tablet, check that it includes their authorisations or consents, request its modification and sign it once they agree with what is reflected in it. During this process of obtaining consents, the client is informed about their meaning clearly, simply and transparently, can ask the employee questions and examine their own version of the "Framework Contract".
For online registration, the operation is essentially the same. In this case, the client marks the boxes on their own device, after reading the meaning of their choices in information windows that the system forces them to open, as found in the inspection of 11/28/2019; they can also review the document and sign it if they agree, or delete it otherwise. In addition, although the "Framework Contract" is the main axis of the relationship with the client, it is supplemented by additional information in the "Privacy Policy", in a language adapted to the environment, simpler and more friendly, as well as in the specific contracts for the products or services the client takes out. These specific contracts incorporate the specific conditions or particularities that the new product or service entails, but they rest on the basis of the "Framework Contract", which they complement.

In the specific cases of the social media and aggregation contracts, to which the agreement to open the procedure refers, it indicates that they are not representative, due to the small number of clients who have requested them. This merely complementary character explains why the information is reduced, since these are clients who were already informed under the "Framework Agreement". Regarding the social media contract, it notes that access to the service has been suspended for months and as of the date of the brief of allegations it is not accessible. In relation to the foregoing, CAIXABANK provides circulars and internal regulations regarding data protection information and the provision of consent, as well as some examples of employee training on this subject and the particular client registration processes, which are updated and complemented by circular.
It provides two documents labelled "Rule 47: Confidentiality and processing of personal data" and "Rule 122: Prevention of money laundering and financing of terrorism", as well as some circulars, all of them aimed at employees of the entity. The first of the cited documents includes, among others, sections on the RGPD, obligations and principles of processing, exercise of rights, purposes and communications of data. We highlight the following aspects: (…)

It provides two circulars, dated 11/26/2019 "The client will complete the processing of their personal data" and 07/17/2019 "Solve your doubts about the questions of the Framework Contract. These are some of the answers to the questions of the Framework Contract". (…)

It also provides a document labelled "The General Data Protection Regulation", also aimed at employees. This document explains the basic lines of the regulations and presents employees with different scenarios in this matter. Finally, in relation to the issues mentioned in this section, it attaches screen prints corresponding to the personal area of a client, to show that it does not include the link to "My social network data".

c) The Consent Agreement is used to document the modification of consents outside the registration process. In this case the client is not required to sign the "Framework Contract", which is designed to be signed only once, with exceptions. Only the texts related to the circumstances for which consent is requested, or which the client wants to modify or revoke, are presented. It is a unique and clear document focused on what the client wants to change.

d) As a conclusion to what is indicated in this point, CAIXABANK reiterates that the various documents it has to regulate the processing of personal data are used at different moments and in different scenarios, and not simultaneously.
The customer's experience is to receive a single document, contrary to the image of disorganisation and confusion that the AEPD seems to have.

2. CAIXABANK has informed the data subjects in the terms provided in Articles 13 and 14 of the RGPD.

a) It alleges that it complies with the provisions of Article 13 of the RGPD, both in content and in form, according to the procedure it described. The procedure is direct and simple, does not correspond to the confusing image reflected in the initiation agreement, and offers complete information separately, step by step and intuitively. On the other hand, the information offered in the "Framework Contract" details the identity of the controller, the contact details of the DPO, the purposes of the processing and legal basis, processing based on legitimate interest, retention periods, rights, revocation of consent, the possibility of lodging a claim with the AEPD, communications of data, the existence of automated decisions, and includes a link to the "Privacy Policy". Regarding the rest of the documents ("Privacy Policy", product and service contracts and "Consent Agreement"), CAIXABANK points out that, considering that the "Framework Agreement" informs about the points required by the RGPD, it is not necessary for them to reproduce them again. These other documents are not intended to comply with the provisions of Article 13 of the Regulation, since they are directed at clients who have already been informed.

b) CAIXABANK does not carry out, within the framework of what is established in the "Framework Contract", processing that involves decisions based solely on automated processing, including profiling.
The accused entity refers to the classification made by the Article 29 Working Party, endorsed by the European Data Protection Board, in the Guidelines on automated individual decision-making and profiling for the purposes of the RGPD (WP251 Guidelines), which distinguish the following ways of using profiling: "There are three possible ways to create profiles: i) general profiling; ii) decisions based on profiling; iii) decisions based solely on automated processing, including profiling, which produce legal effects on the data subject or similarly significantly affect them (Article 22(1)). The difference between ii) and iii) is best seen with the following examples, where a person requests a loan through the internet:

* the case in which a human being decides whether to approve the loan based on a profile produced solely through automated processing corresponds to option ii);
* the case where an algorithm decides whether the loan should be approved and the decision is automatically delivered to the person in question, without any prior and meaningful evaluation by a human being, corresponds to option iii)".

CAIXABANK simply prepares general profiles (option i) and makes decisions based on profiles (option ii) from those listed in the Guidelines. Therefore, neither Article 22 of the RGPD nor the duty of information included in Article 13.2 f) of the same legal text is applicable. Even so, CAIXABANK voluntarily and adequately informs data subjects of the points provided in the last cited Article, in compliance with the recommendations established in those Guidelines, which state: "Even if the automated decision-making and profiling do not meet the definition of Article 22(1), it is still advisable to provide such information.
In any case, the controller must offer enough information to the data subject so that the processing is fair and complies with the rest of the information requirements of Articles 13 and 14". Consequently, although it is not obliged to do so, for transparency and voluntarily, it informs about all the points provided for in Articles 13.2 f) and 22 of the RGPD:

* Clause 8 of the "Framework Contract" informs data subjects of their right to obtain human intervention in the processing, to express their point of view, to obtain an explanation of the decision taken on the basis of automated processing and to challenge that decision; that is, information is given in line with the provisions of Article 22.3 of the RGPD, despite not being necessary.
* In line with the provisions of Article 13.2 f), information is given on the existence of profiling, the significance of the processing (very minor, as it is based on consent) and the consequences for the data subject ("If I authorise it, the offers that are sent to me will be adapted to my profile").
* Regarding the logic applied, CAIXABANK's actions are consistent with the recommendations of the AEPD published in the "Guide to Adaptation to the RGPD of processing that incorporates artificial intelligence. An introduction". It states that CAIXABANK agrees that "complying with this obligation by offering a technical reference to the implementation of the algorithm can be opaque, confusing, and even lead to fatigue". Therefore, it provides in Clause 8 (i) of the "Framework Contract" a description of the different operations that are carried out and that "allows the behaviour of the processing to be understood".
* It considers that the obligation to inform about the right to object is not applicable, inasmuch as decisions are not made based solely on automated processing.
It adds that, nevertheless, in different places it warns that the data subject can withdraw their consent and informs in a generic way about the right to object in the section dealing with data protection rights.

c) It informs about the content provided for in Article 14 of the RGPD, despite the fact that the Agency considers that this requirement is significantly breached in relation to the data "supplemented and enriched" by data obtained from other sources. It points out that, as it already explained in file E / 01475/2018, which CAIXABANK considers expired, it only supplemented data with databases that at that time were not subject to the LOPD, obtained from companies providing commercial information, public sources and statistical and socioeconomic data. (…) Currently, the sources and categories of data are reported in Clause 8 of the "Framework Contract", although the entity is working to update its information clauses and gain even more transparency on this point. In addition, it reports that the collection of data from third parties will be carried out verifying that the established requirements are met, which is guaranteed through the impact assessment process recently shared with the Agency. The application of that protocol guarantees that any hypothetical database acquisition involves measures to inform the data subjects concerned.

d) The statements made by the Agency about the vagueness and lack of clarity of the information are subjective and constitute a mere opinion, without foundation and without proof that establishes the lack of clarity of the terms used or that shows what clients do or do not understand, which cannot be extrapolated to the generality of data subjects nor taken as a criterion of what constitutes comprehensible information.
On the contrary, CAIXABANK carries out periodic tests with users and specialists to ensure that its registration processes are simple and transparent, from which initiatives arise that are put into production. In 2018, it commissioned an external entity specialised in linguistics to review different contractual documents in order to verify what could be understood without difficulty by an average customer profile. One of the documents analysed was the "Framework Contract", on which they raised doubts and suggested minor modifications, concluding that the text was understandable by the average client (it cites an example referring to the information on the transfer of data to third parties, in which the aforementioned company shortened the original format without changing the sense of the text). These works are suspended until the impact of this procedure can be evaluated. Another element that has not been considered is the low volume of claims (two cases).

e) On the other hand, the AEPD criticises the lack of uniformity between the different CAIXABANK documents in relation to the rights of data subjects, the possibility of lodging a claim with the Agency, the retention period and the contact details of the DPO. However, CAIXABANK understands that the duty of information is fulfilled with the "Framework Contract" and not with the rest of the documents, which are merely complementary. They are not uniform because they pursue specific purposes, and differences occur while the documents in question are being updated.

f) Regarding the lack of motivation for the six-month retention period after the termination of the contractual relationship, it states that it is a self-imposed measure to protect its customers. It considers that consent for commercial purposes could have been configured as valid until its revocation, unlike data processing based on the contractual relationship, at the end of which the provisions of Articles 17 RGPD and 32 LOPDGDD apply.
In processing based on consent, the rules of these Articles would operate upon revocation, not on the basis of the passage of time. It also points out that the WP29 Transparency Guidelines and the AEPD Guide do not indicate or recommend informing about the reasons behind a retention period. Finally, it states that the difference in period (6 months in some cases and 12 in others) is due to the fact that each client has a contract, which means that for each client there is a single retention period, while admitting that the situation is undesirable and reporting that it is in the process of unification.

g) Regarding the aggregation contract, it reports that it has been updated. It considers correct the indication on the impossibility of offering the service in case of withdrawal of consent, since in that case the object of the contract, which consists precisely in accessing data from other accounts, would be frustrated. In addition, it is the client who chooses the sources from which information is obtained, when selecting the accounts they want to add, and is informed about the categories of data obtained, which are those included in those accounts. It does not share the indication contained in the initiation agreement on the meaning given by the Agency to the collection of information that this service entails, and highlights that it is subject to regulatory rules, specifically Article 39 of Royal Decree-Law 19/2018, according to which the service provider will not use, store or access any data for purposes other than the provision of the service and in accordance with data protection rules. The use of the data for commercial purposes will only be carried out if the data subject has consented to that use, as provided in the "Framework Agreement".
CAIXABANK understands that the novelty of the service seems to have confused the Agency, when the mechanism is exactly the same as that of a current account (the data generated in the account statement are used for commercial purposes if the client authorises it). The following is indicated in the new contract model that it attaches: (…)

3. CAIXABANK requests and obtains the free, informed, specific and unequivocal consent of data subjects. Legitimate interest.

a) At present, consent is requested with full transparency, according to the procedure described above, for four purposes:

* Profiling activities: this consent and the operations carried out for this purpose are clearly reported, with the aim of being transparent about what profiling involves.
* Commercial offers: receiving advertising and commercial offers, with the option to mark the channel through which the client wants to receive offers.
* Transfer to third parties: it considers that this purpose is self-explanatory and notes that it has not carried out any transfer.
* Use of biometric data to verify identity and sign: this is a dynamic clause.

It alleges that the data processing clause referred to by the Agency, included in the version of the contract signed on 11/06/2019, corresponds to the face-to-face channel, while the template provided focused on the online channel.

b) The three consents collected for commercial purposes (profiling, sending commercial communications and data transfer) are independent and freely provided by the data subject through an affirmative act that reflects a free, specific, informed and unequivocal will.
Consent is free because the client can choose whether to give it or not, it is presented in a differentiated part and the client is given the opportunity to analyse and tick the corresponding boxes themselves, with an equally easy procedure established to withdraw it; it is specific because it is granted for well defined and delimited purposes; it is unequivocal, considering the act of deliberately checking the box by which the client consents to processing for the stated purposes; and it is informed because all sufficient information has been provided in accordance with the Guidelines on consent of the Article 29 Working Party and Recital 42 of the RGPD.

c) Regarding the information provided on consents, CAIXABANK considers that the AEPD states that customers are not aware of the fact that they give their consent, and of the extent to which they do so, without justifying this claim and without any proof, nor does it prove that any of the elements that make up the information are missing. In any case, for clarification purposes, it should be noted that there are processing operations about which the "Framework Contract" informs but which have not been carried out in practice (most notably the one related to transfers to third parties, already mentioned) and which, therefore, cannot be taken into account to find any infringement. Profiling operations include processing as a result of the clause having been drawn up in 2016, when there were no clear criteria on the interpretation of the RGPD, when the truth is that some of the processing operations correspond to legal obligations (fraud control and risk management) or are necessary for the contractual relationship (monitoring of the relationship or adoption of recovery measures). The information can be improved by explaining what "profiling" consists of, but this does not invalidate the consent.
In fact, by removing some of the information, it becomes even clearer that authorisation is only requested for profiling. It details the following example of a reduced clause: (…) There has not been a lack of information but, if anything, an excess of information; there are no hidden processing operations in disguise. It is intended, simply, to explain what "profiling" for commercial purposes is. Therefore, in relation to this clause, no additional boxes are required to collect other authorisations. The fact that some information can be improved should not entail a sanction, but perhaps a warning for the implementation of certain changes. In view of these possible improvements, CAIXABANK is in a self-evaluation process to improve its texts and clarify its purposes and legal bases, as well as to eliminate processing operations that are not carried out. It is also planning a personalised communication process to all clients in which the consents granted are recalled and their meaning explained anew through a refined and improved clause.

d) Also in relation to profiling operations, CAIXABANK refers to the bundling of consents discussed by the Agency. It indicates that it has designed its consents for the four indicated purposes, describing the different processing operations for each purpose, without seeking a block consent that covers a purpose that would surprise the customer. What the entity intends, it indicates, is to facilitate understanding and detail, in accordance with the provisions of Recital 32 of the RGPD ("Consent should cover all processing activities carried out for the same purpose or purposes"); as well as what is indicated by the Agency in point 2.4.1 of the Frequently Asked Questions (FAQs) and in the "Report on privacy policies on the Internet, adaptation to the RGPD" (page 4).
If Clause 8 (i) of the "Framework Contract" is analysed, after carrying out the refinements indicated above, it is observed that the operations indicated are nuances of the same profile.

e) CAIXABANK is the CaixaBank Group. The way in which this Group has been articulated responds to regulatory reasons, as indicated above. The entities comprising it have, since the entry into force of the RGPD, had a form of shared responsibility for the data collected and processed in the context of its activities. Thus, it would be absurd to request different consents for processing that is to be carried out jointly in the context of the Group's activities for the same purpose and with the same means, in relation to data for which all the Group entities are responsible. The opposite would entail a greater risk for data subjects, who would lose real control over their data. Given the shared responsibility, it makes no sense to request a separate consent for the "transfer of data" to other entities that, for regulatory, strategic and operational reasons, are equally responsible. There is no purpose of its own in the transfer, as all the entities are direct and joint controllers. Therefore, consent is joint and by purpose. Instead of confusing the customer with strange constructions, the customer is asked a simple question: whether or not they want the Group to process their data for commercial purposes. The data subject is free to accept it or not. This "all or none" option does not limit the client's ability to decide. It is simply a consequence of the corporate structure of the Group and its regulatory obligations.
f) In relation to the processing of data for commercial purposes based on legitimate interest, CAIXABANK clarifies the operation it has followed since the application of the RGPD in May 2018: (…) the data of those clients who have not consented to the processing of their data for commercial purposes, or who have revoked the consent previously given, are not processed on the basis of legitimate interest either. For clients prior to that date, it distinguishes between those who signed the "Framework Agreement" or the consent document, (...) and those who were asked and have not answered, who are the only customers whose data is processed on the basis of legitimate interest (until the customer signs the contract). Thus, processing based on legitimate interest is reduced to marginal cases, as a temporary situation. In addition, it prepared an impact assessment and decided not to send the "Consent Agreement" to those pre-RGPD clients who, without having signed the "Framework Contract", had already said "No".

It adds that the statements made by the AEPD are not true. On this, it points out that it has carried out an impact assessment on all processing carried out on this legal basis and, within that assessment, has made the balancing test between the legitimate interest of the entity and the rights of data subjects; secondly, it clarifies that the described policy prevents processing being carried out on the basis of legitimate interest where the data subject had refused it. It equates the revocation of consent to objection to processing for those cases in which CAIXABANK can carry out processing based on its legitimate interest (as, for example, the AEPD analyses and assesses in Report 195/2017, and as reported in clause 7 and on its website (see Fact Fifth of the Initiation Agreement)).
In the aforementioned Report on Legitimate Interest of the Minutes of the CAIXABANK Privacy Committee, of 05/15/2018, it is indicated: (…)

g) Regarding the consents for the purposes indicated in the Aggregation Contract and the Social Networks Terms, it notes that these additional documents refer to the consent, but no new consent is obtained; consent is given in the "Framework Contract". This fact has been confused by the AEPD, which understands that these contracts collect a separate consent.

4. Consent is requested for profiling for commercial purposes, and not for the adoption of automated decisions, which do not occur in this context.

According to CAIXABANK, the alleged violation of Article 22 of the RGPD is based on an erroneous assumption, as it does not adopt automated decisions for commercial purposes that produce significant legal effects on the data subjects based on the execution of automated processing. It simply builds general profiles and makes decisions based on profiles (options (i) and (ii) of the WP251 Guidelines). In this regard, it refers to the allegations already made regarding the duty of information and the validity of the consent granted, and alleges that the Agency has not even proven that CAIXABANK is effectively carrying out this processing.

5. In the alternative, CAIXABANK alleges the nullity of the Initiation Agreement due to the expiry of the previous proceedings number E / 01475/2018 and because it sanctions infringements that would be time-barred in accordance with the LOPD.

The AEPD makes use of previous proceedings started in January 2018 that were archived for expiry, and which are incorporated into new ones through a simple "chaining" that makes the actions of the AEPD perennial, contrary to what is pursued by Article 122 of the Implementing Regulation of the LOPD, approved by Royal Decree 1720/2007. These proceedings number E / 01475/2018 began in January 2018, as a result of a complaint, and were filed for expiry on February 1, 2019.
However, when the preliminary investigation proceedings numbered E / 01481/2019 were initiated, which led to the agreement to initiate this sanctioning procedure, one of the first actions was to incorporate the aforementioned expired proceedings. This action makes it clear that what is sought with this procedure is to prosecute and resolve those past facts that gave rise to the expired proceedings, which were artificially prolonged for up to two years, almost doubling the twelve-month limit indicated in the RLOPD. Furthermore, the facts analysed in the previous proceedings E / 01475/2018, if they were infringements, would have been time-barred in the terms provided in the LOPD applicable in January 2018. This would be the case for the infringements considered minor under the LOPD. This conduct constitutes a fraud of law (Article 6.4 of the Civil Code), as the AEPD shields itself behind an apparently legal action to achieve a result prohibited by law; it is contrary to Article 95.3 LPAC; and entails the nullity of the initiation agreement and of the procedure, which should be archived.

6. Also in the alternative, it requests that a penalty of warning be imposed or, should that request not be accepted, that the sanction be set within the scale provided for in sections four and five of Article 83 of the RGPD.

a) It considers the following grading criteria applicable as mitigating factors:

* The measures taken by the controller (Article 83.2.c) of the RGPD): CAIXABANK has made a significant effort over the last few years, especially since the entry into force of the RGPD, to provide its customers with relevant information, including engaging third parties to verify the adequacy of the legal texts.
This effort is evident in the implementation of the measures recommended by FACUA (it provides a copy of emails relating to the actions taken to address that entity's recommendations) and in the actions it has planned to strengthen the information, which include preparing a new version of the "Framework Contract" and sending its customers a communication reminding them of the consents granted and their meaning, as well as of the possibility of revoking or modifying them, in a clear intention to repair any errors of approach that may have occurred.

- The degree of cooperation with the supervisory authority in order to remedy the situation and mitigate possible adverse effects (article 83.2.f) of the RGPD): CAIXABANK has shown its willingness to cooperate and has implemented measures aimed at resolving possible shortcomings, as indicated in the brief of allegations itself. As an example of this willingness it cites the attention paid by the DPD to the claim made by FACUA and the information provided to the AEPD about that action.

b) The AEPD omits the above criteria and refers to a series of criteria that it merely lists, without any reasoning or justification and without specifying whether they are applied as aggravating or mitigating factors, which leaves the entity defenceless. CAIXABANK states that, given the disproportionate sanctions, it understands that those criteria are interpreted by the AEPD as aggravating factors. The entity considers that the following criteria conflict with reality:

- The nature, gravity and duration of the infringement (article 83.2.a) of the RGPD): it considers that the AEPD intends to impose a high penalty for matters that are not especially serious, bearing in mind that this is not a case in which no information at all is provided; rather, all the information is provided, although the AEPD considers that some aspect could be improved, and no special categories of data are involved.
To date, cases of a complete absence of information have been sanctioned with a warning (PS/00224/2019 or PS/00041/2019), with the highest sanction, amounting to 250,000 euros, imposed for a much more serious case (PS/00326/2018). The disproportion in this case is blatant. In addition, it points out that under both the old LOPD and the LOPDGDD, for the purposes of limitation periods, the infringement for lack of information is classified as minor. However, the sanction proposed in the initiation agreement far exceeds the previous sanctions imposed and is a radical departure from the new attitude adopted recently of seeking a collaborative solution with entities that were willing, and of resorting to the warning. On the other hand, it points out that there are only two claims and that no damage has been caused to customers, given that the personal data processing carried out is that necessary for the conduct of its activity and is carried out in accordance with the requirements of the regulations, even if some aspect could be improved. This absence of harm is highlighted by the Article 29 Working Party in its Guidelines on the application and setting of administrative fines (WP253), endorsed by the European Data Protection Board. Nor did the complainant challenge the filing of his complaint, which he could have done, and there have been no other complaints or legal actions. That is, no damage has occurred.
- Contrary to the Agency's assessment, it considers that the criterion concerning the intentional or negligent character of the infringement (article 83.2.b) of the RGPD) should be treated as a mitigating factor, in view of the entity's diligent conduct, the establishment of clear procedures regarding information and the giving of consents, the training given to employees and the cooperation shown with the Agency in adapting and refining its texts.

- If any infringement is found, CAIXABANK has not obtained any financial benefit from it (article 83.2.k) of the RGPD); on the contrary, it would entail reputational damage. It does not monetize its customers' personal data, whether by selling it for commercial purposes or for other actions. The CaixaBank Group's business volume grew in the first nine months of 2019 (+4.4%), reaching 609,012 million euros, which is due "to the commercial boost and the improvement of the relationship" with customers (as stated in the attached press release, published on 10/31/2019 under the title "CaixaBank obtains a profit of 1,266 million and reaches 6,201 million in income").

- The Agency includes among the applicable graduation criteria the high volume of data and processing operations, among which transfers to third parties stand out. However, these transfers neither occur nor have been proven in any way.

- No particularly sensitive personal data is processed, which should be considered a mitigating factor.

- The initiation agreement also states that CAIXABANK has not implemented adequate procedures for the collection and processing of personal data, and that the infringement is the consequence of a defect in the management system as designed. In this regard, the entity alleges that its systematic, layered process of providing information and requesting consents is exemplary and gives the data subject greater control.
It adds that a possible defect in the information cannot be understood as a system defect.

- On the degree of responsibility of the controller, to which the Agency refers in relation to the violation of article 6 of the RGPD, it indicates that the measures taken in recent years have been aimed at promoting transparency and compliance with data protection principles, as a reflection of the principle of accountability and of privacy by design and by default. Therefore, this criterion must be interpreted as mitigating.

In conclusion, it stresses that account must be taken of its diligent and proactive cooperation, the measures adopted to remedy possible errors in the information, the lack of intent, and the fact that the possible infringement would concern matters of information that are not especially serious; on that basis, and in line with the position taken by the AEPD, a sanction of warning would be appropriate or, failing that, a sanction within the scale provided for in paragraphs 4 and 5 of article 83 of the RGPD.

As its proposal of evidence, it indicates that it intends to rely on the documentary evidence already in the files of the preliminary proceedings E/01475/2018, E/03677/2019 and E/01481/2019, as well as the documentation provided with its brief of allegations.

TENTH: On 07/02/2020 the opening of the evidentiary period was agreed. The notice sent on that date to CAIXABANK, through its representative, was rejected, as stated in the certificate issued by the Electronic Notifications Service and Enabled Electronic Address.
By letter of 07/16/2020, notified one day later, that communication was repeated to CAIXABANK, informing the entity that the following are admitted for evidentiary purposes: the claim filed and its attached documentation; the documents and statements obtained by the Subdirectorate General for Data Inspection in relation to that claim during the information-gathering stage prior to admission for processing; the documents obtained and generated by the Inspection Services; and, likewise, the allegations to the initiation agreement submitted by CAIXABANK and the documentation accompanying them.

It was also agreed to require CAIXABANK to provide, within ten business days, the following information and/or documentation:

"A) Copy of the record of all personal data processing activities carried out under CAIXABANK's responsibility that are mentioned in the personal data collection form called "Declaration of economic activity and personal data protection policy", in its initial version, together with any addition, modification or exclusion to its content.

b) Copy of the data protection impact assessment(s) relating to any personal data processing operations carried out under CAIXABANK's responsibility, among those mentioned in the form "Declaration of economic activity and personal data protection policy", that pose a high risk to the rights and freedoms of natural persons, in its initial version and, where appropriate, with details of any modifications or updates made. Likewise, if there has been a change in the risk represented by the processing operations and if deemed necessary, the result of the review that CAIXABANK may have carried out to determine whether the processing is in accordance with the data protection impact assessment (article 35.11 of the RGPD).
c) Copy of the documents recording the assessment carried out by CAIXABANK as to whether or not the interests and fundamental rights of the data subjects prevail over CAIXABANK's interests in relation to the personal data processing operations carried out under CAIXABANK's responsibility, among those mentioned in the form "Declaration of economic activity and personal data protection policy", which are intended to satisfy legitimate interests pursued by CAIXABANK itself or by a third party."

At CAIXABANK's request, the period granted was extended by five business days. On 08/07/2020 a reply was received, to which CAIXABANK attached the following documentation:

1. Record of personal data processing activities. (…)

2. Data protection impact assessments. (…)

3. Assessment of the prevalence of the legitimate interest of CAIXABANK or third parties over the interests and fundamental rights of the data subjects. (…)

ELEVENTH: On 11/24/2020 a proposed resolution was issued in the following terms:

"1. That the Director of the Spanish Data Protection Agency sanction the entity CAIXABANK, SA, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as minor for the purposes of limitation periods in article 74.a) of the LOPDGDD, with a fine of 2,000,000 euros (two million euros).

2. That the Director of the Spanish Data Protection Agency sanction the entity CAIXABANK, SA, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for the purposes of limitation periods in article 72.1.b) of the LOPDGDD, with a fine of 4,000,000 euros (four million euros).

3. That, for lack of evidence, the non-existence of an infringement be declared in relation to the charge of a possible violation of article 22 of the RGPD.

4. That the Director of the Spanish Data Protection Agency order the entity CAIXABANK, SA, within the period to be determined, to adopt the measures necessary to bring the processing operations it carries out, the information it offers its customers and the procedure by which they must give their consent to the collection and processing of their personal data into line with the personal data protection regulations, with the scope set out in Legal Basis X" of the proposed resolution.

TWELFTH: Once the aforementioned proposed resolution had been notified to CAIXABANK, a written statement of allegations dated 12/18/2020 was received at this Agency, in which it requests the annulment of the sanctioning procedure on the grounds of (i) the flagrant defencelessness caused to the entity by the violation of its presumption of innocence, (ii) the breach of the principle of legitimate expectations, (iii) defencelessness arising from preliminary investigation proceedings conducted without any guarantee and (iv) the expiration of the sanctioning procedure. Alternatively, it requests that the proceedings be filed for absence of an infringement and, failing that, that a warning be agreed or that the sanction be imposed in its minimum degree. It bases its requests on the following considerations:

- 1. Violation of article 24.2 of the Constitution: presumption of innocence. The presumption of innocence is broken if the person investigating the file, or the person who is to decide it, lacks the ability to assess the evidence impartially, without any kind of "prejudgment", or if they have formed their view before having all the evidentiary elements before them.
In this case, the allegations to the opening of the procedure were submitted on 03/04/2020. One day earlier, on 03/03/2020, without even having received CAIXABANK's first allegations, at an ISMS Forum event held in Madrid the Director of the AEPD, the highest authority of the institution, the person competent to decide this file and the person on whom the investigating officer hierarchically depends, publicly stated that "We already have two or three high-impact sanctioning procedures, with great media impact, in relation to the financial sector; they will be the first quantitatively significant fines imposed by the Agency". Not conditionally, but as something that is necessarily going to happen. In CAIXABANK's opinion, it is difficult to find a greater display of contempt for the presumption of innocence. It adds that this is recorded in the summary of that speech published by the prestigious publication El Derecho, Francis Lefebvre. Likewise, a tweet by a person present at the event stated that "Mar España announces that two exemplary sanctions in the financial sector will shortly be made public. A bombshell" (it provides a screenshot of that tweet). In this regard, CAIXABANK states in its allegations that "one sanction we already know, that of BBVA. And, unless we are very much mistaken, the other is ours". It provides a "notarial certificate of web verification", which incorporates the information obtained through the link "Https: /elderecho.com/los-pensaron-la-aprobacion-la-entrada-vigor-del-rgpd-la- data-protection-would-decline-I'm-afraid-they-were-wrong". It corresponds to a report on the "XII Privacy Forum" held on 03/03/2020, organized by ISMS Forum and the Data Privacy Institute (DPI), and includes a section on the speech given by the Director of the AEPD containing the statements highlighted above by CAIXABANK. Under articles 24.2 and 103.1 and 3 of the CE, and article 6.1 of the ECHR, any procedure should have been guided by objectivity and impartiality.
As the ECHR (sic) has stated, "justice must not only be applied, it must also be apparent that it is administered" (cf. De Cubber v Belgium, October 26, 1984) and "not only must justice be done, it must also be seen to be done" (Delcourt judgment of January 17, 1970). In this case, however, according to CAIXABANK, before knowing the entity's allegations, the person who must decide, far from preserving any appearance of justice, had already (publicly) decided to sanction. In accordance with article 12.2 i) of the Organic Statute of the AEPD (RD 428/1993 of March 26), the Director of the Agency has the function of "Initiating, driving the investigation of and resolving sanctioning proceedings concerning controllers of private files". It is the Director of the Agency who drives the investigation and who will determine the forthcoming resolution. There has thus been a flagrant violation of the fundamental right to the presumption of innocence, which should lead to the immediate filing of this sanctioning file.

- 2. Breach of legitimate expectations. There has been a complete breach of the principle of legitimate expectations (article 3 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, LRJSP), linked to the principles of good faith and legal certainty. This principle implies that "the public authority cannot adopt measures contrary to a reasonable expectation, induced by the stability of its own previous decisions, on the basis of which individuals have taken certain decisions" (STS 173/2020). In this case, CAIXABANK points out that the AEPD's assessments refer to a documentary structure that was expressly communicated to the Agency shortly after the publication of the GDPR, specifically by email dated 08/02/2016, addressed to the Deputy Director of the AEPD, in which all the points of the "Framework Contract" were explained.
That email was headed as follows: "In accordance with what we discussed, attached is the contract that we intend to implement this autumn. To make it easier to understand, I enclose a short explanation of its purpose and content". Regarding this query, CAIXABANK states that the AEPD "replied by telephone (obviously we have no recording), making a minor suggestion (which was implemented), without any meeting taking place (that possibility was expressly declined). That framework contract is practically the same as (if anything, worse than) the one that today allegedly deserves a sanction of 6 million euros and, what is almost more serious, a threat of nullity of everything done under it". A year later, also following a conversation, CAIXABANK sent the same recipient a general presentation on its GDPR implementation and again asked for a meeting, which was again refused. On pages 11 and 12 of that presentation it again refers to the "Framework Contract", including, for example, a very clear mention of the now-reviled common repository of group companies. Four and a half years, 2 detailed emails sent, 2 meetings refused and 14 million contacts with customers later, and in complete disregard of CAIXABANK's legitimate conviction that it was acting correctly, the nullity of everything done is now sought. CAIXABANK says: "We do not claim here that everything we have done is fine, but could we have had a 'reasonable induced expectation' that our way of proceeding was in accordance with the law? It seems difficult to say no." This clear breach of legitimate expectations should lead to the filing of the file or, at least, to reconsidering the decision to declare the consents obtained null. It provides a copy of the emails referred to in this allegation, sent by the signatory of the allegations to the proposed resolution to the Deputy Director of the AEPD, and the latter's replies.

- 3. Violation of article 24 of the CE: defencelessness caused to CAIXABANK by the artificial and unlawful extension of the preliminary proceedings, which also ignored their expiration.

a) The preliminary proceedings were not such: they were a sanctioning procedure without guarantees. CAIXABANK considers that the preliminary investigation proceedings supplanted the investigative phase, since they were used as a true sanctioning procedure (without guarantees), which amounts to a possible misuse of power in the use of the investigative mechanisms and causes defencelessness. Given the purpose intended by the initiation of preliminary investigation proceedings, CAIXABANK understands that the Administration is obliged to initiate the sanctioning procedure as soon as it is certain of the commission of the facts and the identity of the person responsible, even if this is not fully proven (STS of 06/09/2006). It cites the STS of 12/26/2007 to state that preliminary proceedings only deserve such consideration to the extent that they "serve the purpose that justifies them, namely gathering the data and initial indications needed to judge whether it is appropriate to open the sanctioning file, and are not distorted by being transformed into a surreptitious alternative to the latter." And the STS of 06/09/2006, which highlighted the need to safeguard the constitutional guarantees of the citizen in cases like the present one: "As follows from this rule, prior inquiries are not mandatory, this Chamber having declared in a judgment of November 6, 2000 that 'if sufficient data is available to initiate the file, the reserved inquiry should not be carried out, because it is unnecessary and because the fundamental rights of defence under art. 24.2 of the CE require that the granting of the status of accused or defendant not be delayed, thus avoiding the risk of the delay being used to carry out questioning in which the person questioned would be in a disadvantageous position'."

Well, the AEPD opened a first set of preliminary proceedings, which expired, then a second set, and later initiated sanctioning proceedings. The AEPD has taken 3 years to prepare a sanction that had already been decided, with the formal support of preliminary proceedings (a first set that expired, which led to the opening of a second), without respecting any essential guarantee of the sanctioning procedure, such as notifying the charge, giving notice of the right not to testify against oneself, and a long list of others, causing defencelessness in addition to the expiration of the file. Thus, the proposed resolution rests practically entirely on incriminating elements gathered during the preliminary proceedings phase. The only incriminating elements contributed to the procedure during the investigation phase (impact assessments, record of processing activities and prevalence assessment) have hardly been considered afterwards, or concern circumstances whose request was superfluous because the AEPD already held them. In this case, CAIXABANK points out that, although the preliminary investigation proceedings met the requirements of competence and procedure enabling their adoption, they did not adhere to the purpose they must serve under the legislator's design. Given that the Proposed Resolution rests de facto, solely and exclusively, on the elements of conviction and evidence gathered during the preliminary proceedings phase, the impossibility of using those elements means that the Proposal lacks the elements necessary to rebut the presumption of innocence.
b) In addition, it entailed the incorporation into the sanctioning file of steps taken in a first set of preliminary proceedings that had expired. Article 95 of Law 39/2015, which expressly allows "the acts and formalities whose content would have remained the same had the expiration not occurred" to be incorporated into an administrative file, can hardly be applied to a sanctioning procedure. In a sanctioning procedure, expiration becomes a guarantee for the accused, who cannot in any way be harmed by the Administration's inaction. In addition, the use of preliminary proceedings without any time limit, beyond the limitation period itself, is not acceptable, yet that is the effect that would occur if expired proceedings were allowed to be incorporated into a sanctioning file. Regarding the en bloc transfer of the expired file, it refers to what was declared in the STS of 02/24/2004: "We know that the declaration of expiration does not prevent the opening of a new sanctioning procedure insofar as the hypothetical infringement that gave rise to the initiation of the expired procedure has not become time-barred ... And this implies: ... That it is not acceptable, on the other hand, for the steps of the first procedure to take effect in the new one, that is, those arising and documented in it as a result of its initiation in order to verify the reality of what occurred, the person or persons responsible, the charge or charges attributable, or the content, scope or effects of liability, since otherwise the legal mandate to file the proceedings of the expired procedure would not be complied with". Nor is it possible, according to CAIXABANK, to transfer the file en bloc from one procedure to another, because between the two, given their different nature, there are widely divergent principles that prevent everything done in the preliminary proceedings from passing wholesale into the sanctioning file, particularly where those preliminary proceedings were really nothing more than the investigation of the sanctioning file.
Those pseudo-preliminary proceedings, in reality the true investigation of the sanctioning procedure, should never have received "the steps arising and documented in it as a result of its initiation to verify the reality of what occurred, the person or persons responsible, the charge or charges attributable, or the content, scope or effects of liability", something that, as has been proven, was indeed transferred across that very hard-to-justify bridge.

c) Additionally, this implies the expiration of the sanctioning file. CAIXABANK considers that the preliminary proceedings constituted an artificial and covert way of carrying out investigative steps proper to the sanctioning procedure (it cites the STS of 05.13.2019 (RC 2415/2016) and of 6.05.2015 (RC 3438/2012): "... this Chamber has declared that the period prior to the initiation agreement << ... must necessarily be brief and must not cover up an artificial way of carrying out acts of investigation, masking and reducing the duration of the subsequent file itself >> (judgment of May 6, 2015, Appeal 3438/2012, FJ 2º)". On this basis, the entity understands that the time used to carry out those proceedings must be included in the calculation of the procedure's expiration period. The dies a quo of that period coincides with the start of the preliminary investigation proceedings. That being so, the expiration period would have elapsed by a wide margin, without the AEPD, moreover, having proceeded to declare the expiration and "re-open" a new sanctioning procedure. Finally, it adds that, once the file has expired, the infringement is time-barred.

- 4. CAIXABANK has informed the data subjects in the terms provided in articles 13 and 14 of the RGPD, and they have understood it.
Before going into the merits, CAIXABANK clarifies that it does not maintain that its information was perfect or that there were no errors. In fact, thanks in part to several years' experience and in part to some of the statements made in the various documents issued by the AEPD throughout the file, it has carried out an exercise to improve its various documents. However, it understands that this does not mean that there has been any non-compliance: objectively, all the information required by articles 13 and 14 RGPD was present, and customers understood the information that was being provided to them.

a) All the information required by articles 13 and 14 of the RGPD was provided. 39. The data protection information provided to customers through the "Framework Contract" complies with article 13 of the RGPD. It informs them of the identity of the controller, the contact details of the data protection officer, the purposes of the processing and its legal basis (Clauses 7 and 8), processing based on legitimate interest (Clause 7.3.5), recipients or categories of recipients of personal data (Clauses 7 and 8), the retention period (Clause 11.3), their rights (Clause 9, as well as 7.3.5 regarding objection to processing based on legitimate interest), the right to withdraw consent (Clause 8), the right to lodge a complaint with a supervisory authority (Clause 9, which includes a link to the Agency's website), and communications of personal data that are a legal or contractual requirement (Clauses 7 and 8). It also includes a link to the "Privacy Policy" (Clause 7.3.6). No automated decisions are made, so article 13.2.f) of the RGPD does not apply. Likewise, CAIXABANK in any event provides the information required by art. 14 of the GDPR on the categories of personal data and their source (art. 14 d) and f)).
Specifically, in Clause 8 of the "Framework Contract", when informing of the possibility of enriching and complementing the signatory's data with "data obtained from public sources, as well as statistical and socioeconomic data (hereinafter, "Additional Information"), always verifying that they meet the requirements established in the current data protection regulations".

b) Although not mandatory, the categories of data are reported extensively. Although article 13 of the RGPD and the corresponding article 11 of the LOPDGDD do not make it mandatory to give data subjects this information, CAIXABANK offers a sufficiently descriptive list of the types of data processed on the basis of consent, in accordance with Guidelines 05/2020 on consent under Regulation 2016/679 of the European Data Protection Board ("CEPD"). What the Agency cannot do is impose obligations that the applicable regulations do not establish. If a detailed list were given of every specific item of personal data that may be processed in this context, it would no longer be reporting on categories of data processed but on specific data, which would entail an information fatigue that is hard to overcome and that has been sanctioned in the past (PS/00082/2017). Likewise, it argues that the information provided on the processing of data from account movements, bills, payroll, claims and complaints is adequate, considering that these are the customer's own products and operations, and the customer knows the information they contain. It adds that this information does not include sensitive data and warns in this regard that the AEPD cannot, on the basis of a suspicion, demand that it report something that is not done. Even so, the new "Privacy Policy", when defining the category of data observed from the operation of the contracted products, expressly states that no data of this nature is processed.
The Agency intends to apply to CAIXABANK information standards that the regulations do not provide for when it claims that the failure to report the categories of personal data processed on the basis of legitimate interest (which is not mandatory under the RGPD, nor is it mentioned by the CEPD in its guidelines) invalidates subsequent consents that may be requested for commercial purposes. It is true, as indicated, that the information provided could be improved in terms of its presentation, but in no case was it incomplete, so the very serious level of reproach made in the Proposed Resolution is clearly disproportionate. In addition, the new Privacy Policy improves the presentation of the information, detailing in a specific section the specific categories of data and their breakdown, and subsequently referring to each of them in relation to the purpose in question.

c) The investigating officer has in no way proven that customers did not understand the information. The Agency does not prove that the wording is unclear, beyond the investigating officer's very summary statement that the lack of clarity is "evident and objective". It is understandable that, if the person who is to issue the resolution, and who is the authority responsible for driving the investigation (the Director of the AEPD), publicly indicated a year beforehand that the resolution would be a sanction (we refer to the first allegation), the investigating officer considers the evidentiary effort unnecessary. But obviously that understanding amounts to one (more) violation of the presumption of innocence. As indicated in the Transparency Guidelines transcribed in the resolution, the requirement that the information be "intelligible" means that "it must be understandable by the average member of the intended audience", and it does not appear from the file that the investigating officer has done any checking with average members of the intended audience.
d) This party provides evidence that customers fully understood (and understand): surveys. Assuming a reversal of the burden of proof that clearly infringes on its fundamental rights, it has carried out a survey and a user test through an expert and independent company (it provides a copy of this external company's reports). (…)

e) This party provides evidence that customers fully understood (and understand): reports from linguists. It has submitted the consent clauses to analysis by a company specialized in linguistics and communication consultancy, including legal information, the work having been directed by a Professor of the Spanish Language (...), an expert and communication advisor. It can be seen in the reports provided (a copy is attached) that two different clauses of the "Framework Contract" were analyzed, and that with respect to the data processing clause the recommendations are minimal and fewer than those made regarding the other clause submitted for analysis, which does not concern us in this procedure. In conclusion, it is verified that an expert analysis considered that the text of the "Framework Contract" relating to information on data protection was understandable by CaixaBank's average customer, as opposed to the mere non-expert opinion of the AEPD, so that continuing to call such information "unclear" would be nothing short of reckless. In addition, CAIXABANK highlights that it has not received any claim for lack of information, except for the two that serve as the basis of this resolution (among millions of clients), which moreover do not state that they do not understand the texts presented to them. The foregoing should suffice for the accusation to be rejected. However, succinct comments are made on each of the specific defects alleged.

f) It is not true that non-uniform information is offered to customers. The information on data protection used in the various documents provided to customers has not always been completely uniform, due solely to the process of updating those documents, this being in any case something temporary and a consequence of the time an entity such as CAIXABANK requires for such updates. In this regard, a copy of a "Framework Contract" dated 06/08/2018 is attached, as proof that this document was adapted to the RGPD and that the one included in Annex I as the November 2018 version was actually implemented in June 2018. Finally, CAIXABANK points out that the resolution seems to assume that all customers access all documents and, uniquely, that all clients have both the consent contract and the framework contract, and both in all their different versions, in a kind of documentary bombardment that produces confusion, which is simply false. The vast majority of clients (more than 95%) have signed the "Framework Contract", in the version current at the time, and only a residual percentage has the "Consent Contract", without this implying any loss of information or confusion. Obviously the privacy policy is common to everyone, but there is no discrepancy between it and the other documents. In any case, in the improvement process indicated, a complete harmonization of all the documents has been carried out, as set forth in the Sixth Allegation and the documents provided.

g) It is not true that imprecise terminology is used, with vague formulations, lack of specification of the categories of personal data processed, lack of information on the purposes, and confusion of legal bases. As for these three accusations, it is enough to point out what is evidenced by the surveys provided, which CAIXABANK considers sufficient to refute the assertions of the Proposed Resolution.
It reiterates its surprise at the fact that the instructor considers insufficiently descriptive the data categories under which the references to movements, receipts, payroll or claims are dealt with. On this question, CAIXABANK asks whether the intention is that the microdata obtained from each category of document be listed, which would imply an information fatigue that is difficult to overcome.

h) There is no undue transfer of data between group companies: there is joint responsibility. Both at the regulatory level (an area that the AEPD does not question) and at the commercial level, there is a transparent co-responsibility regime for data subjects. Without prejudice to the improvement in transparency that has been carried out in the new Privacy Policy, it considers it essential to point out three elements that the AEPD seems to confuse and that lead to the erroneous conclusion that the alleged transfers within the Group are unlawful:

i. The Agency interprets that there is a transfer of data between the companies of the CaixaBank Group from data controller to data controller. This is wrong. Legally, no data transfer occurs, but rather a direct collection of data by the companies within the scope of co-responsibility.

ii. The AEPD separates out the non-existent transfer of data as a new and artificial purpose. In no case is access by the CaixaBank Group companies constituted as a purpose in itself. The "assignees" (actually joint controllers) do not access the data arbitrarily, but for the true purposes of which the data subjects are informed (these are, for regulatory purposes, "commercial purposes" and, when necessary for the performance of the contract, as the case may be).

iii. Co-responsibility does not arise from "intended purposes" but from the joint participation of the CaixaBank Group entities (led by CaixaBank) in determining the purposes and means of the processing.

The AEPD does not deny the existence of co-responsibility, although it claims that it does not apply (especially in relation to "commercial" processing) insofar as the attribution of responsibilities among the different companies is not detailed. However, the AEPD errs again by forgetting that the place where these responsibilities should be attributed is not the Privacy Policy or the Framework Contract, but the joint controllership agreement, in the terms provided for in CEPD Guidelines 7/2020 (it attaches a copy of a co-responsibility agreement, which includes an annex for each of the "processing operations subject to co-responsibility and co-responsible parties"; these annexes detail the processing operations, their purpose and legitimizing basis, in addition to the details of the "co-responsible" companies. No annex appears signed by these entities). In conclusion, neither do data transfers occur in the terms provided for in the RGPD, nor does co-responsibility require a separate consent (within the framework of "commercial purposes"), insofar as it is a factual situation (it is not something to be agreed to, nor does it require a legal basis under Article 6 RGPD). In addition, regarding the impact assessment that the AEPD alleges in Foundation VI that CaixaBank did not provide (…).

i) There is no deficient information on legitimate interest. Contrary to what is maintained by the AEPD, there is no confusion between processing based on legitimate interest and processing based on consent, nor do they coincide. The situation cannot arise in which processing to which "no" has been said under the legal basis of consent can be carried out on the basis of legitimate interest, a circumstance that the AEPD has not attempted to show.
In any case, the new Privacy Policy has eliminated the processing based on legitimate interest for commercial purposes which, as indicated in the response to the Initiation Agreement, is processing that is not carried out, nor has it ever been carried out. On the other hand, the new Privacy Policy reconfigures the differences, already analyzed in the Allegations to the Initiation Agreement, between the processing based on legitimate interest and that based on consent. In section VI of the Proposed Resolution, the AEPD concludes that "it is not possible to determine the suitability (…), necessity (…) and proportionality…" of the processing based on legitimate interest and that the intrusion on the privacy of the data subject may be high, with effects that may have a negative impact on them. However, it does not provide any proof that the legitimate interest is not present, or is invalid or insufficient. Regarding additional measures or recommendations to reinforce the legitimate interest, CAIXABANK states that their absence does not invalidate the legitimate interest. Neither the RGPD nor the LOPDGDD provide for making impact assessments or the balancing of legitimate interest available to the data subject, or for reinforced opposition mechanisms.

j) There is no lack of information on profiling. The AEPD argues that complete information is not offered on the types of profiles, their use and the data subject's right to object. However, in the "Framework Contract" the first of the purposes for which consent is requested is described as "data analysis and study processing for commercial purposes by CaixaBank and the Companies of the CaixaBank Group", and in the detail of this heading the concept is extended to the expression "analysis, study and monitoring for the offer and design of products adjusted to their customer profile". Next, in the clause that supports the collection of consent, the processing operations that include this purpose are listed, where information is provided on the creation of profiles: "A) Proactively carry out risk analysis and apply statistical and customer segmentation techniques to their data with a triple purpose: 1) Study products or services that can be adjusted to your profile and specific commercial or credit situation, all in order to make commercial offers tailored to your needs and preferences." This information clearly spells out the purpose and, as demonstrated by the surveys provided, it is clearly understood by customers. It adds that in this same clause the error was made (corrected in the new Privacy Policy) of listing processing operations that had nothing to do with consent for profiling. And it lists those specific processing operations that, in its opinion, can be covered by other legal bases (the list of the processing operations to which this allegation refers is outlined in Legal Foundation VII, in the section that examines the processing of data based on the consent of the data subjects). It considers this error, which has been acknowledged and corrected, to be reprehensible, but it does not breach the principle of specificity of consent. Consent is only required to study products or services that can be adjusted to the profile and specific commercial or credit situation of customers, in order to make commercial offers tailored to their needs and preferences; the rest of the clause is unfortunately superfluous, but it does not have the consequence that different purposes are authorized en bloc. Finally, CAIXABANK has clarified and specified in the new Privacy Policy the processing operations that involve profiling, to prevent the concept from being misinterpreted by a "common customer".

k) There is no lack of information on retention periods and the exercise of rights.
CAIXABANK refers to what is indicated in its allegations to the initiation agreement and adds that these aspects have been clarified and improved in the new Privacy Policy and in the new Framework Contract. Regarding the retention of personal data once the contractual relationship has ended, it notes that this was not actually applied and that in the new policy the mention disappears, with the data being cancelled ex officio.

- 5. There is a legal basis for the processing operations and the consents are obtained lawfully.

a) The consents meet all legally established requirements. As detailed in the allegations to the initiation agreement, the consents comply with all the requirements established by the RGPD as interpreted by the CEPD, without the Agency having proven that they have not been obtained lawfully. On the contrary, the content of the file itself shows that the consents obtained are free, specific, unequivocal and sufficiently informed.

- The consents are free, since the client, at all times, has absolute freedom to grant them or not, without associated negative consequences, power imbalances, conditionalities or bundling of purposes. There is no combination of different purposes under the same consent that limits the freedom of choice of the data subject. Thus, three consents are requested and no commercial processing is carried out on the basis of a consent additional to these.

- The consents are specific, since, in line with the granularity requirement, the only activities carried out under consent are separated and broken down; in other words, the intended purposes are asked for specifically and separately (the profiling of data to offer customers products that may be of interest to them; the choice of the communication channel for the offers; and the possibility of transferring the data to third parties). The AEPD interprets that there is a dissociation between the stated purposes and those on which the data subject pronounces. In response, CAIXABANK reiterates that a large part of the processing operations indicated in the version of the documentation under review are either not carried out, or are covered by another legal basis, or are simpler and more limited than the AEPD understands. As can be seen in the new Privacy Policy, the consent to profiling activities has been reduced to what is actually done under this consent, and the rest of the activities that are carried out have been disclosed under their respective and correct headings (processing in performance of a contractual relationship, or under a legal obligation). In addition, it must be remembered that the Article 29 Working Party, in its document "Guidelines on consent under Regulation 2016/679", establishes that consent can cover different operations as long as these operations have the same purpose. In the case of CaixaBank, there are only three purposes, and they are asked about separately and specifically, without any deviation of use. Having made the mistake of including among the examples some processing operations that should have been included under other processing based on the performance of contracts or compliance with laws, such as, for example, the recovery actions inherent to credit contracts, does not undermine the specificity of the consent requested.

- The consents are unequivocal, since the data subject must perform an affirmative act for their consent to be understood as granted. Consent is not based on acceptance of a policy or on mere inaction; rather, an unequivocal positive or negative statement is obtained from the client, corroborated in two steps (choice by ticking the box, and signature).

- The consents are informed, and the reproaches regarding the validity of the information provided are refuted by the arguments and evidence provided in the fourth allegation.
The client receives all the legally required information, and it has been proven empirically that they understand it. The AEPD indicates that in the "Tablet Mode. Client" there is no link to the Data Protection information. In this regard, it only has to be clarified, again and as was verified in person at the inspection, that after giving (or not giving) consents, the client immediately accesses the complete text of the contract. Before signing, the client is presented with the full text of the contract so that they can read and review it, so that they can choose not to ratify their choice and technically "go back". The consent scheme is also presented to the client at various moments.

Finally, it points out that the AEPD omits the analysis of the consent collection process in the non-face-to-face channel (online banking) that it reviewed in its in-person inspection dated November 28, 2019, in which it was demonstrated that the client must necessarily access the information before giving consent, as already reiterated in the allegations to the opening of the procedure.

b) It reiterates that there is no commercial processing based on legitimate interest, having reduced these processing operations in the new policy to internal management operations with a very low impact on data subjects.

c) It reiterates that there is no unlawful transfer of data to group companies, but rather processing in co-responsibility.

d) The social media contract was absolutely residual, and the aggregation contract was perfectly lawful. The Social Media Contract was a "pilot" project that was deployed with respect to a very small number of clients, which was unsuccessful and cancelled, although the AEPD continues to rule on this question without taking those circumstances into account for the purposes of the sanction imposed. Regarding the Aggregation Contract, the AEPD forgets that its signature is complementary to the "Framework Contract", so that the consents for the "commercial purposes" within the framework of co-responsibility have been (where appropriate) duly obtained, with the nuances specific to this type of contract (see the allegations to the initiation agreement). It is not true that this service is used for the collection of information, as indicated by the AEPD, inasmuch as this service is provided for in the payment regulations and serves to prevent the entity from being displaced by new actors. In any case, there is a new version of this latter contract (it provides a copy) that clarifies any doubts that clients and the AEPD may have and which, moreover, like the rest of the contracts, is being revised to adapt it to the new design detailed in the Sixth Allegation.

- 6. On the measures proposed in Legal Foundation X of the proposed resolution, and the remediation already carried out by CAIXABANK.

Inadmissibility of cessation measures. The references to the cessation of processing made in the proposed resolution are totally disproportionate for the present case, in which the only conduct reproached is the drafting of the informative texts through which it informs its clients of its processing operations. The fair, proportionate and adequate measure would be to urge the remedy of those information deficits. It should be taken into account that the AEPD has taken three years to process the present proceedings and, during this process, has not considered the facts serious enough to contact the company to urge a remediation of the processing or of the information, to which it should be added that the documentation was sent a year and a half before.
Likewise, it must be taken into account that the interruption of processing or the collection of new consents would imply an irreparable impact, both on the Entity and on the clients, even more pronounced in the current global health situation, which forces a restriction of movements, including the visits that clients make to the offices to carry out formalities.

Privacy information enhancements. By contrast, the publication of a new privacy policy, its communication to all clients and the renewal of all consent collection processes, which are already being implemented, as well as the personalized communication of all changes to all the clients of the entity, reminding them of the consents granted in their day, explaining them according to the new drafting standards adopted and reminding customers of the possibility of revoking them, are sufficiently remedial to consider that CAIXABANK would have remedied any deficit identified by the AEPD. These measures, which were intended to be implemented to coincide with the second anniversary of the RGPD, and which have been delayed due to the impact of this procedure and the current health situation, are based on the following components (a copy of the documents and screenshots cited is attached):

- New structure of the documents through which customers are informed
- Privacy Policy (version 12/2020)
- Framework Contract (version 12/2020)
- New screens of the consent collection processes on tablet and remote banking
- Mass communication to clients informing them of the changes

a) New structure of the documents through which customers are informed. The "Framework Contract", which contains the general regulation of the client's relations with the entity, and which seemed the best option to also inform about data processing, will be replaced by a new Privacy Policy, as a document dedicated to informing clients on this matter, given the dimension of the information that, under the current interpretation, it is estimated should be provided. To facilitate permanent customer access to it, it will be permanently hosted on the company's website (www.caixabank.com/politicaprivacidad). The "Framework Contract", which will continue to be the first contract signed by a client when interacting with the Entity, will be used to collect customer consents, but will only contain detailed information referring to the consents and the basic mentions established by Article 11 of the LOPDGDD, referring the client for more information to the second layer, the Privacy Policy. Product contracts, and other forms, will also contain only the basic mentions established by Article 11 of the LOPDGDD. Total uniformity in the information is intended, as well as much deeper detail of it.

b) Privacy Policy (version 12/2020). The Privacy Policy is already in force and published on the web, where it can be consulted and downloaded in pdf format. In its brief of allegations, it outlines the structure of this document, which consists of 11 sections.

c) Co-responsibility agreement. Together with the Policy, a co-responsibility agreement has been drawn up for the processing of data between Group companies. This agreement defines the purposes and means of the processing operations, as well as the basic rules to be observed by all the companies that take part in these processing operations in co-responsibility. Information about it also appears in the policy, with more detail at the web address indicated in it, www.caixabank.es/empresasgrupo.

d) New Framework Contract (version 12/2020). The new Framework Contract is finalized, in the process of layout and being put into production in the entity's information systems. The final implementation date is set for the January 2021 systems update (IOP). The new Framework Contract has been completely redesigned and has been drafted in a new format following the recommendations of a linguistics company, to give it clear and transparent wording for users. The text has been accompanied by examples and warning notices intended to reinforce the information offered to customers. All the information has been unified in a single clause, which offers basic information on data protection (the data controller, and the possibility of processing in co-responsibility; the Data Protection Officer; the possibility of exercising the rights recognized in the RGPD and of filing claims with the AEPD; the categories of data that are processed and the data processing operations), redirecting to the detailed information in the Privacy Policy published on the web, as established in Article 11 of the LOPDGDD. The same terminology is used in both documents. Although it is a document understood as a first layer, it continues to be the support for obtaining consents. To ensure that this consent is informed, renewed and detailed information is given about the consents, maintaining the same wording as the Privacy Policy. In its brief of allegations, it outlines the new structure of this document, which dedicates section 4 to the processing of personal data.

e) New screens of the consent collection processes on tablet for offices and remote banking (web and mobile).
This update, which will be in production in January 2021, improves the information and usability, providing examples and ensuring that the authorization process always remains in the hands of the client (shared tablet screens). Access to the information is mandatory, and consent is given through a clear affirmative action, separately for each of the purposes. New consents have been incorporated, although this is not a remediation: they are new processing operations that require consent.

f) Mass communication to clients informing them of the changes. To publicize all the above modifications, a communication has been prepared that will be sent to the entire customer base, informing them about the new Privacy Policy and reminding them of the consents granted (including the new wording), the processing of their data in co-responsibility by the companies of the CaixaBank Group, the right to object to the processing and the other rights provided for in the RGPD. With this communication, any information deficit that could be perceived regarding all the data processing carried out by CAIXABANK, and any deficit of understanding that may have occurred, is remedied. It insists that these improvements are the result of 4 years of experience, its own and that of others, but they do not mean that the information currently provided violates any rule.

- 7. On the necessary proportionality of sanctions and their graduation. Disproportionate sanction imposed.

a) In a subsidiary manner, it considers that the following mitigating factors apply:

- Any measure taken by the controller or processor to mitigate the damage suffered by data subjects (Art. 83.2.c) RGPD): In addition to what is indicated in the Allegations to the Initiation Agreement [see section 6.1.a)], which continues to be fully applicable and which the AEPD simply disregards, indicating that they lack "sufficient relevance", CAIXABANK has proceeded to further clarify the information provided to its clients and the procedure by which consent is requested, to such an extent that the imposition of the corrective measures proposed by the AEPD (Legal Foundation X and fourth point of the Proposed Resolution) is no longer warranted. The potential infringement related to the alleged information deficit has been entirely regularized (if any such regularization was necessary) and any adverse effects suppressed.

- The degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate its possible adverse effects (Art. 83.2.f) RGPD): as already indicated in the Allegations to the Initiation Agreement [see section 6.1.b)], and highlighted by the actions carried out by CaixaBank throughout the procedure (within and outside its framework), CaixaBank has only cooperated and walked hand in hand with the AEPD to achieve greater clarity and protection of data subjects. If there has actually been some lack of collaboration, it has been reciprocal, given the absolute reluctance of the AEPD to meet with this entity.

b) Unprecedented disproportion of the sanction imposed. The AEPD recognizes that this is not a case of absence of information and qualifies the offense as minor (therefore, its assessment should be limited to the conduct of CAIXABANK in the year prior to the Initiation Agreement, for obvious reasons of limitation periods). Likewise, there are no data transfers outside the framework of the joint responsibility, factual and now formal, existing in the CaixaBank Group (without the free will of the data subjects having been diminished in any case). However, it imposes on CAIXABANK an unprecedented penalty, 8 times higher than the highest fine imposed under the GDPR (if we do not take into account "the other" exemplary sanction in the financial sector, recently made known), and 3 times higher than the maximum foreseen under the previous regime for the most serious infringements, ignoring and simply denying the application of the mitigating factors that CAIXABANK detailed in the Allegations to the Initiation Agreement and which are hereby reiterated; specifically, the application of those provided for in Articles 83.2.a), b) and k) RGPD, as well as those listed in sections c), d), e) and f) of the Sixth Allegation of the Allegations to the Initiation Agreement.

c) Possibility of a warning. Finally, with regard to the warning, the AEPD seems to want to imply that the warning is addressed only to natural persons, when it itself (see by way of example PS/00072/2019 or PS/00096/2019) has resorted to this proportionate measure in the past with legal persons.

d) Conclusion. In conclusion, taking into account the new information that CAIXABANK customers are going to receive and the proactive and exemplary attitude of CAIXABANK, this entity understands that the measures set out in Legal Foundation X of the proposed resolution should be left without effect, even before the final resolution, as all conduct has been remedied, or is in the process of remediation due to technological constraints, and that the proportionate measure that the AEPD, where appropriate and in a subsidiary way, should apply is the warning. Furthermore, and taking into account the patent applicability of mitigating criteria, this party understands that the amount of the penalty that, if applicable, is imposed should be calculated by applying, within the scale provided for in the fourth and fifth paragraphs of Article 83 RGPD, its minimum degree.
Finally, considering that strategic and sensitive data for the entity is provided, it requests that the information provided be kept confidential and not communicated to any third party.

From the actions carried out in this procedure and the documentation in the file, the following have been accredited:

PROVEN FACTS

FIRST: On 01/24/2018, a claim was filed with this Agency by the claimant against CAIXABANK, in relation to the new conditions regarding the protection of personal data whose acceptance that entity requires, questioning the transfer of their personal data to all the companies of the CaixaBank Group and the procedure provided to cancel said transfer, which, according to the claimant, requires sending a letter to each of the companies. They requested that CAIXABANK be urged to modify the conditions mentioned. The claimant provided a copy of the aforementioned conditions, which appear under the headings "Authorizations for data processing" and "Exercise of the right of access, cancellation and opposition. Claims before the Data Protection Authority". In relation to this claim, CAIXABANK informed this Agency that the informative clauses to which the complaint refers were implemented on the occasion of the contractual changes arranged for adaptation to Regulation (EU) 2016/679.

SECOND: On 03/29/2019, a claim was filed with this Agency by the entity Association of Consumers and Users in Action - FACUA against CAIXABANK, in relation to the "Framework Contract" signed by the clients of this entity, through which their personal data are collected, the information on this matter is offered to them and consents are collected for the specified data processing. FACUA complains that the content of this contract cannot be negotiated by the data subject, who must consent to the processing of their personal data and the transfer of the same to third-party companies with which they may not have a relationship (authorizations provided for in clause 8 and transfers mentioned in clause 10 of said contract). FACUA provided a copy of a "Framework Contract" dated 10/24/2017.

THIRD: The entity CAIXABANK has declared to this Agency that it began its adaptation to the RGPD in 2016 and that this adaptation was carried out mainly through the implementation in June 2016 of the personal data collection form called "Framework Contract", used by CAIXABANK as a priority to comply with the transparency requirements regarding the protection of personal data and so that clients can give their consent to the processing of their personal data at "Group" level, for the purposes indicated in the aforementioned document. The "Framework Contract" is presented as a mandatory subscription for new clients, establishing that signing the document implies that the signatory "knows, understands and accepts its content". It is expressly provided that the general terms and conditions apply to all "commercial relationships" of the data subject "with CaixaBank and the companies of the CaixaBank Group, and therefore, the subscription and validity of this Contract, respecting the corresponding rights of choice that the clause grants the Signatory, is necessary for the contracting and maintenance of product or service contracts". CAIXABANK has stated that in the case of existing clients a notice was included in the client file indicating to the manager that the "Framework Contract" had not been formalized. In its response to the Inspection Services dated 11/20/2019, CAIXABANK stated that the "Framework Contract" informs about all the processing operations derived from the contractual relationship.
CAIXABANK has contributed six versions of the "Framework Contract" to the proceedings, dated 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019. The first three versions refer to the LOPD and do not address specific issues regulated in the RGPD, such as the legal basis of the processing (legal obligation, legitimate interest or consent); the rights of erasure, restriction and portability; the right to lodge a complaint with the Spanish Data Protection Agency; or the existence of a data protection officer and the means enabled to contact them. The 3rd version constituted the information offered by CAIXABANK on 05/25/2018.

In its response to the Inspection Services dated 11/20/2019, CAIXABANK provided a copy of the "Framework Contract corresponding to a client", which appears signed on 11/06/2019. It is verified that its content does not coincide in its entirety with any of the six versions of the "Framework Contract" provided by the entity itself (version 7).

Section 1 of the "Framework Contract" collects the identification data of the client and their declaration of economic activity. Among other data, there are those related to name, surname, tax identifier, date of birth, nationality, address, marital status, matrimonial regime, contact information, fixed and variable income, entity in which they provide services, or gross annual income.
The information provided to the data subject in this document in relation to the protection of personal data is structured according to the legal basis that legitimizes the processing of the data, dedicating section 7 to processing "based on the execution of contracts, legal obligations and legitimate interest and privacy policy" (it includes a subsection regarding the "processing of biometric data in the electronic signature of documents"), and section 8 to the "processing and transfer of data for commercial purposes by CaixaBank and the CaixaBank group companies based on consent". Sections 9 "Exercise of rights regarding data protection" and 10 "Data Protection Officer" are added, as well as a subsection dedicated to the "Data retention period", inserted in section 11, which refers to the duration, termination and modification of the contract.

During the contracting process, the client must express the consents for the processing of personal data that are requested from the data subject in clause 8, and the options selected by the client are incorporated in the header of the document, in the section on personal and socioeconomic data. The consents requested from the client are grouped into the following three purposes: "(i) data analysis and study processing for commercial purposes by CaixaBank and companies of the CaixaBank group (ii) the processing for the commercial offer of products and services by CaixaBank and the companies of the CaixaBank group (iii) the transfer of data to third parties".
In relation to these three consents, clause 8 indicates: "In order to make available to you a global offer of products and services, your authorization for (i) the data analysis and study processing, and (ii) the commercial offer of products and services, if granted, will include CaixaBank and the companies of the CaixaBank group detailed at www.CaixaBank.es/empresasgrupo (the "CaixaBank Group companies"), who may share and use them for the stated purposes".

The copy of the "Framework Contract" provided by CAIXABANK with its response to the Inspection Services dated 11/20/2019 (version 7), which appears dated 11/06/2019, contemplates the provision by the client of a fourth consent referring to the processing of biometric data. In the heading of the document provided, under the heading "Authorizations for data processing", it is indicated: "Other purposes: Use of biometric data for the purpose of identity verification and signature. You have expressed your acceptance and consent".

The entire content of the "Framework Contract", in its versions dated 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019, as well as the content of the "Framework Agreement" dated 11/06/2019 (version 7), is declared reproduced in this act. The content of version 4, dated by CAIXABANK on 11/12/2018, as well as the modifications made later, is included as Annex I.

FOURTH: The formalization of the form for collecting personal data and providing consent to the processing of personal data, called "Framework Agreement", takes place during the client registration process, which can be done in person at offices or through digital channels.

a) The office registration process is carried out through an interview between the client and the manager. During this process, the manager must fill in the sequence of screens provided in the system, incorporating the information (personal data) provided by the client.
After filling in several screens (around fifteen), the screen labeled "Modification of data protection of…" is displayed, whose structure is the following:

"Registration of consents CaixaBank data protection (RGPD) The client authorizes CaixaBank to: 1. Use your data to: . Carry out studies and monitoring of operations . Manage alerts for the products you have contracted . Study products and services tailored to your CaixaBank Group profile ( ) Yes ( ) No 2. Participate in promotional campaigns and commercial offers of the CaixaBank Group through the channels ( ) Yes ( ) Telemarketing ( ) Electronic means such as SMS, email and others ( ) Postal advertising ( ) Commercial contacts of the entity's managers ( ) No 3. Transfer customer data to third parties ( ) Yes ( ) No (OK) (Cancel)".

For the provision of these consents, during this interview the client responds verbally to the three questions that the manager asks about the indicated purposes, one of them broken down into four options, and the manager incorporates the responses into the system. Once the interview is over, the completed "Framework Contract" is printed on paper and signed by the client. In its response to the Inspection Services of 07/17/2018, CAIXABANK states that, later, it equipped the entire network of offices with digitizing tablets, making it possible for the "Framework Contract" to be signed not on paper but on the tablet itself. CAIXABANK, with its response to the AEPD dated 05/03/2019, provided documentation referring to the training given to its employees, in which it is indicated: (…)

The procedure followed in this process was modified again, establishing a "shared screen" system to enable the customer to mark the selected options themselves on a tablet that the manager places at their disposal.
CAIXABANK, with its letter of 11/20/2019, sent in response to the requests for information from the Inspection Services of the AEPD, provided screenshots corresponding to the process of registering a client. After advancing about fifteen screens, a screen is displayed with a message for the manager with the indication "According to the General Data Protection Regulation, the client must authorize the use of their data. You must then hand over the tablet to the client to fill in the consents". Once the manager presses the "Accept" button on that screen, two screens are displayed corresponding to the collection of consents for the processing of personal data, with the label "Authorization / Revocation of consents" and the indication "Tablet Mode. Customer". The detail is as follows:

"Protection of personal data Caixabank group I authorize the Caixabank group to: 1. Use my data for study and profiling purposes: If I authorize it, the offers that are sent to me will be adapted to my profile ( ) Yes, I accept that the offers are based on my profile ( ) No 2. Receive advertising and commercial offers If I do not authorize it, not even my manager will be able to contact me to inform me of products of interest to me. ( ) Yes, I agree to receive offers by the following means: ( ) Telemarketing ( ) Electronic means such as SMS, email and others ( ) Post mail ( ) Commercial contacts through any channel of my manager ( ) No 3. Transfer my data to third parties with whom the Caixabank group has agreements: If I authorize it, at the time my data is transferred, I will be informed of which third party is the recipient of the data and, if I do not agree, I may revoke this authorization ( ) Yes, I agree to transfer the data to third parties ( ) No 4. Use of my biometric data (facial image, fingerprint, etc.) in order to verify my identity and signature: This authorization will be complemented in each case with the registration of the biometric data to be used at all times.
In order to verify the identity / signature of its clients, Caixabank uses biometric recognition methods such as facial recognition systems, fingerprint reading and the like. Currently, some of our ATMs already allow you to carry out operations using these methods. ( ) Yes, I accept the use of my biometric data ( ) No The preferences that you have indicated here will be included on the first page of your framework contract".

Once the options have been selected, the "Accept" and "Cancel" buttons appear at the bottom of the screen. When pressing the first one, the message "Your consents have been indicated. Thank you for your cooperation. Please return the Tablet to your manager" is displayed. (…)

The "Tablet Mode. Client" screens do not contain any link to the information on the protection of personal data contained in the "Framework Agreement". In relation to this process, no screen was provided regarding the consolidation of the document and its signature by the client.

b) The client registration process through the CAIXABANK web portal and mobile application (the application redirects the data subject to the web application) includes a step that shows a screen through which consent is collected for the processing of data for commercial purposes. The screen shows the following options:

<< Manage your data (i) Do you want to find out about our news in a personalized way? Processing of your data to receive a personalized service from the Caixabank Group Processing of your data for the purposes of analysis, study and monitoring of the offer and design of products and services adapted to the customer profile by Caixabank and companies of the Caixabank Group.
More information No Yes Processing of your data to receive offers of Caixabank products and services Processing of your data for the commercial offer of Caixabank products and services and companies of the Caixabank Group More information No Yes Transfer of your data to third parties with whom Caixabank and Caixabank Group companies have agreements Processing of your data by third parties with whom Caixabank and Caixabank Group companies have agreements, to receive offers of products and services from such third parties. More information No Yes (Continue) >>

During this process of providing consent, the client is given access to clause 8 of the "Framework Contract". At the end of the process the "Framework Contract" is displayed with the summary of the consents granted and the clauses, for signature by the customer ("View and download framework contract"). A box is included to check "I have read and I accept the contract", together with the "Previous" and "Continue" buttons.

In the inspection carried out at CAIXABANK on 11/28/2019, the complete download of the "Framework Agreement" was verified, and it was verified that, once the acceptance box of the contract is checked, the signature is carried out using a numerical code sent to the mobile phone provided by the customer.

FIFTH: As reported by CAIXABANK to the Inspection Services in its response of 07/17/2018, this entity also collects the consent of its clients for the processing of data for "commercial purposes" and the transfer of data to third parties through the document labeled "Authorization for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group", which CAIXABANK called "Consent Agreement" and which is also used to modify those consents at moments after the registration process.
a) The process of formalizing this document in the office is similar to that of the "Framework Contract" and has followed the same evolution over time (printing and signature of the document, digital signature and "Tablet mode"), but signing a document that only includes the points indicated.

Through this document, consent has been given separately for the same purposes mentioned in the "Framework Contract". The system displays the screen enabled for the manager to register the revocation under the heading "Modification of data protection", whose structure is similar to that shown for the provision of consent during the client registration process, including the incorporation of the fourth consent that is requested from the client in relation to the processing of biometric data, as verified in the inspection carried out on 11/28/2019.

Three versions of this "Consent Agreement" are incorporated into the proceedings (the one provided by the claimant on 01/24/2018, outlined in the First Fact - Version 1; the one provided by CAIXABANK on 07/10/2018, outlined in the Second Fact and transcribed in Annex II - Version 2; and the one attached to the Inspection Certificate dated 11/28/2019, outlined in the Fourth Fact - Version 3 (the differences of this Version 3 compared to Version 2 are also included in Annex II)). In version 3 of the document, the one provided during the inspection of 11/28/2019, the term "revocation" is added to the name of the document: "Authorization / revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group". The information offered in the "Consent Agreement" regarding the protection of personal data coincides, almost literally, with clause 8 of the "Framework Agreement".
b) The process to revoke consents through the client's private space on the CAIXABANK website shows a screen with the following structure:

<< Authorizations for commercial purposes Modification You can then modify the processing that Caixabank performs on your information I accept the processing of my data to monitor and study alerts for my contracted products, studies and services adjusted to my profile. See detail Clause 8 I accept I do not accept I accept that Caixabank contact me to let me know about offers of products and services, as well as promotions and offers that may be of interest to me. See detail Clause 8 I accept I do not accept Indicate if Caixabank can contact you in any of the following ways ( ) Through my manager (office) ( ) Through postal communications ( ) By email, SMS and other electronic channels ( ) By telemarketing I accept that my data is shared with companies with which Caixabank has signed agreements for the purpose of being able to receive offers of products and services from these companies. See detail Clause 8 I accept I do not accept >>

During this process, the client can access the information contained in clause 8 of the "Framework Contract". Once the options are selected, the client is shown a summary with the consents granted ("Operation not yet completed. Check the data and confirm the operation") and the contract that includes a summary of these consents ("Read the contract carefully. Confirm the operation").

c) In the environment of the CaixaBank Now mobile application, the customer can access "Configuration - Exercise of rights" and is redirected to the web portal.
d) CAIXABANK informed the Inspection Services, in its response dated 07/17/2018, that the client can revoke consents by using forms available on the CAIXABANK corporate web portal (it indicates that this allows consent to be revoked for any Group company) or on the web portal of each of the Group companies (on accessing the page corresponding to the entity in question, the client is directed to a screen common to all of them). It offers the possibility of marking three boxes with the following detail:

"( ) I do not wish to receive a personalized service from the CaixaBank Group (data processing for the purposes of analysis, study and monitoring for the offer and design of products and services adjusted to your profile by CaixaBank and CaixaBank group companies) ( ) I do not wish to receive offers of personalized products and services from CaixaBank and companies of the CaixaBank group ( ) I do not want my data to be communicated for commercial purposes to third parties with which CaixaBank has agreements".

d) Revocation of consent through the telephone service: the Call Centers have at their disposal a tool that allows them to deal with the revocation of consents. The structure shown by the aforementioned tool for the revocation of consents is similar to that indicated for the process of registering clients in the office ("Registration of consents").

CAIXABANK, in its response of 05/03/2019 to the transfer of the complaint made by FACUA, informed this Agency that the revocation of consents has effects for all the Group companies and can be exercised before any of them, through any of the channels of each one. According to CAIXABANK, these requests for revocation or modification of consents are registered and referred to a centralized rights service, which is in charge of processing them accordingly.
The entire content of the "Consent Agreement", in all its versions (the content of version 2 and the differences in version 3 with respect to version 2 are included as Annex II), is declared reproduced in this act.

SIXTH: Section 7 of the "Framework Agreement" contains a reference to the privacy policy of CAIXABANK, accessible through the entity's website ("You can find information complementary to that provided in this contract, regarding the processing of your personal data, at www.CaixaBank.com/privacidad"). The document "Privacy Policy", with thirteen sections, provides generic information on the identity of the controller (without referring to the existence of a "common repository" shared by CAIXABANK and the Group companies), data collected, information obtained from browsing the web and mobile applications, purposes, legal basis that covers the data processing, security, data retention, transfers, international transfers, data protection officer and rights of the data subject. It is interesting to highlight that this "Privacy Policy", when referring to uses based on consent, warns the data subject that they may use "all the data we have about you"; and in the section "To whom is my data disclosed?" it informs about the exchange of information with companies of the CaixaBank Group.

In its response to the Inspection Services dated 11/20/2019, CAIXABANK informed this Agency that said privacy policy is intended to complement the information provided to customers through the "Framework Agreement" between June 2016 and May 2018, and to give complete information to clients who in May 2018 had not signed the "Framework Agreement". Thus, since May 2018 it distinguishes two situations:

. All pre-existing clients have signed a framework contract or have received the Privacy Policy (in addition to having it at their disposal on the entity's website).
. All new clients, in their first relationship with the entity, sign a "Framework Contract", which includes all the information of article 13 of the RGPD.

The full content of the Privacy Policy accessible through the CAIXABANK website is declared reproduced in this act for evidentiary purposes.

SEVENTH: The "Framework Agreement", in section 8, details the personal data used for the purposes described in that same section. Among them are mentioned "the data obtained from social networks that the signatory authorizes to consult". This is accessed from the personal online banking area, and the network for which access is allowed is specified (Facebook, Twitter and LinkedIn). A box includes a text with the indication "Information on the processing of personal data and commercial communications", and a button with the text "Accept and continue". With this single action, the client gives their consent to the collection of the personal data mentioned in that information and to the processing detailed therein. This information is declared reproduced in this act for evidentiary purposes (it is set out in full in Annex III).

EIGHTH: Section 8 of the "Framework Agreement" details the personal data used for the purposes described in that same section. Among the data used for these purposes, mention is made of "data obtained from third parties as a result of requests for aggregation of data requested by the signer". Said request is formalized through the client's subscription to the so-called Aggregation Service Agreement. This service allows the client to add the information of the products contracted with other entities (positions and movements of accounts and cards) and thus have a global view of all positions, alerts on receipts, maturities, etc., but not to operate on the products of the aggregated entities. The client adds or removes entities at will, but only among those incorporated into the service.
The process of requesting the aggregation service is followed through the CAIXABANK website. After selecting the entity to be added to the service and entering the data that the client uses to access the selected entity online (access passwords), the process requires the acceptance of the terms and conditions of the service:

"On the one hand Caixabank, SA and on the other the persons whose circumstances and representation are specified below, agree to formalize the contractual relationships that are expressed under the following conditions: Contractor data Name and surname Document number". (link to a document in pdf format, with the indication "Version to print or save"). (link to download the Acrobat Reader program, with the indication "If you don't have the program…, you can download Acrobat Reader") ("Accept and continue" button)

Next, the process requires confirmation of the operation by entering a key. On the other hand, it does not include any verification that leaves proof of the reading of the document "Terms and conditions of service".

The complete clauses of the Aggregation service contract are declared reproduced in this act for evidentiary purposes (they are set out in full in Annex IV).

NINTH: In its response to the Inspection Services of this Agency, dated 05/16/2018, CAIXABANK stated that, on the occasion of the changes that the adaptation to the RGPD entailed, in 2016 it established that the consent of clients for the processing of their personal data for "commercial purposes" would be collected at "group" level, jointly for all companies in the "group". Version 2 of the document "Consent Agreement" refers to a "common repository" of personal data in the indication "For this, your data will be managed from a common repository of information on the CaixaBank Group companies.
The data that will be incorporated into this common repository will be ..." (this reference to the "common repository" in the presentation of the aforementioned document disappears in its 3rd version). (…) And a "common repository of consents", which stores the authorizations for commercial processing granted by clients to Group companies, allowing a client to revoke consent from any company of the Group, and conversely, with automatic effects for all of them. (…)

FOUNDATIONS OF LAW

I

By virtue of the powers that article 58.2 of the RGPD recognizes to each Supervisory Authority, and as established in articles 47, 48, 64.2 and 68.1 of the LOPDGDD, the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this organic law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in the alternative, by the general rules on administrative procedures."

II

As a preliminary matter, it is deemed appropriate to analyze the objections alleged by CAIXABANK, on the basis of which it requests the declaration of nullity of the proceedings, as well as the formal questions raised by said entity.

- 1. Violation of article 24.2 of the Constitution, presumption of innocence.
First, it invokes Articles 24.2, 103.1 and 103.2 of the CE, and Article 6 of the European Convention on Human Rights (ECHR), and alleges a possible violation of the principle of presumption of innocence due to a lack of objectivity and impartiality of the body that has the competence to resolve the procedure, which CAIXABANK deduces from some statements made by the Director of the AEPD at a public event, in which the imposition of "quantitatively significant" fines was announced. The statement to which CAIXABANK refers is the following: "We already have two or three high-impact sanctioning procedures that are going to have a lot of media impact in relation to the financial sector; they will be the first quantitatively significant fines imposed by the Agency". From this statement, made during the period granted to the interested party to present allegations against the opening of the procedure, CAIXABANK deduces that the will of the body that has the competence to resolve was formed without even knowing those allegations and without having all the evidence in view.

