The Spanish Agency for Data Protection (AEPD) has imposed a penalty of more than 2 million euros on CaixaBank, as successor to Bankia, for a practice of the now-absorbed entity that made the exemption from commissions on certain products conditional on customers consenting to receive advertising through any enabled channel and to the transfer of their personal data to other group companies.
According to the AEPD's resolution in the sanction proceedings, this implies a violation of data protection regulations regarding the collection of consent from Bankia customers. The investigation began as a result of a first claim received by the Agency in February 2019. A holder of Bankia’s ‘ON’ account informed the AEPD that the entity required him to accept all the consents for personal data processing, which appeared already pre-marked or accepted, and that, if he chose not to transfer his data to third parties, the bank charged him a fee of 5 euros per month to maintain his account.
The Subdirectorate General for Data Inspection requested information from Bankia on the privacy and publicity policy of the ‘ON’, ‘ON Nómina’ and ‘Un & Dos’ accounts and cards, from which it emerged that Bankia waived the administration and maintenance commissions for the account and associated cards if the clients maintained a “digital profile”.
To have this “digital profile”, customers had to, among other conditions, have provided Bankia with their mobile phone number and email address and have authorized the bank to process their personal data to send commercial communications through any enabled channel and to transfer their personal data to companies in its group for the analysis of their profile for commercial purposes.
This meant that Bankia customers who had not accepted the sending of commercial communications by any channel or had refused to transfer their personal data to group companies had to pay commissions for it, as the entity considered that they did not comply with the “digital profile” precisely because of this refusal. In addition to the first claimant, up to six more users went to the Spanish Agency for Data Protection to report this collection of commissions.
Bankia argued before the AEPD that customers were not required to accept any consent regarding the processing of personal data in the process of contracting the ‘ON’ account, but that if they did so and complied with the rest of the conditions of the “digital profile”, they could be exempted from paying commissions for certain products. “The process of managing consents by customers, which allows them not only to be given freely and through any of the entity’s channels, but also to be modified at any time and as many times as the customer wants in an agile and simple way, guarantees that said consent is given freely”, defended Bankia.
The bank eliminated the conditions of accepting the receipt of advertising and the transfer of customers' data to third parties on December 15, 2019 and added one related to having accepted and activated the ‘push’ messaging service through the Bankia app. The new conditions began to apply to pre-existing customers two months later.
Consent cannot be considered freely given
The Data Protection Agency recalls that article 4.11 of the General Data Protection Regulation (GDPR) defines the consent of the interested party for the processing of their personal data as “any manifestation of free, specific, informed and unequivocal will by which the interested party accepts, either by means of a declaration or a clear affirmative action, the processing of personal data that concerns him”.
In its opinion, by linking the exemption from banking commissions to the provision of consent for the sending of commercial communications and the transfer of personal data to the entities of the Bankia group, “it cannot be considered that the consent is freely granted, inasmuch as, if such processing is not accepted or the consent thus obtained is subsequently revoked, negative consequences occur for the interested party who is subject, in such a case, to the payment of the commissions set by the bank”.
CaixaBank, successor to Bankia, argued that the commissions do not constitute a levy but the consideration for the services provided by the bank, an element that must be incorporated into the current account contract and whose purpose is the remuneration of those services. The AEPD does not share this reasoning.
“This Agency considers that, effectively, the commissions can form part of the current account contract remunerating the services provided by the banking entity, but understands that the link of the exemption from their collection to the provision of consent for data processing other than that of the contract determines that the consent is not given in conditions of freedom”, it ruled.
For all these reasons, the director of the Spanish Data Protection Agency, Mar España Martí, has decided to impose a fine of 2 million euros on CaixaBank for an infringement of the GDPR in relation to obtaining consent for purposes other than those of the contract by conditioning it on the exemption from bank commissions, and a penalty of 100,000 euros in relation to obtaining consent through pre-marked boxes.
Against the resolution, CaixaBank may file an appeal for reversal before the director of the Spanish Agency for Data Protection within a month, or file a contentious-administrative appeal directly before the Contentious-Administrative Chamber of the National High Court.