AEPD (Spain) - EXP202300944

From GDPRhub

Latest revision as of 09:28, 24 April 2024

AEPD - EXP202300944
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law:
- Article 4(11) GDPR
- Article 6(1) GDPR
- Ley 10/2010, de 28 de abril, de prevención del blanqueo de capitales y de la financiación del terrorismo
- Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas
Type: Investigation
Outcome: Violation Found
Started: 07.12.2022
Decided: 07.03.2024
Published:
Fine: €2,000,000
Parties: Caixabank, S.A.
National Case Number/Name: EXP202300944
European Case Law Identifier: n/a
Appeal: Not appealed
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: lm

The DPA fined a bank €2,000,000 for improperly obtaining data subjects' consent to process their personal data. The controller acknowledged its fault and paid a reduced fine of €1,200,000 in accordance with national law.

English Summary

Facts

On 7 December 2022, a data subject filed a complaint with the AEPD against Caixabank (the controller). The controller required new clients to sign a contract for provision of services, which included a clause stating that data subjects consent to their data being requested from the General Treasury of Social Security. For existing clients, the same clause was included in a declaration or modification contract. The provision cited Law 10/2010, a Spanish law on the prevention of money laundering and terrorist financing, stating that it required the collection of such data. For both new and existing clients, the contract did not give an option to refuse consent – instead, consent was pre-established by the clause. 3,026,247 new clients signed the contract, and 3,401,052 existing clients signed the modification contract.

The data subject claimed that, after they expressed their disagreement, the controller stated that failure to sign the form with these clauses would result in the bank account being blocked.

On 30 January 2023, the AEPD informed the controller of the complaint. In its defense brief, the controller stated that the processing is required by Law 10/2010. In particular, it pointed to Article 11, which obliges financial institutions to ensure that the operations carried out during the business relationship coincide with the client's professional or business activity. The controller interpreted this to mean that identifying the client was necessary, as well as collecting information about the client's professional or business activity.

Holding

The AEPD concluded that consent was improperly obtained in this case and that the controller therefore lacked a legal basis for the processing. The AEPD proposed a fine of €2,000,000. The controller acknowledged responsibility for the violations and voluntarily paid the reduced amount; the fine was therefore reduced by 40% to €1,200,000.

The AEPD acknowledged that Law 10/2010 requires banks to verify the professional and business activities of their clients. However, it noted that the law does not specify how a bank is to verify this information; instead, the controller decides on the form of verification, and it must do so in a way that complies with data protection regulations. The Convention established between the General Treasury for Social Security and the Spanish Association of Financial Entities, which guides financial institutions on compliance with Law 10/2010, likewise does not establish an obligation to verify personal data with the General Treasury of Social Security.

There was thus no legal obligation requiring the controller to collect its clients' personal data from the General Treasury of Social Security. However, insofar as this was the method chosen by the controller to comply with Law 10/2010, the AEPD noted that the sixth clause of Annex III of the Convention explicitly requires the data subject's consent before the controller may verify their personal data with the General Treasury of Social Security.

The AEPD found that consent was not properly obtained in this case. As a result, the controller lacked a legal basis for processing pursuant to Article 6(1) GDPR. The AEPD emphasized that consent is not freely given when the data subject cannot refuse consent without suffering detriment, or when the performance of a contract or the provision of a service is made conditional on consent even though that consent is not necessary for the service. In this case, consent was not freely given because it was included as a non-negotiable clause of the controller's contract. Additionally, the controller failed to obtain specific consent for each processing purpose; instead, it bundled consent to processing for the provision of banking services with consent to the retrieval of the data subject's data from the General Treasury of Social Security. Finally, consent was not informed because it was presented as a requirement rather than an option within the contract, and because the clause falsely stated that the controller was obliged by national law to process the personal data.

Given these violations, the AEPD resolved to initiate sanction proceedings against the controller and recommended a sanction of €2,000,000.

Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €1,200,000.

Comment

Law 39/2015, a Spanish law concerning administrative proceedings, permits a controller to acknowledge responsibility for an alleged violation or to pay a fine proposed by the AEPD in its investigation stage in exchange for a 20% reduction in the fine amount. These actions permit the reduction to stack -- thus, if a controller both acknowledges responsibility and pays the fine prior to the AEPD's final sanction proceedings, then the fine amount is reduced 40%.


English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202300944

RESOLUTION TERMINATING THE PROCEDURE BY VOLUNTARY PAYMENT

In the procedure conducted by the Spanish Data Protection Agency, and on the basis of the following



BACKGROUND

FIRST: On March 7, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against CAIXABANK, S.A. (hereinafter, the claimed party), by means of the Agreement transcribed below:

<<




File No.: EXP202300944

AGREEMENT TO INITIATE SANCTIONING PROCEEDINGS

Based on the actions carried out by the Spanish Data Protection Agency and on the following:

FACTS

FIRST: On December 7, 2022, Mr. A.A.A. (hereinafter, the complaining party) filed a claim with the Spanish Data Protection Agency. The claim is directed against CAIXABANK, S.A., with NIF A08663619 (hereinafter, CAIXABANK). The claim is based on the following reasons:


The complaining party states that CAIXABANK requested a series of data from him, citing the provisions of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing.

He adds that the information collected is reflected in a document called "Declaration/Modification of data for the business relationship (Form 5433)", but that, before signing the form (which contains his personal and financial data), he noticed that the wording of one of its clauses states that he expressly consents to CAIXABANK requesting his data from the General Treasury of Social Security, without being given any option to refuse, so that the consent is already pre-established.

He further states that, after he expressed his disagreement on this point, CAIXABANK replied that the process it followed was a routine one applied equally to all clients and that, if he did not sign under those conditions, his bank account would be blocked.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/26









He also provides the following relevant documentation:

- A screenshot of his personal area, showing that the document "Model 5433 Active. Economic" is pending signature.

