AEPD (Spain) - EXP202105693: Difference between revisions
No edit summary |
m (Ar moved page AEPD (Spain) - PS/00275/2022 to AEPD (Spain) - EXP202105693) |
||
(3 intermediate revisions by 2 users not shown) | |||
Line 70: | Line 70: | ||
=== Facts === | === Facts === | ||
The data subject submitted a claim against an insurance company (the controller) for allowing changes to their health insurance policy. | The data subject submitted a claim against an insurance company (the controller) for allowing changes to their health insurance policy. The insurance policy was initially signed in 2016 and linked to the data subject as policyholder as well as the owner of the bank account from which the insurance premiums were paid. However, the insured person was their former partner. | ||
In June 2021, the data subject’s former partner submitted a request to change the health insurance policy data, which was done by the bank (the processor). The data changed were the policyholder name and the bank account to which the insurance premiums were associated, allowing the data subject’s former partner to pay the insurance fees themselves. These changes were made without the consent of the data subject. | |||
After a first complaint by the data subject to the processor, the data subject was included as the insurance holder again. After a further complaint, their bank account number was restored. | |||
In August 2022, the Spanish DPA started a sanctioning proceeding against the controller, which allowed to hear the claims from the involved parties. Both the controller and the processor claimed to have obtained implicit consent from the data subject since their initial wish was to cover their partner and that, by losing their status as insurance holder, their obligations were lifted, which was considered a presumed benefit for the data subject. | |||
In August 2022, the Spanish DPA started a sanctioning proceeding against the controller, which allowed to hear the claims | |||
Both the controller and the processor claimed to have obtained implicit consent from the data subject since their initial wish was to cover their partner and that, by losing their status as insurance holder their obligations were lifted, which was considered a presumed benefit for the data subject. | |||
=== Holding === | === Holding === |
Latest revision as of 13:15, 13 December 2023
AEPD - PS-00275-2022 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 83(1) GDPR Article 83(2) GDPR §72.1(b) LOPDGDD |
Type: | Investigation |
Outcome: | Violation Found |
Started: | 26.10.2021 |
Decided: | |
Published: | 04.10.2022 |
Fine: | 24.000 EUR |
Parties: | n/a |
National Case Number/Name: | PS-00275-2022 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined an insurance company €24,000 for violating Article 6(1) GDPR due to the processing of personal data without a legal basis. The company claimed to have implied consent of the data subject.
English Summary
Facts
The data subject submitted a claim against an insurance company (the controller) for allowing changes to their health insurance policy. The insurance policy was initially signed in 2016 and linked to the data subject as policyholder as well as the owner of the bank account from which the insurance premiums were paid. However, the insured person was their former partner.
In June 2021, the data subject’s former partner submitted a request to change the health insurance policy data, which was done by the bank (the processor). The data changed were the policyholder name and the bank account to which the insurance premiums were associated, allowing the data subject’s former partner to pay the insurance fees themselves. These changes were made without the consent of the data subject.
After a first complaint by the data subject to the processor, the data subject was included as the insurance holder again. After a further complaint, their bank account number was restored.
In August 2022, the Spanish DPA started a sanctioning proceeding against the controller, which allowed to hear the claims from the involved parties. Both the controller and the processor claimed to have obtained implicit consent from the data subject since their initial wish was to cover their partner and that, by losing their status as insurance holder, their obligations were lifted, which was considered a presumed benefit for the data subject.
Holding
The DPA started by noting that changes to the insurance policy were not authorised by the data subject and none of the legal basis under Article 6 GDPR could be observed. Meanwhile, the principle of legal processing of data required an accreditation of the consent for the processing as well as a reasonable diligence to prove it. Simply implying that a data subject would consent to a change in the policy cannot in any way be regarded as a valid legal basis. The Spanish DPA found a violation of Article 6(1) GDPR for illegal processing of personal data by the controller.
The DPA decided on appropriate measures against the controller. Based on Article 72(1)(b) of the national data protection law, and Articles 83(1) and 83(2) GDPR, the DPA considered aggravating circumstances. Firstly, there was a lack of legal basis for the processing affecting the fundamental right to data protection. Secondly, the controller was one of the main insurance companies in the country whose activity was directly linked to the processing of personal data from clients and from third parties. Finally, the controller showed grievous lack of due care and diligence. The two latter factors were associated with the Supreme Court’s case law regarding the higher due care attributed to companies whose activity involves abundant processing of personal data.
Therefore, the Spanish DPA proposed a fine of €40,000 which was reduced to €24,000 with the application of two reductions: the acceptance of guilt, and the voluntary payment of the fine.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/16 File No.: EXP202105693 RESOLUTION OF TERMINATION OF THE PROCEDURE FOR PAYMENT VOLUNTEER Of the procedure instructed by the Spanish Agency for Data Protection and based on to the following BACKGROUND FIRST: On August 8, 2022, the Director of the Spanish Agency for Data Protection agreed to initiate a sanctioning procedure against CAJA DE SEGUROS REUNIDOS, INSURANCE AND REASEGUROS COMPANY, S.A. (CASER) (in hereinafter, the claimed party), through the Agreement that is transcribed: << File No.: EXP202105693 AGREEMENT TO START A SANCTION PROCEDURE Of the actions carried out by the Spanish Data Protection Agency and in based on the following FACTS FIRST: D.A.A.A. (hereinafter, the complaining party) dated October 26, 2021 filed a claim with the Spanish Data Protection Agency. The claim is directed against CAJA DE SEGUROS REUNIDOS, COMPANY OF INSURANCE AND REINSURANCE, S.A. (CASER) with NIF A28013050 (hereinafter, the claimed party). The grounds on which the claim is based are as follows: month of May 2016, the claimant subscribed with BANCO IBERCAJA (hereinafter IBERCAJA) a mortgage loan at a certain interest rate and, for maintain that interest rate, one of the conditions of the loan was to contract a health insurance with the claimed insurer. The claimant purchased the insurance policy health, appearing as the policyholder and being the only holder of the open charge account with the claimed financial institution. His partner was listed as the beneficiary of the policy at that time and from which he is currently separated from the 04/14/2021; Since 06/08/2021, the claimed insurer has made various modifications in the data of the policy, without your consent, in particular, modified the policyholder and the premium charge account, disappearing the claimant and your bank account, appearing instead your ex-partner as a policyholder and the account of is; days later, on 06/16/2021, the claimant was included again as a policyholder, but the charge account was still that of his ex-partner; Finally, and after claims made by the claimant, on 06/17/2021, the account of charge, becoming the private account of the claimant. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/16 As a result of what happened, on 07/05/2021, he filed a claim with the insurer claimed, receiving a response on 07/22/2021, apologizing and indicating that the modifications in the policy were made at the request of the financial entity and how they soon became aware of the claimant's disagreement, they rectified the incident. Likewise, on 07/21/2021, I file a claim with the financial institution, in relation to with the unilateral modification of the policy linked to your loan contract, receiving a response on 07/27/2021, indicating that the modifications were requested from your management office by the insured person (your ex-partner) and that, however, the loan discounts have been maintained. The claimant states that the brother of her ex-partner works in the office from which the Non-consensual modifications in the contractual data. Provides admission for processing of the divorce application, copy of the claims made and the responses received, as well as a claim addressed to the Management General Insurance and Pension Funds, of 10/20/2021. SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, of Protection of Personal Data and guarantee of digital rights (in hereinafter LOPDGDD), said claim was transferred to the claimed party/, to to proceed with its analysis and inform this Agency within a month of the actions carried out to adapt to the requirements set forth in the regulations of Data Protection. The transfer, which was carried out in accordance with the regulations established in Law 39/2015, of October 1, of the Common Administrative Procedure of the Administrations Public (hereinafter, LPACAP), was collected on 12/20/2021 as recorded in the acknowledgment of receipt that works in the file. On 01/14/2022, the respondent responded to the request made, indicating that the 05/31/2016 the claimant formalized a guaranteed loan with IBERCAJA mortgage agreement at a fixed interest rate of 3.25% (interest rate not met bonuses), unless it was actually verified that the requirements were met. Bonus conditions as indicated in the section of the deed mortgage "LINKS AND OTHER COSTS", in which case it would apply referred to therein with a minimum applicable interest rate of 1.750% in the event that all the agreed bonuses are fulfilled, among which is the contracting with CASER of the "Ibercaja Salud" insurance. The interest rate agreed in the deed is the interest rate agreed in the mortgage loan operation and that the agreed bonuses are optional and voluntary for the borrower, not being mandatory, so, if you wish, you can cancel and not maintain the indicated health insurance or contract another of those mentioned in the annex to bonus conditions. On the effective date of 01/01/2017, the claimant signs the policy with CASER group "Caser Salud Integral" in which he appears as policyholder and includes as only insured to Ms. B.B.B., contracting made in the offices of IBERCAJA, in its capacity as the distribution network of the banking insurance operator of the Ibercaja Group (the entity IBERCAJA MEDIACION DE SEGUROS, S.A.U. (hereinafter IBERCAJA MEDIATION) and that maintains an agency contract with CASER. insurance premiums were debited from the IBERCAJA account owned by the claimant. On 06/08/2021, IBERCAJA MEDIACION, in its capacity as mediator of the insurance policy insurance and, therefore, in charge of processing the data responsibility of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/16 CASER, processes a request formulated in the offices of IBERCAJA, in which requests the modification of the account associated with said policy to proceed itself to premium payments, since it is the only insured, and in turn, modify its contractual position of insured by the policy holder and insured by the same policy, not making any changes to the policy, limited to transfer the request of the insured to the insurance company. On 06/09/2021 CASER proceeds, with effect from June 8, to replace the policyholder (claimant) for which until then was the insured of the policy (Mrs. B.B.B.), presupposing by the principle of commercial good faith that said substitution was known to the claimant, who would have granted his consent, at least tacitly. The fact that by losing the condition of policyholder, the claimant was released from the obligations and duties that derived from the insurance contract, led to think that the policyholder knew and accepted its substitution in the policy. Following communications from the claimant to the Customer Relations Center of CASER in which it stated that it had not accepted or consented to the change of policyholder of the insurance, once it was verified that there was no document in the files signed by the policyholder (claimant) requesting or authorizing said change, dated 06/16/2021, the policy was reverted to the previous situation, reinstating the claimant as the policy holder and, on June 17, it was returned to include your account number for purposes of paying premium receipts. As for the mortgage loan contract formalized by the claimant with IBERCAJA, the changes made to the health insurance policy by the entity insurer, object of this claim, did not modify the interest rate that came being applied to it. Likewise, the respondent in his response of 01/14/2022 stated, among other things, aspects, the following: “ The treatment of the data of the claimant by the insurer is legitimized by the content of article 6.1.b) of the RGPD that establishes that the Processing of personal data will be lawful if it is necessary for the execution of a contract to which the insured is a party. Additionally, the treatment of the data of the policyholders by the Insurers are legitimized by article 99.1 of Law 20/2015, of 14 of July, of Management, Supervision and Solvency of the Insurance Entities and Reinsurers, which empowers insurance companies to process the data of the policyholders, without the need to obtain their consent, for the development of the insurance contract; It must be taken into consideration that, as As soon as Caser learned of the absence of consent granted by the claimant rectified the policyholder change. With regard to access to data that is the responsibility of Caser by Ibercaja Mediación, this is legitimized by assuming this last society the condition of in charge of the treatment in accordance with the provisions of article 203.1.a) of the Royal Decree-Law 3/2020, as well as the fact that both parties have signed a comprehensive contract of the obligations established in article 28 of the RGPD. - That the claim made by the claimant is based on the occurrence of some facts that, when included by the claimant in his brief filed with the AEPD, recognize as authentic. - And part of the information that was transferred to the claimant is also reproduced: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/16 o All references made by this party to the IBERCAJA entity come referred to Ibercaja Mediación de Seguros, S.A.U., which is the mediation company of the insurance subscribed by you and, therefore, in charge of data processing Caser's responsibility. o That as soon as Caser heard that you had not requested the change as the policyholder, he proceeded to restore the contract to the previous situation”. THIRD: On 01/26/2022, in accordance with article 65 of the LOPDGDD, the claim filed by the claimant was admitted for processing. FOURTH: The General Subdirectorate for Data Inspection proceeded to carry out of previous investigative actions to clarify the facts in question, by virtue of the functions assigned to the control authorities in the article 57.1 and the powers granted in article 58.1 of the Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), and in accordance with the provisions of Title VII, Chapter I, Second Section, of the LOPDGDD, having knowledge of the following extremes: In order to investigate the occurrence of the events described, on 03/09/2022 a a request for information to the respondent, IBERCAJA and IBERCAJA MEDIACION. The responses to these requirements were entered in the electronic headquarters of the AEPD on 03/24/2022 (the claimed one), and on 03/29/2022 (IBERCAJA and IBERCAJA MEDIATION). The documentation collected describes the actions of the different entities to manage changes to a health insurance policy, and then reproduces an extract of the content provided in order to introduce the applications computers that are referenced: “[…] The process to modify the data of a health insurance policy, on a general basis. In general, it starts at the IBERCAJA offices, since that is where the clients for it. […] The management of the modifications of a claimed health policy, in the majority of the cases can be done directly from the offices of IBERCAJA through of the computer application of the defendant “Portal Bancassurance. […] The modification of the policyholder of a health insurance policy, that is, the substitution of the person of the initial policyholder by another person supposes a modification of the intervening in the contract, exceeding their personal data, and must be executed for the claimed. […] C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/16 The requests that the IBERCAJA offices cannot make directly in the application of the claimant are communicated to IBERCAJA MEDIACION, for their transfer to the claimant, as follows: - Internal Consultation Application "Remedy-Ibersic" - Email mailbox ***EMAIL.1 IBERCAJA MEDIACION transfers the request to the person claimed through the tool “SGO Requests” section that is available in the “Bancassurance Portal” of the called, to which the IBERCAJA offices do not have access. […] Once the introduction has been made, the result is displayed for each investigated entity. of the investigative actions. THE CLAIMED: In the documentation provided, in the Data Processing Activity Register Personal “General Insurance Production Treatment”, identifies the claimed as the entity responsible for data processing activities personal. On 06/08/2021, IBERCAJA MEDIATION opens the file ***FILE.1 through the “Requests for Operations (SGO)” function that is is available in the computer application "Portal Bancassurance" and transfers you to the claimed request for change of policyholder of the Comprehensive Health insurance policy of the claimant. The claimed party does not collect the "writings signed by the assigning policyholder and the that you accept”, the necessary documentation according to the procedure for the modification of a health insurance policy by issuing a supplement that the claimed has described in the framework of the preliminary investigation actions. Below is an excerpt from the description of the "Procedure established for the modification of a health insurance policy by issuing of a supplement” of the claimed: Due to its importance, it should be noted that in the Insurance Issuance Procedure General, the documentation that must be provided together with the request for modification of insurance conditions. Specifically, with regard to the necessary documentation to request the substitution of the policyholder, it is established literally: “Change of Policyholder. A writing or writings signed by the assigning policyholder and the policyholder who you accept. In addition, the document must provide the personal data of the new policyholder: name, surnames, document, direct debit, address of provision, etc. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/16 The policyholder must be over 18 years of age, or in case of being under 18 years of age and over 16, declared legally of legal age by a judge.” On 06/09/2021 the claimant makes the change in the insurance policy effective Comprehensive Health of the claimant in the terms requested by IBERCAJA MEDIATION: the Health Production Area, changes the account number and the policyholder, understanding that the policyholder consented, at least tacitly its substitution. On 06/16/2021 and as a result of the claims made by the claimant to the claimed, the claimed urges IBERCAJA MEDIACION to open a file requesting that the Comprehensive Health insurance policy of the claimant to the previous situation, including as policyholder the claimant and his account current address for the payment of the premium receipt. On 06/16/2021, the claimant retrotracts the Comprehensive Health insurance policy of the claimant to the situation prior to June 9, 2021. IBERCAJA MEDIATION It is noted that IBERCAJA MEDIACION, a company owned by IBERCAJA, acts as the person in charge of the Treatment with respect to the data treatments necessary to distribute the insurance of the claimed party, which is the entity responsible for the Treatment, and that IBERCAJA acts as sub-processor. It is indicated that the staff of IBERCAJA MEDIACION does not have a physical presence in any office of the IBERCAJA distribution network and that any management regarding health insurance policies made at the IBERCAJA offices are made by employees of said entity. On 06/08/2021, IBERCAJA MEDIATION receives from IBERCAJA, through the "Remedy-Ibersic" application, a change of policyholder query in the insurance policy Comprehensive health insurance of the claimant; requesting that the insured become the policyholder and additionally facilitating a new home account for the insurance premium payment; for transfer to the claimant. On 06/08/2021, IBERCAJA MEDIATION transfers the claimant, through the “Requests for Operations (SGO)” function of the “Portal Bancassurance” application, request to change the policyholder of the claimant's Comprehensive Health insurance policy. A screenshot of the "Portal Bancassurance" application is provided with the details of the petition transferred to the respondent. The petition includes the following information: Change of policyholder in Comprehensive Health insurance: [...] “The insured is going to be the policyholder and insured and who is going to pay the insurance. Currently, he was already the one who really paid for the insurance.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/16 On 06/09/2021, IBERCAJA MEDIACION is informed by the respondent, to via email, that the request has been processed. On 06/10/2021, IBERCAJA MEDIACION transfers to IBERCAJA, through the “Remedy-Ibersis” application, that the petition has been processed by the respondent. On 06/16/2021 IBERCAJA MEDIACION, due to the claim of the claimant before the respondent and at the request of the respondent, initiates a request for rectification to restore the claimant's Comprehensive Health insurance policy to his last situation. On 06/16/2021, IBERCAJA MEDIACION is informed by the respondent, to via email, that the policy has been returned to the initial situation. IBERCAJA IBERCAJA indicates that it is the insured who requests to become a policyholder and insured of the Comprehensive Health insurance policy whose policyholder is the claimant. On 06/08/2021, IBERCAJA communicated to IBERCAJA MEDIACION, through the “Remedy-Ibersic” application, request to change the policyholder of the insurance policy Comprehensive health of the claimant; requesting that the insured become the policyholder of the insurance and additionally facilitating a new domiciliary account for the payment of the secure prime; for transfer to the claimant. A screenshot of the "Remedy-Ibersic" application is provided with the communication to the IBERCAJA MEDIATION, New Relationship, where the user and the office are identified of origin and the details of the request are described: - New Relationship: brother of the insured (Office Deputy Director) - Office: ***OFFICE.1 - Detail of the Relationship: the new domiciliary account is provided for the payment of the insurance premium and includes the following information: “The insured is going to be the policyholder and insured and who is going to pay the insurance. Currently, he was the one who actually paid the insurance.” Information that is contrary to what the claimant states in their claim and the IBERCAJA corroborates in its response to the complainant dated July 27, 2021: “All Comprehensive Health insurance fees have been charged to the associated account […]” Referring to the account associated with that of the policyholder of the Comprehensive Health insurance policy of the claimant (Doc-4 of the Claim, entry – ***ENTRY.1). On 06/10/2021, IBERCAJA is informed by IBERCAJA MEDIACION, to through the "Remedy-Ibersic" application, that your request has been processed. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/16 FOUNDATIONS OF LAW Yo In accordance with [Insert the text corresponding to [Basic text I PS].] and according to the provisions of articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of the digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Data Protection Agency. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions issued in its development and, insofar as they are not contradict, in the alternative, by the general rules on the administrative procedures." II The facts denounced materialize in the fact that the defendant carried out various changes in the data of the health policy, linked to the loan contracted with a financial institution, without their consent, specifically, the policyholder and the premium charge account, appearing in his place his ex-partner both as a policyholder and as your personal account; it was later re-modified to include the claimant as policyholder, although the charge account continued to be that of his former partner and, finally, after the claims made by the claimant, the charge account, becoming the claimant's account, which could lead to the Violation of the regulations on the protection of personal data. Article 58 of the RGPD, Powers, states: "two. Each supervisory authority will have all of the following powers corrections listed below: (…) i) impose an administrative fine under article 83, in addition to or in Instead of the measures mentioned in this section, according to the circumstances of each particular case; (…)” Article 6, Legality of the treatment, of the RGPD in its section 1, establishes that: 1. The treatment will only be lawful if at least one of the following is met conditions: a) the interested party gave their consent for the processing of their data personal for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is a party or for the application at the request of the latter of measures pre-contractual; C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/16 c) the treatment is necessary for the fulfillment of a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the data subject or of another natural person; e) the treatment is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers vested in the controller of the treatment; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that over said interests do not prevail the interests or the rights and freedoms fundamental data of the interested party that require the protection of personal data, in particular when the interested party is a child. The provisions of letter f) of the first paragraph shall not apply to treatment carried out by public authorities in the exercise of their functions”. On the other hand, article 4 of the RGPD, Definitions, in its sections 1, 2 and 11, notes that: “1) «personal data»: any information about an identified natural person or identifiable ("the interested party"); An identifiable natural person shall be considered any person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the physical, physiological, genetic, mental, economic, cultural or social identity of said person; “2) «processing»: any operation or set of operations carried out about personal data or sets of personal data, either by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling of access, collation or interconnection, limitation, suppression or destruction; “11) «consent of the interested party»: any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him”. III Data processing requires the existence of a legal basis that legitimizes it, as the consent of the interested party for the processing of personal