GDPR Glasnost: Spain’s AEPD raises the transparency bar and sanctions two banks
Abstract
This paper is a commentary on two recent decisions issued by the Spanish data protection authority (DPA), the AEPD (Agencia Española de Protección de Datos). Both decisions, issued one month apart, rest on similar grounds and grievances, arising primarily from the alleged lack of clarity in the two banks’ privacy notices to their clients, in their consent-collection processes and in the formulation of their legitimate interest in processing personal data. Taken together with a decision issued just a couple of months earlier by the French DPA, the CNIL (Commission Nationale de l’Informatique et des Libertés), these two decisions appear to mark a new trend: heightened scrutiny of the details of the data protection documentation drawn up by data controllers. Sanctions issued during the first two years of application of the General Data Protection Regulation (GDPR) had largely focused on penalising manifest disregard for the GDPR, primarily in the form of a lack of appropriate technical and organisational measures or the absence of a lawful basis for the processing of personal data. In each of the three decisions, the data controller was a bank: Banco Bilbao Vizcaya Argentaria, SA (BBVA) and CaixaBank in the two AEPD decisions under review, and Carrefour Banque in the CNIL decision previously commented on by the co-authors. In the two Spanish decisions, the fines imposed were €5m against BBVA and €6m against CaixaBank. Privacy professionals in the banking sector will need to factor in these regulatory developments and reassess the formulation of their privacy notices. The industry has thus been invited to revisit its duty to inform data subjects from a new, more rigorous perspective. What degree of detail regarding the specifics of the data processing do regulators expect in a privacy notice? How should data controllers structure the collection of data subject consent to ensure that it constitutes a valid lawful basis for processing? What elements must they demonstrate in order to validly invoke a legitimate interest in the processing? The two recent AEPD decisions under review set a high bar. While the two decisions are primarily remarkable for their substantive reasoning (I), we will also highlight some particularly interesting procedural developments (II).
The full article is available to subscribers to the journal.
Author's Biography
Philipp Fischer is a Partner in the Banking & Finance department of OBERSON ABELS Ltd. He graduated from the University of Geneva in 2004 and was admitted to the Geneva Bar in 2007. In 2009, he earned an LLM at Harvard Law School. After working in major law firms in New York, Zurich and Geneva (2010–2016), he co-founded the law firm OBERSON ABELS Ltd in 2016. He has been advising financial institutions (in particular banks, securities dealers, insurance companies, collective investment schemes and independent asset managers) on Swiss banking, financial and data protection regulations for over 13 years. He is a member of the Continued Legal Education Commission of the Geneva Bar Association and of the Geneva Bar Exam Commission. He is a member of the Executive Committee of the CAS Digital Finance Law (University of Geneva), in charge of the module on data protection. He also serves on the board of the Harvard Law School Association of Europe.
Julien Levis is a privacy practitioner (Head of Data Privacy at an international group). He was trained as a lawyer (La Sorbonne, Stanford Law School) and was admitted to the New York and Paris Bars. He holds the CIPP/E and CIPM certifications of the International Association of Privacy Professionals (IAPP). Before turning to privacy practice he worked as an attorney; his prior activities also included consulting in the area of international development (he was on the staff of the World Bank/IFC for a number of years) and banking. He has recently started publishing occasional notes on data protection. He also acts as a privacy mentor for companies and privacy professionals at EPFL’s Tech 4 Trust Accelerator and at Constructive Privacy.