GDPR | Jun 3, 2026

AEPD (Spain) - PS-00143-2025

AEPD fines CaixaBank €400,000 for failing to implement data protection by design measures

Summary

Spain's AEPD (Autoridad de Protección de Datos) fined CaixaBank €400,000 for violating Article 25 GDPR by failing to implement adequate data protection by design and by default measures in its Customer Service Department. The bank wrongly sent customer complaint documents containing sensitive banking and financial data to third parties due to human error and inadequate technical controls. The DPA rejected CaixaBank's argument that banking sector compliance was sufficient, holding that GDPR compliance is independent and mandatory.

Full text

Source: GDPRhub, revision as of 08:51, 3 June 2026 (contributor: Bms). Compared with the previous revision (08:49), this revision only filled in the publication date (29.05.2026) and simplified the wikilinks to Article 25 GDPR; the substantive text was unchanged.

AEPD - PS-00143-2025

Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 25 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 04.03.2026
Decided:
Published: 29.05.2026
Fine: 400,000 EUR
Parties: CaixaBank
National Case Number/Name: PS-00143-2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The AEPD fined CaixaBank €400,000 after wrongly sending customer complaint documents to third parties and failing to implement Article 25 GDPR measures.

English Summary

Facts

The DPA initiated proceedings against CaixaBank, S.A., the controller, after receiving two complaints concerning the disclosure of personal data to third parties in the context of the controller’s Customer Service Department.

In the first complaint, the data subject received an email from the controller containing a response to a complaint that he had not filed. The response was addressed to a third party and included personal data relating to that third party. During the investigation, it was also established that the third party had received a communication disclosing the data subject’s personal data, including his name and ID number.

In the second complaint, the data subject received documents relating to other customers of the controller. In particular, the controller sent him a response to another customer’s complaint, which contained information about an overdraft situation, bank charges and bank account data. The data subject also received a document prepared for signature by another customer in relation to banking measures for mortgage debtors.

Holding

The DPA held that the controller infringed Article 25 GDPR by failing to implement adequate data protection by design and by default measures in its Customer Service Department.

The DPA considered that the matter was not limited to two isolated personal data breaches. The processing operation involved a significant volume of personal data in a banking context, including identity data, contact details, bank account information and financial information. Since the controller itself acknowledged that the complaint-handling process was exposed to human error, the DPA held that the controller had to implement technical and organisational measures capable of preventing, detecting and mitigating such errors.

The DPA rejected the controller’s argument that compliance with banking-sector rules and supervision by the Bank of Spain was sufficient. It held that banking compliance does not automatically ensure compliance with the GDPR or the LOPDGDD. The controller had to assess the risks to data subjects and integrate data protection safeguards into the design and operation of the complaint-handling process.

The DPA found that the lack of adequate measures affected not only confidentiality, but also other GDPR principles, including data minimisation and accuracy. In particular, the controller’s systems wrongly linked complaints, representatives and customer data, and failed to ensure that documents were sent only to the correct recipients. The DPA therefore considered Article 25 GDPR to be the more specific legal basis for the infringement and dismissed the alleged infringement of Article 5(1)(f) GDPR.

The DPA initially proposed a fine of €500,000 for the infringement of Article 25 GDPR. The controller made a voluntary payment without acknowledging liability, which reduced the fine by 20% under the Spanish Administrative Law (39/2015). The final fine was therefore €400,000.

The DPA also ordered the controller to adopt corrective measures. Within nine months from the date on which the decision became final and enforceable, the controller had to prove that it had reviewed the operation of its Customer Service Department, prepared a report with additional measures to ensure full compliance with Article 25(1) and (2) GDPR, and submitted the report to the competent internal body for approval.

Entities

CaixaBank (vendor)
AEPD (Autoridad de Protección de Datos) (vendor)
Bank of Spain (vendor)