Caixabank SA – €3,500,000 Fine (Spain, 2025)

Fine amount: €3,500,000
Authority: Agencia Española de Protección de Datos
Date: 17 March 2025
Country: Spain
Status: final
Type: Fine

General GDPR enforcement action

This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.

Two data subjects held accounts with Caixabank (data controller). Data subject one held two accounts in their own name, with their mother being an authorised account holder. Data subjects one and two also shared a third account, with no other authorised account holder. Due to an error in the controller’s systems, data subject one was prohibited from performing any actions on the third account via online banking without the signature of their mother (who was not an authorised account holder in respect of that account). Furthermore, data subject one’s mother was able to see card information relating to the third account. In January 2021, the data subjects attempted to resolve the issue through the controller’s customer service department, to no avail. In February 2021, the data subjects filed a formal complaint with the controller. The controller’s legal representative offered a settlement of €150 in exchange for the withdrawal of the complaint, which the data subjects rejected as the matter remained unresolved. On 19 October 2023, the data subjects filed a complaint with the AEPD (Spanish DPA). The DPA was critical of the failure of the controller’s system to prevent unauthorised access to bank account information, despite the repeated requests from the data subjects. Accordingly, the DPA ruled that the controller violated Article 5(1)(f) GDPR. The DPA also found that the unauthorised access was attributable to a failure on the controller’s part to implement appropriate technical and organisational security measures, and held that the controller thus also violated Article 32 GDPR. Furthermore, the DPA attributed the unauthorised access to the poor design of the bank’s online banking system. The DPA rejected the controller’s argument that the issue was attributable to the data subject’s configuration of the display of their account, finding that an appropriate banking application should not allow access to anyone who is not the account holder or authorized per

GDPR Articles Cited

AI-verified

Art. 25 GDPR
Art. 32 GDPR
Art. 5(1)(f) GDPR

Source verified 5 March 2026

Related Enforcement Actions (0)

No other enforcement actions found for Caixabank SA in ES

This is the only recorded action for this entity in this jurisdiction.

Details

Fine Date

17 March 2025

Authority

Agencia Española de Protección de Datos

Fine Amount

€3,500,000

GDPRhub ID

gdprhub-9055

About this data

Data: GDPRhub (noyb.eu)
Licensed under CC BY-NC-SA 4.0
AI-verified and classified

Cite as: Cookie Fines. Caixabank SA - Spain (2025). Retrieved from cookiefines.eu
