AEPD (Spain) - EXP202105693: Difference between revisions
From GDPRhub
No edit summary |
(simplified the facts a bit to make it easier for the reader) |
||
| Line 72: | Line 72: | ||
The data subject submitted a claim against an insurance company (the controller) for allowing changes to their health insurance policy. | The data subject submitted a claim against an insurance company (the controller) for allowing changes to their health insurance policy. | ||
The insurance policy was initially signed in 2016 and linked to | The insurance policy was initially signed in 2016 and linked to the data subject as policyholder as well as the owner of the bank account from which the insurance premiums were paid. However, the insured person was their former partner. | ||
In June 2021, the data subject’s former partner submitted a request to change the health insurance policy data | In June 2021, the data subject’s former partner submitted a request to change the health insurance policy data, which was done by the bank (the processor). The data changed were the policyholder name and the bank account to which the insurance premiums were associated, allowing the data subject’s former partner to pay the insurance fees themselves. These changes were made without the consent of the data subject. | ||
After a first complaint by the data subject to the processor, the data subject was included as the insurance holder again. After a further complaint, their bank account was restored | After a first complaint by the data subject to the processor, the data subject was included as the insurance holder again. After a further complaint, their bank account number was restored. | ||
In August 2022, the Spanish DPA started a sanctioning proceeding against the controller, which allowed to hear the claims | In August 2022, the Spanish DPA started a sanctioning proceeding against the controller, which allowed to hear the claims from the involved parties. Both the controller and the processor claimed to have obtained implicit consent from the data subject since their initial wish was to cover their partner and that, by losing their status as insurance holder, their obligations were lifted, which was considered a presumed benefit for the data subject. | ||
Both the controller and the processor claimed to have obtained implicit consent from the data subject since their initial wish was to cover their partner and that, by losing their status as insurance holder their obligations were lifted, which was considered a presumed benefit for the data subject. | |||
=== Holding === | === Holding === | ||
Revision as of 07:21, 20 October 2022
| AEPD - PS-00275-2022 | |
|---|---|
 | |
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 6(1) GDPR Article 83(1) GDPR Article 83(2) GDPR §72.1(b) LOPDGDD |
| Type: | Investigation |
| Outcome: | Violation Found |
| Started: | 26.10.2021 |
| Decided: | |
| Published: | 04.10.2022 |
| Fine: | 24.000 EUR |
| Parties: | n/a |
| National Case Number/Name: | PS-00275-2022 |
| European Case Law Identifier: | n/a |
| Appeal: | n/a |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | n/a |
The Spanish DPA fined an insurance company €24,000 for violating Article 6(1) GDPR due to the processing of personal data without a legal basis. The company claimed to have implied consent of the data subject.
English Summary
Facts
The data subject submitted a claim against an insurance company (the controller) for allowing changes to their health insurance policy.
The insurance policy was initially signed in 2016 and linked to the data subject as policyholder as well as the owner of the bank account from which the insurance premiums were paid. However, the insured person was their former partner.
In June 2021, the data subject’s former partner submitted a request to change the health insurance policy data, which was done by the bank (the processor). The data changed were the policyholder name and the bank account to which the insurance premiums were associated, allowing the data subject’s former partner to pay the insurance fees themselves. These changes were made without the consent of the data subject.
After a first complaint by the data subject to the processor, the data subject was included as the insurance holder again. After a further complaint, their bank account number was restored.
In August 2022, the Spanish DPA started a sanctioning proceeding against the controller, which allowed to hear the claims from the involved parties. Both the controller and the processor claimed to have obtained implicit consent from the data subject since their initial wish was to cover their partner and that, by losing their status as insurance holder, their obligations were lifted, which was considered a presumed benefit for the data subject.
Holding
The DPA started by noting that changes to the insurance policy were not authorised by the data subject and none of the legal basis under Article 6 GDPR could be observed. Meanwhile, the principle of legal processing of data required an accreditation of the consent for the processing as well as a reasonable diligence to prove it. Simply implying that a data subject would consent to a change in the policy cannot in any way be regarded as a valid legal basis. The Spanish DPA found a violation of Article 6(1) GDPR for illegal processing of personal data by the controller.
The DPA decided on appropriate measures against the controller. Based on Article 72(1)(b) of the national data protection law, and Articles 83(1) and 83(2) GDPR, the DPA considered aggravating circumstances. Firstly, there was a lack of legal basis for the processing affecting the fundamental right to data protection. Secondly, the controller was one of the main insurance companies in the country whose activity was directly linked to the processing of personal data from clients and from third parties. Finally, the controller showed grievous lack of due care and diligence. The two latter factors were associated with the Supreme Court’s case law regarding the higher due care attributed to companies whose activity involves abundant processing of personal data.
Therefore, the Spanish DPA proposed a fine of €40,000 which was reduced to €24,000 with the application of two reductions: the acceptance of guilt, and the voluntary payment of the fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/16
File No.: EXP202105693
RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT
VOLUNTEER
Of the procedure instructed by the Spanish Agency for Data Protection and based on
to the following
BACKGROUND
FIRST: On August 8, 2022, the Director of the Spanish Agency for
Data Protection agreed to initiate a sanctioning procedure against CAJA DE SEGUROS
REUNIDOS, INSURANCE AND REASEGUROS COMPANY, S.A. (CASER) (in
hereinafter, the claimed party), through the Agreement that is transcribed:
<<
File No.: EXP202105693
AGREEMENT TO START A SANCTION PROCEDURE
Of the actions carried out by the Spanish Data Protection Agency and in
based on the following
FACTS
FIRST: D.A.A.A. (hereinafter, the complaining party) dated October 26,
2021 filed a claim with the Spanish Data Protection Agency. The
claim is directed against CAJA DE SEGUROS REUNIDOS, COMPANY OF
INSURANCE AND REINSURANCE, S.A. (CASER) with NIF A28013050 (hereinafter, the
claimed party). The grounds on which the claim is based are as follows:
month of May 2016, the claimant subscribed with BANCO IBERCAJA (hereinafter
IBERCAJA) a mortgage loan at a certain interest rate and, for
maintain that interest rate, one of the conditions of the loan was to contract a
health insurance with the claimed insurer. The claimant purchased the insurance policy
health, appearing as the policyholder and being the only holder of the open charge account
with the claimed financial institution. His partner was listed as the beneficiary of the policy
at that time and from which he is currently separated from the
04/14/2021; Since 06/08/2021, the claimed insurer has made various
modifications in the data of the policy, without your consent, in particular,
modified the policyholder and the premium charge account, disappearing the claimant and
your bank account, appearing instead your ex-partner as a policyholder and the account of
is; days later, on 06/16/2021, the claimant was included again as a policyholder,
but the charge account was still that of his ex-partner; Finally, and after
claims made by the claimant, on 06/17/2021, the account of
charge, becoming the private account of the claimant.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 2/16
As a result of what happened, on 07/05/2021, he filed a claim with the insurer
claimed, receiving a response on 07/22/2021, apologizing and indicating that the
modifications in the policy were made at the request of the financial entity and how
they soon became aware of the claimant's disagreement, they rectified the incident.
Likewise, on 07/21/2021, I file a claim with the financial institution, in relation to
with the unilateral modification of the policy linked to your loan contract,
receiving a response on 07/27/2021, indicating that the modifications were requested
from your management office by the insured person (your ex-partner) and that, however,
the loan discounts have been maintained. The claimant states that the
brother of her ex-partner works in the office from which the
Non-consensual modifications in the contractual data.
Provides admission for processing of the divorce application, copy of the claims
made and the responses received, as well as a claim addressed to the Management
General Insurance and Pension Funds, of 10/20/2021.
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5
December, of Protection of Personal Data and guarantee of digital rights (in
hereinafter LOPDGDD), said claim was transferred to the claimed party/, to
to proceed with its analysis and inform this Agency within a month of the
actions carried out to adapt to the requirements set forth in the regulations of
Data Protection.
The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of
October 1, of the Common Administrative Procedure of the Administrations
Public (hereinafter, LPACAP), was collected on 12/20/2021 as recorded in the
acknowledgment of receipt that works in the file.
On 01/14/2022, the respondent responded to the request made, indicating that the
05/31/2016 the claimant formalized a guaranteed loan with IBERCAJA
mortgage agreement at a fixed interest rate of 3.25% (interest rate not met
bonuses), unless it was actually verified that the requirements were met.
Bonus conditions as indicated in the section of the deed
mortgage "LINKS AND OTHER COSTS", in which case it would apply
referred to therein with a minimum applicable interest rate of 1.750% in the event that
all the agreed bonuses are fulfilled, among which is the
contracting with CASER of the "Ibercaja Salud" insurance. The interest rate agreed in the
deed is the interest rate agreed in the mortgage loan operation and that
the agreed bonuses are optional and voluntary for the borrower, not
being mandatory, so, if you wish, you can cancel and not
maintain the indicated health insurance or contract another of those mentioned in the annex to
bonus conditions.
On the effective date of 01/01/2017, the claimant signs the policy with CASER
group "Caser Salud Integral" in which he appears as policyholder and includes as
only insured to Ms. B.B.B., contracting made in the offices of IBERCAJA,
in its capacity as the distribution network of the banking insurance operator of the Ibercaja Group
(the entity IBERCAJA MEDIACION DE SEGUROS, S.A.U. (hereinafter IBERCAJA
MEDIATION) and that maintains an agency contract with CASER. insurance premiums
were debited from the IBERCAJA account owned by the claimant.
