Caixabank S.A. fined EUR 6 million

On 13/Jan/2021, Caixabank S.A. received a privacy fine of EUR 6,000,000. The enforcement authority (Spanish Data Protection Agency) has cited these legal provisions in imposing the fine on Caixabank S.A.: Article 13 GDPR, Article 14 GDPR, Article 6 GDPR.


Date of enforcement action:
Jurisdiction: Spain
Fine imposed: EUR 6,000,000 (US$7,100,000)
Defendant company or entity: Caixabank S.A.
Industry segment: Financial Services

Case summary

Caixabank S.A. modified its privacy policies. The changes allowed the Bank to transfer customer data to all other companies within its corporate grouping. However, in doing so, the Bank failed to provide any appropriate mechanism by which data subjects could communicate that they did not consent to the new privacy policy and the transfers. The Bank did allow customers to send a letter indicating their disagreement with the policy. The AEPD concluded that the requirement of a letter was not appropriate, and that the privacy policy of the Bank did not meet the requirements of Articles 13 and 14 of the GDPR. The AEPD also concluded that any transfers made under the amended privacy policy were unlawful, citing Article 6 of the GDPR in this respect.


Applicable legal provisions

Enforcement information

Enforcement authority: Spanish Data Protection Agency
Type of enforcement action: Penalty notice
Subject to appeal? Not known

File or case number


Cite this fine in your work

Data Privacy Fines Index. (2021-01-12 05:45) Caixabank S.A. fined EUR 6 million. Retrieved from

Entry last updated: 2021-02-05 06:03 GMT.