GDPR Glasnost: Spain’s AEPD raises the transparency bar and sanctions two banks

This paper is a commentary on two recent decisions issued by the Spanish data protection authority (DPA): the AEPD (Agencia Española de Protección de Datos). Both decisions — issued one month apart — developed similar motives and grievances primarily arising from the alleged lack of clarity in the two banks’ privacy notifications to their clients as well as in the consent-collection process and in the formulation of their legitimate interest in processing personal data. These two decisions combined with one issued just a couple of months earlier by the French DPA (CNIL [Commission Nationale de l’Informatique et des Libertés]) appear to draw a new trend: one towards a heightened scrutiny on the details of the data protection documentation set forth by data controllers. Sanctions issued over General Data Protection Regulation’s (GDPR) first two years of implementation had largely focused on penalising manifest disregard for GDPR (primarily in the form of a lack of appropriate technical and organisational measures or the absence of a lawful basis for personal data processing). In each of the three decisions, the data controller was a bank (Banco Bilbao Vizcaya Argentaria, SA [BBVA] and CaixaBank in the two AEPD decisions under review, Carrefour Banque in the CNIL decision previously commented by the co-authors). In the two Spanish decisions, the fines issued were, respectively, for €5m and €6m against BBVA and CaixaBank. Privacy professionals in the banking sector will need to factor in these regulatory developments and reassess the formulation of their privacy notifications. The industry has thus been invited to reassess its duty of privacy information from a new, more rigorous perspective. What degree of detail regarding the specifics of the data processing do regulators expect in a privacy notice? How should data controllers structure the collection of data subject consent to ensure it may constitute a legitimate basis for data processing? What are the elements they need to demonstrate to validly invoke a legitimate interest in the data processing? The two recent AEPD decisions under review set a high bar. While the two decisions are primarily remarkable in their substantive motivation (I), we will also highlight some particularly interesting procedural developments (II).