AEPD (Spain) - EXP202317282: Difference between revisions
From GDPRhub
m (→Facts) |
(→English Machine Translation of the Decision: reformatting machine translation. minor edits in the text.) |
||
| Line 68: | Line 68: | ||
=== Facts === | === Facts === | ||
On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). It claimed that the controller, which was a lender, made numerous unsolicited charges on his bank between July and September 2022. | On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). It claimed that the controller, which was a lender, made numerous unsolicited charges on his bank account between July and September 2022. | ||
The data subject filed numerous complaints against the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party. | The data subject filed numerous complaints against the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party. | ||
| Line 74: | Line 74: | ||
One year later, in September 2023, the controller again charged the data subject with a new bill from the same unknown third party lender. The data subject complained about the charge, and the controller once again did the same thing in October 2023. | One year later, in September 2023, the controller again charged the data subject with a new bill from the same unknown third party lender. The data subject complained about the charge, and the controller once again did the same thing in October 2023. | ||
The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and subsequently in the controller’s database. It stated | The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and subsequently in the controller’s database. It stated that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number. | ||
=== Holding === | === Holding === | ||
The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request. | The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request. | ||
Since 2022, the controller | Since 2022, the controller has been erroneously processing the data subject’s bank account information in its debt contract with the third party debtor, in its databases, and in its transmission to a future debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. The AEPD considered the processing in 2022 and 2023 (between which the data subject had made a deletion request) separately – thus, it found that two [[Article 6 GDPR#1|Article 6(1) GDPR]] violations occurred on the separate processing occasions. | ||
The AEPD also found that the controller violated [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023. | The AEPD also found that the controller violated [[Article 17 GDPR#1d|Article 17(1)(d) GDPR]] when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023. | ||
| Line 95: | Line 95: | ||
<pre> | <pre> | ||
RESOLUTION OF TERMINATION OF PROCEDURE BY VOLUNTARY PAYMENT | |||
From the procedure instructed by the Spanish Data Protection Agency and based on the following | |||
BACKGROUND | |||
FIRST: On May 21, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANCO CETELEM, S.A. (hereinafter, the claimed party) through the Agreement transcribed below: | |||
FIRST: On May 21, 2024, the Director of the Spanish | |||
Data Protection agreed to initiate sanctioning proceedings against BANCO CETELEM, | |||
S.A. (hereinafter, the claimed party) | |||
<< | << | ||
File No.: EXP202317282 | File No.: EXP202317282 | ||
AGREEMENT TO INITIATE SANCTIONING PROCEDURE | |||
From the actions carried out by the Spanish Data Protection Agency and based on the following | |||
FACTS | |||
FIRST: A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency on October 20, 2023. The complaint was directed against BANCO CETELEM, S.A. with NIF A78650348 (hereinafter, CETELEM). The reasons for the complaint are as follows: | |||
The claimant states that CETELEM charges his bank account for loan receipts of an unknown third party. He provides several extracts of these receipts, as well as several claims to CETELEM along with their responses, including a police report. There is an initial series of 8 receipts incorrectly charged to the claimant’s account no. ***ACCOUNT.1, between July and September 2022, at a rate of two receipts per month. | |||
On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data; he also demanded an explanation about how his data was obtained without a prior contractual relationship. He also criticized CETELEM for attributing his bank account to a third party without first requesting the pertinent bank ownership certificate. Additionally, the claimant requested and achieved the return of the amounts of the improperly charged receipts. | |||
Again, a year later, in September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23. | |||
CETELEM responded on 10/20/23, acknowledging receipt of the claim, and in its response on 10/23/23, justified its actions by stating that the claimant’s account number appeared in the contract. | |||
Simultaneously, the claimant also filed a report at the ***LOCALITY.1 police station on September 18, 2023. | |||
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the claim was forwarded to the claimed party/ALIAS for analysis and to inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations. | |||
The forwarding, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on December 4, 2023, as evidenced by the acknowledgment of receipt on file. | |||
SECOND: In accordance with | |||
hereinafter LOPDGDD), | |||
within one month | |||
The | |||
October 1, | |||
as | |||
THIRD: On December 22, 2023, CETELEM responded to the AEPD's request for information. | |||
CETELEM reported that it deleted the claimant’s account data from its database following the first claim but sold the debt to a third company in June 2023, and the claimant’s bank account number continued to erroneously appear in the contract. | |||
According to CETELEM, the responsibility for this new incident would lie with the new company; however, it assumed the efforts to resolve the new series of improper charges on the claimant’s account. Finally, it concluded that the improper charges in 2022 and 2023 on the claimant’s account were due to human errors. | |||
FOURTH: On December 29, 2023, in accordance with Article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. | |||
FIFTH: According to the report from the AXESOR tool, the entity BANCO CETELEM, S.A. is a company established in 1988 with a business volume of 64,855,216 euros in 2022. | |||
LEGAL GROUNDS | |||
I. Jurisdiction | |||
According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. | |||
Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures." | |||
II. Obligation Breached | |||
Initial Processing without Lawfulness - Article 6 | |||
Article 4.1 of the GDPR “Definitions” states: | |||
“For the purposes of this Regulation: | |||
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.” | |||
Article 6 Lawfulness of Processing | |||
Processing shall be lawful only if and to the extent that at least one of the following applies: | |||
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | |||
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; | |||
c) processing is necessary for compliance with a legal obligation to which the controller is subject; | |||
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person; | |||
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller; | |||
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child. | |||
The first subparagraph of point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.” | |||
CETELEM has the bank account number of the claimant. Through this identification number, the account holder is an identifiable natural person, making this data personal data according to Article 4 of the GDPR. CETELEM acknowledges in several of its writings that the claimant's bank account number appears in a debtor's contract and, therefore, also in CETELEM's database. For this reason, the debtor’s receipts are charged to the claimant's bank account. | |||
Although CETELEM seems to attribute the issue to initial transcription errors of the account number, the control digits of bank accounts almost eliminate the possibility of an "accidental" creation of a genuine account number. | |||
a | |||
This suggests, as the claimant indicates, that the error is due to CETELEM incorporating the claimant's bank account into the debtor’s contract without verifying the account’s ownership. | |||
CETELEM had the claimant's account number | Given the above, it appears clear that CETELEM initially had the claimant's full bank account number, but it does not satisfactorily explain how this information appeared in a CETELEM client’s contract, given that the claimant has no prior contractual relationship with this entity. | ||
Between July and September 2022, CETELEM improperly charged a series of 8 receipts to the claimant’s account no. ***ACCOUNT.1, at a rate of two receipts per month. On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data. | |||
In | In September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23. | ||
CETELEM had the claimant’s account number in its database and in the debt contract since 2022, and in 2023, the account number remained in the debtor’s contract without being corrected or deleted. CETELEM also transferred the claimant's account data to a third company in June 2023 with the sale of the debt. | |||
Thus, CETELEM processed the claimant's personal information without lawful basis, given that there was no consent, legal, or contractual obligation to justify its processing. As a result of this processing, the claimant endured various charges for a debt in his account over several months in 2022 and 2023, for a debt held by another person. | |||
III. Classification and Assessment of the Infraction | |||
Based on the evidence currently available, and without prejudice to what may result from the instruction and according to the known facts, the claimant is identifiable through his bank account number, in which CETELEM charges a series of receipts. | |||
The claimant is not the owner of the debts charged and has no prior contractual relationship with CETELEM. This means that CETELEM performs this processing without lawfulness, as it does not have the consent of the data subject. | |||
The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (Lawfulness of Processing), due to processing without a legitimate basis. | |||
This infraction of the GDPR article is classified in Article 83.5.a) as follows: | |||
“5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: | |||
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;” | |||
For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious: | |||
“b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679.” | |||
IV. Proposed Sanction | |||
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. | |||
Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j). | |||
In | In the present case, it would be appropriate to apply section a) which states: | ||
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;” | |||
claimant | The nature and scope of the processing affect the claimant's property rights as CETELEM charges his bank account. | ||
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b): | |||
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered: | |||
b) The link between the infringer's activity and the processing of personal data.” | |||
CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing. | |||
In view of the foregoing, a fine of 100,000 EUR is proposed. | |||
V. Breach of Right to Erasure - Article 17(1)(d) of the GDPR | |||
Article 17 of the GDPR, relating to the right to erasure, states the following in section 1(d): | |||
" | "The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: | ||
have | |||
the | |||
of the following | |||
(…) | (…) | ||
d) the personal data have been processed | d) the personal data have been unlawfully processed; | ||
(…)” | (…)” | ||
In September and October 2023, according to the bank receipts provided by the claimant, CETELEM made new charges to his account. CETELEM acknowledges its breach of the right to erasure requested by stating that the rectification and erasure of the claimant’s account took place only in the database, but not in the contract, which was the legal basis of the debt. | |||
The obligation of the controller to proceed with the erasure of unlawfully processed data without undue delay is also reflected in Article 5.1(d) of the GDPR: | |||
The obligation | |||
GDPR: | |||
1. Personal data | "1. Personal data shall be: | ||
(…) | (…) | ||
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’); | |||
(…)” | |||
"2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).” | |||
In light of the described facts, it seems clear that CETELEM limited itself to erasing the claimant’s data only from the database, but not from the contract. More than a year after the claim, CETELEM has not taken all reasonable steps for the erasure and rectification without delay of the claimant’s data. | |||
VI. Classification and Assessment of the Infraction | |||
Based on the available evidence at present and without prejudice to the outcome of the proceedings, it is considered that CETELEM did not effectively erase the claimant's account number in September and October 2023. According to CETELEM's own statement, it only erased the data in the database, but not in the contract underlying the improper charges, despite the exercise of the right to erasure without the data subject’s consent on August 8, 2022. | |||
As a result of the improper processing, CETELEM again made unjustified charges to the claimant's account from another person. | |||
The known facts could constitute an infraction, attributable to CETELEM, of Article 17.1(d) of the GDPR, relating to the right to erasure, which states: | |||
"1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies: | |||
of the following | |||
(…) | (…) | ||
d) the personal data have been processed | d) the personal data have been unlawfully processed; | ||
(...)" | |||
This infraction of the GDPR article is classified in Article 83.5(b) as follows: | |||
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: | |||
b) the rights of the data subjects pursuant to Articles 12 to 22;" | |||
For the purposes of the statute of limitations for infractions, since this is a specific failure to comply with the right to erasure, the imputed infraction prescribes in one year, in accordance with Article 74.1(c) of the LOPDGDD, which qualifies the following conduct as minor: | |||
"c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of Article 72.1.k) of this organic law apply." | |||
VII. Proposed Sanction | |||
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. | |||
Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j). | |||
In the present case, it would be appropriate to apply sections a) and b) which state: | |||
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;” | |||
The effective erasure of the requested processing has exceeded the period of 1 year, which is considered an aggravating factor of responsibility. The failure to maintain data accuracy has forced the claimant to repeatedly request the erasure of his data, even leading him to file a police report for fraud. | |||
“b) | “b) the intentionality or negligence of the infringement.” | ||
The erasure of the claimant’s account number only in the database, but not in the contract, indicates negligent behavior by CETELEM. | |||
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b): | |||
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered: | |||
b) The link between the infringer's activity and the processing of personal data.” | |||
CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing. | |||
accuracy of | |||
In view of the | In view of the foregoing, a fine of 50,000 EUR is proposed. | ||
VIII. Obligation Breached | |||
Second Unlawful Processing - Article 6 | |||
Article 4.2 of the GDPR "Definitions" states: | |||
"For the purposes of this Regulation: | |||
2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;" | |||
In September and October 2023, two new charges were made to the claimant's account for the same debtor, indicating that CETELEM had not erased the claimant's data. CETELEM informed the AEAT in previous actions that it sold the debt to a third company along with the contract containing the erroneous claimant's data. CETELEM claims that as a result of the debt sale, the responsibility for data accuracy now lies with the new company and that it nonetheless has taken steps to resolve the new incident of improper charges to the claimant's account. | |||
By transferring the claimant's account number to a third party, CETELEM engaged in a new data processing operation ("disclosure by transmission," Article 4.2 of the GDPR), for which it is necessary to comply again with the lawfulness conditions set out in Article 6 of the GDPR: | |||
Processing shall be lawful only if at least one of the following applies: | |||
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes; | |||
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract; | |||
c) processing is necessary for compliance with a legal obligation to which the controller is subject; | |||
As of August 2022, CETELEM lacked the legal basis to process the claimant's account data; it did not have the data subject's consent, and the processing was not necessary for compliance with a legal or contractual obligation. | |||
This information should never have been in CETELEM's possession, and its erasure was requested by the data subject. Since the previous year, CETELEM has been aware of the unlawfulness of this processing because the claimant had already exercised his right to erasure due to the unlawful processing of his bank account number. | |||
CETELEM improperly retained the claimed information and, by selling the debt, engaged in a new processing activity by disclosing the claimant's account data to a third company without meeting the lawfulness conditions set out in Article 6.1(a) of the GDPR. | |||
IX. Classification and Assessment of the Infraction | |||
Based on the available evidence at present and without prejudice to the outcome of the proceedings, CETELEM acknowledges before the AEPD the transfer of the claimant's account number to a third company, which constitutes a new processing carried out with the express opposition of the data subject. | |||
The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (lawfulness of processing), for processing that involves the transfer of the data subject's information to third parties without the data subject's consent: | |||
This infraction of the GDPR article is classified in Article 83.5.a) as follows: | |||
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: | |||
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;" | |||
For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious: | |||
"b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679." | |||
X. Proposed Sanction | |||
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher. | |||
Article 83.2 of the GDPR states that administrative fines will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j). Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes that: | |||
"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of the cited article. | |||
2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered: | |||
b) The link between the infringer's activity and the processing of personal data." | |||
CETELEM is a banking entity, which means it has a qualified link in the processing of personal data, especially regarding the accuracy of its processing. This makes the acquisition of the claimant's bank account number, its retention despite the data subject's right to erasure, and finally its transfer to a third party without effective verification of the data's accuracy particularly serious. | |||
In view of the foregoing, a fine of 100,000 EUR is proposed. | |||
XI. Adoption of Measures | |||
If the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”. The imposition of this measure is compatible with the administrative fine sanction, as provided in Article 83.2 of the GDPR. | |||
Therefore, it could be decided to adopt appropriate organizational measures to avoid future errors like the one in this case within 3 months, as well as to communicate the erasure of the data processing to the company to which CETELEM transferred the claimant's data, due to the sale of the debt. | |||
with | It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution could be considered an administrative infraction under the GDPR, classified as an infraction in Articles 83.5 and 83.6, and such conduct could motivate the initiation of a subsequent administrative sanctioning procedure. | ||
Therefore, in view of the foregoing, the Director of the Spanish Data Protection Agency agrees: | |||
FIRST: TO INITIATE SANCTIONING PROCEDURE against BANCO CETELEM, S.A., with NIF A78650348, for two alleged infractions of Article 6 and one infraction of Article 17.1(d) of the GDPR, all of them classified in Article 83.5 of the GDPR. | |||
SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). | |||
documents obtained and generated by the General | THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint filed by the claimant and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure. | ||
FOURTH: | FOURTH: FOR the purposes provided in Article 64.2(b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be two hundred and fifty thousand euros (€250,000), one hundred thousand euros (€100,000) for the initial infraction of Article 6, fifty thousand (€50,000) for the infraction of Article 17.1(d), and one hundred thousand euros (€100,000) for the second infraction of Article 6, without prejudice to the result of the instruction. | ||
sanction that could correspond would be two hundred and fifty thousand euros | |||
FIFTH: TO NOTIFY this agreement to BANCO CETELEM, S.A., with NIF A78650348, granting a hearing period of ten business days to make allegations and present evidence deemed appropriate. In the statement of allegations, the NIF and the file number in the heading of this document must be provided. | |||
If within the stipulated period no allegations are made to this initiation agreement, it may be considered a proposed resolution, as provided in Article 64.2(f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP). | |||
In accordance with Article 85 of the LPACAP, responsibility may be acknowledged within the period granted for making allegations to this initiation agreement; this will entail a 20% reduction in the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000), resolving the procedure with the imposition of this sanction. | |||
the | |||
Similarly, at any time before the resolution of this procedure, voluntary payment of the proposed sanction may be made, which will entail a 20% reduction of its amount. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. | |||
The reduction for voluntary payment of the sanction is cumulative to that applicable for acknowledgment of responsibility, provided that this acknowledgment of responsibility is expressed within the period granted for making allegations to the initiation of the procedure. Voluntary payment of the referred amount of two hundred thousand euros (€200,000), or one hundred and fifty thousand euros (€150,000) if both reductions are applied, must be made into the account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure listed in the heading of this document and the reason for the reduction being applied. | |||
Additionally, proof of payment must be sent to the Subdirectorate General of Inspection to continue the procedure in accordance with the amount paid. | |||
The procedure will have a maximum duration of twelve months from the date of the initiation agreement. If this period elapses without a resolution being issued and notified, the procedure will expire, resulting in the archiving of actions; in accordance with Article 64 of the LOPDGDD. | |||
Finally, it is noted that in accordance with Article 112.1 of the LPACAP, no administrative appeal is possible against this act. | |||
Mar España Martí | |||
Director of the Spanish Data Protection Agency | Director of the Spanish Data Protection Agency | ||
>> | >> | ||
SECOND: On May 31, 2024, the claimed party | SECOND: On May 31, 2024, the claimed party proceeded to pay the sanction in the amount of 150,000 euros using the two reductions provided in the previously transcribed initiation agreement, which implies the acknowledgment of responsibility. | ||
THIRD: The payment made, within the period granted to submit allegations to the initiation of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. | |||
FOURTH: In the previously transcribed Initiation Agreement, it was stated that, if the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”. | |||
Having acknowledged responsibility for the infraction, it is appropriate to impose the measures included in the Initiation Agreement. | |||
LEGAL GROUNDS | |||
I. Jurisdiction | |||
According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure. | |||
Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures." | |||
II. Termination of the Procedure | |||
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures," provides the following: | |||
“1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction. | |||
2. When the sanction is solely pecuniary or when both a pecuniary and a non-pecuniary sanction can be imposed but the latter is deemed inappropriate, voluntary payment by the alleged offender at any time prior to the resolution will result in the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infraction. | |||
3. In both cases, when the sanction is solely pecuniary, the competent body to resolve the procedure will apply reductions of at least 20% on the proposed sanction amount, which can be cumulative. These reductions must be determined in the initiation notification of the procedure, and their effectiveness will be conditional on the waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.” | |||
In accordance with the aforementioned, | |||
the Director of the Spanish Data Protection Agency RESOLVES: | the Director of the Spanish Data Protection Agency RESOLVES: | ||
FIRST: DECLARE the termination of procedure EXP202317282, | FIRST: TO DECLARE the termination of procedure EXP202317282, in accordance with Article 85 of the LPACAP. | ||
in accordance with | |||
SECOND: TO ORDER BANCO CETELEM, S.A. to, within 3 months from the date this resolution becomes final and enforceable, notify the Agency of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution. | |||
THIRD: TO NOTIFY this resolution to BANCO CETELEM, S.A. | |||
In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. | |||
Against this resolution, which puts an end to the administrative process as stipulated in Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in Article 46.1 of the aforementioned Law. | |||
Mar España Martí | |||
Director of the Spanish Data Protection Agency | Director of the Spanish Data Protection Agency | ||
</pre> | </pre> | ||
Revision as of 06:11, 10 July 2024
| AEPD - EXP202317282 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR Article 17(1)(d) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | 10.10.2023 |
| Decided: | |
| Published: | 25.06.2024 |
| Fine: | 150,000 EUR |
| Parties: | Banco Cetelem, S.A. |
| National Case Number/Name: | EXP202317282 |
| European Case Law Identifier: | n/a |
| Appeal: | Not appealed |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | lm |
The DPA found that a lender lacked a legal basis when it erroneously charged debts on a bank account after it failed to verify that the account belonged to the debtor. It also did not comply with the data subject’s deletion request. The controller paid a reduced fine of €150,000 pursuant to national law.
English Summary
Facts
On 20 October 2023, a data subject filed a complaint with the Spanish DPA (AEPD) against Banco Cetelem, S.A. (the controller). It claimed that the controller, which was a lender, made numerous unsolicited charges on his bank account between July and September 2022.
The data subject filed numerous complaints against the controller as well as a police report concerning the charges. On 8 August 2022, the data subject requested the deletion of his account data from the controller’s systems, as well as the reimbursement of the amount expended due to the unduly charged bills. The data subject also reproached the controller for attributing his bank account to a third party without previously requesting the relevant certificate of bank ownership from the third party.
One year later, in September 2023, the controller again charged the data subject with a new bill from the same unknown third party lender. The data subject complained about the charge, and the controller once again did the same thing in October 2023.
The controller claimed that the charges occurred as a result of human error during the initial transcription of the bank account. It informed the AEPD that the data subject’s bank account number had been erroneously attributed to a debtor’s contract and subsequently in the controller’s database. It stated that it deleted the data subject’s account information from its database after the first claim the data subject filed, but that it then sold the debt to a third party company in June 2023 and that the contract still contained the incorrect account number.
Holding
The AEPD found that the controller infringed Articles 6(1) and 17 GDPR because it processed the data subject’s account number without a legal basis and failed to comply with the data subject’s deletion request.
Since 2022, the controller has been erroneously processing the data subject’s bank account information in its debt contract with the third party debtor, in its databases, and in its transmission to a future debt buyer in June 2023. At no point during this period did the controller correct the issue. As a result, the controller was processing the data subject’s data without a legal basis in violation of Article 6(1) GDPR. The AEPD considered the processing in 2022 and 2023 (between which the data subject had made a deletion request) separately – thus, it found that two Article 6(1) GDPR violations occurred on the separate processing occasions.
The AEPD also found that the controller violated Article 17(1)(d) GDPR when it failed to delete the data subject’s data pursuant to an erasure request. After it received the data subject’s deletion request and even though it alleged to have erased the data in 2022, the controller continued making charges on the data subject’s account in 2023.
The AEPD recommended a sanction of €250,000. Pursuant to Law 39/2015, a Spanish law concerning administrative proceedings, the AEPD informed the controller that it may acknowledge its responsibility for the alleged violations and/or pay the proposed fine. Each of these actions reduces the imposed fine by 20%. The controller opted to reduce the fine by 40%, both acknowledging its responsibility for the violations and paying the reduced sanction amount of €150,000.
Comment
The AEPD rejected the controller’s defense that human error resulted in an erroneous transcription of the bank account number, noting that it is extremely difficult to ‘accidentally’ create an authentic account number in error. Instead, the AEPD considered that the controller incorporated the data subject’s bank account information into the debtor’s contract without verifying that the debtor owned the account in question. Interestingly, though, security measures were not a substantive part of the AEPD's analysis or infringement findings.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
RESOLUTION OF TERMINATION OF PROCEDURE BY VOLUNTARY PAYMENT
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: On May 21, 2024, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against BANCO CETELEM, S.A. (hereinafter, the claimed party) through the Agreement transcribed below:
<<
File No.: EXP202317282
AGREEMENT TO INITIATE SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and based on the following
FACTS
FIRST: A.A.A. (hereinafter, the claimant) filed a complaint with the Spanish Data Protection Agency on October 20, 2023. The complaint was directed against BANCO CETELEM, S.A. with NIF A78650348 (hereinafter, CETELEM). The reasons for the complaint are as follows:
The claimant states that CETELEM charges his bank account for loan receipts of an unknown third party. He provides several extracts of these receipts, as well as several claims to CETELEM along with their responses, including a police report. There is an initial series of 8 receipts incorrectly charged to the claimant’s account no. ***ACCOUNT.1, between July and September 2022, at a rate of two receipts per month.
On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data; he also demanded an explanation about how his data was obtained without a prior contractual relationship. He also criticized CETELEM for attributing his bank account to a third party without first requesting the pertinent bank ownership certificate. Additionally, the claimant requested and achieved the return of the amounts of the improperly charged receipts.
Again, a year later, in September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23.
CETELEM responded on 10/20/23, acknowledging receipt of the claim, and in its response on 10/23/23, justified its actions by stating that the claimant’s account number appeared in the contract.
Simultaneously, the claimant also filed a report at the ***LOCALITY.1 police station on September 18, 2023.
SECOND: In accordance with Article 65.4 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter LOPDGDD), the claim was forwarded to the claimed party/ALIAS for analysis and to inform this Agency within one month of the actions taken to comply with the requirements set forth in the data protection regulations.
The forwarding, carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), was received on December 4, 2023, as evidenced by the acknowledgment of receipt on file.
THIRD: On December 22, 2023, CETELEM responded to the AEPD's request for information.
CETELEM reported that it deleted the claimant’s account data from its database following the first claim but sold the debt to a third company in June 2023, and the claimant’s bank account number continued to erroneously appear in the contract.
According to CETELEM, the responsibility for this new incident would lie with the new company; however, it assumed the efforts to resolve the new series of improper charges on the claimant’s account. Finally, it concluded that the improper charges in 2022 and 2023 on the claimant’s account were due to human errors.
FOURTH: On December 29, 2023, in accordance with Article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.
FIFTH: According to the report from the AXESOR tool, the entity BANCO CETELEM, S.A. is a company established in 1988 with a business volume of 64,855,216 euros in 2022.
LEGAL GROUNDS
I. Jurisdiction
According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures."
II. Obligation Breached
Initial Processing without Lawfulness - Article 6
Article 4.1 of the GDPR “Definitions” states:
“For the purposes of this Regulation:
‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier, or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”
Article 6 Lawfulness of Processing
Processing shall be lawful only if and to the extent that at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
d) processing is necessary in order to protect the vital interests of the data subject or of another natural person;
e) processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller;
f) processing is necessary for the purposes of the legitimate interests pursued by the controller or by a third party, except where such interests are overridden by the interests or fundamental rights and freedoms of the data subject which require protection of personal data, in particular where the data subject is a child.
The first subparagraph of point (f) shall not apply to processing carried out by public authorities in the performance of their tasks.”
CETELEM has the bank account number of the claimant. Through this identification number, the account holder is an identifiable natural person, making this data personal data according to Article 4 of the GDPR. CETELEM acknowledges in several of its writings that the claimant's bank account number appears in a debtor's contract and, therefore, also in CETELEM's database. For this reason, the debtor’s receipts are charged to the claimant's bank account.
Although CETELEM seems to attribute the issue to initial transcription errors of the account number, the control digits of bank accounts almost eliminate the possibility of an "accidental" creation of a genuine account number.
This suggests, as the claimant indicates, that the error is due to CETELEM incorporating the claimant's bank account into the debtor’s contract without verifying the account’s ownership.
Given the above, it appears clear that CETELEM initially had the claimant's full bank account number, but it does not satisfactorily explain how this information appeared in a CETELEM client’s contract, given that the claimant has no prior contractual relationship with this entity.
Between July and September 2022, CETELEM improperly charged a series of 8 receipts to the claimant’s account no. ***ACCOUNT.1, at a rate of two receipts per month. On August 8, 2022, the claimant protested to CETELEM about the misuse of his bank account, requesting the deletion of his bank account data.
In September 2023, CETELEM charged a new receipt from the same debtor to the claimant’s account. The claimant filed a new claim with CETELEM on 09/21/23; however, CETELEM charged another new receipt on 10/02/23.
CETELEM had the claimant’s account number in its database and in the debt contract since 2022, and in 2023, the account number remained in the debtor’s contract without being corrected or deleted. CETELEM also transferred the claimant's account data to a third company in June 2023 with the sale of the debt.
Thus, CETELEM processed the claimant's personal information without lawful basis, given that there was no consent, legal, or contractual obligation to justify its processing. As a result of this processing, the claimant endured various charges for a debt in his account over several months in 2022 and 2023, for a debt held by another person.
III. Classification and Assessment of the Infraction
Based on the evidence currently available, and without prejudice to what may result from the instruction and according to the known facts, the claimant is identifiable through his bank account number, in which CETELEM charges a series of receipts.
The claimant is not the owner of the debts charged and has no prior contractual relationship with CETELEM. This means that CETELEM performs this processing without lawfulness, as it does not have the consent of the data subject.
The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (Lawfulness of Processing), due to processing without a legitimate basis.
This infraction of the GDPR article is classified in Article 83.5.a) as follows:
“5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;”
For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious:
“b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679.”
IV. Proposed Sanction
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j).
In the present case, it would be appropriate to apply section a) which states:
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;”
The nature and scope of the processing affect the claimant's property rights as CETELEM charges his bank account.
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b):
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data.”
CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing.
In view of the foregoing, a fine of 100,000 EUR is proposed.
V. Breach of Right to Erasure - Article 17(1)(d) of the GDPR
Article 17 of the GDPR, relating to the right to erasure, states the following in section 1(d):
"The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(…)
d) the personal data have been unlawfully processed;
(…)”
In September and October 2023, according to the bank receipts provided by the claimant, CETELEM made new charges to his account. CETELEM acknowledges its breach of the right to erasure requested by stating that the rectification and erasure of the claimant’s account took place only in the database, but not in the contract, which was the legal basis of the debt.
The obligation of the controller to proceed with the erasure of unlawfully processed data without undue delay is also reflected in Article 5.1(d) of the GDPR:
"1. Personal data shall be:
(…)
d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(…)”
"2. The controller shall be responsible for, and be able to demonstrate compliance with, paragraph 1 (‘accountability’).”
In light of the described facts, it seems clear that CETELEM limited itself to erasing the claimant’s data only from the database, but not from the contract. More than a year after the claim, CETELEM has not taken all reasonable steps for the erasure and rectification without delay of the claimant’s data.
VI. Classification and Assessment of the Infraction
Based on the available evidence at present and without prejudice to the outcome of the proceedings, it is considered that CETELEM did not effectively erase the claimant's account number in September and October 2023. According to CETELEM's own statement, it only erased the data in the database, but not in the contract underlying the improper charges, despite the exercise of the right to erasure without the data subject’s consent on August 8, 2022.
As a result of the improper processing, CETELEM again made unjustified charges to the claimant's account from another person.
The known facts could constitute an infraction, attributable to CETELEM, of Article 17.1(d) of the GDPR, relating to the right to erasure, which states:
"1) The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay where one of the following grounds applies:
(…)
d) the personal data have been unlawfully processed;
(...)"
This infraction of the GDPR article is classified in Article 83.5(b) as follows:
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
b) the rights of the data subjects pursuant to Articles 12 to 22;"
For the purposes of the statute of limitations for infractions, since this is a specific failure to comply with the right to erasure, the imputed infraction prescribes in one year, in accordance with Article 74.1(c) of the LOPDGDD, which qualifies the following conduct as minor:
"c) Failure to respond to requests to exercise the rights established in Articles 15 to 22 of Regulation (EU) 2016/679, unless the provisions of Article 72.1.k) of this organic law apply."
VII. Proposed Sanction
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Article 83.2 of the GDPR on general conditions for imposing administrative fines states that they will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j).
In the present case, it would be appropriate to apply sections a) and b) which state:
“a) the nature, gravity, and duration of the infringement, taking into account the nature, scope or purpose of the processing operation concerned as well as the number of data subjects affected and the level of damage and harm they have suffered;”
The effective erasure of the requested processing has exceeded the period of 1 year, which is considered an aggravating factor of responsibility. The failure to maintain data accuracy has forced the claimant to repeatedly request the erasure of his data, even leading him to file a police report for fraud.
“b) the intentionality or negligence of the infringement.”
