Caixabank S.A. – €2,000,000 Fine (Spain, 2021)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
Spain's data protection authority fined Caixabank EUR 2,000,000 for not properly informing customers about how their personal data was shared within the CaixaBank Group. The bank made it difficult for customers to opt out of data sharing, which violated transparency rules. This case highlights the importance of clear communication and easy opt-out options for customers.
What happened
Caixabank shared customer data within its group without providing clear information or easy opt-out options.
Who was affected
Caixabank customers whose personal data was shared within the CaixaBank Group.
What the authority found
The Spanish authority found that Caixabank violated GDPR by not providing clear information and by processing data without a valid legal basis.
Why this matters
This case emphasizes the need for companies to provide clear privacy notices and easy ways for customers to opt out of data sharing. It serves as a warning to businesses to review their data processing practices and ensure compliance with transparency requirements.
GDPR Articles Cited
Original data from scraper before AI verification against source document.
The Spanish DPA (AEPD) fined Caixabank S.A. EUR 6,000,000 for violations of Art. 6 GDPR, Art. 13 GDPR and Art. 14 GDPR. Customers of the bank were supposed to accept new privacy policies allowing the controller to transfer the customers' personal data to all companies within the CaixaBank Group. At the same time, the data subjects were not given the option of specifically not consenting to this transfer. Instead, if they wished to disagree with the transfer of their data, they were required to send a letter of disagreement to each individual company in the group. The DPA concluded that the bank had violated its information obligations as set out in Art. 13 GDPR and Art. 14 GDPR, as the information provided to customers under the privacy policy was not consistent, contained imprecise terminology, and did not provide sufficient information on the type of personal data processed and the nature of the processing. Also, the information on the rights of the data subjects as well as the contact information of the controller were not provided in a consistent manner. Furthermore, the DPA notes that the controller had processed its customers' data beyond its legitimate interests, partly without a legal basis, and that the consent it obtained from customers did not meet the requirements of an effective consent. In addition, deficiencies in the company's procedures allowed it to obtain the consent of customers to process their personal data. The DPA further concludes that, as a result, the data was unlawfully transferred to the companies of the CaixaBank Group. This constitutes a violation of Art. 6 GDPR. Appendix: The Spanish National Court reduced the total fine from EUR 6,000,000 to a total fine of EUR 2,000,000 with its decisions from the 8th of May 2025 - SAN 2166/2025.
Details
Fine Date: 13 January 2021
Authority: Agencia Española de Protección de Datos
Fine Amount: €2,000,000
Enforcement Tracker ID: ETid-522
About this data
Cite as: Cookie Fines. Caixabank S.A. - Spain (2021). Retrieved from cookiefines.eu