On January 13, 2021, the Spanish Data Protection Authority (AEPD) issued a €6 million fine to CaixaBank, S.A. for unlawful processing of personal data and for not providing sufficient information regarding the processing of personal data.
The fine was issued for two offenses for an infriction of Articles 13 and 14 and a serious infriction of Article 6.
The reason behind AEPD’s decision to issues such a huge fine was the lack of requirements for valid consent and deficiencies in the process of obtaining such consent.
On top of that, the information provided by CaixaBank in different documents was not uniformed and different terminology was used within the privacy policy, while information about data retention periods, the exercise of data subject rights the category of personal data, user profiles, and specific use of them were insufficient.
The AEPD also uncovered illicit transfer of personal data to group companies.