Penalty for CaixaBank for breach of data protection legislation

Spanish supervisory authority, the Agencia Española de Protección de Datos (AEPD), has imposed a fine of €200,000 on CaixaBank Payments & Consumer E.F.C., E.P., S.A.U (CaixaBank) for breaching the GDPR.

The complainant, who was disputing a debt claimed by CaixaBank in court, was entered into a credit information agency’s database by the bank as insolvent. This decision by the bank resulted in the denial of credit access to the complainant, leading to a complaint being lodged with the AEPD.

The primary purpose of the credit information database is to provide data on creditworthiness. However, the inclusion of the complainant’s data in this database, while the dispute over the debt was still ongoing in court, was contrary to the database’s intended use. Consequently, the AEPD found that CaixaBank had violated Article 6 of the GDPR by processing the complainant’s data without a legal basis.

As a result of these findings, the AEPD imposed the aforementioned fine of €200,000 on CaixaBank.