CaixaBank – €400,000 Fine (Spain, 2026)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
CaixaBank was fined for mishandling customer data by sending personal information to the wrong people. This breach included sensitive details about other customers, which raised serious privacy concerns. The fine emphasizes the need for banks to implement better data protection measures.
What happened
CaixaBank disclosed personal data of customers to third parties in error through its Customer Service Department.
Who was affected
Customers of CaixaBank whose personal information was mistakenly shared were affected.
What the authority found
The data protection authority found that CaixaBank failed to implement adequate data protection measures, violating GDPR requirements.
Why this matters
This case underscores the importance of strong data protection practices in banking and customer service. Other companies should take note and ensure they have robust systems to protect personal information.
GDPR Articles Cited
View original scraped data
Original data from scraper before AI verification against source document.
The DPA initiated proceedings against CaixaBank, S.A., the controller, after receiving two complaints concerning the disclosure of personal data to third parties in the context of the controller’s Customer Service Department.
In the first complaint, the data subject received an email from the controller containing a response to a complaint that he had not filed. The response was addressed to a third party and included personal data relating to that third party. During the investigation, it was also established that the third party had received a communication disclosing the data subject’s personal data, including his name and ID number.
In the second complaint, the data subject received documents relating to other customers of the controller. In particular, the controller sent him a response to another customer’s complaint, which contained information about an overdraft situation, bank charges and bank account data. The data subject also received a document prepared for signature by another customer in relation to banking measures for mortgage debtors.
The DPA held that the controller infringed Article 25 GDPR by failing to implement adequate data protection by design and by default measures in its Customer Service Department. The DPA considered that the matter was not limited to two isolated personal data breaches. The processing operation involved a significant volume of personal data in a banking context, including identity data, contact details, bank account information and financial information. Since the controller itself acknowledged that the complaint-handling process was exposed to human error, the DPA held that the controller had to implement technical and organisational measures capable of preventing, detecting and mitigating such errors. The DPA rejected the controller’s argument that compliance with banking-sector rules and supervision by the Bank of Spain was sufficient. It held that banking compliance does not automatically ensure compliance with t
Related Enforcement Actions (0)
No other enforcement actions found for CaixaBank in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
29 May 2026
Authority
Agencia Española de Protección de Datos
Fine Amount
€400,000
GDPRhub ID
gdprhub-10040
Cite as: Cookie Fines. Caixabank - Spain (2026). Retrieved from cookiefines.eu