AEPD (Spain) - EXP202300944: Difference between revisions
mNo edit summary |
mNo edit summary |
||
(4 intermediate revisions by the same user not shown) | |||
Line 67: | Line 67: | ||
}} | }} | ||
The DPA fined a bank | The DPA fined a bank €2,000,000 for improperly obtaining data subjects' consent to process their personal data. The controller acknowledged its fault and paid a reduced fine of €1,200,000 in accordance with national law. | ||
== English Summary == | == English Summary == | ||
Line 76: | Line 76: | ||
The data subject claimed that, after they expressed their disagreement, the controller stated that failure to sign the form with these clauses would result in the bank account being blocked. | The data subject claimed that, after they expressed their disagreement, the controller stated that failure to sign the form with these clauses would result in the bank account being blocked. | ||
On 30 January 2023, the AEPD informed the controller of the complaint. In its defense brief, the controller stated that it is required by Law 10/2010. In particular, it pointed to Article 11, which obliges financial institutions to guarantee that they are engaging with professional or business activities of the client. The controller interpreted this to mean that the identification of the client was necessary, as well as the collection of information concerning the client’s professional or business activities. | On 30 January 2023, the AEPD informed the controller of the complaint. In its defense brief, the controller stated that it is required by [https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737 Law 10/2010]. In particular, it pointed to Article 11, which obliges financial institutions to guarantee that they are engaging with professional or business activities of the client. The controller interpreted this to mean that the identification of the client was necessary, as well as the collection of information concerning the client’s professional or business activities. | ||
=== Holding === | === Holding === | ||
The AEPD | The AEPD concluded that consent was improperly obtained in this case and the controller thus lacked a legal basis for processing. The AEPD proposed a fine of €2,000,000. The controller acknowledged responsibility of the violations and paid a portion of proposed fine; thus, the fine was reduced 40% to €1,200,000. | ||
The AEPD acknowledged that [https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737 Law 10/2010] requires banks to verify professional and business activities of its clients. However, it noted that the law does not specify how a bank is to assess this data; instead, the controller decides on the form of verification, and it should do so in a way that complies with data protection regulations. The [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2018-5203 Convention] established between the General Treasury for Social Security and the Spanish Association of Financial Entities, which guides financial institutions on compliance with Law 10/2010, also does not establish an obligation to verify personal data with the General Treasury of Social Security. | |||
There was thus no legal obligation requiring the controller to collect its clients’ personal data from the General Treasury of Social Security. However, insofar as this was the method chosen by a controller to comply with Law 10/2010, the AEPD noted that the [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2018-5203 sixth clause of Annex III of the Convention] explicitly requires data subject consent in order for the controller to verify their personal data with the General Treasury of Social Security. | |||
Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of € 2,000,000. | The AEPD found that consent was not properly obtained in this case. As a result, the controller lacked a legal basis for processing pursuant to [[Article 6 GDPR#1|Article 6(1) GDPR]]. The AEPD emphasized that consent is not free when the data subject cannot refuse consent without suffering any damage, or when the fulfillment of a contract or provision of service is dependent on consent even when it is not necessary for the service. In this case, consent was not free because it was included as a non-negotiable aspect of the controller’s contract. Additionally, the controller failed to obtain specific consent in each case where data was being processed for different purposes -- instead, it combined consent to processing for the provision of banking services with consent to processing of the data subject’s data from the General Treasury of Social Security. Finally, consent was not informed because it was presented as a requirement rather than an option within the contract, and because the clause falsely stated that the controller was obligated to process the personal data under national law. | ||
Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of € 2,000,000. | |||
Pursuant to [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015], a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €1,200,000. | |||
== Comment == | == Comment == | ||
' | [https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565 Law 39/2015], a Spanish law concerning administrative proceedings, permits a controller to acknowledge responsibility for an alleged violation or to pay a fine proposed by the AEPD in its investigation stage in exchange for a 20% reduction in the fine amount. These actions permit the reduction to stack -- thus, if a controller both acknowledges responsibility and pays the fine prior to the AEPD's final sanction proceedings, then the fine amount is reduced 40%. | ||
== Further Resources == | == Further Resources == |
Latest revision as of 09:28, 24 April 2024
AEPD - EXP202300944 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 4(11) GDPR Article 6(1) GDPR Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 07.12.2022 |
Decided: | 07.03.2024 |
Published: | |
Fine: | 2,000,000 |
Parties: | Caixabank, S.A. |
National Case Number/Name: | EXP202300944 |
European Case Law Identifier: | n/a |
Appeal: | Not appealed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA fined a bank €2,000,000 for improperly obtaining data subjects' consent to process their personal data. The controller acknowledged its fault and paid a reduced fine of €1,200,000 in accordance with national law.
English Summary
Facts
On 7 December 2022, a data subject filed a complaint with the AEPD against Caixabank (the controller). The controller required new clients to sign a contract for provision of services, which included a clause stating that data subjects consent to their data being requested from the General Treasury of Social Security. For existing clients, the same clause was included in a declaration or modification contract. The provision cited Law 10/2010, a Spanish law on the prevention of money laundering and terrorist financing, stating that it required the collection of such data. For both new and existing clients, the contract did not give an option to refuse consent – instead, consent was pre-established by the clause. 3,026,247 new clients signed the contract, and 3,401,052 existing clients signed the modification contract.
The data subject claimed that, after they expressed their disagreement, the controller stated that failure to sign the form with these clauses would result in the bank account being blocked.
On 30 January 2023, the AEPD informed the controller of the complaint. In its defense brief, the controller stated that it is required by Law 10/2010. In particular, it pointed to Article 11, which obliges financial institutions to guarantee that they are engaging with professional or business activities of the client. The controller interpreted this to mean that the identification of the client was necessary, as well as the collection of information concerning the client’s professional or business activities.
Holding
The AEPD concluded that consent was improperly obtained in this case and the controller thus lacked a legal basis for processing. The AEPD proposed a fine of €2,000,000. The controller acknowledged responsibility of the violations and paid a portion of proposed fine; thus, the fine was reduced 40% to €1,200,000.
The AEPD acknowledged that Law 10/2010 requires banks to verify professional and business activities of its clients. However, it noted that the law does not specify how a bank is to assess this data; instead, the controller decides on the form of verification, and it should do so in a way that complies with data protection regulations. The Convention established between the General Treasury for Social Security and the Spanish Association of Financial Entities, which guides financial institutions on compliance with Law 10/2010, also does not establish an obligation to verify personal data with the General Treasury of Social Security.
There was thus no legal obligation requiring the controller to collect its clients’ personal data from the General Treasury of Social Security. However, insofar as this was the method chosen by a controller to comply with Law 10/2010, the AEPD noted that the sixth clause of Annex III of the Convention explicitly requires data subject consent in order for the controller to verify their personal data with the General Treasury of Social Security.
The AEPD found that consent was not properly obtained in this case. As a result, the controller lacked a legal basis for processing pursuant to Article 6(1) GDPR. The AEPD emphasized that consent is not free when the data subject cannot refuse consent without suffering any damage, or when the fulfillment of a contract or provision of service is dependent on consent even when it is not necessary for the service. In this case, consent was not free because it was included as a non-negotiable aspect of the controller’s contract. Additionally, the controller failed to obtain specific consent in each case where data was being processed for different purposes -- instead, it combined consent to processing for the provision of banking services with consent to processing of the data subject’s data from the General Treasury of Social Security. Finally, consent was not informed because it was presented as a requirement rather than an option within the contract, and because the clause falsely stated that the controller was obligated to process the personal data under national law.
Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of € 2,000,000.
Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €1,200,000.
Comment
Law 39/2015, a Spanish law concerning administrative proceedings, permits a controller to acknowledge responsibility for an alleged violation or to pay a fine proposed by the AEPD in its investigation stage in exchange for a 20% reduction in the fine amount. These actions permit the reduction to stack -- thus, if a controller both acknowledges responsibility and pays the fine prior to the AEPD's final sanction proceedings, then the fine amount is reduced 40%.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/26 File No.: EXP202300944 RESOLUTION OF TERMINATION OF THE PAYMENT PROCEDURE VOLUNTEER From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: On March 7, 2024, the Director of the Spanish Agency for Data Protection agreed to initiate sanctioning proceedings against CAIXABANK, S.A. (hereinafter, the claimed party), through the Agreement transcribed: << File No.: EXP202300944 AGREEMENT TO START SANCTIONING PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following: FACTS FIRST: D. A.A.A. (hereinafter, the complaining party) dated December 7, 2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against CAIXABANK, S.A. with NIF A08663619 (hereinafter, CAIXABANK). The reasons on which the claim is based are the following: The complaining party states that CAIXABANK has requested a series of data, in accordance with the provisions of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing. He adds that the information collected is reflected in a document called "Declaration/Modification of data for the business relationship (Form 5433)", but before signing the form (which contains your personal and financial data), verify that, in the wording of one of its clauses, it is indicated that You expressly consent to CAIXABANK requesting your data from the General Treasury of Social Security, without being given the option to express their refusal to this respect, so consent is already pre-established. Thus, it indicates that after showing its disagreement in this regard, CAIXABANK reports that the process followed by it was a routine process that was applied to all clients equally and that, if they did not sign with those conditions, they would proceed to block your bank account. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/26 And, provide the following relevant documentation: Screenshot of your personal area, showing that the document “Model 5433 Active. Economic” is pending signature. Copy of the aforementioned document (Form 5433) which, among others, indicates what following: “6. The declarant states that he has been informed by CaixaBank that the legislation current law on the prevention of money laundering obliges banking entities to obtain information about their economic activity from their clients and carry out a verification of the same. For this exclusive purpose of verifying the information provided, you give your express consent to CaixaBank so that on your behalf may request such information from the General Treasury of Social Security. The data obtained from the General Treasury of Social Security will be used exclusively for the management indicated above. In the event of non-compliance of this obligation on the part of CaixaBank and/or the personnel who provide it services, all the actions provided for in Organic Law 3/2018 will be carried out, December 5, Protection of Personal Data and guarantee of rights digital”. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to CAIXABANK, so that proceed to its analysis and inform this Agency within a period of one month, of the actions carried out to adapt to the requirements provided for in the regulations of Data Protection. The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, of the Common Administrative Procedure of Administrations Public (hereinafter, LPACAP), was collected on January 30, 2023 as It appears in the acknowledgment of receipt that is in the file. On March 9, 2023, this Agency received a response letter indicating: 1. That CAIXABANK is obliged to obtain information about the purpose and nature of the business relationship and to continuously monitor said relationship according to the Law 10/2010, of April 28, on the Prevention of money laundering and financing of terrorism (hereinafter "LPBCFT"), and its Regulations (Regulation of Law 10/2010, of April 28, on the prevention of money laundering and financing of terrorism, hereinafter, "RLPBCFT"). And it refers to the following article: "Article 11 RLPBCFT. Continuous monitoring of the business relationship. 1. The obligated subjects will carry out a scrutiny of the operations carried out during throughout the business relationship in order to ensure that they coincide with the activity professional or business of the client, and with its operational background […]” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/26 That in order to carry out said "scrutiny", the LPBCFT expressly obliges and enables collect information from your clients in order to know the nature of their activity professional or business and adopt measures that allow reasonable verification the veracity of the information: "Article 5 LPBCFT. Purpose and nature of the business relationship. The obligated subjects will obtain information about the purpose and intended nature of the business relationship. In particular, obligated subjects will collect from their clients information in order to know the nature of your professional or business activity and will adopt measures aimed at reasonably verifying the veracity of said information. Such measures will consist of the establishment and application of verification procedures for activities declared by clients. („,)" 2. That this mandate is the one reflected in document Model 5433 “Declaration/Modification of data for the business relationship” where they are collected data, specifically the socioeconomic ones, and it is reported that CAIXABANK has the obligation to verify the data provided. 