On 06/08/2021, IBERCAJA MEDIACION, in its capacity as mediator of the insurance policy
insurance and, therefore, in charge of processing the data responsibility of
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 3/16
CASER, processes a request formulated in the offices of IBERCAJA, in which
requests the modification of the account associated with said policy to proceed itself
to premium payments, since it is the only insured, and in turn, modify its
contractual position of insured by the policy holder and insured by the
same policy, not making any changes to the policy, limited to
transfer the request of the insured to the insurance company.
On 06/09/2021 CASER proceeds, with effect from June 8, to replace the
policyholder (claimant) for which until then was the insured of the
policy (Mrs. B.B.B.), presupposing by the principle of commercial good faith that
said substitution was known to the claimant, who would have granted his
consent, at least tacitly. The fact that by losing the condition of
policyholder, the claimant was released from the obligations and duties that
derived from the insurance contract, led to think that the policyholder knew and
accepted its substitution in the policy.
Following communications from the claimant to the Customer Relations Center of
CASER in which it stated that it had not accepted or consented to the change of policyholder
of the insurance, once it was verified that there was no document in the files
signed by the policyholder (claimant) requesting or authorizing said
change, dated 06/16/2021, the policy was reverted to the previous situation,
reinstating the claimant as the policy holder and, on June 17, it was returned to
include your account number for purposes of paying premium receipts.
As for the mortgage loan contract formalized by the claimant with
IBERCAJA, the changes made to the health insurance policy by the entity
insurer, object of this claim, did not modify the interest rate that came
being applied to it.
Likewise, the respondent in his response of 01/14/2022 stated, among other things,
aspects, the following:
“ The treatment of the data of the claimant by the insurer is
legitimized by the content of article 6.1.b) of the RGPD that establishes that the
Processing of personal data will be lawful if it is necessary for the execution of a
contract to which the insured is a party.
Additionally, the treatment of the data of the policyholders by the
Insurers are legitimized by article 99.1 of Law 20/2015, of 14
of July, of Management, Supervision and Solvency of the Insurance Entities and
Reinsurers, which empowers insurance companies to process the data of the
policyholders, without the need to obtain their consent, for the
development of the insurance contract; It must be taken into consideration that, as
As soon as Caser learned of the absence of consent granted by the
claimant rectified the policyholder change.
With regard to access to data that is the responsibility of Caser by Ibercaja Mediación,
this is legitimized by assuming this last society the condition of
in charge of the treatment in accordance with the provisions of article 203.1.a) of the
Royal Decree-Law 3/2020, as well as the fact that both parties have signed a
comprehensive contract of the obligations established in article 28 of the RGPD.
- That the claim made by the claimant is based on the occurrence of some
facts that, when included by the claimant in his brief filed with the AEPD,
recognize as authentic.
- And part of the information that was transferred to the claimant is also reproduced:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 4/16
o All references made by this party to the IBERCAJA entity come
referred to Ibercaja Mediación de Seguros, S.A.U., which is the mediation company of the
insurance subscribed by you and, therefore, in charge of data processing
Caser's responsibility.
o That as soon as Caser heard that you had not requested the change
as the policyholder, he proceeded to restore the contract to the previous situation”.
THIRD: On 01/26/2022, in accordance with article 65 of the LOPDGDD,
the claim filed by the claimant was admitted for processing.
FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out
of previous investigative actions to clarify the facts in
question, by virtue of the functions assigned to the control authorities in the
article 57.1 and the powers granted in article 58.1 of the Regulation (EU)
2016/679 (General Data Protection Regulation, hereinafter RGPD), and
in accordance with the provisions of Title VII, Chapter I, Second Section, of the
LOPDGDD, having knowledge of the following extremes:
In order to investigate the occurrence of the events described, on 03/09/2022 a
a request for information to the respondent, IBERCAJA and IBERCAJA MEDIACION.
The responses to these requirements were entered in the electronic headquarters of the
AEPD on 03/24/2022 (the claimed one), and on 03/29/2022 (IBERCAJA and IBERCAJA
MEDIATION).
The documentation collected describes the actions of the different entities
to manage changes to a health insurance policy, and then
reproduces an extract of the content provided in order to introduce the applications
computers that are referenced:
“[…]
The process to modify the data of a health insurance policy, on a general basis.
In general, it starts at the IBERCAJA offices, since that is where the
clients for it.
[…]
The management of the modifications of a claimed health policy, in the majority
of the cases can be done directly from the offices of IBERCAJA through
of the computer application of the defendant “Portal Bancassurance.
[…]
The modification of the policyholder of a health insurance policy, that is, the substitution
of the person of the initial policyholder by another person supposes a modification of the
intervening in the contract, exceeding their personal data, and must be executed
for the claimed.
