AEPD (Spain) - PS/00226/2020

From GDPRhub
AEPD (Spain) - PS/00226/2020
LogoES.jpg
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 7(4) GDPR
Type: Investigation
Outcome: Violation Found
Started: 21.02.2019
Decided:
Published:
Fine: 2,000,000 EUR
Parties: Caixabank
National Case Number/Name: PS/00226/2020
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: gauravpathak

The Spanish DPA fined Caixabank €2,100,000 for a violation of Articles 6 and 7(4) GDPR by conditioning the waiver of bank fees to the data subject's consent for processing personal data which were not necessary for the performance of a contract, and requesting this consent using pre-ticked boxes.

English Summary

Facts

Caixabank, a Spanish bank, is the controller in this case. In 2019, some of the bank's customers complained to the Spanish DPA (AEPD) stating that the bank was asking them to accept the consent terms for processing personal data through pre-ticked boxes. If the data subjects did not accept the terms, the bank would charge them a fee of €5 per month for the bank account's maintenance.

The AEPD opened an investigation and sought details from the bank regarding its privacy policy and advertising carried out for certain categories of bank accounts. The AEPD also physically inspected the bank for further investigation.

In their defense the bank stated that the fee is not a charge, just a necessary fare for the providing of banking services to its customers and is, therefore, an essential element of the contract. The bank added that the exemption from the fees was a benefit given to interested parties, and also an essential element of the contract.

According to the bank, Article 7(4) GDPR is not applicable to this case, since the terms of the contract do not mandate a condition, and consent for the processing of personal is not a must-have for signing the contract with the bank. It argued that a customer not consenting to the processing of personal data gets the same services that are being offered to a customer who has given their consent for the processing, and that customers were free to choose other banking products offered by the bank which were exempt from fees.

Holding

The AEPD established that during a certain period, for new customers who chose a particular type of bank account, the consent acceptance fields were pre-ticked, In the AEPD's view, linking an exemption from fees to the provision of obtaining consent for the processing of personal data would mean that the consent was not given freely, since not giving consent entailed the payment of maintenance fees, which were detrimental to the data subject.

In addition, the AEPD held that these charges cannot be considered an inherent element of the contract, and were at odds with the national law regarding payments for bank services (Real Decreto-ley 19/2017 de cuentas de pago básicas, traslado de cuentas de pago y comparabilidad de comisiones), which establishes that fees for basic bank accounts need to be freely agreed upon between the customer and the bank. The AEPD found that in this case, because consent could not be considered as being freely given, then the fees could also not be considered as freely agreed upon by both parties.

The AEPD also noted that the bank's arguments related to the offering of different banking products were not relevant in this case, since these other products had different requirements based on, inter alia, customer's economic conditions, minimum purchases per month, insurance contributions and holdings into investment funds. The AEPD also established that linking processing of personal data with a waiver of fees could not be considered analogous to loyalty program.

The AEPD held that in this case, the two legal bases for the lawful processing of personal data (ie. consent and performance of a contract), were merged or blurred, in violation of Article 7(4) GDPR. Based on these considerations, the AEPD issued a €2,000,000 fine against Caixabank for infringing Article 6 GDPR in relation to Article 7(4) GDPR by imposing conditions based on obtaining consent for the processing of personal data, for purposes that were not necessary for the performance of a contract. It also fined Caixabank an additional €100,000 for requesting this consent through pre-ticked boxes, in violatoin of Article 6(1) GDPR.

Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

                                                                               1/117










     File No.: PS/00226/2020


               RESOLUTION OF PUNISHMENT PROCEDURE

Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following


                                  BACKGROUND

Of the actions carried out by the Spanish Data Protection Agency before
the entity, BANKIA S.A., currently CAIXABANK, S.A. (hereinafter entity
claimed), due to the analysis carried out by the Audit Unit of the

Subdirectorate General for Data Inspection and claims filed by,
D.A.A.A. (claimant 1); by D.B.B.B. (claimant 2); D. C.C.C. (claimant 3), D.
DDD (claimant 4); by Dª E.E.E. (claimant 5) by D.F.F.F. (claimant 6), and D.
GGG (claimant 7), and based on the following:

                                      ACTS


FIRST: On 02/13/19, you had a written entry to this Agency, submitted by
claimant 1 (E/03825/2019), in which he states the following: “As a client of
Bankia, from the ON account, requires me to accept all the consents for processing
processing of personal data, which appear already pre-marked or accepted. Furthermore, if

I choose not to transfer my data to third companies, for example, they impose a
rate of 5 euros per month to continue maintaining my account”.

SECOND: On 02/21/19, the Director of the Spanish Agency for the Protection of
Data, taking into account the analysis carried out by the Audit Unit of the

Subdirectorate General for Data Inspection, relating to the marketing of a
new current account (ACCOUNT ON), agrees to initiate investigation actions to
in order to prove the existence of a possible violation of the protection regulations
of data regarding the collection of the consent of the entity's clients
BANKIA, S.A.


THIRD: On 02/26/19, by the Subdirectorate General for Inspection
of Data is required to the claimed entity, so that it sends to this Agency informa-
tion about its privacy policy; documents generated and publicity made
regarding the following current accounts and cards associated with them:


       a) ON Account and ON Debit Card
       b) ON Payroll account; ON Debit Card and INE Consumer Credit Card
           Credit ON Payroll and
       c) Count One & Two.


FOURTH: On 03/19/19, Bankia sends this Agency a letter accompanied by
documentation, in response to the request referred to in the previous point.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 2/117








    1. In said writing, it is stated regarding the privacy policy
    the next:


“The Privacy Policy that is applicable to the Entity, regarding the treatment
processing of the data, is collected in the two documents that are listed below-
tion and that are provided as evidence of this first point to this writing:

- The document called "Processing of personal data" (TDP), which is generated
and signature in the registration process of each client and that contains all the required information

by the regulations in relation to the processing of data derived from the relationship
contract that exists at all times between the client and the Entity. The TDP is edited
both in the registration of clients in branches and in the registration of clients through the channels
at a distance available to the Entity (Bankia Online and App).



- Bankia's "Privacy Policy" available at ***URL.1. This page contains the
legally required information regarding the processing of personal data.
obtained through the websites and web tools owned by Bankia, not
being applicable for those collected in the contracts that the user can formalize
with the Entity, even if they are linked or related to the "channels"

Bankia's communication data", since the provisions of this document will be applicable to said data.
established in the TDP as explained in the previous point.”

    2. TDP model is attached that is generated in the remote channels and model
    of TDP that is signed in the office, (documents 1 and 2)


In the TDP document, regarding the information on the conditions for the treatment
processing of personal data are collected, under the title "personal data", data relating to
vos to customer identification, contact information, marital status, number of children, fe-
date and province of birth, nationality and professional data. In said document

The interested party is informed that the personal data requested by BANKIA will be
treated in accordance with the basic data protection information that describes
then, urging the interested party to read and understand it, before signing the
document that collects the request for consent for the treatment of
your data.


Said basic information states that the controller is BANKIA, S.A.,
briefly describe the purposes of data processing, the legitimacy
In general, for such treatments, the recipients of the information,
makes a brief reference to the rights that the interested party can exercise, and a re-
mission to additional information that you can access through a link to a page

web page

Next, the consent of the interested party is requested for different purposes,
for each one of them must be marked yes or no:


    o -In a first block, consent is requested to send communications-
        commercial transactions in the following terms:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 3/117








         In point 1.1 it refers to the sending of “personalized commercial communications”.
            completed through any channel (paper, electronic means, telematics).
            cos, digital, etc.) about products, services, promotions or discounts
            of the financial sectors (banking, investment and insurance), real estate,
            culture, travel, consumption and leisure based on your profile, drawn up from

            your personal data, the products you have contracted, as well as part-
            from the operations, movements or transactions associated with its pro-
            ducts."

             In point 1.1.1 consent is requested “for the sending of communications
                personalized commercial messages on products, services, pro-

                promotions or discounts of the referenced sectors based on their
                fil, made from your personal data and the products you have
                contracted."
             In point 1.1.2 it refers to “the sending of commercial communications
                personalized about products, services, promotions or discounts

                of the referenced sectors based on their profile, drawn up from
                operations, movements and transactions associated with its products
                cough".

             In point 1.1.3, the following options are differentiated for sending
                commercial communications to which, one by one, you can consent:

            ‐ Physical correspondence
            ‐ Electronic correspondence (email, ATMs, etc.)
            ‐ Mobile devices (instant messaging, push notifications, SMS,
                etc.)

            ‐ Telemarketing platforms
            -   Social media
            ‐ Bankia and third party websites

         Point 1.2 refers to the consent for “the consultation of your data, for

            part of Bankia in the asset and/or credit solvency files, as well as
            as other similar sources of information, with the aim of offering you
            customized financing products.”

         In point 1.3, consent is requested to participate in programs
            loyalty, raffles, contests, surveys and social action programs

            or similar actions, as well as receive news and/or communications about the
            themselves through any channel (paper, electronic media, telematics).
            cos, digital, etc.) In points 1.3.1 to 1.3.3, 3 different so-
            applications: to participate in loyalty programs, to participate in
            sweepstakes, contests and surveys and to participate in action programs
            social or similar actions


    o -In another block, consent is requested for the transfer of data to third parties.
        Point 2 requests consent for the transfer of your personal data
        for commercial purposes, based on your profile, to companies and participating companies
        das of the Bankia group or collaborators, whose composition can be consulted

        updated way in a certain link that is indicated.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 4/117








             In point 2.1, the transfer of your data to collaborators is requested.
            to carry out commercial actions that fit their needs,
            based on your personal data, the products you have contracted, as well

            as from the operations, movements or transactions associated with
            their products.

             In point 2.2, the transfer of your data to companies or individuals is requested.
            cipated by the Bankia Group to carry out commercial actions that are
            fit your needs, based on your personal data, the products

            that you have contracted, as well as from the operations, movements or
            transactions associated with its products.

        You are informed about the possibility of revoking and modifying at any time
        the consents given and oppose the treatments based on the in-

        legitimate interest and the exercise of the rights of access, rectification, deletion,
        opposition and limitation to the treatment and portability of the data.

3- The specific pre-contractual information of the “ON” account is attached; of the card
associated ON debit card, from the “ON NOMINA” account, from the “ON NOMINA” card, from the
“UN & DOS” account and associated “UN & DOS” card. (documents 8, 9, 10 and 11) In the

pre-contractual information on each of them, the product is described and the
ca that the administration and maintenance fees of the account, as well as the
associated card fees, transfers in euros, national and EU subject to
regulation 260/2012, carried out by non-face-to-face channel and check deposits in eu-
payments payable in the national market will be free as long as all holders

Lares maintain a digital profile.

The Digital Profile will be held when, among other stipulations, it is fulfilled that:

    - All holders have provided Bankia with their mobile phone number and co-

        electronic mail.

    - All holders have authorized Bankia, by subscribing the do-
        Document of Processing of Personal Data, equivalent document or con-
        corresponding treatment, the treatment of your personal data for the sending of
        commercial communications through any enabled communication channel,

        including email and mobile phone.

    - All holders have authorized Bankia, by subscribing the do-
        Document of Processing of Personal Data, equivalent document or con-
        corresponding treatment, the transfer of your personal data to companies of your

        group for the analysis of your profile for commercial purposes.”

Said pre-contractual information details the commissions applicable to the different
these accounts, being the established commissions, coincident for all the accounts,
the following:


    - Maintenance fee X EUR. Free if account holders have
        digital profile.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 5/117








    - Administration commission (per note) X,XX EUR. Free if holders of
        the account has a digital profile


With regard to the commissions of the different debit cards associated with the
aforementioned accounts, are the following, according to said pre-contracted information:
tual:

    - Registration fee XX € (free if all customers meet the digital profile).


    - For maintenance XX € (free if all customers meet the digital profile).

Likewise, the specific pre-contractual information of the ON credit card includes
indicates that it will accrue the following commissions: “XX € main card, in the event that
the holders of the associated account do not maintain the digital profile and the first holder of the

account keep the payroll or direct debit pension.”

The ON Account contract model (document 12) contains the following conditions:
commission exemptions ON Account and ON Debit cards associated with it.
me:


 “The account maintenance and administration commissions, the credit card fee,
ON Debit fees associated with it (maximum one card per holder), and the commissions
income from checks in euros payable in the domestic market and those from trans-
Conferences in euros, national and EU, subject to regulation 260/2012, made by
non-face-to-face channel and for any amount, will be exempt, and will not apply

provided that all account holders meet the following requirements:

        (…)

    - They have authorized Bankia, by signing the document of Trafficking-

        processing of personal data, equivalent document or corresponding contract
        te, the processing of your personal data for sending communications with
        commercials through any communication channel enabled, including email
        email and mobile phone, as well as the transfer of your personal data to companies
        dams of your group for the analysis of your profile commercial effects.
    - (…)


Bankia will periodically control compliance with the requirements indicated above-
mind and, in case of detecting that any of them is not fulfilled, it will be applied
automatically, both to the account and to the associated debit cards, the con-
particular standard conditions of the same collected in this contract.”


In the contract model Account ONE & TWO (document 14) there are identical conditions
tions for exemption from commissions Account UN & DOS and Debit cards ONE & DOS associated
attached to it. Likewise, in the ON PAYROLL Account Contract model, cards
Debit ON and Credit cards ON Payroll associated with it, (document 13) are

require in the same terms the requirements previously transcribed, as well as their
periodic control and the consequences of non-compliance.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 6/117








FIFTH: In addition to the initial claim, the following were filed with this Agency:
following claims:


 On 02/26/19, it had entry into this Agency in writing, presented by the
    Claimant 2 (E/03826/2019 processed under reference E/3825/2019), in the
    which exposes the following:

    “My claim is based on the violation of the right not to consent to the sending of
    commercial communications and the penalty applied for it. in entity

    Bankia bank has applied a charge for "collection of services" on the 1st of February
    I open my checking account. Telephone contact with the entity
    to see the reason for the charge, I'm told that my account type is Account
    ON and that I meet all the characteristics of the digital profile except one, that "all
    two holders have authorized Bankia, by signing the document

    Processing of Personal Data, equivalent document or corresponding contract
    tooth, the processing of your personal data for sending communications
    commercials through any enabled communication channel, including email.
    tronic and mobile phone".

    I understand that no charge can be applied to me for the exercise of said rights.

    chos, especially when the consent for the commercial use of my data must
    be expressly consented. Formulated these allegations to the Delegate of Pro-
    Protection of Bankia Data, tells me that, by not accepting to receive commercial advertising
    by all means, I do not comply with what they consider a "digital profile" and, therefore,
    Therefore, I must assume commissions and expenses that, in case of accepting to receive publicity

    commercial, I would not have.”

     With the date of entry into this Agency 02/28/19, it is presented in writing by the
    Claimant 3 (E/04093/2019, processed under reference E/3825/2019), in the
    which reveals, among other extremes, the following: “After years as a client

    bank entity mentioned, began to charge commissions from
    November 2018 in concept of "CHARGE FOR SERVICES COLLECTION". To the
    ask the entity about these concepts, its response was that, (...)- in
    in relation to the claim that you have made for the collection of commissions in your account.
    ta On, we indicate that what is generating this charge is that you have to modify
    car that SI was similar: "The clients of the ON Account must accept the reception

    advertising and the transfer of your personal data to third parties or, otherwise,
    will receive a monthly commission of five euros".

     On 04/08/19, it had entry into this Agency in writing, submitted by
    claimant 4, (E/05449/2019), stating that: “Bankia demands the complete transfer of

    full of my personal data so as not to charge me a monthly commission of 5 eu-
    ros, so the RGPD is violated. One of the conditions of your ON Account to
    not having to charge commissions is to have accepted the entirety of the consent of
    data transfer. When I was asked about that on your website, I rejected the
    sending advertising and commercial messages to my email and my phone,

    and at no time did I receive information that I would be charged commissions from
    maintenance not accept. I feel that they extort me to keep my
    data and thus be able to send spam and unwanted commercial mail to my accounts”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 7/117








     On 06/19/19, it had entry into this Agency in writing, submitted by
    claimant 5, (E/06961/2019), in which she states the following: “I opened an account
    call: "ACCOUNT ON", in which following certain guidelines on

    on the use of e-mail and mobile phones for communications and correspondence
    dence, you are exempt from paying commissions for the maintenance of the account.

    A few months ago I decided to withdraw the data processing consent to:
    1."receive personalized information about discounts, promotions, products,
    services of the financial sector or others, through any channel based on my preferences.

    personal relations"

    2. "That Bankia consult my data in the asset solvency files and/or
    credit, as well as other similar sources of information with the aim of offering-
    personalized financing products"


    3. "I agree to participate in loyalty programs, sweepstakes, contests, surveys and
    social action programs or similar actions, as well as receive news and/or co-
    communications on them through any channel (paper, electronic means)
    unique, telematic, digital, etc.)."


    And consent to data transfer: 4. "Share my personal data with so-
    investee companies and companies or collaborators of the Bankia group so that they can
    offer me your products or services"

     As a consequence of this, Bankia has begun to charge me for collection

    of account maintenance services of 5 euros per month”.

     On 08/07/19, it had entry into this Agency in writing, submitted by
    claimant 6 (E/07830/2019), in which it states that: “Bankia has changed the
    conditions of the checking account I have with them. They force me to accept

    I can advertise for them and their partners if they don't charge me 5 euros a month for maintenance.
    niment

SIXTH: Dated 05/09/19, 06/26/2019, 07/16/2019 and 08/14/2019, in view of the
facts set forth in the claims and documents provided by the claimants,
the Subdirectorate General for Data Inspection proceeded, in accordance with the

seen in article 65.4 of Organic Law 3/2018, of December 5, on Protection
of Personal Data and guarantee of digital rights, to give transfer of the claims
information received from the Data Protection delegate of the claimed entity, the
effects provided for in article 37 of the aforementioned regulation.


SEVENTH: On 06/11/19, the entity claimed, files a written answer-
tion to the transfer of the first, second and third claims, in which it is indicated
what is transcribed below regarding the claims filed, on
the causes that have motivated the incidents and the measures adopted and information
About the clients who have contracted the ON accounts:


Regarding the claimant 1.-



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 8/117








After analyzing the products associated with claimant 1, it has been verified that the claimant
mante is currently an ON account holder. In relation to said client,
It is clear that you have exercised any right before the Entity in relation to

with your data, nor that the consents that were provided have been modified
dated January 19, 2018, regarding the processing of your data for sending
commercial communications not consenting to the possibility of transferring the data to
Bankia Group companies.

Attached is the contract formalized by the in which the consents provided are recorded.

two in the indicated direction. Likewise, it has been verified that there is no claim
any initiated against Bankia by this client or through its management office.
ra, nor before the Customer Service (“SAC”), nor before the Office of the Delegate
Data Protection (“DPO Office”). Consequently, we have no evidence of
that no incident has been generated with this client, associated with their ON account.


Regarding the claimant 2.-

In relation to (complainant 2), it has been verified in the same way that said client
You have been the holder of an On account, although it is currently cancelled.
lada.


Regarding the consents given, it must be indicated that as stated in
our database the processing of your data for commercial purposes was not
initially consented in October 2017, and later this non-consent was maintained.
sentiment through the signing of the corresponding TDP dated August 18,

2018 through Bankia Online (BOL); all this according to documents nº2 and nº3 that
accompany.

Regarding the claims presented by this client, he addressed both
to protecciondedatos@bankia.com, email address that appears in the contracts and

in which the interested parties can exercise their rights in relation to their data,
and to the Office of the Data Protection Officer on February 6 and 7,
2019 respectively, requesting in both cases the retrocession of the charges for
collections of commissions that had been made in your ON account on February 1,
ro of 2019.


The answer to his claim was made from the office of the Protection Delegate.
tion of Data, dated February 22, 2019, informing you that the collection of the charges
missions was due to the fact that, as established in his contract, at the date of commission
of the same, the requirements of the profile were not being fulfilled by the holders
therefore, in that period it was not appropriate to apply the bonus of certain

commissions of the ON account contractually foreseen, among others the commission of
maintenance and management of the account and the associated ON debit card fee
attached to it.

In this sense, the client was offered the possibility of canceling said product and

take another of those that Bankia has available in its catalog and in those that do not apply the
conditions of the digital profile.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 9/117








Attached as documents No. 4 and No. 5 are the emails sent by the claimant and the
replies to them sent from the Office of the DPD.


Subsequently, on May 22, 2019, the claimant proceeded to cancel
tion of the ON account in his office, and filed a claim with the SAC reiterating
the retrocession request of the commissions generated and showing their disagreement.
with the conditions of the aforementioned digital profile. As a result of said claim, with
Date May 24, 2019 Bankia proceeded to pay the amounts claimed.
Attached as documents No. 6 and No. 7 claim received at the SAC and answer-

tion to said claim sent to (claimant 2).

Regarding the claimant 3.-

It has been verified that you have contracted an ON account and you have submitted several claims.

tions in relation to it, as detailed below.

Regarding the consents given, it should be noted that as stated in
our database the processing of data for commercial purposes is found
lent in November 2018, partially modifying these consents
through the signing of the corresponding document "Modification of Treatment

Authorizations” (“MTA”) on both February 23, 2019 and February 28, 2019;
all this according to documents nº8, nº9 and nº10 attached.

Regarding the claims presented by this client, two complaints have been located.
claims filed with the SAC in the months of November and December

2018, claiming the collection of commissions in the ON account for the respective months.
As a result of this claim, said commissions were regularized, being
the cause that gave rise to the regularization applied by the SAC the fact of not having
located the contract signed with the client. Attached as documents No. 11,
No. 12, No. 13 and No. 14 complaints received at the SAC and their response



Regarding the incidents and the measures adopted:

The requirement itself transfers the facts that motivate the claims of the
clients, which in extract are the following: “Obligation to accept as clients of the

"Account ON" consent to the processing of your personal data, which appears
as pre-marked or accepted and specifically, "the reception of advertising and the transfer
of your personal data to third parties” to avoid charging commissions for the maintenance
lie of said account.”


Based on what was transferred and once said extract was analyzed, as well as the func-
maintenance of the ON account in all its modalities and the process of collecting
feelings, the following conclusions have been reached:



    - There is no obligation to accept any consent on the treatment of
        personal data in the process of contracting the ON account, having
        proven that any client can hire it without the provision of
        that consent prevents their hiring.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 10/117









    - Something different is that the client complies with the conditions of the so-called
       "digital profile", which may mean that in certain products the Entity
       can apply a payment exemption, that is, an exclusion from the payment of
       finished commissions of the contracted products that have this type of

       profile and as long as the client maintains the same, as already explained. It
       which is justified based on the digital profile of the relationship between the client
       and the Entity, and the advantage of making it more efficient by using
       tion of digital media in commercial communications.

    - The process of managing consents by customers, which allows

       not only lend them freely and through any of the Entity's channels.
       but also modify them at any time and as many times as the
       client wants in an agile and simple way, guarantees that said consent is
       lend freely.


Indicates that it has been sent on June 11, 2019, communication to
customers about this request for information in relation to claims
We are transferred. A copy of these is attached as documents nº17, nº18 and nº19.

Information about clients who have contracted the ON accounts:


Bankia is requested by this Agency to provide the following information: Number of
customers who have contracted with Bankia S.A. the accounts “Account On”, “Account On Nó-
mine” and “Account One&Dos”, indicating the number of clients of each account and
customers who accepted "the receipt of advertising and the transfer of their personal data
nals to third parties” and those who do not.


             As of May 31, 2019: Product ON Total Clients
                                               ON Payroll Account 27,700
                                                  Count One & Two 1,178
                                                       Account ON 1,168,122

Regarding the consent given by the holders of the On informative accounts,

given, the status of said consents as of May 31 is also provided
of 2019:

    account Number of clients Advertising Cession of Advertising Cession of

                                   (YES) Data (YES) (NO) Data (NO)
 ON Payroll 27700 26896 26896 804 804
 One & Two 1178 1134 1119 44 59
 ON 1168122 937942 924662 23180 243460



EIGHTH: On 07/25/19, 08/06/2019 and 09/12/2019, the entity claimed, pre-
files written responses to the transfers of claims, fourth, fifth and
sixth, respectively. In these writings the following is stated:


Regarding claimant 4

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 11/117








“The claim is based on its non-compliance with the requirements for the
fulfillment of the digital profile in relation to the ON Account.


The complainant alleges that Bankia requires him to comply, among other requirements, with the assignment
full of your personal data to be entitled to the commission bonus
monthly fee of 5 euros contractually agreed.

After receiving the aforementioned request, from the Office of the Protection Delegate
Data collection, we proceeded to verify whether prior to addressing the AEPD, the claim

mantemente has initiated any claim for this fact before the Entity, either through
your management office or by contacting the Data Protection and Privacy Delegate
or to Customer Service. Once said verification has been carried out, there are no claims
any claim initiated against Bankia by this client.


As recorded in the Bankia systems, on July 20, 2018 (claims
mante) granted their consent through Bankia Online by signing the document
“Processing of Personal Data” (hereinafter, “TDP”). Copy of said document
is attached as document No. 1.

These consents were partially modified, dated April 8, 2019,

by the claimant through the same channel, proceeding in this case to the signature of the
document “Modification of Treatment Authorizations” (hereinafter, “MTA”). It ad-
Board a copy of said document as document No. 2, in which they are granted
positively all the consents and thus continue to the date of issuance of the pre-
feel report.


Regarding the claimant's assertion regarding the requirement of complete assignment of
personal data for the exemption from the collection of the maintenance commission, there is
to indicate that it has been verified that the fact that Bankia is consented or not
processes your data for certain commercial purposes has not conditioned, in any

In any case, contracting the ON Account or any other product of the Entity
by the claimant.

Another thing is that it meets the conditions of the so-called "digital profile", which
which means that Bankia can apply an exemption from payment of commissions, that is to say
an exclusion from the payment of certain commissions for those clients who have

that type of profile and as long as it stays the same.


Regarding claimant 5


 “According to the Bankia systems, on June 16, 2015 the claim-
gave you their consent in a positive sense in an office of the Entity, for which
which signed the document "Personal Data Processing" ("TDP"). A copy is attached
of said TDP as document nº1.


These consents were modified by the claimant on January 22,
2019, through Bankia Online (BOL) by signing a new TDP document
in which all the consents were negatively granted. Attached
copy of said TDP as document nº2.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 12/117









Subsequently, these consents have been modified again and in a
part by the claimant on June 19 (twice at 6:33 p.m. and 7:13 p.m.),

June 30 and July 11, 2019 through Bankia Online, proceeding to the signing of
the corresponding documents of "Modification of Treatment Authorizations"
(“MTA”). A copy of the corresponding MTA is attached as documents nº 3, 4, 5 and
6.

Regarding the alleged violation of the right of opposition of the claimant to receive

bir personalized information on discounts, promotions and financial products,
as well as the transfer of your personal data to group companies or collaborators,
It should be noted that the fact that the claimant has consented or not to both treatments
tions has not conditioned, in any case, the contracting process of the Account
On or the exercise of their rights as an interested party.


Bankia has fully complied with its right to object, insofar as it has
been able to modify and can do so again through any of the channels of the entity.
ity, their consents (in the case of the claimant, on up to five occasions).

A different thing is that the claimant complies with the conditions of the so-called "profile

digital”, which means that Bankia can apply an exemption from payment of commissions,
that is, an exclusion from the payment of certain contractually agreed commissions.
mind for those customers who meet that type of profile and for as long as they are
keep the same.


Regarding claimant 6:

“The claimant contracted an On Account and on that same date, positively granted
their consents by signing the corresponding document "Treatment of
Personal Data” (hereinafter, “TDP”). A copy of the Account contract is attached

On as document no. 1 and a copy of the formalized TDP as document no. 2.

These consents were subsequently updated and revoked by the claimant.
dated May 25, 2019, through Bankia Online, by signing
a new TPD. A copy of said TDP is attached as document no. 3. Later,
the claimant partially modified his consents on July 3 and 8,

2019, proceeding in these cases to the signing of the document "Modification of Treatment-
Authorizations” (hereinafter, “MTA”). A copy of both documents is attached.
as document nº4 and document nº5 respectively.

Likewise, said brief concludes that “The conditions that the claimant must meet-

you as the holder of an On Account to have a digital profile are those that appear in the
contract signed by the claimant on November 21, 2016, without having been
modified by Bankia at any time contrary to what is stated in the claim.
mation.


Likewise, there is no obligation to accept any consent on the treatment
of personal data in the process of contracting the On Account.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 13/117








A different thing is that the client complies with the conditions of the so-called “digital profile”.
such”, which may mean that in certain products the Entity may apply
a payment exemption, that is, an exclusion from the payment of certain commissions

of the contracted products that have this type of profile and provided that the client
keep the same, as already exposed. What is justified on the basis of one's own
digital profile of the relationship between the client and the Entity, and the advantage of making
aware of it through the use of digital media in commercial communications.
mercials.


And in this sense, the claimant has been answered, providing a copy of said communication.
nification as document no. 6”.

-The 3 briefs substantially reiterate the conclusions set forth in the brief of
06/11/19, and which are reflected in the previous point in the section “on the incidents and

measures taken"


NINTH: All claims to file E/02026/2019 are accumulated.

TENTH: Dated 12/12/2109, under the investigative powers granted

to the control authorities in article 57.1 of the RGPD, an inspection visit is carried out
in the Bankia establishment, in which, as stated in the corresponding minutes,
tooth, the representatives of said entity state, to questions from the inspectors
yes, the following:


     Regarding the so-called digital profile

As indicated, by maintaining the digital profile, the customer of ON products from
BANKIA benefits from a series of commission bonuses.


As stated in the specific informative documents (IPE – Contrac-
Current Specific) of the ON products, such as the ON ACCOUNT and CARD
DEBIT ON, the digital profile is held when:

- “All operations carried out with the account and the card are carried out through
of the remote channels available to Bankia at any given time (Bankia Online).

ne, APP Bankia, Telephone Office, ATMs, …).
- All holders have registered the Bankia Correspondence Service
Online, not receiving communications from Bankia on paper.
- All cardholders have provided Bankia with their mobile phone number and email
electronic.

- They have accepted and activated the PUSH messaging service through the App
Bankia.”

The fourth condition to hold the digital profile, related to the messaging service
PUSH, has been added since 12/15/2019 for new pro-professional hires.

ducts ON, while the following conditions are eliminated:

- “All holders have authorized Bankia, by signing the document
Personal Data Processing Agreement, equivalent document or corresponding contract

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 14/117








client, the processing of their personal data for sending communications with
commercials by any communication channel enabled, including email
and mobile phone.


- All holders have authorized Bankia, by signing the document
Personal Data Processing Agreement, equivalent document or corresponding contract
tooth, the transfer of your personal data to companies in your group for the analysis of
your profile for commercial purposes.”


For customers who already had an ON product, the new conditions applied
will start on February 16, that is, after two months have elapsed since they were
communicates this contractual modification, having sent the communications last
su December 15.


Indicates that the two indicated conditions have been eliminated in new hires.
and although they would be contractually provided for pre-existing customers until
that the mentioned modifications communicated are effective on February 16,
BANKIA does not take these two conditions into account in order to discount or not the meals
sessions since last October 16.


     Regarding consent

BANKIA, for those treatments whose legal basis is consent, has
of a system that allows the collection, modification and management of these consents.
as well as the traceability of the modifications made, called Module

General of Consents.

This Module also registers the exercises of rights of the clients and allows to take
its centralized management.


The list of consents is structured in three main blocks with the following:
You have associated purposes:

    - Sending commercial communications
    - Participation in loyalty programs, raffles, social action and other si-
        thousands.

    - Transfer of data to third parties.

The consents thus constitute a numbered multilevel list in such a way that the
more general consents are at a higher numbering level and
specific ones at a lower level. In this way, consent is granted or not.

in a general way, for example, to send commercial communications, and in a
specific to each channel through which communications can be received.

The consents are recorded in a document called Treatments
of Personal Data (TDP) that includes customer data protection information.

This document is always signed by the client during the registration process, prior to
contracting any product, both through online banking (with signature code) or
in person at the office, on a Tablet that is provided (digital tablet that


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 15/117








It is also used to collect the signing of contracts and transaction operations.
tions executed by any client).
When the consents are modified, they are recorded in a document

similarly called Modification Treatment Authorizations (MTA). This document
It is also signed by the client.

BANKIA reformed and updated the list of consents on the occasion of the entry into
force of the RGPD in May 2018 and sent a communication to all clients in-
forming the entry into force of the new Regulation, initiating a new process of

consent collection.

When the new list of consents was put into operation due to an in-
incident in the online channel that required adaptations to the systems (affected
only to ON account customers contracted through the online channel) between July 8 and

On August 15, 2018, the consents were shown pre-marked, in a state of
acceptance (“consent”), for new customers. That is, when a new customer
was registered through the online channel, the consents were pre-marked
during the registration process, not occurring in office registrations.

Also, for pre-existing clients, during this period, new consents

ments (which did not exist previously about which therefore the client had not been
expressed) were marked with acceptance status, but the pre-existing consents
on which they had already expressed their authorization or refusal,
contraban in the state that the client had decided.


It must be taken into account that, as a result of the integration of 7 Savings Banks in favor of
BANKIA in 2011, and the merger of Bankia with BMN in 2017 (BMN in turn became
formed with 4 savings banks) was based on consent obtained from different
forms for each group of clients of each one of the eleven integrated boxes, with
a total of about eight million customers, so we started from a situation

plex.

By unifying the consents and creating a single, common list for all
BANKIA customers, regardless of their Savings Bank of origin, remained
situations in which some clients originating from some Savings Banks could have
consents already authorized or denied, and others not. All this was taken into account

to the
premark the consents, not overwriting the state in those in which the
client had already expressed.

As of August 16, 2018, pre-marked consents in a state of

acceptance or "consent" (green color in the application) are shown to "not consent"
sorry” (red color), and finally passed to the status of “not collected” (gray color) on fe-
bre of 2019.

Statistics: The consents of some 5,842,000 clients of the

8,281,000 that the entity has at the moment. Customers missing by answering
tar constitute 29%, correspond to inactive clients, and their consents
ments are unmarked. However, for any treatment these con-
Feelings are considered to be in the "no" state to prevent their use.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 16/117









Of those who have answered, 89% have accepted all the consents, 7.5%
They answered partially accepting, and 3.2% answered all "I do not agree".

I feel".

The number of customers who passed the registration process in the period between
on 07/08/2018 and 08/15/2018 (ON products through the online channel), are a total of
2,562 (of which 2,192 are still active and 270 have been cancelled). of the clients who
are still active 38 have subsequently modified consents.


For all these reasons, there are 2,154 active clients who provided pre-married consent.
and have not subsequently modified them, accounting for 0.16% of the total con-
sentiments provided by online banking and 0.03% of the total number of consents
Data from the total number of clients that appear in the BANKIA database.


Highlight that customers can modify their consents online at any
moment, as many times as they wish to modify them and through any of the channels
enabled (BANKIA Online, BANKIA App or branch) regardless of the channel through which
that they have borrowed.


Currently, and since before 05/25/2018, when a new client registers
at BANKIA, both online and at the branch, you must fill out the consents generated
using the aforementioned document called Personal Data Processing
(TDP), who signs. It is not possible to continue registering the client without signing said document.
ment. The consents are unmarked (in gray), having to mark

the client his decision to consent or not.

All BANKIA employees can check customer consent
on-line, as well as the changes that the clients have made and the documents of con-
signed sentiments.


There is also traceability of the consents prior to the RGPD.

Agency inspectors request access to the Consent Management Module.
ments by performing the following checks:


- It is accessed by means of a BANKIA employee user code and password to the
data of the consents provided by one of the people present in the room,
client of the entity, verifying that the Transcript document has been signed.
Processing of Personal Data (TPD) dated May 21, 2018. It is also accessed
also to the modifications made later on the consents (documents

MTA ments) as well as the current status of consents.

     Regarding data transfers

Although the consent of customers has been requested, BANKIA has not transferred its data

personal rights neither to the companies of the group nor to other collaborating entities taking
Based on these general consents of the TDP, there is no provision for it.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 17/117








The consents for assignments were requested as a general measure. In case of rea-
If an assignment were to be made, specific consent would again be requested from the clients involved.
profited. Attached to the inspection record is a copy of the specific consent regarding

tendered for the UNI&DOS account for the entity ***ENTIDAD.1 (for the preparation of
wedding list).

This specific consent does not constitute a legal necessity since it is counted
with the general consent obtained. However, BANKIA has considered recasting
bar a specific consent for ethical commitment with its clients.


In addition, in the event of a transfer in the future, the project would become informative.
commissioned by the Office of the DPO, which would study and apply both the compliance criteria
normative as well as ethical, taking the appropriate measures to the specific case
to be raised.


There is no link or published document that contains the list of companies co-
companies since there is none to which data is transferred based on consent.
General information collected through the TDP.

The assignments that are made are carried out by means of ad hoc consent of the

clients involved.

ELEVENTH: On February 21, 2020, the declaration of the
file of the previous actions E/2026/2019, because the period of 12
months from the beginning of these, in accordance with the provisions of article 67 of the Law

Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights. Likewise, under the provisions of article 95.3 of the Law
Law 39/2015, of October 1, of the Common Administrative Procedure of the
Public Administrations order the opening of new actions of
investigation, incorporating to these new actions the documentation that integrates

previous actions that are declared expired.

TWELFTH: Within the framework of the new previous actions E/01904/2020,
On 03/12/2020, a request for information was issued to BANKIA, SA (in
hereinafter BANKIA) requesting information regarding customers who passed the
process of registering ON products through the online channel in the period covered

between 07/08/2018 and 08/15/2018 (the 2,562 clients who found the consents
pre-marked facilities, according to the information contained in the report of inspection of
reference E/2026/2019/I-01). Information is also requested in relation to all
customers of ON products and on the total annual global turnover of
BANKIA.S.A.


THIRTEENTH: On March 26, 2020, you have an entry in this Agency
request for an extension of the term to respond to the request. Granted the
The same response is received dated June 18, 2020, in which it is indicated that at
period of extension of the term to answer, the suspension of deadlines must be added

provided for in the Third Additional Provision of Royal Decree 463/2020 of March 14-
zo. Regarding the requested information, it states the following:



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 18/117








“1 Regarding the customers who went through the process of registering ON products through
of online channel in the period between 07/08/2018 and 08/15/2018 (the
2,562 clients who found the pre-marked consents, according to the information

tion that appears in the reference inspection report E/2026/2019/I-01):

 Number of these people who have not modified their consent or have caused
do leave the entity until the date of the response to the request. Of the 2,562
customers who registered an On account through Bankia Online in the indicated period
As of June 9, 2020, a total of

2,171 clients. The remaining 391 clients have ceased to have active positions with
Bankia, and therefore they are no longer clients of the entity. Likewise, of these 2,171 clients,
1,359 clients have modified their consents at least once with post-date
prior to 08/15/2018 and the remaining 812 clients have not modified it on any occasion
since they were lent at the time of registration of the On account.


These 812 customers represent 0.06% of the total number of On account holders and the
0.009% of all Bankia customers. These are clients with whom an attempt has been made
unsuccessfully contacted by their managers, and that there is no evidence that they have had
reactions in recent months with the entity through any of the channels, since
have interacted either in person at your office or through channels not

face-to-face (even in consultation mode), the consents would have been obtained again.
ments as explained later.

In fact, these are On accounts with no movement or significant activity in
the last few months or, in many cases, with negative balances to be regularized, having

contact with the holders has been attempted on several occasions without success.
guido.

Notwithstanding the foregoing, all of them (as well as the rest of Bankia's customers) are
communicated to them in December 2019, informing them of the modification of

the conditions for the fulfillment of the digital profile by which as of February
2020 ceased to be a condition to meet said profile, and therefore to benefit
of the exemption of commissions, those related to having authorized Bankia, through the
subscription of the Personal Data Processing document, document equivalent to
lens or corresponding contract, the processing of your personal data for sending
of commercial communications through any enabled communication channel, including

two email and mobile phone and have authorized Bankia, through the sub-
Cryptation of the Personal Data Processing document, equivalent document or
corresponding contract, the transfer of your personal data to companies in your group
for the analysis of your profile for commercial purposes.


Notwithstanding the foregoing, due to a commercial decision of the Entity that anticipated the
change in Bankia's commercial positioning policy that was communicated to the
customers in December 2019, as of September 16, 2019 it was not considered
the authorization for the transfer of data to group companies as a necessary requirement
to comply with the digital profile for the purposes of the exemption or collection of commissions.”


"two. Of these clients, how many have been the object of advertising campaigns by
BANKIA from 08/15/2018 to date. Dates of advertising campaigns
issued. The 812 clients who have not modified their consents or caused

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 19/117








leave the entity, have been the object of some commercial action through electronic mail.
tronic or SMS. These actions have been developed in the period between
August 2018 (registration date) and April 2020 (in May the contact process began).

new collection of consents from these clients, which is explained in the following
section, marking their consent as denied until it is collected.
sen again).

3. Information on whether BANKIA has carried out or is going to carry out any action with said
group to obtain their consents without pre-selected options. the management of

consents regarding personal data by customers
can be done at any time and as many times as you want, well presented
especially at any Bankia branch or through any of the channels
non-face-to-face sessions available to the Entity (Bankia Online or App Bankia). Once
provided and regardless of the channel through which they have been provided, the client

You can modify said consents again whenever you wish by anyone.
of the available channels. As for the concrete actions carried out with the co-
school of clients who provided consent with a pre-selected option through
of Bankia Online and in the indicated period (between 07/08/2019 and 08/15/2019),
have adopted the following:


  The consents have been requested again from the clients who did not
have modified, taking advantage of the first interaction with the entity by any of
the enabled channels (branch, Bankia Online or Bankia App). This obtaining of
new consents, from a neutral position to the option of acceptance or not
acceptance that in each case is chosen by the interested party for each of

the requested consents, has been configured as a necessary step to be able to
continue the operation through any of the channels.

 Those clients who have not passed this process have been considered as
customers who have not given their consent to the entity regardless of the

meaning of the consents they provided in the registration process of the On account, and
have been marked in systems as having denied all consents.

 All On account holders were informed, in December 2019, of the change
of conditions of the digital profile, and the elimination of the requirements of having authorized
the sending of commercial communications and the transfer of data for the purposes of collection or

fee waiver.

  Contact has been made by telephone (through the corresponding managers) with
customers who have not modified consents; in the case of the 812 clients
who have not yet gone through the process, although several attempts have been made to contact them.

Several times, the result has been unsuccessful.

  The process of canceling those inactive accounts without activity has begun.
given in recent months.


 4. Total number of customers with ON products as of the date of this request. TO
date June 9, 2020, they are holders/co-holders in Bankia of an On account a total
of 1,256,352 clients (653,463 accounts).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 20/117








POINT 5. Estimate of the total commissions charged during the year 2019 to these
customers both for monthly fees and for commissions for notes or individual operations.
viduals, by not complying or failing to comply with the conditions of the digital profile.


 The total amount of commissions charged during 2019 to holders of On accounts that
have not met any of the conditions of the digital profile has been €2,367,954.32
according to the following breakdown:

Administration fee: €27,074.59.

 Maintenance / Inactivity: €297,633.91.
Maintenance commission: €2,043,245.91.
Total: €2,367,954.32.

Of the total commissions collected during 2019 for not meeting any of the requirements

of the digital profile, which accrue monthly if these requirements have not been met
During the previous month, commission has only been accrued in the case of 2 clients.
of the 812 reported in point 1 and in a single month, the global annual amount being
bal charged for this concept to each of the two clients of five (5) euros. There are
It should be noted that the collection could have been due to non-compliance, in the period
monthly settlement, of any of the conditions of the digital profile, sufficing

that one of them is breached so that the exemption from the commissions does not proceed, for
example, use the physical office channel, request to receive communications on paper,
etc.…

 6. Estimate of bonus commissions during the year 2019 (not collected, or de-

left to charge, for the fulfillment of digital profiles) of these clients. the amount
total bonus commissions (not collected) in 2019 to holders of On ha accounts
been €32,110,990 according to the following breakdown:
Accounts opened before 2019: €22,101,900.
Accounts opened in 2019: €10,009,090.

Total: €32,110,990.

7. Average annual or monthly income declared by the clients of the pro-
ducts ON. Compliance with the conditions of the digital profile that gives rise to the
On accounts to the application of the commission exemption, it is not linked to the need
to have a certain amount of annual or monthly income. Therefore

Next, On account holders do not have to declare certain income
to open the account or to fulfill the conditions of the digital profile.

8. Information on BANKIA's total global annual turnover for the year
financial year 2019. For these purposes, the information contained in the Annual Report is provided

results 2019, published on the Entity's website, according to which the net margin
before provisions of 1,428 million euros.


FOURTEENTH: Dated 12/14/2020, entered this Agency

brief, submitted by claimant 7 (E/00869/2021), in which he states that it is
holder of an On account and that, from the opening date of said account, it has been
been charging a monthly maintenance fee of 5 euros (from
August to December 2019). It states that consultation with the entity

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 21/117








claimed on November 7, was answered that the commission was charged for not
comply with the digital profile.


 The AEPD proceeded to transfer the claim received to the Protection delegate
Data of the claimed entity, in accordance with the provisions of article 65.4
of Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights.

On 03/04/2021, a response was received from the entity claimed, contributing between

other documents the contract of the interested party in which it is stated that he had not given his
consent to the conditions required for the exemption from commissions, and a
letter from said entity to the interested party in which it is communicated that "as stated
in your contract, the bonus of certain commissions of the ON Account, among
others, the maintenance and administration commission, is subject to the fact that all holders

res maintain a digital profile.

However, if any of the conditions of said profile are not met, your
ON Account remains fully operational and you can continue to enjoy all the
services associated with it, with the economic conditions and commissions and expenses
applicable under the contract.


Also, inform you that as was informed by the Customer Service
in the letter that was sent to him on January 8, 2020, in order to strengthen his
relationship with the Entity, despite not complying with the conditions of the digital profile, Bankia
has proceeded to pay the amounts collected for this reason.”


FIFTEENTH: The BANKIA website is accessed, where you can read what
following:

“The user of this website is informed that the merger by absorption has taken place

of Bankia, S.A. by CaixaBank, S.A., the second entity succeeding the first,
universal form in all rights and obligations. According to the above, it
has modified the ownership of this website, as well as the addresses for sending
complaints and claims and the exercise of data protection rights.
For more information, click here."


The Mercantile Registry is accessed, appearing among the data related to the entity
BANKIA, S.A, the following observation “Extinction”. It is also stated that “on 18
September 2020, on the corporate website of BANKIA, S.A.
www.bankia.com has been included in the common merger project between the companies
CaixaBank, S.A. -absorbing- and BANKIA, S.A.-absorbed-.”


SIXTEENTH: On May 7, 2021, the Director of the Spanish Agency
of Data Protection agreed to initiate a sanctioning procedure against the entity BANKIA,
S.A., currently CAIXABANK, S.A., in accordance with the provisions of article
58.2 of Regulation (EU) 2016/679, of the European Parliament and of the Council, of

04/27/2016, regarding the Protection of Natural Persons with regard to the
Treatment of Personal Data and the Free Circulation of these Data (Regulation
General Data Protection, hereinafter RGPD), for the alleged infringement of the
article 7 of the RGPD, typified in article 83.5.a) of the aforementioned Regulation; and for the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 22/117








alleged infringement of article 6 of the RGPD, typified in article 83.5.a) of the aforementioned
Regulation, determining that the sanction that could correspond would amount to one
total of 2,100,000 euros without prejudice to what resulted from the investigation.


The initiation agreement is notified to the respondent by electronic means on the 7th of
May 2021. The notification is accepted by the addressee on May 10, 2021.

SEVENTEENTH: Dated May 18, 2021, it has an entry in this Agency
letter from the data protection delegate of CAIXABANK, S.A. in which he states

act in the name and on behalf of the same by virtue of its capacity as delegate
of data protection, requesting extension of the term to formulate allegations to the
agreement to initiate the sanctioning procedure and delivery of a copy of the procedure
administrative. On May 24, 2021, accreditation from the
representation held within 3 days from receipt of said

request. Dated May 26, 2021, you have entry in this Agency written
accompanied by a notarized power of attorney accrediting said representation.

On May 26, 2021, it was agreed to extend the deadline for allegations until
legal maximum allowed and a copy of the administrative file is sent to CAIXABANK,
S.A. The notification of the brief and the delivery of the copy of the file were carried out

carried out by postal courier as long as the volume of the file did not allow
delivery by electronic means. The documents were received by said
entity on May 26, 2021. Work in the supporting procedure of the
courier company that proves receipt of the documentation on that date.


EIGHTEENTH: On May 31, 2021, CAIXABANK, S.A. filed a written
of allegations in which he requests that a resolution be issued declaring the nullity of
full right of the procedure for the reasons that it exposes in its allegations
first and second or, failing that, agree to file it or, failing that, the imposition
of a warning or reprimand or a significant reduction in the amount

established in the startup agreement.

The aforementioned entity bases its requests on the allegations that, in summary, are
set forth below:

First.- Of the helplessness caused to CAIXABANK as a consequence of the fixation

of the amount of the penalty in the initiation agreement.

Setting the amount of the penalty in the agreement to initiate the procedure, which is
justifies in the Basis of Law IV, produces helplessness to the interested party that vitiates
of nullity the same. It understands that determining in said act the sanctioning reproach,

evaluating even the mitigating and aggravating concurrent without motivating them
minimally, about which he has not had occasion to express himself, affects the
application of the fundamental principles of criminal law, applicable with certain
clarifications to the sanctioning administrative procedure, as has been
consistent jurisprudence manifest.


Considers that the initiation agreement exceeds the content legally provided, for
how much it should only incorporate the limits of the possible sanction that could
be imposed, and not determine a specific amount that implies the summary assessment

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 23/117








of the concurrent circumstances. The agreement dictated goes beyond what was admitted in the
Article 68.1 of Organic Law 3/2018, of December 5, on Data Protection
Personal and Guarantee of Digital Rights (hereinafter LOPDGDD).

This advance and unmotivated assessment of the responsibility of

CAIXABANK, even indicating mitigating and aggravating circumstances, even if it is for their mere
mention, and even when it is intended to leave aside what is finally appropriate based on
of the investigation, in the opinion of that entity, an unprecedented part is carried out, without any allegation
of the accused that would allow the sanctioning body to assess the circumstances
assessed in light of said allegations, leaving the party defenseless.


It also produces defenselessness the fact that the amount comes from the mere
enumeration of circumstances, without stating how they affect the
responsibility.

The fact that the Sanctioning Body establishes in the Start Agreement the amount

of the sanction that, in his opinion, should be imposed on CAIXABANK affects the
impartiality of the investigating body designated in the same agreement to initiate
procedure, which knows before starting the procedure the criterion of the organ to
which will finally raise the file, on which it depends hierarchically. This supposes
a breach of the principle of separation between the instruction phase and the sanction phase (article
63.1 of Law 39/2015, of October 1, of the Common Administrative Procedure of

Public Administrations -hereinafter LPACAP), depriving the instructor of a
objective knowledge of the facts and the possibility of making an assessment of
the circumstances arising from the instruction.

It alleges that article 64 of the LPACAP, invoked in the Initiation Agreement, does not imply
an important innovation of the legal system regarding the sanctioning regime

previously in force, all the regulations governing the procedure
administrative since the original Law of 1975 have imposed whenever it is determined
the amount of the sanction that could proceed. It understands that the mere entry into force
of a provision that does not affect the regime previously in force can enable the
sanctioning body in a procedure to be assessed, a priori, and without having processed the
procedure, mitigating and aggravating circumstances in their conduct,

expressly establishing without any instruction the amount of a penalty and
influencing the decision of the examining body.

Likewise, article 85.1 of the LPACAP does not require this prior determination of the
amount, since it does not refer to a pre-established sanction, but to the imposition of
the appropriate sanction. This rule, applicable "beginning of the procedure", provides that the

acknowledgment of responsibility may determine the imposition of the sanction “that
appropriate”, so that this fixation seems to be foreseen after the actual
acknowledgment of responsibility.

In addition, in section 3, the same article provides that the reductions must

adopted on the "proposed" sanction, which requires that it has actually been
determined in the procedure what that amount is, which leads to the conclusion
that the resolution proposal will be the ideal moment for determining
of the aforementioned amount, given that only then will the defendant already have been able to be heard and
his arguments taken into consideration in the motion for a resolution, which also

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 24/117








will have been able to be freely adopted by the competent body for the investigation without
any influence of the sanctioning body on the investigative action.


Second.- Of the helplessness caused to CAIXABANK in the processing of this
process.

It alleges, first of all, that the file has only been transferred to
CAIXABANK on May 27, 2021, when there were only two days left
skillful for the formulation of allegations, without even agreeing on the aforementioned

date the extension of the term for its formulation by five days from the
receipt of the file, given that on the same date it was clarified that the deadline for
requested extension began to be computed on May 24, that is, 3 days
prior to receipt of the file. Considers that in practice, the issuance of
allegations has been reduced to a period of two business days, which generates a

completely helpless situation.

Secondly, it points out that apart from the transfers of the different
claims and the action of the AEPD has been limited to an initial request for
information, an inspection visit nine months after the start of the
investigative actions and the realization of a request for information

when those had already expired and had not been "replaced by others", no
agreeing to open the procedure until almost eleven months have elapsed since
response to that request.

It understands that given the sequence of events that emerges from the agreement of

beginning, the AEPD had decided to admit for processing the first of the claims in
date February 21, 2019, given that it agreed to initiate the
preliminary investigative actions. So consider that even though with the seven
claims made against your entity indicate that they were based
in the provisions of article 65.4 of the LOPDGDD, such legal basis lacks reality

of the content of said norm, since it is applied only in the
assumptions in which the transfer is carried out in order to decide on the admission to
procedure and always with the aim of determining what will be the decision on this
issue has to be taken. However, the AEPD had decided to investigate the
facts on which the complaints were based by initiating
investigative actions on February 21, 2019.


What has just been indicated, together with the completely identical nature of the
claims made, it does nothing but highlight the manifest inactivity
incurred by the AEPD throughout the processing of this procedure, in
prejudice to the rights and guarantees of CAIXABANK, being that, in addition,

the AEPD has agreed to prolong in a completely artificial way the duration of
such actions to the point of doubling their duration compared to the legally
established in article 67 of the LOPDGDD on the sole basis of the declaration of
expiration of said actions to proceed with the opening on the same date of
other different ones about identical facts and alleged infractions of the regulations of

personal data protection.

It understands that against this it cannot be argued that during those more than nine months
carried out successive transfers of information to their entity, and the AEPD must be

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 25/117








the response given to them by the former, given that, as has already been
indicated, the purpose of the transfers is to decide on the admission for processing of the
claims, being so in this case said actions, related to the

facts object of the claims, were admitted for processing from the
agreement to initiate investigative actions.

In this way, carrying out only two specific actions of
investigation over more than twenty-four months would evidence the existence of a
situation that could constitute fraud of law in the use, to the detriment of the

investigated entity, of the power granted by article 95.3 of the LPACAP to
completely artificially lengthen the duration of the actions of
investigation, by archiving those initially carried out and opening (or,
allow us, “reopening”) to the detriment of CAIXABANK.


It alleges that in this sense it is applicable to the present case, mutatis mutandis, the
doctrine established by the National High Court in its judgment of October 17, 2007
(appeal 180/2006), in which the illegality of the extension
inadequate or unfounded, and based exclusively on its inactivity of the
preliminary investigative actions. Consider CAIXABANK that can be seen
in the performance of the AEPD, the concurrence of the elements required by article

6.4 of the Civil Code to appreciate the concurrence in the same of fraud of law, which
should lead to the nullity of this sanctioning procedure.

Third.- On the freedom of consent given by customers at the time
to subscribe the ON account and the non-existence of violation of article 7 of the RGPD.


1. The content of the Home Agreement.

CAIXABANK understands that the reasoning of the AEPD in which it comes to consider
that the collection of commissions as a result of contracting the products to

referred to in the Start Agreement to those who do not meet the requirements
established so that it could be considered that the client maintained the so-called
“digital profile”, implies a negative consequence for it, supposes a
Ignorance of the nature of the contracts to which it has been making
reference and the objective elements that are part of them, which, in its
turn, gives rise to an incorrect interpretation of the consent requirement

related to its “free” character.

 The application to the client of a commission cannot in any way be considered as
a “negative consequence” of entering into a checking account contract
banking, but as the consideration that the client has to satisfy as

consequence of the service contracted with the financial entity. In this way, do not
should never refer to the existence of a burden, encumbrance or "consequence
refusal” imposed on those who do not give their consent to the processing of their data
within the framework of the delimitation of the so-called "digital profile", but of the
Obtaining a benefit to whoever does give that consent, consisting of the

reduction or exemption from the payment of its consideration in the aforementioned contract.

Considers that the action of the entity that could derive in a limitation of the
requirement of freedom of consent given to the processing of your data

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 26/117








personal cannot be the demand for the payment of the consideration that
definition is part of the content of the contract, but the imposition of a levy or
additional charge to said consideration. In this sense, they pronounce their own

EDPB Guidelines, which in the example mentioned in the Startup Agreement do not
consider limitation to the freedom of consent the requirement of payment of
commissions, but the "increase" of them.

 On the contrary, nothing in the RGPD or in its development in Spanish law by the
LOPDGDD, comes to determine that the consent ceases to be free due to the fact of

that the person who facilitates it be granted some type of benefit, advantage or incentive (since the
exemption from the payment of a commission meets these characteristics) on the conditions
that, according to the clauses of the contract, should be fulfilled in general. AND
This is, and not the one indicated in the Start Agreement, the situation that occurs in the
present course.


Indicates, regarding the legal nature and elements of the current account contract
banking, which is a bilateral or synallagmatic and onerous contract in which the
services provided by the bank and that are complementary to the
mere delivery of funds and conservation by the client are not limited to the payment, in
your case, of the corresponding interest, but also to the provision of services that,

According to the very nature of the commercial commission contract, they will have
also a remunerated character.

This implies that the commissions are not constituted as a levy imposed on the
client, but as the consideration for the services provided to it by the entity

of credit, thus configuring itself as a necessary objective element of the contract of
bank current account, which must incorporate the same except in those
exceptional cases in which, due to the very nature of the contract entered into,
is blurred in the development of the contract the activity that is typical of the
commercial commission.


In short, the commissions are an essential part of the contract, since they represent the
consideration that the interested client must satisfy for the services that the
banking entity carries out on behalf of the person who orders the same
making payments and deposits, as well as for the rest
activities of a complementary nature that constitute the essence of the account

mercantile stream.
It also states that commissions are an essential element of the contract according to the
domestic law and the European Union. Article 2.15 of Directive 2014/92/EU of the
European Parliament and of the Council of July 23, 2014 on the comparability of
commissions related to payment accounts, the transfer of payment accounts and the

access to basic payment accounts (hereinafter, the “Policy”) defines the commissions
as “all expenses and penalties that, where appropriate, must be paid by the consumer
to the provider of payment services for services linked to a payment account or in
relationship with them”, taking into account that, in accordance with article 1.6 of the
legal text payment accounts must at least allow consumers to make,

at a minimum, operations consisting of “depositing funds in a payment account”,
“withdraw cash from a payment account” and “make payments to third parties and receive
third party payments, including transfers”.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 27/117








In Spain, the transposition of the Directive was carried out by means of Royal Decree-
Law 19/2017, of November 24, on basic payment accounts, transfer of payment accounts
payment and comparability of commissions (hereinafter, the "RDL 19/2017"), whose article 9

establishes, in its section 1 that "the commissions received for the services provided
by credit institutions in relation to basic payment accounts will be those that
are freely agreed between said entities and the clients”, without prejudice to the possible
setting by the Government of maximum commissions in accordance with the criteria established in the
section 3 of the precept (power embodied in Order ECE/228/2019, of 28
February). Likewise, it is established that "regulations may establish

different regimes of more advantageous conditions in terms of commissions in
depending on the special situation of vulnerability or risk of financial exclusion of
potential clients”, this being the only case in which there is a limitation
express legal or an exemption from the payment of commissions.


Likewise, for the purposes of guaranteeing comparability in commissions
incorporated into payment account contracts, article 15 of RDL 19/2017
establishes in its article 15.1 that "the Bank of Spain will publish and maintain
updated the list of the most representative services associated with an account
payment, incorporating the standardized terminology contained in the delegated act to which
refers to article 3.4 of Directive 2014/92/EU of the European Parliament and

of the Council, of July 23, 2014”

This list is included in the Annex to Circular 2/2019, of March 29, of the Bank of
Spain, on the requirements of the Informative Document of the Commissions and of the
Commission Statement, and payment account comparison websites, which

amends Circular 5/2012, of June 27, to credit institutions and providers of
payment services, on transparency of banking services and responsibility in
the granting of loans, which includes the most representative services associated with
payment accounts that, consequently, will imply the requirement by the entity
payment of the subsequent commission in consideration for its performance

as follows: Account maintenance; issuance and maintenance of a
Debit; issuance and maintenance of a credit card; discovered
express; tacit discovered; transfer; standing order; cash withdrawal to
debit by card at ATMs; cash withdrawal on credit
ATM card; alert service (SMS, e-mail or similar); negotiation
and check clearing; check return.


Finally, Royal Decree 164/2019, of March 22, which establishes a
free system of basic payment accounts for the benefit of people in a situation of
vulnerability or at risk of financial exclusion, prohibits in its article 2.1 the
credit institutions require the payment of commissions “when all the holders and

Authorized users of a basic payment account are in the special situation of
vulnerability or risk of financial exclusion indicated in article 3 and it has been
recognized in accordance with the provisions of this royal decree”, establishing the
requirements for the recognition of this right.


It concludes that:
• Commissions are an essential element of the contracts associated with the
called payment accounts and the current bank account contract, and are intended to


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 28/117








purpose the remuneration of the services provided by the banking entities for the
performance of the different services associated with the contract.
• The parties may freely set the commissions to be paid as

remuneration for said services, and it cannot be considered that they come from
unilaterally imposed as a lien on the contract, always respecting the
maximum limits that, where appropriate, are approved by the Government.
• They will only be exempt from the general system of commissions that has just been
describe the cases in which the nature of the services contracted with the
bank entity is not assimilable to that of a payment account because it implies

"more limited functions" than its own.
• Only the chargeability of commissions will be excluded from the holders and
Authorized users of a basic payment account are in the special situation of
vulnerability or risk of financial exclusion.


Starting from everything that has been indicated, under no circumstances would it be possible
classify the commissions as an encumbrance, charge or damage caused to the client
of a credit institution, being simply an element of a payment account for the
that the interested party pays the banking entity for the services that have just been
detail, necessarily appearing in the contract and proceeding, in terms of its
fixation, of the free autonomy of the will of the parties, always within the

maximum limits that may be established.

For this reason, the exemption from commissions for customers who maintain a profile
digital will be configured as an advantage or benefit for the client who operates as
exception to the collection of commissions, which is consubstantial to the celebration of the

contract, proceeding said exemption from the free acceptance of the conditions that the
determine.
It will not exist, consequently, and in terms that are diametrically opposed to what
reasoned by the Home Agreement, a lien subject to the non-provision of a
certain consent linked to the processing of personal data, but a

benefit derived from said provision.

2. It also alleges that there is no damage, encumbrance or charge whatsoever derived from the
failure of customers to consent to the processing of their data
personal.
As has been indicated so far, the fact that the client of an entity

bank is obliged to pay commissions associated with the management of an account
of payment cannot be considered at all a detriment to it, since the
commissions are an integral element of the contract, so that the products
banking, in any case, are associated with the payment of said commissions.


 The logical consequence of the foregoing is that it cannot be considered that in a case
such as the one that is the subject of this sanctioning procedure can be seen
as, erroneously considers that AEPD, that the exemption from the payment of certain
commissions suppose an element that conditions the freedom of consent
freely provided by the interested party for the conclusion of the contract or that the

consent for the processing of your data has not been freely granted.

The Initiation Agreement refers in its reasoning to recital (42) of the
RGPD that indicates that “consent should not be considered freely given

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 29/117








when the interested party does not enjoy a true or free choice or cannot refuse or
withdraw your consent without suffering any prejudice”. What derives, according to said
reasoning, in the repeated reference that he makes to article 7.4 of the RGPD, to

whose tenor "when evaluating whether the consent has been given freely, will be taken into account
to the greatest extent possible whether, among other things, the execution of a
contract, including the provision of a service, is subject to the consent of the
processing of personal data that is not necessary for the execution of said
contract".


Understands that what is established in considering (42) previously reproduced does not
It is applicable to the case analyzed or to the processing of personal data carried out.
carried out by CAIXABANK, and this to the extent that none of the
premises contained in it.


 Thus, in the first place, it understands that in the present case the client enjoys
true and absolute freedom to decide whether or not to grant the different consents
that are requested, both at the moment in which he acquires the condition of client
through the registration process in the entity, the opening of the corresponding account and the
conclusion of the contract, as at any later time when it may
modify the consents given without any limitation.


In this sense, as stated in the background of the initial and
has had the opportunity to verify that AEPD, in the client registration process, the
to the will of the interested party the completion of a series of boxes, referring to the
controversial treatments in the sanctioning procedure, informing you, in a

explicit, clear, simple and concise, as imposed by article 12.1 of the RGPD, of the
purposes for which the client would grant, in case of providing it, each of the
different consents that are subject to your decision. And how will it be analyzed?
subsequently, the marking or not marking of the aforementioned boxes in any
mode will influence the conclusion of the contract, which will take place in the event that the

The interested party signs the terms thereof with absolute independence from the fact that
whether or not they have consented to the treatments submitted to their decision.

In the same way, as is also proven in the records of the Agreement
of Home, and it was revealed to the AEPD inspectors during the visit
on December 12, 2019, the client may, throughout his relationship with

CAIXABANK and as many times as it deems convenient, modify its
consents, both online, by accessing your personal area, and by any of the
the other channels made available to them (telephone, app, office, etc.) and this, in
in any case, regardless of the channel used to provide or deny
initially your consent to the processing of your personal data for the

purposes for which it is required. Likewise, it was brought to the attention of
the AEPD that CAIXABANK (then BANKIA) had established procedures for
guarantee the traceability of all the consents granted by the interested parties and
their status at any given time. Thus, as stated in the
Home Agreement, during the inspection carried out by the inspectors of that

AEPD records the performance of the following diligence:

“Access is gained through a BANKIA employee user code and password to the
data of the consents provided by one of the people present in the room,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 30/117








client of the entity, verifying that the document of
Treatment of Personal Data (TPD) dated May 21, 2018. It is accessed
also to the modifications made later on the consents

(MTA documents) as well as the current status of consents.”

That is to say, the interested party enjoys absolute freedom to, whenever he considers it
relevant, provide your consent or revoke any of the consents
previously provided in a simple way and capable of being fully
accredited, without conditioning, let alone undermining, in any case, the freedom of

their election nor is the tenor of the same linked to the continuity of the service provided
to the client by CAIXABANK.

Consequently, in the event that the client does not want to grant their consent
during the contracting process, or consider it opportune to revoke at a moment

after the consent previously given, it can be carried out in a
entirely free and without the imposition of any difficulty on it, without this preventing
nor in any way the formalization of the contract or its formalization in
conditions of a less beneficial nature than those others that
consent for any or all of the intended purposes.


Second, the non-provision of consent or the revocation of the
consent previously given does not imply in any case the production of a
prejudice to the interested party or the imposition of any type of burden or
encumbrance, given that the contract will continue to govern CAIXABANK's relationship with its
customers under the same clauses, without being affected in any way the provision

of customer service. And it is that, as it has been indicated previously, in no
moment the provision of the service is conditioned to the provision by the interested party of
your consent, a sine qua non condition for the application of article 7.4 of the RGPD
invoked by the Home Agreement, since the provision of consent does not
does not affect the way the service is provided or the content of the relationship, nor does it imply

nor any additional tax for the interested party. On the contrary: the provision of
consent implies a benefit for the client, to the extent that he is exempt
of the payment of some commissions that, as indicated above, are a
integral element of the contractual relationship that links CAIXABANK with its
client. In short, the client does not suffer any damage as a result of not
having given their consent, given that in no case does this imply a

aggravation of the general conditions that govern the contract, but simply the
no exemption from the payment of commissions associated with the services provided that
they appear in any case associated with it.

In this regard, it is also worth recalling the analysis carried out by the EDPB in its

Guidelines on the concept of “harm”. Thus, the EDPB points out in the aforementioned
Guidelines (§13) that consent will not be truly free if the data subject “is
feel compelled to give consent or suffer negative consequences if they do not give it”
adding later (§14; emphasis added) that the consent
“will be invalidated by any improper influence or pressure exerted on the

interested (which can manifest itself in very different ways) that prevents this
exercise your free will."



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 31/117








And, in particular (§24): “[…] consent can only be valid if the interested party
can really choose and there is no risk of deception, intimidation, coercion or
significant negative consequences (for example, substantial additional costs) if

does not give his consent”.

Well then, the application of these criteria makes it difficult to assume and defend the
thesis supported in the Initiation Agreement, from which it would be inferred that the entity
claimed would condition or exercise improper influence over its clients by
subjecting them to "significant negative consequences" for the mere

fact of not granting them a benefit to which, in general, they would not be entitled
any.

And it is that even, in line with what has just been exposed, attention must be paid to what
pointed out in example 6 of the EDPB Guidelines, to which the Agreement of

Beginning and that, nevertheless, describes a supposition that in no case bears relation
with which it is the subject of this sanctioning procedure. Indeed, in the aforementioned
For example, the EDPB states the following (emphasis added):

“A bank asks its customers for consent so that third parties can use
your payment details for direct marketing purposes. This processing activity

is not necessary for the execution of the contract with the client and the provision of the
usual bank account services. If the client's refusal to give his
consent to said treatment gave rise to the refusal on the part of the bank of
provide their services, at the closing of the bank account or, depending on the case, to a
increased commissions, consent could not be freely given.”


In this way, the EDPB indicates that the consent could be considered not to have been
freely granted in those cases in which the bank (i) does not proceed to the
opening of a bank account to the client due to the fact of not having lent his
consent (thus conditioning the signing of the contract to the provision of a

consent that does not refer to the object of the same, but to "other matters", in
terminology of article 7.2 of the RGPD); or (ii) there is an increase in the
commissions that said client must pay in relation to the contracted products
(that is, imposing a lien on him for the non-provision of consent).

But even in this second case, which, as has been indicated, does not concur in this

case, it should not be forgotten that not even the EDPB establishes an unconditional rule,
rather, it points out that it could be appreciated that the consent would not be free “if the refusal
of the client to give his consent to such treatment would give rise […] depending
of the case, to an increase of the commissions”.


Well, aside from what is indicated in relation to the concept and nature of the
commissions in the cases of payment accounts, it is evident that in this case there is no
None of the assumptions described in the cited example concurs, to the extent that
the client can, in any case, contract a certain banking product without
need to give your consent and in no case is there an increase in

commissions associated with the service provided, since they appear
expressly provided for in the contract. There is definitely no increase in
said commissions, but the non-application of an exemption.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 32/117








 And it should not be considered that what has been argued so far can be refuted
considering that the non-granting of an exemption in the payment of commissions implies
the generation of damage, given that both situations are incompatible: in the

In the first case, the status quo would be the payment of commissions, which is discounted in
if consent is given.

On the contrary, the imposition of a levy would mean that the commissions would be
increased as a result of the non-provision of consent, which does not
happens in this case.


In this way, an interpretation similar to the one maintained in the initial agreement
would lead, for example, to consider that the loss of the requirements that allow
a taxpayer enjoying a tax exemption or deduction supposes the generation of
a loss, consisting of the payment of the tax, to which it has always been subject.


Reference should also be made to the "European Legislation Manual on
data protection”, adopted by the Agency for Fundamental Rights of the
European Union and the Council of Europe, in collaboration with the European Court of
Human Rights and the European Data Protection Supervisor, where
states, in relation to the free nature of consent, the following:


“This does not mean, however, that consent can never be valid in
circumstances in which the lack of consent would have some consequences
negative. For example, if the consequence of not consenting to have
a customer card of a supermarket is only that they will not be received

small discounts on the prices of some products, consent could
be a valid legal basis for processing the personal data of those customers who
give their consent to have said card. There is no subordination between
company and the client, and the consequences of the lack of consent are not what
serious enough to limit the data subject's freedom of choice

(as long as the price reduction is small enough not to
affect such freedom of choice).

From what has just been reproduced it is clear that, if the provision of the
consent supposes the establishment by a person in charge of the treatment of
discounts on the prices of their products, which would not be obtained if the

consent to treatment, this consequence would not have any relevance
that would make the aforementioned consent lose the condition of free, because it would not fit
assess the existence of a detriment to the interested party.

And this case is similar in all points to the one analyzed by the Initiation Agreement in that,

necessary is to reiterate it again, there is no reduction of the
rights of CAIXABANK customers for not having provided the
consent to the processing of your personal data, but simply
will produce the application, in that case, of the ordinary conditions of the contract.


In short, in the alleged object of this proceeding there is no
type of damage to the interested party as a result of the refusal to lend their
consent for the processing of your personal data that may affect
negatively in its configuration of "free consent", since the only thing that

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 33/117








foreseen in the conditions of the contract is to obtain a profit on the basis of
these general conditions in case that consent is given. No
it is therefore possible to equate, as the initial agreement intends to do, obtaining a

benefit with the imposition of a tax on those who freely choose not to avail themselves of
to that one.

3. Inexistence of conditionality to the consent of the interested party for the hiring
of services.


 As previously indicated, the Start Agreement considers that in the
In this case, there has been an alleged violation of article 7.4 of the
RGPD referred, as already anticipated, to the fact that “the execution of a
contract, including the provision of a service, is subject to the consent of the
processing of personal data that is not necessary for the execution of said

contract".

In relation to the application of this rule, the Initiation Agreement takes into account
consideration for the interpretation of the precept indicated by the recital (43)
of the RGPD, which indicates that "it is presumed that the consent has not been given
freely when […] the performance of a contract, including the provision of a

service, is dependent on consent, even if consent is not necessary to
such compliance”

But it is that the presumption that is included in this precept, and that in any case does not
could be considered iuris et de iure, as the AEPD seems to understand, by not justifying in

In any way, the application to the case of the aforementioned recital of the RGPD, would not be
in any way applicable to the assumption that is being analyzed here, given that in the
itself there is no conditionality as described in article 7.4 of the
RGPD (with which the aforementioned recital 42 of the RGPD is related), since the
provision of consent is not a sine qua non condition for signing the

contract, with the client being able to contract the services of CAIXABANK without the need to
proceed to the provision of consent and without being in any way affected
the services that will be provided to it, which will be the same in one case or another, to the
completely regardless of the provision or not of the aforementioned consent.

Indeed, we are not faced with a case in which the non-provision of the

consent conditions the contracting of services, as in the case of
first of the examples incorporated into the EDPB Guidelines, and reproduced by the
Home Agreement, since it refers to a situation in which there is no
allows users to make use of a certain service when the interested parties
do not give their consent for a treatment not directly related to the

itself, something that under no circumstances happens in the case at hand since, as
has been indicated, customers can freely contract the services of
CAIXABANK without the need to grant consent to the processing of your data
personal. Let us remember that according to the cited example, the use of a
mobile application for photo editing to which the interested party lends his

consent to the activation of your GPS location for the use of its services,
in such a way that if it is not carried out, it is not possible to use
the application.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 34/117








And at this point, what is indicated by the EDPB in §
37 of its Guidelines, which states the following: "The data controller
could argue that your organization offers stakeholders a real choice if

they could choose between a service that includes consent for the use of
personal data for additional purposes, and an equivalent service offered by the same
responsible that does not imply giving consent for the use of data for purposes
additional. Whenever there is a possibility that said person in charge of the
treatment execute the contract or provide the contracted services without the consent
for the other use or the additional use of the data in question, it will mean that there is no longer

service conditionality. However, both services must be
really equivalent.”

Well, it is not only offered to those who have not given their consent for the
processing of data as part of the so-called "digital profile" a service

equivalent or similar to the one provided to those who have agreed to the provision of said
consent, but simply and simply offers them the same service that
the one that lends to its clients with a “digital profile”. That is, the financial product that
one and the other will be able to contract will be the same and not simply an equivalent one, and the
services provided will be exactly the same in both cases. In this way
would be fully applicable to CAIXABANK what is indicated in the transcribed text of the

Guidelines, since there is no conditionality for hiring the
customers of the services related to the controversial products to the provision
consent to the processing of your personal data.

And it is that, in no way is it possible to consider, as seems to emerge from the tenor

of the Home Agreement, that there is no full identity between the contracted services
by those who give consent by holding a "digital profile" with respect to those who
do not provide the same, because the services offered, associated with the
accounts that are cited in the Initiation Agreement, are exactly the same and also
The elements that will integrate the contracts in which the contracts are formalized will be the same.

aforementioned services, including commissions, even when in the event that the user
holds the so-called "digital profile" these commissions will be discounted in
the full amount as long as the "digital profile" is maintained.

 The interpretation of the concept of equivalence contained in the guidelines of the
EDPB cannot be as forced as the one that seems to derive from the Start Agreement,

in which said concept becomes synonymous with “complete identity”, so that
the simple fact of setting a bonus in the amount of the benefit to
satisfied by the client may lead to the consideration that the subsidized service
and the non-reduced are not "equivalent" because they are not "completely identical".


In such a case, it understands that it would incur in the manifest contradiction that
would be considered by the AEPD that the same supplier would simultaneously offer two
identical products or services by the sole fact that the same product or service
was offered with and without any bonus as a result of the fact that the
interested party gives his consent. This would inevitably contain an evident

sophism that would empty of content any offer or promotion that could apply
a private entity if it is related to the consent given, given that in
In the opinion of the AEPD there would not be a bonus, but rather the offer of a different product,
even if the content of the services were to the full extent identical.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 35/117









And it should be noted that even the EDPB rejects such an interpretation, for
since, as will be pointed out later, it does not consider it contrary to article 7.4 of the

RGPD the possibility that the person in charge of the treatment can offer its
clients incentives or additional benefits in case the treatment is authorized
of your personal data, which implicitly implies accepting that there is no
difference between the provision of the incentivized and non-incentivized service, therefore, even
to a lesser extent, both services may be considered non-equivalent.


But it is that even, and even if it were not considered that there is an absolute
identity in the provision of the service regardless of whether the interested party grants
or not consent to the processing of your data, it should also be remembered that
they are not the only ones that make up the catalog of products or services
consisting of payment accounts, in the legal concept of said term.

This is recognized by the Home Agreement itself when it states that it sells through
of its digital platform the three financial products referred to in the
procedure within the general offer of other similar products, equally
marketed by the entity. Thus, the Agreement indicates that "the entity claimed,
has marketed, through its digital platform (www.bankia.es), among others, three
financial products: ON Account; ON Payroll Account and UN&DOS Account, along with

their associated debit cards. It also sells a credit card (Card
Credit ON), which must be associated with an open ON Account”.

By way of example, he points out that it makes it easier for potential clients to
contract, if they so wish, other financial products such as the Easy Account, the

Youth or the Basic Payment Account.

As has already been said, the rule indicated by the EDPB would be applicable even
when the services share purposes and substantial characteristics, even
when it is not possible to determine their absolute identity.


In this sense, and from the perspective of economic theory, also applicable to the
competition law, it should be remembered that substitutability between two
products and services concurs in the cases in which a consumer can access
immediately, in the event of a change in the current price of the original product,
to its substitute product. This substitutive character of the product in no case supposes

a perfect and total coincidence of all the characteristics of the products or
services, but its possible indistinct use by the consumer.

 Thus, the characteristics of the aforementioned financial products, although they are not
identical to those that would concur in the three products analyzed in the Home Agreement,

they can be considered without any kind of doubt similar or equivalent to
these. And the fact is that the equivalence lies in the fact that they provide the interested party with the possibility
to passively capitalize the different amounts of money that you decide to deposit
in such financial products without depriving you of direct access to your funds,
developing all the services that participate in the nature of the

contracts related to the holding of payment accounts, in the terms
established by internal and European Union regulations, analyzed in detail in
section 2 of this allegation.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 36/117








It concludes that taking into account the very wording of article 7.4 and considering
42 of the RGPD, as well as the tenor and logic of the Opinion of the EDPB, considers that yes
provides a free choice to those interested in contracting their different

liability products and, in particular, to opt for contracting the accounts of
disputed payment in this file with absolute independence of the provision
of your consent to the processing of your personal data.

4. Additional considerations about the freedom of consent given
in accordance with the doctrine of the EDPB and that AEPD.


Starting from what has been argued so far and, consequently, taking into account that
the exemption from the payment of commissions cannot in any case be considered a
damage, burden or encumbrance for the interested party, without being conditioned in any way
the provision of the services that make up the controversial products to the

granting of consent by the interested party, it is necessary to indicate that neither the
personal data protection regulations or the interpretation of the same
performs the EDPB consider inadmissible or contrary to freedom in the provision of the
consent to the granting of benefits, promotions, incentives or improvements of the
services in case the interested party provides the same.


Thus the EDPB declares in its Guidelines (§ 48) that “the RGPD does not exclude incentives,
but it would be up to the data controller to demonstrate that the consent
has continued to give freely in any circumstance”.

  In this way, the EDPB considers perfectly admissible the connection of the

consent with the obtaining of an incentive as long as it is possible to prove the
concurrence of the note of freedom in the consent, something that as it has come
indicating up to this place does occur in this case.

 In this sense, it seems relevant to refer to the opposite sensu, to the example

incorporated as 8 by the EDPB in its Guidelines, which states the following (the
underlining is ours): Example 8: When downloading a style application from
life for mobile phone, the application asks for consent to access the
phone accelerometer. This is not required for the app to work, but
It is useful for the data controller who wishes to know more about the
movements and activity levels of its users. When later the user

you withdraw your consent, you discover that the application only works in a limited way.
This is an example of injury within the meaning of recital 42, i.e. that the
consent was not validly obtained […]” .

In this case, the incompatibility of the incentive offered with the RGPD would lie in the

fact that the entity offering the application limits the operation of the application itself
application.

 And this case is diametrically opposed to the one tried in this proceeding, for
when the free decision not to give consent in any way affects the provision

to the client by CAIXABANK of all the services that make up the
contract signed by the interested party. The only consequence of not paying the
consent to the processing of your data is the ordinary development of the contract in
Regarding the consideration that, as an element of the same, has been incorporated into

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 37/117








that, and which consists of the payment of the appropriate commissions, in the terms
established in domestic and European Union law.


Finally, and in line with what has just been indicated, it should be taken into account
that, as indicated by the AEPD itself in Report 0292/2010 of its
Legal Office, the attribute of "free" consent required implies that the
same “must have been obtained without the intervention of any vice of the
consent in the terms regulated by the Civil Code.


Thus, to presume, as the Initiation Agreement does, that the consent
provided in the present case has been subject to the existence of coercion in the
free will of the interested parties as a result of the mere circumstance of
grant a benefit as a result of its granting, such as the exemption
in the payment of commissions, would de facto imply that the AEPD, exceeding

completely of the powers granted by the regulations for the protection of
data, it would consider itself competent to assess for itself the possible invalidity of a
contract in which incentives or benefits are established, when appreciating the existence of a
vice in the consent given by the clients, thus entering to assess the validity
of a contract, an issue that only concerns the member bodies of the
civil jurisdiction.

Fourth.- On the consents obtained from the clients who contracted the
controversial products through the online channel between July 8 and December 15.
August 2018.

It alleges that CAIXABANK has never denied that, as a consequence of

adaptations carried out in BANKIA's information systems such as
consequence of the establishment of a new list of consents, in order to
unify those that had been obtained by the different entities that were finally
integrated in it, there was an incident in its systems, whose duration is the
specified in the Startup Agreement, by virtue of which the consents of the

Interested parties appeared pre-marked by default, so that if they were not
no action be carried out by the interested party who contracted the accounts
disputed in this file, the option that the
consent had actually been given. This incident was reported
knowledge of that AEPD on the occasion of the inspection visit made on the 12th of
December 2019 and analyzed in detail in the letter of the same dated June 18,

2020, in response to the request made by the AEPD.

However, in the first place, it alleges the inadmissibility of the sanction for application of the
“non bis in idem” principle. The AEPD considers in the Start Agreement that at
If the boxes marked by default are not found, a violation of the

Article 6 of the RGPD because, not being the consent lawfully obtained,
lacks a legal basis that supports the treatment in accordance with the aforementioned
precept.

 On the other hand, and recapitulating what was stated in the third allegation of this writing, the

AEPD has considered that all the consents given by the
customers who contracted the controversial products in their day have been collected
without complying with the requirement that said consent be free, appreciating the
Agency the existence of an alleged violation of article 7 of the RGPD, whose

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 38/117








non-existence CAIXABANK has already accredited in accordance with what was argued in the aforementioned
allegation.


Well, if the reasoning of the AEPD were followed in relation to the latter
infraction, the non-existence of a consent that fulfilled all the
requirements established in the personal data protection regulations (what this
party, it is obvious to reiterate, flatly denies) would lead to an alleged violation of the
Article 6 of the RGPD, since, in the opinion of the AEPD, the
consent obtained the processing of personal data would have been carried out

carried out without a legal basis for it. Thus, the AEPD considers, in relation to the
totality of the clients who contracted these products, that the treatment of their
personal data is contrary to the provisions of article 6 of the RGPD, by not
consider that the consent given by said clients may be a
valid consent for the purposes of the aforementioned regulations.


 For its part, in relation to the infringement that is now being referred to,
the AEPD considers that the consent of the clients who contracted these
products through the online channel on the dates between July 8 and December 15.
August 2018 is not valid because the boxes are pre-marked, but at
own time has already considered, in accordance with what was reasoned in the foundation of

second right of the Home Agreement, that this consent was not valid
(regardless of whether the boxes were pre-marked or not) by not being able to
considered, always in the opinion of that AEPD, that the consent given is free.

In this way, the AEPD would be doubly sanctioning the lack of a legal basis for

the treatment of the personal data of the clients who have contracted the
controversial products through the online channel on the dates between 8
July and August 15, 2018, given that, on the one hand, it affirms that the consent
granted is not valid because it is not free and, secondly, that said consent
It is not valid because the boxes are pre-marked.


In this way we would find ourselves before a situation in which the AEPD would proceed to
imposition of two sanctions for the violation of the same precept in relation to a
same consent given, understanding that this consent is, according to your
criterion, doubly violating the rules required for consent and, therefore,
doubly considered lacking sufficient legal basis.


 Consequently, they would be sanctioned twice for the commission of the same
facts (treatment without legal basis for it because, in the opinion of the AEPD, the
consent) in relation to the treatment of the data that they would have authorized
who contracted the products on the dates that have been reiterated in this

allegation, with the consequent and blatant breach of the non bis in idem principle.

And to this it is not possible to oppose the fact that the Initiation Agreement invokes as infringed,
respectively, articles 7 and 6 of the RGPD, since the alleged infringement of the
Article 7 of said legal text implies, ultimately, the same principle of protection of

data that the considered infringement of article 6, that is, the principle of legality of the
treatment, regulated in article 5.1 a) of the RGPD, since in both cases what
comes to sanction is the alleged absence of an adequate legal basis for the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 39/117








treatment of personal data, considering that the consent of the
interested has not been, always in the opinion of the AEPD validly provided.

In this way, if the AEPD, in view of what has been stated by this party, considers
concurrent in the treatment of the data of all the clients who contracted the

BANKIA products subject to the exemptions derived from the maintenance of a
“digital profile” the infringement referred to in the third allegation of
this writing, said infraction would subsume the one that is now being analyzed, for
application of the ne bis in idem principle, so it would not be possible to impose, with respect to
of the customers who contracted the products through the online channel between the 8th of
July and August 15, 2018, a double violation of the same principle of protection

of data, as intended by the Start Agreement.

Secondly, it alleges that incidence has produced a minimal repercussion on the
customers as an essential criterion to assess their responsibility.


It alleges that the incident affected a total of 2,562 customers, of which only 812 (one
0.009% of BANKIA's customers) would have been really affected by it,
as it is not materially possible, despite displaying an extreme level of diligence,
manage to contact them, as they are inactive clients who have not
interacted with the entity through the channels that it makes available
and that they have not made any movement or activity in their accounts since the

moment in which said entity, aware of the incidence produced, has tried to
repeatedly contact them.

He affirms that, as already revealed in the inspection carried out on the 12th of
December 2019 and also detailed in his letter addressed to that AEPD on 18
June 2020, all necessary actions have been taken towards the

resolution of the incident and to have only the consent of those who
effectively, freely, consciously and without any type of
conditioning, such as that the boxes appear pre-ticked by default, were
provided by their clients.

The Home Agreement itself lists in its thirteenth fact the aforementioned measures,

in the following terms: “The consents have been requested again
customers who have not modified them, taking advantage of the first interaction with the
entity through any of the authorized channels (branch, Bankia Online or App
Bankia). This obtaining of the new consents, from a neutral position to
the option of acceptance or non-acceptance that in each case is chosen by the
interested party for each of the requested consents, has been configured as

necessary step to be able to continue the operation through any of the channels.

Those clients who have not passed this process have been considered as
customers who have not given their consent to the entity regardless of the
meaning of the consents they provided in the registration process of the On account, and

have been marked in systems as having denied all consents.

All On account holders were informed, in December 2019, of the change
of conditions of the digital profile, and the elimination of the requirements of having authorized


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 40/117








the sending of commercial communications and the transfer of data for the purposes of collection or
fee waiver.


Contact has been made by telephone (through the corresponding managers) with the
clients who have not modified consents; in the case of the 812 clients who
have not yet passed the process, although attempts have been made to contact them on several
occasions, the result has been unsuccessful.

The cancellation process of those inactive and inactive accounts has begun

in the last few months.”

It is evident from the measures described that it was deployed in a
immediately how many actions were necessary to guarantee that the consents
lent were with absolute freedom and without any conditions, deciding

finally consider denied the consent of those who, after repeated
attempts carried out, they could not be contacted or interacted in any
moment with it.

This measure was definitively adopted in May 2020, as stated in the
Initiation Agreement, even though since October 16, 2019 it was removed from the

necessary conditions for the exemption of commissions in the products
controversial the provision of consent for the processing of data as
part of the so-called “digital profile”.

He acknowledges the incidence produced, but considers that the diligence with which he adopted

measures aimed at minimizing the effects of the infringement, should be grounds
enough for the AEPD to exempt him from guilt or, in the worst case,
warns his entity for the acts committed.

NINETEENTH. Access to the consolidated annual accounts of the group

Caixabank, available at ***URL.2, on page 249 of which it states that the volume of
group business in 2020 is 12,172 million.

TWENTIETH: On December 20, 2021, a resolution proposal was issued in
the following meaning:


FIRST: That the Director of the Spanish Data Protection Agency
sanction CAIXABANK, S.A., with CIF A08663619, for an infraction of article 6 in
in relation to 7 of the RGPD, typified in article 83.5.a of the RGPD, with a fine of
2,000,000 euros (two million euros).


 SECOND: That the Director of the Spanish Data Protection Agency
sanction CAIXABANK S.A., with CIF A08663619, for an infraction of article 6 of the
RGPD, typified in article 83.5.a of the RGPD, with a fine of 100,000 euros (one hundred
a thousand euros).


TWENTY-FIRST: Electronically notified to the entity CAIXABANK S.A. the
mentioned resolution proposal and accepted the notification by said entity dated
December 22, 2021, dated December 23, 2021 had entry in this
Agency letter in which an extension of the term to formulate allegations was requested.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 41/117








Once the extension of the term was granted, on January 13, 2022, the
this Agency written of allegations, in which it is requested again that it be declared
the nullity of full right of the procedure for the reasons described in its

first allegation, subsidiarily that its file be agreed and subsidiarily to the
file that the sanction of warning enshrined in article 58.2.b) is imposed)
of the RGPD or, failing that, a significant reduction in the amounts established in
the proposed resolution in response to what is stated in the fourth allegation.

It reiterates all of its allegations to the initial agreement and formulates the

considerations that, in summary, are set out below:

FIRST. CONCURRENT VICES OF NULLITY IN THE PRESENT
PROCESS.


1. On the radical nullity of the procedure as a consequence of the fixing of the
amount of the penalty in the startup agreement.

He points out that he already made clear in his allegations to the Initiation Agreement the
manifest helplessness that had been caused to him as a consequence of the fixation
in the same of the amount of the sanction that, in the opinion of that AEPD, proceeded to impose

in this proceeding, and this on two fundamental bases:

 • The AEPD has proceeded to assess the degree of guilt of CAIXABANK and
of the circumstances that affect him, and this assessment has been made in audit
party, without having had the opportunity to make any statement or make the most

minimal evidence in defense of their right, thus being deprived of their right to
defending.

• This assessment is carried out by the competent body itself to resolve the
this procedure, that is, the Director of the AEPD, who in her Start Agreement

specifically indicates to the instructor of the procedure what is the reproach that, in his opinion,
judgment, will have to appreciate in the conduct of CAIXABANK and what are the
circumstances that affect his guilt, which supposes a manifest interference
of the sanctioning body in the inspection action and a dilution of the phases of
instruction and resolution of this sanctioning procedure, with the consequent
damage to that entity.


Considers that it is evident that, once the existence of an obvious
defenselessness, by dispensing with the guarantees granted by the regulations governing the
sanctioning procedure, with the consequent breach of their right to guardianship
effective legal action, applicable, mutatis mutandis, as has been manifestly reiterated by the

jurisprudence of our Constitutional Court, to the administrative procedure
sanctioning, it is becoming clear that the vice of nullity has been incurred
enshrined in article 47.1 a) of the LPACAP, since they have resulted
injured the rights and freedoms subject to constitutional protection, something that
Even though it is obvious, the Proposal considers that it is not sufficiently

clarified, so it reiterates

Based on the foregoing, the Motion for a Resolution states, first of all, that the
in audit evaluation part of the concurrent circumstances in the case and, in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 42/117








Consequently, the determination by the competent body to sanction the amount
of the sanction proceeding prior to the investigation of the matter derived directly
and immediately of what is established in article 64 of Law 39/2015, of 1

October, of Common Administrative Procedure of the Public Administrations (in
hereinafter, "LPACAP"), not without sinning, however, of a manifest contradiction, when
be indicated, as is done in the Resolution that the action of the AEPD "goes further"
than provided in the standard.

And it is that, indeed, the AEPD indicates in the Proposal that the setting of the amount of

the sanction that would proceed to impose the defendant is a requirement of the provisions of the
Law, but at the same time considers that it is not, since it seems to indicate that,
a completely ex gratia and beneficial way for the defendant, the AEPD has
decided to "go beyond" what is established in the norm, granting a kind of benefit
to the company, even when this is at the cost of undermining the rights

enshrined in article 24 of the Constitution.

The Resolution Proposal also considers that the determination of the amount
of the sanction, and the consequent evaluation of the concurrent circumstances in the
case comes from the option, granted to the defendant by the LPACAP to proceed with the payment
anticipation of the sanction and the acknowledgment of concurrent guilt in their conduct,

established in article 85 of the LPACAP, with the consequent reduction of the amount
of the sanction.

The literalness of this rule does not imply, in CAIXABANK's opinion, an authorization to the
sanctioning body to prejudge the case by proposing ab initio the amount of a

sanction, given that this violates the most elementary principles of
sanctioning procedure with the consequent breach of the rights of the defendant
in said procedure. Indeed, article 85.1 of the LPACAP does not require prior
determination of the sanction, given that nowhere does it refer to a sanction
pre-established (what would happen in case of its fixation at the time of initiation

of the procedure), but to the imposition of the sanction that proceeds. That is, the norm
that in any case is applicable "initiated the procedure", provides for the possible
acknowledgment of responsibility that may determine the imposition of the sanction
“proceed”, in such a way that this fixation seems to be foreseen after the actual
acknowledgment of responsibility.


But in addition, article 85.3 provides that the reductions must be adopted on the
“proposed” sanction, which requires that it has actually been determined within the
of the procedure, after hearing the administrator, what is that amount, what
literally leads to the conclusion that it will be the motion for a resolution, for
Regardless of what is stated otherwise in the Motion for a Resolution, the right time

for the determination of the aforementioned amount, since the Start Agreement is not the
ideal place to "propose" the imposition of a sanction, but to simply
initiate the processing of the procedure.

The AEPD tries to justify in the Resolution that it is not the resolution proposal but

the home agreement the appropriate place for fixing the amount of the penalty. Without
However, the AEPD forgets that there is a substantial difference between both moments
of the procedure, given that the defendant will already have been able to be heard and his arguments
taken into consideration in the motion for a resolution and that, furthermore, said

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 43/117








proposal will have been able to be freely adopted by the competent body for the
instruction, thus not producing any influence of the sanctioning body on the
instructor performance.


Indeed, the interested party does not have, prior to the Start Agreement, the right
enshrined in article 53.1 e) of the LPACAP, which may only be exercised after
that moment, and this circumstance, far from being interpreted in the sense that
contained in the Resolution Proposal (considering for that reason lawful the fixation
in audit part of the amount of the “proposed” penalty), what it reveals is the

manifest and blatant defenselessness caused to CAIXABANK, given that the amount of
the “proposed” sanction is given prior to the processing of the
procedure and the possibility of alleging what his right agrees in it to
in order to be taken into account in the assessment of the concurrent circumstances in
the case


And it is that, contrary to what the appealed Resolution indicates, in that it seems
assert that fixing the amount of the infringement is a benefit granted to
CAIXABANK, by going “beyond” what is established in the LPACAP, the determination
in audit part of the amount of the sanction and the determination by the AEPD of the
concurrent circumstances in the case without the defendant having had the most

minimal opportunity to argue what is appropriate to his right, could never be
considered as such a benefit, given that in no way can it be considered that
a violation of CAIXABANK's right to defense may in no case
be considered nothing less than a benefit.


In this way, the contradiction is incurred in considering that the non-
CAIXABANK having made use of the alleged benefit that was generated, in
application of article 85 of the LPACAP becomes a reason for not being able to invoke
the violation of their rights derived from the erroneous interpretation that the AEPD
makes the aforementioned standard. Thus, the violation of the presumption of innocence in which

the Initiation Agreement incurs would be remedied as a consequence of the fact that
CAIXABANK has not paid the penalty in advance, incurring the
paradox that to enjoy the benefit granted by article 85 of the LPACAP the
defendant must bear the bankruptcy of such a fundamental right.

Indeed, the defenselessness caused to CAIXABANK by the actions of the AEPD in this

case could not be considered corrected by the fact that it could have
make objections to the initial agreement. And this is so because the mere fact of his
formulation implies an increase in the amount that would be forced to pay, for
as the AEPD does not recognize the defendant the possibility of exercising the option contained
in article 85.1 of the LPACAP (that is, to admit their guilt at any time

of the procedure) in case it has issued arguments to the initial agreement.

Point out the difference between the initial agreement and the resolution proposal
since in the first the acknowledgment of responsibility is allowed within the
term to exercise allegations, which entails a reduction of 20% of the

sanction and is instructed that at any time prior to the resolution of the
procedure, may carry out the voluntary payment of the proposed sanction,
in accordance with the provisions of article 85.2 of the LPACAP, which will mean a
reduction of 20% of its amount. You are also told that the reduction for the payment

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 44/117








voluntary of the sanction is cumulative to the one that corresponds to apply for the
acknowledgment of responsibility, provided that this acknowledgment of
responsibility is revealed within the period granted to formulate

arguments at the opening of the procedure. It states that, however,
proposed resolution establishes only that "in accordance with the
established in article 85.2 of the LPACAP, you are hereby informed that you may, at any
prior to the resolution of this procedure, carry out the payment
voluntary of the proposed sanction, which will mean a reduction of 20% of the
amount thereof”.


He considers that the defendant sees himself in the position of (i) either admitting his guilt to
limit to achieve a reduction in the amount of a sanction set in audita parte; or
either (ii) exercise the rights granted by the Constitution and the laws, although this
will entail a cost, in your case, of 420,000 euros, as you can no longer enjoy the first

of the benefits granted by article 85 of the LPACAP. That is, for the AEPD
the mere fact of exercising the right of defence, which would allow the Administration
acting to really know, in view of what could be contributed by the defendant,
the concurrent circumstances in the case and properly determine the amount of
The sanction that could proceed to impose, must carry an economic cost,
certainly excessive (420,000 euros), for the accused, which, obviously,

It supposes a radical violation of the rights that attend it.

The consequence of all the above is that there is a radical defect in the processing of
this sanctioning file, derived from an interpretation contrary to the
Constitution of articles 64 and 85 of the LPACAP, which affects the nullity of the

procedure, having violated the fundamental rights of CAIXABANK, as
and as established in article 47.1 a) of the LPACAP.

2. Regarding the defenselessness caused to CAIXABANK as a consequence of the
Fraudulent prolongation of the investigative actions.


It alleges that it already revealed in the allegations to the Initiation Agreement the
concurrence in the investigation phase of this proceeding of an accumulation of
irregularities that necessarily led to the generation of a
blatant defenselessness, and a fraudulent use by the AEPD of the faculty
attributed to it by article 94.5 of the LRJPAC, to the detriment of the rights

CAIXABANK.