3. That “As can be seen, the processing of the claimant's data by this entity (collection of data necessary to monitor the relationship and mandatory verification or verification) is carried out in strict compliance with the regulations that apply to it.” 4. In relation to the blocking of accounts, it refers to, among other information, that: to. According to article 7.3 LPBCFT: "the obligated subjects will not establish relations of business, nor will they execute operations when they cannot apply the security measures. due diligence provided for by law, ending the business relationship when it does not can apply these measures". While also determining: "that the refusal of entities to establish business relationships or to execute operations or the termination of the relationship due to not being able to apply the measures of due diligence will not entail, unless there is unjust enrichment, any type of responsibility for the entity". b. That in section 4 of model 5433 it is stated that: "4. The declarant declares that the data provided is his and complete and acknowledges that the inaccuracy or lack of veracity of the same and/or in the documents provided (accuracy or truthfulness that CaixaBank reserves the right to verify by own means), as well as non-compliance with the commitments acquired in virtue thereof may be sufficient cause for the denial by CaixaBank and/or the companies of the CaixaBank group of the establishment of the relationship of business or the contracting of any product or service and will empower CaixaBank and/or any of the companies in the CaixaBank group to suspend and, including ending the business relationship that, if applicable, has been established." c. Manifest: “As you can see, the eventual termination of the business relationship causes of the client's inaction regarding the provision of that data legally required and/or due to the lack of mandatory verification or verification thereof. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/26 In no case, contrary to what was stated by the claimant - without any evidentiary activity that justifies such a statement -, the absence of the provision of consent for the verification of the (necessary) data provided for the knowledge of the business relationship, through consultation of the database of the TGSS (as reported in section 6 of Form 5433), or its timely revocation, implies or may imply the extinction of the business relationship with CaixaBank, whose action in terms of money laundering prevention is limited rigorously to the LPBCFT and the RLPBCFT.” 5. That there is no claim by the claimant in their systems. That he understands that the claimant is exercising the right of revocation so proceed to register said revocation in their systems and its effectiveness immediate. Provide a copy of the letter dated 03/08/2023 and addressed to the claimant where informs that they have proceeded to revoke their consent for the consultation of data to the TGSS>>. THIRD: On March 7, 2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing. FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: 1. The “Know Your Customer” process (hereinafter KYC) is the process by which Caixabank complies with the established due diligence obligations by the LPBCFT, obligations that imply the identification of the client and obtaining information relating to your professional activity, including the obligation to verify reasonably activity in the case of customers with higher than average risk, as well as guarantee that in all cases the information remains updated through review processes. For all this, this process is carried out: - At the time of registration of a client in the entity. - Periodically, to update the information. In this case it can be either periodically from 1 to 5 years depending on the risk or when the client communicates variations in information. 2. There is a collaboration agreement between the General Security Treasury Social (hereinafter, TGSS), the Spanish Banking Association, the Confederation Spanish Savings Banks and the National Union of Credit Cooperatives on transfer of information, whose sole objective is to allow financial entities C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/26 consult certain information about your clients in order to verify it and comply with the due diligence measures established by the LPBCFT. To this agreement he adhered Caixabank on April 28, 2021. In its sixth clause (“Responsibility for the operation of the SVFI”) it is indicated: “(…) Likewise, each Collaborating Financial Entity is obliged to guarantee, with respect to to each request you make: a) That the requests refer to natural persons who initiate business relationships with the Financial Entity or to persons with respect to whom, after a period of time reasonable, it is necessary to update your information. b) That prior to the request for information by the Financial Entity This collaborator has the corresponding express authorization, signed by the interested, and agreed between the parties. (See Annex III). c) That it undertakes to safeguard the authorizations for the clients. Because of control or audit actions carried out by the TGSS as data owner assigned, the Financial Entities are obliged to provide the documentation that work in its possession within a period that may not exceed ten calendar days from its application. This same period will also apply to requests that, where appropriate, could be carried out by the Data Protection Agency. (…)” The content of Annex III of the aforementioned agreement has the following content: 3. In the processes of registering new clients, all personal data information that he contributes is consolidated in the document “Framework Contract”, which must be signed by the new client. The registration process for new clients that CAIXABANK established after joining the agreement on April 28, 2021 was modified on the following dates: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/26 - In office: In May 2023. - In digital banking (CaixaBankNow) and mobile banking (app): In June 2023. Therefore, in this process of registering new clients there are differences depending on the period. time in which it has been carried out: a) From CAIXABANK's accession to the agreement on April 28, 2021 until the modifications to the new customer registration process carried out in 2023: (i) The Framework Contract model contains the following: “(…) You state that you have been informed by Caixabank that the Current legislation on the prevention of money laundering requires banking entities to obtain from their clients the information of their economic activity and to carry out a verification of it. With This exclusive purpose of verifying the information provided, lends its express consent to Caixabank so that on your behalf we can request the General Treasury of Social Security said information. The data obtained from the General Treasury of the Social Security will be used exclusively for the management indicated previously (…). […] 4.PROCESSING OF PERSONAL DATA […] 4.4 Processed data […] >Data that you have provided us when registering your contracts or during your relationship with us through interviews or forms. These are data typologies and data details: […] Data on your professional or work activity and socioeconomic: activity professional or work, income or remuneration, family unit or circle, educational level, assets, tax data and tax data. […] >Data obtained from publicly accessible sources, public records or external sources. These are the types of data and the details of the data: […] 4.5 What treatments we carry out with your data. The treatments that we will carry out with your data are diverse and They respond to different purposes and legal bases: >Treatments based on consent for the purposes of: -Personalization of the commercial offer through other channels. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/26 -Transfer of data to other companies. - Identification of clients and signing of documentation through the use of biometrics. -Application of personal conditions in joint ownership contracts […] >Treatments necessary to comply with regulatory obligations, mainly for the purpose of: -Comply with regulations on the prevention of money laundering and financing of terrorism. -Comply with tax regulations. -Comply with the obligations derived from the policies of international financial sanctions and countermeasures. -Handling complaints and claims. […] (ii) In the registration processes for new clients, there is a process to grant, or not, consents exclusively in relation to the following treatments: “Personalization of the offer of products and services according to the analysis of your data”, “Communication of the offer of products and services by channels”, “Transfer of data to other companies”, “Apply personal conditions in co-ownership contracts.” (iii) The revocation of consents was done through a form, in office. (iv) That in the temporary period from the date 12/7/2021 until dates indicated above when the processes of registration of new clients in 2023, have completed the KYC registration process, signing the framework contract, a total of 3,026,247 people for the different channels. b) Since the modifications to the new client registration process carried out in the year 2023: (i) The Framework Contract model contains the following: 5. PROCESSING OF PERSONAL DATA. […] 5.4 Processed data […] 〉 Data that you have provided us when registering your contracts or during your relationship with us through interviews or forms. These are the typologies and details of the data: […] • Data on your professional or work activity and socioeconomic: professional or work activity, income or remuneration, unit or circle family, educational level, assets, fiscal data and tax data. […] 〉 Data obtained from publicly accessible sources, public records or external sources. These are the typologies and details of the data: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/26 […] • Data from the General Treasury of Social Security: data identification and contact details of the payer, professional activity data or labor (CNAE, self-employed worker and/or employed person, group of the worker's contribution). […] 5.5 What treatments we carry out with your data. The treatments that we will carry out with your data are diverse and They respond to different purposes and legal bases: 〉 Treatments based on consent, with the purposes of: − Personalization of the offer of products and services according to the analysis of your data. − Communication of the commercial offer through other channels. − Transfer of data to other companies for the submission of offers commercial. − Verification of economic activity to comply with the regulations for the prevention of money laundering and financing of terrorism. […] 〉 Treatments necessary to comply with regulatory obligations, mainly for the purpose of: − Comply with money laundering prevention regulations and the financing of terrorism. − Comply with tax regulations. − Comply with the obligations derived from the policies of sanctions and international financial countermeasures. − Address complaints and claims. […]” (ii) In the KYC procedures for registering new clients, it is stated that may or may not grant consent for data verification with the TGSS both in the office and on the website www.caixabank.es, as in the entity's mobile application. It is also stated that the consent through the three channels mentioned above. 4. In the processes of updating the client's personal data information already existing, what you have to sign is form 5433 (Declaration/Modification of data for the business relationship). The process of updating customer personal data information is already existing ones that CAIXABANK established after its accession to the agreement on April 28, 2021 was modified on the following dates: - In office: In February 2023. - In digital banking (CaixaBankNow): In May 2023 - In mobile banking (app): In June 2023. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/26 Therefore, in such a process of updating the information on the personal data of existing clients, there are differences depending on the time period in which the done: a) From CAIXABANK's accession to the agreement on April 28, 2021 until modifications to the data information updating process personal data from existing clients carried out in 2023: (i) In the "Declaration/Modification of data for the business relationship (Form 5433)", contain the following clauses that, indicated by CAIXABANK in His letter of November 30, 2023, is “The information in relation to the data treatment": "5. Processing of personal data The person responsible for the treatment is CaixaBank, S.A., with NIF A-08663619 Contact information of the Data Protection Officer: www.CaixaBank.com/degadoprotecciondedatos The data requested are necessary for the management and execution of the service and/or contracting requested, and will be processed for that purpose; Likewise, they will be treaties to comply with required regulatory obligations. These Data may be communicated to authorities and public bodies, for compliance with a required legal obligation, as well as service providers and third parties necessary for the management and execution of relationships derived from the service and/or contractual. The Data will be processed while the relationships remain in force. derived from the service and/or contractual established, and will be preserved (during the limitation period of the actions derived from said relationships) for the sole purpose of complying with the required legal obligations, and for the formulation, exercise or defense of claims. Exercise of rights and claims before the Data Protection Authority. The data owner may exercise the rights in relation to your personal data according to with current regulations, in the CaixaBank offices, in the POST OFFICE BOX 209-46080 VALÈNCIA or at www.CaixaBank.com/ejerciciodederechos. 6. The declarant states that he has been informed by CaixaBank of that the current legislation on the prevention of money laundering obliges banking entities to obtain from their clients the information on your economic activity and to carry out a verification Of the same. For this exclusive purpose of verifying the information provided, you give your express consent to CaixaBank so that in your name can request the General Treasury of Social Security such information. The data obtained from the General Treasury of the Social security will be used exclusively for the management noted above. In the event of non-compliance with this obligation on the part of CaixaBank and/or the personnel who provide it services, all actions provided for in the Law will be carried out Organic 3/2018, of December 5, on Data Protection Personal and guarantee of digital rights. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/26 (ii) The revocation of said consent was done through a form, in office. (iii) That in the temporary period from the date 12/07/2021 until dates indicated above when the processes were launched KYC of the year 2023, they have completed the KYC process of updating personal data information, signing document 5433, a total of 3,401,052 people through different channels. b) Since the modifications to the information updating process the personal data of existing clients carried out in 2023: (i) CAIXABANK, in its letter of October 31, 2023, indicates: - That the client must give again all the information that he already declared at discharge. - “Once all the fields have been verified, you will be shown a summary of the data to the client and must sign the updated information or modified, which is consolidated in document KYC 5433, which the client signs (…).” In that "Declaration/Modification of data for the relationship of business (Form 5433)", contain the same clauses that, CAIXABANK indicated in its letter of November 30, 2023, to exception to clause 6. “- If the client has not given consent to the verification of their economic activity, the client will be asked if they wish to lend their consent to the processing of your data for this purpose, (…)” (ii) Consent can be revoked both in the office and at the website www.caixabank.es, as well as in the entity's mobile application. FIFTH: According to the report collected from the AXESOR tool, the entity CAIXABANK, S.A. is a large company established in 1980, and with a volume of business of 1,310,563,000 euros in 2022. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of the RGPD grants to each authority of control and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD, The Director of the Agency is competent to initiate and resolve this procedure. Spanish Data Protection. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/26 in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Previous issues In accordance with the provisions of article 4.2 of the GDPR, "processing" means: any operation or set of operations performed on personal data or sets of personal data, whether by automated procedures or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, dissemination or any other form of access enablement, collation or interconnection, limitation, deletion or destruction; In the present case, in accordance with the provisions of article 4.2 of the RGPD, CAIXABANK is the one who processes the personal data of its clients, collecting your personal data and consulting it with the TGSS. To this end, it establishes a procedure for obtaining information with data personal data of clients and collection of consent to verify said data personal data before the TGSS, through a form called “framework contract”, for cases of registration of new clients, and “form 5433 (Declaration/Modification of data for the business relationship)”, for cases of updating the data personal data of existing clients. Documents, both, mandatory subscription. Therefore, in this procedure the established procedure will be analyzed by CAIXABANK for the provision of consent to CAIXABANK clients so that it can consult their personal data to verify the obtained in response to the LPBCFT before the TGSS. III Article 6.1 of the GDPR According to article 6 of the GDPR “Legitimacy of processing: 1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave his consent for the processing of his personal data for one or more specific purposes; b) the processing is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the processing is necessary for compliance with a legal obligation applicable to the responsible for the treatment; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/26 d) the processing is necessary to protect vital interests of the interested party or another Physical person; e) the processing is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the controller; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that regarding said interests do not prevail over the interests or fundamental rights and freedoms of the interested party requiring the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph will not be application to the processing carried out by public authorities in the exercise of their functions.” In this case, CAIXABANK states that the verification of the personal data of its clients before the TGSS, obtained in compliance with the obligations imposed by the LPBCFT, is a consequence of the legal obligation imposed by Law 10/2010, of 28 April, prevention of money laundering and terrorist financing (LPBCFT), which includes in its article 2, the obligated subjects in the Prevention of Money Laundering: Financial Entities (banks, savings banks, cooperatives credit, etc.), Insurance Companies, Credit Institutions, etc. In this sense, this same law regulates in its article 5, that “the obligated subjects They will collect information from their clients in order to know the nature of their activity professional or business and will adopt measures aimed at reasonably verifying the veracity of said information. Such measures will consist of the establishment and application of procedures for verification of activities declared by clients. These procedures will take into account the different level of risk and will be based on obtaining the clients of documents that are related to the declared activity or in the obtaining information about it that is not related to the client himself.” (emphasis added) Adding in its article 6 that “The obligated subjects will apply security measures continuous monitoring of the business relationship, including scrutiny of the operations carried out throughout said relationship in order to guarantee that they coincide with the knowledge that the obligated subject has of the client and his business profile and risk, including the origin of funds and ensuring that documents, data and information available are up to date.” For its part, RD 304/2014, of May 5, which approves the Regulation of Law 10/2010, of April 28, on the prevention of money laundering and financing of terrorism, which is developed by the LPBCFT, establishes: “Article 10. Purpose and nature of the business relationship. 1. The obligated subjects will collect information from their clients in order to know the nature of your professional or business activity. The activity declared by the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/26 client will be registered by the obligated subject prior to the beginning of the relationship of business. 2. The obligated subjects will verify the activities declared by the clients in the following assumptions: a) When the client or the business relationship presents risks greater than the average, by regulatory provision or because it appears from the risk analysis of the obligated subject. b) When the monitoring of the business relationship shows that the operations active or passive assets of the client do not correspond to their declared activity or their operational background. 3. Actions to verify the declared professional or business activity They will be graduated based on risk and will be carried out through documentation provided by the client, or by obtaining information from reliable sources independent. Likewise, obligated subjects will be able to verify the activity professional or business of clients through in-person visits to the offices, warehouses or premises declared by the client as places where they carry out their activity commercial, leaving a written record of the result of said visit. (…) Article 11. Continuous monitoring of the business relationship. 1. The obligated subjects will carry out a scrutiny of the operations carried out during throughout the business relationship in order to ensure that they coincide with the activity professional or business of the client and with its operational background. The subjects obligated will increase monitoring when they appreciate risks higher than the average by regulatory provision or because it appears from the risk analysis of the obligated subject. (…) 2. The obligated subjects will periodically carry out review processes in order to ensure that the documents, data and information obtained as a consequence of the application of due diligence measures are kept up to date and find current. (…)” (emphasis added) In accordance with the aforementioned regulations, the treatment carried out by the entity banking consists of, on the one hand, collecting information from clients in the terms C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/26 made explicit in the LPBCFT and, on the other hand, adopt measures aimed at verifying reasonably the veracity of said information. Thus, it is true that sector regulations determine the obligation to verify the professional and business activities of the subjects with whom you are going to do business. Not anticipating, however, that this should be done in a manner determined, and must be the person responsible for the processing of personal data (in the present case, CAIXABANK) who must decide such verification procedure, the which must comply with the regulations on data protection staff. The Agreement signed with the TGSS on the transfer of information, to which it has adhered CAIXABANK on April 28, 2021, in order to facilitate credit institutions the compliance with anti-money laundering regulations, through a mechanized computer procedure that allows establishing a daily process of request for data by financial entities and transmission of information from the TGSS, it could be an appropriate mechanism for the fulfillment of its obligations but not necessarily unique. In the sixth clause and in Annex III of the Agreement between the General Treasury of the Social Security, the Spanish Banking Association, the Spanish Confederation of Savings Banks and the National Union of Credit Cooperatives, on transfer of information, to which CAIXABANK alludes in its writings, is evident that the interested party must consent so that the banking entity can verify the personal data before the TGSS and is effectively collected, the clause by which can give express consent to verify the information. But although this is the way in which the agreement considers that this consent for the purposes of allowing verification in the TGSS systems, This is not the only way to verify personal data, in the terms aforementioned of the LPCBCFT and its implementing regulations. The regulations do not establish the obligation to verify personal data information before the TGSS, but is provided by the client and subsequently, taking into account the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/26 different level of risk, there is