In the administrative sanctioning area, the impartiality of the adjudicating body is linked to the right of the interested party to a process with all the guarantees. It is guaranteed by the grounds for abstention or recusal and by the due separation between the instruction and resolution phases of the sanctioning procedure, a separation between phases that in this case has not been broken and that is scrupulously respected in all procedures of this nature followed at the AEPD. For the sake of legal certainty, the grounds for abstention or recusal have been regulated by an exhaustive list of circumstances that respond to objective reasons, thus preventing the interested parties from asserting causes of abstention or recusal based on their own or particular criteria.
In our administrative system, the appearance of partiality is assessed by the concurrence, objectively justified, of the grounds regulated in articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP):

"Article 23. Abstention. 1. The authorities and personnel at the service of the Administrations in whom any of the circumstances indicated in the following section concur shall refrain from intervening in the procedure and shall communicate this to their immediate superior, who will resolve the matter. 2. The following are grounds for abstention: a) Having a personal interest in the matter in question or in another whose resolution could be influenced by it; being an administrator of an interested company or entity, or having pending litigation with any interested party. b) Having a marital bond or assimilable de facto situation and blood relationship within the fourth degree or affinity within the second with any of the interested parties, with the administrators of interested entities or companies and also with the advisors, legal representatives or agents involved in the procedure, as well as sharing a professional office or being associated with them for advice, representation or mandate. c) Having an intimate friendship or manifest enmity with any of the persons mentioned in the previous section. d) Having intervened as an expert or as a witness in the procedure in question. e) Having a service relationship with a natural or legal person directly interested in the matter, or having provided professional services of any kind to them in the last two years and in any circumstance or place. Article 24. Recusal. 1. In the cases provided for in the preceding article, recusal may be promoted by the interested parties at any time during the processing of the procedure. 2. The recusal shall be raised in writing, stating the cause or causes on which it is based".
Ultimately, it is a matter of the person making the decision not having any personal interest in the matter and not having participated in the procedure as an expert or witness, so that they can resolve according to the general interest, without any type of influence beyond that interest that could lead them to decide in a certain way.

On the other hand, in accordance with the doctrine of our Constitutional Court, what is demanded of public servants is not the personal and procedural impartiality that is required of judicial bodies, but rather that they act with objectivity and submission to the law. Thus, in STC 174/2005, of July 4, the following is declared:

"In this regard, it should be remembered that although this Court has reiterated that, in principle, the requirements derived from the right to a process with all the guarantees apply to the administrative procedure, it has nevertheless also placed special emphasis on the fact that said application must be performed with the required modulations, to the extent necessary to preserve the essential values found at the base of art. 24.2 CE and the legal certainty guaranteed by art. 9.3 CE, as long as they are compatible with its own nature (for all, STC 197/2004, of November 15, FJ 2).
More specifically, and with regard specifically to the guarantee of impartiality, it has been pointed out that it is one of the cases in which it is necessary to modulate its projection in the administrative sanctioning procedure, since said guarantee "cannot be predicated of the sanctioning Administration in the same sense as with respect to the judicial bodies" (STC 2/2003, of January 16, FJ 10), and therefore, "without prejudice to the interdiction of all arbitrariness and subsequent judicial review of the sanction, the strict impartiality and independence of the organs of the judiciary is not, in essence, predicable to the same extent of an administrative body" (STC 14/1999, of February 22, FJ 4), concluding that the independence and impartiality of the judge, as a requirement of the right to a trial with all guarantees, is a guarantee characteristic of the judicial process that does not extend without further ado to the administrative sanctioning procedure (STC 74/2004, of April 22, FJ 5)".

And STC 14/1999, of February 22, states the following:

"An erroneous understanding of the content of the constitutional requirements of judicial impartiality and their alleged transfer in totum to whoever intervenes in the administrative sanctioning procedure in the capacity of Instructor leads the appellant to affirm the violation of his right to a process with all the guarantees. (…) It should be reiterated here again, as we did in STC 22/1990 (4th legal basis), that "without prejudice to the interdiction of all arbitrariness and the subsequent judicial review of the sanction, the strict impartiality and independence of the organs of the judiciary is not, in essence, predicable to the same extent of an administrative body". What can be demanded of the Instructor, ex arts.
24 and 103 CE, is not that he act in the situation of personal and procedural impartiality that is constitutionally required of judicial bodies when they exercise jurisdiction, but that he act with objectivity, in the sense that we have given to this concept in SSTC 234/1991, 172/1996 and 73/1997, that is, performing his functions in the procedure with personal disinterest. To this end serves the possibility of recusal established by art. 39 of Organic Law 12/1985, on the Disciplinary Regime of the Armed Forces (hereinafter LORDFA), which refers to art. 53 of the Military Procedural Law, whose catalog of cases keeps, in this scope, an evident similarity with that provided for in the Organic Law of the Judicial Power, although those listed in one and the other obey, according to what has been stated, a different foundation. (…) None of the reasons given can be accepted, not only because, in general, and as previously stated, the constitutional doctrine elaborated on the impartiality of the judicial organs cannot be transferred without further ado to the administrative sanctioning area, but because in the present case, and in view of the configuration of the legal grounds for recusal, the concurrence of any element that would demand the removal of the Instructor due to loss of the necessary objectivity cannot be appreciated. It is not observed in the questioned Instructor, nor has the interested party provided justified data in this regard, the presence of a direct or indirect personal interest in the resolution of the sanctioning file (…)".

In this case, it must first be specified that CAIXABANK, despite its allegation of lack of impartiality of the adjudicating body, has not formally raised the recusal of the Director of the AEPD, nor does it make any reference to the grounds listed in those articles.
In this regard, it should be borne in mind that, in order to declare the nullity of the proceedings on the grounds alleged, it would be necessary to demonstrate fully the concurrence of one of those grounds and that it could effectively have influenced the decision adopted through the present resolution. Nevertheless, it is considered appropriate to place on record here the absence of any of the causes of abstention or recusal established in the provisions transcribed, which allows the conclusion that the alleged lack of impartiality does not exist. The adjudicatory body has no personal interest in the object of the procedure; no relationship, friendship or enmity with the interested party; nor has it intervened as an expert or witness in the procedure. This resolution is adopted in accordance with the law, on objective criteria, and without the adjudicatory body having prejudged the matter at issue through earlier steps or through its intervention in earlier phases of the procedure. No such intervention has taken place, beyond the adoption of the agreement to open the procedure as established by the applicable procedural rules. The statements to which CAIXABANK refers do not fall within the cases of disqualification and abstention listed above, nor do they anticipate the decision, so they cannot be given the scope intended by that entity. Neither those statements nor any other circumstance have compromised the impartiality of the investigating body, which has had all the powers attributed to it by the applicable regulation and full freedom to draw up its proposed resolution, as evidenced by the fact that the proposal reduced the infringements imputed in the agreement to open the sanctioning procedure.
The Director's intervention at the event held on 03/03/2020 relates, rather, to the adoption of the agreements to open the procedures to which CAIXABANK refers in its allegations, both concerning the financial sector. The reference to those agreements as having a wide impact on the affected sectors and media relevance has to do with the novelties regulated in the RGPD and, in particular, those related to the new compliance and oversight model. In relation to the latter, the significant amounts contemplated in the Regulation are intended, as the Regulation itself states, to have a dissuasive character. In the opinion of this Agency, specifying in the opening agreement the infringement that could have been committed and its possible sanction conforms to article 68 of the LOPDGDD and article 64.2 of the LPACAP (in this case, of the different corrective powers provided for in article 58.2 of the RGPD, the Agency deemed appropriate the imposition of a fine, in addition to the adoption of measures to bring its conduct into line with the regulations, in view of the indications of infringement appreciated at the time of opening and without prejudice to what might result from the instruction of the procedure). Thus, it cannot be said that indicating the possible sanction that could correspond to the imputed infringements causes defencelessness or entails a breach of the principle of separation between the instruction and resolution phases. Moreover, the instruction of the procedure has complied with the procedural rules, and no irregularity can be found in the processing of the procedure, in which, in addition, all the guarantees of the interested party have been respected, including the presumption of innocence.
CAIXABANK, in this case, has enjoyed all the guarantees afforded to the interested party by the procedural rules, and it cannot be said that fixing the amount of the fine in the opening agreement entails any loss of those guarantees causing defencelessness. It should be noted that both in the present procedure and in the other one cited by CAIXABANK, the resolution issued lowered the amount of the initial penalty in view of the allegations of the parties, as happens in so many sanctioning procedures processed by the AEPD. One need only visit the Agency's website, where all resolutions issued in sanctioning procedures are published, to verify the large number of those that end with a resolution closing the file, as well as those in which the amount of the penalty set in the opening agreement was increased or decreased, or in which a corrective power other than a fine was applied, whether on the instructor's proposal or at the initiative of the decision-making body.

- 2. Breach of the principle of legitimate expectations.

Furthermore, CAIXABANK requests that the file be closed for an alleged violation of the principle of legitimate expectations, or the reconsideration of the declaration of nullity of the consents obtained. It bases this request on the enquiry made shortly after the GDPR was published, through emails addressed to the "Deputy Director of the AEPD", regarding the implementation of the RGPD and the documents analysed in the file, especially the "Framework Contract", on which, according to CAIXABANK, only some minor observations were made in a telephone conversation, which the interested entity addressed. It states that those emails repeatedly requested a meeting between the AEPD and CAIXABANK for this purpose, which was refused.
From having communicated to the AEPD the main actions it would carry out to bring its conduct into line with the RGPD, including the reference to the so-called "Common repository", CAIXABANK deduces a legitimate conviction that it had been acting correctly and that it may have held a "reasonable induced hope" that its way of proceeding was in accordance with the law. The aforementioned principle of legitimate expectations is set out in article 3 of the LRJSP: "Article 3. General principles. 1. Public Administrations serve the general interests objectively and act in accordance with the principles of efficiency, hierarchy, decentralisation, deconcentration and coordination, with full submission to the Constitution, statute and the law. They must respect the following principles in their actions and relationships: (…) e) Good faith, legitimate expectations and institutional loyalty". It is a manifestation of the doctrine of "own acts" and is related to the principle of legal certainty. The principle of legitimate expectations can be understood as citizens' confidence in the future action of the Public Administrations, taking into account their past conduct and the expectations that conduct generates, although always safeguarding the principle of legality, so that the principle may not be invoked to preserve situations contrary to the law.
The STS of December 18, 2007 refers to the principle of protection of legitimate expectations, citing the terms of an earlier judgment of May 10, 1999: <<Thus, the STS of 10-5-99 (RJ 1999, 3979) recalls "the doctrine on the principle of protection of legitimate expectations, related to the more traditional principles of legal certainty and good faith in our legal system governing relations between the Administration and individuals, and which entails, according to the doctrine of the Court of Justice of the European Communities and the case law of this Chamber, that the public authority cannot adopt measures contrary to the expectation induced by the reasonable stability of its decisions, on the basis of which individuals have taken certain decisions. […] On the other hand, the STS of 1-2-99 (RJ 1999, 1633) recalls that "this principle cannot be invoked to create, maintain or extend, within the scope of public law, situations contrary to the legal system, or when the preceding act contradicts the purpose or interest protected by a legal rule which, by its nature, is not capable of protecting discretionary conduct by the Administration that involves the recognition of rights and/or obligations arising from its own acts.
[…] It is one thing to speak of the irrevocability of acts declaring rights outside the review channels established by law (articles 109 and 110 of the Administrative Procedure Law of 1958 [RCL 1958, 1258, 1469, 1504 and RCL 1959, 585], and 102 and 103 of the Law on the Legal Regime of the Public Administrations and Common Administrative Procedure, Law 30/1992 [RCL 1992, 2512, 2775 and RCL 1993, 246], as amended by Law 4/1999 [RCL 1999, 114, 329]), and another to respect the legitimate expectations generated by the Administration's own conduct, which must necessarily be projected onto the field of discretion or autonomy, not onto that of regulated matters or regulatory requirements, against which, in administrative law, neither an act nor a precedent contrary to them can prevail. Or, in other words, it cannot be said that the trust placed in an act or precedent contrary to a mandatory rule is legitimate">>. The STS of February 22, 2016 (rec. 1354/2014) refers to the requirements that must concur in order to find legitimate expectations: "It should be borne in mind that legitimate expectations require, in short, the concurrence of three essential requirements. Namely, that they are based on undeniable and external signs (1); that the expectations generated in the person administered are legitimate (2); and that the final conduct of the Administration contradicts its previous acts, being surprising and incoherent (3). This is exactly what occurs in the case under review, in the light of the facts mentioned above, which is irrelevant. Let us recall that, with respect to legitimate expectations, we have repeatedly declared, for all, in the Judgment of December 22, 2010 (contentious-administrative appeal no. 257/2009), that «the principle of good faith protects the legitimate expectations that may have been placed in the conduct of others and imposes a duty of consistency in one's own conduct.
Which is as much as saying that the principle implies the requirement of a duty of conduct consisting in the need to observe in the future the conduct that previous acts led others to foresee, and to accept the binding consequences arising from one's own acts, which constitute a case of infringement of the legitimate expectations of the parties, "venire contra factum proprium". This same judgment refers to confidence in the stability of the Administration's criteria, evidenced in previous acts to the same effect. For its part, the STS of September 21, 2015 (rec. 721/2013), in its fourth legal ground, declares the following: "In the aforementioned judgment of this jurisdictional Chamber of February 23, 2000, the application of the principle of protection of legitimate expectations is conditioned not so much on the existence of any kind of psychological conviction in the particular beneficiary, but rather on proof of the existence of external signs produced by the Administration that are "sufficiently conclusive" to reasonably induce him to trust in the legality of the administrative action". Therefore, the expectation or confidence generated must be "legitimate" and based on prior external acts whose meaning is undoubtedly contrary to what was later decided, and a mere psychological conviction of the individual cannot be included within this principle of legitimate expectations. In this case, it appears that CAIXABANK sent several emails to the "Deputy Director AEPD", by way of consultation, attaching a copy of the "Framework Contract" used by that entity as a form for collecting personal data and containing the informative clauses on the protection of personal data, as well as a programme of the actions taken, and in which, in addition, it requested a meeting for the purpose of discussing those documents and actions. It also appears that this meeting did not take place.
It is also clear that these emails were answered by the recipient, by the same route, with the following messages:

- Email dated 07/27/2016: "Subject: Meeting. Good morning…, in order to assess the possibility of holding a meeting, send me a brief explanation of the policy you have adopted and the text of the informative clauses. We will talk in September".
- Email dated 09/11/2017: "Subject: RE: RGPD Presentation at CaixaBank. Good morning, I would appreciate it if, where possible, you could send me the presentation in a format that can be printed, as it is impossible for me to do so".

In this case, CAIXABANK has no prior external acts ("undeniable external signs") that can be considered favourable to that entity in a conclusive and sufficient manner so as to have induced it to think that the AEPD validated the actions undertaken by the entity to adapt its conduct to the RGPD. Beyond whatever criticism CAIXABANK might make of this AEPD for not having attended to its enquiries or its requests for a meeting to analyse the documentation it was preparing, the truth is that the Agency's replies contained in the emails provided by the interested party have no legally binding content, nor do they contain any pronouncement on the issues to which the allegations refer. In short, they do not constitute external acts of the Administration from which a subsequent violation of the principle of the "legitimate expectations of the person administered", now invoked, could derive. The actions of this Agency have in no way influenced the conduct of CAIXABANK giving rise to the infringements analysed, nor has this Agency carried out any action that would have allowed that entity to conclude that neither the data protection documentation it formalised nor its processes for collecting and processing personal data contained any element contravening the provisions of the RGPD and LOPDGDD.
CAIXABANK cannot point to any statement or action of this Agency that led to this alleged confusion, simply because there was no action whatsoever to that effect. In short, applying the doctrine of the Supreme Court to the present case, and in the terms of the STS of December 18, 2007, there are no circumstances that allow the conclusion that CAIXABANK was taken by surprise by the conduct of the Administration. Finally, it is considered appropriate to point out, firstly, that the emails referred to by CAIXABANK do not belong to or form part of any regulated action of the Administration and, secondly, that the AEPD has set up consultation channels so that citizens and those responsible for processing personal data may raise their doubts on matters within its competence, but these channels cannot be used to have this Agency supervise and fully validate the actions undertaken by controllers, unless a rule expressly so provides. Furthermore, it is surprising that CAIXABANK seeks to base the breach of the principle of legitimate expectations on the sending of two emails to the Deputy to the Directorate of the AEPD, in which a meeting on the attached texts was requested. First, from a formal perspective, it should be noted that the allegations highlight in bold the recipient of the emails, whom they incorrectly describe as "Deputy Director of the AEPD", despite the fact that no such post existed in the Agency's list of posts, as CAIXABANK is well aware, given that document number 3, which it provides in relation to this argument, is addressed to the "AEPD Deputy". This might suggest, beyond a mere clerical error, a deliberate intention to give greater importance at this point to the sending of those emails on account of the relevance of the position to which they were addressed.
And, what is materially more relevant, CAIXABANK seeks to base that allegation on compliance with the principle of proactive responsibility, regulated in the RGPD as an essential element of the new compliance model designed by that standard. That interpretation is exactly contrary to the provisions of the Regulation, in which the principle of proactive responsibility places on controllers the requirement to carry out an analysis of the risks to the rights and freedoms of those affected and to adopt autonomously the measures that allow those rights to be guaranteed, through the measures described in the Regulation itself. All the more so when, in relation to those measures, the only provision of the RGPD on consultations with the supervisory authority concerns Data Protection Impact Assessments, where the assessment shows that the processing would involve a high risk if the controller does not take measures to mitigate it, in accordance with article 36 of that regulation. To this it must be added that, without having analysed the documentation submitted or expressed a view on it, CAIXABANK was informed that the meetings would not be held, arguing precisely that proactive responsibility requires the controller to carry out its own analyses and autonomously adopt the measures that guarantee, and allow it to demonstrate, compliance with its obligations. Therefore, the allegation of a violation of the principle of legitimate expectations must be rejected and, if anything, the full responsibility of CAIXABANK for analysing the risks associated with the initiatives developed to comply with and demonstrate compliance with the RGPD must be reaffirmed.

- 3. Expiration of the previous actions.
In its allegations to the opening of the procedure, CAIXABANK invoked the expiration of the preliminary investigation actions registered under number E / 01475/2018, initiated as a result of the claim submitted on 01/24/2018, the documentation of which was incorporated into the new investigation actions initiated under number E / 01481/2019. On that basis, it considers that the possible infringements analysed in the earlier proceedings, which were declared expired by resolution of 02/01/2019, would have become time-barred under the terms of Organic Law 15/1999, of December 13, on the Protection of Personal Data (LOPD). Subsequently, in its allegations to the proposed resolution, CAIXABANK alleges a possible violation of Article 24 of the CE owing to the defencelessness caused by the artificial and unlawful extension of the preliminary investigation actions, also disregarding their expiration. It substantiates this claim on the following grounds:

- The preliminary investigation actions supplanted the instruction activity, since they were used as a true sanctioning procedure, which constitutes a possible defect of misuse of power in the use of the instruction mechanisms. For this very reason, the sanctioning procedure must be considered expired on the lapse of the period provided for its resolution, counted from the start of the preliminary investigation actions.
- It understands that such a character can only be attributed to actions that allow data and indications to be gathered about the facts committed and those responsible, and that the procedure must be opened as soon as there is certainty about the commission of the facts and their author. According to CAIXABANK, in this case they did not adhere to the purpose provided in the applicable regulations.
- The preliminary actions carried out (a first set, which expired, and which led to the opening of a second) did not respect any of the essential guarantees of the sanctioning procedure, such as notification of the accusation, a reminder of the right not to testify against oneself, etc.
- Given that the proposed resolution rests de facto, solely and exclusively, on the elements of conviction and evidence gathered during the preliminary proceedings phase, the impossibility of using them means that the proposal lacks the elements necessary to rebut the presumption of innocence.
- The wholesale transfer of the expired file is not acceptable, nor is it possible for what was done in the preliminary actions to pass in full to the sanctioning file.
- The use of preliminary actions without any time limit, beyond the limitation period itself, is not acceptable.

This allegation by CAIXABANK is based on various rulings of our Supreme Court, but it contains statements that are contradictory in some cases and, in others, refer to factual situations different from the one at issue here. Thus, for example, CAIXABANK alleges that the preliminary actions carried out did not respect any of the essential guarantees of the sanctioning procedure, such as notification of the charge, a reminder of the right not to testify against oneself, etc. However, it bases this allegation on what the Supreme Court stated in its judgment of 06/09/2006, which concerned a disciplinary case in the Armed Forces.
Furthermore, it is hard to understand how, on the one hand, it is said that the proposed resolution rests entirely on incriminating elements gathered during the preliminary investigation phase and, on the other, it is argued that the preliminary actions carried out were distorted and did not serve "the purpose they must fulfil according to the legislator's design", when, precisely, the purpose of carrying out such investigations is none other than to obtain the evidence that justifies the processing of a sanctioning procedure. For the same reason, it is hard to understand the demand that the sanctioning procedure be opened immediately, even when the infringement has not been fully proven. Likewise, that purpose being the basis for carrying out the preliminary investigation, this Agency does not share the assertion in CAIXABANK's allegations as to the "impossibility" of using in the proposed resolution the elements of conviction and evidence gathered during the preliminary proceedings phase. It is also argued that the actions of an expired procedure cannot take effect in a new sanctioning file that may be opened when the infringement is not time-barred (STS of 02/24/2004). However, in this case, the expiration concerned the preliminary actions E / 01475/2018, not the sanctioning procedure. On this question of the transfer or use of the documentation from the preliminary actions that were declared expired, some of the statements contained in the brief of allegations to the proposed resolution are striking.
Specifically, that brief states that "there are very divergent principles that prevent the actions taken in the preliminary proceedings from passing in their entirety to the sanctioning file", or that "the actions arising from and documented in these pseudo preliminary actions, in reality a true instruction of the sanctioning procedure, should not have reached the sanctioning file as a result of its initiation". In this case, there has been no transfer of documentation from the sanctioning procedure to the preliminary actions, but the reverse, as is normal; nor has documentation been transferred from an expired procedure to a new procedure, simply because no expiration of the sanctioning procedure has occurred. Likewise, CAIXABANK says that the preliminary actions did not serve "the purpose to be served according to the legislator's design", but it does not say what other "design" the AEPD pursued in carrying out these actions, other than a better determination of the facts and circumstances that justify the processing of a sanctioning procedure. It even alleges "a possible misuse of power in the use of the instruction mechanisms", understood as <<"a contravention of the teleological sense of the administrative activity carried out" (STS of 7-4-86), "a distortion of the normal purpose of the act" (STS of 11-4-89), a "failure to use administrative authority objectively, in accordance with the aim pursued" (STS of 12-5-86). Such misuse can occur "not only when it is proven that the Administration pursues a private or unavowable purpose, alien to any defence of the general interests, but this teleological deviation can also occur when it pursues a public interest that is nonetheless different from that provided by the legal system for the case" (Judgments of the Supreme Court of March 18, 2011 and May 11, 2012)">> (citations included by CAIXABANK in its allegations to the proposal).
In this regard, it argues that the aforementioned preliminary investigation actions "supplanted the instruction activity". However, CAIXABANK does not explain how the administrative sanctioning power was used in this case in a manner not in keeping with the purpose pursued, what contravention of the teleological sense of the administrative activity has occurred, how the purpose of the administrative act has been distorted, or what private purpose or public interest other than that provided for in the regulation the Administration pursues in this case. On this issue, the Supreme Court, in a Judgment of 05/13/2013, has declared: "In this regard, it should be noted that, according to the case law of this jurisdictional Chamber, the existence of misuse of power cannot be based on mere presumptions or conjectures; it is necessary to prove sufficient facts or elements to convince the Court that, although the Administration conformed its actions to the law, it did so for a purpose other than that sought by the applicable rule, which, in these proceedings, has not occurred". In this case, not only have sufficient facts or elements not been proven to support the conviction that the Administration acted for a purpose other than that intended by the rule, but not even presumptions or conjectures have been put forward regarding the alleged misuse of power. Likewise, CAIXABANK does not explain which specific step carried out within the preliminary investigation actions is in reality a procedural step that should have taken place within the sanctioning procedure, which specific step or steps of the sanctioning procedure have been supplanted by the preliminary actions, which steps of the procedure have been omitted because of the preliminary actions carried out, or what defencelessness all this has caused the interested entity.
On the contrary, the preliminary investigation actions were carried out in a fully justified manner, with the aim of achieving a better determination of the facts and circumstances (article 67 LOPDGDD); during them the information needed to determine the facts was gathered, without any step belonging to the sanctioning procedure being carried out in their course, that procedure being initiated on the basis of the evidence obtained and with the sole purpose of applying the established regulatory provisions. A first claim was received, dated 01/24/2018, in which the obligation to accept the new conditions on the protection of personal data implemented by CAIXABANK was reported (a copy was provided), and it was decided to carry out preliminary investigation actions, registered under number E / 01475/2018, to clarify the facts reported and determine whether there were circumstances justifying the initiation of a sanctioning procedure. Within the framework of these preliminary actions, CAIXABANK received two requests to provide information essential to assessing the informative clauses the entity offered its clients. Among other information, the entity was asked to provide details on the architecture and operation of the "Common repository"; the procedure for exercising rights; the obtaining of personal data from social networks, aggregation services and third parties; data enrichment; details of the mechanism implemented to collect the client's unequivocal consent to the processing of their data and the mechanism for revoking it; and the information provided to the client when obtaining consent in relation to the processing of personal data carried out by the CaixaBank Group companies and its purpose.
Subsequently, a new complaint was received regarding the "Framework Contract", which was submitted to the prior admission-for-processing stage under the mechanism provided for in article 65.4 of the LOPDGDD, which consists of forwarding the complaint to the data protection officers appointed by the controllers or processors, for the purposes provided in article 37 of that law, or to the controllers or processors themselves where they have not appointed one, so that they analyse the complaint and respond to it within one month. It is an optional step, so the forwarding is carried out if the Agency so decides. The result of that forwarding was not satisfactory; therefore, for the purposes set out in article 64.2 of the LOPDGDD, it was agreed to admit the claim submitted, by an agreement duly notified to the claimant, and not to CAIXABANK, in accordance with article 65.5 of the LOPDGDD. In accordance with article 67 of the LOPDGDD, it was agreed to initiate new preliminary investigation actions, registered under number E / 01481/2019, and to incorporate the second claim received and the documentation making up its admission-for-processing stage. Likewise, all the documentation corresponding to the preliminary actions registered under number E / 01475/2018, including the claim that gave rise to them, was incorporated.
The object of these new preliminary investigation actions was defined as the analysis of the information generally offered by CAIXABANK on the protection of personal data through all the channels used by the entity (CAIXABANK's compliance with the principle of transparency established in articles 5, 12 and following of the RGPD, and related provisions); the different processing operations on personal data carried out by the entity according to the information offered, in relation to clients or persons having any other relationship with it, within the framework of the new regulations applicable from 05/25/2018, including the analysis of the mechanisms used to obtain the consent of the data subjects; and the entity's compliance with the remaining principles relating to processing established in article 5 of the RGPD. During this new preliminary investigation phase, a request for information was made to CAIXABANK (a copy of all versions of the "Framework Contract" and any addenda, information on the channels and methodology for accepting the privacy policy and the granularity of consents, as well as the procedures put in place to publicise the updated privacy policy to clients before it took effect and the acceptance mechanisms), and an inspection visit was made to verify the in-person registration process at a branch, through the website and the mobile application, and to verify the consent modification process, among other issues. In view of the foregoing, it cannot be said that in this case the preliminary actions were unnecessary or were not carried out to gather data and evidence on the facts committed and those responsible. Indeed, the preliminary actions number E / 01475/2018 were declared expired by resolution of 02/01/2019, on the lapse of the twelve-month period provided for in article 122 of RD 1720/2007, of December 21, approving the Regulations implementing the LOPD.
That resolution drew attention to Article 95.3 of the LPACAP, which establishes that expiration does not by itself entail the time-barring of the Administration's actions, and allows a new procedure to be opened where the limitation period has not run. This expiration does not have the effect CAIXABANK intends. Nothing, therefore, prevents new investigations from being opened, with the incorporation of the documentation making up the expired actions. To this must be added the receipt of a new claim dated 03/29/2019, which is why the new investigation actions to be initiated had as their object both claims: the one that gave rise to investigation file E / 01475/2018 and the one received on 03/29/2019. No legal consequence can be attached to this fact beyond the rule on limitation and the effects attributed to it. It is also appropriate to respond to the allegation regarding the expiration of the sanctioning procedure asserted by CAIXABANK. On the basis of its view that the preliminary investigation actions supplanted the instruction activity, which, as has already been said, has no basis whatsoever, the entity understands that the sanctioning procedure must be considered expired on the lapse of the period provided for its resolution, counted from the start of the preliminary investigation actions. This claim must also be rejected. The approach CAIXABANK took on this issue in its allegations to the opening does not comply with the law.
It should be noted that the expiration period of this procedure, set at nine months, is computed from the date on which its initiation is agreed; it is inappropriate to add to this computation, in order to measure the duration of the administrative file, any other period, such as the time taken by the preliminary investigation actions, the time that elapses between the completion of those actions and the opening of the procedure, or the time corresponding to the phase of admission of the claims presented for processing. This has been repeatedly stated by our Supreme Court. The Judgment of 10/21/2015 cites the Judgment of 12/26/2007 (appeal 1907/2005), which states the following: "[...] The term of the procedure [...] is counted from the initiation of the sanctioning file, which obviously excludes from the computation the time of the reserved information"; "[...] The greater or lesser duration of the preliminary phase does not entail the expiration of the subsequent procedure". Likewise, the Supreme Court judgment of 10/13/2011 (appeal 3987/2008), which examines a ground of appeal relating to the computation of the expiration period of the procedure, declares the following: "We cannot share the reasoning presented by the Court of Instance to establish a dies a quo different from that established by law, indicating as the initial date of the computation the day following the completion of the preliminary informational proceedings. [...] Well, once these preliminary actions have been carried out, the time the Administration takes to agree to initiate the procedure [...] may have the appropriate consequences regarding the calculation of prescription (extinction of the right); but it cannot be taken into consideration for the purposes of expiration, since this figure is intended to ensure that, once the procedure has been initiated, the Administration does not exceed the term available to resolve it.
In the third legal ground of the judgment under appeal, the Court of Instance makes an interpretation of the rule that is not in accordance with the nature of the institution of expiration, since, unlike prescription, which is a cause of extinction of the right or responsibility in question, expiration is a way of terminating the procedure due to the lapse of the period established in the norm, so its appreciation does not prevent, if the period established for the prescription of the Administration's action to restore urban legality has not elapsed, the initiation of a new process". Finally, regarding the prescription of the infringements invoked by CAIXABANK in accordance with the provisions of the LOPD, it is enough to point out that it is not this rule that typifies the infringements analysed in this procedure. The object of the sanctioning procedure, as well as that of the preliminary investigation actions already mentioned, which is defined precisely in the following Legal Ground, relates to the information offered in general by CAIXABANK regarding the protection of personal data; the different processing operations on personal data carried out by the entity according to the information offered, including the analysis of the mechanisms used to obtain the consent of the data subjects; as well as the entity's compliance with the rest of the principles relating to processing. All this within the framework of the new regulations, constituted by the RGPD, applicable since 05/25/2018, and the LOPDGDD, in force from the day following its publication in the Official State Gazette, which took place on 12/06/2018. The two claims that give rise to the procedure, including the first of them, received on 01/24/2018, relate to the changes implemented by CAIXABANK for its adaptation to the RGPD, and this has been acknowledged by the interested entity itself.
The conduct of CAIXABANK is analysed from the application of the RGPD, that is, from 05/25/2018, in relation to the points that constitute the object of the procedure, and the alleged infringements are assessed according to the sanctioning regime regulated in the RGPD and the LOPDGDD. This being the case, the prescription of the infringements must be assessed in accordance with the provisions of this sanctioning regime and not in accordance with that established in Organic Law 15/1999 (LOPD). In this sanctioning procedure, the following infringements are charged:
1. Infringement for breach of the provisions of Articles 13 and 14 of the RGPD, typified in Article 83.5.b) and classified as minor for prescription purposes in Article 74.a) of the LOPDGDD.
2. Infringement for breach of the provisions of Article 6 of the RGPD, typified in Article 83.5.a) and classified as very serious for prescription purposes in Article 72.1.b) and c) of the LOPDGDD.
In accordance with the provisions of Articles 72.1 and 74.1 of the LOPDGDD, infringements considered very serious prescribe after three years and minor infringements prescribe after one year, counted from the commission of the offence until the opening of the procedure with the knowledge of the interested party. In this case, all the factual circumstances set out in the following Legal Grounds, which support the commission of the infringements declared in this act, took place within the year prior to the opening of the procedure, in the case of the minor infringement, and within the previous three years, in the case of the very serious infringement; with the limit in the latter case of the date of application of the RGPD (05/25/2018), in view of the object of the aforementioned file. This being the case, neither of the two offences committed had prescribed at the time the notification of the opening of the procedure to CAIXABANK took place.
- 4. The enumeration of the graduation criteria in the opening agreement, without any reasoning and without specifying whether they are applied as aggravating or mitigating factors, as a cause of lack of defence.
In the opinion of this Agency, the agreement to initiate the procedure is in accordance with the provisions of Article 68 of the LOPDGDD, according to which it is sufficient to specify the facts that motivate the opening, identify the person or entity against whom the procedure is directed, the offence that may have been committed and its possible sanction (in this case, among the different corrective powers contemplated in Article 58.2 of the RGPD, the Agency deemed appropriate the imposition of a fine, in addition to the adoption of measures to bring its conduct into line with the regulations, without prejudice to what might result from the instruction of the procedure). Article 64.2 of the LPACAP is expressed in the same sense, expressly establishing the minimum content of the initiation agreement. According to this provision, among other details, it must contain "the facts that motivate the initiation of the procedure, their possible legal qualification and the penalties that may correspond, without prejudice to what results from the instruction". In this case, not only are the aforementioned requirements fully met, but the agreement goes further by offering reasons that justify the possible legal qualification of the facts assessed at the outset and even the circumstances that may influence the determination of the sanction. In accordance with the foregoing, it cannot be said that pointing out the possible sanction that may correspond to the imputed infringements, with mention of the circumstances that influence its determination, is a cause of lack of defence.
CAIXABANK, in this case, has had all the guarantees of the interested party provided by the procedural regulations respected, and it cannot be said that the enumeration of the circumstances or factors for the graduation of the fine entails any reduction of those guarantees causing a lack of defence. Article 68 of the aforementioned LOPDGDD regulates the content that the agreement initiating the sanctioning procedure must include. However, this is the minimum content required, the elements that must be detailed in the aforementioned agreement for it to be valid. Nothing prevents, as indicated above, the mention of the circumstances that may influence the determination of the sanction, which undoubtedly benefits the interested party, whose right of defence is reinforced and favoured.
III
The actions outlined in the Background of this act are intended to analyse the information offered in general by CAIXABANK on the protection of personal data, through all the channels used by the entity (CAIXABANK's compliance with the principle of transparency established in Articles 5, 12 and following of the RGPD, and related provisions); the different processing operations on personal data carried out by the entity according to the information offered, in relation to clients or persons who have any other relationship with it, including the analysis of the mechanisms used to obtain the consent of the data subjects; as well as the entity's compliance with the rest of the principles relating to processing established in Article 5 of the RGPD. All this within the framework of the new regulations, constituted by the RGPD, applicable since 05/25/2018, and the LOPDGDD, in force from the day following its publication in the Official State Gazette, which took place on 12/06/2018.
CAIXABANK has reported that it began its adaptation to the RGPD in 2016, and that this was carried out mainly through the implementation of the document called "Framework Contract" in June 2016, of which there have since been six versions, dated 06/20/2016, 11/22/2016, 03/14/2017, 11/12/2018, 12/20/2018 and 09/17/2019, according to what that entity has informed this Agency. It has also declared that the "Framework Contract" regulates the entire customer relationship with CAIXABANK and the Group companies whose products it sells, informs of all the processing operations derived from the contractual relationship and requests the necessary consents for the processing of personal data at Group level. This document, which serves as a form for collecting personal data and which the client endorses with their signature, is the one used by CAIXABANK as the primary means of complying with the transparency requirements and of obtaining the manifestation of consent by clients for the processing of their personal data. Of the six versions, the 4th version (Annex I), dated by CAIXABANK on 11/12/2018, and the two subsequent ones that modify it slightly will be reviewed in this procedure (the 5th version presents some modifications in section 6.4 "Subscription of documents and contracts by electronic signature" and deletes section 7.2, referring to "Processing of biometric data in the electronic signature of documents"; and version 6 presents changes in section 4 "Compliance with regulatory obligations in tax matters", but without significant changes in terms of personal data protection), since these are the versions that show greater adaptation to the GDPR and, furthermore, for reasons of timing.
The first three versions (1, 2 and 3) refer to the LOPD and do not address specific issues regulated in the RGPD, such as the legal basis of the processing (legal obligation, legitimate interest or consent); the rights of erasure, restriction and portability; the right to lodge a complaint with the Spanish Data Protection Agency; the existence of a data protection officer and the means enabled to contact them. In the proposed resolution, it was indicated that the 3rd version of the "Framework Contract" constituted the information offered by CAIXABANK on 05/25/2018 and that it shows the deficiencies described, among others. In relation to this issue, CAIXABANK has alleged that version 4 was implemented in June 2018 and not in November of that year, and provides a copy of a "Framework Contract" signed by a client on 06/08/2018, whose content coincides with that of this 4th version, outlined in Annex I. It should be noted in this regard that it was CAIXABANK itself that dated version 4 of this document in November 2019, as stated in the documentation provided to the inspection services. In any case, this circumstance does not modify any of the conclusions expressed in the proposed resolution or in this act on the information defects found and in relation to the processing of the data, based on the content of this 4th version and those subsequently made by CAIXABANK. It has already been said that the changes made in versions 5 and later with respect to version 4 only affect the processing of biometric data in the electronic signature of documents and compliance with regulatory obligations in tax matters.
The aforementioned 4th version, dated by CAIXABANK on 11/12/2018, is the first version that addresses specific issues regulated in the RGPD, such as the legal basis of the processing (legal obligation, legitimate interest or consent); the rights of erasure, restriction and portability; the right to lodge a complaint with the Spanish Data Protection Agency; the existence of a data protection officer and the authorised means to contact them. The complete content of this version, as regards the protection of personal data, appears in Annex I. This "Framework Contract", as stated in its section 2, establishes the basic rules that will regulate the commercial, business and contractual relationships formalised between the client and CAIXABANK. Thus, this document dedicates sections 3 to 6 to informing about and regulating essential issues governing the business relationships, such as those relating to the prevention of money laundering and terrorist financing, compliance with regulatory obligations in tax matters, the application of international economic and financial sanctions and the fight against fraud, or the general aspects of contracting products and services, which will not be the object of these actions, except for the references to the processing operations derived from these matters contained in the following sections of the contract. The following sections of the "Framework Contract" deal with the "Privacy Policy", the use and processing of personal data and the authorisations for the use of the data that is carried out for the development of the commercial activity of CaixaBank and the CaixaBank Group companies, which are of interest for the purposes of the present sanctioning procedure.
It is also of interest to analyse in this file the information on data protection offered in general by CAIXABANK and the mechanisms for giving consent enabled through other means or channels, referred to in the Background of this agreement, given that the "Framework Contract" contains a specific reference to these other media. Specifically, we refer to the following documents:
- "Privacy Policy" available on the entity's website: section 7 of the "Framework Contract" states "You can find information complementary to that provided in this contract, regarding the processing of your personal data, at www.CaixaBank.com/privacidad".
- Social media contract: section 8 of the "Framework Contract" details the personal data used for the purposes described in that same section. Among them are mentioned "the data obtained from social networks that the signatory authorises to be consulted". Said authorisation is provided in the so-called Social Networks Contract.
- Aggregation service contract: section 8 of the "Framework Contract" details the personal data used for the purposes described in that same section. Among the data used for the purposes described in that same section 8 of the "Framework Contract" is mention of "data obtained from third parties as a result of data aggregation requests made by the signatory". Said request is formalised through the so-called Aggregation Service Contract.
In addition to the aforementioned "Framework Contract", to offer information on the protection of personal data and obtain the consent of its clients for data processing for "commercial" purposes and the transfer of data to third parties, CAIXABANK uses the document it calls "Consent Agreement".
As stated in the heading of this document, through it the client is requested to give "Authorisation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group". Of this "Consent Agreement" there are three versions (the one provided by the claimant on 01/24/2018, outlined in the First Fact, Version 1; the one provided by CAIXABANK on 07/10/2018, outlined in the Second Fact and transcribed in Annex II, Version 2; and the one attached to the Inspection Certificate dated 11/28/2019, outlined in the Fourth Fact, the details of which are also included in Annex II, Version 3). For reasons of timing, this procedure dispenses with the examination of the document provided by the claimant, which predates the date of application of the RGPD. On the other hand, considering the object of the aforementioned preliminary investigation actions, the information offered on this matter in the forms used to contract products or services that, due to their specialty, include their own data protection clauses, as reported by CAIXABANK, is not examined either, except as regards the aforementioned contracts by which the client consents to access to personal data on social networks and to the "aggregation service". Nor is the conduct of the companies that make up the so-called "CaixaBank Group" examined as regards compliance with the principle of transparency or the specific procedures they have enabled to obtain the consent of their clients for the processing of personal data that they carry out or intend to carry out, or in relation to the other aspects outlined. The analysis of the procedures established by CAIXABANK for the management of clients' rights is also excluded; the only matter of interest is the mechanisms arranged so that the client can revoke the consents given, to the extent that this mechanism is also used for the modification of those consents, and may therefore lead to the provision of new ones.
Likewise, although part of the information contained in the Impact Assessments provided by CAIXABANK has been outlined in the Background, no data security analysis is carried out. In accordance with the foregoing, the conclusions that may be derived from this procedure will not entail any pronouncement regarding the aspects discarded above, or in relation to the CaixaBank Group entities.
IV
In accordance with the delimitation expressed in the previous Legal Ground, for the purposes of this procedure the content of interest is that relating to the protection of personal data in the "Framework Contract" and the "Consent Agreement" ("Authorisation/revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group"), the "Privacy Policy" accessible through the entity's website and the information offered in relation to personal data from social networks and the aggregation service. The content of these documents is reproduced in the Annexes. The "Framework Contract", which serves as a data collection form and which is the document used primarily to provide information on the protection of personal data, is presented as a mandatory subscription for the client, expressly establishing that the signature of the document implies that the client "knows, understands and accepts its content". It is also established that the terms and conditions apply generally to all "commercial relationships" of the interested party "with CaixaBank and the CaixaBank Group companies, and therefore, the subscription and validity of this Agreement, respecting the corresponding rights of choice that the clause grants the Signatory, is necessary for the contracting and maintenance of product or service contracts".
The options or "choices" referred to in the previous paragraph concern the consents collected in the clauses of the "Framework Contract" that are subject to effective acceptance by the client, which must be provided during the contracting process and which are incorporated, once those options have been expressed by the client, into the personal and socioeconomic data section of the header. These are the consents for the processing of personal data requested from the interested party in clause 8 (profiling and segmentation, receipt of commercial communications and transfer to third parties). The information provided to the interested party in this document in relation to the protection of personal data is structured according to the legal basis that legitimises the processing of the data, dedicating section 7 to the processing "based on the performance of contracts, legal obligations and legitimate interest, and privacy policy", and section 8 to the "processing and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank group based on consent". The aforementioned section 7 includes a subsection relating to the "processing of biometric data in the electronic signature of documents" and provides information on the "Processing based on legitimate interest", included as one of the headings of the subsection that informs about data processing "for regulatory purposes".
For its part, section 8 reports on processing based on "consent", which CAIXABANK groups into the following three purposes, and also informs about the "data" that will be processed for the first two of the purposes listed below: "(i) data analysis and study processing for commercial purposes by CaixaBank and companies of the CaixaBank group (ii) processing for the commercial offer of products and services by CaixaBank and the companies of the CaixaBank group (iii) the transfer of data to third parties". To this should be added sections 9, "Exercise of rights in matters of data protection", and 10, "Data Protection Officer", as well as a subsection dedicated to the "Data retention period" inserted in section 11, which refers to the duration, termination and modification of the contract. Section 11 is not related to the procedure (applicable law and jurisdiction). And section 13 corresponds to the signing of the document. Its heading is "Digitisation of the signature and identification documentation of the client" and it offers the following information: "The signature that the Signatory places at the bottom of this Contract, in addition to having the purpose of accepting the content of this Contract, will be used for digitisation and registration, in order to serve as a basis for verifying signatures placed on any document presented to CaixaBank..."; "[...] For the identification of the client by the entity's employees, the Signatory expressly authorises CaixaBank to digitise and register their official identification document, which includes the digitisation of the image contained in the photograph it incorporates".
The following Legal Grounds will not detail the content of the document called by CAIXABANK "Consent Agreement" ("Authorisation/Revocation"), since its structure and content coincide almost literally with clause 8 of the "Framework Contract" (the references made in these Legal Grounds to this clause 8 or section 8 apply equally to the "Consent Agreement", unless otherwise specified). However, the differences that can be seen between both documents will be pointed out. Likewise, the "Privacy Policy" document available on the CAIXABANK website, which is incorporated as Annex V, with thirteen sections, provides generic information on the identity of the controller (without referring to the existence of a "common repository" of CAIXABANK and the Group companies), data collected, information obtained from browsing the website and mobile applications, purposes, legal basis covering the data processing, security, data retention, disclosures, international transfers, data protection officer and rights of the data subject. It is worth highlighting that this "Privacy Policy", when referring to uses based on consent, warns the data subject that "all the data we have about you" may be used; and in the section "To whom is my data disclosed?" information is given about the exchange of information with companies of the CaixaBank Group. Finally, in relation to the obtaining and use of personal data of the data subject from social networks or obtained through the aggregation service, information is given on the data, purposes, processing based on consent and rights of the data subject. In the latter case, information is also given about data processing based on legitimate interest and data retention. The full content of this information (except the sections excluded from the analysis) is reproduced in the Annexes.
V
Article 5 "Principles relating to processing of personal data" of the RGPD establishes: "1. Personal data shall be: a) processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency'); b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation'); c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed ('data minimisation'); d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay ('accuracy'); e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes in accordance with Article 89(1), subject to implementation of the appropriate technical and organisational measures required by this Regulation in order to safeguard the rights and freedoms of the data subject ('storage limitation'); f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality
'). 2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 ('accountability')". In relation to the aforementioned principles, Recital 39 of the RGPD states: "39. Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed. The principle of transparency requires that any information and communication relating to the processing of those personal data be easily accessible and easy to understand, and that clear and plain language be used. That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data and how to exercise their rights in relation to such processing. In particular, the specific purposes for which personal data are processed should be explicit and legitimate and determined at the time of the collection of the personal data. The personal data should be adequate, relevant and limited to what is necessary for the purposes for which they are processed. This requires, in particular, ensuring that the period for which the personal data are stored is limited to a strict minimum. Personal data should be processed only if the purpose of the processing could not reasonably be fulfilled by other means.
In order to ensure that the personal data are not kept longer than necessary, time limits should be established by the controller for erasure or for a periodic review. Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted. Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing".
VI
Article 4 of the RGPD, under the heading "Definitions", provides the following: "2) 'processing' means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction". In accordance with this definition, the collection of personal data through the forms enabled for this purpose constitutes data processing, in respect of which the controller must comply with the principle of transparency established in Article 5.1 of the RGPD, according to which personal data shall be "processed lawfully, fairly and in a transparent manner in relation to the data subject ('lawfulness, fairness and transparency')", and developed in Chapter III, Section 1, of the same Regulation (Articles 12 and following).
Article 12.1 of the aforementioned Regulation establishes the obligation of the controller to take appropriate measures to "provide any information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing to the data subject in a concise, transparent, intelligible and easily accessible form, using clear and plain language, in particular for any information addressed specifically to a child". Article 7 of the RGPD is expressed in the same sense for cases in which the data subject's consent is given in the context of a written declaration, as occurs in the present case. According to this article, the request for consent "shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language". This provision adds that any part of such a declaration which constitutes an infringement of the Regulation shall not be binding. Article 13 of the aforementioned legal text details the "information to be provided where personal data are collected from the data subject", and the aforementioned Article 14 refers to the "information to be provided where personal data have not been obtained from the data subject". In the first case, when the personal data are collected directly from the data subject, the information must be provided at the time the data are collected.
Article 13 of the RGPD details this information in the following terms:

"1. Where personal data relating to a data subject are collected from the data subject, the controller shall, at the time when personal data are obtained, provide the data subject with all of the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d) where the processing is based on Article 6, paragraph 1, letter f), the legitimate interests pursued by the controller or by a third party;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the appropriate or suitable safeguards and the means by which to obtain a copy of them or where they have been made available.
2.
In addition to the information referred to in paragraph 1, the controller shall, at the time when personal data are obtained, provide the data subject with the following further information necessary to ensure fair and transparent processing:
a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
b) the existence of the right to request from the controller access to and rectification or erasure of personal data concerning the data subject, or restriction of processing, or to object to processing, as well as the right to data portability;
c) where the processing is based on Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
d) the right to lodge a complaint with a supervisory authority;
e) whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, as well as whether the data subject is obliged to provide the personal data and the possible consequences of failure to provide such data;
f) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. Where the controller intends to further process the personal data for a purpose other than that for which they were collected, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any relevant further information referred to in paragraph 2.
4. Paragraphs 1, 2 and 3 shall not apply where and insofar as the data subject already has the information".
Article 14 regulates the information that must be provided in relation to data that are not collected directly from the data subject:

"1. Where personal data have not been obtained from the data subject, the controller shall provide the data subject with the following information:
a) the identity and the contact details of the controller and, where applicable, of the controller's representative;
b) the contact details of the data protection officer, where applicable;
c) the purposes of the processing for which the personal data are intended, as well as the legal basis for the processing;
d) the categories of personal data concerned;
e) the recipients or categories of recipients of the personal data, if any;
f) where applicable, the fact that the controller intends to transfer personal data to a recipient in a third country or international organisation and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Articles 46 or 47 or Article 49, paragraph 1, second subparagraph, reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.
2.
In addition to the information referred to in paragraph 1, the controller shall provide the data subject with the following information necessary to ensure fair and transparent processing in respect of the data subject:
a) the period for which the personal data will be stored or, if that is not possible, the criteria used to determine that period;
b) where the processing is based on Article 6, paragraph 1, letter f), the legitimate interests pursued by the controller or by a third party;
c) the existence of the right to request from the controller access to and rectification or erasure of personal data concerning the data subject, or restriction of processing, and to object to processing, as well as the right to data portability;
d) where the processing is based on Article 6, paragraph 1, letter a), or Article 9, paragraph 2, letter a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
e) the right to lodge a complaint with a supervisory authority;
f) the source from which the personal data originate and, where applicable, whether they came from publicly accessible sources;
g) the existence of automated decision-making, including profiling, referred to in Article 22, paragraphs 1 and 4, and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.
3. The controller shall provide the information referred to in paragraphs 1 and 2:
a) within a reasonable period after obtaining the personal data, and at the latest within one month, having regard to the specific circumstances in which the personal data are processed;
b) if the personal data are to be used for communication with the data subject, at the latest at the time of the first communication to that data subject; or
c) if a disclosure to another recipient is envisaged, at the latest when the personal data are first disclosed.
4. Where the controller intends to further process the personal data for a purpose other than that for which they were obtained, the controller shall provide the data subject, prior to that further processing, with information on that other purpose and with any other relevant information referred to in paragraph 2.
5. Paragraphs 1 to 4 shall not apply where and insofar as:
a) the data subject already has the information;
b) the provision of such information proves impossible or would involve a disproportionate effort, in particular for processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes, subject to the conditions and safeguards referred to in Article 89, paragraph 1, or insofar as the obligation referred to in paragraph 1 of this Article is likely to render impossible or seriously impair the achievement of the objectives of that processing.
In such cases the controller shall take appropriate measures to protect the data subject's rights and freedoms and legitimate interests, including making the information publicly available;
c) obtaining or disclosure is expressly laid down by Union or Member State law to which the controller is subject and which provides appropriate measures to protect the data subject's legitimate interests; or
d) where the personal data must remain confidential subject to an obligation of professional secrecy regulated by Union or Member State law, including a statutory obligation of secrecy".

For its part, Article 11.1 and 2 of the LOPDGDD provides the following:

"Article 11. Transparency and information to the data subject
1. Where personal data are obtained from the data subject, the controller may comply with the duty of information established in Article 13 of Regulation (EU) 2016/679 by providing the data subject with the basic information referred to in the following paragraph and indicating an electronic address or other means that allows easy and immediate access to the remaining information.
2. The basic information referred to in the previous paragraph must contain, at least:
a) The identity of the controller and of its representative, if applicable.
b) The purpose of the processing.
c) The possibility of exercising the rights established in Articles 15 to 22 of Regulation (EU) 2016/679.
If the data obtained from the data subject are to be processed for profiling, the basic information shall also include this circumstance.
In this case, the data subject must be informed of their right to object to the adoption of automated individual decisions that produce legal effects concerning them or similarly significantly affect them, where this right exists in accordance with Article 22 of Regulation (EU) 2016/679".

In relation to this principle of transparency, account is also taken of what is expressed in Recitals 32, 39 (reproduced in the previous Legal Basis), 42, 47, 58, 60, 61 and 72 of the RGPD. Part of the content of these Recitals is reproduced below:

(32) Consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her, such as by a written statement, including by electronic means, or an oral statement. This could include ticking a box when visiting an internet website, choosing technical settings for information society services, or another statement or conduct which clearly indicates in this context the data subject's acceptance of the proposed processing of his or her personal data. Silence, pre-ticked boxes or inactivity should therefore not constitute consent. Consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them. If the data subject's consent is to be given following a request by electronic means, the request must be clear, concise and not unnecessarily disruptive to the use of the service for which it is provided.

(42) Where processing is based on the data subject's consent, the controller should be able to demonstrate that the data subject has given consent to the processing operation.
In particular in the context of a written declaration on another matter, safeguards should ensure that the data subject is aware of the fact that, and the extent to which, consent is given. In accordance with Council Directive 93/13/EEC (LCEur 1993, 1071), a declaration of consent pre-formulated by the controller should be provided in an intelligible and easily accessible form, using clear and plain language, and it should not contain unfair terms. For consent to be informed, the data subject should be aware at least of the identity of the controller and the purposes of the processing for which the personal data are intended. Consent should not be regarded as freely given if the data subject has no genuine or free choice or is unable to refuse or withdraw consent without detriment.

(47) The legitimate interests of a controller, including those of a controller to which the personal data may be disclosed, or of a third party, may provide a legal basis for processing, provided that the interests or the fundamental rights and freedoms of the data subject are not overriding, taking into consideration the reasonable expectations of data subjects based on their relationship with the controller. Such a legitimate interest could exist, for example, where there is a relevant and appropriate relationship between the data subject and the controller, in situations such as where the data subject is a client or in the service of the controller. At any rate, the existence of a legitimate interest would need careful assessment, including whether a data subject can reasonably expect, at the time and in the context of the collection of the personal data, that processing for that purpose may take place.
In particular, the interests and fundamental rights of the data subject could override the interests of the controller where personal data are processed in circumstances in which the data subject does not reasonably expect further processing to take place ... The processing of personal data strictly necessary for the purposes of preventing fraud also constitutes a legitimate interest of the controller concerned. The processing of personal data for direct marketing purposes may be regarded as carried out for a legitimate interest.

(58) The principle of transparency requires that any information addressed to the public or to the data subject be concise, easily accessible and easy to understand, and that clear and plain language and, additionally, where appropriate, visualisation be used ...

(60) The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed. The data subject should also be informed of the existence of profiling and of the consequences of such profiling. Where the personal data are collected from the data subject, the data subject should also be informed whether he or she is obliged to provide the personal data and of the consequences of not doing so ...

(61) The information in relation to the processing of personal data should be given to the data subject at the time of collection from the data subject or, where the personal data are obtained from another source, within a reasonable period, depending on the circumstances of the case ...
(72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or the data protection principles ...

CAIXABANK, according to the proven facts, processes personal data obtained from customers, directly or "indirectly", as well as personal data obtained from sources other than the data subjects or inferred by the entity. It is therefore obliged to provide information in the terms established in the RGPD and the LOPDGDD.

- The information offered to CAIXABANK clients is not uniform.

Having analysed the information on the protection of personal data offered by CAIXABANK, considering the various documents and channels through which it is offered, it is found that it is not uniform, not even in terminology; it is not offered with the same breadth to all clients and in all situations (in some cases the "Framework Contract", in others the "Consent Agreement", and for other clients only the "Privacy Policy"); and it is not updated in the same way in each case.

CAIXABANK has argued that the duty of information is fulfilled with the "Framework Contract" and not with the rest of the documents, which are merely complementary to it, are used at different times and in different scenarios rather than simultaneously, and are not intended to comply with what is mandated by Article 13 of the Regulation, since they are addressed to clients who are already informed. However, this claim does not match the checks carried out. It is true that the "Framework Contract" is the document used primarily, and that it also serves as a form for collecting personal data and the consents gathered by CAIXABANK for commercial purposes.
But it has been proven that the information on data protection was provided to some customers only through the "Consent Agreement" and the "Privacy Policy", without their having signed the "Framework Contract". The "Consent Agreement", although it has been and is currently used as a document to revoke and modify consents, was conceived as a document to "authorise" data processing on this legal basis, just like the "Framework Contract", and has not lost that character (its initial name was "Authorisation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank Group", and its current name is "Authorisation/Revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank Group"). It is proven that the "Framework Contract" is used for the collection of consents, but not in the case of all clients. CAIXABANK itself, in its response to the Agency's Inspection Services dated 07/17/2018, stated that the "Consent Agreement" is used not only to modify the consents given but also to collect them. The claimant is an example of a client who has not signed the "Framework Agreement" and provided their consents through the "Consent Agreement", signed on 01/24/2018 and modified in May 2018, as could be seen in the inspection carried out on 11/28/2019 (as of that date, the claimant had not signed the "Framework Contract"). The same can be said of the "Privacy Policy" available on the entity's website. Although the "Framework Contract" indicates that the Privacy Policy contains "information complementary to that provided in this contract", the Privacy Policy has also been the only information on the protection of personal data that some clients have received, namely those who signed neither the "Framework Agreement" nor the "Consent Agreement".
CAIXABANK was consulted in this regard by the Agency's Inspection Services on the procedures put in place to make the "Privacy Policy" updated to the RGPD known to clients who predated the application of this rule, and on the mechanisms for collecting their acceptance. In its response of 11/20/2019, CAIXABANK reported that the "Privacy Policy" is intended to provide complete information to customers who in May 2018 had not signed the framework contract, and it distinguishes, since May 2018, the following situations:
- That of "pre-existing" clients, who signed the "Framework Contract" or who received the "Privacy Policy".
- That of new clients, who in their first relationship sign the "Framework Contract".

In relation to the "Privacy Policy", it provided details about its delivery to existing customers as of May 2018, specifically the sending of 15,917,507 communications, of which 5,663,683 were made by postal mail and 10,253,824 through remote banking with a warning pop-up ("If you want to know more about our commitment to your data and your privacy, you have a statement available in your MailBox - Access MailBox"). Also, in its brief of allegations at the opening of the procedure, the entity refers to clients prior to May 2018, distinguishing between those who have signed the "Framework Agreement", those who have signed the "Consent Agreement" and those others who were asked and did not answer.

On the other hand, these documents are not uniform in their content either, as will be described in the following sections and Legal Bases.
As an example of these differences, the differences found between the "Framework Contract" and the "Consent Contract" may be cited, the most significant being that the latter document offers information basically equivalent to Clause 8 of the "Framework Contract", so that customers who sign this document do so without having essential information. But this is not the only difference in terms of information content:
- Version 2 of the "Consent Agreement" (Annex II) referred to the management of the data "from a common information repository of the CaixaBank Group Companies", which does not appear in the "Framework Contract" (this indication disappears in Version 3 of that document).
- Differences regarding the exercise of rights, the existence of a Data Protection Officer and the data retention period, which are detailed in the last two sections of this Legal Basis.
- Version 3 of the "Consent Agreement", in authorisation (ii) of the section corresponding to purpose 1 ("Analysis, study and follow-up processing for the offer and design of products and services adjusted to the client profile"), adds the possibility of associating the data of the signer with those of other clients, which does not appear in the "Framework Contract".

As can be seen, the different information that customers receive depends on the document used in each case to provide the information, in addition to its differing content, beyond the processes of updating those documents alleged by CAIXABANK to justify this deficiency. CAIXABANK says nothing about these circumstances in its brief of allegations to the proposal, in which it only indicates that the proposal seems to assume that all clients have access to all documents and, in particular, that all clients have both the "Consent Agreement" and the "Framework Agreement", which does not coincide with what has been set out.
CAIXABANK denies this lack of uniformity but, at the same time, alleges that the improvement process it has carried out has been a reconciliation of all the documents.

- Use of imprecise terminology and vague formulations

In accordance with the foregoing, at the time of collecting personal data the controller must provide data subjects with the information established in the cited rules, "in a concise, transparent, intelligible and easily accessible form, using clear and plain language". CAIXABANK does not report clearly and systematically on the processing of personal data or on the purposes for which they will be used. At times the information on key aspects, such as the categories of personal data processed, the purposes or the legal basis that enables the processing, uses unclear and imprecise expressions, or vague formulations, with ambiguous meanings in some cases and whose true scope is not developed; expressions that are repeated and that CAIXABANK uses to support different actions, processing operations, purposes or legal bases. In addition, with some of these expressions the data protection policy is presented as a benefit for the client, implying that not accepting it will mean the loss of customer benefits. Examples are expressions such as "get to know you better", "customise your experience", "commercial offers tailored to your needs and preferences", "improve the design and usability of the products", "products and services adjusted to your profile", "information generated from the products themselves", "analysis and study", "study products and services" or "design products and services", "for our own management", "give you a better service", "communicate your data to third parties with whom we have an agreement", "reasonable expectation of receiving", "management needs", "analysis, study and follow-up for the offer and design of products and services adjusted to the profile".
Nor can the data subject clearly deduce the meaning of these expressions from the context in which the information is offered and the data subject's expression of will is collected, or from the context of the contractual relationship that binds the data subject to the responsible entity. On this contextual or factual basis, the client is not able to understand which data will be recorded or the meaning of the purposes pursued by CAIXABANK with the processing when these are not clearly specified, especially considering the variety and complexity of the purposes of the personal data processing carried out by CAIXABANK in its capacity as a financial institution occupying a relevant position in the market, which requires additional care when specifying the information on these aspects. From all this it follows that the information offered in this matter is indeterminate in the aspects indicated and difficult for any data subject to understand, regardless of their qualifications, and it demonstrates the extent to which one needs to be an expert to understand such information and its scope. The terminology in those expressions, in short, is alien to strict compliance with the principle of transparency, and prevents data subjects from knowing the meaning and real significance of the indications provided and the real scope of the consents that may be given, which leads to the conclusion that the right to the protection of personal data, understood as the ability of the affected person to decide on the processing, has been violated. CAIXABANK, in its arguments at the opening of the procedure, limits itself to describing these arguments as subjective appraisals, with no evidence to show what the clients do or do not understand, adding that external work has been carried out to verify that the contractual documents can be easily understood by the average customer, which it does not provide.
However, in the opinion of this Agency, the lack of clarity of those formulas or expressions is obvious and objective, as demonstrated by the difficulty of determining their real and concrete scope. The expressions so often repeated by CAIXABANK in the documents reviewed are included as examples of bad practice in the Article 29 Working Party document "Guidelines on transparency under Regulation 2016/679", adopted on 11/29/2017 and revised on 04/11/2018. These Guidelines analyse the scope to be attributed to the elements of transparency established in Article 12 of the RGPD, according to which the controller shall take appropriate measures to "provide the data subject with all information referred to in Articles 13 and 14 and any communication under Articles 15 to 22 and 34 relating to processing in a concise, transparent, intelligible and easily accessible form, using clear and plain language", which must be read together with Recital 39 of the Regulation. From what is stated in these Guidelines, the following is highlighted at this time:

"The requirement that information be 'intelligible' means that it should be understood by an average member of the intended audience. Intelligibility is closely linked to the requirement to use clear and plain language. An accountable data controller will have knowledge about the people they collect information about, and it can use this knowledge to determine what that audience would likely understand..."

<< Clear and plain language
In the case of "written" information (and where written information is delivered orally, or by audio or audiovisual methods, including for people with vision problems), best practices for clear writing should be followed.
The EU legislator has previously used a similar linguistic requirement (calling for the use of "clear and comprehensible terms"), and it is also explicitly mentioned in the context of consent in Recital 42 of the RGPD. The requirement for clear and plain language means that information should be provided in as simple a manner as possible, avoiding complex sentence and language structures. The information should be concrete and definitive; it should not be phrased in abstract or ambivalent terms or leave room for different interpretations. In particular, the purposes of, and legal basis for, processing the personal data should be clear.

Examples of poor practice
The following phrases are not sufficiently clear as to the purposes of processing:
- "We may use your personal data to develop new services" (as it is unclear what the "services" are or how the data will help develop them);
- "We may use your personal data for research purposes" (as it is unclear what kind of "research" this refers to); and
- "We may use your personal data to offer personalised services" (as it is unclear what the "personalisation" entails).

Examples of good practice
- "We will retain your shopping history and use details of the products you have previously purchased to suggest other products which we believe you will also be interested in" (it is clear what types of data will be processed, that the data subject will be subject to targeted advertisements for products, and that their data will be used for this purpose);
- "We will retain and evaluate information on your recent visits to our website and how you move around the different sections of our website for analytics purposes, to understand how people use our website so that we can make it more intuitive" (it is clear what type of data will be processed and the type of analysis the controller is going to undertake); and
- "We will keep a record of the articles on our website that you have clicked on and use that information to personalise, based on the articles you have read, the advertising we show you on this website so that it matches your interests" (it is clear what the personalisation entails and how the interests attributed to the data subject have been identified) >>.

The foregoing must be interpreted, in any case, taking into account the principles established in Article 5 of the RGPD, especially the principle of fairness. Recital 42 of the same text also states that the form in which information on the protection of personal data is offered must not contain unfair terms.

- Information on the processing of personal data based on the contractual relationship.

In the section dedicated to purpose 1, "Management of business relationships", CAIXABANK informs about the processing of the following personal data:
- The personal data provided by the client.
- Personal data derived from business relationships.
- Personal data derived from commercial relationships of CAIXABANK and CaixaBank Group companies with third parties (this section does not refer to the business relationship of the data subject/client with CAIXABANK, but to relationships of this entity and the Group companies with third parties, without explaining the nature of these relationships with third parties, without specifying which data from these relationships are necessary for the performance of the contract signed by the data subject/client, and without stating who owns those data).
- Personal data "made from them" (without specifying whether this refers to the last-mentioned data or to all of the above).
- Digitisation and registration of identification documents and signature.
It is considered that the information included in this section should be rectified and suitably completed so as to allow assessing and determining with certainty whether the processing operations outlined can be covered by this legal basis (the performance of the contract) or whether, on the contrary, their collection and subsequent processing require the consent of the data subject. It is necessary to know what CAIXABANK understands by data derived from commercial relationships or data "made from them", and what use is made of them for the fulfilment of the contractual relationship. Likewise, it is necessary to point out the confusion about the legal basis of the processing (processing for the performance of the contract or based on consent) produced by the mention in this section of "Commercial Relations" and of what CAIXABANK calls "commercial purposes". The sub-section label reads "Processing of personal data in order to manage business relationships", within a more general section relating to processing "based on the performance of the contract", while the text also refers to the processing that the signer accepts for commercial purposes. The text reads as follows: "The personal data of the signer ... will be incorporated ... to be processed in order to comply with and maintain them (commercial relations), verify the correctness of the operation and the commercial purposes that the signer accepts in this contract".

- Information on the categories of personal data subjected to processing, and on the specific categories of personal data that will be processed for each of the specific purposes.

The information offered is incomplete in relation to key aspects, such as the categories of personal data processed.
In accordance with the criteria stated by the European Data Protection Board, that information is necessary in relation to those processing operations whose legal basis is the consent of the data subject. This is how the Article 29 Working Party understood it in its document "Guidelines on consent under Regulation 2016/679", adopted on 11/28/2017 and revised and adopted on 04/10/2018 (these Guidelines were updated by the European Data Protection Board on 05/04/2020 through the document "Guidelines 05/2020 on consent under Regulation 2016/679", which keeps the parts transcribed below literally identical).

The Article 29 Working Party draws its conclusions from the definition of "consent" contained in Article 4 of the GDPR, which reads as follows: "11) 'consent' of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her".

From this definition, the following are identified as necessary elements for the validity of consent:

* an indication of wishes that is freely given,
* specific,
* informed, and
* unambiguous, by which the data subject, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her.

In relation to the element "specific indication of wishes", the Guidelines state:

"3.2. Specific (…) Ad. ii) Consent mechanisms must not only be separated in order to comply with the requirement that consent be 'free', but must also comply with the requirement that consent be 'specific'. This means that a controller seeking consent for several different purposes must provide the possibility of opting in for each purpose, so that users can give specific consent for specific purposes. Ad.
iii) Finally, controllers must provide, with each separate consent request, specific information about the data that will be processed for each purpose, so that data subjects are aware of the impact of the different choices available to them. This allows data subjects to give specific consent. This issue overlaps with the requirement that controllers provide clear information".

Furthermore, consent, to be valid, must be informed. This element is analysed in the aforementioned Guidelines as follows:

"3.3. Informed

The GDPR reinforces the requirement that consent must be informed. In accordance with Article 5 of the GDPR, the requirement of transparency is one of the fundamental principles, closely related to the principles of fairness and lawfulness. Providing information to data subjects before obtaining their consent is essential so that they can make informed decisions, understand what they are agreeing to and, for example, exercise their right to withdraw their consent. If the controller does not provide accessible information, the user's control becomes illusory and consent will not constitute a valid basis for processing. If the requirements for informed consent are not met, the consent will be invalid and the controller may be in breach of Article 6 of the GDPR.

3.3.1. Minimum content requirements for consent to be 'informed'

For consent to be informed, it is necessary to communicate to the data subject certain elements that are crucial to making a choice.
Therefore, the WP29 considers that at least the following information is required to obtain valid consent: i) the identity of the controller, ii) the purpose of each of the processing operations for which consent is sought, iii) what (type of) data will be collected and used, iv) the existence of the right to withdraw consent, v) information on the use of the data for automated decision-making in accordance with Article 22(2)(c), where relevant, and vi) information on the possible risks of data transfers due to the absence of an adequacy decision and of appropriate safeguards, as described in Article 46 >>.

The information provided in the "Framework Contract" on the types of personal data of clients that are processed is not contained, in general, in a specific section, but is included in each of the sections outlined when the structure of the document was described, which is organised around legal bases, purposes and intended processing operations.

In view of the interpretative criteria on the notion of "informed consent" offered by the European Data Protection Board, it is considered that CAIXABANK does not provide sufficient information on the type of data that will be subject to processing operations whose legal basis is the consent of the data subjects. This insufficiency is observed in the "Framework Contract" and in the "Consent Agreement" in relation to the purposes of "data analysis and study" and "commercial offer of products and services", which are described in section 8, "Processing and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank Group based on consent".
In this section it is stated that, among others, the following data will be processed:

"B) All those generated in the contracting and operation of products and services with CaixaBank, with the CaixaBank Group Companies or with third parties, such as account or card movements, details of direct debits, payroll deposits, claims derived from insurance policies, complaints, etc."

"G) Those obtained from the signatory's browsing of the digital banking service and other websites of CaixaBank and the CaixaBank Group Companies, or of the mobile phone application of CaixaBank and the CaixaBank Group Companies, in which the signatory operates duly identified. These data may include information related to geolocation.

h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties".

All this refers to data processed by reason of the products and services contracted, so that, although these products and services are known to the user, the user cannot know which data will be selected from their use. The same can be said of browsing data and of data obtained from communications established between the client and the entity.

This information warns the data subject that CAIXABANK may process "all" data that "are generated in the contracting and operation of products and services". Some examples follow, preceded by the expression "such as" and ending with the expression "etc.", whose use should be avoided when offering information on data protection. Nor are the examples given descriptive enough to understand the categories of data that will be processed ("movements", "receipts", "payroll", "claims" and "complaints").
In relation to "direct debits", it is indicated that the "details" of the same will be processed; and with respect to all these examples it is indicated, as already said, that "all" data will be processed. In view of this information, it is clear that CAIXABANK will process personal data generated in the contracting and operation of products and services contracted with that entity. With this information it is not clear what personal data CAIXABANK will record for each "movement", "receipt", "payroll", "claim" or "complaint" (for instance, the concept and issuer corresponding to the payment of a union fee?). It could even happen that the information collected by the controller from the products and services contracted includes sensitive data or special categories of personal data, for example the aforementioned union dues, or dues paid to political parties or religious entities, or payments for the use of services provided by healthcare or religious entities.

It is not concluded here that CAIXABANK processes personal data such as those indicated in the previous paragraph. It is simply said, in a ground that analyses the information offered by CAIXABANK to its clients, that this information is defective insofar as it does not allow the recipient of the information to know with certainty all the categories of personal data that will be used by that entity, and that, due to its lack of specificity, that information could even be covering an unacceptable collection and processing of personal data.

The "Privacy Policy" also refers to the use of data generated from the contracted products and services ("Basically, your data are identification data and details of your professional or work activity, your contact information and financial and socioeconomic data, both those that you have provided us and those generated from the products or services contracted.
Also… we may process data that we obtain from the provision of services to third parties when you are the recipient of the service…").

Also, when referring to the personal data that will be used for processing based on the legitimate interest of the entity, the "Framework Contract" informs about the use of information "generated from the products contracted during the last year". The section of the "Framework Contract" regarding legitimate interest states: "We will also process your information (account movements, card movements, loans, etc.) to personalise your commercial experience in our channels based on previous uses, to offer you products and services that fit your profile, to apply benefits and promotions that we have in force and to which you are entitled, and to assess whether we can assign you pre-granted credit limits that you can use when you consider it most appropriate. In these processing operations we will only use information provided by you, or generated from the products contracted during the last year".

In this case, the insufficient information on the categories of data to be processed is not related to the need for informed consent, given that it concerns processing based on the legitimate interest of the entity. However, the possible relationship between this processing of personal data based on legitimate interest and the processing based on the consent of the data subjects must be considered. The use of personal data based on legitimate interest gives rise to the creation of profiles, which can later be used for processing for commercial purposes based on the consent of the data subjects; and such personal data, including those outlined, will be communicated to the companies of the CaixaBank Group. This being the case, the defects in the information in relation to the processing of data based on legitimate interest equally affect the validity of consent.
The obligation to inform on the categories of data that will be subject to processing is also breached in relation to data that are not provided to the controller by the data subject, but are obtained by the controller from external sources or inferred by the entity itself. Providing information on the categories of personal data processed that are not collected directly from the data subjects is expressly required by Article 14(1)(d) of the GDPR.

As detailed above, CAIXABANK not only uses personal data generated in the contracting and operation of products and services contracted with that entity, but also those generated from products and services contracted by the data subject with third parties ("All those generated in the contracting and operation of products and services… with the CaixaBank Group Companies or with third parties"). In relation to these data, the same examples mentioned above are listed ("movements", "receipts", "payroll", "claims" and "complaints"), and the objections already raised apply to them.

It follows that CAIXABANK, in its capacity as controller, collects and uses personal data that it does not obtain directly from the data subjects. These are personal data from third parties that CAIXABANK uses for the purposes expressed in the information provided to the data subjects.

This is not the only reference to personal data obtained from third parties or external sources, or inferred by CAIXABANK, contained in the "Framework Contract":

* In relation to the processing necessary for the performance of the contract, information is provided on the incorporation into the entity's files of data derived from the commercial relationships of CAIXABANK and the Group companies with third parties, and of data made from the above.
* In the section that informs about "Processing of personal data for regulatory purposes", the following references are included: "(ii) Verifications will be made of the information provided by the Signatory, contrasting it with external sources, such as the databases of the General Treasury of Social Security or other public bodies, Public Registries, Official Gazettes, or companies that provide information services". "(iv) The information available regarding the Signatory will be exchanged (transferred and received) with the CaixaBank Group companies. (v) The current or past holding of positions of public responsibility by the Signatory will be verified. (vi) The relationship of the Signatory with companies will be verified using internal and external sources and, where applicable, its position of control in the ownership structure of the same. (vii) The Signatory will be classified in different grades in accordance with the Client Admission Policy, based on the information provided and that resulting from the operations carried out by the Signatory".
* In the same sub-section regarding data processing for regulatory purposes, information is also given on the consultation of data registered in files on compliance or non-compliance with monetary obligations (erroneously included in this sub-section) and in the Risk Information Centre of the Bank of Spain, CIRBE (erroneously included in this sub-section): "7.3.3 Communication with files on compliance or non-compliance with monetary obligations. The Signatory is informed that CaixaBank, when studying the establishment of Commercial Relations, may consult information in files on compliance or non-compliance with monetary obligations".
"7.3.4 Communication of data to the Risk Information Centre of the Bank of Spain. The Signatory is informed of the right of CaixaBank SA to obtain from the Central Risk Information of the Bank of Spain (CIR) reports on the risks it may have registered, when studying the establishment of Commercial Relations".

* In section 8, regarding data processing based on consent (and also in the "Consent Agreement"), it is expressly added that the client's data "may be complemented and enriched by data obtained from companies providing commercial information, by data obtained from public sources, as well as by statistical and socioeconomic data (hereinafter, 'Additional Information'), always verifying that they comply with the requirements established in the current data protection regulations", without providing any details about the categories of personal data that will be obtained from these external sources.

Also, the "Privacy Policy" includes information on the processing of health data "in the marketing of certain insurance products (health, life ...)". As regards these personal data, it is clarified that the controller is the insurance company: "When we market these products, the controller of the health data is the insurance company, therefore we want you to know that all insurance companies whose products we market respect and strictly comply with the data protection regulations".

With the information provided, as indicated above, it is not clear which personal data are processed or which data CAIXABANK will record. The use by CAIXABANK of personal data from third-party products and services, from external sources or inferred by the entity itself, requires that the data subjects be provided with the appropriate information and that there be a legal basis covering the processing.
It should be noted that what is questioned in this case is not the obtaining of personal data from files on compliance with monetary obligations and from CIRBE in order to manage the products and services contracted, provided that it is necessary for the performance of the contract. This is the basis that determines access to this information. However, the use of these personal data by CAIXABANK is not limited to checking the situation of the data subject for the formalisation of a risk operation, but extends to the purposes based on consent. Given that in clause or section 8 information is provided on the processing of "all" the data provided in the establishment or maintenance of commercial or business relationships, CAIXABANK is expected to inform on the specific categories of personal data that will be obtained from the files on compliance or non-compliance with monetary obligations and from CIRBE.

On the other hand, in the case of personal data from third-party products and services, the responsibility for these personal data corresponds to the entity that owns the product acquired by the data subject or that provides the service contracted. When it comes to third-party products or services marketed by CAIXABANK, as in the case of insurance products, this entity accesses such data in the capacity of processor, by virtue of its intermediary role. This Agency questions the use of these data by that entity for the purposes indicated, considering that they are not its own products. The capacity of processor in which CAIXABANK intervenes in these cases limits the possibility of using the information in question for its own purposes.
In short, personal data are collected and processed without the data subjects being aware that CAIXABANK is accessing them to record them in its information systems, subjecting them to processing about which the client is not informed in a clear, precise and simple way, and with non-explicit and undetermined purposes, contrary to the principles relating to processing established in Article 5 of the GDPR (fairness, purpose limitation and data minimisation), since, from the information provided, given its vagueness, the data subject cannot know, as the Constitutional Court has put it, "to what use it is being put and, on the other hand, the power to object to that possession and those uses". This lack of precision renders the information provided about the intended data processing ineffective.

What is indicated above contrasts with the information provided on the entity's website about the personal data collected from social networks:

* Twitter: Name, username, tweets, and user profile information, including biography and location information.
* Facebook: User ID, email address, gender, date of birth, current city, and preferences expressed by you by clicking on "Like" (or Likes).
* LinkedIn: Registered user, name and surname, email address, profile URL, profile information and Groups.

And not only does it not specify what data will be processed, but it also fails to duly inform in all cases about the specific categories of personal data that will be processed for each of the specified purposes. The need to complete the information offered to customers in the sense expressed is especially relevant when it comes to data not provided by the customer, but inferred by the entity itself from the use of products, services and channels.
It cannot be accepted that all information is intended for all uses, that all data collected, from the data subject or from third parties, or inferred, can be used for all purposes, without delimitation. This occurs in relation to the purpose expressed in section 8 of the "Framework Contract" and in the "Consent Agreement" regarding the "transfer of data to third parties" with consent as the legal basis. With the information provided it is not possible for the data subject to have a clear idea of the personal data that will be transferred to the entities of the sectors indicated.

In this regard, the opinion of the aforementioned Article 29 Working Party, "Guidelines on consent under Regulation 2016/679", adopted on 11/28/2017, revised and adopted on 04/10/2018, and revised again in May 2020, when referring to the obligation to inform about the data that will be collected and used, refers to Opinion 15/2011 on the definition of consent, as regards "specific" consent: "To be valid, consent must be specific. In other words, blanket consent without specifying the exact purpose of the processing is not acceptable. To be specific, consent must be intelligible: it should refer clearly and precisely to the scope and consequences of the data processing. It cannot refer to an indefinite set of processing activities. This means, in other words, that consent applies in a limited context. Consent must be given in relation to the different aspects of the processing, clearly identified. This implies knowing what the data are and the reasons for the processing. This knowledge should be based on the reasonable expectations of the parties. 'Specific consent' is therefore intrinsically linked to the fact that consent must be informed. There is a requirement of precision of consent with respect to the different elements of the data processing: it cannot be held to cover 'all legitimate purposes' pursued by the controller.
The consent must refer to the processing that is reasonable and necessary in relation to the purpose".

In general, as has been said, the principle of transparency should be understood as a fundamental aspect of the principles of lawful and fair processing. It is worth reiterating what is expressed in Recitals 39 and 60 and the references they contain to the need to provide information in order to ensure fair and transparent processing:

"39. Any processing of personal data should be lawful and fair. It should be transparent to natural persons that personal data concerning them are collected, used, consulted or otherwise processed and to what extent the personal data are or will be processed ... That principle concerns, in particular, information to the data subjects on the identity of the controller and the purposes of the processing and further information to ensure fair and transparent processing in respect of the natural persons concerned and their right to obtain confirmation and communication of personal data concerning them which are being processed. Natural persons should be made aware of risks, rules, safeguards and rights in relation to the processing of personal data".

"60. The principles of fair and transparent processing require that the data subject be informed of the existence of the processing operation and its purposes. The controller should provide the data subject with any further information necessary to ensure fair and transparent processing, taking into account the specific circumstances and context in which the personal data are processed".
And the also cited document of the Article 29 Working Party, "Guidelines on transparency under Regulation 2016/679", adopted on 11/29/2017 and revised on 04/11/2018, which analyses the scope to be attributed to the principle of transparency, indicates: "A fundamental consideration of the principle of transparency outlined in these provisions is that the data subject should be able to determine in advance the scope and consequences of the processing, and that they should not be taken by surprise at a later point by the use that has been made of their personal information".

In relation to the information on the categories of personal data collected and used by CAIXABANK, the entity alleges that Article 13 of the GDPR does not require that data subjects be provided with this information on a mandatory basis, although it nevertheless offers a sufficiently descriptive list of the types of data processed on the basis of consent, in accordance with the Guidelines 05/2020 on consent under Regulation 2016/679 of the European Data Protection Board (EDPB). Likewise, it alleges (i) that the information it provides on the processing of data on movements, receipts, payroll, claims and complaints is adequate, considering that it concerns products and operations of the client, who knows the information they include; and (ii) that that information does not include sensitive data. In this regard, it warns that the obligation that the AEPD intends to impose would entail, on the one hand, the need to report on specific data, which would imply an information fatigue difficult to overcome; and, on the other hand, it would also mean informing about what is not done, on the basis of a suspicion of processing of sensitive data.

This claim cannot be upheld, in accordance with the arguments already presented in this section.
This Agency considers that the listing of those concepts (movements, receipts, payroll, claims and complaints), without including the detail of the data categories they comprise, is insufficient to meet the obligation to inform on the categories of personal data that are collected and processed and, ultimately, for the data subject to have the essential and necessary information to take decisions and understand what they are authorising, as well as to exercise their rights. Not to mention that those concepts are included as examples, preceded by the expression "such as" and followed by the term "etc.".

Regarding this Agency's suspicion that CAIXABANK could be covering, with the information offered, the collection and processing of special categories of data, it must be reiterated that it results from the very information offered in the documents under examination. On the one hand, it is said that data may be obtained from products and services contracted by the client, "such as account or card movements, details of direct debits, direct debits…, etc.", and on the other hand it is also indicated that "all the data generated in the contracting and operation" of those products and services will be processed. Thus, nothing prevents the understanding that CAIXABANK could collect categories of data such as the issuer and concept of direct-debited receipts, which could refer to the payment of union dues, payments to a healthcare entity, fees to a political party or donations to a religious entity, civil society associations or political activism groups, which could serve to link the data subject with certain ideological positions, race, religion, etc.
In any case, this question has not led to any charge against CAIXABANK for processing data of this nature, although this circumstance is noted, as has been said, to the extent that the information provided is defective and could serve as cover for an unacceptable collection and processing of personal data. The foregoing applies both to personal data generated in the contracting of products and services with CAIXABANK and to those generated in the contracting of products and services with third parties.

On the other hand, in relation to information on the categories of personal data that are not obtained from the data subject, CAIXABANK claims that it complies with this obligation by informing in Clause 8 of the "Framework Contract", where it is indicated that "the data of the signatory may be complemented and enriched by data obtained from companies providing commercial information, by data obtained from public sources, as well as by statistical and socioeconomic data (hereinafter, 'Additional Information'), always verifying that these comply with the requirements established in the current data protection regulations". However, with this information the data subject has no details about the types of data that will be collected from these external sources or how they will be complemented and enriched. It is not enough for these purposes to indicate that data will be collected from external sources, from supplier companies or public sources, which are not categories of personal data; nor is it sufficient to indicate that the customer's data will be complemented with statistical and socioeconomic data without further detail delimiting the categories actually covered. Nothing is indicated either by CAIXABANK in its allegations about the data made from all of the above.

It is also alleged by CAIXABANK that this information cannot be required in relation to the categories of data that are processed on the basis of legitimate interest.
However, this Agency does not require this information in the way expressed by CAIXABANK. What it defends is the need to inform in those cases where the information processed on the basis of legitimate interest, including the profiles prepared on this legal basis, is also used for consent-based processing.

Similarly, in the case of processing based on legitimate interest carried out with personal data that were not obtained from the data subject, the obligation to inform about the categories of personal data used in this processing also stems from the provisions of Article 14 of the GDPR.

Also in relation to information on categories of personal data, CAIXABANK notes that it improves the information in its new Privacy Policy. One only needs to look at the information on data categories that CAIXABANK has included in this new document, submitted to the proceedings together with its allegations to the resolution, to understand that the information analysed cannot be regarded as satisfactory, and that it is not enough to refer to account or card movements, receipts, payroll, claims and complaints. Some examples taken from this new Privacy Policy serve to illustrate categories of data that CAIXABANK does not detail in the documents under examination in the present proceedings, and that the data subject could not deduce from the information provided: family unit or circle; tax data; information on investments made and their evolution; or grouping of clients in categories and segments based on age, assets, operations, consumption habits, preferences and demographics.

Finally, CAIXABANK considers that the incorporation of all that information relating to the type of data would lead to an excessively long document, liable to cause information fatigue in the data subjects.
The WP29 Guidelines on transparency recommend avoiding that consequence, but such an aim cannot be taken as a justification for omitting necessary information. It requires the information to be adequately structured, not limited. These Guidelines require controllers to be proactively accountable in the development and use of methods to comply with the transparency requirements while avoiding fatigue of the data subject. Although they offer numerous recommendations and examples of different ways of providing information, they note that it is the controllers who decide which information tools they use.

- Information on the purposes for which the personal data of clients will be used and the legal basis of the processing. Confusion of legal bases.

Regarding the purposes for which the personal data of clients will be used and the legal basis of the processing, CAIXABANK, in the "Framework Contract", refers to similar processing operations in relation to different purposes, covered by legitimate interest in some cases and by consent in others. This may mean that a processing operation not consented to by the data subject is finally carried out under the legitimate interest of the controller, undermining the ability of customers to decide on the use of their personal information.

In relation to processing based on legitimate interest, information on the purposes is provided in the following terms:

* "We will send you updates and information about products or services similar to those you have already contracted".
* "Personalise your commercial experience in our channels based on previous uses".
* "Offer you products and services that fit your profile".
* "Apply benefits and promotions that we have in force and to which you are entitled".
* "Evaluate if we can assign pre-granted credit limits".
In relation to processing based on consent, information is provided on the purposes in the following terms:
* "Study products or services that can be adjusted to your profile and business or credit situation".
* "Make commercial offers tailored to your needs and preferences".
* "Design new products or services".
* "Define or improve user experiences in their relationship with CaixaBank and the Companies of the CaixaBank Group".
* "Send commercial communications both on paper and by electronic or telematic means, relating to the products and services that, at any given time, are marketed by: a) CaixaBank or any of the CaixaBank Group Companies; b) other companies in which CaixaBank has a stake, and third parties".

The information offered can cause confusion for an average citizen about the legal basis that justifies the processing, in the sense expressed. In this case, (…) it appears that this entity was aware of the deficiencies described above, assessed in relation to the information on the legal basis of the processing.
(…) On the other hand, in the document by which the client signs up to the aggregation service, the object of the contract includes the customisation by CAIXABANK of offers adjusted to the profile and situation of the contracting party, the improvement of risk analysis and of suitability for contracting the products and services requested by the contracting party, and the improvement of the management of defaults and incidents derived from the products and services contracted; and among the processing operations cited for the purpose of managing the service are the improvement of the management of non-payments and incidents and product tracking; while the "Framework Contract" requires the client's consent to carry out personal data processing for these purposes (the mention of the processing indicated in the object of the aggregation service contract and in relation to service management has been removed in the new version of this contract provided by CAIXABANK with its statement of allegations). The information on the purposes is, in general, closely linked to the principle of purpose limitation, regulated in Article 5.1 b) of the RGPD, which establishes the following: "1. Personal data shall be: b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall, in accordance with Article 89(1), not be considered to be incompatible with the initial purposes ('purpose limitation')". The importance of this principle is determined by its object, which is none other than to establish the limits within which personal data can be processed and the extent to which they can be used, as well as to determine the data that can be collected.
To be "explicit", a purpose must be unequivocal and clearly stated, in enough detail for the interested party, any interested party, to know with certainty how their data will or will not be processed, facilitating the exercise of their rights and the evaluation of compliance with the regulations. To be "explicit", the purpose must also be disclosed, and that must take place at the time the personal data are collected. On this issue, the Article 29 Working Party ruled in its Opinion 03/2013 on purpose limitation. In that work it was considered that purposes expressed with vague or too general formulas, such as "improving user experience", "marketing purposes" or "future research", should be rejected as non-specific. That Opinion indicates that the more complex the processing of personal data is, the more detailed and exhaustive the specification of the purposes should be, "including, among other things, the way in which personal data is processed. They must also disclose the decision criteria used to create customer profiles". In accordance with the foregoing, the purposes for which personal data will be processed, about which CAIXABANK informs its clients, do not conform to the transparency requirements mentioned, especially if we consider the huge amount of personal data that it submits to processing, individually or globally considered, and the complex technical processes to which they are subjected, especially for profiling, which is used for all the purposes described in the information offered to its clients:
* "Personalize your commercial experience in our channels".
* "Offer you products and services that fit your profile."
* "Analysis, study and monitoring processing for the offer and design of products and services adjusted to the customer profile".
* "Study products or services that can be adjusted to your profile and business or credit situation."
* "Commercial offers tailored to your needs and preferences."
* "Define or improve user experiences."

In its allegations, CAIXABANK once again responds to the conclusions reached by this Agency from the analysis of the documents in question, this time in relation to the confusion caused by the information about data processing carried out on the basis of legitimate interest and of consent, highlighted above, only by pointing out, again, that the new Privacy Policy "reconfigures the divergences between the processing based on legitimate interest and consent". Also in this case it offers no explanation for the above deficiencies, to which CAIXABANK does not refer.

- Information about the legitimate interest of the controller

Likewise, the aforementioned provisions establish the obligation of the controller to inform about the legitimate interests on which the processing of personal data is based (Articles 13 and 14 of the RGPD establish the obligation to inform about the "legitimate interests of the controller or of a third party"). However, the information offered by CAIXABANK remains undefined as to the basis of the processing, so it does not duly substantiate this authorisation for the processing of data and is therefore contrary to the principle of transparency. Recital 47 of the RGPD is especially clarifying in the task of specifying the content and scope of this legitimising basis of processing, described in Article 6.1 f) of the RGPD. From what is stated in that Recital, it is interesting to highlight, as an interpretative criterion, that the application of this legitimising basis must be predictable for its recipients, taking into account their reasonable expectations. The Article 29 Working Party prepared Opinion 6/2014 on the "notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC", dated 04/09/2014.
Although Opinion 6/2014 was issued to favour a uniform interpretation of Directive 95/46, then in force and since repealed by the RGPD, given the almost total identity between its Article 7 f) and Article 6.1 f) of the RGPD, and bearing in mind that the reflections the Opinion offers are an expression and application of principles that also inspire the GDPR, such as the principle of proportionality, or of general principles of Community law, such as the principle of equity and respect for the law, many of its reflections can be extrapolated to the application of the current regulation, the RGPD. The Opinion refers to the "concept of interest" in the following terms: "The concept of 'interest' is closely related to the concept of 'purpose' mentioned in Article 6 of the Directive, although these are different concepts. In terms of data protection, 'purpose' is the specific reason why the data are processed: the aim or intention of the data processing. An interest, on the other hand, refers to the broader stake that the controller may have in the processing, or to the benefit that the controller obtains, or that society may obtain, from the processing. For example, a company may have an interest in ensuring the health and safety of the personnel who work at its nuclear power plant. Accordingly, the company may have the purpose of applying specific access control procedures that justify the processing of certain personal data in order to ensure the health and safety of personnel. An interest must be articulated clearly enough to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be 'pursued by the controller'. This requires a real and present interest, corresponding to current activities or to benefits that are expected in the very near future.
In other words, interests that are too vague or speculative will not be sufficient. The nature of the interest may vary. Some interests may be compelling and beneficial to society at large, such as the interest of the press in publishing information about government corruption or the interest in carrying out scientific research (subject to appropriate safeguards). Other interests may be less pressing for society as a whole or, in any case, the impact of pursuing them on society may be more mixed or controversial. This may, for example, apply to the economic interest of a company in learning as much as possible about its potential customers in order to better target advertising for its products and services". In the conclusions section of the Opinion the following is added: "The concept of 'interest' is the broader stake that the controller may have in the processing, or the benefit that it derives, or that society may derive, from the processing. It may be compelling, clear or controversial. The situations referred to in Article 7 f) may therefore range from the exercise of fundamental rights or the protection of important personal or societal interests to other less obvious or even problematic contexts. … It must also be articulated sufficiently clearly and be specific enough to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. It must also represent a real and present interest, that is, it must not be speculative". The "interest" goes beyond the "purpose". In the terms of WG29, it represents "the broader stake that the controller may have in the processing, or the benefit that the controller derives"; while "purpose", in data protection terms, "is the specific reason why the data are processed: the aim or intention of the data processing". In this case the "interest" is not expressed.
CAIXABANK does not report, in the "Framework Agreement" or in the "Privacy Policy", any specific interest when referring to the data processing that it plans to carry out under this legal basis. It limits itself to indicating the processing carried out on this legal basis and the purposes, mainly commercial, for which personal data are processed, but no legitimate interest of CAIXABANK in the sense expressed. This Agency considers that these processing operations, as they are described in the documents by which the interested parties are informed in terms of data protection, cannot rely on the legal basis of legitimate interest, which requires an assessment to determine which interests or rights prevail. This weighing must take into account "the reasonable expectations of the interested parties based on their relationship with the controller", understood as what the interested party can perceive or deduce as reasonable by themselves on the basis of the specific circumstances of each case, as could reasonably be foreseen at the time of data collection. The term "reasonable expectation" should always be used with care, taking into account the position held by the controller and the interested party and the legal nature of the relationship or service that links them, which could lead to the subsequent use of the latter's personal data. The context is taken into account in order to define, on the basis of all this, the subsequent processing of the data that the interested party can expect to be carried out. This "reasonable expectation" must be deducible by the customer themselves.
The information provided by CAIXABANK on the use of data on the basis of legitimate interest is contrary to the above approach, since such information is insufficient to justify this legal authorisation and to carry out the weighing exercise that allows it to be determined whether those reasons prevail over the interests and rights of the interested party, limiting the possibility for the client to correctly assess the entity's conduct. The specific determination of CAIXABANK's interest, articulated with sufficient clarity, would allow the interested party to set their own interests against it. It also enables a better analysis of whether that interest is real and present. All this without forgetting what has already been indicated in relation to the use of imprecise terms and vague formulations in the information provided, in particular with regard to the definition of the purposes. Regarding the legitimate interest of the controller and the balancing test, the Article 29 Working Party document "Guidelines on transparency under Regulation 2016/679", adopted on 11/29/2017 and revised on 04/11/2018, offers the following criteria: "The specific interest in question must be identified for the benefit of the data subject. As a matter of good practice, the controller can also provide the data subject with the information resulting from the 'balancing test', which must be carried out in order to rely on Article 6.1 f) as a lawful basis for processing, in advance of any collection of the data subjects' personal data. To avoid information fatigue, this can be included within a layered privacy statement/notice (see section 35). In any case, the position of the WG29 is that the information provided to the data subject should make it clear that they can obtain information on the balancing test upon request.
This is essential for transparency to be effective where data subjects have doubts as to whether the balancing test has been carried out fairly or wish to lodge a complaint with the supervisory authority". On the other hand, regarding the data processing carried out on the basis of legitimate interest, both the "Framework Agreement" and the "Privacy Policy" indicate the following:
* Sending "updates and information about products or services similar to those you have already contracted".
* Information processing to "personalize your commercial experience in our channels based on previous uses".
* Offer of products and services "that fit your profile".
* Data processing "to apply benefits and promotions that we have in force and to which you are entitled".
* Data processing "to assess whether we can assign you pre-granted credit limits."

However, it has been verified that CAIXABANK carries out other personal data processing based on legitimate interest about which it does not inform the interested parties at any time. (…) Some of these processing operations, and others, are also mentioned in the document called "Processing of personal data based on legitimate interest", which can be accessed through the website "caixabank.es", incorporated into the proceedings by the Agency's Inspection Services on 07/01/2020 and reproduced in Annex VI:
* Monitoring of the fulfilment of the objectives, incentives or awards set for our employees.
* Communication of data between CaixaBank and the companies in which it has a stake for the purpose of producing internal reports (without personal data), which allow us, among other things, to carry out market studies and mathematical models to establish the business strategy of the CaixaBank Group.
* Creation of statistical models (without personal data) that help the Entity to better know the preferences and tastes of our clients, contributing to the improvement of the design and execution of commercial actions, as well as producing aggregate reports on the results of the models to track customer behaviour.
* Structuring and profiling of the information processed by the Entity to keep the resources and technical systems prepared to efficiently meet management needs.
* Control and supervision of the Entity's activity through samples and self-evaluations for the purpose of identifying and assessing possible risks in the marketing of products, and to control and evaluate compliance with internal rules and regulations.
* Control and supervision of operations in order to prevent fraud, both against customers and against the Entity itself.

However, this document is not provided to the interested parties, nor is there any reference to it in the "Framework Agreement", the "Consent Agreement" or the "Privacy Policy", so CAIXABANK cannot be certain that customers have accessed this information and is not in a position to prove such access. About this document called "Processing of personal data on the basis of legitimate interest" it is also worth highlighting that the list of processing operations based on legitimate interest that it contains is presented as an open list that "will be updated permanently to include new processing operations, or to cancel those that cease to be performed". This statement by CAIXABANK should be rejected, as it could lead to the performance of data processing about which the interested parties are not promptly informed in the documents they sign on the protection of personal data, as is the case in the examples indicated.
If the interested parties are not duly informed about the processing operations, and even less about the specific interest pursued by the controller with those processing operations that are not reported, it is difficult for them to set CAIXABANK's legitimate interests against their own interests and rights, nor do they even have the opportunity to exercise the right to object. In its brief of allegations to the proposed resolution, CAIXABANK makes no mention of this lack of information on the legitimate interest pursued, which implies a breach of the provisions of Article 13.1 d) of the RGPD, nor of the other circumstances set out in this section.

- Information on profiling

Another important aspect related to the subject analysed has to do with the use of personal data for the preparation of customer profiles, understood as any form of processing of personal data that evaluates personal aspects relating to a natural person. According to Article 13.1 c) of the RGPD, the controller must inform the interested party of the purposes of the processing, as well as its legal basis, which means that it must inform about profiling when the controller has foreseen such a purpose, and specify the legal basis that covers the processing for that purpose. Article 11 of the LOPDGDD establishes the minimum content of the basic information to be provided to the interested party: "2. The basic information referred to in the previous section must contain, at least: (…) If the data obtained from the affected party were to be processed for profiling, the information shall also cover this circumstance". Recital 60 of the RGPD also refers to the obligation to "inform the interested party about the existence of profiling and the consequences of such profiling".
On the principles relating to the processing of personal data when it consists of profiling, the Article 29 Working Party Guidelines on automated individual decision-making and profiling for the purposes of Regulation 2016/679, adopted on 10/03/2017 and revised on 02/06/2018, indicate the following: "Transparency of processing is a fundamental requirement of the GDPR. The profiling process is often invisible to the data subject. It works by creating derived or inferred data about individuals ('new' personal data that has not been provided directly by the data subjects themselves). Individuals have differing levels of comprehension and may find it challenging to understand the complex techniques involved in profiling and automated decision-making processes". "Given the core principle of transparency underpinning the GDPR, controllers must ensure they explain clearly and simply to individuals how the profiling or automated decision-making process works. In particular, where the processing involves profiling-based decision-making (irrespective of whether it falls within the scope of Article 22), the fact that the processing is for the purposes of both (a) profiling and (b) making a decision based on the profile generated must be made clear to the data subject. Recital 60 states that providing information about profiling is part of the controller's transparency obligations under Article 5(1)(a). The data subject has a right to be informed by the controller about, and, in certain circumstances, a right to object to, 'profiling', regardless of whether solely automated individual decision-making based on profiling takes place".
"Controllers must explicitly bring details of the right to object under Article 21(1) and (2) to the data subject's attention, and present it clearly and separately from any other information (Article 21(4)). Under Article 21(1) the data subject may object to processing (including profiling) on grounds relating to their particular situation. Controllers are specifically required to provide for this right in all cases where processing is based on Article 6(1)(e) or (f)". The information that is the object of the proceedings refers to profiling on numerous occasions when describing the purposes for which the data will be used, or the purposes detailed entail these profiling operations. This can be understood, for example, in relation to the personalisation of offers or of the client's experience, or the purpose of "knowing you better". Therefore, CAIXABANK processes the personal data of its clients in order to profile them, and later uses those profiles. In most of the cases in which it refers to profiling or to the use of data resulting from profiling activities, its action is based, according to the information it provides to the interested parties, on their consent (Clause 8 of the Framework Contract); except with regard to the "personalisation of the experience" of the client or the sending of information in which the client may have an interest, which CAIXABANK bases on legitimate interest, on which it has already been indicated that the information is insufficient.
For the reasons already expressed in relation to the lack of justification of the legitimate interest, the same conclusion applies to processing operations that include profiling or are based on these profiles and that have their legal basis in the legitimate interest of the controller. In addition, in relation to the profiling operations, in the opinion of this Agency the information requirements described are not met. CAIXABANK limits itself to informing about actions that may be developed adapted to the "customer profile" or "personalised", but offers no information on the type of profiles to be made, the specific uses to which those profiles are going to be put, or the possibility for the interested party to exercise the right to object under Article 21.2 RGPD when the profiling is related to direct marketing activities. In the terms of WG29, the profiling is not "explained clearly and simply to individuals", nor are they warned about the adoption of decisions "based on the profile generated", regardless of whether they fall within the scope of Article 22. The concept of profiling is not systematised by CAIXABANK. In fact, the Privacy Policy only talks about "knowing you better, that is, studying your needs to know what new products and services fit your preferences and analysing the information that allows us to determine your creditworthiness in advance", omitting profiling, despite the fact that, as stated, this purpose requires prior profiling. This is a breach of the provisions of Article 11 of the LOPDGDD. In this case, moreover, the processing operations based on customer profiling go beyond improving the experience or sending commercial offers adjusted to the needs and preferences of the client, to the point that such profiling is used by CAIXABANK to design products and services or to improve the design and usability of existing ones, that is, for its own business.
CAIXABANK dedicates a subsection of its allegations to profiling, but without offering any explanation of the deficiencies noted, to which it does not refer. In relation to the profiling operations, in its allegations at the opening of the procedure CAIXABANK points out that the clause drafted in 2016 (referring to Clause 8 of the "Framework Contract", the one relating to processing based on the client's consent) included processing operations, at a time when clear criteria were not available, which could rely on a legal basis other than consent, such as legal obligations (fraud control and risk management) or the contractual relationship (monitoring and adoption of recovery measures). It adds that what has occurred is an excess of information. Later, in its allegations to the proposed resolution, it reiterates this allegation, indicating that the error made in that clause (corrected in the new Privacy Policy) was to list processing operations that had nothing to do with consent for profiling. And it lists the specific processing operations that, in its opinion, can be covered by a legal basis other than legitimate interest (the list of processing operations to which this allegation refers is set out in the following Legal Basis). However, this claim is not related to the deficiencies found in the information offered on profiling, set out above, and is analysed in the following Legal Basis, in the section that examines the processing of data based on the consent of the interested parties. It should be clarified now that it was CAIXABANK itself that decided to base the profiling on consent.
On the other hand, it must be added that the conclusions expressed do not judge the information offered on account of its breadth (CAIXABANK alleges an excess of information and provides an example of a shortened clause); rather, what is assessed is whether it is sufficient and adequate to the standard. In relation to this issue of profiles, CAIXABANK alleges that Clause 8 of the "Framework Contract" informs about the purposes, indicating that consent is given for the "analysis, study and follow-up for the offer and design of products adjusted to your client profile", and that information is provided on profiling by making explicit the processing operations that include this purpose ("Study products or services that can be adjusted to your profile and specific business or credit situation"). It has already been said that the information offered sometimes refers to profiling when describing the purposes for which the personal data will be used. But the information contained in Clause 8 of the "Framework Contract" does not make up for the absence of information on other purposes that involve profiling operations about which the customer is not warned. Furthermore, CAIXABANK does not explain the lack of information, in general, on the types of profiles and the uses to which they are to be put, so that the interested party has clear knowledge of the operation of these profiles and, above all, of the consequences of their elaboration. These circumstances are not mentioned by CAIXABANK in its allegations, and nothing is said in them to justify not informing the interested party of the possibility of exercising the right to object, where appropriate.

- Information on the exercise of rights, the possibility of lodging a complaint with the Spanish Data Protection Agency, the existence of a Data Protection Officer and their contact details, and retention periods.
On the other hand, the information provided by CAIXABANK on the exercise of rights, the possibility of lodging a complaint with the Spanish Data Protection Agency, and the existence of a Data Protection Officer and their contact details is not uniform across all the documents analysed. The "Framework Agreement" and the "Privacy Policy" of CAIXABANK inform about the rights that correspond to the interested party regarding the protection of personal data, including the revocation of the consents granted, as well as the channels for exercising them. They also inform about the possibility of filing a complaint with the Spanish Data Protection Agency and about the existence of a Data Protection Officer for the CaixaBank Group of companies, indicating the means to contact them. The "Consent Agreement" or document of "Authorization / Revocation of consents", on the other hand, in version 2 reported on the possibility of exercising rights, but without mentioning those established in the applicable regulations, and did not refer to the existence of a Data Protection Officer; these deficiencies were corrected in version 3 of the document. When referring to the use of data based on legitimate interest, the "Framework Agreement" expressly warns about the possibility of objecting. The Privacy Policy does not mention the right to object, but indicates "… if you prefer that we not do it, you just have to tell us, in…". The right to object is also reported in the document inserted on the CAIXABANK website regarding the "Processing of personal data based on legitimate interest". The information offered for access to customers' personal data on social networks informs about the rights contained in the LOPD, not those of the RGPD: "You may exercise the rights of access, rectification, cancellation and opposition in accordance with the data protection regulations.
To exercise these rights, you must go to the address of CaixaBank…". Likewise, the contract regulating the aggregation service informs about the rights and the channels for exercising them, the possibility of contacting the Data Protection Officer and of lodging a complaint with this Agency, but does not expressly mention the possibility of revoking consent or the right to object; the following is indicated: "The non-acceptance or subsequent opposition to the processing of your data, for the purposes detailed below, implies that CaixaBank will not be able to offer you, or (where appropriate) will stop offering you, the aggregation". This information is modified in the new stipulations of the Aggregation Service Contract, (…)

- Information on retention periods of personal data

As indicated in relation to the issues in the previous section, the information provided on the data retention periods is not uniform across the documents that are the object of the proceedings. Regarding data retention, the "Framework Agreement" includes a specific section on this question (11.3) with the following content: "Your data will be processed as long as the established contractual or business relationships, or the commercial use authorizations granted, remain in force. Once the use authorizations have been revoked, or six months after the end of the established contractual or business relationship, your data no longer being necessary for the purposes for which they were collected or processed, your data will no longer be processed. In accordance with the regulations, the data will be kept for the sole purpose of complying with the legal obligations imposed on CaixaBank and/or Group Companies, and for the formulation, exercise or defence of claims, during the limitation period of the actions derived from the contractual or business relationships entered into".
However, in section 7.1 "Processing of personal data for the purpose of managing Commercial Relations" it is indicated that the data will be cancelled upon the termination of all business relationships, without mentioning the six-month period after the end of the business relationships: "… At the time of cancellation by the Signatory of all Commercial Relations, the aforementioned data processing will cease, and your data will be cancelled in accordance with the provisions of the applicable regulations, CaixaBank keeping their use duly limited until the actions derived from them have prescribed". On the other hand, the so-called "Consent Agreement" or "Authorization / revocation for the processing of personal data for commercial purposes by CaixaBank, SA and companies of the CaixaBank group", for its part, indicated in its version 2 that the data would be processed as long as the use authorizations granted or the contractual or business relationships established remained in force, but without warning about the use during the six months after the end of said contractual relationships. That six-month data usage period was added in version 3 of this document, with a scope similar to that set out in the "Framework Contract": "The authorizations you grant will remain in effect until they are revoked or, in the absence of this, up to six months after you cancel all your products or services with CaixaBank or any company of the CaixaBank Group". The section of the "Privacy Policy" relating to the retention of personal data has similar content. In none of these cases is the retention of the data during the six months after the end of the contractual or business relationships justified.
The information regarding access to customers' personal data on social networks does not contain any indication about the retention of personal data. Meanwhile, the contract that regulates the aggregation service, although it informs that the data will be processed while the contractual relationships remain in force, warns that, in the event that the data are processed on the basis of your consent, they may be processed as long as it is not withdrawn, even after the relationship has ended. The clauses of the contract of this aggregation service indicate: "The data will be processed as long as the relationships derived from the contractual relationships remain in force, and will be kept (during the limitation period of the actions derived from said relationships) for the sole purpose of complying with the required legal obligations, and for the formulation, exercise or defense of claims. However, in the event that the data are processed on the basis of your consent, they may be processed until you withdraw it. Notwithstanding the foregoing, CaixaBank informs you that it will proceed to delete from its systems the data collected by the aggregation service: (i) in the event of the removal of a financial institution, CaixaBank will proceed to delete the data of the removed financial institution; (ii) in the event that the contracting party notifies us of his withdrawal from the Service, CaixaBank will proceed to delete the data of all third-party financial institutions". (In the new clause of the Aggregation Service Contract, the information on the retention of personal data in relation to processing for commercial purposes is modified, indicating that the data will be processed until the revocation of consent or until twelve months after the end of the contractual relationship).
CAIXABANK has alleged that the retention period of six months after the end of the contractual relationship is a self-imposed measure, that there is no legal obligation to justify that period, and that the indication of a period of six months in some cases and twelve in others responds to the fact that each client has a contract, so that there is no single retention period. On this issue, it should be clarified that what is judged here is not the appropriateness and regularity of these periods, nor whether or not they comply with the principle established in article 5 of the RGPD, but the information offered, which is not uniform across the information offered to data subjects. The accused entity itself has highlighted in its brief of allegations the convenience of regularizing this information. These differences in the retention period cannot be justified by the contract that binds the client to the entity, since the period in question does not refer to the retention of the data related to the business relationship, but to the use authorizations.

Throughout this Legal Basis the deficiencies found in relation to the fulfillment of the duty of information in matters of data protection by CAIXABANK have been described; they can be summarized, succinctly, as follows:

. The information offered to CAIXABANK clients is not uniform. The documents prepared by CAIXABANK to inform customers use different terminology to refer to the same questions and do not have the same content, so that the information is not offered with the same breadth in all cases.
. Vague terminology and vague formulations are used, with ambiguous meanings in some cases, and whose true scope is not developed, making it difficult for the recipient of the information to determine its real and concrete scope.
. The information offered on the processing of personal data based on the contractual relationship does not allow assessing whether all the processing operations included in this section can rely on that legal basis.
. Information on the categories of personal data subject to processing, and on the specific categories of personal data that will be processed for each of the specific purposes. This requirement is not met in relation to:
. Data processing whose legal basis is determined by the consent of the data subject, for which personal data obtained from the use of the products and services contracted by the client, browsing data and data obtained from the communications established between the client and the entity are used.
. Data processing whose legal basis is determined by the legitimate interest of CAIXABANK and whose purpose is to prepare profiles that are subsequently used to carry out data processing based on the consent of the data subject.
. The personal data obtained by CAIXABANK from external sources or inferred by the entity itself. These include the data obtained by CAIXABANK from products and services contracted by the data subjects with third parties, including those of third-party products and services marketed by CAIXABANK; as well as the data derived from CAIXABANK's own commercial relations with third parties and data produced from the above.
. Not all cases are duly informed about the specific categories of personal data that will be processed for each of the specified purposes.
. Information on the purposes for which the personal data of the clients will be used and the legal basis of the processing. Confusion of legal bases.
. The "Framework Contract" refers to similar processing operations in relation to different purposes, covered by legitimate interest in some cases and by consent in others.
. The document signed by the client for registration in the aggregation service informs about purposes linked to the object of the contract which the "Framework Contract", instead, associates with processing operations for which the client's consent is required.
. Information about the legitimate interest of the controller:
. The "interest" is not expressed. CAIXABANK does not inform in the "Framework Contract" or in the "Privacy Policy" about any specific interest when referring to the data processing that it plans to carry out under this legal basis.
. The information is insufficient to justify this legal basis and to carry out the balancing test that allows determining whether said reasons prevail over the interests and rights of the data subject, limiting the possibility that the client can correctly weigh the entity's conduct.
. CAIXABANK processes personal data based on legitimate interest in cases about which it does not inform the data subjects at any time.
. The document called "Processing of personal data based on legitimate interest" includes a list of processing operations based on legitimate interest that is presented as an open list.
. Profiling information
. The legitimate interest of CAIXABANK in the elaboration of profiles for the "personalization of the experience" of the client or for sending information in which the client may be interested.
. No information is offered on the type of profiles to be made, the specific uses to which these profiles are going to be put, or their operation and the consequences of their elaboration.
. There is no information on the exercise of the right to object when the profiling is related to direct marketing activities.
. The Privacy Policy omits the creation of profiles in relation to the purpose of "getting to know you better, that is, studying your needs to know what new products and services are adjusted to your preferences and analyzing the information that allows us to determine in advance what your creditworthiness is".
. Information on the exercise of rights, the possibility of lodging a complaint with the Spanish Data Protection Agency, the existence of a Data Protection Delegate and their contact details, and retention periods.
. The "Consent Agreement" informed about the possibility of exercising the rights, but without mentioning those that are established in the applicable regulations.
. The right to object is not mentioned in the Privacy Policy.
. The information offered for access to customers' personal data on social networks reports on the rights contained in the LOPD, not in the RGPD.
. The contract that regulates the aggregation service did not expressly mention the possibility of revoking consent and exercising the right to object.
. The information on retention periods for personal data is not uniform:
. According to section 11.3 of the "Framework Agreement", personal data will no longer be processed within six months of the end of the contractual relationships, while section 7.1 of the same document does not mention said period and reports that the processing will cease with the cancellation of the contractual relationships.
. The so-called "Consent Agreement", in its version 2, did not warn about the use of personal data during the six months after the end of said contractual relationships. That six-month data usage period was added in version 3.
. The information regarding access to customers' personal data on social networks does not contain any indication about the storage of personal data.
. The contract that regulates the aggregation service reported that data processing based on the consent of the client may be carried out as long as consent is not withdrawn, even after the relationship has ended. The new clauses of this contract indicate that the data will be processed until the revocation of consent or until twelve months after the termination of the contractual relationship.
CAIXABANK, in its allegations, limits itself to stating generically that it complies with the requirements established in the applicable regulations, in articles 13 and 14 of the RGPD, or else to denying the stated conclusions, without offering in any case any justification regarding the irregularities observed, which it does not even mention. On many occasions, it simply qualifies those defects or omissions as a mere error to which no effect can be attributed. At other times, while denying those non-compliances, it admits the defects and claims that the improvement process carried out has corrected them. It goes on to state that it does not claim that the information was perfect or that there were no errors, but that this does not mean that there was any breach. This is the case, for example, in relation to the lack of uniformity of the information offered; the confusion about the legal bases generated by the information offered on the data processing carried out based on legitimate interest and consent; the information on the legitimate interest pursued and the processing of personal data carried out for commercial purposes covered by this legal basis; in relation to profiling; or in relation to the information provided on the exercise of rights and the data retention period. In general, CAIXABANK presents this supposed regularization as sufficient to prevent any type of liability from being demanded, without considering that these are substantive breaches that affect the validity of the information and basic principles of the protection of personal data. On the other hand, in its allegations to the proposed resolution, CAIXABANK refers as a priority to the question regarding the comprehension of the text, in relation to the use of imprecise terminology and vague formulations, although it is only one of the many points highlighted in the overview above.
The aforementioned entity alleges that it has not been proven that the expressions used are not clear and understandable for the "member of the target audience" (Guidelines on Transparency), in breach of the principle of presumption of innocence, and provides the results of a survey and a user test carried out by an external and independent company which, according to CAIXABANK, certify that clients fully understand the information provided (the details of these external works are outlined in the Twelfth Antecedent). In this regard, it clarifies that by providing this evidence it is assuming a reversal of the burden of proof that violates its fundamental rights. These external studies were carried out through telephone surveys of 171 clients, the first, and 100 non-client users, the second. The first of these surveys consisted of reading to the respondent an extract from Clause 8 of the "Framework Contract" and then asking them some questions about it (…). In the second work, the screens for collecting the user's consent, their dynamics and context, as well as the entirety of clause 8 of the "Framework Contract", were transferred, simulating the experience of a signer of this document in a branch office. (…) CAIXABANK also provides a report from a company specialized in linguistics on the analysis made of two clauses of the "Framework Contract", one of them Clause 8, in which the recommendations made are minimal.
With the result of this study and of those surveys, according to which an average percentage higher than 90% had understood that the information offered in the aforementioned Clause 8 included the content of the questions, CAIXABANK intends to respond not only to the question concerning the use of imprecise terminology, but also to many other breaches outlined in this Legal Basis, such as the lack of specification of the categories of personal data processed, the lack of information on the purposes and the confusion of legal bases. This Agency does not share the approaches expressed by CAIXABANK in its allegations. In the preceding sections it has been demonstrated with sufficient rigor and detail that CAIXABANK does not comply with the established information requirements and that the non-compliances found are not the result of mere errors, so the claim for exemption from liability made by CAIXABANK on the basis of the alleged regularization of those errors, carried out by the one who invokes them, must be rejected. Regarding the lack of evidence on the non-understanding of the analyzed texts by clients, alleged by CAIXABANK, it is understood that this Agency has examined the use of the expressions cited in the corresponding section of this Legal Basis and has sufficiently substantiated the reasons why the terminology and expressions used must be rejected. This conclusion is based on consolidated criteria, such as those expressed by the Article 29 Working Group in its "Guidelines on transparency under Regulation 2016/679", which are known to CAIXABANK. The Article 29 Working Group was established under Directive 95/46/EC on an advisory and independent basis, and its opinions and recommendations serve as an interpretive element in the matter at hand, as admitted by case law.
Currently, the European Data Protection Board is the body with competence to issue guidelines, recommendations and good practices in order to promote the consistent application of the GDPR. On the other hand, the use of these indeterminate expressions occurs throughout the entire text of the documents analyzed, and not only in Clause 8 of the "Framework Contract", to which the studies provided by CAIXABANK refer. Therefore, the conclusions of these studies prove nothing to the contrary regarding the lack of definition of the information offered, in general. It is not said here that the information provided is not comprehensible at all, since obviously the difficulties in understanding ambiguous or indeterminate expressions affect the parts of the text in which they are used. But it can be said that the understanding by the client of a part of the text of a document does not mean that they understand all the text in all the documents. And it should also be noted that the information is not valid for the sole reason that it is understandable. The studies provided do not refer to important aspects that are questioned in this resolution, whose understanding by clients does not modify the conclusions of this Agency and the consequences of the respective non-compliance.
This can be said, by way of example, (i) in relation to the defects found regarding the lack of information on the legal basis of the processing operations: although the data subjects understand that their data will be provided to the Group companies, this circumstance does not remedy the lack of information on the legal basis for this transfer of data; or (ii) regarding the use of personal data obtained from "the contracting and operations of products and services with third parties": the fact that the client understands that these data will be used does not remedy the lack of information on the categories of personal data that are collected and processed; or (iii) on the data processing mentioned in Clause 8 that has a purpose other than the three indicated in that same Clause 8: although the client may understand these processing activities, this does not resolve the fact that they are carried out without a legal basis (as will be seen in the following Legal Basis). From a technical point of view, the work carried out indicates nothing about the selection of the sample of clients who were interviewed (it is only indicated that people who signed the "Framework Contract" in the last year were selected); the wording of the questions is schematic, neither precise nor clarifying of the content of the information, and the questions do not have as their object essential aspects, such as those related to profiles, their elaboration and use; and it is not acceptable for the survey to be conducted on an extract from the information, the content of which, moreover, does not exactly coincide with that of Clause 8 of the "Framework Contract". It is, in short, a minimal survey compared to the purposes and data processing contemplated in the information provided by CAIXABANK to its clients in terms of data protection.
Consequently, in accordance with the evidence presented, the facts described in this Legal Basis constitute a violation of the principle of transparency regulated in articles 13 and 14 of the RGPD, which gives rise to the application of the corrective powers that article 58 of the aforementioned Regulation grants to the Spanish Data Protection Agency.

VII

Articles 6 and 7 of the same RGPD refer, respectively, to the "Lawfulness of processing" and the "Conditions for consent":

Article 6 of the RGPD. "1. Processing shall be lawful only if at least one of the following conditions is met: a) the data subject has given consent to the processing of their personal data for one or more specific purposes; b) the processing is necessary for the performance of a contract to which the data subject is party or for the application at their request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the controller; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the controller or by a third party, provided that such interests are not overridden by the interests or fundamental rights and freedoms of the data subject which require the protection of personal data, in particular when the data subject is a child. The provisions of letter f) of the first paragraph shall not apply to processing carried out by public authorities in the exercise of their functions. 2. Member States may maintain or introduce more specific provisions in order to adapt the application of the rules of this Regulation with respect to processing in compliance with paragraph 1, letters c) and e), setting more precisely specific processing requirements and other measures to ensure lawful and fair processing, including for other specific processing situations according to chapter IX. 3. The basis for the processing indicated in paragraph 1, letters c) and e), must be established by: a) Union law, or b) the law of the Member State that applies to the controller. The purpose of the processing must be determined in said legal basis or, in relation to the processing referred to in paragraph 1, letter e), must be necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller. Said legal basis may contain specific provisions to adapt the application of the rules of this Regulation, among others: the general conditions that govern the lawfulness of processing by the controller; the types of data being processed; the data subjects affected; the entities to which personal data may be communicated and the purposes of such communication; purpose limitation; the data retention periods, as well as the processing operations and procedures, including measures to ensure lawful and fair processing, such as those relating to other specific processing situations pursuant to chapter IX. The law of the Union or of the Member States shall meet an objective of public interest and shall be proportionate to the legitimate aim pursued. 4. When processing for a purpose other than that for which the personal data were collected is not based on the consent of the data subject or on the law of the Union or of the Member States which constitutes a necessary and proportionate measure in a democratic society to safeguard the objectives indicated in article 23, paragraph 1, the controller, in order to determine whether the processing for another purpose is compatible with the purpose for which the personal data were initially collected, shall take into account, among other things: a) any relationship between the purposes for which the personal data were collected and the purposes of the planned further processing; b) the context in which the personal data were collected, in particular with regard to the relationship between the data subjects and the controller; c) the nature of the personal data, specifically when special categories of personal data are processed, in accordance with article 9, or personal data regarding criminal convictions and offences, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization".

Article 7 of the RGPD. "1. Where processing is based on the consent of the data subject, the controller shall be able to demonstrate that the data subject has consented to the processing of their personal data. 2. If the data subject's consent is given in the context of a written declaration which also concerns other matters, the request for consent shall be presented in a manner which is clearly distinguishable from the other matters, in an intelligible and easily accessible form, using clear and plain language. Any part of such a declaration which constitutes an infringement of this Regulation shall not be binding. 3. The data subject shall have the right to withdraw their consent at any time. The withdrawal of consent shall not affect the lawfulness of processing based on consent before its withdrawal. Prior to giving consent, the data subject shall be informed thereof. It shall be as easy to withdraw consent as to give it. 4. When assessing whether consent is freely given, utmost account shall be taken of whether, inter alia, the performance of a contract, including the provision of a service, is conditional on consent to the processing of personal data that is not necessary for the performance of that contract".

In relation to what is established in the articles reviewed, recitals 32 (already reviewed), 40, 41, 42 (already reviewed), 43, 44 and 47 (already cited in the previous Legal Basis) of the RGPD should be taken into account. From what is expressed in these recitals, the following should be noted:

(43) In order to ensure that consent is freely given, consent should not provide a valid legal ground for the processing of personal data in a specific case where there is a clear imbalance between the data subject and the controller, in particular where the controller is a public authority and it is therefore unlikely that consent was freely given in all the circumstances of that specific situation. Consent is presumed not to be freely given if it does not allow separate consent to be given to different personal data processing operations despite it being appropriate in the individual case, or if the performance of a contract, including the provision of a service, is dependent on the consent despite such consent not being necessary for such performance.

(44) Processing should be lawful where it is necessary in the context of a contract or the intention to enter into a contract.

It is also necessary to take into account the provisions of article 6 of the LOPDGDD:

"Article 6. Processing based on the consent of the data subject. 1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679, consent of the data subject means any freely given, specific, informed and unambiguous indication of will by which the data subject accepts, either through a declaration or a clear affirmative action, the processing of personal data concerning them. 2. When it is intended to base the processing of the data on the consent of the data subject for a plurality of purposes, it will be necessary to state specifically and unequivocally that said consent is given for all of them. 3. The performance of the contract may not be conditional on the data subject consenting to the processing of personal data for purposes that are not related to the maintenance, development or control of the contractual relationship".

In the present case, CAIXABANK contemplates in the "Framework Contract" the use of the clients' personal data for the following purposes (excluding the purposes referred to by said entity as "regulatory"):

1. Manage business relationships: comply with and maintain them, verify the correctness of the operation, verify the identity of the signer, and establish and maintain commercial relations.
2. Send information and updates about products or services similar to those already contracted; personalize the customer's business experience across the entity's channels based on previous uses, in order to offer products and services that fit the customer's profile, to apply benefits and promotions in force to which the customer is entitled, and to assess whether pre-granted credit limits can be assigned that the customer may use when deemed appropriate.
3. Commercial purposes:
. Offer and design of products and services adjusted to the client profile.
. Commercial offer of products and services of CaixaBank and the CaixaBank Group Companies.
. Transfer of data to third parties.
4. Transfer of personal data to the companies of the CaixaBank Group.
5. Manage the client's signature and, where appropriate, verify the identity of the signer in successive operations, through the use of pattern comparison methods. This purpose is pursued through the processing of biometric data.

In relation to these purposes, CAIXABANK refers to the performance of the contractual relationship as the legal basis for the purposes indicated in number 1 above; to legitimate interest as the legal basis for the use of the data for the purpose indicated in section 2 above; and to consent in relation to the purposes indicated in section 3. CAIXABANK does not inform about any legal basis that enables data transfers to the companies of the CaixaBank Group. Information on the processing of biometric data was initially included in the "Framework Contract" as a sub-section of section 7 ("Processing of personal data based on the performance of contracts, legal obligations and legitimate interest and privacy policy"), but without clearly specifying the legal basis of the processing; currently this processing is covered by the consent of the data subjects.

- Processing of personal data based on the consent of the data subjects contemplated in the "Framework Agreement" (clause 8) and the "Consent Agreement".

In accordance with the above, data processing requires the existence of a legal basis that legitimizes it, such as the consent of the data subject validly given, which is necessary when there is no other legal basis among those mentioned in article 6.1 of the RGPD or when the processing does not pursue a purpose compatible with that for which the data were collected.
Article 4 of the RGPD defines "consent" as follows: "11) "consent of the data subject": any freely given, specific, informed and unambiguous indication of the data subject's wishes by which they, by a statement or by a clear affirmative action, signify agreement to the processing of personal data relating to them". Consent is understood as a clear affirmative act that reflects a freely given, specific, informed and unambiguous indication of the data subject's will to accept the processing of personal data concerning them, provided with sufficient guarantees so that the controller can prove that the data subject is aware of the fact that they consent and of the extent to which they do so. And it must be given for all the processing activities carried out for the same purpose or purposes, so that, when the processing has several purposes, consent must be given for all of them in a specific and unequivocal manner, without the performance of the contract being conditional on the data subject consenting to the processing of their personal data for purposes that are not related to the maintenance, development or control of the business relationship. In this regard, the lawfulness of the processing requires that the data subject be informed about the purposes for which the data are intended (informed consent). Consent must be freely given. It is understood that consent is not free when the data subject does not have a genuine or free choice or cannot refuse or withdraw consent without suffering any harm; or when the data subject is not allowed to give separate consent to the different personal data processing operations despite it being appropriate in the specific case, or when the performance of a contract or the provision of a service is dependent on consent, even when it is not necessary for such performance.
This occurs when consent is included as a non-negotiable part of the general conditions, or when there is an obligation to agree to uses of personal data beyond those strictly necessary. Without these conditions, giving consent would not offer the data subject genuine control over their personal data and their destination, and this would make the processing activity unlawful. The Article 29 Working Party analyzed these issues in its document "Guidelines on consent under Regulation 2016/679", adopted on 11/28/2017 and revised and adopted on 04/10/2018. These Guidelines were updated by the European Data Protection Board on 05/04/2020 through the document "Guidelines 05/2020 on consent under Regulation 2016/679" (which retains the parts transcribed below). Document 5/2020 expressly states that the opinions of the Article 29 Working Party (WP29) on consent remain relevant provided they are consistent with the new legal framework, noting that these guidelines do not replace the previous opinions but rather expand and complete them. From the WP29 document mentioned above, it is worth highlighting some of the criteria relating to the validity of consent, specifically the elements "specific", "informed" and "unambiguous": "3.2. Specific indication of wishes. Article 6(1)(a) confirms that the consent of the data subject to the processing of their data must be given 'for one or more specific purposes' and that a data subject has a choice in relation to each of those purposes. The requirement that consent must be 'specific' aims to guarantee a degree of control and transparency for the data subject. This requirement has not been changed by the GDPR and remains closely linked to the requirement of 'informed' consent. At the same time, it must be interpreted in line with the requirement of 'dissociation' in order to obtain 'free' consent.
In short, to satisfy the 'specific' requirement the controller must apply: (i) purpose specification as a safeguard against deviation of use, (ii) dissociation in consent requests, and (iii) a clear separation between the information related to obtaining consent for the data processing activities and information related to other matters. Ad (i): In accordance with Article 5(1)(b) of the RGPD, obtaining valid consent is always preceded by the determination of a specific, explicit and legitimate purpose for the intended processing activity. The need for specific consent, in combination with the notion of purpose limitation contained in Article 5(1)(b), functions as a safeguard against the gradual extension or blurring of the purposes for which data are processed once a data subject has agreed to the initial collection of the data. This phenomenon, also known as deviation of use, is a risk for data subjects, as it may result in unforeseen use of personal data by the controller or by third parties and in loss of control by the data subject. If the controller relies on Article 6(1)(a), data subjects must always give their consent for a specific processing purpose. In line with the concept of purpose limitation, with Article 5(1)(b) and with Recital 32, consent may cover different operations, provided that those operations serve the same purpose. Needless to say, specific consent can only be obtained when data subjects are expressly informed about the intended purposes of the use of the data concerning them. Notwithstanding the provisions on compatibility of purposes, consent must be specific for each purpose.
Data subjects will give their consent on the understanding that they have control over their data and that the data will only be processed for those specific purposes. If a controller processes data on the basis of consent and additionally wishes to process the data for another purpose, it must obtain consent for that other purpose, unless there is another legal basis that better reflects the situation… Ad (ii): Consent mechanisms should not only be separated in order to comply with the requirement of 'free' consent, but must also comply with the requirement of 'specific' consent. This means that a controller seeking consent for several different purposes must provide the possibility of opting in for each purpose, so that users can give specific consent for specific purposes. Ad (iii): Finally, controllers must provide, with each separate consent request, specific information about the data that will be processed for each purpose, so that data subjects are aware of the impact of the different choices available to them. In this way, data subjects are enabled to give specific consent. This issue overlaps with the requirement that controllers provide clear information, as discussed above in section 3.3." "3.3. Informed indication of wishes…" (this section 3.3 was already set out in the previous Legal Ground). "3.4. Unambiguous indication of wishes. The RGPD clearly establishes that consent requires a statement from the data subject or a clear affirmative action, which means that consent must always be given through an action or a statement. It must be evident that the data subject has consented to the particular processing operation... A 'clear affirmative action' means that the data subject must have acted deliberately to consent to that particular processing. Recital 32 provides additional guidance on this point... The use of pre-ticked acceptance boxes is invalid under the GDPR.
Silence or inactivity on the part of the data subject, or merely continuing with a service, cannot be regarded as an active indication of a choice... A controller must also bear in mind that consent cannot be obtained through the same action by which the user agrees to a contract or accepts the general terms and conditions of a service. Blanket acceptance of the general terms and conditions cannot be regarded as a clear affirmative action aimed at consenting to the use of personal data. The RGPD does not allow controllers to offer pre-ticked boxes or opt-out mechanisms that require the intervention of the data subject to prevent agreement (e.g. 'opt-out boxes')... Controllers must design consent mechanisms so that they are clear to data subjects. They must avoid ambiguity and ensure that the action by which consent is given is distinguishable from other actions…". This document cites Opinion 15/2011 of the WP29 on the definition of consent. Regarding consent as an unambiguous indication of wishes, that Opinion states: "For consent to be unambiguously given, the procedure for seeking and giving it must leave no doubt as to the data subject's intention when giving consent. In other words, the indication by which the data subject consents must leave no room for any misunderstanding about their intention. If there is reasonable doubt about the individual's intention, an ambiguous situation arises. As described below, this requirement obliges controllers to create rigorous procedures for individuals to give their consent…". "This example illustrates the case of the individual who remains passive (e.g. inaction or 'silence').
Unambiguous consent does not fit well with procedures for obtaining consent that rely on the inaction or silence of individuals: a party's silence or inaction is inherently ambiguous (the data subject's intention could be assent, or simply a failure to act)". "… The individual's behavior (or rather, lack of action) raises serious doubts as to the individual's wishes. The fact that the individual does not take a positive action does not allow the conclusion that they have given their consent. Therefore, it does not satisfy the requirement of unambiguous consent. Furthermore, as illustrated below, it will also be very difficult for the controller to provide evidence showing that the individual has consented". Clause 8 of the "Framework Contract" is devoted to the "Processing and transfer of data for commercial purposes by CAIXABANK and the CaixaBank Group companies based on consent". This is what CAIXABANK generically calls "commercial purposes", which include: (i) analysis, study and monitoring for the offer and design of products and services adjusted to the customer profile; (ii) commercial offers of products and services of CaixaBank and the CaixaBank Group companies; and (iii) transfer of data to third parties. The consent of the data subject is the legal basis for the processing of their personal data for these purposes. Clause 8 describes these processing operations as follows: "The detail of the uses that will be carried out according to your authorizations is as follows: (i) Detail of the analysis, study and monitoring processing for the offer and design of products and services tailored to the customer profile.
By granting your consent to the purposes detailed here, you authorize us to: a) Proactively carry out risk analysis and apply statistical techniques to your data and to customer segmentation, with a threefold purpose: 1) study products or services that may suit your profile and specific business or credit situation, all in order to make commercial offers tailored to your needs and preferences; 2) monitor the products and services contracted; 3) adjust recovery measures in relation to defaults and incidents arising from the products and services contracted. b) Associate your data with those of companies with which you have some kind of link, whether through ownership or management, in order to analyze possible economic interdependencies in the study of service offers, risk applications and product contracting. c) Carry out studies and automated controls of fraud, defaults and incidents arising from contracted products and services. The processing operations indicated in sections (i), (ii) and (iii) may be carried out in an automated manner and involve profiling for the aforementioned purposes. In this regard, we inform you of your right to obtain human intervention in the processing, to express your point of view, to obtain an explanation of the decision taken on the basis of the automated processing, and to challenge that decision. d) Carry out satisfaction surveys by telephone or electronic channel in order to assess the services received. e) Design new products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank and the CaixaBank Group companies. (ii) Detail of the processing for the commercial offer of products and services of CaixaBank and the CaixaBank Group companies.
By granting your consent to the purposes detailed here, you authorize us to: send commercial communications, both on paper and by electronic or telematic means, relating to the products and services marketed at any given time by: a) CaixaBank or any of the CaixaBank Group companies; b) other companies in which CaixaBank holds a stake, and third parties whose activities fall within banking, investment services and insurance, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charitable-social activities. The signer may at any time choose the channels or means through which they do or do not wish to receive the indicated commercial communications, through their digital banking, by exercising their rights, or through their manager in the CaixaBank branch network". "(iii) Transfer of data to third parties. By granting your consent to the purposes detailed here, you authorize us to transfer your data to companies with which CaixaBank and/or the CaixaBank Group companies have agreements, whose activities fall within banking, investment services and insurance, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting, leisure and charitable-social services, so that these companies can make you commercial offers of the products they market. In any case, once a transfer of data takes place under your authorization, the company receiving the data would inform the signer of the processing of their data and of its origin". Likewise, the personal data of the clients that are subject to the cited processing are: "a) All those provided in the establishment or maintenance of commercial or business relationships.
b) All those generated in the contracting and operation of products and services with CaixaBank, with the CaixaBank Group companies or with third parties, such as account or card movements, details of direct debits, payroll deposits, claims arising from insurance policies, complaints, etc. c) All those that CaixaBank or the CaixaBank Group companies obtain from the provision of services to third parties when the service is intended for the signer, such as the management of transfers or receipts. d) Your status, or not, as a CaixaBank shareholder as recorded in the entity's records or in those of the entities that, in accordance with securities market regulations, must keep the records of securities represented by book entries. e) Those obtained from the social networks that the signer authorizes us to consult. f) Those obtained from third parties as a result of data aggregation requests made by the signer. g) Those obtained from the signer's browsing of the digital banking service and other websites of CaixaBank and the CaixaBank Group companies, or of the mobile application of CaixaBank and the CaixaBank Group companies, in which the signer operates duly identified. This data may include information related to geolocation. h) Those obtained from chats, walls, videoconferences or any other means of communication established between the parties. The signer's data may be supplemented and enriched with data obtained from commercial information providers, with data obtained from public sources, and with statistical and socioeconomic data (hereinafter, 'Additional Information'), always verifying that these comply with the requirements established in the current data protection regulations".
Based on this information, CAIXABANK limits the customer's options to giving consent, separately, for each of the three purposes (i), (ii) and (iii) indicated. The summary of the statements made by the client in relation to these "Authorizations" is carried over to the heading of the "Framework Contract", in the section relating to the client's personal and economic data, under the heading "Authorizations for data processing". Here is an example: "Authorizations for data processing. In the terms established in clauses 8 and 9 of this Contract, your authorizations for data processing are the following: Commercial purposes: . Purpose of studies and profiling: You have expressed that you do not accept or consent to the processing of your data. . Purpose of communication of offers of products, services and promotions: You have expressed that you do not accept or consent to being contacted for commercial purposes by any channel or medium, including electronic media. . Transfer of data to third parties: You have expressed your non-acceptance of the transfer of your data to third parties". Subsequently, from the checks carried out in the inspection of 11/28/2019 and the documentation provided by CAIXABANK with its written statement of 11/20/2019, it was found that a fourth consent had been added, regarding the processing of biometric data: "4. Use of my biometric data (facial image, fingerprint, etc.) in order to verify my identity and signature: This authorization will be supplemented in each case with the registration of the biometric data to be used at any time. In order to verify the identity/signature of its clients, Caixabank uses biometric recognition methods such as facial recognition systems, fingerprint reading and the like. Currently, some of our ATMs already allow you to carry out operations using these methods. ( ) Yes, I accept the use of my biometric data ( ) No".
This Agency considers that these consents (four) do not meet the conditions for the data subject's indication of wishes to be considered validly given, which makes the data processing that CAIXABANK carries out on the basis of the data subject's consent unlawful. The indication made by the client in giving these consents may be considered an affirmative act, but not a freely given, specific, informed and unambiguous indication of wishes to accept the processing of the personal data concerning them, accompanied by sufficient guarantees to prove that they are aware of the fact that they are consenting and of the extent to which they do so. In this case, the consent cannot be considered freely given because, with the signing of the contract, essential aspects relating to the processing of their personal data are imposed on the client, reducing their ability to choose; this is the case of the exchange of information that CAIXABANK carries out with the entities that make up the CaixaBank Group, which will be analyzed later. On the other hand, the mechanism for giving consent does not provide for the data subject to express their choice regarding all the purposes for which the data are processed. CAIXABANK carries out processing operations that appear grouped under one of the indicated purposes but that pursue a purpose other than those on which the data subject is asked to decide. The list of processing operations that the entity performs for each of the purposes on which the client is offered the option to consent or not in fact amounts to an extension of the purposes, so the consent given cannot be considered specific, as the consent requests have not been sufficiently dissociated. CAIXABANK considers that the group of consents included in clause 8 is adequate and that all the processing operations included in it are nuances of the same profiling, as can be seen from the relevant breakdowns. This Agency does not share that opinion.
Section (i) refers to processing for "the offer and design of products and services adjusted to the client profile", on which the customer is asked to decide. However, it also includes purposes such as "adjust recovery measures in relation to defaults and incidents arising from contracted products and services", "analyze possible economic interdependencies in risk applications and product contracting", "assess the services received" or "design new products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank and the CaixaBank Group companies". Section (ii) groups into a single indication of the data subject's wishes the sending of commercial communications relating to the products and services of CAIXABANK, of the CaixaBank Group companies and of third parties. Consent must be given for all processing activities carried out for the same purpose or purposes and, when the processing has several purposes, consent must be given for all of them, through an indication of wishes expressed for each of the purposes separately or in a differentiated manner, allowing the data subject to choose all, some or none of them. As stated in Recital 43, consent is not presumed to be freely given if it does not allow "separate consent to be given to different personal data processing operations despite it being appropriate in the individual case". Recital 32 states that "consent should cover all processing activities carried out for the same purpose or purposes. When the processing has multiple purposes, consent should be given for all of them". "When data processing is carried out for several purposes, the solution to comply with the conditions for valid consent lies in granularity, that is, the separation of these purposes and obtaining consent for each purpose" (WP29 Guidelines).
Treating the giving of consent for those purposes as implying acceptance of all the processing operations included within those purposes, when in reality some of these operations pursue different purposes, as has been said, does not satisfy this requirement of separation of purposes and of giving consent for each of them. In relation to the incorrect grouping of consents, separate mention must be made of the statement in clause 8 regarding the first three processing operations listed in section (i), according to which these operations may be carried out in an automated manner and involve profiling. It is obvious that these automated processing operations require the client's explicit consent, which is not collected in a lawful manner. Furthermore, the consent given cannot be considered informed. The importance of providing information to data subjects before obtaining their consent has already been noted here; it is essential so that they can make decisions having understood what they are authorizing. If the controller does not provide accessible information, the user's control will be illusory and the consent will not constitute a valid basis for the processing of the data. What is stated in Legal Ground IV regarding the objections to the information that CAIXABANK provides on the protection of personal data equally affects any consent that may have been given. For this purpose, reference is made to the observations or objections set out in that Legal Ground regarding the language used, the unclear and indeterminate information about the processing of personal data, the lack of a clear and intelligible formulation of the purposes for which the data will be used, and the lack of information on the specific categories of data that will be processed for each of the specified purposes.
These deficiencies prevent data subjects from knowing the real meaning of the indications provided and the real scope of the consent they could give, making it invalid as it is not informed consent, in relation to the data collection or data processing operations in respect of which those defects in the information were found, including the processing of data that were not provided directly by the data subject or are not necessary for the performance of the contractual relationship binding them to the entity. The lack of information is evident in the process set up by CAIXABANK to collect customer consents for the processing of their personal data, whether in person at the entity's offices, through the web portal (for new clients, or through the personal area enabled on the website) or through the mobile application. These procedures are described in detail in the Background of this decision and in the Proven Facts. It is worth highlighting the collection of consents carried out in person at the entity's offices, which is formalized with the signing of the "Framework Contract". CAIXABANK has made several modifications to this mechanism since the entry into force of the GDPR. In May 2018 (as stated in CAIXABANK's response dated 05/16/2018), the data subject's respective indications of wishes were expressed verbally in an interview led by an employee, who filled in the options by ticking the corresponding boxes on the respective screen; these were recorded in the document ("Framework Contract") that was printed later, once the client had already spoken. It is proven that the client's verbal statements expressing their choices regarding the processing operations and purposes indicated, as well as the signing of the document, took place without the client having had access to the information contained in the "Framework Contract".
Subsequently, according to CAIXABANK, the entire branch network was equipped with digitizing tablets, so that the "Framework Contract" and the "Consent Agreement" are signed not on paper but on the tablet itself. The "Framework Agreement" is signed by the client without having access to the document, which is to say that they give their consent without CAIXABANK providing them with any information. (…) In the inspection carried out at CAIXABANK on 11/28/2019, a new change to the process described above was observed, consisting of handing a digital tablet to the client so that they themselves can mark the corresponding consent options, but this does not alter the circumstances described above. The system guides the manager throughout the process, advising them to ask the client about their preferences and to physically hand over the tablet so that the client can mark their options. Once the preferences have been marked, the terminal itself indicates that these preferences have been registered and invites the client to return the device to the manager (once the options have been selected by the customer, the indication "Tablet Mode" is shown and the following is stated: "Your consents have been indicated. Thank you for your collaboration. Please return the Tablet to your manager"). Subsequently, "the manager finalizes and consolidates the document and makes it available for the client to sign". The "Tablet Mode. Client" screens do not contain any link to the information on the protection of personal data contained in the "Framework Agreement". During the registration process through the website, the system displays a screen that allows the client to mark the options "Yes" or "No" for each of the consents requested. This screen includes a symbol (i) that leads to another screen with a message on data protection information and a link that leads to it.
However, the information offered is insufficient because it only includes the information corresponding to clause 8, "Processing and transfer of data for commercial purposes by CaixaBank and the CaixaBank Group companies based on consent", of the Framework Contract. In this case, according to CAIXABANK, the signature screen includes a box to tick "I have read and accept the contract". The same objection regarding the information offered applies to the process set up for giving consents in the client's private area on "CaixaBank Now" and when using the mobile application, which redirects to the web portal. These processes do not ensure in all cases that the data subject accesses the information before selecting their consents and signing the document, which applies both to the "Framework Agreement" and to the "Consent Agreement". Therefore, all the detailed processing operations whose legal basis is determined, as expressed by the CAIXABANK entity itself, by the consent of the data subjects. On the issue analyzed in this section, regarding data processing based on the consent of the data subjects, CAIXABANK, in its submissions against the proposed resolution, merely states that the consents obtained are free, specific, unambiguous and sufficiently informed. It simply points out that the client has absolute freedom to grant them or not, without associated negative consequences and without conditions, that there is no combination of different purposes under the same consent, and that the data subject gives consent by affirmative action. However, it omits any justification for the irregularities that have been detailed and that support the conclusion on the lack of legal basis for the processing that CAIXABANK carries out on the basis of consent.
Faced with the significant objections raised in relation to processing operations that pursue a purpose other than those on which the data subject gives consent, CAIXABANK states that clause 8 of the "Framework Contract" and the "Consent Agreement" break down the only three activities, three purposes, which are carried out on the basis of consent (profiling of data to offer customers products that may be of interest to them; the choice of the communication channel for offers; and the possibility of transferring the data to third parties). It adds that the processing operations on which the client has no opportunity to decide are either not carried out (it does not say which ones), or are covered by another legal basis, or are simpler and more limited than the AEPD understands. It describes as an "error" that does not breach the principle of specificity the inclusion, among the examples of processing carried out on the basis of consent, of some processing operations that should have been listed under other legal bases, namely among the processing operations carried out for the performance of contracts or in compliance with laws. It adds that this has been corrected in the New Privacy Policy by including those activities under their respective and correct headings (processing for the performance of a contractual relationship or under a legal obligation). In this regard, in its fourth submission, when referring to the information on profiling, it also alleges this "error" and lists the processing operations which, in its opinion, have nothing to do with consent: "- Monitoring the products and services contracted, which is clearly processing necessary for the performance of the contractual relationship as established in Art. 6.1.b). - Adjusting recovery measures in relation to defaults and incidents arising from contracted products and services, also clearly processing necessary for the performance of the contractual relationship as established in Art.
6.1.b). - Associating your data with those of companies with which you have some kind of link, whether through ownership or management, in order to analyze possible economic interdependencies in the study of service offers, risk applications and product contracting, which is processing necessary for the performance of the contractual relationship as established in Art. 6.1.b), and mandatory in order to comply with Law 10/2014, of June 26, on the Regulation, Supervision and Solvency of Credit Institutions, Law 44/2002 on Measures to Reform the Financial System, and other obligations and principles of the regulations on responsible lending, the details of which are reported in the product applications that customers sign when requesting a product. - Carrying out studies and automated controls of fraud, defaults and incidents arising from contracted products and services, which is clearly processing based on the legitimate interest of CaixaBank, as established in Art. 6.1.f), an interest that amounts to the interest in avoiding fraud that would entail economic or reputational losses. - Conducting satisfaction surveys by telephone or electronic channel in order to assess the services received, which is processing necessary for the performance of the contractual relationship as established in Art. 6.1.b), and linked to the authorization for the use of the specific channel. - Designing products or services, or improving the design and usability of existing ones, as well as defining or improving user experiences in their relationship with CaixaBank and the CaixaBank Group companies, which is processing that is not carried out with personal data, but rather by analyzing statistics and aggregated data after anonymization processes".
With this allegation CAIXABANK acknowledges that these operations have purposes other than those set out in Clause 8 of the "Framework Contract" and in the "Consent Agreement", under which the consents requested from the customer are grouped, and also that it is not true that the processing activities mentioned in those documents can be reduced to the three purposes listed there. If these processing operations could have a legal basis other than consent, it is clear that they are different processing operations pursuing different purposes. This is evident when one considers that all the operations to which CAIXABANK refers in its allegations, those in the list above, are linked in Clause 8 of the "Framework Contract" to "Data processing for commercial purposes by CAIXABANK and the companies of the CaixaBank Group", and that "the uses to be made" are described as "Analysis, study and monitoring processing for the offer and design of products and services adjusted to the customer's profile". There are, in addition, other processing operations to which CAIXABANK does not refer in its allegations and which also require the data subject's consent in order to be carried out, such as the exchange of information with the Group companies. These are substantive defects, which affect the basic principle of lawfulness of processing. CAIXABANK's approach, which seeks to avoid the liability that such non-compliance entails by pleading a mere error, therefore cannot be accepted. Furthermore, this Agency does not agree that no consequence can be attached to this serious irregularity, as CAIXABANK claims, on the assumption that the processing activities listed could find cover in a legal basis other than consent.
On the one hand, data subjects are being given inaccurate information about the legal bases on which the corresponding processing operations are legitimised, which undoubtedly affects the knowledge and expectations data subjects may have about the rights that correspond to them under the different legal bases involved and, ultimately, the control they can exercise over their personal data. Thus, for example, if a data subject does not consent to these processing operations. On the other hand, a thorough analysis of all the concurrent circumstances of the intended processing would be needed, as has been seen here, in order to assess the relevance of the new legal basis that CAIXABANK puts forward in its allegations, so the reasons alleged cannot simply be taken as good. This is evident in relation to the processing that CAIXABANK now, in its allegations, intends to base on the controller's legitimate interest ("Carrying out studies and automated controls of fraud, defaults and incidents arising from the products and services contracted"). Accepting this approach would amount to admitting a supervening, or subsequent, legitimate interest in respect of which the requirements laid down in the personal data protection rules have not been met, in particular the obligation to weigh the rights and interests at stake, and of which no information is given in the Privacy Policy. CAIXABANK also alleges that the processing it carries out to "Design products or services, or improve the design and usability of existing ones, as well as define or improve user experiences in their relationship with CaixaBank and the CaixaBank Group companies" is not carried out with personal data, but rather by analysing statistics and aggregated data following anonymisation processes.
But it fails to take into account that this activity involves two processing operations: the one that produces the anonymous information (anonymisation itself), which is subject to data protection rules, and the processing carried out on the data once anonymised, which is excluded from those rules. So in this case too a legal basis is needed to cover the processing. It was CAIXABANK itself that chose, when designing its processing operations, to base the operations mentioned above on consent, and it is consequently obliged to meet the requirements that this entails. Regarding the process enabled for giving consent in person at the branch, CAIXABANK reiterates that, after giving (or not giving) the consents, the customer accesses the full text of the contract so as to read and review it, and may therefore decline to ratify the choice made and "go back". Finally, it points out that the AEPD omits the analysis of the process for collecting consents in the non-face-to-face channel (online banking) that it reviewed in the same inspection, in which it was shown that the customer must necessarily access the information before giving consent. On this point, CAIXABANK fails to take into account that the process for formalising the "Framework Agreement" or the "Consent Agreement", and with it the giving of consent in person, has followed different procedures over the period analysed. As has been stated, the customer's giving of the consents requested by CAIXABANK, including the signing of the documents mentioned, was carried out without the information on personal data protection being made available to the customer. Even during the process known as "Tablet Mode", to which the allegations refer, the customer gives consent without first receiving that information.
This does not happen, as stated above, in the process for collecting consents during registration via the website and in the mechanism enabled in the customer's private area on the "Caixabank Now" website. In that case the information is offered to the customer before they tick the options provided, but only the information corresponding to Clause 8 of the "Framework Contract", not all of the information. These conclusions about the registration process via the website and the customers' personal area were already set out, in the same terms, in the proposed resolution. It is therefore not understood why CAIXABANK alleges that the AEPD has omitted the analysis of these consent collection processes.

- b) Other processing of personal data based on the consent of the data subjects included in the "Consent Agreement".

All the observations and objections made in relation to Clause 8 of the "Framework Contract" apply to the document called "Consent Agreement", given the similarity of their contents and of the consent collection process, as has been explained. However, two issues are worth highlighting in relation to the "Consent Agreement", or document of "Authorisation/revocation for the processing of personal data for commercial purposes by CaixaBank, SA and CaixaBank group companies":

1. The information offered to the data subject is less than that offered in the "Framework Contract", since access is given only to a text similar to that of Clause 8 of that Contract.

2. Another matter giving rise to processing of personal data without the consent of the persons concerned is the association of CAIXABANK customers' data with the data of other customers with whom they have some kind of family or social relationship, "for the purpose of analysing possible economic interdependencies in the study of service offers, risk requests and product contracting".
This linking of customer data with third parties' personal data, which was added in the third version of this document in authorisation (ii) of the section for purpose 1 ("Analysis, study and monitoring processing for the offer and design of products and services adjusted to the customer's profile"), cannot be carried out on the basis of a statement by the customer, who is not the data subject for the data in question (it is third parties' personal data that is associated with the customer's data).

- c) Processing of personal data based on the consent of the data subjects included in the "Social media contract".

In relation to the processing of data obtained from social networks, objections arise both to the consent given and to the purposes pursued by the processing. In addition, the customer consents through a single act, and does so to data processing for various purposes: from the personal area of online banking the customer consents to CAIXABANK accessing and using information from social networks. The tool enabled for this asks the customer to select the network (Facebook, Twitter and LinkedIn), displays the information prepared by the entity in a text box and requires the data subject to press the button labelled "Accept and continue". With this single action the customer consents to the collection of the personal data mentioned in that information, to the processing operations detailed there and to the various purposes indicated (this information is reproduced in full in Annex III):

"By clicking on the "Accept and continue" button, you expressly consent that CaixaBank… incorporate the following personal data into files… for the purposes of: a) contacting you and sending you commercial communications by electronic means relating to products and services and/or any others that CaixaBank markets now or in the future, and relating to products and services of third parties whose activities are among those indicated in the following section; b) communicating the data you provide to Caixabank, SA, with NIF…, with address at Av. Diagonal 621, 08028 Barcelona, and to companies and entities in whose capital CaixaBank holds a direct or indirect interest, so that they can send you commercial communications on paper and by electronic means about the products and services of their respective activities, including banking, investment and insurance services, shareholdings, venture capital, real estate, roads, sale and distribution of goods and services, consultancy services, leisure and charitable and social activities, as well as the communication of your data by those entities to Caixabank for the purposes set out in section a) above; c) validating, through the Customer Service on social networks, the identification data you provide to it, in order to deal with the requests you address to it; d) validating your identification data when you access other CaixaBank applications via your Username (Twitter), your User ID (Facebook) or your registered User (LinkedIn); e) contacting you in the event that possible fraud or impersonation of your identity or activity on social networks, or in the use of CaixaBank channels or applications, is detected or there are well-founded suspicions of it. Likewise, you expressly consent to CaixaBank accessing the content and information that you have at any time decided to make public (and, where applicable, the content and information to which you have specifically allowed access) on the social networks indicated, as well as to the communication of that information to the companies and entities indicated in section b) above, for processing for the following purposes: (i) personalisation of commercial offers; (ii) profiling and segmentation based on the public information in your profile, in order to recommend and offer you the products and services that best suit your preferences and needs."

It is significant that some of the purposes are similar to those mentioned in Clause 8 of the "Framework Agreement" and in the "Consent Agreement" ("Authorisation/revocation"), for which CAIXABANK provides that the data subject gives specific consent, whereas for the processing of personal data obtained from social networks the data subject consents to all the processing operations and for all the purposes by means of a single action, pressing the button labelled "Accept and continue". Another relevant issue concerns the communication of data to companies and entities in whose share capital CaixaBank holds a direct or indirect interest (in this case the text does not speak of the CaixaBank Group companies, nor does it detail which companies it refers to), which also requires a specific statement from the data subject before CAIXABANK can carry it out. The same applies to the fact that the consent obtained in relation to the information obtained from social networks includes communications of data by the entities indicated in the preceding paragraph to CAIXABANK.
CAIXABANK makes no comment on the above circumstances in relation to the "Social media contract", other than to indicate that it was a project that was not successful and was discontinued.

- d) Processing of personal data based on the consent of the data subjects included in the "Aggregation service contract".

The same can be said of the aggregation service. This service is provided by CAIXABANK at the request of the data subject and is formalised by signing the corresponding contract. The same objections apply to the consent to data processing that the data subject gives when contracting this service. In this case too the customer consents through a single act, and does so to data processing for various purposes. The purpose of the relationship is to allow the contracting party to manage and view information on the positions and movements of the products and services they hold with other financial institutions. However, under the clauses of the model contract drawn up by CAIXABANK, signing the document entails the customer giving consent to data processing for different purposes, some of which are presented as if they were the very object of the contract, although they go beyond the stated object and are unrelated to it. Thus, section 2 of the Contract, which defines its object, states that the service "also" aims, on the basis of the aggregated information, at "the personalisation of commercial offers adjusted to the contracting party's profile and situation by CaixaBank; the improvement of risk analysis and suitability assessment for contracting the products and services requested by the contracting party; and the improvement of the management of defaults and incidents arising from the products and services contracted".
Likewise, section 11 reports two further purposes: "a) the personalisation of commercial offers adjusted to the contracting party's profile and situation by CaixaBank, in relation to its own products or to third-party products marketed by it; b) conducting satisfaction surveys by telephone or electronic channel in order to assess the services received from CaixaBank". In this case the data subject is warned that these are additional purposes to which they must expressly consent (it is worded as follows: "Additionally, where expressly consented to, the data obtained may be processed for the following purposes…"). Considering the mechanisms CAIXABANK has enabled for giving the consent to which this clause refers, we understand that it refers to the expressions of will obtained through the "Framework Contract" or the "Consent Agreement", and the objections to the consents obtained through those documents have already been set out. In addition, as regards what the aggregation service contract states, it should be added that neither of those two documents provides for the customer's consent to the personalisation of commercial offers adjusted to the contracting party's profile and situation by CAIXABANK in relation to third-party products marketed by the entity. CAIXABANK has therefore made no provision for obtaining consent for purpose a) above in relation to third-party products. On the other hand, it should be noted that the purposes and processing operations reported in the aggregation service contract make no reference to the CaixaBank Group companies.
Therefore, the signing of this contract cannot be understood as giving consent for the purposes indicated in the "Framework Contract" and in the "Consent Agreement", which include the use by those companies of the data collected in the course of this service. It is therefore an unlawful communication of data. Finally, one further observation about the object of the aggregation service is worth highlighting. According to the contract, the service is intended to manage and display information on the positions and movements of products that the data subject holds with other institutions. However, despite this description of the object and the term "management" it includes, the same document notes that the service does not allow operations or transactions on third-party products and that its provision will consist in the contracting party being able to view the aggregated information through digital banking. Considering this limitation of the object, the data collected and the use intended for it, the aggregation service could be understood as having been designed rather for the collection of information by the controller. This is all the more so given that the contract itself provides that non-acceptance of, or subsequent objection to, the processing of the data for the purposes detailed means that CAIXABANK "will not be able to, or (where applicable) will have to, stop offering the aggregation service", and that, where the data are processed with the data subject's consent, they may be processed for as long as that consent lasts, even after the contractual relationship has ended. CAIXABANK denies this observation, alleging that the Agency has not understood the nature of this service, which is provided for in the payment services rules and serves to prevent the entity from being displaced by new market players.
However, that conclusion does not derive from an analysis of the nature of the service, but from the purposes, especially commercial or advertising purposes, and the profiling that were imposed as the object of the contract. The very payment services rules cited by CAIXABANK prohibit the use of personal data for purposes other than the provision of the service. Royal Decree-Law 19/2018, of 23 November, on payment services and other urgent measures in financial matters, addresses the rules on access to information on payment accounts and on the use of that information. Specifically, Article 39.1.f) provides as follows: "Article 39. Rules on access to information on payment accounts and use of that information in the case of account information services. 1. The payment service provider providing the account information service: f) shall not use, store or access any data for purposes other than the provision of the account information service expressly requested by the payment service user, in accordance with the data protection rules". In relation to the Aggregation Service Contract, and also to the Social Media Terms, CAIXABANK has indicated that the signing of these documents is complementary to the "Framework Contract", that no new consent is obtained in these additional documents, and that consent is granted in the "Framework Contract". This is inconsistent with what those documents and the "Framework Contract" state. The "Framework Contract" does not require any consent to be given for the processing of these data; it merely reports on the use of data obtained from the social networks and the aggregation service that the data subject has authorised. That authorisation can only be given by accepting the Social Media Terms and signing the Aggregation Service Contract in the manner indicated above.
Specifically, the "Framework Agreement" states the following: "The data that will be processed for the purposes of (i) data analysis and study, and (ii) the commercial offer of products and services will be: e) Those obtained from the social networks that the signatory authorises to be consulted; f) Those obtained from third parties as a result of the data aggregation requests made by the signatory". Finally, it is worth noting that the new Aggregation Service Contract does not include any data processing for the purposes indicated. As regards commercial purposes, it refers to the authorisations the customer has granted and advises of the possibility of managing them at the branch or through digital or mobile banking. On the other hand, there is no evidence that the references in the "Framework Contract" to the use of data obtained from this service have been adapted to the changes in the Aggregation Service Contract.

- Other processing of personal data without a legal basis

On the other hand, there are other processing operations appearing in the information that CAIXABANK provides to its customers that are carried out without any legitimising basis. As detailed in the previous Legal Ground, CAIXABANK uses personal data ("movements", "receipts", "payroll", "claims" and "claims") generated in the contracting and operation of products and services contracted by the data subject with third parties ("All those generated in the contracting and operation of products and services… with the CaixaBank Group companies or with third parties"). It follows that CAIXABANK, as data controller, collects and uses personal data that it does not obtain directly from the data subjects. These are personal data from third parties that CAIXABANK uses for the purposes set out in the information provided to the data subjects.
There is no legal basis legitimising the use of these personal data. CAIXABANK is not the controller of these data obtained from third-party products, which limits its ability to use the information in question for its own purposes. On this point it is also necessary to take into account the limitations on the use of personal data imposed by Royal Decree-Law 19/2018, cited above. Article 65 expressly addresses the protection of personal data in the following terms: "Article 65. Data protection. 1. The processing and transfer of data relating to the activities referred to in this Royal Decree-Law are subject to the provisions of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC, and to the Spanish data protection rules and the national rules implementing them".