Affirms that, as indicated in the Motion for a Resolution, the transfer to the delegate of
data protection, for the purposes of deciding on the admission to processing of the
claim “although it is optional for the AEPD, it comes to suppose a

guarantee for the claimed party, who is given the opportunity to present the reasons for
its action against the claim made and, where appropriate, the corrective measures
taken in order to put an end to a possible non-compliance with the legislation of
data protection, prior to its admission or not for processing”


In other words, the aforementioned transfer aims to guarantee the rights of CAIXABANK in this
case, so that the AEPD can determine whether or not to proceed with the
procedure, agreeing, in accordance with article 65.1, that prosecution in relation to
the facts denounced and the possible violation of the rights of the interested parties in

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 45/117








regarding the protection of your personal data, either by carrying out
of inspection actions aimed at clarifying either, in the event of
find the same sufficiently accredited, by opening the

corresponding sanctioning procedure (article 64.2 of the LOPDGDD).

However, in the present case we find two situations that seem
contradict what was argued by the AEPD in its proposal:

• In the first place, the admissions for processing do not appear anywhere in the file.

of the claims made by Claimants 1, 2 and 3, stating only
those referring to Claimants 4 (on August 14, 2019, folio 405 of the
file), 5 (on August 14, 2019, folio 411 of the file). 6 (on the 19th of
September 2019, folio 472 of the file) and 7 (on April 28, 2021, folio 785
of the file). • Secondly, the facts about which the seven

claims made against my principal were already subject to
inspection actions, initiated on the initiative of the AEPD (as indicated
the Motion for a Resolution) on February 21, 2019 (folios 5 and 6 of the file).

That is, on the dates on which the claims were admitted for processing.
with respect to which this agreement existed (which are not those presented in the first place,

but only the last four of those presented), the transfer made by the
AEPD to CAIXABANK made absolutely no sense, since whatever it was
the response that it offered in relation to the aforementioned claims, the facts
to which they referred were already being investigated by
of the AEPD.


Consequently, even when the AEPD states that they intended to reinforce the
rights of CAIXABANK in order to decide whether or not to proceed with the
procedure referring to the claims made, the truth is that the decision already
had been adopted by means of the agreement of February 21, 2019. Therefore, the transfer

of the claim became a merely bureaucratic process whose decision was already
had been previously adopted, since in case of inadmissibility of the
claim, the AEPD would be going against its own acts, consisting of the start
of the investigation on February 21, 2019.

This is also helped by the fact that the AEPD denies any relevance to the

mentioned admission agreements for processing, which do not display any effect on the
terms provided for in article 64 of the LOPDGDD. Indeed, these agreements do not
determine neither the carrying out of investigative actions nor the opening of
any sanctioning procedure, for the mere fact that these actions,
with respect to which the AEPD considers admission to be so relevant, it is already

were in progress, limiting themselves to agreeing, as recorded in the records
facts of the Initiation Agreement and the Resolution Proposal, their accumulation to those
investigative actions (even though the file does not even show the
agreement by which such accumulation took place). Proof of this is that the very
AEPD is aware that the dies ad quem for the completion of the maximum period of

duration of the investigative actions is none other than February 21, 2020,
in which the term of one year has elapsed since its opening.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 46/117








Second, the Motion for a Resolution limits itself to invoking article 95.4 of the
LRJPAC, indicating that it attributes the power to carry out a kind of
of reopening the investigative actions in case it deems it pertinent,

no matter how much the LOPDGDD establishes a maximum term of duration of the
investigative actions.

Certainly, the aforementioned precept establishes that “[t]he expiration will not produce by itself
the prescription of the actions of the individual or of the Administration, but the
expired procedures will not interrupt the statute of limitations”, adding that

“[i]n the cases in which it is possible to initiate a new proceeding for not
prescription has occurred, the acts and procedures may be incorporated into it.
whose content would have remained the same had the expiration not occurred. On
In any case, in the new procedure, the formalities of
allegations, proposition of evidence and audience with the interested party”.


For its part, article 67.1 of the LOPDGDD is clear in indicating that “[b]efore the
adoption of the agreement to initiate the procedure, and once the application has been admitted for processing,
claim, if any, the Spanish Agency for Data Protection may carry out
carry out preliminary investigation actions in order to achieve a better determination of the
the facts and circumstances that justify the processing of the procedure,

adding exhaustively its section 2 that said actions "may not have
a duration of more than twelve months from the date of the admission agreement
pending or from the date of the agreement by which its initiation is decided when the
Spanish Agency for Data Protection acts on its own initiative. Well, if the
special rule applicable to the performance of the AEPD establishes

completely emphatic that the investigative actions “may not have a
duration greater than twelve months”, this rule must be the only one applicable to the
this procedure since the LOPDGDD itself establishes that the application
of the regulations governing the common administrative procedure is only
subsidiary application to the procedures processed by the AEPD. I mean, I don't know

it is only that the LRJPAC is not applicable as a consequence of the fact that
be the LOPDGDD the special rule regulating the procedure; is that its own
LOPDGDD states in its article 63.2 that “[t]he procedures processed by the
Spanish Agency for Data Protection will be governed by the provisions of the
Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures”

And this does nothing but highlight the contradiction in which the Proposal
of Resolution when at the same time it indicates that the special legislation that results
of application to the procedure establishes a maximum term of duration of the

inspection actions, but at the same time considers that said term
strictly established must be interpreted in the sense that the duration may
always be superior, under penalty of preventing the application of article 95.3 of the LRJPAC
which, as a rule of subsidiary application to the case, results, precisely because of that
reason, inapplicable.


Thirdly, it affirms that the AEPD considers the application of the doctrine to be erroneous.
supported by the National High Court in its judgment of October 17, 2007
(appeal 180/2006). In the opinion of the AEPD, said doctrine is not applicable to the case

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 47/117








for two essential reasons: (i) it was revoked by the Chamber itself from its judgment
of November 19, 2008 (appeal 90/2008); and (ii) predates the establishment of
a maximum period of duration of the investigative actions.


Well, with respect to the first of the aforementioned reasons, it must be remembered that the
judgment of November 19, 2008 was not founded, to modify the criterion of the
Chamber, in the fact of considering erroneous the doctrine supported by the previous
sentence, but based its doctrine on the documentation provided by the legal
representative of the AEPD together with his answer to the demand.


In effect, according to the aforementioned judgment: “[…] however, in the present
supposed a series of specific circumstances that have to be put of
manifest. Thus, the State Attorney notes in the answer to the lawsuit that
the delay produced in the processing of the preliminary actions is in the case

clearly justified. And this because of the study of the documentation provided by
It is clear, unequivocally, the very important increase in cases
processed before the AEPD, not accompanied by the same proportional increase in
personal resources and resources. Documentation that evidences that among the
years 2003 and 2007 have increased the procedures initiated by 108.33% and the
resolutions issued by 105.67%, so the delays in said processing, and

logically in the previous actions (which increased by 120.03% in the
referred period), have not been due to the fraudulent intention of avoiding the expiration
of the sanctioning file, but to said significant increase in the work to be carried out
by the different departments of the AEPD, which clearly justify the aforementioned
delay. Faced with said argumentation of the defense of the Administration, this Chamber

considers that such attached documentation effectively evidences the significant
increase in the number of cases processed in the AEPD in the last four or five
years, which logically has had to imply the consequent extension of the time
of duration of processing of the same and, therefore, of its preliminary phase or of
preliminary proceedings.”


In other words, the doctrine of the judgment invoked by CAIXABANK in its allegations to the
Start Agreement is not erroneous nor has it been revoked by the National High Court, but
which was nuanced by the same in attention to the very peculiar circumstances
derived from the documentary that worked in cars. Precisely, and in order to avoid this
anomalous situation for the rights of the investigated, article 122.4 of the Regulation

of development of the Organic Law 15/1999, of December 13, established a term
exhaustive duration of the investigative actions, which could not exceed
a maximum period of twelve months “counting from the date on which the complaint or
The reasoned request referred to in section 2 would have been entered in the
Spanish Agency for Data Protection or, if there are none, since

the Director of the Agency agrees to carry out said actions”, adding
that “[t]he expiration of the term without having been issued and notified of an agreement to initiate
sanctioning procedure will produce the expiration of the previous actions.

 That is to say, the successive declaration of expiration and subsequent

reopening of the investigative actions followed on its own initiative in a
specific case, since this is in flagrant contradiction with the principle of
legal certainty and with the guarantees that the legal system grants to the
administered, which must not be subject to the perpetual uncertainty derived from the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 48/117








fact that the AEPD may, at the time it deems appropriate, reopen
investigation actions for the same facts or directly initiate the
penalty procedure.


And this is what the LOPDGDD establishes, and nothing else: once a claim has been made,
The AEPD has established deadlines for the investigation of the facts,
form that after the maximum period set by the legislator in the rule that results
of application to the procedure processed by the AEPD, the latter may only agree
the expiration of the procedure and not proceed with its reopening, as it is not applicable

Article 95.3 of the LRJPAC, as it is a general rule and of subsidiary application to the
procedures processed by the AEPD, which establish a strict and limited term of
duration of investigation activities.

And it is precisely the application of article 95.3 of the LRJPAC that determines what

fraudulent action of the AEPD in this procedure in accordance with the doctrine
supported by the ruling of the National High Court of October 17, 2007,
must prevent the proper application of article 67.2 of the LOPDGDD, which is
to avoid, in the terms established by article 6.4 of the Civil Code, through the
invocation of a norm that is not applicable.


SECOND. ON THE VALIDITY OF THE CONSENT GIVEN BY THE
CLIENTS IN THE PRESENT CASE.

 Declares fully reproduced the allegations made to the Initiation Agreement
of this proceeding and affirms that the Resolution Proposal is limited to denying

the origin of what is stated in the cited allegations on the mere basis of their
simple assessment, incurring throughout his reasoning in obvious
contradictions, supporting his criteria in his simple assertion, without carrying out
any reasoning to found that one, and contradicting not only the very nature
of the current account contract, but even the interpretations themselves

made by the EDPB in the documents in which, apparently, it intends to found
its sanction resolution.

He points out that the AEPD affirms that “this Agency considers that, effectively, the
Commissions can form part of the current account contract, remunerating the
services provided by the banking entity, as already indicated in the Agreement of

Initiation of this procedure”, understanding that in the face of such an affirmation,
we can only reiterate that the commissions "can not be part" of the contract, but
which are one of the consubstantial objective elements to it, in such a way that in
In case of not concurring, the contract may have the nature that you want, but we do not
we will find ourselves before a current bank account contract, given that its nature is

bilateral and onerous, so that it is not possible to consider that the same "can" exist
free of charge or without consideration by the client of the entity, understanding
that this conclusion means that the reasoning subsequently followed by the AEPD
must necessarily decline: there is no harm in maintaining the
conditions of the contract, but only an exemption or benefit derived from the

provision of the consents to which reference is being made in this
penalty procedure.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 49/117








And it is this circumstance that the EDPB highlights in its "Guidelines 5/2020
on consent in the sense of Regulation (EU) 2016/679” (hereinafter,
interchangeably, the “EDPB Guidelines” or the “EDPB Guidelines on the
consent"), when in the sixth of the examples he mentions, he points out the
following: “A bank asks its customers for their consent so that third parties

may use your payment details for direct marketing purposes. This activity
of treatment is not necessary for the execution of the contract with the client and the
provision of the usual services of the bank account. If the client's refusal to
giving your consent to said treatment would give rise to the refusal on the part of the bank
to provide their services, at the closing of the bank account or, depending on the case, at a
increased commissions, consent could not be freely given.”


In this way, the EDPB indicates that the consent could be considered not to have been
freely granted in those cases in which the bank:

i. Does not proceed to open a bank account for the client due to the fact that

having given their consent (thus conditioning the signing of the contract to the
provision of consent that does not refer to the object thereof, but to "other
matters”, in the terminology of article 7.2 of the RGPD), in a way that would condition the
conclusion of the contract to the provision of consent;
ii. It is agreed to close the account as a result of the non-provision of the
consent, in the terms already mentioned, which would mean a

conditioning of the same nature, since the revocation or non-provision of the
consent would imply the termination of the contract; or
iii. There will be an increase in the commissions that said client must pay in
relation to the contracted products, that is, by imposing a tax on the
non-provision of consent.


Even when the example is extremely clear and exhaustive, the AEPD is limited, in the face of all
what has been stated up to that moment, to deny it validity, pointing out the following: "This
Agency understands that, regardless of the fact that the EDPB mentions only
some examples of what constitutes a detriment, without pretending to contemplate all
the possible assumptions, the reference to the "increase in commissions" cannot
be interpreted in the literal sense that CAIXABANK expresses in its allegations.

When the EDPB refers to an "increase in commissions" it is evident that
takes as its starting point the assumption that there are established commissions
that are charged in any case, hence, if the refusal to give consent gives
cause these to increase, consider that the consent is not given freely,
while this increase supposes a detriment for the interested party. This is the \ It \ him
consent is not free because its provision is conditioned to avoid a charge that

it was not being produced. And this example is equivalent to the one produced in the case
object of this procedure, in which the exemption from the collection of commissions
is linked to the provision of consent, so that the interested party does not provide
said consent freely, but conditioned by that circumstance.”


CAIXABANK understands that the argumentation of the AEPD is an interpretation
forced, since in the first place, the AEPD in its different resolutions raises up to the
source category of law the content of the various documents and guidelines
emanated from the EDPB, to the point of considering that the contravention of said
documents must be considered as a direct violation of the RGPD itself and

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 50/117








the LOPDGDD that adapts Spanish law to it. This offense is understood
produced even in the cases in which the EDPB is limited to carrying out
general considerations about the interpretation of a certain

precept, considering the AEPD that the RGPD is completed with the criteria
extra legem and sometimes contra legem included in such opinions. just remember
for this purpose, the resolutions issued in procedures PS/00070/2019,
PS/00477/2019 and PS/00500/2020 (the latter two directed respectively against
CAIXABANK and one of the companies of the Group in which it is integrated) to verify
how the legally required requirements for the validity of the information obligation

to those affected or the provision of consent are expanded beyond what
established in the norm as a consequence of the application, as if of a norm
legal, of the criteria supported by the EDPB.

However, in this Motion for a Resolution, and even having cited

again as if it were a legal norm the aforementioned Guidelines on the
consent, the AEPD makes a new interpretation of the criteria based on
by the EDPB, since if they are not consistent (when not diametrically
opposed) to the thesis that it intends to maintain, this can only be due to two
possible causes: (i) their intention not to be exhaustive, so that they have not
considered a case like the one analyzed by the Agency; or (ii) the effective contemplation

of said assumption, understanding that the interpretative opinion must be in turn
interpreted in the sense that the AEPD considers appropriate to defend.

The very content of the Motion for a Resolution reveals the obvious
contradiction of the reasoning of the AEPD.


Indeed, firstly, regarding the consideration that the content of the
Guidelines is not exhaustive, it should be noted that the example seems to do
reference to all the assumptions in which it could be considered that there would be a condition of the
principle of freedom of consent in a case like the one analyzed. How much

to the commissions at no time does it refer to the collection of the agreed commissions
in the contract or to the disappearance of an exemption from said payment, but only and
exclusively to an "increase" of the same as a consequence of the non-provision
of consent. And furthermore, this assumption, unlike the two cited by the
EDPB previously did not join unconditionally, but "depending on
of the case”, that is to say, of the circumstances that concurred in it, so that

there will be assumptions in which even such an increase would not determine an absence of
freedom of consent.

The AEPD itself reasons how this would be (and not the one analyzed in this procedure)
the assumption that could affect, it has already been said that conditionally, the freedom

of consent. For this, take into account that the AEPD itself indicates that the
EDPB's criterion is that “if refusal to consent results in
these [commissions] increase, consider that consent is not given
freely”, adding that this example is equivalent to the one analyzed in this
process. Well, such a statement can only be described as erroneous: in

In no case can it be considered that in the case analyzed the refusal to provide the
consent causes commissions to increase. The commissions are agreed in
the contract signed by the interested party and do not increase in a greater or lesser amount
as a consequence of the lack of provision of said consent. That is, and for

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 51/117








if it is not clear enough, the full effectiveness of the
contract and the enforceability of said commissions, already agreed with the interested party in the
time of signing the contract.


A different matter is that the provision of consent supposes a reduction or
exemption from the payment of said commissions. In this case, no lien is established.
for the refusal to give consent, but a reduction or exemption from the payment of the
consideration that corresponds to him to satisfy for the services rendered by his
client. In other words, the non-provision of consent does not imply any burden, but

the maintenance of the general conditions of the contract, which impose the payment of
A commission.

Finally, the AEPD, however, denies effectiveness for the defense of human rights
of CAIXABANK because it limits itself to considering that “[w]hen the EDPB refers to

to an "increase in commissions" it is evident that it takes as its starting point the
course in which there are some established commissions that are charged in any case”.
In relation to such a statement, that in a case in which the EDPB
clearly stated, it is not possible for the AEPD to expand (or rather limit) the
interpretation of the assumption to the one that he considers adjusted to his thesis, no matter how
It is evident that he intends to consider this fact. If the AEPD considers that it is “obvious”

the interpretation that it intends to carry out, should justify what it is based on to appreciate
that supposed evidence and not limit himself to incorporating into his reasoning so apodictic
conclusion.

And there is also an obvious contradiction in the reasoning supported by the

AEPD in its Resolution Proposal when, after reproducing the quote from the “Manual of
European legislation on data protection”, adopted by the Agency for
Fundamental Rights of the European Union and the Council of Europe, in
collaboration with the European Court of Human Rights and the European Supervisor
of Data Protection, which CAIXABANK made in its brief of allegations to the

Initiation Agreement, and after having insisted that in the controversial case there was no
any benefit derived from the provision of consent, but a manifest
prejudice in the event that the same was not granted concludes, certainly
succinctly, that from what is stated in the aforementioned Manual it can be deduced that "the benefit must
be small, this is not important enough to affect
freedom of choice”.


This part cannot for sure venture if it follows from such an affirmation that
Finally, and despite what has been reasoned up to that moment, the AEPD considers that in the
In this case, we would find ourselves before a benefit that, however, must be
rejected. What he does consider is that not even the reproduced statement is

supplemented with the slightest reasoning that justifies why he understands the
AEPD that the "benefit" is not "small" in this case. In this way, the
AEPD once again limits itself to refuting CAIXABANK's arguments regarding a
completely conclusive affirmation, lacking the slightest substratum of evidence that
allow CAIXABANK to refute it. In this way, the AEPD seems to consider that the

entity of the benefit obtained by the provision of consent must be
significant, but in no case does it provide the arguments that lead to such
conclusion, with the evident breach of the presumption of innocence of CAIXABANK,
which should, as seems to follow from the reasoning of the Motion for a Resolution,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 52/117








prove that the amount of the benefit is reduced to avoid the application of the rule
sanctioning


Well, it should be remembered that recital 9 of the RGPD indicates the following:
“Although the objectives and principles of Directive 95/46/EC remain valid, this
has not prevented data protection in the territory of the Union from being applied
fragmented manner, neither legal insecurity nor a generalized perception among the
public opinion that there are significant risks to the protection of people
physical, particularly in relation to online activities. The differences in

level of protection of the rights and freedoms of natural persons, in particular
of the right to the protection of personal data, with regard to the
processing of such data in the Member States may impede the free
circulation of personal data in the Union. These differences can
constitute, therefore, an obstacle to the exercise of economic activities at the

of the Union, distort competition and prevent the authorities from complying with the
functions incumbent on them under Union law. This difference in
levels of protection is due to the existence of divergences in the execution and
application of Directive 95/46/EC.” In the case analyzed, the benefit
would obtain as a result of the provision of consent is the exemption from
payment of a monthly commission of 5 euros, which the AEPD, even without justifying it in

no time, seems to consider excessive.

This criterion is contrary to that maintained by the Austrian Data Protection Authority.
Data (Datenschutzbehörde) in its resolution of November 30, 2018, which can
be consulted in its German version on the website ***URL.3.


In the case analyzed by the aforementioned resolution, the authority ruled on the
case of an Austrian website that gave its customers three options as to
to your access to the information published on the website:
to. Partial access to the website free of non-essential cookies.

b. Payment of a subscription in exchange for access to the website without non-essential cookies.
c. Access to the website in exchange for the installation of advertising cookies and third parties.

In view of this scenario, the resolution considers that it is possible to offer access
to the website in exchange for cookies being installed in the user's browser
given that the following preconditions are met:

to. The website is subscription based anyway.
b. The cookie policy is very clear regarding the type of cookies installed and the
third parties that have access to the data received.
c. Cookies are not installed before the client consents, or not, to their installation.
 d. Withholding consent does not have significant negative consequences for

the user.
In particular, the Austrian Authority understands that the consequences of denying the
consent are not significantly negative to the extent that the share of
subscription -of 6 euros per month without data processing- is reasonable for not
exercise sufficient coercive power over the interested party, which is not seen in the dilemma

to consent to the processing of your data or pay a subscription that is not affordable.
Well, in the present case (i) the amount of the commission whose payment would be
exempted the client for the provision of consent is lower than that collected
in the case just referred to; and (ii) commissions are part

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 53/117








part of the contract, so that these are an essential element of it, that is,
the contract is bilateral and onerous by nature. In this way, it would be possible to achieve
same conclusion reached by the aforementioned resolution, in the sense of considering that

there is no negative consequence for failure to provide consent.

CAIXABANK is aware that the resolution comes from a supervisory authority
different from the AEPD and that we are not faced with a criterion supported by the
EDPB (although it has already been demonstrated that it does not consider that there is a
levy in case of commission exemption). However, it is clear that if the

The purpose of the GDPR is to establish a uniform framework in the application of the
rules and principles that configure the fundamental right to data protection,
there is no doubt that the criterion supported in the aforementioned resolution (it must, for this purpose,
It should be remembered that the EDPB in its guidelines requires for consent to the
installation of cookies the same requirements established in article 4.11 of the

RGPD) must be taken into consideration as an element to take into account in the
interpretation of the requirements demanded of the consent of the interested parties by the
personal data protection regulations.

However, as already indicated, the AEPD in its Resolution Proposal indicates that
there is an “element of compulsion or pressure”, which “is determined, in the opinion of the

AEPD, for the collection of those commissions established in such a way that they suppose a cost
of sufficient entity to determine the clients of such accounts to accept the
consent to the processing of data for purposes other than those of the
contract". However, as already indicated, no reasoning makes the AEPD
to determine why the exemption from a commission of five euros per month should

be considered as an element of pressure or why it should be considered
of an entity sufficient to force the provision of consent, especially if
takes into account that, as evidenced by the figures included in the fact
sixth of the resolution, it was not provided by almost 250,000 clients of the
entity, which cannot be considered a trivial number.


 And, it is necessary to reiterate, the non-provision or revocation of consent does not carry
associated with any cost for the interested party, since it only implies the application
of the general conditions of the contract previously signed by the interested party. No
reference is being made to a free contract that, as a consequence of said
lack of provision or revocation, becomes onerous, since the contract has

this nature from the moment of its signature. Nor is it being done
reference to the modification of the general conditions of the contract by means of a
increase in its "price", that is, of the commissions, since they will be
those that appear in the contract signed by the interested party, without increasing in any
moment.


On the other hand, the AEPD affirms that in the present case the consent is not free,
but conditioned, since CAIXABANK does not offer its clients any service
equivalent to the one provided in the event that they do not give their consent to the
treatment or transfer of your personal data.


CAIXABANK has already made clear in its allegations to the Initiation Agreement the
inaccuracy of such a statement, since the product offered to those who
have not given the aforementioned consent is not "equivalent", but the same as

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 54/117








had contracted, even when not giving consent does not produce a
exemption in the payment of commissions. That is, the product, the ON Account, with its
general conditions and with the specifications established in the contract is the

same for all customers who sign the contract. There are no two contracts
different, subject to different general conditions, but a single contract that is
signed by each and every one of the clients of the ON Account. For this reason it
ignores the reason why the AEPD considers that the aforementioned does not exist
equivalence, when what exists is an absolute identity, being one and the same
contracted product.


 And it is that, as the EDPB Guidelines point out, the person in charge “could argue
that your organization offers stakeholders a real choice if they could
choose between a service that includes consent to the use of data
for additional purposes, and an equivalent service offered by the same

responsible that does not imply giving consent for the use of data for purposes
additional”, which happens in this case, in which the provision of the service is not conditioned
service, under the same conditions signed by the interested party, to the provision of the
consent to the processing of your personal data.

Even in the denied assumption that the aforementioned equivalence could not be appreciated,

CAIXABANK highlighted in its allegations that there were other products of
identical nature to the object of the present procedure for which the
Interested party without the need to consent to the processing or transfer of their data.
personal information. The AEPD limits itself to responding to this statement that CAIXABANK
“does not prove that it is an equivalent service”, adding that “[i]t is not possible to admit

that any current account is an equivalent service if the conditions in which it is
lends are different or are aimed at a certain group, so that
excludes that others can hire him”. Such a statement contradicts the
very nature of the current account contract, given that if we find ourselves before
participating contracts of the same nature, it must be concluded that the services

rendered are equivalent.

 In particular, reference should be made to the "Easy Account" which was already alluded to in the
brief of allegations to the Start Agreement. First of all, and as a starting point,
It is a bank current account contract, which determines the identity of
nature with the account ON. On the other hand, it is an account exempt from the payment of

commissions as long as certain requirements are met by the owner,
that in no case are conditioned neither to the establishment of a "digital profile" nor to the
provision of any consent for the treatment or transfer of your data
personal, issuing a debit card free of charge. Said conditions
consist of the existence of a payroll equal to or greater than 700 euros or benefit for

unemployment or pension equal to or greater than 200 euros, as well as one of the three
following:
• Make two purchases a month with a credit card
• Contribution of 135 euros in risk insurance premiums.
• Possession of more than 30,000 euros in investment funds, pension plans or

savings insurance (this requirement was also fulfilled in the case of holding
40,000 euros in investment products of the entity, being excluded from this
requirement for people under 26 years of age).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 55/117








 In short, CAIXABANK customers could freely opt not only for the
giving your consent to the processing of your personal data, but also
for the possibility of contracting another product of an identical nature, also exempt

of commission payments.

And it is that, as the Motion for a Resolution itself acknowledges, with the citation of the Manual of
data protection reproduced above, his reasoning would lead to
consider null the affirmation that is clearly contained in it and even the
statement in the Proposal that the benefit should not be significant or

should be minor. In this sense, if one follows ad pedem litterae the
establishment of a discount to those who have accepted their inclusion in a
loyalty program of any company, with the consequent acceptance of the
treatment of your data would be null, since the possibility of enjoying
of the same discount in case of not choosing to adhere to the program of

loyalty, which, obviously, respectfully contains a sophism in its
own terms.

A different matter is that the AEPD considers that it is necessary that the entities
financial institutions have a contract in which no commission is established by them
some for the contracting of a current account, as it seems to be derived from what

indicated in the motion for a resolution. In that case, and as we already indicated in
our allegations to the Initiation Agreement, the AEPD would be exceeding the limits in the
scope of the functions and powers attributed to it by the RGPD, imposing
conditions to credit institutions for contracting their products and
services, which would entail, as already indicated, a manifest excess in

those.

  The AEPD, in relation to this affirmation maintained by CAIXABANK in the
allegations to the Initiation Agreement, indicates that “[t]his Agency does not assess the validity of the
contract, but that of consent to carry out other treatments different from those

of the contract and that is conditioned by the exemption from the collection of
commissions, which in the opinion of this Agency is contrary to the provisions of article 7.4
of the GDPR”.

CAIXABANK disagrees with this statement: the AEPD in its reasoning is not only
affecting the freedom to provide consent for the treatment of personal data.

personal data of the interested party, but affirms that this consent, as
essential element of the current account contract, is affected as a consequence
of the fact that said entity exempts from the payment of commissions those who provide
your consent to the so-called “digital profile”, which not only affects the application
of the personal data protection regulations, but to the legality of the contract itself,

given that if the consent for the contracting of the financial product is null by
to be, in the opinion of the AEPD, subject to a kind of coercion, there would be a vice
invalidating the contract itself, as the contractual consent is affected.

Thus, the only conclusion that can be drawn from the motion for a resolution is

that no benefit should be granted for the provision of consent to
the treatment of the data, since in that case the contract would be vitiated in its
own signature, and this despite the fact that the AEPD itself recognizes in its reasoning the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 56/117








possibility of granting benefits, although, in their own terms, “not significant”
or “minor”.


Finally, the AEPD seems to consider that the consent given by the
CAIXABANK clients would not be informed, since it states “it is unknown at the time
to sign the contract who are such collaborating entities, and the individual must
go to the website of the entity to know at all times who has been
transferred their data”.


But at the same time, it should be remembered that article 11 of the LOPDGDD establishes the
How the interested party must be informed about the processing of their data
through what is called “layered information”. Said precept establishes in its
section 1 that “[w]hen the personal data is obtained from the affected party,
responsible for the treatment may comply with the duty of information

established in article 13 of Regulation (EU) 2016/679, facilitating the affected party
basic information referred to in the following section and indicating an address
electronically or by any other means that allows easy and immediate access to the
remaining information” and in its section 2 it does not include the recipients of the data
within the basic information mentioned, being perfectly possible that the
enumeration of the same is collected in the second informative layer by means of the

inclusion of a link in which the list of them appears.

But it is that, in addition, as it appears collected in the fourth fact of the
Proposal, said link does not exist for the simple reason that, as indicated, it does not
There has been no transfer of data to entities of the Group or collaborators. Thus, the

Proposal includes as proven what was indicated by the entity in the sense of indicating
that “[a]lthough the consent of customers has been requested, BANKIA has not given
your personal data neither to the companies of the group nor to other collaborating entities
based on these general consents of the TDP nor is there any provision for
this” and it is concluded that “[t]here is no link or published document that contains the

list of collaborating companies since there is none to which data is transferred
based on the general consent obtained through the TDP”.

In other words, the affirmation supported by the Motion for a Resolution on this point enters
in direct contradiction to what the Proposal itself has considered proven.


It concludes that the consent obtained by CAIXABANK in the supposed object of the
This procedure is completely in accordance with the requirements demanded by
Article 7 of the RGPD, because:
     CAIXABANK is able to demonstrate the effective provision of consent and
        carry out a traceability of the consents obtained (article 7.1), which

        which is proven in the Proposal.
     The consent requested from the interested party is presented “in such a way that it is
        clearly distinguishable from the other matters [of the contract], in an intelligible and
        easily accessible and using clear and simple language”, as recognized by the
        AEPD itself (article 7.2).


     The interested party can at any time, and with the same simplicity as
        gave their consent, revoke said consent (article 7.3), which in
        At no time does the AEPD deny it.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 57/117








     The execution of a contract, including the provision of the services that
       constitute the current account contract by my CAIXABANK, it is not
       subject to consent to the processing of personal data, given that the
       The interested party may freely give this consent or not, not
       producing no modification in the general conditions of the same

       (article 7.4).

Affirms that if the consent obtained by CAIXABANK meets the conditions
established in article 7 of the RGPD, it is obvious to conclude that it cannot be considered
in no case that the same has incurred in an infringement of the aforementioned precept in
connection with article 6.1 a) of the RGPD. And this should lead to the archive of the present

proceedings.

THIRD. ABOUT THE CONSENT COLLECTED FROM CUSTOMERS
WHO CONTRACTED THE CONTROVERSIAL PRODUCTS THROUGH THE
ON-LINE CHANNEL BETWEEN JULY 8 AND AUGUST 15, 2018


CAIXABANK considers the allegations to the Initiation Agreement reproduced and indicates that,
in what is argued in the resolution proposal, the AEPD forgets that throughout the
reasoning made in relation to the first of the accusations directed
against CAIXABANK has crossed out as null, as the element of freedom did not concur, the
consent given by the clients of said entity, and this, obviously, even

when CAIXABANK considers that the cause of nullity assessed by the AEPD does not
concurs in the event of the consents given by the clients of the
Account ON.

CAIXABANK points out that, as already indicated, it has not denied that a
anomaly in its systems that affected a very limited number of its customers

(only 812 out of a total, according to the Motion for a Resolution itself, of around
1,200,000 customers). What it does deny is that if it is considered that the
consent requested was not lawful, as it was not considered free, which again
denies, it can also be seen that this illegality is "reinforced" by the fact that
that the consent provision box is pre-marked. In this
sense, respectfully, we understand that the reasoning of the resolution should

to have been, precisely, the inverse to that sustained in the transcribed text, and that it seems
that has been incorporated with the sole purpose of increasing the sanctioning reproach
to CAIXABANK: if the requested consent is null because it is considered contrary to the
requirements established for its validity in article 4.11 of the RGPD, would result in all
irrelevant point that it had been requested by means of a box
pre-dialed, given that, as would happen for the remaining 1,199,188 clients)

that consent would in no case enjoy the validity required by the AEPD.

In other words, if the reasoning of the AEPD is followed, what this party denies in all
case, none of the consents given (whether or not the pre-marked
box) would be valid, so imposing an additional penalty for the fact that in

such an extremely small number of cases said box would be pre-marked
it is nothing but a contravention of the non bis idem principle. And this should match
immediately the subsumption of this alleged infringement in the collection by the AEPD
in the first place, in the event that it insists, despite what is alleged by
CAIXABANK, in the nullity of the consent granted.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 58/117









Only in the event that the infringement analyzed in the Second allegation was not observed.
of this writing, the appraisal of a sanctioning reproach against
CAIXABANK.


FOURTH: VIOLATION OF THE PRINCIPLE OF PROPORTIONALITY.
IMPROPER APPLICATION OF CONCURRENT CIRCUMSTANCES IN THE
PRESENT CASE


1. General consideration about the principle of proportionality


From what has been indicated, the origin of the fact that
the resolution that, in short, is issued in this procedure agrees on the
archive of the same, exonerating CAIXABANK from all responsibility.


However, for the hypothetical assumption that the AEPD does not
Appreciate the concurrence of the necessary requirements to agree on the aforementioned file,
should be particularly taken into consideration in determining the sanction that
could impose the application of the principle of proportionality.

In this sense, it should be remembered, in the terms in which the

Supreme Court in its ruling of November 20, 2001 (Recourse of Cassation
no. 7686/1997):
“As the Supreme Court has already maintained in rulings of November 24,
1987, October 23, 1989 and May 14, 1990, the principle of proportionality
cannot escape jurisdictional control, because as specified in the judgments
of this Court of September 26 and October 30, 1990, the discretion that

is granted to the Administration must be developed weighing in any case the
concurrent circumstances in order to achieve the necessary and due
proportionality between the imputed facts and the demanded responsibility, according to the
judgments of November 24, 1987 and March 15, 1988, given that all
sanction must be determined in congruence with the entity of the infraction committed
and according to a criterion of proportionality attentive to the objective circumstances of the fact,

proportionality that constitutes a normative principle that is imposed as a
precept more to the Administration and that reduces to the scope of its powers
sanctions, since jurisdictional activity corresponds not only to the qualification
to subsume the conduct in the legal type, but also to adapt the sanction to the fact
committed, since in both cases the subject is the application of evaluative criteria
legal embodied in the written norm inferable from integrating principles of the

legal system, as they are in this sanctioning field, those of congruence and
proportionality between the infraction and the sanction.”

In this way, it is necessary for the sanctioning body to proceed to evaluate
meticulously the concurrent circumstances in the present assumption, with the

purpose of determining the amount of the punitive measure that may be appropriate
adopt against CAIXABANK in the denied event in which it is appropriate to do so.

2. The disproportionate nature of the sanctioning measure adopted by the AEPD
in relation to the second of the infractions attributed to CAIXABANK

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 59/117









As CAIXABANK already indicated in the allegations to the Initiation Agreement, which are
perfectly transferable to the Motion for a Resolution, there is an absolute

violation of the principle of proportionality with regard to the alleged infringement
the fact that the consent boxes were pre-marked during
the period between July 8 and August 15, 2018, given that it adopted,
with due diligence all measures aimed at correcting the
deficiency produced in its information systems, affecting the incidence
only to a total of 812 clients out of a total of 1,200,000.


 This issue was analyzed in detail in the arguments made by
CAIXABANK to the Initiation Agreement, which it already reproduced, as does the
Resolution Proposal, the measures adopted by said entity. Likewise, it
revealed that the 812 customers affected are inactive customers who have not

maintained any relationship with the entity from the time of the opening of the
account through any channel, being impossible for me said entity its
locating and establishing any contact with them. To this must be added
that there has been no complaint or claim against it by the aforementioned
interested parties as a result of an alleged violation of the fundamental right
to the protection of your personal data.


The control authorities enjoy, in accordance with the RGPD, a very wide margin of
discretion in the adoption of coercive or repressive measures. However
Such discretion cannot become a violation of the principle of
proportionality and the interdiction of the arbitrariness of public powers,

especially if one takes into account that, as this party has repeatedly recognized, in
In this case, there has only been an incident in the operation
of their systems, having adopted all the necessary corrective measures and
ultimately proceeding to consider the consents granted as not given
as a result of this incident.


Having made the foregoing consideration, CAIXABANK considers that in this case there is no
aggravating circumstances would be applicable that, unduly considers concurrent the
AEPD, also considering appropriate, in the denied assumption of appreciating the
responsibility of CAIXABANK, the imposition of the warning measure
established in article 58.2 b) of the RGPD.


The Motion for a Resolution is limited to citing the content of recital 148 of the
GDPR to conclude, certainly in a completely concise way that “[i]n this
case, considering the seriousness of the infractions found, the imposition
fine without being able to accept the request made by CAIXABANK for it to be

impose other corrective powers that would have allowed the correction of the
irregular situation, such as the warning, which is planned for natural persons
and when the sanction constitutes a disproportionate burden.” In this way,
CAIXABANK cannot know which are the elements that the AEPD considers to be
they “clearly” exclude the possibility of applying the measure that has just been indicated.


And it is that the Proposal seems to emphasize not in the concurrent circumstances in
the present assumption or those that are necessary for the appreciation of the
origin of replacing the economic sanction with the warning, but rather

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 60/117








focuses on the reference made by recital 148 of the RGPD to the
circumstances to be taken into consideration in determining the amount of the
economic fine as if they were determining elements of the

inadmissibility of adopting the warning, rushing immediately to
appreciate their concurrence in the assumption, even when they were not considered in the
Start Agreement, in order to reinforce the conclusion previously reached.

Recital 148 cited only refers, for the assessment of the
warning to the fact that we are faced with a "minor infraction" or a

fine “likely to be imposed would constitute a disproportionate burden
for a natural person. Not being applicable to CAIXABANK the second of the
assumptions must be analyzed if we are faced with an assumption that could
considered of little seriousness or "slight" in the present case. And it should be noted
Note that when the RGPD refers to a "minor infringement" it does not do so by

reference to the provisions of article 74 of the LOPDGDD, since, on the one hand,
said rule did not exist at the time of approval of the RGPD and, on the other hand, said text
The law does not differentiate between different degrees of severity of the sanction in its article 85.

When recital 148 of the RGPD refers to the seriousness or lightness of the
sanction refers to the cases in which there has been or has not been a commitment

particularly relevant to the fundamental right to data protection,
way that in case of not being the same tolerant and being manifest the violation does not
it would be possible to go to the warning as a response to non-compliance.

The Article 29 Working Group stated in this regard in its document

WP253 of “Guidelines on the application and setting of administrative fines to
effects of Regulation 2016/679”, ratified by the European Committee for the Protection of
Data in its constitutive session, when it indicates the following (the underlining is ours):

“In recital 148, the notion of “minor infringements” is presented. sayings

Violations may constitute violations of one or more provisions of the
Regulation cited in article 83, paragraphs 4 or 5. However, the evaluation of
the criteria provided for in Article 83, paragraph 2, may lead to the authority
of control considers, for example, that in the specific circumstances of the case the
violation does not entail a significant risk to the rights of the data subjects and does not
it affects the essence of the obligation in question. In such cases, the fine may be

replaced (although not always) by a warning.

Well, in the present case we are faced with a situation that has affected
only to 812 of a total of 1,200,000 clients, without there being any type of
claim on their part and without said affected parties having maintained, from the

at the time of the occurrence of any type of relationship with CAIXABANK,
dealing with inactive clients with respect to which, in addition, said entity appreciated as
not given consent, refraining from processing your data
and all this after having adopted extremely
diligent aimed at achieving contact with the aforementioned clients.


In this way, and without prejudice to the fact that it has already been warned that the imposition of this
sanction would imply a violation of the non bis in idem principle, in the denied assumption
in which the AEPD considers that CAIXABANK's conduct could constitute

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 61/117








of reproach, of which there would be no doubt about the absolute lightness of the
infraction allegedly committed, which should lead to the fact that, in the event that
appreciate against the criterion maintained by CAIXABANK the existence of reproach

sanctioning, this should at most consist of the adoption of the measure of
warning established in article 58.2 b) of the RGPD

3. On the circumstances assessed in relation to the first of the infractions
included in the Resolution Proposal.


a) Of the alleged concurrence of the aggravating circumstance provided for in article 83.2.a) RGPD,
that assesses the nature, seriousness and duration of the infraction. The AEPD considers the
appropriateness of applying this aggravating circumstance to CAIXABANK because “[t]he
It is an isolated offending conduct. It is about the design of a financial product
with the purpose of conditioning the clients of the entity that contract the same,

through the exemption of the collection of commissions of the contract, to lend its
consent for purposes other than those of said contract.

However, CAIXABANK understands that the circumstance mentioned, as well as the
remaining that are cited in this section should not be considered aggravating their
behavior, since they integrate the typical behavior on which the AEPD applies its

sanctioning power.

Indeed, as indicated in the Motion for a Resolution, it is considered that the conduct
infringer consists of the alleged conditioning of their consent for the
processing of your personal data by having established an exemption from the payment of

The commissions. In this way, if said conduct integrates the type of infraction
hardly appreciated, it can also be considered a circumstance
that aggravates the responsibility.

On the other hand, the citation of the figures mentioned in the Motion for a Resolution

shows how consent was not conditioned in any way
automatically as a result of CAIXABANK's conduct, given that nearly
250,000 customers, which cannot be considered under any circumstances as a
merely residual figure, they decided not to provide all the consents established
by CAIXABANK in order to be considered users with a “digital profile”.


Finally, the AEPD indicates in its Resolution Proposal that "it is carried out
In addition, the treatment of a large volume of data of the interested parties who consent
that the profiling is carried out with the data that is qualified in the TDP as
personal and include data relating to customer identification, contact details,
marital status, number of children, date and province of birth, nationality and data

professionals; with the data obtained from the contracted products and with the
obtained from the operations, movements or transactions associated with their
products". It should be remembered that, as indicated in the proven facts, the
outlined to which the Motion for a Resolution refers would have a character prior to the
transfer of personal data of customers who have provided their

consent for this to the companies of the Group or collaborators of said entity.

However, the Proposal itself states as a proven fact that the aforementioned transfer did not
did not take place in any case, indicating that “[a]lthough consent has been requested from

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 62/117








customers, BANKIA has not transferred their personal data to the group companies or
to other collaborating entities based on these general consents
of the TDP and there is no provision for it” and it is concluded that “[n]ot there is no link or

published document that contains the list of collaborating companies since it does not
there is none to which data is transferred based on the general consent obtained
through the TDP. Thus, if the treatment did not take place according to one's own
Resolution Proposal, it will hardly be admissible to indicate that said treatment “is
carried out”, being that either the facts declared proven in the Proposal or
Well this statement is contrary to reality. Thus it is hardly possible

apply as an aggravating circumstance that in no way has occurred in this
case according to the factual account of the Motion for a Resolution.

All this concludes in the non-application of the aforementioned aggravating circumstance, given that,
On the one hand, it implies aggravating the sanction based on an element of the offending type and, on the other hand,

another conflicts with the list of facts that the Proposal declares
tested.

b) Of the alleged concurrence of the aggravating circumstance provided for in article 83.2.b)

 The proposed Resolution states at this point that “[t]his is a conduct

intentional in relation to the violation of data protection regulations
personal, being aware the claimed entity that the exemption from the payment of
commissions would result in most customers of such accounts
consent to the processing of advertising data and transfer of data to companies
of the group".


 The very text of the proposal on this point shows to what extent the
reasoning contained in its foundation of law III contradicts reality
of the facts, given that, as it indicates, at this point there has been no
encumbrance or damage to the interested parties who have not provided their

consent to the processing of your personal data, but only the exemption
payment of commissions, which is purely and simply a benefit.

CAIXABANK understands that, in any case, it is not possible for the AEPD to assess
aggravating circumstance which is nothing but a mere business strategy and less
still prejudge the assessment that CAIXABANK could carry out about the number of

customers who could give their consent to the processing of their personal data,
given that it is difficult for the AEPD to know, and even less to prove, the realities or
facts of which said entity may or may not be aware.

In this way, the Proposal raises nothing less than to the degree of circumstance

aggravating liability which is nothing more than a mere conjecture or assessment
merely subjective about what CAIXABANK could or could not consider in the
moment of launching the product, also taking for granted the reality of that
guess.


Added to this is the fact that, as already indicated in the section
above, it has been proven that more than 20% of the clients who subscribed to the
Account ON chose not to give their consent to the treatment and transfer of their
data, thus not assuming the so-called "digital profile".

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 63/117









c) Of the alleged concurrence of the aggravating circumstance provided for in article 83.2.k) RGPD,
considering included in it as an aggravating circumstance the nature of a large company of

CAIXABANK.

CAIXABANK affirms that the Resolution Proposal, without further consideration,
considered aggravating, under the residual rule established in article 83.2 k)
of the RGPD, CAIXABANK's status as a large company. Consider that in relation
With this circumstance, it has not found in the regime of the RGPD nor in that of the

LOPDGDD no rule that considers the same as an aggravating factor of an infraction.
The most that the size of the company will contribute to is the quantification of the limit
maximum of the sanction that could correspond, depending on it, if it is higher
to the established limits, of the total annual worldwide business volume of the person in charge.
However, this consideration is already made by the AEPD when calculating the number of

business of CAIXABANK, so it seems that it is simply added, of
completely arbitrarily, to the catalog established in the current regulations, with the
consequent breach of the principle of legality.

d) Of the supposed continuous nature of the infraction.


CAIXABANK alleges that the AEPD appreciates the existence of a continuous character in the
offense committed, “in the sense interpreted by the National High Court as
permanent infringement. Well, so that an infraction can be cataloged
as permanent, in the cases in which the non-existence of the
consent of the interested party, it is necessary that it has been proven that the

treatment has actually taken place, even though the accredited facts
As proven in the Resolution Proposal, it is not clear that the execution of the
treatment and, what is even more relevant, that in no case was there
effectively the transfer of data with respect to which the consent of the
interested. Thus, the National Court in numerous sentences, for all the one of 21

October 2014, relapse in appeal 367/2013, recalls that: “[…] in this area
administrative penalty there are so-called permanent infractions (which do not
continued), which are characterized in that the conduct constituting a single offense is
maintained for a long period of time, which implies that the term of
prescription does not start until the situation of infringement pursued ceases
SSAN, September 21, 2001 (Rec. 95/2000), November 21, 2007 (Rec.117/2006);

April 23, 2008 (Rec. 274/2007), May 20, 2010 (Rec. 337/2009), October 14
2010 (Rec. 64/2010) etc. Thus, in the case of data processing without consent,
There is permanent damage to the legal right while the existence of the legal right is proven.
treatment without consent”.


In this way, and aside from the fact that, as indicated in the aforementioned judgment, the
circumstance of continued infraction, which is the one established in article 76.2 a) of
the LOPDGDD cannot be assimilated to that of permanent infraction, a similarity that, due to the
On the contrary, the AEPD does appreciate it, it must be taken into account that it does not appear as proven
in the Proposal that the treatment without consent (in the opinion of the AEPD) has

taken place, which would invalidate the application of this circumstance.

e) Of the alleged benefits obtained by CAIXABANK.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 64/117








  The AEPD considers in the Resolution Proposal that the
responsibility of CAIXABANK, given that “[i]t is taken into account that among its
commercial activities is the sending of commercial communications to

its clients from the following sectors: financial (banking, investment and insurance),
real estate, cultural, travel, consumption and leisure”. This part fails to understand why
what reason is considered that the realization of the aforementioned communications constitutes,
As the Resolution Proposal seems to indicate, the activity of CAIXABANK, which
As is well known, it is a bank entity.


Moreover, in any case, such a conclusion could at most imply the existence
of a link between the activity of said entity and the performance of processing
of data, but in no case does it imply obtaining a supposed benefit for the
same, unless it is considered that the realization of a shipment (fact that also
has not been proven, as has been repeatedly pointed out) intrinsically implies a

profit for CAIXABANK.

If the AEPD considers the alleged obtaining of a benefit to be applicable as an aggravating circumstance
should, at least, accredit it in the resolution. However, again, the
AEPD makes a completely apodictic statement in its proposal, lacking the
least evidentiary support that, in addition, is used as an aggravating circumstance to raise the

amount of the sanctioning reproach directed against CAIXABANK.

3. On the circumstances assessed in relation to the second of the infractions
collected in the Resolution Proposal


a) General consideration about the application of aggravating factors related to the
size of CAIXABANK, the ongoing nature of the infringement and the benefits
obtained.

 The AEPD considers concurrent in the second of the offenses imposed the

same aggravating circumstances appreciated with respect to the first, because, with
independence of its diction, together with those mentioned in the rubric of this
section, the Motion for a Resolution also refers to those included in the
sections a) and b) of article 83.2 of the RGPD.

Regarding the remaining circumstances, CAIXABANK wishes to consider reproduced what

indicated in sections c), d) and e) of the previous section, which is also seen
reinforced by the fact, which the Proposal ignores, that the behavior now analyzed
it only affected, as has been pointed out repeatedly, a total of 812 people
of a mass of clients of the ON account close to 1,200,000 people.


Nor has it been proven, with respect to said clients, or the continued nature of the
infringement nor the obtaining of any benefit by said entity, which would exclude the
application of these aggravating circumstances, since if the AEPD considers
from its application, this should only be based on the accreditation of the
concurrence of the necessary requirements for it to take place.


b) On the alleged concurrence of the remaining aggravating factors referred to in the
Resolution Proposal.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 65/117








 The AEPD considers that it is appropriate to aggravate the sanctioning reproach in this case given
that “[t]his is not an isolated event, but rather affects the collection procedure
consent for a period of time, during which the consents

They appeared pre-marked for those clients who contracted online”. Equally,
considers that there was negligence on the part of CAIXABANK, given that “[t]he defect that
constitutes the infraction, this is the existence of pre-marked consents, given
his evidence should have been warned and avoided by an entity with the characteristics of the
claimed entity.


First of all, it should be remembered that the impact of collecting the
consents mentioned in the Proposal was limited to a short period of time
(from July 8 to August 15, 2018) affecting, ultimately, as
It is accredited only to 812 clients, who also do not maintain any type of
active relationship with CAIXABANK.


But the fact is that, in addition, the defect was detected by CAIXABANK, which once
appreciated the error proceeded to correct it, so that as of August 15,
2018, that is, more than six months before the opening of the proceedings of
investigation, the aforementioned incidence was corrected.


In other words, as will be analyzed immediately, we are not faced with the reaction of
CAIXABANK in the face of a request or even some type of action by the AEPD,
but to the correction of the incidence that took place as a consequence of the process
of integration of various financial entities, and which was resolved with the greatest
speed by it, so that the appreciation of a supposed intentionality or

negligence in his action is contrary to the reality of the facts.

5. Regarding the actions of CAIXABANK, which would determine the application of the
circumstance established in letters c) and f) of article 83.2 of the RGPD.


Article 83.2 c) of the RGPD requires the control authorities to duly
into account when deciding the imposition of an administrative fine and its amount “any
measure taken by the person in charge or in charge of the treatment to mitigate the damages and
damages suffered by the interested parties. Likewise, it must be taken into account according to the
section f) of said precept “the degree of cooperation with the control authority with
in order to remedy the infringement and mitigate the possible adverse effects of the infringement.

infringement".

CAIXABANK has adopted all the necessary diligence measures to guarantee
adequately comply with the personal data protection regulations,
minimizing, if it had existed, what is in no way proven, the

alleged damage that could have been caused to its clients not only as
consequence of the incident that occurred between July 8 and August 15, 2018,
but by suppressing, once he became aware of the AEPD's actions, and in all
case prior to the inspection visit that took place on 12
December 2019, the link between the exemption from the payment of commissions by the

of the holders of the ON account in the event that they had acquired the
condition of "digital profile" and the consequent provision of consents
disputed in this proceeding.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 66/117








Indeed, firstly, as already anticipated in the previous section of this
allegation, the banking entity resolved the incident that occurred in its systems, and that
for the AEPD deserves the reproach analyzed in the foundation of law IV of the

Resolution Proposal, on August 15, 2018, that is, when there was no
any complaint or claim directed against it. In this way, warned
incidence, the pertinent measures were adopted for its disappearance. These measures
were complemented by carrying out different actions that the Proposal itself
of Resolution considers proven in the proven fact fourth of the same. Namely,
did not limit itself to eliminating the pre-marking of its clients' consents, but

that it adopted effective measures to guarantee that they effectively provided their
consent, or withdrew it, without any type of conditioning.

The result of such measures was that there has been no modification of the appropriate
provision of consent only by 812 clients, with respect to which the

Proposal itself recognizes as proven that, as said entity confirmed, it is
of “On accounts without movements or significant activity in the last months
or, in many cases, with negative balances to regularize, having attempted the
contact with the headlines on several occasions without it having been achieved”.

 Even with respect to these clients, the Proposal considers the performance of

by CAIXABANK of additional actions in order to obtain a
statement, affirmative or negative, about your consent to the treatment of
your personal information. Said measures, as indicated in fact five of the
Proposal consisted of the following:
“- The consents have been requested again from the clients who did not

have modified, taking advantage of the first interaction with the entity by any of
the enabled channels (branch, Bankia Online or Bankia App). This obtaining of
new consents, from a neutral position to the option of acceptance or not
acceptance that in each case is chosen by the interested party for each of
the requested consents, has been configured as a necessary step to be able to

continue the operation through any of the channels.
- Those clients who have not passed this process have been considered as
customers who have not given their consent to the entity regardless of the
meaning of the consents they provided in the registration process of the On account, and
have been marked in systems as having denied all consents.
- All On account holders were informed, in December 2019, of the change

of conditions of the digital profile, and the elimination of the requirements of having authorized
the sending of commercial communications and the transfer of data for the purposes of collection or
fee waiver.
- Contact has been made by telephone (through the corresponding managers) with
customers who have not modified consents; in the case of the 812 clients

who have not yet gone through the process, although attempts have been made to contact them at
several times, the result has been unsuccessful.
- The process of canceling those inactive and inactive accounts has begun
in the last few months.”


But CAIXABANK's proactive measures in this case have not only referred to the
second of the accusations made by the AEPD, but have determined the
Suppression of obtaining the consent of the interested parties for the
processing of your personal data as a requirement for holding the “profile

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 67/117








digital” and the consequent exemption from the payment of commissions, despite the fact that
CAIXABANK has always considered that these conditions were
perfectly respectful of the personal data protection regulations.

And this modification occurred before CAIXABANK had

knowledge of the existence of specific investigative actions against the
itself, which was not known until the moment in which the inspection was carried out, presence
of the AEPD in the facilities of my client. Until that date the only thing
said entity was the request by the AEPD for information on
relation to the processing of customer data of the ON Account, which was
responded to that on March 19, 2019 and the transfer of certain

claims, without knowing whether or not they had been admitted to
Procedure.

In this sense, it is established in the fourth proven fact that said entity, to the
The date on which said inspection was carried out had modified the conditions of the

ON account, disappearing the reference to consent to data processing
as necessary for the ostentation of the "digital profile".

Thus, the fourth proven fact of the Proposal indicates the following: “The fourth condition
to hold the digital profile, related to the PUSH messaging service, has been added
from 12/15/2019 for new ON product contracts, while

remove the following conditions:
- “All holders have authorized Bankia, by subscribing the
Personal data processing document, equivalent document or contract
corresponding, the treatment of your personal data for the sending of
commercial communications through any enabled communication channel, including
email and mobile phone.

- All holders have authorized Bankia, by subscribing to the
Personal data processing document, equivalent document or contract
corresponding, the transfer of your personal data to companies of its group for the
analysis of your profile for commercial purposes.”

For customers who already had a product ON the new conditions

applied from February 16, that is, two months after they were
communicates this contractual modification, having sent the communications on
last December 15. Indicates that the two indicated conditions have been removed in
new hires, and although they would be provided contractually for the
pre-existing clients until the aforementioned communicated modifications are
effective on February 16, BANKIA does not take these two conditions into account for

to discount or not the commissions since last October 16.”

In this way, since October 16, 2019 I did not operate for any client of my
CAIXABANK the exemption from the payment of the commissions of the ON account with respect to
those customers who have consented to the processing of data. Thus,

the conduct that the AEPD considers reprehensible had ceased to be taken to court.
practice even before said entity became aware of the
existence of inspection actions directed against it, having also
provided the AEPD with all its collaboration in the investigation of the facts and in the
minimization of the alleged damages caused to its clients.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 68/117









For all these reasons, and in relation to both accusations, it would operate, if the
sanctioning reproach of the AEPD, which CAIXABANK denies, the application of the

mitigating factors contained in letters c) and f) of article 83.2 of the RGPD.

Of the actions carried out in this procedure and the documentation
in the file, the following have been accredited:

                                PROVEN FACTS


FIRST: On 02/13/19, you had a written entry to this Agency, submitted by
claimant 1 (E/03825/2019), in which he states the following: “As a client of
Bankia, of the ON account, require me to accept all the consents of
processing of personal data, which appear already pre-marked or accepted.

In addition, if I choose not to transfer my data to third parties, for example, I
They impose a fee of 5 euros per month to continue maintaining my account”.

On 02/26/19, he had entry into this Agency in writing, presented by the
Claimant 2 (E/03826/2019 processed under reference E/3825/2019), in which
states the following: “My claim is based on the violation of the right not to

consent to the sending of commercial communications and the penalty that is applied for
it. In the Bankia banking entity a charge has been applied to me for "collection of
services" on February 1 in my checking account. Contacted
phone with the entity to consult the reason for the charge, I am told that the
type of my account is Account ON and that I meet all the characteristics of the digital profile

except for one, that "all holders have authorized Bankia, through the
subscription of the Personal Data Processing document, document
equivalent or corresponding contract, the processing of your personal data for the
sending commercial communications through any enabled communication channel,
including email and mobile phone".


With the date of entry in this Agency 02/28/19, it is presented in writing by the claimant
3 (E/04093/2019, processed under reference E/3825/2019), in which it highlights
manifest, among other extremes, the following: "After years as a client of the entity
bank mentioned, began charging commissions from November 2018
in concept of "CHARGE FOR SERVICES COLLECTION". When asking the institution

Regarding these concepts, their response was that, (...)- in relation to the claim
that you have put for the collection of commissions in your On account, we indicate that what
is generating this charge is that you have to modify that IF it was similar: "Clients
of the ON Account must accept the reception of publicity and the transfer of their data
to third parties or, otherwise, they will receive a monthly commission of five

euros".

On 04/08/19, he had entry into this Agency in writing, presented by the
claimant 4, (E/05449/2019), stating that: “Bankia demands the complete assignment of
my personal data so as not to charge me a monthly commission of X euros, so

GDPR is violated. One of the conditions of your ON Account to not have collection of
commissions is to have accepted the entirety of the data transfer consent.
When I was asked about this topic on your website, I refused to send advertising and
commercial messages to my email and my phone, and at no time

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 69/117








I received information that I would be charged maintenance fees of no
agree. I feel that they extort me to keep my data so that I can
send spam and commercial junk mail to my accounts.”


On 06/19/19, a written entry was received by this Agency, presented by the
claimant 5, (E/06961/2019), in which he states the following: “I opened an Account
called: "ACCOUNT ON", in which following certain guidelines on
use of email and mobile phones for communications and correspondence,
You are exempt from paying commissions for the maintenance of the account.

A few months ago I decided to withdraw the data processing consent to:
1."receive personalized information about discounts, promotions, products,
services of the financial sector or others, by any channel based on my preferences
personal"
2. "That Bankia consult my data in the asset solvency files and/or

credit, as well as other similar sources of information in order to offer me
personalized financing products",
 3. "I agree to participate in loyalty programs, sweepstakes, contests, surveys and
social action programs or similar actions, as well as receive news and/or
communications about them through any channel (paper, media
electronic, telematic, digital, etc.)."

And consent to data transfer: 4. "Share my personal data with
companies and investee companies or collaborators of the Bankia group so that
can offer me their products or services"
 As a result of this, Bankia has begun to charge me for collection of
account maintenance services of X euros per month”.


On 08/07/19, he had entry into this Agency in writing, presented by the
Complainant 6 (E/07830/2019), in which he states that: “Bankia has changed the
conditions of the checking account I have with them. I am forced to agree to receive
advertising of them and their partners if they do not charge me X euros per month of

maintenance.

 On 12/14/2020, it had entry into this Agency in writing, presented by the
Claimant 7 (E/00869/2021), in which he states that he is the holder of an On account and that,
from the date of opening of the aforementioned account, it has been charged
a monthly maintenance fee of 5 euros (from August to December

of 2019). It states that after consultation with the entity claimed on the 7th of
November, he was told that the commission was charged for not complying with the profile
digital.

SECOND: The claims are transferred to the data protection delegate of the

entity claimed, in accordance with the provisions of article 65.4 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and guarantee of
digital rights, the following answers are received:

Regarding the claimant 1.-


“After analyzing the products associated with claimant 1, it has been verified that the
claimant is currently an ON account holder. In relation to said client,
It is clear that you have exercised any right before the Entity in relation to

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 70/117








with your data, nor that the consents that were provided have been modified
dated January 19, 2018, regarding the processing of your data for sending
commercial communications not consenting to the possibility of transferring the data to

Bankia Group companies.

Attached is the contract formalized by the one in which the consents are recorded
provided in the indicated sense. Also, it has been found that there is no
any claim initiated against Bankia by this client or through its
management office, or before the Customer Service ("SAC"), or before the Office of the

Data Protection Officer (“DPO Office”). Consequently, we do not have
proof that no incident has been generated with this client, associated with
your account ON.”

 Regarding the claimant 2.-


“In relation to (complainant 2), it has been verified in the same way that said
client has been the holder of an On account although it is currently
cancelled.
Regarding the consents given, it must be indicated that as stated in
our database the processing of your data for commercial purposes was not

initially consented in October 2017, and later this no was maintained.
consent through the signature of the corresponding TDP dated August 18,
2018 through Bankia Online (BOL); all this according to documents nº2 and nº3 that
accompany.


 Regarding the claims presented by this client, he addressed both
to ***EMAIL.1, email address that appears in the contracts and in which the
Interested parties can exercise their rights in relation to their data, such as the
Office of the Data Protection Officer on February 6 and 7, 2019
respectively, requesting in both cases the retrocession of the charges for collections

of commissions that had been made in your ON account on February 1,
2019.
The answer to his claim was made from the office of the Delegate of
Data Protection, dated February 22, 2019, informing you that the collection of
commissions was due to the fact that, as established in his contract, on the date
of collection of the same were not being fulfilled by the holders the requirements of the

digital profile so in that period it was not appropriate to apply the bonus of
certain commissions of the ON account contractually foreseen, among others the
commission for maintenance and administration of the account and the credit card fee
ON debit associated with it.
In this sense, the client was offered the possibility of canceling said product and

contract another of those that Bankia has available in its catalog and those that are not
apply the conditions of the digital profile.

Attached as documents No. 4 and No. 5 are the emails sent by the claimant and the
replies to them sent from the Office of the DPD.


Subsequently, on May 22, 2019, the claimant proceeded to the
cancellation of the ON account at your branch, and filed a claim with the SAC
reiterating the request for retrocession of the commissions generated and showing their

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 71/117








disagreement with the conditions of the aforementioned digital profile. On the occasion of said
claim, dated May 24, 2019, Bankia proceeded to pay the
claimed amounts. Attached as documents No. 6 and No. 7 claim received

in the SAC and response to said claim sent to (claimant 2).”

Regarding the claimant 3.-

“It has been verified that you have an ON account and you have submitted several
claims in relation to it, as detailed below.


Regarding the consents given, it should be noted that as stated in
our database the processing of data for commercial purposes is
is on loan in November 2018, partially modifying these
consents through the signing of the corresponding document "Modification of

Treatment Authorizations” (“MTA”) on both February 23, 2019 and February 28,
February 2019; all this according to documents nº8, nº9 and nº10 attached.

Regarding the claims presented by this client, two
Claims filed with the SAC in the months of November and December
2018, claiming the collection of commissions in the ON account for the respective months.

As a result of this claim, said commissions were regularized, being
the cause that gave rise to the regularization applied by the SAC the fact of not having
located the contract signed with the client. Attached as documents No. 11,
No. 12, No. 13 and No. 14 complaints received at the SAC and their response.


The data protection delegate provides the following information about the
Incidents and measures taken:

The requirement itself transfers the facts that motivate the claims of the
clients, which in extract are the following: “Obligation to accept as clients of the

"Account ON" consent to the processing of your personal data, which appears
as pre-marked or accepted and specifically, "the reception of advertising and the transfer
of your personal data to third parties” to avoid charging commissions for the
maintenance of said account.

Based on what was transferred and once said extract had been analyzed, as well as the

operation of the ON account in all its modalities and the collection process
of consents, the following conclusions have been reached:

 There is no obligation to accept any consent on data processing
in the contracting process of the ON account, having verified

that any client can contract it without the provision of that consent
prevent your hiring.

    - Something different is that the client complies with the conditions of the so-called
       "digital profile", which may mean that in certain products the Entity

       can apply a payment exemption, that is, an exclusion from the payment of
       certain commissions of the contracted products that have this type of
       profile and as long as the client maintains the same, as already explained. It
       which is justified based on the digital profile of the relationship between the client

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 72/117








        and the Entity, and the advantage of making it more efficient through the
        use of digital media in commercial communications.


    - The process of managing consents by customers, which allows
        not only lend them freely and through any of the channels of the
        Entity, but also modify them at any time and as many times as
        the client wants in an agile and simple way, guarantees that said consent
        lend freely.”


    -
It indicates that it has been sent on June 11, 2019, communication to the
clients about this request for information in relation to claims
transferred. A copy of these is attached as documents nº17, nº18 and nº19.


Regarding claimant 4

“The claim is based on its non-compliance with the requirements for the
fulfillment of the digital profile in relation to the ON Account.

The complainant alleges that Bankia requires him to comply, among other requirements, with the assignment

full of your personal data to be entitled to the commission bonus
monthly fee of 5 euros contractually agreed.

After receiving the aforementioned request, from the Office of the Delegate of
Data Protection has proceeded to verify whether prior to contacting the AEPD,

the claimant has initiated a claim for this fact before the Entity, either through
through its management office or by contacting the Data Protection Delegate and
Privacy or Customer Service. Once this check has been carried out,
There is evidence of any claim initiated against Bankia by this client.


As recorded in Bankia's systems, on July 20, 2018 the
(claimant) gave their consent through Bankia Online by signing the
document "Processing of Personal Data" (hereinafter, "TDP"). Copy of said
document is attached as document nº1.

These consents were partially modified, dated April 8, 2019,

by the claimant through the same channel, proceeding in this case to the signature of the
document “Modification of Treatment Authorizations” (hereinafter, “MTA”). I know
I attach a copy of said document as document No. 2, in which they are granted
positively all the consents and thus continue to the date of issuance of the
present report.


Regarding the claimant's assertion regarding the requirement of complete assignment of
personal data for the exemption from the collection of the maintenance commission, there is
to indicate that it has been verified that the fact that Bankia is consented or not
processes your data for certain commercial purposes has not conditioned, in

In no case, contracting the ON Account or any other product of the Entity
by the claimant.
Another thing is that it meets the conditions of the so-called "digital profile", which
which means that Bankia can apply an exemption from payment of commissions, that is to say

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 73/117








an exclusion from the payment of certain commissions for those clients who have
that type of profile and as long as it stays the same.

