AEPD (Spain) - PS/00500/2020
From GDPRhub
| AEPD (Spain) - PS/00500/2020 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 4(4) GDPR Article 6(1) GDPR Article 22(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 21.10.2021 |
| Fine: | 3000000 EUR |
| Parties: | CAIXABANK, CONSUMER FINANCE, EFC |
| National Case Number/Name: | PS/00500/2020 |
| European Case Law Identifier: | n/a |
| Appeal: | Rejected AEPD (Spain) RR/00672/2021 |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | Carmen Villarroel |
The Spanish DPA fined a bank €3,000,000 for carrying out profiling for marketing purposes without obtaining valid consent, since it was not specific nor informed.
English Summary
Facts
A data subject filed a complaint against Caixabank, a Spanish bank, alleging that the financial institution had transferred the data subject's personal data to a credit scoring company, despite the data subject and the bank having ended their relationship in 2014. The Spanish DPA (AEPD) launched an investigation and decided to investigate the way the bank was profiling their clients.
The bank, answering to a request made by the AEPD, declared that they were profiling their clients, as defined by Article 4(4) GDPR, in two ways: firstly, in order to determine their clients' creditworthiness and secondly for marketing purposes. According to the statements of the bank, the profiling for determining their clients' creditworthiness was based on a legal obligation deriving from insolvency and credit legislation. The profiling for marketing purposes was based on consent.
The personal data processed for these purposes were Identity data such as ID number and date of birth, financial data, sociodemographic metric such as postal code, country of birth, nationality, dwelling's type, age and civil status, economic data, such as revenue, salary, job, time being a client and risk score. Such data were provided by the data subjects themselves, from credit scoring entities and from other companies from the entity's group, and from the Spanish Bank's risk information centre.
Holding
The AEPD started remarking that, according to Article 5 GDPR, personal data shall be processed lawfully. Particularly, in the case of profiling, processing will be based on consent. The DPA relied on the "Guidelines on Automated individual decision-making and Profiling" from the A29WP to highlight the importance of obtaining valid consent in such a case:
Profiling can be opaque. Often it relies upon data that is derived or inferred from other data, rather than data directly provided by the data subject.
Controllers seeking to rely upon consent as a basis for profiling will need to show that data subjects understand exactly what they are consenting to, and remember that consent is not always an appropriate basis for the processing. In all cases, data subjects should have enough relevant information about the envisaged use and consequences of the processing to ensure that any consent they provide represents an informed choice.
The AEPD also highlighted Articles 6 and 7 GDPR, regarding consent, Recitals 32, 40 a 44 and 47, and the EDPB's "Guidelines 05/2020 on consent", specifically the sections regarding specific and informed consent.
After examining the way the bank was obtaining consent, the DPA determined that the controller was not providing data subject enough information about profiling, as all the information about the processing was placed inside the conditions of the credit contract.
Additionally, with the information provided, the data subject would not be able to understand properly what the processing consisted of and entailed. The information did not specify that the client could receive, this way, marketing from third companies and from unrelated products, nor that it could include the allowance of pre-granted credits. Data subjects did not receive either information about what particular personal data would be used for such processing, nor how detailed the profile was.
The controller did not provide either the option for a granular consent, since the data subject could not consent to every purpose of the processing individually. The total of the actual purposes was not even defined when offering the information about the purposes in the privacy policy. The personal data were also transferred to other companies of the group without consent or a valid agreement between them. In addition, the DPA concluded that the data subjects could not effectively know what kind of personal data was being processed for the profiling, since there was a difference in what was stated in the privacy policy and what the controller communicated to the DPA. The AEPD also remarked that the use of risk score data was not included by the bank in that list, neither was defined as another kind of profiling, therefore lacking information about such processing.
For all the above stated reasons, the DPA concluded that the controller had not obtained valid consent as defined in Article 4(7) GDPR, as it was, firstly, not specific, since purposes were not individually defined, nor they could be gradually consented, and secondly, not informed, since the provided information was not enough. Therefore, consent was not valid as a legitimate basis from Article 6(1) GDPR, in relation to Article 7 GDPR, and thus processing was unlawful.
On these grounds, the AEPD fined the controller €3,000,000. For this, they took into account:
- the risks that profiling poses to data subjects, since it is a particularly invasive practice,
- the link between the processing and the controller's business activities,
- the big size of the company,
- the high amount of personal data and processing activities,
- the high number of affected data subjects.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/133
Procedure No.: PS / 00500/2020
RESOLUTION OF SANCTIONING PROCEDURE
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On November 6, 2018, a letter from Mr.
A.A.A., in which it denounces that the entity CAIXABANK, CONSUMER FINANCE, EFC has
requested to the COMPANY. 1 information on the inscriptions relating to his person in the
COMPANY file 2. It states that at present there is no contract nor has
requested any service from any company of the CAIXABANK group. He points out that although
was a CAIXA client, said relationship was formally terminated in 2014 with the termination of
all existing contracts.
Said claim was transferred to the Data Protection delegate of the person in charge,
in accordance with the provisions of article 9.4 of Royal Decree-Law 5/2018, of 27
July, of urgent measures for the adaptation of Spanish law to the regulations of the
European Union regarding data protection, receiving a response from
CAIXABANK CONSUMER FINANCE EFC, S.A.U., in which an error of
human and punctual character. It was indicated that, although the claimant was a client in the
past, at the date of the claim it had ceased to be. Despite this, their
data was included by mistake in a campaign of pre-granted credits.
On February 6, 2019, the Director of the Spanish Agency for the Protection of
Data agrees not to admit the submitted claim for processing, noting however
in said resolution that “This is without prejudice to the fact that the Agency, applying the powers of
investigation and corrections that it holds, can carry out subsequent actions
relating to the data processing referred to in the claim. "
Said resolution was appealed, claiming the claimant that said entity of which no
is a client, since his relationship with her was punctual and limited in time within the framework
of a sales contract with associated financing completed years before, you have used
the assets solvency files in order to prepare a profile and offer you a
financial service, without requesting your consent. Said appeal was upheld.
SECOND: In view of this claim, dated October 16, 2019, the Director
of the Spanish Data Protection Agency urged the Subdirectorate General of
Data Inspection the initiation of preliminary investigation actions that reveal what
form CAIXABANK CONSUMER FINANCE EFC, S.A.U is conducting profiling of the
personal data of its clients in the context of their commercial activity, in order to
verify its compliance with the personal data protection regulations.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 2/133
THIRD: On February 6, 2020, the General Subdirectorate for Inspection of
Data formulates requirement to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
to provide the following information:
List of activities for the processing of personal data of clients and / or potentials
clients carried out in the development of CAIXABANK's commercial activity
PAYMENTS & CONSUMER EFC, EP, S.A.U. that involve profiling
(according to the definition set forth in article 4.4 of the RGPD, in particular with regard to the
economic situation of the interested parties). For each of the treatment activities
of personal data, input is requested:
1. Definition of the logic applied in profiling and the expected consequences of such
treatment for the interested party.
2. Description of the purpose of the treatment and detail of the basis of legitimation of the
Article 6.1 of the RGPD on which it is based.
3. Procedure followed to comply with the duty of information to the interested party (articles
13 and 14 of the GDPR)
4. Means used to collect consent in the event that the activity of
treatment is covered by article 6.1.a of the RGPD.
5. Categories of interested parties and personal data subject to treatment.
6. Origin or origins of the personal data object of treatment (with indication of the
basis of legitimacy that supports, where appropriate, the use of data collected from sources
external - credit information systems, other companies of the business group,
etc.-).
7. Where appropriate, list of treatment managers who participate in the activity of
profiled on behalf of CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. and copy
of the contracts that govern said treatments.
8. Description of the technical and organizational security measures applied in
under article 32 of the RGPD to the profiling activity.
9. If applicable, a copy of the Personal Data Protection Impact Assessment
(EIPD) performed on profiling activity.
10. Number of interested parties whose personal data have been processed in the development
of profiling activity by category (customer, potential customer) and year (2018 and
2019).
FOURTH: On March 2, 2020, CAIXABANK PAYMENTS & CONSUMER
EFC, EP, S.A. requests an extension of the term due to the impossibility of collecting and
structure the required information within the established period.
On March 3, 2020, the Deputy Director General of Data Inspection
agrees to extend the deadline to respond for a period of five days, which
must be computed from the day following the day on which the first term ends
granted.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 3/133
FIFTH: On June 2, 2020, this Agency has a written entry of
response to the request for information referred to in point
SECOND. In this document the following is stated:
In the first place, reference is made to the fact that “on March 14, 2020, it was published
in the Official State Gazette (BOE) and Royal Decree 463/2020, of 14
March, declaring the state of alarm for the management of the situation of
health crisis caused by COVID-19, which includes in its additional provision
third, the suspension of administrative deadlines, applying the suspension of
terms and the interruption of terms to the entire public sector defined in Law 39/2015,
of October 1, of the Common Administrative Procedure of the Administrations
Public; being, therefore, suspended the terms and interrupted the terms
for the processing of procedures of public sector entities,
decreeing that the computation of said terms will be resumed at the time of the
end of the validity of this Royal Decree, extended, in turn, by Royal
Decree 476/2020, of March 27, by which the state of alarm is extended
declared by virtue of the antecedent legislative text, as well as its extensions
successive. "
Secondly, it makes some preliminary considerations, of which it must be
the following stand out:
- “CAIXABANK PAYMENTS & CONSUMER is the entity resulting from the
merger by absorption between CaixaBank Payments, E.F.C., E.P.,
S.A.U., the absorbed company, and CaixaBank Consumer Finance, E.F.C., S.A.U.,
absorbing company; both wholly owned by CaixaBank, S.A.
(hereinafter, also called “CaixaBank”). This merger took place in
dated July 11, 2019, after having notified the non-opposition of
Banco de España to the structural modification operation, under the
provided for in Law 10/2014 of June 26, on management, supervision and
solvency of credit institutions, as well as the corresponding procedure
authorization from the Ministry of Economy and Business provided for in the Law
5/2015 of April 27, on the promotion of business financing. What
As a result of the aforementioned operation, CaixaBank Consumer Finance,
E.F.C., S.A. has been subrogated by universal succession in all
rights and obligations, acquired and assumed, respectively, by
CaixaBank Payments, E.F.C., E.P., S.A.U., modifying its corporate name
to the current CaixaBank Payments & Consumer, E.F.C., E.P., S.A. "
- “The main activity of CAIXABANK PAYMENTS & CONSUMER consists of
the marketing of credit or debit cards (hereinafter,
called “Cards”), credit accounts with or without a card (hereinafter,
called “Credit Accounts”) and loans (hereinafter, called
“Loans”), (hereinafter, all of them individually named
"Product" and jointly, "Products"), directly or through
third parties -whether agents or Prescribers-, with whom it has subscribed the
corresponding agency or collaboration contracts. Specific: -
Directly, CPC markets some of the aforementioned Products. -
Indirectly, CPC markets through Prescribers and agents. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 4/133
- "It is understood by" Prescriber "or" Prescribers ", those entities with which
CPC has signed a collaboration agreement, based on which, these are
undertake to offer their customers the possibility of contracting the Products
of CPC to mainly finance the purchase price of the products
and / or services marketed by them (Prescribers) at their points of sale,
either in person or online (for example, establishments such as
*** ESTABLISHMENT.1 or *** ESTABLISHMENT.2 and
*** ESTABLISHMENT. 3). In particular, CPC Products
marketed through Prescribers are Cards, Accounts
Credit and Loans. "
- “Finally, an agent is understood to be CaixaBank, S.A. (onwards,
indistinctly the “Agent” or “CaixaBank”), entity with which CPC maintains
an agency agreement, by virtue of which CaixaBank promotes and concludes, at
Through its channels, the CPC Cards, as well as, where appropriate, loans
of refinancing the debt derived from these Cards. "
Regarding the personal data processing activities that in the development
of its commercial operations involve the elaboration of profiles, according to the definition
set forth in article 4.4 of the RGPD, in particular with regard to the situation
data of the interested parties, indicates that they are the following:
I. "Analysis of the repayment capacity or risk of non-payment of a
interested in your Request for a Product: It consists of the evaluation by
CPC part of a Product Request (Card, Credit Account or
Loan, hereinafter the "Request") received from an interested party (in
hereinafter, "Applicant" or "Applicants"). This evaluation involves a
processing of personal data that is specified in the necessary assessment
repayment capacity or solvency of the Applicant (probability of
risk of default). Said assessment is carried out, within the framework of the Request
received, in order to comply with the provisions of the regulations that, in
quality of financial credit establishment and payment institution,
It is applicable to CPC (Prudential and Solvency Regulations and
Responsible Loan). "
II. "Analysis of the capacity for repayment or risk of non-payment in the management
of credit risk granted to customers: It consists of monitoring
continuous capacity of repayment or risk of default of customers to
who CAIXABANK PAYMENTS & CONSUMER has granted
financing and, therefore, with which it maintains a credit risk with two
purposes i) the management of the credit risk granted to them in
compliance with certain legal obligations (specifically, the
Prudential and Solvency Regulations and Responsible Lending, as
as it is defined in section I.A.6 of this writing); and, ii) the
commercial management in accordance with the consents obtained from
holders of the data (clients) with the subsequent purpose of offering them
products and services tailored to your needs, which may include
assignment of “pre-granted” credit limits (pre-grant of a
credit based on the information available to the Entity). "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 5/133
III. "Analysis and selection of target audience: It consists of the analysis and selection,
prior to a certain commercial impact, of a target audience
(made up of those clients of CAIXABANK PAYMENTS &
CONSUMER that meet, where appropriate, the requirements designed to be
impacted by a potential campaign in order to offer you
Products). Said treatment is carried out in accordance with the
consents obtained from the owners of the data (clients). "
Regarding the categories of data holders that are treated in the execution of the
detailed treatments, points out that “it only deals with data of interested parties who are
Clients of the Entity or applicants for its Products. Does not perform data processing
about interested parties that could be called “potential clients”, understood as
These, data holders who have no current relationship with CPC or who previously did not
have requested a Product through any of the established channels. "
Third, the examination of what was stated by CPC regarding the activity
called “analysis of the repayment capacity or risk of non-payment for the
management of credit risk granted to clients during the contractual relationship ”
highlight the following aspects:
1. Regarding the purposes and bases of legitimation of the treatment, it is stated that
has two purposes:
I. "The management of the credit risk granted, in compliance with
certain legal obligations of the Prudential Regulations and of
Solvency and Responsible Loan, applicable when the Product is
a credit account since, by allowing the availability of credit
consistently granted, this (Product) must adapt
constantly to the updated solvency capacity of the interested party.
As stated, the enabling title to carry out this purpose, give
compliance with regulatory requirements, is the legal obligation, of
in accordance with article 6.1 c) of the RGPD.
II. Commercial management in the event that you have the consent of the
data owner. Said treatment provides, among others, to be able to label the
client in order to grant him a “pre-grant” (grant of a
credit based solely on the information available to the Entity).
In this case, only the data of those customers who have
given your consent for profiling. "
2. Regarding the logic applied in profiling and the expected consequences of
said treatment for the interested party sets out the following:
“CAIXABANK PAYMENTS & CONSUMER uses a logic that has been defined in
the financing process of the Entity. This financing process consists of
of different policies explained below and based on which they are
assigns customers (…).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 6/133
i. (…) This label is the one used by CPC to categorize its clients in
relationship with the promotional activity that on them could make
Loans or Credit Accounts. (…)
• (…)
• (…)
• (…)
• (…)
As mentioned, this direct financing is for commercial purposes.
so CPC only uses it in those clients who have consented to the
treatment of your data. Those who have not consented, consequently,
separate from the previous ones by including themselves -for the sole purpose of respecting what
requested in relation to the processing of your data- in the subcategory of
Direct financing - D - Not assessable. The implication of such a subcategory is, for
Therefore, customers with this 1 - D LABEL cannot be included in
commercial campaigns.
ii. (…)
• (…)
• (…)
• (…)
• (…)
Finally, also in this case, customers who have not authorized the
treatment of your data in the subcategory Financing Prescriber - D - No
assessable. These are, therefore, clients who have not given their consent to the
profiling data processing.
i. (…)
(…)
(…)
(…)
Finally, as in the other labels, there is the subcategory Extension of
limits D - Not assessable that incorporates those clients who have not authorized the
processing of your personal data and, consequently, cannot be
object of commercial campaigns.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 7/133
i. (…)
to) (…)
b) (…)
(…)
• (…)
• (…)
• (…)
• (…)
3. Regarding the personal data object of treatment, it is indicated that they are the
following:
- Identification: DNI / NIE / Passport and date of birth.
- Financial: CPC internal data obtained or derived from the relationship
existing contract between it and its client and consult solvency files and
to the Risk Information Center (CIR) of the Banco del Banco de España.
- Sociodemographic: postal code, country of birth and nationality, type of
housing and seniority and marital status.
- Socioeconomic: income and pay, employment status and profession, seniority
bank and domiciled entity.
- Others: risk score.
4. Regarding the origin of the personal data object of treatment, detail, for the
categories of data indicated in the previous section, the following sources:
- Data provided by the Applicant in the Product Application itself.
- CPC data in relation to the Applicant in the event that it is already
customer and provided that CPC has data on their payment behavior.
- Data from external sources: in accordance with the regulations that result from
application to CPC as a financial credit institution and payment institution,
the following information is also incorporated:
Information on the consolidated Group of Group entities
CaixaBank.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 8/133
Result of consulting credit information systems.
Result of the query to the Risk Information Center
(CIR) of the Bank of Spain.
(…)
5. Regarding the means used to collect consent in the event of
that the treatment activity is covered by article 6.1.a of the RGPD, informs that
the channels through which it collects consents for commercial purposes from its
customers are listed below:
a) Through the Prescribers.
b) Through its CaixaBank Agent.
a) “Through the Prescribers In relation to this channel, we can differentiate three
(3) different ways of collecting:
i. The first is through the employees of the Prescribers themselves, who,
at the time of the formalization of the financing contracts with the clients
who want to contract the Products offered by CAIXABANK PAYMENTS &
CONSUMER, they are asked about each of the consents, for later
translate the answer given by you for each of them in the Conditions
Individuals of the financing contract signed for this purpose.
In this regard, the three (3) tools provided by CAIXABANK PAYMENTS
& CONSUMER to the Prescribers' sellers so that they can carry out the
capturing the information necessary to process the operations of
financing and, therefore, also to obtain the aforementioned consents,
are the Web "*** WEB.1", the app of capture (its use is made through
a tablet carried by the sellers of Prescribers who are constantly
movement through the store) and the “Web Auto” (…), which are the software provided by
part of CAIXABANK PAYMENTS & CONSUMER to the Prescribers, connected
with the systems of that (CAIXABANK PAYMENTS & CONSUMER), so that
your sellers process the financing operations by introducing
of the personal and economic data of the clients and the contractual data of
operations (TIN, APR, amortization months, etc.), as well as collecting the
consents, which will later be reflected in the Conditions
Individuals of the financing contracts that are formalized and delivered to the
customers."
Provide three screen prints that correspond to these three
tools. In them it is observed that consent is requested for the
following purposes, being able to choose whether or not in each modality:
- “I authorize the CaixaBank Group to use my data for study and
profiling "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 9/133
- "I authorize the sending of advertising and commercial offers from the Group
CaixaBank by the following means ”, which in turn allows consent or not for
each of the following sections):
- Telemarketing
- Electronic means such as SMS, email and others
- Post mail
- Commercial contacts through any channel of my manager
- "I authorize the transfer of my data to third parties with whom the CaixaBank Group has
agreements "
- “I authorize the CaixaBank Group to use my biometric data (image, fingerprint
fingerprint, etc.) in order to verify my identity and signature. This authorization is
It will be complemented with the registration of biometric data to be used in each
moment"
A screenshot of the AUTO web tool is also provided in the
which is allowed to consult more details. According to the printing provided the detail
consists of the following:
"Consents and protection of personal data
The authorizations you provide now or have previously provided
can be revoked at any time via
www.caixabankpc.com/ exercise of rights.
If you grant authorization (1) the offers that are sent to you will be
adapted to your profile.
Authorizations (2) (3) (4) and (5) refer to the channels through the
that you agree to be contacted by the Caixabank group either by phone, by
electronic means, by post and / or in person.
If you do not authorize a channel, the Caixabank group will not be able to contact you to
offer you products of your interest.
If you provide the authorization (6) at the time the data is transferred,
will inform you of which third party is the recipient of your data and if you do not agree
agreement you can revoke that authorization.
The authorization (7) is to be able to verify your identity / signature since in the
Grupo Caixabank we use biometric recognition methods such as
facial recognition systems, fingerprint reading and the like. "
ii. "The second form of recruitment within this group is through the web portal
CAIXABANK PAYMENTS & CONSUMER authorized to process the operation
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 10/133
financing by the client himself, which will have been redirected by clicking
in a link incorporated in the website of the Prescriber in question. So by
For example, the interested party who decides to apply for the card (...) will initiate the application in the
Prescriber's own portal *** ESTABLISHMENT. 1 and will immediately be
redirected to the web portal enabled for this purpose by and from CAIXABANK PAYMENTS &
CONSUMER where the entire contracting procedure will be carried out.
In this case, it is the client himself, through his computer / tablet, who marks the
response for each of the planned treatments, which are then
They will be transcribed in the Particular Conditions of the financing contract
formalized. "
Attached, as ANNEX DOCUMENT No. 13, is the screen that the client sees
and in which the consents are collected, as well as ANNEX DOCUMENT No.
14, an example of how the consents granted by the client are reflected in
the Particular Conditions of the financing contract.
Annex 13 contains a printout of the screen in which the
consents, which coincide with those described above in point
relative to the prescribers channel.
Annex 14 is called APPLICATION-CREDIT AGREEMENT. Is structured
in various sections relating to personal data of the owner and co-owner, to the
purchase, financing plan, etc. Of these sections, it is worth highlighting the
indicated in the sections SUMMARY OF DATA PROCESSING AND
AUTHORIZATIONS FOR DATA PROCESSING.
The SUMMARY OF TREATMENTS section contains the following information:
"The processing of your data with respect to which you can facilitate your
authorization in the terms established in this contract are the
following:
"COMMERCIAL PURPOSES:
A. Data processing by Caixabank Payments
& Consumer and the Caixabank Group companies with
study and profiling purposes to inform you of the products
that are tailored to your interests / needs, as well as to the
monitoring of the contracted services and products, carrying out
surveys and design of new services and products.
B. Data processing by Caixabank Payments
& Consumer and the Caixabank Group companies with the
purpose of communicating offers of products, services and
promotions marketed by them, their own or third parties whose
activities are included between banking, services of
investment and insurance companies, shareholding, venture capital,
real estate, road, sale and distribution of goods or services,
consulting, leisure and charity-social services.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 11/133
C. Transfer of data by Caixabank Payments &
Consumer and Caixabank Group companies to third parties with
the purpose that they can send you communications
commercial. Said third parties will be dedicated to the activities
banking, investment and insurance services, holding
shares, venture capital, real estate, roads, sales and
distribution of goods and services, consulting services, leisure and
charitable-social.
OTHER PURPOSES
A. Treatment of biometric data that you provide by
Caixabank Payments & Consumer and the companies of the
GrupoCaixabank, such as facial image, voice, fingerprints,
graphs, etc., in order to verify your identity and signature with the
help of biometric recognition methods. "
In the AUTHORIZATIONS FOR DATA PROCESSING section there are
a series of sections in each of which, both for the owner and for
the co-owner, two boxes appear, one to mark yes and another to mark no, the
various authorizations to carry out data processing. These authorizations,
are as follows:
A) "I authorize the processing of my data for the purpose of study and
analysis by Caixabank Payments & Consumer and the companies
of the Caixabank group. "
B) "I consent to the processing of my data by Caixabank
Payments & Consumer and the Caixabank group companies with the
purpose for these to communicate offers of products, services and
promotions through the channels I authorize. " In this case, the yes / no boxes
are broken down for each of the following channels: Telemarketing,
Electronic means such as SMS, email and others, Postal mail. Contacts (edit)
commercials through any channel of my manager.
C) “I authorize Caixabank Payments & Consumer and the
Caixabank group companies give my data to third parties. "
i. The third way is through the telephone call in which the
sellers of the Prescribers and managers of CAIXABANK PAYMENTS &
CONSUMER. In this case, the Prescriber's seller facilitates by telephone the
CAIXABANK PAYMENTS & CONSUMER manager all customer data
necessary to formalize the financing operation and it processes it. One time
approved the contract, the client, through the Particular Conditions of the
contract that you must sign, defines the granting of your consents
marking freely and in handwriting your option on the boxes
enabled for this purpose, as can be seen in DOCUMENT No. 14
attached to this writing ”.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 12/133
This document has been described in the previous point.
a) “Through its Agent CaixaBank. Additionally, CPC is a beneficiary of the
Consents granted, where appropriate, by customers to CaixaBank.
We attach an example of the consent collection screens in the
CaixaBank offices where it is the customer who, interacting
directly with the device that the employee gives him (Tablet), proceeds to
signal your preferences in relation to the processing of your data. "
In the screen printing, which he incorporates in his writing, various
authorizations for each of which there is the option to mark yes or no in
its respective box. The authorizations refer, as in the previous cases:
-To the use of the data for study and profiling purposes, clarifying that
If authorized, the offers that are sent to you will be adapted to the profile of the
interested.
- To receive advertising and commercial offers. At this point it is also allowed
choose the channels to receive advertising by checking the respective box.
- To transfer the data to third parties with whom the Caixabank group has agreements.
-The use of biometric data in order to verify my identity and signature.
6. Regarding the procedure followed to comply with the duty of
information to the interested party (articles 13 and 14 of the RGPD) indicates that “Attached, as
ANNEX DOCUMENT No. 12, copy of the general conditions that is provided to the
interested in the framework of the contracting of a product and in which it is reported
provided for in article 13; not being applicable, therefore, the provisions of the
Article 14 of the RGPD. "
The document contained in annex 12 called "GENERAL CONDITIONS
OF THE APPLICATION-CREDIT AGREEMENT ”contains various sections,
referring to section number 26 to the "Processing of personal data
based on the execution of contracts, legal obligations and legitimate interest and
Privacy Policy". This point is structured in turn in 10 sections, of which
which interests to transcribe here the information contained in points 26.1 and 26.4.
"26.1 Processing of personal data in order to manage
Commercial Relations.
The personal data of the Holder, both those that he himself provides, as well as
those derived from commercial, business and contractual relationships
that are established between the Holder and CaixaBank Payments & Consumer either in
the commercialization of its own products and services, either in its capacity as
mediator in the commercialization of third-party products and services (in
hereinafter all referred to as Commercial Relations), or the
Commercial Relations of CaixaBank Payments & Consumer and the companies
of the CaixaBank Group with third parties and those made from them,
will be incorporated into files owned by CaixaBank Payments & Consumer and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 13/133
the CaixaBank Group companies that are holders of the Commercial Relations,
to be treated in order to comply with and maintain them,
verify the correctness of the operation and the commercial purposes that the Holder
accept in this contract.
These treatments include the digitization and registration of documents
identification and signature of the Holder, and their making available to the internal network
of CaixaBank Payments & Consumer, to verify the identity of the
Owner in the management of their Commercial Relations.
The treatments indicated, except those for commercial purposes whose
Acceptance is voluntary for the Holder, they are necessary for the
establishment and maintenance of Commercial Relations, and
They will necessarily be understood as valid while said Relationships
Commercials continue in force. Consequently, at the time of
cancellation by the Holder of all Commercial Relations with CaixaBank
Payments & Consumer and / or with the CaixaBank Group companies, the
aforementioned data processing will cease, your data will be canceled
in accordance with the provisions of the applicable regulations, keeping them CaixaBank
duly limited its use until the derivative actions have been prescribed
thereof"
"26.4. Treatment and transfer of data for commercial purposes by
CaixaBank and the CaixaBank Group companies based on consent.
In the Particular Conditions of this contract it will be collected, under the heading
authorizations for data processing, the authorizations that you
grant or revoke us in relation to:
(i) Data analysis and study treatments for commercial purposes by
CaixaBank Payments & Consumer and companies of the CaixaBank Group.
(ii) The treatments for the commercial offer of products and services by
CaixaBank Payments & Consumer and the companies of the CaixaBank Group.
(iii) The transfer of data to third parties.
In order to put at your disposal a global offer of products and
services, your authorization to (i) data analysis and study treatments, and
(ii) for the commercial offer of products and services, if granted,
It will include CaixaBank Payments & Consumer and the Group companies
CaixaBank detailed in www.caixabank.es/empresasgrupo (the “companies of the
Grupo CaixaBank ”) who may share and use them for the purposes
indicated.
The detail of the uses of the data that will be carried out in accordance with their
authorizations is as follows:
(i) Detail of the analysis, study and monitoring treatments for the offer
and design of products and services tailored to the customer profile. Granting your
consent to the purposes detailed here, you authorize us to:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 14/133
a) Proactively carry out risk analysis and apply on your data
statistical and customer segmentation techniques, with a triple purpose:
1) Study products or services that can be adjusted to your
profile and specific business or credit situation, all to
make commercial offers tailored to your needs and
preferences,
2) Track the products and services contracted,
3) Adjust recovery measures on defaults and incidents
derived from the products and services contracted.
b) Associate your data with those of other clients or companies with which you have
some type of bond, both family or social, as well as their property relationship
and administration, in order to analyze possible interdependencies
economic in the study of service offers, risk requests and
contracting of products.
c) Carry out studies and automatic controls of fraud, defaults and incidents
derived from the products and services contracted.
d) Carry out satisfaction surveys by telephone or electronically.
with the aim of evaluating the services received.
e) Design new products or services, or improve the design and usability of
existing, as well as define or improve user experiences in their
relationship with CaixaBank Payments & Consumer and the Group companies
CaixaBank.
The treatments indicated in this point (i) may be carried out in a
automated and entail the elaboration of profiles, with the purposes already
indicated. For this purpose, we inform you of your right to obtain the
human intervention in the treatments, to express their point of view, to
get an explanation about the treatment decision
automated, and to challenge said decision.
(ii) Details of the treatments for the commercial offer of products and services
of CaixaBank Payments & Consumer and the companies of the CaixaBank Group.
By granting your consent to the purposes detailed here, you
authorizes:
Send commercial communications both on paper and by means
electronic or telematic, related to the products and services that, in each
moment: a) commercializes CaixaBank Payments & Consumer or any of
the CaixaBank Group companies b) sell other companies
owned by CaixaBank Payments & Consumer and third parties whose
activities are included between banking, investment services and
insurer, shareholding, venture capital, real estate, roads, for sale
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 15/133
and distribution of goods and services, consulting services, leisure and charity-
social.
The Holder may choose at any time the different channels or media through which
that you want or not to receive the indicated commercial communications through
your internet banking, through the exercise of your rights, or through your
management in the CaixaBank branch network.
The data that will be processed for the purposes of (i) data analysis and study,
and (ii) for the commercial offer of products and services, they will be:
a) All those provided in the establishment or maintenance of
commercial or business relationships.
b) All those generated in the contracting and operations of products and
services with CaixaBank Payments & Consumer, with companies in the
Grupo CaixaBank or with third parties, such as account movements or
cards, details of direct debits, direct debits,
claims derived from insurance policies, claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the
Grupo CaixaBank obtain from the provision of services to third parties,
when the service is intended for the Owner, such as the
management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder as stated in the
records of this, or of the entities that according to the regulations
regulator of the securities market must keep records of the
values represented by book entries.
e) Those obtained from the social networks that the Owner authorizes to consult.
f) Those obtained from third parties as a result of requests for
aggregation of data requested by the Holder.
g) Those obtained from the Owner's browsing through the web service
of CaixaBank Payments & Consumer and other websites this and / or the
CaixaBank Group companies or mobile phone application of
CaixaBank Payments & Consumer and / or the Group companies
CaixaBank, in which it operates properly identified. These dates
they can include information related to geolocation.
h) Those obtained from chats, walls, videoconferences or any other
means of communication established between the parties.
The data of the Holder may be supplemented and enriched by data
obtained from companies that provide commercial information, by data
obtained from public sources, as well as statistical data,
socioeconomic (hereinafter, "Additional Information") always verifying
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 16/133
that they comply with the requirements established in the current regulations
on data protection. "
7. Regarding the number of interested parties whose personal data have been processed in the
development of profiling activity by category (client, potential client) and year
(2018 and 2019), (…).
Finally, regarding the third activity that it carries out called “Analysis and
selection of target audience ”states the following:
1. Regarding the definition of the logic applied in the profiling and the
anticipated consequences of said treatment for the interested party, states that “The
treatment activity called Commercial Profiling responds to the
CPC's need to analyze, select and extract, prior to its impact
commercial, the target audience to which commercial communications will be directed
associated with a potential campaign.
For this purpose, CPC selects and extracts the information of the clients to whom
Potentially they will be sent the commercial communications of the campaign in
question.
For this, personal data from internal CPC sources are processed
(Host, DataPool and DataWareHouse) of those of their clients who have authorized
expressly commercial profiling treatment and subsequently have not
revoked. On the aforementioned repositories (Host, DataPool and DataWareHouse),
takes a list of clients based on the result obtained once the
treatment based on the client's consent, detailed in the previous section (“II.
Analysis of the repayment capacity or risk of non-payment for risk management
of credit granted to clients ”) and on said list of clients, filters of
selection based on identifying data such as age ranges, language of
communication, sex, location or address, in order to proceed with the extraction
of the target audience to which the campaign will be directed. Ultimately, the system
generates a file with the selection of the target audience that meets the conditions
set once the filters have been applied.
It should be noted, however, that the selection criteria that, in essence,
they constitute the logic applied to profiling, they do not become standardized parameters
rather, they are segments that vary and are adjusted to the needs of the
Product or characteristics associated with the commercial or promotional initiative of
the intended launch, as well as the type or volume of the data
that CAIXABANK PAYMENTS & CONSUMER has with respect to each of
the interested.
For its part, the consequence that the profiling activity carried out by
CAIXABANK PAYMENTS & CONSUMER generates on the client, is limited to the
fact that it will, or will not, become part of a list that could potentially be
used in the framework of a commercial campaign. "
2. Regarding the description of the purpose of the treatment and detail of the base of
legitimation of article 6.1 of the RGPD on which it is based, states that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 17/133
"CAIXABANK PAYMENTS & CONSUMER treats the personal data of the
interested parties associated with the Commercial Profiling activity in order to know if the
themselves meet the necessary conditions for inclusion in a potential
commercial campaign and improve the impact of your commercial campaigns. Definitely,
Although expressed in different terms, the profiling process linked to this
treatment activity is carried out with the aim of generating the list with the public
objective that, in subsequent moments, can be exploited to impact customers
through communications with commercial content. For its part, regarding the title
enabling, is the one provided for in art. 6.1.a) of the RGPD (consent).
3. Regarding the procedure followed to comply with the duty of information to the
interested party (articles 13 and 14 of the RGPD), refers to what was stated in the activity of
treatment "Analysis of the repayment capacity or risk of non-payment for the management
of credit risk granted to customers ”in which reference was made to the document
Annex No. 12.
4. With regard to the means used to collect consent in
In the event that the processing activity is covered by article 6.1.a of the RGPD,
It also refers to those indicated in the treatment activity “Analysis of the
repayment capacity or default risk for credit risk management
awarded to customers. "
5. Exposes the following regarding the categories of interested parties and data
personal object of treatment:
“The category of interested parties that are the object of the treatment called Commercial Profiling
It is that of clients with a current contract with CPC. The category of potential clients in
no case is the object of this treatment activity "
"The personal data subject to treatment are the following:
- Identifiers: customer identifier, NIF / NIE / Passport, name and surname, date
of birth, gender, postal address, email, telephone (landline or mobile) and
communication language.
