Caixa Bank S.A. receives a combined fine for unlawfully processing customers’ personal data and for not providing sufficient information regarding the processing of personal data. The decision and the large fine show – amongst other things – that legitimate interest cannot be used indiscriminately.
The fine consisted of i) € 4 000 000 for unlawfully processing customers’ personal data and ii) € 2 000 000 for not providing sufficient information regarding the processing of personal data.
i) The bank lacked a mechanism to collect the individuals’ consent, and the consent it did obtain did not comply with the criteria for valid consent under the GDPR (art. 4.11 and 7). An especially important factor was that the personal data processing activities that the bank based on legitimate interest were not considered sufficiently justified (art. 6.1 f).
ii) The document designed to comply with the company’s obligation to ensure the registered individuals’ (the “data subjects”) right to information about the processing of personal data (art. 13 and 14) did not include sufficient information regarding the categories of personal data. Nor did the document contain information concerning the purposes of processing, including the legal basis. In particular, information and justification concerning the personal data processing activities based on legitimate interest (art. 6.1 f) was lacking.
Concerning the failure to comply with the individual’s right to information, when estimating the size of the fine, the Spanish DPA took a range of aggravating circumstances into consideration. For instance, the DPA considered the infringement’s particular nature, severity, and duration. It also considered the negligent nature of the infringement, as well as the relationship between the bank’s business activities and the processing of the personal data in question.
In relation to the unlawful processing of personal data, the DPA took several aggravating aspects into consideration as well. Apart from the aggravating factors mentioned in relation to the failure to comply with the right to information, the DPA also took into account the controller’s responsibility to implement appropriate technical and organisational measures (art. 25 and 32), the categories of personal data affected by the infringement, and the benefits gained by the bank as a result of the infringement. Perhaps more surprisingly, the DPA also took the size of the undertaking into consideration, including the bank’s revenue.
The key takeaway from the decision is the great importance of carefully and comprehensively designing your organisation’s various purposes for processing personal data based on the organisation’s legitimate interests. Equally important is creating and presenting clear information aimed at the data subjects whose personal data the organisation is processing or planning to process, in accordance with the individual’s right to information.
The above information published by Norelid Advokatbyrå and/or its employees is only to be considered general information and does not constitute, nor should it be used as, professional legal advice. There is a risk that the information is not complete or not entirely updated. Any use of the information is at the risk of the user.