- A copy of the aforementioned document (Form 5433), which states, among other things, the following:

"6. The declarant states that he has been informed by CaixaBank that the current legislation on the prevention of money laundering obliges banking entities to obtain information about their clients' economic activity and to verify it. For the exclusive purpose of verifying the information provided, he gives his express consent to CaixaBank so that, on his behalf, it may request such information from the General Treasury of Social Security. The data obtained from the General Treasury of Social Security will be used exclusively for the purpose indicated above. In the event of non-compliance with this obligation by CaixaBank and/or the personnel providing its services, all the actions provided for in Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights, will be taken."

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the claim was transferred to CAIXABANK so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations.

The transfer, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on January 30, 2023, as shown by the acknowledgment of receipt in the file.

On March 9, 2023, this Agency received a response letter stating:


1. That CAIXABANK is obliged to obtain information about the purpose and nature of the business relationship and to continuously monitor that relationship under Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing (hereinafter, "LPBCFT"), and its Regulation (Regulation of Law 10/2010, of April 28, on the prevention of money laundering and terrorist financing, hereinafter "RLPBCFT").

It cites the following article:

"Article 11 RLPBCFT. Continuous monitoring of the business relationship.
1. The obligated subjects shall scrutinise the operations carried out throughout the business relationship in order to ensure that they coincide with the client's professional or business activity and with its operational background [...]"

That in order to carry out this "scrutiny", the LPBCFT expressly obliges and enables it to collect information from its clients in order to know the nature of their professional or business activity and to adopt measures allowing the veracity of that information to be reasonably verified:

"Article 5 LPBCFT. Purpose and nature of the business relationship.
The obligated subjects shall obtain information about the purpose and intended nature of the business relationship. In particular, obligated subjects shall collect information from their clients in order to know the nature of their professional or business activity and shall adopt measures aimed at reasonably verifying the veracity of that information. Such measures shall consist of establishing and applying procedures for verifying the activities declared by clients. (...)"

2. That this mandate is the one reflected in document Model 5433, "Declaration/Modification of data for the business relationship", in which the data, specifically the socioeconomic data, are collected and in which it is stated that CAIXABANK is obliged to verify the data provided.

3. That "As can be seen, the processing of the claimant's data by this entity (collection of the data necessary to monitor the relationship and their mandatory verification) is carried out in strict compliance with the regulations applicable to it."

4. In relation to the blocking of accounts, it refers, among other information, to the following:

a. According to article 7.3 LPBCFT: "the obligated subjects shall not establish business relationships or execute operations when they cannot apply the due diligence measures provided for in this law, and shall terminate the business relationship when they cannot apply those measures". The same article also provides:

"that the refusal of entities to establish business relationships or to execute operations, or the termination of the relationship due to the inability to apply the due diligence measures, shall not entail, unless there is unjust enrichment, any type of liability for the entity".

b. That section 4 of model 5433 states:

"4. The declarant declares that the data provided are his own and complete, and acknowledges that any inaccuracy or lack of veracity in them and/or in the documents provided (accuracy or truthfulness that CaixaBank reserves the right to verify by its own means), as well as non-compliance with the commitments acquired by virtue thereof, may be sufficient cause for CaixaBank and/or the companies of the CaixaBank group to refuse to establish the business relationship or to contract any product or service, and shall entitle CaixaBank and/or any of the companies of the CaixaBank group to suspend and even terminate the business relationship that, where applicable, has been established."


c. It states:

"As can be seen, the eventual termination of the business relationship arises from the client's failure to provide the legally required data and/or from the lack of the mandatory verification of that data.

In no case, contrary to what the claimant states - without any evidence to support that statement -, does the failure to give consent for the verification of the (necessary) data provided for knowledge of the business relationship, through consultation of the TGSS database (as reported in section 6 of Form 5433), or its subsequent revocation, imply or may imply the termination of the business relationship with CaixaBank, whose action in matters of money laundering prevention is strictly limited to the LPBCFT and the RLPBCFT."


5. That there is no claim by the claimant in its systems.

That it understands that the claimant is exercising the right of revocation, and that it has therefore registered that revocation in its systems with immediate effect.

It provides a copy of the letter dated 03/08/2023 addressed to the claimant, informing him that his consent for the consultation of data with the TGSS has been revoked>>.

THIRD: On March 7, 2023, in accordance with article 65 of the LOPDGDD, the claim filed by the complaining party was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts in question, by virtue of the functions assigned to the supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, and learned the following:


1. The "Know Your Customer" process (hereinafter KYC) is the process by which Caixabank complies with the due diligence obligations established by the LPBCFT. These obligations involve identifying the client and obtaining information about the client's professional activity, including the obligation to reasonably verify that activity in the case of clients with a higher than average risk, as well as ensuring that in all cases the information is kept up to date through review processes.

For this purpose, the process is carried out:

- At the time a client is registered with the entity.

- Periodically, to update the information. This may be either at intervals of 1 to 5 years depending on the risk, or when the client communicates changes in the information.


2. There is a collaboration agreement between the General Treasury of Social Security (hereinafter, TGSS), the Spanish Banking Association, the Spanish Confederation of Savings Banks and the National Union of Credit Cooperatives on the transfer of information, whose sole purpose is to allow financial entities to consult certain information about their clients in order to verify it and comply with the due diligence measures established by the LPBCFT. Caixabank adhered to this agreement on April 28, 2021.

Its sixth clause ("Responsibility for the operation of the SVFI") states:

"(...) Likewise, each Collaborating Financial Entity is obliged to guarantee, with respect to each request it makes:

a) That the requests refer to natural persons who initiate business relationships with the Financial Entity or to persons whose information, after a reasonable period of time, needs to be updated.

b) That prior to the request for information, the Collaborating Financial Entity holds the corresponding express authorisation, signed by the interested party and agreed between the parties (see Annex III).

c) That it undertakes to safeguard the clients' authorisations. In the event of control or audit actions carried out by the TGSS as owner of the transferred data, the Financial Entities are obliged to provide the documentation in their possession within a period not exceeding ten calendar days from the request. The same period shall also apply to requests that, where appropriate, may be made by the Data Protection Agency.

(...)"

