Spanish DPA fines bank EUR 6M for lack of valid consent and transparency failures


On 13 January 2021, the Spanish data protection authority (“AEPD”) issued a resolution fining a bank EUR 6M for failing to provide uniform information across different documents and channels, for using imprecise terminology in its privacy policy, and for providing insufficient information about the category of personal data processed, the profiles made of users and the specific uses of the same, as well as the exercise of rights and data retention periods.

Moreover, the resolution states that the bank did not sufficiently justify the legal basis for the processing of personal data, especially legitimate interest, and did not comply with the requirements for obtaining valid consent, namely that it be specific, unequivocal, and informed. Deficiencies were identified in the processes used to obtain clients' consent for the processing of their personal data, and the transfer of personal data to companies within the bank was found to be unlawful.

The full resolution is available here (only in Spanish).