[…]
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 5/16
The requests that the IBERCAJA offices cannot make directly in the
application of the claimant are communicated to IBERCAJA MEDIACION, for their transfer
to the claimant, as follows:
- Internal Consultation Application "Remedy-Ibersic"
- Email mailbox ***EMAIL.1
IBERCAJA MEDIACION transfers the request to the person claimed through the tool
“SGO Requests” section that is available in the “Bancassurance Portal” of the
called, to which the IBERCAJA offices do not have access.
[…]
Once the introduction has been made, the result is displayed for each investigated entity.
of the investigative actions.
THE CLAIMED:
In the documentation provided, in the Data Processing Activity Register
Personal “General Insurance Production Treatment”, identifies the
claimed as the entity responsible for data processing activities
personal.
On 06/08/2021, IBERCAJA MEDIATION opens the file
***FILE.1 through the “Requests for Operations (SGO)” function that is
is available in the computer application "Portal Bancassurance" and transfers you to the
claimed request for change of policyholder of the Comprehensive Health insurance policy of the
claimant.
The claimed party does not collect the "writings signed by the assigning policyholder and the
that you accept”, the necessary documentation according to the procedure for the modification of
a health insurance policy by issuing a supplement that the
claimed has described in the framework of the preliminary investigation actions.
Below is an excerpt from the description of the "Procedure
established for the modification of a health insurance policy by issuing
of a supplement” of the claimed:
Due to its importance, it should be noted that in the Insurance Issuance Procedure
General, the documentation that must be provided together with the request for
modification of insurance conditions. Specifically, with regard to the
necessary documentation to request the substitution of the policyholder, it is established
literally:
“Change of Policyholder.
A writing or writings signed by the assigning policyholder and the policyholder who
you accept. In addition, the document must provide the personal data of the
new policyholder: name, surnames, document, direct debit, address of
provision, etc.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 6/16
The policyholder must be over 18 years of age, or in case of being under 18 years of age and over
16, declared legally of legal age by a judge.”
On 06/09/2021 the claimant makes the change in the insurance policy effective
Comprehensive Health of the claimant in the terms requested by IBERCAJA
MEDIATION: the Health Production Area, changes the account number and the
policyholder, understanding that the policyholder consented, at least
tacitly its substitution.
On 06/16/2021 and as a result of the claims made by the
claimant to the claimed, the claimed urges IBERCAJA MEDIACION to open a
file requesting that the Comprehensive Health insurance policy of the
claimant to the previous situation, including as policyholder the claimant and his account
current address for the payment of the premium receipt.
On 06/16/2021, the claimant retrotracts the Comprehensive Health insurance policy of the
claimant to the situation prior to June 9, 2021.
IBERCAJA MEDIATION
It is noted that IBERCAJA MEDIACION, a company owned by IBERCAJA, acts
as the person in charge of the Treatment with respect to the data treatments necessary to
distribute the insurance of the claimed party, which is the entity responsible for the Treatment, and
that IBERCAJA acts as sub-processor.
It is indicated that the staff of IBERCAJA MEDIACION does not have a physical presence in
any office of the IBERCAJA distribution network and that any management regarding
health insurance policies made at the IBERCAJA offices are
made by employees of said entity.
On 06/08/2021, IBERCAJA MEDIATION receives from IBERCAJA, through the
"Remedy-Ibersic" application, a change of policyholder query in the insurance policy
Comprehensive health insurance of the claimant; requesting that the insured become the
policyholder and additionally facilitating a new home account for the
insurance premium payment; for transfer to the claimant.
On 06/08/2021, IBERCAJA MEDIATION transfers the claimant, through the
“Requests for Operations (SGO)” function of the “Portal Bancassurance” application,
request to change the policyholder of the claimant's Comprehensive Health insurance policy.
A screenshot of the "Portal Bancassurance" application is provided with the details of
the petition transferred to the respondent. The petition includes the following information:
Change of policyholder in Comprehensive Health insurance: [...]
“The insured is going to be the policyholder and insured and who is going to pay the insurance.
Currently, he was already the one who really paid for the insurance.”
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 7/16
On 06/09/2021, IBERCAJA MEDIACION is informed by the respondent, to
via email, that the request has been processed.
On 06/10/2021, IBERCAJA MEDIACION transfers to IBERCAJA, through the
“Remedy-Ibersis” application, that the petition has been processed by the respondent.
On 06/16/2021 IBERCAJA MEDIACION, due to the claim of the
claimant before the respondent and at the request of the respondent, initiates a request for
rectification to restore the claimant's Comprehensive Health insurance policy to his
last situation.
On 06/16/2021, IBERCAJA MEDIACION is informed by the respondent, to
via email, that the policy has been returned to the initial situation.
IBERCAJA
IBERCAJA indicates that it is the insured who requests to become a policyholder and
insured of the Comprehensive Health insurance policy whose policyholder is the claimant.
On 06/08/2021, IBERCAJA communicated to IBERCAJA MEDIACION, through the
“Remedy-Ibersic” application, request to change the policyholder of the insurance policy
Comprehensive health of the claimant; requesting that the insured become the policyholder of the
insurance and additionally facilitating a new domiciliary account for the payment of the
secure prime; for transfer to the claimant.
A screenshot of the "Remedy-Ibersic" application is provided with the communication to
the IBERCAJA MEDIATION, New Relationship, where the user and the office are identified
of origin and the details of the request are described:
- New Relationship: brother of the insured (Office Deputy Director)
- Office: ***OFFICE.1
- Detail of the Relationship: the new domiciliary account is provided for the payment of the
insurance premium and includes the following information:
“The insured is going to be the policyholder and insured and who is going to pay the insurance.
Currently, he was the one who actually paid the insurance.”
Information that is contrary to what the claimant states in their claim and the
IBERCAJA corroborates in its response to the complainant dated July 27, 2021:
“All Comprehensive Health insurance fees have been charged to the associated account
[…]”
Referring to the account associated with that of the policyholder of the Comprehensive Health insurance policy
of the claimant (Doc-4 of the Claim, entry – ***ENTRY.1).
On 06/10/2021, IBERCAJA is informed by IBERCAJA MEDIACION, to
through the "Remedy-Ibersic" application, that your request has been processed.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 8/16
FOUNDATIONS OF LAW
Yo
In accordance with [Insert the text corresponding to [Basic text I
PS].] and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of the Organic Law
3/2018, of December 5, on the Protection of Personal Data and guarantee of the
digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve
this procedure the Director of the Spanish Data Protection Agency.
Likewise, article 63.2 of the LOPDGDD determines that: "The
procedures processed by the Spanish Agency for Data Protection will be governed
by the provisions of Regulation (EU) 2016/679, in this organic law, by the
regulatory provisions issued in its development and, insofar as they are not
contradict, in the alternative, by the general rules on the
administrative procedures."
II
The facts denounced materialize in the fact that the defendant carried out
various changes in the data of the health policy, linked to the loan
contracted with a financial institution, without their consent, specifically, the
policyholder and the premium charge account, appearing in his place his ex-partner both
as a policyholder and as your personal account; it was later re-modified to include
the claimant as policyholder, although the charge account continued to be that of his former partner
and, finally, after the claims made by the claimant, the
charge account, becoming the claimant's account, which could lead to the
Violation of the regulations on the protection of personal data.
Article 58 of the RGPD, Powers, states:
"two. Each supervisory authority will have all of the following powers
corrections listed below:
(…)
i) impose an administrative fine under article 83, in addition to or in
Instead of the measures mentioned in this section, according to the
circumstances of each particular case;
(…)”
Article 6, Legality of the treatment, of the RGPD in its section 1, establishes
that:
1. The treatment will only be lawful if at least one of the following is met
conditions:
a) the interested party gave their consent for the processing of their data
personal for one or more specific purposes;
b) the treatment is necessary for the execution of a contract in which the
interested party is a party or for the application at the request of the latter of measures
pre-contractual;
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 9/16
c) the treatment is necessary for the fulfillment of a legal obligation
applicable to the data controller;
d) the processing is necessary to protect the vital interests of the data subject or
of another natural person;
e) the treatment is necessary for the fulfillment of a mission carried out in
public interest or in the exercise of public powers vested in the controller
of the treatment;
f) the treatment is necessary for the satisfaction of legitimate interests
pursued by the data controller or by a third party, provided that
over said interests do not prevail the interests or the rights and freedoms
fundamental data of the interested party that require the protection of personal data,
in particular when the interested party is a child.
The provisions of letter f) of the first paragraph shall not apply to
treatment carried out by public authorities in the exercise of their functions”.
On the other hand, article 4 of the RGPD, Definitions, in its sections 1, 2 and 11,
notes that:
“1) «personal data»: any information about an identified natural person
or identifiable ("the interested party"); An identifiable natural person shall be considered any
person whose identity can be determined, directly or indirectly, in particular
by means of an identifier, such as a name, an identification number,
location data, an online identifier or one or more elements of the
physical, physiological, genetic, mental, economic, cultural or social identity of said
person;
“2) «processing»: any operation or set of operations carried out
about personal data or sets of personal data, either by procedures
automated or not, such as the collection, registration, organization, structuring,
conservation, adaptation or modification, extraction, consultation, use,
communication by transmission, broadcast or any other form of enabling of
access, collation or interconnection, limitation, suppression or destruction;
“11) «consent of the interested party»: any manifestation of free will,
specific, informed and unequivocal by which the interested party accepts, either through
a statement or a clear affirmative action, the processing of personal data that
concern him”.
III
Data processing requires the existence of a legal basis that legitimizes it,
as the consent of the interested party for the processing of personal data
for one or more specific purposes.
In accordance with article 6.1 of the RGPD, in addition to the consent,
There are other possible bases that legitimize the processing of data without the need for
have the authorization of its owner, in particular, when it is necessary for the
execution of a contract in which the affected party is a party or for the application, at the request
of this, of pre-contractual measures, or when necessary for the satisfaction of
legitimate interests pursued by the data controller or by a third party,
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 10/16
provided that said interests do not prevail the interests or rights and
fundamental freedoms of the affected party that require the protection of such data. The
treatment is also considered lawful when it is necessary for the fulfillment of
a legal obligation applicable to the controller, to protect interests
vital data of the affected party or of another natural person or for the fulfillment of a mission
carried out in the public interest or in the exercise of public powers vested in the
responsible for the treatment.
In the present case, the defendant is charged with the violation of article 6.1 of the
RGPD when evidencing the illegality of the treatment carried out, because as
pointed out in the previous foundation, it allows various modifications in the data of
the health policy, linked to the mortgage loan contracted with a financial entity,
without your consent or authorization without your consent or authorization or any
another cause of legitimation of those provided for in art. 6.1 of the GDPR.
.
The same defendant has acknowledged having made the change of policyholder effective
insurance and associated charge account number without having followed the procedure
established for the modification of a health insurance policy, that is, without having
collected the "writings signed by the assigning policyholder and the accepting policyholder".
It should be noted that respect for the principle of legality of the data requires that
accredited evidence that the owner of the data consented to the processing of their data
personal character and display a reasonable diligence essential to prove
that end. If he does not act in this way, or if there is any other cause of legitimation, the
The result would be to empty the content of the principle of legality.
IV
The infraction that is attributed to the claimed one is typified in the
article 83.5 a) of the RGPD, which considers that the infringement of “the basic principles
for processing, including the conditions for consent under the
articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned
Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as
maximum or, in the case of a company, an amount equivalent to 4% as
maximum of the overall annual total turnover of the previous financial year,
opting for the highest amount.
The LOPDGDD in its article 71, Violations, states that: "They constitute
infractions the acts and behaviors referred to in sections 4, 5 and 6 of the
Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the
present organic law”.
And in its article 72, it considers for prescription purposes, which are: "Infringements
considered very serious:
1. Based on the provisions of article 83.5 of the Regulation (EU)
2016/679 are considered very serious and the infractions that
suppose a substantial violation of the articles mentioned in that and, in
particularly the following:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 11/16
(…)
b) The processing of personal data without the concurrence of any of the
conditions of legality of the treatment established in article 6 of the
Regulation (EU) 2016/679.
(…)”
v
In order to establish the administrative fine to be imposed,
observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which
point out:
"1. Each control authority will guarantee that the imposition of fines
administrative actions under this article for violations of this
Regulation indicated in sections 4, 5 and 6 are in each individual case
effective, proportionate and dissuasive.
2. Administrative fines will be imposed, depending on the circumstances
of each individual case, in addition to or as a substitute for the measures contemplated
in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine
administration and its amount in each individual case will be duly taken into account:
a) the nature, seriousness and duration of the offence, taking into account the
nature, scope or purpose of the processing operation in question
as well as the number of stakeholders affected and the level of damage and
damages they have suffered;
b) intentionality or negligence in the infringement;
c) any measure taken by the controller or processor
to alleviate the damages suffered by the interested parties;
d) the degree of responsibility of the person in charge or of the person in charge of the
treatment, taking into account the technical or organizational measures that have
applied under articles 25 and 32;
e) any previous infraction committed by the person in charge or the person in charge of the
treatment;
f) the degree of cooperation with the supervisory authority in order to put
remedying the breach and mitigating the possible adverse effects of the breach;
g) the categories of personal data affected by the infringement;
h) the way in which the supervisory authority became aware of the infringement, in
particular if the person in charge or the person in charge notified the infringement and, in such case,
what extent;
i) when the measures indicated in article 58, paragraph 2, have been
previously ordered against the person in charge or the person in charge in question
in relation to the same matter, compliance with said measures;
j) adherence to codes of conduct under article 40 or mechanisms
certificates approved in accordance with article 42, and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits realized or losses avoided, direct
or indirectly, through infringement.
In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its
Article 76, “Sanctions and corrective measures”, establishes that:
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 12/16
"two. In accordance with the provisions of article 83.2.k) of the Regulation (EU)
2016/679 may also be taken into account:
a) The continuing nature of the offence.
b) The link between the activity of the offender and the performance of treatments
of personal data.
c) The profits obtained as a result of committing the offence.
d) The possibility that the conduct of the affected party could have induced the
commission of the offence.
e) The existence of a merger by absorption process after the commission
of the infringement, which cannot be attributed to the absorbing entity.
f) Affectation of the rights of minors.
g) Have, when it is not mandatory, a delegate for the protection of
data.
h) The submission by the person in charge or person in charge, with
voluntary, to alternative conflict resolution mechanisms, in those
assumptions in which there are controversies between those and any
interested."
