Bankia S.A. – €50,000 Fine (Spain, 2020)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Bankia S.A. was fined €50,000 for keeping personal data of a former customer for years after they stopped being a client. This matters because businesses must only keep personal data for as long as it's needed for its original purpose. This case highlights the importance of respecting data retention limits.
What happened
Bankia S.A. stored personal data of a former customer for several years beyond the end of their business relationship.
Who was affected
Former customers of Bankia S.A. whose personal data was retained unnecessarily.
What the authority found
The Spanish Data Protection Authority found that Bankia violated the GDPR's principle of purpose limitation by keeping data longer than necessary.
Why this matters
This case serves as a reminder for businesses to regularly review their data retention policies and ensure they only keep personal data for as long as needed. It underscores the importance of compliance with GDPR's purpose limitation principle.
GDPR Articles Cited
The bank kept personal data of a data subject for several years, even after the data subject was no longer a customer. The data was also accessible to bank employees during this time. This constituted a violation of the principle of purpose limitation.
Related Enforcement Actions (0)
No other enforcement actions found for Bankia S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
28 August 2020
Authority
Agencia Española de Protección de Datos
Fine Amount
€50,000
Enforcement Tracker ID
ETid-385
About this data
Cite as: Cookie Fines. Bankia S.A. - Spain (2020). Retrieved from cookiefines.eu
Last updated: