KUTXABANK S.A. – Complaint Upheld (Spain, 2019)

Complaint Upheld
Agencia Española de Protección de Datos4 November 2019Spain
final
Complaint Upheld

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Spain's data protection authority ordered KUTXABANK to let a client access their personal data, even though the client's account was blocked due to debts. The bank had claimed it no longer processed the data, but the authority found that the bank still held the data and must comply with access requests. This case highlights the importance of fulfilling data access rights, even if an account is inactive.

What happened

KUTXABANK refused a client's request to access their personal data, claiming the account was blocked and data was no longer processed.

Who was affected

The client of KUTXABANK whose account was blocked and who was denied access to their personal data.

What the authority found

The Spanish data protection authority decided that the bank must fulfill the client's request for access to their data, as required by Article 15 GDPR.

Why this matters

This decision emphasizes that companies must honor data access requests even if an account is blocked, reinforcing the importance of transparency and user rights under GDPR.

GDPR Articles Cited

Art. 15 GDPR
Spain enforcementAgencia Española de Protección de Datos actionsAll KUTXABANK S.A. actions
Full Legal Summary
Detailed

A bank's client complained that they could not exercise their right to access after the bank had blocked his account due to debts. The bank refused to fulfill the request, claiming that it does not process personal data anymore since the account was blocked. Could the controller refuse to answer to a request for access because the requested data is part of a "blocked" account? The AEPD found that as there is an ongoing relationship, the bank still holds personal data. The DPA ordered the bank to fulfill the data subject’s request within the ten working days following the decision. It further ordered the company to inform the AEPD during the same time period on its compliance with the decision. Lastly, it decided that the fact that the controller blocked the account cannot is irrelevant and the controller must comply with the request of access, as required by Article 15 GDPR.

Outcome

Complaint Upheld

A data subject complaint that was upheld by the DPA.

Related Enforcement Actions (0)

No other enforcement actions found for KUTXABANK S.A. in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Decision Date

4 November 2019

Authority

Agencia Española de Protección de Datos

GDPRhub ID

gdprhub-221

Sources

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. KUTXABANK S.A. - Spain (2019). Retrieved from cookiefines.eu

Report Inaccuracy

Last updated: