Caixabank, fined 6 million euros by the Data Protection Agency for violating three articles of the GDPR

A few days after the Spanish Data Protection Agency fined BBVA 5 million euros for breaching data protection law, Caixabank has been fined 6 million euros for violating the same legislation.

The public body in charge of ensuring compliance with data protection regulations has imposed this record fine on the bank for, as the resolution of the sanctioning procedure explains, violating Articles 6, 13 and 14 of the European Union's General Data Protection Regulation.

The transfer of personal data was forced

The Spanish agency's sanction is divided into a fine of 2 million euros for a minor infringement of Articles 13 and 14 of the GDPR and another of the remaining 4 million for a very serious infringement of Article 6 of the same EU regulation.

On this last point, the AEPD states that Caixabank fails to comply with the requirements established for the provision of valid consent, does not sufficiently justify the legal basis for the processing of personal data, and has deficiencies in the processes enabled to obtain customers' consent for the processing of their personal data. In addition, it finds that there is an illegal transfer of personal data to companies of the CaixaBank Group.

Regarding the violation of Articles 13 and 14, the body bases its allegations on grounds such as that the information offered in different documents and channels is not uniform, the use of imprecise terminology to define the privacy policy, the lack of information on the category of personal data that will be subject to processing, and the breach of the obligation to inform about the purpose of the processing and the legal basis that legitimizes it. In addition, it states, "the information provided on the exercise of rights, the possibility of claiming before the Spanish Agency for Data Protection, existence of a Data Protection Delegate and their contact details, as well as the information regarding the retention periods of data is not uniform."

The investigation that led to this process and its respective sanctions started in 2018 after a complaint from a private individual in relation to the new conditions on personal data protection and, for example, the need to send a letter to each of the companies of the Caixabank group to cancel the transfer of data. FACUA also reported the existence of the so-called framework contract.

The bank says it will appeal through the courts to try to have the sanction imposed by the AEPD annulled, sources consulted told Engadget. It maintains that its conduct was appropriate and in accordance with Spanish legislation.