Background information
Date of final decision: 22/09/2021
National case
Controller: CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
Legal Reference: Lawfulness of processing (Article 6).
Decision: Infringement of the GDPR, order to comply.
Key words: non-lawfulness of processing.
Summary of the Decision
Origin of the case
An investigation was initiated following several indications that there might be an incorrect practice in relation to the automated profiling and decision-making of the controller in the context of its commercial activity (the controller is a financial establishment and payment institution).
Key Finding
This entity acts as a financial establishment and payment institution whose business consists of marketing credit or debit cards, credit accounts with or without a card, and loans through three channels: directly through the entity itself (i.e. Caixabank payments); through an agent (La Caixa); and through prescribers (points of sale with which it collaborates, for example IKEA).
In the framework of its commercial activity, Caixabank carries out profiling for the following purposes:
- Analyse the risk of default upon application for a product.
- Analyse the risk of default during the application for a product.
- Selection of target audience.
Consent is requested in the various channels of prescribers and agents for study and profiling purposes. Thus, consent is requested in the following terms: “I authorise the CaixaBank Group to use my data for study and profiling purposes”.
In the present case, the interested party is provided only with generic information on the different profiling operations, and with this information the interested party cannot know exactly what processing they are consenting to. Nor is there any provision for the person concerned to express his or her choice on all purposes for which the data are processed.
Decision
The AEPD fined CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. EUR 3,000,000 for lack of specific and informed consent regarding profiling for commercial purposes. The AEPD ordered the controller to bring processing operations into compliance with the provisions of the GDPR within six months of this decision.
For further information: https://www.aepd.es/es/documento/ps-00500-2020.pdf
The news published here does not constitute official EDPB communication, nor an EDPB endorsement. This news item was originally published by the national supervisory authority and was published here at the request of the SA for information purposes. Any questions regarding this news item should be directed to the supervisory authority concerned.