Data Protection Breach – Interesting Case from Spain
January 17, 2024

The Spanish Data Protection Agency (“Agency”) recently imposed a fine of 70,000 euros on a bank for violating the provisions of Articles 5(1)(b), 32, and 5(1)(f) of the General Data Protection Regulation (“GDPR”). The reason for the penalty was the disclosure of the private address of a lawyer, who was also a client of the bank, during communication with another client represented by that lawyer.
Case Background
Specifically, the individual whose data was unlawfully disclosed, acting as a lawyer and representative of another individual, submitted a written complaint to the bank of which he himself was a client. However, in its response to the complaint, the bank used the lawyer’s private address as stored in its system, i.e., its customer database. In this way, the bank revealed the home address of its client to a third party.
Agency’s Position
In relation to this, the Agency took the position that processing the personal data of the individual concerned, specifically his address, in the context of handling the complaint he submitted in his capacity as lawyer for another client of the bank, constitutes a violation of the principle of purpose limitation prescribed by Article 5(1)(b) of the GDPR. Namely, the personal data were processed in a manner inconsistent with the purpose for which they were originally collected (the data controller had obtained the address in order to open the individual’s personal bank account).
Furthermore, the Agency noted a violation of the provisions of Article 32 of the GDPR, considering that the unauthorized access to the client’s personal data by a third party indicates that the data controller did not implement appropriate or effective organizational and technical measures to prevent such an incident.
In conclusion, the Agency determined that the data controller also violated Article 5(1)(f) of the GDPR, which sets out the principle of integrity and confidentiality. In other words, disclosing the client’s address to a third party without a legal basis constitutes a breach of the due care and confidentiality obligations, despite the bank’s claim that the incident was a one-time lapse.
This article is to be considered as exclusively informative, with no intention to provide legal advice. If you should need additional information, please contact us directly.