Regarding claimant 5


 “According to the Bankia systems, on June 16, 2015 the
claimant gave his consents in a positive sense in an office of the
Entity, for which it signed the document "Personal Data Processing" ("TDP").
A copy of said TDP is attached as document No. 1.

These consents were modified by the claimant on January 22,

2019, through Bankia Online (BOL) by signing a new TDP document
in which all the consents were negatively granted. Attached
copy of said TDP as document nº2.

 Subsequently, these consents have been modified again and

partially by the claimant on June 19 (on two occasions at 6:33 p.m.
and 19:13), June 30 and July 11, 2019 through Bankia Online, proceeding to the
signature of the corresponding documents of “Modification of Treatment
Authorizations” (“MTA”). A copy of the corresponding MTA is attached as
documents nº 3, 4, 5 and 6.


Regarding the alleged violation of the claimant's right to object to
receive personalized information about discounts, promotions and products
financial, as well as the transfer of your personal data to companies of the group or
collaborators, it must be indicated that the fact that the claimant has consented or
no both treatments have not conditioned, in any case, the process of
contracting the On Account or the exercise of their rights as an interested party.


Bankia has fully complied with its right to object, insofar as it has
been able to modify and can do so again through any of the channels of the
entity, their consents (in the case of the claimant, in up to five
occasions).
A different thing is that the claimant complies with the conditions of the so-called "profile

digital”, which means that Bankia can apply an exemption from payment of commissions,
that is, an exclusion from the payment of certain agreed commissions
contractually for those customers who meet that type of profile and during the
long as it stays the same.”

Regarding claimant 6:

“The claimant contracted an On Account and on that same date, positively granted
your consent by signing the corresponding document "Treatment
of Personal Data” (hereinafter, “TDP”). A copy of the contract is attached.
Account On as document no. 1 and a copy of the formalized TDP as document no. 2.


These consents were subsequently updated and revoked by the
claimant dated May 25, 2019, through Bankia Online, through the
signature of a new TDP. A copy of said TDP is attached as document no. 3.
Subsequently, the claimant partially modified his consents on days 3 and
July 8, 2019, proceeding in these cases to the signing of the document "Modification

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 74/117








of Treatment Authorizations” (hereinafter, “MTA”). A copy of both is attached.
documents as document nº4 and document nº5 respectively.


Likewise, said brief concludes that “The conditions that must be fulfilled by the
claimant as the holder of an On Account to have a digital profile are those that appear
in the contract signed by the claimant on November 21, 2016, without
been modified by Bankia at any time contrary to what is stated in the
claim.


Likewise, there is no obligation to accept any consent on the treatment
of personal data in the process of contracting the On Account.

A different thing is that the client complies with the conditions of the so-called "profile
digital”, which may mean that in certain products the Entity may apply

a payment exemption, that is, an exclusion from the payment of certain commissions
of the contracted products that have this type of profile and provided that the client
keep the same, as already exposed. What is justified on the basis of one's own
digital profile of the relationship between the client and the Entity, and the advantage of doing more
efficiently through the use of digital media in communications
commercial.


And in this sense, the claimant has been answered, providing a copy of said
communication as document number 6”.

Regarding claimant 7 dated 03/04/2021, a response is received from the entity

claimed by providing, among other documents, the contract of the interested party in which
It is clear that he had not given his consent to the conditions required for the
exemption from commissions, and a letter from said entity to the interested party in which
communicates that "as stated in your contract, the bonus of certain
commissions of the ON Account, among others the commission of maintenance and

administration, is subject to all holders maintaining a digital profile. No
However, if any of the conditions of said profile are not met, your
ON Account remains fully operational and you can continue to enjoy all the
services associated with it, with the economic conditions and commissions and
expenses applicable according to the contract. Also, inform you that as it went
informed the Customer Service Department in the letter that was sent to him on the 8th of

January 2020, in order to strengthen its relationship with the Entity, despite not complying with
the conditions of the digital profile, Bankia has proceeded to pay the amounts
charged for this reason.”

THIRD: It is recorded in a letter from Bankia received by this Agency dated 03/19/19,

in response to the request made by the Data Inspection within the framework of the
investigative actions agreed upon by the Director of the Spanish Agency for
Data Protection, on March 21, 2019, the following regarding the
Privacy Policy:
“The Privacy Policy that is applicable to the Entity, regarding the

treatment of the data, is collected in the two documents that are related to
below and that are provided as evidence of this first point to the present
written:


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 75/117








- The document called "Processing of personal data" (TDP), which is generated
and signature in the registration process of each client and that contains all the required information
by the regulations in relation to the processing of data derived from the relationship
contract that exists at all times between the client and the Entity. The TDP is edited
both in the registration of clients in branches and in the registration of clients through the channels

at a distance available to the Entity (Bankia Online and App).
- Bankia's "Privacy Policy" available at
https://www.bankia.es/es/particulares/privacidad. This page contains the information
legally required regarding the processing of personal data
obtained through the websites and web tools owned by Bankia, not being
applicable for those collected in the contracts that the user can formalize with the

Entity, even if they are linked or related to the "channels of
communication from Bankia”, since the provisions of this document will be applicable to said data.
in the TDP as explained in the previous point.”

It appears in the TDP document regarding the information on the conditions for the

processing of personal data, provided by Bankia, both in the model that is
generated in remote channels such as the one signed in the office (documents 1 and
2), which are collected, under the title "personal data", data related to the identification of the
client, their contact information, marital status, number of children, date and province of
birth, nationality and professional data. This document informs the
interested party that the personal data requested by Bankia will be treated in

in accordance with the basic data protection information described below,
urging the interested party to read and understand it, before signing the document in
which collects the consent request for the processing of your data.

Said basic information states that the controller is BANKIA, S.A.,
briefly describe the purposes of data processing, the legitimacy

In general, for such treatments, the recipients of the information,
makes a brief reference to the rights that the interested party can exercise, and a
reference to additional information that you can access through a link to a
Web page.
Next, the consent of the interested party is requested for different purposes,
for each one of them must be marked yes or no:


    o -In a first block, consent is requested for the sending of
       commercial communications in the following terms:
        In point 1.1 refers to the sending of "commercial communications
           personalized through any channel (paper, electronic means,

           telematic, digital, etc.) about products, services, promotions or
           discounts from the financial sectors (banking, investment and insurance),
           real estate, cultural, travel, consumption and leisure based on your profile, drawn up
           from your personal data, the products you have contracted, as well
           as from the operations, movements or transactions associated with
           their products."

            In point 1.1.1 consent is requested “for the sending of
               personalized commercial communications about products, services,
               promotions or discounts of the sectors referenced based on their
               profile, prepared from your personal data and the products that
               He has contracts.”

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 76/117








            In point 1.1.2 it refers to “the sending of commercial communications
               personalized about products, services, promotions or discounts
               of the referenced sectors based on their profile, drawn up from
               the operations, movements and transactions associated with their
               products".

            In point 1.1.3, the following options are differentiated for sending
               commercial communications to which, one by one, you can consent:
           ‐ Physical correspondence
           ‐ Electronic correspondence (email, ATMs, etc.)

           ‐ Mobile devices (instant messaging, push notifications, SMS,
               etc.)
           ‐ Telemarketing platforms
           -   Social media
           ‐ Bankia and third party websites

         Point 1.2 refers to the consent for “the consultation of your data, for
           part of Bankia in the asset and/or credit solvency files, as well as
           as other similar sources of information, with the aim of offering you
           customized financing products.”
         In point 1.3, consent is requested to participate in programs
           loyalty, raffles, contests, surveys and social action programs

           or similar actions, as well as receive news and/or communications about the
           themselves through any channel (paper, electronic media,
           telematic, digital, etc.) Points 1.3.1 to 1.3.3 break down 3
           different requests: to participate in loyalty programs, to
           participate in sweepstakes, contests and surveys and to participate in programs

           of social action or similar actions.

    o -In another block, consent is requested for the transfer of data to third parties.
        Point 2 requests consent for the transfer of your personal data
        for commercial purposes, based on your profile, to companies and companies
        subsidiaries of the Bankia group or collaborators, whose composition may

        consult in an updated way in a certain link that is indicated.
     In point 2.1, the transfer of your data to collaborators is requested so that they
        carry out commercial actions that fit their needs, based on
        your personal data, the products you have contracted, as well as from
        the operations, movements or transactions associated with its products.
     In point 2.2, the transfer of your data to companies or investees of the

        Bankia Group so that they carry out commercial actions that are in line with their
        needs, based on your personal data, the products you have
        contracted, as well as from the operations, movements or transactions
        associated with their products.


You are informed about the possibility of revoking and modifying at any time the
consents given and oppose the treatments based on the interest
legitimate and to the exercise of the rights of access, rectification, deletion, opposition and
limitation to the treatment and portability of the data.
It is stated in the pre-contractual information of the “ON” account; of the debit card ON
associated, from the “ON NOMINA” account, from the “ON NOMINA” card, from the “UN &

DOS” and associated “UN & DOS” card (documents 8, 9, 10 and 11), in addition to the
description of each product the specification of the administration commissions and
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 77/117








maintenance of the account, as well as the associated card fees,
transfers in euros, national and EU subject to regulation 260/2012, made
by non-face-to-face channel and income from checks in euros payable on the market
national will be free as long as all holders maintain a profile
digital.

The Digital Profile will be held when, among other stipulations, it is fulfilled that:

    - All cardholders have provided Bankia with their mobile phone number and
        email.
    - All holders have authorized Bankia, by subscribing to the
        Personal data processing document, equivalent document or

        corresponding contract, the processing of your personal data for sending
        of commercial communications through any communication channel
        enabled, including email and mobile phone.
    - All holders have authorized Bankia, by subscribing to the
        Personal data processing document, equivalent document or

        corresponding contract, the transfer of your personal data to companies of your
        group for the analysis of your profile for commercial purposes.”

Said pre-contractual information details the commissions applicable to the
different accounts, being the established commissions, coincident for all the
accounts, the following:

    - Maintenance fee X EUR. Free if account holders have
        digital profile.
    - Administration commission (per note) X,XX EUR. Free if holders of
        The account has a digital profile.
    -
With regard to the commissions of the different debit cards associated with the

accounts mentioned above, are as follows, according to said information
pre-contractual:
    - Registration fee XX € (free if all customers meet the digital profile).
    - For maintenance XX € (free if all customers meet the digital profile).

Likewise, in the specific pre-contractual information of the ON credit card,

indicates that it will accrue the following commissions: "XX € main card, in case of
that the holders of the associated account do not maintain the digital profile and the first holder
of the account keep the payroll or direct debit pension.”

The ON Account contract model (document 12) contains the following
commission exemption conditions ON Account and ON Debit cards associated with

the same:

 “The commissions for maintenance and administration of the account, the fee for the
ON Debit cards associated with it (maximum one card per holder), and the
commissions on deposits of checks in euros payable in the national market and the

of transfers in euros, national and EU, subject to regulation 260/2012,
made by non-face-to-face channel and for any amount, will be exempt, and will not
will apply provided that all account holders comply with the
following requirements:
        (…)

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 78/117








       Have authorized Bankia, by signing the document of
Treatment of Personal data, equivalent document or corresponding contract,
the processing of your personal data for sending commercial communications

by any communication channel enabled, including email and telephone
mobile, as well as the transfer of your personal data to companies of its group for the
analysis of your profile for commercial purposes.
    - (…)
Bankia will periodically control compliance with the requirements indicated
above and, in case of detecting that any of them is not fulfilled, it will be

application automatically, both to the account and to the debit cards
associates, the particular standard conditions of the same collected in the
this contract.”

In the contract model Account ONE & TWO (document 14) they appear identical

Commission exemption conditions for the UN & DOS Account and UN Debit cards
&DOS associated with it. Likewise, in the ON Account Contract model
PAYROLL ON Debit cards and ON Payroll Credit cards associated with it,
(document 13) the above requirements are required in the same terms
transcribed, as well as its periodic control and the consequences of non-compliance.


FOURTH: It is recorded in the minutes of the Inspection visit carried out in the establishment
of Bankia dated 12/12/2109, which the representatives of said entity state,
to questions from the inspectors, the following:
     Regarding the so-called digital profile


As indicated, by maintaining the digital profile, the customer of ON products from
BANKIA benefits from a series of commission bonuses.

As stated in the specific informative documents (IPE – Information
Specific contractual) of the ON products, such as the ON ACCOUNT and

DEBIT CARD ON, the digital profile is displayed when:

- “All operations carried out with the account and the card are carried out through
of the remote channels available to Bankia at any given time (Bankia
Online, Bankia APP, Telephone Office, ATMs, …).
- All holders have registered the Bankia Correspondence Service

Online, not receiving communications from Bankia on paper.
- All cardholders have provided Bankia with their mobile phone number and email
electronic.
- They have accepted and activated the PUSH messaging service through the App
Bankia.”


The fourth condition to hold the digital profile, related to the messaging service
PUSH, has been added since 12/15/2019 for new hires of
products ON, while removing the following conditions:


- “All holders have authorized Bankia, by subscribing the
Personal data processing document, equivalent document or contract
corresponding, the treatment of your personal data for the sending of


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 79/117








commercial communications through any enabled communication channel, including
email and mobile phone.
- All holders have authorized Bankia, by subscribing to the

Personal data processing document, equivalent document or contract
corresponding, the transfer of your personal data to companies of its group for the
analysis of your profile for commercial purposes.”

For customers who already had a product ON the new conditions
will apply from February 16, that is, after two months have elapsed since they were

communicates this contractual modification, having sent the communications on
last December 15.

Indicates that the two indicated conditions have been removed in the new
contracts, and although they would be contractually provided for customers

pre-existing until the mentioned modifications communicated are effective
on February 16, BANKIA does not take these two conditions into account for the purposes of
discount or not commissions since last October 16.

     Regarding consent


BANKIA, for those treatments whose legal basis is consent, has
of a system that allows the collection, modification and management of these
consents, as well as the traceability of the modifications made,
called General Consent Module.


This Module also registers the exercises of rights of the clients and allows to take
its centralized management.

The list of consents is structured in three main blocks with the
following associated purposes:


    - Sending commercial communications
    - Participation in loyalty programs, raffles, social action and others
        Similar.
    - Transfer of data to third parties.


The consents thus constitute a numbered multilevel list in such a way that the
more general consents are at a higher numbering level and
specific ones at a lower level. In this way, consent is granted or not.
in a general way, for example, to send commercial communications, and in a
specific to each channel through which communications can be received.


The consents are recorded in a document called Treatments
of Personal Data (TDP) that includes customer data protection information.
This document is always signed by the client during the registration process, prior to
contracting any product, both through online banking (with signature code) or

in person at the office, on a Tablet that is provided (digital tablet that
It is also used to collect the signing of contracts and operations
transactions executed by any client).


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 80/117








When the consents are modified, they are recorded in a document
similarly called Modification Treatment Authorizations (MTA). This document
It is also signed by the client.


BANKIA reformed and updated the list of consents on the occasion of the entry into
force of the RGPD in May 2018 and sent a communication to all customers
reporting the entry into force of the new Regulation, initiating a new process
consent collection.


When the new list of consents was put into operation due to a
incident in the online channel that required adaptations to the systems (affected
only to ON account customers contracted through the online channel) between July 8 and
On August 15, 2018, the consents were shown pre-marked, in a state of
acceptance (“consent”), for new customers. That is, when a new customer

was registered through the online channel, the consents were pre-marked
during the registration process, not occurring in office registrations.

Also, for existing customers, during this period, new
consents (which did not exist previously on which therefore the client does not
had expressed) were marked with an acceptance status, but the consents

pre-existing ones on which they had already expressed their authorization or refusal
they were in the state that the client had decided.

As of August 16, 2018, pre-marked consents in a state of
acceptance or "consent" (green color in the application) are shown to "no

I consent” (red color), and finally passed to the status of “not collected” (gray color) in
February 2019.

Statistics: The consents of some 5,842,000 clients of the
8,281,000 that the entity has at the moment. The missing customers

answer constitute 29%, they correspond to inactive clients, and their
consents are unchecked. However, for any treatment
these consents are considered in a “no” state to prevent their use.

Of those who have answered, 89% have accepted all the consents, 7.5%
They answered partially accepting, and 3.2% answered “no” to all of them.

I consent”.

The number of customers who passed the registration process in the period between
on 07/08/2018 and 08/15/2018 (ON products through the online channel), are a total of
2,562 (of which 2,192 are still active and 270 have been cancelled). of the clients who

are still active 38 have subsequently modified consents.

For all these reasons, there are 2,154 active clients who gave their consent
pre-marked and have not subsequently modified them, accounting for 0.16% of the total number of
consents given by online banking and 0.03% of the total consents

collected from the total number of clients that appear in the BANKIA database.

Currently, and since before 05/25/2018, when a new client registers
at BANKIA, both online and at the branch, you must fill in the consents

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 81/117








generating the aforementioned document called Data Processing
Personal (TDP), who signs. It is not possible to continue the registration of the client without the signature of
said document. The consents are unmarked (in gray), having

to mark the client's decision to consent or not.

All BANKIA employees can check customer consent
on-line, as well as the changes that the clients have made and the documents of
signed consents.


There is also traceability of the consents prior to the RGPD.

It is recorded that the Agency's inspectors carried out the following checks
after requesting access to the Consent Management Module:
- It is accessed by means of a BANKIA employee user code and password to the

data of the consents provided by one of the people present in the room,
client of the entity, verifying that the document of
Treatment of Personal Data (TPD) dated May 21, 2018. It is accessed
also to the modifications made later on the consents
(MTA documents) as well as the current status of consents.


     Regarding data transfers.

Although the consent of customers has been requested, BANKIA has not transferred its
personal data neither to the companies of the group nor to other collaborating entities
based on these general consents of the TDP nor is there any provision for

it.

The consents for assignments were requested as a general measure. In case of
If an assignment is made, specific consent would again be requested from customers
involved. Attached to the inspection certificate is a copy of the specific consent

requested for the UNI&DOS account for the entity ***ENTITY.1 (for preparation
of wedding list).

This specific consent does not constitute a legal necessity since it is counted
with the general consent obtained. However, BANKIA has considered
obtain a specific consent for ethical commitment with its clients.


In addition, in the event of a transfer in the future, the project would become
informed by the Office of the DPO, which would study and apply both the criteria for
regulatory compliance such as ethics, taking the appropriate measures to the case
concrete that arises.


There is no link or published document that contains the list of companies
collaborators since there is none to which data is transferred based on the
general consent obtained through the TDP.


The assignments that are made are carried out by means of ad hoc consent of the
clients involved.



C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 82/117








FIFTH: Contained in the response received at this Agency on June 19, 2020,
in response to the request made by the Data Inspectorate regarding the
customers who completed the process of registering ON products through the online channel

in the period between 08(07/2018 and 08/15/2018, period during the
which the consents were pre-marked in said channel that, of the
2,562 customers who registered an On account through Bankia Online in the
indicated period, as of June 9, 2020, a
total of 2,171 clients. The remaining 391 clients have ceased to have positions
active with Bankia, and therefore are no longer clients of the entity. Also, of these

2,171 clients, 1,359 clients have modified their consents at least once
dated after 08/15/2018 and the remaining 812 clients have not modified it in
no occasion since they were lent at the time of registration of the On account.

It is also stated in the response to the request made by the Inspection that

following:

These 812 customers represent 0.06% of the total number of On account holders and the
0.009% of all Bankia customers. These are On accounts without movements or
any significant activity in recent months or, in many cases, with balances in
refusal to regularize, having tried to contact the holders in several

occasions without it having been achieved.

A communication was made to all of them in December 2019, informing them of the
modification of the conditions for the fulfillment of the digital profile by which
As of February 2020, they ceased to be a condition to meet said profile, and therefore

to benefit from the commission exemption, those related to having authorized
Bankia, by signing the Personal Data Processing document,
equivalent document or corresponding contract, the processing of your data
personal information for sending commercial communications through any communication channel.
communication enabled, including email and mobile phone and having

authorized to Bankia, by signing the Data Processing document
Personal, equivalent document or corresponding contract, the transfer of your data
to companies in your group for the analysis of your profile for commercial purposes.
However, due to a commercial decision of the Entity as of September 16,
2019 the authorization for the transfer of data to group companies was not considered
as a necessary requirement to fulfill the digital profile for the purposes of exemption or collection

of commissions.

The 812 clients who have not modified their consents or have withdrawn from the
entity, have been the object of any commercial action through email or
SMS. These actions have been developed in the period between August

2018 (registration date) and April 2020 (in May the contact process began and new
collection of consents from these clients that is explained in the following section,
marking their consents as denied until they are collected
again).


Regarding the actions to be carried out with said group to obtain their
consents without pre-selected options, the following have been adopted:
     Consent has been requested again from customers who do not
       have modified them, taking advantage of the first interaction with the entity by

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 83/117








       any of the enabled channels (branch, Bankia Online or Bankia App).
       This obtaining of the new consents, from a neutral position to the
       option of acceptance or non-acceptance that in each case is chosen by the
       interested party for each of the requested consents, it has been
       configured as a necessary step to be able to continue the operation by

       any of the channels.
     Those clients who have not passed this process have been considered as
       customers who have not given their consent to the entity
       regardless of the meaning of the consents they gave in the
       account registration process On, and have been marked in systems as if
       all consents were refused.

     All On account holders were informed, in December 2019, of the
       change of conditions of the digital profile, and the elimination of the requirements of
       have authorized the sending of commercial communications and the transfer of data
       for the purpose of charging or exempting commissions.
     Contact has been made by telephone (through the corresponding managers)

       with customers who have not modified consents; in the case of
       812 clients who have not yet gone through the process, although attempts have been made
       contacting them on several occasions, the result has been unsuccessful.
     The process of canceling those accounts that are inactive and without
       activity in recent months.


SIXTH: It is in writing with entry in this Agency on June 11, 2109 the
following information about clients who have contracted the ON accounts:

 As of May 31, 2019: Product ON Total Clients
 ON Payroll Account 27,700
 Count One & Two 1,178

 Account ON 1,168,122

Information on the consents given by the holders of the On a accounts
date May 31, 2019:
 account Number of clients Advertising Cession of Advertising Cession of

                             (YES) Data (YES) (NO) Data (NO)
 ON Payroll 27700 26896 26896 804 804
 One & Two 1178 1134 1119 44 59
 ON 1168122 937942 924662 23180 243460


It is stated in writing received by this Agency on June 19, 2020 that the
total number of customers with ON products as of June 9, 2020
(holders/co-holders) was 1,256,352 clients (653,463 accounts).

It is stated in the letter of June 19, 2020 that the total amount of commissions
collected during 2019 from On account holders who have not met any of the

conditions of the digital profile was €2,367,954.32 according to the following breakdown:
 Administration fee: €27,074.59.
 Maintenance / Inactivity: €297,633.91.
Maintenance commission: €2,043,245.91.
Total: €2,367,954.32.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 84/117








Regarding the 812 clients whose consents were pre-marked and not
have modified their consents or have withdrawn from the entity, only
commission has been accrued in the case of 2 clients being the global annual amount

charged for this concept to each of the two clients of five (5) euros. One has to
highlight that the collection could have been produced by the non-compliance, in the period
monthly settlement, of any of the conditions of the digital profile, sufficing
that one of them is breached so that the exemption from the commissions does not proceed, for
example, use the physical office channel, request to receive communications on paper,
etc.…


 It is stated in the same document that the total amount of discounted commissions (not
collected) in 2019 from On account holders was €32,110,990 in accordance with
following breakdown:
Accounts opened before 2019: €22,101,900.

Accounts opened in 2019: €10,009,090.
Total: €32,110,990.

It is also stated that compliance with the conditions of the digital profile that gives rise to
in the On accounts to the application of the commission exemption, it is not linked to the
need to have a certain amount of annual or monthly income.

Consequently, On account holders do not have to declare certain
income to open the account or to fulfill the conditions of the digital profile.

Regarding Bankia's total annual global turnover in the financial year
2019, it is stated in the document sent on June 19, 2020 that the net margin

before provisions is 1,428 million euros, according to the information collected in
the 2019 Annual Results Report published on the entity's website. the volume of
business of the Caixabank group in 2020, according to the information contained in the
annual accounts published on its website by said entity is 12,172 million
of euros.


SEVENTH: The BANKIA website informs the user of that website that
the merger by absorption of Bankia, S.A. has taken place. by CaixaBank, S.A.,
succeeding the second entity to the first, universally in all rights
and obligations.


It is recorded in the Mercantile Registry in the data relating to the entity BANKIA, S.A, the
following observation “Extinction”. It is also stated that “on September 18
2020, on the corporate website of BANKIA, S.A. www.bankia.com has been
insert the common merger project between the companies CaixaBank, S.A. -
absorbent- and BANKIA, S.A.-absorbed-.”


                           FOUNDATIONS OF LAW

                                            I


The Director of the Agency is competent to initiate and resolve this procedure.
Spanish Data Protection, in accordance with the provisions of art. 58.2 of the
of Regulation (EU) 2016/679, of the European Parliament and of the Council, of
04/27/2016, regarding the Protection of Natural Persons with regard to the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 85/117








Treatment of Personal Data and the Free Circulation of these Data (Regulation
General Data Protection, hereinafter RGPD) and in art. 47 and 48.1 of the Law
Organic 3/2018, of December 5, on the Protection of Personal Data and Guarantee of

Digital Rights (hereinafter LOPDGDD).

Likewise, article 63.2 of the LOPDGDD determines that: “The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a

subsidiary, by the general rules on administrative procedures.”


                                            II


Previously, it is considered appropriate to analyze the formal issues raised
by CAIXABANK S.A. (hereinafter CAIXABANK) in its pleadings brief.

In the first place, CAIXABANK considers that the start-up agreement is vitiated by
nullity due to the defenselessness produced by setting the amount of the sanction in the
opening agreement, instead of expressing only the limits of the possible

sanction, and without the aggravating circumstances having been motivated or the entity having
had an opportunity to speak out about it. For this same circumstance, consider
that the initial agreement exceeds the legally foreseen content, violating the article
68 of the LOPDGDD, and understands that the impartiality of the examining body has been affected,
knows before starting the procedure the criterion of the body to which it must raise the

file, in a clear breach of the principle of separation of the investigative phase and
sanction (article 63.1 of the LPACAP).

In this regard, CAIXABANK adds that article 85 of the LPACAP, which is invoked
in the operative part of the agreement to initiate the procedure to specify the

reductions that acknowledgment of responsibility entails, determines that the
amount of the pecuniary sanction may be determined “once the proceeding
sanctioning” and that is only applicable to cases that give rise to the imposition of a
fixed and objective fine.

This Agency does not share the position expressed by CAIXABANK in relation to the

content of the opening agreement of this sanctioning procedure. In the opinion of
this Agency, the start-up agreement issued is in accordance with the provisions of article 68 of the
LOPDGDD, according to which it will suffice that the agreement to initiate the procedure
specify the facts that motivate the opening, identify the person or entity against the
which the procedure is directed, the infraction that could have been committed and its possible

sanction (in this case, of the different corrective powers contemplated in article
58.2 of the RGPD, the Agency considered the imposition of a fine to be appropriate, without prejudice to
what may result from the instruction of the procedure).

In the same sense, article 64.2 of the LPACAP is expressed, which establishes

expressly the minimum content of initiation agreement. According to this precept,
among other details, it must contain “the facts that motivate the initiation of the
procedure, its possible legal qualification and the sanctions that could
correspond, without prejudice to what results from the investigation”.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 86/117









In this case, not only are the requirements mentioned amply fulfilled, but
that goes further by offering reasoning that justifies the possible qualification

of the facts valued at the beginning and, even, the circumstances are mentioned
that may influence the determination of the sanction.

In accordance with the above, it cannot be said that pointing out the possible sanction that
could correspond for the imputed infractions is determinant of defenselessness
or that supposes a rupture of the principle of separation of the phases of investigation and

resolution. On the contrary, this fulfills one of the requirements laid down
in the standards outlined.

Likewise, it cannot be forgotten that article 85 of the LPACAP contemplates the
possibility of applying reductions on the amount of the sanction in case the offender

acknowledges its responsibility and in case of voluntary payment of the penalty. East
This provision establishes the obligation to determine these reductions in the notification of
initiation of the procedure, which entails the need to set the amount of the
sanction corresponding to the imputed acts.

Contrary to what CAIXABANK pointed out, this article 85 of the LPACAP does not

establishes that the amount of the penalty is determined once the procedure has been initiated.
It is the acknowledgment of responsibility and the voluntary payment of the penalty that has
to occur after that time, and not the fixing of the amount of the
sanction, as stated by CAIXABANK.


Likewise, CAIXABANK understands, in accordance with the provisions of article 85.3 of the
LPACAP that reductions should be adopted on the proposed sanction. This
Agency cannot share this argument. It suffices to point out that the voluntary payment
can be done by the interested party at any time during the procedure prior to
the resolution and implies its termination. Thus, so that the interested party can make

Using this option, the amount of the penalty must be established at the beginning. Of the same
form, it will be difficult for said interested party to recognize his responsibility initiated a
sanctioning procedure if the agreement that determines that beginning does not indicate the scope
to be attributed to that acknowledgment of responsibility.

The provision contained in article 85 of the LPACAP is established by the legislator

in order to stimulate the acknowledgment of liability or voluntary payment.
sanction, thus quickly resolving the conflict with the Administration
tion and avoiding being subjected to a sanctioning procedure any longer. By
For this, it is essential that the amount of the sanction is perfectly
individualized already in the agreement to initiate the sanctioning procedure (articles 64 and

85.3 of the LPACAP), resulting, otherwise, its payment impossible until the proposal
decision, final action of the examining body, which may cause clear damage
ro to the claimed party.

The criterion of the AEPD has been endorsed by the National High Court, as well as the SAN of

03/22/2019, (rec. 625/2017) in its fourth foundation states:

“We must start from the fact that the object of this contentious-administrative appeal is a
resolution issued under art. 85 of Law 39/2015, of October 1, of the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 87/117








Common Administrative Procedure of Public Administrations, which provides:
"1. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the

compensation for damages caused by the commission of the infringement.

3.In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.

The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.

The reduction percentage provided for in this section may be increased
regulations".


 In accordance with the aforementioned precept, reductions in sanctions of at least
20%, as is the case at hand, must be determined in the
notification of initiation of the procedure, as stated in the resolution of 26
April 2017, outlined in the preceding Legal Basis. For him

appellant as a result of the resolution proposal, the amount of the sanctions was paid
with the reduction of 20%, urging in the request of the brief presented on October 3
of 2017, that the voluntary payment was considered made, in a timely manner, and
proceed to terminate the procedure.


On the other hand, in order to proceed with the 20% reduction of the sanctions that have been
carried out, it is conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.

Well, the voluntary payment by the appellant with the reduction of 20% of the amount
sanctions, implies the waiver of any action or resource in administrative

in relation to the imputed facts, and therefore, benefits from said reduction, since
that, otherwise, the procedure would have continued its course, having been able to
end with the imposition of the amount of the sanctions foreseen in the proposal of
resolution.


Consequently, it is appropriate to dismiss this contentious-administrative appeal,
without it being necessary to go into the grounds for objection adduced in the
lawsuit in relation to the imputed infractions.” (emphasis ours)

In this same sense, the SAN of 10/15/2019, (rec. 601/2017) in its foundation of

fourth right declares that "The challenged Resolution, by which the Director of the
Spanish Agency for Data Protection put an end to the sanctioning procedure
PS / 00370/2017, ends the procedure for voluntary payment of the sanctioned, in
application of article 85 of Law 39/2015, of October 1, whose application had

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 88/117








expressly requested by the plaintiff bank in a letter dated September 6
2017, after being notified of the agreement to initiate the procedure, and acknowledged its
responsibility in the facts that caused the opening of the procedure and desisted and

waived any administrative action or recourse against the sanction
imposed.

In this way, it benefited from the two reductions provided for in article 85 cited, that is,
that is, by acknowledgment of their responsibility and by voluntary payment within the term
legally provided, so that the penalty indicated in the initial agreement (20,000

euros) was set at 12,000 euros, which were paid by the bank.

Article 85 of Law 39/2015, provides that: "1. Initiated a procedure
sanctioning party, if the offender acknowledges his responsibility, the
procedure with the imposition of the appropriate sanction.


2. When the sanction is solely pecuniary in nature or it is possible to impose a
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the

compensation for damages caused by the commission of the infringement.

3.In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.

The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.
The reduction percentage provided for in this section may be increased
regulations".


In the judgment of this Chamber of March 19, 2019 (R. 625/2017), in a case
Similarly, it was considered that: "[...] In accordance with the aforementioned precept, the reductions
of the penalties of at least 20%, as is the case at hand, must
be determined in the notification of initiation of the procedure, as
It is recorded in the resolution of April 26, 2017, outlined in the Basis of

precedent law. By the appellant as a result of the resolution proposal, it was paid
the amount of the sanctions with the reduction of 20%, urging in the plea of the writing
presented on October 3, 2017, that the voluntary payment was considered made, in
time and form, and proceed to terminate the procedure.


 On the other hand, in order to proceed with the 20% reduction of the sanctions that have been
carried out, it is conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.

Well, the voluntary payment by the appellant with the reduction of 20% of the amount

sanctions, implies the waiver of any action or resource in administrative
in relation to the imputed facts, and therefore, benefits from said reduction, since
that, otherwise, the procedure would have continued its course, having been able to
end with the imposition of the amount of the sanctions foreseen in the proposal of

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 89/117








resolution. Consequently, the present contentious appeal must be dismissed.
administrative, without it being necessary to go into the reasons for challenging
adduced in the application in relation to the imputed infractions [...]».


