In January 2021, the Spanish Data Protection Agency issued its largest fine under GDPR to date.  Spanish bank, CaixaBank, was fined six million euros for various infringements of GDPR transparency standards.

CaixaBank issued new privacy policies to their customers for acceptance, to allow the bank to transfer their personal data to all companies within the CaixaBank Group.  The privacy policies, provided via different channels and in different documents, varied in content, the terminology used was imprecise and they did not provide sufficient information on type of personal data nor the nature of the processing.

There were also issues relating to the stated legal grounds for processing and some of the processing was deemed to be beyond the bank’s legitimate interests.  Where consent was required, the data subjects were not given the option to specifically not consent to the transfer. As the standard to meet a valid consent was not met, the Data Protection Authority concluded that the data sharing between CaixaBank Group companies was unlawful.

This case illustrates the key role privacy notices play in indicating an organisation’s data protection compliance and in particular the corporate attitude to the rights of an organisation’s data subjects.  It is not enough simply to have a privacy notice, you need to make sure it is of the standard expected by the Regulator.

Issues to check:

  • Are your organisation’s privacy policies consistent when provided through different channels and media?
  • Have the privacy policies been checked independently of whoever wrote them to ensure that all the required content is included?
  • Has the overall effect of each privacy policy been checked to ensure that information is delivered clearly and comprehensively?
  • Have the organisation’s legal grounds for processing been checked and correctly attributed to processing purposes?
  • Are consent clauses compliant with the GDPR standard for obtaining valid consent?

There are some useful tips on how to review your privacy notices on the ICO website.

At Data Protection Consulting we carry out regular checks on our clients privacy policies as well as other key areas of data protection compliance helping them to put in place an accountability framework.  If you would like to find out more contact us.