The Spanish Data Protection Authority (hereinafter – the Authority) imposed a total fine of EUR 6 000 000 on CAIXABANK (hereinafter – the bank) for failure to ensure proper compliance with the GDPR.
One of the infringements identified was the inadequate implementation of Articles 13 and 14 of the GDPR, i.e. the Bank did not properly inform its customers about which personal data are being processed and on what legal basis. In particular, the Authority drew attention to legitimate interest as a legal basis for the processing of personal data: the Bank had not properly implemented the requirements for relying on this legal basis, and the processing of personal data on the basis of legitimate interest was not sufficiently justified. For these infringements, the Bank was fined EUR 2 000 000. The Authority cited the nature, gravity and duration of the infringement, as well as the fact that the company is large and has a high turnover, as factors aggravating the Bank’s liability.
Moreover, the Authority found that the Bank had not properly implemented the requirements for obtaining consent to data processing. It was found that the data subject’s consent did not meet all the elements required for valid consent. The Authority concluded that this was a breach of Article 6 of the GDPR, and an administrative fine of EUR 4 000 000 was imposed on the Bank.
In addition to the administrative fine, the highest ever imposed in Spain, the Authority ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months.
This practical example demonstrates the importance of properly assessing the legal basis on which personal data are processed. Where personal data are processed on the basis of a legitimate interest, a balance of interests test must be carried out between the company and the data subject, the result of which must determine whether or not the legitimate interests of the controller outweigh those of the data subject. The right of the data subject to object to the processing of his or her personal data on the basis of a legitimate interest must also be guaranteed.
ECOVIS ProventusLaw recommends:
- To review the documents related to the processing of personal data and assess whether the company’s legitimate interest is an appropriate legal basis for the processing of personal data in the specified case;
- To evaluate whether the processing could instead be based on another legal basis;
- To evaluate whether a balance of interests test between the company and the data subject has been carried out in all cases;
- To evaluate whether you are prepared to honour the data subject’s right to object to the processing of his/her personal data when your legitimate interests are the legal basis for the processing;
- To evaluate whether you are prepared to demonstrate your compliance with the GDPR in the event of an inspection when your legitimate interests are the legal basis for the processing of personal data.
Prepared by assistant attorney at law Brigida Bacienė and junior associate Nojus A. Bendoraitis