News

Spanish DPA shakes the privacy status quo in Spain – highest fines yet on personal data

11 March 2021

The Spanish Data Protection Agency (“Spanish DPA”) decided to start 2021 the same way it ended 2020: by imposing the highest fines to date (EUR 5,000,000 and 6,000,000) to two large Spanish financial entities. However, the interesting part is not the high amount of the fines, but the reasons for their imposition as they establish new and (almost) unachievable standards giving rise to uncertainty and (in some cases) panic that has spread among businesses.

Both sanctioning decisions share several things in common: the type of sanctioned entity (large companies); the infringements (transparency, and lack of legal basis), and the timing.

Is this a mere coincidence or should companies (banks or not) brace themselves for the upcoming storm?

Background

At the end of 2020, the Spanish DPA imposed its highest ever fine under the GDPR (see here, in Spanish). At the beginning of 2021, the Spanish DPA outdid itself and issued another even higher fine under the GDPR (see here, in Spanish). To get a sense of perspective, in just two months two sanctioning decisions (the “Sanctioning Decisions”) were issued, imposing fines 20x higher than the previous top 3 fines under the GDPR in Spain to date.

The sanctioning proceedings do not only share the same timing. Both focus on the same points: information provided to individuals (i.e. transparency and information duties under the GDPR) and the strength / validity of consent designed by both entities (they even share main aggravating circumstances that made the fines skyrocket). What is remarkable in both Sanctioning Decisions is how the Spanish DPA’s interpretation of GDPR obligations set an unprecedented level of strictness.

Transparency (Arts. 13 and 14 GDPR): EUR 2,000,000 per Sanctioning Decision

The Spanish DPA uses very similar arguments to establish that the information provided by the companies did not comply with the transparency principle and, therefore, with the minimum and mandatory information companies must make available to individuals under Arts. 13 and 14 GDPR. These arguments (summarized below) have shocked several companies in Spain (and abroad) given the (very) strict approach taken by the Spanish DPA which leads to punish behaviors which, far from being obvious infringements of the GDPR, are common practice.

The use of terminology the Spanish DPA considers to be imprecise and vague: The Spanish DPA considers that the following common wording and expressions (used by a many companies in their privacy policies) are vague and imprecise, and do not provide the data subject with a clear understanding of the purpose and the processing activities involved:

“Know you better and improve your experience”; “Offer you products and services... personalized for you”; “Improve the quality of products and services”; “Your data are yours and you control them”; “make your experience more personalized”; “Products and prices that are more tailored to you”; “I DO NOT want XXX to process my data to offer me products and services ... personalized for me”; “I DO NOT want XXX to communicate my data to Group companies so that they can offer personalized products and services for me”; “I DO NOT want XXX to process my data to improve the quality of new and existing products and services ”; “To properly manage the products and services you request and contract from us"; “To follow the relationship we have with you and your financial development”; “At XXX we process your personal data in order to provide you with the same level of quality at all times, so that we can offer you better treatment and service in accordance with your status as a client”; “If you want to streamline the application process, we will need.."; “At XXX we want your experience as a client to be as satisfactory as possible, through a personalized relationship that is best adapted to your client profile and your needs. To make it we have to get to know you better…”; “Thanks to this analysis we will be able to get to know you better, assess new functionalities for you… as well as personalized offers with prices that are better suited to you”; “We would like to keep you up to date on new XXX products and services, as well as give you tips and recommendations to better manage your financial situation. We can also send you information about XXX products and services with prices that are better suited to your profile, informing you about what may be of interest to you as a client”; “If you want the XXX Group companies… to offer you products and services customized in features and price, we need you to authorize us to communicate data related to your client profile ... This information will be processed to try to improve the characteristics and prices of the supply of products and services"; “…so that from XXX we can better meet your expectations and we can increase your grade of satisfaction"; “…To be a bank close to you as a client and to be able to accompany you during our contractual relationship, we could congratulate you on your anniversary, wish you a good day or happy holidays”; “At XXX we believe that, as a client, you have a reasonable expectation that your data so that we can improve products and services and you can enjoy a better experience as a client”; "In addition, we believe that you also have a reasonable expectation to receive congratulations on the occasion of your anniversary. wish you a good day or happy holidays”; “in order to provide you with an adequate service and manage the relationship that we maintain with you as a client …”; “personalized your experience”; “produce our business models”; “analyzing the use of the company’s products, services and channels”; “applying statistical and classification methods to adjusts your profile correctly; “undertaking statistics, surveys, actuarial calculations, averages and/or market studies of the company’s or third party’s interest”; “Commercial offers tailored to your needs and preferences”; “improve the design and usability of the products”; “Information generated from the products themselves"; "analysis and study"; “study products and services"; “design products and services"; “for our own management"; “give you a better service"; “communicate your data to third parties with whom we have an agreement"; “expectation reasonable to receive”; “management needs”; “analysis, study and follow-up for the offer and design of products and services adjusted to the profile”.

It is almost impossible to identify a single privacy policy not containing one of the expressions above.

The use of the privacy policy in a way the Spanish DPA considers to be a “marketing tool”: According to the Spanish DPA, some of the expressions in the table above present the privacy policy as a benefit for the data subject implying that its non-acceptance will result in any kind of loss for him/her. It is one thing to use “amicable” and customer friendly language, but it is another to use wording to try to increase the number of clients.
Information the Spanish DPA considers insufficient, with regard to the categories of personal data to be processed and the categories of data used for a specific purpose: In the Spanish DPA’s opinion, the categories of personal data processed used by the companies sanctioned are so broad and open that could encapsulate almost every kind of personal data (including sensitive data). These are expressions one can easily find in most privacy policies. For example, processing data related to “products, services and channels of the company”; “account transactions”, using expressions such as “for instance”, “etc.”, “among others”; inferred data or related to “income” is construed by the Spanish DPA as not specific. According to the Spanish DPA, this is particularly serious when the processing activities are based on data subjects´ consent.
Information on legal bases the Spanish DPA considers unclear: Data subjects must clearly understand the legal basis that justify a data processing activity, its specific purpose, and the categories of data involved. These three elements operate together and must be perceived as such by the individual. From the perspective of the Spanish DPA, this is particularly relevant when the controller relies on both the consent and legitimate interest grounds in order to process data for marketing purposes. The Spanish DPA stresses that companies must clearly separate marketing activities based on legitimate interests from marketing activities based on the consent. The Spanish regulator concludes that only if these are duly separated a client would be able to freely and unambiguously consent to them.

The following are some examples of the information provided by the entities that Spanish DPA considers may cause confusion, to an average citizen, about the legal basis that justifies the processing in the sense described above, since the purposes mentioned for both legal bases are very similar:

Purposes based on legitimate interest

Purposes based on consent

“Get to know you better and personalize your experience”; “To make your experience as satisfying as possible”; “To know you better by analyzing your financial evolution... the uses of products, services and channels”; “To assess new functionalities..., products and services.”; “Evaluate... personalized offers with prices that are better suited to you”; “To better meet your expectations and we can increase your customer satisfaction”; “Improve the quality of products and services”; “To carry out statistics, surveys or market studies that may be of interest”.

“To offer you products and services from XXX, the Group and others, personalized for you”; “To give you advice and recommendations to better manage your financial situation”; “Improve the quality of products and services”; “Increase your satisfaction as a customer”; “..to meet your expectations”; “Improve the quality of existing products and services”; “Develop new products and services”; “Carry out statistics, surveys, actuarial calculations, averages and/or market studies that may be of interest to XXX or third parties”; “Such information is obtained from the use of XXX products, services and channels”.

Information on legitimate interest regarded as incomplete by the Spanish DPA: The Spanish DPA refers to the distinction that must be made between the purpose of the processing and the legitimate interest pursued by the controller, stating that “the interest goes beyond the purpose”. In this regard, it concludes that both companies do not detail their legitimate interest when referring to the data processing activities relying on that legal basis. It is highlighted that processing activities relying on the legitimate interest ground must be foreseeable by the clients themselves (without the company clarifying it to the client).
Insufficient information on profiling according to the Spanish DPA: The Spanish DPA considers that the entities sanctioned do not provide information on the type of profiling carried out, the specific uses of the individual profiles, or the possibility for the data subject to exercise the right to object (ex. Art. 21.2 GDPR), where profiling is related to direct marketing activities.

The level of detail required by the Spanish DPA to fully comply with the requirements mentioned above risks increasing significantly the volume of the average privacy policy (something that has been fiercely criticised by the data protection authorities as it causes “privacy policies fatigue”). However, the Sanctioning Decisions are already causing many companies to review their privacy policies, as the level of detail required has been considerably increased. Under this new scenario, the balance between a “fully compliant privacy policy” and a “customer friendly privacy policy” has become harder to achieve.

