AEPD (Spain) - EXP202307696
AEPD - EXP202307696 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(2) GDPR, Article 6(1) GDPR, Article 8 GDPR, Article 21 GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 26.04.2024 |
Decided: | 22.08.2024 |
Published: | 11.10.2024 |
Fine: | 50,000 EUR |
Parties: | Santander Consumer Finance S.A. |
National Case Number/Name: | EXP202307696 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | ao |
A DPA fined Santander €50,000 for a breach of Article 6(1) GDPR relating to the disregard of the data subject's request to object to receiving advertisements.
English Summary
Facts
On 26 April 2023, the data subject filed a complaint with the AEPD for receiving postal advertising material despite having exercised their right to object to this. The data subject had sent a letter to the controller on 27 February 2023, requesting that his personal data be used exclusively to manage his credit card. On 07 March 2023, the controller responded to the data subject, confirming receipt of the request and stating that, in accordance with Articles 21 and 18 GDPR, it had proceeded to give effect to the request to object to postal advertising. However, on 23 April 2023, the data subject received advertising relating to the granting of a loan, contrary to his request.
Following the data subject’s complaint, the AEPD requested information from the controller. On 06 July 2023, the controller confirmed that the data subject had received another advertisement in the post after having objected to this form of processing of his personal data. The controller argued that an involuntary human error by an employee caused the data breach. The employee responsible for manually unticking the boxes relevant to the processing had failed to untick three boxes, which is why the advertisement reached the data subject. It argued that the mistake had been corrected on 9 June 2023 and that the breach had therefore been remedied. Further, the controller argued that the processor was responsible for the data breach and therefore requested the suspension of the proceedings.
Holding
1. Controller responsibility
With reference to Article 8 GDPR, the AEPD points out that the processor carries out their function on the instructions of the controller and that therefore violations of the GDPR are attributable to the controller. As Articles 5(2), 24, 28 and 32 GDPR set out, compliance monitoring of the processing is attributable to the controller regardless of the involvement of a processor. The AEPD established that the processor was acting on the instructions of the controller in sending the advertisements.
2. Gravity of the breach and setting the fine
The AEPD highlights that Article 5(2) GDPR entails a proactive responsibility on the controller not just to comply with the GDPR but to be able to demonstrate this compliance. It held that the controller did not exercise the required diligence, as it did not prevent the processing after the request had been made.
On 12 April 2024, the controller was fined €50,000 under Article 83(5)(a) GDPR for violating Article 6(1) GDPR. In setting the fine, the AEPD stated that the violation of Article 6(1) GDPR is of sufficient gravity to warrant the fine of €50,000 in light of the controller’s annual turnover.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202317578 (PS/00546/2023)
RESOLUTION OF THE SANCTIONING PROCEDURE
From the actions carried out by the Spanish Data Protection Agency and based on the following:
BACKGROUND
FIRST: On 09/26/23, A.A.A., (hereinafter, the complaining party)...