It is now appropriate to resolve in the same direction since all the circumstances
required in article 85 cited, which contemplates a specific form of termination
of sanctioning procedures: determination of possible reductions in the
notification of the start of the procedure, acknowledgment of responsibility and payment
voluntary in term, as well as resignation of actions or resources in administrative

against the sanction. (the underlining is from the AEPD)

CAIXABANK alleges that the defenselessness that has been generated by the actions of the
AEPD in this case could not be considered corrected by the fact that the same
has been able to make objections to the initial agreement. And this is so because the mere

The fact of its formulation implies an increase in the amount that would be forced to
satisfy, since the AEPD does not recognize the defendant the possibility of exercising the
option contained in article 85.1 of the LPACAP (that is, to admit his fault in
any moment of the procedure) in the event that it has issued arguments to the
start agreement. Understands that the consequence of everything indicated is that there is a
radical defect in the processing of this sanctioning file, derived from a

interpretation contrary to the Constitution of articles 64 and 85 of the LPACAP, which
affects the nullity of the procedure, having violated the rights
of CAIXABANK, as established in article 47.1 a) of the LPACAP.

This Agency cannot share such an argument, the interpretation made by the AEPD

of the provisions of article 85 of Law 39/2015 is strictly adjusted to the provisions
in said norm and the jurisprudence applicable to it, without being able to cross out
said interpretation of unconstitutional. The fundamental right to freedom is not violated
effective judicial protection, which the interested party may exercise in any case, but said
provision provides for two reductions, one for acknowledgment of responsibility and another for

voluntary payment within the stipulated period. As long as there is no
acknowledgment of responsibility, defending the interested party the legality of his
action against the agreement to initiate the procedure, said reduction in
the motion for a resolution which, however, leaves open the possibility of a payment
voluntary. This is reflected in the judgment of the TS of 02/18/2021 precisely in a
cassation appeal, against the judgment of the National High Court regarding the resolution

issued by the Director of the AEPD regarding the termination procedure for payment
volunteer of a sanction for infraction of the LOPD by pointing out that: "In this way,
benefited from the two reductions provided for in article 85 cited, that is, for
acknowledgment of their responsibility and for voluntary payment within the stipulated term
legally,(…)"


On the other hand, and with regard to the violation of the principle of judicial protection
effective, there is no place here but to bring up what was stated in the Judgment of the Court
Supreme Court of February 18, 2021, previously partially transcribed. The Court declares
Supreme in its fourth foundation that “(…)

i) Rejected the previous allegation, must also be rejected the invocation that the
recurrent effect of the STC no. 76/1990 to justify that the Trial Chamber has
violated his right to effective judicial protection by refusing his contentious appeal-
administrative.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 90/117









As we have said, the Court of First Instance did not inadmit the appeal, but rather
dismissed But it is that, in addition, at this point we must specify that the STC no.

76/1990, which the appellant invokes in support of its claims, rejected that the
Article 89.2 of Law 10/1985, of April 26, partially modifying the Law
General Tributaria entail a violation of the right to effective judicial protection
for requiring, for the ex gratia forgiveness of tax debts, that the subjects
offenders or responsible expressly renounce the exercise of any action of
objection, establishing the following to that effect:


" B) With a text that does not substantially differ from the previous wording, art. 89.2
prescribes the waiver of the exercise of any challenge action in order to request the
ex gratia forgiveness of the tax penalty; With this, the legislator intends to speed up and
make the collection of tax debts more flexible, it being understood that the remission

it affects only the sanction and not the rest of the tax debt. But from the perspective
of the responsible subject, it is clear that this abstention in the exercise of challenges
does not imply a waiver of the right to effective judicial protection, which would in itself be
itself unconstitutional, given the inalienable and unavailable nature of this right
fundamental, but simply to the use of such right and the actions in which it is
manifested for a period of time and in relation to a specific administrative act.

And the reason for such renunciation is similar to that of the assumption previously examined, since
here it is also about obtaining a benefit to which one has no right - the
ex gratia remission of the sanction - for which purpose it is necessary to satisfy the
of the prior waiver to challenge the liquidation made. To the extent that such
sacrifice is not disproportionate, it is freely adopted by the interested party and with the

itself an ex-gratia benefit is obtained, which is the one that best suits the interests
of the petitioner for the remission, there is no violation of a fundamental right
any.

This Court has declared that, although fundamental rights are permanent

and imprescriptible, this is perfectly compatible with the establishment of limits
temporary within the legal system for the exercise of the corresponding actions
(STC 7/1983, legal basis 3rd). If the imprescriptibility of rights
fundamental is not an obstacle to the temporary nature of the actions for their
defense, the inalienability of such rights does not prevent the voluntary and
transitory renunciation of the exercise of actions in pursuit of ex-gratia benefits

whose eventual achievement is for the interested party more advantageous than the one that could result
of that exercise.

Secondly, it considers that CAIXABANK has been left defenseless in the
processing of the procedure, which determines its nullity.


It states in the allegations to the Agreement to Initiate the procedure that the file
It has only been transferred to CAIXABANK on May 27, 2021, when
There were only two working days left for the formulation of allegations, without even
even agree on the aforementioned date the extension of the term for its formulation

for five days from receipt of the file, given that on the same date
clarified that the requested extension period began to be computed on the 24th of
May, that is, 3 days before receipt of the file. Consider that in the


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 91/117








In practice, the issuance of pleadings has been reduced to a period of two working days, which
which creates a situation of absolute defenselessness.


It should be indicated here that the startup agreement is notified to CAIXABANK by means
emails on May 7, 2021, the notification dated May 10, 2021 being accepted
of May 2021 and that it is not until May 18 of the same month in which it has
entry into this Agency written by the protection delegate, stating to act in
name and representation of CAIXABANK by virtue of its capacity as Delegate of
Data Protection, in which you request a copy of the sanctioning file and

extension of the term to formulate allegations. Taking into account that the
appointment as a data protection delegate by an entity not
entails that of representative of the same and that was not accredited in the
file that CAIXABANK's data protection delegate held the
condition of representative of the same, it was required, on May 24, to said

entity, to accredit said representation, which it carried out on the 26th of
May 2021. On the same day, May 26, 2021, the submission of the
file, stating that it was received by CAISABANK the same day. In the same
date it was agreed to extend the deadline for allegations up to the maximum legal deadline
permitted in article 32 of the LPACAP.


In the opinion of this Agency, it cannot be understood here that CAIXABANK has been
produced any defenselessness, insofar as he was able to request an extension of the term and a copy of the
file from the same day of the notification of the same, however, I do not make
such requests until more than half of the period for
had for it. Likewise, when he made said requests, the

representation held by the person claiming to act on behalf of said
entity, which forced to correct said omission and delayed the delivery of the
documentation. On the other hand, the extension of the term was carried out in the terms
established by article 32 of the LPACAP, agreeing to extend the term
legal up to the maximum permitted in said precept. It must also be taken into account

account that nothing prevented him from making new allegations under the provisions of the
article 76 of the same Law, which it has not done.

In this regard, it should also be taken into account that the Judgment of the Court
Supreme of October 11, 2012 appeal no. 408/2010 states the following: “(…) No
defenselessness occurs for these purposes if the interested party has been able to allege and prove in the

file as much as it has considered appropriate in defense of its rights and position
assumed, as well as appeal for replacement, a doctrine that is based on article 24.1
CE, if it made the allegations it deemed appropriate within the file" (S.T.S. 27 of
February 1991), "if he exercised, finally, all the appropriate resources, both the
administrative as well as jurisdictional" (S.TS. of July 20, 1992). Therefore, "if the

interested in administrative or contentious-administrative appeals has had the
opportunity to defend themselves and assert their points of view, it can be understood that
the omission has been corrected and it becomes insignificant for the real interests of the
recurrent and for the objectivity of the control of the Administration, making compatible the
constitutional prohibition of defenselessness with the advantages of the principle of economy

process that complements the first without opposing it at all and that
excludes useless procedural actions for the purposes of the procedure" (SS.TS. of 6 of
July 1988 and June 17, 1991).”


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 92/117








In this same sense declares the STC 78/1999, of April 26, in its Foundation
Juridical 2: "Thus, according to reiterated constitutional doctrine that is synthesized in the
3rd legal basis of the STC 62/1998, "the estimation of an appeal for protection by
the existence of breaches of procedural rules 'does not simply result from the
assessment of the eventual violation of the right due to the existence of a defect

procedural more or less serious, but it is necessary to prove the effective concurrence
of a state of material or real defenselessness' (STC 126/1991, legal basis 5º;
STC 290/1993, legal basis 4º). So that a helplessness can be estimated
with constitutional relevance, which places the interested party outside any possibility of
claim and defend their rights in the process, a violation is not enough
merely formal, being necessary that a formal effect be derived from this formal infringement.

defenseless material, an effective and real impairment of the right of defense (STC
149/1998, legal basis 3), with the consequent real and effective damage to the
affected stakeholders (SSTC 155/1988, legal basis 4, and 112/1989,
2nd legal basis).


Regarding the alleged artificial extension of the investigation phase in the present
procedure, this Agency cannot share the allegations of
CAIXABANK. This Agency understands that contrary to what is indicated by
CAIXABANK has complied with the provisions of articles 64 and 65 of the
LOPDGDD, without being considered, as stated in the allegations to the
agreement to initiate this proceeding, that the claim filed on the date

February 13, 2019, has been admitted with the agreement to initiate an investigation of
date February 21. Said agreement, as it results from the actual documentation
in the file, does not take such claim into consideration but rather has its origin in
the analysis carried out by the audit unit of the General Subdirectorate of
Inspection having had knowledge of the characteristics of the ON account.


With regard to the various complaints that were received throughout
the processing of the file, it has proceeded in accordance with the provisions of article
65.3 of the LOPDGDD giving transfer to the data protection delegate, for the purposes of
resolve on the admission to processing of the claim, a procedure that although it has
optional character for the AEPD, comes to suppose a guarantee for the claimed, to the
that he is given the opportunity to present the reasons for his actions in the face of the

claim made and, where appropriate, the corrective measures adopted aimed at
to put an end to a possible breach of data protection legislation, with
character prior to admission or not for processing. The fact that the claims
deal with similar facts and that there was an ongoing investigation does not determine
that such claims "were admitted for processing from the agreement of
initiation of investigative actions” as stated by CAIXABANK.


The transfer of each of the claims received to the claimed party is not, in
consequently, a merely bureaucratic process, as CAIXABANK alleges,
ensuring that whatever your answer in relation to the aforementioned
claims, the facts to which they referred were already being

investigation by the AEPD. On the contrary, this Agency understands that such
actions were pertinent, allowing CAIXABANK to express the reality
or not of the claimed facts, so that your answer would come to determine the
incorporation or not of such claim to the initiated file.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 93/117








Said entity also affirms that the AEPD denies any relevance to the agreements of
admission for processing, since they do not display any effect in the terms provided in the
article 64 of the LOPDGDD, since they do not determine the performance of actions

investigators nor the opening of any sanctioning procedure. This allegation
cannot be admitted either, in this proceeding the initiation
of an initial agreement adopted on its own initiative, as provided for in article 64.2
LOPDGDD, with a successive series of claims, these having been dealt with
in accordance with the provisions of article 65, giving transfer to the claimed and incorporating
the same, once received a response that in the opinion of this Agency determined

its admission for processing, for reasons of procedural economy to another procedure in
course, avoiding the opening of successive procedures and the progressive accumulation
thereof.

Likewise, this Agency understands that it was necessary to carry out new actions

Regarding the facts known as a result of the inspection carried out, relating to the
absence of consent, which determined a new requirement to said entity
to determine the concurrent elements in such treatments.

On the alleged artificial extension of the procedure, Caixabank invokes the doctrine
seated by the National High Court (AN) in its Judgment of 10/17/2007 (appeal

180/2006), in which it highlighted the illegality of the inappropriate extension or
unfounded from previous investigative actions. This Judgment refers to a
course processed by the AEPD in which the previous investigation actions are
remained inactive for almost eleven months, when the entity in question had
responded to the request for information in the first two months of processing the

these actions. The National High Court concluded that there was a “[…]
Fraudulent use of the institution of preliminary investigations. we are in
consequence in the event of fraud of the Law contemplated in article 6.4 of the
Civil Code, since it is intended to circumvent the application of Art. 42.2 of the Law
30/1992 using the request for information to, with it, avoid the expiration of the

disciplinary record”.

It is necessary to specify that the National High Court modified this criterion based on the
Judgment of 11/19/2008 (appeal 90/2008). As stated in the proposal
of resolution the criterion of the judgment of 10/17/2007 alleged by CAIXABANK came
referring to investigative actions carried out at a time when there was no

a term fixed by any norm to carry out the same, while the Law
30/1992 in force at that time did not do so, as the current Law 39/2015 does not.
The Regulations for the development of Organic Law 15/1999, of December 13, of
protection of personal data, approved by Royal Decree 1720/2007, of
December 21, established in its article 122 a maximum duration of twelve months

to carry out the same, just as the current LOPDGDD does.

CAIXABANK's allegations that the Judgment of 11/19/2008 did not
modified the criteria of the judgment cited by said entity as it considered erroneous
said doctrine but in other reasons exposed in the same and that determine its

application, that is, that the delay produced in the processing of the actions
prior notices had not been due to fraudulent intent to prevent expiration of the
sanctioning file but to a significant increase in the work to be carried out by the
works of the AEPD that justified the same, omit that said Judgment indicated

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 94/117








also "Reasons that mean that the previous doctrine of the Chamber cannot be
appraised in the case, to which the maximum period of twelve
months of duration that article 122 of RD 1720/2007, of December 21, provides

at present for said "prior actions", taking into consideration that such
regulatory standard is only applicable to actions initiated after
its entry into force (that is, as of April 19, 2008).” (the underlining is from the
AEPD). This Agency thus considers that the doctrine established in the Judgment of
10/17/2007 has been passed, as there is a rule that sets the deadline during the
which the AEPD can carry out investigative actions.


On the other hand, the same judgment invoked by CAIXABANK refers to the
consequences that the paralysis of the file had and that supposedly
tried, in fraud of law to avoid, which are none other than the expiration of the
sanction file. In the same way, article 122.4 Regulation of

development of Organic Law 15/1999, of December 13, indicated the same
Consequently, the expiration of the previous actions once the term of
twelve months to carry them out without the agreement having been issued and notified
initiation of the sanctioning procedure. The requirements and effects of expiration
are established in article 95 of Law 39/2015, in its article 95, precept
that allows not only the initiation of a new procedure when there has been no

produced the prescription, but even makes it possible in its number four that the
The same is not applicable in the event that the issue raised affects the interest
general or it is convenient to substantiate it for its definition and clarification.

CAIXABANK alleges that the special rule applicable to the actions of the AEPD, this

is, the LOPDGDD provides in its article 67 that investigation actions "do not
may have a duration of more than 12 months” and that this rule is the only
applicable to the procedure, since not only Law 39/2015 is not applicable by
be only of subsidiary application, but article 63.2 provides that "the
procedures processed by the Spanish Data Protection Agency will be governed

by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions issued in its development and, insofar as they are not
contradict, on a subsidiary basis, by the general rules of procedures
administrative.”

In the opinion of this Agency, there is no contradiction between what is established in the

article 67 of the LOPDGDD and article 95 of Law 39/2015. The first indicates a
period of 12 months to carry out actions, the overcoming of which determines the
expiration of the procedure, being the effects of that expiration those foreseen in the
Law 39/2015, which is the one that regulates said institution. It cannot be deduced, how does
CAIXABANK, that expiration is excluded from application to procedures

sanctions governed by the LOPDGDD, nor does article 67 of the LOPDGDD provide for such
consequence, nor does it emerge from the alleged jurisprudence, that by the
On the contrary, it indicates precisely this effect.

 Consequently, this Agency cannot share CAIXABANK's interpretation

that the use of expiration is carried out in fraud of law invoking a
judgment of the National High Court that no reference is made to such an institution and whose
criterion was, not only modified already in 2008, but surpassed by the establishment
of a period to carry out preliminary actions. You also can't share the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 95/117








consideration that the non-application of the terms of the LOPDGDD
of article 95 of Law 39/2015, a precept that sets as the only limit that
has produced the prescription of the infraction, even allowing such limit to be

exceeds in certain cases, which has not occurred in the present case.

                                             III


 Article 6 of the RGPD refers to the legality of data processing, providing that:

"1. The treatment will only be lawful if at least one of the following is met
terms:
a) the interested party gave their consent for the processing of their personal data
for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the interested party

is part of or for the application at the request of the latter of pre-contractual measures;
c) the treatment is necessary for the fulfillment of a legal obligation applicable to the
data controller;
d) the treatment is necessary to protect the vital interests of the interested party or another
Physical person;
e) the treatment is necessary for the fulfillment of a mission carried out in the interest

public or in the exercise of public powers vested in the data controller;
f) the treatment is necessary for the satisfaction of legitimate interests pursued
by the person in charge of the treatment or by a third party, provided that on said
interests do not override the interests or fundamental rights and freedoms of the
interested party that require the protection of personal data, in particular when the

interested is a child.
The provisions of letter f) of the first paragraph shall not apply to the processing
carried out by public authorities in the exercise of their functions.”

Article 4.11 of the RGPD defines the "consent of the interested party for the treatment of

your personal data”, such as: any manifestation of free will, specific,
informed and unequivocal by which the interested party accepts, either through a
declaration or a clear affirmative action, the treatment of personal data that
concern”.

Article 7 of the RGPD refers to the conditions of consent

establishing that:

"1. When the treatment is based on the consent of the interested party, the person in charge
You must be able to demonstrate that you consented to the processing of your data
personal.

2. If the data subject's consent is given in the context of a written statement
that also refers to other matters, the request for consent will be presented in
in such a way that it is clearly distinguishable from other matters, in an intelligible and
easy access and using clear and simple language. No part will be binding
of the statement that constitutes an infringement of this Regulation.

3. The interested party shall have the right to withdraw their consent at any time. The
Withdrawal of consent will not affect the legality of the treatment based on the
consent prior to withdrawal. Before giving their consent, the interested party will be
informed of it. It will be as easy to withdraw consent as it is to give it.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 96/117








4. When assessing whether the consent has been freely given, it will be taken into account in the
greatest extent possible whether, among other things, the performance of a contract,
including the provision of a service, is subject to consent to the processing of

personal data that is not necessary for the execution of said contract”.

For its part, recital (32) of the RGPD specifies that: “Consent must
given through a clear affirmative act that reflects a manifestation of will
free, specific, informed, and unequivocal of the interested party to accept the treatment of
personal data concerning you, such as a written statement,

including by electronic means, or a verbal statement. This could include marking
a box on a website on the internet, choose technical parameters for use
of services of the information society, or any other statement or conduct
that clearly indicates in this context that the interested party accepts the proposal of
treatment of your personal data. Therefore, silence, boxes already checked or

inaction should not constitute consent. Consent must be given for
all treatment activities carried out for the same or the same purposes.
When the treatment has several purposes, consent must be given for all
they. If the data subject's consent is to be given following a request by
electronic means, the request must be clear, concise and not disturb
unnecessarily the use of the service for which it is provided.”


Recital (42) of the GDPR indicates that: “(...) In accordance with Directive 93/13/
Council EWC, a model declaration of consent must be provided
previously prepared by the data controller with an intelligent formulation
accessible and accessible, using clear and simple language, and containing no clauses.

abusive bullshit. In order for the consent to be informed, the interested party must know
at least the identity of the person responsible for the treatment and the purposes of the treatment to
which the personal data is intended. Consent should not be considered
borrow freely when the interested party does not enjoy a true or free choice
or you cannot withhold or withdraw your consent without prejudice.”


Recital (43) indicates that: “To ensure that consent has been given
freely, this should not constitute a valid legal basis for the treatment of
personal data in a specific case in which there is a clear imbalance
between the interested party and the data controller, in particular when said res-
responsible is a public authority and it is therefore unlikely that the consent

to have been given freely in all the circumstances of that particular situation.
Consent is presumed not to have been freely given when it does not allow authorization.
separate the different personal data processing operations despite
be appropriate in the particular case, or when the performance of a contract, including the
provision of a service, is dependent on consent, even when this does not

necessary for said fulfillment”.

 In turn, article 6 of the LOPDGDD, indicates, on the processing of personal data
based on the consent of the affected party that: “1. In accordance with the
established in article 4.11 of Regulation (EU) 2016/679, consent is understood

affected person, any manifestation of free, specific, informed and inappropriate will.
equivocal by which he accepts, either through a statement or a clear action
affirmative, the treatment of personal data that concerns you.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 97/117








 2. When it is intended to base the processing of the data on the consent of the
affected for a plurality of purposes, it will be necessary to state specifically
fica and unequivocal that said consent is granted for all of them.

3. The execution of the contract may not be subject to the affected party consenting to the treatment.
processing of personal data for purposes that are not related to the maintenance
maintenance, development or control of the contractual relationship.”

In the present case, it is stated in the documentation in the file that the
claimed entity, has marketed, through its digital platform, (www.-

bankia.es), among others, three financial products: ON account; ON Payroll account and
UN&DOS account, along with its associated debit cards. It also markets
a credit card (ON Credit Card), which must be associated with an Account
ON open.


In the information sent by Bankia dated March 19, 2019, it is observed that
the contracting of these products entails the collection of various commissions,
such as the administration and maintenance of the account, as well as the fee for the
Associated debit or credit cards, transfers in euros, national and EU subject to
regulation 260/2012, carried out by non-face-to-face channel and check deposits in eu-
ros payable in the domestic market. However, such commissions will be free

as long as all the holders maintain what the entity calls a “profile
digital".

In the information sent on March 19, 2019, it is stated that “El Perfil Di-
gital will be held when, among other stipulations, it is fulfilled that:

        - All holders have authorized Bankia, by subscribing to the
            Personal data processing document, equivalent document or
            corresponding contract, the processing of your personal data for the
            sending commercial communications through any communication channel
            enabled, including email and mobile phone.

        - All holders have authorized Bankia, by subscribing to the
            Personal data processing document, equivalent document or
            corresponding contract, the transfer of your personal data to companies of
            your group for the analysis of your profile for commercial purposes.”

Such conditions were in force until 12/15/2019, when they disappeared.

for new contracts for ON products, remaining for customers who
already had an ON product until February 16, 2020, although the en-
amount claimed indicates that they were not taken into account for the purpose of subsidizing or not
missions from October 16, 2019.


This Agency considers that the exemption of the co-
banking missions to the provision of consent for two different treatments
services: the sending of commercial communications and the transfer of personal data to the en-
entities of the Bankia Group, so it cannot be considered that the consent is
freely grants, while, if such treatments are not accepted or subsequently revoked

consent thus obtained, there are negative consequences for
the interested party who is subject, in such a case, to the payment of the commissions set by the
bank entity.


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 98/117








Caixabank alleges that the commissions do not constitute a levy but rather the consideration
tion of the services provided by the bank, configuring itself as an element that
must be incorporated into the current account contract, constituting an essential element

whose purpose is the remuneration of the services provided. states that the products
In any case, bank charges are associated with the payment of commissions and that the exemption from
the same, contrary to what is indicated by the AEPD, constitutes a benefit for the
interested party, who must not pay commissions that are consubstantial to the cele-
signing of the contract.


The reasoning followed by CAIXABANK cannot be shared. This Agency considers
It should be noted that, indeed, the commissions can be part of the account contract
paying the services provided by the banking entity, but in-
tends that the link of the exemption of its collection to the provision of consent
for other processing of personal data different from those of the contract determined

mine that consent is not given in conditions of freedom.

In this regard, in the guidelines on consent in the GDPR, approved
given by the Working Group of article 29, adopted, at the meeting of May 25
of 2018, by the European Committee for Data Protection, a body to which the RGPD attributes
the function of guaranteeing the coherent application of the same, is exposed, in the point

to 3.1 what you consider a manifestation of free will:

“The term 'free' implies real choice and control on the part of those concerned. What
general rule, the RGPD establishes that, if the subject is not really free to choose,
you feel compelled to give your consent or you will suffer negative consequences if you do not

given, then the consent cannot be considered valid. If consent is-
is included as a non-negotiable part of the general conditions it is assumed that
it has not been freely given. Consequently, the consent will not be considered
has been provided freely if the interested party cannot deny or withdraw their consent
notwithstanding. The notion of imbalance between the person responsible for the treatment and the

Resado is also taken into account in the GDPR.

When assessing whether consent has been freely given, they should be considered
also the specific situations in which consent is made conditional on execution.
tion of contracts or the provision of a service as described in the article
7, paragraph 4. Article 7, paragraph 4, has been drafted in a non-exhaustive manner

by the use of the expression "among other things", which means that there may be
other circumstances that fall within the scope of this provision. In ther-
Generally speaking, consent will be invalidated by any influence or bias
inappropriate pressure exerted on the data subject (which can manifest itself in very
different) that prevents him from exercising his free will. (The underlining is from the AEPD).


Likewise, in point 3.1.1. the same document refers to the imbalance
of power, noting “Power imbalances are not limited to public authorities.
cases and employers, but can also occur in other situations.
As WG29 has underlined in various opinions, consent can only

be valid if the interested party can really choose and there is no risk of deception, intimidation,
duress, coercion, or significant negative consequences (for example, additional costs)
substantial losses) if you do not consent. Consent will not be free in


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 99/117








those cases in which there is an element of compulsion, pressure or inability
to exercise free will. (The underlining is from the AEPD)


 This element of compulsion or pressure is determined, in the opinion of the AEPD, by the
collection of these commissions established in such a way that they suppose a cost of sufficient
entity so as to determine the clients of such accounts to accept the consent
ment for the processing of data for purposes other than those of the contract. No
it can thus be considered that consent is given freely at the time of
enter into the contract and is freely modified at any time, as alleged by CAI-

XABANK, since the non-provision of that consent for other purposes or its re-
vocation determine the collection of commissions imposed by the bank, which
which supposes, contrary to what CAIXABANK affirms, a clear damage to the in-
tersated.


In this sense, the working group points out in said guidelines regarding the damage
“The data controller must demonstrate that it is possible to deny or withdraw consent.
sentiment without suffering any prejudice (recital 42). For example, the person in charge
of the treatment must demonstrate that the withdrawal of consent will not entail any
some cost for the interested party and, therefore, no clear disadvantage for those who withdraw
give consent.” (the underlining is from the AEPD)


The working group continues by pointing out that “Other examples of harm are deception,
harm, intimidation, coercion, or significant negative consequences if a data subject
you do not give your consent. The data controller must be able to demonstrate
that the interested party was able to exercise a free or real choice when giving his or her consent.

and that it was possible for him to withdraw it without suffering any harm” (emphasis added).
AEPD).

CAIXABANK affirms that the EDPB in example 6 of said guidelines refers
to what constitutes a loss, considering that it is the increase in commissions not

their collection. This example indicates the following:

“A bank asks its customers for consent so that third parties can use
your payment details for direct marketing purposes. This processing activity
It is not necessary for the execution of the contract with the client and the provision of services.
habitual vices of the bank account. If the client's refusal to give consent

refusal to such treatment would give rise to the bank's refusal to lend its
services, to the closing of the bank account or, depending on the case, to an increase in
commissions, consent could not be given freely.”

This Agency understands that, regardless of the fact that the EDPB mentions only

some examples of what constitutes a detriment, without pretending to contemplate all
possible assumptions, the reference to the "increase in commissions" cannot intervene
be interpreted in the literal sense that CAIXABANK expresses in its allegations. When
the EDPB refers to an “increase in commissions” it is evident that it takes
As a starting point, the assumption in which there are established commissions that

are charged in any case, hence, if the refusal to give consent gives rise to
for these to increase, consider that consent is not given freely, in
Therefore, this increase supposes a loss for the interested party. That is, the consent
is not free because its provision is conditioned to avoid a charge that was not provided

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 100/117








driving. And this example is equivalent to the one that occurs in the case object of the pre-
this procedure, in which the exemption from the collection of commissions is linked to the
provision of consent, so that the interested party does not provide said consent.

thought freely, but conditioned by that circumstance.

Therefore, this Agency understands that when consent is not given or
its revocation implies a collection of commissions that would not occur under the
provision of such consent for further processing, such consent is not
free since said collection supposes a clear damage for the interested party.


On the other hand, in no case can it be considered that the exemption from commissions
constitutes a benefit for the interested party, on the contrary said exemption has as
compensation the limitation of their fundamental right to data protection, limiting
that can only be admissible when its acceptance is not conditional.

tioned Said limitation in the present case implies the reception of communications
of all the sectors referred to in the TDP, that is, financial sectors.
insurance (banking, investment and insurance), real estate, cultural, travel, consumption and leisure
and the transfer of your data not only to the companies of the group, but also to the
collaborators, since the TDP does not establish that difference in the acceptance of the contract
feeling. On the other hand, it is unknown at the time of signing the contract who are

such collaborating entities, and the individual must go to the web page of the entity
ability to know at all times to whom your data has been transferred.

CAIXABANK alleges that the argumentation of this Agency fails, while the commissions
These are consubstantial elements of the bank account contract and it is not possible

consider that the contract may exist free of charge or without consideration by the
te of the entity's client.

This Agency does not share the reasoning of CAIXABANK, the Royal Decree-Law
19/2017, of November 24, of basic payment accounts, transfer of accounts of

payment and comparability of commissions, establishes in its article 9.1 that "the commissions
received for the services provided by credit institutions in relation to
The basic payment accounts will be those that are freely agreed between said entities.
des and clients”, in this way, this Agency understands that it can be agreed with the
clients the exemption of its collection and that, if said exemption is linked to the provision of the
Consent for processing of personal data other than those of the consent.

treatment, said consent is not given in conditions of freedom.

CAIXABANK also alleges that this Agency elevates to the category of source of the right
the content of the documents and guidelines of the EDPB considering that their trans-
aggression is a direct violation of the GDPR.


In this regard, it is worth remembering that the EDPB is responsible under the RGPD for
guarantee the consistent application of the same (art. 70.1 RGPD), issuing, with respect to
any question relating to the application of the Regulations, guidelines, recommendations
tions and good practices in order to promote the consistent application of the same

(art.70.1.e), so the application of said rule by this Agency cannot
if not to adjust to the consolidated criteria that are expressed in such opinions. On
In this sense, declares the Supreme Court in Judgment 1,176/2020, of September 17.
December 2020) “The Working Group contemplated in article 29 of the Directive

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 101/117








95/46/EC, which has been succeeded by the so-called European Data Protection Committee
(CEDP), which dictates Directives 5/2019, is an independent consultative body whose
function in accordance with the provisions of article 30.3 of Directive 95/46 CE is to address

address issues related to privacy and personal data and issue guidelines
ces about such as the one considered in the judgment of the National High Court, which consists
in a guide for the implementation of the Judgment of the Costeja case C-131/12. The
The guidelines lack binding normative value, but they do include the analysis of the ex-
experts from the perspective of the protection of personal data of the criteria of
weighting collected in the Judgment of the CJEU of May 13, 2014 Coste-

ha, and with this indicative value they can be used by national authorities
competent to resolve issues related to the protection of personal data.
sound.” (the underlining is from the AEPD).

CAIXABANK also alleges that the AEPD makes a new interpretation of the cri-

EDPB, since in case of not being consistent with the theses that it intends to maintain,
having the AEPD can only be due to two reasons: (i) their desire not to be exhaustive
you, CAIXABANK understanding that the example seems to refer to all sub-
positions in which it could be considered that there would be an affectation of the principle of freedom of the
consent in a case such as the one analyzed, or (ii) understanding that the opinion
interpretation must in turn be interpreted in the sense that the AEPD considers appropriate.

assignor defend. It points out that the AEPD limits itself to considering that “[w]hen the EDPB
refers to an "increase in commissions" it is evident that he takes as a point
of departure the assumption in which there are some established commissions that are charged in
any case” and that in relation to such a statement, that in a case in which the
EDPB manifests itself with crystal clarity, it is not possible for the AEPD to broaden the interpretation

assumption to the one that he considers adjusted to his thesis, no matter how evident it may be.
attempt to consider this fact. If the AEPD considers that it is “obvious” the interpretation
it intends to carry out, it should justify what it is based on to appreciate that su-
put evidence.


This Agency cannot admit such allegations, the very fact that it is
An example shows that it cannot be exhaustive. On the other hand,
it is not conceivable that a literal interpretation of an example can justify a limitation.
tion of the right to data protection, based on the fact that it does not contemplate
precisely the specific assumption that gives rise to said limitation, as occurs in the
present procedure. In effect, CAIXABANK intends to justify that its actions

is not contrary to the provisions of the RGPD, based on an example of the EDPB that is
refers as a limitation of the principle of freedom of consent the increase in
commissions, understanding that to the extent that it only refers to the "increase"
there is no other situation that can fit the mentioned example. Respec-
to the fact that the evidence is not justified in the affirmation of this Agency when it points out

which “when the EDPB refers to an “increase in commissions” it is evident that
takes as its starting point the assumption that there are established commissions
that are charged in any case” this Agency considers that it is not necessary to justify a
evidence, it is obvious that there can be no increase in commissions if they are not
They are established and are being charged.


CAIXABANK also alleges in support of its argument, the criterion adopted by
another data protection authority, in a different case from the one that is the object of
examination, in which he seems to hold an opinion contrary to that of this Agency, which

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 102/117








considers that it should be taken into consideration on the basis that the purpose of the
RGPD is to establish a uniform framework in the application of rules and principles
pio configurators of the fundamental right to data protection, This Agency

does not consider that such a resolution should be taken into account for the sake of uniform application
form of the rules of the RGPD, the work of guaranteeing the consistent application of the
RGPD corresponds to the EDPB and that what is sustained in the alleged resolution is about
a criterion adopted in isolation by another data protection authority, in a sub-
different position and without the EDPB having supported such a criterion.


CAIXABANK also alleges that there is no violation of article 7.4 of the
RGPD, while there is no conditionality as described in said article.
article since the provision of consent is not a sine qua non condition for
the signing of the contract, the client being able to contract the services without the need for
consent, these being the same regardless of the provision or not of the ci-

given consent.

