On October 22, 2024, the Spanish data protection authority (AEPD) published its decision in Proceeding No. PS/00380/2024, in which it imposed a fine of €300,000, subsequently reduced to €180,000, on Ibercaja Banco, S.A. for violating the General Data Protection Regulation (GDPR) following a complaint.

Background to the decision

The AEPD outlined that in the present case, the complainant stated that they had a contractual relationship with Ibercaja regarding a mortgage contract, which ended on February 23, 2024, with a settlement agreement. However, the complainant claimed that Ibercaja proceeded to access their file on up to 47 occasions from March 2022 to January 2023.  

Findings of the AEPD

The AEPD clarified that in the context of processing personal data in credit information systems, Article 20(1)(e) of the Organic Law 3/2018, of 5 December 2018, on the Protection of Personal Data and Guarantee of Digital Rights (LOPDGDD) presumes lawful processing of the personal data of an individual, when the financial solvency file is consulted by someone who maintains a contractual relationship with the affected party, implying the payment of a monetary amount or resulting from the conclusion of a contract that involves financing, deferred payment, or periodic billing.

Following this, the AEPD found that Ibercaja violated Article 6(1) of the GDPR by consulting the claimant's personal data in the solvency file without there being a valid contractual relationship or any other legitimate cause justifying such access.

Outcomes

As a result of the above, the AEPD imposed a fine of €300,000 on Ibercaja. Considering that Ibercaja proceeded to voluntarily pay the fine and admit its liability, the total amount of the fine was reduced to €180,000.

You can read the decision, only available in Spanish, here.