The Spanish Data Protection Authority (AEPD) has imposed sanctions of about six million euros on CaixaBank for illicit processing of its clients' personal data.
Last December another bank, Banco Bilbao Vizcaya Argentaria (BBVA), was fined five million euros by the Spanish DPA for sending commercial communications without express consent and for making it impossible for clients to choose which data to provide to the bank and which not.
Together, the sanctions amount to 11 million euros and have hit the Spanish banking sector within a few weeks.
The CaixaBank case began three years ago, when a client sent a letter to the AEPD complaining that the bank “has imposed the obligation to accept the new personal data protection conditions, more specifically during personal data transfers to all the societies of the group”, and underlining that in order to stop those transfers it was necessary to write a letter to each company, which was totally disproportionate, since the acceptance of the conditions took place in a single act.
FACUA (Facua-Consumidores en Acción), a consumer association which followed the case, accused the bank of subjecting its clients to a contract whose content could not be negotiated by the consumer, who was obliged to consent to the processing of personal data and to its transfer to third-party companies with which the consumer might have no relationship.
The Spanish DPA found that CaixaBank aggressively breached the transparency requirements of Regulation (EU) 2016/679 on personal data protection (the GDPR, which applies throughout Europe) regarding its personal data processing policy, because it used “imprecise terminology to define the privacy policy, as well as insufficient information on the categories of personal data being processed”.
But the most serious breach, in the AEPD’s judgement, concerns consent: for personal data processing to be lawful, the data subject must give specific, unequivocal and informed consent.
In addition, the Spanish DPA objected to “shortcomings in the processes of managing the obtaining of customers’ consent to the processing of their personal data”; customers were forced to “unlawfully transfer personal data to CaixaBank Group companies”.
In the lengthy 177-page judgement, the Spanish DPA specified that the amount of the sanctions imposed on CaixaBank is related to the seriousness of the infringements, the large volume of personal data, and the large number of data subjects, more than 15 million customers. The bank has announced its intention to consider an appeal.
SOURCE: FEDERPRIVACY