The erasure of the claimant’s account number only in the database, but not in the contract, indicates negligent behavior by CETELEM.
Article 76.2 of the LOPDGDD, relating to sanctions and corrective measures, states the following in letter b):
“2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data.”
CETELEM is a banking entity, so it has a qualified link in the processing of personal data, especially concerning the accuracy of its processing.
In view of the foregoing, a fine of 50,000 EUR is proposed.
VIII. Obligation Breached
Second Unlawful Processing - Article 6
Article 4.2 of the GDPR "Definitions" states:
"For the purposes of this Regulation:
2) ‘processing’ means any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction;"
In September and October 2023, two new charges were made to the claimant's account for the same debtor, indicating that CETELEM had not erased the claimant's data. CETELEM informed the AEAT in previous actions that it sold the debt to a third company along with the contract containing the erroneous claimant's data. CETELEM claims that as a result of the debt sale, the responsibility for data accuracy now lies with the new company and that it nonetheless has taken steps to resolve the new incident of improper charges to the claimant's account.
By transferring the claimant's account number to a third party, CETELEM engaged in a new data processing operation ("disclosure by transmission," Article 4.2 of the GDPR), for which it is necessary to comply again with the lawfulness conditions set out in Article 6 of the GDPR:
Processing shall be lawful only if at least one of the following applies:
a) the data subject has given consent to the processing of his or her personal data for one or more specific purposes;
b) processing is necessary for the performance of a contract to which the data subject is party or in order to take steps at the request of the data subject prior to entering into a contract;
c) processing is necessary for compliance with a legal obligation to which the controller is subject;
As of August 2022, CETELEM lacked the legal basis to process the claimant's account data; it did not have the data subject's consent, and the processing was not necessary for compliance with a legal or contractual obligation.
This information should never have been in CETELEM's possession, and its erasure was requested by the data subject. Since the previous year, CETELEM has been aware of the unlawfulness of this processing because the claimant had already exercised his right to erasure due to the unlawful processing of his bank account number.
CETELEM improperly retained the claimed information and, by selling the debt, engaged in a new processing activity by disclosing the claimant's account data to a third company without meeting the lawfulness conditions set out in Article 6.1(a) of the GDPR.
IX. Classification and Assessment of the Infraction
Based on the available evidence at present and without prejudice to the outcome of the proceedings, CETELEM acknowledges before the AEPD the transfer of the claimant's account number to a third company, which constitutes a new processing carried out with the express opposition of the data subject.
The known facts could constitute an infraction, attributable to CETELEM, of Article 6 of the GDPR (lawfulness of processing), for processing that involves the transfer of the data subject's information to third parties without the data subject's consent:
This infraction of the GDPR article is classified in Article 83.5.a) as follows:
"5. Infringements of the following provisions shall be subject to administrative fines up to 20,000,000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the basic principles for processing, including conditions for consent pursuant to Articles 5, 6, 7, and 9;"
For the purposes of the statute of limitations for infractions, the imputed infraction prescribes in three years, in accordance with Article 72.1.b of the LOPDGDD, which qualifies the following conduct as very serious:
"b) The processing of personal data without any of the conditions of lawfulness of processing established in Article 6 of Regulation (EU) 2016/679."
X. Proposed Sanction
This infraction can be sanctioned with an administrative fine of up to 20,000,000 EUR or, in the case of a company, an amount equivalent to a maximum of 4% of the total worldwide annual turnover of the preceding financial year, whichever is higher.
Article 83.2 of the GDPR states that administrative fines will be imposed, depending on the circumstances of each individual case, additionally or alternatively to the measures contemplated in Article 58, section 2, letters a) to h) and j). Article 76 of the LOPDGDD, relating to sanctions and corrective measures, establishes that:
"1. The sanctions provided for in sections 4, 5, and 6 of Article 83 of Regulation (EU) 2016/679 shall be applied taking into account the graduation criteria established in section 2 of the cited article.
2. According to the provisions of Article 83.2.k) of Regulation (EU) 2016/679, the following may also be considered:
b) The link between the infringer's activity and the processing of personal data."
CETELEM is a banking entity, which means it has a qualified link in the processing of personal data, especially regarding the accuracy of its processing. This makes the acquisition of the claimant's bank account number, its retention despite the data subject's right to erasure, and finally its transfer to a third party without effective verification of the data's accuracy particularly serious.
In view of the foregoing, a fine of 100,000 EUR is proposed.
XI. Adoption of Measures
If the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”. The imposition of this measure is compatible with the administrative fine sanction, as provided in Article 83.2 of the GDPR.
Therefore, it could be decided to adopt appropriate organizational measures to avoid future errors like the one in this case within 3 months, as well as to communicate the erasure of the data processing to the company to which CETELEM transferred the claimant's data, due to the sale of the debt.
It is warned that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution could be considered an administrative infraction under the GDPR, classified as an infraction in Articles 83.5 and 83.6, and such conduct could motivate the initiation of a subsequent administrative sanctioning procedure.
Therefore, in view of the foregoing, the Director of the Spanish Data Protection Agency agrees:
FIRST: TO INITIATE SANCTIONING PROCEDURE against BANCO CETELEM, S.A., with NIF A78650348, for two alleged infractions of Article 6 and one infraction of Article 17.1(d) of the GDPR, all of them classified in Article 83.5 of the GDPR.
