Spain

CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.

3,000,000 €

GDPR enforcement action by Spanish Data Protection Authority (AEPD) on 2021-10-21.

Rank · Sector: #11 of 322 in Finance, Insurance and Consulting
Rank · Spain: #15 of 1,075
Rank · All fines: #100 of 3,051

Case details

Authority: Spanish Data Protection Authority (AEPD)
Date: 2021-10-21
Controller / Processor: CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
Sector: Finance, Insurance and Consulting
Quoted Articles: Art. 6 (1) GDPR
Type of violation: Insufficient legal basis for data processing

Summary

The Spanish DPA (AEPD) has imposed a fine of EUR 3,000,000 on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. An individual had filed a complaint against the controller. The reason was that Caixabank had requested information about him from a company, although the latter had not been a customer of Caixabank since 2014, and that he was included in an advertising campaign to offer him a pre-granted credit.

Caixabank had used individuals' data to assess their creditworthiness without their consent. This was used to create financial profiles of the data subjects and to advertise certain financial services (e.g. credit cards or loans) to them on this basis.

In doing so, the DPA found that the controller had not obtained effective consent from the data subjects. It is true that the data subjects had at one point given consent for their data to be processed by the entire CaixaBank Group. However, the controller had not adequately informed the data subjects about the data processing, including profiling. For example, the controller had only provided data subjects with general information about the various profiling processing operations, so data subjects could not know exactly what the processing they had consented to consisted of.
