GDPR: CaixaBank in Spain is fined €6M for consent failure
On 13 January 2021, the Spanish data protection authority issued the largest penalty under the GDPR because valid consent is not obtained before processing personal data.
The Spanish data protection authority ('AEPD') fines CaixaBank S.A. €6 million for violating Articles 6, 13, and 14 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR') on 13 January 2021.
The resolution highlights that CaixaBank did not provide sufficient justification for the legal basis for the processing of personal data, especially in relation to the data processed on the basis of legitimate interest.
CaixaBank did not comply with the requirements for obtaining valid consent, namely, to be specific, unequivocal, and informed.
The resolution further outlines that deficiencies were identified in the processes to obtain the consent of the clients for the processing of their personal data.
The resolution rules the transfer of personal data to companies within the CaixaBank Group was unlawful.
The fine is the largest financial penalty issued under the GDPR by the AEPD to date.
Reference (Spanish): https://www.aepd.es/es/documento/ps-00477-2019.pdf
#Global data privacy laws in 2021
- EU: General Data Protection Regulation (GDPR)
- South African: Protection of Personal Information Act (POPIA)
- US California: California Consumer Privacy Act (CCPA)
- US: Children’s Online Privacy Protection Act (COPPA)
- Thailand: General Data Protection (PDPA)
- Brazil: The Personal Data Protection Act (LGPD)
- Turkey: Personal Data Protection Law (KVKK)
Consent Management Platform Resources
Italy Garante: Guidelines on Cookies & Tracking Technologies takes effect on 9th Jan 2022
Austrian DPA: Google Analytics violates "Schrems II" decision by CJEU
How to Setup Consent Manager: Add a Privacy Settings Link or Privacy Badge on Your Website
Google's Limited Ads and TCF 2.0 Consent
Avoid GDPR Dark Patterns with UniConsent CMP
What to Know About the Recent IAB changes to CCPA compliance