AEPD Spain Fines CaixaBank €3 Million for Unlawful Profiling

The Agencia Española de Protección de Datos (AEPD) found that CaixaBank did not obtain valid consent before using an individual's personal data for marketing purposes. The customer was not told that their data might be used for marketing or to assess their creditworthiness, and CaixaBank also failed to mention that the personal data would be disclosed to third parties.


The former customer complained to the AEPD that their personal data had been passed to a credit scoring company, even though they had ended their relationship with the Bank in 2014.

CaixaBank argued that the data was passed on for profiling purposes, to determine creditworthiness, and claimed that the legal bases for these processing activities were:

  • Insolvency and credit legislation
  • Consent

The Bank stated that all the data used had been provided by the data subject themselves, by other credit scoring entities and by the Bank's own risk information centre, and on that basis believed it had acted lawfully.


This type of data processing is called profiling and is specifically addressed in GDPR. Profiling is defined as any form of automated processing of personal data used to evaluate certain aspects of a data subject, such as creditworthiness, including the analysis or prediction of the data subject's behaviour. Where, as here, the controller relies on consent as the legal basis for profiling, GDPR requires the controller to be able to demonstrate that the data subject has consented to that specific processing. The request for consent must be clearly distinguishable from other matters and presented in an easily accessible form, using clear and plain language.

With regard to CaixaBank's claim that the customer had given consent, the AEPD found that the Bank had not provided enough information about the profiling. All the information on this processing activity was buried in the conditions of a credit contract. As well as not being easily accessible, it did not make clear what data would be used or how detailed the resulting profile would be. The AEPD also found that the privacy policy did not accurately describe the kinds of personal data that would be used, and that the customer was not told what the outcome of the processing would be. There was no mention that they might receive marketing from third-party companies for unrelated products.

The AEPD also found that the customer could not consent to each purpose of processing individually, and that the Bank's privacy policy did not disclose the full set of purposes for processing. It therefore concluded that the customer's data had been transferred without consent or any other valid basis.


The AEPD decided to fine CaixaBank €3,000,000 (USD $3,386,820). In setting the amount it took into account:

  • How invasive profiling is for data subjects
  • The link between the processing and the Bank's business activities
  • The size of the Bank
  • The high volume of personal data the Bank processes
  • The high number of affected data subjects

GDPR has been in force for a while now, but that does not mean it has become any easier to navigate. As a company it can be difficult to understand exactly what you can and cannot do, and getting caught out is costly. Value Privacy can provide expert advice and insight to make sure your company is operating correctly. Contact us to find out how we can help you.