Financial: products and services contracted and condition of
owner / beneficiary / attorney-in-fact and the label resulting from the treatment described in the
previous section II). "
6. Regarding the origin of the personal data object of treatment (with indication of
the basis of legitimation that sustains, states that “The origin of the data of
personal character object of treatment is the interested party and internal sources
own of CAIXABANK PAYMENTS & CONSUMER, already described in point 1 of
this section (III. Treatment: "Commercial Profiling"), as well as the labels
detailed in the previous section (Analysis of the repayment capacity or risk of
non-payment for the management of credit risk granted to clients). In this case, the
The basis of legitimation is the consent of the interested party (art. 6.1.a RGPD). "
7. Regarding the number of interested parties whose personal data have been processed in the
development of profiling activity by category (client, potential client) and year
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 18/133
(2018 and 2019), points out that “In the first place, it must be indicated that the numbers that are
reflected below refer only to the category of customers, position
that this profiling activity does not process data from potential clients,
in accordance with what is stated in point b) of the Preliminary Considerations. (…). "
SIXTH: Information is obtained on the volume of sales of the entity being the
Turnover results for the year 2019 of € 872,976,000. Capital
social account amounts to € 135,155,574.
SEVENTH: On December 23, 2020, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure to the claimed, with
in accordance with the provisions of articles 63 and 64 of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (hereinafter,
LPACAP), for the alleged violation of Article 6 of the RGPD, typified in Article
83.5.a of the RGPD, stating that the corresponding sanction would amount to
a total of 3,000,000.00 euros, without prejudice to the results of the instruction.
EIGHTH: Once the aforementioned initiation agreement was notified, the investigated entity presented
of December 2020 written, reiterated on January 4, 2021, requesting
extension of term in order to present allegations. The extension of the
deadline dated December 30, 2020, a brief of allegations was submitted on the
January 19, 2021, in which you request the cancellation of the start-up agreement,
subsidiarily the file of the proceedings and subsidiarily, in the event that it is
consider you responsible for the infractions of article 6, that the
warning or, failing that, that the amount of the sanction is imposed in its degree
minimum. In any case, the consents obtained are not declared null and, if
If this is the case, the AEPD orders the measures that in its opinion may be
adequate to improve compliance with data protection regulations.
The aforementioned entity bases its requests on the allegations that, briefly, are
set out below, which is divided into two groups:
A. In relation to the initiation agreement and the violation of principles of
administrative action and the sanctioning procedure
1. It considers that for the Agency the complaint to which the fact refers first
of the commencement agreement, it is relevant for its adoption, since in the SECOND
factual antecedent, it is stated verbatim that “In view of this claim, with
dated October 16, 2019, the Director of the Spanish Agency for the Protection of
data urged the Subdirectorate General for Data Inspection to initiate actions
previous research that reveal how CAIXABANK CONSUMER
FINANCE EFC, S.A.U is profiling the personal data of its
clients in the context of their commercial activity, in order to verify their suitability
to the personal data protection regulations. "
It points out that the facts that motivate the initiation of a sanctioning procedure
are part of the minimum content of the initiation agreement (article 64.2.b of the Spanish Law
39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations, hereinafter LPACAP) and that, despite the relevance that
has the complaint in the Initiation Agreement, some details about the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 19/133
procedure followed with such Claim since, although it is mentioned that it was
transferred to the Data Protection Delegate of the person responsible for the treatment, no
refers to the date of the transfer (November 29, 2018); indicated
erroneously that the transfer of the claim was carried out in accordance with
provided for in article 65.4 of the LOPDGDD, when it was carried out in accordance with
with the provisions of article 9.4 of Royal Decree-Law 5/2018 (BOE July 30, 2018,
repealed on December 7, 2018 by the LOPDGDD and it is obvious that on February 7
of 2019, the AEPD agreed not to admit the aforementioned claim for processing.
No motivation is attached by the Agency to the fact that a
inadmissibility of processing a claim gives rise 8 months later to the beginning of a
previous investigation actions. There is no direct connection between the
content of the inadmissible claim and the initiation of preliminary actions. Since the
object of the complaint not admitted for processing, was the fact that the complainant was
included in a campaign of pre-granted credits and that such commercial communication
was attributed to human error, qualified as punctual and exceptional, on the other
partly, an error not related to the logic or the profiling process,
but rather for having considered that the interested party was still a client of the Entity,
measures were adopted at the time so that it did not happen again, an error that, in
In any case, it did not generate any damage to the interested party or to third parties.
Of a punctual and exceptional human error that had as the only consequence for the
interested in its inclusion in a commercial campaign and in respect of which the Director of
the AEPD agreed not to admit the claim for processing, apparently it follows that 8
months later, the same Director urge the Subdirectorate General of Inspection of
Data to initiate preliminary investigation actions, in order to obtain
information on the way in which CAIXABANK CONSUMER FINANCE EFC, S.A.U
was “profiling the personal data of its customers in the context of
its commercial activity ", in order" to verify its adequacy to the regulations of
personal data protection".
2. Affirms that in general, the possibility of opening a period of information or
of previous actions before initiating a sanctioning procedure is foreseen in
Article 55 of the LPACAP, and corresponds exclusively to the competent body for
initiate such an administrative procedure take that decision in its entirety, it is
In other words, not merely agreeing on the beginning, it should also specify the scope of the
investigation. In this case, such decision corresponds exclusively to the Director of
the AEPD, as head of the administrative body. The information request
raised on February 6, 2020 clearly exceeded the instructions on
the previous actions taken by the Director of the Agency, in particular regarding the
scope of the investigation, since what was urged by the Director of the AEPD, the
October 16, 2019, was to find out how the data profiling was carried out
personals of "CPC clients"; however, the information requirement
completed surprisingly expanded its scope since the Inspector decided to also include
to “potential customers”, a change that is undoubtedly significant that exceeds the
attributions of the personnel who carry out the research activity, which come
specified in article 53 of the LOPDGDD, since these must be limited to
investigate what the head of the administrative body has decided should be
object of previous investigation actions. We don't know if we have to continue
attributing this circumstance to a new error in the processing or if it is practical
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 20/133
It is common for inspectors to arbitrarily decide on the scope of the
previous investigation actions, ignoring the instructions of the owner of the
administrative body; We hope, in any case, that the Agency will pronounce
respect.
3. Affirms that, perhaps, the explanation for some of the doubts raised about the
reasons why the Initiation Agreement has been issued lies in the fact that
that the actions related to this have been fed by another procedure
sanctioning against CAIXABANK, S.A. (procedure number: PS / 00477/2019), whose
lengthy processing runs parallel to the actions related to the Agreement on
Start, and in which it has also been the object of investigation, and resolution, the same
collection of consents for profiling, so that we
we would find before an alleged case of violation of the principle "non bis in idem",
in the first place from the material perspective, which requires the Agency to avoid
duplicity of sanctions for the same acts, that is, it could lead to
the same conduct be sanctioned twice, since the conduct that gives rise to the Agreement
Start (alleged lack of consent for profiling treatment) is the
same that has already been subject to resolution by the AEPD on January 7, 2021
in the sanctioning procedure against CAIXABANK, S.A., for which the Agreement of
Start, in the unlikely event that the procedure continues to be processed
sanctioning action brought against CPC, could violate the principle “non bis in idem”,
prohibited in our legal system.
CPC is part of the CaixaBank Group. The way this has been articulated
The Group responds to the regulation of the banking sector, which means that many
treatments are carried out under a co-responsibility regime; in particular, that
co-responsibility applies to the treatment identified in section 6.1.
(TREATMENTS BASED ON CONSENT), with the letter A, described
as “Analysis of your data for the elaboration of profiles that help us to offer you
products that we think may interest you ”, in the privacy policy of
CAIXABANK, S.A., in its version of December 17, 2020, publicly available
at https://www.caixabank.es/particular/general/politica-privacidad.html, and in the Policy
CPC Privacy Policy, available at https://www.caixabankpc.com/, at the bottom of the page
in the link "Privacy Policy".
There is an identity of the sanctioned subject, since CAIXABANK, S.A. and CPC are part
of the CaixaBank Group, which as companies act under a co-responsibility regime
regarding treatments that involve the elaboration of profiles for the same
business activity, and in both cases the alleged infringement of the
Article 6 of the RGPD on the same treatment and with material link to a
same collection of consents; therefore, we are faced with an indisputable
identity of the subject, fact and foundation, consequently what is adjusted to law would be
proceed to file the agreement to initiate the sanctioning procedure initiated
against CPC, in order for this Agency to comply with the legal system and not
arbitrarily separate from your own administrative precedents (question on the
that we will influence, from another perspective and in detail, later).
4. It alleges that Article 9.3 of the Constitution prohibits the arbitrary action of the
public powers, and article 103 obliges the Public Administration to serve with
objectivity of the general interests, considering that the agreement to initiate this
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 21/133
sanctioning procedure is an arbitrary action that does not objectively pursue
the general interest, evidencing, in addition, a discriminatory treatment with respect to other
managed. It is surprising to this part that, if the Agency had a special
concern about the adaptation to the personal data protection regulations of
the treatments carried out by financial entities, it would not have proceeded to
propose a preventive audit plan since, as provided in article 54 of the
LOPDGDD, the Presidency of the Spanish Data Protection Agency may
agree to carry out preventive audit plans referring to the treatment of
a specific sector of activity. Which causes us astonishment and raises doubts about the
application of the principle of equal treatment is that for other sectors it seems that the
Agency has been more sensitive and has preferred to carry out a more
preventive in its supervisory activity. The administrative action of the AEPD
is erratic based on the application of disparate criteria when deciding what
mechanisms to use with one or other entities or sectors, especially considering
account that the Director of the institution in public statements has equated
certain sectors and, however, afterwards it has decided to apply performance criteria
very different administrative.
We are well aware that already in 2016 CAIXABANK, S.A. shared with the
AEPD aspects that have now been sanctioned, or for which it is intended
now sanction CPC, when it decided of its own accord to communicate to the authority a
documentary structure related to the adaptation of the Caixabank Group to the RGPD,
also expressly requesting a meeting or contacts, in order to obtain and adopt
criteria and recommendations that the AEPD would have liked to convey in this regard;
initial steps that were unsuccessful despite the insistence of CAIXABANK,
S.A .. Thus, the Caixabank Group adopted a diligent and preventive attitude, and the
The effect has been that the AEPD has adopted an exclusively punitive attitude with the
Caixabank Group. Where, then, is the role that the AEPD must assume,
according to the provisions of article 57.1.d of the RGPD, to “promote awareness of
those responsible and in charge of the treatment about the obligations that
they concern ”.
5. When the Director of the AEPD, in interviews with the media
communication at the beginning of 2020, advanced the result of files
sanctioners just initiated, violated the principle of presumption of innocence
(question on which we will discuss in depth later), but it also lacked
to the due discretion that an authority must maintain in relation to this type of
matters, and even further, he also forgot the provisions of article 54.2 of the RGPD,
which provides that: “The member or members and the staff of each supervisory authority
shall be subject, in accordance with the law of the Union or of the States
members, to the duty of professional secrecy, both during their mandate and after
of the same, in relation to the confidential information of which they have had
knowledge in the performance of their functions or the exercise of their powers. ”; So,
to give three examples, we have the following interviews and public interventions
of the Director of the AEPD, the Ilma. Ms. Mar España Martí:
- On January 13, 2020, in an interview in "Cinco Días" by El País, it is used as
holder of the same one of the statements of the Director of the AEPD: “There is
files to large companies that can end in very high penalties "
https://cincodias.elpais.com/cincodias/2020/01/10/legal/1578667140_483443.html
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 22/133
- On February 9, 2020, in another interview in “La Voz de Galicia”, it is used again
as holder one of the declarations of the Directorate of the AEPD; in this case
with full conviction that it will be sanctioned: “There will be sanctions very
important for violating data protection "
https://www.lavozdegalicia.es/noticia/sociedad/2020/02/08/marespana-habra-
important-sanctions-violate-
dataprotection / 00031581176394099239215.htm
- On March 13, 2020, in the chronicle of the magazine “Elderecho.com” (from the editorial
Lefebvre), on the XII Privacy Forum, organized by ISMS Forum,
together with the Data Privacy Institute (DPI), held on March 3, 2020 at the
Main Auditorium CaixaForum Madrid, a part of the intervention of the
Director of the AEPD in the following terms, which already provided more details
precise information on these planned sanctions: “We already have two or three procedures
high-impact sanctions that will have a lot of media coverage in
relationship with the financial sector, will be the first major quantitative fines
by the Agency. "
In relation to the last manifestation referenced, it is evident that the repercussion
media is the main result sought by these sanctioning procedures against
referred to, despite still being at that time in phases of
very initial processing, an impact derived from the fact that they were going to involve
"Significant quantitative fines", not so much for the result of protection of the right
fundamental to the protection of personal data and data subjects, which is not
that is in the background, but simply seems to have no relevance whatsoever
in those sanctioning procedures; at least that conclusion can be drawn from
what was expressed by the Director of the AEPD, since there does not seem to be a general interest to
protect, nor damages to remedy, nor legal assets to preserve.
Everything remains in the goal of achieving: "a lot of media coverage."
It should be remembered that the request for information that was addressed to CPC took place
on February 6, 2020 and the agreement to initiate the disciplinary proceedings against
CAIXABANK, S.A. on January 21, 2020. As has been amply put in
evidence, already at that very moment, the Director of the AEPD had the capacity to
foresee that there would be very important sanctions; previously, just a month before, the
December 2, 2019, the AEPD had agreed to start the procedure
sanctioning the entity BBVA, which was resolved with the imposition of a total fine
of five million euros; that is, in less than 3 months, actions were started in
relation to financial entities and it was already known that all of them would result in
large administrative fines, some fines with amounts not imposed until the
moment, everything and that the RGPD and its sanctioning regime was already applicable from the
May 25, 2018.
Regarding the aforementioned violation of the fundamental right to the presumption of
innocence, recognized by article 24.2 of the Spanish Constitution, the
Constitutional Court has projected the content of this fundamental right in the
administrative sanctioning procedures. For this purpose, SSTC 129 and 131,
both of June 30, establish: “(…) the presumption of innocence governs without
exceptions in the sanctioning system and must be respected in the imposition
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 23/133
of any sanctions, be they criminal or administrative (...), since the exercise
de ius puniendi in its various manifestations is conditioned by article 24.2
of the Constitution to the game of evidence and to a contradictory procedure in which
they can defend their own positions. "
This principle is also expressly stated for the
administrative sanctioning procedures in article 53.2.b) of the LPACAP.
The presumption of innocence has a double essential meaning; on the one hand, it is a
rule of judgment and, on the other, constitutes a rule of treatment, that is, in relation to
with the treatment that must be given to the accused during the processing of the procedure
sanctioner. In this sense, constitutional jurisprudence forces us to consider
innocent to the accused and to treat him as such during the processing of the entire
procedure, both inside and outside of it, which means that it cannot
be punished before proven guilty. Thus, STC 25/2003, of 10
February, stresses that “the presumption of innocence, in addition to constituting a principle or
An informing criterion of the criminal procedural order is, above all, a right
fundamental by virtue of which a person accused of an offense cannot be
considered guilty until the conviction is declared in this way ”.
Ad extra, the presumption of innocence as a treatment rule implies that the
Administration cannot harm the accused in other areas, precisely because
be processing a sanctioning procedure against him or, in general, for being
suspected of having committed an administrative offense.
In the present case, we are before the initiation of a sanctioning procedure,
preceded by a request for prior information of February 6, 2020. Well,
Well, before the mandatory administrative period expired to respond to
said requirement, specifically, on March 3, in an act of the ISMS Forum
held in Madrid, as has already been described in detail above, the
Director of the AEPD, highest authority of the institution, and competent person to
resolve the present file, he publicly pointed out the existence of two or three
High-impact sanctioning procedures that were to have a great impact
media in relation to the financial sector.
In accordance with articles 24.2, 103. 1 and 3 CE –and art. 6.1 of the European Convention
of Human Rights-, any action of the Public Administration must
obey the principles of objectivity and impartiality; however, in this case, without
have still assessed the response to the request for information, since this
was presented on June 2, 2020 (almost three months after the aforementioned
statements of the Director), the person who has to resolve, and who, in addition,
As the highest authority, inspectors and instructors report hierarchically to the
AEPD, far from keeping any semblance of justice, decided (publicly) that
there would be a sanction, and this without only having agreed to initiate the procedure
sanctioner.
It should be noted that the Director of the AEPD is not only the one who dictates the resolutions
Instead, according to article 12.2 i) of the Organic Statute of the AEPD (RD
428/1993 of March 26), has as one of its functions that of “Initiating, promoting the
instruction and resolve the disciplinary proceedings concerning those responsible for
private files ". And it should also be noted that the AEPD is the only one of the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 24/133
so-called independent administrations that does not have the highest
resolution of files to a collegiate body but to a single person. Therefore,
there is no debate in the claim that it is your will alone that informs the urge
instructor and the one who will determine the final resolution of the administrative file. Then
Well, if the person who is going to resolve this sanctioning procedure himself, the
person who has been promoting their instruction, in short, the highest authority
of the institution, it was clear to me, before hearing what CPC had to say about it,
that he was going to sanction him, and he was so clear as to say it in a public act, difficult
is to understand that there has not been a flagrant infringement of the right
fundamental to the presumption of innocence (article 24.2 of the Constitution). This in
definitively, it should lead to the immediate nullity of the administrative actions.
Likewise, the resolutions of sanctioning procedures of this
Agency in which the person responsible for the treatment is sanctioned for infringement of the
Article 6 RGPD (see PPSS 00235/2019, 00182/2019, 00415/2019) and that, taking into
the status of a large company and business volume, among others, is not even close to
sanctions reach the economic level of the sanction proposal contained in the
this Initiation Agreement, since they are sanctions that have ranged between the
€ 60,000 and € 120,000.
In this sense, it is not understood what this Agency relies on to modulate the
economic sanctions since the Initiation Agreement neither motivates nor explains
minimally the application of the criteria for graduation of the sanction, nor the fact of
deviate from them in the proposed sanction, in the case of very
similar.
In line with the previous point, in a subsidiary manner, and in the unlikely assumption that
this Agency resolved that it should sanction CPC for the infringements charged and
did not accept these allegations, this representation understands that they would result
of application the following criteria for assessing the sanctions established in the
Article 83.2 RGPD (as mitigating circumstances): (a) Any measure taken by the
responsible or in charge of the treatment to alleviate the damages suffered by
stakeholders (art. 83.2.c) RGPD): CPC has made a significant effort during
the last years - and especially since the entry into application of the GDPR and the merger
held on July 11, 2019 - to provide your customers with the information
pertinent on the treatment of your personal data in an appropriate way. The
The clearest example of this initiative is constituted by the different versions of the
privacy policies and clauses, a fact that reaffirms the proactivity and spirit of
continuous improvement of CPC. This behavior demonstrates a clear exercise of
transparency and loyalty, as well as proactive and diligent activity by CPC
in relation to compliance with data protection regulations, in addition to
demonstrate CPC's eagerness to repair potential errors, if any, at the time of
Obtain the consent of the interested parties.
The degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement (art. 83.2.f) GDPR):
CPC has shown, at all times, its willingness to collaborate with the Agency in order to
to improve those aspects of the treatments that are susceptible to improvement.
As shown in this Brief, CPC has launched
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 25/133
a series of measures aimed at this improvement in the collection of consents.
Thus, these circumstances must be valued by the Agency as mitigating. It fits
remember that both CPC and its data protection officer have been, in all
available to cooperate and have been proactive in responding to
any requirements of the Agency.
The degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement (art. 83.2.f) GDPR):
CPC has shown, at all times, its willingness to collaborate with the Agency in order to
to improve those aspects of the treatments that are susceptible to improvement.
As shown in this Brief, CPC has launched
a series of measures aimed at this improvement in the collection of consents.
Thus, these circumstances must be valued by the Agency as mitigating. It fits
remember that both CPC and its data protection officer have been, in all
available to cooperate and have been proactive in responding to
any requirements of the Agency.
Omitting the criteria previously indicated, the Initiation Agreement refers, without
justification or motivation, to the following criteria in relation to each
imputed infringement, limiting itself to its simple enumeration, without even indicating its
application as an aggravating or mitigating
we are able to understand the intention of the AEPD (and we only have, given the
disproportionate proposed penalties interpret as aggravating).
Next, we refer to those criteria that are most notably far from
reality:
(a) The nature, seriousness and duration of the infringement (art. 83.2.a) RGPD): It results
surprising that the AEPD proposes the imposition to CPC of a fine of such an amount
elevated for issues that are not particularly serious:
- We are not facing a case in which CPC has radically dispensed with the
Obligations related to obtaining consents, without prejudice to the fact that the
AEPD considers that certain issues should be corrected, which could
make improvements to the way consents are collected.
- No special categories of data are treated (art. 9 RGPD and 9 LOPDGDD).
- To date, the sanctions imposed for violation of article 6 RGPPD have not
reached the economic level proposed in this Initiation Agreement (with the
exception of the sanction imposed on the entity BBVA, already referenced).
- There is only one claim from a CPC client (claim, let's remember,
inadmissible for processing)
That said, even in the event that the Agency appreciates hypothetical
indications of the commission of an infringement of the regulations on data protection
personal, it should be taken into account that no damage or harm has been caused
to CPC clients.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 26/133
The processing of personal data, in accordance with the operations explained with the
maximum level of detail in the response to the request for information, are the
necessary for the development of CPC's own activity, as well as for the
corresponding purposes when the basis of legitimation of the treatment is the
consent freely given by the interested party, and are carried out in accordance with the
requirements demanded by the applicable regulations on data protection and the
sectoral regulations.
It should be highlighted the importance that the RGPD first and the LOPDGDD later have
granted to the fact that the conduct of the data controller causes a
serious and effective damage to the rights of those affected. In the present case
We understand that no such damage has occurred and that, therefore, it is neither serious nor
cash.
The former Article 29 Working Group, in its Guidelines on the application and
setting administrative fines for the purposes of Regulation 201 6/679 (WP 253,
adopted on October 3, 2017), ratified by the European Protection Committee
Data (hereinafter, "CEPD"), refers to this issue in the following terms:
“If the interested parties have suffered damages, the level of
the same. The processing of personal data may generate risks for
individual rights and freedoms, as stated in recital 75:
«The serious and serious risks to the rights and freedoms of natural persons
variable probability, may be due to the processing of data that could cause
Physical, material or immaterial damages, particularly in cases where
that the treatment may give rise to problems of discrimination, usurpation of
identity or fraud, financial loss, reputational damage, loss of
confidentiality of data subject to professional secrecy, unauthorized reversal of the
pseudonymization or any other significant economic or social damage; in the
cases in which the interested parties are deprived of their rights and freedoms or are
prevent exercising control over your personal data; in cases where the data
personal treaties reveal ethnic or racial origin, political opinions, religion
or philosophical beliefs, union membership and the processing of genetic data,
data related to health or data on sexual life, or convictions and offenses
criminal or related security measures; in the cases in which they are evaluated
personal aspects, in particular the analysis or prediction of aspects related to the
job performance, financial situation, health, preferences or interests
personal, reliability or behavior, situation or movements, in order to create or
use personal profiles; in the cases in which personal data of
vulnerable people, particularly children; or in cases in which the treatment
involves a large amount of personal data and affects a large number of
interested ». Whether damages have been suffered or are likely to be suffered due to
to the infringement of the Regulation, the supervisory authority must take this into account when
when selecting the corrective measure, even if the supervisory authority lacks
powers to grant specific compensation for damages
suffered ”.
Well, as we say, in the present case no harm has been proven.
any for the rights of those affected, nor has the sole claimant been able to prove
such damages, their claim having been inadmissible by the Agency. This
This circumstance must be taken into special account when determining the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 27/133
hypothetical infraction and the sanction that, if applicable, could be imposed. It
above is also credited by the fact that there have been no other
complaints or legal actions for these events. That is, no damage has occurred
any that could be the subject of an action before the jurisdictional bodies
competent since CPC has acted, at all times, in full compliance with the
regulations on personal data protection.
(b) The intentionality or negligence appreciated in the commission of the infraction.
There is no intentional conduct in relation to the violation of the regulations
protection of personal data. CPC has acted diligently,
establishing clear procedures in relation to the information put into
disposition of clients and procedures for obtaining consent from
the same. CPC has a desire for continuous improvement and transparency, a fact that is reflected
in the evolution of the documents and in the improvement of the information contained in the
themselves.
(c) The high link of CPC activity with the performance of treatments of
personal information.
CPC is a subsidiary of the CaixaBank Group and, as a financial credit institution,
its activity is consumer finance and means of payment; in no case, your
main activity is the processing of personal data of its clients more
beyond what is necessary for the development of that main activity, nor
Nor does it benefit financially from the processing of the personal data of its
customers.
(d) High volume of data and processing that constitutes the object of the file.
The volume of data corresponds to the essential to be able to carry out with
CPC's activity is normal and, in no case, does the alleged infringement affect
all the processing of personal data carried out by CPC, nor is it
uses all the information relating to customers.
6. There is a breach of the principle of legitimate confidence in the Initiation Agreement.
administrative action; As has already been described in these allegations, on
November 2018, the AEPD transmitted the claim and made a request for
information (Ref. E / 09305/2018) to the Data Protection Delegate following a
complaint filed by D.A.A.A .. Based on the information provided by CPC and
Based on the reasons stated, the AEPD, on February 7, 2019, agreed to
the inadmissibility of processing the claim presented, a fact that generated the CPC
legitimate confidence in their performance in accordance with the law; months later they start
previous investigation actions, supposedly based on the Claim,
resulting in the Initiation Agreement.
We have already asked ourselves before: how is it possible to start a
previous investigation actions based on a claim that has not been
admitted for processing by the AEPD itself?
This action can only be incardinated in a bankruptcy of trust
legitimate, one of the essential principles of administrative action. Saying
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 28/133
principle, of jurisprudential construction first by the CJEU and then by the Court
Supreme, and subsequently recognized in article 3 of Law 40/2015, of 1
October, of the Legal Regime of the Public Sector, is closely interrelated
with the principle of good faith and legal security and implies that "the public authority
cannot take action that is contrary to a reasonable expectation
induced on stability in the decisions of the former, and based on which
individuals have adopted certain decisions ”(STS 173/2020).
On the other hand, there is as a reference the permissiveness with respect to other subjects. In this
In this sense, the AEPD has made public other actions, of a preventive nature, that
provide a series of recommendations to other sectors of activity, in relation to
the relevant legality basis to apply in terms of profiling
commercial; recommendations that CPC applies equivalently in the
setting up your treatments.
As we say, those recommendations for other sectors create a trust
legitimate, reinforced by the AEPD's own conduct by refraining from sanctioning
acts of an identical nature to those attributed to CPC, which would completely enervate the
enforceable requirement of guilt "for legitimate and invincible belief of being acting
lawfully ”(Sic. SAN of March 30, 1999). 50. In this sense too, the
doctrine derived from the SAN of October 19, 2006 concludes that “(…) The relationship
of those administered with the Administration must be based on legitimate confidence,
confidence that can only be generated when you have predictability and security in the
action of the Administration. (…) And no reproach can be made for the
Administration -not even simple non-observance- to the one who adjusted his performance to
his guidelines - he "observed" them fully ".
7. There is also an artificial and unlawful extension of the previous actions;
As has been repeatedly described, the AEPD, in its own words, initiates a
sanctioning procedure in view of an inadmissible claim being processed. The
Previous investigation actions agreed by the AEPD supplanted the activity
instructor, having been prolonged to near expiration.
The Initiation Agreement rests, practically in its entirety, on charge elements
collected during the pre-action phase.
The preliminary investigation actions constitute an enabling mechanism of the
performance of the Administration conferred upon it "in order to achieve a better
determination of the facts and circumstances that justify the processing of the
procedure "(article 67 of Organic Law 3/2018) or" in order to know the
circumstances of the specific case and whether or not to initiate the procedure "
(Article 55 LPACAP).
The initiation of preliminary investigation actions has a very limited purpose:
to combine an indicative base of elements of judgment (not evidence) that allow
have a minimum certainty of the occurrence of the event, its typicality and the person
responsible, and with it, the relevance of initiating a sanctioning procedure
about it.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 29/133
From the moment the Administration is certain of the commission of the
facts and the identity of the person responsible, even if it is not fully accredited, the
itself is obliged, for the sake of due respect for the Constitution and the
guarantees enshrined therein, to immediately initiate the appropriate procedure
sanctioner.
In this sense, the Supreme Court has shown, among others in the
Judgment of December 26, 2007, that the preliminary investigation actions only
will be worthy of such consideration (and therefore, of the legal regime applicable to
the same) "to the extent that those preliminary or preparatory proceedings serve the
purpose that really justifies them, that is, to gather the data and initial indications that serve
to judge on the pertinence of giving way to the sanctioning file, and there is no
denaturalize becoming a surreptitious alternative to the latter. "
Similarly, the Judgment of the Supreme Court of June 9, 2006, has
highlighted the need to safeguard the constitutional guarantees of the administered
in cases such as the one in question: "As is the result of this rule, the prior information
is not mandatory, having declared this Chamber in a judgment of November 6,
2000 that “if sufficient data is available to initiate the file, the information
reserved should not be practiced, because it is unnecessary and because the rights
fundamental defense of art. 24.2 of the C.E. demand that the
granting the status of accused or expediente, thus avoiding the risk of
use the delay to conduct interrogations in which the person being interrogated would be
in a disadvantageous situation '".
It is especially striking in this case, the time elapsed between the
inadmissibility of processing the claim and the request for prior information, this
is, more than a year; or the extension of the period of previous actions of
investigation for a period of 14 months, yes, taking into account the already
mentioned incidence of the pandemic.
The Supreme Court itself, in its Judgment of May 6, 2015, establishes the following: "(...) this
The Chamber has declared that this period prior to the initiation agreement «(...) must be
necessarily brief and not to conceal an artificial way of carrying out acts of instruction
and mask and reduce the duration of the subsequent file itself ”(judgment of 6
May 2015, appeal 3438/2012, F.J 2º ".
In addition, during this period a parallel procedure has taken place
sanctioning against CAIXABANK S.A. (matrix of the group to which CPC belongs), where
coincidentally, an infringement of article 6 RGPD is also imputed, in
relation to the same treatment. Thus, taking into account the inadmissibility for processing of the
claim, the time elapsed until giving rise to the previous actions and the
sanctioning proceeding against the CPC parent company, it follows that both the
previous actions such as the agreement to initiate the sanctioning procedure subject to
These allegations (Penalty Procedure) are the result of the information
obtained in another administrative procedure.
B. In relation to the alleged offense.
The consent of the interested parties is specific and duly informed. At
Initiation Agreement the AEPD values, erroneously, that the consent collected
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 30/133
by CPC for profiling purposes is not specific since the body
administrative interprets that it does not meet the requirement of separation of the purposes and
consequent provision of consent for each of them, to which is added
the assessment that the consent given is not informed either.
Thus, due to the absence of the requirements relating to the provision of consent
specific and informed, presumably this would not be valid, implying, therefore,
that the treatments based on the consent of the interested party would lack
legitimation for an alleged breach of the provisions of article 6 of the RGPD.
The foregoing is justified in the Initiation Agreement, based on five operational factors
current CPC that, according to the AEPD, would not be aligned with the provisions of the
applicable regulations regarding the protection of personal data.
i. There is an alleged extension of the purposes of the treatment: it is affirmed by the
AEPD that, when informing about the treatments for the "offer and design of products
and services tailored to the client's profile ”, added purposes such as:
- Adjust recovery measures on defaults and derived incidents
of the products and services contracted;
- Analyze possible economic interdependencies in the study of offers of
services, risk requests and product contracting;
- Assess the services received;
- Design new products or services, or improve the design and usability of
existing ones, as well as define or improve user experiences in their
relationship with CaixaBank Payments & Consumer and the Group companies
CaixaBank.
ii. The data is communicated to the companies of the Group without legal basis: the
Consent is requested for the CaixaBank Group, which according to the AEPD constitutes
a communication of data to the companies of the Group, which in turn would constitute a
specific purpose in itself which would therefore require a manifestation of
Will of the interested party by which he consents that it can be carried out.
iii. The interested party cannot know the data that will be processed for profiling:
According to the AEPD, the information provided to the interested party includes data that does not
are going to be processed and, however, you are allegedly not informed of the
treatment of other data that will be the object of the same, such as consulting files
solvency and the Risk Information Center of the Bank of Spain or the
called “Risk Score”.
iv. Data are processed in solvency files for profiling purposes for the purposes of
credit rating without legal basis for the treatment.
v. The interested party is not informed about the profiling operation related to the “Risk
Score ”: according to the AEPD, the interested party is not informed about this new operation of
outlined, nor on the legal basis that allows its realization, nor on the
data used to carry it out.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 31/133
It is claimed that each of the above statements does not correspond to the
reality claiming that:
i. There is no extension of the purposes of the treatment.
The AEPD argues that the requests for
consent since, when informing about the analysis and study treatments
data for commercial purposes, including treatments not compatible with said
purpose and that, therefore, require a specific consent request.
The truth is that this confusion is due to a slight error in the informative clause, in the
that the mistake was made (corrected in the current CPC Privacy Policy,
aligned in turn with that of CAIXABANK, S.A.), to list treatment operations
that are not carried out based on the consent obtained for profiling; specific:
- Track the products and services contracted: treatment
necessary for the execution of the contractual relationship with the interested party;
- Adjust recovery measures on defaults and incidents derived from
the products and services contracted: treatment necessary for the execution
of the contractual relationship with the interested party;
- Associate your data with those of other clients or companies with which you have
some type of bond, both family or social, as well as their property relationship
and administration, in order to analyze possible interdependencies
economic in the study of service offers, risk requests and
contracting of products: treatment necessary for the execution of the
contractual relationship with the interested party. In addition, it is a necessary treatment
to comply with the obligations established in Law 10/2014, of 26 of
June, on the Regulation, Supervision and Solvency of Credit Institutions, in the
Law 44/2002, on Financial System Reform Measures, as well as for the
compliance with the other obligations and principles of the regulations on
responsible lending;
- Carry out studies and automatic controls of fraud, defaults and incidents
derived from the products and services contracted: Treatment carried out by
be necessary for the satisfaction of the legitimate interest of CPC to avoid fraud
that they suppose economic or reputational losses to him;
- Carry out satisfaction surveys by telephone channel or electronically
in order to assess the services received: Treatment necessary for the
execution of the contractual relationship with the interested party;
- Design new products or services or improve the design and usability of
existing, as well as define or improve user experiences in their
relationship with CPC and the CaixaBank Group companies: It is a treatment that
It is not done with personal data but by analyzing statistics and data
added after anonymization processes.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 32/133
This incident, after being detected, has been corrected by the CaixaBank Group and, by
Therefore, also by CPC, through the development of a new Privacy Policy
in which the treatments carried out are correctly and precisely detailed
for analysis and study for commercial purposes.
However, despite CPC recognizing the aforementioned circumstances, and
regardless of whether it has been corrected, this is not intended to
consequence that consents are being collected for different purposes
under a single and unifying question, a fact that could effectively affect the
principle of specificity of consent.
Consent is only requested for the purpose of studying products or
services that could be adjusted to the profile or specific commercial or credit situation
of customers to send you commercial offers tailored to your needs and
preferences.
The fact that other additional purposes have been included when reporting on the
The above purpose does not imply that different purposes are authorized en bloc: in the
In the event that the interested party gives their consent to the profiling, only
will process your data for the initial purpose based on the consent given. The rest
of the purposes will be carried out only in the event that the requirements are met
necessary so that the listed legal bases converge in each case
previously.
ii. The data is not communicated to the companies of the CaixaBank Group without legal basis
The Initiation Agreement indicates that the fact of requesting the consents for the
Grupo CaixaBank constitutes a communication of data to the companies of the Group.
Said alleged communication of data to the companies of the Group would constitute a
specific purpose in itself that would require, therefore, according to the AEPD, a
manifestation of will of the interested party by which he consents that he can take
finished.
However, it should be noted that there is no data communication whatsoever
since there is a co-responsibility regime between the companies of the Group
CaixaBank, because there is an agreement to jointly determine the objectives and
means of treatment object of the Initiation Agreement, as provided in article 26
of the GDPR.
As specified by the CEPD, in its “Guidelines 07/2020 on the concepts of
controller and processor in the GDPR ”(adopted on September 2, 2020), the
The assessment of co-responsibility should be based on a factual analysis, rather than
formal, on the influence on the determination of the purposes and means of the treatment;
For example, stewardship may take the form of a decision made by
two or more entities, or it may be the result of convergent decisions of two or more
more entities in terms of essential ends and means. Therefore, the
co-responsibility is based on decisions made by the different
entities that want to act as joint controllers of the treatment; that is, it depends
of their willingness to act jointly, without prejudice to the fact that, in cases
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 33/133
concrete, a norm may also expressly establish that
co-responsibility.
The situation of co-responsibility based on convergent decisions is derived from the
jurisprudence of the Court of Justice of the European Union, so that
consider that decisions converge in ends and means if they complement each other
yes and are necessary for the treatment to take place, so that a criterion
important to identify convergent decisions in this context is whether the
treatment as a whole would not be possible without the participation of the entities
co-responsible.
Likewise, the CEPD indicates that the existence of co-responsibility does not imply
necessarily equal responsibility of the different operators involved in the
processing of personal data; on the contrary, the CJEU has clarified that those
operators may be involved in different stages of treatment and with
different degree of intervention, so that the level of responsibility of each
of them must be evaluated taking into account all relevant aspects and
circumstances of the particular case.
Therefore, there is no communication of the data between the companies of the Group
but a direct collection of them by companies in the field of
co-responsibility.
The consents object of the Initiation Agreement are managed within the framework of the
mentioned co-responsibility. This is because it would not be operational for
Group entities, not easy to handle for the interested parties themselves, to manage
separately the consents for those treatments that are carried out
jointly in the context of the activities of the CaixaBank Group for a
same purpose and with the same means, in relation to data of which the entities of the
Group are jointly responsible.
However, the aforementioned co-responsibility does not respond only to doing more
operational management of consents and to facilitate the management and
understanding of the treatments carried out based on your consent but also
to regulatory needs.
In this sense, a large part of the CaixaBank Group entities, including
CPC, a special diligence is required of them when granting an operation of
active; diligence that translates into the duty to carry out an analysis in
depth of the client's ability to borrow, as well as to meet
the obligations derived from the contracting of its products. These obligations are
set out in the regulations on transparency of operations and protection of the
clientele (see articles 29.1 and 14 of Law 2/2011, of March 4, on the Economy
Sustainable. and Law 16/2011, of June 24, on consumer credit contracts,
respectively).
Additionally, the aforementioned regulations also require taking into account the regulations
specific information on risk management and internal control included in the legislation
current on prudential regulation of credit institutions. The regulations on
prudential regulation of credit institutions, or regulations on credit requirements
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 34/133
solvency, has been implemented and adapted to the Union legal system
European through the following standards:
- EU Regulation No. 575/2013, of June 26, 2013, on the requirements
prudential of solvency and risks of credit institutions and companies of
investment;
- Directive 2013/36 / EU, of June 26, 2013, on access to the activity of the
credit institutions and the prudential supervision of credit institutions and
investment companies, transposed into Spanish law by Law 10/2014 and
Royal Decree 84/2015.
In accordance with the regulations listed, the entities and consolidable groups of
credit institutions (1) must effectively control risks, both
individually as an aggregate (2), a fact that implies that the Consolidated Group
CaixaBank must carry out risk management in the joint or global scope of the
mentioned Group. This management includes the admission of risks and, consequently, the
study of the solvency and capacity of return of the applicant of an operation of
active.
(1) Circular 4/2017, of November 27, of the Bank of Spain, to entities of
credit, on rules of public and reserved information and state models
financial, defines the nature and content of the consolidable groups of entities
of credit:
Consolidable groups of credit institutions: These are those groups that have to
comply with prudential requirements, on a consolidated or sub-consolidated basis,
established in Regulation (EU) 575/2013 of the European Parliament and of the Council,
of June 26, 2013 […].
(2) Article 40.1 of Law 10/2014 establishes the subjective scope of application of the
Solvency regulations, this being applicable to:
a) To credit institutions
b) Consolidable groups and subgroups of credit institutions
It should also be mentioned that the European Central Bank, in the exercise of its
supervisory powers, carried out the inspection identified as OSI-2017-1-
ESCAX-3084, in which he identified a deficient aspect in relation to the
Requirements of the Prudential and Solvency Regulations applicable to the Group
Consolidated CaixaBank, the non-integration of all the databases of the
entities of the Consolidated Group.
Due to the above, co-responsibility does not only imply benefits
operational for the Group but is necessary for the proper compliance with the
legal obligations of CPC and of the rest of the entities of the Consolidated Group
CaixaBank. This necessarily implies that said co-responsibility will have
implications not only in those treatments carried out in strict
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 35/133
compliance with mandatory legal obligations but also some carried out in
basis for the consent of the interested parties.
This would be the case of data analysis and study treatments for the purpose of
commercial. It is necessary to take into account the type of products marketed by
the CaixaBank Group and, specifically, by CPC. As reported in the response to
Information requirement prior to the Initiation Agreement, CPC, while
financial credit establishment, offers and markets loans. Therefore, and
Although the treatment related to commercial profiling is carried out based on the
consent of the interested party, it must be done in compliance with legal obligations
applicable in each case.
In other words, considering that personalized loan offers
are binding on CPC (in the sense that, if the client accepts the offer, the
product conditions will be those previously offered), when performing them CPC must
also comply with the prudential and solvency regulations, even when the treatment
It is done based on the consent of the interested party.
It is for the above reasons that the CaixaBank Group chose to carry out a management
centralized consent for commercial purposes, including the treatment
data analysis and study; so the fact that consent is requested
for the CaixaBank Group it does not constitute a communication of data to the companies of the
Group, but is a consequence of co-responsibility in the terms set forth
in the previous paragraphs
iii. The duty to inform the interested parties is adequately fulfilled in relation to
with the data that is processed for profiling
In the Initiation Agreement it is considered that the interested party cannot know the data that
will be treated for profiling since the information provided will include
include data that will not be subject to such treatment and, however, always
According to the AEPD, you are not informed of the processing of other data that will be the object of the
same.
Based on the foregoing, and according to the criteria of the AEPD, it is concluded that the
consent given for profiling purposes is not properly
reported, so this would not be valid.
In this regard, it is necessary to take into account two factors: first, the
fact that the categories of data being processed are not among the
minimum information described in article 13 of the RGPD so that the consent
be informed; secondly, and despite not being mandatory to report it, the
The information provided does allow interested parties to know the data that will be
treat for profiling. Next, both will be developed in greater depth.
listed factors.
Regarding the obligation to inform about the type of data object of
treatment, it should be noted that neither article 13 RGPD, nor the corresponding
Article 11 of the LOPDGDD, require that interested parties be provided with this information on
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 36/133
mandatory form; Yes, it is required under article 14 RGPD when the data is not
obtained directly from the interested party, but this is not the case analyzed by the AEPD.
Additionally, in the RGPD itself, by establishing in its recital 42 the
information that the interested party must know for consent to be
informed, it is determined that at least he must know the identity of the
responsible for the treatment and the purposes of the treatment for which they are intended
Personal information.
Notwithstanding the foregoing, CPC decided to provide interested parties with information
additional regarding the processing of your personal data. Thus, in addition to
the minimum information established by article 13 RGPD, it was reported the
categories of personal data being processed for the purpose of analysis and
data study.
Regarding said information provided, the AEPD considers that it is insufficient,
erroneously stating that CPC does not report the consultation to solvency files and
to the Central Bank of Risk Information of the Bank of Spain or the “Risk Score”. Is not
It is true that such uses of the data are not reported, and we understand that this
claim is due to the lack of analysis of the information provided in your
set to stakeholders.
The AEPD limits the information provided to interested parties in relation to the
personal data object of treatment to the following:
The data that will be processed for the purposes of (i) data analysis and study, and (ii)
for the commercial offer of products and services will be:
a) All those provided in the establishment or maintenance of relationships
commercial or business.
b) All those generated in the contracting and operations of products and services
with CaixaBank Payments & Consumer, with the CaixaBank Group companies or with
third parties, such as, account or card movements, receipt details
direct debits, payroll direct debits, claims derived from insurance policies,
claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the Group
CaixaBank obtain from the provision of services to third parties, when the service has
as a recipient to the Holder, such as the management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder as recorded in the records of
this, or of the entities that according to the regulations of the market of
values must keep records of the values represented by means of
book entries.
e) Those obtained from the social networks that the Owner authorizes to consult.
f) Those obtained from third parties as a result of requests for aggregation of
data requested by the Owner.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 37/133
g) Those obtained from the Owner's navigations through the service of the website of
CaixaBank Payments & Consumer and other websites of this and / or the Group companies
CaixaBank or mobile phone application of CaixaBank Payments & Consumer and / or of
the companies of the CaixaBank Group, in which it operates, duly identified. These
Data may include information regarding geolocation.
h) Those obtained from chats, walls, videoconferences or any other means of
communication established between the parties.
The data of the Holder may be complemented and enriched by data obtained
of companies that provide commercial information, based on data obtained from sources
public, as well as by statistical, socioeconomic data (hereinafter, "Information
Additional ”) always verifying that they meet the requirements established in
current regulations on data protection.
The previous fragment, transcribed in the Initiation Agreement, is part of the conditional
general that is provided to the interested party in the framework of the contracting of a product and in
the one that is informed of the provisions of article 13 of the RGPD. However, the AEPD, by
assess the information provided to interested parties regarding the typology of
data object of treatment, has not taken into account the rest of the general conditions.
Specifically, the transcribed fragment corresponds to point 26.4. (ii) of
general conditioned. In this sense, it is indicated as a typology of data processed for
the purpose of data analysis and study, “All those provided in the establishment or
maintenance of commercial or business relationships ”(underlined excerpt in the
fragment transcript herein).
It could only be considered that not enough information is provided regarding
to the categories of personal data being processed if provided
exclusively this fragment of text to those interested, but it adds more
information.
In section 26.3 of the general conditions (prior to 26.4.ii transcribed in the Agreement
Start) specifies in greater detail what data will be processed for the establishment
o maintenance of commercial relations:
“Payments & Consumer and, where appropriate, the CaixaBank Group companies, is
obliged by different regulations and agreements to carry out certain treatments of
data of the people with whom it maintains Business Relationships, as indicated
in the following sections of this clause (hereinafter, “Treatments with
Regulatory Purposes ”). These treatments are necessary for the establishment
and maintenance of Commercial Relations with CaixaBank Payments &
Consumer and / or with the companies of the CaixaBank Group, and the Holder's opposition to the
themselves would necessarily entail the cessation (or non-establishment, where appropriate) of
these relationships. In any case, Treatments for Regulatory Purposes are
shall be limited exclusively to the stated purpose, without prejudice to other purposes or
uses that the Holder authorizes according to the provisions of clause 26.4. of the present
document"
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 38/133
Thus, in the transcribed fragment it is indicated that, due to the need to comply with
specific regulations applicable to CPCs, the establishment and maintenance of
commercial relationships with CPC will require specific data processing that is
will be finalized later. In addition, in the same fragment it is indicated that said
treatments will be limited to regulatory purposes, without prejudice to the fact that, in the case
authorized by the interested party, they can also be used for other purposes.
Regarding the categories of data that according to the AEPD are not included in the
information provided to data subjects in relation to the categories of data
object of treatment, these are effectively included in points 26.3.3 and 26.3.4
of the general conditioning.
In this way, in point 26.3.3 it is reported about the query to files of
credit information (among which are those necessary to obtain the “Risk
Score ”, as will be explained later):
26.3.3 Communication with credit information systems.
The Holder is informed that CaixaBank Payments & Consumer, in the study of the
establishment of Commercial Relations, you can consult information on
credit information systems. Likewise, in the event of non-payment of any of the
Obligations derived from Commercial Relations, data related to non-payment
may be communicated to these systems.
And, in point 26.3.4, it is reported about the query to the Information Center of
Risks of the Bank of Spain:
26.3.4. Communication of data to the Risk Information Center of the Bank of
Spain
The Holder of the right who assists CaixaBank Payments & Consumer is informed to
Obtain reports from the Bank of Spain's Risk Information Center (CIR)
on the risks that could be registered in the study of the establishment of
Business relationships. […]
Therefore, it is not true that, as the AEPD considers, information is not provided
Enough about the data to be processed for profiling. Information
provided to the interested parties should be analyzed as a whole and not only
fragments of it.
iv. It is not true that data on solvency files are processed for the purposes of
profiling for credit rating purposes without legal basis for processing
The Initiation Agreement refers to the provisions of the third section of article 20
of the LOPDGDD to determine that the treatment carried out by CPC of data
works in solvency files for profiling purposes for rating purposes
Credit is done without legal basis for the treatment.
This part understands that the reference to the third section of the aforementioned article is
It is due to an error since this refers to the treatment carried out by the entity
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 39/133
to maintain the credit information system, and as it was specified in the
response to the Request for information dated June 2, 2020 between the
activities carried out by CPC are missing systems maintenance
credit information.
Therefore, the reference to the third section of article 20 of the LOPDGDD does not
it would be adequate in the present case.
Notwithstanding the foregoing, this part can answer the possible question that
can do the AEPD about what is the legitimizing basis for processing data
works in solvency files for profiling purposes for rating purposes
credit.
In this sense, as stated in the response to the Request for information
Prior to the Initiation Agreement, CPC can perform treatments focused on analyzing the
capacity of repayment or risk of non-payment of the interested party based on two bases
legal processing, depending on the factual event in question:
- Exclusively compliance with legal obligations applicable to CPC: It would be the
case (i) of the analysis of the repayment capacity or risk of non-payment of a
interested in their request for a product, and (ii) the analysis of the capacity of
return or risk of non-payment in the management of credit risk granted to clients.
In these cases, CPC performs an assessment of the ability to return or
solvency of the interested party in compliance with the Prudential and Solvency Regulations and
of Responsible Loan, as stated in the response to the Request for
information and in this Brief.
- Consent of the interested party: It would be the case of the treatments carried out on the basis of
to the consent of the interested party for the analysis and study of data with the
commercial. The purpose of these treatments is to offer interested parties products
and services tailored to your needs (including the possible allocation of limits
of pre-granted credit), selecting the target audience before carrying out a
certain business impact.
However, it is necessary to take into account, as previously stated in the
this writing, the nature of the products and services marketed by CPC,
as well as the regulatory implications that this entails.
The fact that certain treatments are carried out based on the consent of the
interested party does not exclude that CPC must comply with the legal obligations associated with
said treatments. In the case of the preparation of commercial offers adapted to the
profile of the interested parties CPC must comply with the established legal obligations
in the Prudential and Solvency Regulations and Responsible Lending since the
Products marketed are credit accounts and loans.
In this way and taking into account that in the realization of a personalized offer
to a client it is binding on CPC (in the sense that, if the client
accepts the offer, the services will be provided in the terms previously indicated by
CPC), CPC has the obligation to, prior to making the offer,
assess the ability to return and solvency of the interested party. Otherwise, CPC
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 40/133
would be in breach of the Prudential and Solvency and Loan Regulations
Responsable.
Therefore, even when the treatment is carried out based on the consent of the
interested party, CPC must comply with the legal obligations established in the Regulations
Prudential and Solvency and Responsible Loan; therefore, when performing a
personalized offer to an interested party, CPC must assess their ability to return
and solvency, consulting the data contained in information systems
credit.
v. It is not true that the interested party is not informed about the profiling operation
relative to the "Risk Score"
It is stated in the Initiation Agreement that CPC does not adequately inform the
interested parties about the treatment related to obtaining the data called
"Risk Score", considering that obtaining said data constitutes an operation of
independent data profiling and should therefore also be reported in an independent way
specific.
(…). When informing interested parties about the processing of their data, it is not mentioned
obtaining this specific data since, although it is obtained with the
intervention of a processor, does not differ from simple analysis and
data study carried out for both regulatory purposes and with
commercial purposes.
In this sense and in terms of the legal basis that allows its realization, it is the same
than in the rest of the cases, that is, when it is carried out to carry out the
assessment of the ability to return or solvency of the interested party exclusively
within the framework of your request for a product or credit management granted to
clients, the legal basis is compliance with legal obligations applicable to CPC.
On the other hand, when it is carried out for commercial purposes, the legal basis of the
treatment will be the consent of the interested party, taking into account that to carry out
carry out the treatment of analysis and study of data for commercial purposes will be
It is also necessary to observe the prudential and solvency regulations.
As for the data used to obtain the "Risk Score", it is the data
in credit information systems.
Therefore, the interested parties are duly informed about the treatment
carried out to obtain the “Risk Score”, by integrating said transaction of
treatment within the analysis and study of data carried out for both
regulatory and commercial purposes.
According to each of the points previously exposed, it can be concluded that
effectively the consent given for the profiling purposes analyzed
complies with the requirement of separation of purposes and provision of consent
for each of them, in addition to being duly informed, so this is
valid.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 41/133
NINTH: In accordance with the provisions of article 77 of the LPACAP, on the date
June 22, 2021, it is agreed to open a test practice period,
Considering that the claim filed is reproduced for evidentiary purposes, the
documentation corresponding to the transfer of the claim to the claimed entity,
the appeal for reconsideration presented by the complaining party, as well as the
documentation in the investigation file E / 10053/2019. Also,
considers reproduced for evidentiary purposes, the allegations to the initiation agreement
PS / 00500/2020 presented by CAIXABANK PAYMENTS & CONSUMER EFC, EP,
S.A.U. It is agreed to incorporate into the file the privacy policy that appears in the
website of the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
On the other hand, it is agreed to require said entity to provide the information and
following documentation within 10 business days:
Date of implementation of the new privacy policy and period during the
that the previous one was in force.
Copy of the co-responsibility agreement referred to in the new
privacy policy and in the allegations to the initiation agreement presented.
Documents in which information is provided to clients to obtain
of the consent to carry out treatments for commercial purposes,
such as, by way of example, the so-called “general conditions” and, if they have been
subject to modifications, date on which these were produced.
Contract made with the entity *** COMPANY.3 for the risk activity
score.
Caixabank group business volume in 2020.
By means of diligence of July 2, 2021, a capture of
screen with the privacy policy of CAIXABANK PAYMENTS & CONSUMER
EFC, EP, S.A.U. listed on their website. The following is reproduced
indicated in points 5 and 6.1 of said policy:
"5. Data categories
At CaixaBank Payments & Consumer we will process different personal data in order to
manage the Contractual Relationships that you establish with us, to carry out the rest of
the data processing that derives from your status as a client and, if you have given us your
consent, to also carry out the processing of your data for the activities that are
detailed in section 6.1.
To facilitate your understanding, we have arranged the data that we process in the categories that
detailed below.
Not all the categories of data that we detail are used for all the treatments of
data. In section 6, where we detail the data processing we carry out, you
You will be able to consult specifically for each specific treatment the categories of data that are
use, thus having the necessary information that allows you to exercise, if you wish, your
rights recognized by the RGPD, especially those of opposition and revocation of the
consent.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 42/133
The categories of data used by the different treatments set out in section 6 are
the following:
> Data that you have provided us when registering your contracts or during your relationship with
us. These data are:
identification and contact data: your identification document, name and surname,
gender, postal, telephone and electronic contact information, residence address,
nationality and date of birth, and language of communication.
Socio-economic data: detail of professional or work activity, income or
remuneration, family unit or circle, educational level, assets, tax data and
tax data.
financial data: products and services contracted, relationship with the product
(condition of owner, authorized or representative), MiFID category.
biometric data: facial pattern, voice biometrics or fingerprint pattern.
> Data observed in the maintenance of products and services. These data are:
financial data: the information of the notes and movements made in
current accounts, including the type of operation, the issuer, the amount, and the concept,
information on investments made and their evolution, information on
financing, statements of operations with debit and credit cards, products
contracted and payment history.
It is important that you know that we will not process data observed in the maintenance of
products and services that may contain information that reveals their origin
ethnic or racial, your political views, your religious or philosophical convictions, your
union membership, the processing of genetic data, biometric data aimed at
uniquely identify you, data related to your health or data related to your life
or sexual orientation ("Sensitive Data").
whether or not you are a CaixaBank shareholder.
digital data: the data obtained from the communications that we have established
between you and us in chats, walls, videoconferences, phone calls or
equivalent means and the data obtained from your browsing through our pages
web or mobile applications and the navigation you perform on them (device ID,
Advertising ID, IP address and browsing history), if you have accepted
the use of cookies and similar technologies on your browsing devices.
geographic data: the geolocation data of your mobile device provided
for the installation and / or use of our mobile applications, when there is one
authorized in the configuration of the application itself.
> Data inferred or deduced by CaixaBank Payments & Consumer from the analysis and
treatment of the rest of the data categories. These data are:
Clusters of clients into categories and segments based on their age, assets
and estimated income, operations, consumption habits, preferences or propensities to
product contracting, demographics and relationship with other customers or categorization
according to the regulations on Markets in Financial Instruments (“MiFID”).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 43/133
scoring scores that assign probabilities of payment or non-payment or limits of
risk.
> Data that you have not provided us directly, obtained from sources accessible to the
public, public records or external sources. These data are:
financial and credit solvency data obtained from the Asnef and Badexcug files.
data on risks maintained in the financial system obtained from the database
of the Central Bank of Risk Information of the Bank of Spain (CIRBE).
data of persons or entities that are included in laws, regulations, guidelines,
resolutions, programs or restrictive measures regarding economic sanctions-
financial institutions imposed by the United Nations, the European Union, the
Kingdom of Spain, United Kingdom and / or the U. S. Department of the Treasury’s Office of
Foreign Assets Control (OFAC).
cadastral or statistical data obtained from companies that facilitate studies
Socioeconomic and demographic statistics associated with geographic areas or codes
postcards, not to specific people.
digital data obtained from your browsing through third-party web pages (ID
device, advertising ID, IP address, browsing history), if there is
Accepted the use of cookies and similar technologies on your browsing devices.
data from social networks or the internet, that you have made public or that authorize us to
Consult."
In point 6 of said privacy policy under the title "What treatments
we carry out with your data ”, the following is stated:
"The treatments that we will carry out with your data are diverse, and respond to
different purposes and legal bases:
> Treatments based on consent
> Necessary treatments for the execution of the Contractual Relations
> Necessary treatments to comply with regulatory obligations
> Treatments based on the legitimate interest of CaixaBank Payments & Consumer "
Section 6.1 of said privacy policy contemplates the following treatments
based on consent:
A. Analysis of your data for the elaboration of profiles that help us to
offer you products that we think may interest you
B. Commercial offer of products and services through the selected channels.
C. Transfer of data to companies that are not part of the CaixaBank Group
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 44/133
D. Identification of clients and signature of documentation through the use of biometrics.
In point 6.1 of the aforementioned privacy policy, the following is stated:
"TREATMENTS BASED ON CONSENT.
These treatments are legally based on your consent, as established in art.
6.1.a) of the RGPD.
We may have requested that consent through different channels, for example, to
through our electronic channels or in any of the CaixaBank Group companies. Yes
For any reason, we have never asked for your consent, these
treatments will not be applied to you.
You can check the authorizations that you have consented to or denied us, and
modify your decision at any time and free of charge on the CaixaBank website
Payments & Consumer (www.caixabankpc.com) and in each of the companies in the
CaixaBank Group, or in your private area of the CaixaBank website or mobile applications
Payments & Consumer and at the CaixaBank offices.
The treatments based on your consent are indicated below ordered from (A)
to (D). We will indicate for each one of them: the description of the purpose (Purpose), if they are or
no treatments carried out under a co-responsibility regime with other companies of the Group
CaixaBank (Joint Controllers / Data Controller), and the categories of data
used (Categories of processed data).
A. Analysis of your data for the elaboration of profiles that help us to offer you
products that we think may interest you.
Purpose: The purpose of this data processing is to use the categories of data that
We indicate below, to develop profiles that allow us to identify you with segments
of customers with similar characteristics to yours and suggest products and services that
we believe that they may interest you, as well as establishing the periodicity with which we
we interact with you.
Through this treatment we will analyze your data to try to deduce your preferences or
needs and thus be able to make commercial offers that we believe may have more
interest than generic offers.
When the offers that we want to transmit to you consist of products that involve the payment of
installments or financing, we will carry out a pre-assessment of solvency to calculate the limit of
adequate credit to be offered, in accordance with the principles of responsibility in the offer of
financing products required by the Bank of Spain.
It is important that you know that this treatment, including the pre-assessment of solvency in the
products with risk, is limited to the indicated purpose of suggesting products and services that
we believe that you may be interested, and it is not used, in any case, to deny any
product or service or credit limit.
You always have at your disposal our complete catalog of products and services, and
This treatment does not prejudge, limit or condition your access to them, which, in the event that
You request them, they will be evaluated with you in accordance with the ordinary procedures of CaixaBank
Payments & Consumer.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 45/133
We will only carry out this treatment of your data if you have given us your consent
for it. Your consent will remain in effect as long as you do not withdraw it.
If you cancel all your products or services with the CaixaBank Group companies, but forget
withdraw your consent, we will do it automatically.
Categories of data processed: The categories of data that we will process for this purpose, whose
content is detailed in section 5, they are:
> data that you have provided us
> data observed in the maintenance of products and services, with the exception of data
sensitive
> data inferred or deduced by CaixaBank Payments & Consumer.
> data that you have not provided us directly.
Co-responsible for the treatment: The treatment of your data of the indicated categories, with
the purpose of analysis for the elaboration of profiles that help us to offer you products
that we think may interest you, are carried out under a co-responsibility regime by the
following companies of the CaixaBank Group:
> CaixaBank, S.A.
> CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
> CaixaBank Electronic Money, EDE, S.L.
> VidaCaixa, S.A.U., insurance and reinsurance
> Nuevo Micro Bank, S.A.U.
> CaixaBank Equipment Finance, S.A.U.
> Promo Caixa, S.A.U.
> Comercia Global Payments, E.P. S.L.
> Buildingcenter, S.A.U.
> Imagintech S.A.
You will find the list of companies that process your data, as well as the essential aspects of
the joint responsibility treatment agreements at: www.caixabank.es/empresasgrupo. "
Accessing from said link, the following text can be read:
“In order to carry out the treatments indicated below, CaixaBank and
The CaixaBank Group companies will process your data jointly, deciding in a manner
brings together the objectives (“what the data is used for”) and the means used (“how it is used
the data ”) being, therefore, jointly responsible for these treatments (Entities
Co-responsible).
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 46/133
The treatments for which CaixaBank and the CaixaBank Group companies will process
together their data are the following (you can see the detail of the companies of the Group
Caixabank that make up the perimeter of each of the treatments carried out in
co-responsibility by clicking on each of the following links):
Carry out the commercial activities of: (i) analysis of your personal data for the
profiling to help us offer you products that we think may be
interest you; (ii) commercial offer of products and services through the selected channels, and
(iii) transfer of data to companies that are not part of the CaixaBank Group;
Comply with the following regulations applicable to Group companies
CaixaBank: (i) the regulations on the prevention of money laundering and financing of
terrorism; (ii) regulations on tax matters; (iii) the obligations derived from the
policies of sanctions and international financial countermeasures, as well as (iv) the
obligations to grant and manage credit operations and the consultation and
communication of risks to the Risk Information Center of the Bank of Spain
(CIRBE).
Carry out the analysis of the solvency and repayment capacity of the applicants
of products that involve financing.
In accordance with the provisions of the applicable regulations, the Co-Responsible Entities have
signed a co-responsibility agreement for certain treatments, the elements of which
essential are the following:
(i) That, for certain treatments identified in the Privacy Policy, the
Co-Responsible Entities will act in a coordinated or joint manner.
(ii) That they have proceeded to determine the security, technical and organizational measures,
appropriate to ensure a level of security appropriate to the risk inherent to the
processing of personal data object of co-responsibility.
(iii) That they have a single window mechanism for the exercise of the rights of the
interested parties, assuming the commitment of the duty of collaboration and assistance in those
cases in which it is appropriate.
(iv) That they comply with the obligation to respect the duty of secrecy and keep the due
confidentiality of personal data that is processed in the framework of the activities of
Informed data processing.
(v) Regardless of the terms of the joint responsibility agreement, the interested parties
may exercise their rights regarding data protection against each of the
responsible."
TENTH: In response to what is requested by CAIXABANK PAYMENTS & CONSUMER
EFC, EP, S.A.U, the period granted to provide documentation was extended by five
business days.
On July 12, 2021, a written response to the opening of the period was received
practice test, which indicates that the date of publication of the new
privacy policy is from January 18, 2021 and that said privacy policy
replaces the previous one, which had been in force from July 21, 2019 until
January 17, 2021.
28001 - Madrid 6 sedeagpd.gob.es 47/133
Said letter also states the following:
“Attached as an Annex to this document is the joint responsibility agreement to which
referenced in the aforementioned privacy policy, as well as in the allegations to
Initiation agreement presented, previously provided during the Procedure
Sanctioner PS / 00477/2019 to CAIXABANK, S.A. hereinafter, the "Penalty Procedure
to CAIXABANK ”), and whose essential aspects are published in
https://www.caixabank.es/particular/general/tratamiento -de-datosempresas-del-grupo.html.
The aforementioned co-responsibility agreement defines the purposes and means of the
treatments, as well as the basic rules to be observed by all the companies that make up
these treatments in co-responsibility, and duly reflects the existing agreement regarding
to the respective responsibilities in terms of data protection referred to in the
Article 26 of the General Data Protection Regulation (EU) 2016/679; it's found
pending signature pending the resolution of the request for the application of measures
precautionary measures related to the Sanctioning Procedure against CAIXABANK, which could
imply the modification of its content. "
Regarding the information provided to the interested parties to obtain their
consent, it is stated that “the information
provided for the performance of treatments for commercial purposes, previously provided
in the response to the Request for information received on February 6, 2020 (in
hereinafter, the "Information Request").
Although they have been foreseen, no modifications have yet been made to the aforementioned
information from your contribution in the response to the Request for information, pending
of the resolution of the request for the application of precautionary measures related to the
Sanctioning Procedure to CAIXABANK, which could affect the modifications of the
mentioned documentation, planned at this time.
This Annex also includes the information provided to interested parties for the
obtaining your consent to carry out treatments for commercial purposes,
when consent is collected from the banking channel (CAIXABANK). This
documentation, previously provided in the course of the Penalty Procedure to
CAIXABANK, was modified in March 2021, within the framework of the aforementioned actions
aimed at the implementation of the new privacy policy.
In relation to the contract with the entity *** EMPRESA.3, it is attached as annex III, “the contract
of services carried out with the entity *** EMPRESA.3, previously provided in the response to the
already mentioned Information request. Likewise, it is reported that the aforementioned
contract has not undergone modifications since its contribution to the Spanish Protection Agency
of data.
Finally, regarding the volume of business of the Group or CAIXABANK it is indicated that “as of December 31,
December 2020 is estimated at twelve thousand one hundred seventy-two million euros. Bliss
Information is extracted from pages 248 and 249 (“Annex 6 - Annual bank information”) of the
Consolidated Annual Accounts of the CaixaBank Group, available at
https://www.caixabank.com/deployedfiles/caixabank_com/Estaticos/PDFs/Accionistasinversore
s / In formacion_General / Consolidated_Annual_Accounts_CBK_2020_EN.pd "
Provides as annex II the following documents:
GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT, in
whose heading appears the entity CaixaBank Payments & Consumer and the date
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 48/133
April 10, 2020. The content of said document coincides with the one sent after
the requirement of the Data Inspection carried out on February 6, 2020 as
Annex 12.
This document is structured in various sections, of which number 26
contemplates in different sections various aspects of data processing
such as the different treatments according to their basis of legitimation, the exercise of
rights on the part of the interested parties or the period of conservation of the data
among other issues. Thus, section 26.1 refers to the Treatments of
personal data in order to manage the Relationships
Commercial; section 26.3 to the processing of personal data with
regulatory purposes, this section in turn is divided into various subsections
such as those related to Treatments for the adoption of diligence measures
due in the prevention of money laundering and financing of the
terrorism (26.3.1), treatment for compliance with the management policy of
International financial sanctions and countermeasures (26.3.2), communication with
credit information systems (26.3.3.), communication of data to the Central
Risk Information of the Bank of Spain (26.3.4), etc. Section 26.4 is
refers to the Processing and transfer of data for commercial purposes by CaixaBank
and the CaixaBank Group companies based on consent. The section
26.1 and 26.4 are transcribed in the fifth factual antecedent of the
present motion for a resolution.
Framework Agreement whose heading appears CaixaBank, and in which section 4.1 is
indicates that “the person responsible for the processing of your personal data in
contractual and business relationships is CaixaBank, S.A., with NIF A08663619 and
Address at calle Pintor Sorolla, 2-4 Valencia. " Adding the following:
"Co-responsible for treatment: In addition, for certain treatments that are
report in detail in the aforementioned policy, CaixaBank and the companies of the Group
CaixaBank will jointly process your data, jointly deciding the
objectives (“what the data is used for”) and the means used (“how data are used
data ”) being, therefore, jointly responsible for these treatments. The treatments
for which CaixaBank and the CaixaBank Group companies will treat
together their data are the following:> carry out commercial activities
of: (i) analysis of your personal data for the elaboration of profiles that we
help to offer you products that we think you may be interested in; (ii) offer
commercial products and services through the selected channels, and (iii) assignment of
data to companies that are not part of the CaixaBank Group; (…)
You will find the list of companies that process your data, as well as the aspects
essential of the treatment agreements in co-responsibility in:
www.caixabank.es/empresasgrupo. "
On the point. 4.5 of this document, entitled “What treatments do we carry out with your
data ”, he points out regarding the treatments based on consent, the
following purposes:
- Analysis of your data for the elaboration of profiles that help us to offer you
products that we think may interest you.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 49/133
- Make our commercial offer of products and services available to you through
selected channels.
- Transfer of data to companies that are not part of the CaixaBank Group to
that they make commercial offers of products they sell.
- Identification of clients and signature of documentation through the use of biometrics.
- Application of personal conditions in jointly owned contracts.
This document is not dated. In the information provided in the
writing sent to this Agency, it is stated that “This Annex also includes
the information provided to the interested parties to obtain their
consent to carry out treatments for commercial purposes, when
consent is collected from the banking channel (CAIXABANK). This
documentation, previously provided in the course of the Procedure
Sanctioning CAIXABANK, was modified in March 2021, within the framework of the
mentioned actions aimed at the implementation of the new policy of
Privacy."
Screenshots in which the consent of the clients is requested.
- A screenshot on the prescribing channel, which exactly matches
the one described for said channel in point 5 of the fifth antecedent of the present
motion for resolution.
- Screen capture of new client office (face-to-face onboarding, in the
which states the following: “delivers the tablet to the client so that he can fill out
himself the consents ”and screenshots added to the new client Portal
Web (digital onboarding). In both modalities, information is provided
basic for the client on the processing of personal data indicating that the
responsible for the treatment is: “Caixabank, with NIF A08663619 and address at
Pintor Sorolla street, 2-4 Valencia. Co-responsible for the treatment “For
certain activities Caixabank, S.A. and the Group companies
Caixabank will process your data together. You will find the list of
companies that process your data, as well as the essential aspects of the
treatment agreements in co-responsibility in
www.caixabank.es/empresasgrupo. "
Regarding consents, it is indicated in both modalities that
“You authorize the companies of the CaixaBank group to:
Analyze your data to create profiles to help us offer you
products that we think may interest you. If we have your consent,
we will configure or design an offer of adjusted products and services
to your characteristics as a client, by analyzing your data and
profiling with your information. "
Here are two boxes in which you can check yes or no. On
other sections consent is requested to communicate the commercial offer
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 50/133
of products and services through the channels that are selected and to transfer the data
to companies that are not part of the Caixabank Group with which they have
agreements.
Regarding the analysis treatments for profiling, it is provided
also in both modalities the following information: "These treatments
have your consent as a legal basis, as established in article
6.1.a of the General Data Protection Regulation. " It is reiterated to
below the information offered in the privacy policy related to this
type of treatments regarding the purpose, categories of data processed and
joint controllers of the treatment. However, when it comes to data
treaties indicates: "the categories of data that we will treat for this purpose
The content of which is detailed in section 5 of our Privacy Policy.
Privacy (www.Caixabank.es/privacy policy) are: data that you give us
will have provided, data observed in the maintenance of the products and
services with the exception of sensitive data, data inferred or deduced by
Caixabank, data that you have not provided us directly. " Not listed in
none of the screens describe this data.
Co-responsibility agreement. This agreement is not dated or signed. The
number 6 regarding its duration indicates that “This Agreement shall enter into force
on the date of its signature and will remain in force indefinitely, without prejudice to
the revision and necessary modifications of its terms and content for its
adaptation, where appropriate, to current regulations that are applicable in each
moment..."
