AEPD (Spain) - PS/00240/2019: Difference between revisions
m (Ar moved page AEPD - PS/00240/2019 to AEPD (Spain) - PS/00240/2019) |
|||
(15 intermediate revisions by 2 users not shown) | |||
Line 57: | Line 57: | ||
}} | }} | ||
The Spanish DPA fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with | The Spanish DPA fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with Article 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(d) and with Article 14 GDPR. The authority ordered Equifax to stop the processing and to delete the related database. | ||
== English Summary == | == English Summary == | ||
Line 81: | Line 81: | ||
# Some of the erasure requests had already been properly responded to. | # Some of the erasure requests had already been properly responded to. | ||
# Some of the claims regarding rights requests had not been exercised before the controller previously to the claim. | # Some of the claims regarding rights requests had not been exercised before the controller previously to the claim. | ||
# According to the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN former Data Protection Directive], to the [https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf former Spanish Data Protection Act] (in its Article 29), to the CJEU ([https://curia.europa.eu/juris/document/document.jsf?text=&docid=115205&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6332885 C-468/10 y C-469/10, Asnef, Fecemed]), and to the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf Article 29 WP], controllers providing services for financial solvency and creditworthiness | # According to the [https://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:31995L0046&from=EN former Data Protection Directive], to the [https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf former Spanish Data Protection Act] (in its Article 29), to the CJEU ([https://curia.europa.eu/juris/document/document.jsf?text=&docid=115205&pageIndex=0&doclang=EN&mode=lst&dir=&occ=first&part=1&cid=6332885 C-468/10 y C-469/10, Asnef, Fecemed]), and to the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf Article 29 WP], controllers providing services for financial solvency and creditworthiness on legitimate interest. They also cited AEPD resolutions that decided in the same sense. | ||
# Post-GDPR, they accuse the AEPD of changing their previous criterion, while knowing that these behaviour is common and generally permitted (the AEPD was processing recommendations on this matter at the time of the proceeding). | # Post-GDPR, they accuse the AEPD of changing their previous criterion, while knowing that these behaviour is common and generally permitted (the AEPD was processing recommendations on this matter at the time of the proceeding). | ||
# They consider that the initial sanction proposal | # They consider that the initial sanction proposal was disproportionate, what would expel them from the market, benefiting other companies that carry out the same practices. They also alleged that, according to criminal law principles, there should be a concurrence of violations, and that they should not be individually fined for all of them. | ||
# A [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2007-19814 Spanish act] allows for the re-utilization of information from the public sector. | # A [https://www.boe.es/diario_boe/txt.php?id=BOE-A-2007-19814 Spanish act] allows for the re-utilization of information from the public sector. | ||
# The legal concept of "publicly accessible sources" implies the potential knowledge and access by any person. | # The legal concept of "publicly accessible sources" implies the potential knowledge and access by any person. | ||
Line 94: | Line 94: | ||
===== On formal defects ===== | ===== On formal defects ===== | ||
The AEPD dismissed Equifax's arguments regarding the lack of possibility of defence, alleging that | The AEPD dismissed Equifax's arguments regarding the lack of possibility of defence, alleging that they had followed the procedure established by law. | ||
===== On the change of criterion ===== | ===== On the change of criterion ===== | ||
Line 104: | Line 104: | ||
On the purpose limitation principle, the AEPD argues that when data is processed with basis on a legitimate interest, according to Article 6(4) GDPR it must be assessed if the purpose is compatible with the purpose for which the personal data are initially collected. In this case, the reason why the data were initially collected has no connection or similar context to the purpose that Equifax alleges for processing the data. The data were initially collected and published by public institutions for notification purposes, with basis on a national law that pursues a public interest, namely the right to effective legal protection, enclosed in Article 24 of the [https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229 Spanish Constitution]. | On the purpose limitation principle, the AEPD argues that when data is processed with basis on a legitimate interest, according to Article 6(4) GDPR it must be assessed if the purpose is compatible with the purpose for which the personal data are initially collected. In this case, the reason why the data were initially collected has no connection or similar context to the purpose that Equifax alleges for processing the data. The data were initially collected and published by public institutions for notification purposes, with basis on a national law that pursues a public interest, namely the right to effective legal protection, enclosed in Article 24 of the [https://www.boe.es/buscar/act.php?id=BOE-A-1978-31229 Spanish Constitution]. | ||
