MADRID, 18 Abr. (EUROPA PRESS) -
The Official State Gazette (BOE) publishes this Thursday the fine that the Data Protection Agency has imposed on CaixaBank in the amount of 5 million euros for violating several articles of the General Data Protection Regulation (RGPD), a mandatory law. for all companies operating in the European Union.
Specifically, the entity has received three sanctions, one of 2 million euros and two of 1.5 million euros, for failing to comply with three articles of the aforementioned Regulation.
The first of the fines, of 2 million euros, is based on CaixaBank's failure to comply with article 5.1.f of the GDPR, which requires confidentiality and integrity in the processing of personal data.
Likewise, the Agency has imposed a fine of 1.5 million on the bank for violating article 25 of the Regulation, in which the data controller is obliged to apply, both at the time of determining the means of processing and in the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, to effectively apply data protection principles and protect the rights of data subjects.
Said article also requires the data controller to guarantee that only the personal data that is necessary for each of the specific purposes are processed, as well as that the personal data are not accessible, without the intervention of the person, to an indeterminate number of natural persons.
The third of the fines to CaixaBank, also in the amount of 1.5 million euros, is due to non-compliance with article 32 of the RGPD, in which the person responsible and in charge of data processing is obliged to apply appropriate technical and organizational measures to guarantee a level of security appropriate to the risk, which, where appropriate, includes, among others, the pseudonymization and encryption of personal data, the ability to guarantee the confidentiality, integrity, availability and permanent resilience of the processing systems and services, and the capacity to quickly restore availability and access to personal data in the event of a physical or technical incident.
By law, the Data Protection Agency is obliged to publish in the BOE sanctions on legal entities exceeding one million euros.
