AEPD (Spain) - PS-00143-2025
AEPD fines CaixaBank €400K for sending customer complaints to wrong recipients, violating GDPR Article 25.
Summary
Spain's data protection authority (AEPD) fined CaixaBank €400,000 for wrongfully disclosing customer complaint documents to third parties and failing to implement adequate data protection by design and by default measures under GDPR Article 25. The violations involved multiple incidents where personal data including names, ID numbers, bank account information, and financial details were sent to incorrect recipients due to systemic failures in the complaint-handling process. The DPA rejected CaixaBank's argument that banking sector compliance and supervision were sufficient, requiring the organization to implement technical and organizational controls to prevent, detect, and mitigate such errors.
Full text
AEPD - PS-00143-2025
Authority: AEPD (Spain)
Jurisdiction: Spain
Relevant Law: Article 5(1)(f) GDPR; Article 25 GDPR
Type: Complaint
Outcome: Partly Upheld
Started: 04.03.2026
Decided: 29.05.2026
Published:
Fine: 400,000 EUR
Parties: Caixabank
National Case Number/Name: PS-00143-2025
European Case Law Identifier: n/a
Appeal: Unknown
Original Language(s): Spanish
Original Source: AEPD (in ES)
Initial Contributor: bms

The AEPD fined CaixaBank €400,000 after wrongly sending customer complaint documents to third parties and failing to implement Article 25 GDPR measures.

English Summary

Facts

The DPA initiated proceedings against CaixaBank, S.A., the controller, after receiving two complaints concerning the disclosure of personal data to third parties in the context of the controller’s Customer Service Department. In the first complaint, the data subject received an email from the controller containing a response to a complaint that he had not filed. The response was addressed to a third party and included personal data relating to that third party.
During the investigation, it was also established that the third party had received a communication disclosing the data subject’s personal data, including his name and ID number. In the second complaint, the data subject received documents relating to other customers of the controller. In particular, the controller sent him a response to another customer’s complaint, which contained information about an overdraft situation, bank charges and bank account data. The data subject also received a document prepared for signature by another customer in relation to banking measures for mortgage debtors.

Holding

The DPA held that the controller infringed Article 25 GDPR by failing to implement adequate data protection by design and by default measures in its Customer Service Department. The DPA considered that the matter was not limited to two isolated personal data breaches. The processing operation involved a significant volume of personal data in a banking context, including identity data, contact details, bank account information and financial information. Since the controller itself acknowledged that the complaint-handling process was exposed to human error, the DPA held that the controller had to implement technical and organisational measures capable of preventing, detecting and mitigating such errors.

The DPA rejected the controller’s argument that compliance with banking-sector rules and supervision by the Bank of Spain was sufficient. It held that banking compliance does not automatically ensure compliance with the GDPR or the LOPDGDD. The controller had to assess the risks to data subjects and integrate data protection safeguards into the design and operation of the complaint-handling process. The DPA found that the lack of adequate measures affected not only confidentiality, but also other GDPR principles, including data minimisation and accuracy.
In particular, the controller’s systems wrongly linked complaints, representatives and customer data, and failed to ensure that documents were sent only to the correct recipients. The DPA therefore considered Article 25 GDPR to be the more specific legal basis for the infringement and dismissed the alleged infringement of Article 5(1)(f) GDPR.

The DPA initially proposed a fine of €500,000 for the infringement of Article 25 GDPR. The controller made a voluntary payment without acknowledging liability, which reduced the fine by 20% under the Spanish Administrative Law (39/2015). The final fine was therefore €400,000.

The DPA also ordered the controller to adopt corrective measures. Within nine months from the date on which the decision became final and enforceable, the controller had to prove that it had reviewed the operation of its Customer Service Department, prepared a report with additional measures to ensure full compliance with Article 25(1) and (2) GDPR, and submitted the report to the competent internal body for approval.

English Machine Translation of the Decision

The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.

File No.: EXP202312854

RESOLUTION OF TERMINATION OF PROCEEDINGS DUE TO VOLUNTARY PAYMENT

From the proceedings initiated by the Spanish Data Protection Agency and based on the following

BACKGROUND

FIRST: On April 16, 2025, the Presidency of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against CAIXABANK, S.A. (hereinafter, CAIXABANK).
Having been notified of the initiation agreement and after analyzing the allegations presented, on March 4, 2026, the following proposed resolution was issued:

<< File No.: EXP202312854

PROPOSED RESOLUTION OF SANCTIONING PROCEEDINGS

From the proceedings initiated by the Spanish Data Protection Agency and based on the following:

BACKGROUND

Contents
FIRST: Complaint 1 (p. 3)
SECOND: Complaint 2 (p. 3)
THIRD: Preliminary investigative actions (p. 4)
FOURTH: Agreement to initiate sanctioning proceedings (p. 4)
FIFTH: Allegations against the initiation agreement (p. 5)
1. Context in which the processing of personal data affected by the personal data breaches (p. 5)
2. Article 5.1 f) of the GDPR (p. 5)
3. Article 25 of the GDPR (p. 6)
4. Lack of proportionality (p. 6)
5. Existence of a medial concurrence (p. 6)
SIXTH: Trial period (p. 7)
SEVENTH: List of documents included in the proceedings (p. 7)
PROVEN FACTS (p. 7)

C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeaepd.gob.es

INDEX OF PROVEN FACTS (p. 7)
FIRST (p. 8)
SECOND (p. 9)
THIRD (p. 10)
FOURTH (p. 11)
FIFTH: