Ook voor banken gelden de databeschermingsregels van de AVG

Hoewel ik soms de indruk krijg dat banken veronderstellen dat de verplichtingen van de Algemene Verordening Gegevensbescherming (AVG) niet voor hen gelden, is dat wel degelijk het geval.

In Spanje werd dat door de privacy-toezichthouder (Agencia Española de Protección de Datos ) aan de Caixabank duidelijk gemaakt door van een boete van 6 miljoen euro. Europese privacy toezichthouder EDPB schrijft:

Spanish Data Protection Authority (AEPD) imposes fine of 6.000.000 EUR on CAIXABANK, S.A.
The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK, S.A., for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR).

The AEPD considered that the document designed to comply with the information did not include enough information regarding the categories of personal data concerned, nor information about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 of the GDPR. Following Article 83 (5) b of the GDPR, a fine of 2.000.000 EUR was imposed. When deciding on the amount of the administrative fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise and its turnover.

On the other hand, the AEPD found that CAIXABANK did not provide with any mechanism to collect the data subject’s consent; that the data subject’s consent did not meet with all the elements of valid consent, and that the processing activities based on the company’s legitimate interest were not sufficiently justified; especially the relationship between the company’s activity and the processing of personal data. The AEPD concluded that this constituted a breach of Article 6 of the GDPR, and according to Article 83 (5) a of the GDPR, an administrative fine of 4.000.000 EUR was imposed. In deciding on the amount of the fine, the AEPD took into account, as aggravating factors, among others, the nature, gravity and duration of the infringement; the negligent character of the infringement; the degree of responsibility of the controller taking into account technical and organisational measures implemented pursuant to Articles 25 and 32 of the GDPR; the benefits gained from the infringement; the categories of personal data affected by the infringement; the relationship between the company’s activity and the processing of personal data; and the fact that the company is a large enterprise and its turnover.

In addition to the administrative fine, the highest ever imposed by the Spanish DPA, the AEPD ordered CAIXABANK to bring its processing operations into compliance with Articles 6, 13 and 14 of the GDPR within the next six months.

To read the full decision in Spanish, click here.
For further information, please contact the Spanish DPA: prensa@aepd.es

Is dit een voorbode van wat Nederlandse banken te wachten staat?

Over Ellen Timmer, advocaat ondernemingsrecht @Pellicaan

Verbonden aan Pellicaan Advocaten, http://www.pellicaan.nl/, kantoor Rotterdam, telefoon 088-6272287, fax 088-6272280, e-mail ellen.timmer@pellicaan.nl ||| Weblogs: algemeen: https://ellentimmer.com/ || modernisering ondernemingsrecht: http://flexbv.wordpress.com/ ||| Motto: goede bedoelingen rechtvaardigen geen slechte regels
Dit bericht werd geplaatst in Financieel recht, onder meer Wft, Wtt, Fraude, witwasbestrijding, Wwft, ICT, privacy, e-commerce en getagged met , , . Maak dit favoriet permalink.

Geef een reactie

Vul je gegevens in of klik op een icoon om in te loggen.

WordPress.com logo

Je reageert onder je WordPress.com account. Log uit /  Bijwerken )

Google photo

Je reageert onder je Google account. Log uit /  Bijwerken )

Twitter-afbeelding

Je reageert onder je Twitter account. Log uit /  Bijwerken )

Facebook foto

Je reageert onder je Facebook account. Log uit /  Bijwerken )

Verbinden met %s