Caixabank, S.A. – €2,000,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 7 December 2022, a data subject filed a complaint with the AEPD against Caixabank (the controller). The controller required new clients to sign a contract for the provision of services, which included a clause stating that data subjects consent to their data being requested from the General Treasury of Social Security. For existing clients, the same clause was included in a declaration or modification contract. The provision cited Law 10/2010, a Spanish law on the prevention of money laundering and terrorist financing, stating that it required the collection of such data. For both new and existing clients, the contract did not give an option to refuse consent – instead, consent was pre-established by the clause. 3,026,247 new clients signed the contract, and 3,401,052 existing clients signed the modification contract.

The data subject claimed that, after they expressed their disagreement, the controller stated that failure to sign the form with these clauses would result in the bank account being blocked.

On 30 January 2023, the AEPD informed the controller of the complaint. In its defense brief, the controller stated that it is required by Law 10/2010 (https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737). In particular, it pointed to Article 11, which obliges financial institutions to guarantee that they are engaging with professional or business activities of the client. The controller interpreted this to mean that the identification of the client was necessary, as well as the collection of information concerning the client’s professional or business activities.

The AEPD concluded that consent was improperly obtained in this case and that the controller thus lacked a legal basis for processing. The AEPD proposed a fine of €2,000,000. The controller acknowledged responsibility for the violations and paid a portion of the proposed fine; thus, the fine was reduced 40% to €1,200,000. The AEPD acknowledged that [https://www.boe.es/buscar/act.php?id=BOE-A-2010-6737 Law 10/2
GDPR Articles Cited
National Law Articles
Related Enforcement Actions (0)
No other enforcement actions found for Caixabank, S.A. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date: 7 March 2024
Authority: Agencia Española de Protección de Datos
Fine Amount: €2,000,000
GDPRhub ID: gdprhub-7818
Cite as: Cookie Fines. Caixabank, S.A. - Spain (2024). Retrieved from cookiefines.eu