Therefore, the starting point for the analysis is the origin of the data, and the purposes why such data was collected and later published. There is, | Therefore, the starting point for the analysis is the origin of the data, and the purposes why such data was collected and later published. There is, in view of the AEPD, no connection between one purpose (a public notification, that constitutes a guarantee to preserve a fundamental right of the data subject, and that therefore overrides their right to data protection) and Equifax's purpose (providing potential harmful or negative information about the data subjects to different businesses). There is no similarity between the context of both processing activities, and between the possible consequences of the processing, and there are no additional safeguards to prevent any risks in the processing. Additionally, the AEPD argues that there could not have been any reasonable expectation of the data subjects for their data to be processed in such a way, given the context. | ||
According to the AEPD, it was responsibility of the controller to assess whether the purposes were compatible and to comply with the regulation, as stated in Article 5(2) GDPR. And, they add, Equifax was aware that their purpose was not compatible with the initial purpose, as can be inferred by the allegations made during the investigation, when they allege that they are entitled to carry out subsequent processing for statistical and scientific purposes. | According to the AEPD, it was responsibility of the controller to assess whether the purposes were compatible and to comply with the regulation, as stated in Article 5(2) GDPR. And, they add, Equifax was aware that their purpose was not compatible with the initial purpose, as can be inferred by the allegations made during the investigation, when they allege that they are entitled to carry out subsequent processing for statistical and scientific purposes. | ||
Line 112: | Line 112: | ||
Although the controller alleges, referring again to the change of criterion, that the mentioned text related to the purposes had not changed, the AEPD found that Equifax is intentionally mis-interpreting the content of the norm, interpreting the phrasing of "purpose for which the personal data are initially collected" as the purpose for which Equifax collected the data from the public sources, not as the initial collection of data by the administration in a first place, that is what the regulation refers to. | Although the controller alleges, referring again to the change of criterion, that the mentioned text related to the purposes had not changed, the AEPD found that Equifax is intentionally mis-interpreting the content of the norm, interpreting the phrasing of "purpose for which the personal data are initially collected" as the purpose for which Equifax collected the data from the public sources, not as the initial collection of data by the administration in a first place, that is what the regulation refers to. | ||
Therefore, the AEPD | Therefore, the AEPD concluded that Equifax had violated the purpose limitation principle enclosed in Article 5(1)(b) GDPR. | ||
===== On the lawfulness | ===== On the lawfulness of processing ===== | ||
On this matter, the AEPD | On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest can only be legitimate if it is lawful in the first place. However, as explained in the previous section (and following sections), the processing carried out by Equifax was not lawful, and therefore their interest can never be legitimate. | ||
However, the AEPD decided to anyhow carry out an analysis on the legitimate interest brought forward by Equifax. The legitimate interest alleged by Equifax had a double interest: | |||
* be | * an interest (from the controller and the third parties to be recipients of the data) linked to the assessment of the financial solvency of the data subjects, | ||
* be | * an interest linked to fraud prevention. | ||
To assess whether Equifax could rely on a legitimate interest for the processing, the authority suggests an analysis based on the [https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp217_en.pdf Article 29 WP guidelines on legitimate interest]. | |||
The AEPD concludes, firstly, that the processing is not strictly necessary to achieve the purpose alleged. They argue that such purpose can be achieved by other means, and that the terms "convenience" and "necessity" shall not be mistaken. Nor was the processing adequate, given that the data collected were not updated, inaccurate, and did only represent a little part of the population. And nor was there a balance between the interests of the controller and the negative consequences posed to the data subjects, that additionally could in any way have a reasonable expectation for such processing to happen. | |||
Therefore, the AEPD concludes, the fundamental right to data protection would override the legitimate interests of the controller (and third parties). The convenience of the actors that represent any economic sector is not proportional to the violation that such processing would incur in. | |||
With regards to Article 29 from the [https://www.boe.es/buscar/pdf/1999/BOE-A-1999-23750-consolidado.pdf former Spanish Data Protection Act], that allowed credit reporting agencies to use public data, the AEPD alleges that such law was repelled when the GDPR came into force. Even if the current [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Data Protection Act] has an Article allowing such systems, the norm does not mention public sources anymore, but refers to a scenario in which the creditor communicates the debts to the credit reporting company. These last systems are substantially different from the ones that collect data from public sources, as they deal with accurate information, the data is directly obtained from the creditor (therefore not violating the limitation purpose principle) and use adequate safeguards to ensure compliance with GDPR. | |||
The AEPD also accuses the controller of not being able to demonstrate the alleges compliance, as they considered unnecessary, when the GDPR and the new Data Protection Act entered into force, to carry out a legitimate interest assessment. | |||
Therefore, without being able to rely on legitimate interest, the controller processed data without a legal basis, infringing Article 6(1) GDPR, in relation with the lawfulness principle established by Article 5(1)(a) GDPR. | |||
===== On the accuracy principle ===== | |||
Article 5(1)(d) GDPR establishes that personal data shall be accurate and, where necessary, kept up to date. In addition to this, Recital 39 obliges the controller to undertake any reasonably necessary action to ensure this. Therefore, the AEPD says, a controller shall not process data if it is not able to ensure the accuracy of the data, and that they are kept up to date. | |||
Additionally, the AEPD argues that, if the purposes for which the data was collected are different, it is also possible that the level of accuracy required is different too. In this case, they reason, the level of accuracy necessary to notify a data subject of a debt is not the same as the level of accuracy necessary to assess the financial reliability of a person. | |||
Also, the purpose of a notification is to inform a person of a situation that exists in a particular moment. It is highly probable that such situation will change in the future, for example because the person fulfills their obligation and cancels the debt. The nature of the files created by the collection of data by the controller is completely different: they intend to asses the financial situation of the data subjects in a moment that is different from the moment of the notification. Therefore, it is impossible for the controller to keep the data up to date, as once the precise moment of the notification passes, the data may not already be updated. However, the AEPD found in the database data collected in 2013. | |||
Also, the AEPD says, not all the data collected can be attributed to a person without doubt, given that two persons can have the same name, and ID numbers are not always published, or published only partially. The address, that is also used to distinguish persons, is not always available either. | |||
In this regard, the AEPD remarks that, without properly being able to identify the subjects to which the data belong, it is unlikely that the controller can adequately achieve the interests that they allege. | |||
The importance of these circumstances is confirmed by the fact that some of the complainants had suffered from lack of accuracy, either because they were not the debtors or either because they had already pay such debt, for instance. | |||
Hence, the AEPD found a violation of Article 5(1)(d) GDPR. | |||
===== On the data minimization principle ===== | |||
Regarding the data minimization principle, the AEPD remarks that processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The GDPR requires that the categories of data that are used should be adequate to achieve the purposes of the processing. Additionally, data should be adequate and relevant, meaning that if they constitute an inference on rights and fundamental freedoms, they will be considered excessive. | |||
Here, the AEPD emphasizes the impossibility of complying with the rest of the principles when violating the purpose limitation principle, as the ones are conditioned by the other. | |||
The fact that the purpose of the initial collection differs from the subsequent processing by Equifax means that the data are not accurate anymore, and therefore they are not adequate for the purposes that the processing seeks. This is also related to the fact that the purpose of the initial collection differs from the subsequent processing, so the reason why certain data and categories of data were disclosed in the first place do not match the purpose and interests that Equifax has. | |||
When referring to public notifications, the purpose of the processing is to be able to notify the debtor. For this, only certain categories of data are required. In fact, following the GDPR principles, the Spanish law imposes a minimization of the data that are to be published in order to notify. As of 2019, the address shall not be published, and names and surnames can never be published together with the ID number, that can only include four random chosen numbers. | |||
Therefore, for the purposes of Equifax, this data was not adequate, what led to a violation of Article 5(1)(c). | |||
This, apart from leading to inaccuracy when Equifax collects the data, leads to the impossibility of the controller to notify the data subjects in accordance with Article 14 GDPR, and also spotlights why infringing Article Article 5(1)(b) leads to the violation of other Articles and principles. | |||
===== On the obligation to inform the data subjects ===== | |||
With the entry into force of the GDPR, the controller entered into an obligation to provide certain information to the data subjects when their data is processed. However, it is obvious, the AEPD, that Equifax did not notify all the data subjects which data were processing. While the database contained data of more than 4 million persons, the controller had only notify around 340,000 data subjects. | |||
As previously stated, given that the addresses of the notified persons were not published anymore, the controller was not able to access them and therefore could not notify the data subjects. The AEPD remarks that even the data that were collected before the GDPR entered into forced were also subject to this obligation, given the fact that the data are still being processed. | |||
Therefore, the AEPD found a violation of Article 14 GDPR. | |||
===== Proportionality and concurrence of violations ===== | ===== Proportionality and concurrence of violations ===== | ||
The controller | The controller considered that the initial sanction proposal was disproportionate, since it would have expelled them from the market, benefiting other companies that carry out the same practices. The AEPD disregarded this argument, given that the controller was basing their business activities, on this matter, in the illegal collection of personal data. This was not an occasional behaviour, they alleged, but the core of such activity. | ||
Therefore, the AEPD concluded that the imposed sanctions (namely, the fine, the stop of the processing and the order to erase the data) were appropriate and proportional. | |||
The controller also alleged that, according to criminal law principles, that shall also be applied to administrative sanction proceedings, there should be a concurrence of violations, and that they should not be individually fined for all of them. | |||
In this regard, the controller pleaded that there exists a concurrence of violations, and that they should not be individually fined for all of them. The "concurso medial" figure (that may be translated as "instrumental concurrence") from Spanish criminal law implies that, when an offence is instrumental to another offence (i.e., one offence is committed to be able to commit the second one), the perpetrator will be guilty of both offences but sentenced to the sanction established for the main offence, on its highest level. | |||
This is enclosed in the Spanish administrative legislation in Article 29(5) of the Spanish Act on the legal regime of the Public Sector, that states that when an offence is derived from the perpetration of other offences, only the sanction for the more serious offence will be imposed. | |||
In such a sense, the authority concluded that the main, initial, and more relevant violation was the violation of the purpose limitation principle, from which the other violations derive. Therefore, given that Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR were infringed in connection to Article 5(1)(b), the AEPD considers that they can only sanction the controller for the main violation. | |||
===== Sanction ===== | ===== Sanction ===== | ||
The Spanish DPA fined Equifax €1,000,000 for the violation of Article 5(1)(b), Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR. | In order to define the amount of the fine, the AEPD took into account the fact that the violation did not come from an isolated infringement or the result of a one-off irregularity. The AEPD remarked that the behaviour is a ''modus operandi'' articulated perfectly outside the law which, that takes advantage of official publications containing personal data, and that seeks to obtain an economic benefit by providing a service to third parties related to information on the solvency of the affected data subjects. The scope of this processing operation transcends the affected claimants and extends to all natural persons whose data have been included in official publications in the past or may be included in the future. | ||
It is therefore a structural case of non-compliance with the GDPR and the legislation guaranteeing the fundamental right to data protection derived from Article 18(4) of the Spanish Constitution. Additionally, the personal data of the data subjects may be communicated to third parties, even if its processing clearly violates the GDPR. The extent of the damage that may result from this processing is unpredictable. | |||
The AEPD's initial sanction proposal included higher fines. | |||
* Violation of Article 6(1), in relation with Article 5(1)(a): €3,000,000 fine + prohibition of processing + erasure of the data | |||
* Violation of Article 5(1)(d): €3,000,000 fine + prohibition of processing + erasure of the data | |||
* Violation of Article 5(1)(b): €1,000,000 fine + prohibition of processing + erasure of the data | |||
* Violation of Article 5(1)(c): €1,000,000 fine | |||
* Violation of Article 14: €1,000,000 fine | |||
The AEPD finally reduced both €3,000,000 fines to €1,000,000 fines, and applied the figure of concurrence of offences, which led to an only sanction for the main violation of Article 5(1)(b). | |||
Therefore, the Spanish DPA fined Equifax €1,000,000 for the violation of Article 5(1)(b), in relation with the violations of Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR. | |||
The DPA also ordered Equifax to stop the processing and to delete all the personal data in their File on Judicial Complaints and Public Bodies, obtained through public sources, that were being subject to such processing, with grounds on Article 58(2)(f) and Article 58(2)(g), respectively. | The DPA also ordered Equifax to stop the processing and to delete all the personal data in their File on Judicial Complaints and Public Bodies, obtained through public sources, that were being subject to such processing, with grounds on Article 58(2)(f) and Article 58(2)(g), respectively. |
Latest revision as of 14:21, 13 December 2023
AEPD - PS/00240/2019 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 5(1)(b) GDPR Article 5(1)(a) GDPR Article 6(1) GDPR Article 14 GDPR Article 5(1)(c) GDPR Article 5(1)(d) GDPR |
Type: | Complaint |
Outcome: | Upheld |
Started: | |
Decided: | |
Published: | 26.04.2021 |
Fine: | 1000000 EUR |
Parties: | EQUIFAX IBÉRICA, S.L. |
National Case Number/Name: | PS/00240/2019 |
European Case Law Identifier: | n/a |
Appeal: | n/a |
Original Language(s): | Spanish |
Original Source: | AEPD decision (in ES) |
Initial Contributor: | n/a |
The Spanish DPA fined Equifax, a credit ranking agency, €1,000,000 for failing to comply with Article 5(1)(a), 5(1)(b), 5(1)(c), 5(1)(d) and with Article 14 GDPR. The authority ordered Equifax to stop the processing and to delete the related database.
English Summary
Facts
96 data subjects lodged a complaint with the Spanish DPA (AEPD) against Equifax regarding its File on Judicial Complaints and Public Bodies (FIJ). Their data had been included in such file without consent after being scrapped from the Spanish Official State Gazette, and different releases and debtors lists from other public bodies, such as the General Tax Administration and city councils' gazettes.
Some of this information was inaccurate or was not even related to the claimants. Additionally, the controller refused to delete the data when some data subjects made an erasure request, while sometimes asking for them to justify the request, or to prove their identity with a copy of their ID card.
Equifax denied the erasure requests of the complainant using a template for the letter they sent in response to the data subjects that included the following statements:
- The data has been collected from publicly accessible sources.
- The data will be erased when the data subject has payed the amounts due and sends proper justification about it.
- The data will be stored for 6 years.
In another different letter, they added that Equifax relied on the legitimate interest of the entities that use their services, that need to have information about the debts and monetary claims regarding their clients or persons with which they intend to engage in bushiness operations for business certainty purposes, to prevent late payments and to evaluate their reliability.
They also pointed that such data was accessible via entities from the financial, insurance, telecommunications, energy supply, deferred or recurrent payment services sectors that may engage in a contract with or assess an application from the data subjects.
The controller alleged:
- They did not have a proper opportunity to defend themselves, as the deadline for allegations was too short.
- Some of the erasure requests had already been properly responded to.
- Some of the claims regarding rights requests had not been exercised before the controller previously to the claim.
- According to the former Data Protection Directive, to the former Spanish Data Protection Act (in its Article 29), to the CJEU (C-468/10 y C-469/10, Asnef, Fecemed), and to the Article 29 WP, controllers providing services for financial solvency and creditworthiness on legitimate interest. They also cited AEPD resolutions that decided in the same sense.
- Post-GDPR, they accuse the AEPD of changing their previous criterion, while knowing that these behaviour is common and generally permitted (the AEPD was processing recommendations on this matter at the time of the proceeding).
- They consider that the initial sanction proposal was disproportionate, what would expel them from the market, benefiting other companies that carry out the same practices. They also alleged that, according to criminal law principles, there should be a concurrence of violations, and that they should not be individually fined for all of them.
- A Spanish act allows for the re-utilization of information from the public sector.
- The legal concept of "publicly accessible sources" implies the potential knowledge and access by any person.
- They rely on the legitimate interest, according to the the Article 29 WP, that requires a link between the interest and the purpose of the processing, a necessity assessment and a favourable balancing test. Also, they allege that the data subject has a reasonable expectation for their data to be processed in such a way.
- Regarding the accuracy principle, they argue that accuracy of data released by public bodies must be presumed to be accurate. In addition, the Spanish Data Protection Act (Article 4(2)) states that the obligation of ensuring accuracy is not attributable to the controller when data are collected from public sources if the controller ensures that they are rectified in due time when requested.
The Spanish DPA found that the data of 282.037 persons had been included in the files since the entry into force of the GDPR. It also found that, despite Equifax alleging the contrary, there was no proof of notification to the data subjects in accordance to Article 14.
Holding
On formal defects
The AEPD dismissed Equifax's arguments regarding the lack of possibility of defence, alleging that they had followed the procedure established by law.
On the change of criterion
Additionally, the authority found that the processing had also taken place after the entry into force of the GDPR, therefore making it irrelevant for these purposes that part of it started while the Directive was still in force.
Regarding the change of criterion, the AEPD argued that, logically, they were entitled to change their criterion, specially when a new regulation had been passed. In this regard, the AEPD noted that the GDPR did not mention publicly accessible sources anymore for this matter, and that such Regulation repelled the former Spanish Data Protection Act, that allowed the processing for financial solvency and creditworthiness purposes when obtained from public sources, thus changing the legal framework existing until the moment for this type of processing.
On the purpose limitation principle
On the purpose limitation principle, the AEPD argues that when data is processed with basis on a legitimate interest, according to Article 6(4) GDPR it must be assessed if the purpose is compatible with the purpose for which the personal data are initially collected. In this case, the reason why the data were initially collected has no connection or similar context to the purpose that Equifax alleges for processing the data. The data were initially collected and published by public institutions for notification purposes, with basis on a national law that pursues a public interest, namely the right to effective legal protection, enclosed in Article 24 of the Spanish Constitution.
Therefore, the starting point for the analysis is the origin of the data, and the purposes why such data was collected and later published. There is, in view of the AEPD, no connection between one purpose (a public notification, that constitutes a guarantee to preserve a fundamental right of the data subject, and that therefore overrides their right to data protection) and Equifax's purpose (providing potential harmful or negative information about the data subjects to different businesses). There is no similarity between the context of both processing activities, and between the possible consequences of the processing, and there are no additional safeguards to prevent any risks in the processing. Additionally, the AEPD argues that there could not have been any reasonable expectation of the data subjects for their data to be processed in such a way, given the context.
According to the AEPD, it was responsibility of the controller to assess whether the purposes were compatible and to comply with the regulation, as stated in Article 5(2) GDPR. And, they add, Equifax was aware that their purpose was not compatible with the initial purpose, as can be inferred by the allegations made during the investigation, when they allege that they are entitled to carry out subsequent processing for statistical and scientific purposes.
The AEPD also notes that their allegation regarding the Spanish act for the re-utilization of information from the public sector explicitly states (in its Article 4) that when personal data are involved, the data protection regulations will apply. This was also clarified by the State Agency of the Official State Gazette, that stated that re-utilization of their data was not lawful when pursuing economic profit. In fact, they say, such information is only available for 3 months.
Although the controller alleges, referring again to the change of criterion, that the mentioned text related to the purposes had not changed, the AEPD found that Equifax is intentionally mis-interpreting the content of the norm, interpreting the phrasing of "purpose for which the personal data are initially collected" as the purpose for which Equifax collected the data from the public sources, not as the initial collection of data by the administration in a first place, that is what the regulation refers to.
Therefore, the AEPD concluded that Equifax had violated the purpose limitation principle enclosed in Article 5(1)(b) GDPR.
On the lawfulness of processing
On this matter, the AEPD argued that, according to Article 5(1)(a) GDPR, Recital 39 and Article 6(1)(f), an interest can only be legitimate if it is lawful in the first place. However, as explained in the previous section (and following sections), the processing carried out by Equifax was not lawful, and therefore their interest can never be legitimate.
However, the AEPD decided to anyhow carry out an analysis on the legitimate interest brought forward by Equifax. The legitimate interest alleged by Equifax had a double interest:
- an interest (from the controller and the third parties to be recipients of the data) linked to the assessment of the financial solvency of the data subjects,
- an interest linked to fraud prevention.
To assess whether Equifax could rely on a legitimate interest for the processing, the authority suggests an analysis based on the Article 29 WP guidelines on legitimate interest.
The AEPD concludes, firstly, that the processing is not strictly necessary to achieve the purpose alleged. They argue that such purpose can be achieved by other means, and that the terms "convenience" and "necessity" shall not be mistaken. Nor was the processing adequate, given that the data collected were not updated, inaccurate, and did only represent a little part of the population. And nor was there a balance between the interests of the controller and the negative consequences posed to the data subjects, that additionally could in any way have a reasonable expectation for such processing to happen.
Therefore, the AEPD concludes, the fundamental right to data protection would override the legitimate interests of the controller (and third parties). The convenience of the actors that represent any economic sector is not proportional to the violation that such processing would incur in.
With regards to Article 29 from the former Spanish Data Protection Act, that allowed credit reporting agencies to use public data, the AEPD alleges that such law was repelled when the GDPR came into force. Even if the current Data Protection Act has an Article allowing such systems, the norm does not mention public sources anymore, but refers to a scenario in which the creditor communicates the debts to the credit reporting company. These last systems are substantially different from the ones that collect data from public sources, as they deal with accurate information, the data is directly obtained from the creditor (therefore not violating the limitation purpose principle) and use adequate safeguards to ensure compliance with GDPR.
The AEPD also accuses the controller of not being able to demonstrate the alleges compliance, as they considered unnecessary, when the GDPR and the new Data Protection Act entered into force, to carry out a legitimate interest assessment.
Therefore, without being able to rely on legitimate interest, the controller processed data without a legal basis, infringing Article 6(1) GDPR, in relation with the lawfulness principle established by Article 5(1)(a) GDPR.
On the accuracy principle
Article 5(1)(d) GDPR establishes that personal data shall be accurate and, where necessary, kept up to date. In addition to this, Recital 39 obliges the controller to undertake any reasonably necessary action to ensure this. Therefore, the AEPD says, a controller shall not process data if it is not able to ensure the accuracy of the data, and that they are kept up to date.
Additionally, the AEPD argues that, if the purposes for which the data was collected are different, it is also possible that the level of accuracy required is different too. In this case, they reason, the level of accuracy necessary to notify a data subject of a debt is not the same as the level of accuracy necessary to assess the financial reliability of a person.
Also, the purpose of a notification is to inform a person of a situation that exists in a particular moment. It is highly probable that such situation will change in the future, for example because the person fulfills their obligation and cancels the debt. The nature of the files created by the collection of data by the controller is completely different: they intend to asses the financial situation of the data subjects in a moment that is different from the moment of the notification. Therefore, it is impossible for the controller to keep the data up to date, as once the precise moment of the notification passes, the data may not already be updated. However, the AEPD found in the database data collected in 2013.
Also, the AEPD says, not all the data collected can be attributed to a person without doubt, given that two persons can have the same name, and ID numbers are not always published, or published only partially. The address, that is also used to distinguish persons, is not always available either.
In this regard, the AEPD remarks that, without properly being able to identify the subjects to which the data belong, it is unlikely that the controller can adequately achieve the interests that they allege.
The importance of these circumstances is confirmed by the fact that some of the complainants had suffered from lack of accuracy, either because they were not the debtors or either because they had already pay such debt, for instance.
Hence, the AEPD found a violation of Article 5(1)(d) GDPR.
On the data minimization principle
Regarding the data minimization principle, the AEPD remarks that processed personal data shall be adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed. The GDPR requires that the categories of data that are used should be adequate to achieve the purposes of the processing. Additionally, data should be adequate and relevant, meaning that if they constitute an inference on rights and fundamental freedoms, they will be considered excessive.
Here, the AEPD emphasizes the impossibility of complying with the rest of the principles when violating the purpose limitation principle, as the ones are conditioned by the other.
The fact that the purpose of the initial collection differs from the subsequent processing by Equifax means that the data are not accurate anymore, and therefore they are not adequate for the purposes that the processing seeks. This is also related to the fact that the purpose of the initial collection differs from the subsequent processing, so the reason why certain data and categories of data were disclosed in the first place do not match the purpose and interests that Equifax has.
When referring to public notifications, the purpose of the processing is to be able to notify the debtor. For this, only certain categories of data are required. In fact, following the GDPR principles, the Spanish law imposes a minimization of the data that are to be published in order to notify. As of 2019, the address shall not be published, and names and surnames can never be published together with the ID number, that can only include four random chosen numbers.
Therefore, for the purposes of Equifax, this data was not adequate, what led to a violation of Article 5(1)(c).
This, apart from leading to inaccuracy when Equifax collects the data, leads to the impossibility of the controller to notify the data subjects in accordance with Article 14 GDPR, and also spotlights why infringing Article Article 5(1)(b) leads to the violation of other Articles and principles.
On the obligation to inform the data subjects
With the entry into force of the GDPR, the controller entered into an obligation to provide certain information to the data subjects when their data is processed. However, it is obvious, the AEPD, that Equifax did not notify all the data subjects which data were processing. While the database contained data of more than 4 million persons, the controller had only notify around 340,000 data subjects.
As previously stated, given that the addresses of the notified persons were not published anymore, the controller was not able to access them and therefore could not notify the data subjects. The AEPD remarks that even the data that were collected before the GDPR entered into forced were also subject to this obligation, given the fact that the data are still being processed.
Therefore, the AEPD found a violation of Article 14 GDPR.
Proportionality and concurrence of violations
The controller considered that the initial sanction proposal was disproportionate, since it would have expelled them from the market, benefiting other companies that carry out the same practices. The AEPD disregarded this argument, given that the controller was basing their business activities, on this matter, in the illegal collection of personal data. This was not an occasional behaviour, they alleged, but the core of such activity.
Therefore, the AEPD concluded that the imposed sanctions (namely, the fine, the stop of the processing and the order to erase the data) were appropriate and proportional.
The controller also alleged that, according to criminal law principles, that shall also be applied to administrative sanction proceedings, there should be a concurrence of violations, and that they should not be individually fined for all of them.
In this regard, the controller pleaded that there exists a concurrence of violations, and that they should not be individually fined for all of them. The "concurso medial" figure (that may be translated as "instrumental concurrence") from Spanish criminal law implies that, when an offence is instrumental to another offence (i.e., one offence is committed to be able to commit the second one), the perpetrator will be guilty of both offences but sentenced to the sanction established for the main offence, on its highest level.
This is enclosed in the Spanish administrative legislation in Article 29(5) of the Spanish Act on the legal regime of the Public Sector, that states that when an offence is derived from the perpetration of other offences, only the sanction for the more serious offence will be imposed.
In such a sense, the authority concluded that the main, initial, and more relevant violation was the violation of the purpose limitation principle, from which the other violations derive. Therefore, given that Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR were infringed in connection to Article 5(1)(b), the AEPD considers that they can only sanction the controller for the main violation.
