CaixaBank SA
Issued by Agencia Española de Protección de Datos (AEPD) on 2021-01-13
What happened
Spain's AEPD fined CaixaBank €6 million for processing customer personal data for commercial purposes without obtaining valid consent. The investigation found that CaixaBank's consent mechanisms were insufficient — the bank processed personal data for marketing and profiling purposes based on contract execution rather than specific consent. Customers were not given a clear, separate choice to consent to or refuse marketing processing. The AEPD found that 6 million of the bank's customers were affected by the lack of proper consent mechanisms. The fine comprised €4 million for Art. 6 violations (processing without legal basis) and €2 million for Art. 7 violations (conditions for consent).
Articles violated
Lessons learned
Financial institutions cannot use 'contract execution' as a legal basis for marketing activities — specific consent is required. Consent must be separate from the main service agreement and cannot be bundled. Banks should implement granular consent management systems that clearly distinguish between processing necessary for the banking relationship and optional marketing processing. The AEPD's approach of itemizing fines per article violated demonstrates how penalties can accumulate.
Source
View original decision
Disclaimer: This summary is for informational purposes only and does not constitute legal advice. Refer to the original decision for complete details.
