CAIXABANK S.A. – €200,000 Fine (Spain, 2025)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
A data subject filed a complaint with the DPA against CAIXABANK S.A. (a bank, the controller) on 16 January 2023. According to the data subject, the controller contacted them to inform them of changes to their privacy policy, and that they would receive further correspondence requesting consent to send them personalised advertising. This was done despite the fact that the data subject was not a client. The data subject requested access to their personal data and asked the controller how it obtained their data. The data subject then learned that the controller had obtained the data from a previous mortgage contract they had with the bank, which had continued to process this data.

The DPA initially dismissed the complaint on the grounds that the data subject was a client, as their data was in the controller’s database. The data subject filed an internal appeal, arguing that they were no longer a client, and that their contract with the controller had terminated in 2008. The DPA upheld the appeal on 20 March 2024, and began sanctioning proceedings on 7 June 2024.

The controller argued that it did not violate the principle of storage limitation, as the contract with the data subject allowed the controller to retain the data until 2030. Therefore, processing the data was lawful under Article 6(1)(b) GDPR.

The DPA found a violation of Article 5(1)(e) GDPR. The data subject terminated their mortgage contract with the controller in 2008, meaning the controller had retained their data for almost 16 years. The DPA considered that the controller had stored the data for an excessive period, and therefore violated the principle of storage limitation. The DPA fined the controller €200,000. The DPA considered it a serious violation, due to the long storage period as well as the four previous fines the DPA had imposed on the controller for other GDPR violations.
GDPR Articles Cited
National Law Articles
Related Enforcement Actions (2)
Other enforcement actions involving CAIXABANK S.A. in ES
Fine
€200K
Details
Fine Date: 5 June 2025
Authority: Agencia Española de Protección de Datos
Fine Amount: €200,000
GDPRhub ID: gdprhub-9452
About this data
Cite as: Cookie Fines. CAIXABANK S.A. - Spain (2025). Retrieved from cookiefines.eu