AEPD (Spain) - PS/00388/2022
Revision as of 10:17, 18 July 2023
| AEPD - PS/00388/2022 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | 04.07.2023 |
| Fine: | 25,000 EUR |
| Parties: | Caixabank, S.A. |
| National Case Number/Name: | PS/00388/2022 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | CSO |
The Spanish DPA fined Caixabank €25,000 for failing to take appropriate technical and organisational measures to verify the identity of the customer before disclosing personal data to her, in violation of Article 32(1) GDPR.
English Summary
Facts
The data subject was a minor represented by her mother, who was trying to obtain information about her child's bank account.
However, CaixaBank, the controller, replied that it could not process the request because the e-mail address she was writing from was not registered in the bank's database. The mother insisted and the controller finally told her that the information on her daughter's bank account was blocked, and that it would contact her again to provide more information.
That same day, the controller called her and, without any identity verification, provided information relating to the bank account of her other daughter, about whom she had asked nothing. After the mistake was cleared up, the controller told the mother that the bank account she had originally asked about had been cancelled and that she would have to go to a physical branch to learn why.
The mother eventually obtained the information she wanted. She then filed a complaint with the Spanish DPA for the lack of response to her request and for the lack of appropriate security measures to verify the identity of the holder of the bank account being discussed.
Holding
While recognising that the complainant had to insist several times to obtain information about her daughter's bank account, the DPA concluded that the controller did provide the requested information, including the transcript of two telephone calls. It therefore found no breach of the right of access.
However, the DPA did hold that the controller had failed to comply with its obligation to have adequate technical and organisational measures in place, since it disclosed information about the second daughter's bank account without first carrying out any identity authentication: the caller had only quoted the DNI of the first daughter, never her own.
The DPA rejected the controller's arguments that this was mere human error and that the information was only disclosed to the children's actual mother. In the DPA's view, the controller's protocol did fail, allowing access to the data of third parties.
The DPA therefore imposed a fine of €25,000 for a violation of Article 32(1) GDPR.
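The disclosure went wrong at two points that the decision records: the caller was never authenticated (she only quoted her daughter's DNI, which identifies the data subject, not the caller), and the operator queried the cancelled accounts under that DNI, took the listed participants and followed them to another minor's account. The following is an added, illustrative example and is not CaixaBank's code nor part of the decision: a disclosure-scope check that binds any release of account data to an authenticated caller, to the data subject actually requested and to a live contract, shown next to the pivoting lookup the decision describes. The DNIs, contract identifiers, the `CallSession` shape and the rule that a cancelled contract is blocked at call-centre level are assumptions.

```python
"""Disclosure-scope check for a call-centre data request.

Added illustrative example, not CaixaBank code and not part of the decision.
DNIs, contract ids and the CallSession shape are constructed placeholders.
"""
from dataclasses import dataclass, replace
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Account:
    contract: str
    holder_dni: str
    representatives: FrozenSet[str]  # registered legal representatives
    closed: bool = False             # cancelled contract: data to be blocked


@dataclass(frozen=True)
class CallSession:
    # DNI the caller has actually been authenticated as.  None models the
    # 10:27 call in the decision: only the daughter's DNI was quoted, which
    # identifies the data subject, not the caller.
    caller_dni: Optional[str]
    requested_dni: str  # data subject the caller is asking about


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


# Constructed sample data modelled on the proven facts (placeholder ids).
MOTHER, FATHER = "DNI-MOTHER", "DNI-FATHER"
YOUNGEST, ELDEST = "DNI-BBB", "DNI-DDD"
ACCOUNTS: List[Account] = [
    Account("CONTRACT.1", YOUNGEST, frozenset({MOTHER, FATHER}), closed=True),
    Account("CONTRACT.3", ELDEST, frozenset({MOTHER}), closed=True),
]


def legacy_route(quoted_dni: str) -> List[str]:
    """The flow the decision describes: query cancelled accounts by the quoted
    DNI, collect every participant, then follow those participants to their
    other accounts.  Nobody is authenticated and the lookup pivots from
    B.B.B. to the mother to D.D.D.; it returns every contract an agent would
    end up touching."""
    participants = set()
    for acc in ACCOUNTS:
        if acc.holder_dni == quoted_dni:
            participants |= acc.representatives
    return sorted(acc.contract for acc in ACCOUNTS
                  if acc.holder_dni == quoted_dni
                  or acc.representatives & participants)


def authorize_disclosure(session: CallSession, account: Account) -> Decision:
    """Bind a disclosure to (1) an authenticated caller, (2) the data subject
    actually requested and (3) a live contract.  Order matters: the subject
    check runs before the relationship check so that a representative of
    several minors can never be handed a sibling's record by mistake."""
    if session.caller_dni is None:
        return Decision(False, "caller not authenticated: a data subject's "
                               "DNI does not identify the caller")
    if account.holder_dni != session.requested_dni:
        return Decision(False, "record belongs to a data subject other than "
                               "the one requested")
    if (session.caller_dni != account.holder_dni
            and session.caller_dni not in account.representatives):
        return Decision(False, "caller is neither holder nor registered "
                               "legal representative")
    if account.closed:
        # Assumption: after cancellation the SAC sees only a blocked marker
        # and must route the caller to the managing branch.
        return Decision(False, "contract cancelled: data blocked at SAC "
                               "level, route to managing branch")
    return Decision(True, "disclosure permitted")


def route_request(session: CallSession) -> Dict[str, Decision]:
    """Evaluate every stored account against one call session."""
    return {acc.contract: authorize_disclosure(session, acc) for acc in ACCOUNTS}


if __name__ == "__main__":
    print("legacy pivot from", YOUNGEST, "->", legacy_route(YOUNGEST))
    unauthenticated = CallSession(caller_dni=None, requested_dni=YOUNGEST)
    for contract, d in route_request(unauthenticated).items():
        print(contract, "allowed" if d.allowed else "denied", "-", d.reason)
    mother = CallSession(caller_dni=MOTHER, requested_dni=YOUNGEST)
    live = replace(ACCOUNTS[0], closed=False)
    print("mother, live account:", authorize_disclosure(mother, live).reason)
```

Run stand-alone, `legacy_route` shows the pivot reaching CONTRACT.3 (D.D.D.'s account) from nothing more than B.B.B.'s DNI, while `authorize_disclosure` refuses every record for the unauthenticated session and, even for the authenticated mother asking about B.B.B., refuses D.D.D.'s record on the subject check. Whether a cancelled contract should be fully blocked to the call centre or merely flagged is a retention-policy choice; the decision only establishes that the eldest daughter's data were still being processed by the SAC after cancellation.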
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: PS/00388/2022

RESOLUTION OF SANCTIONING PROCEDURE

Of the procedure instructed by the Spanish Data Protection Agency, based on the following

BACKGROUND

FIRST: Ms. A.A.A. (hereinafter the claimant) filed a claim before the Spanish Data Protection Agency on 06/01/2021. The claim is directed against CAIXABANK S.A. with NIF A08663619 (hereinafter, the respondent). The grounds of the claim are the following: since 02/11/2021 she has requested on several occasions from the respondent information about an account of her youngest daughter, of whom she has exclusive guardianship and custody, the father and the mother of the minor appearing on that account as legal representatives. She states that, after receiving a reply that the information could not be provided to an e-mail address not registered in the respondent's database, on 02/25/2021 she called the respondent reiterating her request for information, and the operator told her that the information was blocked, although he sent an e-mail to the coordination department so that they could contact the claimant and provide more information. That same day she received a call from the director of a different branch providing her with information about another of her daughters, so the claimant pointed out the error and noted that, moreover, she had not previously identified herself with her own ID. Finally, the director confirmed that the account of the daughter she had actually asked about had been cancelled and that she had to go to the corresponding branch for more information. On 02/26/2021 she went to that branch, where the father of the minor, with whom she is in divorce proceedings, works, and after some reluctance they finally told her that the account had been cancelled by the minor's father and that a transfer had been made to one of his accounts.
On 03/03/2021 she requested access to certain documentation relating to the account, as well as the recordings of the calls made on the matter to the Customer Service (SAC), without the recordings having been provided. She also filed several complaints (on 03/23, 03/24 and 03/31/2021) expressing her disagreement with the cancellation of her daughter's account, for which only the father's signature was recorded, and with the obstruction she met when requesting information, without receiving a reply. She provides the following documentation:
- DNI of the claimant's youngest daughter.
- Copies of various e-mails between 02/11/2021 and 02/23/2021 requesting information about the cancelled bank account, addressed to the director of the BANKIA, S.A. branch where the account had been opened.
- Copy of the e-mail from the claimant's lawyer sent to the director of the BANKIA, S.A. branch where the account had been opened, requesting various information, including the recordings of the claimant's calls of 02/25/2021. This document states that the requested information was provided by the entity except for the recordings.
- Copy of the e-mail dated 04/23/2021 with a claim addressed to BANKIA, S.A.
- Forwarding of a copy of the previous e-mail to CAIXABANK, S.A. following the merger by absorption of BANKIA, S.A. into CAIXABANK, S.A.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es

SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on the Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on 07/01/2021 the claim was transferred to the respondent so that it could analyse it and inform this Agency, within one month, of the actions taken to comply with the requirements of the data protection regulations.
The transfer, carried out in accordance with the rules established in Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), was received on 07/01/2021, as shown by the acknowledgment of receipt in the file. On 07/30/2021 this Agency received a letter from the respondent stating that the bank account in question was held by the claimant's daughter, a minor, with her parents appearing as authorised persons in their capacity as the minor's parents. As regards the recordings of the calls, a transcript was made available to the claimant through the branch, should she wish it. As regards the call received from CaixaBank branch ***OFFICE.1 to inform her about another of her minor daughters, about whom she had requested no information, this was an involuntary error by the telephone customer service operator, who referred the instruction to the branch where an account in the name of another of her daughters was held. There is the e-mail sent by the operator to branch ***OFFICE.1 asking that branch to contact the claimant regarding the account opened in the name of her other daughter, whereas the client's interest was in information relating to the account opened in the name of her youngest daughter. The error was in any case involuntary and does not imply any transfer of data to third parties, since in addition the recipient of the information, the claimant, is entitled to it in her capacity as mother and legal representative. In no case has harm been caused to the data subject. After the response to the transfer of the claim, the claimant again requested the recordings and they were not provided. According to her, the recordings show that she never identified herself with her own ID but with that of her daughter, the holder of the account in dispute.
She suspects that, in response to her request for information on her daughter's account (which was cancelled by the father, from whom she is in the process of divorcing), the respondent is trying to hide this information by giving her the account information of the other daughter (which they attribute to a mistake).

THIRD: On 10/25/2021, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing.

FOURTH: The General Subdirectorate of Data Inspection carried out preliminary investigative actions to clarify the facts, by virtue of the functions assigned to supervisory authorities in article 57.1 and the powers granted in article 58.1 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with Title VII, Chapter I, Second Section, of the LOPDGDD, establishing the following: It is confirmed from her DNI that the claimant's daughter, whose account was cancelled by only one of the parents, is under 14 years of age. As regards access to the information requested by the claimant from the entity, this was provided with the exception of the recordings, about which the respondent informed the claimant that they had been made available at branch ***OFFICE.2 of BANKIA, S.A., at ***ADDRESS.1, ***LOCATION.1, where the minor's account was held, according to the Customer Service (hereinafter SAC) reply included in the documentation submitted by the respondent. There is no evidence that the claimant went to that branch to collect them.
Copies of the recordings of the telephone calls made by the claimant to the SAC were requested from the respondent; on 03/16/2022, under registry numbers REGAGE22e00007574995, REGAGE22e00007575005, REGAGE22e00007575017, REGAGE22e00007575028 and REGAGE22e00007843841, the respondent sent a response brief presenting the requested recordings. After analysing the recordings, the following conclusions can be drawn:
- Call of 02/25/2021 at 10:27 a.m.: It is verified that in the first call to Customer Service the claimant only provided the DNI of her youngest daughter. This daughter's checking account was blocked, so the customer service agent could not access the data of that account. The agent indicated that he would forward the incident to "coordination" by e-mail and that she would receive a call with whatever information they could provide.
- Call of 02/25/2021 at 12:38 p.m.: In the second recording the claimant states that she was called by the SAC (one hour after the call described in the previous paragraph) to inform her, incomprehensibly, about her eldest daughter's data. As regards access to the data of her minor daughter's account, it is verified that the account no longer exists and the personal data relating to it are blocked, since the customer service agent no longer has visibility of any account data under the DNI of the claimant or of her youngest daughter.
The respondent was asked about any active products of the claimant's eldest daughter and to confirm the cancellation date of the products no longer active; on 06/01/2022 CAIXABANK sent a letter informing that the only product of this daughter of the claimant was cancelled on 01/10/2020. A copy of the cancellation document is attached.
As regards the association of her other daughter with the claimant in the call received from Customer Service on 02/25/2021 (after her first call), which the claimant finds incomprehensible, it has not been possible to determine the cause of the identification error, which the respondent attributes to an inadvertent error by the SAC agent. What is verified, according to the information in the previous paragraph, is that once the contractual relationship between the respondent and the claimant's eldest daughter ended in January 2020, her personal data were not blocked and continued to be processed by the SAC, at least until 02/25/2021, the day the claimant received a telephone call from the SAC informing her of this daughter's data instead of the data relating to the checking account of the youngest daughter, which was what she had asked about. As regards the cancellation of the bank account of the claimant's youngest daughter, Annex four of the claim filed with this Agency contains the reply from the director of branch ***OFFICE.2 of BANKIA, S.A., at ***ADDRESS.1, ***LOCATION.1, dated 03/03/2021, informing the claimant that her youngest daughter's checking account was cancelled on 01/28/2020 by the other parent, the outstanding balance being transferred to his checking account. Regarding this cancellation, it is verified that, although for the original opening of the checking account at Banco Mare Nostrum-Caja Murcia (later acquired by Bankia and finally by CaixaBank) the signatures of both parents were required, for the cancellation order requested from CaixaBank only the father's signature was required, the father being an employee of the CaixaBank branch where the claimant's youngest daughter's account was held.
It is therefore established that the respondent cancelled the checking account of the claimant's youngest daughter with the consent of the minor's father alone and without the claimant's knowledge.

FIFTH: Once notified of the initiation agreement, the respondent requested on 09/08/2022 an extension of the period to reply; the extension was granted by letter dated 09/09/2022. On 09/15/2022 the respondent submitted a written statement arguing, in summary: the defencelessness caused by the amount of the sanction being set in the initiation agreement; the non-existence of an infringement of article 15 of the GDPR, since the right of access was handled in accordance with the personal data protection regulations; the non-existence of an infringement of article 32.1 of the GDPR, and that, in her capacity as legal representative of the minors, access to the information of those accounts by the claimant is absolutely legitimate; that the Agency is ruling on civil matters when it is the Agency itself that has established that such matters do not fall within its sphere of competence; and that the aggravating factors which this Agency improperly and inappropriately considers to apply are not applicable, while, on the contrary, there are mitigating circumstances that have not been considered.

SIXTH: On 03/21/2023 the opening of an evidentiary period was agreed, ordering the following:
- The claims filed by the claimants and their documentation, together with the documents obtained and generated by the Inspection Services that form part of the file, are deemed reproduced for evidentiary purposes.
- The allegations to the initiation agreement submitted by the respondent are deemed reproduced for evidentiary purposes.

SEVENTH: On 04/05/2023 a Resolution Proposal was issued to the effect that the Director of the Spanish Data Protection Agency sanction the respondent for a violation of article 15 of the GDPR, typified in article 83.5.a) of the GDPR, with a fine of 35,000 euros (thirty-five thousand euros) and, for a violation of article 32.1 of the GDPR, typified in article 83.4.a) of the GDPR, with a fine of 25,000 euros (twenty-five thousand euros). An Annex with the documents making up the administrative file was attached. On 04/11/2023 the respondent requested a copy of the file, which was sent to it by letter of 04/13/2023. On 04/19/2023 it also requested an extension of the deadline for allegations, which was granted by letter of the instructor dated 04/21/2023. On 04/27/2023 the respondent submitted a brief of allegations in which it deemed reproduced those made throughout the procedure and, in addition, reiterated that there was no violation of article 15 of the GDPR nor any infringement of article 32 of that Regulation, requesting that the procedure be closed.

EIGHTH: From the actions carried out in this procedure, the following facts have been established:

PROVEN FACTS

FIRST.
On 06/01/2022 a written submission from the claimant was entered at the AEPD stating that she had requested information from the respondent on several occasions about an account of her daughter B.B.B., a minor, of whom she has exclusive guardianship and custody, both parents being her representatives; that after receiving a reply that such information could not be provided to an e-mail address not registered in the database, she contacted the respondent again reiterating her request for information and the operator told her that the information was blocked, although he sent an e-mail to the coordination department so that they could contact the claimant and offer more information; that the same day she received a call from the director of a different branch providing her with information about another of her daughters, and she pointed out the mistake; that finally the director confirmed that the account of the daughter she was asking about had been cancelled and that she had to go to the relevant branch for more information; that the minor's father, with whom she is in divorce proceedings, works at that branch; that she was finally told that the account had been cancelled by the father and the funds transferred to one of his accounts; that she requested access to documentation relating to the account, as well as the recordings of the calls made on the matter to the SAC, without the recordings having been provided; and that she also filed submissions expressing her disagreement with the cancellation of her daughter's account, for which only the father's signature was recorded, and with the obstruction she met when requesting information, without having received a reply.

SECOND. There is evidence of e-mails exchanged with the Director of the respondent's branch requesting information on the minor's account. The e-mail of 02/11/2021 states: "(...)
Through this e-mail I request information about the bank account of my daughter B.B.B...., with DNI..., since I was listed as the holder of it together with C.C.C. and I do not know either the account number or other information and/or incidents that may have occurred. (...)"
On 02/18/2021 the claimant addressed the Director of the branch again, stating: "(...) By means of this e-mail I inform you that I am still waiting for you to report... (...)"
On 02/23/2021 she obtained a reply from the Director of the branch in the following terms: "I beg your pardon, but we cannot give information through this channel to an e-mail address that we do not know in our database..."
On 02/23/2021 the claimant wrote again to the same person: "In response to your previous e-mail and, nevertheless, understanding that my personal details remain accredited, since I already included in my previous e-mail my National Identity Document as well as that of my daughter, please let me know as soon as possible whether I have to make the request by attaching a scanned signed letter with all my details and my request for information (given the situation of prevention due to COVID infections this is usually the usual practice), or whether, on the contrary, you will grant me an appointment at your branch to discuss this matter at whatever time suits you best; however, I would appreciate obtaining said information as soon as possible, given the situation, my great concern, and the delay in your negative answer."

THIRD. On 02/23/2021 the claimant sent an e-mail to the Customer Service in relation to the cancellation of the "My First Account" contract of her daughter, contract no. ***CONTRACT.1, stating: "By means of this e-mail, I, the claimant, with DNI..., send you the Written Claim that I present as claimant as of today, duly signed, as well as the annexed documents that accompany it..."

FOURTH.
The Complaint Document of 03/23/2021 has been provided, informing the respondent of the incidents described in the first proven fact, together with copies of the DNIs of the claimant and of her youngest daughter B.B.B.

FIFTH. The Order of the Court for Violence against Women No. 1 of ***LOCATION.1, in proceedings for preliminary provisional measures, whose operative part states: "(...) - Guardianship and custody of the daughter is attributed to the mother, parental authority being shared by both parents. (...)"

SIXTH. On 03/01/2021 the claimant's legal representative sent, in her name and on her behalf, an e-mail to the respondent requesting all the documentation relating to the cancellation of the "My First Account" contract no. ***CONTRACT.1, held by the minor. A copy of the recordings of the telephone calls of 02/25/2021 was also requested.

SEVENTH. There is a reply from the respondent dated 03/03/2021 stating: "In response to the claimant's request for information about current and/or cancelled bank accounts of her daughter B.B.B.... in our entity, and having consulted the records held by this branch, I inform you that: there is only one registered Child Savings Book, opened at Banco Mare Nostrum on 19 October 2017 with customer account code no. ***CONTRACT.2, the holder being B.B.B...., with DNI..., and the legal representatives being Mr. C.C.C., with DNI..., and the claimant, with DNI... Said account was cancelled, already under Bankia and with account number ***CONTRACT.1, on 28 January 2020 by the legal representative Mr. C.C.C. The balance resulting from the cancellation amounted to €480.00, an amount that was transferred to a checking account opened in this entity held by Mr. C.C.C."

EIGHTH. The Child Savings Book contract no. ***CONTRACT.2, in which the minor B.B.B. appears as holder
and her parents as representatives, signed in ***LOCATION.1 on 10/19/2017.

NINTH. The cancellation of the "My First Account" contract dated 01/28/2020, signed by the minor's father, has been provided, stating: "In accordance with the terms agreed in contract no. ***CONTRACT.1 My First Account dated 19 October 2017, the client requested on 28 January 2020 the cancellation of the same."

TENTH. There is a letter from the claimant dated 03/11/2021 addressed to the respondent requesting a copy of the recordings of the calls made to Customer Service on 02/25/2021.

ELEVENTH. There is a written reply from the respondent to the claimant dated 04/09/2021, stating: "(...) With regard to a possible breach of the data protection regulations in the call you received from branch ***OFFICE.1, we have requested a report from the Telephone Service Centre and they tell us that in the call of 02/25/2021 at 10:27, the operator, after asking for the minor's ID number, informed you that there were no open products in her name, so he did not see any information, but that the managing branch would call you to provide it. Apparently, the operator ran a query of cancelled accounts in the name of B.B.B. in order to identify all the participants, verifying that you held accounts at branch ***OFFICE.1, and therefore asked that branch to get in touch with you, although making a mistake regarding the identification of the minor. The file of this claim contains a transcript of the calls, which branch ***OFFICE.2 can deliver to you if you wish. (...)"

TWELFTH. There is a written reply from the respondent to the claimant dated 07/29/2021, stating: "In relation to your request, we reiterate the content of the reply given by the Customer Service on 9 April 2021, which answers your application.
In the part related to data and their interest in knowing if there had been "a possible crime of data protection", as indicated by the aforementioned Service of Customer Service, no type of crime has been committed, given that being you the mother of both minors in her capacity as legal representative has the right to know the information of both, being an involuntary error on the part of the operator who attended you, by providing the notice for them to contact you, to the office where you appear opened the account of his daughter D.D.D. and not to the office of his other daughter B.B.B., in which I was interested. THIRTEENTH. Figure provided by the claimed the email sent by the operator to the office ***OFFICE.1, without date, in which he requests that they contact with the claimant in relation to the account opened in the name of her daughter D.D.D.. FOURTEENTH. The claimant in writing of 11/09/2021 reiterates "her REQUEST for require the AEPD to CaixaBank the recordings and transcription of the calls of date 02/25/2021. The AEPD will check the telephone recordings and the transcription thereof, which in my call to Caixabank Customer Service of that day at 10:27 a.m. at no time did I identify myself with my personal ID and just provide the name and ID of my youngest daughter with ID .., so it turns out the response provided by Caixabank is totally inconsistent, since in no way moment the operator was able to link my ID with that of my other daughter, since in I had never made it easier…” FIFTEENTH. On 03/15/2022, the claimant at the request of the AEPD provided copies of recordings of telephone calls made to Customer Service of Bankia to the number *** TELEPHONE.1 dated 02.25.2021 made from the Mobile number ***PHONE.2 of the claimant. They do not mention any request from the account of D.D.D., daughter of the claimant, but information regarding to B.B.B., the claimant's youngest daughter. SIXTEENTH. 
Contract cancellation is also provided My first account, of 01/10/2020 signed by the mother and whose owner was D.D.D. and in which it is stated: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/23 "In accordance with what was agreed in contract no. ***CONTRACT.3 My first account dated January 8, 2015 the client has requested on January 10, 2020 the cancellation of the same. SEVENTEENTH. And in a letter dated 05/31/2022, the defendant reported that: “D.D.D. with DNI ***NIF.1 does not currently have any valid product in this Entity. In our systems it appears that he was the owner of a single product, contract number ***CONTRACT.3 (My first account), which was canceled on January 10, 2020”. . FUNDAMENTALS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, for the regulatory provisions dictated in its development and, as soon as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures." II The denounced facts materialize in the absence of a response to the request for access to the data and account information of the minor daughter requested by his mother, with breach of the security measures to determine the owner of the requested data (since the data of his other daughter's account is provided), which could violate data protection regulations. Article 58 of the GDPR, Powers, states: "2. 
Each supervisory authority shall have all of the following corrective powers: (...) (i) to impose an administrative fine pursuant to Article 83, in addition to, or instead of, the measures referred to in this paragraph, depending on the circumstances of each individual case; (...)"

In the first place, Article 15, "Right of access by the data subject", establishes that:

"1. The data subject shall have the right to obtain from the controller confirmation as to whether or not personal data concerning him or her are being processed, and, where that is the case, access to the personal data and the following information: (a) the purposes of the processing; (b) the categories of personal data concerned; (c) the recipients or categories of recipient to whom the personal data have been or will be disclosed, in particular recipients in third countries or international organisations; (d) where possible, the envisaged period for which the personal data will be stored, or, if not possible, the criteria used to determine that period; (e) the existence of the right to request from the controller rectification or erasure of personal data or restriction of processing of personal data concerning the data subject or to object to such processing; (f) the right to lodge a complaint with a supervisory authority; (g) where the personal data are not collected from the data subject, any available information as to their source; (h) the existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject. 2.
Where personal data are transferred to a third country or to an international organisation, the data subject shall have the right to be informed of the appropriate safeguards pursuant to Article 46 relating to the transfer. 3. The controller shall provide a copy of the personal data undergoing processing. For any further copies requested by the data subject, the controller may charge a reasonable fee based on administrative costs. Where the data subject makes the request by electronic means, and unless otherwise requested by the data subject, the information shall be provided in a commonly used electronic form. 4. The right to obtain a copy referred to in paragraph 3 shall not adversely affect the rights and freedoms of others."

Meanwhile, with regard to the right of access, Article 13 of the LOPDGDD provides that:

"1. The right of access of the data subject shall be exercised in accordance with Article 15 of Regulation (EU) 2016/679. Where the controller processes a large amount of data relating to the data subject and the data subject exercises the right of access without specifying whether it refers to all or part of the data, the controller may, before providing the information, request that the data subject specify the data or processing activities to which the request refers.

2. The right of access shall be deemed granted if the controller provides the data subject with a system of remote, direct and secure access to the personal data that permanently guarantees access to all of them. For these purposes, the controller's communication to the data subject of the way in which the latter may access that system shall suffice for the request to exercise the right to be considered answered. However, the data subject may request from the controller the information
referred to in Article 15(1) of Regulation (EU) 2016/679 that is not included in the remote access system.

3. For the purposes established in Article 12(5) of Regulation (EU) 2016/679, the exercise of the right of access on more than one occasion during a six-month period may be considered repetitive, unless there is a legitimate reason for it.

4. Where the data subject chooses a means other than the one offered that entails a disproportionate cost, the request shall be considered excessive, so that the data subject shall bear the excess costs that this choice entails. In that case, the controller shall only be required to satisfy the right of access without undue delay."

III

1. In the first place, the respondent alleges a lack of defence arising from the setting of the amount of the sanction in the initiation agreement, since the sanctioning body proceeds ab initio to set the amounts of the sanctions imputed, and considers that this amounts to reprehensible conduct affecting the exercise of its rights.

It should be noted that the National Court (Audiencia Nacional), in its Judgment of 09/12/2022, which the respondent should know well since it was the appellant in the contentious-administrative proceedings brought and dismissed, ruled on these and other issues, such as the alleged lack of competence of the person signing the resolution:

"FOURTH.- Secondly, it argues for the full nullity of the contested resolution on the ground of violation of the appellant's right to effective judicial protection and defence, since the initiation agreement established "inaudita parte" the amount of the penalty to be imposed, which ultimately coincides with that contained in the sanctioning resolution. In addition, there is a contamination of the inspector's activity by the body competent to resolve, which ab initio shows the investigating body the terms in which, in its view, the procedure should conclude.
It points out that Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations, introduces no novelty in Article 64 on the regulatory regime of agreements initiating sanctioning procedures, and that the wording of Article 85 does not, in its view, amount to an authorisation to prejudge the case in the initiation agreement, with the consequent breach of the rights of the defendant in the procedure.

Regarding the determination of the sanction ab initio, the initiation agreement of 7 October 2020 (pages 43 et seq. of the procedure), in addition to appointing the investigator and listing the facts and their classification, states in its operative paragraph 4 "THAT, for the purposes provided in Article 64(2)(b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), the sanction that could correspond would be an administrative fine of €50,000, without prejudice to what results from the investigation". In addition, in its operative paragraph 5, it is agreed to notify the aforementioned agreement to BANKIA S.A., granting it a hearing period of ten working days to submit allegations and propose the evidence it deems appropriate, and it is indicated that "In accordance with Article 85 of the LPACAP, in the event that the sanction to be imposed is a fine, it may acknowledge its responsibility within the period granted for submitting allegations to this initiation agreement, which will entail a reduction of 20% of the sanction that should be imposed in this procedure (...). Likewise, it may at any time before the resolution of this procedure make voluntary payment of the proposed sanction, in accordance with Article 85(2) of the LPACAP, which will mean a reduction of 20% of its amount (...).
The reduction for voluntary payment of the sanction is cumulative with the one that applies for acknowledgment of responsibility, provided that such acknowledgment of responsibility is made within the period granted for submitting allegations to the opening of the procedure."

Well, the aforementioned Article 64 establishes in its paragraph 2 that the agreement initiating sanctioning procedures must contain, "at least", insofar as relevant here: "b) The facts giving rise to the initiation of the procedure, their possible classification and the sanctions that may correspond, without prejudice to what results from the investigation (...)". "d) The body competent to resolve the procedure (...), indicating the possibility that the alleged offender may voluntarily acknowledge his responsibility, with the effects provided for in Article 85".

That is to say, the initiation agreement must record at least the facts, their possible classification and the sanctions that may be imposed, and must inform, from the outset, of the possibility of applying the reductions permitted by Article 85 of the LPACAP, which presupposes an initial, provisional determination of the sanctions that may correspond, without prejudice to what results from the investigation. The indication referred to in letter d) of the aforementioned Article 64(2) was not contemplated in the initiation agreement regulated in Article 13 of Royal Decree 1398/1993, of 4 August, approving the Regulation on the Procedure for the Exercise of the Sanctioning Power, repealed by the sole repealing provision of Law 39/2015.

For its part, Article 85 LPACAP provides: "1. Once a sanctioning procedure has been initiated, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2.
Where the sanction is solely pecuniary in nature, or where a pecuniary sanction and a non-pecuniary one may be imposed but the inappropriateness of the latter has been justified, voluntary payment by the presumed offender at any time prior to the resolution shall entail the termination of the procedure, except as regards the restoration of the altered situation or the determination of compensation for the damages caused by the commission of the offence. 3. In both cases, where the sanction is solely pecuniary, the body competent to resolve the procedure shall apply reductions of at least 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure, and their effectiveness shall be conditional on the withdrawal of, or waiver of, any action or appeal in administrative proceedings against the sanction."

Thus, in view of the aforementioned provisions and following the criterion of the SAN, Section 3, of 19 June 2019 (Rec. 447/2018), in a case similar to the present one: "There is therefore no legal impediment to the initiation agreement containing an initial and provisional specification of the sanction(s) that may correspond to the facts investigated, within those provided by law, which does not imply a reduction in the rights of the defendant, since this is done 'without prejudice to what results from the investigation (...)', and this initial and provisional specification, for the sake of speed and efficiency in administrative work, allows voluntary payment from the very moment of initiation (...). There is no legal basis for understanding that the specification of the sanction and the operation of voluntary payment cannot take place until the proposed resolution following the corresponding investigation."
That is, the competence to adopt the agreement initiating the sanctioning procedure entails the obligation that the agreement contain all the circumstances provided for by the applicable rules, including the provisional determination of the sanction that may correspond, which is without prejudice to what results from the investigation of the procedure. The competence to investigate the procedure lies with the investigator and the secretary, who were designated in operative paragraph 2 of the aforementioned agreement, which indicated that either of them could be challenged, where appropriate, in accordance with Articles 23 and 24 of Law 40/2015, of 1 October, on the Legal Regime of the Public Sector (LRJSP). It is therefore for the interested party, in view of the sanctioning agreement, to request the evidence it deems appropriate, make allegations, etc., so that no lack of defence can be found and the alleged violation cannot be upheld; moreover, the appellant has at no time shown its willingness to acknowledge responsibility for the sanctioned offence and benefit from the effects provided for in Article 85 of the LPACAP."

2. Secondly, the possible dispute raised in relation to the cancellation of the minor's account, carried out by the father without the involvement of the mother, who had guardianship and custody, is a matter that exceeds the competence of this authority.

3. The GDPR allows the rights of access, rectification, objection, erasure ("right to be forgotten"), restriction of processing, portability and not being subject to automated individual decisions to be exercised before the controller. If the controller does not act on the request, it must inform the data subject of the reasons for not acting and of the possibility of lodging a complaint with a supervisory authority if no answer has been obtained.
In the present case, although the complainant had to write to the respondent on numerous occasions so that the right of access to the information relating to the account of her youngest daughter B.B.B. could be processed, it must be considered, in light of the proven facts, that the response offered to the complainant on 03/03/2021 stated:

"In response to the complainant's request for information about current and/or cancelled bank accounts of her daughter B.B.B. ... at our entity, and having consulted the records held by this branch, we report that: there is only one Child Savings Book registered, opened at the entity Banco Mare Nostrum on October 19, 2017 with client account code no. ***CONTRACT.2, whose holder is B.B.B. ..., with ID ..., and whose legal representatives are D.C.C.C., with DNI ..., and the complainant, with DNI .... That account was cancelled, while already in Bankia, under account number ***CONTRACT.1, on January 28, 2020, by the legal representative D.C.C.C. The balance resulting from the cancellation amounted to €480.00, an amount that was transferred to a current account opened in this entity whose holder is D.C.C.C."

And also that "The Child Savings Book contract No. ***CONTRACT.2, in which the minor B.B.B. appears with her parents as representatives, was signed in ***LOCATION.1 on 10/19/2017".

On the other hand, as already happened with the bank information relating to the minor, the recordings of the two calls made by the complainant to the Customer Service (SAC) had to be requested both on 03/01/2021, by her legal representative, and on 03/11/2021, by the complainant herself, without obtaining a response until 04/09/2021, when she was told in writing that the transcription of the calls was made available to her: "(...) The file of this complaint contains a transcript of the calls, which branch ***OFFICE.2 can deliver, if desired.
(...)"

Therefore, it has been established that the respondent sent the complainant the information requested in connection with the banking information relating to her minor daughter B.B.B. and that, as regards the recordings containing the conversations held with the SAC operator, their transcription was made available; the exercise of the aforementioned right is therefore considered fulfilled.

From the foregoing it can be concluded that the respondent has not violated Article 15 of the GDPR, an infringement typified in Article 83(5)(a) of the GDPR.

IV

Secondly, Article 32 of the GDPR, "Security of processing", states:

"1. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate: (a) the pseudonymisation and encryption of personal data; (b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; (d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3.
Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law."

V

The violation of Article 32 of the GDPR is typified in Article 83(4)(a) of the GDPR in the following terms:

"4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher: (a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43; (...)"

For its part, Article 73 of the LOPDGDD, for limitation purposes, classifies as "Infringements considered serious": "In accordance with Article 83(4) of Regulation (EU) 2016/679, infringements that entail a substantial violation of the articles mentioned therein are considered serious and shall be time-barred after two years, and in particular the following: (...) g) The breach, as a consequence of a lack of due diligence, of the technical and organisational measures that have been implemented in accordance with the requirements of Article 32(1) of Regulation (EU) 2016/679". (...)"

1.
The GDPR defines a personal data breach as any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.

From the documentation in the file, there are clear indications that the respondent has violated Article 32 of the GDPR, since a security incident occurred when the account details of a third party (a daughter of the complainant) were provided by telephone without first verifying the identity of the person to whom the data were being provided.

It should be noted that the GDPR, in the aforementioned provision, does not establish a list of the security measures that apply according to the data being processed, but rather establishes that the controller and the processor shall implement technical and organisational measures that are appropriate to the risk entailed by the processing, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned. In addition, the security measures must be adequate and proportionate to the risk detected, and the technical and organisational measures must be determined taking into account: pseudonymisation and encryption; the ability to ensure confidentiality, integrity, availability and resilience; the ability to restore availability of and access to data after an incident; and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.
In any case, when assessing the appropriate level of security, particular account must be taken of the risks presented by the processing, such as those arising from the accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or the unauthorised disclosure of or access to such data, which could cause physical, material or non-material damage.

In this regard, recital 83 of the GDPR states: "(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage."

2.
As indicated in the previous grounds, from the complainant's statements and the documentation provided to the file it can be concluded that, after requesting access to her daughter's data without receiving an answer, on 02/25/2021 she called the respondent's customer service by telephone to reiterate her request for information; the operator who attended her informed her that the account had been cancelled and sent an e-mail to the coordination department so that they would contact the complainant and offer her information in this regard; and, that same day, the complainant received a call from the manager of a branch other than the one to which the account was assigned, who provided her with information about another of her daughters without requesting any proof of her identity.

The infringed provision governs the security of processing in relation to the specific security measures that must be implemented, such that, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk. This includes, among other matters, guaranteeing that when data relating to a person are requested, the data to which access is given are those relating to the person who is their owner and not those of a third person, even if that third person is also the complainant's daughter and holds an account with the same entity.

The respondent itself, in its submission of 07/29/2021, acknowledges the infringement committed, stating: "In relation to your request, we reiterate the content of the response issued by the Customer Service Department on April 9, 2021, which answers your request.
In the part relating to data and your interest in knowing whether there had been a "possible data protection crime", as the aforementioned Customer Service indicated to you, no crime of any kind has been committed, since you, as the mother of both minors and in your capacity as their legal representative, have the right to know the information of both; it was an involuntary error on the part of the operator who attended you, who sent the notice requesting that you be contacted to the branch where your daughter D.D.D.'s account was opened and not to the branch of your other daughter B.B.B., in whom you were interested."

And in the recordings finally sent at the request of the investigator, having listened to them, there is no record that the complainant requested, or was to be provided with, any information about her daughter D.D.D., since the information in which she was interested concerned the account of her other daughter B.B.B., of whom she had guardianship and custody; information that had been requested in both earlier and later submissions.

The respondent has argued that a human error cannot be turned into a security breach, since the complainant accessed data that she had a legitimate right to access, even though they were not what she had requested.

However, this is not a matter of turning a mistake into a security incident; rather, the protocol, procedure, system or measures established by the respondent failed, allowing access to third-party data that the complainant had not requested.

3. The liability of the respondent is determined by the breach of security reported by the complainant, since the respondent is responsible for taking the decisions aimed at effectively implementing the appropriate technical and organisational measures to guarantee a level of security appropriate to the risk, ensuring the confidentiality of the data, restoring their availability and preventing access to them in the event of a physical or technical incident.

4.
In its brief of allegations to the Proposal, the respondent insists that it has not infringed Article 32(1) of the GDPR, that in no case has there been a leak of or improper access to the data, and that in this regard the judgment of the Supreme Court (T.S.) of 02/15/2022 clearly establishes that the obligation imposed by Article 32 to adopt technical and organisational measures aimed at guaranteeing confidentiality is an obligation of means and not of result.

However, the respondent itself maintains in its brief that there was an error in management, as the complainant was given documentation different from that requested.

On the other hand, it is true that the Supreme Court states in its judgment: "The obligation to adopt the necessary measures to guarantee the security of the data cannot be considered an obligation of result, which would imply that, once a leak of personal data to a third party has occurred, liability exists regardless of the measures adopted and the activity carried out by the controller of the file or processing. In obligations of result there is a commitment consisting in the fulfilment of a certain objective, ensuring the achievement of the proposed result, in this case guaranteeing the security of personal data and the absence of leaks or security breaches. In obligations of means, the commitment acquired is to adopt technical and organisational means, and to deploy diligent activity in their implementation and use, tending to achieve the expected result with what can reasonably be classified as suitable and sufficient for its achievement, which is why they are called obligations 'of diligence' or 'of conduct'. The difference lies in the liability in each case, because while the obligation of result answers for a harmful result due to the failure of the security system, whatever its cause and the diligence employed, in the obligation of means it suffices to establish technically appropriate measures and to implement and use them with reasonable diligence.
In the latter, the sufficiency of the security measures that the controller must establish has to be related to the state of the art at all times and to the level of protection required in relation to the data processed, but a result is not guaranteed."

But it is also true that the Court confirms that the design of the necessary technical and organisational means is not enough, since their correct implementation and proper use are also necessary.

Therefore, in accordance with the foregoing, it is found that the respondent is responsible for the infringement of Article 32(1) of the GDPR, an infringement typified in Article 83(4)(a) thereof.

VI

In order to establish the administrative fine to be imposed, the provisions of Articles 83(1) and 83(2) of the GDPR must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2. Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2).
When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following: (a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them; (b) the intentional or negligent character of the infringement; (c) any action taken by the controller or processor to mitigate the damage suffered by data subjects; (d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32; (e) any relevant previous infringements by the controller or processor; (f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement; (g) the categories of personal data affected by the infringement; (h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement; (i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures; (j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and (k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement."
In relation to letter (k) of Article 83(2) of the GDPR, Article 76 of the LOPDGDD, "Sanctions and corrective measures", establishes that:

"2. In accordance with Article 83(2)(k) of Regulation (EU) 2016/679, the following may also be taken into account: a) The continuing nature of the infringement. b) The link between the activity of the offender and the processing of personal data. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the data subject may have induced the commission of the infringement. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The effect on the rights of minors. g) Having, when it is not mandatory, a data protection officer. h) The voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject."
- In accordance with the provisions transcribed above, for the purpose of setting the amount of the sanction to be imposed in the present case for the infringement of article 32.1 of the GDPR, typified in article 83.4.a) of the GDPR, for which the defendant is held responsible, the following factors are, on an initial assessment, considered to concur as aggravating circumstances: The nature, seriousness and duration of the infringement: the facts disclosed manifestly and seriously affect a fundamental issue of data protection, namely the establishment of the necessary and adequate technical and organisational measures, the breach of which is classified as serious. It is obvious that the technical and organisational measures implemented affect the security of the processing, since data relating to one person, a minor, was requested, and data relating to a different person, the former's sister, about whom no information had been requested, ended up being provided and made accessible. As previously indicated, the data of minors has been affected (article 83.2.g) of the GDPR). The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties. In the activity of the entity complained of, the processing of personal data is essential; therefore, given the company's volume of business, the significance of the conduct that is the object of this claim is undeniable (article 76.2.b) of the LOPDGDD in relation to article 83.2.k). The intentionality or negligence in the infringement: the defendant acted with a serious lack of diligence by allowing access to data that had not been requested. In connection with the degree of diligence that a controller is obliged to exercise in complying with the obligations imposed by data protection regulations, the judgment of the National Court (SAN) of 10/17/2007 can be cited.
Although it was issued before the GDPR entered into force, its reasoning can be perfectly extrapolated to the case under analysis. The ruling, after noting that entities whose activity entails the continuous processing of data of clients and third parties must observe an adequate level of diligence, specified that "(...) the Supreme Court has held that there is negligence whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. In assessing the degree of diligence, particular consideration must be given to whether or not the subject is a professional, and there is no doubt that, in the case now examined, where the appellant's activity involves the constant and copious handling of personal data, rigour and exquisite care in complying with the legal provisions in this regard must be insisted upon" (article 83.2.b) of the GDPR). The volume of business or activity of the entity, since it is one of the three leading financial entities in the national market, with a net profit of 4,801 and 3,145 million euros in the financial years 2021 and 2022 respectively (article 83.2.k) of the GDPR). As mitigating circumstances: - The existence of a merger by absorption after the infringement was committed, which cannot be attributed to the absorbing entity. On 03/25/2021 the deed of merger by absorption of Bankia (absorbed entity) by Caixabank (absorbing entity) was executed, with the extinction of the former and the en bloc transfer, by universal succession, of all its assets, liabilities, rights and obligations. In accordance with these factors, it is deemed appropriate to impose on the defendant a penalty of 25,000 euros. IX The corrective powers that the GDPR attributes to the AEPD as supervisory authority are listed in article 58.2, sections a) to j).
Article 83.5 of the GDPR establishes the sanction of an administrative fine (article 58.2.i) for the conduct typified therein, without prejudice to the fact that, as provided in article 83.2 of the GDPR, administrative fines may be imposed together with the other corrective measures provided for in article 58.2 of the GDPR. Having confirmed the infringement, it is appropriate to require the controller to adopt appropriate measures to bring its conduct into line with the aforementioned regulations, in accordance with the provisions of article 58.2.d) of the GDPR, according to which each supervisory authority may "d) order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period". In the present case, the defendant is required, within a period of one month from the notification of this resolution, to: - Provide evidence of the adoption of adequate measures to prevent the recurrence of incidents such as those that led to the opening of this sanctioning procedure, avoiding security incidents such as the one in question, in which documentation relating to third parties about whom no information had been requested was provided. It is noted that failure to comply with this requirement may be considered an administrative offence under the GDPR, classified as an infringement in its articles 83.5 and 83.6, and such conduct may give rise to the opening of a subsequent administrative sanctioning procedure.
Therefore, in accordance with the applicable legislation and having assessed the criteria for graduating sanctions whose existence has been accredited, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: To IMPOSE on CAIXABANK S.A., with NIF A08663619, for an infringement of article 32.1 of the GDPR typified in article 83.4.a) of the GDPR, a fine of €25,000 (twenty-five thousand euros). SECOND: To NOTIFY this resolution to CAIXABANK S.A. THIRD: To warn the sanctioned party that it must pay the fine imposed once this resolution becomes enforceable, in accordance with the provisions of art. 98.1.b) of Law 39/2015, of October 1, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by paying it, indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document, into the restricted account with IBAN number ES00-0000-0000-0000-0000-0000 (BIC/SWIFT code: CAIXESBBXXX), opened in the name of the Spanish Data Protection Agency at the banking entity CAIXABANK, S.A. Otherwise, it will be collected in the enforcement period. Once the notification has been received and the resolution is enforceable, if the enforceability date falls between the 1st and 15th of the month, both inclusive, the deadline for making the voluntary payment will be the 20th day of the following month or the immediately following business day, and if it falls between the 16th and the last day of the month, both inclusive, the payment deadline will be the 5th of the second following month or the immediately following business day. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once the interested parties have been notified.
Against this resolution, which puts an end to the administrative process in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month from the day following the notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of that Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this in writing to the Spanish Data Protection Agency, presenting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through any of the other registries provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. It must also send the Agency the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not made aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, the precautionary suspension will be terminated.

Mar España Martí
Director of the Spanish Data Protection Agency