The Agencia Española de Protección de Datos (AEPD) found that CaixaBank did not obtain consent before using an individual’s personal data for marketing purposes. The customer was not made aware that their data might be used for marketing purposes or to determine their creditworthiness. CaixaBank also failed to mention that their personal data would be disclosed to third parties.
The former customer complained to AEPD that their personal data had been passed to a credit scoring company. This was despite the fact that the customer had ended their relationship with the Bank in 2014.
CaixaBank argued that the data was passed on for profiling purposes to determine creditworthiness. They claimed that the legal bases for these processing activities were:
- Insolvency and credit legislation
They stated that all the data used had been provided by the data subject themselves, by other credit scoring entities and by the Bank’s own risk information centre. On that basis they believed they had acted lawfully.
This type of data processing is called profiling and is specifically mentioned in GDPR. Profiling is defined as any form of automated processing of personal data that uses personal data to evaluate certain aspects of a data subject, such as creditworthiness; it also covers analysis or prediction of a data subject’s behaviour. GDPR states that this type of processing is only lawful if it is done with the consent of the data subject. This means that data controllers must be able to demonstrate that the data subject has consented to the specific processing of their data. The request for consent must be clearly distinguishable from other matters and phrased in an easily accessible way, using clear and plain language.
The AEPD decided to fine CaixaBank €3,000,000 (USD $3,386,820). This took into account:
- How invasive profiling is to data subjects
- The link between the processing and the Bank’s business activities
- Size of the Bank
- High amount of personal data the bank processes
- The high number of affected data subjects
GDPR has been around for a while now, but that doesn’t mean it has become any easier to navigate. For a company it can be difficult to understand exactly what you can and can’t do, and getting caught out is costly. Value Privacy can provide expert advice and insight to make sure your company is operating correctly. Contact us to find out how we can help you.