- Processing of personal data based on the legitimate interest of the controller

The analysis of this issue must begin from Article 1(2) GDPR, according to which "This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data". To that end, all the circumstances surrounding the collection and processing of the data must be considered, as well as the way in which the principles, rights and obligations required by the personal data protection rules are met or reinforced. Article 6 GDPR requires that, for the processing of personal data to be lawful, it must be covered by one of the legal bases it establishes, and that the controller be able to demonstrate that the legal basis it invokes was in fact present in the processing operation (Article 5(2), principle of accountability).
The legal bases for processing set out in Article 6(1) GDPR are linked to the broader principle of lawfulness in Article 5(1)(a) GDPR, which provides that personal data shall be processed "lawfully, fairly and in a transparent manner in relation to the data subject". In relation to the legal basis of legitimate interest, invoked by CAIXABANK for the processing described, Article 6 provides: "1. Processing shall be lawful only if and to the extent that at least one of the following applies: f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child …". Recital 47 GDPR specifies the content and scope of this legal basis for processing.
The interpretative criteria that can be drawn from that recital are, among others: (i) that whether the controller's legitimate interest prevails over the interests or fundamental rights and freedoms of the data subject must be assessed in light of the reasonable expectations the data subject has on the basis of their relationship with the controller; (ii) that a "careful assessment" of the rights and interests at stake is indispensable, including in cases where the data subject can reasonably expect, at the time and in the context of the data collection, that processing for that purpose may take place; (iii) that the interests and fundamental rights of the data subject may override the controller's legitimate interests where personal data are processed in circumstances in which the data subject "does not reasonably expect" further processing of their personal data. It should be added that the data subject may in all cases exercise the right to object, which again involves a fresh assessment of the interests of the controller and of the data subject, except in the case of direct marketing, where the exercise of the right requires the processing to be stopped without any assessment (Article 21(3) GDPR). Some aspects of Opinion 06/2014 of the Article 29 Working Party on the "notion of legitimate interests of the data controller under Article 7 of Directive 95/46/EC", of 9 April 2014, are worth highlighting, especially the factors that may be weighed when carrying out the mandatory balancing of the rights and interests at stake.
Although Opinion 06/2014 was issued to promote a uniform interpretation of Directive 95/46/EC, then in force and since repealed by the GDPR, given the near-total identity between its Article 7(f) and Article 6(1)(f) GDPR, and given that the reflections it offers are an illustration and application of principles that also inspire the GDPR, such as the principle of proportionality, or of general principles of EU law, such as the principles of fairness and respect for the law, many of its reflections can be extrapolated to the application of the current rules. As indicated, for Article 6(1)(f) GDPR to constitute the legitimising basis for the processing of personal data, a balancing, a "careful assessment", of the rights and interests at stake must be carried out, and must be carried out before the processing: on the one hand the controller's legitimate interest and, on the other, both the interests and the fundamental rights and freedoms of those affected. This balancing is essential because only when, as its result, the controller's legitimate interest prevails over the rights or interests of the data subjects can that interest operate as the legal basis for the processing. Regarding the balancing test, the Opinion states the following: "A controller's legitimate interest, when minor and not very compelling, may in general only override the interests and rights of data subjects in cases where the impact on these rights and interests is even more trivial. On the other hand, an important and compelling legitimate interest may in some cases, and subject to safeguards and measures, justify even a significant intrusion into privacy or any other significant impact on the interests or rights of the data subjects. It is important to emphasise here the special role that safeguards may play in reducing an undue impact on the data subjects and thereby shifting the balance of rights and interests to the point where the controller's legitimate interest prevails. Of course, the use of safeguards alone is not sufficient to justify any kind of processing in any context. Furthermore, the safeguards in question must be adequate and sufficient, and must unquestionably and significantly reduce the impact on the data subjects". The Opinion refers to the many factors that may come into play in the balancing of the interests at stake and groups them into the following categories: (a) the assessment of the controller's legitimate interest, the nature and source of that interest, and whether the processing is necessary for the exercise of a fundamental right, is otherwise in the public interest or is recognised by the community concerned; (b) the impact on the data subjects and their reasonable expectations about what will happen to their data ("what a person considers reasonably acceptable in the circumstances"), as well as the nature of the data and the way in which they are processed, stressing that the aim is not that the processing carried out by the controller has no negative impact at all on the data subjects, but that the impact is not "disproportionate"; (c) the provisional balance; and (d) additional safeguards that could limit an undue impact on the data subject, such as data minimisation, privacy-enhancing technologies, increased transparency, a general and unconditional right to opt out, and data portability.
First of all, the Opinion underlines that the implication that the person responsible for the treatment may have in the data processing carried out is that of "interest", which is already referenced in the previous Legal Basis to indicate that it is related to purpose, but it is a broader concept ( “purpose is the specific reason why process the data: the purpose or intention of the data processing. One interest for another On the other hand, it refers to a greater involvement that the controller may have in the treatment, or the benefit that the controller obtains from the treatment ” ). It is also broader than that of fundamental rights and freedoms, hence, regarding those affected are weighed not only their fundamental rights and freedoms, but also their "Interests" . According to GT29, “an interest must be articulated with sufficient clarity to allow the balancing test to be carried out against the interests and fundamental rights of the interested party. Furthermore, the interest at stake must also be pursued by the controller. This requires a real and current interest, which is corresponds to present activities or benefits that are expected in a very future next. In other words, interests that are too vague or speculative are not they will be enough ” . In addition, the "interest" of the data controller, as established in article 6.1.f) of the RGPD and before article 7.f) of the Directive, it must be "legitimate" , which means, says the Opinion, which must be "lawful" (respectful of applicable national and EU legislation). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 137 137/177 However, the WG29 adds that “The legitimacy of the interest of the data controller it is only a starting point, one of the elements that must be analyzed under article 7, letter f). 
Whether or not Article 7(f) can be relied on as a legal basis will depend on the outcome of the balancing test that follows"; "if the interest pursued by the controller is not compelling, the interests and rights of the data subject are more likely to prevail over the legitimate but less significant interest of the controller. At the same time, this does not mean that a less compelling interest of the controller cannot sometimes prevail over the interests and rights of the data subjects: this typically happens when the impact of the processing on the data subjects is also less significant." It gives the following example: "To illustrate: controllers may have a legitimate interest in getting to know their customers' preferences so as to better personalise their offers and, ultimately, offer products and services that better meet the needs and desires of their customers. In light of this, Article 7(f) may be an appropriate legal basis for some types of marketing activities, online and offline, provided that appropriate safeguards are in place (including, among others, a workable mechanism to object to such processing under Article 14(b), as will be explained in Section III.3.6, 'The right to object and beyond'). However, this does not mean that controllers can rely on Article 7(f) as a legal basis to unduly monitor the online and offline activities of their customers, combine vast amounts of data about them from different sources that were initially collected in other contexts and for different purposes, and create (and, for example, through the intermediation of data brokers, also trade in) complex profiles of the customers' personalities and preferences without their knowledge, without a workable mechanism to object, let alone informed consent.
Such profiling is likely to represent a significant intrusion into the customer's privacy and, where that is the case, the interests and rights of the data subject will prevail over the controller's interest." Ultimately, the existence of such an interest on the controller's side does not necessarily mean that Article 6(1)(f) GDPR can be relied on as the legal basis for the processing. Whether or not it can will depend on the outcome of the balancing test. In addition, the processing must be necessary to satisfy the legitimate interest pursued by the controller, so that less invasive means serving the same purpose are always to be preferred. Necessity here means that the processing is essential to satisfying that interest, so that, if the objective can reasonably be achieved by other, less impactful or intrusive means, legitimate interest cannot be invoked. The term "necessary" used in Article 6(1)(f) GDPR has, in the view of the CJEU, its own independent meaning in Community law; it is an "autonomous concept of Community law" (CJEU judgment of 16 December 2008, Case C-524/2006, paragraph 52). The European Court of Human Rights (ECtHR) has also offered guidance on interpreting the concept of necessity. In paragraph 97 of its judgment of 25 March 1983 it states that the adjective "necessary" is not synonymous with "indispensable", nor does it have the flexibility of such expressions as "admissible", "ordinary", "useful", "reasonable" or "desirable". On the impact that the processing has on the interests or fundamental rights and freedoms of the data subjects, the Opinion indicates that the more "negative" or "uncertain" the impact of the processing may be, the less likely it is that the processing as a whole can be considered legitimate.
"The Working Party makes clear that it is crucial to understand that the relevant 'impact' is a much broader concept than harm or damage to one or more specific data subjects. 'Impact' as used in this Opinion covers any possible (potential or actual) consequences of the data processing. For the sake of clarity, we also emphasise that the concept is unrelated to the notion of a personal data breach and is much broader than the consequences that may flow from such a breach. Rather, the notion of impact as used here encompasses the various ways in which an individual may be affected, positively or negatively, by the processing of their personal data." "In general, the more negative or uncertain the impact of the processing may be, the less likely it is that the processing as a whole will be considered legitimate. The availability of alternative methods of achieving the objectives pursued by the controller, with a less negative impact on the data subject, should certainly be a relevant consideration in this context." As sources of potential impact on data subjects, the Opinion cites the likelihood that the risk materialises and the severity of the consequences, noting that this concept of "severity may also take into account the number of persons potentially affected". It also points to the assessment of the nature of the personal data processed and to whether the data have been made publicly available by the data subject or by a third party, a fact that, says the Opinion, may be an assessment factor, especially as to whether the publication was carried out with a reasonable expectation of the data being reused for certain purposes: "…does not mean that data that appear innocuous in themselves can be freely processed… even such data, depending on how they are processed, may have a significant impact on individuals".
Also relevant is the way in which the controller processes the data: whether they have been disclosed to the public or otherwise made available to a large number of people, or whether large amounts of data are processed or combined with other data ("for example, in the case of profiling, for commercial purposes, for purposes of law enforcement or otherwise"). On this point the Opinion states: "Apparently innocuous data, when processed on a large scale and combined with other data, may lead to inferences about more sensitive data, as demonstrated in Scenario 3 above, which gives as an example the relationship between pizza consumption patterns and health insurance premiums. In addition to potentially leading to the processing of more sensitive data, such analysis may also lead to uncanny, unexpected and sometimes inaccurate predictions, for example concerning the behaviour or personality of the individuals concerned. Depending on the nature and impact of these predictions, this may be highly intrusive to the individual's privacy." All this without forgetting the reasonable expectations of the data subjects: "…it is important to consider whether the status of the controller, the nature of the relationship or the service provided, or the applicable legal or contractual obligations (or other promises made at the time of data collection) could give rise to reasonable expectations of stricter confidentiality and stricter limitations on further use. In general, the more specific and restrictive the context of collection, the more constraints there are likely to be on further use. Here again, it is necessary to take into account the factual context rather than simply relying on the small print of the text."
The Opinion also considers it pertinent, when assessing the impact of the processing, to analyse the respective positions of the controller and the data subject: the controller's position may be more or less dominant vis-à-vis the data subject depending on whether the controller is an individual, a small organisation or a large company, even a multinational: "A multinational company may, for example, have more resources and bargaining power than the individual data subject and may therefore be in a better position to impose on the data subject what it considers to be its 'legitimate interest'. This may be all the more so if the company has a dominant position in the market." When weighing the interests and rights at stake, WP29 takes the view that compliance with the general obligations imposed by the rules, including the principles of proportionality and transparency, helps to ensure that the requirements of legitimate interest are met, although it clarifies that this does not mean that fulfilling those horizontal requirements is, by itself, always sufficient. If, after the assessment, it is still not clear how the balance falls, adopting additional safeguards can help reduce undue impact and ensure that the processing may be based on legitimate interest. Among such additional measures it includes, for example, the provision of voluntary and unconditional opt-out mechanisms, or increased transparency: "The notion of accountability is closely linked to the notion of transparency.
In order to allow data subjects to exercise their rights and to allow wider public scrutiny, the Working Party recommends that controllers explain to data subjects, clearly and in a user-friendly manner, the reasons why they believe their interests prevail over the interests or fundamental rights and freedoms of the data subjects, and also explain the safeguards they have adopted to protect personal data, including, where appropriate, the right to opt out of the processing." "As explained on page 46 of Opinion 3/2013 of the Working Party on purpose limitation (cited in footnote 9 above), in the case of profiling and automated decision-making, data subjects or consumers must be given access to their profiles, as well as to the logic of the decision-making process (algorithm) that led to the development of those profiles, in order to ensure transparency. In other words, organisations should disclose their decision-making criteria. This is a fundamental safeguard and is particularly important in the world of big data. Whether or not an organisation offers this transparency is a very relevant factor that should also be considered in the balancing test." In addressing the right to object and the opt-out mechanism, or unconditional right to object, WP29 reflects on advertising based on customer profiles, which requires tracking the activities and personal data of the data subjects, analysed with sophisticated automated methods.
It concludes as follows: "In this respect, it is useful to recall the Working Party's Opinion on purpose limitation, which specifically stated that where an organisation wishes to analyse or predict the personal preferences, behaviour and attitudes of individual customers which will subsequently inform 'measures or decisions' taken with regard to those customers… free, specific, informed and unambiguous 'opt-in' consent would almost always be required, as otherwise the further use cannot be considered compatible. Importantly, such consent should be required, for example, for tracking and profiling for purposes of direct marketing, behavioural advertising, data brokering, location-based advertising or tracking-based digital market research." The "Framework Agreement" contains the following information on these processing operations based on CAIXABANK's legitimate interest: "7.3.5 Processing based on legitimate interest. Unless you have told us, or tell us in the future, otherwise, we will send you updates and information about products or services similar to those you have already contracted. We will also process your information (account movements, card movements, loans, etc.) to personalise your commercial experience in our channels based on previous uses, to offer you products and services that fit your profile, to apply benefits and promotions that we have in force and to which you are entitled, and to assess whether we can assign you pre-approved credit limits that you can use when you consider it most appropriate. In these processing operations we will only use information provided by you, or generated from the products contracted during the last year. If you do not want these processing operations to be carried out, you can object to them by notifying us at any of our branches, at P.O.
Box No. 209, Valencia (46080), at the web address www.CaixaBank.com/ejerciciodederechos, or through the options provided for this purpose in your digital banking and in our mobile applications." For any other commercial use, consent will be requested, as set out in the following clause. According to CAIXABANK, legitimate interest is the legal basis for the processing carried out for the "commercial purposes" indicated in section 7.3.5 of the "Framework Agreement" (erroneously placed within the subsection devoted to "Processing of personal data for regulatory purposes") and in section 03 of the "Privacy Policy" (whose content is similar to the above): sending information and updates about products or services similar to those the customer has already contracted; personalising the customer's commercial experience in the entity's channels based on previous uses, to offer products and services that fit the customer's profile, to apply benefits and promotions in force to which the customer is entitled, and to assess whether pre-approved credit limits can be assigned for the customer to use when they consider it most appropriate. However, as stated in the preceding Legal Ground, it has been proven that CAIXABANK carries out other processing of personal data based on legitimate interest of which the customer is unaware and about which the customer is not informed in any case, and which, given the breadth of personal data used and the different purposes for which they are processed, affects multiple aspects of the customer's personal life, so that such processing is considered unlawful. Among them the following were mentioned: (…) In relation to the processing of data for commercial purposes based on legitimate interest referred to in the "Framework Agreement" and in the "Privacy Policy", during the evidentiary phase, (…), CAIXABANK stated that it was not carrying out the following processing operations:
* Sending information about products or services similar to those you have already contracted, or information that we believe may be of interest to you or that you may reasonably expect to receive.
* Studying the information we hold about you (account movements, card movements, loans, etc.) to personalise your experience with the Entity, for example by displaying your most common operations first at ATMs and on websites, or by offering products and services that fit your profile and applying the benefits and promotions in force at any given time.

However, in its brief of allegations, (…), according to which the data of those customers who have not consented to the processing of their data for commercial purposes, or who have revoked consent previously given for that purpose, are not processed on the basis of legitimate interest. It adds that, on this basis, it only processes the personal data of those who were asked and did not reply, that is, who have signed neither the "Framework Agreement" nor the "Consent Agreement". It follows that it is carrying out these processing operations. (…) In relation to these processing operations for "commercial purposes" based on legitimate interest, it was also noted, when dealing with the duty to inform, that they are similar to processing operations that CAIXABANK bases on the customer's consent, and the consequences of that circumstance for the validity of those operations were set out.
Specifically, making personalised offers, applying benefits and promotions or assigning pre-approved credit are processing operations similar to those described when citing other purposes based on consent ("Studying products or services that may fit your profile and specific commercial or credit situation, all in order to make commercial offers tailored to your needs and preferences"), which means that the description of the purposes and the enumeration of processing operations contained in the information provided causes confusion for the data subjects. In this way, processing based on legitimate interest is similar to other processing carried out on the basis of the customer's consent, consent which, moreover, is not validly given, as discussed above. This could lead to a situation in which processing is carried out on the basis of legitimate interest that the data subject had refused. Furthermore, given that CAIXABANK records personal data "derived from the Commercial Relations, or from the Commercial Relations of CAIXABANK and the CaixaBank Group companies with third parties", it is not possible to tell whether the sending of "information and updates about products or services similar to those already contracted" refers to its own products, those of Group companies or those of third parties. The observations already made about the use of data collected from products of Group companies or third parties apply here too. It was also noted that the information provided does not specify any legitimate interest of CAIXABANK, being limited to indicating the processing carried out on this legal basis.
Therefore, the circumstances set out in the Legal Ground on the failure to justify the legitimate interest sufficiently to allow the balancing test between the controller's interest and the data subject's rights, so as to determine which prevails, which is necessary to establish the lawfulness of the processing carried out, are reiterated. We also reiterate what has already been said about the insufficient information provided on the categories of data that will be used and on the determination of the purposes, or on the types of profiles that will be built and the specific uses and applications that will be made of those profiles; and, especially, the lack of information on the specific interest of the controller, which is not expressed, given the limitations and difficulties, if not impediment, that this entails when assessing whether a prevailing, real and non-speculative legitimate interest exists. Likewise, what has already been said about the language used; the vagueness of the purposes for which the personal data will be used ("know the customer better", "improve products and services", "develop the business model", etc.) and the exhaustive analysis of customer-related information that such purposes entail; and the types of profiles to be built and the specific uses and applications to which those profiles will be put. Carrying out the balancing test in this case also requires assessing the breadth of the types of data collected by CAIXABANK, and doing so in conjunction with the points highlighted in the preceding paragraphs, especially the uncertainty of the purposes for which personal data are processed. The consequence is that the processing carried out is not predictable for an average citizen.
This being so, it is impossible for the data subject, or for this supervisory authority, to assess whether the processing operations carried out are necessary or whether, on the contrary, the same result could be obtained by less invasive means; still less can it be concluded that the interest invoked prevails. This legal basis requires the existence of interests that are real, not speculative, and, moreover, legitimate. And the mere existence of that legitimate interest does not mean that those processing operations may be carried out: the processing must also be necessary to satisfy that interest, and the impact on the data subject must be considered. In this case, data are combined in a manner whose scope has not been defined, and profiling is carried out to offer products and services that fit the resulting profile, to apply benefits and promotions that CAIXABANK has in force and to which the customer is entitled, and to assess whether credit limits can be assigned for the customer to use when they see fit. The intrusion into the data subject's privacy may therefore be high and the effects may be negative. Given the limitations set out, the suitability (whether the measure achieves the intended objective), necessity (whether there is no more moderate measure) and proportionality in the strict sense (more benefits or advantages than harm) of the processing indicated above have not been established. In addition to the above, the following circumstances are taken into account:

* The lack of transparency about the logic of the processing consisting in profiling, which may lead to discrimination in the products offered and to a potential financial impact that may be excessive.
* The high number of persons affected, as well as the large amount of data processed and combined with other data. Such combination of data, given the lack of definition of the data to be used, does not respect the proportionality referred to above, nor does it allow the balancing test needed to assess whether there is a legitimate interest justifying the processing.
* The dominant position of the controller over the data subject, as a large company and one of the market leaders in its sector.

Particular importance must also be given to the absence of additional measures or safeguards which, although not required by the applicable rules, are considered good practice favouring recognition of the controller's legitimate interest where the balancing test does not make clear how the balance falls, insofar as they reduce the impact of the processing on the data subject's privacy. Among them are increased transparency and the provision of opt-out mechanisms. As regards transparency, CAIXABANK does not make available to data subjects its legitimate interest balancing report or its impact assessments. Nor does CAIXABANK offer opt-out mechanisms. It merely informs of the possibility of exercising the right to object, which is nothing more than a legal requirement. That right requires a fresh balancing exercise, in accordance with Article 21 GDPR ("the controller shall no longer process the personal data unless the controller demonstrates compelling legitimate grounds for the processing which override the interests, rights and freedoms of the data subject"), and has nothing to do with the recommended opt-out or unconditional opt-out mechanisms. In summary, contrary to what CAIXABANK stated in its allegations, and in accordance with the foregoing, it is proven that this entity processes its customers' personal data on the basis of legitimate interest, including processing for commercial purposes.
On the other hand, for the reasons stated, it has not been proven that the interest CAIXABANK invokes prevails over the interests and fundamental rights and freedoms of its customers, and the safeguards offered are not sufficient to redress the imbalance that these processing operations create. Consequently, it must be concluded that CAIXABANK's legitimate interest does not prevail and cannot serve as a lawful basis for the processing. CAIXABANK alleges that the AEPD concludes that the suitability, necessity and proportionality of these processing operations cannot be determined, and that the intrusion into the data subject's privacy may be high, without providing any evidence to that effect. However, it is for CAIXABANK to prove the existence of the legitimate interest for the processing operations it intends to base on this legal ground, and for CAIXABANK to specify the interest pursued and carry out the balancing test that justifies it. Also on this point, it refers to the changes introduced in the New Privacy Policy, implying with these alleged corrections that no liability arises from the facts analysed, which must be rejected outright as inappropriate. Specifically, it alleges that it has eliminated processing based on legitimate interest for commercial purposes, but omits any reference to the other circumstances that determine the unlawfulness of the processing analysed in this section, processing which is not carried out exclusively for commercial purposes.
Finally, it should be noted that the conclusion reached in this examination does not contradict what is stated in Report 195/2017 of the AEPD Legal Office, to which CAIXABANK refers both in the aforementioned impact assessment, which contains the legitimate interest balancing report, and in its brief of allegations. The premises assessed in that report do not match the present case, in which the personal data processing examined has a much broader scope than that analysed in the report, both as regards the purposes of the processing and as regards the information or personal data used.

- Other processing of personal data without a legal basis. Communication of data to CaixaBank Group companies.

It is also necessary to analyse the transfer of data to CaixaBank Group companies provided for in the "Framework Agreement", on which the data subject is not consulted. It is reiterated here that this document is presented as one the customer must sign, expressly stating that by signing it the customer "knows, understands and accepts its content". It also states that its terms and conditions apply generally to all "commercial relationships" of the data subject "with CaixaBank and the CaixaBank Group companies, and therefore the signing and validity of this Agreement, respecting the corresponding rights of choice that the clause grants the Signatory, is necessary for contracting and maintaining contracts for products or services". In the same section on the object of the agreement, it states that it "informs and regulates" the "authorisations for the use of the Signatory's data to carry out the commercial activity of CaixaBank and the CaixaBank Group companies".
References to the CaixaBank Group companies appear throughout the "Framework Agreement" and place them, practically, at the same level of involvement as CAIXABANK: "7.1 Processing of personal data in order to manage the Commercial Relationships. The personal data of the Signatory, both those provided by the Signatory and those derived from the Commercial Relationships, or from the Commercial Relationships of CaixaBank and the CaixaBank Group companies with third parties, and those generated from them, will be incorporated into files owned by CaixaBank and the CaixaBank Group companies that hold the Commercial Relationships…". "8. Processing and transfer of data for commercial purposes by CAIXABANK and the CaixaBank Group companies based on consent. This document will include on its first page, under the heading of authorisations for data processing, the authorisations you grant or revoke in relation to: (i) data analysis and study processing for commercial purposes by CaixaBank and the CaixaBank Group companies; (ii) processing for the commercial offer of products and services by CaixaBank and the CaixaBank Group companies; (iii) the transfer of data to third parties. In order to make a global offer of products and services available to you, your authorisation for (i) data analysis and study processing and (ii) the commercial offer of products and services, if granted, will cover CaixaBank and the CaixaBank Group companies listed at www.CaixaBank.es/empresasgrupo (the "CaixaBank Group companies"), which may share and use the data for the indicated purposes. The authorisations you grant will remain in effect until revoked or, failing that, until 6 months after you cancel all your products or services with the Entity.
The detail of the uses of the data that will be made in accordance with your authorisations is as follows… (already detailed above)". "The data that will be processed for the purposes of (i) data analysis and study and (ii) the commercial offer of products and services will be… (already detailed above)". "11.3 Data retention period… In accordance with the regulations, the data will be kept for the sole purpose of complying with the legal obligations imposed on CaixaBank and/or the Group Companies…". The "Privacy Policy" also refers to the "exchange of commercial information among the CaixaBank Group companies". The concept of "group of undertakings" is defined in Article 4(19) GDPR: "'group of undertakings' means a controlling undertaking and its controlled undertakings". On the scope to be given to this concept under the GDPR, Recitals 37 and 48 of the Regulation must be considered: "(37) A group of undertakings should cover a controlling undertaking and its controlled undertakings, whereby the controlling undertaking should be the undertaking which can exert a dominant influence over the other undertakings by virtue, for example, of ownership, financial participation or the rules which govern it or the power to have personal data protection rules implemented. An undertaking which controls the processing of personal data in undertakings affiliated to it should be regarded, together with those undertakings, as a group of undertakings." "(48) Controllers that are part of a group of undertakings or institutions affiliated to a central body may have a legitimate interest in transmitting personal data within the group of undertakings for internal administrative purposes, including the processing of clients' or employees' personal data. The general principles for the transfer of personal data, within a group of undertakings, to an undertaking located in a third country remain unaffected."
The CaixaBank Group can, in principle, be understood to fall within this concept from the point of view of personal data protection, with CAIXABANK as the controlling undertaking. But the exchange of information that CAIXABANK carries out in favour of the CaixaBank Group companies does not fall within the operations that may be based on the legitimate interest referred to in Recital 48, which concerns the transmission of personal data within the group of undertakings "for internal administrative purposes". That has nothing to do with the data transfers referred to in the "Framework Agreement" and the purposes for which they are intended. This does not exclude that other communications of personal data, for other purposes, could be admissible and justified by the concept of group of undertakings, even on the basis of legitimate interest. To all this must be added the defects found in the information provided that have been pointed out in this decision. CAIXABANK does not even state the legal basis that justifies this global exchange of information with the CaixaBank Group companies. Nor does any of the consents requested from customers refer to this transfer of CAIXABANK customers' personal data to CaixaBank Group companies, which cannot be considered covered by the three consents collected. In addition to the objections noted regarding the validity of the consents given by customers, this transfer of data constitutes a specific purpose in itself, which requires an expression of the customer's will by which the customer consents to that communication of personal data being carried out. CAIXABANK does not collect specific consent from its customers for this transfer of data.
This lack of design or provision of a specific mechanism to collect clients' consent for the transfer of data to Group companies is not remedied by the client's signature of the aforementioned "Framework Contract", which occurs without the client receiving accurate information and does not imply any statement by the customer about the use of their personal data by the CaixaBank Group companies. That use entails the prior transfer of the data by CAIXABANK to the Group companies without the data subject having expressed any wish in this regard, that is, without the data subject's consent. Acceptance through a single action, such as signing the contract, invalidates the consent given by the data subject with regard to the use of the data for purposes other than the performance of the contract or business relationship between the data subject and the controller or, what amounts to the same, with respect to all processing operations that require a differentiated and granular consent. In relation to the communication of data to the CaixaBank Group companies, this explicit and separate consent would require allowing the selection of the specific company or companies to which the consent to the transfer refers. Recall the requirement that "consent should be given by a clear affirmative act establishing a freely given, specific, informed and unambiguous indication of the data subject's agreement to the processing of personal data relating to him or her", it being understood that "inactivity should not constitute consent" (Recital 32). Consent must also be given for all processing activities carried out for the same purpose or purposes and, when the processing has several purposes, consent must be given for all of them by means of a manifestation of will expressed for each purpose separately and distinctly, allowing the data subject to choose all, some or none of them.
Consent cannot be considered freely given, as the data subject has not been allowed "to give separate consent to different personal data processing operations despite it being appropriate in the individual case" (Recital 43). The Article 29 Working Party, in its document "Guidelines on consent under Regulation 2016/679", cited several times above, refers to the separation of the purposes of processing and the freedom of data subjects to choose which purposes they accept, instead of having to consent to a bundle of purposes. It adds that "When data processing is done in pursuit of several purposes, the solution to comply with the conditions for valid consent lies in granularity, i.e. the separation of these purposes and obtaining consent for each purpose", and gives the following example: "[Example 7] Within the same consent request a retailer asks its customers for consent to use their data to send them marketing by email and also to share their details with other companies within their group. This consent is not granular as there is no separate consent for these two separate purposes, therefore the consent will not be valid. In this case, a specific consent should be collected to send the contact details to commercial partners. Such specific consent will be deemed valid for each partner (see also section 3.3.1) whose identity has been provided to the data subject at the time of the collection of his or her consent, and insofar as it is sent to them for the same purpose (in this example: a marketing purpose)." Therefore, all data transfers made by CAIXABANK to CaixaBank Group companies are unlawful. Likewise, all processing carried out by CAIXABANK of personal data provided by the entities belonging to the CaixaBank Group, relating to clients of the latter, is considered irregular or unlawful.
Apart from this exchange of information, Clause 8 of the "Framework Contract" states that the client grants authorisation "in relation to: (i) The analysis and study processing of data for commercial purposes by CaixaBank and the CaixaBank Group companies; (ii) The processing for the commercial offer of products and services by CaixaBank and the CaixaBank Group companies". With this, CAIXABANK intends that data subjects give, to CAIXABANK itself, their consent for other Group companies to carry out personal data processing, which cannot be accepted. CAIXABANK has stated in its allegations that the CaixaBank Group operates under a single brand concept, with that entity as its axis. It indicates that this circumstance carries over to the various facets of data processing, including the management of consents for commercial processing purposes, which are carried out jointly in the context of the Group's activities for the same purpose and with the same means, in relation to data for which the Group entities are joint controllers. It adds that each entity has its own database (and only accesses the data necessary for the provision of its services), but that all of them have "a kind of shared responsibility", they are joint controllers of the processing, so there is no purpose of its own in the transfer that would justify obtaining a separate consent. On the other hand, CAIXABANK alleges that this "integration of all databases" is a regulatory requirement for correct risk management and is necessary for compliance with legal obligations, which must be supported by the coordinated management of information. But even in this risk management, the risk of the business group that must be quantified for regulatory purposes must be distinguished from individual risk, which should only be assessed by the entity with which the data subject maintains a contractual relationship.
In any case, nothing is said to the client about this joint controllership (in the "Framework Contract", when reporting on regulatory purposes, reference is made only to the responsibilities and obligations of CAIXABANK). Finally, CAIXABANK notes that this issue was the subject of an impact assessment, which it does not provide. CAIXABANK, however, has not shown that we are faced with a case of joint controllership, beyond the exchanges of information between CaixaBank Group companies that are necessary for regulatory purposes or for compliance with a legal obligation, which are not questioned in these proceedings. In this case, neither the attribution of responsibilities between the different Group companies required by the RGPD, nor the functions and obligations of these companies in their relationship with data subjects, has been established; nor is there any evidence of the corresponding arrangement regulating these circumstances in a transparent manner, which, moreover, must be made available to data subjects. The obligation to formalise that arrangement determining the respective responsibilities, as well as to make its essential aspects available to data subjects, is established in Article 26 of the GDPR: "Article 26 Joint controllers 1. Where two or more controllers jointly determine the purposes and means of processing, they shall be joint controllers. They shall in a transparent manner determine their respective responsibilities for compliance with the obligations under this Regulation, in particular as regards the exercising of the rights of the data subject and their respective duties to provide the information referred to in Articles 13 and 14, by means of an arrangement between them unless, and in so far as, the respective responsibilities of the controllers are determined by Union or Member State law to which the controllers are subject.
The arrangement may designate a contact point for data subjects. 2. The arrangement referred to in paragraph 1 shall duly reflect the respective roles and relationships of the joint controllers vis-à-vis the data subjects. The essence of the arrangement shall be made available to the data subject. 3. Irrespective of the terms of the arrangement referred to in paragraph 1, the data subject may exercise his or her rights under this Regulation in respect of and against each of the controllers." On the contrary, considering the data used by the CaixaBank Group and the uses for which they are intended, already detailed in the Legal Grounds analysing the information offered to customers, it follows that the exchange of all information between all the companies that make up the Group responds rather to "commercial" purposes unrelated to the contractual relationship, such as carrying out commercial actions and designing new products or services, for which all data relating to the client available in all Group companies are used: those provided by the data subject and those that "are generated in the contracting and operation of products and services" with CaixaBank and with the CaixaBank Group companies, including the profiles built from such data. CAIXABANK even stated that it had arranged for clients' consent to the processing of their personal data for "commercial purposes" to be collected at "Group" level, jointly for all the companies of the "group". This exchange, as has been said, takes place between all the Group companies, that is, each of the companies that make up the Group shares the personal data registered in its information systems with all the others. It was stated that the data would be managed "from a common information repository of the CaixaBank Group companies".
Thus, the exchange does not take place only between CAIXABANK and the rest, or between them and CAIXABANK only. Although the present procedure is intended to analyse the infringements attributed to CAIXABANK and does not extend to the rest of the Group companies, this global exchange is noted in order to put on record the irregular conduct that has been taking place. If to that we add the detail of the companies that make up the CaixaBank Group and the specific commercial activity that each of them carries out, the irregularity is even more apparent. Obviously, there cannot be joint controllership of all the CaixaBank Group companies in relation to the processing of data entailed by a contract, of whatever type, that a client formalises with one of them. If more than one company is involved in the contract, the rest of the companies, which do not participate in any way in that contract, cannot be considered joint controllers. It is enough to examine the entities that make up the CaixaBank Group and the purpose of their businesses to conclude that this global joint controllership cannot occur, which would mean admitting that all of them act as controllers of the processing of the customer data of any of these companies, even if they do not participate in the specific contractual relationship formalised by the client. The Privacy Policy contains the following detail:
* "Your bank: CAIXABANK, SA
* The issuer of your credit and debit cards: CAIXABANK PAYMENTS, EFC, EP, SAU
* The issuer of your prepaid cards: CAIXABANK ELECTRONIC MONEY, EDE, SL
* Your insurer: VIDACAIXA, SAU DE SEGUROS Y REASEGUROS
* The marketer of your funds: CAIXABANK ASSET MANAGEMENT, SGIIC, SAU
* Your social bank, expert in microcredits: NUEVO MICRO BANK, SAU
* Your consumer finance company: CAIXABANK CONSUMER FINANCE, EFC, SAU
* Your renting company: CAIXABANK EQUIPMENT FINANCE, SAU
* Your e-commerce company: PROMOCAIXA, SA
* The company that manages payments in your stores: COMERCIA GLOBAL PAYMENTS, EP, SL".
Nor does the involvement of more than one Group company in the relationship formalised by the client determine, without more, the joint controllership of both. Each case will have to be analysed to reach the appropriate conclusion in this regard. It so happens that some of these activities, and the relationships that link each company with the client, are expressly regulated in a legal rule which provides for the nature of their participation from the point of view of personal data protection, so that it cannot be left to the will of these companies to establish a different framework. A clear example is found in the rules governing private insurance mediation, for cases in which a financial institution, or commercial companies controlled by it or in which it holds a stake, enter into an insurance agency contract with an insurance company and carry out the activity of insurance mediation as an insurance agent using the distribution networks of the credit institution, taking on the status of bancassurance operator. In these cases, Article 62 of Law 26/2006, of 17 July, on private insurance and reinsurance mediation states that, for the purposes of the LOPD, "a. Exclusive insurance agents and exclusive bancassurance operators shall have the status of processors of the insurance company with which they have concluded the corresponding agency contract, in the terms provided for in this Law". This rule has been repealed by Royal Decree-Law 3/2020, of 4 February, on urgent measures transposing into the Spanish legal system various European Union directives in the field of public procurement in certain sectors; private insurance; pension plans and funds; and the tax field and tax litigation. This Royal Decree-Law does not modify the previous scheme: "Article 203. Status as controller or processor. 1.
For the purposes of Organic Law 3/2018, of 5 December, and of Regulation (EU) 2016/679 of the European Parliament and of the Council, of 27 April 2016, on the protection of natural persons with regard to the processing of personal data and on the free movement of such data: a) Insurance agents and bancassurance operators shall have the status of processors of the insurance company with which they have entered into the corresponding agency contract, in the terms provided for in Title I". "Article 204. Other data protection rules. 2. Insurance agents and bancassurance operators may only process the data of data subjects within the terms and scope of the insurance agency contract, and always in the name and on behalf of the insurance company with which they have entered into that contract. Bancassurance operators may not process the data relating to their intermediary activity for purposes of their own corporate object without the unequivocal and specific consent of the person concerned". In any case, the exchange of information designed by CAIXABANK and the CaixaBank Group companies does not fit the concept of "joint controllership", which is established for specific processing operations, "where two or more controllers jointly determine the purposes and means of processing", and which requires a decision-making power of all the controllers that is not present in this case. In accordance with the foregoing, the allegations to the proposed resolution made by CAIXABANK, in which it states that there is no undue transfer of personal data but rather that a joint controllership regime, transparent for data subjects, is established, deriving from the direct collection of the data by the companies within the scope of joint controllership and from joint participation in the determination of purposes and means, cannot be upheld.
There is no joint controllership regime, nor can it be said that it was transparent to clients. In fact, CAIXABANK had no joint controllership arrangement at any earlier time, so it was never previously able to make available to data subjects the essential aspects of an arrangement that did not exist. Not even in the earlier phases did it allege this joint controllership; it referred to the matter in its allegations to the agreement to initiate the procedure, noting that all the Group companies have "a sort of shared responsibility", as already indicated. Nor does its Record of Processing Activities include operations in which CAIXABANK intervenes as joint controller. It was only in its allegations to the proposed resolution that CAIXABANK raised this claim and provided a "Joint Controllership Agreement", which appears in the "Sixth Allegation" of that brief among the new measures implemented, and which appears unsigned by the entities supposedly involved in its formalisation. In its allegations on the graduation of the sanction, it refers to data transfers made within the framework of "the de facto, and now formal, joint controllership". However, this agreement does not remedy the irregular situation maintained during the period prior to the opening of the procedure. On the other hand, CAIXABANK has not provided the essential information needed to have sufficient elements to assess whether the conditions for that joint controllership are met, from a factual and not merely formal point of view, in each of the processing operations referred to in the agreement provided, considered case by case; nor to conclude whether all the entities have complied with the regulatory provisions, especially those relating to the duty of transparency and the existence of a legal basis for the processing.
While it can be said, as indicated above, that CAIXABANK has not complied with these provisions in relation to the exchange of information about its customers with the companies that make up the Group, neither would they be met in relation to these alleged joint processing operations, about which clients have not been duly informed and for which there is no legal basis. (…) Finally, it is considered appropriate to cite Guidelines 07/2020 on the concepts of controller and processor in the RGPD, adopted by the EDPB (CEPD) on 2 September 2020, in which joint controllership is excluded for the use for advertising purposes of a database shared by a group of companies: "Joint controllership can also be excluded in a situation where several entities use a shared database or a common infrastructure, if each entity independently determines its own purposes. Example: Marketing operations in a group of companies using a shared database. A group of companies uses the same database for the management of clients and prospective clients. Such database is hosted on the servers of the mother company which is therefore a processor of the companies with respect to the storage of the data. Each entity of the group enters the data of its own clients and prospective clients and processes such data for its own purposes only. Also, each entity decides independently on the access, the retention periods, the correction or deletion of their clients' and prospective clients' data. They cannot access or use each other's data. The mere fact that these companies use a shared group database does not as such entail joint controllership. Under these circumstances, each company is thus a separate controller."
Consequently, in accordance with the above findings, the facts set out in this Legal Ground constitute an infringement of Article 6 of the RGPD, in relation to Article 7 of the same legal text and Article 6 of the LOPDGDD, which gives rise to the application of the corrective powers that Article 58 of the RGPD grants to the Spanish Data Protection Agency.

VIII

Article 22 of the RGPD allows "automated individual decision-making, including profiling" if such a decision is necessary for the performance of a contract, is authorised by Union or Member State law, or is based on the consent of the data subject, which entails compliance with the obligation to provide information about it. That article establishes the following: "Article 22. Automated individual decision-making, including profiling 1. The data subject shall have the right not to be subject to a decision based solely on automated processing, including profiling, which produces legal effects concerning him or her or similarly significantly affects him or her. 2. Paragraph 1 shall not apply if the decision: a) is necessary for entering into, or performance of, a contract between the data subject and a data controller; b) is authorised by Union or Member State law to which the controller is subject and which also lays down suitable measures to safeguard the data subject's rights and freedoms and legitimate interests; or c) is based on the data subject's explicit consent. 3. In the cases referred to in points (a) and (c) of paragraph 2, the data controller shall implement suitable measures to safeguard the data subject's rights and freedoms and legitimate interests, at least the right to obtain human intervention on the part of the controller, to express his or her point of view and to contest the decision. 4.
Decisions referred to in paragraph 2 shall not be based on special categories of personal data referred to in Article 9(1), unless point (a) or (g) of Article 9(2) applies and suitable measures to safeguard the data subject's rights and freedoms and legitimate interests are in place." Furthermore, Recitals 71 and 72 of the RGPD are taken into account. "(71) The data subject should have the right not to be subject to a decision, which may include a measure, evaluating personal aspects relating to him or her which is based solely on automated processing and which produces legal effects concerning him or her or similarly significantly affects him or her, such as automatic refusal of an online credit application or e-recruiting practices without any human intervention. Such processing includes 'profiling' that consists of any form of automated processing of personal data evaluating the personal aspects relating to a natural person, in particular to analyse or predict aspects concerning the data subject's performance at work, economic situation, health, personal preferences or interests, reliability or behaviour, location or movements, where it produces legal effects concerning him or her or similarly significantly affects him or her. However, decision-making based on such processing, including profiling, should be allowed ... where the data subject has given his or her explicit consent. In any case, such processing should be subject to suitable safeguards, which should include specific information to the data subject and the right to obtain human intervention, to express his or her point of view, to obtain an explanation of the decision reached after such assessment and to challenge the decision. Such measure should not concern a child.
In order to ensure fair and transparent processing in respect of the data subject, taking into account the specific circumstances and context in which the personal data are processed, the controller should use appropriate mathematical or statistical procedures for the profiling, implement technical and organisational measures appropriate to ensure, in particular, that factors which result in inaccuracies in personal data are corrected and the risk of errors is minimised, secure personal data in a manner that takes account of the potential risks involved for the interests and rights of the data subject and that prevents, inter alia, discriminatory effects on natural persons on the basis of racial or ethnic origin, political opinion, religion or beliefs, trade union membership, genetic or health status or sexual orientation, or that result in measures having such an effect. Automated decision-making and profiling based on special categories of personal data should be allowed only under specific conditions. (72) Profiling is subject to the rules of this Regulation governing the processing of personal data, such as the legal grounds for processing or data protection principles…". The aforementioned rules prohibit decisions based solely on automated processing, including profiling, that produce legal effects concerning the data subject or similarly significantly affect him or her, unless such decisions are based on the data subject's explicit consent. An important aspect of automated individual decision-making is the use of personal data for building customer profiles, understood as any form of processing of personal data that evaluates personal aspects relating to a natural person.

