AEPD (Spain) - PS/00477/2019

From GDPRhub
Revision as of 19:54, 18 January 2021 by Paolaleon
AEPD - PS-00477-2019
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 6 GDPR
Article 13 GDPR
Article 14 GDPR
Type: Complaint
Outcome: Upheld
Started:
Decided:
Published: 13.01.2021
Fine: 6000000 EUR
Parties: n/a
National Case Number/Name: PS-00477-2019
European Case Law Identifier: n/a
Appeal: n/a
Original Language(s): Spanish
Original Source: AEPD (Spain) (in ES)
Initial Contributor: Paola L.

The Spanish DPA (AEPD) initiated a sanctioning procedure against CaixaBank S.A. following a complaint received from a customer of the bank in 2018 and a complaint received from the non-profit organization ‘FACUA’ in 2019. The sanctioning procedure concluded with a fine of €6 million imposed on CaixaBank for infringing Articles 6, 13 and 14 of the GDPR.

English Summary

Facts

On 24/01/2018, an individual (the first complainant) who was a customer of CaixaBank (the defendant) filed a complaint with the AEPD alleging that the defendant forced them to accept new conditions regarding the protection of personal data, specifically those regarding the transfer of their personal data to all the companies of the CaixaBank group, and that if they wanted to withdraw their consent, they had to contact each company of the group individually. The complainant alleged that this was disproportionate, considering that the consent for this purpose had been given in one single act.

The AEPD forwarded the complaint to the defendant, which responded by explaining the processing activities that were based on consent, why they were based on consent, the mechanisms in place to obtain consent, and the options available to customers to withdraw their consent, whether in person, via the website or via the mobile app. On 02/01/2019, the AEPD closed this investigation as expired, as twelve months had elapsed since the complaint was filed (24/01/2018).

On 29/03/2019, a second complaint was received against the defendant, this time from the Association of Consumers and Users in Action – ‘FACUA’ (the second complainant), in relation to the "Framework Agreement" signed by the customers of this entity, through which their personal data is collected. Essentially, FACUA indicated that this was a boilerplate contract, as customers did not have the option to negotiate its terms and were obliged to consent to the processing of their personal data, including for the purpose of sharing it with third parties.

On 28/05/2019, the AEPD admitted the second complaint and launched an investigation into the matter. The AEPD requested that CaixaBank provide the "Framework Agreement" in its current and previous versions, the channels and methodology for its acceptance, and the granularity with which consents were obtained, as well as the procedures enabled for the provision of information in accordance with Articles 13 and 14 of the GDPR and the mechanisms used to obtain its acceptance. In addition, the AEPD requested its Article 30 record of processing activities, its data protection impact assessments, and its records of legitimate interest assessments.


Dispute

Was the information that CaixaBank provided to its customers in relation to data protection compliant with the requirements of Articles 13 and 14 of the GDPR?

Holding

In relation to Articles 13 and 14 of the GDPR, the AEPD held that the information CaixaBank provided in relation to data protection was imprecise, vague and not uniform. It noted that not even the terminology was offered with the same breadth to all customers and in all situations (in some cases the “Framework Agreement” is used, in others the “Consent Agreement”, and for other clients only the “Privacy Policy”), and that it was not updated in the same way in each case. The AEPD also pointed out that the information provided in relation to the legal basis relied upon, the categories of personal data processed, the purposes of the processing, retention periods, the exercise of rights, and the profiles built of users and their uses was insufficient.

In relation to Article 6 of the GDPR, the AEPD found that CaixaBank did not provide sufficient justification of the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest, and did not comply with the requirements for obtaining valid consent: "consent, in this case, is considered an affirmative act, but it could not be considered to be freely given, specific, informed, and unequivocal". It further noted that CaixaBank did not identify any legal basis that enables the transfer of data to the companies of the CaixaBank Group; therefore, the transfer of personal data within the CaixaBank group was unlawful.

In consequence, the AEPD imposed a fine of €2 million for the violation of Articles 13 and 14 of the GDPR and a fine of €4 million for the violation of Article 6 of the GDPR, and ordered CaixaBank to review the company's processes and procedures and bring them into compliance with data protection regulations within six months.


Comment

Share your comments here!

Further Resources

Share blogs or news articles here!

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.