The content of Annex III of the aforementioned agreement is as follows:

[Annex III is not reproduced in this text.]
3. In the registration processes for new clients, all the personal data information that the client provides is consolidated in the "Framework Contract" document, which must be signed by the new client.

The registration process for new clients that CAIXABANK established after adhering to the agreement on April 28, 2021 was modified on the following dates:

- In office: May 2023.

- In digital banking (CaixaBankNow) and mobile banking (app): June 2023.

Therefore, the process of registering new clients differs depending on the period in which it was carried out:

a) From CAIXABANK's adhesion to the agreement on April 28, 2021 until the modifications to the new client registration process carried out in 2023:

(i) The Framework Contract model contains the following:

"(...)

You state that you have been informed by Caixabank that the current legislation on the prevention of money laundering requires banking entities to obtain information about their clients' economic activity and to verify it. For the exclusive purpose of verifying the information provided, you give your express consent to Caixabank so that, on your behalf, it may request that information from the General Treasury of Social Security. The data obtained from the General Treasury of Social Security will be used exclusively for the purpose indicated above (...).

[...]

4. PROCESSING OF PERSONAL DATA

[...]
4.4 Processed data
[...]
> Data that you have provided to us when registering your contracts or during your relationship with us through interviews or forms. These are the data types and details:

[...]
Data on your professional or work activity and socioeconomic data: professional or work activity, income or remuneration, family unit or circle, educational level, assets, fiscal data and tax data.
[...]

> Data obtained from publicly accessible sources, public records or external sources.
These are the data types and details:
[...]
4.5 What processing we carry out with your data.

The processing that we carry out with your data is varied and responds to different purposes and legal bases:
> Processing based on consent, for the purposes of:
- Personalisation of the commercial offer through other channels.
- Transfer of data to other companies.
- Identification of clients and signing of documentation through the use of biometrics.
- Application of personal conditions in joint ownership contracts.
[...]
> Processing necessary to comply with regulatory obligations, mainly for the purpose of:
- Complying with regulations on the prevention of money laundering and terrorist financing.
- Complying with tax regulations.
- Complying with the obligations derived from international financial sanctions and countermeasures policies.
- Handling complaints and claims.
[...]"


               (ii) In the registration processes for new clients, there is a process to
       grant, or not, consent exclusively in relation to the following
       processing operations: “Personalization of the offer of products and services according to the
       analysis of your data”, “Communication of the offer of products and services through
       channels”, “Transfer of data to other companies”, “Apply personal conditions
       in co-ownership contracts”.

               (iii) The revocation of consent was done through a
       form, in the office.

               (iv) In the period from 12/7/2021 until the dates indicated above, when the
       2023 processes for the registration of new clients were launched, a total of 3,026,247
       people completed the KYC registration process, signing the framework contract,
       through the different channels.


       b) Since the modifications to the new client registration process carried out
in 2023:

               (i) The Framework Contract model contains the following:

               5. PROCESSING OF PERSONAL DATA.
               […]
               5.4 Processed data
               […]
               〉 Data that you have provided to us when registering your contracts or during
               your relationship with us through interviews or forms. These are
               the types and details of the data:
                      […]
                      • Data on your professional or work activity and socioeconomic situation:
               professional or work activity, income or remuneration, family unit or circle,
               educational level, assets, fiscal data and tax data.
                      […]
               〉 Data obtained from publicly accessible sources, public records or
               external sources. These are the types and details of the data:

                      […]
                      • Data from the General Treasury of Social Security: identification
               and contact details of the payer, professional or work activity data
               (CNAE, self-employed worker and/or employed person, the worker's
               contribution group).
                      […]
               5.5 What processing we carry out with your data.
               The processing that we will carry out with your data is diverse and
               responds to different purposes and legal bases:

               〉 Processing based on consent, with the purposes of:
                      − Personalization of the offer of products and services according to the
               analysis of your data.
                      − Communication of the commercial offer through other channels.
                      − Transfer of data to other companies for the submission of
               commercial offers.
                      − Verification of economic activity to comply with the
               regulations for the prevention of money laundering and the financing
               of terrorism.
                      […]
               〉 Processing necessary to comply with regulatory obligations,
               mainly for the purpose of:
                      − Complying with regulations on the prevention of money laundering
               and the financing of terrorism.
                      − Complying with tax regulations.
                      − Complying with the obligations derived from the policies
               of international financial sanctions and countermeasures.
                      − Addressing complaints and claims.
               […]”

               (ii) In the KYC procedures for registering new clients, it is stated that
       the client may or may not grant consent for data verification
       with the TGSS, both in the office and on the website www.caixabank.es, as well as
       in the entity's mobile application. It is also stated that consent
       may be revoked through the three channels mentioned above.

4. In the processes of updating the personal data information of existing clients,
what has to be signed is form 5433 (Declaration/Modification of
data for the business relationship).

The process of updating the personal data information of existing clients
that CAIXABANK established after its accession to the agreement on April 28,
2021 was modified on the following dates:

       - In the office: in February 2023.
       - In digital banking (CaixaBankNow): in May 2023.
       - In mobile banking (app): in June 2023.

Therefore, in such a process of updating the personal data information of
existing clients, there are differences depending on the time period in which it was
done:

       a) From CAIXABANK's accession to the agreement on April 28, 2021 until the
modifications to the process of updating the personal data information of
existing clients carried out in 2023:

              (i) The "Declaration/Modification of data for the business relationship
       (Form 5433)" contains the following clauses which, as indicated by CAIXABANK in
       its letter of November 30, 2023, are “The information in relation to the
       data processing":

              "5. Processing of personal data. The data controller
              is CaixaBank, S.A., with NIF A-08663619. Contact information
              of the Data Protection Officer:
              www.CaixaBank.com/degadoprotecciondedatos. The data requested
              are necessary for the management and execution of the service and/or contracting
              requested, and will be processed for that purpose; likewise, they will be
              processed to comply with the applicable regulatory obligations. These
              data may be communicated to authorities and public bodies,
              for compliance with an applicable legal obligation, as well as to
              service providers and third parties necessary for the management and
              execution of the relationships derived from the service and/or contract. The
              data will be processed while the relationships derived from the service and/or
              contract established remain in force, and will be
              preserved (during the limitation period of the actions
              derived from said relationships) for the sole purpose of complying with the
              applicable legal obligations, and for the formulation, exercise or
              defense of claims. Exercise of rights and claims before
              the Data Protection Authority. The data subject may exercise
              the rights in relation to their personal data in accordance
              with current regulations, at the CaixaBank offices, at
              POST OFFICE BOX 209-46080 VALÈNCIA or at
              www.CaixaBank.com/ejerciciodederechos.

