Fine for lack of explicit consent to profiling for commercial purposes

Company: CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.
Possible data protection breach: lack of explicit and informed consent to profile users for commercial purposes.
Authority: AEPD (Agencia Española de Protección de Datos).
Amount of fine: 3.000.000 Euro

The focus of this violation is the following company: CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. The procedure was initiated after several indications arose that automated profiling and decision-making, by the controller in the course of its commercial activities, might be an unlawful practice.

The identified data protection breach
The activity of the financial and payment institution is to distribute credit or debit cards, credit accounts and loans through three channels: directly through Caixabank Payments, through an agent (La Caixa) and through prescribers (points of sale such as IKEA).

Caixabank creates profiles for its commercial activities for the following purposes:

  • Analysis of the risk of default when applying for a product.
  • Analysis of the risk of default during the application for a product.
  • Selection of the target audience. 

Consent is obtained in various channels from prescribers and agents for study and profiling purposes. Consent is requested in the following form: “I authorise CaixaBank Group to use my data for study and profiling purposes”.
In this case, the data subject only receives general information about the different profiling treatments. With this information, the data subject cannot know exactly which use he or she consents to. The data subject was not considered to be able to make a choice on all the purposes for which the data are processed.

Decision of the Spanish Data Protection Authority
The AEPD subsequently imposed a fine of EUR 3,000,000 on CAIXABANK for failing to obtain explicit and informed consent to profiling for commercial purposes. The AEPD ordered the controller to bring the processing operations into compliance with the provisions of the General Data Protection Regulation within six months of the decision.