CAIXABANK, S.A. – €5,000,000 Fine (Spain, 2023)

€5,000,000 | Agencia Española de Protección de Datos | 26 October 2023 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

CAIXABANK, S.A. was fined €5 million for failing to protect customer data after a document containing sensitive information was accessed by a customer. This is significant because it shows that banks must take strong measures to secure personal data and prevent unauthorized access. Other companies should review their data protection practices to avoid similar penalties.

What happened

CAIXABANK failed to secure a document that contained personal data of a third party, leading to unauthorized access.

Who was affected

Customers whose personal information was included in the document accessed by another customer.

What the authority found

The Spanish DPA determined that CAIXABANK did not implement adequate security measures to protect personal data, violating GDPR requirements.

Why this matters

This ruling highlights the critical need for financial institutions to proactively secure personal data. It sets a precedent for accountability in data protection, urging all companies to strengthen their security practices.

GDPR Articles Cited

AI-verified

Art. 25 GDPR
Art. 32 GDPR
Art. 5(1)(f) GDPR

Source verified 5 March 2026
articles corrected
Full Legal Summary

The Spanish DPA has imposed a fine of EUR 5 million on CAIXABANK, S.A. A customer had filed a complaint about having access to a document containing information on a transfer from a third party. The document contained personal data of the third party, such as the name and bank details of the data subject. During its investigation, the DPA found that the controller had failed to implement appropriate technical and organizational measures to protect personal data and prevent such incidents. The DPA also found that the controller had failed to comply with the principle of data protection by design and by default, as it acted reactively rather than proactively in handling the complaint.

Details

Fine Date

26 October 2023

Authority

Agencia Española de Protección de Datos

Fine Amount

€5,000,000

Enforcement Tracker ID

ETid-2216

About this data

Data: CMS GDPR Enforcement Tracker
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. CAIXABANK, S.A. - Spain (2023). Retrieved from cookiefines.eu