a general obligation to establish and apply verification procedures for activities declared by clients. Therefore, in order to consult personal data with the TGSS, given that the Law does not does not impose this route on banking entities nor does it constitute a legal obligation consultation with the TGSS, for the purposes of verification of data information personal information provided by the claimant, it would be necessary to obtain the consent of the interested party, not to impose the use of said mechanism, and always conditioned to the specific cases in which the standard requires such verification. In this sense, article 4.11 of the GDPR establishes that the “consent of the interested party” is “any manifestation of free, specific, informed and unequivocal statement by which the interested party accepts, either through a declaration or a clear affirmative action, the processing of personal data that concerns you” Consent is understood as a clear affirmative act that reflects a manifestation of free, specific, informed and unequivocal will of the interested party accept the processing of personal data that concerns you, provided with sufficient guarantees to prove that the interested party is aware of the fact that you give your consent and to the extent to which you do so. Likewise, it must be given for all treatment activities carried out with the same or same purposes, so that, when the processing has several purposes, it must give consent for all of them specifically and unequivocally. To this In this regard, the legality of the treatment requires that the interested party be informed about the purposes for which the data are intended (informed consent). Furthermore, consent must be given freely. It is understood that the consent is not free when the interested party does not enjoy true or free choice or you cannot deny or withdraw your consent without suffering any damage, or when the fulfillment of a contract or provision of service is dependent on the consent, even when this is not necessary for said compliance. This occurs when consent is included as a non-negotiable part of the general conditions. Without these conditions, the consent given by the interested party would not determine a control over your personal data and its destination. On the other hand, the European Data Protection Committee in the document “Guidelines 05/2020 on consent under Regulation 2016/679”, which updates the guidelines on consent adopted by the Article Working Group 29 on 11/28/2017, reviewed and approved on 04/10/2018 refers to this and indicates that: "3. In general, consent can only be an adequate legal basis if it is offers the interested party control and a real capacity of choice regarding whether they want accept or reject the conditions offered or reject them without suffering any damage. When requesting consent, the data controller has the obligation to evaluate whether said consent will meet all the requirements for obtaining a valid consent. If obtained in full compliance with the GDPR, the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/26 Consent is a tool that gives data subjects control over whether the personal data that concerns them will be processed or not. If not, the control of the interested party will be merely illusory and consent will not be a legal basis valid for the treatment, which will convert said treatment activity into a illicit activity. These guidelines go on to state: “13. The term "free" implies real choice and control on the part of those concerned. As a general rule, the GDPR establishes that, if the subject is not truly free to choose, you feel obligated to give your consent or you will suffer negative consequences if does not give it, then the consent cannot be considered valid. If the consent is included as a non-negotiable part of the conditions It is generally assumed that it has not been freely given. Consequently, it is not consent will be considered to have been freely given if the interested party cannot deny or withdraw consent without prejudice.” They also indicate: “62. The GDPR reinforces the requirement that consent must be informed. Of Pursuant to Article 5 of the GDPR, the transparency requirement is one of the fundamental principles, closely related to the principles of loyalty and legality. Providing information to interested parties before obtaining their consent is essential so that they can make informed decisions, understand what are authorizing and, for example, exercise their right to withdraw their consent. If he responsible does not provide accessible information, the user's control will be illusory and Consent will not constitute a valid basis for data processing. 63. If the requirements regarding informed consent are not met, the consent will not be valid and the person responsible may be in breach of article 6 of the GDPR 64. For consent to be informed, it is necessary to inform the interested party certain elements that are crucial to be able to choose. Therefore, the EDPB is of the opinion that At least the following information is required to obtain valid consent: i the identity of the person responsible for the treatment. ii the purpose of each of the processing operations for which the authorization is requested consent. iii what (type of) data is to be collected and used. Iv the existence of the right to withdraw consent. V information on the use of data for automated decision-making in accordance with Article 22(2)(c) where applicable, and I saw information about the possible risks of data transfer due to the absence of a decision on the adequacy of adequate guarantees, as stated described in article 46” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/26 In the present case, since CAIXABANK joined the agreement on April 28 from 2021 until the modifications of the procedure in 2023: - Consent cannot be considered free because with the signing of the framework contract or model 5433 is required for all clients to verify their data personal data is carried out through consultation with the TGSS. This absolutely limits the choice of such people to decide whether they want CAIXABANK to carry carry out such verification of personal data through consultation with the TGSS, since It is not mandatory, as stated. - Likewise, consent must be given for all treatment activities carried out for the same or same purposes, so that, when the treatment has several purposes, consent must be given for all of them specifically and unequivocal. But in the present case it cannot be considered specific and unambiguous whenever the mechanisms for providing consent for clients of CAIXABANK so that it can consult the personal data of its clients before the TGSS, through the framework contract model and the model are already pre-established, just as if it were a pre-checked box. - Consent cannot be considered informed because: a) The framework contract, which the new clients signed, indicated, for a side, which “gives its express consent to Caixabank so that on its behalf We can request said information from the General Treasury of Social Security” if well, section 4.5 of such contract does not include such treatment within section regarding “Treatments based on consent”. b) Form 5433, which existing clients had to sign for the update of his personal data, indicated that “The declarant states that he has been informed by CaixaBank that the current legislation on prevention of Money laundering forces banking entities to obtain from their clients the information on your economic activity and to verify it. For this exclusive purpose of verifying the information provided, lend your express consent to CaixaBank so that on its behalf it can request the General Treasury of Social Security said information.” Information that needs to be add to what such people already had when they signed the aforementioned framework contract. The information offered could cause confusion to an average citizen, because: - It did not allow express consent, but consent was reflected in a standard clause of the models to which it was obligatory to adhere. - Such clause mentioned the legal obligations regarding LPBCFT. - In the information that was given about the processing of personal data, as such treatment was not expressly included in the treatments whose legal basis was consent, it could be directly related to the treatments related to the legal obligation on the LPBCFT, a rule referred to in the mod.los clause C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/26 Therefore, in accordance with the evidence available at this time of agreement to initiate sanctioning proceedings, and without prejudice to what results from the instruction, it is considered that the known facts could be constituting an infraction, attributable to the claimed party, for violation of the article 6.1 of the RGPD in relation to the procedure that had been established CAIXABANK to obtain the consent of its clients to verify certain personal data related to the LPBCFT before TGSS. IV Classification of the offense The infringement attributed to CAIXABANK is classified in the article 83.5 a) of the RGPD, which considers that the violation of “the basic principles for the processing, including the conditions for consent pursuant to articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article 83 of the cited Regulation, “with administrative fines of a maximum of €20,000,000 or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount.” The LOPDGDD in its article 71, Infractions, states that: “They constitute infractions the acts and conduct referred to in sections 4, 5 and 6 of article 83 of the Regulation (EU) 2016/679, as well as those that are contrary to this law organic”. And in its article 72, it considers for the purposes of prescription, which are: “Infringements considered very serious: 1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of Regulation (EU) 2016/679. (…). V Sanction proposal In order to establish the administrative fine that should be imposed, the following must be observed: provisions contained in articles 83.1 and 83.2 of the RGPD, which indicate: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/26 When deciding the imposition of an administrative fine and its amount in each case individual will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question such as the number of interested parties affected and the level of damages that have suffered; a) intentionality or negligence in the infringement; b) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; c) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied in under articles 25 and 32; d) any previous infraction committed by the person responsible or in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the controller or processor notified the infringement and, if so, in what extent; i) when the measures indicated in Article 58, paragraph 2, have been ordered previously against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement.” In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its article 76, “Sanctions and corrective measures” establishes that: "2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of medical treatments. personal information. c) The benefits obtained as a consequence of the commission of the infraction. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/26 d) The possibility that the conduct of the affected person could have induced the commission of the infringement. e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. g) Have, when not mandatory, a data protection delegate. h) The submission by the person responsible or in charge, on a voluntary basis, to alternative conflict resolution mechanisms, in those cases in which "There are disputes between them and any interested party." In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, for the purposes of setting the amount of the fine sanction impose in the present case for the infringement classified in article 83.5 of the RGPD of for which the defendant is held responsible, in an initial assessment, it is estimated the following factors concurrently: As aggravating circumstances: - The nature, severity and duration of the infringement (article 83. 2.a) of the RGPD), since the events revealed affected all of its clients from the accession of CAIXABANK to the agreement with the TGSS on April 28, 2021 until February 2023 Specifically, it affected, from December 7, 2021 to the dates indicated above when the KYC processes of the year were launched 2023: (i) To 3,026,247 people who signed the framework contract. (ii) To 3,401,052 people who signed form 5433. - The intention or negligence of the infringement (article 83.2. b) of the RGPD). CAIXABANK joined the agreement with the TGSS on April 28, 2021, an agreement that requires the financial entity, in its sixth clause, to have the corresponding express authorization, signed by the interested party. However, they have demanded the consent in an adhesion clause without real possibility of consent, being fully aware of the requirements of the agreement signed with the TGSS. In this sense, the SAN of October 17, 2007 (rec. 63/2006) is very illustrative, which indicates that “…the Supreme Court has been understanding that there is imprudence whenever a legal duty of care is neglected, that is, when the offender fails behaves with the required diligence. And in assessing the degree of diligence it must The professionalism or otherwise of the subject must be especially considered, and there is no doubt that, In the case now examined, when the appellant's activity is constant and abundant handling of personal data, emphasis must be placed on rigor and “exquisite care to comply with the legal provisions in this regard” - The circumstance of article 83.2.e) RGPD: “Any previous infraction committed by the responsible or the person in charge of the treatment.” Recital 148 of the GDPR states “In order to strengthen the application of the rules of this Regulation [...]” and indicates in this regard that “It must, however, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/26 Special attention should be paid to the nature, severity and duration of the infringement, its intentional character [...] or to any pertinent infraction [...]”. Thus, in accordance with section e) of article 83.2. GDPR, in determining the amount of the administrative fine sanction cannot fail to be valued all those previous infractions of the person responsible or of the person in charge of treatment in in order to gauge the illegality of the analyzed behavior or the guilt of the subject offender. Furthermore, a correct interpretation of the provision of article 83.2.e) RGPD does not can ignore the purpose pursued by the rule: to decide the amount of the sanction of administrative fine in the individual case raised, always taking into account that the sanction is proportional, effective and dissuasive. There are numerous sanctioning procedures processed by the AEPD in which The person complained of has been sanctioned for violating article 6.1 of the RGPD: Yo. PS/00477/2019. Resolution issued on January 5, 2021 in which a penalty of 2,000,000 euros for articles 13 and 14 of the RGPD and 4,000,000 for the Article 6 of the GDPR. The events concerned the transfer of data to companies in the cluster. ii. PS/00500/2020. Resolution issued on September 22, 2021 in which imposed a penalty of 3,000,000 euros. The events dealt with the procedures for obtaining consent to create profiles for commercial. iii. PS/00226/2020. Resolution issued on February 4, 2022 in which it was imposed a penalty of 2,000,000 euros for article 6 in relation to article 7.4 of the RGPD and 100,000 euros for article 6.1. The events dealt with the consent collection procedure and the existence of consents premarked. iv.PS/00254/2023. Resolution issued on October 19, 2023 in which it was imposed a fine of 200,000 euros. The events concerned the maintenance of data personal information in the credit information file when the debt had been sold to a third party. CAIXABANK took advantage of the two planned reductions. - The activity of the allegedly infringing entity is linked to the processing of data from both clients and third parties. In the activity of the claimed entity The processing of personal data of your clients is essential, therefore that, given its volume, the significance of this activity, the object of the This claim is very high (article 76.2.b) of the LOPDGDD in relation to with article 83.2.k). Considering the exposed factors, in order to decide on the imposition of a administrative fine and its amount, in accordance with the evidence that was currently has an agreement to initiate the sanctioning procedure and without prejudice to what results from the instruction, taking into account the circumstances C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/26 of the case and the criteria established by article 83.2 of the RGPD with respect to the violation committed, allows for an initial fine of 2,000,000 euros. SAW Adoption of measures If the violation is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in art. 83.2 of the GDPR. In such case, in the resolution that is adopted, this Agency may require the responsible so that within the period determined: Adequately inform and obtain consent, under the terms of the GDPR, from the clients of the entity that, since the accession of CAIXABANK on April 28, 2021 to agreement with the TGSS and until the modifications of the process in 2023, had signed a framework contract and/or a form 5433 (Declaration/Modification of data for the business relationship) and that they had not been adequately informed and/or your consent had not been obtained, in the terms set forth in this initiation agreement, in relation to the verification of personal data before the TGSS in the terms of the LPBCFT. It is warned that failure to comply with the possible order to adopt measures imposed by This body in the sanctioning resolution may be considered as a administrative offense in accordance with the provisions of the RGPD, classified as infringement in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a subsequent administrative sanctioning procedure. Therefore, in accordance with the above, by the Director of the Agency Spanish Data Protection, HE REMEMBERS: FIRST: START SANCTIONING PROCEDURE against CAIXABANK, S.A. with NIF A08663619, for the alleged violation of article 6.1 of the RGPD, typified in the article 83.5 of the GDPR. SECOND: APPOINT D. R.R.R. as instructor. and, as secretary, Ms. S.S.S., indicating that they may be challenged, if applicable, in accordance with the provisions of the articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRJSP). THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Inspection of Data in the actions prior to the start of this sanctioning procedure. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/26 FOURTH: THAT for the purposes provided for in art. 64.2 b) of law 39/2015, of 1 October, of the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be, for the alleged violation of article 6.1 of the RGPD, typified in article 83.5 of said regulation, administrative fine of amount TWO MILLION EUROS (€2,000,000.00), without prejudice to what results from the instruction. FIFTH: NOTIFY this agreement to CAIXABANK, S.A. with NIF A08663619, granting him a hearing period of ten business days to formulate the allegations and present the evidence you consider appropriate. In his writing of allegations must provide your NIF and the file number that appears in the heading of this document. If within the stipulated period you do not make allegations to this initial agreement, the same may be considered a proposal for a resolution, as established in the article 64.2.f) of the LPACAP. In accordance with the provisions of article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement; which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be established at ONE MILLION SIX HUNDRED THOUSAND EUROS (€1,600,000.00), resolving the procedure with the imposition of this sanction. Likewise, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which will mean a 20% reduction in the amount. With the application of this reduction, The sanction would be established at ONE MILLION SIX HUNDRED THOUSAND EUROS (€1,600,000.00) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The reduction for the voluntary payment of the penalty is cumulative with that corresponding apply for recognition of responsibility, provided that this recognition of the responsibility becomes evident within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if both reductions were to be applied, the amount of the penalty would remain established at ONE MILLION TWO HUNDRED THOUSAND EUROS (€1,200,000.00). In any case, the effectiveness of any of the two mentioned reductions will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction. In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (€1,600,000.00 or €1,200,000.00), you must make it effective by depositing it into the IBAN account number: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX) opened in the name of the Spanish Agency of Data Protection in the banking entity CAIXABANK, S.A., indicating in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/26 concept the reference number of the procedure appearing in the heading of this document and the reason for the reduction in the amount to which it applies. Likewise, you must send proof of income to the General Subdirectorate of Inspection to continue the procedure in accordance with the quantity entered. The procedure will have a maximum duration of twelve months from the date of the initiation agreement. After that period has elapsed without it having been issued and notified resolution will expire and, consequently, the proceedings will be archived; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is noted that in accordance with the provisions of article 112.1 of the LPACAP, There is no administrative appeal against this act. Sea Spain Martí Director of the Spanish Data Protection Agency >> SECOND: On March 28, 2024, the claimed party has proceeded to pay of the penalty in the amount of 1200000 euros making use of the two reductions provided for in the initiation Agreement transcribed above, which implies the recognition of responsibility. THIRD: The payment made, within the period granted to formulate allegations to The opening of the procedure entails the waiver of any action or appeal pending. administrative against sanction and recognition of responsibility in relation to the facts referred to in the Initiation Agreement. FOURTH: In the aforementioned Initiation Agreement transcribed above, it was stated that If the infringement is confirmed, it could be agreed to impose on the person responsible the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to the which each control authority may “order the person responsible or in charge of the treatment that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period…” Having received a letter by which CAIXABANK, S.A. reports that it has adopted the necessary measures to prevent the events from occurring again determinants of the infraction committed, this Agency acknowledges receipt of the same, without this statement implying any pronouncement on the regularity or legality of the measures adopted. Please note the provisions of article 5.2 of the GDPR, which establishes the principle of proactive responsibility when it states that “The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and capable of prove it.” This principle refers to the obligation that falls on the responsible for the treatment not only for designing, implementing and observing the measures legal, technical and organizational measures so that the data processing is C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/26 in accordance with the regulations, but to remain actively attentive throughout the entire life cycle of the treatment so that this compliance is correct, being also able to prove it. FOUNDATIONS OF LAW Yo Competence In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations dictated in its development and, insofar as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Termination of the procedure Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter, LPACAP), under the heading “Termination in sanctioning procedures” provides the following: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, The procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction has only a pecuniary nature or a penalty can be imposed pecuniary sanction and another of a non-pecuniary nature but the inadmissibility of the second, the voluntary payment by the alleged responsible, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/26 3. In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the initiation notification. of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased “regularly.” According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: DECLARE the termination of procedure EXP202300944, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to CAIXABANK, S.A.. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, interested parties may file an appeal administrative litigation before the Administrative Litigation Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. 1219-21112023 Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es