Caixabank Payments & Consumer EFC, EP, S.A.U. – €70,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Caixabank Payments & Consumer was fined for processing a person's data without a legal basis after they were a victim of identity theft. The bank mistakenly linked the victim to a debt from a credit card they never applied for. This case shows the importance of verifying user identities before processing personal data.
What happened
Caixabank Payments & Consumer processed personal data without a valid legal basis after an identity theft incident.
Who was affected
A person whose identity was stolen and wrongly linked to a debt for an Ikea credit card.
What the authority found
The authority found that the bank violated GDPR by processing the victim's data without any legal basis.
Why this matters
This case highlights the need for companies to ensure they have valid reasons for processing personal data, especially in cases of identity theft. Businesses should implement stronger identity verification processes to avoid similar issues.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
National Law Articles
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her. Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd. On 14 December 2023, the AEPD issued a decision finding that the controller violated Article 6(1) GDPR when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPDGDD] (Spain’s national implementation of the GDPR), which articulates a presumption of legal bas
Related Enforcement Actions (0)
No other enforcement actions found for Caixabank Payments & Consumer EFC, EP, S.A.U. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
6 May 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€70,000
GDPRhub ID
gdprhub-7878About this data
Cite as: Cookie Fines. Caixabank Payments & Consumer EFC, EP, S.A.U. - Spain (2024). Retrieved from cookiefines.eu
Last updated: