AEPD (Spain) - EXP202201721: Difference between revisions
No edit summary |
No edit summary |
||
Line 67: | Line 67: | ||
}} | }} | ||
The Spanish DPA fined €70,000 | The Spanish DPA fined BBVA €70,000 for not securely verifying the data subject's identity. A third party who had stolen the data subject's identity was therefore, able to withdraw money, violating [[Article 6 GDPR|Article 6]] and [[Article 32 GDPR|Article 32 GDPR]]. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, a total of €9,400, without his authorization or consent. The withdrawn request was made in person at the | In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, a total of €9,400, without his authorization or consent. The withdrawn request was made in person at the local bank branch. | ||
The | The withdrawal required the signature of the third party. The third party was able to withdraw the money despite their signature not corresponding to the signature on the data subject's ID card. | ||
=== Holding === | === Holding === | ||
Line 84: | Line 84: | ||
== Comment == | == Comment == | ||
The DPA seems to consider the authentication procedure itself as "processing" and therefore Article 32 GDPR applies even if the damage is only monetary in nature. | |||
== Further Resources == | == Further Resources == |
Revision as of 13:50, 4 October 2023
AEPD - PS/00456/2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 32(1) GDPR Article 83(4)(a) GDPR Article 83(5)(a) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | 28.12.2021 |
Decided: | 12.09.2023 |
Published: | 12.09.2023 |
Fine: | 70,000 EUR |
Parties: | Banco Bilbao Vizcaya Argentaria, S.A. |
National Case Number/Name: | PS/00456/2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | Mgrd |
The Spanish DPA fined BBVA €70,000 for not securely verifying the data subject's identity. A third party who had stolen the data subject's identity was therefore, able to withdraw money, violating Article 6 and Article 32 GDPR.
English Summary
Facts
In July 2021, the data subject lost his ID card. A third party went to his bank with the ID card and withdrew all the money available in the account, a total of €9,400, without his authorization or consent. The withdrawn request was made in person at the local bank branch.
The withdrawal required the signature of the third party. The third party was able to withdraw the money despite their signature not corresponding to the signature on the data subject's ID card.
Holding
The Spanish DPA considered that the bank did not adopt security measures by not verifying the data subject identity reliably. In the case, the employee of the bank did not correctly identify the person who made the withdrawal, since it was carried out by a person other than the data subject, with the documentation stolen from the data subject.
As highlighted by AEPD, it was a serious lack of negligence that would have been overcome if the procedures and protocols implemented had been correctly followed, correctly comparing and verifying both the photograph and the signature of the document that was presented in the request.
By not having implemented and not using appropriate technical and organizational measures to ensure a level of security appropriate to the risk in this treatment, the controller violated Article 6 and Article 32 GDPR.
Comment
The DPA seems to consider the authentication procedure itself as "processing" and therefore Article 32 GDPR applies even if the damage is only monetary in nature.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/26 File No.: EXP202201721 RESOLUTION OF SANCTIONING PROCEDURE From the procedure instructed by the Spanish Data Protection Agency and based to the following BACKGROUND FIRST: Ms. A.A.A. (hereinafter the claimant) on 12/28/2021 filed claim before the Spanish Data Protection Agency. The claim is directs against BANCO BILBAO VIZCAYA ARGENTARIA, S.A. with NIF A48265169 (in hereinafter the claimed). The reasons on which the claim is based are the following: The affected party states that, after losing her ID and filing the corresponding complaint On 07/29/2021, a third party went to a branch of the defendant in ***LOCALIDAD.1, impersonating your identity and providing you with banking information, in addition to giving him all of the money that was deposited in the account, without your authorization or consent; considers that the claimed entity does not adopted the measures required by diligence as it had not reliably verified your identity (in relation to physical resemblance and signature). Provides: - Copy of complaint presented to the squad boys. It points out that the day of the request for the extract and refund was 07/26/2021 and the day of withdrawal of funds on 07/29/2021, in branch number ***SUCURSAL.1, as indicated, of information collected from the entity's Customer Service. - Unsigned bank document (a copy for the client), dated 09/23/2021, which indicates that you have received an amount of money corresponding to the amount that was arranged without his consent, and the commitment not to claim said amount in the future, waiving any right or action about such provision. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), on 02/11/2022 said claim was communicated to the party claimed, so that it could proceed with its analysis and inform this Agency within the period of one month, of the actions carried out to adapt to the planned requirements in data protection regulations. The transfer, which was carried out in accordance with the rules established in the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was collected on 02/14/2022 as stated in the acknowledgment of receipt in the file. The defendant responded on 02/23/2022 in writing in which he did not provide any information about the claim that was sent to you. THIRD: On 03/22/2022, in accordance with article 65 of the LOPDGDD, The claim presented by the complaining party was admitted for processing. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/26 FOURTH: The General Subdirectorate of Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in issue, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter GDPR), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following points: The respondent responded on 04/07/2022 providing the following information: - On 08/23/2021 the claimant requested the defendant to return a charge in her account stating that she had not authorized it. They provide a copy of the writing presented. - The defendant resolved to annul the fraudulent movement made against the balance of the claimant's account assuming the defrauded amount of 9,400 euros. - On 09/22/2021, the defendant responded to the claimant indicating that proceeded to process the corresponding credit into his checking account. They provide a copy of the document. - On 11/25/2021, the claimant submitted a new statement of claim to the claimed, as evidenced by providing a copy thereof, requesting the refund of the amount of the fraudulent charge and an additional 20% as a consequence of “the negligent action of the branch that fails to comply with the regulations regarding data protection, by not verifying my identity for the purposes of providing consent lawful for the delivery of funds and transfer of data of a sensitive nature.” The claimant indicated in his writing “this action of the financial entity represents a violation of my right to data protection, since it acted without the due diligence, given that it did not correctly validate my identity (physical as well as as its own identifying signature) nor did it adopt the necessary security measures to verify my consent for the withdrawal of funds and delivery of documentation that contains data of a sensitive nature.” - On 12/16/2021, the defendant informed the claimant, by email electronic, which proceeded to make the payment of the charge made against your account and, regarding the request for compensation for damages, informed him that had to prove them in order to be evaluated. Provide a copy of the email electronic. - The representatives of the defendant state that the claimant did not put into knowledge of the banking entity that had been lost on 06/05/2021 (almost two months before disposal) your DNI, not following the recommendation of the Bank of Spain for these cases (they provide a copy of the aforementioned recommendation titled “Have you Lost or stolen your ID? Inform your bank as soon as possible and report it.” The representatives of the defendant state that alerting them of the loss of the DNI would have resulted in the activation of the protocol available in the office network in these cases. For these purposes, they provide a copy of the aforementioned protocol, which the offices must follow when a client informs them of the theft or loss of the identification document. In the protocol it is verified that it indicates that “in the case for the client to report the theft or loss of their identification document, it is mandatory to add this information in the teleprocess by blocking the account (of free text) including the message “ATTENTION: stolen/lost document”, restricting operation 0001 Refunds so that it serves as an alert for the Network.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/26 Request for information was made, the respondent responded on 05/30/2022 with the following information and documentation: - Documentary accreditation of the procedure followed for the identification of people who request procedures in person at the offices, where all the established controls on identity accreditation are recorded of the applicants, and a copy of the instructions provided to the managers of the procedures in this regard. In particular, it has been requested to provide the procedure for identification for processing requests for information and withdrawal of cash in person in the office. The claimed party provides a copy of the procedure (internal standard) of cash provisions. The internal standard is available to employees of the entity on the intranet. They have also stated that they communicate changes daily or updates that may affect the rules via email, providing a copy of the image of an email as an example. They also declare that the employees have a consultation portal, providing as an example impression of a question about customer identification, a link to the aforementioned standard is included internal. They provide a copy of the aforementioned internal standard, entitled “Cash provisions against personal accounts within the scope of universal care”, highlighting the following aspects: “- In the case of natural persons, to verify the signature the comparison with the client's digital signature (provided it is available). - Universal Attention: Clients may go to any office in the Network […] to carry out their operations in Cash and we will be able to serve them without needing to be the office that owns the contract. For this it will be very important to remember that to verify the client's signature, we must have the identification document digitized and the signature digitized, not being necessary in this case, request verification from the owner office. […] - The only valid documents for correct identification are: Spanish DNI (NIF), passport, […] - Only originals will be valid, never photocopies, and only if are in force. Under no circumstances will expired documents be accepted. - Both the old and the current Spanish model of circulation permit (also called driving license) are NOT valid as identification documents. […] How to correctly identify: Determine if the person carrying the document is the same person who appears on the photograph of the identification document. Verify that the document presented is valid, that it is original (never a photocopy) and that is not expired. Observe if there could be any manipulation or simple alteration (essential the use of ultraviolet light lamp) Any document that presents anomalies in its format as a result of Possible manipulation should lead to suspicion. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/26 Observe the owner himself physically and determine if his appearance and age match the of the photograph and date of birth that appear on the document. Finally, it is mandatory to use the ultraviolet light lamp for validation. of the identification document.” - A printout has been requested that certifies the details of the procedures carried out results from the request for information on the banking data and products of the claimant made on 07/26/2021 in the office, as well as the information and documents that were provided to the applicant, and documentation accrediting the details of the specific checks on the identity of the applicant that were carried out in this case. The claimed party has not provided documentation on the procedures carried out nor about the information and documents that were provided to the applicant, nor about the documentary accreditation of the identity checks carried out in the case concrete. - A printout has been requested that certifies the details of the procedures carried out as a result of the refund request made on 07/29/2021 (office ***BRANCH.1), as well as supporting documentation of the details of the specific checks on the identity of the applicant that were made in this case. About the checks carried out on the identity of the representatives of the party claimed indicate that “In the case being analyzed and in accordance with the aforementioned rule, the paying office did not correctly identify the person who ordered, since the refund was carried out by a person other than the owner with the documentation stolen from the client.” They provide proof of the disposal request digitized with the signature of the applicant, a signature that consists of the name and the first last name of the claimant. They provide a capture of the copy of the claimant's DNI with her signature (document digitized) indicating that it is on which the verification prior to the cash provision (they indicate that the DNI is updated since it has been provided a copy of the one issued on the occasion of the incident). They indicate that as a measure of Security Once document fraud is detected, the office receives the following instructions: “You must digitize the current version of your identity document, We recommend maintaining the blockage until you either recover it or it is no longer available. current". FIFTH: On 11/25/2022, the Director of the Spanish Agency for the Protection of Data agreed to initiate sanctioning proceedings against the person complained of for the alleged infringement of article 6.1 of the RGPD, sanctioned in accordance with the provisions of article 83.5.a) of the aforementioned RGPD and article 32.1 of the RGPD, typified in article 83.4.a) of the cited GDPR. SIXTH: The initiation agreement was notified, the one claimed in writing dated 12/12/2022 requested an extension of the deadline to make allegations, which was granted by the procedure instructor. On 12/23/2022, the defendant presented a written statement of allegations stating, in summary: that the accusation directed against the defendant and its legal basis is erroneous since article 6.1 of the RGPD has not been violated and with respect to the violation of article 32.1, the interpretation that is made is equally erroneous, without C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/26 make any reference to the procedures established by the defendant to ensure the validity of cash provisions and existing case law; the existence of medial competition; that in the imputation of article 32 of the RGPD no takes into account the ruling of the Supreme Court of February 15, 2022 nor the diligence displayed by the defendant. Subsequently, a copy of the audio of the call made to the Service is provided. Customer Service for the complainant. SEVENTH: On 04/19/2023, the procedure instructor agreed to open of a period of practice tests, remembering the following: - Consider the claim filed reproduced for evidentiary purposes. by the claimant and her documentation, the documents obtained and generated by the Inspection Services that are part of the file. - Consider reproduced for evidentiary purposes, the allegations to the agreement of initiation presented by the claimant and the accompanying documentation. -Request the claimant: Protocol, Procedure or Instructions, etc., established by the entity to combat and prevent fraud or scam as in the present case, as well as security measures or opinions for cases of fraud and fraud prevention and to proceed with correct identification of the clientele. Accreditation that said regulation together with the measures of a technical or organizational were known to the office where the incidence and were known by their employees. On 05/09/2023, the defendant responded to the practical test whose content of work in the file. EIGHTH: On 06/29/2023, a Proposed Resolution was issued in the sense of that the Director of the Spanish Data Protection Agency sanctioned the claimed for violation of article 6.1 and 32.1 of the RGPD, typified in the article 83.5.a) and article 83.4.a) of the aforementioned RGPD, with a penalty of €50,000 (fifty thousand euros) and €20,000 (twenty thousand euros), respectively. The aforementioned Proposal was notified to the respondent on 07/03/2023, giving a response to the allegations put forward in the document presented to the initiation agreement. After the legally established period has elapsed, the defendant presented a written allegations on 07/25/2023 reiterating the arguments put forward throughout the procedure: that there was no violation of articles 6.1 and 32.1 of the RGPD and the existence of medial competition of infractions, requesting the archive of the procedure. NINTH: Of the actions carried out in this procedure, they have been accredited the following, PROVEN FACTS C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/26 FIRST. On 10/12/2020, the AEPD has written from the claimant. stating that he has been the subject of identity theft; after losing your ID and file the corresponding complaint, a third party went to a branch of your entity bank, being given all of the money that was deposited in your account, without your authorization or consent, considering that the entity claimed did not adopt the corresponding measures by not reliably verifying his identity. SECOND. The claimant has provided a copy of the complaint dated 08/16/2021 before the squad boys, diligence number ***DILIGENCIA.1 at Usccorts. In the same, The claimant states: “(…) Who has been on vacation, away in Europe... That, upon returning to national territory, he opened the mobile application of his banking entity and observed that they had made a refund, over the counter and in person, of 9,400 euros, without your consent or authorization. That the complainant states that said amount of money was taken from the entity BBVA, located in LOCALIDAD.2 (***LOCALIDAD.1), specifically the office ***BRANCH.1. That Mrs. A.A.A. Contact the Customer Service of your bank and the reported that new documentation had been uploaded to their personal profile, which she has not done nor has any proof of. What customer service provided information related to the event, such as the day on which requested statement and refund and the day on which they withdrew the money. That the day of the request was 07/26/2021 and the day they withdrew the money was day 07/29/2021, both carried out in person at the banking entity of LOCALITY.2., That the complainants do not know who, how and in what way they have been able to access their personal data and, especially, how they have been able to obtain money, in person, from the bank if they supposedly make the identity verification. (…)” THIRD. The claimant provides a copy of the complaint made in Italy, station Venice-San Marcos in relation to the loss of your DNI. ROOM. The defendant has provided a document signed by the claimant, without date, in the that requests the return of those stolen from your account. FIFTH. The defendant in writing dated 05/30/2022 has stated that: “In the event that is analyzed and in accordance with the aforementioned standard, the payable office did not carry out a correct identification of the person who disposed of it, since the refund led to carried out by a person other than the owner with the documentation stolen from the client”, and provides proof of the disposal request whose signature does not match the one appears in the claimant's DNI. Likewise, it indicated that “…has resolved to annul the movement of the provision fraud carried out against the balance of the claimant's current account BBVA therefore assumes the defrauded amount of 9,400 euros…” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/26 SIXTH. There is a written document dated 08/23/2021 in response to the request of the claimant requesting the refund of the amount of the fraudulent charge in his account, in which indicates that: “The request is being managed with the reference number ***REFERENCE.1, indicating this number you can make any query to the regarding”, and the response offered by the respondent on 09/22/2021 stating that: ”We have received the letter that you presented to us, dated August 23, 2021. Your reference number is ***REFERENCE.1. The purpose of the claim, stated in your communication, is to request a refund of the money (€9,400) that was stolen from one of the BBVA offices, without his consent or authorization, as explained in the complaint attached to your written. In this sense, after having reviewed the facts that you describe to us and the documentation collected in this regard, we inform you that we have transferred this matter to the appropriate departments of our entity that are in charge of analyze and resolve the facts that you detail in your writing. Once your case has been reviewed and all the necessary checks have been made, we will inform that their request has been attended to favorably, so in the In the next few days we will proceed to process the credit to your account of the amount subject to your claim. (…)” SEVENTH. As indicated in the fifth fact, a document of BBVA Cash Drawdown, dated 07/29/2021 against Account: ES00 0000 0000 0000 0000 0000, belonging to the claimant, which states: I have received from the Bank Bilbao Vizcaya Argentaria S.A., charged to the indicated account, the amount of: 9,400.00 EUROS. At the bottom of the document appears the Signature of the Intervener, whose signature does not match with that of the claimant. EIGHTH. It is clear that the claimant sent the defendant a new claim requesting, together with the refund of the amount of the fraudulent charge, 20% additional as a consequence of “the negligent actions of the branch that fails to comply with the data protection regulations, by not verifying my identity for the purposes to provide lawful consent for the delivery of funds and transfer of data sensitive nature.” The respondent responded on 12/12/2021 that: “…With regard to your request for compensation for damages caused, we inform you that It is the burden of the claimant to prove the alleged damages, through documentation timely, which proves the damage and the causal relationship with the action or omission of the Bank. It must be taken into account that to evaluate the damages caused, not it is sufficient that these have been effectively caused but it is necessary also that they have caused damage or damages and that these can be proven by objective means and are quantifiable on objective bases. The accreditation of these extremes corresponds to the person who alleges them and, in many cases, require the development of an evidentiary phase that only in a judicial procedure can develop..." NINETH. The response offered on 02/21/2022 is carried by the defendant. pointing out that: “We are writing to you regarding the new letter that you sent to this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/26 entity, through the Spanish Data Protection Agency, on the amount stolen from your account at a BBVA office without your consent and the violation of your right to the protection of your data. In this regard, we inform you that, having once again analyzed the facts that are the subject of your claim, the specific conditions of the obligations assumed by the parties and its particular circumstances, this Entity considers the response appropriate provided to the claim ***CLAIM.1, a copy of which we attach, so We ratify ourselves in it. Likewise, we have been able to verify that on December 16, 2022 it was credited to your account the amount claimed by you, amounting to €9,400. However, as we informed you in our previous response, if you do not agrees with this resolution has the power to go to the Department of Conduct of Bank of Spain Entities since receipt of this letter…“ TENTH. The claimant provides a copy of the document issued by BBVA, dated 09/23/2021 without signature, which indicates that the claimant has been paid the amount of 9,400 euros, committing not to claim any amount from BBVA in the future, renouncing any action. ELEVENTH. The defendant has provided a copy of the audio of the call made to customer service of the defendant on the occasion of the withdrawal of funds from your account. TWELFTH. The defendant has provided documents related to the Provisions of cash against personal accounts within the scope of universal care in which The instructions that regulate the provisions against current accounts are included, of credit and savings books, as well as issues of bank checks and cash transfers; for the prevention of Fraud and Scam in which contain instructions for fraud prevention as well as procedures specific according to the type of fraud, security opinions and other considerations on fraud and the criteria and guidelines for action Customer Identification. THIRTEENTH. The defendant has provided documents Fraud due to provisions of cash with stolen DNIs and false identification documents in which describes the modus operandi and how to act if such operations are identified. FOURTEENTH. The defendant has provided emails dated 01/25/2021 sent to the offices where the incident occurred, subject: Security alert 0121-January-2021 Fraud due to cash withdrawals with DNI stolen (important dissemination to all office colleagues). FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on Protection of Personal Data and C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/26 guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The Procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, as far as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures." II The reported events materialize in the impersonation of the claimant by a third party who went to a branch of the claimed entity, being provided with banking information and the delivery of all the money that was was deposited in the account without your authorization or consent, considering that the regulations on data protection of personal character. Article 58 of the GDPR, Powers, states: "2. Each supervisory authority will have all of the following powers corrective measures indicated below: (…) i) impose an administrative fine in accordance with Article 83, in addition to or in instead of the measures mentioned in this section, according to the circumstances of each particular case; (…)” Firstly, article 6, Lawfulness of processing, of the RGPD in its section 1, establishes that: "1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the processing is necessary for the performance of a contract in which the interested party is part or for the application at his request of measures pre-contractual; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the interested party or from another natural person; e) the processing is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible of the treatment; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/26 f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that The interests or rights and freedoms do not prevail over said interests. fundamentals of the interested party that require the protection of personal data, particularly when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the processing carried out by public authorities in the exercise of their functions. On the other hand, article 4 of the RGPD, Definitions, in sections 1, 2 and 11, notes that: “1) “personal data”: any information about an identified natural person or identifiable ("the interested party"); Any identifiable natural person will be considered person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of said person; “2) “treatment”: any operation or set of operations performed on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction; “11) “consent of the interested party”: any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him.” III 1. Data processing requires the existence of a legal basis that legitimate In accordance with article 6.1 of the GDPR, in addition to consent, There are other possible bases that legitimize the processing of data without the need for have the authorization of its owner, in particular, when necessary for the execution of a contract to which the affected party is a party or for the application, at the request of this, pre-contractual measures, or when necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that the interests or rights do not prevail over said interests and fundamental freedoms of the affected party that require the protection of such data. He Treatment is also considered lawful when it is necessary for the fulfillment of a legal obligation applicable to the data controller, to protect interests vital of the affected person or of another natural person or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the responsible for the treatment. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/26 In accordance with what is stated in article 6.1, there is no proven basis of legitimation of any of those contemplated in the aforementioned precept for the treatment of the claimant's data and whose personality was impersonated to empty the account of which he was the owner, without the defendant displaying the diligence that was necessary to avoid incidents such as the one that gave rise to the claim and therefore the present procedure. 2. In the present case, the claimant's data has been used to carry out carry out an operation, disposition of cash contained in an account, by a third party that he was not the owner of the same but an impersonator of the identity of the claimant and although, in general terms, the credit institution has the legitimacy to process the data of the affected party under the contract signed between both, for this operation I did not have it specifically since the person who was using the data was a person outside the contractual relationship having to have verified the photograph and the signature of the document presented to him, verify that the appearance of the holder of said document and the person in front of him coincided. The claimant has stated that she does not know who the person was who went to the branch of your banking entity, being given all of the money that was was deposited in your account, without your authorization or consent and without adopt the corresponding measures if you do not reliably verify your identity. It should be noted that, as appears in the proven facts, the defendant himself has stated in his response to the Agency's information request of 04/07/2021 that “In the case being analyzed and in accordance with the aforementioned rule, the paying office did not correctly identify the person who ordered, since the refund was carried out by a person other than the owner with the documentation stolen from the client.” Furthermore, the defendant himself has provided proof of the request for provision whose signature does not match the one that appears on the claimant's DNI. Furthermore, he points out that “…he has resolved to annul the movement of the fraudulent disposition made against the balance of the current account of the claimant therefore assuming BBVA the defrauded amount of 9,400 euros…” (the Underlined correspond to the AEPD. Therefore, it is not treated as claimed by the respondent in the response to the Proposal. Resolution of an invincible error in the identification of the holder of the DNI of the claimant but of a serious lack of negligence that would have been defeated if had correctly followed the procedures and protocols implemented, correctly collating and verifying both the photograph and the signature of the document that was presented to him together with the Cash Disposal, and that he does not sympathize with what was indicated by the defendant himself, pointing out that a correct identification of the person who disposed of it. On the other hand, it is unnecessary to point out that the state of the art would allow perhaps the adoption of more effective identification measures such as biometrics, but that these are considered illegal by the AEPD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/26 In accordance with the foregoing, it is estimated that the defendant would be responsible for the violation of the GDPR: violation of article 6.1, violation typified in its article 83.5.a). IV Secondly, article 32 of the GDPR “Security of processing”, states that: "1. Taking into account the state of the art, the application costs, and the nature, scope, context and purposes of the processing, as well as risks of variable probability and severity for people's rights and freedoms physical, the person responsible and the person in charge of the treatment will apply technical and appropriate organizational measures to guarantee a level of security appropriate to the risk, which, if applicable, includes, among others: a) pseudonymization and encryption of personal data; b) the ability to guarantee the confidentiality, integrity, availability and permanent resilience of treatment systems and services; c) the ability to restore availability and access to data personnel quickly in the event of a physical or technical incident; d) a process of regular verification, evaluation and assessment of effectiveness of the technical and organizational measures to guarantee the security of the treatment. 2. When evaluating the adequacy of the security level, particular consideration will be given to take into account the risks presented by data processing, in particular as consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data. 3. Adherence to a code of conduct approved pursuant to Article 40 or to a certification mechanism approved pursuant to article 42 may serve as an element to demonstrate compliance with the requirements established in section 1 of the present article. 4. The controller and the person in charge of the treatment will take measures to ensure that any person acting under the authority of the controller or manager and has access to personal data can only process said data following instructions from the person responsible, unless obliged to do so by virtue of the Law of the Union or of the Member States”. The violation of article 32 of the RGPD is classified in the article 83.4.a) of the aforementioned RGPD in the following terms: "4. Violations of the following provisions will be sanctioned, according to with paragraph 2, with administrative fines of a maximum of EUR 10 000 000 or, In the case of a company, an amount equivalent to a maximum of 2% of the global total annual business volume of the previous financial year, opting for the largest amount: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/26 a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39, 42 and 43. (…)” For its part, the LOPDGDD in its article 73, for the purposes of prescription, qualifies of “Infringements considered serious”: Based on what is established in article 83.4 of Regulation (EU) 2016/679 are considered serious and will prescribe after two years the infractions that involve a substantial violation of the articles mentioned therein and, in particular, the following: (…) g) The bankruptcy, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance as required by article 32.1 of Regulation (EU) 2016/679.” (…)” V 1. The GDPR defines personal data security breaches as “all those security violations that cause the destruction, loss or accidental or illicit alteration of personal data transmitted, preserved or processed otherwise, or unauthorized communication or access to said data.” The documentation in the file shows that the defendant has violated article 32 of the RGPD, by not having implemented and not using measures appropriate technical and organizational measures to guarantee a level of security appropriate to the risk in this treatment. This is independent of the fact that, in this specific case, In addition, a third party may have been able to impersonate the identity of the claimant when it was provided to them. not only the totality of the money that existed in the account, but information related to the same. It should be noted that the RGPD in the aforementioned provision does not establish a list of the security measures that are applicable in accordance with the data that are object of treatment, but rather establishes that the person responsible and the person in charge of the treatment will apply technical and organizational measures that are appropriate to the risk that the treatment entails, taking into account the state of the art, the costs of application, the nature, scope, context and purposes of the processing, the risks of probability and seriousness for the rights and freedoms of the persons concerned. Likewise, security measures must be adequate and proportionate to the risk detected, pointing out that the determination of the measures technical and organizational measures must be carried out taking into account: pseudonymization and encryption, the ability to guarantee the confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after a incident, verification process (not audit), evaluation and assessment of the effectiveness of the measures. In any case, when evaluating the adequacy of the security level, the particularly taking into account the risks presented by data processing, such as C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/26 consequence of the accidental or unlawful destruction, loss or alteration of data personal data transmitted, preserved or otherwise processed, or the communication or unauthorized access to said data and that could cause damages and losses physical, material or immaterial. In this same sense, recital 83 of the GDPR states that: “(83) In order to maintain security and prevent the treatment from infringing the provided in this Regulation, the person responsible or the person in charge must evaluate the risks inherent to the treatment and apply measures to mitigate them, such as encryption. These measures must guarantee an adequate level of security, including the confidentiality, taking into account the state of the art and the cost of its application regarding the risks and the nature of the personal data that must be protect yourself. When assessing risk in relation to data security, take into account the risks arising from the processing of personal data, such as accidental or unlawful destruction, loss or alteration of personal data transmitted, preserved or otherwise processed, or the communication or access is not authorized to such data, which may in particular cause damage and harm physical, material or immaterial.” 2. In the present case, as stated in the facts and within the framework of the investigation file, the AEPD transferred the claim presented to the defendant for analysis requesting the contribution of information related to the incident claimed without initially providing any information about the claim transferred. However, as stated previously in a letter dated 04/07/2021 the defendant has acknowledged that in this specific case that “the office payable did not correctly identify the person who provided it, since the The refund was carried out by a person other than the owner with the stolen documentation. client”, having repaid the amount provided to the claimant, assuming the loss. The defendant provides proof of the disposition request in which the the signature of the disposer, as well as the capture of the copy of DNI and signature (digitized) which must be verified prior to the provision of cash. The signature that appears on the receipt of the disposal request is not does not correspond nor does it appear to coincide with what appears on the DNI. 3. As it appears in the proven facts, the defendant provided the document “Cash withdrawals against personal accounts within the scope of care “universal” in which the instructions that regulate the provisions against checking accounts, credit accounts and savings accounts, both in the office where the counts as in a different office. In point 2, Risk aspects, it is stated: “The main aspect of risk in a provision is the incorrect identification of the person who is going to dispose of it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/26 The identification process is regulated in standard 80.00.116 “Identification of the clientele”: If the person does not identify themselves appropriately (whether or not they are a client), when they are identification is mandatory, the operation you request can and should be denied. This is allowed by Law 10/2010 and various sentences that speak of the “pattern of distrust” by which those who are in charge must be governed assets of third parties, such as employees of financial institutions. Next, point 3.2, Document control measures identification, the following: “How to correctly identify: Determine if the person carrying the document is the same person who appears on the document. the photograph of the identification document. Verify that the document presented is valid, that it is original (never photocopy) and that it is not expired. Observe if there could be any manipulation or simple alteration (the use of the ultraviolet light lamp is essential) Any document that presents anomalies in its format such as consequence of possible manipulation should lead to suspicion. Observe the owner himself physically and determine if his appearance and age matches the photograph and date of birth that appear on the document. Finally, it is mandatory to use the ultraviolet light lamp for validation of the identification document.” Also in the document Prevention of fraud and scam, it contains instructions to avoid this type of crime. In this regard, it is pointed out procedure to carry out correct identification of the client, valid documents, the way to verify the person and the document, etc., similar to the above. This document already states that “The correct identification of the client, whether It is an individual natural person, as if he is an attorney-in-fact of a legal entity, “It is essential for the early prevention of fraud.” Likewise, it indicates that: “The only valid documents for correct identification are: * National Identity Document. * Passport. * Foreigner Identification Number (NIE), with its different modalities Cards (residence, asylum, student, etc.). * National identification document from a country of the European Union with Photography. Only originals will be valid, never photocopies, and only if they are in force. In no case will expired documents be accepted.” And: “In terms of carrying out a correct identification, the first thing is determine if the person carrying the document is the same person who appears on the photograph of the identification document, then we will verify that the document C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/26 presented is valid. That is, it is included among those that the bank estimates as appropriate for correct identification, that it is original (never a photocopy) and that is not expired. The second thing is to observe if there could be any simple manipulation. A superficial look at the DNI is not enough for this. You have to observe it with detail". Therefore, in accordance with this last document and the established protocol For the withdrawal of cash, the person requesting the operation is or is not a client of the entity must be appropriately identified and otherwise it must be denied the same. In addition, that person must provide the identification document, which must be valid, the original, which is not a photocopy, which is not manipulated, which is not found expired, that there are no anomalies, checking that the appearance of the holder and the person in front of you coincide, that is, check through the who is the person he says he is. However, in the present case it does not appear that the action carried out by the employee in the office, as confirmed by the claimant himself, will verify reliably and in accordance with the instructions indicated in both the document “Cash withdrawals against personal accounts within the scope of universal care” as in the Prevention of fraud and scam, the personality of the disposer since the amount delivered and that caused the emptying of the account was provided to someone who was not its owner in violation of the measures corresponding. 4. Furthermore, in relation to the provision of cash, the 07/29/2021, a third party goes to the defendant's office located in the ***ADDRESS.1, in ***LOCALITY.2 (***LOCALITY.1) requesting the withdrawal of funds from the claimant's account, failing to comply with the identification protocol established for cash withdrawals. The document provided by the defendant includes the name and surname of the claimant and the signature that bears no similarity to the one contained in the copy of the DNI, despite what was stated by the claimant to the contrary. But what is paradoxical is that the copy of the DNI that was provided at that time moment to perform the operation was subject to digitization by the same person that provided the money to the usurper, that is, that the DNI provided at the time of the provision was scanned and recorded in the entity's database as indicated. informed the claimant by Customer Service in their call dated 08/04/2021, as appears in the copy of the recording provided. Therefore, the above evidence is that on the same day of the delivery of cash, by the branch employee, the digitization was carried out in the the entity of the DNI used in the operation, without realizing that whoever had In front he was not who he said he was, not guaranteeing the security of the data. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/26 In his allegations to the Proposal, the defendant insists on stating that adopted the necessary measures to prove the identity of the applicant, reaching to the conclusion that the person who went to the bank office was the one who claimed to be and corresponded to the claimant, whose document she provided, which is surprising in light of the facts established in the procedure: the signature did not correspond to the one existing in the DNI and even so the employee, as stated indicated previously, the digitization proceeded in the systems of the entity of the DNI used in the operation, the affirmation of the entity itself that has indicated that a correct identification was not made of the person who ordered, for what we are dealing with is truly negligent behavior, easily conquerable if the established protocols and precautions had been adopted. On the other hand, it should be noted that the security measures of the treatment of the financial institution's data are focused on the security of transactions banking and indirectly to guarantee the fundamental right of people affected by the protection of your personal data. 5. Finally, it is true that the Supreme Court in a ruling of 02/15/2022 stated that: “The obligation to adopt the necessary measures to guarantee the security of personal data cannot be considered an obligation of result, that implies that there is a leak of personal data to a third party responsibility regardless of the measures adopted and the activity displayed by the person responsible for the file or processing. In result obligations there is a commitment consisting of the fulfillment of a certain objective, ensuring the proposed achievement or result, In this case, guarantee the security of personal data and the absence of security leaks or breaches. In the obligations of means the commitment that is acquired is to adopt the technical and organizational means, as well as deploying diligent activity in its implementation and use that tends to achieve the expected result with means that can reasonably be classified as suitable and sufficient for its achievement, For this reason, they are called "diligence" or "behavioral" obligations. The difference lies in the responsibility in both cases, because while that in the obligation of result one responds to a harmful result due to the failure of the security system, whatever its cause and the diligence used. In the obligation of means, it is enough to establish technically adequate measures and implement and use them with reasonable diligence. In the latter, the sufficiency of the security measures that the responsible must establish must be put in relation to the state of technology at any given time and the level of protection required in relation to the data treated, but a result is not guaranteed.” However, the Court also confirms that the design is not sufficient of the necessary technical and organizational means, since it is also Its correct implementation and use appropriately are necessary. And the responsibility of the defendant is determined by the incident security manifested by the claimant, since she is responsible for taking decisions aimed at effectively implementing that technical measures and organizational measures are appropriate to guarantee a level of security appropriate to the risk C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/26 to ensure the confidentiality of the data, restoring its availability and preventing access to them. In accordance with the foregoing, it is estimated that the defendant would be allegedly responsible for the violation of the RGPD: the violation of article 32, offense classified in article 83.4.a). SAW 1. The defendant alleges the existence of a medial competition of infractions for the assumption referred to in art. 29.5 of Law 40/2015, of October 1, Therefore, the imposition of only one of the two sanctions would be appropriate, specifically, the regarding the violation of article 6.1 of the RGPD. The art. 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public, establishes that: "When the commission of an infraction results necessarily the commission of another or others, only the sanction should be imposed corresponding to the most serious infraction committed". However, such an argument cannot be accepted; the specific standard in matter of data protection, that is, the RGPD, establishes in its article 83.3 that: "3. If a controller or a person in charge of the treatment fails to comply intentional or negligent, for the same treatment operations or operations linked, various provisions of this Regulation, the total amount of the administrative fine will not be higher than the amount provided for the most serious violations. serious. We already pointed out in FD IV that the processing of personal data violating the principles and guarantees established in article 6 of the RGPD, considered a very serious infraction, so the only limit would be established by the amount indicated in article 83.5 of the RGPD “€20,000,000 maximum or, In the case of a company, an amount equivalent to a maximum of 4% of the global total annual business volume of the previous financial year, opting for the largest amount.” 2. In allegations to the Proposal, the defendant insists on the existence of a medial contest of violations; Continuing with what has been expressed, it should be noted that the Article 29 of the LRJSP is not applicable to the sanctioning regime imposed by the GDPR. And this is because the GDPR is a closed and complete system. The GDPR is a European standard directly applicable in the States members, which contains a new, closed, complete and global system intended to ensure the protection of personal data uniformly throughout the European Union. In relation, specifically and also, to the sanctioning regime established In it, its provisions are applicable immediately, directly and integral, providing for a complete system without gaps that must be understood, be interpreted and integrated in an absolute, complete, integral manner, thus leaving the Its ultimate purpose is the effective and real guarantee of the fundamental right to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/26 Personal data protection. The opposite determines the loss of guarantees of the rights and freedoms of citizens. In fact, a specific example of the lack of loopholes in the system of the GDPR is Article 83 of the GDPR which determines the circumstances that may operate as aggravating or mitigating circumstances with respect to an infraction (article 83.2 of the RGDP) or that specifies the existing rule regarding a possible medial contest (article 83.3 of the RGPD). To the above we must add that the RGPD does not allow the development or implementation of its provisions by the legislators of the Member States, safe of what the European legislator himself has specifically provided for, delimiting it in a very specific way (for example, the provision of article 83.7 of the RGPD). In this sense, the LOPDGDD only develops or specifies some aspects of the RGPD as far as that it allows and with the scope that it allows. This is so because the intended purpose of the European legislator is to implement a uniform system throughout the European Union that guarantees the rights and freedoms of natural persons, that corrects behavior contrary to the RGPD, that encourages compliance, which enables the free circulation of this data. In this sense, recital 2 of the GDPR determines that: “(2) The principles and rules relating to the protection of natural persons in regarding the processing of your personal data, they must, whatever whatever their nationality or residence, respect their freedoms and rights fundamentals, in particular the right to the protection of personal data staff. This Regulation aims to contribute to the full realization of a space of freedom, security and justice and of an economic union, to progress economic and social, to the reinforcement and convergence of economies within the internal market, as well as the well-being of natural persons.” And recital 13 of the GDPR that: “(13) To ensure a consistent level of protection of natural persons throughout the Union and avoid divergences that hinder the free flow of data within the internal market, a regulation is necessary that provides legal certainty and transparency for economic operators, including micro, small and medium-sized businesses, and offer natural persons of all Member States the same level of rights and obligations enforceable and of responsibilities for those responsible and in charge of the treatment, in order to to ensure consistent supervision of the processing of personal data and equivalent sanctions in all Member States, as well as cooperation effective between the supervisory authorities of the different Member States. The good functioning of the internal market requires that the free circulation of data personal property in the Union is not restricted or prohibited for reasons related to protection of natural persons with regard to data processing personal”. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/26 In this system, the determining factor of the GDPR is not the fines. The powers corrective actions of the control authorities provided for in art. 58.2 of the GDPR conjugate with the provisions of article 83 of the GDPR show the prevalence of measures corrective measures against fines. Thus, article 83.2 of the RGPD establishes that “Administrative fines are will impose, depending on the circumstances of each individual case, additionally or substitute for the measures referred to in Article 58, paragraph 2, letters a) to h) and j). In this way the corrective measures, which are all those provided for in the article 58.2 of the RGPD, except for the fine, have prevalence in this system, leaving relegated the financial fine to cases in which the circumstances of the case specifically determine that a fine is imposed together with corrective measures or in replacement thereof. And all this with the purpose of forcing compliance with the RGPD, avoiding non-compliance, encourage compliance and ensure that infringement is not more profitable than non-compliance. For this reason, article 83.1 of the RGPD prevents that “Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 be effective, proportionate and dissuasive in each individual case.” Fines must be effective, proportionate and dissuasive for the achievement of the purpose intended by the RGPD. For this system to work with all its guarantees, it is necessary that several elements are deployed in an integral and complete manner. The application of rules unrelated to the RGPD regarding the determination of fines in each of the Member States applying their national law, whether due to circumstances aggravating or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD in the case Spanish as permitted by the RGPD itself-, either by the application of a media contest different from that provided in the RGPD, would reduce the effectiveness of the system that would lose its meaning, its teleological purpose, the will of the legislator, resulting in the fines imposed for different infractions would cease to be effective, proportionate and deterrents. And in this way the interested parties would also be robbed of the guarantee. effective enforcement of their rights and freedoms, weakening the uniform application of the GDPR. HE would diminish the mechanisms for protecting the rights and freedoms of citizens and would be contrary to the spirit of the RGPD. The GDPR is endowed with its own principle of proportionality that must be applied in its strict terms. And this is because there is no legal loophole, there is no supplementary application of article 29. of the LRJSP. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/26 On the other hand, it should be noted that there is no legal loophole regarding the application of the media contest. Neither the RGPD allows nor the LOPDGDD requires the application supplementary provisions of article 29 of the LRJSP. In Title VIII of the LOPDGDD related to “Procedures in case of possible violation of data protection regulations”, article 63 that opens the Title is provides that "The procedures processed by the Spanish Protection Agency of Data will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, in as long as they do not contradict them, on a subsidiary basis, by the general rules on administrative procedures." Although there is a clear reference to the LPACAP, it does not a subsidiary application is established in no way with respect to the LRJSP that does not contains in its articles any provision relating to administrative procedure some. In the same way that the AEPD is not applying the aggravating and mitigating circumstances provided in article 29 of the LRJSP, since the RGPD establishes its own, therefore, there is no legal gap or subsidiary application of the same, nor the application of the section relating to media competition is possible and for identical reasons. VII In order to establish the administrative fine that should be imposed, they must The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which they point out: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the treatment, taking into account the technical or organizational measures that have been applied under articles 25 and 32; e) any previous infraction committed by the person responsible or in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/26 h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in that case, what extent; i) when the measures indicated in Article 58(2) have been previously ordered against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of processing of personal data. c) The benefits obtained as a consequence of the commission of the infringement. d) The possibility that the conduct of the affected person could have induced to the commission of the infraction. e) The existence of a merger process by absorption subsequent to the commission of the infraction, which cannot be attributed to the entity absorbent. f) The impact on the rights of minors. g) Have, when not mandatory, a protection delegate of data. h) Submission by the person responsible or in charge, with character voluntary, to alternative conflict resolution mechanisms, in those cases in which there are disputes between those and anyone interested.” - In accordance with the transcribed precepts, in order to set the amount of the sanction to be imposed in the present case for the violation of article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD for which the claimed party is responsible, The following factors are considered concurrent as aggravating circumstances: The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation; the facts put manifest affect a basic principle relating to the processing of personal data. personal, such as legitimacy, which the norm sanctions with the greatest severity; is It is evident that the claimant's data was used by a third party who was not the owner or was authorized to carry out the cash withdrawal operation (article 83.2.a) of the RGPD). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/26 Intentionality or negligence in the infringement. There is a serious lack of negligence when the procedures implemented were not followed by not verifying the identity of the third party, without correctly comparing both the photograph and the signature of the document that was presented corresponded to the account holder. Also connected with the degree of diligence that the person responsible for the treatment is obliged to deploy in compliance with the obligations imposed by the data protection regulations, the SAN of 10/17/2007 can be cited. Although it was dictated before the validity of the RGPD, its pronouncement is perfectly extrapolated to the case we analyze. The sentence, after alluding to the fact that the entities in which the development of their activity entails continuous processing of customer and third party data must observe an adequate level of diligence, specified that “(...).the Supreme Court has been understanding that there is imprudence whenever a legal duty of care is neglected, that is, when the offender fails behaves with the required diligence. And in assessing the degree of diligence it must The professionalism or otherwise of the subject must be especially considered, and there is no doubt that, In the case now examined, when the appellant's activity is constant and abundant handling of personal data, emphasis must be placed on rigor and exquisite care to comply with the legal provisions in this regard” (article 83.2, b) of the GDPR). The entity investigated is one of the large companies within its sector with a sales volume of more than €1,000,000,000 according to AXESOR data (article 83.2.k) of the RGPD). Extenuating circumstances are: Any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; once the fraud is detected instructions were issued to avoid such incidents; This is how it is accredited informative alerts sent by email by the Responsible for Security from the Southern Territorial Directorate to the office where the funds were withdrawn (article 83.2. c) RGPD). - In accordance with the transcribed precepts, in order to set the amount of the sanction to be imposed in the present case for the infraction classified in article 83.4.a) and article 32.1 of the RGPD for which the defendant is held responsible, are estimated the following factors concurrently as aggravating circumstances: These are aggravating circumstances: The nature and severity of the infraction since we are dealing with the treatment of economic data, which affect their solvency, in addition to the damages and losses suffered as a consequence of the negligence of the entity The funds in the account were emptied, benefiting someone who was not the owner (article 76.2.b) of the LOPDGDD in relation to article 83.2.k). Intentionality or negligence in the infringement. There is a serious lack of negligence by failing to comply with the procedures implemented and not verifying the identity of the third party, without correctly verifying that both the photograph as the signature of the document presented to him corresponded with the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/26 Account holder. Also connected with the degree of diligence that the person responsible of the treatment is obliged to deploy in compliance with the obligations that imposed by data protection regulations, the SAN of 10/17/2007 can be cited. Yeah well it was dictated before the validity of the RGPD, its pronouncement is perfectly extrapolated to the case we analyze. The sentence, after alluding to the fact that the entities in which the development of their activity entails continuous processing of customer and third party data must observe an adequate level of diligence, specified that “(...).the Supreme Court has been understanding that there is imprudence whenever a legal duty of care is neglected, that is, when the offender fails behaves with the required diligence. And in assessing the degree of diligence it must The professionalism or otherwise of the subject must be especially considered, and there is no doubt that, In the case now examined, when the appellant's activity is constant and abundant handling of personal data, emphasis must be placed on rigor and exquisite care to comply with the legal provisions in this regard” (article 83.2, b) of the GDPR). Previous infringement committed by the controller or processor; There is recidivism derived from violations in relation to the same facts: There are procedures resolved for violations of the defendant with facts related to articles 32.1 of the RGPD (PS/362/2021 and PS/420/2021) (article 83.2, e) of the GDPR). The entity investigated is one of the large companies within its sector with a sales volume of more than €1,000,000,000 according to AXESOR data (article 83.2.k) of the RGPD). Extenuating circumstances are: Any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; once the fraud is detected instructions were issued to avoid such incidents; This is how it is accredited informative alerts sent by email by the Responsible for Security from the Southern Territorial Directorate to the office where the funds were withdrawn (article 83.2. c) RGPD). Therefore, in accordance with the applicable legislation and evaluated the criteria of graduation of sanctions whose existence has been proven, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: IMPOSE BANCO BILBAO VIZCAYA ARGENTARIA, S.A., with NIF A48265169, for violation of articles 6.1 and 32.1 of the RGPD, typified in the articles 83.5.a) and 83.4.a) of the RGPD, fines of €50,000 (fifty thousand euros) and €20,000 (twenty thousand euros), respectively. SECOND: NOTIFY this resolution to BANCO BILBAO VIZCAYA ARGENTARIA, S.A. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/26 THIRD: Warn the sanctioned person that he must make the sanction imposed effective once this resolution is executive, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by entering it, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted IBAN number: ES00 0000 0000 0000 0000 0000 (BIC/SWIFT Code: XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency in the banking entity CAIXABANK, S.A.. Otherwise, it will be collection in executive period. Once the notification is received and once enforceable, if the enforceable date is The deadline to carry out the payment is between the 1st and 15th of each month, both inclusive. Voluntary payment will be until the 20th of the following month or the immediately following business month, and if is between the 16th and last day of each month, both inclusive, the term of the Payment will be until the 5th of the second following month or immediately following business month. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within a period of one month counting from the day following the notification of this resolution or directly contentious-administrative appeal before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) of the LPACAP, the final resolution may be provisionally suspended administratively If the interested party expresses his intention to file a contentious appeal. administrative. If this is the case, the interested party must formally communicate this made by writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/], or through one of the remaining records provided for in art. 16.4 of the aforementioned Law 39/2015, of October 1. Also must transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency was not aware of the filing of the contentious-administrative appeal within a period of two months from the day following the notification of this resolution, the precautionary suspension. Sea Spain Martí C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/26 Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es