This agreement contains the following definition: “Co-responsible for the Treatment or
Co-responsible: Means those responsible who jointly determine the
objectives, purposes and means of the Treatment detailed in Annex 1. "
In the aforementioned annex it mentions the following treatments object of
co-responsibility regarding “commercial activities”:
a) analysis of personal data for the elaboration of profiles that help us to
offer products that we believe may be of interest to the customer
Purpose: The purpose of this data processing is to use the categories of data
indicated in the CaixaBank Privacy Policy
(www.caixabank.com/politicaprivacidad) to create profiles that allow
Co-responsible identify the customer with customer segments of similar
characteristics to be able to offer you products and services that may interest you, as well
as, to establish the periodicity with which the Joint Controllers relate
with the.
Legitimating base: The legitimizing base of this treatment is consent
granted by the interested parties.
b) Commercial offer of products and services through the selected channels.
Purpose: The purpose of this data processing is to make available to the client
communications of commercial offers related to products and services of its own or of
third parties marketed by CaixaBank and / or the CaixaBank Group entities. Are
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 51/133
Communications will only be sent to the client through the channels that previously
he has authorized us by giving his consent.
Legitimating base: The legitimizing base of this treatment is consent
granted by the interested parties.
c) transfer of data to entities that are not part of the CaixaBank Group Purpose: The
The purpose of this treatment is to transfer the data of the interested parties to entities that do not
are part of the CaixaBank Group with which the Joint Controllers have agreements,
with the purpose that they make them commercial offers of the products that
they market.
Legitimating base: The legitimizing base of this treatment is consent
granted by the interested parties. "
Then list the co-managers who would be the following:
CAIXABANK, S.A
CAIXABANK PAYMENTS & CONSUMER, E.F.C., E.P., S.A.U.
CAIXABANK ELECTRONIC MONEY, EDE, S.L
VIDACAIXA, S.A.U., DE SEGUROS Y REINSUROS
NUEVO MICRO BANK, S.A.U
CAIXABANK EQUIPMENT FINANCE, S.A.U
PROMO CAIXA, S.A.U.
COMERCIA GLOBAL PAYMENTS, E.P. S.L.
BUILDINGCENTER, S.A.U.
IMAGINTECH, S.A.
In successive annexes other treatments object of co-responsibility are contemplated,
whose legitimizing basis is in the fulfillment of legal obligations or the
execution of contractual relationships.
Contract signed with the entity *** COMPANY.3 for the risk activity
score. As indicated in said contract, dated June 2, 2020,
the contract signed on May 2, 2017 has been renewed,
expanded in turn on May 2, 2019 to incorporate the
services that are outlined in Annex I (not attached). They are parts
in said contract CAIXABANK and CAIXABANK PAYMENTS &
CONSUMER and the entities (…) designating the latter two
jointly as a SUPPLIER. This document contains two
clauses:
The first clause of said contract relating to the modifying novation does not
extinction of clause 15 of the contract, replaces the aforementioned clause with effect
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 52/133
retroactive to May 25, 2018, with new elements related to the person in charge
treatment, in order to adapt the risk score services to the obligations
regulations contained in the LOPDGDD and the RGPD
In the second of the clauses, it is agreed to incorporate annex I (annex of
services) a clause relating to specific aspects of the data processing of
personal nature of the risk score service. Said clause refers to the
description of the treatment, indicating that for the sole purposes of providing the
CAIXABANK AND CAIXABANK PAYMENTS & CONSUMER “risk score” service
make the following information available to the provider "(...)." They are drawn to
then the following treatments by the provider: exploitation,
consultation and destruction; the type of data (DNI (NIE / Passport) and categories
of affected stakeholders (clients, non-client participants). Refering to
purpose of the treatment it is indicated that the provider will use the data of character
personal object of treatment solely and exclusively for the fulfillment of the
ANNEX I, not being able to use them, in any case, for their own purposes. Annex I does not
Attached.
ELEVENTH: On 08/06/2021, a resolution proposal was issued in the
following sense:
FIRST: That the Director of the Spanish Data Protection Agency
sanction CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U., with NIF
A08980153, for a violation of Article 6.1 of the RGPD, typified in Article 83.5
of the RGPD, and classified as very serious for the purposes of prescription in article 73 of
the LOPDGDD, with a fine of 3,000,000 euros (three million
euros.
SECOND: That the Director of the Spanish Agency for Data Protection
proceed to impose on the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP,
S.A.U within the period to be determined, the adoption of the necessary measures to
adapt procedures to personal data protection regulations
through which it collects its clients' consent to create profiles with
commercial purposes, with the scope expressed in Law Foundation VII.
TWELFTH: Notified to the entity CAIXABANK PAYMENTS & CONSUMER
EFC, EP, S.A.U the aforementioned resolution proposal, dated 08/13/2021 was entered
in this Agency writing in which an extension of the term was requested to formulate
allegations. Once the extension of the term was granted, on 09/03/2021 it entered into
this Agency written allegations, in which the cancellation of the
initiation agreement, alternatively the file of the proceedings and alternatively,
in the event that you are considered responsible for the infractions of article 6 of the
RGPD, that the warning is agreed or, failing that, that the amount is imposed
of the corresponding sanction in its minimum degree. It also requests again that
In any case, the consents obtained are not declared null and, if it were the
case, the AEPD orders the measures that in its opinion may be
adequate to improve compliance with data protection regulations.
Declares reproduced in their entirety their allegations to the initiation agreement and formulates the
considerations, also divided into two groups, which are briefly exposed to
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 53/133
continuation:
A) IN RELATION TO THE NULLITY OF THE ACTIONS
CPC alleges that it cannot share that the connection between the claim initially
inadmissible for processing and the Agreement to Initiate this Penalty Procedure is
support in "the request for information about the claimant to a solvency file
patrimonial without your consent and the subsequent offer of a financial product, which
assumes that the data of said person has been used improperly to carry
carried out a profiling on the basis of which said product was offered '
On the one hand, it is stated that it is "assumed" that profiling has been carried out without
consent, obviating that, as has already been explained in allegations
previous, which are considered reproduced here, once the consent is obtained (for
Therefore, consent is requested), to carry out the customization of the
product offering based on customer data analysis (profiling), exists,
in addition, a legal obligation on the part of CPC not to offer financial products
that may not be suitable according to the profile of the economic and financial capacity of the
potential recipient of the commercial offer; Therefore, before offering them, they must
Verify aspects of solvency of the potential recipients of these products.
For this reason, the profiling referred to in the AEPD, in which, among others, it is used
information on solvency, the use of that type of data specifically would have its
basis of legality in the fulfillment of a legal obligation by the person in charge
of the treatment, although it is framed in a treatment for which previously
has requested the consent of the interested party.
In addition, it affirms that relevant information for the defense has been omitted since in the
initiation agreement, no reference was made to the fact that the interested party filed an appeal
of replacement to the inadmissibility of his claim and this was estimated by the AEPD.
2. Regarding the allegation on the alleged breach of article 55.1
of the LPACAP, in connection with article 53 of the LOPDGDD, whereby CPC
considers that the data inspection would have exceeded the scope of the phase
of previous investigation, indicates that the AEPD recognizes a new error, in this case
It seems to be of "transcription" an error impossible to detect, nor to confirm by this part
in any way, in such a way that the AEPD, highlighting its alleged error,
deactivates a potential cause of nullity of the administrative procedure, thereby
once again the need for information and actions in
the framework of a sanctioning procedure must be characterized by its precision and rigor
in all those circumstances that are relevant.
"The AEPD affirms, in an added justification effort, that as such treatments
of "potential customers" do not exist, since in fact CPC has reported it, not
research actions have been carried out on this type of treatment,
diverting attention from what is relevant, not so much the performances
actually carried out, but rather those that purportedly wanted to be carried out
exceeding the inspection activity of what was ordered by the Director of the
AEPD; Another thing is that, by advancing in the investigative actions, there would have been
had to renounce this objective, since there were no such treatments, which does not diminish
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 54/133
in any degree the excess initially raised. We don't know what
if such treatments had existed, but it is reasonable to think that the
investigation had been carried out outside the scope specified by the Director
of the AEPD.
3. Regarding the alleged violation of the non bis in idem principle, CPC values that the
The same collection of consents for the elaboration of profiles was the subject of
investigation and sanction in the sanctioning procedure against CAIXABANK, S.A,
number PS / 00477/2019, as long as there is identity of subject, fact and foundation, without
that can accept the arguments of the AEPD, valuing as non-existent the
co-responsibility for lack of accreditation of the same, since carrying out a
processing of personal data based on joint responsibility is a decision
own of the entities that want to act as joint controllers, except in those
assumptions in which such a circumstance is predefined in a standard.
He affirms that it generates an extraordinary confusion and insecurity not knowing how to identify
what other instruments of accreditation of joint responsibility agreed between
some of the CaixaBank Group entities for some data processing
personal, for which they have jointly determined ends and means, all
collected in the agreement and policies, should be provided in the opinion of the AEPD, and even more
we are surprised that the burden of proof is reversed on this issue as it should
it will be the AEPD who will provide evidence or proof that there is no
co-responsibility of the treatment object of the Sanctioning Procedure, since
CPC has provided solid and more than sufficient evidence that indeed
there is such co-responsibility.
Article 26 of the RGPD is very clear about it; the existence of co-responsibility
is based on a mutual agreement of two or more data controllers on
their respective responsibilities so that a specific treatment complies with the
Regulation, and this agreement must obey the factual reality of the treatments, in
as to that such managers jointly determine the objectives and means
of the treatment; therefore, we are facing a decision that, in general,
may or may not adopt two or more data controllers, so that such
decision cannot be discretionally questioned by third parties as long as
as long as there is a requirement that such managers have determined
jointly the objectives and the means of treatment, as is the case of the
Treatment object of the Proposal for Resolution.
And the confusion increases when, as an argument to refute the violation of the
principle non bis in idem, the AEPD refers to the fact that in the case of
co-responsibility, that is, it has gone from "not being accredited but, to
judgment of this Agency, its existence is not even admissible in e / present
course ", to assess how it would act if it existed, arguing that
several co-responsible parties could be punished for the same facts
considering that the responsibility does not have to apply to a single subject,
the latter question with which we can agree but which, evidently,
if this is the case, it should have been processed in the same procedure or, at least,
taking into account the responsibility quota when graduating the sanction
corresponding, and therefore calculating the sanction based on such co-responsibility,
question that we are not aware that has been taken into account, or perhaps yes, since the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 55/133
duality of arguments, a priori contradictory used by the AEPD, leads us to not
know if the violation of the non bis in idem principle does not exist because there is no
co-responsibility or because the AEPD has considered that there is co-responsibility and has
chosen to sanction according to the part of the treatment carried out by each
co-responsible; undoubtedly a clearer statement by the AEPD
it would reduce the degree of defenselessness that as a whole generates for CPC the
procedure processed by the AEPD.
4. Regarding the allegation about the arbitrary action of the AEPD in this
procedure, none of the explanations and justifications developed by the AEPD
are convincing, since the discriminatory treatment with respect to
similar procedures, and we cannot admit that the AEPD resorts to an obvious and
simple generic reference to which you have applied the elements established in the article
83 of the RGPD and article 76.2 of the LOPDGDD, explaining that they are listed in the
own motion for a resolution, thus responding to a part of the allegation, without
has entered to assess the examples of specific procedures that CPC transferred in
their allegations to the Initiation Agreement, without giving explanation about "resolutions of
sanctioning procedures of the AEPD in which the person responsible for /
treatment for infringement of article 6 RGPD (vid, PPSS 00235/2019, 00182/2019,
00415/2019) and that, taking into account the condition of a large company and volume of
business, among others, the sanctions are not even close to the economic level of the
proposed sanction contained in this Initiation Agreement, since they are
penalties that have ranged between € 60,000 and € 120,000 "
It alleges that, as evidence of this differential treatment, it will focus on the "Plan of
ex officio inspection on distance contracting in operators of
telecommunications and energy marketers' whose results report was
published by the AEPD on October 29, 2020; available at the following link
https://www.aepd.es/es/prensa-y-comunicacion/notas-deprensa/aepd-publica-
results-audit-contracting-telecommunications-energy.
According to CPC, it is surprising, to say the least, that they opted for the
preventive instrument of audit plans, precisely for the sector
telecommunications.
The Annual Report of the Spanish Data Protection Agency includes a table
prepared by the AEPD in which the 10 areas of activity with the highest
number of claims received in 2019 and their comparison with 2018. The
information on the number of claims included in the aforementioned table of
data, indicates that in both areas of activity the claims represent the
same percentage, each of them 4% of the total claims (for
2019), and, if we take into account the absolute data, the claims in relation to
"Financial entities / creditors", were in 2018 a total of 576, being for the
"Telecommunications" sector in the same period 451 complaints. And, in the case
of 2019, the claims presented were 464 in relation to “Entities
financial / creditors "and 424 for the" Telecommunications "sector, that is, a
incidence of claims practically the same, but surprisingly, in one case there was
chooses to adopt a preventive measure ("Telecommunications"), and in another a measure
punitive ("Financial institutions / creditors"), which results in an obvious treatment
unequal, which is not justified, and which also has not been motivated by the AEPD.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 56/133
Quite the contrary, rightly the Director of the AEPD herself, in statements
public, has come to equate both sectors in terms of claims
received by the Agency, specifically in an interview published by "La Voz de
Galicia ", of February 9, 2020, available at
https://www.lavozdegalicia.es/noticia/sociedad/2020/02/08/mar-espana-habra-
important sanctions-infringe-data-protection / 00031581176394099239215.htm, in
the one that when asked which sectors received the most complaints, the
Director replied that: "There are many complaints from the
telecommunications, not because it is where the data processing is worst, but
because it is one of the sectors where the consumer is most used to
to file claims, and also from financial institutions, therefore, there is still
understands less the unequal treatment of both sectors, for "Telecommunications"
ordering preventive measures, and for the "Financial institutions / creditors'
acting with punitive measures, when in the opinion of the Director of the AEPD they are
equivalent sectors from the perspective of claims on protection of
data received at the Agency.
5. With regard to the alleged violation of the fundamental right to
presumption of innocence, CPC reiterates the allegations made in the initial agreement
of the present sanctioning procedure, adding that “regarding the suggestion
that is made to us in the Proposal for Resolution that the lack of impartiality of the
administrative body alleged by CPC should have been accompanied by a
formal challenge of the Director of the AEPD, the truth is that CPC has already assessed in its
moment that the abstention assumptions of article 23.2 of the Law did not concur
40/2015, and, consequently, it was not proposed to request the challenge suggested in the
Proposal for a Resolution, which does not invalidate that we consider that rationally
there are indications of arbitrariness and defenselessness in that the aforementioned
resolutions of other procedures, including the Resolution Proposal,
seek notoriety and media impact, not said by us, but by the own
Director of the AEPD in the media, that if these are not true
statements, perhaps the Agency should have taken action against such media;
Indeed, the regulation provides for assessed causes of abstention, which allow
formally raise a challenge, but the fact remains that the fact is that
such assumptions do not concur, does not prevent arbitrary actions or defenselessness, or
even of deviation of power, for example, notoriety is sought, especially when the
The mandate of the current Director of the AEPD has ended since last July 27
of 2019. "
6. Regarding the alleged artificial and unlawful extension of the previous actions
reiterates the allegations made to the agreement to initiate the sanctioning procedure
and affirms that the Inception Agreement rests, practically in its entirety, on
elements of charge collected during the phase of previous actions, not complying
with the purpose attributed to them by the legal system, as will be explained further
forward, so that in fact, and not in law, they were carrying out
instructional actions beyond the simple search for evidence to initiate
sanctioning procedure, reaching its expiration date, that is to say, evidently such and
As the instructor mentions in the Resolution Proposal, there was no agreement to
beginning in which such instruction was sustained, therefore, these previous actions being
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 57/133
for its content contrary to law, and in fact precisely of that we complain,
actions were advanced that could not yet be carried out.
It is especially striking in this case, the time elapsed between the
inadmissibility of processing the claim and the request for prior information, this
is, more than a year, without taking into account the aforementioned lack of information regarding the
Appeal for reconsideration of inadmissibility, which was upheld by the AEPD, without having
knowledge of it this part; or the extension of the period of previous actions
of research for a period of 14 months, yes, taking into account the incidence
of the pandemic.
The Supreme Court itself, in its Judgment of May 6, 2015, establishes the following: this Chamber
has declared that the period prior to the initiation agreement «(...) must be
necessarily brief and not to conceal an artificial way of carrying out acts of instruction
and mask and reduce the duration of the subsequent file itself ”(judgment of 6
May 2015, appeal 3438/2012, F. J 29; this is what we mean when
We use the expression of "artificial extension" of the previous actions in which
Investigative acts related to the events were in fact carried out
object of the Proposal for Resolution.
B. IN RELATION TO THE ALLEGED INFRINGEMENT COMMITTED BY CPC
The AEPD affirms that the information that is provided to the interested parties to obtain
consent "is incomplete and insufficient", identifying a series of
deficiencies in the aforementioned information in relation to the treatments whose purpose is
"the offer and design of products and services adjusted to the profile of / client"
Thus, with respect to the processing operation that involves carrying out "in a manner
proactive risk analysis and apply statistical and technical data on
customer segmentation "it is said that it is not indicated (i) what type of profile is going to
be elaborated, (ii) the purpose of profiling.
Regarding "monitoring the products and services contracted",
The AEPD observes the same deficiency, that is, "the purpose or type of
profile to be elaborated "; and regarding the operations to adjust measures
recoveries on defaults and incidents derived from products and services
contracted "initially only appreciates as a deficiency the fact that" it is not indicated
what type of profile is going to be carried out "since the AEPD expressly states that
"the purpose of the profile is indicated '
In relation to the lack of information on the type of profile, we must show our
It is surprising that the AEPD raises such a lack of information since, not even in the
guidelines of the CEPD or in other consulted documents of the AEPD itself,
specific that such information should be provided on the "type of profile", and how
added, it is worth mentioning that it is not defined or specified in these documents what
list or catalog of types or categories of profiles should be used to indicate that
intends to develop a specific "type of profile", nor is it argued that this will serve for the
interested party has information that is relevant to decide to authorize, or
no, the treatment.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 58/133
It is clear that all the profiles that can be developed in the context of the relationship
of a client with a bank or financial entity will be related to that
exercise. Therefore, there are no different "types of profile" to elaborate since they are all
related to the relationship established between the entity and the client; maybe the
AEPD, when referring to 'type of profile' (we insist that it is an unused concept
in the CEPD guidelines and not in the AEPD documents), you want to refer
to the "type of evaluation or judgment about a person", which in any case leads us to
this assumption to the same answer, will be a profile derived from the relationship between the
entity and the interested party. Different would be the case of a company whose main activity
is to elaborate profiles, where perhaps a distinction of types of profiles would be accommodated,
but this is not the case of CPC, whose main activities derive from its object
social, not being part of it the elaboration of profiles as an activity
general or main but rather instrumental and accessory in the framework of their
business activities.
In the Guidelines on Transparency under Regulation (EU) 2016/679 (W P
260 rev. 01), when the information to be provided on the
Profiling refers to the provisions of the RGPD; that is, it is required
provide information on the use of profiles, as well as "meaningful information
on the underlying logic and the notable and anticipated consequences of the treatment
for the interested party ", based on such a statement in a part of the content of
recital 60: "the interested party must also be informed of the existence of the
profiling and the consequences of such elaboration
In any case, the WP260 refers to the aforementioned "Guidelines on decisions
automated individual and profiling ", in order to" obtain guidance
Additional information on how to implement transparency in the circumstances
specific characteristics of profiling
We must add that the annex to WP260 identifies the type of information that
must be provided to the interested parties, depending on various circumstances that
they can concur in the processing of personal data; thus, it is worth mentioning that in
the first column does not refer to 'profile type' as a
information to be provided to interested parties, referring exclusively to the "existence of
automated decisions, including profiling, and, where appropriate,
meaningful information about the applied logic, as well as the importance and
expected consequences of said treatment for the interested party ", and referring in their
Comments on the Guidelines on Individual Decision Guidelines
automated and profiling.
Therefore, in the Guidelines on Transparency under Regulation (EU)
2016/679 does not identify that the type of profile is information that in a way
mandatory should be provided to interested parties, nor does it propose it as an orientation or
a good practice; therefore, no mention is made of this type of information
to comply with the principle of transparency of the GDPR. The CEPD does not consider that
it is necessary to provide such information that the AEPD now requires in its Proposal
of Resolution.
In the Guidelines on Automated Individual Decisions and Preparation of
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 59/133
profiles for the purposes of Regulation 2016/679 (WP251rev.01), when they are developed
the general provisions on profiling and automated decisions,
in the section dedicated to the principle of legality, loyalty and transparency, in what
Regarding transparency, it refers to the fact that in the "Guidelines on
transparency of the Article 29 Working Group "deals with more detail on the
transparency, therefore it makes a general reference to the document analyzed in the
previous section of our claims.
The CEPD affirms that "people have different levels of understanding and can
difficult to understand the complex techniques of the
profiles and automated decisions "; that is, the CEPD advocates information
free of complexities, alluding to the provisions of article 12.1 of the RGPD: "the
data controller must provide interested parties with concise information,
transparent, intelligible and easily accessible on the treatment of your data
personal ", delves into this question when, alluding to a guide from the Office
of the Australian Information Commissioner, stating that: 'Statements
confidentiality should communicate practices on the handling of information from
clear and simple, but also comprehensively and with sufficient
specificity to be significant "The conclusion is that it must be reported in a
"clear and simple"; more information does not necessarily mean more
transparency, and this must be balanced by being comprehensive and providing
exclusively the detail of what is really significant, avoiding, for
Therefore, the well-known "information fatigue", for which the use of layers of information and
different times when it can be reported more or less exhaustively and
detail, they must be taken into account as we will analyze later.
In this sense, the aforementioned guide from the Australian Information Commissioner also
affirm that “the very technology that allows a greater collection of information
staff also provides the opportunity to prepare confidentiality statements
more dynamic, multi-layered and user-centric. "This last element
has been a common denominator in the information that CPC and the CaixaBank Group have
provided to its clients in relation to the processing of their personal data, and that
Now with the aforementioned resolutions, the AEPD has clearly put itself in crisis,
advocating an information model for stakeholders where it only has
present completeness and detail (useful or not), where it is not clear where
the level of understanding of the information provided must be placed, pretending
that this adapts to the understanding of the AEPD itself, not so much of the people who
they must actually receive that information. Let us remember that the CEPD refers
expressly that "people have different levels of understanding and can
difficult to understand the complex techniques of the
profiles ".
The guidelines that we are analyzing, with regard to the situations in which
those responsible for the treatment "intend to rely on consent as a basis
for profiling 'they say that the controller must
demonstrate "that stakeholders understand exactly what they are consenting to." On
In this regard, the CaixaBank Group has proactively verified this understanding
through studies that have involved clients. But it is that, in addition, Group
CaixaBank has not received complaints from interested parties who have
evidence that the information provided to them in the different layers
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 60/133
informative information has generated significant doubts, not even this question is part of
of the claim that gives rise to the Proposal for Resolution. And it should still be added that
In this matter, the AEPD is reversing the burden of proof, since it does not provide
any indication or evidence that the information provided is not understandable;
remember that the CEPD believes that "stakeholders must have sufficient
information on the use and the intended consequences of the treatment to ensure
that any consent they give constitutes an informed choice. "This part
wants to emphasize that the CEPD refers to "sufficient information" (not information
exhaustive that would cause a reaction of not reading the informative notices), and
that such information should be about "use and consequences"; not mentioning
the CEPD the "type of profile" now required by the AEPD, considering that not reporting
This information is a deficiency that has partially led him to conclude that
the consent obtained by CPC is not valid.
Referring to the "right to be informed," the CEPD insists that "those responsible for the
treatment must ensure that they explain to people, clearly and simply, the
operation of profiling "; fleeing, therefore, from complicated and
extensive explanations, adding that what is relevant is that it is clear "to the user
the fact that the treatment is for the purposes of both a) profiling and
b) adoption of a decision based on the profile generated. "Let us remember that, as
As has been accredited, CPC informs the interested parties both that they are elaborating
profiles, as well as the decision made based on them, related to
exclusively with the sending of commercial offers.
And, in relation to other types of information that must be provided to the interested parties,
It is very relevant to mention the reference made by the CEPD in these guidelines
to the right of access (article 15 of the RGPD), so that as it is well expressed, "the
Article 15 offers the interested party the right to obtain details of any data
personnel used for profiling, including categories of data
used to prepare a profile adding that, in addition to the general information, "the
data controller has the duty to make the data used available
as input data to create profiles, as well as to facilitate access to the
information about the profile and details about the segments to which it has been assigned
to the interested party "(perhaps by" type of profile "the AEPD refers to the" segments
assigned to the client "); that is, in no case is such informational detail required
by the AEPD of the information obligations of articles 13 and 14 but that, in
In any case, such exhaustive information must be provided when the interested party has
exercised the right of access recognized by article 15 of the RGPD, and it is here
where the AEPD is confused by requiring that, in the different layers of information that
are made available to all customers, types of information must be included that
it is only reasonable and common sense that it is made available to customers
as a result of a request for the right of access in relation to the treatment
that includes the use of profiles.
In addition, the CEPD itself establishes limits to the scope of the information that must be
be provided in connection with profiling when you state that "the
Recital 63 provides some protection for data controllers
affected by the disclosure of trade secrets or intellectual property, which
may be especially relevant in relation to profiling. "And it is
that recital 63 establishes that the right of access "should not affect
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 61/133
negatively to the rights and freedoms of third parties, including secrets
commercial or intellectual property and, in particular, property rights
intellectual property that computer programs protect ». By extension, we interpret that
Such protection extends to the algorithms used for profiling, which
include, among other things, the specific data that is used, which does not
hinders the provision of information on categories of data
used, but not necessarily the exhaustive detail of such data, or how it is
use, and it is not necessary to report on the result of the application of
the aforementioned information analysis algorithms or techniques, which could be
even protected by Law 1/2019, of February 20, on Business Secrets,
but yes of the consequences that it can have for the interested parties; that is, the
Regulation as a whole advocates a balanced model in terms of information
to be provided in relation to profiling, taking into account
both the rights and freedoms of the people whose data are subject to treatment
such as the rights of those responsible for processing certain information
that could constitute business secrets of a general nature, and, in particular,
the commercial secrets referred to in the RGPD itself.
In Annex I of the Automated Individual Decision Guidelines and
profiling includes some good practice recommendations;
We emphasize that these are recommendations from a set of good
practices that should not be construed as mandatory or binding but, as
as expressly stated at the beginning of the aforementioned annex •. "The following
Good practice recommendations will help data controllers to
comply with the requirements of the provisions of the GDPR on profiling and
automated decisions "; that is, these are good practices that have
as a purpose "to help" to comply with the provisions of the RGPD but, in no case, will
pose as obligations for those responsible for processing.
The good practices recommended by the CEPD, regarding the right to
information, propose that, in addition to taking into account in general the
envisaged in WP260 (transparency guidelines), when the
processing of personal data involving automated individual decisions
or profiling, the data controller must offer information
significant on the applied logic, so that, as stated by the CEPD,
recommends that "instead of offering a complex mathematical explanation of
how algorithms or machine learning work, the person responsible for the
Treatment should consider using clear and comprehensive ways to provide
information to the interested party, for example: "(and here we add that it is
exclusively of some guidelines, since they are just some examples):
the categories of data that have been or will be used in the preparation of
profiles or the decision-making process; (and here we add we, who do not know
refers to the detail of all the data that will be used) the reasons why
These categories are considered relevant; how the profiles used are made
in the automated decision-making process, including the statistics used in the
analysis; why this profile is relevant to the decision process
automated; and how it is used for a decision regarding the data subject
It must be taken into account that these recommendations do not apply in their entirety to the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 62/133
treatment affected by this Penalty Procedure since the object
of the Proposed Resolution refers exclusively to the elaboration of profiles,
not including decision-making based solely on treatment
automated system that may produce legal effects on CPC's clients or that
may similarly affect significantly since the purpose of profiling does not
It is other than selecting customers to direct offers of products and services, for
Therefore, a purely commercial purpose and that, in any case, the fact that a
client is not included in a commercial campaign does not imply, of course, that
is automatically excluded from the possibility of contracting or using the products or
services offered by CPC to some of its clients since it always has the
option to contact CPC in order to be interested in or request the service or product
that is of interest to you.
As you can easily deduce from the information that the CEPD recommends
that are provided to the interested parties, it has not been mentioned, in any case,
inform about the "type of profile", as the AEPD claims it should have been
mandatorily informed by CPC, always without forgetting that, in any
In this case, we are facing recommendations for good practices.
Regarding the "Guidelines 5/2020 on consent in the sense of the
Regulation (EU) 2016/679 ", refers to the CEPD" opines "(once again
the scope of the guidelines is confirmed as recommendations and criteria for
assist compliance) that at least the following information is required to
obtain valid consent:
i. the identity of the data controller,
ii. the end of each of the processing operations for which the
request consent,
iii. what (type of) data is to be collected and used,
iv. the existence of the right to withdraw consent,
v. information on the use of data for automated decisions,
in accordance with Article 22 (2) (c), where relevant, and
saw. information on the possible risks of data transfer due to
to the absence of a decision of adequacy and adequate guarantees, such and
as described in article 46, "
Here we do not find any reference to the "type of
profile "referred to by the AEPD in the Resolution Proposal as a deficiency of the
information provided by CPC to its clients.
Finally, it states that it has analyzed documents published by the AEPD in relation to
to treatments that involve the use of artificial intelligence, which include the
reference to the use of such techniques for profiling and the result has been
that neither in the document dedicated to the "Adequacy to the RGPD of treatments that
incorporate Artificial Intelligence "(February 2020), nor in the" Requirements for Audits
of Treatments that include AI ", you can find information on the types of
profiles that could be elaborated, nor is referenced, when
address issues related to the information to be provided to data subjects,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 63/133
that the "type of profile" is an issue that should be informed in a way
specific to stakeholders.
Therefore, with regard to the aforementioned lack of information on the "type of profile",
we cannot agree that it is an informational deficiency that may have
legal effects, since it is not required to provide such information in
relation to the right to information, without prejudice to the fact that, based on the right to
access such information could be provided, all and that is not the assumption
object of the Proposal for Resolution. To all this must be added that there is no
classification or catalog of types of profiles to apply, so that different
Responsible parties could refer to the same profile in different ways, still creating
more confusion in the stakeholders; therefore, the absence of such information does not
can be considered an information deficiency that leads to the conclusion that the
information provided by CPC is incomplete and insufficient and, consequently,
Such circumstance cannot be used as a basis for declaring an infringement, nor the
illegality of consents.
Continuing with the treatments whose purpose is the "analysis, study and follow-up
for the offer and design of products and services adjusted to the client ", it is stated by
part of the AEPD that does not indicate the purpose in the treatments of letter a) and b) of the
number 1. (according to the structure used in the "GENERAL CONDITIONS OF THE
APPLICATION-CREDIT AGREEMENT). Nor can we share such a conclusion
since the main purpose is reported, which is none other than the "analysis, study
and monitoring for the offer and design of products and services adjusted to the profile of the
client ", together with a grouping of treatment operations that are carried out
carried out to analyze risks and segment clients based on their data
personal, in order to:
"Study products or services that can be adjusted" to the profile of the clients of
CPC and specific commercial or credit situation, for the purposes of "making offers
commercial'
"Track the products and services contracted"
The AEPD, in its guide "Risk management and impact assessment in treatment of
personal data "(June 2021), affirms that, when determining with precision the
purposes of a personal data processing, it may be possible to confuse the "purpose
last of the treatment "with measures or processes (treatment operations) that are
carried out in an instrumental way to achieve the purpose proposed by the
responsible for the treatment.
The ultimate purpose of the treatment object of the Proposal for Resolution is none other than the
"analysis, study and monitoring for the offer and design of products and services
adjusted to the client ", so that, to achieve this purpose, CPC has decided
jointly, within the framework of co-responsibility of the aforementioned treatment, carry
carry out various treatment operations to achieve some objectives
intermediate. or, where appropriate, has used what are still instrumental means
for the achievement of the ultimate purpose of the treatment.
As a whole, CPC specifies and reports both the main purpose pursued
as well as everything that implies the use of the personal data of its clients to
achieve this end, in sufficient detail to be understood by the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 64/133
clients, without causing them the typical information fatigue due to excess information
without real relevance to authorize the use of your personal data.
There is no doubt that, as a result of the information that CPC provides to
your customers, they know that their data will be used to offer them products
CPC based on your profile. We do not understand what doubts the way in
that you have been informed about the purpose; neither has the AEPD transmitted with
clarity what is not understood or what could cause confusion to customers of
CPC in relation to the use to be made of their data, if they consent to it.
Clients know that in order for CPC to send them commercial offers, always prior
consent, a profile will be created with your personal data, which includes
assess your risks, so that the product offering is appropriate for your
financial capacity, which also implies that CPC takes into account what
characteristics have the products and services that you already have contracted (follow-up
and incidents).
Of course, any process that involves transferring information to a third party, in
in this case clients, it is susceptible to be improved, both in the expression itself and
in the techniques to be used to inform in the clearest and most efficient way possible; but
from there to conclude that from the set of information that CPC provides to its
clients derive deficiencies of such magnitude that they imply that the information is
incomplete and insufficient there is an extraordinary margin of discretion on the part
of the Agency, especially when it has not demonstrated, in any case, that the
information on the end of the treatments is incomplete or insufficient, limiting
to say that it is, without further argument, or at least not adjusting its
arguments to law, as has been shown in these
allegations, demanding informative content in relation to transparency and
right of information to which neither the RGPD, nor the LOPDGDD, and that neither so
They are only included in the recommendations of the CEPD.
Therefore, the information that has been provided to its customers by
CPC in relation to the treatments of "analysis, study and follow-up for the offer
and product design ", complies with the obligations of transparency and information
provided for in the regulation, being this complete and sufficient for customers to be
aware of what use will be made of their personal data, as it has
has been revealed in the set of previous allegations, although, such and
as already claimed in the Home Agreement, in the Group's new "Privacy Policy"
CaixaBank, under the heading "A. Analysis of your data for profiling
to help us offer you products that we think may be of interest to you. "
proceeded to incorporate improvements in relation to the information provided to the
interested parties, precisely derived from the incidence that the AEPD is having
by exercising its sanctioning power in the CaixaBank Group.
Regarding the rest of the treatment operations carried out for the
"analysis, study and monitoring for the offer and design of products and services
adjusted to the client's profile "(letters b, c, d and e), on which the AEPD maintains that
the categories of data used are not reported. In the initiation agreement the AEPD
maintains that the interested party cannot know the data that will be processed for the
outlined since the information provided includes data that does not
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 65/133
will be subject to such treatment and, however, according to the AEPD, you are not informed
of the processing of other data that will be the object of the same. Reiterate here the
allegations made to the initiation agreement that the categories of data
object of the treatment are not among the minimum information described in the
Article 13 of the RGPD so that consent is informed and that despite not being
mandatory to report it the information provided as a whole does allow
know the data to be processed for profiling.
The AEPD, in relation to the configuration of the mechanism for the provision of the
consent, states that "it has not been foreseen that the interested party expresses his option
on all the purposes for which the data is processed. It is discussed in section (i) of
treatments for "the offer and design of products and services adjusted to the profile of
client ", assuming that in himself he already understands three different ends"; in this
In this sense, we refer to what has already been expressed in regard to the ultimate goal of the
treatment and the necessary distinction, according to the opinion of the AEPD, regarding the
different operations or processes that are carried out in an instrumental way or
as intermediate objectives.