              6. The declarant states that he has been informed by CaixaBank
              that the current legislation on the prevention of money laundering
              obliges banking entities to obtain from their clients
              information on their economic activity and to carry out a verification
              of the same. For this exclusive purpose of verifying the information
              provided, he gives his express consent to CaixaBank so that, on
              his behalf, it can request said information from the General Treasury of
              Social Security. The data obtained from the General Treasury of
              Social Security will be used exclusively for the management
              noted above. In the event of non-compliance with this
              obligation on the part of CaixaBank and/or the personnel who provide
              services to it, all actions provided for in Organic Law 3/2018,
              of December 5, on the Protection of Personal Data and the guarantee of
              digital rights will be carried out.

               (ii) The revocation of said consent was done through a
       form, in the office.

               (iii) In the period from 12/07/2021 until the dates indicated above, when the
       2023 KYC processes were launched, a total of 3,401,052 people completed
       the KYC process of updating their personal data information, signing document 5433,
       through the different channels.


       b) Since the modifications to the process of updating the personal data
information of existing clients carried out in 2023:

               (i) CAIXABANK, in its letter of October 31, 2023, indicates:

                      - That the client must give again all the information that he already
declared upon registration.

                      - “Once all the fields have been verified, a summary of the data will be
shown to the client, who must sign the updated or modified information, which is
consolidated in document KYC 5433, which the client signs (…).”

                      That "Declaration/Modification of data for the business relationship
                      (Form 5433)" contains the same clauses that CAIXABANK indicated
                      in its letter of November 30, 2023, with the exception of clause 6.

                      “- If the client has not given consent to the verification
of their economic activity, the client will be asked if they wish to give their
consent to the processing of their data for this purpose, (…)”

               (ii) Consent can be revoked both in the office and on the
website www.caixabank.es, as well as in the entity's mobile application.

FIFTH: According to the report obtained from the AXESOR tool, the entity
CAIXABANK, S.A. is a large company established in 1980, with a turnover
of 1,310,563,000 euros in 2022.

                           FOUNDATIONS OF LAW

                                            I

                                     Competence

In accordance with the powers that article 58.2 of the RGPD grants to each supervisory
authority, and as established in articles 47, 48.1, 64.2 and 68.1 of the LOPDGDD,
the Director of the Spanish Data Protection Agency is competent to initiate and resolve
this procedure.

Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Data Protection Agency will be governed by the provisions
of Regulation (EU) 2016/679, of this organic law, of the regulatory provisions
issued in its development and, insofar as they do not contradict them, on a
subsidiary basis, by the general rules on administrative procedures."


                                           II
                                  Preliminary issues

In accordance with the provisions of article 4.2 of the GDPR, "processing" means:
any operation or set of operations performed on personal data or
sets of personal data, whether by automated means or not, such as
collection, recording, organisation, structuring, storage, adaptation or
alteration, retrieval, consultation, use, disclosure by transmission, dissemination or
otherwise making available, alignment or combination, restriction,
erasure or destruction;

In the present case, in accordance with the provisions of article 4.2 of the RGPD,
CAIXABANK is the one who processes the personal data of its clients,
collecting their personal data and consulting them with the TGSS.

To this end, it establishes a procedure for obtaining the personal data
of clients and collecting consent to verify said personal data
before the TGSS, through a form called “framework contract”
for cases of registration of new clients, and “form 5433 (Declaration/Modification
of data for the business relationship)” for cases of updating the
personal data of existing clients. Both documents are mandatory to sign.

Therefore, in this procedure the procedure established by CAIXABANK will be analyzed
for the provision of consent by CAIXABANK clients
so that it can consult their personal data before the TGSS to verify the data
obtained pursuant to the LPBCFT.


                                           III
                                 Article 6.1 of the GDPR

According to article 6 of the GDPR, “Lawfulness of processing:

1. Processing shall be lawful only if at least one of the following
conditions is met:

a) the data subject has given consent to the processing of his or her personal data
for one or more specific purposes;

b) the processing is necessary for the performance of a contract to which the data subject
is party or in order to take steps at the request of the data subject prior to entering into a contract;

c) the processing is necessary for compliance with a legal obligation to which the
controller is subject;

d) the processing is necessary in order to protect the vital interests of the data subject or of another
natural person;

e) the processing is necessary for the performance of a task carried out in the public
interest or in the exercise of official authority vested in the controller;

f) the processing is necessary for the purposes of the legitimate interests pursued
by the controller or by a third party, except where such
interests are overridden by the interests or fundamental rights and freedoms of the
data subject which require protection of personal data, in particular where the
data subject is a child. Point (f) of the first subparagraph shall not
apply to processing carried out by public authorities in the performance of their
tasks.”


In this case, CAIXABANK states that the verification before the TGSS of the personal data of its
clients, obtained in compliance with the obligations imposed by the
LPBCFT, is a consequence of the legal obligation imposed by Law 10/2010, of April 28,
on the prevention of money laundering and terrorist financing
(LPBCFT), which includes in its article 2 the obligated subjects in the prevention of
money laundering: financial entities (banks, savings banks, credit cooperatives,
etc.), insurance companies, credit institutions, etc.


In this sense, this same law provides in its article 5 that “the obligated subjects
will collect information from their clients in order to know the nature of their
professional or business activity and will adopt measures aimed at reasonably verifying
the veracity of said information.

