
AEPD (Spain) - EXP202213437

From GDPRhub
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR
Article 25 GDPR
Article 32 GDPR
Type: Complaint
Outcome: Upheld
Started: 19.10.2023
Decided: 17.03.2025
Published: 21.03.2025
Fine: 3500000 EUR
Parties: Caixabank SA
National Case Number/Name: EXP202213437
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: cwa

A bank was fined €3,500,000 for failing to implement appropriate technical and organisational measures after customers were given access to accounts they were not authorised to access.

English Summary

Facts

Two data subjects held accounts with Caixabank (the controller). Data subject one held two accounts in their own name, on which their mother was an authorised person. Data subjects one and two also shared a third account, with no other authorised person on it.

Due to an error in the controller's systems, data subject one could not perform any action on the third account via online banking without the signature of their mother (who was not an authorised person on that account). Furthermore, data subject one's mother was able to see card information relating to the third account.

In January 2021, the data subjects attempted to resolve the issue through the controller's customer service department, to no avail.

In February 2021, the data subjects filed a formal complaint with the controller. The controller's legal representative offered a settlement of €150 in exchange for the withdrawal of the complaint, which the data subject rejected as the matter remained unresolved.

On 19 October 2023, the data subjects filed a complaint with the AEPD (Spanish DPA).

Holding

The DPA was critical of the failure of the controller’s system to prevent unauthorised access to bank account information, despite the repeated requests from the data subjects. Accordingly, the DPA ruled that the controller violated Article 5(1)(f) GDPR.

The DPA also found that the unauthorised access was attributable to a failure on the controller’s part to implement appropriate technical and organizational security measures. The DPA held that the controller thus also violated Article 32 GDPR.

Furthermore, the DPA attributed the unauthorised access to the poor design of the bank’s online banking system. The DPA rejected the argument from the controller that the issue was attributable to the data subject’s configuration of the display of their account, finding that an appropriate banking application should not allow access to anyone who is not the account holder or authorized person. The DPA thus found the design of the online banking system to be deficient, thus violating Article 25 GDPR.

The DPA imposed a fine of €3,500,000 on the controller for these infringements. The controller was also required to implement the technical and organisational measures necessary to ensure the confidentiality of customers' banking data on its online banking platform.
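The design point behind the Article 25 finding is that a product must be visible (and a co-signature demanded) only through a role on the account the product is linked to, not through who owns the online-banking contract. The example below is added here to show that check in working code; it is not CaixaBank's code or any text of the decision. The data model, the function names (`entitled_products`, `excess_visibility`, `required_signers`), the "contract-scoped" functions that mimic the reported behaviour, and the sample accounts and card references are constructed assumptions for illustration only.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Account:
    ref: str
    holders: frozenset[str]
    authorized: frozenset[str] = frozenset()


@dataclass(frozen=True)
class Card:
    ref: str
    account_ref: str  # the account this card is linked to


def has_role_on_account(person: str, account: Account) -> bool:
    """Only a holder or an authorized party has any right on an account."""
    return person in account.holders or person in account.authorized


def entitled_products(person: str, accounts: list[Account], cards: list[Card]) -> set[str]:
    """Least-privilege entitlement: each product is visible only through a role on the
    account it is linked to, never through who owns the online-banking contract."""
    by_ref = {a.ref: a for a in accounts}
    visible = {a.ref for a in accounts if has_role_on_account(person, a)}
    visible |= {c.ref for c in cards if has_role_on_account(person, by_ref[c.account_ref])}
    return visible


def contract_scoped_products(viewer: str, contract_owner: str, contract_authorized: frozenset[str],
                             accounts: list[Account], cards: list[Card]) -> set[str]:
    """Constructed model of the behaviour the complaint describes (not the bank's actual
    logic): an authorized party on the owner's online-banking contract inherits visibility
    of every product the owner holds, including accounts and cards where the viewer has
    no role at all."""
    if viewer != contract_owner and viewer not in contract_authorized:
        return set()
    owner_accounts = {a.ref for a in accounts if contract_owner in a.holders}
    return owner_accounts | {c.ref for c in cards if c.account_ref in owner_accounts}


def excess_visibility(person: str, configured: set[str],
                      accounts: list[Account], cards: list[Card]) -> set[str]:
    """Reconciliation check a controller can run over its configuration: products the
    configured view exposes to a person beyond what their account roles entitle them to."""
    return configured - entitled_products(person, accounts, cards)


def required_signers(initiator: str, account: Account) -> set[str]:
    """Account-scoped signature rule: someone without a role on the account can neither
    initiate a transaction on it nor be demanded as a co-signer for it."""
    if not has_role_on_account(initiator, account):
        raise PermissionError(f"{initiator} has no role on account {account.ref}")
    return {initiator}


def contract_scoped_signers(initiator: str, contract_authorized: frozenset[str]) -> set[str]:
    """Constructed model of the reported behaviour: the contract-level authorized party is
    demanded as co-signer on every product, regardless of any role on that account."""
    return {initiator} | set(contract_authorized)


# Constructed sample data mirroring the facts in the summary: claimant 1 holds two accounts
# with her mother as authorized party, and a joint account with claimant 2 that has three
# linked cards and no authorized party. Refs are placeholders, not the decision's values.
CLAIMANT_1, CLAIMANT_2, MOTHER = "claimant1", "claimant2", "mother"
ACCOUNTS = [
    Account("ACC-2", frozenset({CLAIMANT_1}), frozenset({MOTHER})),
    Account("ACC-3", frozenset({CLAIMANT_1}), frozenset({MOTHER})),
    Account("ACC-1", frozenset({CLAIMANT_1, CLAIMANT_2})),
]
CARDS = [Card("CARD-A", "ACC-1"), Card("CARD-B", "ACC-1"), Card("CARD-C", "ACC-1")]
JOINT_ACCOUNT = ACCOUNTS[2]

if __name__ == "__main__":
    configured = contract_scoped_products(MOTHER, CLAIMANT_1, frozenset({MOTHER}), ACCOUNTS, CARDS)
    print("contract-scoped view for mother:", sorted(configured))
    print("entitled view for mother:       ", sorted(entitled_products(MOTHER, ACCOUNTS, CARDS)))
    print("excess exposure to fix:         ", sorted(excess_visibility(MOTHER, configured, ACCOUNTS, CARDS)))
    print("co-signers demanded, contract-scoped:", sorted(contract_scoped_signers(CLAIMANT_1, frozenset({MOTHER}))))
    print("signers required, account-scoped:    ", sorted(required_signers(CLAIMANT_1, JOINT_ACCOUNT)))
```

Run against the constructed data, `excess_visibility` reports the joint account and its three cards as exposed to the mother under the contract-scoped view, which is exactly the class of exposure the DPA attributed to the platform's design; `required_signers` refuses to name her as a signer on that account at all. The useful design choice is that entitlement is recomputed from account roles on every request, so a configuration or "control mark" error cannot widen what a person can see.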


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.


 File No.: EXP202213437

SANCTIONING PROCEDURE RESOLUTION

From the procedure initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND ........................................ 4
FIRST ............................................. 4
SECOND ............................................ 6
THIRD ............................................. 6
FOURTH ............................................ 6
FIFTH ............................................ 20
SIXTH ............................................ 20
SEVENTH .......................................... 20
EIGHTH ........................................... 36
NINTH ............................................ 36
TENTH ............................................ 37
PROVEN FACTS ..................................... 58
FIRST ............................................ 58
SECOND ........................................... 58
THIRD ............................................ 60
FOURTH ........................................... 60
FIFTH ............................................ 61
SIXTH ............................................ 61
SEVENTH .......................................... 61
EIGHTH ........................................... 61
NINTH ............................................ 61
TENTH ............................................ 62
ELEVENTH ......................................... 62
TWELFTH .......................................... 63
THIRTEENTH ....................................... 64
28001 – Madrid 6 sedeagpd.gob.es 2/89

FOURTEENTH ....................................... 64
FIFTEENTH ........................................ 65
SIXTEENTH ........................................ 65
SEVENTEENTH ...................................... 66
LEGAL BASIS ...................................... 67
I Jurisdiction ................................... 67
II Preliminary questions ......................... 67
III Response to the allegations in the initiation agreement ..... 68
IV Response to the allegations in the proposed resolution ....... 71
V Article 5.1.f) of the GDPR ..................... 83
VI Classification of the infringement of Article 5.1.f) of the GDPR ..... 84
VII Penalty for violation of Article 5.1.f) of the GDPR ........ 85
VIII Article 32 of the GDPR ...................... 88
XI Article 25 of the GDPR ........................ 94
XII Classification of the violation of Article 25 of the GDPR ..... 97
XIII Penalty under Article 25 of the GDPR ........ 97
XIV Liability ................................... 100
XV Measures ..................................... 101
RESOLVES ........................................ 101

BACKGROUND

FIRST:

On October 19, 2022, A.A.A., on behalf of B.B.B. and C.C.C. (hereinafter, Claimant 1 and Claimant 2, respectively) filed a complaint with the Spanish Data Protection Agency.

The complaint is filed against CAIXABANK, S.A., with Tax Identification Number (NIF) A08663619 (hereinafter, the respondent).

The grounds for the complaint are as follows:

The claimants' representative states that her clients are customers of the respondent. Claimant 1 has three accounts with said entity: two on which she is the account holder and her mother the authorized party, and a third (ending in ***REFERENCE.1, hereinafter the joint account) on which Claimant 1 and Claimant 2 are joint account holders, with no other person listed as either account holder or authorized party.

She states that, when Claimant 1 attempts to carry out any transaction on her accounts through online banking, the signature of the authorized person is required not only if she does so from one of the two accounts on which her mother is authorized, but also if she wants to carry out a transaction on the account of which Claimant 2 is a co-holder (the one ending in ***REFERENCE.1) and on which Claimant 1's mother is not listed as authorized.

Furthermore, when the authorized person on two of the accounts for which Claimant 1 is the holder accesses the personal area through "CaixaBankNow," she can view not only the information regarding the accounts and products linked to them for which she is listed as authorized, but also the information regarding the cards linked to the third account (ending in ***REFERENCE.1), over which she has no authority, either as owner or as authorized person.

Following the incident, she filed numerous complaints with the respondent, as well as a complaint with the Bank of Spain, without resolving the incident.

The complaint states that "The initial response given to Complainant 1 is that at some point in 2009 she signed a "futures contract," without specifying which one or providing the alleged document signed by B.B.B. and D.D.D., by which the latter would have access to all this information."

Relevant documentation provided by the complainant:

- Thread of emails between Complainant 1 and her CaixaBank manager (from January 14 to February 17, 2021).
- Copy of Claimant 1's complaint, bearing the respondent's receipt stamp dated February 17, 2021.
- Response dated March 23, 2021, confirming receipt of the complaint.
- Email exchanges between Claimant 1 and the respondent's Data Protection Department (on February 19 and 21, 2021).
- Documentation regarding the procedure followed before the Bank of Spain (claim filed on ***DATE.1), including the following:
  - Caixabank's friendly settlement proposal (***DATE.2) offering financial compensation and the signing of a withdrawal agreement of the claim, with the respondent adding the following: "It appears that there was a technical issue with the users of claimant 1 and her mother, and that it should be resolved by providing new passwords with correct access to claimant 1 and her mother."
  - Letter from claimant 1 to the Bank of Spain in which she communicates that the issue has not been resolved, rejects the friendly settlement proposal, and requests that the processing of the claim be continued.
  - Report from the Bank of Spain (dated ***DATE.3) indicating that the respondent's actions could have violated transparency regulations, in addition to failing to diligently correct the incident or error. Among the arguments in said report (section 1, general criteria) is the following:

"Authorized parties are persons who, with the express consent of the account holders, may generally dispose of the balance in the account. They are not authorized to modify the terms of the contract, cancel the account, or make withdrawals from the account after the death of the account holder. Authorized party status is obtained by express authorization of the account holder(s) and is usually in writing. It is banking custom and practice to collect the signatures of both the holders and the authorized persons at that time."

In section 2 (study of the specific circumstances at hand) the following is stated: the entity, in its two written allegations, acknowledges the incident or error and reports that it has resolved it. As documentation attached to its allegations, it only provides the email it sent to the claimant on July 8, 2021, in which its lawyers stated that, as discussed over the phone, they wished to convey to the claimant CaixaBank's willingness to find an amicable solution to the situation and that, since there had been a technical incident with users, the branch would initiate the procedures to verify that the passwords were issued correctly before summoning them to deliver them. To compensate her for the delay in resolving the case, they would offer her compensation of €150.

- A copy of the claim filed by Claimant 2 with the Respondent (on October 5, 2021).
- A copy of the Respondent's response to this letter filed by Claimant 2 (dated October 27, 2021), indicating that the matter is being resolved before the Bank of Spain.

SECOND:

In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), on February 21, 2022, this complaint was forwarded to the respondent so that it could analyze it and inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.

On February 10, 2023, the respondent submitted a written response to the transfer, stating the following:

"In light of the complaint submitted by this Agency, CaixaBank has reviewed the operations and authorizations enabled in the complainant's Online Banking service (CaixaBank NOW). This review has not verified the allegations in her complaint regarding the visibility of her products by other authorized users in her Online Banking service and the need for these authorized users to sign when the complainant carries out transactions on the products she intends to operate.

For all these reasons, we have requested that the complainant hold a personal interview with the specialized technical team at CaixaBank NOW, as well as the client's usual manager, in order to restore and reconfigure the authorizations for her products according to her instructions and clarifications. Attached is a communication sent to the email address provided by the client, to which we await a response by reply to this writing. Annex I."

The communication referred to in Annex I of the response to the transfer is an email sent from: DATA PROTECTION OFFICER to the email address of complainant 1 on February 9, 2023.

THIRD:

On January 19, 2023, in accordance with Article 65 of the LOPDGDD, the complaint filed by the complainant was admitted for processing.

FOURTH:

The Subdirectorate General for Data Inspection carried out preliminary investigative actions to clarify the facts in question, pursuant to the functions assigned to supervisory authorities in Article 57.1 and the powers granted in Article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with Article 65 of the LOPDGDD and Title VII, Chapter I, Section Two, of the LOPDGDD, and established the following:

Complainant 1 informed the respondent of the facts contained in the complaint filed with the AEPD:

Thus, she provided several emails dated January 11, 2021, and January 14, 2021, between herself and atencion.clientes@contactcenter.caixabank.com, which included screenshots of the digital piggy bank and the following messages: "You have correctly prepared the transaction and have sent it to the required signatories for signature," with claimant 1 and her mother listed as the signatories, and "Your request for multi-signatures has been successfully processed, but we have not been able to notify all the signatories. The transaction will be finalized when all the necessary signatories have confirmed it," although it is not clear which account is associated with the digital piggy bank.

She also provides several emails exchanged with her personal manager at CAIXABANK between February 10, 2021, and February 17, 2021, in which Claimant 1 again states that her mother has access to view her accounts, both those of which she is the sole owner and those of which she is a joint owner with Claimant 2. She can view these accounts as well as the cards associated with them, the mortgage, the PIAS, etc.

She also provides a written complaint regarding the transfer of data to third parties, addressed to the Customer Ombudsman or Customer Service and dated February 16, 2021, in which she states the following facts:

1. That in order to carry out "piggy bank creation" type transactions in any of her accounts, whether held exclusively or jointly with Claimant 2, Claimant 1 requires both her own signature and that of her mother.

2. Data transfer by La Caixa to a third party without authorization:

- All cards linked to the account ending in ***REFERENCE.1 (there are 3 cards) are viewed by a person who is neither the owner nor authorized for said account.

- Everything linked to accounts ***REFERENCE.2 and ***REFERENCE.3, mortgages, life insurance, home insurance, PIAS cards, etc., is viewed by the authorized person on those accounts.

- These facts have already been repeatedly reported to your branch,
without these incidents having been corrected as of the date of this writing.

She requests that the appropriate instructions be issued so that:

- That La Caixa correct the signature error.

- That the futures contract be sent.

- Solutions to the enormous problem of transferring the data of both Claimant 1 and Claimant 2 to a person without prior authorization.

- Cancellation of the alleged futures contract.

It also provides the response dated March 23, 2021, from CaixaBank's Customer Service Department, stating that the complaint has been received and that they will try to resolve it as soon as possible.


It also provides the communications sent to the email address delegado.proteccion.datos@caixabank.com between February 19, 2021, and February 21, 2021, informing it of the facts of the complaint.

And it provides the communications sent to caixabank@fyrlegal.com. In these communications, acting as attorneys for CAIXABANK, a settlement proposal is sent in response to the claim filed by Claimant 1, indicating that the incidents in the claim have been resolved and that, in exchange for waiving any further claims, the claimant will be compensated with €150. In these communications, Claimant 1 expresses her disagreement with the resolution of the claim and at no point accepts the proposed compensation.

The respondent was aware of the facts in question, since they were brought to its attention through various email threads.

In the Report of the Bank of Spain's Institutional Conduct Department regarding the complaint filed by B.B.B. against CAIXABANK, S.A., dated December 23, after focusing the object of the complaint filed with the Bank of Spain on the fact that "the complainant (1) states that she has three accounts and her mother is authorized on two of them, and on another (number ending in ***REFERENCE.1) she shares ownership with another person, C.C.C. She expresses her disagreement because, she says, her mother has access to information about the third account and associated cards, as well as to the products associated with the first two accounts (insurance, mortgage, loans, etc.), for which she did not grant her authorization. She accuses the bank of thus violating her rights and those of the other co-holder.

She states that she reported this fact to the entity in January 2021 and subsequently filed a complaint, but the entity did not provide a response.

It also includes the defendant's allegations, stating that it "requests the dismissal of the case again due to trespass and states that it has made the appropriate adjustments to its control marks (replacing the "representative" mark with the "authorized" mark), the source of the administrative error, which automatically updates and corrects the viewing rights of the claimant's mother. It states that on that date, the claimant's mother could make inquiries, through the CaixaBankNow online digital banking service, only regarding the products for which she is authorized: current account numbers ...***REFERENCE.2 and ...***REFERENCE.3."

And the claimant's allegations regarding the above statements by the respondent in the following terms: "She states that, although the documentation provided by CAIXABANK indicates that everything is resolved, as of that date (02/09/2021), this is a lie and she provides demonstration videos."

The report then sets out the "Opinion of the Department" where, after establishing the following "General Criteria": "Authorized persons are persons who, with the express consent of the account holders, may generally access the balance in the account (...)". "(...) Authorized-person status is obtained by express authorization of the account holder(s) and usually in writing, it being banking custom and practice to collect at that time the signatures of both the account holders and the authorized persons."

And that "This Department has reiterated that, in general, the authorized person's powers of action will depend on the signed authorization document."

Stating in the "Study of the particular circumstances that concur here" that:

"In this case, the claimant (1) is the holder of three accounts and states that she has authorized her mother on only two of them. She provides videos that show that her mother, using her online username, has access to information about all of her (the claimant's) products, including an account and products for which she was not authorized. The entity, in its two written statements, acknowledges the incident or error and reports that it has been resolved." And that "The complainant (1), however, in her various communications, the most recent of which was dated September 2, 2021, indicates that the problem remained unresolved and provides demonstrative videos."

Concluding in its report that "This Department considers that the entity's actions could have violated transparency and customer protection regulations, (...) to the extent that, the account holder having expressed her disagreement with the authorized party's access to information about her products, it did not respond to the complaint in a timely manner, nor did it demonstrate that it diligently corrected the incident or error."

On May 24, 2023, the respondent was sent a request for information to clarify the facts contained in the complaint filed by the complainant, in the following terms:

1. The provision of technical reports or recommendations prepared by the Data Protection Officer or the security officer, regardless of their format, regarding the processing for which information is requested, as well as any subsequent actions taken, or lack thereof, arising from the aforementioned technical reports or recommendations.

2. The decision adopted in connection with this complaint.

3. A report on the causes that led to the incident that gave rise to the complaint.

4. A report on the measures adopted to prevent similar incidents from occurring, their implementation dates, and controls carried out to verify their effectiveness.

5. Any other information deemed relevant. In addition, information must be provided regarding:

6. The data CAIXABANK has regarding the account holders and authorized users of the three accounts referred to in the claim, and regarding the products linked to them. The contracts under which this data is held must be provided.


7. If B.B.B. and her mother signed a "futures contract" in 2009, a copy of said contract must be provided.

8. What procedure does CAIXABANK follow to allow its customers to operate through online banking if there are account holders and authorized users on the same account? Specifically, the transactions for the three accounts for which the signature of a D.D.D. has been requested must be provided, from January 2021 to the date of this request.

9. In relation to Caixabank's online banking application (Caixabank Now), what protocols does CAIXABANK have in place for account holders and authorized users to access the accounts and the services associated with them through said application? Specifically, what access or authorizations has CAIXABANK had in relation to the three accounts subject to the D.D.D. claim, from January 2021 until the date of this request, through said application?

10. What security measures, related to data protection, have been established in Caixabank's online banking application (Caixabank Now) to ensure that only authorized users can access it?

11. What security measures does CAIXABANK have in place to prevent potential technical incidents and prevent events such as those described in this claim from occurring?

12. What involvement has the Data Protection Officer had in relation to the measures adopted? Any technical reports or recommendations made in this regard must be provided.

On June 16, 2023, the respondent filed a written response to the request in which it stated, among other things, that in relation to the aforementioned request, it was submitting the following information/documentation:

Regarding point 1 of the request, the respondent states that "The Data Protection Officer has coordinated, together with the Entity's security officers, the analysis of B.B.B.'s complaint and, given the impossibility of reproducing the incidents described by the Complainant (1), proposed holding a meeting with her in which, accompanied by specialists in the Entity's online banking applications, an attempt would be made to reproduce the alleged errors and, if it was determined that there was no technical incident but rather an incorrect display configuration by the user, she would be assisted in configuring the accesses according to her requirements. This suggestion was adopted and forwarded to the Complainant (1) and the AEPD.

In compliance with the DPO's recommendation, CaixaBank attempted to hold an in-person appointment with the Complainant (1) at its managing office in order to configure, according to her preferences, the rights to operate and view her products for the authorized users designated in her Online Banking contract.

The Complainant (1) has declined on several occasions through her manager to hold this in-person appointment to review her viewing and operating preferences for her authorized users. Therefore, it has been impossible for CaixaBank to determine whether the current configuration of the Complainant's (1) Online Banking contract meets her preferences.

In turn, CaixaBank has reviewed the various viewing options and operating powers regarding the Claimant's (1) Online Banking contract (CaixaBankNOW) since D.D.D. was registered therein, not detecting any incidents and confirming the following aspects: (screenshots of each authorization are attached)

i. On February 3, 2021, Claimant (1), B.B.B., signed up for Online Banking (CaixaBankNOW contract). In the registration process for this Online Banking contract, Claimant (1) included her mother, D.D.D. as authorized in this contract, with a level of "All allowed," which, as stated in the contract signed by the Claimant (1), authorizes this agent to operate on the products for which viewing is permitted, specifically the accounts ending in ***REFERENCE.2 and ***REFERENCE.3 and the products linked to these accounts. The CaixaBank NOW contract signed by the Claimant is attached as Annex I.

ii. On August 4, 2021, at the request of the Claimant (1), a modification was made to the options described in the previous point regarding the viewing and management established in the registration for DDD, changing the viewing level from "All allowed" to "Custom" and expanding visibility into the Claimant's accounts. Specifically, the accounts ending in ***REFERENCE.2, ***REFERENCE.3, ***REFERENCE.1 were allowed to be viewed.

iii. On August 10, 2021, at the request of the Complainant (1), the managing office excluded other products from the authorized party's view. As can be seen in the attached image, the authorized party has no view of them on this date.

iv. On August 11, 2021, the Claimant (1) made another modification to the authorized party's viewing options in her Online Banking contract at her managing office, which remains the status as of the date of this claim. According to this modification by the Claimant, the authorized party, D.D.D., was once again authorized to view the Claimant's card contracts and all of her accounts.

For all these reasons, and as of the date of receipt of this complaint, we understand that the operation and display of the authorized access rights of the Complainant (1) in her Online Banking contract are correct and correspond to the examples she provides in her complaints, as the display of the products permitted by the Complainant is in her CaixaBankNOW contract, as detailed in the explanations attached in point 3 below.


In relation to point 2 of the request, the respondent states that "as this Agency was informed and reiterated in this document, after reviewing the viewing permissions of those authorized in the CaixaBankNOW contract of the Complainant (1), no incident was found. For this reason, an attempt was made to hold a personal interview with the Complainant so that she could personally inform us of her preferences regarding the viewing and management options of the person authorized in her CaixaBankNOW contract. As of the date of this letter, the Complainant has declined this proposal for a personal interview. No further action has been taken, as CaixaBank has no further instructions from the Complainant."

Regarding point 3 of the request, the respondent states that "CaixaBank has not detected any incident in the operations of the Complainant's (1) Online Banking, and the complaints regarding the functionality of the Complainant's (1) online banking are due to her own choices in the configuration of the displays. From a detailed analysis of the video provided by B.B.B. as alleged evidence of an incident, and of the allegations in her complaint, which indicate that the person authorized in her Online Banking can view transactions for cards that are associated not with B.B.B. but rather with C.C.C., we can confirm that the transaction depicted in the video is correct, for the following reasons:

• The video, dated September 1, 2021, shows that D.D.D. (authorized party) can view card contract No. (...) ***REFERENCE 5, owned by B.B.B. The viewing was correct, as the authorized party was allowed to view these products on that date.

• In this card contract, owned by the Claimant (1), there are several linked cards (beneficiaries), three of them in the name of C.C.C. (details of the card contract and the video are attached). This point is especially relevant to clarify some of the Claimant's (1) claims: the contracts for these cards are not owned by C.C.C., but rather by the Claimant (1), B.B.B., who has requested that the cards be issued to a third party (C.C.C.). Therefore, the Claimant (1), as the contract holder, has access to all transactions, and therefore so do the persons authorized by the holder. In this case, D.D.D. does not access a C.C.C. contract. She accesses a contract of the Claimant (1), B.B.B., who has requested cards in the name of a beneficiary, C.C.C.

Continuing through the video, it can be seen how the authorized party, in accordance with the viewing options established by the Claimant, can access this card contract No. (...) ***REFERENCE.5, and the transactions of the cards associated with it, as it is owned by B.B.B. (details of the card contract transactions and the video are attached).

Based on all the information presented in this section and throughout this document, it is concluded that the transaction viewed by the authorized party is correct, since the card transactions viewed by the authorized party on September 1, 2021 (date of the video provided) are those associated with all beneficiary cards of card contract No. (…) ***REFERENCE.5, owned by the Complainant (1), B.B.B., and the card display option was configured by her on August 11, 2021. Therefore, at CaixaBank, upon receiving the complaint submitted by the Agency, we verified the correct functioning of the Complainant's online banking contract and found no problem, and we have insisted, as we have informed this Agency, that the Complainant hold a personal interview with the Entity's technicians in order to make the modifications she deems appropriate so that her authorized users can view the products according to her preferences."

Regarding point 4 of the request, the respondent states that "no additional measures have been adopted beyond those already implemented for the development and security of its applications, as no impact has been detected in this claim."

Regarding point 6 of the claim, the respondent indicates that "The claim submitted by this Agency refers to three accounts owned by the Complainant, specifically:

i. Account ending in ***REFERENCE.1

This account is listed as holders: B.B.B. and C.C.C.

The following products are linked to this account:

Card Contract No. (…) ***REFERENCE.5: Owned by B.B.B. Associated with this card contract are three cards in the name of C.C.C.

CaixaBank NOW Contract (…) ***REFERENCE.7: Owned by C.C.C.

ii. Account ending in ***REFERENCE.2. This account is listed as holder: B.B.B.
and the recognized signatures are D.D.D. and E.E.E.

This account is linked to the following product: CaixaBank NOW Contract (..) ***REFERENCE.6. Owned by B.B.B., with D.D.D. listed as authorized.
This contract, signed by the account holder, is attached to this document as Annex I.

iii. Account ending in ***REFERENCE.3. This account is listed as the account holder by B.B.B.
and as the authorized signature by D.D.D.

"The following products are linked to this account": 5 card contracts with various cards associated with them, all owned by claimant 1; 1 mortgage loan, with claimant 1 listed as the holder and two other guarantors; 3 insurance contracts owned by claimant 1; and 1 pension plan, also owned by claimant 1.

Regarding point 7 of the request, the respondent states that: "The "futures contract" referred to has not been identified. Unless there is an error, there is no contract with that name in the entity's product portfolio, and no contract belonging to the Claimant and her mother has been located in the aforementioned year that could bear that name."

Regarding point 8 of the information request, the respondent states that its clients "may allow authorized third parties to access their digital banking services; consequently, when a person is listed as authorized by the principal client (the case at hand), this person, in their capacity as authorized third party (in this case, the mother of the Claimant (1)), has the corresponding access to the information of the authorizing principal client (the Claimant (1)). This operation of those authorized in the Online Banking contract is described in the contract signed by the clients and, in the specific case at hand, signed by the Claimant (1) and is attached to this document as Annex I.

This contract expressly states:

"1.2. Additionally, you can designate other people to use your CaixaBankNOW account:

➢ Authorized users:

➢ Custom users: according to the following levels:
• Basic
• Inquiry
• Inquiry and preparation
• All allowed
• Detailed."

In turn, all customers can view the details of their CaixaBankNOW contract at any time in their online banking.

In their personal settings, they have the option "Check my CaixaBankNOW digital banking contract," which displays all contract details, authorized users, and access level. A sample screen is attached.

And not only is the inquiry process available to all CaixaBankNOW contract holders, they can also make display changes to their authorized users' products according to their preferences.

And that, "After reviewing the transactions carried out by the Claimant (1) in her online banking, as well as by her authorized representative, D.D.D., no transactions were found where the authorized representative's signature was required for the execution of transactions initiated by the Claimant."

Regarding CaixaBank's online banking application (CaixaBankNOW) referred to in point 9, the respondent states that:

"The access protocols for account holders and authorized users to the accounts and services are those described in section 8 of this document, which are defined by compliance with the requirements established by the PSD2 (Payment Services Directive) regulation.

(…)


Specifically, what access or authorizations has D.D.D. had in relation to the three accounts subject to the complaint, from January 2021 to the date of this request, through the application?

Details of DDD's access and authorizations to the three accounts subject to the complaint are attached as Annex IV.

The last access to the Complainant's products through Online Banking recorded in our systems by D.D.D. is from September 2021."

Regarding point 10 of the request, the respondent states that "it has implemented mandatory internal regulations, pursuant to the CaixaBank Group's Information Security Policy, which include the security requirements for all types of banking carried out electronically, which guarantee the application of the minimum security requirements in this area.

Regarding the security measures relating to CaixaBank customer access to online banking, in addition to the additional measures implemented by the entity, the current regulations applicable to CaixaBank in this area, as a payment institution, known as PSD2 (Payment Services Directive), specifically:

• Commission Delegated Regulation (EU) 2018/389 of 27 November supplementing Directive (EU) 2015/2633 of the European Parliament and of the Council with regard to regulatory technical standards for enhanced authentication,

• Royal Decree-Law 19/2018 of 23 November on payment services and other urgent measures in financial matters,

This requires CaixaBank to establish security controls relating to customer access to their online accounts and, among other things, requires that customers access their accounts using enhanced authentication.

(…)

Specifically, for the development and operation of electronic banking (CaixaBankNOW), the following general and specific security measures are implemented to guarantee, at all times, both secure access by electronic banking contract holders and the certainty or guarantee of access only by persons authorized to access the information.

(…)

And a series of “SPECIFIC SECURITY REQUIREMENTS (…)”.

Regarding point 11 of the request, the document states that “no additional security measures will be established beyond those already implemented for the development and operation of its Online Banking, as no technical incident has been detected that would make the implementation of new measures necessary.”


Regarding point 12 of the request, it states that:

“The CaixaBank Data Protection Officer participates and intervenes in the initial design phase of all personal data processing carried out by the entity as an advisor and supervisor of compliance with privacy regulations, participating appropriately and in a timely manner in all data protection matters.

As required by data protection regulations, CaixaBank has implemented both the necessary methodology to conduct impact assessments for all processing operations the entity will carry out and a dedicated Committee, specifically the Risk Management and Impact Assessments Committee: a delegated committee of the Privacy Committee, responsible for analyzing and approving any New Processing Operations, where the DPO is involved at all times. This document contains the analyses carried out by both the Data Protection Officer and the Information Security Department of CaixaBank regarding the security measures implemented for access to and management of electronic banking by customers, which guarantee the protection of the personal data of customers and users of electronic service channels.

From the foregoing, the Inspection Services highlight the following aspects:

1. The terms under which the question underlying the complaint is raised consist of determining whether the respondent's procedure, which includes the operation for access to financial product information by third parties other than the account holders, allowed the mother of Claimant 1 access to the accounts held solely by Claimant 1 and the account held jointly by Claimant 1 and Claimant 2, as well as the products associated with such accounts and their transactions; and whether the signature of the claimant's mother was also required to carry out certain transactions in the claimants' accounts.

From the written response to the request and the documentation attached to it, the following points can be observed:

The respondent states that it has a procedure that includes the operations for accessing information on financial products by third parties other than the account holders, which describes the authorization system, the types of permissions available, and their scope, noting that:

"These operations by those authorized in the Online Banking contract are described in the contract signed by the clients (...)".

The general terms and conditions of the contract signed by Claimant 1 expressly state:


"1.2. Additionally, you may designate other persons to use your CaixaBankNOW account:

➢ Authorized users: You authorize these persons to access your CaixaBankNOW account at the Basic Access, Consultation, or Consultation and Preparation levels (see the following point), unless you indicate otherwise.

This authorization expires when the period for which you authorized it expires, or if you inform us that you no longer wish the person to be authorized.

➢ Personalized users: You can decide the level of access you grant to these persons, according to the following levels:

• Basic: allows the user to submit documents to carry out various transactions, such as direct debits, transfers, etc., which require the signature of the account holder or a user with full authority.

The purpose is for the user to prepare transactions so that you, as the account holder, can subsequently consent to them.

• Consultation: allows the user to consult the contracted services, as well as their specific transaction.

• Consultation and preparation: this is the sum of the two previous levels.

• All allowed: the user can access all the services offered by CaixaBankNOW.

• Detailed: the user can have different access levels, depending on the type of service: checking account, investment fund, insurance, etc.

At the same time, all customers can view the details of their CaixaBankNOW contract at any time in their online banking.

In their personal settings, they have the option "View my CaixaBankNOW digital banking contract," which displays all contract details, authorized users, and access levels.

And not only is the consultation process available to all CaixaBankNOW contract holders, they can also make display changes to their authorized users' products according to their preferences.

The respondent provides a copy of CaixaBankNOW contract no. (...) ***REFERENCE.6 of claimant 1, in which she appears as the first and sole account holder, dated 02/03/2021, associated with the account ending in ***REFERENCE.2. In the "AUTHORIZED USERS" section of this contract, the mother of claimant 1 appears as the person who can access her CaixaBankNow account, and has been assigned a user number ending in ***REFERENCE.8 and Operational Level.


It also provides a copy of the CaixaBankNOW contract no. (…) ***REFERENCE.7 of claimant 2, in which he appears as the primary account holder, dated 01/18/2021, associated with the account ending in ***REFERENCE.1, and in which no authorized user appears.

Application to the particular case of the claimants

Claimant 1 is the sole owner of the following products:

i. Account ending in ***REFERENCE.2. This account is listed as the account holder: B.B.B., and the recognized signatures are D.D.D. and E.E.E.

The following product is linked to this account: CaixaBank NOW Contract (…) ***REFERENCE.6. B.B.B. is the owner, and D.D.D. is listed as the authorized user.

ii. Checking account ending in ***REFERENCE.3. This account is listed as holder B.B.B. and as authorized signature D.D.D.

"The following products are linked to this account": 5 card contracts with various cards associated with them, all owned by Claimant 1; 1 mortgage loan, with Claimant 1 listed as holder and two other guarantors; 3 insurance contracts owned by Claimant 1; and 1 pension plan, also owned by Claimant 1.

Claimant 1 and Claimant 2 are joint holders of the following product:

i. Account ending in ***REFERENCE.1.

The following products belonging to the complainant are linked to this account:

- Card contract No. (…) ***REFERENCE 5: Owned by B.B.B.

According to the respondent's statement, the beneficiary and holder of three C.C.C. cards associated with this card contract are listed.

Regarding the information provided, it should be noted that although a copy of the contract for card No. (…) ***REFERENCE 5, owned by complainant 1, is attached, said contract does not list any beneficiary/holder of other cards associated with this contract; however, a section appears that reads "Additional card maintenance (beneficiary) 48 euros per year per card."

And in the screenshot submitted as supporting documentation that Complainant 2 is the beneficiary/holder of three cards requested by Complainant 1, the query was made under "Contract cards," where four cards appear. One of them lists Claimant 1 as the cardholder, and the other three show Claimant 2 as the cardholder. Two of these cards appear in the "Type" field as "Apple Pay - Smart Phone," while in the remaining screenshots referring to the other accounts, the query to display the associated cards is under "Related persons."

- CaixaBankNOW Contract (…) ***REFERENCE 7: Owned by C.C.C.

The defendant maintains in its response to the request for information that if the claimant's mother had access to the financial products of claimants 1 and 2, it was because she had the appropriate viewing permissions to view them, as she was authorized in the CaixaBankNOW contract of claimant 1. It was claimant 1 who requested that the respondent make the modifications so that her mother could view the products she accessed on each date.

In this regard, it should be noted that although the defendant provides screenshots of the modifications to which she refers, indicating that they were made at the request of claimant 1, it does not provide any evidence of the existence of claimant 1's request or that the claimant personally made the modifications.

Furthermore, it should be noted that in its supplementary written allegations submitted to the Bank of Spain's Institutional Conduct Department in response to the written submission sent by that Department dated ***DATE.4, the respondent, after stating in its sole allegation "That CaixaBank has proceeded to make the appropriate adjustments to its control marks (replacing the "representative" mark with the "authorized" mark), the source of the administrative error, which automatically updates and corrects the viewing rights that the complainant's mother has over her products. As a result, it is currently established that, through the CaixaBankNow online digital banking service, the complainant's mother can only make inquiries regarding the products for which she is authorized, which are currently current account numbers (...) ***REFERENCE.2 and (...) ***REFERENCE.3", states that it justifies "the adjustments made in this regard, both with respect to the accounts and to limiting card transactions," providing two screenshots, dated ***DATE.4. The first is the same screenshot presented in the response to the request for information: access to accounts ending in ***REFERENCE.3 and ***REFERENCE.2 is marked with a green check mark, and accounts ending in ***REFERENCE.4 and ***REFERENCE.1 are marked with a red cross. This same screenshot also appears after another screenshot in which the modification date is 03/02/2021, with the subject of the modification: the user; the action performed: registration; the user number: ending in 01; the username: that of claimant 1's mother; and the value after the modification: All allowed.

And the second is the same screenshot as the one included in the response to the request for information, which states that "On August 10, 2021, the managing office, at the Complainant's request, excluded other products from the authorized party's visibility. As can be seen in the attached image, the authorized party cannot view the cards associated with the Online Banking contract on this date."


Regarding D.D.D.'s access and authorizations in relation to the three accounts subject to the claim, provided by the respondent as Annex IV, it should be noted that this Annex IV is an Excel spreadsheet with three tabs. "CaixabankNOW Access" shows access between February 4, 2021, and August 3, 2021. During this period, Claimant 1's mother accessed the accounts with two different profiles: one ending in 01, accessing with the attorney profile, and, from August 10, 2021, accessing with the authorized profile as a user ending in 02. "CaixabankNOW Account Inquiries" shows that, as user 02, she checked the transactions in the three accounts subject to the claim on the dates indicated above and that, on August 10, 2021, as user 02, she made 15 inquiries to the account ending in ***REFERENCE.1 between 3:07 PM and 3:48 PM. "Signed Transactions" shows two transactions made as user 01 between March and July 2021.
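As an added illustration that is not part of the decision or of CaixaBank's systems, the following Python models the access levels quoted from clause 1.2 of the CaixaBankNOW contract (Basic, Consultation, Consultation and preparation, All allowed, Detailed), a deny-by-default check that exposes to an authorized user only the products the holder explicitly made visible, the assumed behaviour of the legacy "representative" control mark the respondent describes, and a replay of constructed access-log entries in the spirit of Annex IV. The product references (ACC1, ACC2, ACC3, CARD5), the log entries and the legacy-mark behaviour are assumptions.

```python
"""Deny-by-default visibility check for a digital-banking "authorized user".
Constructed example: the access levels follow the contract clause quoted in the
decision; products, log entries and the legacy-mark behaviour are assumptions."""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional

class Level(Enum):
    BASIC = "basic"                      # prepare transactions; holder must sign
    CONSULTATION = "consultation"        # view contracted services and transactions
    CONSULTATION_AND_PREPARATION = "consultation_and_preparation"
    ALL_ALLOWED = "all_allowed"          # every service, including signing

class Action(Enum):
    VIEW = "view"
    PREPARE = "prepare"
    SIGN = "sign"

LEVEL_ACTIONS = {
    Level.BASIC: {Action.PREPARE},
    Level.CONSULTATION: {Action.VIEW},
    Level.CONSULTATION_AND_PREPARATION: {Action.VIEW, Action.PREPARE},
    Level.ALL_ALLOWED: {Action.VIEW, Action.PREPARE, Action.SIGN},
}

@dataclass(frozen=True)
class Product:
    ref: str
    kind: str                    # "account", "card", ...
    holders: FrozenSet[str]

@dataclass
class Grant:
    # A holder (grantor) designating an authorized user in the holder's own contract.
    grantor: str
    user: str
    level: Optional[Level] = None              # None means "Detailed": per-kind levels
    per_kind: Dict[str, Level] = field(default_factory=dict)
    visible: FrozenSet[str] = frozenset()      # product refs the holder chose to expose

def level_for(grant: Grant, product: Product) -> Optional[Level]:
    if grant.level is not None:
        return grant.level
    return grant.per_kind.get(product.kind)

def is_allowed(actor: str, action: Action, product: Product, grants: List[Grant]) -> bool:
    """Holders act in their own right; anyone else needs an explicit grant from a
    holder of that product that covers both the product and the action."""
    if actor in product.holders:
        return True
    for g in grants:
        if g.user != actor or g.grantor not in product.holders:
            continue
        if product.ref not in g.visible:          # not exposed by the holder
            continue
        lvl = level_for(g, product)
        if lvl is not None and action in LEVEL_ACTIONS[lvl]:
            return True
    return False                                  # deny by default

def legacy_representative_view(grant: Grant, products: Dict[str, Product]) -> FrozenSet[str]:
    """Assumed behaviour of the old "representative" mark: visibility derived from
    everything the grantor holds, ignoring the holder's per-product choices."""
    return frozenset(r for r, p in products.items() if grant.grantor in p.holders)

def audit(log: List[dict], products: Dict[str, Product], grants: List[Grant]) -> List[dict]:
    """Replay access-log entries; return those not covered by an explicit grant."""
    return [e for e in log
            if not is_allowed(e["user"], Action(e["action"]), products[e["product"]], grants)]

# Constructed data mirroring the case: B.B.B. holds ACC2, ACC3 and card contract CARD5;
# ACC1 is jointly held by B.B.B. and C.C.C.; D.D.D. is B.B.B.'s authorized user, and
# B.B.B. exposed only ACC2 and ACC3 to her.
PRODUCTS = {p.ref: p for p in [
    Product("ACC1", "account", frozenset({"B.B.B.", "C.C.C."})),
    Product("ACC2", "account", frozenset({"B.B.B."})),
    Product("ACC3", "account", frozenset({"B.B.B."})),
    Product("CARD5", "card", frozenset({"B.B.B."})),
]}
GRANTS = [Grant("B.B.B.", "D.D.D.", Level.ALL_ALLOWED, visible=frozenset({"ACC2", "ACC3"}))]

# Constructed log entries in the spirit of Annex IV (access, inquiries, signed transactions).
LOG = [
    {"ts": "2021-08-10T15:07", "user": "D.D.D.", "action": "view", "product": "ACC2"},
    {"ts": "2021-08-10T15:12", "user": "D.D.D.", "action": "view", "product": "ACC1"},
    {"ts": "2021-09-01T10:00", "user": "D.D.D.", "action": "view", "product": "CARD5"},
    {"ts": "2021-09-01T10:05", "user": "C.C.C.", "action": "view", "product": "ACC1"},
    {"ts": "2021-07-01T09:00", "user": "D.D.D.", "action": "sign", "product": "ACC3"},
]
FINDINGS = audit(LOG, PRODUCTS, GRANTS)   # the ACC1 and CARD5 views by D.D.D.

if __name__ == "__main__":
    for e in FINDINGS:
        print("not covered by an explicit grant:", e)
    print("legacy mark would expose:", sorted(legacy_representative_view(GRANTS[0], PRODUCTS)))
```

The replay flags the two views of products the holder never exposed, while the legacy mark would have made every product the grantor holds, including the joint account, visible to the authorized user.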

FIFTH:

CAIXABANK, S.A. has a turnover of 964.711 billion euros, according to the data indicated on page 11 of the results presentation published by the entity itself in October 2023.

SIXTH:

On January 16, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the respondent, in accordance with the provisions of Articles 63 and 64 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), for the alleged violation of Article 25 of the GDPR and Article 32 of the GDPR, as defined in Article 83.4 of the GDPR, and Article 5.1.f) of the GDPR, as defined in Article 83.5 of the GDPR.

SEVENTH:

After notification of the aforementioned initiation agreement in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), the respondent submitted a written statement of allegations in which, in summary, it sets forth two allegations:

The sanctioning procedure should be closed due to the lack of legal grounds, supporting its assertion on the following:

• The exercise of rights through third parties.

• D.D.D. was authorized by B.B.B. to view the information related to the Shared Account, validly acting as a substitute in the exercise of her right.

• Exercise of Informational Autonomy.

And as a second allegation, it states that it acted based on a coherent, historical, and consolidated interpretation of the law in accordance with the Civil Code.


The allegations presented by the respondent entity were supported by the following statements:

“The sanctioning procedure must be closed due to the lack of legal grounds. Access to the joint account by the co-owner's representative was consented to by C.C.C.: the joint account is subject to the joint and several regime.

The shared account is joint and several in nature, so any of its co-owners is authorized to individually consult the account information.

It is irrelevant whether this right is exercised by the co-owner or by a third party authorized by them.

The joint ownership of a legal situation requires determining the regime to which the exercise of rights by the subjects that form part of that joint ownership must be subject.

The exercise of rights by the holders of a shared legal status can be organized in two ways: through "joint and several" ownership or through "joint" ownership.

Joint and several ownership implies that each of the joint holders can exercise all of the rights related to the shared legal status individually and independently of the others, such that each of the joint holders has the "right to demand... the entirety of the things covered by the same" (Article 1.137 of the Civil Code), as if they were a single holder. On the contrary, joint ownership (arg. Article 1.139 of the Civil Code) requires the simultaneous participation of all holders for the legal act to be validly produced. The rights must be exercised "in common hands" by all the joint holders, who cannot exercise the rights individually, as is typical of joint and several ownership. In this sense, the difference between a bank account being held jointly and severally or jointly is that in the former case, the co-holders may exercise the rights granted to them by the contract with the bank independently and without requiring the participation of the other co-holder. However, if the bank account is subject to joint ownership, the consent of all co-holders will be required to exercise any right provided for in the current account contract. The foregoing is expressly stated in clause 1 of the general terms and conditions of the Current Account Agreement, which establishes the following:

“1.3. You may be the sole account holder (individual account holder) or share joint account holders with other persons. If you share joint account holders with other persons, you may do so under the “joint and several” liability modality or the “joint” liability modality.

1.4. Joint and several liability is the one we will apply unless you tell us otherwise; it means that each account holder may act alone and exercise all the rights of the contract, including canceling it, unless a law provides otherwise.

1.5. Joint liability will apply only if you expressly request it, and it is stated in the specific terms and conditions. This means that the signature and acceptance of all or several account holders will be required to carry out any transaction.”

Well, in the case at hand, the parties to the Current Account Agreement agreed that each of the holders of the Joint Account could validly exercise their rights in relation to that account independently of the other, without the participation of the other holder. This follows from the fourth section of the specific conditions in the following terms:

4. DECISIONS REGARDING THE CONTRACT

Joint and several mode (if you have any questions, please refer to clause 1 of the general conditions)

Thus, each of the joint holders had the "right to request" (Article 1,137 of the Civil Code) whatever proceeds from the Joint Account, such that both B.B.B. and C.C.C. could act independently, without the need for the participation of the other joint holder to operate and exercise the rights provided for in the Agreement. The foregoing expressly results from clause 1.4 of the general conditions of the Contract, whose literal wording establishes the following:

1.4. Joint and several liability is the one we will apply unless otherwise stated; it means that each of the holders may operate alone and (…), unless a law provides otherwise.

Well, one of the rights recognized in the general terms and conditions of the Contract is precisely access to the account and, in particular, to check the balance and transactions. The digital banking platform is established as a possible channel for exercising this right. Thus, clause 2.1 of the general terms and conditions of the Contract establishes the following:

"You can [...] access the rest of the payment services and check the balance and transactions [...] through CaixaBank Now."

Pursuant to the joint and several liability regime established by the parties to the Contract, any of the joint account holders is authorized to check the balance and transactions of that account independently and without requiring the participation of the other joint account holder. This is what joint and several liability entails.

The exercise of rights through third parties.

The individual exercise of a right inherently includes the decision of its holder on how they wish to exercise that right, either on their own behalf or through an authorized third party who, acting as a sort of alter ego of the represented party, acts in their place. In particular, within the scope of their autonomy of will, the holder of the right may decide to exercise it themselves or through a third party authorized for this purpose, through a power of attorney.

This regime is the same as that established, without conditions, in Article 12 of the LOPD. The right of access (recognized in Article 15 of the GDPR) may be exercised directly or through a legal or voluntary representative.


This decision regarding the manner of exercising the right (on one's own behalf or through a third party) falls within the scope of the holder's autonomy of will, as the Provincial Court of A Coruña illustratively points out in its judgment no. 396/2008 of September 22 (AC 2008/1960) in the following terms:

“The basis of all power of attorney and representation lies in the will of the dominus who, under the free autonomy of will arising from art. 1255 of the Civil Code, confers his representation to another person, the attorney-in-fact, to act on his behalf in legal transactions, thereby generating the so-called representative hetero-efficacy. The will to confer such representation is expressed through a legal transaction: the power of attorney. With few exceptions (power of attorney to contract marriage or the general power of attorney for litigation, without prejudice to its execution apud acta before the Court Clerk), the principle of freedom of form governs the matter [...].”

Similarly, the "Guidelines 01/2022 on data subject rights - Right of access. Version 2.0. Adopted on 28 March 2023" issued by the European Data Protection Board recall that the form and scope of the power of attorney is an issue that falls outside the scope of data protection, establishing that "national laws regulating representation (for example, powers of attorney) [...] must be taken into account, since the GDPR does not regulate this issue." In the Spanish legal system, as explained, the legal transaction of the power of attorney is not subject to any formality.

Applying the above to situations of joint and several ownership, each of the holders may exercise their rights independently of the other joint holder, either by themselves or through a third party representative.

This is a necessary consequence of the legal regime of joint and several ownership: the holder of the right may exercise it as they see fit.

Therefore, at the time it was agreed that the Shared Account would be subject to the "joint and several arrangement" (clause 4 of the specific terms and conditions of the Current Account Agreement), both Joint Owners agreed that each of them could exercise their rights individually, thereby consenting that, within the framework of individual exercise and under the protection of the autonomy of the will of each joint owner, the rights would be exercised on their own behalf or by a third party authorized by them.

Thus, and at the time the joint owners (B.B.B. and C.C.C.) agreed that the Current Account would be subject to the joint and several arrangement, they accepted as a necessary consequence that each of them could independently exercise the rights related to that Account (in particular the right to access the Account information) in the manner they deemed appropriate: either by themselves or by authorizing a duly authorized third party to exercise that right. This is precisely what happened in our case, in which B.B.B. (one of the joint account holders) could access the Joint Account data either by herself or by authorizing a third party. Based on the above, B.B.B. authorized her mother (D.D.D.) to access the Joint Account data on her behalf. This is a concrete manifestation of the joint and several liability regime that the joint account holders agreed to with CaixaBank (and which CaixaBank was required to respect in compliance with the contractual documentation).

(…)

Representation is defined in general terms as the legal entity by virtue of which one person (representative) is granted the power to act legally on behalf of and in the interest of another person (the person represented).

Depending on its basis, representation may be voluntary (if it arises from an act of private autonomy of the representative) or legal (if the representation is mandatory due to a legal provision). Regarding the difference between voluntary representation and legal representation, the ruling of the Civil Division of the Supreme Court of June 22, 1979 (RJ 1979/2908) is particularly illustrative, establishing the following:

“[...] it should be noted that there is clearly a clear and precise distinction between legal representation and voluntary representation, insofar as the former is strictly based on the Law, and therefore outside the scope of private autonomy, the latter is based on the fact that the representative voluntarily grants his representation to the attorney-in-fact, consequently originating in said private autonomy and finding in it the reason for its effectiveness, ultimately revealing that in the Spanish legal system, while voluntary representation is a mere grant of legitimacy to a representative, legal representation emanates from a power of representation that rests immediately on a legal provision [...].”

Therefore, unlike legal representation, voluntary representation is configured as a manifestation of the private autonomy of the holder of individual rights, who freely decides that a third party will replace them in the exercise of such rights under the terms entrusted to them.

The legal transaction through which the representative relationship materializes for external purposes is the power of attorney, which is precisely the legal act by virtue of which one person voluntarily grants another a power of representation with the specific scope determined.

It should be noted that the essence of the power of attorney lies in the fact that the representative carries out an action on behalf of the represented party that has effects in the represented party's legal sphere. Therefore, representation is the institution by which one subject (representative) replaces another (the represented party) in the performance of legal activity.

Consistent with the above, and insofar as representation determines the substitution of the principal by the representative in legal transactions, the basis of the representative relationship is trust and loyalty between the representative and the principal, thus establishing itself as a personal relationship.

It should be remembered that the legal transaction of power of attorney, based on a relationship of trust and loyalty, is subject to the same legal framework as the mandate and, therefore, is not subject to any formality, and may even be tacit, as established in Article 1710 of the Civil Code in the following terms:

"The mandate may be express or tacit.

The express mandate may be given by public or private instrument, and even verbally. The acceptance may also be express or tacit, the latter being deduced from the acts of the agent."

Consequently, the general rule is the freedom of form in the declaration of the principal's will, which has been confirmed by case law. For example, the Civil Division of the Supreme Court, in its ruling 133/1994 of February 25 (RJ 1994/1263), recalled the following: "[...] it is established by case law that the power of attorney is not subject to the formal "ad solemnitatem" form, as established in Article 1710, paragraph 2, of the Civil Code, and may even arise from a tacit declaration of will without being opposed by the formal requirement indicated in paragraph 5 [...]."

Analyzing the specific case, it is important to highlight that CaixaBank Now allows its users to "name other people to use their CaixaBank Now," and can grant different "levels of access" to authorized third parties. Thus, the power of attorney granted based on the CaixaBank Now system is legally complete and, of course, binding on CaixaBank.

In particular, and as stated in clause 1.2 of the general terms and conditions of the CaixaBank Now Contract, the following "levels of access" are differentiated that may be granted to authorized third parties, the specific choice of which will determine the scope of the authorization:

"Basic: allows the user to present documents to carry out various transactions, such as direct debits, transfers, etc., which require the signature of the cardholder or a user with full authority.

The purpose is for the user to prepare the transactions so that you, as the cardholder, can subsequently consent to them.

(...)

Therefore, in accordance with the contractual documentation, the CaixaBank Now contract holder may authorize third parties to access the services of the digital platform, and may determine the scope of the authorization granted in each case (choosing the "level of access" granted in each case).

The above demonstrates that CaixaBank allows customers to define the scope of the power of attorney granted on a case-by-case basis. And this power of attorney (with the specific scope in which it has been granted) must be respected by CaixaBank, such that if it does not allow the authorized third party access to the platform, it would incur a breach of the CaixaBank Now Contract.

Thus, the power of attorney system offered by CaixaBank Now is configured as a true digital power of attorney system, allowing the holders of the corresponding contracts to authorize third parties to act on their behalf under the terms under which they have been expressly authorized in the scope of access to the digital platform.

This is a very useful tool: the current account holder can access it through CaixaBank Now and, in addition, can authorize, for example, tax advisors, managers, administrators, or, in general, any third party to access the account holder's accounts. The traditional documentary power of attorney is being replaced by virtual power of attorney through CaixaBank Now.

Well, in the present case, and pursuant to the CaixaBank Now Contract, B.B.B.
authorized her mother (D.D.D.) to access the information in the accounts she holds. Thus, based on her independent will, she authorized her mother to access the digital platform on her own account.

This is a legally complete power of attorney.

In this regard, it is important to note that the scope of the power of attorney granted in favor of B.B.B. included viewing the data in the Shared Account. Thus, and having been able to limit the scope of the authorization to the data in the accounts in her sole ownership, B.B.B. freely and unilaterally decided that the authorization granted in favor of D.D.D. covered the data of the Shared Account, so CaixaBank had to allow D.D.D. to access the data of the Shared Account.

Exercise of Informational Autonomy

It is very important to highlight that the scope of the authorization was expressly decided by B.B.B., protected by her autonomy of will. Indeed, the CaixaBank Now system allows users to expressly select the viewing options granted to authorized third parties, without in any case CaixaBank imposing a default system of which the user is unaware.

The voluntary representation system developed by CaixaBank is fully respectful of the informational autonomy of users. It allows the user to decide with absolute precision whether to authorize the representative or authorized party either to consult (i.e., view) or to operate (i.e., dispose of), and within the scope of consultation, also to delimit the specific products.

CaixaBank is the recipient of the scope of the authorization granted by the
client. If the customer grants authorization to a third party, CaixaBank must comply with the scope of the authorization granted. Therefore, it must allow authorized access and, where appropriate, provide any data that the authorized third party may request, which is included within the scope of the authorization.

The relevant time milestones that indicate that, indeed, the scope of the authorization granted to B.B.B. included access to the Shared Account are set out below. In particular:

On February 3, 2021, B.B.B. signed the CaixaBank Now Contract and, in the registration process for that Contract, included D.D.D. as authorized, as shown in the screenshots provided with CaixaBank's June 15 letter responding to the AEPD request (reproduced below for convenience). In this initial configuration, B.B.B. limited D.D.D.'s access to the accounts of which B.B.B. was the sole owner, excluding the possibility of accessing information related to the Shared Account. This means that D.D.D. did not include visibility of the Shared Account (which ends in 462), as it had been expressly excluded by B.B.B., the holder of the CaixaBank Now Contract.

However, the configuration regarding account visibility was expressly modified by B.B.B.

Specifically, on August 4, 2021, the initial display configuration was modified, allowing D.D.D. to view the specific operations of the Shared Account. Specifically, as a result of this configuration change (which was made at B.B.B.'s request), D.D.D. was not only authorized to view the Accounts held solely by B.B.B., but was also authorized to view Account 462 (which is the Shared Account).

Thus, as of August 4, 2021, B.B.B. expressly authorized D.D.D. to access information from the Shared Account through the digital banking platform, so that the scope of the power of attorney now also included access to the Shared Account.

On August 10, 2021, a further modification was made to the authorization granted to D.D.D., thus modifying its scope and excluding from such authorization the viewing of the cards associated with the CaixaBank Now Contract.

Therefore, as a result of the aforementioned modification, the authorization granted to D.D.D. was limited, excluding from her powers the viewing of transactions made with the cards associated with the different accounts. On August 11, 2021, B.B.B. again modified the scope of the authorization granted to D.D.D., restoring the authority to consult the transactions of the cards associated with the accounts held by B.B.B. This is reflected in the following screenshot: (…)

Thus, the scope of the power of attorney in favor of D.D.D. under the terms modified on August 11, 2021, includes consulting the transactions of the Shared Account, as well as the transactions of the cards associated with those accounts. It should be noted that this was the scope of the power of attorney at the time the claim giving rise to the Initiation Agreement was filed.

And this was precisely the scope that CaixaBank was required to respect in compliance with the CaixaBank Now Contract.

Based on all of the above, it must be concluded that the scope of the power of attorney in favor of D.D.D., under the terms expressly granted by B.B.B., includes access to the digital banking platform for all B.B.B. accounts (including the Joint Account), as well as access to information linked to the cards associated with those accounts. This is the scope of the power of attorney that B.B.B. freely and unilaterally granted, and therefore, this is the power of attorney that CaixaBank had to respect.

The foregoing, as stated above, has very significant consequences, both from a civil contractual perspective and in terms of data protection. In particular, if, in relation to the data of a joint account, CaixaBank does not allow access to a third party authorized by one of the joint account holders, it will be in breach of the contract, as well as the power of attorney granted by the latter.

Indeed, and in this specific case, if CaixaBank (the counterparty to the Current Account Contract) had prevented the exercise of the rights that corresponded jointly to B.B.B. through a third party (D.D.D.), it would have clearly breached the Current Account Agreement, as well as the CaixaBank Now Agreement. Indeed, B.B.B. had the "right to demand" (Article 1,137 of the Civil Code) what is derived from the Current Account Agreement, either directly or through any third party, and CaixaBank (Articles 1,090, 1,254, and 1,258 of the Civil Code) should have allowed the counterparty to exercise its rights to which it was bound by the Current Account Agreement, regardless of whether the party exercising them was one of the holders of the Shared Account or a duly authorized third party through the CaixaBank Now system.
In this regard, it is important to highlight that the form and scope of the power of attorney is a matter that falls outside the scope of data protection, as recalled by the "Guidelines 01/2022 on data subject rights - Right of access. Version 2.0. Adopted on 28 March 2023" which expressly establish the following:

In this regard, national laws regulating representation (for example, powers of attorney) [...] must be taken into account, since the GDPR does not regulate this issue.

In accordance with the principle of accountability, as well as the other data protection principles, data controllers must be able to demonstrate the existence of the relevant authorization to [...] receive the requested information, unless national legislation differs (for example, if national law contains specific rules regarding the reliability of data controllers).

In the Spanish legal system, as explained, the legal transaction of the power of attorney is not subject to any formalities, so the power of attorney for access to the Shared Account executed based on the CaixaBank Now Contract is legally complete and, of course, binding on CaixaBank. At this point, it would be appropriate to ask the following rhetorical question:

If D.D.D. had approached CaixaBank with a power of attorney that protected her to request the right to access B.B.B.'s data, should CaixaBank have only provided her with the information relating to the contracts in which B.B.B. was the sole holder, since she did not provide authorization from the joint holders of the remaining contracts?

And if we generalize, when an attorney (the legal or voluntary representative indicated in Article 12 of the LOPD) requests an exercise of the right of access, should data controllers deny access to data for products with joint owners until the joint owners' authorization is provided?

Clearly, the answer, based on current practice and the instructions and resolutions of the AEPD itself, is that the full right of access must be respected, even if it is exercised through a representative, unless the AEPD intends to change the criteria through this resolution. It should be noted that customers typically have a variety of products, with a variety of joint owners (family members, partners, etc.), and this modification of the criteria would have a profound impact on the ability to exercise the right of access (or others) through a representative.

And having said all of the above, what is the difference between exercising the right of access and consulting information through an online banking service?

Furthermore, D.D.D.'s access to the Shared Account data is legally consistent with the joint and several nature of the Shared Account. Indeed, at the time C.C.C. consented to the Shared Account being joint and several (as it did when it signed the Current Account Agreement), it consented to B.B.B. exercising its rights as a joint owner individually and, therefore, consented to B.B.B., relying on its private autonomy, exercising such rights in any manner it deemed appropriate, either on its own behalf or through an authorized third party. And if the joint account holder freely decides to exercise their right through a third party and authorizes them to do so through the system offered by CaixaBank Now (which is configured as a legally complete system considering the freedom of formality of the power of attorney business), CaixaBank must respect this and, therefore, must allow access to the authorized third party.

In short, at the time C.C.C. consented to the account being jointly held, they consented to B.B.B. accessing the account information through CaixaBank Now and, therefore, consented to such access being carried out either by B.B.B. on their own behalf, or by a third party authorized by B.B.B. for this purpose (as indeed happened when they authorized D.D.D.).

The foregoing determines that D.D.D., relying on the authorization granted by B.B.B., could, on the one hand, access the data of the Joint Account (as such data was included in the scope of the power of attorney granted to her) and, on the other hand, require CaixaBank to provide her with said data. If CaixaBank had not allowed access or had refused to provide the requested data, CaixaBank would have breached the CaixaBank Now Agreement and the Joint Account Agreement.

As a result of the foregoing, the sanctioning procedure must be closed due to the lack of legal grounds. Indeed, access to the Shared Account by the representative of the joint account holder was consented to by C.C.C.

The Initiation Agreement improperly considers, with due respect, that CaixaBank allegedly committed certain violations classified as GDPR. In particular, the violations the Initiation Agreement seeks to uphold are the following:

i) Alleged violation of Article 5.1.f) of the GDPR, which establishes the principle of data confidentiality.

In particular, the Initiation Agreement considers that this principle was violated since, in its understanding (improper, with due respect), C.C.C. "has not authorized the mother of [B.B.B.] to access the card data associated with the account held by both claimants." The Initiation Agreement classifies the alleged violation of the confidentiality principle as a very serious breach under Article 72 of the GDPR.

ii) Alleged violation of Article 32 of the GDPR, which establishes the obligation of data controllers to implement "appropriate technical and organizational measures to ensure a level of security appropriate to the risk."

In particular, the Initiation Agreement considers that CaixaBank does not have adequate security measures in place, since "the claimant's mother has continued to have access to the account that the claimants hold jointly, despite the fact that the mother of claimant 1 is neither the owner nor authorized to access said account." The Initiation Agreement classifies the alleged lack of adequate security measures as a serious breach under Article 73 of the GDPR.

iii) Alleged breach of Article 25 of the GDPR for allegedly having violated data protection "by design" of the computer application.

In particular, the Initiation Agreement considers that CaixaBank has violated data protection "by design," insofar as, according to the Spanish Data Protection Agency (AEPD), "online banking should never allow a person to access personal data held in accounts for which they are neither the owner nor an authorized person."
The Initiation Agreement classifies the alleged breach of data protection "by design" as a serious breach under Article 73 of the GDPR.

It should be noted immediately that the basis on which the Initiation Agreement seeks to sustain the commission of the indicated violations is the alleged lack of consent by C.C.C. to B.B.B.'s access to the information in the Joint Account. This is illustrative of the following paragraph of the Initiation Agreement:

"However, based on the facts established, it appears that the respondent entity's online banking does not require the consent of all account holders; rather, it is sufficient to have the consent of one of the account holders to allow third parties access. This violates the data protection of account holders who, being part of a joint account, have not given their consent or authorization for third parties to access the transactions in an account held by them when said account is shared with other account holders."

Indeed, based on this alleged lack of consent by C.C.C. (which is denied in any case) the Initiation Agreement builds on the alleged violation of the confidentiality principle, the alleged lack of adequate measures to protect personal data, and the alleged poor design of the digital banking platform.

However, the approach of the Initiation Agreement ignores an element of utmost importance: The Joint Account is subject to the joint and several liability regime (and not the joint regime). Indeed, as stated, the Joint Account is joint and several, so that at the time of signing the Joint Account Agreement, C.C.C. consented to B.B.B. accessing the account information through CaixaBank Now and, therefore, consented to such access being carried out either by B.B.B. on her own behalf or through a third party authorized by B.B.B. for this purpose (in this case, D.D.D.). The decision to exercise the rights lies within the scope of the holder's autonomy of will, and it is irrelevant whether the holder exercises them on his or her own behalf or through a third party by means of a power of attorney.

And if the joint holder freely decides to exercise his or her right through a third party and authorizes him or her to do so through the system offered by CaixaBank Now (which is configured as a legally complete system based on the freedom of the power of attorney), CaixaBank must respect this and, therefore, must allow access to the authorized third party. Otherwise, CaixaBank would incur a breach of the CaixaBank Now Contract.
It follows from the above that the approach of the Initiation Agreement would only be correct if the Shared Account were joint. In that case, B.B.B. should request C.C.C.'s consent to exercise the right of access to the account. However, this approach does not correspond to the reality of the facts.

Ultimately, D.D.D.'s access was consented to by C.C.C., while the Joint Account was subject, by express consent of the parties, to the "joint and several" modality.

Based on the above premise, the types of infringement on which the Initiation Agreement seeks to base the sanctioning procedure are void. Indeed:

i) The principle of confidentiality was not violated (since C.C.C. consented to B.B.B. exercising his right of access individually, which includes empowering a third party to exercise it).

ii) CaixaBank has adequate security measures, and it is not required to establish security measures to prevent third parties authorized by a joint account holder from accessing information on shared accounts. If the account is jointly and severally liable (as it is in this case), any of the joint account holders may authorize a third party to exercise their right to access the accounts, taking into account that such authorization is granted at the time the account is subject to the "joint and several liability regime." In fact, to interpret otherwise would violate the joint and several liability regime agreed upon by the parties contractually.

iii) The digital banking platform does not suffer from a design defect, and it is not required to require the consent of all joint account holders for third parties authorized by one of them to access the account information, provided that the account has been subject to the joint and several liability regime and, therefore, provided that the joint account holders can exercise their rights as they deem appropriate. The foregoing would be equivalent to ignoring the joint and several liability regime of the Shared Account, which was expressly consented to by the joint account holders and which must be respected by CaixaBank Now. Furthermore, in no case could a poor platform design be justified, considering that, as we have seen, it allows account holders to configure third-party access options. Indeed, and in accordance with clause 1.2 of the general terms and conditions of the Agreement, CaixaBank Now, the "levels of access" that can be granted to authorized third parties are as follows:

Basic: allows the user to present documents to carry out various transactions, such as direct debits, transfers, etc., which require the signature of the account holder or a user with full authority.

The purpose is for the user to prepare transactions so that you, as the account holder, can subsequently consent to them.

Consult: allows the user to consult the contracted services as well as their specific operations.

Consult and preparation: this is the sum of the two previous levels.

All allowed: the user can access all the services offered by CaixaBank Now.

Detailed: the user can have different levels of access, depending on the type of service: checking account, investment fund, insurance, etc.

Thus, there is no poor design, as the digital banking platform allows account holders to configure third-party access as they see fit, even allowing this access to be configured in a personalized way at "different access levels, depending on the type of service: checking account, investment fund, insurance, etc."

In short, D.D.D.'s access to the Joint Account data in place of B.B.B. and under the protection of an authorization expressly granted by the latter was consented to by C.C.C., who, by consenting to the Joint Account being jointly held, consented to B.B.B. being able to exercise her individual rights in any manner she deemed appropriate.

Thus, CaixaBank's action in allowing B.B.B. access is atypical, since such access was covered by the contractual documentation signed by the joint account holders. In fact, requiring C.C.C.'s consent would have violated the terms of the Shared Account Contract, since it would have meant applying the joint liability regime to an account whose joint account holders expressly agreed to be jointly held.

In this regard, it should be remembered that both the Current Account Contract and the power of attorney in favor of D.D.D. are valid legal transactions that were entered into in accordance with the Civil Code, and from which it follows, precisely, that B.B.B., in the independent exercise of her right, could freely authorize D.D.D. to exercise it on her behalf (it being absurd to require the express consent of C.C.C. for this purpose).

The AEPD cannot seek to alter, beyond its jurisdiction, the legal regime of a validly entered into contract in order to derive consequences inappropriate to the civil legal regime of that contract. In this sense, the Guidelines are illustrative in expressly establishing that "national laws regulating representation (for example, powers of attorney) [...] must be taken into account, since the GDPR does not regulate this issue." Indeed, the GDPR does not regulate how powers of attorney granted to third parties should be granted. This is a civil matter over which the AEPD has no jurisdiction.

For all the above reasons, this proceeding must be closed due to the lack of criminality. Indeed, and as has been seen, access to the Shared Account by the co-owner's representative was consented to by C.C.C. by consenting to the Shared Account being jointly and severally liable, which implies that the types of infringement on which the Initiation Agreement seeks to base the sanctioning procedure are void.

(…)
Even if it could be considered that CaixaBank committed the aforementioned violations of the GDPR (quod non), the accusation made by the Initiation Agreement would still be inadmissible. And this is because, in any case, the subjective element of culpability essential to exercising the sanctioning power is not present, as expressly stated in Article 28 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, "Law 40/2015"), which establishes that "only natural and legal persons [...] who are found responsible for them due to intent or negligence may be sanctioned for acts constituting an administrative infraction." This is what the Court of Justice of the European Union recalled in its judgment of December 5, 2023 (Case C-807/2021), which, in relation to the attribution of violations of data protection regulations, established the following:

"Consequently, it must be declared that Article 83 of the GDPR does not allow the imposition of an administrative fine for an infringement referred to in its paragraphs 4 to 6 without proving that said infringement was committed intentionally or negligently by the data controller and that, therefore, culpability in committing the infringement constitutes a requirement for the imposition of the fine.

[...]

In light of the foregoing considerations, the answer to the second question is that Article 83 of the GDPR must be interpreted as meaning that an administrative fine may only be imposed under that provision if it is proven that the data controller, which is both a legal person and a company, committed, intentionally or negligently, an infringement referred to in paragraphs 4 to 6 of that article."

Therefore, in any case, the subjective element must be present to sanction conduct that is considered typical. In this regard, it should be noted that established case law of the Third Chamber of the Supreme Court has ruled on numerous occasions on the exemption from liability in the area of sanctions as a result of the reasonable application of the rules, in this case the historical, consolidated, and, until now, unquestioned interpretation of the operation of joint and several powers. Among many others, the Judgments of this Honorable Chamber of July 6, 1995 (RJ 5796), January 12, 2002 (RJ 549), June 30, 2003 (RJ 5754), and December 9, 1997 (RJ 485) may be cited. According to the latter:


“For a legal discrepancy to dispel culpability for an objectively proven regulatory breach, it must be reasonably justified. This, in turn, requires specifying the contentious points that give rise to this discrepancy, the alternative interpretation that is based on these points against the sanctioning administrative body, and the legal arguments used to defend this differentiated interpretation.”

Well, in the case at hand, all the conditions are met to apply this doctrine and to consider that the subjective element in CaixaBank's conduct that would allow the intended sanction to be imposed cannot be appreciated and that, therefore, the attribution of the infringement made in the Initiation Agreement is inappropriate.

In particular, CaixaBank's interpretation of the GDPR leads it reasonably to conclude that D.D.D.'s access to the Shared Account is correct, to the extent that it is consistent with the joint and several regime to which the aforementioned Account was subject.

In this sense, the requirement for C.C.C.'s consent for D.D.D. (replacing B.B.B.) to access information loses all meaning when contextualized with the rest of the legal system and, in particular, with the provisions of the Civil Code, which contemplates joint and several relationships, as well as the concept of mandate, for which complete freedom of form is permitted. To understand otherwise would distort the dynamics of joint and several relationships (which allow for the independent exercise of rights in any manner deemed appropriate), as well as distort the power of attorney, which allows for the independent exercise of rights through a third party (who acts as a sort of alter ego in legal transactions).

So much so that requiring consent under the terms intended by the AEPD would have constituted a breach of the Current Account Contract, to the extent that this Contract allows its co-holders to exercise their rights independently (regardless of the form of exercise) and without requiring the concurrence of the other holder.

On the other hand, it should be noted that CaixaBank's actions were diligent insofar as my client allowed D.D.D. access under the terms expressly authorized by B.B.B. at all times (thus respecting the joint nature of the Shared Account and the authorization granted in favor of D.D.D.). Indeed, the access D.D.D. had to the accounts held by B.B.B. (individually or jointly) was adjusted to the viewing configuration freely chosen by B.B.B., with CaixaBank making itself available to B.B.B. to modify it according to B.B.B.'s preferences.

Furthermore, in no case can CaixaBank's conduct be considered culpable, since CaixaBank attempted to collaborate with B.B.B. by offering to arrange a face-to-face meeting so that B.B.B. could configure the scope of the authorization granted to D.D.D. (and, in particular, to configure the viewing options available to her). However, B.B.B. declined CaixaBank's proposal, as explained in the letter of June 15 submitted to the AEPD by my client:


"The Data Protection Officer has coordinated, together with the Entity's security officers, the analysis of B.B.B.'s complaint and, given the impossibility of reproducing the incidents described by the Complainant (1), proposed holding a meeting with her in which, accompanied by specialists in the Entity's online banking applications, an attempt would be made to reproduce the alleged errors. If it was determined that there was no technical incident but rather an incorrect display configuration by the user, she would be assisted in configuring the accesses according to her requirements. This suggestion was adopted and forwarded to the Complainant (1) and the AEPD.

In compliance with the DPO's recommendation, CaixaBank attempted to arrange an in-person meeting with the Complainant (1) at its administrative office in order to configure, according to her preferences, the operating and viewing powers of her products for the authorized users designated in her Online Banking contract. The Claimant (1) has declined on several occasions through her manager to hold this in-person appointment to review her viewing preferences and the operations of her authorized representatives, so it has been impossible for CaixaBank to determine whether the current configuration of the Claimant's (1) Online Banking contract meets her preferences.

Thus, in no case can CaixaBank's conduct be considered culpable, since the access D.D.D. had was in accordance with the viewing configuration freely chosen by B.B.B., and CaixaBank tried to collaborate with B.B.B. so that she could configure the scope of the authorization granted, despite her refusal to meet with my client. Indeed, CaixaBank maintained diligent conduct at all times and offered to hold a personal appointment, which never took place due to B.B.B.'s refusal.

For all the above reasons, even in the hypothetical and denied case of considering that the alleged facts are typical (quod non), it would not be appropriate to sanction CaixaBank for the alleged and denied violations identified in the Initiation Agreement, since its conduct was motivated by a reasonable interpretation of the applicable regulations and its actions were diligent at all times, such that the subjective element necessary for a sanction is not present."

EIGHTH:

On March 6, 2024, the investigating judge agreed to reproduce for evidentiary purposes the claim filed by B.B.B. and C.C.C., its documentation, the documents obtained and generated during the claim admission phase, and the report of the preliminary investigation actions that form part of the procedure.

Likewise, the allegations to the agreement initiating the aforementioned sanctioning procedure, submitted by CAIXABANK, S.A., and the accompanying documentation, are hereby reproduced for evidentiary purposes.


NINTH:
On October 28, 2024, a proposed resolution was notified, proposing:

That the Director of the Spanish Data Protection Agency sanction CAIXABANK, S.A., with NIF A08663619, for the following violations:

• Article 5.1. f) GDPR, defined in art. 83.5 a) classified as very serious for the purposes of the statute of limitations in Article 72.1 a) of the LOPDGDD, with a fine of 500,000 euros (five hundred thousand euros).
• Article 32 of the GDPR, classified in Article 83.4 a) of the GDPR, classified as serious for the purposes of the statute of limitations in Article 73 f) of the LOPDGDD, with a fine of 300,000 euros (three hundred thousand euros).
• Article 25 of the GDPR, classified in Article 83.4 a) of the GDPR and classified as serious for the purposes of the statute of limitations in Article 73 d) of the LOPDGDD, with a fine of 3,000,000 euros (three million euros).

The sum of the proposed fines totals €3,800,000.

That the Director of the Spanish Data Protection Agency order CAIXABANK, S.A., with Tax Identification Number A08663619, pursuant to Article 58.2.d) of the GDPR, to prove, within three months of the enforcement of the resolution issued, that the responsible entity has adopted the measures to ensure that its processing of personal data complies with the provisions of the GDPR, specifically regarding guarantees of confidentiality of the data processed and the adoption of appropriate technical and organizational security measures based on the risk arising from the processing.
In relation to the violation of Article 25 of the GDPR, the corrective measures consist of notifying, within nine months of the resolution terminating this sanctioning procedure becoming enforceable, the adoption of technical and organizational security measures, both by design and by default, that guarantee that the online banking application of the respondent entity protects personal data in general for all of the respondent entity's customers.

TENTH:

On November 19, 2024, the respondent entity submitted allegations to the proposed resolution, stating the following allegations:

(…)

As set out in the written arguments against the Initiation Agreement, to which we refer in full, the imputation of blame to CaixaBank is meaningless, since my client's actions were neither typical nor culpable. The above should necessarily have led to the dismissal of this sanctioning procedure.

In particular:

i) B.B.B. and C.C.C. entered into a current account agreement with CaixaBank, under which they became joint holders of a shared current account (hereinafter, the "Shared Account" and the "Current Account Agreement"). According to the Current Account Agreement, as it is a "joint and several" current account, each of the holders of the Shared Account could validly exercise their rights in relation to that account independently of the other, without the involvement of the other holder.

ii) According to the Current Account Agreement and the Civil Code, the exercise of the rights arising from the Shared Account may be carried out personally by the account holders or through a representative authorized for this purpose, who thus replaces the account holder in the exercise of their rights.

iii) C.C.C., by signing the Current Account Agreement, consented to the exercise of all of the rights arising therefrom by B.B.B., both personally by B.B.B. and by any representative that B.B.B. may designate, and to the extent that B.B.B. deems appropriate.

iv) B.B.B. authorized his mother, D.D.D., through the "CaixaBank Now" platform to access the current accounts held by her (including the Joint Account) in execution of the "CaixaBank Now" service contract signed on February 3, 2021 (the "CaixaBank Now Contract"). In particular, the scope of the power of attorney (which included the Joint Account) and, therefore, the scope to which the authorized representative (D.D.D.) could access was freely and unilaterally determined by B.B.B., in the exercise of her independent will. Indeed, the CaixaBank Now system allows users to expressly select the display options for the accounts that customers grant to authorized third parties, without CaixaBank imposing a default ("bulk") system of which the user is unaware. When D.D.D. was authorized to view the Joint Account, she could view it, and when she wasn't, she couldn't. This was proven by the screenshots attached to the response to the request for information issued by the AEPD (see pages 402 et seq. of the file) and has not been refuted in the Resolution Proposal.

v) In the event that CaixaBank were to oppose access to a shared account by a representative with sufficient authority to view account transactions, it would be in breach of the Current Account Agreement (which allows full access to the account, either by each joint account holder individually or by a person individually authorized by either of them), as well as the data protection regulations. In particular:

• If CaixaBank does not allow access to the data of a joint account to a third party authorized by one of the joint account holders, it will be in breach of the current account contract (by violating the joint and several arrangements expressly agreed upon), as well as the power of attorney granted by the former.

• If, on the other hand, CaixaBank does not provide the data relating to jointly-held accounts that, hypothetically, a third party, legal or voluntary representative, requests within the framework of a request for a right of access, CaixaBank will be in breach of data protection regulations, as it will be preventing the exercise of the right of access provided for in Article 15 of the GDPR, the exercise of which corresponds not only to the account holder but also to that third-party representative, as expressly established in Article 12 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, the "LOPD").

vi) Ultimately, D.D.D.'s access to the data of the Joint Account in replacement of B.B.B. and under the protection of an authorization expressly granted by the former through the CaixaBank Now platform (and whose scope included viewing the Shared Account), it was consented to by C.C.C., insofar as it consented to the Shared Account being joint and several and, therefore, consented to B.B.B. being able to exercise its individual rights in any manner it deemed appropriate (i.e., by itself or through a third party).

Thus, CaixaBank's action in allowing B.B.B. access is atypical, since such access was covered by the Current Account Agreement. Furthermore, CaixaBank acted diligently and based on a reasonable interpretation of the law in accordance with the Civil Code. This should necessarily have led to the dismissal of the sanctioning procedure due to the lack of criminal liability or, alternatively, due to the lack of culpability.

2. Summary of the reasons for opposing the Proposed Resolution

2.1.1 The sanctioning procedure should be closed: CaixaBank did not incur in any typical acts. Lack of typicality.

(…)

With all due respect, in this case, there is no "possible collision between the Civil Code and current data protection regulations." The Civil Code regulates the regime of joint and several liability, as well as the power of attorney regime. These are issues not regulated in the GDPR and must be addressed by the Spanish Data Protection Agency (AEPD) when analyzing compliance with data protection regulations.

Indeed, the legal framework and requirements for exercising data subject rights through a representative are not harmonized by the GDPR, as recorded in the "Guidelines 01/2022 on data subject rights - Right of access. Version 2.0. Adopted on 28 March 2023" issued by the European Data Protection Board, which is the coordinating organization that brings together national data protection authorities, as well as the European Data Protection Supervisor (hereinafter the EDPB Right of Access Guide). In particular, the Guide establishes that "national laws regulating representation (e.g., powers of attorney) [...] must be taken into account, as the GDPR does not regulate this issue."

In line with the above, the recent ruling of the Contentious-Administrative Division of the National Court of October 3, 2024, is particularly illustrative. It expressly established that the AEPD must comply with civil law in order to analyze whether a data protection violation has been committed (hereinafter, the "National Court Judgment").

Indeed, the AEPD cannot ignore the regime applicable to the account and the power of attorney granted to D.D.D., but rather, following its previous approach and taking into account the National Court Judgment, it must analyze whether a violation of data protection regulations occurred based on the regime applicable to the legal relationship between the parties.

This analysis must necessarily lead the AEPD to conclude that D.D.D. could indeed access the Joint Account, given the joint nature of the Account and the authorization granted in his favor through the CaixaBank Now system. Indeed, the AEPD cannot seek to alter, beyond its jurisdiction, the legal regime of a validly entered into contract to derive consequences inappropriate to the civil legal regime of that contract.

It should be noted that requiring the joint account holder to expressly authorize access to the
representative's account by the other joint account holder, as the Resolution Proposal intends, would not only place CaixaBank in a situation of breach of contract and data protection regulations (which expressly provide for the right of access of third-party representatives), (...).

Thus, and by way of example, implementing what the Resolution Proposal proposes would be equivalent to denying access to joint accounts to those who were authorized for this purpose by a joint account holder (even through a power of attorney) until authorization from the other joint account holders was provided. This situation could lead to the absurdity of the attorney for one of the joint account holders being able to access the funds in the joint account without the express consent of the other joint account holder (in application of the joint account regime) but, conversely, being unable to access the information in that account without the prior express consent of the other joint account holder.

On the other hand, the Draft Resolution suggests that CaixaBank acknowledged that the "viewing of personal data [...] by an unauthorized third party is an incident" in the response provided to the Bank of Spain.

With all due respect, the fact that the aforementioned document described the "viewing of personal data" as a technical incident does not imply in any way that CaixaBank was acknowledging liability of any kind (much less liability for an alleged and denied data protection violation). In fact, in the response to the request submitted to the AEPD, CaixaBank stated that "the operation viewed by the authorized party is correct" because it responds to the authorization expressly granted to D.D.D. (p. 406 of the administrative file).

In any case, the classification used in the proceedings before the Bank of Spain when presenting the facts is irrelevant for the purposes of determining CaixaBank's liability in this proceeding. CaixaBank may only be liable for acts that constitute an infringing offense. And in this case, the element of criminality is not present, as set forth in the arguments against the Initiation Agreement, to which we refer in full.

Furthermore, it should be noted that the approach of the Resolution Proposal is based on an erroneous premise, confusing the role of the representative of a bank account with the role of the authorized representative in digital banking. (…) This approach is incorrect insofar as it is not necessary to be the representative of a specific account (and, therefore, to have powers that could even include closing the account) to access information related to that account through the digital banking platform if authorized by the CaixaBank Now contract holder, a circumstance that was established in the Allegations against the Initiation Agreement.

It follows from the above that CaixaBank did not incur any typical act: C.C.C. consented that the representative of the joint account holder of the Joint Account could access information about that Account at the time she consented to the Joint Account being jointly and severally held.

Furthermore, even if it were considered that CaixaBank committed the violations attributed to it in the Resolution Proposal, in no case could the violations related to the alleged lack of adequate measures and the alleged deficiencies in the design be attributed to the statute of limitations. Indeed, the statute of limitations for both violations (classified as serious) is two years. The events leading to the attribution of both violations occurred in 2021, so both violations expired in 2023. That is, before the notification of the Initiation Agreement (of January 18, 2024).

2.1.1 Furthermore, the sanctioning procedure should be closed, since CaixaBank's actions were not culpable.

Beyond the lack of criminality and the statute of limitations for two of the offenses, it should be noted that in no case could CaixaBank be held liable, as there is no element of culpability.

Indeed, as set forth in the Arguments against the Initiation Agreement, CaixaBank's actions were consistent with a contextualized interpretation of the data protection regulations with the rest of the legal system and, in particular, with the provisions of the Civil Code applicable to the Current Account Agreement, which contemplates joint and several relationships, as well as the concept of power of attorney, for which complete freedom of form is permitted.


2.1.2 Without prejudice to the foregoing, as a subsidiary matter and in the hypothetical and denied case that the closing of the proceedings is not agreed, the proposed sanction should be reduced.
(…), in the hypothetical and denied case of considering that CaixaBank engaged in typical and culpable conduct (quod non), the medial insolvency regime provided for in Article 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (hereinafter, “Law 40/2015”) must be applied, which limits the imposition of a single sanction in the event of violations that necessarily result from others. Furthermore, and in the hypothetical and denied case of not applying the rules of medial insolvency, in no case would it be possible to apply two sanctions for the alleged violation of Articles 5 and 32 of the GDPR, since such an accusation is based on the same facts. Therefore, hypothetically, only the sanction associated with one of the violations could be applied, but not both.

In any case, and without prejudice to the foregoing, the proposed sanctions (totaling €3,800,000) are disproportionate and lack the necessary justification. In particular, the sanctions do not comply with the principle of proportionality, taking into account that the access, even if hypothetically unlawful (quod non), could in no case have caused real and effective harm to C.C.C.

* * *

In light of the foregoing, my client's claims are for a resolution to be issued by which (i) the present sanctioning procedure is closed and (ii) subsidiarily, and if it is not closed, the sanction is reduced, in accordance with the principles of non bis in idem and proportionality.

FIRST. THE SANCTIONING PROCEDURE MUST BE CLOSED DUE TO LACK OF LEGAL CHARACTER. ACCESS TO THE JOINT ACCOUNT BY THE REPRESENTATIVE OF THE JOINT OWNER WAS CONSENTED TO BY C.C.C.: THE JOINT ACCOUNT IS SUBJECT TO THE SOLIDARITY REGIME. IN ANY CASE, THE VIOLATIONS RELATED TO THE ALLEGED LACK OF TECHNICAL MEASURES AND THE ALLEGED BREACH OF DATA PROTECTION BY DESIGN ARE TIME-BARRED UNDER THE STATUTE OF LIMITATIONS.

1. The sanctioning procedure must be closed due to the lack of legal grounds. The AEPD must observe the regime applicable to the legal relationship between the parties and cannot ignore it based on the principle of specialization. CaixaBank under no circumstances acknowledged its liability.

Indeed, and as set forth in the Allegations against the Initiation Agreement (to which we refer in full), the Joint Account is jointly and severally liable, so that C.C.C., at the time of signing the Joint Account Agreement, consented to B.B.B. accessing the account information through CaixaBank Now and, therefore, consented to such access being carried out either by B.B.B. on its own behalf or through a third party authorized by B.B.B. for this purpose (in this case, D.D.D.).


(…) it is not necessary to be the representative of a specific account (and, therefore, to have powers that could even include closing the account) to access information related to that account through the digital banking platform if this has been authorized by the holder of the CaixaBank Now contract, a circumstance that was proven in the Objections against the Initiation Agreement.

Furthermore, the sole reason the Resolution Proposal gives for challenging the substantive arguments put forward by CaixaBank is that, supposedly, in a case such as the one raised, neither the joint and several provisions of the law nor the power of attorney provided for in civil law apply, on the basis of the principle of regulatory specialty, and data protection regulations should prevail in this case.

With all due respect, this approach is incorrect for the following reasons:

− The principle of specialty requires that special law be applied in preference to general law when a factual situation more closely matches the fact regulated by the special law. On the contrary, general law will apply in all matters not covered by the special law.

− The joint and several regime of power of attorney is not provided for in the GDPR and, therefore, their analysis must be subject to civil law (which is the only one that regulates these matters). This is evident if we look at the EDPB's Right of Access Guide, which expressly states that civil law issues related to power of attorney are not regulated by the GDPR, but by national law (in our case, the Civil Code). This circumstance, which is of utmost relevance to resolving this procedure, has been ignored in the Draft Resolution. In particular, the aforementioned Guide to the Right of Access establishes the following:

“In this regard, national laws that regulate representation (for example, powers of attorney) [...] must be taken into account, since the GDPR does not regulate this issue.

In accordance with the principle of accountability, as well as the other data protection principles, data controllers must be able to demonstrate the existence of the relevant authorization to [...] receive the requested information, unless national legislation differs (for example, if national legislation contains specific rules regarding the reliability of data controllers).”

− In line with the above, the ruling of the National Court, which expressly established that the AEPD must consider the civil law underlying the relationship between the parties to analyze the occurrence of data protection violations, is particularly illustrative.

− In particular, in this case, a third party (the claimant's father) opened an account on behalf of his daughter based on a power of attorney granted in his favor. The claimant considered that this power of attorney did not authorize her father to open an account in her name, since, although the power of attorney authorized him to open accounts, his powers were limited to certain assets other than the account opened in her name. The National Court analyzed the scope of the power granted to the claimant's father and concluded that, in this case, the power of attorney did not cover the opening of the account in question.

It therefore considered that Bankia, S.A. (later succeeded by CaixaBank) had violated Article 6 of the GDPR.

− In relation to the above, in response to the argument of the AEPD's lack of jurisdiction, the National Court concluded that the AEPD "does not assess or examine the validity of the contracts signed with the banking institution," limiting itself to "examining only whether or not there is lawful consent." And for the purposes of conducting such an examination, the National Court established that the AEPD "has jurisdiction to suppress conduct that affects the scope of data protection, including violations of the principles of consent... And if these principles require that a person's data be processed by a third party with their consent, the Agency, for the sole purpose of determining whether or not a violation of the aforementioned principles has occurred, may assess whether or not the consent to the processing of the data...is covered by the contracting of said services..."

− Considering this approach, the AEPD and subsequently the National Court analyzed the scope of the power granted to the claimant's father and concluded that its terms did not authorize him to open an account on behalf of his daughter. In this case, the AEPD must perform the same exercise and analyze whether, on the one hand, B.B.B. could exercise her rights individually (given the joint and several nature of the Joint Account) and, on the other hand, whether D.D.D. was authorized to access the information in the Shared Account (given the authorization granted to her through the CaixaBank Now system).

− Thus, following its previous approach and considering the ruling of the National Court, the AEPD must analyze whether there was a violation of the data protection regulations based on the regime applicable to the legal relationship between the parties.

− This analysis must necessarily lead the AEPD to conclude that D.D.D. could indeed access the Joint Account, given the joint and several nature of the Account and the authorization granted in his favor through the CaixaBank Now system.

− Indeed, the AEPD cannot seek to alter, beyond its jurisdiction, the legal regime of a validly entered into contract to derive improper consequences from the civil legal regime of that contract.

− It should be noted that the approach followed in the Draft Resolution is not only legally inadmissible for the reasons stated above, (…).

− (…)

− It would be completely illogical to allow the attorney-in-fact to access the funds without the prior authorization of the other co-owners and, on the other hand, to deny access to the accounts for not having the prior authorization of the co-owners. Applying this approach (which is the one advocated by the Draft Resolution) would lead to an absurd situation in which the attorney-in-fact could access all the funds without the express authorization of the other co-owners and, yet, be unable to know, for example, the balance of the account in question.

− Furthermore, applying the approach proposed in the Resolution Proposal would not only generate practical problems such as the one raised, but would also place CaixaBank in a situation of breach of contract (it would prevent joint account holders from exercising their rights on behalf of a third party within the framework of a joint and several contract), as well as a breach of data protection regulations. In particular, if the approach suggested in the Resolution Proposal were to be applied, CaixaBank would be forced to violate the authorized third party's right of access in relation to joint and several accounts, in violation of Article 12 of the LOPD (Spanish Data Protection Act), which expressly recognizes that "The rights recognized in Articles 15 to 22 of Regulation (EU) 2016/679 [which includes the right of access] may be exercised directly or through a legal or voluntary representative." This article does not provide that, if the right is exercised by a representative, additional consent must be obtained from the co-owners.

− In short, invoking the principle of specialty to try to displace the application of civil law is incorrect because it is legally inadmissible. Furthermore, applying the proposed approach would entail a change in the AEPD's criteria, which would generate numerous practical problems and negatively impact the exercise of rights by representatives, which would be unjustifiably limited and in violation of Article 12 of the LOPD.

(…) Without prejudice to the foregoing, and for the sake of completeness, it should be noted that the Draft Resolution is inadmissible in attempting to attribute the infringements to CaixaBank based on a supposed "acknowledgment" of its liability in the context of the proceedings before the Bank of Spain. In particular:

− The fact that in the proceedings before the Bank of Spain, CaixaBank classified the "viewing of personal data" as a technical incident does not imply in any way that CaixaBank was acknowledging liability of any kind (much less liability for an alleged and denied data protection violation).

− CaixaBank does not dispute that D.D.D. had access to the data of the accounts held by B.B.B., and that this access is not due to an error, but rather to the normal operation of the bank's digital platform, since D.D.D. had access in accordance with the viewing permissions that B.B.B. had expressly granted him at all times, as duly stated in the response to the request filed with the AEPD (p. 406 of the administrative file).

− In any case, the classification used in the proceedings before the Bank of Spain when presenting the facts is irrelevant for the purposes of determining CaixaBank's liability in this proceeding. First, because the proceedings before the Bank of Spain had nothing to do with the attribution of data protection violations. And second, because, in any case, the hypothetical and denied recognition referred to in the Resolution Proposal is irrelevant for the purposes of resolving this proceeding.

− Indeed, CaixaBank can only be held liable for acts that constitute an infringing offense. And in this case, the element of typicality does not apply, as duly set forth in the Objections against the Initiation Agreement to which we refer.

Thus, when D.D.D. was authorized to view the Shared Account, she could view it, and when she wasn't, she couldn't. This was proven by the screenshots that were attached to the response to the request for information made by the AEPD. Indeed, there is not a single video or screenshot that proves that D.D.D. could access the joint account when her daughter had withdrawn it. Therefore, the commission of the violations that they are seeking to impute has not been proven. And they have not been proven because (as has been evidenced) D.D.D. could only view the Shared Account when she was expressly authorized to do so.

In short, D.D.D.'s access was consented to by C.C.C., while the Joint Account was subject, by express consent of the parties, to the "joint and several modality," so that the joint account holders could exercise their rights individually, either by themselves or through third parties. Based on the above, all the types of infringements claimed are dismissed:

− The principle of confidentiality was not violated (since C.C.C. consented to B.B.B. exercising his right of access individually, which includes authorizing a third party to exercise it).

− CaixaBank has adequate security measures in place; it is not required to establish security measures to prevent third parties authorized by a joint account holder from accessing information on shared accounts. If the account is jointly and severally owned (as it is in this case), any of the joint account holders may authorize a third party to exercise their right to access the accounts, taking into account that such authorization is granted at the time the account is subject to the "joint and several arrangement." In fact, to interpret otherwise would violate the joint and several arrangements agreed upon by the parties.


− The digital banking platform does not suffer from a design defect, and it is not mandatory that it require the consent of all joint account holders for third parties authorized by one of them to access the account information, provided that the account has been subject to the joint and several arrangements and, therefore, provided that the joint account holders can exercise their rights as they deem appropriate. The foregoing would be equivalent to ignoring the joint liability regime of the Joint Account, which was expressly agreed to by the joint owners and which must be respected by CaixaBank Now.

All of the above must necessarily lead to the dismissal of this proceeding due to the lack of legal grounds. Indeed, as has been seen, access to the Joint Account by the joint owner's representative was consented to by CCC by consenting to the Joint Account being jointly held, which implies that the types of infringements that the Draft Resolution proposes to impute are void.

2. Alternatively, it is inappropriate to attempt to impute the serious infringements associated with the violation of Articles 32 and 25 of the GDPR, since they have expired.

(…)

These violations cannot be attributed to CaixaBank since, as stated in the previous section, my client has not committed any violations. However, in addition, and in the hypothetical and denied case in which CaixaBank were deemed to have committed such violations, the Draft Resolution would still be incorrect because the violations provided for in sections f) and d) of Article 73 of the LOPD have expired.

Indeed, in accordance with Article 73 of the LOPD, serious violations “shall expire after two years,” with the dies a quo being “the day on which the violation was committed,” as stated in Article 30.2 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector.

In this case, the acts considered typical would have already been committed at the time B.B.B. filed her complaint with the AEPD (i.e., on January 27, 2021, according to Proven Fact Three of the Draft Resolution). Therefore, at that time, the acts considered typical would have already been committed. From the above, it follows that even considering that date as the dies a quo, at the time the Initiation Agreement was issued, the violations had already prescribed, as more than two years had already passed since the alleged violation occurred.

The AEPD had two years (i.e., until January 27, 2023) to initiate the sanctioning procedure to allege the serious violations that it now improperly seeks to allege. However, it did not notify the Initiation Agreement until January 18, 2024 (almost three years after the disputed events occurred).

It follows from the above that, even in the hypothetical and denied case of considering that CaixaBank committed the violations provided for in sections f) and d) of Article 73 of the LOPD, such violations could not be attributed under any circumstances, as they had already expired at the time the Initiation Agreement was issued. The foregoing must necessarily lead, in the alternative, to the non-attribution of such violations and, therefore, to the non-imposition of the penalties associated with their commission in the Proposed Resolution (€300,000 for the violation provided for in Article 73.f) of the LOPD and €3,000,000 for the violation provided for in Article 73.d) of the LOPD).

SECOND.- IN ADDITION, THE PENALTY PROCEDURE MUST BE DISMISSED DUE TO ABSENCE OF GUILT. CAIXABANK ACTED BASED ON A CONSISTENT INTERPRETATION OF THE RULE IN ACCORDANCE WITH THE CIVIL CODE.

Even if it could be understood that CaixaBank committed the GDPR violations indicated (quod non), the charge proposed in the Draft Resolution would still be inadmissible. This is because, in any case, the subjective element of culpability essential for exercising the sanctioning power is not present, as expressly stated in Article 28 of Law 40/2015, which establishes that "only natural and legal persons [...] who are responsible for them due to intent or negligence may be sanctioned for acts constituting an administrative offense." This is what the Court of Justice of the European Union reiterated regarding data protection in its judgment of December 5, 2023 (Case C-807/2021).

Therefore, in any case, the subjective element must be present to sanction conduct that is considered typical. In this regard, as set forth in the Arguments against the Initiation Agreement, it should be noted that consolidated jurisprudence of the Third Chamber of the Supreme Court has ruled on numerous occasions regarding the exemption from liability in the area of sanctions as a result of the reasonable application of the rules. Among many others, the judgments of this Honorable Chamber of July 6, 1995 (RJ 5796), January 12, 2002 (RJ 549), June 30, 2003 (RJ 5754), and December 9, 1997 (RJ 485) can be cited. According to the latter:

"For a legal discrepancy to dispel culpability for an objectively proven regulatory breach, it must be reasonably justified. And the latter, in turn, requires specifying the contentious points that give rise to this discrepancy, the alternative interpretation that is based on these points against the sanctioning administrative body, and the legal arguments used to defend this differentiated interpretation."

In this sense, the requirement for C.C.C.'s consent for D.D.D. (replacing B.B.B.) to access information loses all meaning when contextualized with the rest of the legal system and, in particular, with the provisions of the Civil Code, which contemplates joint and several relationships, as well as the concept of a mandate, for which complete freedom of form is permitted. To understand otherwise would distort the dynamics of joint and several relationships (which allow for the independent exercise of rights in any manner deemed appropriate), as well as distort the power of attorney, which allows for the independent exercise of rights through a third party (who acts as a sort of alter ego in legal transactions).

On the other hand, it should be noted that CaixaBank's actions were diligent insofar as my client allowed D.D.D. access under the terms expressly authorized by B.B.B. at all times. Indeed, the access that D.D.D. had to the accounts of which B.B.B. is the holder (individually or jointly) conformed to the display configuration freely chosen by B.B.B., and CaixaBank was available to modify it according to B.B.B.'s preferences. This has not been refuted in the Resolution Proposal.

Furthermore, in no case can CaixaBank's conduct be considered culpable, as CaixaBank tried to collaborate with B.B.B. from the outset. B.B.B. contacted CaixaBank's Customer Service Department, and the Data Protection Officer's department made a call to B.B.B., where, upon confirming that there was no incident but rather a configuration that B.B.B. did not like, the customer service department was again contacted to address B.B.B.'s display needs.

Subsequently, the Data Protection Officer offered to arrange a face-to-face meeting so that she could configure the scope of the authorization granted to D.D.D. (and, in particular, to configure the viewing options available to her). However, B.B.B. declined CaixaBank's proposal, as explained in the letter of June 15 submitted to the AEPD.

In this sense, therefore, under no circumstances can it be argued that CaixaBank does not have an adequate data protection complaint handling procedure from data subjects. Since there was no data protection violation, it assisted D.D.D. so that she could change the viewing options she herself had configured.

Thus, under no circumstances can CaixaBank's conduct be considered culpable, since D.D.D.'s access to the data was not illegitimate: it conformed to the display configuration that B.B.B. had freely chosen, and CaixaBank attempted to collaborate with B.B.B. so that she could determine the scope of the authorization granted, despite her refusal to meet with my client. Indeed, CaixaBank maintained diligent conduct at all times and offered to hold a personal meeting, which never took place due to B.B.B.'s refusal.

THIRD.- WITHOUT PREJUDICE TO THE FOREGOING, ON A SUBSIDIARY BASIS AND IN THE HYPOTHETICAL AND DENIED CASE THAT THE PROCEEDINGS ARE NOT DISMISSED, THE APPLICABLE PENALTY MUST BE REDUCED. THE PENALTIES PROPOSED IN THE DRAFT RESOLUTION VIOLATE THE PRINCIPLE OF NON BIS IN IDEM AND DO NOT COMPLY WITH THE PRINCIPLE OF PROPORTIONALITY.


1. The sanctions proposed by the Resolution Proposal are contrary to the principle of non bis in idem. The rules of the medial competition (concurso medial, i.e. medial concurrence of offences) must be applied.

32. The violations that the Resolution Proposal seeks to impose (i.e., alleged violation of the confidentiality principle, alleged lack of adequate security measures, and alleged poor design of the digital banking platform) are caused by a single fact: the alleged lack of consent of the C.C.C., which supposedly reveals an error in the design (which is denied in any case). The foregoing is unlawful because it violates the principle of non bis in idem, which implies the manifest impossibility of imposing two or more administrative sanctions for the same act. In particular:

(i) Violation of the principle of non bis in idem: The Resolution Proposal seeks to impose three sanctions without applying the rules of the medial competition. The application of the rules of medial competition should lead to only the imposition of the sanction associated with the violation of Article 5.1.f) of the GDPR.

If it is considered that CaixaBank engaged in typical and culpable conduct (quod non), the medial competition regime provided for in Article 29.5 of Law 40/2015 should be applied, the literal wording of which states the following:

(…)

The National Court considered the appropriateness of finding the concurrence of violations based on a medial competition between the violations contemplated in the data protection regulations, when the commission of one necessarily requires the commission of the other.

This is precisely what happens in the present case. Hypothetically, the fact that Article 25 of the GDPR was violated (design error) would have resulted in the impossibility of applying appropriate measures and, ultimately, a violation of the principle of confidentiality. Therefore, the alleged commission of one of the violations has led to the rest.

It follows from the above that, applying the ruling of the National Court to the case at hand, only one violation could be charged (and a sanction applied), but not three.

Of the three violations sought to be charged, the most serious is the one provided for in Article 5.1.f) of the GDPR (which is classified as very serious). Thus, in accordance with Article 29.5 of Law 40/2015, hypothetically, only that violation could be charged, but not the rest.

(ii) Furthermore, and in the hypothetical and denied case of not applying the rules of the medial competition, in no case would it be possible to apply two sanctions for the alleged violation of Articles 5 and 32 of the GDPR, since such an accusation is based on the same facts.

(…)


(…) the facts on which the accusation of both violations is based are the same and basically correspond to D.D.D.'s access to the transactions in the Shared Account.

The Proposed Resolution does not reveal the specific elements of violation of either article that, hypothetically, would justify the accusation of two different violations.

Thus, and by virtue of the principle of non bis in idem (which prevents the same act from being sanctioned more than once), it is inappropriate to attempt to impose two sanctions for the same acts, so hypothetically only one of the sanctions could be applied, but not both.

2. In any case, and without prejudice to the foregoing, the proposed sanctions are disproportionate and lack the necessary justification, leaving CaixaBank defenseless.

(…) It should be noted that the sanctions indicated in the Draft Resolution are clearly contrary to the principle of proportionality, which the AEPD must necessarily adhere to, as expressly stated in Article 29.3 of Law 40/2015, whose literal wording establishes the following: "3. In determining the regulatory sanctioning regime, as well as in the imposition of sanctions by Public Administrations, the appropriateness and necessity of the sanction to be imposed and its adequacy to the seriousness of the act constituting the infraction must be observed [...]."

In this regard, the ruling of the Administrative Litigation Chamber of the National High Court of November 18, 2022, is particularly illustrative, establishing the following:

“According to the Supreme Court's repeated jurisprudence, such as the Ruling of April 12, 2012 - Appeal No. 5,149/2009 -, among others, there must be a due balance between the seriousness of the act constituting the infraction and the sanction imposed, as provided in Article 29.3 of Law 40/2015, of October 1. This principle cannot be excluded from judicial review, since the margin of appreciation granted to the Administration in imposing sanctions within the legally established limits must be developed by weighing, in all cases, the concurrent circumstances, in order to achieve the necessary and due proportion between the facts charged and the required liability, given that any sanction must be determined in accordance with the magnitude of the violation committed and according to a criterion of proportionality in relation to the circumstances of the incident. Therefore, proportionality constitutes a normative principle imposed on the Administration and reduces the scope of its sanctioning powers.”

Well, in this case, it is clear beyond any doubt that the sanctions contemplated in the Draft Resolution are entirely disproportionate considering the circumstances underlying the sanctioning procedure. In particular:


− There is only one complaint related to viewing permissions, that is, it is not a widespread case but rather a completely isolated one. The above demonstrates that there is no structural design problem, but rather, at most, a specific situation (which in no case violates data protection regulations). This circumstance must be taken into account when establishing the amount of the sanction under Article 83.2.a) of the GDPR.

− Although D.D.D. was able to access information about the Shared Account, she could not access the funds exclusively owned by C.C.C. Therefore, the access, even if hypothetically unlawful, could in no case have caused actual and effective harm to C.C.C.

− CaixaBank tried to collaborate with B.B.B. by offering to arrange a face-to-face meeting so that she could determine the scope of the authorization granted to D.D.D. (and, in particular, to configure the viewing options available to her). However, B.B.B. declined CaixaBank's proposal, as explained in the letter submitted to the AEPD on June 15. This circumstance must be taken into account when establishing the amount of the penalty under Article 83.2.c) and f) of the GDPR.

Furthermore, it is inappropriate for the Draft Resolution to apply Article 83.2.b), which establishes the aggravating factor consisting of "intentionality or negligence in the violation," to calculate the penalty. Indeed, and as the National Court's ruling recalls, "With regard to section b) on intentionality or negligence, this Court has on numerous occasions ruled that this circumstance is not applicable as an aggravating factor because, in and of itself, it forms part of the offense itself and, except in those cases where it is justified and proven that there was an additional degree of intentionality, it is not a circumstance that should be used to aggravate the conduct." Thus, in the hypothetical and unlikely event of considering that an infraction had been committed, the existence of an "additional degree of intentionality" would in no case have been proven, which means that under no circumstances could the application of this aggravating factor be considered.

Furthermore, it should be noted that the Draft Resolution is contrary to the duty to provide reasons to which all Administrations are subject (in accordance with Article 35 of Law 39/2015), since at no point does it justify the calculation of the sanctions considered. In this sense, the violation of the duty to provide reasons places my client in a defenseless situation, as it is unaware of the specific reasons why the AEPD considers that the first violation should carry a penalty of €500,000, the second €300,000, and the third €3,000,000. This defenseless situation is further aggravated if one takes into account the high amount of the penalties considered in the Draft Resolution. (…)


From the actions taken in this proceeding and from the documentation in the file, the following have been established:

PROVEN FACTS

FIRST:

Claimant 1, B.B.B., holds three bank accounts at CAIXABANK, S.A., specifically, the following:

 ***REFERENCE.1.
 ***REFERENCE.2

 ***REFERENCE.3

Claimant 2 appears as co-holder in the first of the accounts indicated, and D.D.D., the mother of Claimant 1, appears as authorized person in the last two accounts indicated.

SECOND:

The details of the products associated with each account are as follows:

1. ***REFERENCE.1.

The account holders listed on this account are:

B.B.B. and C.C.C.
The following product is linked to this account:

No. ***REFERENCE 5: Ownership of B.B.B.

Three cards, whose beneficiary and holder is C.C.C., are associated with this card contract.

***REFERENCE 7: Ownership of C.C.C.

2. ***REFERENCE 2

The holder of this account is B.B.B., and the recognized signatures are those of D.D.D. and E.E.E.

For collection purposes, the following product is linked to this account:

***REFERENCE 6: Ownership of B.B.B. and where D.D.D. is listed as authorized.

3. ***REFERENCE 3

This account is registered in the name of B.B.B. and has D.D.D. as recognized signature.

The following products are linked to this account:

***REFERENCE 8: Owned by B.B.B. and with one associated card.

***REFERENCE 9: Owned by B.B.B. and with one associated card.

***REFERENCE 10: Owned by B.B.B. and with two associated cards.

***REFERENCE 11: Owned by B.B.B. and with one associated card.

***REFERENCE 12: Owned by B.B.B. and with one associated card.

***REFERENCE 13: Owned by B.B.B. and with two guarantors: E.E.E. and D.D.D.

***REFERENCE 14 owned by B.B.B.

***REFERENCE 15 owned by B.B.B.

***REFERENCE 16 owned by B.B.B.

***REFERENCE 17 owned by B.B.B.

THIRD:
On January 11, 2021, Claimant 1 notified the Respondent of an incident with reference number ***REFERENCE 18 regarding certain transactions in the accounts of which she is the holder.

According to the file, the incident is identified in the following terms:

Your multi-signature request has been successfully processed, but we have not been able to notify all signatories. Date: January 11, 2021. Time: 4:59:39 PM.

On January 27, 2021, Claimant 1 informed the Respondent of an incident related to the fact that her mother has access, through her Caixabank online banking application (Caixabank Now), to all financial information not only about herself but also about the account she shares with Claimant 2.

FOURTH:
On February 3, 2021, Claimant 1 signed a CaixaBank Now contract (Contract No. (...) ***REFERENCE.6) referring to account ***REFERENCE.2, which allows for electronic transactions related to the account.

Section 2 of said contract (authorized users) lists the following: Persons who can access your CaixaBankNow: D.D.D., with DNI ***NIF.1, User Number ***REFERENCE.19, and Operational level.


According to page 9 of the aforementioned contract, section 1.2:

Additionally, you can designate other people to use your CaixaBankNow:

> Authorized users: You authorize these people to access your CaixaBankNow at the Basic Access, Consultation, or Consultation and Preparation levels (see the next point), unless you tell us otherwise.

This authorization expires when the period for which you authorized it expires, or if you inform us that you no longer want the person to be authorized.

> Personalized users: You can decide the level of access you grant these people, according to the following levels:
> Basic: Allows the user to submit documents to perform various transactions, such as direct debits, transfers, etc., that require the signature of the cardholder or a user with full authority. The purpose is for the user to prepare the transactions so that you, as the account holder, can subsequently consent to them.
> Query: allows the user to consult the contracted services as well as their specific transaction history.
> Query and preparation: this is the sum of the two previous levels.
> All allowed: the user can access all the services offered by CaixaBankNow.
> Detailed: the user may have different access levels, depending on the type of service: checking account, investment fund, insurance, etc.

The contract does not define what an authorized user at the "Operational" level is; none of the levels it lists (Basic, Query, Query and preparation, All allowed, Detailed) corresponds to it.

In the letter of June 16, 2023, the respondent states that,

…CaixaBank has not detected any incident in the operations of the Complainant's Online Banking (1), and the complaints regarding the Complainant's online banking functionalities (1) are due to her own choices in the display configuration. (emphasis added)

FIFTH:

On January 18, 2021, Claimant 2 signed CaixaBankNOW contract no. (…) ***REFERENCE.7, in which he appears as the first account holder, associated with the account ending in ***REFERENCE.1, and in which no authorized user appears.

SIXTH:

On February 10, 2021, Claimant 1 again informed the respondent that her mother could also view the products and transactions associated with the account ending in ***REFERENCE.1, an account for which she was not registered as an authorized person.


SEVENTH:

On February 11, 2021, Claimant 1 informed the Respondent that her mother could view the various products (including mortgage loans, insurance, and bank cards) associated with the accounts held by Claimant 1, including the one she co-owns with Claimant 2.

EIGHTH:

On February 17, 2021, Claimant 1 filed a complaint with the Respondent, outlining all the facts she had been alleging and requesting the termination of what she describes as an unauthorized transfer of data to third parties. Acknowledgment of receipt of said claim dated March 23, 2021, is recorded.

In said document, she expresses her intention regarding her mother's role as authorized party on the checking accounts of which she is the owner and co-owner, stating that,

Therefore, as of this writing, I revoke all "future contracts" in the name of B.B.B. that I hold according to my branch (I am still awaiting initial documentation), leaving only D.D.D. as authorized party for the accounts ending in ***REFERENCE.2 and ***REFERENCE.3, as she always was and has always been. (emphasis added).

NINTH:

On March 23, 2021, the respondent responded to claimant 1, indicating that they are processing her claim and will respond as soon as possible and within a maximum of one month.

TENTH:

Between February 19 and 21, 2021, Complainant 1 contacted the respondent's data protection officer regarding the events that occurred.

Complainant 1, in her email of February 21, 2021, expressly states that:

1. I attach the complaint sent to my office number 2409, where I explain everything that has been happening, and I believe it summarizes quite well everything that has been happening to me. This complaint was signed on February 16, 2021. I indicate, as you can read in the complaint, that the first incident in which I became aware of errors was on January 11, 2021, and from then on, it only got worse. I attach my ID.
2. The parties involved are C.C.C., D.D.D. and B.B.B.
3. Inability to perform certain transactions on all my accounts, due to the third party's signature requirement, in accounts where nothing is involved. I believe this is explained in the claim.

4. Transfer of data to a third party. Although everything is explained in the claim, I attach a video where this third party can see bank details that they shouldn't be able to see, and which they have NEVER seen until the beginning of the year.


5. Please indicate that my branch has been aware of everything from the very beginning, including the solutions and explanations (my branch has provided them to me, but they are instructions given by the La Caixa contact center or wherever). All of this documentation, plus photos, and the errors from the very beginning are also in her hands. (emphasis added)

The only response to these communications is the Data Protection Officer's email of February 9, 2023 (two years after the complaint was filed with the officer, and one day before the respondent's reply of February 10, 2023 to the request for information sent by the AEPD as a result of the complaint), in which the following is communicated:

We are contacting you regarding your complaint about the functioning and visibility of products in your online banking contract (CaixaBank NOW). Since in the last few interactions we have had, we have not been able to configure the operation and viewing capabilities of your products to your satisfaction for the designated authorized users, we would like to schedule an appointment with you at your office. We will attend with the support of the Entity's technical departments. Following the instructions and clarifications you provide, we will restore and reconfigure the authorizations for all your products. We hope that in this way, we will be able to test all the configurations you indicate, with your intervention, until they are fully operational.

ELEVENTH:

On June 22, 2021, Claimant 1 filed a claim with the Bank of Spain - File Ref: ***REFERENCE.20.

TWELFTH:

On ***DATE.2, Claimant 1 received an email from the defendant's attorneys with an attached settlement proposal, arising from the claim filed by Claimant 1 with the Bank of Spain.

The email states that,

As discussed by telephone, we contacted you as attorneys for CaixaBank, regarding the claim filed with the Bank of Spain with the reference number referenced in the subject line of the email.

As we have discussed, we wish to convey CaixaBank's willingness to find an amicable solution to the situation you have raised, regarding the possibility of a third party being able to check the positions of your products, despite not being authorized to access them, but only two current accounts.

In this regard, and as we have indicated, it appears that there was a technical issue with your and your mother's users, and that it should be resolved by issuing new passwords with the correct access to you and your mother. In this regard, we will contact the branch to initiate the procedures to verify that these passwords are issued correctly, before summoning them to deliver them to you. (emphasis added)

Subsequently, on July 21, 2021, the defendant's attorneys sent an email to Claimant 1 stating that this was a technical incident.

They indicated that,

I am writing again to inform you that we are aware that the office staff and you have tested your new CaixaBankNow user credentials and that one of the problems you described in your complaint has now been resolved.

Now, all that remains is for your mother to perform the corresponding test to verify that, with her username, she can only access your products for which she is listed as authorized. (emphasis added).

After that, on August 10, 2021, the defendant's attorneys sent an email to Claimant 1 stating that, from then on, her mother could only view the products for which she is authorized.

They inform her that,

I am writing again to inform you that the appropriate changes have been made so that your mother can only access CaixaBankNow products for which she is your authorized representative.

On August 10, Claimant 1 replied to the defendant's attorneys that the issue has not yet been resolved.

Finally, on August 13, 2021, an email sent by the defendant's attorneys to Claimant 1 showed that the issue, despite the defendant's previous statements, had not been resolved.

I apologize for the inconvenience. Unless I am mistaken, your mother can now only access the accounts for which she is your authorized representative (numbers ***REFERENCE 2 and ***REFERENCE 3) and cannot access card transactions.

THIRTEENTH:

In response to the complaint filed with the Bank of Spain, and in order to argue that the complainant's claims were being met, CaixaBank stated the following on July 21, 2021: Given these statements, CaixaBank has carried out the appropriate verifications and has detected a technical issue affecting the digital banking users of the complainant and her mother as the authorized representative.


FOURTEENTH:

On July 26, 2021, the Bank of Spain sent Complainant 1 a document informing her that this Department of Conduct of Institutions has received a letter from CAIXABANK, S.A., in which it communicates, in relation to the complaint filed on ***DATE.1, that they have rectified the situation that is the subject of the discrepancy, having been notified by the entity itself. Therefore, we consider that her complaint has been satisfied, in accordance with the provisions of Article 14 of Order ECC/2502/2012, of November 16, which regulates the procedure for submitting complaints to the complaints services of the Bank of Spain, the National Securities Market Commission, and the Directorate General of Insurance and Pension Funds. You are informed that the claim will be archived as of that date.

Claimant 1 files allegations with the Bank of Spain, signed on July 26, 2021, stating that she opposes the archive, expressly stating that the incident has not been resolved.

She states that,

Since January, and through all known means (the only one who was concerned was my manager, and not even he received a response), I have tried to resolve things amicably, but I have NEVER received a solution or even a response. A formal complaint was filed on February 17, to which NEVER was given a solution or response (until the call on July 8), when they are required to respond within a month. Let it be clear that the current situation we find ourselves in is solely and exclusively due to CaixaBank, and their lack of response from the beginning. Due to this, I feel ignored as a customer, since the only response has been received following the complaint to the BDE.

On the other hand, the current status of the issue in this complaint remains the same, and I obviously won't stop anything that isn't resolved. Furthermore, they have only contacted me when there are more people involved. (emphasis added).

FIFTEENTH:
On August 19, 2021, the respondent's attorneys sent the Bank of Spain a letter regarding the complaint filed by Complainant 1 with said institution (since, following Complainant 1's allegations, the complaint was not archived).

They indicate that,

SOLE.- CaixaBank has proceeded to make the appropriate adjustments to its control marks (replacing the "representative" mark with the "authorized" mark), the source of the administrative error, thereby automatically updating and correcting the viewing rights that the claimant's mother has over her products. Thanks to this, it is currently established that, through the CaixaBankNow online digital banking service, the claimant's mother can only make inquiries about the products for which she is authorized, which are currently current account numbers ***REFERENCE.2 and ***REFERENCE.3.

…In this regard, we justify the adjustments made in this regard, both with respect to the accounts and the limitation of card transactions:

…this entity requests that this case be closed, considering the entity as having been acquitted and requesting that the doctrine established by this Department regarding administrative errors be applied, and consequently, that there be a declaration of no action contrary to good banking practices. (emphasis added).
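The access-level scheme in the CaixaBankNow contract (Proven Fact Fourth) and the "representative" control mark that the bank later replaced with an "authorized" mark (Proven Fact Fifteenth) describe, in banking terms, a familiar authorization design defect: a coarse, user-level flag that overrides per-product grants. The following Python model is an added example written for this page, not CaixaBank's code; the data model, the `representative_of` flag, the level names and the sample references (REF1, REF2, REF3, CARD5, CARD7, users B, C and D) are assumptions constructed to mirror the proven facts. It puts the coarse resolver beside a per-product, least-privilege resolver and reports what the former exposes beyond the grants.

```python
"""Added example (not CaixaBank's code): per-product authorization for an
online-banking portal, with the coarse-flag defect beside its fix.

Every name, structure and the 'representative' flag semantics below are
assumptions constructed for illustration; the decision only records that a
"representative" control mark was replaced by an "authorized" mark.
"""
from dataclasses import dataclass, field
from enum import Enum
from typing import Dict, FrozenSet, List, Optional, Set


class Level(Enum):
    BASIC = "basic"                 # prepare operations for the holder to sign
    QUERY = "query"                 # view contracted services and history
    QUERY_AND_PREP = "query_prep"   # union of the two above
    ALL = "all"                     # every service the portal offers


def covers(have: Level, needed: Level) -> bool:
    """True if a grant at level `have` includes the capability `needed`."""
    if have is Level.ALL:
        return True
    if have is Level.QUERY_AND_PREP:
        return needed in (Level.BASIC, Level.QUERY, Level.QUERY_AND_PREP)
    return have is needed


@dataclass(frozen=True)
class Product:
    ref: str                         # constructed account or card reference
    holders: FrozenSet[str]
    parent: Optional[str] = None     # a card hangs off an account


@dataclass(frozen=True)
class Grant:
    user: str
    product_ref: str
    level: Level


@dataclass
class Portal:
    products: Dict[str, Product]
    grants: List[Grant]
    # Hypothetical user-level mark: "this user represents holder X".
    representative_of: Dict[str, str] = field(default_factory=dict)

    def visible_buggy(self, user: str) -> Set[str]:
        """Coarse check: a representative mark exposes every product of the
        represented holder and ignores the per-product grants entirely."""
        principal = self.representative_of.get(user)
        return {
            p.ref for p in self.products.values()
            if user in p.holders or (principal is not None and principal in p.holders)
        }

    def visible_fixed(self, user: str, needed: Level = Level.QUERY) -> Set[str]:
        """Least-privilege check: a product is visible only to its holders or
        to a user holding a grant on that exact product at a level that covers
        `needed`. Grants do not cascade to child products (cards)."""
        return {
            p.ref for p in self.products.values()
            if user in p.holders or self._granted(user, p.ref, needed)
        }

    def _granted(self, user: str, product_ref: str, needed: Level) -> bool:
        return any(
            g.user == user and g.product_ref == product_ref and covers(g.level, needed)
            for g in self.grants
        )


def demo_portal() -> Portal:
    """Constructed data mirroring the proven facts: REF1 shared by B and C
    with cards attached, REF2 and REF3 held by B with D authorized to query."""
    products = {p.ref: p for p in (
        Product("REF1", frozenset({"B", "C"})),
        Product("CARD5", frozenset({"B"}), parent="REF1"),
        Product("CARD7", frozenset({"C"}), parent="REF1"),
        Product("REF2", frozenset({"B"})),
        Product("REF3", frozenset({"B"})),
    )}
    grants = [Grant("D", "REF2", Level.QUERY), Grant("D", "REF3", Level.QUERY)]
    portal = Portal(products, grants)
    portal.representative_of["D"] = "B"   # the defective control mark
    return portal


def leaked_to(portal: Portal, user: str) -> Set[str]:
    """Products the coarse check exposes beyond what the grants allow."""
    return portal.visible_buggy(user) - portal.visible_fixed(user)


if __name__ == "__main__":
    portal = demo_portal()
    print("buggy :", sorted(portal.visible_buggy("D")))
    print("fixed :", sorted(portal.visible_fixed("D")))
    print("leaked:", sorted(leaked_to(portal, "D")))
```

With the constructed data, `visible_buggy("D")` returns the shared account and the card attached to it even though D holds grants only on REF2 and REF3; `visible_fixed("D")` returns exactly the two granted accounts and, because grants do not cascade to child products, no card data, which is the end state the bank's lawyers describe (accounts visible, card transactions not). The `needed` parameter makes the resolver check the level as well as the product, so a Query grant does not unlock operations that require All.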

SIXTEENTH:

Complainant 2 filed a complaint with the respondent on October 4, 2021, reporting the same facts as Complainant 1.

It states that,

Transfer of data by La Caixa to a third party without authorization.
All cards linked to account ***REFERENCE.1 are viewed by D.D.D. This has been occurring for more than 9 months, without you providing a solution to the problem. This woman has nothing to do with my accounts, and even less with my cards. My rights are being violated by disclosing data for months and months. Therefore, I request that you issue the appropriate instructions so that this can be corrected immediately. (emphasis added).

The respondent responded on October 27th, stating that the facts cannot be admitted for processing since they are being substantiated before the Bank of Spain.

SEVENTEENTH:

By Report of ***DATE.3, the Bank of Spain resolves the claim filed by Claimant 1, indicating that,

In this case, months passed between the date (February 17th) when the bank received the prior claim letter and the date the bank's lawyers contacted the claimant in writing (via email) (July 8th). There is no record of a response from customer service to the claim other than an acknowledgment of receipt. And although we do not have the document or the details of the authorization that the claimant granted to her mother, in any case, since February 2021, the claimant has expressed to the entity her disagreement with the information that she had or that her mother had access to, which she authorized, and reiterated time and again—providing demonstrative videos—that the incident remained unresolved as of that date. (emphasis added).

Furthermore, the report indicates that, following the submission of allegations by the respondent regarding the dismissal of the claim filed with the Bank of Spain,

28001 – Madrid 6 sedeagpd.gob.es 59/89

The bank submitted a new statement of allegations dated August 19, 2021, in which it again requests the closing of the case on grounds of acquiescence and states that it has made the appropriate adjustments to its control marks (replacing the "representative" mark with the "authorized" mark), the source of the administrative error, thereby automatically updating and correcting the viewing rights of the claimant's mother. It states that, on that date, the claimant's mother could make inquiries, through the CaixaBankNow online digital banking service, only on the products for which she is authorized: current account numbers ***REFERENCE.2 and ***REFERENCE.3.

The claimant filed a written statement on September 2, 2021, to once again oppose the acquiescence and closing of the file, stating that indeed, on August 8 and 13, a lawyer informed her that everything was settled, but it was not, and her mother could see the credit cards, as well as all her mortgage, life insurance, etc. information. She states that, although the documentation provided by CAIXABANK indicates that everything is resolved, as of that date (09/02/2021) this is a lie, and she provides demonstrative videos. She clarifies that the documentation provided by CAIXABANK consists of screenshots of its computers, and that from the outset her manager verified that this was correct and, although they saw this on the screen, it was not true.

...The entity, in its two statements of allegations, acknowledges the incident or error and reports that it has been resolved. As documentation attached to its statements, it only provides the email it sent to the complainant on July 8, 2021... The complainant, however, in her various statements, the most recent of September 2, 2021, indicates that the problem remained unresolved and provides demonstrative videos. Furthermore, she complains of the bank's lack of response to her complaint, which she first filed at the bank branch on February 17, 2021, and which customer service acknowledged on March 23, 2021.

...At this point, we must point out that the banks' failure to comply with their obligation to address and resolve complaints and claims submitted by their customers in a timely manner, which reveals deficient customer service and a lack of attention to financial service users, could constitute a violation of transparency regulations (emphasis added).

LEGAL BASIS

I. Jurisdiction


In accordance with the powers granted to each supervisory authority by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and the Guarantee of Digital Rights (hereinafter LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD establishes that: "The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, in a subsidiary manner, by the general rules on administrative procedures."

II Preliminary Questions

It should be noted at the outset that, in accordance with Article 4.1 of the GDPR, "personal data" means any information relating to an identified or identifiable natural person ("the data subject"); an identifiable natural person is any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier, or one or more elements specific to that person's physical, physiological, genetic, mental, economic, cultural, or social identity.

Having established the above, it should be recalled that bank transactions in a bank account contain data concerning its holder and, therefore, must be considered personal data in the sense indicated in the preceding section. Similarly, transactions on credit or debit cards are also considered personal data.

For its part, Article 4.2 of the GDPR defines processing as "any operation or set of operations which is performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction."

Finally, it should be noted that, according to paragraph 7 of this provision, the controller is considered to be the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of processing; if the purposes and means of processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be laid down by Union or Member State law;

In light of the foregoing, as indicated in the preceding sections, the claim is filed due to the access granted, to the three accounts opened with the respondent, two of which are held exclusively by Claimant 1 (including all associated products) and the other jointly with Claimant 2, to a person (Claimant 1's mother) who is authorized in only two of those accounts, specifically those ending in ***REFERENCE.2 and ***REFERENCE.3.

Therefore, we are faced with the processing of personal data of Claimant 1 and Claimant 2 for which the respondent is responsible.

III Response to the allegations in the initiation agreement

In response to the agreement to initiate this sanctioning procedure, the respondent entity has submitted various statements (indicated in the preceding sections), stating that this sanctioning procedure should be closed due to a lack of legality, since D.D.D. (mother of claimant 1) is authorized by B.B.B. (claimant 1) to view the information related to account ***REFERENCE.1, held by claimant 1 and claimant 2. Therefore, it considers its actions to be in accordance with the law, as they comply with the regulations governed by the Civil Code.

In this regard, we must remember that, although the respondent initially acknowledges that this viewing of Complainant 1's personal data by an unauthorized third party constitutes an incident—as stated, for example, in the response provided to the Bank of Spain in the context of the complaint filed by Complainant 1 before said Agency—in the allegations made to the agreement initiating this sanctioning procedure, it asserts that said viewing constitutes an autonomous decision by the complainant as a result of (i) the joint and several nature of the account she shares with Complainant 2 and (ii) her decision to recognize her mother as authorized on the accounts she holds—and, therefore, also on the one she shares with Complainant 2.

That is, it was only when the procedure was initiated before this Data Protection Agency that, despite having acknowledged since February 2021 that the facts for which the complaint is filed constitute an incident attributable to the respondent, and in an argument that appears to evade its responsibility, it alleges that the events that occurred stem from a decision made by the claimant herself. It is striking that this incident or error has been acknowledged by the respondent itself in its response to the Bank of Spain, whose report, dated ***DATE.3, as we recall, states the following: The entity, in its two written allegations, acknowledges the incident or error and communicates that it has resolved it. Yet it only attempts to shift responsibility to the claimant herself when a sanctioning procedure is initiated for an alleged violation of personal data protection regulations.

Furthermore, the "error" has also been acknowledged to Claimant 1 on multiple occasions by the respondent, as evidenced by the proven facts. Thus, for example, in the email of ***DATE.2 sent to Claimant 1 by the respondent's attorneys in relation to an attempted settlement arising from the claim filed by Claimant 1 with the Bank of Spain, they expressly confirm that, as we have discussed, we wish to convey to you CaixaBank's willingness to find an amicable solution to the situation you have raised, regarding the possibility of a third party being able to check the positions of your products, despite not being authorized to access them, but only two current accounts. In this regard, and as we have indicated, it appears that there was a technical issue with your and your mother's usernames, and that it should be resolved by providing you and your mother with new passwords with the correct access. In this regard, we will contact the office to begin the process to verify that these keys are being issued correctly before summoning you to deliver them. (emphasis added).

At this point, for the sake of interest, let us recall that the Bank of Spain, in the aforementioned report of ***DATE.3, regarding the status of authorized person in a bank account, states the following (emphasis added):

Authorized persons are persons who, with the express consent of the account holders, may generally dispose of the balance in the account. They are not authorized to modify the terms of the contract, nor to cancel the account, nor to make any withdrawals from the account after the death of the account holder. Authorized person status is obtained through express authorization of the account holder(s), usually in writing. It is banking custom and practice to collect the signatures of both the account holders and the authorized persons at that time.

In this regard, let us note that authorization, as indicated by the Bank of Spain itself, refers to a power of disposal over the funds deposited in the bank account. A different matter, it must be understood, is the visualization of the transactions related to all the products associated with it; this circumstance is what occurred in the case at hand, as reflected in the terms of the claim.

On the other hand, the Bank of Spain states that authorized person status is obtained by express authorization of the account holder(s). Applying this statement to the case at hand, and since the account ending in ***REFERENCE.21 is a shared account between both claimants, the authorized person status of a third party would require the express authorization of both co-holders. Since the respondent asserts that, once Claimant 1 designates her mother as authorized person, she acquires such status with respect to all accounts owned by her (including the one shared with Claimant 2), it cannot but be understood that this practice is contrary to what the Bank of Spain itself asserts.

The respondent, regarding the need for consent from Claimant 2, stated the following in its written pleadings:

“The requirement for the consent of the CCC for DDD (replacing BBB) to access information loses all meaning when contextualized with the rest of the legal system and, in particular, with the provisions of the Civil Code, which contemplates joint and several relationships, as well as the concept of the mandate, for which complete freedom of form is permitted. Understanding this would distort the dynamics of joint and several relationships (which allow the independent exercise of rights in any manner deemed appropriate), as well as distort the power of attorney, which allows the independent exercise of rights through a third party (acting as a kind of alter ego in legal transactions). So much so that requiring consent under the terms intended by the AEPD would have constituted a breach of the Current Account Contract, to the extent that this Contract allows its co-holders to exercise their rights independently (regardless of the method of exercise) and without requiring the presence of the other holder.”

In this regard, if the respondent is raising a possible collision between the Civil Code and current regulations on personal data protection, it should be noted that in these cases the principle of specialty applies, according to which the law with a direct and specific regulation of the subject matter in question prevails over any other.

Jurisprudential interpretation denies the suppletory nature of general law in matters directly regulated by special law. The principle of specialty resolves the problem of concurrent laws or their apparent conflict by applying the special law first.

This is without prejudice to the fact that the respondent itself, in the document sent on August 19, 2021, to the Bank of Spain in relation to the claim filed by complainant 1 before said entity, indicates that:

SOLE.- That CaixaBank has proceeded to carry out the appropriate regularizations of its control marks (replacing the "representative" with the "authorized"), the source of the administrative error... (emphasis added).

Thus, the case at hand aims to determine whether access to the current account data, as well as card No. ***REFERENCE.5, associated with account ***REFERENCE.1, owned by both Claimant 1 and Claimant 2, constitutes a violation of personal data protection regulations.

Since the matter at hand concerns the protection of personal data, in accordance with the principle of specialty, the GDPR and the LOPDGDD are preferentially applicable as the rules specific to the matter.

Therefore, it is absolutely essential, in addition to what the Bank of Spain itself indicates in its report of ***DATE.3, to have the consent of both claimants in order to access the data on card No. ***REFERENCE.5, associated with account ***REFERENCE.1.

This is so because said account is owned by both claimants, not just by Claimant 1, so both have the right to have their personal data lawfully processed. This necessarily implies that the consent of both owners must have been granted in this case, in accordance with Article 6.1 a) of the GDPR.


Having clarified this point, it should be noted that the respondent is therefore considered the data controller, given that it determines the purposes and means of this processing, pursuant to the aforementioned Article 4.7 of the GDPR.

Article 4, section 12 of the GDPR broadly defines “personal data security breaches” (hereinafter, security breaches) as “any breach of security that results in the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed.”

Thus, it should be noted that allowing a third party, in this case the mother of Claimant 1, access to the account transactions and associated products in which she is not listed as an authorized person constitutes a personal data breach, categorized as a confidentiality breach.

According to the WP29, a "breach of confidentiality" occurs when there is an unauthorized or accidental disclosure of, or access to, personal data.

Among the processing principles set forth in Article 5 of the GDPR, the integrity and confidentiality of personal data are guaranteed in Section 1.f) of Article 5 of the GDPR.

Furthermore, Article 32 of the GDPR establishes the obligation to adopt organizational and security measures adapted to the risk of the processing.

Finally, data protection by design and default, that is, the technical and organizational measures that must be adopted as a minimum in general terms in all personal data processing, are regulated in Article 25 of the GDPR.

IV Response to the allegations regarding the proposed resolution

In response to the proposed resolution of this sanctioning procedure, the respondent entity has submitted allegations (transcribed in the tenth paragraph), essentially referring to the lack of typicity (tipicidad) of the conduct, the absence of culpability, and the lack of proportionality of the amount of the proposed sanction.

First, regarding the lack of typicity, the respondent entity indicates that since the account shared by the claimants is a joint account, the authorization granted by one of the co-holders to a third party allows viewing of all the products held by said co-holder, including those related to the joint account. The entity points out that in the present case data protection regulations do not apply, but rather civil law should be applied. For this purpose, it cites a ruling by the National Court of October 2023 on authorization by power of attorney regarding consent as a basis for legitimation.

First, we must highlight the conditions under which Claimant 1's mother was authorized, which are reflected in the fourth proven fact in the following terms:

On 3/02/2021, Claimant 1 signed a CaixaBank Now contract (Contract No. (...) ***REFERENCE.6) referring to account ***REFERENCE.2, which allows transactions related to the account to be carried out electronically.

Section 2 of said contract (authorized users) reflects the following:

Persons who can access your CaixaBankNow: DDD, with ***NIF.1, user number ***REFERENCE.19, and Operational level.

According to page 9 of the aforementioned contract, section 1.2:

Additionally, you may designate other persons to use your CaixaBankNow:

> Authorized Users: You authorize these persons to access your CaixaBankNow at the Basic Access, Consultation, or Consultation and Preparation levels (see the following point), unless you instruct us otherwise. This authorization expires when the period for which you authorized it expires, or if you inform us that you no longer wish for the person to be authorized.

> Custom users: You can decide the level of access you grant to these individuals, according to the following levels:
> Basic: Allows the user to present documents to carry out various transactions, such as direct debits, transfers, etc., which require the signature of the account holder or a user with full authority. The purpose is for the user to prepare transactions so that you, as the account holder, can subsequently consent to them.
> Consultation: Allows the user to consult the contracted services as well as their specific operations.
> Consultation and preparation: This is the sum of the two previous levels.
> All allowed: The user can access all the services offered by CaixaBankNow.
> Detailed: The user can have different levels of access, depending on the type of service: checking account, investment fund, insurance, etc.

There is no definition of what is meant by an authorized user at the operational level. (…)

In this regard, we must insist that, contrary to what the respondent claims, the user authorization level of her mother for which Claimant 1 gave her consent does not even correspond to the options proposed in the contract that the respondent submitted to Claimant 1 for signature. Therefore, the consent allegedly granted and on which the respondent focuses its allegations is not such, as the document signed by Claimant 1 does not even state what is meant by an authorized user at the "operational level."
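The defect the decision describes is an authorization-scoping problem: a grant recorded on the holder (the "representative" mark) propagated to every product the holder owned, including a jointly held account and its cards, with an access level ("operational") that the contract never defined. The following is an added illustration, not code from the decision or from CaixaBank's systems; the class and function names, the account numbers and the user names are invented. It models the check a practitioner would want: a grant is scoped to one account, must name one of the levels the contract enumerates (anything else fails closed), requires the consent of every co-holder of that account, can be withdrawn by any single holder, and card visibility follows the account rather than the holder. This also covers the point made above about the joint account requiring both claimants' consent.

```python
"""Hypothetical model of account-scoped authorized-user grants (illustration only)."""
from dataclasses import dataclass
from enum import Enum


class Level(Enum):
    # Access levels enumerated in the quoted CaixaBankNow contract text.
    BASIC = "basic"                      # prepare transactions for the holder to sign
    CONSULTATION = "consultation"        # view contracted services and their movements
    CONSULTATION_AND_PREPARATION = "consultation_and_preparation"
    ALL = "all_allowed"
    DETAILED = "detailed"


# Levels that permit viewing positions and movements; BASIC only prepares.
VIEWING_LEVELS = {Level.CONSULTATION, Level.CONSULTATION_AND_PREPARATION, Level.ALL, Level.DETAILED}


@dataclass(frozen=True)
class Account:
    number: str
    holders: frozenset          # every co-holder of the account
    cards: tuple = ()           # cards hang on the account, not on a holder


@dataclass(frozen=True)
class Grant:
    account: str
    user: str
    level: Level
    consented_by: frozenset


class AuthorizationError(Exception):
    pass


class AccessRegistry:
    def __init__(self, accounts):
        self.accounts = {a.number: a for a in accounts}
        self.grants = {}        # (account number, user) -> Grant

    def grant(self, account_no, user, level, consented_by):
        acct = self.accounts[account_no]
        # Fail closed: a level the contract does not define is rejected, never
        # silently mapped to full access.
        if not isinstance(level, Level):
            raise AuthorizationError(f"undefined access level: {level!r}")
        # The grant is scoped to this account and needs every co-holder's consent.
        missing = acct.holders - frozenset(consented_by)
        if missing:
            raise AuthorizationError(f"consent missing from co-holder(s): {sorted(missing)}")
        self.grants[(account_no, user)] = Grant(account_no, user, level, frozenset(consented_by))

    def revoke(self, account_no, user, revoked_by):
        # Any single holder may withdraw a third party's access to an account they hold.
        if revoked_by not in self.accounts[account_no].holders:
            raise AuthorizationError(f"{revoked_by} is not a holder of {account_no}")
        self.grants.pop((account_no, user), None)

    def can_view(self, user, account_no):
        """True if user may see positions and movements on account_no."""
        if user in self.accounts[account_no].holders:
            return True
        g = self.grants.get((account_no, user))
        return g is not None and g.level in VIEWING_LEVELS

    def visible_cards(self, user):
        """Cards are visible only through an account the user may view."""
        return sorted(c for a in self.accounts.values()
                      if self.can_view(user, a.number) for c in a.cards)


def demo():
    # Constructed sample data mirroring the facts: two accounts held by claimant 1
    # alone, one held jointly with claimant 2 (with a card), mother authorized
    # only on the first two. Numbers and names are invented.
    reg = AccessRegistry([
        Account("ACC-2", frozenset({"claimant1"})),
        Account("ACC-3", frozenset({"claimant1"})),
        Account("ACC-1", frozenset({"claimant1", "claimant2"}), cards=("CARD-5",)),
    ])
    reg.grant("ACC-2", "mother", Level.CONSULTATION, {"claimant1"})
    reg.grant("ACC-3", "mother", Level.CONSULTATION, {"claimant1"})
    results = {
        "own_accounts": [reg.can_view("mother", n) for n in ("ACC-2", "ACC-3")],
        "joint_account": reg.can_view("mother", "ACC-1"),
        "cards": reg.visible_cards("mother"),
    }
    try:    # claimant 1 alone cannot extend the grant to the joint account
        reg.grant("ACC-1", "mother", Level.CONSULTATION, {"claimant1"})
        results["joint_grant_without_coholder"] = "accepted"
    except AuthorizationError:
        results["joint_grant_without_coholder"] = "rejected"
    try:    # a level absent from the contract is refused
        reg.grant("ACC-2", "mother", "operational", {"claimant1"})
        results["operational_level"] = "accepted"
    except AuthorizationError:
        results["operational_level"] = "rejected"
    reg.revoke("ACC-2", "mother", "claimant1")   # revocation takes effect at once
    results["after_revocation"] = reg.can_view("mother", "ACC-2")
    return results


if __name__ == "__main__":
    print(demo())
```

The design choice worth noting is that the grant key is (account, user), never just the user: there is no record on which a "representative" flag could exist independently of an account, so the propagation the bank described as an administrative error has no data structure to happen in.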


Furthermore, even if that consent had been considered valid, from the moment the complainant expressed, actively and continuously (to the point that she filed complaints with the entity, its data protection officer, the Bank of Spain, and the Spanish Data Protection Agency), her opposition to the access by the person allegedly authorized by her to the account shared with Complainant 2 and the products associated with it, it can be understood, for the purposes of data protection and even in civil matters, that she revoked her consent. Therefore, from that moment on, this processing of personal data would have no legal basis, and the respondent would have had to resolve the problem raised by Complainant 1 immediately. On the contrary, the clear wishes of Complainant 1, expressed, as we say, repeatedly, were not respected by the Respondent, in an attitude that cannot but be described as highly negligent. As an example, we recall that the communications from Complainant 1 of February 19 and 21, 2021, addressed to the Respondent's Data Protection Officer, were answered on February 9, 2023, two years later and just one day before the Respondent answered the request for information made by the AEPD on February 10, 2023, after the complaint had been filed with this Authority.

These circumstances demonstrate the Respondent's inadequate attention to Complainant 1's repeated statements of her objection to the access to her personal information that was taking place.

The respondent refers to the judgment issued by the National Court, Administrative Litigation Chamber, Section 1, of October 3, 2024, Rec. 990/2022, in which, as indicated in the written pleadings, a case is raised regarding the opening of a bank account by a third party without a power of attorney authorizing them to do so. As the respondent indicates, the National Court concludes that the bank account opening contract exceeded the limits of the power of attorney granted to the third party. However, the respondent fails to point out that what is precisely at issue in that ruling is the need to prove consent for the processing of the personal data of a data subject (in that case, the daughter in whose name a bank account was opened on the basis of a power of attorney granted to her father, exceeding its limits; in this sanctioning procedure, allowing the mother of Claimant 1 to view the account shared by Claimants 1 and 2 without due authorization), and that, in the present case, such consent, informed, free and unequivocal as required by data protection regulations, has not been granted. It is useful to recall part of the reasoning in that ruling to reiterate, once again, that the respondent did not act with due diligence since, as in the case at hand,

(...) There, the bank failed to act with the due diligence that should be required of it as such, since it included in the current account a person who was not sufficiently represented in the power of attorney used by Carlos Francisco to open it, and their inclusion was due solely to the generic position of a co-owner or member of a community of property.


In the events that led to this sanctioning procedure, and in light of the persistent statements made by the complainants, due diligence was not exercised to stop the mother of Complainant 1 from viewing the shared account and the associated products, as the complainants undoubtedly desired.

It is again useful to recall the wording of the ruling cited by the respondent, which confirms that the Data Protection Agency retains jurisdiction even where the facts arise in civil matters, such as contracting. In this regard, the National Court recalls that:

As the parties acknowledge, this issue has been resolved by the Chamber, and we refer to the judgment of May 8, 2014 (appeal no. 1/142/2013): "...we will first analyze the alleged lack of jurisdiction of the Spanish Data Protection Agency, since in the present case the existence of a contract is raised, which is a civil matter, not a matter of personal data protection. This is an issue that [...] has been repeatedly dismissed by the Chamber as follows. The Spanish Data Protection Agency, pursuant to Article 37.a) of the LOPD, is responsible for ensuring compliance with data protection legislation and monitoring its application, as well as exercising its sanctioning power in the terms provided for in Title VII of the aforementioned Law (Article 37.g). It therefore has jurisdiction over the repression of conduct affecting the scope of data protection, including violations of the principles of consent and data quality established in Articles 6.1 and 6.3 of the LOPD and relied on by the contested administrative resolution. And if these principles require that a person's data processed by a third party be processed with their consent and be truthful and accurate, the Spanish Data Protection Agency, for the sole purpose of determining whether or not a violation of the aforementioned principles has occurred, may assess whether or not the data subject's consent to the processing of their data in relation to certain services is covered by the contracting of said services, and the accuracy and veracity of certain data, such as the existence of a debt reported to a financial solvency file."

In the case at hand, this Data Protection Agency does precisely that: it ensures compliance with data protection regulations and, in this case, considers that the conduct for which the respondent is responsible has not respected the principles contained therein, which has resulted in a violation of the complainants' right to data protection.

Furthermore, it should be noted that the legal system is not made up of watertight regulatory sections and that data protection regulations are applicable across the board.

The application of civil law invoked by the respondent does not exclude the application of the GDPR.

Furthermore, the respondent entity, in its allegations regarding the proposed resolution, describes as "irrelevant" the considerations made by the Bank of Spain in the report following the complaint filed by the complainants before said Authority.


In this regard, it should be noted that the Bank of Spain is a supervisory and control authority, recognized by Law 13/1994, of June 1, on the Autonomy of the Bank of Spain. Article 7.6 of this law establishes the following among its functions:

"The Bank of Spain must supervise, in accordance with current provisions, the solvency, performance, and compliance with the specific regulations of credit institutions."

It is within the scope of these duties that the complainants went to the Bank of Spain, on different dates, as evidenced by the proven facts. As a result of the procedure carried out by the Supervisory Authority, in its December 2021 report it makes the statements reflected in the seventeenth proven fact, among which the following stand out:

(…) in any case, since February 2021, the complainant expressed to the entity her disagreement with the information available to her or to which her mother had access, which she authorized, and reiterated time and again, providing demonstrative videos, that the incident remained unresolved on that date. (emphasis added).

(…)

The bank submitted a new statement of allegations dated August 19, 2021, in which it again requests the closing of the case on grounds of acquiescence and states that it has made the appropriate adjustments to its control marks (replacing the "representative" with the "authorized"), the source of the administrative error, thereby automatically updating and correcting the viewing rights of the claimant's mother.

(…)

…In its two statements of allegations, the bank acknowledges the incident or error and reports that it has resolved it. As documentation attached to its allegations, it only provides the email it sent to the claimant on July 8, 2021… However, in her various statements, the most recent of September 2, 2021, the claimant indicates that the problem remained unresolved and provides demonstrative videos. Furthermore, she complains of the bank's lack of response to her complaint, which she first filed at the bank branch on February 17, 2021, and which customer service acknowledged on March 23, 2021.

...At this point, we must point out that the banks' failure to comply with their obligation to address and resolve complaints and claims submitted by their customers in a timely manner, which reveals deficient customer service and a lack of attention to financial service users, could constitute a breach of transparency regulations (emphasis added).

These excerpts, in addition to reflecting the insistence and forcefulness with which the complainant expressed her desire for her mother to stop viewing information she did not wish to authorize her to see, also indicate how the respondent reacted to what the complainant had stated, repeatedly and forcefully, we insist: by classifying the situation as an incident or error.

In light of the respondent's current allegations, one cannot help but question how, if what Complainant 1 raised was classified within the framework of the investigation conducted by the Bank of Spain as an "incident or error," the respondent now seeks to question the relevance of those statements in order to argue its lack of culpability in the conduct that is the subject of this sanctioning procedure. This inconsistency in the classification of the facts (before the banking supervisory authority, an incident or error; before this AEPD, an operation arising from the authorization granted by Complainant 1) merely demonstrates, in our opinion, the respondent's responsibility for the events that occurred.

This, of course, is without prejudice to the fact that the respondent itself had consistently considered that the facts complained of were the result of an incident. This position, as has been proven, was only modified when this AEPD initiated sanctioning proceedings for violation of data protection regulations.

Furthermore, the AEPD must reiterate that the Bank of Spain, in its report of ***DATE.3 on the status of authorized person on a bank account, states that the status of authorized person is obtained by express authorization of the account holder(s).

Applying this statement to the case at hand, and considering that the account ending in ***REFERENCE.21 is a joint account between both claimants, the status of authorized party of a third party would require the express authorization of both joint holders. Since the respondent asserts that, once Claimant 1 designates her mother as authorized party, she acquires that status with respect to all accounts owned by her (including the one shared with Claimant 2), it cannot but be understood that this practice is contrary to the statements of the Bank of Spain itself, which, we recall, is the supervisory and control authority for credit institutions and whose criteria credit institutions must adhere to.

The respondent entity also points out in its allegations to the proposed resolution that the violations of Articles 32 and 25 of the GDPR, which respond to the alleged absence of adequate measures and the alleged deficiencies in the design, are time-barred because the events occurred in 2021. In response to this statement, the AEPD must indicate that neither violation is time-barred since, as the respondent entity has not adopted measures to prevent the commission of both violations, its non-compliance continues. Thus, the obligation to adopt appropriate technical and organizational security measures to guarantee a level of security appropriate to the risk arising from the processing of personal data (Article 32 GDPR), and to establish procedures that take into account privacy by default and by design (Article 25 GDPR), arose when the GDPR became applicable in May 2018, and the non-compliance remains until measures are taken in this regard. The events of 2021 merely demonstrate the level of compliance with these obligations.

28001 – Madrid 6 sedeagpd.gob.es 70/89

It should be remembered that a permanent violation is considered to exist, as stated by the Supreme Court in its ruling of November 20, 2007 (appeal no. 170/2003), in "those unlawful conducts that persist over time and are not exhausted by a single act, determining the maintenance of the unlawful situation at the will of the perpetrator, such as the development of activities over time without the required authorizations and other similar cases."

Regarding the allegations regarding the absence of culpability, the defendant entity insists on the consent given by the complainant, co-holder of the joint account, which allowed the authorized party (her mother) to view all the products.

The AEPD must emphasize once again that it is absolutely essential, as indicated by the Bank of Spain itself in its report of ***DATE.3, to have the consent of both claimants in order to access the shared account and its associated products.

This is so because the account is owned by both claimants, not just by Claimant 1, so both have the right to have their personal data lawfully processed, which necessarily implies that the consent of both has been granted in this case.

In this regard, the AEPD must emphasize the lack of information regarding the operational-level authorized user conditions and the deficiencies in the consent, since the mere fact that someone consents does not imply that the processing is lawful if such processing is contrary to personal data protection regulations. Furthermore, it must be taken into account that, in the event that initial consent could be considered to have been given, this has been revoked clearly and insistently, as can be seen from the various statements made by Claimant 1 to the Respondent for a period of almost two years.

The Respondent also alleges the existence of non bis in idem and medial concurrence, provided for in Article 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, which limits the penalty to a single sanction in the event of committing violations that necessarily result from others. All of this is based on the understanding that the alleged commission of both violations, of Article 5.1 f) and Article 32 of the GDPR, arises from a single act.

In response to this argument, we must point out that Article 29 of the LRJSP does not apply to the sanctioning regime imposed by the GDPR, given that the GDPR itself regulates the principle of proportionality.

The GDPR is a European standard directly applicable in the Member States, which contains a new, comprehensive, and global system designed to guarantee the protection of personal data uniformly throughout the European Union. This would not be achieved if each supervisory authority applied its national precepts in a manner that could be contrary to this harmonizing principle. This also applies to the sanctioning regime established in the GDPR. Its provisions apply, and must be understood, interpreted, and integrated completely and in their entirety, thus preserving its ultimate purpose, which is the effective and real guarantee of the fundamental right to the Protection of Personal Data.

In fact, a specific example of the absence of loopholes in the GDPR system is Article 83 of the GDPR, which determines the circumstances that may operate as aggravating or mitigating factors in relation to an infringement (Article 83.2 of the GDPR) and which specifies the existing rule regarding a possible medial concurrence (Article 83.3 of the GDPR). Unlike Article 29.5 of Law 40/2015, this rule does not provide that "only" the penalty corresponding to the most serious infringement committed is imposed. Rather, in the event of a violation of several provisions of the GDPR, "the total amount of the fine shall not exceed the amount provided for the most serious infringements" (that is, all violations are punishable, but the total amount cannot exceed that stipulated in the GDPR for the most serious violations).

Article 63.2 of the LOPDGDD establishes not the supplementary nature (which would serve to fill gaps, which do not exist, as we have seen), but the subsidiary (not supplementary) nature of the general regulations on administrative procedures with respect to the rules governing the AEPD's procedures in matters of data protection.

Article 63.2 of the LOPDGDD states:

2. The procedures processed by the Spanish Data Protection Agency shall be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development, and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures.

The Spanish legislator has therefore opted for the principle of subsidiarity, not suppletion, of the general rules of administrative procedure over the specific rules of the GDPR and LOPDGDD. This relationship between suppletion and subsidiarity must be understood in the light of the judgment of the National Court of October 23, 2001 (appeal no. 390/1999), which recalled that "the use of subsidiarity is a formula for regulatory collaboration in cases of conflicting regulations, that is, in cases where two or more of them are applicable to the same factual situation, such that the subsidiary gives way to the primary regulation, which, where appropriate, complements it." This is unlike suppletion, which aims to fill a gap "in such a way that when a given situation is not regulated by the initially applicable regulation, the supplementary regulation is adopted, provided, however, that such an operation does not, due to other circumstances, constitute a violation of the legal system."

In the present case, the primary regulation would be the GDPR, which expressly regulates in its Article 83.3 the possible existence of more than one GDPR violation in the same processing operations or related operations (an express regulation of a possible medial concurrence), with the regulation of medial concurrence provided for in Article 29.5 of Law 40/2015 not being applicable precisely because of its subsidiary nature.

Article 83.3 of the GDPR states:

3. If a controller or processor intentionally or negligently fails to comply with several provisions of this Regulation for the same processing operations or related operations, the total amount of the administrative fine shall not exceed the amount provided for the most serious violations.


Consequently, it is not possible to apply the subsidiary regulation, which contains a regulation different from the main one.

To the above, we must add that the GDPR does not allow the development or specification of its provisions by the legislators of the Member States, except for what the European legislator itself has specifically provided, delimiting it very specifically (for example, the provision of Article 83.7 of the GDPR). The LOPDGDD develops or specifies only some aspects of the GDPR, and only to the extent permitted.

This is because the purpose intended by the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of individuals, corrects behavior contrary to the GDPR, encourages compliance, and enables the free circulation of this data. In this regard, we cite, in particular, Recitals 2 and 13 of the GDPR.

Fines must be effective, proportionate, and dissuasive to achieve the purpose intended by the GDPR.

For this system to function with all its guarantees, several elements must be fully and completely implemented.

The application of rules outside the GDPR regarding the determination of fines in each Member State applying their national law, whether due to aggravating or mitigating circumstances not provided for in the GDPR—or in the LOPDGDD (Organic Law on the Protection of Personal Data) in the Spanish case, as permitted by the GDPR itself—or due to the application of a medial concurrence with a consequence different from that provided for in the GDPR, would render the system ineffective, losing its meaning, its teleological purpose, and the legislator's intention. The result would be that the fines imposed for various violations would cease to be effective, proportionate, and dissuasive, and in any case, the legislator's intention to provide uniformity to the system throughout the European Union would be lost. In this way, data subjects would also be deprived of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. This would diminish the mechanisms for protecting citizens' rights and freedoms and would be contrary to the spirit of the GDPR.

The GDPR is endowed with its own principle of proportionality, which must be strictly applied. Just as the AEPD does not apply the aggravating and mitigating circumstances provided for in Article 29 of the LRJSP, since the GDPR establishes its own, and therefore there is no legal loophole or room for subsidiary application thereof, neither is the regulation of medial concurrence in that Article applicable, for the same reasons.

Finally, the respondent entity makes a series of allegations related to the lack of proportionality of the sanction imposed.

First, in accordance with the general conditions for calculating administrative fines provided for in Article 83(5)(a)—regarding infringements of Article 5.1(f) of the GDPR—and Article 83(4)(a)—regarding infringements of Articles 32 and 25 of the GDPR—the administrative fines contemplated in this case are in the lower bracket of possible sanctions. Therefore, compliance is observed with the provisions of Article 83(1) of the GDPR: “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5, and 6 are, in each individual case, effective, proportionate, and dissuasive.”

On the other hand, the respondent also alleges that the proposed sanction is not properly reasoned because "it would have been appropriate to indicate the amount of the proposed sanction without such aggravating factors, as well as the impact of each of them."

Article 83.2 of the GDPR states that "administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58, paragraph 2, letters a) to h) and j). When deciding on the imposition of an administrative fine and its amount in each individual case, due account shall be taken of:" (emphasis added). That is, it provides for the assessment of the sanction as a whole, taking into account each and every one of the circumstances present in the specific case and provided for in the aforementioned provision.

Jurisprudence follows this same line when referring to the principle of proportionality, a "fundamental principle that governs the process of graduating sanctions and implies, in legal terms, 'their appropriateness to the seriousness of the act constituting the infraction,' as provided in Article 29.3 of Law 40/2015, on the Legal Regime of the Public Sector, given that all sanctions must be determined in accordance with the seriousness of the infraction committed and according to a criterion of proportionality in relation to the circumstances of the act" (Supreme Court rulings of December 3, 2008 (rec. 6602/2004) and April 12, 2012 (rec. 5149/2009) and the National Court ruling of May 5, 2021 (rec. 1437/2020), among others).

Thus, the Judgment of the Third Chamber of the Supreme Court, dated May 27, 2003 (rec. 3725/1999), states that "Proportionality, which pertains specifically to the scope of sanctions, constitutes one of the principles governing Administrative Sanctioning Law and represents an instrument for controlling the exercise of the sanctioning power by the Administration, even within the limits that, in principle, the applicable law establishes for such exercise. It certainly represents a concept that is difficult to determine a priori, but which tends to adapt the sanction, by establishing its specific grading within the indicated possible limits, to the seriousness of the act constituting the infraction, both in terms of unlawfulness and culpability, weighing the objective and subjective circumstances that comprise the sanctionable fact (...)"

We can also cite Supreme Court Judgment No. 713/2019, of May 29 (rec. 1857/2018), in this regard: "We will begin by pointing out that the proportionality of sanctions implies that they must be tempered to the specific severity of the offense in the context of subjective circumstances (which relate to the offender) and objective circumstances (which relate to the typical offense). In the field of administrative sanctioning law in general, and in the field of the stock market in particular, there are no dosimetry criteria similar to those set forth in Article 66 of the Criminal Code, and the modifying circumstances differ from those specific to criminal law. It should be noted that there is no automatic application, without any qualification, of the guiding principles of criminal law to the administrative sanctioning procedure (Supreme Court 6-10-2003 Rec. 772/1998)."

Therefore, Guidelines 04/2022 of the European Data Protection Board on the calculation of administrative fines under the GDPR, in their version of May 12, 2022, submitted for public consultation, indicate that "With regard to the evaluation of these elements, increases or decreases in a fine cannot be determined in advance through tables or percentages. It is reiterated that the actual amount of the fine will depend on all the elements collected during the investigation and other considerations, also related to the supervisory authority's previous experience with fines."

In short, since the circumstances taken into account for the provisional calculation of the overall fine were duly indicated and explained in this sanctioning procedure, it is duly reasoned.

Regarding the fact that only one claim has been filed—an argument that suggests that the respondent considers the impact of the infringement committed to be limited—it is necessary to refer to Judgment No. 1792/2024 of the Contentious-Administrative Division of the Third Section of the Supreme Court, issued on November 11, 2024, which states the following:

The Spanish Data Protection Agency, in the initiation, processing, and resolution of a sanctioning procedure, may address factual and legal issues related or connected to the facts and arguments contained in the claim that gave rise to the procedure. And, more specifically, in the course of a sanctioning procedure initiated as a result of one or more complaints regarding personal data protection, when it is established that the individual violations reported have their common origin in a document or instrument of general scope that defines the entity's data protection policy, the AEPD may, and even must, make that same document that contains the privacy policy of the responsible entity the subject of the sanctioning procedure, in order to examine it, detect any shortcomings or deficiencies, and consequently adopt any necessary measures within the sanctioning procedure itself; (…)

In this regard, the Supreme Court considers that the powers of the Data Protection Agency extend to examining the actions that, in general terms, an entity subject to data protection regulations may carry out that are contrary to them, regardless of the number of complaints filed that have allowed the AEPD to become aware of such circumstances.

V Article 5.1.f) of the GDPR

Article 5.1.f) of the GDPR establishes the following:

“Article 5 Principles relating to processing:


1. Personal data shall be:

(…)

f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction, or damage, by applying appropriate technical or organizational measures (“integrity and confidentiality”).”

In relation to this principle, Recital 39 of the aforementioned GDPR states that:

“[…]Personal data shall be processed in a manner that ensures appropriate security and confidentiality of the personal data, including to prevent unauthorized access to or use of those data and of the equipment used for the processing.”

The documentation in the file provides clear evidence that the respondent violated Article 5.1 f) of the GDPR, principles relating to processing.

In the present case, the complainants allege that the mother of complainant 1 had access to the transactions of the products associated with account ***REFERENCE.1, held by the complainants, including those of card No. ***REFERENCE.5.

However, although Claimant 1's mother is authorized to access accounts ***REFERENCE.2 and ***REFERENCE.3, of which her daughter is the sole holder, Claimant 1's mother does not have the authorization of the two holders of account ***REFERENCE.1, so she should not have been able to access the transactions of the products associated with it, including card no. ***REFERENCE.22.

Despite this, Claimant 1 and the respondent entity itself have confirmed that Claimant 1's mother had access to the transactions of card no. ***REFERENCE.5, associated with account ***REFERENCE.1; that is, she had access to the transactions of an account held by her daughter, Claimant 1, but also by Claimant 2, who did not authorize D.D.D., Claimant 1's mother, to access the transactions on card no. ***REFERENCE.5, associated with account ***REFERENCE.1, held by both claimants, not just Claimant 1.

It should be noted that Claimant 2 has not authorized Claimant 1's mother to access either the account data or the card data associated with the account held by both claimants.

Article 5.1 f) of the GDPR determines the means by which confidentiality and integrity must be maintained when it explicitly states "through the application of appropriate technical and organizational measures" of all kinds, which are not strictly security-related.


In the present case, the respondent has not adopted the necessary measures to comply with the wishes of the complainants, who are its clients. Since February 17, 2021, Complainant 1 has expressed her irrevocable and clear wish that her mother not have access to the account and the products linked to it, of which she is a co-holder with Complainant 2. Complainant 2 also demonstrates the same unequivocal wish through the complaint of October 4, 2021, filed with the respondent. Complainant 1's mother continues to have uninterrupted access to the personal data of Complainant 1 and Complainant 2 because the data controller has not adopted measures to prevent access not consented to by the complainants.

Therefore, the known facts are considered to constitute an infringement, attributable to the respondent, due to a violation of Article 5.1.f) of the GDPR.

VI. Classification of the violation of Article 5.1.f) of the GDPR

If confirmed, the aforementioned violation of Article 5.1.f) of the GDPR could lead to the commission of the violations classified in Article 83.5 of the GDPR, which, under the heading "General conditions for the imposition of administrative fines," provides:

"Violations of the following provisions shall be punished, in accordance with paragraph 2, with administrative fines of up to EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total global annual turnover of the preceding financial year, whichever is higher:

a) the basic principles for processing, including the conditions for consent pursuant to Articles 5, 6, 7, and 9; (...)"

In this regard, the LOPDGDD, in Article 71, "Infractions," establishes that
"The acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law, constitute violations."

For the purposes of the statute of limitations, Article 72 "Very Serious Violations" of the LOPDGDD states:

"1. Pursuant to the provisions of Article 83.5 of Regulation (EU) 2016/679, violations that constitute a substantial violation of the articles mentioned therein, and in particular the following, are considered very serious and will be subject to a three-year statute of limitations:

a) The processing of personal data in violation of the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. (…)"


VII Penalty for Violation of Article 5.1 f) of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5, and 6 are, in each individual case, effective, proportionate, and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures referred to in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the processing operation concerned, as well as the number of data subjects affected and the level of damage they have suffered;

b) the intentionality or negligence involved in the infringement;

(c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;

(d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;

(e) any previous breaches committed by the controller or processor;

(f) the extent of cooperation with the supervisory authority to remedy the breach and mitigate the potential adverse effects of the breach;

(g) the categories of personal data affected by the breach;

(h) how the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;

(i) where the measures indicated in Article 58(2) have been previously ordered against the controller or processor in question in relation to the same matter, compliance with such measures;

(j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42;

(k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement."


For its part, Article 76 "Sanctions and Corrective Measures" of the LOPDGDD (Organic Law on Data Protection) provides:

"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

a) The ongoing nature of the infringement.

b) The connection between the infringer's activity and the processing of personal data.

c) The benefits obtained as a result of committing the infringement.

d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.

f) The impact on the rights of minors.

g) The availability of a data protection officer, where not mandatory.

h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where there are disputes between them and any interested party.

In accordance with the transcribed provisions, for the purposes of setting the amount of each penalty for each violation, each fine is graded taking into account the following circumstances:

Article 83.2.b) GDPR: "negligence in the processing of data" since, despite being aware of the reported facts upon being informed by Claimant 1 in January 2021, the defendant has not adopted the necessary measures to prevent the violation from continuing. Therefore, it is considered that the defendant further emphasizes the culpability and unlawfulness of its conduct, since the Bank of Spain Report states that the defendant does not "demonstrate having diligently corrected the incident or error." It should be recalled that the Bank of Spain Report is dated ***DATE.3 and, in fact, there is no evidence to date that the incident reported by the claimants has been resolved.

Article 83.2 e) GDPR: "any previous breaches committed by the controller or processor." It should also be taken into account that the respondent entity has previously been sanctioned by the AEPD (Spanish Data Protection Agency) through resolution PS/00183/2022 of 09/09/2022, for a malfunction of CAIXABANK's online banking system, due to its failure to properly give effect to the right to rectification exercised through the respondent entity's online banking system. Through resolutions dated January 30, 2023, and November 19, 2023, corresponding to sanctioning procedures PS/00482/2022 and PS/000254/2023, CAIXABANK was sanctioned for unlawful data processing. In the latter, it acknowledged the violation committed and proceeded with prompt payment of the imposed fine in accordance with Article 85 of the LPAC.

CAIXABANK has been sanctioned by resolution PS/00388/2022 under Article 32 of the GDPR, due to a security incident that occurred when the account details of a third party (the complainant's daughter) were provided by telephone without first verifying the identity of the person to whom the data was provided. Therefore, the respondent entity was sanctioned for a violation of Article 32.1 of the GDPR, classified as Article 83.4.a) of the GDPR, by resolution issued on May 22, 2023.

Recently, by resolution dated October 26, 2023, PS/00020/2023, CAIXABANK was sanctioned for several violations, one of which was a violation of Article 25 of the GDPR. It was also ordered, pursuant to Article 58.2.d) of the GDPR, to notify the Agency within nine months of the adoption of the necessary measures to correct the deficiencies noted.

Article 76.2 b) LOPDGDD: "The connection between the offender's activity and the processing of personal data." The activity of the respondent entity requires continuous processing of personal data. Furthermore, the respondent entity processes a high volume of personal data in the course of its activity.

Considering the circumstances outlined above, the initial assessment of the fine is €500,000 for violating the principle of confidentiality of the personal data processed in this specific case.

VIII Article 32 of the GDPR

Article 32 of the GDPR, security of processing, establishes the following:

“1. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, which, where appropriate, includes, among others:

a) the pseudonymization and encryption of personal data;

b) the ability to guarantee the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;


c) the ability to restore the availability of and access to personal data quickly in the event of a physical or technical incident;

(d) a process for regular verification, evaluation, and assessment of the effectiveness of the technical and organizational measures to ensure the security of processing.

2. When assessing the adequacy of the level of security, particular account shall be taken of the risks posed by data processing, in particular as a result of the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to personal data transmitted, stored, or otherwise processed.

3. Adherence to a code of conduct approved pursuant to Article 40 or a certification mechanism approved pursuant to Article 42 may serve as an element to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and the processor shall take measures to ensure that any person acting under the authority of the controller or the processor and having access to personal data may only process such data following the instructions of the controller, unless required to do so by Union or Member State law."

The facts revealed involve a lack of technical and organizational security measures that, in the specific case at hand, have directly enabled access to the complainants' personal information by an unauthorized third party. In this specific case, therefore, having analyzed the documentation contained in the file and the allegations made by the respondent, the lack of technical and organizational security measures appropriate to the risk of the processing, which has been established, has had a direct impact on the loss of confidentiality of personal data that occurred, without there having been, in the specific case, a violation of Article 32 of the GDPR. The absence of other technical and organizational security measures independent of the personal data breach has been proven, which must lead to its archiving.

IX Article 25 of the GDPR

Article 25 of the GDPR, in relation to data protection by design and by default, establishes the following:

“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the risks of varying likelihood and severity that the processing entails for the rights and freedoms of natural persons, the controller shall, both when determining the means of processing and at the time of processing, implement appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement data protection principles, such as data minimization, and to integrate appropriate safeguards into the processing, in order to comply with the requirements of this Regulation and protect the rights of data subjects.

2. The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each of the specific purposes of the processing are processed. This obligation shall apply to the amount of personal data collected, the extent of their processing, their retention period, and their accessibility. Such measures shall, in particular, ensure that, by default, personal data are not accessible, without the intervention of the data subject, to an indeterminate number of natural persons.

3. A certification mechanism approved pursuant to Article 42 may be used as evidence of compliance with the obligations set out in paragraphs 1 and 2 of this Article.

The respondent entity states to the AEPD, in response to its request, that, in this specific case, complainant 1 has configured her account in such a way that her mother can see the data in all accounts. However, beyond these statements and as indicated in the preliminary investigations of this AEPD, the respondent has not been able to prove that this was the case.

Beyond this statement, it is clear that the protection of personal data has been undermined by the design of the financial institution's computer application, since, according to the financial institution itself, it allowed any client to grant third parties access to their accounts through the online application without the express authorization of all account holders in the case of joint current accounts.

It should be noted, in relation to the aforementioned violations, that for this reason the mother of Complainant 1 should not have been able to see the personal data of the complainants' joint account, as she is neither a holder of that account nor authorized by either of them.

Specifically, this is evident in the case at hand, which serves as an example regarding privacy by design, as the respondent's response states: "On August 4, 2021, at the request of the Complainant (1), a modification was made to the options described in the previous point regarding the display and management established in the registration for DDD, changing the display level from "All allowed" to "Custom" and expanding visibility of the Complainant's accounts. Specifically, visibility was allowed for accounts ending in: ***REFERENCE.2, ***REFERENCE.4, ***REFERENCE.3, ***REFERENCE.1."

These circumstances exemplify poor design in the respondent's application, affecting all customers: through online banking, a person should never be allowed to access personal data held in accounts for which they are neither a holder nor an authorized person.


Furthermore, the financial institution continues by stating the following: "and the complaints regarding the Complainant's (1) online banking functionalities are due to their own choices in the display configuration."

Therefore, the AEPD considers that even if a customer has eventually modified their configuration, a proper online banking application should not, under any circumstances, allow anyone to view an account for which they are neither the owner nor authorized.

In addition to the above, there is also sufficient evidence of a defect in the design of the software application that provides access to the entity's online banking.

This is so because it has been found that the software application that provides access to online banking does not take into account accounts with more than one holder: it appears to disregard the requirement to obtain the consent of all holders of such accounts.

It is logical to require the consent of all account holders, and not just one of them, before authorized third parties can access the transactions of accounts with multiple holders.

However, based on the established facts, the respondent entity's online banking application does not require the consent, expressed through express authorization, of all account holders; it requires the consent of only one of them to allow access to third parties. This violates the data protection of account holders who, as parties to a joint account, have not given their consent or authorization.

For this reason, it is considered that the respondent entity's online banking application has not established a special and appropriate procedure for accounts with more than one account holder, as it does not require the consent of all account holders prior to granting, where appropriate, access to account transactions by third parties who are not account holders but authorized by one of the account holders.
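The authorization rule the decision describes, expressed as code, makes the defect concrete: a delegate must be authorized by every holder of a joint account before the application may show them that account, and a holder's bulk "All allowed" style setting must never reach beyond that holder's own authority. The following is an added illustration written for this page, not code from the decision or from any bank's system; the account identifiers, names and functions are hypothetical, and the scenario in demo() is constructed to mirror the facts of the case.

```python
"""Authorization policy for delegated access to bank accounts with one or
more holders.  Added illustration, not code from the AEPD decision or from
any bank's system; all names, identifiers and functions are hypothetical."""
from dataclasses import dataclass, field


@dataclass(frozen=True)
class Account:
    account_id: str
    holders: frozenset          # every natural person who owns the account


@dataclass
class DelegationRegistry:
    """Records which holders have expressly authorized which delegates.

    Key: (account_id, delegate) -> set of holders who granted that delegate."""
    _grants: dict = field(default_factory=dict)

    def grant(self, account: Account, granting_holder: str, delegate: str) -> None:
        # A person can only delegate authority they actually have.
        if granting_holder not in account.holders:
            raise PermissionError(
                f"{granting_holder} is not a holder of {account.account_id}")
        self._grants.setdefault((account.account_id, delegate), set()).add(granting_holder)

    def grant_all(self, accounts, granting_holder: str, delegate: str) -> None:
        """Bulk setting in the style of "All allowed": the holder delegates
        every account they hold.  It records only that holder's own consent."""
        for acct in accounts:
            if granting_holder in acct.holders:
                self.grant(acct, granting_holder, delegate)

    def revoke(self, account: Account, revoking_holder: str, delegate: str) -> None:
        self._grants.get((account.account_id, delegate), set()).discard(revoking_holder)

    def granting_holders(self, account: Account, delegate: str) -> frozenset:
        return frozenset(self._grants.get((account.account_id, delegate), set()))


def can_view_flawed(account: Account, viewer: str, registry: DelegationRegistry) -> bool:
    """The design the decision criticizes: one holder's grant is enough,
    so a co-holder's data is exposed without that co-holder's authorization."""
    if viewer in account.holders:
        return True
    return len(registry.granting_holders(account, viewer)) >= 1


def can_view(account: Account, viewer: str, registry: DelegationRegistry) -> bool:
    """Corrected rule: a non-holder sees the account only when every holder
    has expressly authorized them (holders always see their own accounts)."""
    if viewer in account.holders:
        return True
    return account.holders <= registry.granting_holders(account, viewer)


def visible_accounts(viewer: str, accounts, registry: DelegationRegistry, policy=can_view):
    """Account identifiers the online-banking UI may show to `viewer`."""
    return sorted(a.account_id for a in accounts if policy(a, viewer, registry))


def demo():
    """Constructed scenario mirroring the facts: C1 holds ACC-1 and ACC-2
    alone, C1 and C2 hold ACC-3 jointly, and C1 delegates everything to M."""
    acc1 = Account("ACC-1", frozenset({"C1"}))
    acc2 = Account("ACC-2", frozenset({"C1"}))
    acc3 = Account("ACC-3", frozenset({"C1", "C2"}))
    accounts = [acc1, acc2, acc3]
    reg = DelegationRegistry()
    reg.grant_all(accounts, "C1", "M")                    # C1 chooses the bulk setting for M

    flawed = visible_accounts("M", accounts, reg, can_view_flawed)   # joint account leaks
    correct = visible_accounts("M", accounts, reg)                   # C2 never consented
    reg.grant(acc3, "C2", "M")                                        # now C2 authorizes M too
    after_consent = visible_accounts("M", accounts, reg)
    return flawed, correct, after_consent


if __name__ == "__main__":
    print(demo())
```

Under the flawed rule the delegate sees all three accounts, including the joint one that the second holder never consented to; under the corrected rule the joint account appears only after both holders have granted access. Keeping the grant check and the visibility check in one place also means a later "Custom" or "All allowed" preference cannot bypass the per-account rule.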

Furthermore, there is a lack of a procedure for handling data protection complaints from data subjects.

This is evident in this specific case, given the data protection officer's failure to respond: the officer answered Complainant 1 two years after the complaint was filed (from February 2021 to February 2023), and only the day before the respondent provided the AEPD with the information requested in the communication about the complaint. Likewise, from February 17, 2021, to July 8, 2021, no response or solution was provided to the complaint filed by Complainant 1.


Nor was the complaint filed by Complainant 2 substantively addressed, under the pretext that the complaint filed by Complainant 1 was being resolved at the Bank of Spain.

It should also be noted that until the complainants contacted the AEPD, they were repeatedly told by the respondent, as well as by the Bank of Spain, that it was a technical incident. It is entirely surprising that the AEPD was then told that there was no incident or error, but rather that the situation resulted from the complainant's own decision to grant a certain profile, thereby holding her responsible for what occurred.

Had such a procedure existed, the complaint would have been adequately addressed and the problems experienced by the complainants resolved.

Based on the available evidence, it is considered that there is a defect in the design of the computer application that provides access to the online banking of the respondent entity, and, therefore, the known facts constitute an infringement, attributable to the respondent party, for violation of Article 25 of the GDPR.

XII Classification of the Violation of Article 25 of the GDPR

The aforementioned violation of Article 25 of the GDPR falls within the infringements classified in Article 83.4 of the GDPR, which, under the heading "General conditions for the imposition of administrative fines," provides:

"Violations of the following provisions shall be sanctioned, in accordance with paragraph 2, with administrative fines of up to EUR 10,000,000 or, in the case of a company, an amount equivalent to a maximum of 2% of the total global annual turnover of the preceding financial year, whichever is higher:

a) the obligations of the controller and the processor under Articles 8, 11, 25 to 39, 42, and 43; (...)"

In this regard, Article 71 "Infractions" of the LOPDGDD establishes that "Infractions are the acts and conduct referred to in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this Organic Law."

For the purposes of the statute of limitations, Article 73 "Infractions Considered Serious" of the LOPDGDD states:

"In accordance with the provisions of Article 83.4 of Regulation (EU) 2016/679, infringements that constitute a substantial violation of the articles mentioned therein, and in particular the following, are considered serious and will be subject to a two-year statute of limitations:

d) The failure to adopt appropriate technical and organizational measures to effectively guarantee the principles of data protection from the outset, as well as the failure to integrate the necessary safeguards into the processing, in accordance with the terms required by Article 25 of Regulation (EU) 2016/679."

XIII Penalty of Article 25 of the GDPR

In order to determine the administrative fine to be imposed, the provisions of Articles 83.1 and 83.2 of the GDPR must be observed, which state:

“1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article for infringements of this Regulation referred to in paragraphs 4, 5, and 6 are, in each individual case, effective, proportionate, and dissuasive.

2. Administrative fines shall be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures provided for in Article 58(2)(a) to (h) and (j). When deciding whether to impose an administrative fine and its amount in each individual case, due account shall be taken of:

a) the nature, gravity, and duration of the infringement, taking into account the nature, scope, or purpose of the infringement; the processing operation concerned, as well as the number of data subjects affected and the level of damage suffered by them;

b) the intentionality or negligence of the breach;

c) any measures taken by the controller or processor to mitigate the damage suffered by data subjects;

d) the degree of responsibility of the controller or processor, taking into account the technical or organizational measures they have implemented pursuant to Articles 25 and 32;

e) any previous breaches committed by the controller or processor;

f) the degree of cooperation with the supervisory authority to remedy the breach and mitigate any adverse effects of the breach;

g) the categories of personal data affected by the breach;

h) how the supervisory authority became aware of the breach, in particular whether the controller or processor notified the breach and, if so, to what extent;

i) where the measures indicated in Article 58(2) have been previously ordered against the controller or processor in question in relation to the same matter, compliance with such measures;

j) adherence to codes of conduct pursuant to Article 40 or certification mechanisms approved pursuant to Article 42;

k) any other aggravating or mitigating factors applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, directly or indirectly, through the infringement.

For its part, Article 76 "Sanctions and Corrective Measures" of the LOPDGDD (Organic Law on the Protection of Personal Data) provides:

"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the grading criteria established in section 2 of the aforementioned article.

2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679,

the following may also be taken into account:

a) The ongoing nature of the infringement.

b) The connection between the infringer's activity and the processing of personal data.

c) The benefits obtained as a result of committing the infringement.

d) The possibility that the affected party's conduct could have led to the commission of the infringement.

e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the acquiring entity.

f) The impact on the rights of minors.

g) The availability of a data protection officer, where not mandatory.

h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms in cases where there are disputes between them and any interested party.

In accordance with the transcribed provisions, in order to determine the amount of the penalty for each violation, each fine is graded taking into account the following circumstances:

Article 83.2.b) GDPR: "negligence in the processing of data," since the data controller is engaged in banking activities and must process the personal data of its clients and third parties for those purposes. The failure by an agent specialized in financial and banking activities to request data protection consent from its clients when necessary constitutes a very serious breach of due diligence. Thus, in the application designed by the respondent, the entity's online banking does not require the consent, expressed through express authorization, of all account holders; the consent of one of them is sufficient to allow access to third parties, which violates the data protection of account holders who, as parties to a joint account, have not given their consent or authorization.

Article 83.2.e) GDPR: "any previous breaches committed by the controller or processor." It should be taken into account that the respondent entity was previously sanctioned by the AEPD through resolution PS/00183/2022 of 09/09/2022 for a malfunction of CAIXABANK's online banking, namely its failure to properly handle a right to rectification exercised through the respondent entity's online banking.

Through resolutions dated January 30, 2023, and November 19, 2023, corresponding to the sanctioning procedures, PS/00482/2022 and PS/000254/2023, CAIXABANK was sanctioned for unlawful data processing. The latter recognized the violation committed and proceeded with prompt payment of the imposed fine in accordance with Article 85 of the LPAC.

CAIXABANK has been sanctioned by resolution PS/00388/2022 under Article 32 of the GDPR, due to a security incident that occurred when the account details of a third party (the complainant's daughter) were provided by telephone without first verifying the identity of the person to whom the data was provided. Therefore, the respondent entity was sanctioned for a violation of Article 32.1 of the GDPR, classified as Article 83.4.a) of the GDPR, by resolution issued on May 22, 2023.

Recently, by resolution dated October 26, 2023, PS/00020/2023, CAIXABANK was sanctioned for several violations, one of which was a violation of Article 25 of the GDPR. It was also ordered, pursuant to Article 58.2.d) of the GDPR, to notify the Agency within nine months of the adoption of the measures necessary to correct the deficiencies noted.

Article 76.2 b) LOPDGDD: "The connection between the offender's activity and the processing of personal data." The activity of the respondent entity requires continuous processing of personal data. Furthermore, the respondent entity carries out a high volume of personal data processing in the course of its activity.

Considering the circumstances set out, the initial assessment of the fine is €3,000,000 for the violation of Article 25 of the aforementioned GDPR, for violating personal data protection by design, generally for all customers of the respondent entity who are users of said entity's online banking service.

XIV Liability

Law 40/2015, of October 1, on the Legal Regime of the Public Sector, establishes, in Chapter III regarding the "Principles of Sanctioning Power," in Article 28, under the heading "Liability," the following:


"1. Only natural and legal persons may be sanctioned for acts constituting an administrative infraction, as well as, when a law recognizes their capacity to act, groups of affected parties, unions and entities without legal personality, and independent or autonomous assets that are found liable for such acts due to intent or negligence."

The lack of diligence on the part of the respondent is clear, as has been demonstrated throughout the proceedings.

XV Measures

As a consequence of each of the violations indicated, the controller may be required to adopt appropriate measures to bring its actions into compliance with the regulations mentioned in this act, in accordance with the aforementioned Article 58.2.d) of the GDPR, according to which each supervisory authority may "order the controller or processor to ensure that processing operations comply with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...". The imposition of this measure is compatible with the sanction of an administrative fine, as provided for in Article 83.2 of the GDPR.

Specifically, in this case, the measure consists of the responsible entity informing the Agency, within three months of the decision becoming enforceable, of the measures it has adopted to ensure that its processing of personal data complies with the provisions of the GDPR, specifically regarding the confidentiality guarantees for the data processed and the adoption of appropriate technical and organizational measures of all kinds.

Regarding the violation of Article 25 of the GDPR, the measure consists of the responsible entity notifying the Agency, within nine months of the decision ending this sanctioning procedure becoming enforceable, of the adoption of technical and organizational security measures, both by design and by default, to ensure that the respondent entity's online banking application protects personal data in general for all of its customers.

Please be advised that failure to comply with the requirements of this body may be considered an administrative offense under the provisions of the GDPR, classified as an offense in Articles 83.5 and 83.6. Such conduct may lead to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with applicable legislation and having assessed the grading criteria for the sanctions applicable to the infringements whose existence has been proven, the Director of the Spanish Data Protection Agency,

RESOLVES:

FIRST: TO IMPOSE a fine on CAIXABANK, S.A., with NIF A08663619, for the following offenses:


- For the violation of Article 5.1.f) of the GDPR, classified in Article 83.5.a) of the GDPR and classified as very serious for the purposes of the statute of limitations in Article 72.1.a) of the LOPDGDD, a fine of 500,000 euros (five hundred thousand euros).

- For the violation of Article 25 of the GDPR, classified in Article 83.4.a) of the GDPR and classified as serious for the purposes of the statute of limitations in Article 73.d) of the LOPDGDD, a fine of 3,000,000 euros (three million euros).

The sum of the fines totals 3,500,000 euros.

SECOND: DISMISS the violation of Article 32 of the GDPR.

THIRD: ORDER CAIXABANK, S.A., with NIF A08663619, pursuant to Article 58.2.d) of the GDPR, to notify the Agency, within three months of the resolution becoming enforceable, of the measures adopted by the controller to ensure that its processing of personal data complies with the provisions of the GDPR, specifically with regard to guarantees of confidentiality of the data processed and the adoption of appropriate technical and organizational measures of all kinds.

Regarding the violation of Article 25 of the GDPR, the measure consists of notifying the Agency, within nine months of the decision terminating this sanctioning procedure becoming enforceable, of the adoption of technical and organizational security measures, both by design and by default, to ensure that the respondent entity's online banking application protects personal data in general for all of its customers.

FOURTH: This decision will become enforceable once the deadline for filing the optional appeal for reconsideration expires (one month from the day following notification of this decision) without the interested party having exercised this right.
The sanctioned party is hereby notified that it must pay the imposed sanction once this resolution becomes enforceable, in accordance with the provisions of Article 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to Article 62 of Law 58/2003, of December 17, by depositing the fine, indicating the sanctioned party's NIF (Tax Identification Number) and the procedure number shown in the heading of this document, into the restricted account IBAN: ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A. Otherwise, collection will be carried out during the enforcement period.

Once the resolution has been notified and has become enforceable, if the enforceability date falls between the 1st and 15th of the month, inclusive, the deadline for voluntary payment is the 20th of the following month or the next business day; if it falls between the 16th and the last day of the month, inclusive, the deadline is the 5th of the second following month or the next business day.


In accordance with the provisions of Article 76.4 of the LOPDGDD (Spanish Organic Law on the Protection of Personal Data) and given that the amount of the fine imposed exceeds one million euros, the information identifying the offender, the offense committed, and the amount of the fine will be published in the Official State Gazette.

In accordance with the provisions of Article 50 of the LOPDGDD (Organic Law on the Protection of Personal Data), this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which terminates the administrative process pursuant to Article 48.6 of the LOPDGDD, and in accordance with the provisions of Article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file an administrative appeal before the Administrative Litigation Division of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Administrative Litigation Jurisdiction, within two months from the day following notification of this decision, as provided for in Article 46.1 of the aforementioned Law.

Finally, it is noted that pursuant to the provisions of Article 90.3.a) of the LPACAP, a final administrative decision may be provisionally suspended if the interested party expresses their intention to file an administrative appeal.
If this is the case, the interested party must formally notify this fact in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the other registries provided for in Article 16.4 of the aforementioned Law 39/2015, of October 1. They must also submit to the Agency the documentation proving the effective filing of the administrative appeal. If the Agency does not become aware of the filing of the administrative appeal within two months from the day following notification of this resolution, it will terminate the provisional suspension.

938-16012024

Mar España Martí
Director of the Spanish Data Protection Agency