As we already argued at the time, "consent is only requested with the
purpose of studying products or services that could be adjusted to the profile or
specific commercial or credit situation of customers to send you offers
commercial tailored to your needs and preferences. '
To what has already been alleged in relation to obtaining consent in the brief of
response to the Initiation Agreement and the confusion arising from an error in the clause
informative, we want to add that such circumstance does not obey, in any case, a
intention of hiding information or confusing CPC clients, or any other type
of intention of CPC to breach its obligations in terms of protection
of data, not meeting the necessary requirement of guilt to be able to impose
an administrative sanction since, as the AEPD well knows, the criterion
jurisprudential that any sanction regardless of conduct must be ruled out
guilty or negligent; so we want to show that, in no case,
CPC has sought a result of disinformation, concealment or generation of
confusion in their clients, considering that such consequences have not occurred,
since no claims have been made by their clients in this regard-,
starting the entire Sanctioning Procedure from a discretionary assessment, therefore,
neither substantiated nor accredited by the AEPD, in that the information
provided in relation to the treatments is not sufficient or clear, of which it is
would lead to an uninformed obtaining of consent, an opinion that we cannot
share, and that our clients have not formally raised, not even in
the claim origin of this Penalty Procedure.
The AEPD refers in its Resolution Proposal to the changes introduced
in the CaixaBank Group Privacy Policy which, among other issues, adapts n
the information about the treatments to the requirements of the AEPD and they try
improve the information provided to CPC customers. To the AEPD such
changes also do not satisfy him, stating that they do not meet the demands
imposed by data protection regulations, in particular with regard to the
treatment based on consent, identified as "analysis of your data
for the elaboration of profiles that help us to offer you products that we believe
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 66/133
may interest you ", which corresponds to the treatment object of the Proposal for
Resolution.
To reach the above conclusion, the AEPD has limited itself to analyzing a paragraph of the
new Privacy Policy, specifically the following: "Through this treatment
we will analyze your data to try to deduce your preferences or needs and thus
to be able to make commercial offers that we believe may be of more interest than
generic offers from which it states that it only contains generic expressions,
that:
"They do not identify what type of preferences or needs it refers to" "or what type of
offers can give rise "" without, on the other hand, being informed of the type of profile that
is going to take place.
It is simply unheard of that such informational content is required. With respect to
"type of profile" we have already extended enough to show that it is not
It is information that CPC is obliged to provide to attend to the
requirements of the data protection regulations and that, in addition, not only form
part of the recommendations made by the CEPD.
As the AEPD must know, profiling is still an activity
dynamic in terms of the results it can give. In this case, the "needs and
preferences "can change, depending on many environment variables.
Of course, despite this, it is more than reasonable to think that it is, in any case,
of needs and preferences related to the products and services offered by CPC,
that are perfectly delimited in its portfolio of products and services and in the
own corporate purpose of the company, and that are known by its customers, since they are
advertise by different means.
Consequently, it does not seem that detailing such "needs and preferences" can
contribute anything relevant to CPC clients within the framework of a Policy of
Privacy, as long as they are aware of what CPC's business activity is, as well
like the products and services you can offer. In any case, it does not provide the
AEPD any legal basis to demand such specification since it does not refer to the
legal precept or recommendation that allows you to conclude that they should be detailed
such "needs and preferences that we insist can be deduced with character
general relationship that CPC establishes with its clients.
In the same way it happens with the supposed information deficiency regarding
informs about the "type of offers" that can be made to customers, which is
It is evident that they will be changing in terms of the type of offer and content, but that,
as it cannot be otherwise, they will always be related to the activity
CPC business. In this section, once again, the conclusion of the AEPD is
absolutely discretionary since it does not refer to the legal precept or to the
recommendation that allows you to conclude that the types of offers should be detailed ",
which will obviously be commercial offers regarding the products and services of
CPC, something that is so obvious to CPC clients that it causes a lot of
surprise that the AEPD cannot understand and chooses to ask for a detail that the only thing
What I would do would be to add changing and unnecessary information in the framework of a
Privacy Policy. A different question would be that, before a right of access or
even a consultation to CPC by their clients, at any time they can
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 67/133
provide more detailed information adapted to the reality of the moment in which
such request for information is made.
To all this it should be added that it is surprising that the AEPD has supported its analysis
exclusively in a paragraph of the aforementioned policy; maybe with a reading
comprehensive and systematic could improve your perception of the contents of the new
Policy of the CaixaBank Group, which undoubtedly complies with the requirements imposed by
data protection regulations on transparency and information.
Therefore, we cannot agree that, in the words of the AEPD, the new
Privacy Policy: "does not meet the requirements imposed by the regulations of
Data Protection "
We must state that, without prejudice to the negative assessment made by the AEPD of
the Privacy Policy based on the analysis of a single paragraph thereof, in addition
refers to the fact that such a policy is not enough to consider as corrected
the deficiencies observed in the Initiation Agreement, based on the fact that the
"GENERAL CONDITIONS OF THE CREDIT AGREEMENT APPLICATION" no
reflect such changes, ignoring the difficulties that such changes may pose
in complex organizations such as CPC, which must analyze and assess
meticulously the time and manner in which the appropriate
modifications, in particular when they affect the relationship with its clients, and that
have an impact on both information systems and operating procedures
of the organization, and even in compliance with other regulations that affect its
business activity. In this sense, it should be added that CPC is
designing the necessary adaptations derived from the new Privacy Policy
of the CaixaBank Group. In addition, the aggravating factor is that the AEPD forgets
complete that there is already a sanctioning procedure followed against CaixaBank, which
affects this particular treatment (to the extent that it has been alleged that there is a
violation of the non bis in idem principle) since it is carried out under the
co-responsibility, which implies that changes must be coordinated with all
the joint controllers since it is a data processing configured and determined by
jointly, in particular in terms of their ends and means.
Regarding the communication of data to the group companies,
We must point out that the AEPD should update the formulas it uses in its
writings, in particular those related to the resolutions since it affirms that such
communication of data to group companies, as it is a purpose in itself,
it says verbatim that "it requires a manifestation of the will of the interested party for the
that he consents that it can be carried out "; so that for the AEPD the
Consent is still the only basis of legality that covers a communication of
data to third parties when it is well known that the RGPD does not establish as the only basis
legal for the communication of data to third parties the consent of the interested party,
being able to use, as long as it is appropriate, any of the conditions of legality
provided in article 6 of the RGPD, therefore, not only through consent,
concurring, once again, the lack of rigor of the AEPD in this Procedure
Sanctioner when in this matter he is relying on the provisions of article
11.1 of Organic Law 15/1999, of December 13, on Data Protection of
Personal Character, which provided that: "The personal data object of the
treatment may only be communicated to a third party for the fulfillment of purposes
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 68/133
directly related to the legitimate functions of the transferor and the transferee with
the prior consent of the interested party '
Having said the foregoing, we reiterate what has already been alleged in that there is no communication of
data to third parties as long as there is a co-responsibility regime between various
CaixaBank Group companies, which is based precisely on factual elements
for those who are now taking formal measures; hence it is out of
place and irrelevant to refer to the fact that the co-responsibility agreement provided
It does not have a date and signature since it is a subsequent action to formalize a
factual situation, which is also linked to regulatory requirements, as already stated
has alleged.
Although it has been included in the Proposal for a Resolution, we also transfer here the
reminder of the 7/2020 Guidelines on data controller and processor
in the RGPD, while the CEPD considers that: "The evaluation of joint responsibility
should be carried out on the basis of a factual, rather than a formal, analysis of the
real influence on the purposes and means of the treatment. All provisions
Existing or planned should be verified taking into account the circumstances of
facts relating to the relationship between the parties to which he adds that a criterion merely
formal would not be enough. It is surprising that the first assessment of the AEPD for
to rule that there is no co-responsibility is to say "that the agreement of
co-responsibility provided lacks date and signature and, consequently, validity
some ", therefore, prioritizing the formal element for the AEPD, separating itself from the
opinion of the European data protection authorities, despite the fact that the AEPD
It is part of the CEPD.
Certainly the CEPD, for the sake of legal certainty and in order to guarantee the
transparency and accountability, since the GDPR does not specify the way in which
must take the co-responsibility agreement, recommends that such an agreement be
formalize by means of a binding instrument, which seems to us a good
recommendation (remember that the guidelines do not impose legal obligations); by
This is why the CaixaBank Group and, consequently, CPC as part of it, has
drawn up an agreement for this purpose, following such a recommendation that, in no case,
assumes that the co-responsibility regime does not exist due to the fact that it is not
signed, as stated by the AEPD.
Additionally, and taking into account that the existence of co-responsibility does not
depends on such a firm, as the CEPD believes, it is consistent with the situation
that has not yet been signed, while the existence of such a
co-responsibility is being questioned by the AEPD (although there is no
provided any evidence of this, rather than their opinion), as well as timely and legitimate
that the signature of the same depends on how it is finally resolved, now already on track
jurisdictional, the sanctioning procedure against CaixaBank that affects the same
processing of personal data object of the Proposed Resolution that is the origin
of this brief of allegations by CPC and that is carried out based on a
co-responsibility that, in the opinion of the AEPD, does not exist.
In the first part of this writing, allegations and statements have already been made in
in that the treatment object of the Proposal for Resolution is carried out
carried out under a co-responsibility regime, so the alleged communication of
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 69/133
data to third parties that the AEPD raises does not exist; therefore, it cannot be declared
any infraction in this regard. As we said, we refer to the legations and
made in this and previous writings, showing that the AEPD has
limited to denying that such co-responsibility exists, without providing any element, or
factual or legal, that supports such a claim, reversing the burden of proof that
there is co-responsibility in CPC and in the CaixaBank Group, when it should be the
AEPD who provides evidence on the non-existence of such co-responsibility
Consequently, we cannot agree that the co-responsibility regime that
affects the treatment object of the Proposed Resolution does not exist for the mere fact
that it has not yet been signed. There are numerous factual elements presented,
both by CPC and CaixaBank, which show that the treatment of
Profiling of clients to direct commercial offers is carried out on a basis of
co-responsibility despite the fact that the AEPD issues an opinion to the contrary
well-founded. Therefore, it cannot be considered that there is a communication of data to
third parties in this case.
Regarding the statement of the AEPD that the consent given for the
profiling purposes is not in accordance with the provisions of article 4.7 of the RGPD,
We refer and reiterate the allegations already made to the Initiation Agreement,
recalling what has already been stated in this Writing as to the fact that there is no
multiplicity of purposes that have not been specified but one purpose
main and a set of complementary or instrumental operations to
reach the ultimate goal, operations that have been conveniently informed, of another
Thus, the AEPD would not have been aware of them, all this without prejudice to the
non-substantial errors that may have been made in the conditions and policies
whose correction is being designed by the CaixaBank Group, while
There is a regime of co-responsibility regarding the treatment object of the
Motion for a Resolution. Of course, we must insist on the consideration that they must
have the recommendations of the CEPD, insofar as they are an opinion, for
authorized assumption, which should not be confused with the obligations arising from
the data protection regulations, collected in general in the RGPD and, in
your case, in the LOPDGDD; so that the minimum information content
required by regulation are served by CPC, notwithstanding that this (CPC)
consider it of interest to attend, as it does, to the recommendations and good practices
proposed by the European data protection authorities, insofar as this is
in improving the information received by its clients in relation to the use of their data
personal information by CPC.
As already stated in our allegations, we do not agree with the
conclusion of the AEPD that the breach of article has been accredited
6.1 of the RGPD by CPC regarding the treatment object of the
Motion for a Resolution. In our opinion, the legal foundations developed
by the AEPD do not sufficiently prove such breach, or not to the extent that
intends to give you the AEPD; That is why, to guarantee the defense of the
interests of CPC, we consider it appropriate to refer to and analyze the factors
which, according to the AEPD, influence the determination of the amount of the fine
administrative proposal.
In the first place, we want to express some general questions that we
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 70/133
seem relevant with respect to the use of criteria for graduation of the sanction. On trial
From this part, there has been a clear separation from the administrative precedent
since article 35.1 c) of the LP ACAP establishes that the acts that are separated from the
criteria followed in previous actions must be motivated. This precept states
I manifest that the AEPD must expressly justify its changes of criteria put
that the principle of equality means that "the Administration must maintain in its
resolves an equal criterion when it comes to identical or similar cases ”(Sic.
STSJ of Catalonia, of January 15, 1999), this would affect a substantial change in
the amount of the administrative fines, which has not been sufficiently credited and
which has no basis, as will be seen, in the fact that the RGPD has modified
the amounts of the administrative fines.
In this sense, PS 0070/2019 serves as an example where facts are sanctioned
similar in relation to the obtaining and granularity of the consent of the
interested parties, in which a different application of the criteria that allow
graduate the sanction, being, in both cases, financial entities, but with different
volumes, both in number of interested parties and in business volume, among others.
Thus, while in the Proposal for Resolution the AEPD considers that the
following graduation criteria:
The nature, severity and duration of the offense, taking into account the nature,
scope or purpose of the processing operations in question.
The intentionality or negligence appreciated in the commission of the offense.
The high link of the activity of the offender with the performance of treatment of
personal information.
The condition of a large company of the responsible entity and its volume of business.
The high number of data and treatments that constitute the object of the file.
The high number of interested parties.
In PS 0070/2019, we insist, regarding very similar facts charged against
an important financial entity at the state level, surprisingly only
take into account two graduation criteria, compared to the 6 of the Proposal for
Resolution:
The nature, severity and duration of the offense, taking into account the nature,
scope or purpose of the processing operations in question;
The intentionality or negligence appreciated in the commission of the offense.
It is thus evident, in an evident and objective way, that a
unequal treatment when establishing the amount of the administrative fine.
Regarding the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operations in question,
affirms the AEPD that it is the result of the procedure designed by CPC for the
collection of consent in order to create profiles to direct offers
commercial to your customers, we once again remind you that the treatment is carried out in
co-responsibility regime and that, therefore, such procedure has been designed
jointly within the framework of the Caixa Bank Group.
The AEPD forgets to assess that, in any case, we start from a procedure
designed and implemented; that is, it has been the object of analysis and reflection
precisely to respond to the requirements of the regulations for the protection of
data. It would seem that having a procedure would represent a
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 71/133
aggravating, implying that the non-existence of such a procedure might have
led not to apply such aggravating factor, an incongruous situation in light of the principle of
proactive responsibility established by the GDPR.
In addition, the AEPD states that the aforementioned treatment "carries a significant risk
for the rights of the interested parties taking into account the character especially
intrusive of such data processing 'In this case, the AEPD does not argue in what
that "significant risk" consists of, he just states it and adds that it is especially
intrusive, also without any argumentation, which leads to the question that if the shipment
of commercial communications to clients is especially intrusive 'what
processing of personal data will not be particularly intrusive.
We insist that we are not facing an assumption in which CPC has dispensed with
radically from the obligations related to obtaining consents,
Notwithstanding the fact that the AEPD considers that certain
issues, which could lead to improvements in the way data are collected
consents. The evidence is that there is a procedure designed with the
Willingness to comply with data protection regulations. In this sense, it turns out
of interest what is expressed in the Guidelines on the application and setting of fines
administrative for the purposes of Regulation 2016/679 (WP 253) which indicates that "more than
be an obligation of result ", these provisions introduce an obligation of
media; that is, the data controller must carry out the evaluations
necessary and reach the appropriate conclusions. Therefore, the question to which the
supervisory authority must answer is to what extent the data controller
He "did what could be expected to do" in view of the nature, purpose or
the scope of the processing operation, in light of the obligations imposed by the
Regulation. "The AEPD has not assessed, at any time, whether they have
efforts to comply, everything and that it has been clear that indeed, from
Before the full requirement of the RGPD, both CPC and the CaixaBank Group have
dedicated human and material resources to adapt to the requirements of the regulations
of data protection.
Regarding the intentionality or negligence appreciated in the commission of the infraction, says the
AEPD that "the defects indicated in the procedure by which the
consent of their clients, given their evidence, should be warned and avoided
when designing said procedure by an entity with the characteristics of CAIXABANK
PAYMENTS & CONSUMER EFC, EP, S.A.U.
We cannot disagree more with the formulation made by the AEPD for the
application of this criterion, especially because it leaves in the air if the AEPD considers that
CPC's conduct is intentional or negligent, a very relevant difference as
We imagine that the AEPD will agree, to which we must add that, for
discounted, in no case has CPC considered intentionally breaching,
nor systematic, as the AEPD seems to suggest, with its obligations in terms of
personal data protection.
And, furthermore, in our opinion, CPC has acted diligently, establishing since
initiation of clear procedures in relation to the information made available to the
clients and the procedures for obtaining their consent. CPC
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 72/133
has a desire for continuous improvement and transparency, not concealment or generation of
confusion in their clients, a fact that is reflected in the evolution of the documents and
mechanisms used, and also in the improvement of the information contained in the
themselves.
Regarding the high link between the activity of the offender and the performance
processing of personal data, we do not agree that it results from
application to the case of CPC. The AEPD affirms a truism, as that "the operations
that constitute the business activity developed by CAIXABANK PAYMENTS &
CONSUMER EFC, EP, S.A. U. as an entity dedicated to the commercialization of
credit or debit cards, credit accounts and loans, involve operations
of personal data processing. "We do not understand what value such a statement has in
in relation to the application of this aggravating factor as applied by the AEPD because, in
Our opinion is separated from the intention of the legislator, which is directed to consider
aggravates the fact that the processing of personal data is the main activity
of a business nature, not an instrument; hence it refers to "high
linkage ", otherwise it would be concluded that the mere fact of trying
personal data would always be an aggravation. If the legislator had
claimed he would not have qualified that such a link should be "high
Hence, we affirm that, in no case, the main activity of CPC is the
processing of personal data of its customers, since data is used
personal in what is necessary for the development of their main activity of
business, and neither that it benefits directly or indirectly in terms
economic of the commercialization of the personal data of its clients; no
We believe that the fact that, as the AEPD argues, "among its activities
commercial communications is the sending of commercial communications to their clients
third party entities with which it has commercial agreements "is an element
definition to apply such criterion of aggravation of the amount of the administrative fine
. In summary, the AEPD does not substantiate that the aggravating high linkage of the activity
of the offender with the performance of personal data processing is applicable
to the course.
If the AEPD has assessed that it applies such criterion taking into account the volume of data
and interested parties included in their treatments, then I would be reiterating the application
aggravating factors since it also uses both the
high volume of data and treatments, such as the high number of interested parties;
As we have stated, the justification by the AEPD of the discharge
linking the activity of the offender with the performance of data processing
personal is insufficient, we do not know if the AEPD has taken into account the aforementioned
volume of data, treatments and interested parties at the time of applying such aggravation and if,
therefore, you would be applying the same aggravating factor more than once.
Regarding the criterion of aggravation due to the condition of a large company of the entity
responsible and its volume of business, we are surprised that the AEPD uses both the
CPC's turnover, and at the same time the turnover of the CaixaBank Group; no
we can agree that both business data are used as it implies
that twice the same turnover is taken into account since the volume of
CPC's business is, in turn, included in that of the CaixaBank Group. We are surprised that
Yes, in the opinion of the AEPD, there is no co-responsibility in the treatment object of the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 73/133
resolution proposal, the Group's turnover figure is taken into account
CaixaBank; therefore, we consider that the graduation criteria would be poorly applied.
We want to state that we radically disagree that the AEPD does not
has identified any mitigating factor in relation to the alleged infringement that it attributes to
CPC; for which we proceed to identify, reiterating what has already been alleged in the brief of
response to the Initiation Agreement, some of the facts and circumstances that should
attenuate the graduation of the administrative fine proposed by the AEPD.
CPC has made a significant effort in recent years - and especially
since the entry into application of the RGPD and the merger carried out on July 11, 2019—
to provide its clients with relevant information about the treatment of their
personal data appropriately. The clearest example of this initiative is
constitutes n the different versions of the policies and privacy clauses, fact
which reaffirms the proactivity and spirit of continuous improvement of CPC.
This behavior demonstrates a clear exercise of transparency and loyalty, as well as
proactive and diligent activity by CPC in relation to compliance
of the data protection regulations, in addition to demonstrating their desire to repair
potential errors, if any.
The degree of cooperation with the supervisory authority is not assessed either, since CPC has
shown, at all times, their willingness to collaborate with the Agency in order to improve
those aspects of the treatments that are susceptible to improvement. As has been
revealed in this Brief, CPC has launched a series of
measures aimed at this improvement in the collection of consents. That is how you are
Circumstances must be assessed by the Agency as extenuating.
Finally, it should be remembered that both CPC and its data protection delegate
have been available to cooperate, despite the dates on which the AEPD has
proceeded to notify the most significant administrative acts of this Procedure
Sanctioner (end of December 2020 and beginning of August 2021) and at
operational difficulties derived from the still active pandemic situation, having
been proactive and diligent in responding to any requirements of the
Agency. Nor has such an effort deserved to be considered as a mitigating factor.
PROVEN FACTS
FIRST: On November 6, 2018, you entered this Agency in writing
of D.A.A.A., denouncing that the entity CAIXABANK, CONSUMER FINANCE, EFC
had requested COMPANY.1 information about the inscriptions related to his
person in the COMPANY.2 file, without being a client of said entity, since the relationship
with the same it had been formally extinguished in 2014. Transferred the claim to the
Data Protection Officer of the person in charge, a response is received in which
admits a human and punctual error, since although the claimant was a client
In the past, at the date of the claim it had ceased to be, however its
data was included by mistake in a campaign of pre-granted credits.
The claim was inadmissible for processing on February 6, 2019, without prejudice,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 74/133
as stated in the Resolution itself, that the AEPD, applying the powers
investigation and corrective measures that it holds, could carry out subsequent
Actions related to the data processing referred to in the claim.
The decision of inadmissibility for processing was appealed by the claimant, alleging that there was no
Being a client of the entity, it has used the financial solvency files with
The purpose of creating a profile and offering you a financial service, without requesting your
consent, estimating said resource.
SECOND: It consists in the information provided by CAIXABANK PAYMENTS &
CONSUMER, that there has been a merger by absorption between
CaixaBank Payments, E.F.C., E.P., S.A.U., absorbed company, and CaixaBank
Consumer Finance, E.F.C., S.A.U., absorbing company, remaining, as
As a result of this operation, CaixaBank Consumer Finance, E.F.C., S.A.
subrogated by universal succession in all rights and obligations, acquired and
assumed, by CaixaBank Payments, E.F.C., E.P., S.A.U., modifying its
company name to the current CaixaBank Payments & Consumer, E.F.C., E.P., S.A. "
It also appears in said information that "the main activity of CAIXABANK
PAYMENTS & CONSUMER consists of the commercialization of credit cards or
debit (hereinafter referred to as "Cards"), credit accounts with or without a card (in
hereinafter, called “Credit Accounts”) and loans (hereinafter, called
“Loans”), (all of them individually named “Product” and jointly,
"Products"), directly or through third parties - whether they are agents or
Prescribers-, with whom you have signed the corresponding agency contracts
or collaborative. Specifically: - Directly, CPC markets some of the
mentioned Products. - Indirectly, CPC markets through Prescribers
and agents.
By "Prescriber" or "Prescribers", those entities with which CPC
has signed a collaboration agreement, based on which they undertake to
offer its clients the possibility of contracting CPC Products to,
mainly, finance the purchase price of products and / or services
marketed by them (Prescribers) in their points of sale, either in person
or online (for example, establishments such as *** ESTABLISHMENT. 1 or
*** ESTABLISHMENT.2 and *** ESTABLISHMENT.3). In particular, the Products of
CPCs marketed through Prescribers are the Cards, the Accounts of
Credit and Loans.
Agent is understood to be CaixaBank, S.A. (hereinafter, interchangeably the "Agent" or
“CaixaBank”), entity with which CPC has an agency agreement, by virtue of the
which, CaixaBank promotes and concludes, through its channels, the CPC Cards,
as well as, where appropriate, refinancing loans for the debt derived from these
Cards.
It also appears that the personal data processing activities that in the
development of its commercial operations involve the elaboration of profiles, according to the
definition set forth in article 4.4 of the RGPD, in particular with regard to the
economic situation of the interested parties, are the following:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 75/133
I. "Analysis of the repayment capacity or risk of non-payment of a
interested in your Request for a Product: It consists of the evaluation by
CPC part of a Product Request (Card, Credit Account or
Loan, hereinafter the "Request") received from an interested party (in
hereinafter, "Applicant" or "Applicants"). This evaluation involves a
processing of personal data that is specified in the necessary assessment
repayment capacity or solvency of the Applicant (probability of
risk of default). Said assessment is carried out, within the framework of the Request
received, in order to comply with the provisions of the regulations that, in
quality of financial credit establishment and payment institution,
It is applicable to CPC (Prudential and Solvency Regulations and
Responsible Loan). "
II. "Analysis of the capacity for repayment or risk of non-payment in the management
of credit risk granted to customers: It consists of monitoring
continuous capacity of repayment or risk of default of customers to
who CAIXABANK PAYMENTS & CONSUMER has granted
financing and, therefore, with which it maintains a credit risk with two
purposes:
- the management of the credit risk granted to them in compliance
of certain legal obligations (specifically, the Regulations
Prudential and Solvency and Responsible Loan,);
- commercial management in accordance with the consents obtained from
the owners of the data (clients) with the subsequent purpose of
offer them products and services tailored to their needs, which
may include the assignment of "pre-granted" credit limits
(pre-granting of a loan based on the information available to the
Entity)."
I. "Analysis and selection of target audience: It consists of the analysis and selection,
prior to a certain commercial impact, of a target audience
(made up of those clients of CAIXABANK PAYMENTS &
CONSUMER that meet, where appropriate, the requirements designed to be
impacted by a potential campaign in order to offer you
Products). Said treatment is carried out in accordance with the
consents obtained from the owners of the data (clients). "
Affirms regarding the categories of data holders that are treated in the execution
of the detailed treatments, which "deals only with data from interested parties who are
Clients of the Entity or applicants for its Products. Does not perform data processing
about interested parties that could be called “potential clients”, understood as
These, data holders who have no current relationship with CPC or who previously did not
have requested a Product through any of the established channels. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 76/133
THIRD: The following is stated regarding the activity called “analysis of the
repayment capacity or default risk for credit risk management
granted to clients during the contractual relationship ”:
1. Regarding the purposes and bases of legitimation of the treatment. It is stated that
has two purposes:
I. "The management of the credit risk granted, in compliance with
certain legal obligations of the Prudential Regulations and of
Solvency and Responsible Loan, applicable when the Product is
a credit account since by allowing the availability of credit
consistently granted, this (Product) must adapt
constantly to the updated solvency capacity of the interested party.
As stated, the enabling title to carry out this purpose, give
compliance with regulatory requirements, is the legal obligation, of
in accordance with article 6.1 c) of the RGPD.
II. Commercial management in the event that you have the consent of the
data owner. Said treatment provides, among others, to be able to label the
client in order to grant him a “pre-grant” (grant of a
credit based solely on the information available to the Entity).
In this case, only the data of those customers who have
given your consent for profiling. "
2. Regarding the logic applied in profiling and the expected consequences of
said treatment for the interested party, affirms that it uses a logic that has been
defined in the Entity's financibility process. (…).
3. Regarding the personal data being processed, it is stated that they are the
following:
- Identification: DNI / NIE / Passport and date of birth.
- Financial: CPC internal data obtained or derived from the relationship
existing contract between it and its client and consult solvency files and
the Risk Information Center (CIR) of the Banco del Banco de España.
- Sociodemographic: postal code, country of birth and nationality, type of
housing and seniority and marital status.
- Socioeconomic: income and pay, employment status and profession, seniority
bank and domiciled entity.
- Others: risk score.
4. Details the following origins regarding the personal data object of
treatment indicated in the previous section:
- Data provided by the Applicant in the Product Application itself.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 77/133
- CPC data in relation to the Applicant in the event that it is already
customer and provided that CPC has data on their payment behavior.
- Data from external sources: in accordance with the regulations that result from
application to CPC as a financial credit institution and payment institution,
It also incorporates the following information:
Information on the consolidated Group of Group entities
CaixaBank
Result of consulting credit information systems.
Result of the query to the Risk Information Center
(CIR) of the Bank of Spain.
- (…).
5. Regarding the means used to collect consent in case
that the processing activity is covered by article 6.1.a of the RGPD, affirms
that the channels through which it collects consents for commercial purposes from
their clients are listed below:
a) Through the Prescribers.
b) Through its CaixaBank Agent.
a) “Through the Prescribers.
In this channel there are three (3) different forms of capture:
The first is through the employees of the Prescribers themselves,
which, at the time of the formalization of the financing contracts
with clients who want to contract the Products offered by CAIXABANK
PAYMENTS & CONSUMER, they ask them about each of the
consents, and then translate the response given on your part to
each of them in the Particular Conditions of the financing contract
subscribed for this purpose.
The three (3) tools provided by CAIXABANK PAYMENTS &
CONSUMER to the Prescribers' sellers so that they can carry out the
capturing the information necessary to process the operations of
financing and, therefore, also to collect the aforementioned
consents, are the Web "*** WEB.1", the app of capture (its use is
performed through a tablet carried by the Prescribers' sellers
that are constantly moving through the store) and the “Web Auto” (…), which are
the software provided by CAIXABANK PAYMENTS & CONSUMER to
the Prescribers, connected with the systems of that (CAIXABANK
PAYMENTS & CONSUMER), so that their sellers process the
financing operations by entering personal data and
economic data of the clients and the contractual data of the operations (TIN,
APR, amortization months, etc.), as well as collect the consents, which
later they will be reflected in the Particular Conditions of the contracts
financing to be formalized and delivered to customers. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 78/133
There are three screen prints in the file that correspond
with these three tools. In them it is observed that the
consent for the following purposes, being able to choose yes or no in each
modality:
- “I authorize the CaixaBank Group to use my data for study purposes
and profiling "
- "I authorize the sending of advertising and commercial offers from the Group
CaixaBank by the following means ”, which in turn allows consent or not for
each of the following sections):
- Telemarketing
- Electronic means such as SMS, email and others
- Post mail
- Commercial contacts through any channel of my manager
- "I authorize the transfer of my data to third parties with whom the CaixaBank Group has
agreements "
- “I authorize the CaixaBank Group to use my biometric data (image, fingerprint
fingerprint, etc.) in order to verify my identity and signature. This authorization
It will be complemented with the registration of biometric data to be used in each
moment"
There is also a screenshot of the tool in the file
AUTO website in which more details can be consulted. According to printing
Obrante in the file the detail consists of the following:
"Consents and protection of personal data
Authorizations you lend now or have lent previously may
be revoked at any time through www.caixabankpc.com/ejerciciode
Rights.
If you grant authorization (1), the offers that are sent to you will be adapted to
your profile
Authorizations (2) (3) (4) and (5) refer to the channels through which
You agree to be contacted by the CaixaBank group either by phone, by means of
electronically, by post and / or in person.
If you do not authorize a channel, the CaixaBank group will not be able to contact you to
offer you products of your interest.
If you provide the authorization (6) at the time the data is transferred, you will be
will inform which third party is the recipient of your data and if you do not agree
You can revoke that authorization.
The authorization (7) is to be able to verify your identity / signature since in the group
CaixaBank use biometric recognition methods as systems
facial recognition, fingerprint reading and the like. "
The second form of recruitment within this group is through the
CAIXABANK PAYMENTS & CONSUMER web portal enabled to process
the financing operation by the client himself, which will have been redirected
by clicking on a link incorporated in the Prescriber's website that
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 79/133
try. Thus, for example, the interested party who decides to apply for the card (…) will initiate
the request in the Prescriber's own portal (…) and it will immediately be
redirected to the web portal enabled for this purpose by and from CAIXABANK PAYMENTS &
CONSUMER where the entire contracting procedure will be carried out.
In this case, it is the client himself, through his computer / tablet, who marks
the response for each of the planned treatments, which afterwards
They will be transcribed in the Particular Conditions of the financing contract
formalized.
It appears in the document sent to this Agency as ANNEX No. 13, the
screen that the client views and in which consent is obtained
that coincide with those described above in the point relative to the channel
prescribers.
In the document submitted as ANNEX 14 shows an example of how
reflect the consents granted by the client in the Conditions
Individuals of the financing contract. This document is called
APPLICATION-CREDIT CONTRACT and is structured in various sections
relating to personal data of the owner and co-owner, to the purchase, to the plan of
financing, etc.
The SUMMARY OF TREATMENTS section of said document contains the
Next information:
"The processing of your data with respect to which you can facilitate your
authorization in the terms established in this contract are the
following:
"COMMERCIAL PURPOSES:
A. Data processing by Caixabank Payments
& Consumer and the CaixaBank Group companies with
study and profiling purposes to inform you of the products
that are tailored to your interests / needs, as well as to the
monitoring of the contracted services and products, carrying out
surveys and design of new services and products.
B. Data processing by Caixabank Payments
& Consumer and the CaixaBank Group companies with the
purpose of communicating offers of products, services and
promotions marketed by them, their own or third parties whose
activities are included between banking, services of
investment and insurance companies, shareholding, venture capital,
real estate, road, sale and distribution of goods or services,
consulting, leisure and charity-social services.
C. Transfer of data by Caixabank Payments &
Consumer and CaixaBank Group companies to third parties with the
purpose that they can send you commercial communications.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 80/133
Said third parties will be dedicated to banking activities,
investment and insurance services, holding of shares, capital
risk, real estate, roads, sale and distribution of goods and
services, consulting services, leisure and charity-social.
OTHER PURPOSES
Processing of biometric data provided by Caixabank
Payments & Consumer and GrupoCaixabank companies, such as
facial image, voice, fingerprints, graphs, etc., in order to
verify your identity and signature with the help of
biometric recognition. "
In the AUTHORIZATIONS FOR DATA PROCESSING section
There are a series of sections in each of which, both for the holder
As for the co-owner, two boxes appear, one to mark yes and the other to
mark no, the various authorizations to carry out data processing.
These authorizations are the following:
A. "I authorize the processing of my data for the purpose of study
and analysis by Caixabank Payments & Consumer and the
Caixabank group companies. "
B. "I consent to the processing of my data by Caixabank
Payments & Consumer and the Caixabank group companies with the
purpose for these to communicate offers of products, services and
promotions through the channels I authorize. " In this case, the boxes
yes / no are broken down for each of the following channels:
Telemarketing, Electronic media such as SMS, email and others, Mail
Postcard. Commercial contacts through any channel of my manager
C. “I authorize Caixabank Payments & Consumer and the
Caixabank group companies give my data to third parties. "
The third way is through the telephone call in which
the sellers of the Prescribers and the managers of CAIXABANK interact
PAYMENTS & CONSUMER. In this case, the Prescriber's seller provides
by phone to the CAIXABANK PAYMENTS & CONSUMER manager all
the customer data necessary to formalize the financing operation and
he processes it. Once the contract is approved, the client, through the
Particular Conditions of the contract that must be signed, defines the
granting their consents by handwriting their
option on the boxes enabled for this purpose. Such particular conditions are
contained in the document sent as annex 14 described in point
previous.
a) Through its CaixaBank Agent.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 81/133
Affirms that, additionally, CPC is the beneficiary of the consents
granted, where appropriate, by customers to CaixaBank. It states that the collection of
Consents in the CaixaBank branches are carried out by interacting with the
own client with the device that the employee gives him (Tablet), pointing
your preferences in relation to data processing.
In the screen printing that he incorporates in his writing, it is appreciated that
request various authorizations for each of which there is the option of
mark yes or no in their respective box. The authorizations refer, as in the
previous cases:
- To the use of the data for study and profiling purposes,
clarifying that if the offers sent to you are authorized, they will be
adapted to the profile of the interested party.
- To receive advertising and commercial offers. At this point it is also allowed
choose the channels to receive advertising by checking the respective box.
- To transfer the data to third parties with whom the Caixabank group has
agreements.
- To the use of biometric data in order to verify my identity and
firm.
6. Regarding the procedure followed to comply with the duty of
information to the interested party (articles 13 and 14 of the RGPD) it is stated that “Attached,
as ANNEX DOCUMENT No. 12, a copy of the general conditions provided
to the interested party in the framework of the contracting of a product and in which it is informed
of the provisions of article 13; not resulting from application, therefore, what was foreseen
in article 14 of the RGPD. "
The document contained in annex 12 called "CONDITIONS
GENERAL APPLICATION-CREDIT AGREEMENT ”contains various
sections, referring section number 26 to the “Treatment of data from
personal character based on the execution of contracts, legal obligations and
legitimate interest and privacy policy ”. This point is structured in turn in 10
sections. The following information is included in points 26.1 and 26.4
"26.1 Processing of personal data in order to manage
Commercial Relations.
