The Spanish Data Protection Regulator, the Agencia Española de Protección de Datos (AEPD), recently fined CaixaBank €6m for data protection failures. Whilst Spain has perhaps been the most active regulator under GDPR, the fine is somewhat unusual as historically (other than the €5m fine for BBVA in December 2020) fines in Spain have been low.
What was this case about?
In this case the AEPD looked at violations of GDPR Articles 6, 13 and 14, effectively looking at the lawfulness of processing and the information provided to data subjects.
The AEPD felt that CaixaBank did not provide sufficient justification for processing data, particularly on the basis of legitimate interest. It also did not obtain valid consent.
What is the significance of this case?
CaixaBank had previously been fined by the Spanish banking authorities for a lack of clarity in some of its documentation. The case shows the importance of being transparent with data subjects and explaining clearly to them how their data will be handled.
We have written before on the complexities of relying on legitimate interests under data protection law (see for example here https://www.corderycompliance.com/cj-interprets-dp-ligitimate-interests-re-cctv-video-surveillance/). In almost every case, it will be necessary to do a Legitimate Interests Assessment to make sure that you can properly rely on that as a basis to make processing lawful.
The CaixaBank case, coupled with the BBVA case in December, may also signal an increase in the level of fines in Spain, which would be consequential given the level of enforcement activity from the AEPD.
Issues like transparency and the validity of consent are also likely to come before the European Data Protection Board (EDPB) shortly after the Irish Data Protection Commission (DPC) circulated a draft decision as a result of its investigation into WhatsApp. This case could be controversial because of the disagreement at an EU level with the DPC’s investigation into Twitter in December (see www.bit.ly/twitterfined). WhatsApp has indicated that it believes that the fine it faces could be between €35m and €105m.
You can keep up to date with data protection news by joining Cordery GDPR Navigator. A subscription includes a call each month to go through the highlights of enforcement for that month. There are more details at www.bit.ly/gdprnav.
For more information please contact Jonathan Armstrong or André Bywater who are lawyers with Cordery in London where their focus is on compliance issues.
Jonathan Armstrong, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1784
André Bywater, Cordery, Lexis House, 30 Farringdon Street, London, EC4A 4HH. Office: +44 (0)207 075 1785