Caixabank has received a historic fine from the Spanish Data Protection Agency (AEPD). The entity violated three articles of the current regulation, including one violation classified as very serious.
Caixabank will have to face a fine of 6 million euros for having violated three GDPR articles. The agency imposes a fine of 2 million, considered slight, for failing to comply with Articles 13 and 14, while the remaining 4 million come from breaching Article 6, an infraction classified as very serious by the regulations.
The case dates back to 2018 and follows an investigation into a complaint by an individual and a subsequent one in 2019 led by FACUA (Consumers Association) against the privacy ‘Framework Agreement’ that all clients of the bank must sign. A ‘Framework Agreement’ is an agreement between one or more buyers or suppliers that establishes the terms governing contracts over a certain period of time. The ruling runs to 177 pages and details how Caixabank infringed the articles and has not corrected what the institution requested.
Among the failures cited under the GDPR for the first two points, the information offered in the different documents or channels is not uniform. Inaccurate terminology is used to define the privacy policy, and information on the category of personal data is lacking.
Regarding Article 6, the Spanish Data Protection Agency affirms that La Caixa does not adequately justify the legal basis for the processing of personal data and fails to comply with the requirements established for the provision of a valid service. It also cites deficiencies in the processes enabled to obtain the consent of its clients and in the procedure through which they give their consent for the collection and processing of their personal data.
In addition to the sanction imposed, the AEPD obliges the entity to bring into line with personal data protection regulations, within six months, the personal data processing operations it carries out, the information offered to its clients and the procedure through which they must give their consent for the collection and processing of their personal data.
According to the agency, Caixabank has not shown a very collaborative attitude, and the corrections made by the company have not amounted to a true regularization of the irregular situation verified in the sanctioning procedure.