The personal data of the Holder, both those that he himself provides, as well as
those derived from commercial, business and contractual relationships
that are established between the Holder and CaixaBank Payments & Consumer either in
the commercialization of its own products and services, either in its capacity as
mediator in the commercialization of third-party products and services (in
hereinafter all referred to as Commercial Relations), or the
Commercial Relations of CaixaBank Payments & Consumer and the companies
of the CaixaBank Group with third parties and those made from them,
will be incorporated into files owned by CaixaBank Payments & Consumer and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 82/133
the CaixaBank Group companies that are holders of the Commercial Relations,
to be treated in order to comply with and maintain them,
verify the correctness of the operation and the commercial purposes that the Holder
accept in this contract.
These treatments include the digitization and registration of documents
identification and signature of the Holder, and their making available to the internal network
of CaixaBank Payments & Consumer, to verify the identity of the
Owner in the management of their Commercial Relations.
The treatments indicated, except those for commercial purposes whose
Acceptance is voluntary for the Holder, they are necessary for the
establishment and maintenance of Commercial Relations, and
They will necessarily be understood as valid while said Relationships
Commercials continue in force. Consequently, at the time of
cancellation by the Holder of all Commercial Relations with CaixaBank
Payments & Consumer and / or with the CaixaBank Group companies, the
aforementioned data processing will cease, your data will be canceled
in accordance with the provisions of the applicable regulations, keeping them
CaixaBank duly limited its use until the
actions derived from it. "
"26.4. Treatment and transfer of data for commercial purposes by
CaixaBank and the CaixaBank Group companies based on the
consent.
In the Particular Conditions of this contract it will be collected, under the heading
authorizations for data processing, the authorizations that you
grant or revoke us in relation to:
(i) Data analysis and study treatments for commercial purposes by
CaixaBank Payments & Consumer and companies of the CaixaBank Group.
(ii) The treatments for the commercial offer of products and services by
CaixaBank Payments & Consumer and the companies of the CaixaBank Group.
(iii) The transfer of data to third parties.
In order to put at your disposal a global offer of products and
services, your authorization to (i) data analysis and study treatments, and
(ii) for the commercial offer of products and services, if granted,
It will include CaixaBank Payments & Consumer and the Group companies
CaixaBank detailed in www.caixabank.es/empresasgrupo (the “companies of the
Grupo CaixaBank ”) who may share and use them for the purposes
indicated.
The detail of the uses of the data that will be carried out in accordance with their
authorizations is as follows:
(i) Detail of the analysis, study and monitoring treatments for the offer
and design of products and services tailored to the customer profile. Granting your
consent to the purposes detailed here, you authorize us to:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 83/133
a) Proactively carry out risk analysis and apply on your data
statistical and customer segmentation techniques, with a triple purpose:
1) Study products or services that can be adjusted to your
profile and specific business or credit situation, all to
make commercial offers tailored to your needs and
preferences,
2) Track the products and services contracted,
3) Adjust recovery measures on defaults and incidents
derived from the products and services contracted.
a) Associate your data with those of other clients or companies with which you have
some type of bond, both family or social, as well as their property relationship
and administration, in order to analyze possible interdependencies
economic in the study of service offers, risk requests and
contracting of products.
b) Carry out studies and automatic controls of fraud, defaults and incidents
derived from the products and services contracted.
c) Conduct satisfaction surveys by telephone or electronic channel
with the aim of evaluating the services received.
d) Design new products or services, or improve the design and usability of
existing, as well as define or improve user experiences in their
relationship with CaixaBank Payments & Consumer and the Group companies
CaixaBank.
The treatments indicated in this point (i) may be carried out in a
automated and entail the elaboration of profiles, with the purposes already
indicated. For this purpose, we inform you of your right to obtain the
human intervention in the treatments, to express their point of view, to
get an explanation about the treatment decision
automated, and to challenge said decision.
(ii) Details of the treatments for the commercial offer of products and services
of CaixaBank Payments & Consumer and the companies of the CaixaBank Group.
By granting your consent to the purposes detailed here, you
authorizes:
Send commercial communications both on paper and by means
electronic or telematic, related to the products and services that, in each
moment: a) commercializes CaixaBank Payments & Consumer or any of
the CaixaBank Group companies b) sell other companies
owned by CaixaBank Payments & Consumer and third parties whose
activities are included between banking, investment services and
insurer, shareholding, venture capital, real estate, road, de
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 84/133
sale and distribution of goods and services, consulting services, leisure and
charitable-social.
The Holder may choose at any time the different channels or media by
those who wish or not to receive the indicated commercial communications through
of your internet banking, through the exercise of your rights, or through your
management in the CaixaBank branch network.
The data that will be processed for the purposes of (i) data analysis and study,
and (ii) for the commercial offer of products and services, they will be:
a) All those provided in the establishment or maintenance of
commercial or business relationships.
b) All those generated in the contracting and operations of
products and services with CaixaBank Payments & Consumer, with
CaixaBank Group companies or with third parties, such as,
account or card movements, direct debit details,
direct debits of payroll, claims derived from insurance policies
insurance, claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies
of the CaixaBank Group obtain from the provision of services to
third parties, when the service is intended for the Owner, such
such as the management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder as stated in the
records of this, or of the entities that according to the
regulations governing the securities market must carry the
records of the values represented by annotations in
bill.
e) Those obtained from the social networks that the Owner authorizes
Consult.
f) Those obtained from third parties as a result of requests
of data aggregation requested by the Holder.
g) Those obtained from the Owner's navigations through the service of the
CaixaBank Payments & Consumer website and other websites of this and / or
CaixaBank Group companies or mobile phone application
of CaixaBank Payments & Consumer and / or of the Group companies
CaixaBank, in which it operates properly identified. These dates
they can include information related to geolocation.
h) Those obtained from chats, walls, videoconferences or any other
means of communication established between the parties.
The data of the Holder may be supplemented and enriched by data
obtained from companies that provide commercial information, by data
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 85/133
obtained from public sources, as well as statistical data,
socioeconomic (hereinafter, "Additional Information") always verifying
that they comply with the requirements established in the current regulations
on data protection. "
7. In the information provided by CaixaBank Payments & Consumer, E.F.C.,
E.P., S.A. it is stated that “the number of interested parties (clients) whose data
were treated in the development of the profiling activity associated with the
Proactive Scoring activity for commercial purposes amounts to (…). "
FOURTH: The information provided contains the following regarding the third
activity carried out called "Analysis and selection of target audience":
"1. Regarding the definition of the logic applied in the profiling and the
anticipated consequences of said treatment for the interested party, states that “The
treatment activity called Commercial Profiling responds to the
CPC's need to analyze, select and extract, prior to its impact
commercial, the target audience to which commercial communications will be directed
associated with a potential campaign.
For this purpose, CPC selects and extracts the information of the clients to whom
Potentially they will be sent the commercial communications of the campaign in
question.
For this, personal data from internal CPC sources are processed
(Host, DataPool and DataWareHouse) of those of their clients who have authorized
expressly commercial profiling treatment and subsequently have not
revoked. About the aforementioned repositories (Host, DataPool and DataWareHouse),
a list of clients is taken based on the result obtained once carried out
carry out the treatment based on the client's consent, detailed in the section
above (“II. Analysis of the repayment capacity or risk of non-payment for the
management of credit risk granted to customers ”) and on said list of
clients, selection filters are applied based on identifying data such as
age ranges, language of communication, sex, location or address, with the
objective of proceeding with the extraction of the target audience to which the
Bell. Ultimately, the system generates a file with the selection of the
Target audience that meets the conditions set once the filters have been applied.
It should be noted, however, that the selection criteria that, in essence,
they constitute the logic applied to profiling, they do not become standardized parameters
rather, they are segments that vary and are adjusted to the needs of the
Product or characteristics associated with the commercial or promotional initiative
of which its launch is intended, as well as the type or volume of the
data that CAIXABANK PAYMENTS & CONSUMER has regarding
each of the interested parties.
For its part, the consequence that the profiling activity carried out by
CAIXABANK PAYMENTS & CONSUMER generates on the client, it remains
circumscribed to the fact that it will, or not, become part of a list that may
potentially be employed in the framework of a commercial campaign. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 86/133
2. Regarding the description of the purpose of the treatment and detail of the base of
legitimation of article 6.1 of the RGPD on which it is based, states that
"CAIXABANK PAYMENTS & CONSUMER treats the personal data of
the interested parties associated with the Commercial Profiling activity in order to
know if they meet the necessary conditions for their inclusion in
a potential commercial campaign and improve the impact of your campaigns
commercial. In short, although expressed in different terms, the process of
profiling linked to this treatment activity is carried out with the aim of
generate the list with the target audience that, in subsequent moments, may be
exploited to impact customers through content communications
commercial. For its part, regarding the qualifying title, it is the one provided for in art. 6.1.a)
of the RGPD (consent).
3. Regarding the procedure followed to comply with the duty of information to the
interested party (articles 13 and 14 of the RGPD) and the means used for the collection
of consent when the treatment activity is covered by the article
6.1.a of the RGPD, refers to what is stated in the treatment activity “Analysis of the
repayment capacity or default risk for credit risk management
granted to clients ”in which reference was made to annexed document nº12.
4. Regarding the categories of interested parties and personal data object of
treatment states the following:
“The category of interested parties that are the object of the treatment called Profiling
Commercial is that of clients with a current contract with CPC. The category of
Potential clients are in no case the object of this treatment activity "
"The personal data subject to treatment are the following:
- Identifiers: customer identifier, NIF / NIE / Passport, name and surname,
date of birth, gender, postal address, email, telephone (landline or
mobile) and communication language.
Financial: products and services contracted and condition of
owner / beneficiary / attorney-in-fact and the label resulting from the treatment described in the
previous section II). "
5. Regarding the origin of the personal data being processed (with
indication of the basis of legitimation that sustains, states that “The origin of the
personal data subject to treatment is the interested party and the
internal sources of CAIXABANK PAYMENTS & CONSUMER, already described
in point 1 of this section (III. Treatment: "Commercial Profiling"), as well as
the labels detailed in the previous section (Analysis of the capacity of
return or default risk for the management of credit risk granted to
customers). In this case, the basis of legitimation is the consent of the interested party.
(art. 6.1.a RGPD). "
6. Regarding the number of interested parties whose personal data have been processed
in the development of the profiling activity by category (client, potential client)
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 87/133
and year (2018 and 2019), points out that “First of all, it must be indicated that the numbers
reflected below refer only to the category of
clients, since this profiling activity does not process data from
potential clients, in accordance with the provisions of point b) of the
Preliminary Considerations. (…). "
FIFTH: It consists of the information obtained on the volume of sales of the
entity that the result of the turnover during the year 2019 is
€ 872,976,000. The share capital amounts to € 135,155,574
SIXTH: It appears in the file that CAIXABANK PAYMENTS & CONSUMER
EFC, EP, S.A.U. has modified the privacy policy on its website.
It is established that point 6 of said privacy policy under the title "What
treatments we carry out with your data ”, indicates the following:
"The treatments that we will carry out with your data are diverse, and respond to
different purposes and legal bases:
> Treatments based on consent
> Necessary treatments for the execution of the Contractual Relations
> Necessary treatments to comply with regulatory obligations
> Treatments based on the legitimate interest of CaixaBank Payments &
Consumer "
Section 6.1 of said privacy policy contemplates the following treatments
based on consent:
A. Analysis of your data for the elaboration of profiles that help us to
offer you products that we think may interest you.
B. Commercial offer of products and services through the selected channels.
C. Transfer of data to companies that are not part of the CaixaBank Group.
D. Identification of clients and signature of documentation through the use of biometrics.
In point 6.1 of the aforementioned privacy policy, the following is stated:
"TREATMENTS BASED ON CONSENT.
These treatments are legally based on your consent, as established in the
art. 6.1.a) of the RGPD.
We may have requested that consent through different channels, for example,
through our electronic channels or in any of the Group companies
CaixaBank. If for any reason, we have never asked for your
consent, these treatments will not apply to you.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 88/133
You can check the authorizations that you have consented to or denied us, and
modify your decision at any time and for free on the website of
CaixaBank Payments & Consumer (www.caixabankpc.com) and in each of the
CaixaBank Group companies, or in their private area of the website or mobile applications of
CaixaBank Payments & Consumer and at the CaixaBank offices.
The treatments based on your consent are indicated below ordered from the
(A) to (D). We will indicate for each of them: the description of the purpose (Purpose),
whether or not they are treatments carried out under a co-responsibility regime with other companies
of the CaixaBank Group (Joint Controllers / Data Controller), and the categories of
data used (Categories of data processed). "
Below is the following information regarding the content in letter A.
“Analysis of your data for the elaboration of profiles that help us to
offer you products that we think may interest you "
Purpose: The purpose of this data processing is to use the categories of
data that we indicate below, to create profiles that allow us
identify you with customer segments with similar characteristics to yours and
suggest products and services that we think may interest you, as well as
establish the periodicity with which we interact with you.
Through this treatment we will analyze your data to try to deduce your
preferences or needs and thus be able to make commercial offers that we create
that may be of more interest than generic offers.
When the offers that we want to transmit to you consist of products that involve
payment of installments or financing, we will carry out a pre-assessment of solvency
to calculate the appropriate credit limit to offer you, in accordance with the
principles of responsibility in the offer of financing products required by
the Bank of Spain.
It is important that you know that this treatment, including the pre-evaluation of
solvency in products with risk, is limited to the indicated purpose of suggesting
products and services that we believe may be of interest to you, and are not used, in
no case, for denial of any product or service or credit limit.
You always have at your disposal our complete catalog of products and
services, and this treatment does not prejudge, limit or condition your access to
themselves, which, if requested, will be evaluated with you in accordance with
the ordinary procedures of CaixaBank Payments & Consumer.
We will only carry out this treatment of your data if you have given us your
consent to it. Your consent will remain in effect for as long as
you do not remove it.
If you cancel all your products or services with the Group companies
CaixaBank, but you forget to withdraw your consent, we will
automatically.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 89/133
Categories of data processed: The categories of data that we will process for this
purpose, whose content is detailed in section 5, are:
> data that you have provided us
> data observed in the maintenance of products and services, with
sensitive data exception
> data inferred or deduced by CaixaBank Payments & Consumer.
> data that you have not provided us directly.
Co-responsible for the treatment: The treatment of your data of the categories
indicated, with the purpose of analysis for the elaboration of profiles that we
help to offer you products that we think you may be interested in, they do it in
co-responsibility regime the following companies of the CaixaBank Group:
> CaixaBank, S.A.
> CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U.
> CaixaBank Electronic Money, EDE, S.L.
> VidaCaixa, S.A.U., insurance and reinsurance
> Nuevo Micro Bank, S.A.U.
> CaixaBank Equipment Finance, S.A.U.
> Promo Caixa, S.A.U,
> Comercia Global Payments, E.P. S.L.
> Buildingcenter, S.A.U.
> Imagintech S.A.
You will find the list of companies that process your data, as well as the aspects
essential of the treatment agreements in co-responsibility in:
www.caixabank.es/empresasgrupo. "
It is clear that the information provided regarding joint responsibility
accessing said link is the following:
“In order to carry out the treatments indicated below, CaixaBank and
The CaixaBank Group companies will process your data jointly, deciding
jointly the objectives (“what is the data used for”) and the means
used ("how the data is used") being, therefore, jointly responsible for those
treatments (Co-Responsible Entities).
The treatments for which CaixaBank and the companies of the CaixaBank Group
will process your data together, they are the following (you can see the detail of the
Caixabank Group companies that make up the perimeter of each of the
treatments that are carried out in co-responsibility by clicking on each of the
following links):
Carry out the commercial activities of: (i) analysis of your personal data
for the elaboration of profiles that help us to offer you products that
We think they may interest you; (ii) commercial offer of products and services
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 90/133
through the selected channels, and (iii) transfer of data to companies that do not
they are part of the CaixaBank Group;
Comply with the following regulations applicable to Group companies
CaixaBank: (i) the regulations on the prevention of money laundering and
financing of terrorism; (ii) regulations on tax matters; (iii) the
Obligations derived from the policies of sanctions and countermeasures
international financial institutions, as well as (iv) concession obligations and
management of credit operations and the consultation and communication of risks to the
Risk Information Center of the Bank of Spain (CIRBE).
Carry out the analysis of the solvency and repayment capacity of the
applicants for products that involve financing.
In accordance with the provisions of the applicable regulations, the Entities
Co-responsible parties have signed a co-responsibility agreement for
certain treatments, the essential elements of which are the following:
(i) That, for certain treatments identified in the Privacy Policy,
The Co-Responsible Entities will act in a coordinated or joint manner.
(ii) That they have proceeded to determine the security, technical and
organizational, appropriate to ensure a level of security appropriate to the risk
inherent to the processing of personal data that is the object of joint responsibility.
(iii) That they have a single window mechanism for the exercise of the
rights of the interested parties, assuming the commitment of the duty of collaboration
and assistance in those cases where it is appropriate.
(iv) That they comply with the obligation to respect the duty of secrecy and keep the due
confidentiality of personal data that are processed within the framework of the
reported data processing activities.
(v) Regardless of the terms of the joint responsibility agreement, the
Interested parties may exercise their rights in terms of data protection against
to each of those responsible. "
It is established that point 5 of the privacy policy, entitled categories of data,
reports the following:
"5. Data categories
At CaixaBank Payments & Consumer we will process different personal data
to be able to manage the Contractual Relationships that you establish with us,
to carry out the rest of the data processing that derives from your condition
client and, if you have given us your consent, to also carry out the treatment
of your data for the activities detailed in section 6.1.
To facilitate your understanding, we have arranged the data that we process in the
categories that we detail below.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 91/133
Not all categories of data that we detail are used for all
data processing. In section 6, where we detail the treatments of
data that we carry out, you can consult specifically for each treatment
specify the categories of data that are used, thus counting on the information
necessary to allow you to exercise, if you wish, your rights recognized by the
RGPD, especially those of opposition and revocation of consent.
The categories of data used by the different treatments exposed in the
Section 6 are as follows:
> Data that you have provided us when registering your contracts or during your
relationship with us. These data are:
identification and contact data: your identification document, name and
surname, gender, postal, telephone and electronic contact information,
residence address, nationality and date of birth, and language of
communication.
Socio-economic data: detail of professional or work activity, income or
salaries, family unit or circle, educational level, assets, data
fiscal and tax data.
financial data: products and services contracted, relationship with the product
(condition of owner, authorized or representative), MiFID category.
biometric data: facial pattern, voice biometrics or fingerprint pattern.
> Data observed in the maintenance of products and services. These dates
are:
financial data: the information of the notes and movements that are made
in current accounts, including the type of operation, the issuer, the amount, and
the concept, information on investments made and their evolution,
information on financing, statements of operations with credit cards
debit and credit, contracted products and payment history.
It is important that you know that we will not process data observed in maintenance
of the products and services that may contain information that reveals their origin
ethnic or racial, your political views, your religious or philosophical convictions, your
union membership, the processing of genetic data, biometric data aimed at
uniquely identify you, data related to health or data related to your
life or sexual orientation ("Sensitive Data").
whether or not you are a CaixaBank shareholder.
digital data: the data obtained from the communications that we have
established between you and us in chats, walls, videoconferences,
telephone calls or equivalent means and the data obtained from their
navigating our web pages or mobile applications and the
navigation that you carry out in them (device ID, advertising ID, address
IP and browsing history), in the event that you have accepted the use of
cookies and similar technologies on your browsing devices.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 92/133
geographic data: the geolocation data of your mobile device
provided by the installation and / or use of our mobile applications,
when you have authorized it in the configuration of the application itself.
> Data inferred or deduced by CaixaBank Payments & Consumer from the analysis and
treatment of the rest of the data categories. These data are:
groupings of customers into categories and segments based on their age,
equity and estimated income, operations, consumption habits, preferences or
propensities to purchase products, demographics and relationship with others
clients or categorization according to the regulations on Instrument Markets
Financial ("MiFID").
scoring scores that assign probabilities of payment or non-payment or
risk limits.
> Data that you have not provided us directly, obtained from sources
accessible to the public, public records or external sources. These data are:
data on financial solvency and credit obtained from the Asnef files and
Badexcug.
data on risks maintained in the financial system obtained from the database
of data from the Risk Information Center of the Bank of Spain
(CIRBE).
data of persons or entities that are included in laws, regulations,
guidelines, resolutions, programs or restrictive measures regarding
international economic-financial sanctions imposed by the Nations
United States, the European Union, the Kingdom of Spain, the United Kingdom and / or the U. S.
Department of the Treasury’s Office of Foreign Assets Control (OFAC).
cadastral or statistical data obtained from companies that facilitate studies
Socioeconomic and demographic statistics associated with geographic areas or
ZIP codes, not specific people.
digital data obtained from your browsing through third-party web pages (ID
device, advertising ID, IP address, browsing history), in the case of
that you have accepted the use of cookies and similar technologies in your
navigation devices.
data from social networks or the internet, that you have made public or that we
authorize to consult. "
CaixaBank Payments & Consumer, E.F.C., E.P., S.A.U. states that the date of
publication of the new privacy policy is on January 18, 2021 and that said
privacy policy replaces the previous one, which had been in force since 21
July 2019 through January 17, 2021.
SEVENTH; It also affirms in its response to the request of
information made during the test period that the information is provided
provided to carry out treatments for commercial purposes, previously
provided in the response to the Request for information received on June 6,
February 2020. It also states that “Although they have been planned, they have not yet
made modifications to the aforementioned information since its contribution in the
response to the Request for information, pending the resolution of the request
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 93/133
of application of precautionary measures related to the Penalty Procedure to
CAIXABANK, which could affect the modifications of the aforementioned
documentation, planned at this time. "
It is established that said information is provided in the document called CONDITIONS
GENERAL OF THE APPLICATION-CREDIT AGREEMENT, in which header
The entity CaixaBank Payments & Consumer appears and the date April 10, 2020.
The content of said document coincides with the one sent after the request of the
Data Inspection carried out on February 6, 2020 as annex 12.
This document is structured in various sections, of which number 26
contemplates in different sections various aspects of data processing such
such as the different treatments according to their basis of legitimacy, the exercise of rights
by the interested parties or the period of conservation of the data among others
issues. Thus, section 26.1 refers to the Processing of character data
personnel in order to manage Business Relationships; section 26.3 a
processing of personal data for regulatory purposes, this
This section in turn is divided into various subsections such as those relating to
Treatments for the adoption of due diligence measures in the prevention of
money laundering and financing of terrorism (26.3.1), treatment for the
compliance with the sanctions management policy and financial countermeasures
International (26.3.2), communication with credit information systems (26.3.3.),
communication of data to the Risk Information Center of the Bank of Spain
(26.3.4), etc. Section 26.4 refers to the Treatment and transfer of data with
commercial purposes by CaixaBank and the companies of the CaixaBank Group based
in consent. Sections 26.1 and 26.4 are transcribed in point
6 of the third proven fact.
EIGHTH: It appears that it is attached to the brief in response to the request for
information made during the trial period a document called
Framework Agreement whose heading appears “CaixaBank”, and in which section 4.1
indicates that "the person responsible for the processing of your personal data in their relationships
contractual and business is CaixaBank, S.A. with NIF A08663619 and address at
Pintor Sorolla street, 2-4 Valencia. Adding the following:
“Co-responsible for treatment: In addition, for certain treatments that are
report in detail in the aforementioned policy, CaixaBank and the companies of the Group
CaixaBank will jointly process your data, jointly deciding the
objectives (“what the data is used for”) and the means used (“how data are used
data ”) being, therefore, jointly responsible for these treatments. Treatments for
which CaixaBank and the CaixaBank Group companies will treat jointly
your data is as follows:> carry out the commercial activities of: (i) analysis of
your personal data for the elaboration of profiles that help us to offer you
products that we think may interest you; (ii) commercial offer of products and
services through the selected channels, and (iii) transfer of data to companies that do not
they are part of the CaixaBank Group; (…)
You will find the list of companies that process your data, as well as the aspects
essential of the treatment agreements in co-responsibility in:
www.caixabank.es/empresasgrupo. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 94/133
On the point. 4.5 of said document under the title "What treatments do we carry out with
your data, indicates regarding the treatments based on consent the
following purposes:
“- Analysis of your data for the elaboration of profiles that help us to offer you
products that we think may interest you.
- Make our commercial offer of products and services available to you through
selected channels.
- Transfer of data to companies that are not part of the CaixaBank Group so that they can
make commercial offers of products they sell.
- Identification of clients and signature of documentation through the use of biometrics.
- Application of personal conditions in jointly owned contracts. "
This document is not dated. It is stated in the reply to the
information request made during the trial period that has been
included among the documentation sent “the information provided to the
interested parties to obtain their consent to carry out treatments
for commercial purposes, when consent is collected from the banking channel
(CAIXABANK). This documentation, previously provided in the course of the
Sanctioning Procedure to CAIXABANK, was modified in March 2021, in the
framework of the aforementioned actions aimed at the implementation of the new policy
Of privacy."
NINTH: It is established that during the trial period the following
documents:
Screenshots in which the consent of the clients is obtained:
A screenshot on the prescribing channel, which exactly matches the
the one described for said channel in point 5 of the third proven fact of the
present motion for a resolution.
Screenshot of new client office registration (face-to-face onboarding, in the
which states the following: “delivers the tablet to the client so that he can fill out
himself the consents ”and screenshots added to the new client Portal
Web (digital onboarding). In both modalities, information is provided
basic for the client on the processing of personal data indicating that the
responsible for the treatment is: “Caixabank, with NIF A08663619 and address at
Pintor Sorolla street, 2-4 Valencia. Co-responsible for the treatment “For
certain activities Caixabank, S.A. and the Group companies
Caixabank will process your data together. You will find the list of
companies that process your data, as well as the essential aspects of the
treatment agreements in co-responsibility in
www.caixabank.es/empresasgrupo. "
Regarding consents, it is indicated in both modalities that
“You authorize the companies of the CaixaBank group to:
Analyze your data to create profiles to help us offer you
products that we think may interest you. If we have your consent,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 95/133
we will configure or design an offer of adjusted products and services
to your characteristics as a client, by analyzing your data and
profiling with your information. "
Below are two boxes in which you can check yes or no. On
other sections consent is requested to communicate the commercial offer
of products and services through the channels that are selected and to transfer the data
to companies that are not part of the Caixabank Group with which they have
agreements.
Regarding the analysis treatments for profiling, it is provided
also in both modalities the following information: These treatments
have your consent as a legal basis, as established in article
6.1.a of the General Data Protection Regulation. It is reiterated to
below the information offered in the privacy policy related to this
type of treatments regarding the purpose, categories of data processed and
joint controllers of the treatment. However, when it comes to data
treaties indicates: "the categories of data that we will treat for this purpose
whose content is detailed in section 5 of our Privacy Policy
(www.Caixabank.es/privacy policy) are: data that you will give us
provided, data observed in the maintenance of products and services
With the exception of sensitive data, data inferred or deduced by Caixabank,
data that you have not provided us directly. " It does not appear in any of
the screens the description of this data.
Co-responsibility agreement.
Said Agreement is neither dated nor signed. Number 4 of said agreement,
Regarding the duration, it states that “This Agreement shall enter into force on the date
of your signature and will remain in force indefinitely, without prejudice to the review
and necessary modifications of its terms and content for its adaptation in its
case, to the current regulations that are applicable at all times ... "
This agreement contains the following definition: “Co-responsible for the Treatment or
Co-responsible: Means those responsible who jointly determine the
objectives, purposes and means of the Treatment detailed in Annex 1. " At
The aforementioned annex mentions the following treatments that are the object of co-responsibility
regarding "commercial activities":
a) analysis of personal data for the elaboration of profiles that we
help to offer products that we think may be of interest to the customer F
Purpose: The purpose of this data processing is to use the categories of
data indicated in the CaixaBank Privacy Policy
(www.caixabank.com/politicaprivacidad) to create profiles that allow
Co-responsible identify the customer with customer segments of similar
characteristics to be able to offer you products and services that may interest you,
as well as, to establish the periodicity with which the Joint Controllers
relate to him.
Legitimating base: The legitimizing base of this treatment is consent
granted by the interested parties.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 96/133
b) Commercial offer of products and services through the selected channels.
Purpose: The purpose of this data processing is to make available to the
client communications of commercial offers related to products and services
own or third parties marketed by CaixaBank and / or the Group's entities
CaixaBank. These communications will only be sent to the client by the
channels that it has previously authorized us to give its consent.
Legitimating base: The legitimizing base of this treatment is consent
granted by the interested parties.
c) transfer of data to entities that are not part of the CaixaBank Group
Purpose: The purpose of this treatment is to transfer the data of the interested parties to
entities that are not part of the CaixaBank Group with which the
Co-responsible parties have agreements, with the purpose that they make them
commercial offers of the products they sell.
Legitimating base: The legitimizing base of this treatment is consent
granted by the interested parties. "
Then list the co-managers who would be the following:
CAIXABANK, S.A
CAIXABANK PAYMENTS & CONSUMER, E.F.C., E.P., S.A.U.
CAIXABANK ELECTRONIC MONEY, EDE, S.L
VIDACAIXA, S.A.U., DE SEGUROS Y REINSUROS
NUEVO MICRO BANK, S.A.U
CAIXABANK EQUIPMENT FINANCE, S.A.U
PROMO CAIXA, S.A.U.
COMERCIA GLOBAL PAYMENTS, E.P. S.L.
BUILDINGCENTER, S.A.U.
IMAGINTECH, S.A.
In successive annexes other treatments subject to
co-responsibility, whose legitimizing basis is in compliance with
legal obligations or the execution of contractual relationships.
Contract signed with the entity *** EMPRESA.3 for the risk score activity.
As indicated in said contract, dated June 2, 2020, the
contract signed on May 2, 2017, extended in turn on May 2,
May 2019 to incorporate the services outlined in Annex I (which are not
Attached). CAIXABANK and CAIXABANK PAYMENTS are parties to said contract
& CONSUMER and the entities (…), designating the latter two
jointly as a SUPPLIER.
This document contains two clauses:
The first clause of said contract relating to the modifying novation does not
extinction of clause 15 of the contract, replaces the aforementioned clause with effect
retroactive to May 25, 2018, with new elements related to the person in charge
treatment, in order to adapt the risk score services to the obligations
regulations contained in the LOPDGDD and the RGPD.
In the second of the clauses, it is agreed to incorporate annex I (annex of
services) a clause relating to specific aspects of the data processing of
personal nature of the risk score service. Said clause refers to the
description of the treatment, indicating that for the sole purposes of providing the
CAIXABANK AND CAIXABANK PAYMENTS & CONSUMER “risk score” service
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 97/133
make the following information available to the provider "(...)." They are drawn to
then the following treatments by the provider: exploitation,
consultation and destruction; the type of data (DNI (NIE / Passport) and categories
of affected stakeholders (clients, non-client participants). Refering to
purpose of the treatment it is indicated that the provider will use the data of character
personal object of treatment solely and exclusively for the fulfillment of the
ANNEX I, not being able to use them, in any case, for their own purposes. Said annex
not attached.
TENTH: In the written reply to the request for information made
During the trial period it is stated that the Group's turnover or
CAIXABANK as of December 31, 2020 is estimated at twelve thousand one hundred seventy-two
millions of euros.
FOUNDATIONS OF LAW
I
By virtue of the powers that article 58.2 of Regulation (EU) 2016/679,
of the European Parliament and of the Council, of 04/27/2016, regarding the Protection of
Individuals with regard to the Processing of Personal and Free Data
Circulation of this Data (General Data Protection Regulation, hereinafter
RGPD) recognizes each Control Authority, and as established in the articles
47, 48, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of
Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the
Director of the Spanish Data Protection Agency is competent to initiate and
solve this procedure.
Article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations dictated in their development and, as long as they do not contradict them, in a
subsidiary, by the general rules on administrative procedures. "
II
Beforehand, it is considered convenient to analyze the allegations made by
CAIXABANK PAYMENTS & CONSUMER, E.F.C., E.P., S.A.U. (hereinafter CPC) at
basis on which it requests the declaration of nullity of the proceedings.
1. The first one alleges insufficient motivation for the initiation agreement.
It is alleged by CPC that there is no direct connection between the content of the claim
inadmissible and the beginning of previous actions.
This Agency cannot share such allegation, the connection between a
claim in which a consultation treatment is alleged to a system of
credit information and a commercial offer of a product, for which it has been
carry out a profiling, all without consent of the claimant, and the initiation of
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 98/133
Investigation actions of the AEPD on the procedures for obtaining the
consent to profiling procedures carried out by CPC when
that constitutes the legal basis that legitimizes said treatments.
Regarding the fact that relevant information for the defense has been omitted, since in the
initiation agreement, no reference was made to the fact that the interested party filed an appeal
of replacement to the inadmissibility of his claim and that it was upheld by the
AEPD, it should be noted that in the initiation agreement no reference was made to such fact,
that the relevance given by CPC is not attributed, since the resolution itself
of inadmissibility of the claim, of which communication is given to the defendant, warns
that without prejudice to this result “the Agency, applying the powers of investigation and
corrective measures that it holds, can carry out subsequent actions related to the
data processing referred to in the claim ”.
Notwithstanding the foregoing, said information was included in the proposed resolution
for greater clarity of the antecedents that led to the initiation of proceedings
research, so that CPC has been aware of it in the framework
of the procedure being able to allege how much it has considered convenient.
2. The second refers to the alleged breach of article 55.1 of the
LPACAP, in connection with article 53 of the LOPDGDD, considering that the
inspection of data has been exceeded, without this being its function, by expanding the scope
of the preliminary investigation actions defined by the head of the body
administrative. This allegation is based on the fact that the scope of the investigation
determined by the Director of the AEPD refers to clients, while the written
for which information is required from CPC refers to "potential customers". It states
CPC that although the Agency acknowledges that there has been a transcription error and that
there are no such treatments, the fact that there are no such treatments does not decrease the
initially raised excess, since although he does not know what would have happened if
such treatments would have existed, “it is reasonable to think that the research
carried out outside the scope specified by the Director of the AEPD "
Again this Agency cannot share such reasoning. This Agency has
acknowledged in the motion for a resolution that there has been an error in
transcription in the requirement of the Subdirectorate of Inspection by which
requested information from CPC, by referring not only to clients, but also
also to "potential clients". However, no action has been taken on
data processing not included in the scope of research set by the Director
of the AEPD, the CPC itself has stated, in the information provided on the occasion of
such requirement, that such treatments are not carried out with "potential clients" and
consequently, it has not provided any information in this regard. On the other hand,
CPC's claim that although it does not know what would have happened if such treatments
would have existed, but “it is reasonable to think that the investigation would have been carried out
out of the scope specified by the Director ”, lacks the most absolute
basis. In the opinion of this Agency, in no way can it be admitted that a
unfounded assumption constitutes a cause for annulment of the procedure.
3. The third of the allegations refers to an alleged violation of the
non bis in idem principle, considering that the same collection of consents
for the elaboration of profiles was investigated and sanctioned in the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 99/133
sanctioning procedure against CAIXABANK, S.A, number PS / 00477/2019.
Understand that there is identity of subject, fact and foundation, since CPC forms
part of the CaixaBank group, which means that many treatments are carried out in
co-responsibility regime, in particular treatment based on the
consent, described as "Analysis of your data for profiling
to help us offer you products that we think may interest you ”, which
appears in letter 6.1.A of the privacy policy of Caixabank, S.A.
This Agency cannot accept such an allegation either. The resolution of PS / 00477/2019,
limits its action to certain actions of the entity CAIXABANK, S.A.,
expressly excluding "the action that may be carried out by companies that
make up the so-called “CaixaBank Group” for compliance with the principle of
transparency or the specific procedures that have been enabled to collect the
consent of their clients for the processing of personal data that they carry or
intend to carry out, or in relation to the other aspects outlined. "
To this must be added that the co-responsibility regime referred to
not only is it not accredited but, in the opinion of this Agency, it is not even
admissible its existence in the present case, as will be seen later. In this
In this sense, it cannot be accepted that the Agency has reversed the burden of proof as
CPC alleges, it is CPC who affirms the existence of joint responsibility to exonerate itself
of her responsibility, and therefore it is up to her to accredit her
existence.
On the other hand, even in the event that there was co-responsibility in the
treatment, which in the opinion of this Agency does not happen in the present case such and
As indicated in the previous paragraph, the sanction for each of those responsible for the
It itself would not imply an infringement of the principle non bis in idem. The regime of
Stewardship does not determine that all liability applies to a single
subject, but each co-controller will be responsible for the part of the treatment that carries
finished. In this sense, the provisions of the CJEU in the
Judgment of June 5, 2018, in case C-210/16. (Wirtschaftsakademie)
“… The existence of a joint responsibility does not necessarily translate into
an equivalent responsibility of the various agents involved in a
processing of personal data. On the contrary, these agents may present a
involvement in different stages of that treatment and to different degrees, so that
the level of responsibility of each of them must be evaluated taking into account
all the pertinent circumstances of the specific case. "
4. Fourth, an arbitrary action by the AEPD is alleged, proscribed by the
Article 9.3 of the Spanish Constitution. CPC affirms that it is a performance
arbitrary that does not objectively pursue the general interest, also evidencing a
discriminatory treatment with other companies.
It states that CAIXABANK, S.A. shared with the AEPD aspects for which it is now
intends to sanction CPC, requesting a meeting or contacts in order to obtain and
adopt criteria and recommendations that the AEPD would have liked to transfer to the
In this regard, efforts that were unsuccessful despite the insistence of
CAIXABANK, S.A., For which it understands that this group adopted a diligent attitude and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 100/133
preventive, the effect being that the AEPD has adopted an exclusively
punitive with the CAIXABANK group.
Such allegations are not admissible. The GDPR introduces the principle of
proactive responsibility as a fundamental element of compliance with its
provisions, with said obligation incumbent on the person in charge. As established by the
Article 24 of said rule, corresponds to the data controller to apply the
appropriate technical and organizational measures in order to guarantee that the treatment is
in accordance with the RGPD, or, in the terms of recital 74 of the same standard:
“In particular, the person responsible must be obliged to apply appropriate measures and
effective and must be able to demonstrate compliance of treatment activities with
this Regulation, including the effectiveness of the measures ”. This is not required
Agency to issue any opinion or assessment on compliance with the regulations of
data protection of the treatments carried out by a person in charge at the request of
this, except in the case of prior consultation provided for in article 36, case before
the one that we are not in the present proceeding. On the other hand, although this
The Agency has various channels so that those responsible can raise their
doubts, the reports that could be issued through such channels lack
binding, so it cannot be justified in the absence of an opinion of the
AEPD on the treatments of the person in charge, the breach of the obligations of
this.
The allegations relating to the alleged unequal treatment between
entities of one sector and another that focuses on the ex officio plan on hiring
distance in telecommunications operators and energy marketers. What
the name of the plan itself indicates, its objective is distance contracting and not
only in the telecommunications sector, but also in the energy sector in the
that this type of contracting is also used. The realization of said plan
actions does not derive from the percentage of claims received during a year
specific in one sector or another, but its realization was included in the
2015-2019 strategic plan of the AEPD, in view of the problems that this type of
contracting raises, in particular in aspects such as identity theft or the
fraudulent hiring, as the plan itself states. It is a
general problem, which justifies an ex officio action by this Agency and not by a
specific breach of data protection regulations by a
entity, as in the present case. On the other hand, the fact that
carrying out an ex officio plan by the AEPD does not imply that the entities of the sector
object thereof are not sanctioned in the event that a claim is received
that determines the origin of investigation actions and, where appropriate
sanctioning. In this sense, it should be remembered that this Agency has the obligation
to publish their resolutions, just look at the ones that appear on their website,
to verify that it does not limit its punitive action to certain sectors of activity.
CPC also bases the alleged discrimination of treatment with respect to other interested parties
in the affirmation that the procedural resolutions are repeated
sanctioners of the AEPD in which the person responsible for the treatment is sanctioned for
infringement of article 6 RGPD (see PPSS 00235/2019, 00182/2019, 00415/2019) and
that, taking into account the condition of a large company and volume of business, between
others, the sanctions are not even close to the economic level of the proposed
sanction contained in the Initiation Agreement, since they are sanctions that have ranged
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 101/133
between € 60,000 and € 120,000. He also states that it is not understood what it is based on
the Agency to modulate economic sanctions since the Initiation Agreement does not
motivates or minimally explains the application of the graduation criteria of the
sanction, nor the fact of deviating from them in the proposed sanction, in the case of
of very similar facts. It alleges that the motion for a resolution has not been
value these specific examples.
Nor can these assertions be accepted. To determine the sanction to be imposed on
In each case, this Agency takes into account the elements established in Article 83
of the RGPD, as well as those established in article 76.2 of the LOPDGDD, said
elements, as is known, not only refer to the offending type, the condition of
large company or turnover, so CPC's claim that others
procedures in which these three elements coincide and the sanction is less,
carried out without greater precision to justify the alleged discrimination in treatment
with respect to other interested parties, it cannot be taken into account as a cause that
Determine the voidability of a procedure. However, it should be added that such
elements are the only thing these procedures have in common with the one now
processed, since the other elements of graduation of the sanction that have been
considered to determine the sanction in this procedure and the contents
in the resolutions referred to by CPC are not comparable, nor by the
nature and seriousness of the offense, nor by the number of affected (only the
claimant in the aforementioned cases), to mention only some of the
aggravating factors taken into account in this proceeding and which did not occur in the
assumptions to which CPC refers.
Regarding what was stated by CPC regarding the agreement to initiate this
procedure, it should be remembered that the initiation agreement itself lists the
circumstances that could influence the determination of the sanction. In this sense,
the agreement to initiate the procedure is in accordance with the provisions of article
64.2.b of the LPACAP, according to which the initiation agreement must contain at least:
b) “the facts that motivate the initiation of the procedure, its possible classification and the
sanctions that may correspond, without prejudice to what results from the instruction. "
In this sense, article 68 of the LOPDGDD is also expressed, according to which
it will be enough that the agreement to initiate the procedure specifies the facts that
motivate the opening, identify the person or entity against whom the
procedure, the infraction that could have been committed and its possible sanction. At
present assumption the initiation agreement goes even further by mentioning the possible
circumstances that could influence the determination of the sanction, always without
detriment to what results from the instruction, which is why they are not
developed in the aforementioned agreement, although they are indicated for the sake of a better possibility of
defense by the entity against which the procedure is directed and, where appropriate,
to make use of the provisions of article 85 of the LPACAP, paying
voluntarily and obtaining the reductions of the sanction established by said precept.
5. Fifth, the defenselessness produced to CPC by violating its presumption is alleged
of innocence, which is based on the following way “we are before the beginning of
a sanctioning procedure, preceded by a request for prior information
of February 6, 2020. Well, before the administrative period expired
mandatory to respond to said requirement, specifically, on March 3,
in an act of ISMS Forum held in Madrid, as already described in
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 102/133
detail above, the Director of the AEPD, the highest authority of the institution, and
competent person to resolve this file, publicly pointed out about
the existence of two or three high-impact sanctioning procedures that were going to
have a lot of media coverage in relation to the financial sector. " Reiterates in
another paragraph, after considering that in accordance with articles 24.2, 103. 1
and 3 CE –and art. 6.1 of the European Convention on Human Rights-, any action
of the Public Administration must obey the principles of objectivity and
impartiality; “However, in this case, without having yet assessed the response to the
Information request, since it was presented on June 2, 2020
(almost three months after the Director's aforementioned statements), the
person who has to resolve, and who, in addition, as the highest authority, depend
hierarchically inspectors and instructors of the AEPD, far from keeping any
appearance of justice decided (publicly) that there would be sanction, and this without
having agreed to initiate the sanctioning procedure. "
In this regard, it should first be noted that CPC's assertion that
there was a decision already taken before the procedure itself
sanctioner lacks the slightest factual support. Such an interpretation cannot be admitted,
the Director's statements made in the framework of statements on the
significance of the sanctioning proceedings in progress due to the amount of
fines, nor did it predetermine the decision to be taken in said procedures, nor much
least it could refer to an entity such as CPC, with respect to which not only
had initiated a sanctioning procedure, but had not even presented
still the documentation that later justified the opening of this
process.
It should be remembered here that, in the sanctioning administrative sphere, impartiality
of the adjudicatory body is linked to the right of the interested party to a process with all
the guarantees. It is guaranteed with the reasons for abstention or challenge and with the due
separation between the investigation and resolution phases of the procedure
sanctioner, separation between phases that is scrupulously respected in all
procedures of this nature followed in the AEPD.
For the sake of legal certainty, the reasons for abstention or disqualification have been
regulated by an exhaustive list of circumstances that respond to reasons
objective, thus avoiding that the interested parties can appreciate causes of
abstention or objection based on own or particular criteria. In our
administrative order, the appearance of partiality is estimated by the
objectively justified concurrence of the reasons regulated in articles 23 and
24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP):
“Article 23. Abstention.
1. The authorities and personnel at the service of the Administrations in which they
some of the circumstances indicated in the following section will refrain from
intervene in the procedure and communicate it to their immediate superior, who
will resolve what is appropriate.
2. The following are reasons for abstention:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 103/133
a) Have personal interest in the matter in question or in another in whose resolution
that of the former could influence; be an administrator of a company or interested entity, or have
pending litigation issue with an interested party.
b) Have a marital bond or assimilable de facto situation and the kinship of
consanguinity within the fourth degree or affinity within the second, with
any of the interested parties, with the administrators of entities or companies
interested parties and also with the advisors, legal representatives or agents who
intervene in the procedure, as well as share a professional office or be
associated with these for advice, representation or mandate.
c) Having an intimate friendship or manifest enmity with any of the people
mentioned in the previous section.
d) To have intervened as an expert or as a witness in the procedure in question.
e) Have a service relationship with a natural or legal person directly interested in
the matter, or having provided professional services in the last two years
any type and in any circumstance or place. "
"Article 24. Challenge.
1. In the cases provided for in the preceding article, a challenge may be filed by the
interested parties at any time during the processing of the procedure.
2. The challenge will be raised in writing in which the cause or causes in
that is founded ”.
Ultimately, it is about the person making the decision not having any
personal interest in the matter and has not intervened in the procedure as an expert or
witness, so that he can resolve according to the general interest, without any type of
influence unrelated to that interest that may lead you to decide in a certain way.
On the other hand, in accordance with the doctrine of our Constitutional Court,
that is claimed from public servants is not personal and procedural impartiality
that is required of judicial bodies, but rather that they act with objectivity and submission
to the right.
Thus, in STC 174/2005, of July 4, the following is declared: “In this regard,
remember that although this Court has reiterated that, in principle, the requirements
derived from the right to a process with all the guarantees apply to the
sanctioning administrative procedure, however, has also been made special
incidence in which said application must be carried out with the required modulations
to the extent necessary to preserve the essential values found in the
basis of art. 24.2 CE and the legal security guaranteed by art. 9.3 CE, as long as they are
compatible with their own nature (by all, STC 197/2004, of November 15,
FJ 2). More specifically, and with regard specifically to the guarantee of
impartiality, it has been pointed out that it is one of the cases in which it is necessary
modulate its projection in the administrative sanctioning procedure, since
said guarantee “cannot be predicated of the sanctioning Administration in the same
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 104/133
meaning that with respect to judicial bodies ”(STC 2/2003, of January 16, FJ 10),
therefore, “without prejudice to the prohibition of any arbitrariness and the subsequent review
judicial sanction, the strict impartiality and independence of the organs of the
judicial power is not, in essence, predicable to the same extent of an organ
administrative law ”(STC 14/1999, of February 22, FJ 4), concluding that the
independence and impartiality of the judge, as a requirement of the right to a trial
With all guarantees, it is a characteristic guarantee of the judicial process that is not
It extends without further ado to the administrative sanctioning procedure (STC 74/2004, of 22
April, FJ 5) ".
And STC 14/1999, of February 22, states the following: "An erroneous understanding
of the content of the constitutional requirements of judicial impartiality and its
alleged transfer in totum to whoever intervenes in the administrative procedure
sanctioner as Instructor, leads the appellant to affirm the injury of his
right to a process with all the guarantees. (…) It should be reiterated here again, as
we did in STC 22/1990 (4th legal basis), that "without prejudice to the
interdiction of all arbitrariness and subsequent judicial review of the sanction, the
strict impartiality and independence of the organs of the judiciary is not,
essence, predicable to the same extent of an administrative body. "
Instructor can be claimed, ex arts. 24 and 103 C.E., it is not that he acts in the situation of
personal and procedural impartiality that is constitutionally required of the organs
judicial when they exercise jurisdiction, but act objectively, in the sense
that we have given to this concept in SSTC 234/1991, 172/1996 and 73/1997, is
that is, performing their duties in the procedure with personal disinterest. TO
This purpose addresses the possibility of challenge established by art. 39 of the Law
Organic 12/1985, of the Disciplinary Regime of the Armed Forces (hereinafter
L.O.R.D.F.A.) which refers to art. 53 of the Military Procedural Law, whose catalog of
causes bears, in this area, evident similarity, with that provided for in the Organic Law
of the Judicial Power, although those listed in both obey, according to
exposed, to different foundations. (…) None of the reasons given can be
attended, not only because, in general, and as stated before, no
the doctrine can be transferred without more to the administrative sanctioning area
constitutional law elaborated on the impartiality of judicial bodies, but
because in the present case, and in view of the configuration of the legal causes of
challenge, it is not possible to appreciate the concurrence of any element that the
Instructor withdrawal due to loss of the necessary objectivity. It is not observed in
the Instructor questioned, nor has the interested party provided any justified data to the
Regarding, the presence of direct or indirect personal interest in the resolution of the
sanctioning file (…) ”.
In this regard, it must be taken into account that, to declare the nullity of the
actions for the reasons alleged, it is necessary to fully demonstrate the
concurrence of one of those reasons that may have been able to influence effectively
in the decision adopted through the present resolution.
It is considered appropriate to record in this act the non-attendance of any
of the causes of abstention or recusal established in the transcribed precepts,
That allows to conclude that the alleged lack of impartiality does not exist. Has no interest
personnel in the object of the procedure; no bond, friendship or enmity with him
interested; nor has he intervened as an expert or witness in the procedure.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 105/133
In the present case, although CPC alleges lack of impartiality of the body
resolutory, has not formally raised the challenge of the Director of the AEPD,
acknowledging in his allegations that "he already valued at the time that there were no
the cases of abstention of article 23.2 of Law 40/2015, and, consequently,
it was not proposed to request the challenge suggested in the Proposal for Resolution ”.
On the other hand, this resolution is adopted in accordance with the Law, according to criteria
objectives, and without the adjudicatory body having prejudged the matter in question
through prior formal actions or through your intervention in previous phases
of the procedure. This intervention has not taken place in any way, beyond the
adoption of the agreement to open the procedure as established by the regulations
applicable procedural.
Neither the statements of the Director of the AEPD referred to by CPC, nor
no other circumstance has broken the impartiality of the investigating body, which has
disposed of all the powers conferred by the regulations in question and full
freedom to dictate your resolution proposal.
On the other hand, the instruction of the procedure has been in accordance with the regulations
procedural, without being able to appreciate any irregularity in the processing of the
procedure, in which, in addition, all the guarantees of the
interested party, including the presumption of innocence.
The intervention of the Director in the event held on 03/03/2020 is related,
with the adoption of the agreements to open the procedures referred to
CPC in their allegations, both from the financial sector. The reference to these agreements
as having a broad impact for the affected sectors and with media relevance has
to do with the news regulated in the RGPD and, in particular, those related to
new model of compliance and supervision. In relation to the latter, they stand out
the important amounts contemplated in the Regulation in order to what, how
This rule is intended, may have a dissuasive character.
6. Sixthly, it is stated that there is a breach of the principle of legitimate expectations
in administrative action, which is based on the fact that as a result of the complaint that
refers to the first factual antecedent of the initiation agreement, the AEPD gave
transfer of the same on November 29, 2018 to the Delegate for the Protection of
Data, and that on February 7, 2019, it agreed to the inadmissibility for processing of the
claim presented fact that generated on CPC the legitimate confidence of its
acting in accordance with the law; months later, preliminary actions of
investigation, allegedly based on the Claim, resulting in the
Initiation Agreement.
In this regard, as stated in the first factual background, the
The claim presented constitutes a fact that gives rise to the action of
investigation of the inspection, not on the specific fact denounced, but on the
way in which said entity carries out the profiling treatment in its treatments
based on consent. The inadmissibility decision itself reveals
that the AEPD can carry out other actions with respect to the treatments object
of complaint. Thus, it is stated in said resolution that “This without prejudice to the fact that the Agency,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 106/133
applying the investigative and corrective powers that it holds, can carry out
subsequent actions related to the data processing referred to in the claim. "
On the other hand, CPC forgets that the decision of inadmissibility can be appealed by the
claimant, as happened in the present case and be upheld. To this it should be added that
at no time did this Agency state that the treatments carried out by
CPC were in accordance with the provisions of the data protection regulations,
limiting itself to initially accepting the allegation that it was a specific error,
Notwithstanding that the Director of the AEPD, in view of the claim, ordered
an investigation into the way in which CPC carried out the treatments of
outlined when its legitimizing basis is consent.
7. The last of the allegations refers to an alleged artificial extension of
the previous actions stating that “The previous investigative actions
agreed by the AEPD supplanted the instructional activity, having been
prolonged to near expiration. " And that the "The Startup Agreement rests,
practically in its entirety, in charge elements collected during the
previous actions. "
As stated in the judgment of the Supreme Court of May 6, 2015
brought up by CPC “Article 69.2 prescribes, by regulating the procedures
initiated ex officio, that "prior to the initiation agreement, the body may
competent to open a period of prior information in order to know the
circumstances of the specific case and whether or not to initiate the procedure. "
meager regulation of said period highlights that the legal purpose is limited to
frame an administrative verification activity without setting a specific deadline
of duration and without regulating or limiting the actions that the
Administration in said period. In pureness, the only meaning of declaring open
a period of prior information is to legally frame a performance
administrative that in any case could be carried out by the Administration under its
powers of control or supervision in the field in question. This is the
Administration can initiate procedures of a very diverse nature ex officio, including
those that are destined to verify the fulfillment of requirements
-as in the present case- or the sanctioners, and prior to the initiation of one
of such files can carry out verifications whose scope will depend on the
existing material regulation in this field, that is, of the obligations to which
the individual and the specific powers of control attributed
to the Administration in this matter in order to check if there are indications that
may lead to the convenience of initiating a formal file of non-compliance,
sanctioning, or of another nature. Well, if said checking activity
initial is possible under the protection of the powers of inspection or control held by the
Administration in various material areas, all the more you will be able to do it if
formally opens a period of prior information whose only meaning would be, as
It has been indicated before, to frame said verification action within a legal framework
explicit."
It should be noted here that although article 69.2 of Law 39/2015 referred to in the
judgment, does not set a specific term for such actions, article 67.2 of the
LOPDGDD does, setting it at 12 months from the date of the agreement by
the one who decides its initiation; no consequence has to be made by the Administration
use of all the time available to carry out such actions as long as there is no
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 107/133
exceeds the same, assuming that the expiration of the actions of
investigation.
Regarding the fact that the previous investigative actions supplanted the activity
The instructor does not explain CPC what specific procedure carried out within the framework of the
preliminary investigation actions is actually an administrative procedure that
should have been held within the sanctioning procedure, nor what procedure or procedures
specific measures of the sanctioning procedure have been supplanted by the actions
previous procedures, nor which procedures of the procedure have been avoided due to
previous actions carried out.
On the contrary, preliminary investigative actions were carried out perfectly
justified, in order to achieve a better determination of the facts and
circumstances (article 67 LOPDGDD), during which information was collected
necessary for the determination of the facts, without carrying out during the course of
the same procedures, some of the sanctioning procedure, which began in
based on the evidence obtained and with the sole purpose of applying the regulatory provisions
established.
During the investigation phase, an information request was sent to CPC
requesting a list of the personal data processing carried out in
development of their commercial activity that involve profiling,
providing the following information regarding each treatment: definition of the
logic applied to profiling and the expected consequences of such processing for the
interested; description of the purpose of the treatment and basis of legitimacy on which it is
sustains; procedure followed to comply with the duty of information to
interested; means used to collect consent in the event that the
treatment activity is covered by article 6.1.a of the RGPD; categories of
interested parties and personal data subject to treatment; origin of personal data
object of treatment; where appropriate, list of managers who participate in the activity
treatment and copy of the contracts that govern the order; description of the
technical and organizational security measures applied by virtue of article 32 of the
GDPR to profiling activity; where appropriate, a copy of the impact assessment of
protection of personal data and the number of data subjects whose personal data
have been treated in the development of the profiling activity by category (customer,
potential client) and year (2018 and 2019).
It cannot be said, in view of the foregoing, that in this case the previous actions
were not necessary or were not carried out to gather data and evidence on the
facts committed and those responsible.
III
The actions outlined in the antecedents of this resolution have as
object to analyze the procedure for obtaining consent in the
profiling procedures carried out by CaixaBank Payments & Consumer,
E.F.C., E.P., S.A (CPC) when that constitutes the legal basis that legitimizes said
treatments.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 108/133
Consequently, the conclusions that could be derived from the present proceeding
will not imply any pronouncement on other aspects related to said
treatment, such as the intervention of caregivers, the adequacy of
impact evaluations provided to the provisions of the RGPD or the measures of
established security regarding said treatment, nor about other treatments of
outlined whose legal basis, according to CPC, is to comply with
regulatory requirements.
IV
Article 4.4 of the RGPD defines “profiling” as “any form of
automated processing of personal data consisting of using personal data
to evaluate certain personal aspects of a natural person, in particular
to analyze or predict aspects related to professional performance, situation
economic, health, personal preferences, interests, reliability, behavior,
location or movements of said natural person "
As all data processing must comply with the principles established in the
Article 5 of the RGPD. Said article provides that “1. The personal data will be: a)
treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness,
loyalty and transparency ”);
In accordance with the provisions of letter a) of said precept, personal data
they must be treated in a lawful manner. The aforementioned is taken into account in this regard
in recital 40 of the RGPD, according to which: “For the treatment to be lawful, the
Personal data must be processed with the consent of the interested party or on
any other legitimate basis established in accordance with Law, either in the present
Regulation or by virtue of another law of the Union or of the Member States to which
referred to in this Regulation, including the need to comply with the legal obligation
applicable to the controller or the need to perform a contract in the
that the interested party is a party or in order to take measures at the request of the interested party
prior to the conclusion of a contract. "
The provisions of the Guidelines on individual decisions are taken into account
automated and profiling for the purposes of Regulation 2016/679,
adopted by the Working Group on Data Protection of article 29 on 3
October 2017, last revised and adopted on February 6, 2018 and
approved by the European Data Protection Committee at its first meeting
plenary session, which by referring to consent as the legal basis for the treatment
recalls that “Profiling can be opaque and is often based on
in data derived or inferred from other data, rather than in information provided
directly by the interested party. Those responsible for the treatment who intend
rely on consent as the basis for profiling should
demonstrate that stakeholders understand exactly what they are consenting to, and
They should remember that consent is not always an adequate basis for
treatment. In all cases, stakeholders must have sufficient
information on the use and the intended consequences of the treatment to ensure
that any consent they give constitutes an informed choice. "
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 109/133
The number 11 of article 4 of the RGPD defines consent as “All
manifestation of free, specific, informed and unequivocal will by which the
interested party accepts, either through a statement or a clear affirmative action, the
processing of personal data concerning you "
For their part, articles 6 and 7 of the RGPD refer, respectively, to the “Legality
of the treatment ”and the“ Conditions for consent ”:
Article 6 of the RGPD.
"1. The treatment will only be lawful if at least one of the following is met
terms:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party
is part of or for the application at his request of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
responsible for the treatment;
d) the treatment is necessary to protect vital interests of the interested party or another
Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest
public or in the exercise of public powers conferred on the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person responsible for the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party who require the protection of personal data, in particular when the
interested is a child.
The provisions of letter f) of the first paragraph will not apply to the treatment
carried out by public authorities in the exercise of their functions.
2. Member States may maintain or introduce more specific provisions
in order to adapt the application of the rules of this Regulation with respect to the
treatment in compliance with section 1, letters c) and e), setting moreover
specifies specific treatment requirements and other measures that ensure a
lawful and equitable treatment, including other specific situations of
treatment according to chapter IX.
3. The basis of the treatment indicated in section 1, letters c) and e), must be
established by:
a) Union law, or
b) the law of the Member States that applies to the controller.
The purpose of the treatment must be determined in said legal basis or, as
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 110/133
relating to the treatment referred to in paragraph 1, letter e), will be necessary for the
fulfillment of a mission carried out in the public interest or in the exercise of powers
public conferred to the person in charge of the treatment. Said legal basis may contain
specific provisions to adapt the application of the rules of this
Regulation, among others: the general conditions that govern the legality of the treatment
by the person in charge; the types of data being processed; the interested
affected; the entities to which personal data may be communicated and the purposes
of such communication; the limitation of the purpose; the terms of conservation of the
data, as well as operations and treatment procedures, including
measures to guarantee a lawful and equitable treatment, such as those related to other
specific treatment situations in accordance with Chapter IX. Union law
or Member States will meet a public interest objective and will be proportional
to the legitimate end pursued.
4. When the treatment for a purpose other than that for which the data were collected
personal data is not based on the consent of the interested party or on the Law
of the Union or of the Member States that constitutes a necessary measure and
proportional in a democratic society to safeguard the stated objectives
in article 23, paragraph 1, the data controller, in order to determine
if the treatment for another purpose is compatible with the purpose for which they were collected
initially personal data, will take into account, among other things:
a) any relationship between the purposes for which the data was collected
personal and the purposes of the planned further processing;
b) the context in which the personal data was collected, in particular for what
Regarding the relationship between the interested parties and the person responsible for the treatment;
c) the nature of the personal data, specifically when categories are processed
special personal data, in accordance with article 9, or personal data
relating to convictions and criminal offenses, in accordance with article 10;
d) the possible consequences for the data subjects of the planned further processing;
e) the existence of adequate guarantees, which may include encryption or
pseudonymisation ”.
Article 7 of the RGPD.
"1. When the treatment is based on the consent of the interested party, the person in charge
must be able to demonstrate that he consented to the processing of his data
personal.
2. If the consent of the interested party is given in the context of a written statement
that also refers to other matters, the request for consent will be submitted
such that it is clearly distinguishable from other subjects, intelligibly and clearly
easy access and using clear and simple language. No part will be binding
of the declaration that constitutes an infringement of these Regulations.
3. The interested party will have the right to withdraw their consent at any time. The
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 111/133
Withdrawal of consent will not affect the legality of the treatment based on the
consent prior to its withdrawal. Before giving consent, the interested party
you will be informed of it. It will be as easy to withdraw consent as it is to give it.
4. When evaluating whether consent has been freely given, it will be taken into account in the
as much as possible the fact whether, among other things, the performance of a contract,
including the provision of a service, is subject to consent to the treatment of
personal data that are not necessary for the execution of said contract ”.
It takes into account what is expressed in recitals 32, 40 to 44 and 47 of the RGPD in
relationship with the provisions of articles 6 and 7 above. From what is expressed in
these recitals, the following should be noted:
(32) Consent must be given by a clear affirmative act that reflects a
manifestation of free, specific, informed, and unequivocal will of the interested party
accept the processing of personal data concerning you, as a
written statement, including by electronic means, or an oral statement.
This could include checking a box on a website on the internet, choosing parameters
technicians for the use of information society services, or any
other statement or conduct that clearly indicates in this context that the data subject
accepts the proposal for the treatment of your personal data. Therefore, the silence, the
Check boxes or inaction should not constitute consent. The
Consent must be given for all processing activities carried out with the
same or the same ends. When the treatment has several purposes, the
consent for all of them. If the consent of the interested party has to be given to
following a request by electronic means, the request must be clear, concise and not
unnecessarily disturbing the use of the service for which it is provided.
(42) When the treatment is carried out with the consent of the interested party, the
responsible for the treatment must be able to demonstrate that he has given his
consent to the treatment operation. In particular in the context of a
written statement made on another matter, there must be assurances that the
interested party is aware of the fact that he gives his consent and of the extent to which
that makes. In accordance with Council Directive 93/13 / EEC, the
a model declaration of consent previously prepared by the
responsible for the treatment with an intelligible and easily accessible formulation that
use clear and simple language, and do not contain abusive clauses. So that
consent is informed, the interested party must know at least the
identity of the person responsible for the treatment and the purposes of the treatment to which they are
intended personal data. Consent should not be considered freely
provided when the interested party does not have a true or free choice or cannot
deny or withdraw your consent without suffering any harm.
(43) (…) It is presumed that consent has not been freely given when it is not
allow the separate authorization of the different data processing operations
personal despite being appropriate in the specific case, or when compliance with a
contract, including the provision of a service, is dependent on consent,
even when this is not necessary for such compliance.
It is necessary to take into account, also what is established in article 6 of the LOPDGDD:
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 112/133
"Article 6. Treatment based on the consent of the affected party
1. In accordance with the provisions of article 4.11 of Regulation (EU) 2016/679,
The consent of the affected party is understood to be any manifestation of free will,
specific, informed and unequivocal for which it accepts, either through a
declaration or a clear affirmative action, the processing of personal data that
concern.
2. When it is intended to base the treatment of the data on the consent of the
affected for a plurality of purposes, it will be necessary to record in a
specific and unequivocal that said consent is granted for all of them.
3. The execution of the contract may not be subject to the consent of the affected party
processing of personal data for purposes that are not related to the
maintenance, development or control of the contractual relationship ”.
The provisions of the European Data Protection Committee are also taken into account
in the document ““ Guidelines 05/2020 on consent under the
Regulation 2016/679 ”approved on May 4, 2020, which updates the Guidelines
on consent under Regulation 2016/679, adopted by the Group
of Article 29 and that were approved by the European Committee of
Data Protection in its first plenary meeting. From what is stated in said
document, here it is interesting to highlight some of the criteria related to the validity
of consent, specifically on the "specific" and "informed" elements:
“3.2. Specific manifestation of will
“Article 6, paragraph 1, letter a), confirms that the consent of the interested party to
the processing of your data must be given "for one or more specific purposes" and that a
The interested party can choose with respect to each of said purposes. The requirement that the
Consent must be 'specific' is intended to ensure a level of control and
transparency for the interested party. This requirement has not been modified by the GDPR and
remains closely linked to the consent requirement
"informed". At the same time, it must be interpreted in line with the requirement of
"Dissociation" to obtain "free" consent. In short, to meet the
character of "specific" the data controller must apply:
i. the specification of the purpose as a guarantee against deviation of use,
ii. disassociation in consent requests, and
iii. a clear separation between the information related to obtaining the
consent to data and information processing activities
relating to other matters.
Ad. i): In accordance with article 5, section 1, letter b), of the RGPD, the obtaining
valid consent is always preceded by the determination of an end
specific, explicit and legitimate for the planned processing activity. The need
of specific consent in combination with the notion of limitation of the
purpose contained in article 5, paragraph 1, letter b), functions as a guarantee against
to the gradual expansion or blurring of the purposes for which the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 113/133
data processing once an interested party has given their authorization to the
initial data collection. This phenomenon, also known as deviation of the
use, poses a risk to data subjects as it may lead to use
unforeseen personal data by the person responsible for the treatment or
third parties and the loss of control by the interested party.
If the data controller relies on article 6, paragraph 1, letter a), the
interested parties must always give their consent for a specific purpose for the
data processing. In line with the concept of purpose limitation,
with article 5, paragraph 1, letter b), and with recital 32, the consent
can cover different operations, provided that these operations have a
same end. Needless to say, specific consent can only be obtained
when the interested parties are expressly informed about the purposes envisaged for the
use of the data concerning them.
Without prejudice to the provisions on the compatibility of purposes, the
consent must be specific to each purpose. Those interested will give their
consent understanding that they have control over their data and that these will only be
treated for such specific purposes. If a controller processes data based on the
consent and, in addition, you wish to process said data for another purpose, you must obtain the
consent for that other purpose, unless there is another legal basis that reflects
better the situation.
(…)
Ad. ii) Consent mechanisms should not only be separated in order to
comply with the requirement of 'free' consent, but must also comply with
that of "specific" consent. This means that a controller
seeking consent for several different purposes should facilitate the possibility of
opt for each purpose, so that users can give specific consent
for specific purposes.
Ad. iii) Finally, those responsible for the treatment must provide, with each request
separate consent form, specific information about the data to be processed
for each purpose, in order that the interested parties know the repercussion of the
different options they have. In this way, interested parties are allowed to give a
specific consent. This issue overlaps with the requirement that
responsible provide clear information, as previously stated in
section 3.3 ”.
3.3 Informed manifestation of will.
“The GDPR reinforces the requirement that consent must be informed. From
In accordance with article 5 of the GDPR, the requirement of transparency is one of the
fundamental principles, closely related to the principles of loyalty and
legality. Providing information to the interested parties before obtaining their consent is
essential for them to make informed decisions, understand what it is that
are authorizing and, for example, exercising their right to withdraw their consent. If he
responsible does not provide accessible information, user control will be illusory and
consent will not constitute a valid basis for data processing.
If the requirements for informed consent are not met, the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 114/133
Consent will not be valid and the person responsible may be in breach of article 6
of RGPD.
3.3.1 Minimum content requirements for consent to be "informed"
In order for consent to be informed, it is necessary to inform the interested party
certain elements that are crucial to be able to choose. Therefore, the CEPD is of the opinion that
At least the following information is required to obtain valid consent:
i. the identity of the data controller,
ii. the end of each of the processing operations for which the
request consent,
iii. what (type of) data is to be collected and used,
iv. the existence of the right to withdraw consent,
v. information on the use of data for automated decisions
in accordance with Article 22 (2) (c), where relevant,
and
saw. information on the possible risks of data transfer
due to the absence of an adequacy decision and guarantees
adequate, as described in article 46. "
1. In the present case, CPC requests consent in the various channels of
prescribers and agents for study and profiling purposes. So consent
it is requested in the following terms: "I authorize the CaixaBank Group to use my data
for study and profiling purposes ”. Regarding the information on the
purposes of said treatment, the documentation provided is that contained in the
Screenshots sent and the document provided as annex 12
called "GENERAL CONDITIONS OF THE APPLICATION-CONTRACT OF
CREDIT ”whose content in this point has already been transcribed in the proven facts
of the present resolution of the sanctioning procedure, and that, as stated,
facilitates the interested party within the framework of contracting a product.
As expressed in said document, the details of the uses of the data that are
will be carried out in accordance with your authorizations is the following:
(i) “Detail of the analysis, study and monitoring treatments for the offer and
design of products and services tailored to the customer profile. Granting your
consent to the purposes detailed here, you authorize us to:
a) Proactively carry out risk analysis and apply on their technical data
statistics and customer segmentation, with a triple purpose:
1) Study products or services that can be adjusted to your profile and
specific commercial or credit situation, all this to make offers
commercial tailored to your needs and preferences,
2) Track the products and services contracted,
3) Adjust recovery measures on defaults and incidents derived from
the products and services contracted.
b) Associate your data with those of other clients or companies with which you have any
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 115/133
type of bond, both family or social, as well as due to its property relationship and
administration, in order to analyze possible economic interdependencies in the
study of service offers, risk requests and product contracting.
c) Carry out studies and automatic controls of fraud, defaults and incidents
derived from the products and services contracted.
d) Carry out satisfaction surveys by telephone or electronically with the
objective of evaluating the services received.
e) Design new products or services, or improve the design and usability of
existing, as well as define or improve the experiences of users in their relationship
with CaixaBank Payments & Consumer and the companies of the CaixaBank Group. "
In the opinion of this Agency the information contained in the document CONDITIONS
GENERAL APPLICATION-CREDIT AGREEMENT, above transcribed no
provides the interested party with enough information so that he can know the
scope of the profiling treatments carried out.
In this regard it should be remembered that the Guidelines on individual decisions
automated systems and profiling for the purposes of Regulation 2016/67, by
Analyze the relevant legal bases for profiling points out what
following regarding the provisions of Article 6, paragraph 1, letter a) - Consent
"Those responsible for the treatment that intend to be based on consent as
Basis for profiling should demonstrate that stakeholders understand
exactly what they are consenting to, and they should remember that consent is not
always a suitable basis for treatment. In all cases, the interested parties
should have sufficient information on the intended use and consequences of the
treatment to ensure that any consent they give constitutes a
informed choice. "
Also the same document when referring to the rights of the interested parties,
first mention:
"1. Articles 13 and 14 - Right to be informed
Taking into account the basic principle of transparency that underpins the GDPR, the
data controllers must ensure that they explain to people in a manner
clear and simple operation of profiling or decisions
automated. "
However, in the present case, only one information is provided to the interested party.
generic information on the different profiling treatments. So the first of them does
reference to the “study of products or services that can be adjusted to your profile and
specific commercial situation, to make commercial offers adjusted to your
needs and preferences ”. With this information the interested party cannot know
exactly what the treatment you are consenting to consists of. Of such information
It cannot be deduced that the products to be offered are exclusively those of CPC,
as said entity alleges, so it could include offers from other entities of the
group or other types of products or services not related to the activity of said
entity. Nor does it follow from such information that the offer of products and
services may even include the assignment of “pre-granted” credit limits, such and
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 116/133
as stated in the information provided by CPC to the AEPD on the occasion of the
Information request made by the Inspection. Nor, as it is analyzed
later on, you are adequately informed of the data that will be used to
carry out the profiling treatment. With the information provided, the interested party does not
You can know the scope of the treatment you are consenting to or the level of detail of the
profile to be elaborated nor its exhaustiveness. The same information gaps
that is provided to the interested party are observed in other profiling treatments
listed in the above transcribed information provided in said document.
CPC alleges that the CaixaBank Group has proactively verified this understanding
through studies that have involved clients, however it does not prove it.
Secondly, as the mechanism for the provision of the
consent, it is not foreseen that the interested party expresses his option on all the
purposes for which the data is processed, It is discussed in section (i) of treatments for
"The offer and design of products and services adjusted to the client's profile", assuming that
in itself it already comprises three different ends:
1. Study products or services that can be adjusted to your profile and situation
commercial or specific credit, all this to make you adjusted commercial offers
to your needs and preferences,
2) Track the products and services contracted,
3) Adjust recovery measures on defaults and incidents derived from the
contracted products and services.
To this are added other purposes such as “analyzing possible interdependencies
economic in risk requests and product contracting ”,“ assess the services
received "or" design new products or services, or improve the design and usability of
existing ones, as well as define or improve user experiences in their
relationship with CaixaBank Payments & Consumer and the companies of the CaixaBank Group ”.
The enumeration of the treatments that the aforementioned entity carries out, actually supposes
an extension of the purposes, which in some cases are not even identified, so
the consent given cannot be considered specific as it has not been dissociated
consent requests sufficiently.
It is alleged by CPC that this confusion is due to a slight error in the clause
informative, to list treatment operations that are not carried out based on the
consent obtained for profiling; points out that this incidence, after being
detected, has been corrected by the CaixaBank Group and, therefore, also by CPC,
by means of the elaboration of a new Privacy Policy in which they are detailed
correctly and precisely the treatments carried out for the analysis and study
for commercial purposes.
However, this privacy policy, regardless of whether it is
adjusted or not to the provisions of the data protection regulations, on which this
Agency does not pronounce on this procedure, it has been in force since
on January 18, 2021 without any other information documents having been modified
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 117/133
to the interested party, as CPC informs in its response to the request for information
of this Agency during the trial period, in particular the CONDITIONS
GENERAL OF THE APPLICATION-CREDIT AGREEMENT, which has been done before
reference and that constitute the mechanism to provide information to the interested parties.
2. In the various documents in which consent is requested, it is requested
for “the CaixaBank group”, which constitutes a communication of data to the
group companies, communication that constitutes a specific purpose in itself
considered, which requires a manifestation of the will of the interested party by which
he agrees that it can be carried out.
It is alleged by CPC that no data communication occurs since there is
a co-responsibility regime between the companies of the CaixaBank Group, for
there is an agreement to jointly determine the objectives and means of the
treatment object of this procedure, as provided in article 26 of the
GDPR. It is also alleged that such co-responsibility is also due to
regulatory needs. In this sense, he cites articles 29.1 of Law 2/2011, of 4
March, Sustainable Economy. and 14 of Law 16/2011, of June 24, of
consumer credit contracts.
In this regard, it should be recalled that the 7/2020 Guidelines on responsible and
data controller in the RGPD, adopted on July 7, 2021, state that
Article 26 of the GDPR, which reflects the definition of Article 4.7 of the GDPR,
provides that “When two or more managers jointly determine the
objectives and means of treatment, will be jointly responsible for the treatment ”.
Generally speaking, there is co-responsibility with respect to an activity of
specific treatment when different parties jointly determine the
purpose and means of this processing activity. Therefore, evaluate the
existence of joint controllers requires examining whether the determination of the purposes and
means that characterize a person in charge is decided by more than one party. "Together"
must be interpreted in the sense of "together with" or "not alone", in different ways and
combinations, as explained below.
The assessment of co-responsibility should be carried out on the basis of a
factual, rather than formal, analysis of the real influence on the ends and means of the
treatment. All existing or planned provisions must be verified taking into account
take into account the factual circumstances relating to the relationship between the parties. A
A mere formal criterion would not be sufficient for at least two reasons: In some
cases, the formal appointment of a co-responsible, for example, provided by law
or in a contract, he would be absent; In other cases, it may be that the appointment
formally does not reflect the reality of the arrangements, by formally entrusting the role of
liable to an entity that is not really in a position to "determine" the
purposes and means of treatment.
Not all treatments in which several entities participate give rise to
co-responsibility. The general criterion for co-responsibility is the
joint participation of two or more entities in determining the purposes and
means of a treatment. More specifically, co-responsibility should include the
determination of the objectives, on the one hand, and the determination of the means,
other. If each of these elements is determined by all entities
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 118/133
interested parties, should be considered jointly responsible for the treatment in question. "
In the present case, the co-responsibility agreement provided lacks date and
signature and, consequently, of any validity. In this sense, the agreement itself, in its
number 6 regarding its duration indicates that “This Agreement shall enter into force in the
date of its signature ”. In this sense, the aforementioned Guidelines 7/2020 indicate that “The
GDPR does not specify the legal form of the agreement between joint controllers. On
for the sake of legal certainty, and in order to guarantee transparency and accountability
accounts, the European Data Protection Committee recommends that said agreement
is in the form of a binding document, such as a contract or other legal act
binding in accordance with EU or Member State law when
that the controllers are submitted. " It should also be added that there is no excuse
the absence of signing the agreement in the supposed wait for the Agency to make a
pronouncement on the measures to be adopted in the framework of another procedure
sanctioning against another entity (CaixaBank) in case it should be modified, such as
pointed out in the allegations to the initial agreement or, as it now points out in the
allegations to the proposed resolution, that said signature is made dependent on
resolve the same sanctioning procedure against CaixaBank through the courts.
Neither is any factual element provided that would allow it to be considered that
jointly by all the group companies the purposes and means of the treatment
specific to which this procedure refers, that is, the operations of
profiling for the offer to CPC customers of certain products, which
are part of its commercial activity, as indicated by said entity in the
information provided.
Nor is it admissible that such co-responsibility is due to reasons
regulatory. Article 29 1, of Law 2/2011, of March 4, on the Economy
Sustainable, provides that "Credit institutions, before the contract is signed
credit or loan, should evaluate the solvency of the potential borrower, on the
basis of sufficient information. For this purpose, said information may include the
provided by the applicant, as well as the result of consulting files
automated data, in accordance with current legislation, especially in
matter of protection of personal data. " Article 14 of Law 16/2011,
of June 24, of consumer credit agreements It establishes that “1. The lender,
Before the credit agreement is executed, you must evaluate the solvency of the
consumer, on the basis of sufficient information obtained by the media
suitable for this purpose, including the information provided by the consumer, upon request
of the lender or intermediary in granting credit. For the same purpose, you may
consult the files of patrimonial solvency and credit, to which the article refers
29 of Organic Law 15/1999, of December 13, on Data Protection of
Personal nature, under the terms and with the requirements and guarantees provided in said
Organic Law and its implementing regulations.
In the case of credit institutions, for the evaluation of the solvency of the
consumer will also take into account the specific rules on the management of
risks and internal control that are applicable to them according to their specific legislation. "
From the literal wording of both precepts it is evident that such obligations refer to
at the time a credit or loan agreement is entered into, not the activity
by which an entity offers such credits or loans to its clients,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 119/133
products that they, moreover, have not requested. Much less can it be accepted
that such regulatory obligations justify a communication of data to all
group companies, from the moment the interested party consents to such
profiling treatment regardless of whether it is subsequently carried out or not.
On the other hand, as has already been pointed out previously, this Agency has not invested the
burden of proof as claimed by CPC, it is said entity that has alleged the existence
of co-responsibility in the treatment corresponding to said entity to prove it,
the mere allegation of its existence and the presentation of a document is not enough
lacking validity to prove that there is co-responsibility. This Agency has
sufficiently clarified the reasons why it considers that there is no
co-responsibility in the previous paragraphs, so it is not a mere
unsubstantiated contrary opinion.
3. Among the crucial elements for the consent to be valid, the aforementioned
Guidelines on consent under Regulation 2016/679 make
reference to the information to the interested party about what types of data are to be collected and
be used.
In the information that CPC has provided to this Agency, specifically in the
GENERAL CONDITIONS OF THE APPLICATION-CREDIT AGREEMENT,
indicates that the personal data being processed are the following:
"The data that will be processed for the purposes of (i) data analysis and study, and (ii)
for the commercial offer of products and services will be:
a) All those provided in the establishment or maintenance of relationships
commercial or business.
b) All those generated in the contracting and operations of products and services
with CaixaBank Payments & Consumer, with the CaixaBank Group companies or with
third parties, such as, account or card movements, receipt details
direct debits, payroll direct debits, claims derived from insurance policies,
claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the Group
CaixaBank obtain from the provision of services to third parties, when the service has
as a recipient to the Holder, such as the management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder as recorded in the records of
this, or of the entities that according to the regulations of the market of
values must keep records of the values represented by means of
book entries.
e) Those obtained from the social networks that the Owner authorizes to consult.
f) Those obtained from third parties as a result of requests for aggregation of
data requested by the Owner.
g) Those obtained from the Owner's navigations through the service of the website of
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 120/133
CaixaBank Payments & Consumer and other websites of this and / or the Group companies
CaixaBank or mobile phone application of CaixaBank Payments & Consumer and / or of
the companies of the CaixaBank Group, in which it operates, duly identified. These
Data may include information regarding geolocation.
h) Those obtained from chats, walls, videoconferences or any other means of
communication established between the parties. The Owner's data may be
complemented and enriched by data obtained from companies that supply
commercial information, by data obtained from public sources, as well as by data
statistical, socioeconomic (hereinafter, "Additional Information") always
verifying that they comply with the requirements established in the current regulations
on data protection. "
From this information it follows that the interested party cannot know the data that
will be processed for profiling, the information provided includes data that,
in accordance with the information provided about the data to be used for the treatment
of profiling and its origin, will not be subject to such treatment and, however, will not
You are informed of the processing of other data that will be the object of the same, such as the
consultation of solvency files and the Central Bank of Risk Information of the Bank of
Spain or the so-called Risk score.
CPC's claims cannot be shared when it claims compliance
adequately with the duty to inform the interested parties in relation to the data
that are treated for profiling, noting, firstly, that the categories of data
object of treatment are not among the minimum information described in the
Article 13 of the RGPD so that consent is informed.
In this regard, the provisions of the European Protection Committee must be reiterated here.
of Data in the document ““ Guidelines 05/2020 on consent under the
Regulation 2016/679 ”, to which reference has been previously made, in particular not
it is possible but to reproduce again what was indicated in point Ad. iii) according to which
“Finally, those responsible for the treatment must facilitate, with each request for
separate consent, specific information about the data that will be processed for
each purpose, in order that the interested parties know the repercussion of the
different options they have. In this way, interested parties are allowed to give a
specific consent. This issue overlaps with the requirement that
responsible provide clear information, as previously stated in
section 3.3 ”. The aforementioned point 3.3, which is also transcribed above
points out that “the requirement of transparency is one of the fundamental principles,
closely related to the principles of fairness and lawfulness. Supply information
to the interested parties before obtaining their consent is essential so that they can
make informed decisions, understand what they are authorizing, and therefore
For example, exercise your right to withdraw your consent ”, in point 3.1.1. lists
the minimum content requirements for consent to be 'informed',
one of them being the one relating to “what (type of) data is going to be collected and used”.
Nor can the allegation that the information provided allows
interested parties to know the data that will be processed for profiling, since the
fragment transcribed by the AEPD corresponds to point 26.4. (ii) of
general conditioning, but the rest of the conditioning has not been taken into account.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 121/133
It indicates that in section 26.3 of the general conditions (prior to 26.4.ii transcribed in
the Initiation Agreement) specifies in greater detail what data will be processed for the
establishment or maintenance of commercial relationships.
CPC points out that point 26.3 informs that “CaixaBank Payments & Consumer and,
where applicable, the CaixaBank Group companies are bound by different
regulations and agreements to carry out certain processing of people's data
with which it maintains Commercial Relations, as indicated in the sections
following this clause (hereinafter, “Treatments with Purpose
Regulatory ”). These treatments are necessary for the establishment and
maintenance of Commercial Relations with CaixaBank Payments & Consumer
and / or with the CaixaBank Group companies, and the Holder's opposition to them
would necessarily entail the cessation (or non-establishment, where appropriate) of these
relations. In any case, Treatments with Regulatory Purposes will be limited
exclusively for the stated purpose, without prejudice to other purposes or uses that
The Holder authorizes according to the provisions of clause 26.4. of this document. "
CPC adds that point 26.3.3 informs about consulting files of
credit information (among which are those necessary to obtain the “Risk
Score ”, as will be explained later) and point 26.3.4. informs about the
consult the Risk Information Center of the Bank of Spain, transcribing
both of them:
“26.3.3 Communication with credit information systems.
The Holder is informed that CaixaBank Payments & Consumer, in the study of the
establishment of Commercial Relations, you can consult information on
credit information systems. Likewise, in the event of non-payment of any of the
Obligations derived from Commercial Relations, data related to non-payment
may be communicated to these systems.
26.3.4. Communication of data to the Risk Information Center of the Bank of
Spain
The Holder of the right who assists CaixaBank Payments & Consumer is informed to
Obtain reports from the Bank of Spain's Risk Information Center (CIR)
on the risks that could be registered in the study of the establishment of
Business relationships. […] "
In this regard, it should be noted that the first of the fragments mentioned by
CPC in its allegations, this is point 26.3 of the general conditions refers
as it mentions in its title to the processing of character data
personnel for regulatory purposes, being clear also in its content that it is
refers to them and not to commercial purposes, for which the information
It is offered in number 26.4. In the same way, points 26.3.3 and related to the
communication with credit information systems, and 26.3.4, referring to the
communication to the Risk Information Center of the Bank of Spain,
included within the general section relating to processing for purposes
regulatory, without making any reference to that such data may be
object of treatment within the framework of treatments for commercial purposes
based on consent.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 122/133
Point 26.4 is entitled precisely "Treatment and transfer of data for purposes
commercial by Caixabank and the Caixabank Group companies based on the
consent ”, and from that point on, the information related to such
treatments. Thus, in point ii of the aforementioned point 26.4, it is expressly stated “The
data that will be processed for the purposes of (i) data analysis and study, and (ii) for the
commercial offer of products and services will be:
a) All those provided in the establishment or maintenance of relationships
commercial or business.
b) All those generated in the contracting and operations of products and services
with CaixaBank Payments & Consumer, with the CaixaBank Group companies or with
third parties, such as, account or card movements, receipt details
direct debits, payroll direct debits, claims derived from insurance policies,
claims, etc.
c) All those that CaixaBank Payments & Consumer or the companies of the Group
CaixaBank obtain from the provision of services to third parties, when the service has
as a recipient to the Holder, such as the management of transfers or receipts.
d) Whether or not you are a CaixaBank shareholder as recorded in the records of
this, or of the entities that according to the regulations of the market of
values must keep records of the values represented by means of
book entries.
e) Those obtained from the social networks that the Owner authorizes to consult.
f) Those obtained from third parties as a result of requests for aggregation of
data requested by the Owner.
g) Those obtained from the Owner's navigations through the service of the website of
CaixaBank Payments & Consumer and other websites of this and / or the Group companies
CaixaBank or mobile phone application of CaixaBank Payments & Consumer and / or of
the companies of the CaixaBank Group, in which it operates, duly identified. These
Data may include information regarding geolocation.
h) Those obtained from chats, walls, videoconferences or any other means of
communication established between the parties. The Owner's data may be
complemented and enriched by data obtained from companies that supply
commercial information, by data obtained from public sources, as well as by data
statistical, socioeconomic (hereinafter, "Additional Information") always
verifying that they comply with the requirements established in the current regulations
on data protection. "
Consequently, CPC's allegations cannot be accepted in any way, they are not
adequately informs about the data that may be processed in the
framework of business activities based on consent, information
provided by the person in charge expressly lists the alleged data that may
be used for said treatment for commercial purposes based on the
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 123/133
consent, without making any reference to data as relevant as the query to
solvency files and the treatment called risk score. The information must
be provided as stated in article 12 of the RGPD in a concise, transparent way,
intelligible and easily accessible. It is inadmissible that the interested party should interpret the
information that is provided to you, to know what data will be processed for a
operation based on your consent by accessing information related to other
types of processing whose basis is not consent.
The allegations indicate that the legitimizing basis for the treatment of these two
data, the consultation of solvency files and the risk score, is in the
consent of the interested party. CPC claims that the fact that certain treatments
are carried out based on the consent of the interested party does not exclude that they must comply with the
legal obligations established in the Prudential and Solvency Regulations and
Responsible Loan given that the products sold are accounts of
credit and loans. Therefore, even when the treatment is carried out based on the
consent of the interested party, CPC must comply with the legal obligations established
in the Prudential and Solvency Regulations and Responsible Loan; so, at
make a personalized offer to an interested party, CPC must assess their capacity
of return and solvency, consulting the data contained in systems of
credit information.
Such allegation is not admissible, the offer of such products constitutes an activity
exclusively commercial, without article 20 of the LOPDGDD, relative to the
credit information systems, enable the consultation of such systems without the
consent of the interested party more than in the supposed content in letter e) of his
first number, according to which the data referring to a specific debtor only
can be consulted when “whoever consults the system maintains a relationship
contract with the affected party that involves the payment of a pecuniary amount or this
had requested the conclusion of a contract that involves financing, payment
deferred or periodic billing, as happens, among other cases, in the
provided for in the legislation on consumer credit agreements and credit agreements
real estate. " This is not a request for such services, but an offer
that CPC makes of them, without the interested party having previously requested it.
Consequently, the absence of consent of the interested party for access to the
credit information systems determines illegitimate treatment. And in this sense
It should be remembered that consent must be informed, so that without due
information, including knowing the data to be processed, the
consent becomes invalid.
With regard to the data called “risk score”, from the information provided it seems
It can be inferred that this is another data profiling operation, carried out by a
in charge of the treatment, (…). This Agency considers that the
interested in this new profiling operation, nor on the legal basis that
allows its realization, nor on the data used to carry it out.
CPC alleges that the data called "Risk Score" is obtained from the analysis
carried out by the supplier *** EMPRESA.3, (…), noting that when informing the
interested in the processing of their data, there is no mention of obtaining this
concrete data since, even if it is obtained with the intervention of a manager
treatment, does not differ from the simple analysis and study of data carried out
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 124/133
both for regulatory and commercial purposes and that its base
legal, when carried out for commercial purposes, will be the consent of the
interested party, taking into account that in order to carry out the analysis and
study of data for commercial purposes it will also be necessary to observe the
prudential and solvency regulations. It is added that regarding the data used
to obtain the “Risk Score”, it is the workforce in information systems
credit.
This Agency does not share this allegation either, it cannot be considered that
duly informs the interested parties when said treatment operation is integrated
within the analysis and study of data carried out for commercial purposes. The
called risk score constitutes in itself a profiling operation, without
inform the interested parties of the data used for said operation or of its
result, which constitutes data to be used in other profiling operations
carried out by the person in charge for commercial purposes. Regarding the data
used to carry out the profiling operation called risk score, which
as indicated are those that work in credit information systems,
Neither is its treatment possible without the consent of the interested party, unless they concur
the circumstances provided for in article 20.1.e of the LOPDGDD, which has previously been
aforementioned, which does not happen in the present case in which its
use for profiling for commercial purposes. Consequently, said
treatment becomes invalid insofar as it lacks a legitimate basis by not requesting the
Informed consent of the interested party so that it can be carried out.
In this sense, the Guidelines on automated individual decisions and
Profiling for the purposes of Regulation 2016/679 indicates that “The
Transparency of treatment is a fundamental requirement of the GDPR.
The profiling process is usually invisible to the person concerned. It works
creating derived or inferred data about people ("new" personal data
that have not been directly provided by the interested parties themselves). People
have different levels of understanding and may find it difficult to understand
complex techniques of profiling and decision-making processes
automated.
According to article 12, paragraph 1, the data controller must provide the data
stakeholders concise, transparent, intelligible and easily accessible information about the
processing of your personal data.
With regard to the data obtained directly from the interested party, these must
be provided at the time they are obtained (article 13); regarding the data
Obtained indirectly, the information must be provided within the established deadlines
in article 14, paragraph 3 "
More specifically, it must be reiterated that the aforementioned guidelines, in the point relating to
the legal bases of the treatment, in particular that relating to consent, indicate
that “The WG29 guidelines on consent generally address the
consent as the basis of treatment. Explicit consent is one of the
exceptions to the prohibition on automated decisions or the preparation of
profiles defined in article 22, paragraph 1.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 125/133
Profiling can be opaque and is often data driven
derived or inferred from other data, rather than information provided directly
by the interested party.
Those responsible for the treatment that intend to be based on consent as
Basis for profiling should demonstrate that stakeholders understand
exactly what they are consenting to, and they should remember that consent is not
always a suitable basis for treatment. In all cases, the interested parties
should have sufficient information on the intended use and consequences of the
treatment to ensure that any consent they give constitutes a
informed choice. "
From all this it can be concluded that the consent given for the purposes of
profiling described in the facts of this agreement is not in accordance with the provisions
in article 4.7 GDPR. It is not specific, because it does not meet the requirement of
separation of the purposes and provision of consent for each of them, nor is it
duly informed. The absence of such requirements determines that it does not
is valid so that the treatments based on it lack legitimacy
thus contravening the provisions of article 6 of the RGPD.
Consequently, in accordance with the findings set forth, the aforementioned
facts could suppose a possible violation of article 6 of the RGPD, in relation to
with article 7 of the same legal text and article 6 of the LOPDGDD, which gives rise to the
application of the corrective powers that article 58 of the RGPD grants to the Agency
Spanish Data Protection.
V
In the event of an infringement of the provisions of the RGPD, between
the corrective powers available to the Spanish Agency for the Protection of
Data, as a control authority, article 58.2 of said Regulation contemplates the
following:
“2 Each supervisory authority shall have all the following corrective powers
listed below:
(…)
d) order the person in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,
in a certain way and within a specified time frame;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of
the measures mentioned in this section, according to the circumstances of each
particular case;".
According to the provisions of article 83.2 of the RGPD, the measure provided for in the letter
d) above is compatible with the sanction consisting of an administrative fine.
SAW
In the present case, the breach of article 6.1 has been proven.
of the RGPD with the scope expressed in the previous Fundamentals of Law, as
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 126/133
that, supposes the commission of an infraction typified in article 83.5 of the same
rule that under the heading "General conditions for the imposition of fines
administrative ”provides the following:
5. "Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total annual global business volume of the previous financial year, opting for
the highest amount:
a) the basic principles for the treatment, including the conditions for the treatment
consent in accordance with articles 5, 6, 7 and 9 "
In this regard, the LOPDGDD, in its article 71 establishes that “They constitute
offenses the acts and conducts referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law ”.
For the purposes of the limitation period, article 72 of the LOPDGDD indicates:
Article 72. Violations considered very serious
"1. Based on what is established in article 83.5 of Regulation (EU) 2016/679
are considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:
(…)
a) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the
Regulation (EU) 2016/679.
(…) "
In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, provisions that state:
"1. Each supervisory authority will guarantee that the imposition of fines
administrative regulations pursuant to this article for the infractions of this
Regulations indicated in paragraphs 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each
individual case, as an additional or substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administrative and its amount in each individual case will be duly taken into account:
a) the nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operation in question as well
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 127/133
such as the number of interested parties affected and the level of damages that
have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to
mitigate the damages and losses suffered by the interested parties;
d) the degree of responsibility of the person in charge or the person in charge of the treatment,
taking into account the technical or organizational measures that have been applied by virtue of
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
f) the degree of cooperation with the supervisory authority in order to remedy the
infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority learned of the infringement, in
in particular if the person in charge or the person in charge notified the infringement and, if so, in what
measure;
i) when the measures indicated in article 58, paragraph 2, have been ordered
previously against the person in charge or the person in charge in relation to the
same issue, compliance with said measures;
j) adherence to codes of conduct under Article 40 or to mechanisms of
certification approved in accordance with Article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, direct or
indirectly, through the offense. "
For its part, article 76 "Sanctions and corrective measures" of the LOPDGDD
has:
"1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.
2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
The following may also be taken into account:
a) The continuing nature of the offense.
b) The linking of the activity of the offender with the performance of treatment of
personal information.
c) The benefits obtained as a result of the commission of the offense.
d) The possibility that the affected person's conduct could have induced the commission
of the offense.
e) The existence of a merger by absorption process after the commission of the
infringement, which cannot be attributed to the absorbing entity.
f) Affecting the rights of minors.
g) Have, when not mandatory, a data protection officer.
h) The submission by the person in charge or in charge, on a voluntary basis, to
alternative dispute resolution mechanisms, in those cases in which
there are controversies between those and any interested party. "
In this case, considering the seriousness of the violation found, the
imposition of fine.
The request made by CAIXABANK PAYMENTS &
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 128/133
CONSUMER EFC, EP, S.A.U so that other corrective powers are imposed,
specifically, the warning, taking into account the provisions of recital
148 of the RGPD according to which “In order to reinforce the application of the rules of this
Regulation, any infraction of this must be punished with sanctions, including
administrative fines, in addition to adequate measures imposed by the
supervisory authority by virtue of this Regulation, or in substitution of these. On
case of a minor offense, or if the fine likely to be imposed constitutes
a disproportionate burden for a natural person, instead of a sanction by means of
fine may be imposed a warning. It must nevertheless be paid special
attention to the nature, severity and duration of the offense, its character
intentional, to the measures taken to alleviate the damages suffered, to the degree
liability or any prior relevant infringement, to the way in which the
control authority has had knowledge of the infringement, to the fulfillment of
measures ordered against the person in charge or in charge, adhering to codes of
conduct and any other aggravating or mitigating circumstance. "
For the same reasons, and considering the graduation criteria of the
sanctions that are indicated below, the petition for
imposition of a sanction in its minimum degree.
Nor is it possible to admit the allegation that, in the use of the criteria of
graduation of the sanction, this Agency is separated from the administrative precedent
must motivate the change of criteria according to article 35.1.c) of the LACAP. According
CPC serves as an example PS / 0070/2019 stating that an application is appreciated
different from the criteria that allow the sanction to be graduated, since, according to CPC
similar imputed facts only take into account two criteria of
graduation compared to those contained in the proposed resolution of this
process. This Agency, to determine the sanction to impose in each case,
takes into account the elements established in article 83 of the RGPD, as well as the
established in article 76.2 of the LOPDGDD, justifying the application of each one
of them depending on the circumstances of each specific case.
In accordance with the transcribed precepts, in order to set the amount of the
fine sanctions to be imposed in the present case on the defendant, as responsible for
offenses typified in article 83.5.a) and b) of the RGPD, the fine should be graduated
that would correspond to impose for the imputed infraction as follows:
Infringement for breach of the provisions of article 6 of the RGPD, in relation to
with article 7 of the same legal text and article 6 of the LOPDGDD, typified in the
article 83.5.a) and classified as very serious for the purposes of prescription in article
72.1.b) of the LOPDGDD:
It is estimated that the following factors concur as aggravating factors that
reveal greater unlawfulness and / or culpability in the conduct of the entity
CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U .:
- The nature, severity and duration of the offense, taking into account the
nature, scope or purpose of the processing operations in question;
the offense results from the procedure designed by said entity for the collection
of the consent to carry out profiles for commercial purposes to their clients,
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 129/133
that involves a significant risk to the rights of the data subjects taking into account
note the particularly intrusive nature of such data processing.
This entity alleges that “We are not facing a case in which CPC has
radically dispensed with the obligations related to obtaining
consents, without prejudice to the fact that the AEPD considers that it would be necessary to correct
certain issues, which could lead to improvements in the way in which
they collect the consents. " It also alleges that the Agency does not argue that
consists of this significant risk and the intrusive nature of the treatment, which leads to
wonder if sending commercial communications to customers is
particularly intrusive, which processing of personal data will not be
especially intrusive
This Agency considers that it is an infringement that affects the procedure
through which consent is obtained and which affects in particular two
essential elements of this, that is, that consent is specific and
informed. It is therefore not a question of mere improvements in the procedure, but rather that the
Failure to comply with these two requirements determines that the consent accrues
invalid. Nor is it a mere sending of commercial communications, but
of performing profiling treatments.
- The intentionality or negligence appreciated in the commission of the offense;
the defects indicated in the procedure by which the
consent of their clients, given their evidence they should be warned and
avoided when designing said procedure by an entity with the characteristics of
CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
- The high link between the activity of the offender and the performance of
processing of personal data. The operations that constitute the activity
business developed by CAIXABANK PAYMENTS & CONSUMER EFC, EP,
S.A.U. as an entity dedicated to the commercialization of credit cards or
debit, credit accounts and loans, involve operations of treatment of
personal information.
This entity affirms that in no case, its main activity is the treatment of
personal data of your customers beyond what is necessary
for the development of that main activity, nor does it benefit
financially from the processing of the personal data of its clients. To this
In this regard, it should be taken into account that among its commercial activities
find the one for sending commercial communications to your entity clients
third parties with which it has commercial agreements.
It also states that the AEPD departs from the intention of the legislator who is directed
to consider aggravating the fact that the processing of personal data is the
main activity of a business nature, not an instrument; hence
refers to "high linkage", otherwise it would be concluded that the
The mere fact of processing personal data would always be an aggravation. If he
The legislator would have intended it to do so and would not have qualified that such a link should
be "high
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 130/133
This Agency does not share such an interpretation. Article 76.2.b of the LOPDGG
establishes as a criterion for graduation of the offense “the linkage of the
activity of the offender with the performance of personal treatments ”. Saying
precept does not make any reference to its being high, as stated by CPC, but rather to the
fact that such a link exists, an element that this Agency has valued as
high for the reasons stated.
- The status of a large company of the responsible entity and its volume of
business. The volume of business of the entity according to the information obtained has
been € 872,976,000 during the year 2019. For information purposes you must also
It should be noted that the turnover of the CaixaBank Group as of December 31, 2020
it is estimated at twelve thousand one hundred seventy-two million euros.
This Agency does not share the allegation that they have been used to determine
tion of the fine, both CPC's turnover figure and that of the Group
CaixaBank, in which that one would already be included. The Group's turnover
CaixaBank is mentioned for informational purposes to highlight that the fine is pro-
proportional and dissuasive, as required by article 83.1 of the RGPD.
- High volume of data and treatments that constitutes the object of the
proceedings. It deals with a large volume of data and the following typologies: data
identifying, financial, sociodemographic and socioeconomic, which allow
carry out an exhaustive profile of the interested parties.
- High number of interested parties. The number of stakeholders (clients) whose
data were treated in the development of the profiling activity associated with the
Proactive Scoring activity for commercial purposes amounts to (…).
It requests that the effort made during the
recent years, especially since the entry into application of the RGPD, to
provide its clients with relevant information about the processing of their data
adequately and the implementation of a series of measures aimed at that improvement
in the collection of consents. It also alleges that CPC has been proactive and
diligent in responding to any requirements of the Agency.
In the opinion of this Agency to provide information to its clients, it is an obligation that
derives from the RGPD and that must be done in the manner required by it, therefore, the fact
to provide information to its clients, regarding the treatment object of the
this procedure, this Agency considers precisely that it is not appropriate, not
it can be considered as a mitigating factor. Regarding the measures adopted, these
focus on modifying the privacy policy on their website, without
However, the information provided to the client when obtaining consent is
found in the document called GENERAL CONDITIONS OF THE
APPLICATION-CREDIT AGREEMENT, document that has not been modified as the
CPC itself recognizes in its response to the request made during the period
evidence, so it cannot be considered that sufficient measures have been taken
to remedy the infringement or mitigate its possible adverse effects. For him
On the contrary, different information is provided in said document and in the
privacy, so that the information provided to the interested party is not uniform.
On the other hand, meeting the information requirements of the Administration does not
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 131/133
constitutes a mitigating factor contemplated in the data protection regulations.
Considering the exposed factors, the valuation of the fine for the
The offense charged is 3,000,000 euros.
VII
In accordance with the provisions of article 58.2.d) of the RGPD, each authority
control may “order the person in charge of the treatment that the
processing operations comply with the provisions of this Regulation,
where appropriate, in a certain way and within a specified period… ”.
In this case, considering the circumstances expressed in relation to the
appreciated breaches, it is necessary to require CAIXABANK PAYMENTS &
CONSUMER EFC, EP, S.A.U. so that, within the period indicated in the part
operative, adapt to the personal data protection regulations the
procedures by which consent is obtained to create profiles
for commercial purposes with the scope and in the sense expressed in the
Fundamentals of Law of this act.
It is noted that not meeting the requirements of this body may be
considered as a serious administrative offense by “not cooperating with the Authority
of control ”before the requirements made, being able to assess such conduct to the
time of the opening of an administrative procedure punishable by a fine
pecuniary.
Therefore, in accordance with the applicable legislation and assessed the criteria of
graduation of sanctions whose existence has been proven,
the Director of the Spanish Agency for Data Protection RESOLVES
FIRST: Impose on the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP,
S.A.U., with NIF A08980153, for an infringement of Article 6.1 of the RGPD, typified in
Article 83.5 of the RGPD, and classified as very serious for the purposes of prescription in the
Article 73 of the LOPDGDD, with a fine of 3,000,000 euros (three
millions of euros).
SECOND: Require the entity CAIXABANK PAYMENTS & CONSUMER EFC, EP,
S.A.U within 6 months adopt the necessary measures to adapt to the
personal data protection regulations the procedures through which
collects their clients' consent to create profiles for the purpose
commercial, with the scope expressed in Law Foundation VII. Within the term
indicated, CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U, must justify
before this Spanish Data Protection Agency the attention of this
request.
THIRD: NOTIFY this resolution to CAIXABANK PAYMENTS &
CONSUMER EFC, EP, S.A.U.
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 132/133
FOURTH: Warn the sanctioned person that the sanction imposed by a
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure
Common of Public Administrations (hereinafter LPACAP), within the payment period
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number
procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened in the name of the Agency
Spanish Data Protection in the banking entity CAIXABANK, S.A .. In case
Otherwise, it will be collected in the executive period.
Received the notification and once executive, if the date of execution is found
Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment
volunteer will be until the 20th of the following or immediately subsequent business month, and if
between the 16th and the last day of each month, both inclusive, the payment term
it will be until the 5th of the second following or immediately subsequent business month.
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the
Director of the Spanish Agency for Data Protection within a month to
counting from the day after the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National High Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-administrative jurisdiction, within two months from the
day following notification of this act, as provided in article 46.1 of the
referred Law.
Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,
may provisionally suspend the final resolution through administrative channels if the
interested party expresses his intention to file contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact through
writing addressed to the Spanish Agency for Data Protection, presenting it through
of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica-
web /], or through any of the other records provided for in art. 16.4 of the
cited Law 39/2015, of October 1. You must also transfer to the Agency the
documentation that proves the effective filing of the contentious appeal-
administrative. If the Agency is not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the
notification of this resolution would terminate the precautionary suspension.
938-131120
Mar Spain Martí
Director of the Spanish Agency for Data Protection
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es 133/133
C / Jorge Juan, 6 www.aepd.es
28001 - Madrid sedeagpd.gob.es
