Legal development

Sanction to Caixabank with €2,000,000 for consulting the General Treasury of the Social Security personal data of an individual without consent

13 May 2024

Share Share
Triangular Colorbond profiles
Share

    From Data Bytes 46 summarising updates from April 2024

    On 18 April, the AEPD has published a new sanction of €1,200,000 against Caixabank S.A. for consulting the data of the General Treasury of the Social Security (TGSS) of an individual, without obtaining due consent.

    The bank argued that the data processing was lawful, since it was based on the obligation to verify the activity of customers established by Law 10/2010, of 28 April, on the prevention of money laundering and the financing of terrorism. The AEPD points out that the regulations do not establish the obligation to verify personal data information with the TGSS. It clarifies that said information must be provided by the customer and, subsequently, depending on the different level of risk, there is a general obligation to establish and apply procedures to verify the activities declared by customers.

    Caixabank, as the data controller, established a compulsory subscription procedure for the collection of information with personal data of customers and the collection of consent in order to verify such personal data before the TGSS, by means of a form called "framework contract".

    The AEPD considers that the information provided by Caixabank did not comply with the obligations of data subject's consent (Article 4. 11 of the GDPR) which establishes that consent is "any freely given specific, informed and unambiguous indication of his or her free, specific and unambiguous agreement by the data subject to the processing of personal data relating to him or her, either by a statement or by a clear affirmative action".

    Particularly, the AEPD considers that the framework contract did not allow express consent as it established a model clause to which adherence was mandatory. Furthermore, the clauses only referred to the legal obligations regarding the prevention of money laundering and terrorist financing.

    To the sanction of €1,200,000, two reductions are applied as a result of the acknowledgement of liability and voluntary payment before the end of the time limit for allegations.

    Authors: Carmen Gordillo, Associate; Cristina Grande, Counsel

    The information provided is not intended to be a comprehensive review of all developments in the law and practice, or to cover all aspects of those referred to.
    Readers should take legal advice before applying it to specific issues or transactions.

    Key Contacts

    image

    Stay ahead with our business insights, updates and podcasts

    Sign-up to select your areas of interest

    Sign-up