Ibercaja Banco – €180,000 Fine (Spain, 2024)

€180,000 | Agencia Española de Protección de Datos | 24 October 2024 | Spain
final
Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

On 17 September 2023, the data subject lodged a complaint with the Spanish DPA (AEPD) against Ibercaja Banco. The data subject claimed that although his contractual relationship with the bank had ended on 23 February 2022, the bank accessed his file up to 47 times between March 2022 and January 2023.

The data subject had entered into a contractual relationship with the bank in order to pay off a mortgage. On 23 February 2022, the debt was paid off by transferring the property to a company in which the bank had an interest. In the credit information system, the data subject was able to see a list of the instances in which the bank accessed his data from March 2022 until January 2023, after the end of the contractual relationship. The data subject alerted the bank to this breach on 29 March 2023 and received a response on 29 May 2023 stating that the bank had initiated measures to block access to the data.

The bank had recorded the full conclusion of the contract in May 2022 as the last month in which risk derived from the contract. The bank argued that it was justified in accessing the data because it had made a partial write-off of the debt and because it continued to finalise the loan payments.

The AEPD found that the bank had breached Article 6(1) GDPR by failing to demonstrate a legal basis for the data processing after the contract had ended. It detailed that within a period of six months pending the termination of the contractual relationship, measures must be taken to ensure that the processing of personal data is justified under Article 6(1) GDPR.

The AEPD set the initial fine at €300,000 based on the bank's annual turnover. Pursuant to Law 39/2015 (https://www.boe.es/buscar/act.php?id=BOE-A-2015-10565), a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. Th

GDPR Articles Cited

AI-verified

Art. 6(1) GDPR

National Law Articles

AI-identified

Art. 22.2 LSSI
Source verified 6 March 2026
national law identified

Related Enforcement Actions (0)

No other enforcement actions found for Ibercaja Banco in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

24 October 2024

Authority

Agencia Española de Protección de Datos

Fine Amount

€180,000

GDPRhub ID

gdprhub-8539

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Ibercaja Banco - Spain (2024). Retrieved from cookiefines.eu