data for one or more specific purposes. In accordance with article 6.1 of the RGPD, in addition to the consent, There are other possible bases that legitimize the processing of data without the need for have the authorization of its owner, in particular, when it is necessary for the execution of a contract in which the affected party is a party or for the application, at the request of this, of pre-contractual measures, or when necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/16 provided that said interests do not prevail the interests or rights and fundamental freedoms of the affected party that require the protection of such data. The treatment is also considered lawful when it is necessary for the fulfillment of a legal obligation applicable to the controller, to protect interests vital data of the affected party or of another natural person or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers vested in the responsible for the treatment. In the present case, the defendant is charged with the violation of article 6.1 of the RGPD when evidencing the illegality of the treatment carried out, because as pointed out in the previous foundation, it allows various modifications in the data of the health policy, linked to the mortgage loan contracted with a financial entity, without your consent or authorization without your consent or authorization or any another cause of legitimation of those provided for in art. 6.1 of the GDPR. . The same defendant has acknowledged having made the change of policyholder effective insurance and associated charge account number without having followed the procedure established for the modification of a health insurance policy, that is, without having collected the "writings signed by the assigning policyholder and the accepting policyholder". It should be noted that respect for the principle of legality of the data requires that accredited evidence that the owner of the data consented to the processing of their data personal character and display a reasonable diligence essential to prove that end. If he does not act in this way, or if there is any other cause of legitimation, the The result would be to empty the content of the principle of legality. IV The infraction that is attributed to the claimed one is typified in the article 83.5 a) of the RGPD, which considers that the infringement of “the basic principles for processing, including the conditions for consent under the articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned Article 83 of the aforementioned Regulation, "with administrative fines of €20,000,000 as maximum or, in the case of a company, an amount equivalent to 4% as maximum of the overall annual total turnover of the previous financial year, opting for the highest amount. The LOPDGDD in its article 71, Violations, states that: "They constitute infractions the acts and behaviors referred to in sections 4, 5 and 6 of the Article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law”. And in its article 72, it considers for prescription purposes, which are: "Infringements considered very serious: 1. Based on the provisions of article 83.5 of the Regulation (EU) 2016/679 are considered very serious and the infractions that suppose a substantial violation of the articles mentioned in that and, in particularly the following: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/16 (…) b) The processing of personal data without the concurrence of any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…)” v In order to establish the administrative fine to be imposed, observe the provisions contained in articles 83.1 and 83.2 of the RGPD, which point out: "1. Each control authority will guarantee that the imposition of fines administrative actions under this article for violations of this Regulation indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, in addition to or as a substitute for the measures contemplated in article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administration and its amount in each individual case will be duly taken into account: a) the nature, seriousness and duration of the offence, taking into account the nature, scope or purpose of the processing operation in question as well as the number of stakeholders affected and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to alleviate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or of the person in charge of the treatment, taking into account the technical or organizational measures that have applied under articles 25 and 32; e) any previous infraction committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedying the breach and mitigating the possible adverse effects of the breach; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular if the person in charge or the person in charge notified the infringement and, in such case, what extent; i) when the measures indicated in article 58, paragraph 2, have been previously ordered against the person in charge or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under article 40 or mechanisms certificates approved in accordance with article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits realized or losses avoided, direct or indirectly, through infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/16 "two. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: a) The continuing nature of the offence. b) The link between the activity of the offender and the performance of treatments of personal data. c) The profits obtained as a result of committing the offence. d) The possibility that the conduct of the affected party could have induced the commission of the offence. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affectation of the rights of minors. g) Have, when it is not mandatory, a delegate for the protection of data. h) The submission by the person in charge or person in charge, with voluntary, to alternative conflict resolution mechanisms, in those assumptions in which there are controversies between those and any interested." In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction of fine to impose in the present case for the infringement typified in article 83.5.a) of the RGPD for which the defendant is held responsible, in an initial assessment, it is estimated concurrent the following factors: Aggravating circumstances are considered: - The nature, seriousness and duration of the infraction: the facts affect seriously to a basic principle relating to the processing of personal data personal, such as legitimacy, whose violation is considered very serious; the damages and damages caused as a result of the interference in the sphere of privacy of the claimant because we must not forget that we are facing the infraction of a fundamental right to the protection of personal data; the claimant was seen obliged to address both the financial institution and the claimed entity as consequence of the modifications produced in the policy, as well as the presentation d claim before the DGSFP and before this body for the same facts (article 83.2, a) of the GDPR). . - The activity of the claimed party is linked to data processing both clients and third parties. In its activity the claimed entity is The processing of personal data is essential, therefore, given the volume of business of the same (one of the important insurance entities of the country), the significance of the conduct object of this claim is undeniable (article 76.2.b) of the LOPDGDD in relation to article 83.2.k). - Although it cannot be argued that the defendant has acted intentionally, there is no doubt that there is a serious lack of diligence in his performance. Connected to the degree of diligence that the data controller is obliged to deploy in the fulfillment of the obligations imposed by the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/16 data protection regulations, the SAN of 10/17/2007 can be cited. Although it was dictated before the validity of the RGPD, its pronouncement is perfectly extrapolated to the case we are analyzing. The ruling, after alluding to the fact that the entities in which the development of their activity entails a continuous treatment of customer data and third parties must observe an adequate level of diligence, specified that “(...) the Supreme Court has understood that there is imprudence whenever a legal duty of care is disregarded, that is, when the offender fails to behaves with due diligence. And in assessing the degree of diligence, especially weigh the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and abundant handling of personal data, it must be insisted on the rigor and exquisite care to comply with the legal provisions in this regard” (article 83.2, b) of the RGPD). Extenuating circumstances are considered: - Only one person has been affected by the offending conduct. Therefore, as stated, By the Director of the Spanish Data Protection Agency, HE REMEMBERS: 1. INITIATE PUNISHMENT PROCEDURE against CAJA DE SEGUROS REUNIDOS, INSURANCE AND REASEGUROS COMPANY, S.A. (CASER) with NIF A28013050, for the alleged infringement of article 6.1 of the RGPD, sanctioned in accordance with the provisions in article 83.5.a) of the aforementioned RGPD. 2. APPOINT C.C.C. Instructor and Secretary to D.D.D., indicating that any of them may be challenged, where appropriate, in accordance with the provisions of articles 23 and 24 of Law 40/2015, of October 1, on the Legal Regime of the Public Sector (LRJSP). 3. INCORPORATE to the disciplinary file, for evidentiary purposes, the claim filed by the claimant and its documentation, as well as the documents obtained and generated by the General Subdirectorate of Data Inspection in the actions prior to the start of this sanctioning procedure. 4. THAT for the purposes provided in art. 64.2 b) of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations (LPACAP), and article 127 letter b) of the RLOPD, the sanction that could correspond for the infraction described would be €40,000 (forty thousand euros), without prejudice to what results from the instruction. 5. NOTIFY this Agreement to CAJA DE SEGUROS REUNIDOS, COMPAÑÍA INSURANCE AND REINSURANCE, S.A. (CASER) with NIF A28013050, indicating expressly his right to a hearing in the procedure and granting him a term of TEN WORKING DAYS to formulate the allegations and propose the evidence that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/16 consider appropriate. In your statement of allegations you must provide your NIF and the procedure number at the top of this document. Likewise, in accordance with articles 64.2.f) and 85 of the LPACAP, you are informed that, if it does not make allegations in time to this initial agreement, it may be considered a motion for a resolution. You are also informed that, in accordance with the provisions of article 85.1 LPACAP, may recognize its responsibility within the term granted for the formulation of allegations to this initial agreement which will entail a reduction of 20% of the sanction to be imposed in the present procedure, equivalent in this case to 8,000 euros. With the application of this reduction, the sanction would be established at 32,000 euros, resolving the procedure with the imposition of this