News
📌 Data Deletion Not Effectively Implemented
📜 Data Blocking and Deletion: Breach of Article 32 of the LOPDGDD
Source: PS-00176-2024
The AEPD imposed a €20,000 fine (reduced to €16,000 for early payment) on a bank for violating Article 6(1) of the GDPR – processing without a legal basis.
🔍 Key Facts
• A customer requested deletion and blocking of their data after cancelling their credit card in 2022, in line with Article 32 of the LOPDGDD.
• In 2023, the same customer applied for a new card.
• The bank refused the customer a "new customer" offer, relying on the previously blocked data.
❌ The Violation
➡️ The data should have been permanently blocked, with no further processing, except in very specific cases (e.g., legal or judicial obligations).
➡️ Using blocked data to determine ineligibility for a promotion is not a valid legal basis.
🔒 Violation of Article 6(1) GDPR: no valid legal basis for processing.
📜 Qualification: very serious infringement under Article 72.1(b) of the LOPDGDD.
⚖️ Sanction
• 💶 Initial fine: €20,000
• 💰 Reduced to €16,000 for early payment
• ✅ No appeal filed by the Bank
📣 Key Takeaways for DPOs
• Blocking ≠ archiving without reuse
• Any data reactivation requires a clear legal basis
• Post-deletion commercial use = non-compliant
• ⚠️ Higher GDPR risks for companies processing large volumes of customer data