The Limited Times


Six million fine to CaixaBank for the illicit processing of its customers' data

2021-01-15T01:02:22.638Z


The Data Protection Agency imposes the highest sanction after the complaint of a client who had to share his information with the group companies


The Spanish Agency for Data Protection (AEPD) has imposed two fines on CaixaBank, of four and two million, for one very serious infringement and one minor infringement in the illicit processing of its customers' data.

The Agency has rejected a third sanction related to the automated processing of customer profiles.

CaixaBank sources assured that they do not agree with the sanction and that they will appeal it to the bodies they deem appropriate.

A few weeks ago, the Agency made public the five million dollar penalty to BBVA for sending commercial communications without express consent and for customers' inability to select and access a platform to determine what data they give, or not, to the bank.

The sanction report, to which EL PAÍS has had access, is a lengthy 177-page document that includes the numerous appeals filed by CaixaBank throughout this long process.

It all started on January 24, 2018, three years ago, when a client sent a letter to the Agency denouncing the entity “for imposing on it the obligation to accept the new conditions regarding the protection of personal data, specifically that relating to the transfer of your personal data to all group companies”.

Another complaint from Facua

The client added that to cancel said assignment it was necessary to "write a letter to each of the companies", which he described as "disproportionate considering that the assignment is accepted in a single act".

The Agency carried out numerous checks, according to the report, and noted the large amount of data obtained from customers.

Among them are identification, tax and contact information, socio-economic and work activity data, data on experience, financial situation and investment objectives, as well as the collection of authorizations for the use of the data for commercial purposes.

Before concluding the report, on March 29, 2019, “a letter from the Facua-Consumidores en Acción association had entered this Agency, in which it made a claim against CaixaBank in relation to the Framework Agreement signed by the clients of this entity, through which your personal data is collected”.

Specifically, Facua denounces that it is an adhesion contract, "whose content cannot be negotiated by the consumer, who is required to consent to the processing of their personal data and the transfer of them to third companies with which they might not have a relationship".

Impossibility of not receiving communications

“It is detected”, says the Agency, “that although it has been selected not to receive commercial communications in a generic way, by being able to mark one of the media, the receipt of communications by that means is accepted and the granting is reflected in the document that the client signs”.

For this reason, Data Protection considers that Articles 13 and 14 of the General Data Protection Regulation (GDPR) were violated.

Article 13 refers to the “information that must be provided when the personal data is obtained from the interested party” and Article 14 refers to the “information that must be provided when the personal data has not been obtained from the interested party”.

The Agency considers that the entity led by Gonzalo Gortázar uses "imprecise terminology to define the privacy policy, as well as insufficient information on the category of personal data that will be processed."

It believes that there has been "non-compliance with the obligation to inform about the purpose of the treatment", as well as insufficient information "about the type of profiles that are going to be made, the specific uses to which they are going to be put."

Without valid consent

But the very serious infringement has been that of Article 6 of the GDPR, which refers to the conditions that must be met for the processing of data to be lawful.

The Agency assures that "the requirements established for the provision of valid consent have been breached", since there must be a "specific, unequivocal and informed expression of will".

It also considers that there were "deficiencies in the processes enabled to obtain the consent of customers for the processing of their personal data", and that customers were forced into an "illegal transfer of personal data to companies of the CaixaBank Group".

The document contains the numerous allegations made by CaixaBank, but most of them are rejected.

It is also said that the entity, "in January 2021, improves the information and usability, providing examples and ensuring that the authorization process is always in the possession of the client."

The Agency does not consider that this exempts it from responsibility, since "new treatments that require consent have simply been provided in the entity."

The bank also says that it will send a mass communication to clients to publicize all the previous modifications and to inform them about the new Privacy Policy.

Allegations without evidence

The Agency considers that CaixaBank, “in its allegations at the opening of the procedure, limits itself to qualifying the arguments as subjective assessments, without evidence to demonstrate what the clients understand or not, adding that external work has been carried out to verify that the contractual documents can be understood without difficulty by an average client, which does not contribute”.

In the opinion of the Agency, the lack of clarity of those formulas or expressions is evident and objective.

The amount of the sanctions is related to the seriousness of the infringement, as well as the high volume of data affected, since "the infringements affect all the processing carried out by the bank." It also reflects the large number of people affected: all of the entity's natural-person clients, 15.7 million. Therefore, although one of the infringements is minor, the fine for it is two million. For the very serious one it is four million.

Source: elparis
