On 21 October 2021, the Spanish data protection authority (AEPD) issued a decision to fine Caixabank Payments & Consumer EFC, EP, S.A.U., €3 million for unlawful processing of personal data and violation of Article 6 of the General Data Protection Regulation (GDPR).
Following the complaint from the individual, AEPD conducted an investigation against Caixabank back in 2019.
The investigation uncovered that Cixabank requested information about the individual from the solvency file, even though the individual had no ongoing contracts with the bank.
The individual was also included in the bank’s marketing campaigns for a pre-granted credit, without proper consent and without providing adequate information about the data processing, including profiling, or the legal basis used to carry out such processing.
Moreover, all this happened even though the relationship with the former client was formally ended in 2014 with the termination of all existing contracts.
The Caixabank stated that the personal data of the individual was included in a campaign of pre-granted credits by mistake.
The AEPD concluded that there were some aggravating factors when deciding the value of the fine, including the volume of business of Caixabank, the status of a large entity, the demonstrated negligence, the nature, severity, and duration of the offense among other factors.
In addition to the steep €3 million fine, the AEPD also imposed a six-month compliance period on Caixabank to adapt their procedures for consent collection for commercial purposes.