Such measures will consist of the establishment and application of procedures for the
verification of the activities declared by clients. These procedures
will take into account the different level of risk and will be based on obtaining from the
clients documents that are related to the declared activity or on
obtaining information about it from sources other than the client himself.” (emphasis added)

Adding in its article 6 that “The obligated subjects will apply measures of
continuous monitoring of the business relationship, including scrutiny of the
operations carried out throughout said relationship in order to guarantee that they coincide
with the knowledge that the obligated subject has of the client and his business
and risk profile, including the origin of funds, and ensuring that the documents, data and
information available are up to date.”

For its part, RD 304/2014, of May 5, which approves the Regulation of
Law 10/2010, of April 28, on the prevention of money laundering and the
financing of terrorism, which develops the LPBCFT, establishes:

“Article 10. Purpose and nature of the business relationship.

1. The obligated subjects will collect information from their clients in order to know the
nature of their professional or business activity. The activity declared by the
client will be recorded by the obligated subject prior to the beginning of the business
relationship.

2. The obligated subjects will verify the activities declared by the clients in
the following cases:

    a) When the client or the business relationship presents risks higher than
average, by regulatory provision or because it so appears from the risk analysis
of the obligated subject.

    b) When the monitoring of the business relationship shows that the client's
active or passive operations do not correspond to their declared activity or their
operational background.

3. Actions to verify the declared professional or business activity
will be graduated based on risk and will be carried out through documentation provided
by the client, or by obtaining information from reliable and independent
sources. Likewise, obligated subjects will be able to verify the professional
or business activity of clients through in-person visits to the offices,
warehouses or premises declared by the client as places where they carry out their
commercial activity, leaving a written record of the result of said visit.

(…)

Article 11. Continuous monitoring of the business relationship.

1. The obligated subjects will carry out a scrutiny of the operations carried out
throughout the business relationship in order to ensure that they coincide with the
professional or business activity of the client and with its operational background. The
obligated subjects will increase monitoring when they appreciate risks higher than
average by regulatory provision or because it so appears from the risk analysis
of the obligated subject.

(…)

2. The obligated subjects will periodically carry out review processes in order to
ensure that the documents, data and information obtained as a consequence
of the application of due diligence measures are kept up to date and
remain current.

(…)” (emphasis added)

In accordance with the aforementioned regulations, the processing carried out by the
banking entity consists of, on the one hand, collecting information from clients in the terms
made explicit in the LPBCFT and, on the other hand, adopting measures aimed at reasonably
verifying the veracity of said information.

Thus, it is true that sector regulations determine the obligation to verify the
professional and business activities of the subjects with whom one is going to do
business. They do not, however, provide that this should be done in a particular
manner, and it must be the controller of the personal data (in the
present case, CAIXABANK) who decides on such verification procedure, which
must comply with the regulations on the protection of personal data.

The Agreement signed with the TGSS on the transfer of information, to which
CAIXABANK adhered on April 28, 2021, in order to facilitate for credit institutions
compliance with anti-money laundering regulations, through a
mechanized computer procedure that allows establishing a daily process of
data requests by financial entities and transmission of
information from the TGSS, could be an appropriate mechanism for the
fulfillment of its obligations, but not necessarily the only one.

In the sixth clause and in Annex III of the Agreement between the General Treasury of
Social Security, the Spanish Banking Association, the Spanish Confederation of
Savings Banks and the National Union of Credit Cooperatives on the transfer of
information, to which CAIXABANK alludes in its writings, it is evident
that the interested party must consent so that the banking entity can verify the
personal data before the TGSS, and the clause by which he can give express consent
to verify the information is effectively included.

But although this is the way in which the agreement considers that this
consent is given for the purposes of allowing verification in the TGSS systems,
this is not the only way to verify personal data, in the terms
aforementioned of the LPBCFT and its implementing regulations.

The regulations do not establish an obligation to verify personal data information
before the TGSS; rather, it is provided by the client and subsequently, taking into account the
different level of risk, there is a general obligation to establish and apply
verification procedures for the activities declared by clients.


Therefore, in order to consult personal data with the TGSS, given that the Law
does not impose this route on banking entities, nor does consultation with the TGSS
constitute a legal obligation, for the purposes of verifying the personal data
information provided by the claimant it would be necessary to obtain the consent of the
interested party, not to impose the use of said mechanism, and always limited to the
specific cases in which the standard requires such verification.

In this sense, article 4.11 of the GDPR establishes that the “consent of the
interested party” is “any freely given, specific, informed and
unambiguous indication by which the interested party accepts, either through a statement or a
clear affirmative action, the processing of personal data that concerns them”.

Consent is understood as a clear affirmative act that reflects a
freely given, specific, informed and unambiguous indication of the interested party's
will to accept the processing of personal data that concerns them, provided with
sufficient guarantees to prove that the interested party is aware of the fact that
they give their consent and of the extent to which they do so.

Likewise, it must be given for all processing activities carried out for the
same purpose or purposes, so that, when the processing has several purposes, consent must
be given for all of them specifically and unequivocally. In this
regard, the lawfulness of the processing requires that the interested party be informed about the
purposes for which the data are intended (informed consent).

Furthermore, consent must be given freely. It is understood that
consent is not free when the interested party does not enjoy a true or free choice
or cannot refuse or withdraw their consent without suffering any detriment, or when the
performance of a contract or provision of a service is made dependent on
consent, even when this is not necessary for said performance. This
occurs when consent is included as a non-negotiable part of the
general conditions.

Without these conditions, the consent given by the interested party would not entail
control over their personal data and their destination.

On the other hand, the European Data Protection Board, in the document “Guidelines
05/2020 on consent under Regulation 2016/679”, which updates
the guidelines on consent adopted by the Article 29 Working Party
on 11/28/2017, reviewed and approved on 04/10/2018, refers to this and indicates
that:

"3. In general, consent can only be an appropriate legal basis if it
offers the interested party control and a real capacity of choice regarding whether they want to
accept or reject the conditions offered, or reject them without suffering any detriment.
When requesting consent, the data controller has the obligation to
evaluate whether said consent will meet all the requirements for obtaining
valid consent. If obtained in full compliance with the GDPR,
consent is a tool that gives data subjects control over whether the
personal data that concern them will be processed or not. If not, the control
of the interested party will be merely illusory and consent will not be a valid legal basis
for the processing, which will turn said processing activity into an
unlawful activity."