sanction. Similarly, you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, in accordance with the provisions of article 85.2 LPACAP, which will mean a reduction of 20% of the amount of the same, equivalent in this case to 8,000 euros. With the application of this reduction, the sanction would be established at 32,000 euros and its payment will imply the termination of the procedure. The reduction for the voluntary payment of the penalty is cumulative with the corresponding apply for the acknowledgment of responsibility, provided that this acknowledgment of the responsibility is revealed within the period granted to formulate arguments at the opening of the procedure. The voluntary payment of the referred amount in the previous paragraph may be done at any time prior to the resolution. In In this case, if it were appropriate to apply both reductions, the amount of the penalty would be set at 24,000 euros. In any case, the effectiveness of any of the two reductions mentioned will be conditioned to the abandonment or renunciation of any action or resource in via administrative against the sanction. In case you chose to proceed to the voluntary payment of any of the amounts indicated above (32,000 euros or 24,000 euros), in accordance with the provisions of article 85.2 referred to, we indicate that you must make it effective by entering in the restricted account number ES00 0000 0000 0000 0000 0000 opened in the name of the Spanish Data Protection Agency at Banco CAIXABANK, S.A., indicating in the concept the reference number of the procedure that appears in the heading of this document and the reason for the reduction of the amount to which welcomes Likewise, you must send proof of payment to the General Subdirectorate of Inspection to proceed with the procedure in accordance with the quantity entered. The procedure will have a maximum duration of nine months from the date of the start-up agreement or, where appropriate, of the draft start-up agreement. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/16 Once this period has elapsed, it will expire and, consequently, the file of performances; in accordance with the provisions of article 64 of the LOPDGDD. Finally, it is pointed out that in accordance with the provisions of article 112.1 of the LPACAP, there is no administrative appeal against this act. Sea Spain Marti Director of the Spanish Data Protection Agency >> SECOND: On August 17, 2022, the claimed party has proceeded to pay of the sanction in the amount of 24,000 euros making use of the two reductions provided for in the Start Agreement transcribed above, which implies the acknowledgment of responsibility. THIRD: The payment made, within the period granted to formulate allegations to the opening of the procedure, entails the waiver of any action or resource in via administrative action against the sanction and acknowledgment of responsibility in relation to the facts referred to in the Initiation Agreement. FOUNDATIONS OF LAW Yo In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD), grants each control authority and as established in articles 47, 48.1, 64.2 and 68.1 of the Organic Law 3/2018, of December 5, on the Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), is competent to initiate and resolve this procedure the Director of the Spanish Protection Agency of data. Likewise, article 63.2 of the LOPDGDD determines that: "The procedures processed by the Spanish Agency for Data Protection will be governed by the provisions in Regulation (EU) 2016/679, in this organic law, by the provisions regulations issued in its development and, as long as they do not contradict them, with a subsidiary, by the general rules on administrative procedures." II Article 85 of Law 39/2015, of October 1, on Administrative Procedure Common to Public Administrations (hereinafter, LPACAP), under the rubric "Termination in sanctioning procedures" provides the following: "1. Started a sanctioning procedure, if the offender acknowledges his responsibility, the procedure may be resolved with the imposition of the appropriate sanction. 2. When the sanction is solely pecuniary in nature or it is possible to impose a C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/16 pecuniary sanction and another of a non-pecuniary nature, but the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in any time prior to the resolution, will imply the termination of the procedure, except in relation to the replacement of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. In both cases, when the sanction is solely pecuniary in nature, the competent body to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned to the withdrawal or resignation of any administrative action or recourse against the sanction. The reduction percentage provided for in this section may be increased regulations." According to what was stated, the Director of the Spanish Data Protection Agency RESOLVES: FIRST: TO DECLARE the termination of procedure EXP202105693, of in accordance with the provisions of article 85 of the LPACAP. SECOND: NOTIFY this resolution to CAJA DE SEGUROS REUNIDOS, INSURANCE AND REASEGUROS COMPANY, S.A. (CASER). In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure as prescribed by the art. 114.1.c) of Law 39/2015, of October 1, on Administrative Procedure Common of the Public Administrations, the interested parties may file an appeal contentious-administrative before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-Administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided in article 46.1 of the aforementioned Law. 936-040822 Sea Spain Marti Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es