In accordance with the transcribed precepts, and without prejudice to what results from the
instruction of the procedure, in order to set the amount of the sanction of fine to
impose in the present case for the infringement typified in article 83.5.a) of the RGPD
for which the defendant is held responsible, in an initial assessment, it is estimated
concurrent the following factors:
Aggravating circumstances are considered:
- The nature, seriousness and duration of the infraction: the facts affect
seriously to a basic principle relating to the processing of personal data
personal, such as legitimacy, whose violation is considered very serious; the damages
and damages caused as a result of the interference in the sphere of privacy
of the claimant because we must not forget that we are facing the infraction of a
fundamental right to the protection of personal data; the claimant was seen
obliged to address both the financial institution and the claimed entity as
consequence of the modifications produced in the policy, as well as the presentation
d claim before the DGSFP and before this body for the same facts (article
83.2, a) of the GDPR). .
- The activity of the claimed party is linked to data processing
both clients and third parties. In its activity the claimed entity is
The processing of personal data is essential, therefore, given the volume
of business of the same (one of the important insurance entities of the country), the
significance of the conduct object of this claim is undeniable
(article 76.2.b) of the LOPDGDD in relation to article 83.2.k).
- Although it cannot be argued that the defendant has acted
intentionally, there is no doubt that there is a serious lack of diligence in
his performance. Connected to the degree of diligence that the data controller
is obliged to deploy in the fulfillment of the obligations imposed by the
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 13/16
data protection regulations, the SAN of 10/17/2007 can be cited. Although it was
dictated before the validity of the RGPD, its pronouncement is perfectly
extrapolated to the case we are analyzing. The ruling, after alluding to the fact that the
entities in which the development of their activity entails a continuous treatment of
customer data and third parties must observe an adequate level of diligence,
specified that “(...) the Supreme Court has understood that there is imprudence
whenever a legal duty of care is disregarded, that is, when the offender fails to
behaves with due diligence. And in assessing the degree of diligence,
especially weigh the professionalism or not of the subject, and there is no doubt that,
in the case now examined, when the appellant's activity is constant and
abundant handling of personal data, it must be insisted on the rigor and
exquisite care to comply with the legal provisions in this regard” (article 83.2,
b) of the RGPD).
Extenuating circumstances are considered:
- Only one person has been affected by the offending conduct.
Therefore, as stated,
By the Director of the Spanish Data Protection Agency,
HE REMEMBERS:
1. INITIATE PUNISHMENT PROCEDURE against CAJA DE SEGUROS REUNIDOS,
INSURANCE AND REASEGUROS COMPANY, S.A. (CASER) with NIF A28013050, for
the alleged infringement of article 6.1 of the RGPD, sanctioned in accordance with the provisions
in article 83.5.a) of the aforementioned RGPD.
2. APPOINT C.C.C. Instructor and Secretary to D.D.D., indicating that any of
them may be challenged, where appropriate, in accordance with the provisions of articles 23 and
24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector
(LRJSP).
3. INCORPORATE to the disciplinary file, for evidentiary purposes, the claim
filed by the claimant and its documentation, as well as the documents
obtained and generated by the General Subdirectorate of Data Inspection in the
actions prior to the start of this sanctioning procedure.
4. THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, of the
Common Administrative Procedure of Public Administrations (LPACAP), and
article 127 letter b) of the RLOPD, the sanction that could correspond for the infraction
described would be €40,000 (forty thousand euros), without prejudice to what results from the
instruction.
5. NOTIFY this Agreement to CAJA DE SEGUROS REUNIDOS, COMPAÑÍA
INSURANCE AND REINSURANCE, S.A. (CASER) with NIF A28013050, indicating
expressly his right to a hearing in the procedure and granting him a term
of TEN WORKING DAYS to formulate the allegations and propose the evidence that
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 14/16
consider appropriate. In your statement of allegations you must provide your NIF and the
procedure number at the top of this document.
Likewise, in accordance with articles 64.2.f) and 85 of the LPACAP, you are informed
that, if it does not make allegations in time to this initial agreement, it may
be considered a motion for a resolution.
You are also informed that, in accordance with the provisions of article 85.1
LPACAP, may recognize its responsibility within the term granted for the
formulation of allegations to this initial agreement which will entail a
reduction of 20% of the sanction to be imposed in the present
procedure, equivalent in this case to 8,000 euros. With the application of this
reduction, the sanction would be established at 32,000 euros, resolving the
procedure with the imposition of this sanction.
Similarly, you may, at any time prior to the resolution of this
procedure, carry out the voluntary payment of the proposed sanction,
in accordance with the provisions of article 85.2 LPACAP, which will mean a
reduction of 20% of the amount of the same, equivalent in this case to 8,000 euros.
With the application of this reduction, the sanction would be established at 32,000 euros
and its payment will imply the termination of the procedure.