These guidelines go on to state:

“13. The term "free" implies real choice and control on the part of the data subjects.
As a general rule, the GDPR establishes that, if the data subject is not truly free to
choose, feels obligated to give consent or will suffer negative consequences if they
do not give it, then the consent cannot be considered valid. If
consent is included as a non-negotiable part of the conditions,
it is generally assumed that it has not been freely given. Consequently,
consent will not be considered to have been freely given if the interested party cannot
refuse or withdraw consent without detriment.”

They also indicate:

“62. The GDPR reinforces the requirement that consent must be informed.
Pursuant to Article 5 of the GDPR, the transparency requirement is one of the
fundamental principles, closely related to the principles of fairness and
lawfulness. Providing information to interested parties before obtaining their consent is
essential so that they can make informed decisions, understand what they
are authorizing and, for example, exercise their right to withdraw their consent. If the
controller does not provide accessible information, the user's control will be illusory and
consent will not constitute a valid basis for data processing.

63. If the requirements regarding informed consent are not met,
consent will not be valid and the controller may be in breach of article 6
of the GDPR.

64. For consent to be informed, it is necessary to inform the interested party of
certain elements that are crucial to be able to choose. Therefore, the EDPB is of the opinion that
at least the following information is required to obtain valid consent:

i. the identity of the controller;

ii. the purpose of each of the processing operations for which
consent is requested;

iii. what (type of) data will be collected and used;

iv. the existence of the right to withdraw consent;

v. information on the use of data for automated decision-making
in accordance with Article 22(2)(c) where applicable, and

vi. information about the possible risks of data transfers due to the
absence of an adequacy decision and of appropriate safeguards, as
described in article 46.”

In the present case, since CAIXABANK joined the agreement on April 28,
2021 until the modifications of the procedure in 2023:

- Consent cannot be considered free because, with the signing of the framework contract
or model 5433, it is required of all clients that the verification of their
personal data be carried out through consultation with the TGSS. This absolutely limits the
choice of such people to decide whether they want CAIXABANK to carry
out such verification of personal data through consultation with the TGSS, since
it is not mandatory, as stated.

- Likewise, consent must be given for all processing activities
carried out for the same purpose or purposes, so that, when the processing has
several purposes, consent must be given for all of them specifically and
unequivocally. But in the present case it cannot be considered specific and unambiguous
when the mechanisms for the provision of consent by clients of
CAIXABANK, so that it can consult the personal data of its clients before
the TGSS, through the framework contract model and model 5433, are already pre-established,
just as if it were a pre-ticked box.

- Consent cannot be considered informed because:

       a) The framework contract, which the new clients signed, indicated, on the one
hand, that the client “gives their express consent to Caixabank so that on their behalf
it can request said information from the General Treasury of Social Security”, although
section 4.5 of such contract does not include such processing within the section
regarding “Processing based on consent”.

       b) Form 5433, which existing clients had to sign for the
update of their personal data, indicated that “The declarant states that he has
been informed by CaixaBank that the current legislation on the prevention of
money laundering obliges banking entities to obtain from their clients
information on their economic activity and to verify it.
For this exclusive purpose of verifying the information provided, he gives his
express consent to CaixaBank so that on his behalf it can request said
information from the General Treasury of Social Security.” This information must be
added to what such people already had when they signed the aforementioned framework contract.

The information offered could cause confusion to an average citizen, because:

- It did not allow express consent; rather, consent was reflected in a
standard clause of the models to which it was obligatory to adhere.

- Such clause mentioned the legal obligations regarding the LPBCFT.

- In the information that was given about the processing of personal data, since such
processing was not expressly included among the processing operations whose legal basis
was consent, it could be directly related to the processing operations related to the
legal obligation under the LPBCFT, a rule referred to in the clause of the models.

Therefore, in accordance with the evidence available at this time
of the agreement to initiate sanctioning proceedings, and without prejudice to what
results from the investigation, it is considered that the known facts could
constitute an infringement, attributable to the respondent, for violation of
article 6.1 of the RGPD in relation to the procedure that CAIXABANK had established
to obtain the consent of its clients to verify before the TGSS
certain personal data related to the LPBCFT.

                                           IV
                              Classification of the offense

The infringement attributed to CAIXABANK is classified in article
83.5 a) of the RGPD, which considers that the violation of “the basic principles for
processing, including the conditions for consent pursuant to articles 5,
6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article 83 of the
cited Regulation, “with administrative fines of a maximum of €20,000,000 or,
in the case of a company, an amount equivalent to a maximum of 4% of the
total worldwide annual turnover of the previous financial year, opting for
the larger amount.”


The LOPDGDD in its article 71, Infringements, states that: “The acts and conduct
referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679
constitute infringements, as well as those that are contrary to this organic law”.

And in its article 72 it considers, for the purposes of limitation periods, that: “Infringements
considered very serious:

1. Based on what is established in article 83.5 of Regulation (EU) 2016/679,
the infringements that involve a substantial violation of the articles mentioned therein
are considered very serious and will be time-barred after three years, and in particular the
following:
(…)
b) The processing of personal data without any of the conditions of
lawfulness of the processing established in article 6 of Regulation (EU) 2016/679.
(…).

                                           V
                                 Sanction proposal

In order to establish the administrative fine to be imposed, the
provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which indicate:

"1. Each supervisory authority shall ensure that the imposition of administrative
fines pursuant to this article in respect of infringements of this
Regulation referred to in sections 4, 5 and 6 shall in each individual case be
effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each
individual case, be imposed in addition to, or instead of, the measures referred to in
Article 58, paragraph 2, letters a) to h) and j).