It considers that it offers an equivalent service both to those who have provided the consent
protection for the processing of your data as part of the so-called "digital profile"
and to those who have not provided it, since the services offered are exactly
the same and also the elements that will integrate the contracts in which they are formed.

malize the services including commissions, even if the user
holds the so-called digital profile, said commissions will be discounted in
its entire amount as long as the digital profile is maintained. He affirms that if the AEPD
considers that they are two different products for the sole fact that it is offered with and
without bonus, it would empty of content any offer or promotion that could apply

a private entity.

Nor does this Agency share CAIXABANK's interpretation of what is indicated.
side by the EDPB in the aforementioned guidelines on consent, in which this
states that “The data controller could argue that his organization

offers stakeholders a real choice if they could choose between a service
that includes consent to the use of personal data for additional purposes, and
an equivalent service offered by the same person in charge that does not imply providing the
consent to the use of data for additional purposes. As long as there is a
possibility that said person in charge of the treatment executes the contract or provides the services
vices contracted without the consent for the other use or the additional use of the data

in question, it will mean that there is no longer any conditionality with respect to the service. No
However, both services must be really equivalent.”

Contrary to what is alleged by CAIXABANK, this Agency understands that said affirmation
mation of the EDPB precisely reflects a situation in which there is no conditionality

any quality in the provision of consent, which does not occur in the present su-
since an element of the current account contract, commissions, is used
to condition the provision of consent for other uses of the data, therefore
that the services cannot be considered as equivalent.


CAIXABANK also alleges that the services covered by this file are not
the only ones that make up its catalog of products and services, mentioning others
such as the Easy Account, the Youth Account or the Basic Payment account. However, not
certifies that it is an equivalent service. It cannot be admitted that any account

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 103/117








current is an equivalent service if the conditions in which it is provided are different
or are directed to a certain group, so that it is excluded that others can
they hire him.


CAIXABANK in the allegations to the proposed resolution refers to the
“EASY ACCOUNT”, affirming that its clients can choose to contract another product of
identical nature also exempt from the payment of commissions. This Agency does not consider
It would seem that said product could be considered equivalent, since the conditions
in which it is provided are different, requiring economic conditions that are not

were required at the opening of the ON account (existence of a payroll equal to or greater than
greater than 700 euros or unemployment benefit or pension equal to or greater than 200 euros
and meet one of the following conditions:
• Make two purchases a month with a credit card
• Contribution of 135 euros in risk insurance premiums.

• Possession of more than 30,000 euros in investment funds, pension plans or se-
savings insurance (this requirement was also fulfilled in the case of holding 40,000
euros in investment products of the entity, being excluded from this requirement
persons under the age of 26).

CAIXABANK mentions what is stated in the European Legislation Manual on

of data protection, adopted by the Agency for Fundamental Rights of the
European Union and the Council of Europe, in collaboration with the European Court of
Human Rights and the European Data Protection Supervisor, in relation to
the free nature of consent, which states that:


 This does not mean, however, that consent can never be valid in circumstance.
circumstances in which the lack of consent had some negative consequences
you go. For example, if the consequence of not consenting to have a card-
customer from a supermarket is only that small discounts will not be received.
stories in the prices of some products, consent could be a basis

legal valid to treat the personal data of those clients who grant their
consent to have said card. There is no subordination between the company and the
client, and the consequences of the lack of consent are not sufficient
serious enough to limit the freedom of choice of the interested party (provided that the reduction
price difference is small enough not to affect that freedom
of choice)"


CAIXABANK alleges, citing said example, that the Agency's reasoning
leads us to consider that the establishment of a discount to those who would have
accepted its inclusion in a loyalty program of any company with the consent
following acceptance of the processing of your data would be null, since it is not established

the possibility of enjoying the same discount in case of not choosing to adhere to the
fidelazation program.

This Agency cannot share such an allegation either, we are not faced with a
loyalty program as in the example indicated, but in the event that,

as indicated in the 5/2020 Guidelines on consent, they are merged or blurred
the two legal bases for the lawful processing of personal data, the consent
and the contract, thus breaching article 7.4, which guarantees that the treatment of


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 104/117








the data for which consent has been requested does not become a
consideration of the contract.


CAIXABANK alleges that the EDPB does not consider it inadmissible or contrary to freedom
in the provision of consent the granting of an incentive or benefit, having
Note that the guidelines state that “the GDPR does not exclude incentives, but co-
It would be up to the data controller to demonstrate that the consent has been
continued to give freely in any circumstance.” This Agency, as it has come
pointing out repeatedly, understands that the fact that the exemption from payment of the

commissions is conditional on the provision of consent for purposes other than
those of the contract determines that it cannot be considered that the consent
lie has been given freely.

Lastly, the allegation that this Agency, considering that the

consent given has been subject to coercion in the free will of the in-
interested parties, is considered competent to assess the nullity of a contract in which
incentives or benefits are established. This Agency does not assess the validity of the contract,
but that of consent to carry out other treatments different from their own
of the contract and that is conditioned by the exemption from the collection of commissions, which
In the opinion of this Agency, it is contrary to the provisions of article 7.4 of the RGPD.


CAIXABANK affirms that the reasoning of the AEPD not only affects the freedom of
consent to the processing of personal data but states that such consent
sentiment as an essential element of the current account contract is affected
as a consequence of exempting from the payment of commissions those who provide the

feeling for the digital profile, which not only affects the application of the regulations
of personal data but to the legality of the contract itself, given that if the consent
to contract the financial product is null because there is a kind of coercion, there would be
an invalidating defect of the contract itself, as the contracted consent is affected.
tual.


 In this regard, it is only possible for this Agency to reiterate what was stated above.
Subsequently, this Agency is limited to the exercise of its powers, among which are
finds the assessment that the consent given to carry out treatment
Data transfers other than those of the contract between the parties violates article
7.4 of the RGPD, being the consequences indicated by CAIXABANK unrelated to its actions.

tion, without this Agency being competent to rule on them.

Consequently, in accordance with the findings set forth, the aforementioned
chos suppose a violation of article 6 of the RGPD, in relation to article 7
of the same legal text, which gives rise to the application of the corrective powers that the ar-

Article 58 of the RGPD grants the Spanish Data Protection Agency.

                                            IV

The record shows that during the period between July 8 and 15

August 2018, affecting ON account customers contracted through the online channel.
ne, the consents were pre-marked in the acceptance state (con-
sorry) for new customers. That is, when a new client was registered
through the online channel, the consents were pre-marked during the pro-

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 105/117








registration process, not occurring in office registrations. The number of customers who passed
the registration process in the period between 07/08/2018 and 08/15/2018 (pro-
ducts ON through the online channel), there are a total of 2,562 (of which 2,192 are still

active and 270 have been cancelled). It is known that with respect to the 812 clients who have not
modified their consents nor have they left the entity, they have been carried out
carry out commercial actions through email or SMS. These actions are
have developed in the period between August 2018 (registration date) and
April 2020.


The requirement that “consent must be given through
a clear affirmative act that reflects a manifestation of free, specific, independent will.
formed, and unequivocal of the interested party to accept the treatment of data of a character
that concern him", it being understood that "silence, the boxes already checked or
inaction should not constitute consent” (Recital 32).


The absence of such a requirement determines that it is not valid so that the
treatments based on it lack legitimacy, thus contravening the provisions of
Article 6 of the GDPR.

In this sense, they point out Guidelines 5/2020 on consent in the sense

of Regulation (EU) 2016/679, regarding the unequivocal expression of will:
“The GDPR clearly establishes that consent requires a declaration of the in-
concerned or a clear affirmative action, which means that consent must always be given.
feeling through an action or statement. It should be evident that the interest
sado has given its consent to a specific data processing operation.

(…)
A controller should also bear in mind that consent
cannot be obtained by the same action by which the user agrees to a
treatment or accept the general terms and conditions of a service. The global acceptance
bal of the general terms and conditions cannot be considered a clear action

affirmative intended to give consent to the use of personal data. The GDPR does not
allows data controllers to offer pre-ticked boxes
or voluntary exclusion mechanisms that require the intervention of the interested party
to avoid settlement (e.g. “opt-out boxes”)”

CAIXABANK alleges that the imposition of the sanction for such acts is inadmissible.

chos by application of the non bis in idem principle. Considers that the AEPD would be sanctioned
Doubly mentioning the lack of legal basis for the processing of personal data.
them of the customers who had contracted the controversial products through the channel
online on the dates between July 8 and August 15, given that by
one party affirms that the consent granted is not valid because it is not free and, secondly,

secondly, that said consent is not valid because the pre-selected boxes are found.
marked.

It affirms that if the reasoning of the AEPD is followed, none of the consents
provided (whether or not the box was pre-checked) would be valid, so imposing

an additional sanction for the fact that in such an extremely small number of
assumptions said box is pre-marked is nothing but a contravention of the principle
pio non bis idem. And this should immediately entail the subsumption of this subsumption.
infringement in the collection by the AEPD in the first place.

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 106/117









It is worth mentioning here the Judgment of the National High Court of July 23, 2021
(rec. 1/2017), in which it concludes that the non bis in idem principle has not been violated

because there is no coincidence in the imputed facts. Said Judgment states that
“(…) According to the legislation and jurisprudence exposed, the non bis in idem principle
prevents punishing the same subject twice for the same act based on the same
as a foundation, the latter being understood as the same legal interest protected by the
sanctioning rules in question. Indeed, when there is the triple identity of
object, fact and basis, the sum of sanctions creates a sanction outside the judgment of

proportionality carried out by the legislator and materializes the imposition of a sanction
not legally provided for, which also violates the principle of proportionality.

But in order to speak of "bis in idem" there must be a triple identity between
between the terms compared: objective (same facts), subjective (against the same

subjects) and causal (for the same reason or reason to punish):
 a) Subjective identity assumes that the affected subject must be the same, whatever
whatever the nature or judicial or administrative authority that prosecutes and independently
evidence of who is the accuser or specific body that has resolved, or that is prosecuted
cie alone or in concurrence with other affected.
b) The factual identity supposes that the prosecuted facts are the same, and rules out

the assumptions of real contest of infractions in which it is not before the same he-
cho unlawful but before several.
c) The identity of the basis or cause implies that the sanctioning measures do not
can concur if they respond to the same nature, that is, if they participate in a
same teleological foundation, what happens between penal and administrative

sanctions, but not between the punitive and the merely coercive.”

Based on these criteria, this Agency considers that in this procedure
This principle is not violated, since it does not penalize twice the same acts, but
that we are faced with different facts.


In effect, in the previous point the fact that the entity claimed was examined was
asked its clients for their consent for certain treatments, failing to comply
the requirements of article 7, which determined its invalidity. In the present it is done
reference to data processing carried out with respect to a group of clients that
when contracting said account in a certain period of time, the period between

on July 8 and August 15, the pre-ticked boxes were found, so that
they did not unequivocally give their consent. therefore cannot be subsumed
said infraction in the one indicated in the previous point, since we are not
before the infringement of the provisions of article 7 in relation to 6 of the RGPD, but in
the absence of any consent and, consequently, in the absence of a basis

legitimizing for the treatment, thus infringing article 6 of said norm.

This difference in conduct is clearly expressed in the LOPDGDD by pointing out,
for the purposes of prescription, in its article 72, relative to the infractions considered
very serious, the following:


1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose


C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 107/117








a substantial violation of the articles mentioned therein and, in particular, the
following:
(…)

b) The processing of personal data without the concurrence of any of the license conditions
treatment established in article 6 of Regulation (EU) 2016/679.
(…)
c) Failure to comply with the requirements of Article 7 of the Regulation (EU)
2016/679 for the validity of consent.”


Consequently, in accordance with the exposed evidence, the aforementioned facts
suppose a violation of article 6 of the RGPD, which gives rise to the application of the
corrective powers that article 58 of the aforementioned Regulation grants to the Agencia Es-
Data Protection panel.
                                           v


In the event that there is an infringement of the provisions of the RGPD, between the
corrective powers available to the Spanish Data Protection Agency,
as a control authority, article 58.2 of said Regulation contemplates the
following:


“2 Each supervisory authority shall have all of the following corrective powers
listed below:
(…)
b) send a warning to any person responsible or in charge of the treatment when the
treatment operations have violated the provisions of this Regulation.

(correction of errors in Regulation (EU) 2016/679, DOUE number 74, of 4
March 2021)
(...)
d) order the person in charge or in charge of the treatment that the operations of
treatment comply with the provisions of this Regulation, where appropriate,

in a certain way and within a specified period;
(…)
i) impose an administrative fine in accordance with article 83, in addition to or instead of the
measures mentioned in this section, according to the circumstances of each case
particular;"


According to the provisions of article 83.2 of the RGPD, the measure provided for in letter d)
above is compatible with the sanction consisting of an administrative fine.

                                           SAW


       In this case, non-compliance with article 7 has been proven.
in relation to article 6 of the RGPD and article 6 of the same regulation, with the
scope expressed in the previous Foundations of Law, which implies the
commission of the offenses typified in article 83.5 of the RGPD, which under the
heading "General conditions for the imposition of administrative fines" provides

the next:

5. Violations of the following provisions will be sanctioned, in accordance with the
paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 108/117








in the case of a company, an amount equivalent to a maximum of 4% of the
global total annual turnover of the previous financial year, opting for
the largest amount:


   a) The basic principles for the treatment, including the conditions for the
       consent under articles 5, 6, 7 and 9;

       In this regard, the LOPDGDD, in its article 71 establishes that "They constitute
infractions the acts and behaviors referred to in sections 4, 5 and 6 of the

Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.

       For the purposes of the limitation period, article 72 of the LOPDGDD indicates:


“Article 72. Infractions considered very serious.

1. Based on the provisions of article 83.5 of Regulation (EU) 2016/679,
considered very serious and will prescribe after three years the infractions that suppose
a substantial violation of the articles mentioned therein and, in particular, the
following:

(…)
b) The processing of personal data without the concurrence of any of the conditions of
legality of the treatment established in article 6 of Regulation (EU) 2016/679.
(…)
c) Failure to comply with the requirements of Article 7 of the Regulation (EU)

2016/679 for the validity of consent.”

        In order to determine the administrative fine to be imposed, the
provisions of articles 83.1 and 83.2 of the RGPD, precepts that indicate:


"1. Each control authority will guarantee that the imposition of fines
administrative actions under this article for violations of this
Regulation indicated in sections 4, 9 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the

Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question as well
such as the number of interested parties affected and the level of damages that

have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor to
alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the treatment,

taking into account the technical or organizational measures that they have applied under
of articles 25 and 32;
e) any previous infringement committed by the person in charge or the person in charge of the treatment;
 f) the degree of cooperation with the supervisory authority in order to remedy the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 109/117








infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in

particular whether the person in charge or the person in charge notified the infringement and, if so, in what
measure;
i) when the measures indicated in article 58, section 2, have been ordered
previously against the person in charge or the person in charge in question in relation to the
same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or mechanisms of

certification approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the case,
such as financial benefits obtained or losses avoided, directly or
indirectly, through the infringement.”


      For its part, article 76 “Sanctions and corrective measures” of the LOPDGDD
has:

"1. The penalties provided for in sections 4, 5 and 6 of article 83 of the Regulation
(EU) 2016/679 will be applied taking into account the graduation criteria
established in section 2 of the aforementioned article.


2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679
may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of treatment of

personal information.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the commission
of the offence.
e) The existence of a merger by absorption process subsequent to the commission of the

infringement, which cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Have, when not mandatory, a data protection delegate.
h) Submission by the person in charge or person in charge, on a voluntary basis, to
alternative conflict resolution mechanisms, in those cases in which
there are controversies between them and any interested party.”


      In this case, considering the seriousness of the infractions found, it is appropriate
the imposition of a fine without being able to accept the request made by CAIXABANK
to impose other corrective powers that would have allowed the correction
of the irregular situation, such as the warning, provides in this sense the

recital 148 of the RGPD "In order to reinforce the application of the rules of the
this Regulation, any infraction of this must be punished with sanctions,
including administrative fines, in addition to appropriate measures
imposed by the supervisory authority by virtue of this Regulation, or in
replacement of these. In the case of a minor offence, or if the fine that is likely to be

imposed would constitute a disproportionate burden on a natural person, rather than
sanction by means of a fine, a warning may be imposed. must however
Special attention should be paid to the nature, seriousness and duration of the infringement, its
intentional nature, to the measures taken to alleviate the damages suffered,

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 110/117








the degree of liability or any relevant prior violation, the manner in which
that the control authority has been aware of the infraction, compliance
of measures ordered against the person responsible or in charge, adherence to codes of

conduct and any other aggravating or mitigating circumstance. The imposition of
sanctions, including administrative fines, must be subject to guarantees
sufficient procedural requirements in accordance with the general principles of Union Law and
of the Charter, including the right to effective judicial protection and to a process with all
guarantees.”


CAIXABANK alleges that it is appropriate with respect to the second of the infractions
the imposition of the warning measure established in article 58.2 RGPD,
taking into consideration what was stated by the Article 29 Working Group in
its document WP253 of “Guidelines on the application and fixing of fines
for the purposes of Regulation 2016/679”, when noting that: “In the

Recital 148 introduces the notion of "minor infringements". Said violations
may constitute violations of one or several provisions of the Regulation cited in
Article 83, paragraphs 4 or 5. However, the evaluation of the criteria provided for in
Article 83, paragraph 2, may lead the supervisory authority to consider, for
example, that in the specific circumstances of the case the violation does not entail a
significant risk to the rights of data subjects and does not affect the essence of the

obligation in question. In such cases, the fine may be substituted (although not
always) for a warning”.

It alleges that the assumption has only affected 812 of a total of 1,200,000 customers,
without there being any type of claim on your part and without said affected parties

have maintained, from the time the incident occurred, any type of
relationship with CAIXABANK, as they are inactive clients with respect to whom,
In addition, said entity considered that consent was not given, refraining from
proceed to the processing of your personal data, and all this after having
taken extremely diligent measures aimed at achieving contact with

the aforementioned clients.

In the opinion of this Agency there are no circumstances that may allow it
imposition of a warning regarding said infraction, since it is breached here
one of the essential obligations, the existence of legitimacy, so that the
data processing is in accordance with the provisions of its regulatory regulations and such

Non-compliance fully violates the rights of the interested parties. The
circumstances alleged by CAIXABANK cannot be considered because nothing
alter the fact that the consent of the interested parties has not been requested,
but the fact is that this Agency cannot accept what is alleged by CAIXABANK either: the
number of clients was not 812, but 2,562, of which 812 have not changed

the consents nor have they subsequently caused cancellation in said entity;
CAIXABANK has not refrained from processing personal data
of these 812 clients as stated, since regarding them have been
carried out commercial actions through email or SMS, such as
is accredited in the proven facts, being aware that he lacked

consent to process your data, carrying out such actions in the period
between August 2018 (registration date) and April 2020 Nor can
appreciate that it has acted with diligence when the events occurred in
2018 and it was not until May 2020 that actions aimed at

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 111/117








Obtain the consent of the clients.

       In accordance with the precepts transcribed, in order to set the amount of the

sanctions of a fine to be imposed in this case on the defendant, as responsible for
the infractions typified in article 83.5.a) of the RGPD, it is appropriate to graduate the fine
that should be imposed for the infraction imputed by each of the
offenses charged as follows:

1. Violation due to non-compliance with the provisions of article 6 in relation to the

article 7 of the RGPD, typified in article 83.5.a) and classified as very serious to
effects of prescription in article 72.1.c) of the LOPDGDD:

      It is estimated that the following factors concur as aggravating factors:
reveal greater unlawfulness and/or culpability in CAIXABANK's conduct:


    a) The circumstance described in article 83.2.a) RGPD, which values the nature,
       severity and duration of the offence. This is not infringing conduct.
       isolated. It is about the design of a financial product with the purpose of
       condition the clients of the entity that contract the same, through the
       exemption from the collection of contract commissions, to give their consent

       for purposes other than those of said contract. It also takes into account the
       high number of stakeholders affected: the number of customers as of May 31
       of 2019 that the ON Nomina, UN&DOS and ON accounts had contracted was
       1,197,000, of which they had given their consent to receive
       of advertising 965,972 and for the transfer of your data to group companies

       952,677 customers. It also carries out the treatment of a large volume of
       Data of the interested parties who consent to the profiling being carried out with
       the data that is qualified in the TDP as personal and includes data
       relating to customer identification, contact information, marital status, number
       of children, date and province of birth, nationality and professional data;

       with the data obtained from the contracted products and with those obtained from
       from the operations, movements or transactions associated with their
       products.

       Caixabank alleges that if the offending conduct is considered to consist of the
       alleged conditioning of the consent of its clients for the

       processing of your personal data as an exemption from the
       payment of commissions, insofar as said conduct integrates the type of infraction
       can hardly be considered a circumstance that aggravates the
       responsibility.


       However, this Agency understands that what is taken into account here is not
       the offending type, even if it is mentioned in the presentation of the argument. I know
       considers as aggravating the fact that it is not an isolated conduct,
       but it is the result of a commercial policy of said entity that affects
       a large number of stakeholders.


       It alleges that the Motion for a Resolution states that "there is
       In addition, the treatment of a large volume of data of the interested parties that
       consent that the profiling is carried out with the data that is qualified in the

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 112/117








       TDP as personal and include data related to customer identification, their
       contact information, marital status, number of children, date and province of
       birth, nationality and professional data; with the data obtained from the

       products contracted and with those obtained from the operations,
       movements or transactions associated with their products”. Notes that,
       As indicated in the proven facts, the profile referred to in the
       Resolution Proposal would have a character prior to the transfer of the data
       personal data of customers who have given their consent to do so
       the companies of the Group or collaborators of CAIXABANK. However, the

       The Proposal itself includes as a proven fact that the aforementioned transfer did not have
       place in any case, when indicating that “[a]lthough the
       consent to customers, BANKIA has not transferred their personal data or to
       companies of the group or other collaborating entities based on
       these general consents of the TDP nor is there any provision for it” In this

       Likewise, a circumstance that has not occurred cannot be applied as an aggravating circumstance.
       according to the factual account of the motion for a resolution.

       This Agency cannot share such an argument, we can only remind this
       respect that the exemption of commissions is linked to the provision of the
       consent for two different treatments: the transfer of data to the

       companies of the Group or collaborating entities of CAIXABANK and the sending of
       commercial communications. Regarding this second treatment, it is clear that
       in the TDP document that consent is requested for the sending of
       “personalized commercial communications through any channel
       (paper, electronic, telematic, digital media, etc.) on products,

       services, promotions or discounts in the financial sectors (banking,
       investment and insurance), real estate, cultural, travel, consumption and leisure based on your
       profile, prepared from your personal data, the products you have
       contracted, as well as from the operations, movements or transactions
       associated with their products. (the underlining is from the AEPD).


    b) The circumstance described in article 83.2.b) RGPD that values “the
       intentionality or negligence in the commission of the infraction”, It is a
       intentional conduct in relation to the violation of the rules of
       protection of personal data, being aware the claimed entity that
       the exemption of the payment of commissions would have the result that the majority of

       the clients of said accounts consent to the data processing of
       advertising and transfer of data to group companies.

       He alleges that it is not possible for the AEPD to assess as an aggravating circumstance what
       is nothing but a mere business strategy and that raises to the degree of

       aggravating circumstance what CAIXABANK could or could not consider in the
       time of launching the product, taking this conjecture as proven.

       In the opinion of this Agency, being a business strategy proves
       said intention. On the other hand, this behavior was maintained over time.

       Therefore, during the period in which the exemption from the collection of
       commissions to the provision of consent for the purposes of shipments
       advertising and assignment to other entities of the group and collaborators, CAIXABANK
       was able to assess the result of said strategy, deciding to maintain it until 16

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 113/117








       October 2019, so the entity was fully aware that the
       Most clients consented to such treatments to achieve
       fee waiver. This is also shown by the responses to the
       transfers to the CAIXABANK Data Protection Delegate of the
       claims made before this Agency.


    c) The circumstance described in article 83.2.k) RGPD, any other factor
       applicable to the circumstances of the case: The condition of large company of the
       responsible entity and its turnover. For these purposes, it is
       Note that Bankia's net margin before provisions in the year
       2019 financial year was 1,428 million euros.


       CAIXABANK alleges that it has found neither in the GDPR regime nor in the
       of the LOPDGDD no rule that considers this circumstance as
       aggravating circumstance of an offence. Consider that it is included
       completely arbitrary to the catalog established in the current regulations, with the

       consequent breach of the principle of legality.

       Such an allegation cannot be shared, article 83.1 of the RGPD provides that "Each
       control authority will guarantee that the imposition of administrative fines
       under this Article for infringements of this Regulation
       indicated in sections 4, 5 and 6 are in each individual case effective,

       proportionate and dissuasive.” Number 2 of said article establishes that
       decide the imposition of an administrative fine and its amount in each case
       will be duly taken into account: (...) k) any other factor
       aggravating or mitigating circumstance applicable to the circumstances of the case, such as
       financial benefits obtained or losses avoided, directly or
       indirectly, through the infringement.”


       For these purposes, as an aggravating factor, it is worth taking into account the
       of the entity as a large company which is linked between
       other aspects to your billing volume, to the extent that you have
       greater means to comply with the obligations imposed by the
       GDPR.


    d) The circumstance described in article 76.2.a) LOPDGDD: the character
       continuation of the offence.

       CAIXABANK alleges that aside from the fact that, as indicated in the aforementioned
       sentence, the circumstance of continued infringement, which is established in the

       Article 76.2 a) of the LOPDGDD cannot be assimilated to that of infraction
       permanent, a similarity that, on the contrary, the AEPD does appreciate, it is necessary to
       taking into account that it is not stated as proven in the Proposal that the treatment without
       consent) has taken place, stating that in no case was there
       effectively the transfer of data with respect to which the request was made

       consent of the interested party.

       In the opinion of this Agency, it should be remembered here that there are two purposes for
       which the consent of the entity's clients was requested, linked to
       the exemption of commissions, on the one hand the transfer of data to other entities

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 114/117








       of the group or collaborating entities and, on the other, the sending of communications
       commercial, being accredited in the file that they were carried out
       advertising campaigns via SMS or email from 2018 to 2020.


    e) The circumstance described in article 76.2.b) LOPDGDD: High connection
       of the offender's activity with the performance of data processing
       personal. The operations that constitute the business activity of the
       claimed entity involve personal data processing operations.


    f) The circumstance described in article 76.2.c) LOPDGDD: The benefits
       obtained as a result of committing the offence. It is held in
       account that among its commercial activities is the sending of
       commercial communications to its clients in the following sectors:
       financial (banking, investment and insurance), real estate, cultural, travel,

       consumption and leisure.

       CAIXABANK states that it does not understand why it is considered that the
       carrying out the aforementioned communications constitutes its activity when it is
       notice that it is a bank. Considers that at most it could imply
       the existence of a link between their activity and the performance of

       data processing, but in no case does it imply obtaining a
       supposed benefit for the same and that it is not accredited said
       benefit.

       It should be remembered here that the exemption from the collection of commissions is linked to the

       consent to carry out two different data treatments: the sending of
       advertising of the sectors mentioned in the TDP document and the transfer
       of your data to the group companies and collaborating entities. in what
       Regarding the advertising activities for which the
       consent, these may relate, on the one hand, to other products

       of the entity itself, seeking its contracting by its clients with the
       consequent economic benefit. On the other hand, it may be the
       realization of publicity for third parties that in the present case includes
       a wide variety of sectors, also obtaining an economic benefit
       of such activity based on commercial agreements with other entities to
       those who are going to carry out said advertising activities. like repeatedly

       has been pointed out, it is clear from the proven facts that they were carried out
       advertising campaigns via SMS or email from 2018 to 2020 that
       affected even customers who had not been requested to
       consent because the boxes are pre-ticked.


       It is estimated that the circumstance described in the
Article 76.2.e) of the LOPDGDD: The existence of a merger process by absorption
after the commission of the offence, which cannot be attributed to the entity
absorbent.


This Agency understands that CAIXABANK's request that it be
consider as extenuating circumstances those provided for in letters c) and f) of article
83.2 of the RGPD, alleging that the conditions for the exemption of the commissions do not
were taken into account from October 16, 2019, before said entity

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 115/117








was aware of the existence of inspection actions directed against the
itself, having also provided all its collaboration in the investigation of the
facts and in the minimization of damages.


Article 83.2 in its letters c and f provides the following:
 “Administrative fines will be imposed, depending on the circumstances of each
individual case, in addition to or as a substitute for the measures contemplated in the
Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:

(…)
c) any measure taken by the controller or processor to alleviate
the damages suffered by the interested parties;
(…)
f) the degree of cooperation with the supervisory authority in order to remedy the

infringement and mitigate the possible adverse effects of the infringement;”

In the opinion of this Agency, the cessation of the infringing action is not framed
in neither of the two mitigating factors, nor is collaboration in the
investigation of the facts that results in an obligatory action by the entity
object of inspection (article 52 of the LOPDGDD).


      Considering the exposed factors, the initial valuation that reaches the fine
for the imputed infringement is 2,000,000 euros.

2. Infraction due to non-compliance with the provisions of article 6 of the RGPD, typified

in article 83.5.a) and classified as very serious for the purposes of prescription in the
Article 72.1.b) of the LOPDGDD:

It is estimated that they concur as aggravating factors, in addition to the factors exposed
in relation to the previous infraction indicated in letters c), d), e) and f), the

following factors that reveal greater unlawfulness and/or culpability in the
CAIXABANK conduct:


        a) The circumstance described in article 83.2.a) RGPD, which values the
           nature, severity and duration of the offence. The nature, gravity and

           duration of the infraction. This is not an isolated incident, but rather affects
           to the consent collection procedure for a period of
           time, during which the consents appeared pre-marked for
           those customers who contracted online.


        b) The circumstance described in article 83.2.b) RGPD that values “the
           intentionality or negligence in the commission of the infraction”, The defect
           that constitutes the infraction, this is the existence of consents
           pre-marked, given its evidence it should have been warned and avoided by a
           entity of the characteristics of the claimed entity.



CAIXABANK points out that regarding the aggravating circumstances indicated in letters c, d, e and f)
of the previous section reproduces the allegations made to them in said

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 116/117








sections. This Agency believes that the considerations of this Agency in
relation to such allegations are fully applicable at this point.


CAIXABANK alleges, for purposes of determining liability for said
events, which resolved the incident that occurred in its systems on August 15, when
There was no complaint or claim directed against said entity.
immediately how many actions were necessary to ensure that the
consents given were with absolute freedom and without conditioning
some, finally deciding to consider these denied.


 This Agency cannot admit that it acted diligently every time that the
events occurred in 2018 and it was not until May 2020 that they began
actions aimed at obtaining the consent of the clients and that, during
said period, said entity being aware that it lacked the consent of

those affected, carried out commercial actions with respect to those clients.

 It is estimated that the circumstance described in the
Article 76.2.e) of the LOPDGDD: The existence of a merger process by absorption
after the commission of the offence, which cannot be attributed to the entity
absorbent.


 Considering the exposed factors, the initial valuation that reaches the fine for the
infringement charged is 100,000 euros.

Therefore, in accordance with the applicable legislation and having assessed the criteria for

graduation of sanctions whose existence has been proven,

the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: IMPOSE the entity CAIXABANK S.A., with CIF A08663619, for a

infringement of article 6 in relation to 7.4 of the RGPD, typified in article 83.5.a
of the RGPD, a fine of 2,000,000 euros (two million euros), in relation to
Obtaining consent for purposes other than those of the contract
conditioning its obtaining to the exemption of banking commissions, as
indicated in this resolution.


SECOND: IMPOSE the entity CAIXABANK S.A., with CIF A08663619, for a
infringement of article 6.1 of the RGPD, typified in article 83.5.a of the RGPD, with a
fine of 100,000 euros (one hundred thousand euros), in relation to obtaining consent
through pre-marked boxes, as indicated in this resolution.


THIRD PARTIES: NOTIFY this resolution to CAIXABANK S.A.

FOURTH: Warn the sanctioned party that he must make the imposed sanction effective once
Once this resolution is enforceable, in accordance with the provisions of the
art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure

Common Public Administrations (hereinafter LPACAP), within the payment term
voluntary established in art. 68 of the General Collection Regulations, approved
by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003,
of December 17, through its entry, indicating the NIF of the sanctioned and the number

C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es, 117/117








of procedure that appears in the heading of this document, in the account
restricted number ES00 0000 0000 0000 0000 0000, opened on behalf of the Agency

Spanish Department of Data Protection in the banking entity CAIXABANK, S.A.. In case
Otherwise, it will be collected in the executive period.

Received the notification and once executed, if the date of execution is
between the 1st and 15th of each month, both inclusive, the term to make the payment

voluntary will be until the 20th day of the following month or immediately after, and if
between the 16th and last day of each month, both inclusive, the payment term
It will be until the 5th of the second following month or immediately after.

In accordance with the provisions of article 76.4 of the LOPDGDD and given that the

amount of the sanction imposed is greater than one million euros, it will be subject to
publication in the Official State Gazette of the information that identifies the offender, the
offense committed and the amount of the penalty.

In accordance with the provisions of article 50 of the LOPDGDD, this

Resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the
LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the
Interested parties may optionally file an appeal for reconsideration before the

Director of the Spanish Agency for Data Protection within a month from
counting from the day following the notification of this resolution or directly
contentious-administrative appeal before the Contentious-Administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the

Contentious-administrative jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.

Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP,

may provisionally suspend the firm resolution in administrative proceedings if the
The interested party expresses his intention to file a contentious-administrative appeal.
If this is the case, the interested party must formally communicate this fact by
writing addressed to the Spanish Agency for Data Protection, presenting it through
Electronic Register of the Agency [https://sedeagpd.gob.es/sede-electronica-

web/], or through any of the other registers provided for in art. 16.4 of the
aforementioned Law 39/2015, of October 1. You must also transfer to the Agency the
documentation proving the effective filing of the contentious appeal-
administrative. If the Agency was not aware of the filing of the appeal
contentious-administrative within a period of two months from the day following the

notification of this resolution would end the precautionary suspension.


                                                                                  938-190122
Sea Spain Marti
Director of the Spanish Data Protection Agency




C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es