The Law Today

Spanish Data Protection Agency fines bank 6 million euros for infringement of the General Data Protection Regulation.

25 Ene 2021


In an interesting resolution, dated January 13, 2021, the Spanish Data Protection Agency or AEPD fined the entity Caixabank S.A. (hereinafter CaixaBank) with 6 million euros for infringement of the General Data Protection Regulation (GDPR), in particular for accrediting the violation of Articles 6, 12, 13 and 14 of the above mentioned legal body (procedure No. PS/00477/2019).

Regarding the infringements detected by the AEPD in the contractual changes implemented by CaixaBank to adapt its privacy policies to the RGPD, the agency fined 2 million euros for minor infringements (in relation to the violation of the principle of transparency regarding the information to be provided to users) and 4 million euros for a serious infringement (given the imprecision regarding the bases of legitimacy of the processing and, also, because the presentation of consent did not comply with the applicable regulations).

The sanctioning procedure took place as a result of the fact that, in 2018, a bank user filed a complaint with the AEPD, claiming that CaixaBank imposed on him the obligation to accept the new conditions regarding the protection of personal data, and in particular, regarding the transfer of his personal data to all the companies of the entity’s group. Furthermore, it argued that in order to cancel this transfer, it had to send a letter to each of the companies in the group, which it reported as excessive.

Although this resolution is not applicable in Chile, and its legal basis is the RGPD, it is of interest to know it, because in our country there is a bill that seeks to increase the standards of protection of personal data to a level similar to the European (bulletin 11144-07); matter that is currently regulated in Law No. 19.628 of 1999, on the Protection of Private Life.

The resolution under discussion contains interesting legal grounds that may be useful when the bill is enacted. It is especially relevant with respect to valid consent, the bases of legitimacy or lawfulness of data processing and the application of fines.

Regarding this last point, the bill so far provides for the classification of infringements as minor, serious and very serious. Minor offenses would be punishable with a written warning or a fine of 1 to 100 UTM, serious offenses with a fine of 101 to 5,000 UTM and very serious offenses with a fine of 5,001 to 10,000 UTM.

It should be noted that the bill is currently being discussed in the Senate, in the first Constitutional procedure.


Should you require additional information on this matter, please contact Jorge Tisné (