GDPR Glasnost: Spain’s AEPD raises the transparency bar and sanctions two banks
Philipp Fischer and Julien Levis
Philipp Fischer: Partner in the Banking & Finance/Data Protection Department, Oberson Abels, Switzerland
Julien Levis: Head of Data Privacy at an International Group
Journal of Data Protection & Privacy, 2021, vol. 5, issue 1, 89-96
Abstract:
This paper is a commentary on two recent decisions issued by the Spanish data protection authority (DPA), the AEPD (Agencia Española de Protección de Datos). Both decisions — issued one month apart — developed similar motives and grievances, arising primarily from the alleged lack of clarity in the two banks’ privacy notifications to their clients, in their consent-collection processes and in the formulation of their legitimate interest in processing personal data. These two decisions, combined with one issued just a couple of months earlier by the French DPA (CNIL [Commission Nationale de l’Informatique et des Libertés]), appear to mark a new trend: heightened scrutiny of the details of the data protection documentation set forth by data controllers. Sanctions issued over the General Data Protection Regulation’s (GDPR) first two years of implementation had largely focused on penalising manifest disregard for the GDPR (primarily in the form of a lack of appropriate technical and organisational measures or the absence of a lawful basis for personal data processing). In each of the three decisions, the data controller was a bank (Banco Bilbao Vizcaya Argentaria, SA [BBVA] and CaixaBank in the two AEPD decisions under review, Carrefour Banque in the CNIL decision previously commented on by the co-authors). In the two Spanish decisions, the fines issued were, respectively, €5m against BBVA and €6m against CaixaBank. Privacy professionals in the banking sector will need to factor in these regulatory developments and reassess the formulation of their privacy notifications. The industry has thus been invited to reassess its duty of privacy information from a new, more rigorous perspective. What degree of detail regarding the specifics of the data processing do regulators expect in a privacy notice? How should data controllers structure the collection of data subject consent to ensure it may constitute a legitimate basis for data processing? What are the elements they need to demonstrate to validly invoke a legitimate interest in the data processing? The two recent AEPD decisions under review set a high bar. While the two decisions are primarily remarkable in their substantive motivation (I), we will also highlight some particularly interesting procedural developments (II).
Keywords: GDPR; duty of information; consent; legitimate interest; impartiality; due process
JEL-codes: K2
Date: 2021
Downloads:
https://hstalks.com/article/6817/download/ (application/pdf)
https://hstalks.com/article/6817/ (text/html)
Requires a paid subscription for full access.
Persistent link: https://EconPapers.repec.org/RePEc:aza:jdpp00:y:2021:v:5:i:1:p:89-96