The reduction for the voluntary payment of the penalty is cumulative with the corresponding
apply for the acknowledgment of responsibility, provided that this acknowledgment
of the responsibility is revealed within the period granted to formulate
arguments at the opening of the procedure. The voluntary payment of the referred amount
in the previous paragraph may be done at any time prior to the resolution. In
In this case, if it were appropriate to apply both reductions, the amount of the penalty would be
set at 24,000 euros.
In any case, the effectiveness of any of the two reductions mentioned will be
conditioned to the abandonment or renunciation of any action or resource in via
administrative against the sanction.
In case you chose to proceed to the voluntary payment of any of the amounts
indicated above (32,000 euros or 24,000 euros), in accordance with the provisions of
article 85.2 referred to, we indicate that you must make it effective by entering
in the restricted account number ES00 0000 0000 0000 0000 0000 opened in the name of the
Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating
in the concept the reference number of the procedure that appears in the
heading of this document and the reason for the reduction of the amount to which
welcomes
Likewise, you must send proof of payment to the General Subdirectorate of
Inspection to proceed with the procedure in accordance with the quantity
entered.
The procedure will have a maximum duration of nine months from the
date of the start-up agreement or, where appropriate, of the draft start-up agreement.
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 15/16
Once this period has elapsed, it will expire and, consequently, the file of
performances; in accordance with the provisions of article 64 of the LOPDGDD.
Finally, it is pointed out that in accordance with the provisions of article 112.1 of the
LPACAP, there is no administrative appeal against this act.
Sea Spain Marti
Director of the Spanish Data Protection Agency
>>
SECOND: On August 17, 2022, the claimed party has proceeded to pay
of the sanction in the amount of 24,000 euros making use of the two reductions
provided for in the Start Agreement transcribed above, which implies the
acknowledgment of responsibility.
THIRD: The payment made, within the period granted to formulate allegations to
the opening of the procedure, entails the waiver of any action or resource in via
administrative action against the sanction and acknowledgment of responsibility in relation to
the facts referred to in the Initiation Agreement.
FOUNDATIONS OF LAW
Yo
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679
(General Data Protection Regulation, hereinafter RGPD), grants each
control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the
Organic Law 3/2018, of December 5, on the Protection of Personal Data and
guarantee of digital rights (hereinafter, LOPDGDD), is competent to
initiate and resolve this procedure the Director of the Spanish Protection Agency
of data.
Likewise, article 63.2 of the LOPDGDD determines that: "The procedures
processed by the Spanish Agency for Data Protection will be governed by the provisions
in Regulation (EU) 2016/679, in this organic law, by the provisions
regulations issued in its development and, as long as they do not contradict them, with a
subsidiary, by the general rules on administrative procedures."
II
Article 85 of Law 39/2015, of October 1, on Administrative Procedure
Common to Public Administrations (hereinafter, LPACAP), under the rubric
"Termination in sanctioning procedures" provides the following:
"1. Started a sanctioning procedure, if the offender acknowledges his responsibility,
the procedure may be resolved with the imposition of the appropriate sanction.
2. When the sanction is solely pecuniary in nature or it is possible to impose a
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es 16/16
pecuniary sanction and another of a non-pecuniary nature, but the
inadmissibility of the second, the voluntary payment by the alleged perpetrator, in
any time prior to the resolution, will imply the termination of the procedure,
except in relation to the replacement of the altered situation or the determination of the
compensation for damages caused by the commission of the infringement.
3. In both cases, when the sanction is solely pecuniary in nature, the
competent body to resolve the procedure will apply reductions of, at least,
20% of the amount of the proposed sanction, these being cumulative with each other.
The aforementioned reductions must be determined in the notification of initiation
of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of
any administrative action or recourse against the sanction.
The reduction percentage provided for in this section may be increased
regulations."
According to what was stated,
the Director of the Spanish Data Protection Agency RESOLVES:
FIRST: TO DECLARE the termination of procedure EXP202105693, of
in accordance with the provisions of article 85 of the LPACAP.
SECOND: NOTIFY this resolution to CAJA DE SEGUROS REUNIDOS,
INSURANCE AND REASEGUROS COMPANY, S.A. (CASER).
In accordance with the provisions of article 50 of the LOPDGDD, this
Resolution will be made public once it has been notified to the interested parties.
Against this resolution, which puts an end to the administrative procedure as prescribed by
the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure
Common of the Public Administrations, the interested parties may file an appeal
contentious-administrative before the Contentious-administrative Chamber of the
National Court, in accordance with the provisions of article 25 and section 5 of
the fourth additional provision of Law 29/1998, of July 13, regulating the
Contentious-Administrative Jurisdiction, within a period of two months from the
day following the notification of this act, as provided in article 46.1 of the
aforementioned Law.
936-040822
Sea Spain Marti
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6 www.aepd.es
28001 – Madrid sedeagpd.gob.es