Legal Bases (Art. 6 GDPR): EUR 3,000,000 and EUR 4,000,000

The main legal bases used by the sanctioned entities and criticised by the Spanish DPA in the Sanctioning Decisions are the data subjects’ consent (Arts. 6.1(a) and 7 GDPR) and legitimate interests (Art. 6.1(f) GDPR). While the Sanctioning Decisions are not identical in this respect, the reasoning behind them is very similar:

Consent:
- The Spanish DPA states that the execution or acceptance of a contract, privacy notice or data collection form can neither be understood as valid consent for the specific data processing activities based on the same, nor be unambiguous. The Spanish regulator emphasises that “global consents” are generally not valid under the GDPR and that different purposes and / or processing activities cannot be grouped under one consent. While the above cannot be entirely regarded as a novelty, the fact that the regulator specifically highlights this issue and imposes such high fines as a result is a source of concern, at least in Spain.
- The Spanish DPA considers that sharing data within a group of companies requires a separate consent. In the eyes of the Spanish DPA, the common practice of seeking the consent of a client for a processing activity carried out by the controller and the group of companies is not deemed valid. The Spanish DPA takes the view that the sharing of data within the corporate group is an independent processing activity and purpose and, therefore, requires a separate consent.
Legitimate interests: In this regard, the Spanish DPA refers to the mixing of legal bases (e.g. with regard to the confusion between purposes based on legitimate interest or consent) and the abovementioned lack of due information (or vague and speculative information provided) to determine the misuse of this legal basis. In addition, the following is highlighted:
- According to the Spanish DPA, the legitimate interests pursued by one of the concerned entities consist in achieving economic benefits which are neither detailed nor sufficient, in its opinion, to prevail over the data subject’s fundamental right to data protection. Having an economic interest (as a business and private entity) does not, per se, prevails over individuals’ rights and freedoms. Carrying out a balancing test is necessary to assess whether such interest prevails (or not) over the individual’s interests and fundamental rights and freedoms.
- The fact that neither the balancing test nor the privacy impact assessment is made available to data subjects is criticised by the Spanish DPA. In addition, the Spanish DPA indicates that, apart from a generic reference to the right to object, a separate objection right should be indicated when personal data are processed on the basis of the legitimate interest (and particularly where processing data for profiling purposes).
- The processing activities of the company cannot be based on the client’s legitimate interests (understood as a third party’s legitimate interest as permitted in Arts. 6.1(f) GDPR), as this would mean accepting a posteriori legitimate interest of which the client is not aware and which does not meet the requirements under the GPDR. For instance, sending marketing in the client’s best and legitimate interest of being up to date with the company’s news.
- Likewise, data processing activities based on consent cannot later on be based on legitimate interests if such consent is not deemed valid (e.g. where such consent is not informed in the sense of Arts. 13 and 14 GDPR).

Fines are not the (main) issue

Apart from the economic sanctions referred to above, the Spanish DPA imposed in both cases an additional non-economic sanction which in practice amounts to the real sanction. The Sanctioning Decisions require both entities to align their privacy documents, procedures and practices to the GDPR within 6 months, and to prove it to the Spanish DPA within that deadline.

In practice, and as established in the Sanctioning Decisions, this may entail stopping data processing activities based on the legal bases and/or information declared invalid or insufficient by the Spanish DPA, and requesting group companies that have received concerned personal data to erase and stop processing such data.

What now?

Both entities have publicly announced their intention to appeal their respective Sanctioning Decisions.

Next steps

Given the high standards adopted by the Spanish DPA, it is certainly advisable to undertake a wholesale review of existing privacy policies to ensure that all legal requirements are met. Specifically, companies (not only financial entities) should focus on taking these key steps:

Sharpen the wording of the privacy notice. The aim should be to ensure that the language used is not only very clear but sufficiently comprehensive.
Design and present clear-cut consent mechanisms. It is essential to consider the most appropriate design of all consent mechanisms so there is no room for confusion. Companies must be particularly careful where consent relates to profiling activities, marketing activities, and the sharing of information with third parties (including member of the same corporate group).
Analyze and describe the legitimate interest in detail. Clear information must be provided on the actual, non-speculative and specific legitimate interests pursued by the controller (separately from the purposes of the processing) and a robust balancing test must be carried out taking into account the reasonable expectations of data subjects.

Authored by Gonzalo F. Gállego, Santiago de Ampuero and Graciela Martín.