According to Article 13.2.f) of the RGPD, the controller is obliged to inform about "the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject". The information that CAIXABANK offers its clients in the various documents under analysis refers expressly to profiling on numerous occasions and, on others, to purposes or processing operations that entail carrying out profiling. The "Privacy Policy" accessible through the CAIXABANK website, when referring to uses based on the consent of the data subject, states: "04 WE CANNOT HIDE IT FROM YOU: WE WANT TO KNOW YOU BETTER! (…) Uses based on your consent. Only if you authorise us when we ask, we would like to process all the data we have about you in order to get to know you better, that is, to study your needs so as to know which new products and services fit your preferences, and to analyse the information that allows us to determine in advance what your creditworthiness is. We would also send you product offers from all Group companies and third parties that we think may interest you". In Clause 8 of the "Framework Contract", so often referred to, CAIXABANK refers to the "Processing and transfer of data for commercial purposes by CaixaBank and the companies of the CaixaBank Group based on consent", which are grouped as follows: (i) Detail of the analysis, study and monitoring processing for the offer and design of products and services tailored to the customer's profile. (ii) Detail of the processing for the commercial offer of CaixaBank and CaixaBank Group products and services.
(iii) Transfer of data to third parties. These subsections correspond to three consents that are collected from the data subject and which are outlined on the first page of the document, under the heading "Authorisations for processing". The description of the first group of processing operations (i) in other documents or consent-collection channels is expressed as follows:
* Purpose of studies and profiling.
* Carry out studies and monitoring of operations; manage alerts for the products you have contracted; study products and services tailored to your CaixaBank Group profile.
* Authorisation for profiling and segmentation.
This first group of processing operations, "Detail of the analysis, study and monitoring for the offer and design of products and services adjusted to the client's profile", details five purposes: "By granting your consent to the purposes detailed here, you authorise us to: a) Proactively carry out risk analysis and apply statistical and customer-segmentation techniques, with a threefold purpose: 1) Study products or services that may be tailored to your profile and specific business or credit situation, all in order to make commercial offers tailored to your needs and preferences, 2) Monitor the products and services contracted, 3) Adjust recovery measures for defaults and incidents arising from the products and services contracted. b) Associate your data with those of companies with which you have some type of link, whether through ownership or management, in order to analyse possible economic interdependencies in the study of service offers, risk applications and product contracting. c) Carry out studies and automatic controls of fraud, defaults and incidents arising from products and services contracted ...". And in relation to these purposes, the following is indicated: "The processing operations indicated in sections (i), (ii) and (iii) may be carried out in an automated manner and entail profiling, for the aforementioned purposes.
To this end, we inform you of your right to obtain human intervention in the processing, to express your point of view, to obtain an explanation of the decision made on the basis of the automated processing, and to challenge that decision". CAIXABANK advises the client that the indicated processing operations may be carried out in an automated manner and lead to profiling. To this end, CAIXABANK informs clients of "their right to obtain human intervention in the processing, to express their point of view, to obtain an explanation of the decision made on the basis of the automated processing, and to challenge that decision". With this, CAIXABANK gives notice of profiling operations that correspond to the automated individual decisions regulated in Article 22 of the RGPD, such that these profiles will be used to make automated decisions with legal effects for the data subject or that similarly significantly affect him or her. In this case, as indicated, the data subject has the right to be informed under Article 13.2.f) of the RGPD, that information including all the matters that letter mentions, namely the logic involved, the significance and the envisaged consequences of the processing for the data subject, as well as the possibility of objecting to the adoption of these automated individual decisions, and the right to all the guarantees provided (in addition to specific information to the data subject: the right to obtain human intervention, to express their point of view, to obtain an explanation of the decision reached after such evaluation and to challenge the decision). The legal basis for these actions rests, according to the information provided to client data subjects, on their consent.
This information, together with the evidence of the irregularity of the consents given by CAIXABANK clients for the processing of their personal data, led to the imputation to that entity, in the agreement to open the procedure, of an alleged infringement of Article 22 of the RGPD. However, the instruction of the procedure has not confirmed that CAIXABANK carries out data processing as regulated in Article 22 of the RGPD, that is, that it makes decisions based solely on automated processing which produce legal effects concerning the data subject or similarly significantly affect him or her. Some data processing involves the use of profiles from which discriminatory effects for data subjects could result (such as, for example, pre-granted credit, prices adjusted to the client's profile, benefits and promotions). But there is no evidence that these processing operations fall under the concept of "automated individual decision" and that they actually produce legal effects or significantly affect the data subject. If so, CAIXABANK must consider the provisions of the aforementioned Article 22 of the RGPD and comply with the requirements expressed above, as well as the requirements for considering that consent has been validly given, if that were the legal basis. Consequently, it is deemed appropriate, for lack of evidence, to declare that there is no infringement in relation to the imputation of an alleged breach of Article 22 of the RGPD.
IX

In the event of an infringement of the provisions of the RGPD, among the corrective powers available to the Spanish Data Protection Agency as supervisory authority, article 58.2 of the Regulation provides the following:

"2. Each supervisory authority shall have all of the following corrective powers: (...) d) to order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period; (...) i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case;".

Under article 83.2 of the RGPD, the measure provided for in letter d) above is compatible with the sanction consisting of an administrative fine.

X

In the present case, the breach of the principle of transparency established in articles 12, 13 and 14 of the RGPD, as well as of the principle of lawfulness of processing regulated in article 6 of the same Regulation, with the scope set out in the preceding Bases of Law, entails the commission of the respective infringements typified in article 83.5 of the RGPD, which, under the heading "General conditions for imposing administrative fines", provides the following:

"Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines of up to EUR 20,000,000 or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher: a) the basic principles for processing, including the conditions for consent, pursuant to Articles 5, 6, 7 and 9; b) the rights of the data subjects pursuant to Articles 12 to 22;
(...)".

In this regard, article 71 of the LOPDGDD establishes that "The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those contrary to this Organic Law, constitute infringements".

For the purposes of the limitation period, articles 72 and 74 of the LOPDGDD state:

"Article 72. Infringements considered very serious. 1. On the basis of the provisions of article 83.5 of Regulation (EU) 2016/679, infringements that entail a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following: (...) b) The processing of personal data without any of the conditions for lawfulness of processing established in article 6 of Regulation (EU) 2016/679 being met. c) Failure to comply with the requirements of Article 7 of Regulation (EU) 2016/679 for the validity of consent. (...) k) The impediment or obstruction of, or repeated failure to attend to, the exercise of the rights established in articles 15 to 22 of Regulation (EU) 2016/679".

"Article 74. Infringements considered minor. The remaining infringements of a merely formal nature of the articles mentioned in paragraphs 4 and 5 of article 83 of Regulation (EU) 2016/679 are considered minor and will prescribe after one year, and in particular the following: a) Failure to comply with the principle of transparency of information or the data subject's right to information, by not providing all the information required by articles 13 and 14 of Regulation (EU) 2016/679".

In order to determine the administrative fine to be imposed, the provisions of articles 83.1 and 83.2 of the RGPD must be taken into account, which state:

"1.
Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive. 2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, the measures referred to in article 58, paragraph 2, letters a) to h) and j). When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following: a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage suffered by them; b) the intentional or negligent character of the infringement; c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to articles 25 and 32; e) any relevant previous infringement by the controller or processor; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; i) where the measures referred to in article 58, paragraph 2, have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures; j) adherence to codes of conduct pursuant to article 40 or to certification
mechanisms approved pursuant to Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."

For its part, article 76, "Sanctions and corrective measures", of the LOPDGDD provides: "1. The sanctions provided for in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of that article. 2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuing nature of the infringement. b) The connection between the offender's activity and the processing of personal data. c) The benefits obtained as a result of the commission of the infringement. d) The possibility that the conduct of the person affected could have induced the commission of the infringement. e) The existence of a merger by absorption after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. g) Having, when not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject".

In this case, considering the seriousness of the infringements found, the imposition of a fine, in addition to the adoption of measures, is appropriate.
In the alternative and for reasons of proportionality, CAIXABANK has requested that other corrective powers be applied that would allow the implementation of certain changes it has in progress to correct the errors in the information clauses and improve them, such as a warning, and points out that this measure has been applied in some cases to legal persons and not only to natural persons (it cites as examples procedures PS/00072/2019 and PS/00096/2019). In addition, should the foregoing request not be granted, it asks that the sanction be imposed in its minimum degree.

The request by CAIXABANK to apply other corrective powers, specifically the warning, cannot be accepted: the warning is intended for natural persons and for cases in which the sanction would constitute a disproportionate burden (recital 148 of the RGPD). In this case, unlike the precedents invoked by CAIXABANK, none of the circumstances that would support the application of a warning is present; for that purpose, obviously, other factors must also be considered, such as the infringement committed and its seriousness. In the present case, the irregularities committed are far more serious and have a far greater impact than CAIXABANK claims, seeking as it does to reduce the case analysed to a few simple defects in the information offered that deserve no reproach other than their correction. For the same reasons, and considering the graduation criteria indicated below, the request that the sanction be imposed in its minimum degree is also rejected.

In accordance with the provisions transcribed, in order to set the amount of the fines to be imposed on the defendant in the present case, as responsible for infringements typified in article 83.5.a) and b) of the RGPD, the fine corresponding to each of the infringements charged must be graduated as follows:

1.
Infringement of the provisions of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as minor for limitation purposes in article 74.a) of the LOPDGDD:

The following factors are considered to concur as aggravating factors revealing greater unlawfulness and/or culpability in CAIXABANK's conduct:

a) The nature, seriousness and duration of the infringement: the verified facts call into question the entire conduct of CAIXABANK as a whole, since the infringements result from the personal data management procedures designed by that entity to adapt those processes to the RGPD, which are considered irregular from the moment personal data are collected, thereby calling into question all the activity carried out by the responsible entity since the entry into force of the RGPD. It is taken into account, however, that this is not a case of a total absence of information; rather, the disputed facts result from not providing data subjects with sufficient and adequate information on the various processing operations carried out. In this regard, CAIXABANK alleges that the issues analysed in the procedure are not particularly serious, considering that all the information is provided, although the AEPD understands that it can be improved; that the infringement is classified as minor; and that it has not caused harm to the only two complainants, given that the processing operations carried out are those necessary for the conduct of its business. Contrary to what that entity states, the deficiencies found are understood to be particularly serious, since they affect substantive aspects of the principle of transparency and all the processing operations carried out, which are not limited to the processing necessary for the conduct of its business, as CAIXABANK indicates.
None of the precedents cited in the allegations can be assimilated in any way to the present case.

b) The intentionality or negligence found in the commission of the infringement: the proceedings have proved negligent conduct in relation to the violation of the personal data protection rules. The infringements found, given how evident they are, should have been noticed by an entity with CAIXABANK's characteristics and avoided when designing its personal data management processes. CAIXABANK understands that its establishment of clear procedures for information and the provision of consents means that this graduation criterion should be considered mitigating, without taking into account that the infringements are deemed committed precisely for the opposite reason. Furthermore, the infringements are not limited to the failure to meet the requirements for obtaining consent or to the operations carried out on that legal basis.

c) The continuing nature of the infringement, in the sense interpreted by the National Court as a permanent infringement.

d) The close connection between the offender's activity and the processing of personal data: all the operations that make up CAIXABANK's business activity involve personal data processing operations.

e) The responsible entity's status as a large company and its business volume: it is a leading company in the financial sector with a strong national presence. According to information on the "caixabank.es" website as at 12/26/2019, CAIXABANK describes itself as the leader in retail banking, with a 29.3% penetration share among individuals in Spain. As at 09/30/2019, its Income Statement shows an "Operating Margin" of 2,035 million euros. According to the information held in the Central Mercantile Registry, its "Subscribed Capital" amounts to 5,981,438,031.00 euros.
f) The high volume of data and processing that is the subject of the file: the infringements affect all the data processing carried out by CAIXABANK that is not necessary for the performance of the contract, in which all the information relating to customers is used.

g) The high number of data subjects: the defects found affect all the entity's clients who are natural persons. According to the information available on the "caixabank.es" website as at 12/26/2019, the entity had 15.7 million clients.

h) The charged entity does not have adequate procedures in place for the collection and processing of personal data, so that the infringement is not the consequence of an anomaly in the operation of those procedures but of a defect in the personal data management system designed by the controller. It is taken into account that the non-compliances found are structural and do not result from an isolated failure. According to CAIXABANK, a defect of information cannot be understood as a defect of the system. However, it is clear that the present case does not concern simply a defect of information.

Considering the factors set out, the fine for the infringement charged is assessed at 2,000,000 euros.

2.
Infringement of the provisions of article 6 of the RGPD, in relation to article 7 of the same legal text and article 6 of the LOPDGDD, typified in article 83.5.a) and classified as very serious for limitation purposes in article 72.1.b) and c) of the LOPDGDD:

In addition to the factors set out in relation to the preceding infringement under letters b), c), d), e), g) and h), the following factors are considered to concur as aggravating factors revealing greater unlawfulness and/or culpability in CAIXABANK's conduct:

a) The nature, seriousness and duration of the infringement, taking into account the nature, scope or purpose of the processing operations concerned: the infringements result from the personal data management procedures designed by CAIXABANK to adapt those processes to the RGPD, which are considered irregular from the collection of personal data and of the consents requested from clients at that very moment. The seriousness of the infringements increases in view of the scope or purpose of the processing operations concerned, which include profiling using excessive information.

b) The degree of responsibility of the controller, taking into account the technical and organisational measures implemented pursuant to articles 25 and 32: the facts found show that CAIXABANK has not ensured that only the data necessary for the intended purpose are used in the processing. Against this, the adoption in recent years of measures aimed at promoting privacy by design cannot be invoked. What matters is that such measures be adequate and, in view of the foregoing, those adopted by CAIXABANK are not.
c) The benefits obtained as a result of the commission of the infringement: customer information is used to design new products or services or to improve existing ones, and to promote them. For this benefit to be appreciated, it is not necessary that the responsible entity has monetised the personal data by selling data for commercial purposes, as CAIXABANK claims.

d) The nature of the harm caused to the data subjects or to third parties: account is taken of the high degree of interference in the privacy of CAIXABANK's clients and of the fact that all information is communicated to third parties (companies of the CaixaBank Group). The transfers have taken place and have been proven. CAIXABANK itself has acknowledged the exchange of information with the companies of the Group.

e) The high volume of data and processing that is the subject of the file, among which the transfer of personal data to third parties stands out significantly. The responsible entity alleges that it has not initiated data transfers, disregarding those made to the CaixaBank Group entities.

f) The categories of personal data affected by the infringement, which include customer profiles inferred using all the available customer information, including data collected to comply with legal obligations. This conclusion is not affected by the fact, stated by CAIXABANK, that the processing does not use special category data.

Considering the factors set out, the fine for the infringement charged is assessed at 4,000,000 euros.

The allegations made by CAIXABANK at the opening of the procedure contain no observations on the circumstances indicated under letters c), d), e), f) and g) of point 1.
Instead, it requested that the following be taken into account as mitigating: the measures taken to regularise the situation revealed in the complaint outlined in Proven Fact Four, implementing the measures recommended by the consumer and user organisation that submitted the complaint; its intention to draw up a new "Framework Contract"; and the degree of cooperation shown in remedying the irregular situation and mitigating possible adverse effects.

These actions are not considered sufficiently relevant to be taken into account in this procedure for the purposes intended by CAIXABANK. The measures taken in relation to the aforementioned complaint, which concern only the face-to-face process of obtaining the client's consent, have brought about neither a true regularisation nor a mitigation of the adverse effects of the infringements committed. The drawing up of a new "Framework Contract", for its part, is nothing but the necessary consequence of the irregularity of the document used by CAIXABANK and analysed in this procedure. The request to consider such actions as a mitigating circumstance is therefore rejected.

In its allegations to the proposed resolution, CAIXABANK reproduces its allegations to the opening agreement, without offering, in this case, any consideration of the graduation criteria indicated under letters c), d), e), f) and g) of point 1. In these allegations it again requests that the measures taken by CAIXABANK be taken into account as mitigating, as well as the degree of cooperation shown, within and outside the framework of the procedure, to remedy the infringement and mitigate its possible adverse effects.
Finally, CAIXABANK warns of the unprecedented disproportion of the sanction imposed, considering that this is a case of a minor infringement and not of an absence of information, and that there are no data transfers outside the framework of de facto, and now formal, joint responsibility that exists within the CaixaBank Group (without the free will of the data subjects having been diminished in any case). It adds that the proposed sanction is 8 times higher than the highest fine imposed under the GDPR (leaving aside "the other" exemplary sanction in the financial sector, recently made known), and 3 times higher than the maximum foreseen under the previous regime for the most serious infringements, ignoring the application of the mitigating factors that CAIXABANK details in its allegations.

In the opinion of this Agency, the cooperative attitude claimed by CAIXABANK cannot be admitted, since it has consistently denied the facts despite their being evident. Moreover, none of the circumstances put forward by that entity to establish the disproportion of the sanction is present in this case, in which there is also a very serious infringement, one to which CAIXABANK never refers in any of its allegations, attempting, as already said, to reduce the case analysed to mere errors in the information provided to customers. Precisely, one of the determining facts, though not the only one, of the very serious infringement concerns the transfer of customer data, all the data and all the clients, that CAIXABANK makes to the companies of the CaixaBank Group, on which the data subject has no opportunity to express an opinion, their free choice being compromised.

In any case, the proportionality of the sanction results from applying the graduation criteria established in the corresponding infringements and sanctions regime, the one applicable to the facts, that is, the current regime.
It is therefore not appropriate to qualify the sanction imposed as disproportionate by resorting to the infringements and sanctions regime regulated by Organic Law 15/1999 (LOPD), in order to assert that the sanction imposed is so many times higher than those provided for in that Organic Law, rather than to the norm that establishes the measures to be imposed in this case, that is, the RGPD. That Regulation, in its article 83.3, establishes that breaches of articles 13, 14 and 6 of the RGPD will be sanctioned with administrative fines of up to 20,000,000 euros (twenty million euros) or, in the case of an undertaking, up to 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. Considering this rule and the graduation criteria assessed above, the fine imposed on CAIXABANK is not disproportionate.

It is pointless to argue that the LOPD provided for lower penalties. The truth is that, in this respect as in many others, the RGPD has meant a paradigm shift in the protection of personal data, establishing measures with a clear deterrent effect. It is enough to examine the sanctions recently imposed in this matter by other European countries, which are public, to understand the scope of the change that the application of the RGPD entails. Below are links to some of these resolutions, as examples:

https://edpb.europa.eu/news/national-news/2019/cnils-restricted-committee-imposes-financial-penalty-50-million-euros_es

https://edpb.europa.eu/news/national-news/2020/aggressive-telemarketing-practices-vodafone-fined-over-12-million-euro_es

https://edpb.europa.eu/news/national-news/2020/belgian-dpa-imposes-eu600000-fine-google-belgium-not-respecting-right-be_es
On the other hand, CAIXABANK also understands that it is appropriate to qualify as mitigating the fact of having further clarified the information offered to its clients and the procedure by which consent is requested, to such an extent that the imposition of the corrective measures proposed by the AEPD would be entirely unnecessary. That entity has stated in its brief of allegations that it has given a new structure to the documents through which it informs clients on the matter at hand, preparing a new Privacy Policy as the basic document and modifying the "Framework Agreement" so that it offers only basic information and refers to the Privacy Policy as the second layer. This, it indicates, gives the information total uniformity and greater detail. It has provided a copy of both documents, together with the "Co-responsibility Agreement" referred to in Basis of Law VII when dealing with data communications to CaixaBank Group companies, and screenshots relating to the consent collection processes. CAIXABANK also points out that it has arranged a mass communication to customers reporting the changes.

This Agency considers that the actions mentioned, given the evidence obtained in the present case, are a requirement of the principle of accountability and of the diligence in complying with the data protection rules that must be expected of an entity such as CAIXABANK and that the RGPD itself expressly imposes, including the obligation to review and update the organisational measures that guarantee the conformity of its data processing with the RGPD. And this Agency also considers that there has been no true regularisation of the situation generated by the breaches found, nor have their effects been mitigated.
On the one hand, CAIXABANK's statement in its plea that the only conduct criticised is the drafting of the informative texts through which it informs its clients about the processing of their personal data cannot be accepted. And, on the other hand, in relation to the consents given and the data processing it carries out, CAIXABANK confines itself to indicating that the references to the cessation of processing are disproportionate. In its submissions it makes no reference to the regularisation in its records of the entries corresponding to the consents collected to date, to the suspension of the personal data processing classified as unlawful in these proceedings, or to the deletion of the personal data collected from third parties or inferred by the entity itself.

Once again, as has been said so many times before, CAIXABANK seeks to reduce the issues at stake to information defects, from which, in its judgment, only a demand to correct them can follow. However, contrary to what CAIXABANK contends, a breach of the provisions of article 6 of the RGPD has been found, together with the seriousness and impact of the defects found in the information offered to data subjects. Thus, the alleged correction of the information contained in the documents provided by CAIXABANK, even assuming that correction is complete, does not constitute a true regularisation of the irregular situation found in the present sanctioning procedure. The request to consider such actions as a mitigating circumstance is therefore rejected.

Furthermore, CAIXABANK does not provide any report or assessment, nor does it explain how it has adapted the documents that determine the configuration of this new Privacy Policy and would allow its analysis by this supervisory authority (e.g. the record of processing activities, impact assessment reports or legitimate interest balancing tests).
CAIXABANK has had numerous opportunities to submit this documentation during the processing of the procedure. In each and every one of the communications sent to it, it was advised of the principle of permanent access regulated in article 53, "Rights of the interested party in the administrative procedure", of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations, which grants the parties to the procedure the right to know, at any time, the status of its processing and to make allegations, use the means of defence admitted by the legal system, and provide documents at any stage of the procedure prior to the hearing stage. Consequently, the irregular situation cannot be considered regularised.

XI

In accordance with article 58.2.d) of the RGPD, each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...".

In this case, considering the circumstances set out in relation to the breaches found, it is appropriate to require CAIXABANK, within the period indicated in the operative part, to bring into conformity with the personal data protection rules the processing operations it carries out, the information offered to its customers and the procedure by which they give their consent for the collection and processing of their personal data. In those cases in which the data subject has not been duly informed of the circumstances regulated in articles 13 and 14 of the RGPD, or has not given valid consent, CAIXABANK may not carry out the collection and processing of personal data.
The same applies to the processing of data based on the controller's legitimate interest and to all the processing declared unlawful in this decision, including communications of personal data to companies of the CaixaBank Group. All this with the scope and in the sense set out in the Bases of Law of this decision.

Likewise, it is appropriate to require CAIXABANK to notify the CaixaBank Group entities to which it has communicated customers' personal data so that they delete such data and stop using them. It is also appropriate to require CAIXABANK to cease processing the personal data provided to it by entities belonging to the CaixaBank Group relating to the latter's clients.

It is noted that failure to comply with the requirements of this body may be considered a serious administrative infringement for "not cooperating with the supervisory authority" in the face of the requirements made, and such conduct may be assessed when opening an administrative sanctioning procedure carrying a pecuniary fine.

In relation to these measures, which are intended to repair the irregular situation generated by CAIXABANK in the processing of the data of its clients and of the clients of the CaixaBank Group entities, as well as to correct the information offered on personal data protection, that entity has stated that they would have an irreparable impact, but without describing what that impact consists of and without justifying why it is irreparable. In any case, no particular circumstances can be alleged to justify not applying the rule. It also warns of the current global health situation, which restricts customer visits to branches. This Agency understands that it thereby intends to reflect the difficulties this crisis poses for regularising the situation of customers.
However, the period granted in the operative part is considered sufficient to carry out the relevant regularisation.

Therefore, in accordance with the applicable legislation and having assessed the graduation criteria of the sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: TO IMPOSE on the entity CAIXABANK, SA, with NIF A08663619, for an infringement of articles 13 and 14 of the RGPD, typified in article 83.5.b) and classified as minor for limitation purposes in article 74.a) of the LOPDGDD, a fine in the amount of 2,000,000 euros (two million euros).

SECOND: TO IMPOSE on the entity CAIXABANK, SA, for an infringement of article 6 of the RGPD, typified in article 83.5.a) and classified as very serious for limitation purposes in article 72.1.b) of the LOPDGDD, a fine of 4,000,000 euros (four million euros).

THIRD: TO DECLARE the non-existence of an infringement in relation to the charge against the entity CAIXABANK, SA of a possible breach of the provisions of article 22 of the RGPD.

FOURTH: TO REQUIRE the entity CAIXABANK, SA, within six months, to bring into conformity with the personal data protection rules the personal data processing operations it carries out, the information offered to its clients and the procedure through which they must give their consent for the collection and processing of their personal data, with the scope set out in Basis of Law XI. Within that period, CAIXABANK, SA must justify to this Spanish Data Protection Agency its compliance with this requirement.

FIFTH: TO NOTIFY this resolution to CAIXABANK, SA.

SIXTH: To advise the sanctioned party that it must pay the sanction imposed once this resolution becomes enforceable, in accordance with the provisions of art.
98.1.b) of the law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter LPACAP), within the voluntary payment period established in art. 68 of General Collection Regulation, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering, indicating the NIF of the sanctioned person and the procedure number that appears in the heading of this document, in the restricted account number ES00 0000 0000 0000 0000 0000 , opened in the name of the Spanish Agency for Data Protection in the bank CAIXABANK, SA. Otherwise, it will be collected in the executive period. Once the notification has been received and once it is executed, if the date of execution is between the days 1 and 15 of each month, both inclusive, the term to make the voluntary payment will be up to on the 20th of the following or immediately subsequent business month, and if it is between the 16th and last of each month, both inclusive, the payment term will be until the 5th of the second month next or immediate after business. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution It will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 
48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the interested parties They may optionally file an appeal for reconsideration before the Director of the Agency Spanish Data Protection Agency within a month from the day following the notification of this resolution or directly administrative contentious appeal before the Chamber of the Contentious-administrative of the National Court, in accordance with the provisions of the Article 25 and in section 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-administrative Jurisdiction, within two months to count from the day after notification of this act, as provided in article 46.1 of the aforementioned Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, you may provisionally suspend the final administrative resolution if the interested party manifests his intention to file a contentious-administrative appeal. If this is the case, the The interested party must formally communicate this fact by writing to the Agency Spanish Data Protection, presenting it through the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 167 167/177 You must also send the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency is not aware of the filing of the contentious-administrative appeal within a period of two months from the following notification of this resolution, it would terminate the suspension precautionary. 
938-131120
Mar España Martí
Director of the Spanish Data Protection Agency

ANNEX I
Version 4 of the "Framework Contract", dated by CAIXABANK on 11/12/2018: (…)
Modifications to the previous text or new informative clauses introduced by Version 5 of the "Framework Contract", dated by CAIXABANK on 12/20/2018. (…)
Modifications to the previous text or new informative clauses introduced by the document provided by CAIXABANK with its response to the Inspection Services, dated 11/20/2019, which has been referred to in this resolution as "Version 7 of the Framework Contract" or "Client Framework Agreement dated 11/06/2019". (…)

ANNEX II
Document provided by CAIXABANK on 07/10/2018, called by it the "Consents Contract", which is described in the Second Fact of this Agreement: (…)
Modifications to the previous text introduced by the document incorporated into the Minutes of the inspection carried out at the CAIXABANK premises on 11/28/2019 (Attachments 4 and 5): (…)

ANNEX III
Information offered for access to information of the interested party in SOCIAL NETWORKS (…)

ANNEX IV
AGGREGATION SERVICE (…)

ANNEX V
Privacy Policy available on the CaixaBank entity's website.

01 WHO ARE WE?
CaixaBank, as you already know, is the largest bank in Spain by number of customers, and it sells, in addition to its own products and services, those of a large group of investee companies, with activities in the sectors of payment services, investment, insurance, holding of shares, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charitable-social activities. The list of these companies can be found at www.CaixaBank.es/empresasgrupo and their details in the Annex at the end of this communication (hereinafter we will call them companies of the CaixaBank Group).

02 WHAT DO WE NEED TO USE YOUR DATA FOR?

Uses for contractual purposes
The first and main reason why we need to process your data is to provide the services that you have contracted with us and for our own management. This processing is essential. If we do not carry it out, we will not be able to manage your accounts, cards, insurance, etc.

Uses for legal or regulatory purposes
At CaixaBank, and at the CaixaBank Group companies, we are bound by different regulations to process your data in order to comply with the obligations they impose. They are rules that establish, for example, regulatory reporting obligations, measures for the prevention of money laundering and terrorist financing, or tax controls and reports. In these cases, the processing of the data is limited to what is necessary to comply with those obligations or legally required responsibilities.

Uses for the purpose of preventing fraud
We also need to process your data to prevent fraud, as well as to guarantee the security both of your information and of our networks and information systems.

As you may have seen, these three types of processing are essential to be able to maintain your relationship with us. Without them we could not provide our services.

03 AND MY DATA WILL NOT BE USED FOR MORE PURPOSES?
The above uses are those necessary to provide you with our services but, with your trust, we would like to offer you much more.

Uses for commercial purposes based on legitimate interest
Unless you have told us, or tell us, otherwise, we will send you updates and information about products or services similar to those you have already contracted. We will also use your information (account movements, card movements, loans, etc.) to personalise your experience with us, for example by showing you your most common operations first at ATMs and on websites; to offer you products and services that match your profile, and thus not bother you with what does not interest you; to apply the benefits and promotions that we have in force and to which you are entitled, because we do not want you to miss any of the advantages of being our client; and to evaluate whether we can assign you pre-granted credit limits that you can use when you consider it most appropriate, so that, when you need it, we will be able to assist you as quickly as possible. Do not worry. In these processing operations we will not use more information than what you have given us or what has been generated from the products contracted during the last year and, if you prefer that we do not do so, you just have to tell us, at any of our offices, at PO Box No. 209 of Valencia (46080), at the electronic address www.CaixaBank.es/ejerciciodederechos or through the options enabled for this purpose in your internet banking and in our mobile applications. For any other commercial use that we want to make, we will ask you beforehand, as you will see below. Remember that one of our core values is trust.

04 WE CANNOT HIDE IT FROM YOU: WE WANT TO KNOW YOU BETTER!

Nowadays, there are many possibilities of using information to get to know you better, give you a better service, be more attentive and always ready to attend to your needs.
Therefore, we will ask for authorisation to process your data a little more than what we told you before. If you have already tried it, or try it in the future, surely you will not regret it; but do not worry, you do not have to decide now, we will ask you about it in the office, in electronic channels or in your dealings with the rest of the CaixaBank Group companies.

Uses based on your consent
Only if you authorise us when we ask, we would like to process all the data that we have about you to get to know you better, that is, to study your needs to know which new products and services fit your preferences and to analyse the information that allows us to determine in advance what your creditworthiness is. We would also send you product offers from all Group companies and third parties that we think may interest you. As we have told you, CaixaBank is a great family, so when you authorise us to carry out these processing operations you will benefit from the joint work of the CaixaBank Group companies in the table that follows (remember that the list will be kept up to date at the link www.CaixaBank.es/empresasgrupo).

- Your bank: CAIXABANK, SA
- The issuer of your credit and debit cards: CAIXABANK PAYMENTS, EFC, EP, SAU
- The issuer of your prepaid cards: CAIXABANK ELECTRONIC MONEY, EDE, SL
- Your insurer: VIDACAIXA, SAU DE SEGUROS Y REASEGUROS
- The marketer of your funds: CAIXABANK ASSET MANAGEMENT, SGIIC, SAU
- Your social bank, expert in microcredits: NUEVO MICRO BANK, SAU
- Your consumer finance company: CAIXABANK CONSUMER FINANCE, EFC, SAU
- Your renting company: CAIXABANK EQUIPMENT FINANCE, SAU
- Your e-commerce company: PROMOCAIXA, SA
- The company that manages payments in your stores: COMERCIA GLOBAL PAYMENTS, EP, SL

Finally, if you want, we can communicate your data to third parties with whom we have agreements, whose activities fall within banking, investment services, pension and insurance, shareholding, venture capital, real estate, roads, sale and distribution of goods and services, consulting services, leisure and charitable-social activities. We want you to be very clear that we respect your choices and act in accordance with them, so that we will process your data only for those purposes, among the three above, that you have expressly authorised.

05 AND WHAT HAPPENS TO MY DATA WHEN I BROWSE THE WEB PAGES OR THE MOBILE APPLICATIONS OF THE CAIXABANK GROUP?

When you browse our web pages or use our mobile applications, we want to be able to personalise your experience to make it as exceptional as possible. It is also possible that we want to remind you of our products and offers when you are browsing the internet. You already know that cookies are used for that. We will inform you at all times of the details of their use in the Cookies Policy, which you will find on all our web pages, as well as in the conditions of use of the mobile applications that you download. There we will describe to you at all times what data we can collect, how, and what it is used for.
In addition, most web browsers allow you to manage your preferences regarding the use of cookies. Remember that you can adjust the browser at any time to reject or delete certain cookies at your discretion. Likewise, the privacy settings of your mobile device allow you to manage the processing of your data.

06 BY THE WAY, WHAT DATA OF MINE IS PROCESSED?

As you can imagine, thanks to the trust you have placed in us, we have a lot of information about you. We have already told you what we use it for and how you can control each of these uses at any time, but what specific information of yours are we going to process? Basically, it is your identifying data and details of your professional or work activity, your contact data and your financial and socio-economic data, both those you have provided to us and those generated from the products or services contracted. Also, only if you consent to it when we ask you, we may process data that we obtain from the provision of services to third parties when you are the recipient of the service, those obtained from the networks that you authorise us to consult, those obtained from third parties as a result of data aggregation services that you request, those obtained from your browsing of the internet banking service, mobile phone applications and other websites of the companies of the CaixaBank Group, or those obtained from companies that provide commercial information.

07 ARE HEALTH DATA, IDEOLOGY OR OTHER SPECIAL OR SENSITIVE DATA PROCESSED?

In general, we do not need to process certain data of yours that are considered special categories of data, for example those related to ethnic or racial origin, political opinions, religious convictions or sexual identity. If it is necessary to process this type of sensitive data, in each case we will request your explicit consent.
These are some of the situations in which we will need to use some of these data:

Health data related to insurance products
Health data fall within the category of sensitive data, and their processing is essential in the marketing of certain insurance products (health, life, etc.). When we market these products, the controller of the health data is the insurance company; therefore we want you to know that all insurance companies whose products we market respect and strictly comply with the data protection regulations.

Biometric data collected in the electronic signature of documents
When we use electronic signature systems, on occasions, for your greater security and convenience, biometric elements are used in the creation of the signature, for example the signature trace on digitising tablets or fingerprints on the mobile phone. These data are essential to make sure that you are the one using the applications and that, therefore, no one is impersonating you. For the use of these means of signature or identification you must explicitly accept this biometric data processing.

08 IS MY DATA SECURE?

For us the security of your data is essential, and we assume the obligation and commitment to protect it at all times. Therefore, within this standard of maximum protection, we protect it against unauthorised or unlawful processing and against its loss, destruction or accidental damage, and we have implemented the most rigorous information security protocols following the best practices in this matter.

09 HOW LONG DO YOU NEED TO KEEP MY DATA?

We will process your data as long as the authorisations for use that you have given us remain in force or you have not terminated the contractual or business relationships with us.
We will stop processing it once the authorisations for use that you have given us have been revoked or, if you have not revoked the authorisations but have ceased to be a client, six months after the contractual or business relationships established have ended, provided that your data is not necessary for the purposes for which it was collected or processed. This does not mean that we delete it immediately, as we are bound by different regulations to keep the information for a certain time (in many cases up to ten years), but in accordance with the regulations your data will only be kept to comply with these legal obligations and for the formulation, exercise or defence of claims, during the limitation period of the actions derived from the contractual or business relationships entered into.

10 TO WHOM IS MY DATA COMMUNICATED?

In addition to the exchange of commercial information between the companies of the CaixaBank Group (of which we informed you previously), on certain occasions we need to share certain information with third parties in order to provide our services, either because a regulation requires it or because we need the support of specialist companies to help us in our work. Below we explain with whom we can share your information, always with the maximum security and confidentiality:

Communication of data for the fulfilment of a legal obligation
As we have explained to you, we collaborate with the authorities, courts and public bodies. If the regulations so establish, we will share with them the information they request.

Communication of data for the execution of a contractual relationship
Sometimes we turn to service providers with potential access to personal data. These providers provide adequate and sufficient guarantees in relation to data processing, since we carry out a responsible selection of service providers that incorporates specific requirements in the event that the services involve the processing of personal data.
Next, you will see what types of services we contract:

- FINANCIAL BACK-OFFICE SERVICES
- ADMINISTRATIVE SUPPORT SERVICES
- AUDIT AND CONSULTING SERVICES
- LEGAL SERVICES AND RECOVERY OF ASSETS AND UNPAID DEBTS SERVICES
- MARKETING AND ADVERTISING SERVICES
- SURVEY SERVICES
- CALL CENTRE SERVICES
- LOGISTICS SERVICES
- PHYSICAL SECURITY SERVICES
- IT SERVICES (SYSTEMS AND INFORMATION SECURITY, CYBERSECURITY, INFORMATION SYSTEMS, ARCHITECTURE, HOSTING, DATA PROCESSING)
- TELECOMMUNICATIONS SERVICES (VOICE AND DATA)
- PRINTING, ENVELOPING, POSTAGE AND COURIER SERVICES
- INFORMATION CUSTODY AND DESTRUCTION SERVICES (DIGITAL AND PHYSICAL)
- BUILDINGS, FACILITIES AND EQUIPMENT MAINTENANCE SERVICES

We can also communicate your data to third parties where necessary for the development, performance and control of the contracts for products and services that you have signed with us, for example to clearing houses or systems for the execution of transfers or direct debits or for the payment of fees or taxes.

11 IS MY DATA TRANSFERRED OUTSIDE THE EUROPEAN ECONOMIC AREA?

The processing of your data is carried out, in general, by service providers located within the European Economic Area or in countries that have been declared to have an adequate level of protection. In other cases, we guarantee the security and lawfulness of the processing of your data by requiring our suppliers to have binding corporate rules that guarantee the protection of the information in a manner similar to that established by European standards, to be subject to the Privacy Shield in the case of service providers in the US, or to sign the European Union standard clauses. At all times we will ensure that whoever has your information to help us provide our services does so with all guarantees.

12 DO CAIXABANK AND THE COMPANIES IN ITS GROUP HAVE A DATA PROTECTION OFFICER?
Indeed, as required by data protection regulations, the companies of the CaixaBank Group have a Data Protection Officer who ensures that all the processing carried out is done with full respect for your privacy and the regulations applicable at all times. The Data Protection Officer is at your disposal to answer all the questions you may have relating to the processing of your personal data and the exercise of your rights. You can contact the Data Protection Officer at: www.CaixaBank.es/delegadoprotecciondedatos

13 WHAT RIGHTS DO I HAVE IN RELATION TO MY DATA AND ITS PROCESSING?

These are the rights that you can exercise in relation to your data:

- Right of access: right to know what data of yours we are processing.
- Right to revoke consent: right to withdraw consent at any time when you have given us authorisation to process your data.
- Right of rectification: right to have your data rectified or completed if it is inaccurate.
- Right of objection: right to object to processing based on legitimate interest.
- Right of erasure: right to have your data erased when it is no longer necessary for the purposes for which it was collected.
- Right of restriction: right to restrict the processing of your data (in certain cases, expressly provided for in the regulations).
- Right of portability: right to have your data delivered to you (data processed for the performance of products and services and data that we process with your consent) so that you can transmit it to another controller.

You can exercise your rights through any of the channels that we put at your disposal:
- At the offices of CaixaBank or the Group companies
- By postal communication addressed to PO Box No. 209 of Valencia (46080)
- At the electronic address www.CaixaBank.es/ejerciciodederechos
- Through the options enabled for this purpose in your internet banking and in our mobile applications

Additionally, you already know that if, despite everything, you have any claim derived from the processing of your data that we have not been able to resolve, you can address it to the Spanish Data Protection Agency (www.agpd.es).

Note: The Privacy Policy includes an Annex in which the CaixaBank Group companies (the same ones listed in point 04) are listed, indicating their address, NIF and registration in the Mercantile Registry and in the Special Administrative Registry of the Bank of Spain, the Administrative Registry of Insurance Entities of the General Directorate of Insurance and Pension Funds, or the Registry of Management Companies of Collective Investment Institutions of the National Securities Market Commission, as appropriate in each case.

ANNEX VI
Document called "Processing of personal data based on legitimate interest", obtained from the caixabank.es website, in the "Privacy" section, on 01/07/2020:

<< Processing of personal data based on legitimate interest
We inform you that, in accordance with the provisions of Article 6.1.f) of the General Data Protection Regulation, CaixaBank, on occasions, processes its customers' data on the basis of legitimate interest. Below you will find a list of all the processing operations that CaixaBank may carry out on this legal basis. This list will be permanently updated to include new processing operations, or to remove those that are discontinued. You can object to the processing operations that we list below by indicating it at any of our offices, in writing to PO Box 209 of Valencia (46080), at the electronic address www.CaixaBank.es/ejerciciodederechos or through the options enabled for this purpose in your internet banking and mobile apps.

Processing operations based on legitimate interest
- Sending information about products or services similar to those you have already contracted, or information that we believe may be of interest to you or that you may reasonably expect to receive.
- Study of the information that we have about you (account movements, card movements, loans, etc.) to personalise your experience with the Entity, for example showing you your most common operations first at ATMs and on websites, or offering products and services that fit your profile and applying the benefits and promotions in force at any given time.
- Monitoring of the fulfilment of the objectives, incentives or awards set for our employees.
- Communication of data between CaixaBank and the companies in which it has a stake for the purpose of producing internal reports (without personal data) which allow us, among other things, to carry out market studies and mathematical models to establish the business strategy of the CaixaBank Group.
- Creation of statistical models (without personal data) that help the Entity to better understand the preferences and tastes of our customers, contributing to the improvement of the design and execution of commercial actions, as well as producing aggregate reports on the results of the models in order to monitor customer behaviour.
- Structuring and profiling of the information processed by the Entity to keep the resources and technical systems prepared to meet management needs efficiently.
- Control and supervision of the Entity's activity through samples and self-assessments for the purpose of identifying and assessing possible risks in the marketing of products, and of controlling and evaluating compliance with internal rules and regulations.
- Control and supervision of operations in order to prevent fraud, both against customers and against the Entity itself.
- Use of contact data of employees or representatives of legal entities to maintain relations with the legal entity for which they provide services. >>