SECOND: TO APPOINT B.B.B. as instructor and C.C.C. as secretary, indicating that they may be challenged, if applicable, in accordance with Articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP).
THIRD: TO INCORPORATE into the sanctioning file, for evidentiary purposes, the complaint filed by the claimant and its documentation, as well as the documents obtained and generated by the Subdirectorate General of Data Inspection in the actions prior to the initiation of this sanctioning procedure.
FOURTH: FOR the purposes provided in Article 64.2(b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the sanction that could correspond would be two hundred and fifty thousand euros (€250,000), one hundred thousand euros (€100,000) for the initial infraction of Article 6, fifty thousand (€50,000) for the infraction of Article 17.1(d), and one hundred thousand euros (€100,000) for the second infraction of Article 6, without prejudice to the result of the instruction.
FIFTH: TO NOTIFY this agreement to BANCO CETELEM, S.A., with NIF A78650348, granting a hearing period of ten business days to make allegations and present evidence deemed appropriate. In the statement of allegations, the NIF and the file number in the heading of this document must be provided.
If within the stipulated period no allegations are made to this initiation agreement, it may be considered a proposed resolution, as provided in Article 64.2(f) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP).
In accordance with Article 85 of the LPACAP, responsibility may be acknowledged within the period granted for making allegations to this initiation agreement; this will entail a 20% reduction in the sanction to be imposed in this procedure. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000), resolving the procedure with the imposition of this sanction.
Similarly, at any time before the resolution of this procedure, voluntary payment of the proposed sanction may be made, which will entail a 20% reduction of its amount. With the application of this reduction, the sanction would be set at two hundred thousand euros (€200,000) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures.
The reduction for voluntary payment of the sanction is cumulative to that applicable for acknowledgment of responsibility, provided that this acknowledgment of responsibility is expressed within the period granted for making allegations to the initiation of the procedure. Voluntary payment of the referred amount of two hundred thousand euros (€200,000), or one hundred and fifty thousand euros (€150,000) if both reductions are applied, must be made into the account IBAN: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXX) opened in the name of the Spanish Data Protection Agency at the bank CAIXABANK, S.A., indicating in the concept the reference number of the procedure listed in the heading of this document and the reason for the reduction being applied.
Additionally, proof of payment must be sent to the Subdirectorate General of Inspection to continue the procedure in accordance with the amount paid.
The procedure will have a maximum duration of twelve months from the date of the initiation agreement. If this period elapses without a resolution being issued and notified, the procedure will expire, resulting in the archiving of actions; in accordance with Article 64 of the LOPDGDD.
Finally, it is noted that in accordance with Article 112.1 of the LPACAP, no administrative appeal is possible against this act.
Mar España Martí
Director of the Spanish Data Protection Agency
>>
SECOND: On May 31, 2024, the claimed party proceeded to pay the sanction in the amount of 150,000 euros using the two reductions provided in the previously transcribed initiation agreement, which implies the acknowledgment of responsibility.
THIRD: The payment made, within the period granted to submit allegations to the initiation of the procedure, entails the waiver of any action or appeal in administrative proceedings against the sanction and the acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement.
FOURTH: In the previously transcribed Initiation Agreement, it was stated that, if the infraction is confirmed, it could be decided to impose on the controller the adoption of appropriate measures to adjust its actions to the regulations mentioned in this act, in accordance with Article 58.2(d) of the GDPR, which states that each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period...”.
Having acknowledged responsibility for the infraction, it is appropriate to impose the measures included in the Initiation Agreement.
LEGAL GROUNDS
I. Jurisdiction
According to the powers granted by Article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), to each supervisory authority, and as established in Articles 47, 48.1, 64.2, and 68.1 of Organic Law 3/2018, of December 5, on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Furthermore, Article 63.2 of the LOPDGDD states: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, as long as they do not contradict them, subsidiarily, by the general rules on administrative procedures."
II. Termination of the Procedure
Article 85 of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter, LPACAP), under the heading "Termination in sanctioning procedures," provides the following:
“1. Once a sanctioning procedure has been initiated, if the offender acknowledges their responsibility, the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary or when both a pecuniary and a non-pecuniary sanction can be imposed but the latter is deemed inappropriate, voluntary payment by the alleged offender at any time prior to the resolution will result in the termination of the procedure, except in relation to the restoration of the altered situation or the determination of compensation for damages caused by the commission of the infraction.
3. In both cases, when the sanction is solely pecuniary, the competent body to resolve the procedure will apply reductions of at least 20% on the proposed sanction amount, which can be cumulative. These reductions must be determined in the initiation notification of the procedure, and their effectiveness will be conditional on the waiver of any action or appeal in administrative proceedings against the sanction. The percentage of reduction provided for in this section may be increased by regulation.”
In accordance with the aforementioned,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure EXP202317282, in accordance with Article 85 of the LPACAP.
SECOND: TO ORDER BANCO CETELEM, S.A. to, within 3 months from the date this resolution becomes final and enforceable, notify the Agency of the adoption of the measures described in the legal grounds of the Initiation Agreement transcribed in this resolution.
THIRD: TO NOTIFY this resolution to BANCO CETELEM, S.A.
In accordance with Article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative process as stipulated in Article 114.1.c) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, the interested parties may file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of Article 25 and Section 5 of the Fourth Additional Provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within two months from the day following the notification of this act, as provided in Article 46.1 of the aforementioned Law.
Mar España Martí
Director of the Spanish Data Protection Agency
