Caixabank Payments & Consumer EFC, EP, S.A.U. – €70,000 Fine (Spain, 2024)
General GDPR enforcement action
This case relates to broader data protection obligations, not specifically to cookie or consent banner compliance. It is not included in cookie statistics or the Risk Calculator.
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her. Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd. On 14 December 2023, the AEPD issued a decision finding that the controller violated Article 6(1) GDPR when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPDGDD] (Spain’s national implementation of the GDPR), which articulates a presumption of legal bas
GDPR Articles Cited
National Law Articles
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her. Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd. On 14 December 2023, the AEPD issued a decision finding that the controller violated Article 6(1) GDPR when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPDGDD] (Spain’s national implementation of the GDPR), which articulates a presumption of legal bas
Related Enforcement Actions (0)
No other enforcement actions found for Caixabank Payments & Consumer EFC, EP, S.A.U. in ES
This is the only recorded action for this entity in this jurisdiction.
Details
Fine Date
6 May 2024
Authority
Agencia Española de Protección de Datos
Fine Amount
€70,000
Enforcement Tracker ID
ETid-1702
GDPRhub ID
gdprhub-7878About this data
Cite as: Cookie Fines. Caixabank Payments & Consumer EFC, EP, S.A.U. - Spain (2024). Retrieved from cookiefines.eu
Last updated: