Spanish Bank Fined 6 Million Euros For Violating GDPR


The Spanish privacy regulator AEPD has fined the Spanish CaixaBank a total of 6 million euros for violating the General Data Protection Regulation (GDPR). It is the highest fine ever imposed by the Spanish data protection authority (PDF).


According to the privacy supervisor, the bank made the mistake of unlawfully processing customer data and insufficiently informing customers about the processing of personal data. Customers were forced to accept a new privacy policy whereby their personal data was shared with all CaixaBank Group companies. Customers could not simply unsubscribe from this, but had to write separately to all companies that are part of the banking group. According to the regulator, this was a disproportionate measure.


It also turned out that the information in the privacy policy was inadequate and did not make sufficiently clear which personal data was processed and in what way. The information collected by the bank turned out to be used for more purposes than originally stated. The sharing of customer data with other companies within the banking group took place without the required consent and was therefore unlawful.


The bank violated a total of three articles of the GDPR, the data protection authority concluded. Given the size of the bank and the seriousness of the violations, the regulator considered a fine of 6 million euros to be appropriate. The Spanish privacy regulator has handed out about 180 GDPR fines in recent years, most of them below 100,000 euros. Last December, Banco Bilbao received what was until then the highest fine, 5 million euros.
