The Spanish Data Protection Authority (AEPD) imposed a total fine of 6.000.000 EUR on CAIXABANK for unlawfully processing clients’ personal data (4.000.000 EUR) and not providing sufficient information regarding the processing of personal data (2.000.000 EUR). The AEPD considered that the document designed to comply with the information did not include enough information regarding the categories of personal data concerned, nor information about the purposes of the processing for which the personal data are intended as well as the legal basis for the processing, especially regarding those processing activities based on the company’s legitimate interest. Consequently, the AEPD concluded that CAIXABANK had violated Articles 13 and 14 of the GDPR. Following Article 83 (5) b of the GDPR, a fine of 2.000.000 EUR was imposed. They did not provide with any mechanism to collect the data subject’s consent; that the data subject’s consent did not meet with all the elements of valid consent, and that the processing activities based on the company’s legitimate interest were not sufficiently justified.