D.A.A.A. & Ors v. Caixabank, S.A.

€2,000,000 in fines

Excerpt

Caixabank was fined by the Spanish DPA for using pre-ticked boxes to request consent for processing personal data, and for charging customers who did not accept the terms a monthly maintenance fee of €5.

Our analysis

Customers of Caixabank complained to the Spanish Data Protection Agency (AEPD) that the bank was using the deceptive patterns of preselection and forced action to obtain its customers' consent for processing personal data. Caixabank had asked customers to accept consent terms through pre-ticked boxes. If the customers did not accept the terms, the bank would charge them a fee of €5 per month for maintaining their bank account. This approach of preselecting the consent checkbox and then linking it to a mandatory fee for the bank account's maintenance forced the customers to provide their consent. The bank claimed that the fee was not a charge but a necessary fare for providing banking services and was an essential element of the contract. The AEPD established that during a certain period, for new customers who chose a particular type of bank account, the consent acceptance fields were pre-ticked. In the AEPD's view, linking an exemption from fees to the giving of consent for the processing of personal data meant that the consent was not given freely, since not giving consent entailed the payment of maintenance fees, which were detrimental to the data subject.

The AEPD also noted that the bank's arguments about its offering of different banking products were not relevant in this case, since these other products had different requirements based on the customer's economic conditions, minimum purchases per month, insurance contributions, and holdings in investment funds. The AEPD also established that linking the processing of personal data with a waiver of fees could not be considered analogous to a loyalty program. The AEPD held that the two legal bases for the lawful processing of personal data (i.e. consent and performance of a contract) were merged or blurred, in violation of Article 7(4) GDPR. Overall, the AEPD found Caixabank's actions to be in violation of GDPR due to the deceptive patterns of preselection and forced action used to obtain consent for processing personal data.

Outcome

The AEPD found that Caixabank had unlawfully merged two legal bases for processing personal data - consent and performance of a contract - which violated Article 7(4) GDPR. Consequently, the AEPD imposed a €2,000,000 fine against Caixabank for breaching Article 6 GDPR in connection with Article 7(4) GDPR. Caixabank had imposed conditions that required consent for the processing of personal data, for purposes that were not necessary for the performance of a contract. Additionally, Caixabank was fined €100,000 for using pre-ticked boxes to obtain this consent, which was in violation of Article 6(1) GDPR.

Parties

D.A.A.A. (claimant 1), D.B.B.B. (claimant 2), D.C.C.C. (claimant 3), D.DDD (claimant 4), D.E.E.E. (claimant 5), D.F.F.F. (claimant 6) and D.GGG (claimant 7); and Caixabank, S.A.

Case number

PS/00226/2020

Related deceptive patterns

Related laws

Legal enforcement database by Leiser, Santos and Doshi

The information about laws and cases on this website is brought to you by the Leiser, Santos and Doshi enforcement database.