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 19/26









When deciding whether to impose an administrative fine and deciding on its amount in each individual case, due regard shall be given to the following:

 a) the nature, gravity and duration of the infringement, taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;

 b) the intentional or negligent character of the infringement;

 c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;

 d) the degree of responsibility of the controller or processor, taking into account the technical and organisational measures implemented by them pursuant to Articles 25 and 32;

 e) any relevant previous infringement by the controller or processor;

 f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement;

 g) the categories of personal data affected by the infringement;

 h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;

 i) where measures referred to in Article 58, paragraph 2, have previously been ordered against the controller or processor concerned with regard to the same subject matter, compliance with those measures;

 j) adherence to codes of conduct pursuant to Article 40 or to certification mechanisms approved pursuant to Article 42; and

 k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."


In relation to letter k) of Article 83.2 of the RGPD, the LOPDGDD, in its Article 76, "Sanctions and corrective measures", establishes that:

 "2. In accordance with the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:

 a) The continuous nature of the infringement.
 b) The link between the offender's activity and the processing of personal data.
 c) The benefits obtained as a consequence of the commission of the infringement.
 d) The possibility that the conduct of the affected person could have induced the commission of the infringement.
 e) The existence of a merger by absorption process subsequent to the commission of the infringement, which cannot be attributed to the absorbing entity.
 f) The impact on the rights of minors.
 g) Having, when not mandatory, a data protection officer.
 h) The submission by the controller or processor, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any interested party."


In accordance with the provisions transcribed, and without prejudice to what results from the investigation of the procedure, for the purposes of setting the amount of the administrative fine to be imposed in the present case for the infringement classified in Article 83.5 of the RGPD for which the defendant is held responsible, in an initial assessment the following factors are considered to concur:

As aggravating circumstances:

- The nature, severity and duration of the infringement (Article 83.2.a) of the RGPD), since the events revealed affected all of its clients from the accession of CAIXABANK to the agreement with the TGSS on April 28, 2021 until February 2023. Specifically, from December 7, 2021 until the dates indicated above, when the KYC processes for 2023 were launched, it affected:

       (i) 3,026,247 people who signed the framework contract.
       (ii) 3,401,052 people who signed form 5433.

- The intention or negligence of the infringement (Article 83.2.b) of the RGPD). CAIXABANK joined the agreement with the TGSS on April 28, 2021, an agreement which, in its sixth clause, requires the financial entity to have the corresponding express authorization signed by the interested party. However, it demanded consent through an adhesion clause without any real possibility of consent, while being fully aware of the requirements of the agreement signed with the TGSS.

In this sense, the judgment of the Audiencia Nacional (SAN) of October 17, 2007 (rec. 63/2006) is very illustrative, which indicates that "…the Supreme Court has held that there is negligence whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, the professionalism or otherwise of the subject must be especially considered, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, emphasis must be placed on rigour and exquisite care in complying with the legal provisions in this regard."

- The circumstance of Article 83.2.e) RGPD: "Any previous infringement committed by the controller or processor."

Recital 148 of the GDPR states "In order to strengthen the enforcement of the rules of this Regulation [...]" and indicates in this regard that "Due regard should however be given to the nature, gravity and duration of the infringement, its intentional character [...] or any relevant previous infringement [...]".

Thus, in accordance with section e) of Article 83.2 GDPR, in determining the amount of the administrative fine, all previous infringements by the controller or processor must be taken into account in order to gauge the unlawfulness of the conduct analysed or the culpability of the offending party.


Furthermore, a correct interpretation of the provision of Article 83.2.e) RGPD cannot ignore the purpose pursued by the rule: to decide the amount of the administrative fine in the individual case at hand, always bearing in mind that the sanction must be proportionate, effective and dissuasive.


There are numerous sanctioning procedures processed by the AEPD in which the respondent has been sanctioned for infringing Article 6.1 of the RGPD:

i. PS/00477/2019. Resolution issued on January 5, 2021, imposing a penalty of 2,000,000 euros for Articles 13 and 14 of the RGPD and 4,000,000 euros for Article 6 of the GDPR. The events concerned the transfer of data to companies in the group.

ii. PS/00500/2020. Resolution issued on September 22, 2021, imposing a penalty of 3,000,000 euros. The events concerned the procedures for obtaining consent to create profiles for commercial purposes.

iii. PS/00226/2020. Resolution issued on February 4, 2022, imposing a penalty of 2,000,000 euros for Article 6 in relation to Article 7.4 of the RGPD and 100,000 euros for Article 6.1. The events concerned the consent collection procedure and the existence of pre-ticked consents.

iv. PS/00254/2023. Resolution issued on October 19, 2023, imposing a fine of 200,000 euros. The events concerned keeping personal data in the credit information file when the debt had been sold to a third party. CAIXABANK took advantage of the two reductions provided for.

- The activity of the allegedly infringing entity is linked to the processing of data from both clients and third parties. In the activity of the respondent entity, the processing of its clients' personal data is essential, so that, given its volume, the significance of this activity, the object of this claim, is very high (Article 76.2.b) of the LOPDGDD in relation to Article 83.2.k)).


Considering the factors set out, in order to decide on the imposition of an administrative fine and its amount, in accordance with the evidence available at the time of the agreement to initiate the sanctioning procedure and without prejudice to what results from the investigation, taking into account the circumstances of the case and the criteria established by Article 83.2 of the RGPD with respect to the infringement committed, an initial fine of 2,000,000 euros is warranted.


                                          VI
                                Adoption of measures

If the infringement is confirmed, it could be agreed to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…" The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in Article 83.2 of the GDPR.


In such case, in the resolution adopted, this Agency may require the controller, within the period determined, to:

Adequately inform and obtain consent, under the terms of the GDPR, from the clients of the entity who, since the accession of CAIXABANK to the agreement with the TGSS on April 28, 2021 and until the modifications of the process in 2023, had signed a framework contract and/or a form 5433 (Declaration/Modification of data for the business relationship) and who had not been adequately informed and/or whose consent had not been obtained, in the terms set forth in this initiation agreement, in relation to the verification of personal data before the TGSS under the terms of the LPBCFT.

It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered an administrative offence in accordance with the provisions of the RGPD, classified as an infringement in its Articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.

Therefore, in accordance with the above, the Director of the Spanish Data Protection Agency
AGREES:


FIRST: START SANCTIONING PROCEDURE against CAIXABANK, S.A., with NIF A08663619, for the alleged infringement of Article 6.1 of the RGPD, classified in Article 83.5 of the GDPR.


SECOND: APPOINT Mr. R.R.R. as instructor and Ms. S.S.S. as secretary, indicating that they may be challenged, if applicable, in accordance with the provisions of Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).


THIRD: INCORPORATE into the sanctioning file, for evidentiary purposes, the claim filed by the complaining party and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure.

FOURTH: THAT for the purposes provided for in Article 64.2 b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be, for the alleged infringement of Article 6.1 of the RGPD, classified in Article 83.5 of said Regulation, an administrative fine in the amount of TWO MILLION EUROS (€2,000,000.00), without prejudice to what results from the investigation.

FIFTH: NOTIFY this agreement to CAIXABANK, S.A., with NIF A08663619, granting it a hearing period of ten business days to formulate allegations and present the evidence it considers appropriate. In its written allegations it must provide its NIF and the file number that appears in the heading of this document.


If no allegations are made to this initiation agreement within the stipulated period, it may be considered a proposed resolution, as established in Article 64.2.f) of the LPACAP.

In accordance with the provisions of Article 85 of the LPACAP, you may recognize your responsibility within the period granted for the formulation of allegations to the present initiation agreement, which will entail a 20% reduction in the sanction that may be imposed in this procedure. With the application of this reduction, the penalty would be set at ONE MILLION SIX HUNDRED THOUSAND EUROS (€1,600,000.00), resolving the procedure with the imposition of this sanction.


Likewise, you may, at any time prior to the resolution of this procedure, make voluntary payment of the proposed sanction, which will mean a 20% reduction in its amount. With the application of this reduction, the sanction would be set at ONE MILLION SIX HUNDRED THOUSAND EUROS (€1,600,000.00) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.

The reduction for voluntary payment of the penalty is cumulative with the one applicable for recognition of responsibility, provided that this recognition of responsibility is made within the period granted to formulate allegations at the opening of the procedure. The voluntary payment of the amount referred to in the previous paragraph may be made at any time prior to the resolution. In this case, if both reductions were applied, the amount of the penalty would be set at ONE MILLION TWO HUNDRED THOUSAND EUROS (€1,200,000.00).


In any case, the effectiveness of either of the two reductions mentioned will be conditional upon the withdrawal of or waiver of any pending administrative action or appeal against the sanction.

In the event that you choose to proceed with the voluntary payment of any of the amounts indicated above (€1,600,000.00 or €1,200,000.00), you must make it effective by depositing it into the IBAN account number ES00-0000-0000-0000-0000-0000 (BIC/SWIFT Code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A., indicating in the payment reference the procedure number appearing in the heading of this document and the reason for the reduction in the amount being applied.


Likewise, you must send proof of payment to the General Subdirectorate of Inspection in order to continue the procedure in accordance with the amount paid.

The procedure will have a maximum duration of twelve months from the date of the initiation agreement. Once that period has elapsed without a resolution having been issued and notified, the procedure will expire and, consequently, the proceedings will be archived, in accordance with the provisions of Article 64 of the LOPDGDD.

Finally, it is noted that, in accordance with the provisions of Article 112.1 of the LPACAP, no administrative appeal lies against this act.


Mar España Martí
Director of the Spanish Data Protection Agency
 >>

SECOND: On March 28, 2024, the respondent proceeded to pay the penalty in the amount of 1,200,000 euros, making use of the two reductions provided for in the initiation Agreement transcribed above, which implies recognition of responsibility.

THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any pending administrative action or appeal against the sanction and the recognition of responsibility in relation to the facts referred to in the Initiation Agreement.

FOURTH: In the aforementioned Initiation Agreement transcribed above, it was stated that, if the infringement were confirmed, it could be agreed to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with the provisions of the aforementioned Article 58.2 d) of the RGPD, according to which each supervisory authority may "order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period…"

Having received a letter in which CAIXABANK, S.A. reports that it has adopted the necessary measures to prevent the recurrence of the events that gave rise to the infringement committed, this Agency acknowledges receipt of the same, without this statement implying any pronouncement on the regularity or legality of the measures adopted.

Please note the provisions of Article 5.2 of the GDPR, which establishes the principle of accountability when it states that "The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1." This principle refers to the obligation that falls on the controller not only to design, implement and observe the legal, technical and organizational measures so that the data processing complies with the regulations, but also to remain actively attentive throughout the entire life cycle of the processing so that this compliance is correct, and to be able to demonstrate it.



                           LEGAL GROUNDS


                                            I
                                     Competence


In accordance with the powers that Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants to each supervisory authority, and as established in Articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.

Likewise, Article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, by this Organic Law, by the regulatory provisions issued in its development and, insofar as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures."










                                           II
                             Termination of the procedure


Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures", provides the following:

"1. Once a sanctioning procedure has been initiated, if the offender recognizes his responsibility, the procedure may be resolved with the imposition of the appropriate sanction.

2. When the sanction is solely pecuniary in nature, or when a pecuniary sanction and another of a non-pecuniary nature may be imposed but the inadmissibility of the second has been justified, voluntary payment by the alleged offender at any time prior to the resolution will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement.

3. In both cases, when the sanction is solely pecuniary in nature, the body competent to resolve the procedure will apply reductions of at least 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditional on the withdrawal of or waiver of any administrative action or appeal against the sanction.

The reduction percentage provided for in this section may be increased by regulation."



According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:



FIRST: DECLARE the termination of procedure EXP202300944, of
in accordance with the provisions of article 85 of the LPACAP.


SECOND: NOTIFY this resolution to CAIXABANK, S.A.



In accordance with the provisions of Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure as provided in Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court (Audiencia Nacional), in accordance with the provisions of Article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in Article 46.1 of said Law.



                                                                              1219-21112023
Mar España Martí
Director of the Spanish Data Protection Agency