Treliant Takeaway…Europe to Banks – Delete Old Data
Enforcement Action: (Spanish-Only)
- Source: aepd.es/es
Treliant helps firms develop and mature archival procedures and data retention protocols in order to maintain compliance with GDPR, GLBA, CCPA, and other regulatory privacy guidance and expectations. In addition to our corporate governance and regulatory compliance expertise, our professionals can also perform enterprise-wide data mapping and data inventory exercises. Treliant’s combined capability to mature internal compliance regimes and complete robust data inventories helps the institutions we support stay consistent with ever-shifting regulatory expectations.
- On August 28, 2020, Spain’s Data Protection Authority (Agencia Española de Protección de Datos, AEPD) announced it was fining Bankia S.A. for failing to delete a former customer’s personal data.
- The customer at issue had closed his account some 16 years earlier, yet throughout the intervening years his client data remained accessible to bank employees.
- The customer only discovered that the bank still held his personal data when he returned to a Madrid-based branch to resolve an unrelated inheritance matter.
- Article 5(1)(b) of the GDPR requires that organizations collect and process personal data only for specified, explicit, and legitimate purposes, and not further process it in a manner incompatible with those purposes (the ‘purpose limitation’ principle).
- The AEPD concluded that Bankia S.A. had violated Article 5 of the GDPR because the bank could not explain why it still held the former customer’s personal data when it had no product under contract with him, whether a debit or credit card or a checking, savings, or securities account.
- The AEPD fined Bankia S.A. €50,000 for this violation; the amount was subsequently reduced to €40,000 because Bankia S.A. paid voluntarily.