Sanction
In order to define the amount of the fine, the AEPD took into account the fact that the violation did not come from an isolated infringement or the result of a one-off irregularity. The AEPD remarked that the behaviour is a modus operandi articulated perfectly outside the law which, that takes advantage of official publications containing personal data, and that seeks to obtain an economic benefit by providing a service to third parties related to information on the solvency of the affected data subjects. The scope of this processing operation transcends the affected claimants and extends to all natural persons whose data have been included in official publications in the past or may be included in the future.
It is therefore a structural case of non-compliance with the GDPR and the legislation guaranteeing the fundamental right to data protection derived from Article 18(4) of the Spanish Constitution. Additionally, the personal data of the data subjects may be communicated to third parties, even if its processing clearly violates the GDPR. The extent of the damage that may result from this processing is unpredictable.
The AEPD's initial sanction proposal included higher fines.
- Violation of Article 6(1), in relation with Article 5(1)(a): €3,000,000 fine + prohibition of processing + erasure of the data
- Violation of Article 5(1)(d): €3,000,000 fine + prohibition of processing + erasure of the data
- Violation of Article 5(1)(b): €1,000,000 fine + prohibition of processing + erasure of the data
- Violation of Article 5(1)(c): €1,000,000 fine
- Violation of Article 14: €1,000,000 fine
The AEPD finally reduced both €3,000,000 fines to €1,000,000 fines, and applied the figure of concurrence of offences, which led to an only sanction for the main violation of Article 5(1)(b).
Therefore, the Spanish DPA fined Equifax €1,000,000 for the violation of Article 5(1)(b), in relation with the violations of Article 6(1), Article 5(1)(a), Article 5(1)(d), Article 5(1)(c), and Article 14 GDPR.
The DPA also ordered Equifax to stop the processing and to delete all the personal data in their File on Judicial Complaints and Public Bodies, obtained through public sources, that were being subject to such processing, with grounds on Article 58(2)(f) and Article 58(2)(g), respectively.
Comment
The decision, being 184 pages long, includes many details that are not conveyed in this summary because they are not relevant for the outcome of the case and the interpretation of the GDPR.
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
Page 1 1/184 Procedure No.: PS / 00240/2019 RESOLUTION OF SANCTIONING PROCEDURE Of the procedure instructed by the Spanish Agency for Data Protection and in consideration to the following BACKGROUND FIRST: They have been received by the Spanish Data Protection Agency (AEPD) ninety-six ( 96 ) claims against EQUIFAX IBÉRICA, SL, with NIF B80855398 , (hereinafter, the claimed or EQUIFAX) for alleged violation of the data protection regulations. The claims relate to the processing of the personal data of the claimants made by EQUIFAX and materialized in its incorporation into the File of Judicial Claims and Public Bodies (hereinafter, FIJ) associated with alleged debts mostly contracted, presumably, with Administrations Public. In general, the personal data subject to treatment linked alleged debts appeared in documents of the Public Administrations, the Public Law entities or bodies dependent on them or in resolutions of the jurisdictional bodies that were published through newsletters or newspapers officials, by inserting them on the bulletin boards located at the headquarters of entities or agencies or in the sole judicial notice board, with the purpose of make effective the notification of an administrative or judicial resolution. EQUIFAX IBÉRICA, SL, with NIF B80855398, is responsible for the FIJ. So has recognized in any of the documents in the file, such as the letter sent to complainants number 36 (E / 6174/2019), number 43 (E / 11624/2019) and number 48 (E / 2050/2020) to inform you of the inclusion of your personal data in the FIJ. It should also be remembered that the repealed Organic Law 15/1999, on the Protection of Personal Data (LOPD) regulated in its articles 14 and 39 the Registry General Data Protection, for public consultation, which reported on the data processing, the purposes of these processing and the identity of the responsible for the treatment. In the aforementioned Registry -updated to June 2016- EQUIFAX appeared as responsible for the FIJ, being the purpose of the file and the uses provided for the " provision of credit and capital solvency services ". Although the opening agreement and the motion for a resolution indicated that they were 97 the claims made against EQUIFAX, and this is stated in the list of claimants listed in Annex I and in the description of the claims (First Antecedent), there are actually 96 claims that make up this file, taking into account that claimant 3 and 27 are the same person as has presented different attached documentation at two different times. Taking into consideration that we should not make any rectification in the Second Antecedent, inasmuch as said Antecedent was incorporated into the relationship of proven facts as First Proven Fact, its content is not altered, which C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 2 2/184 remains as it was in the motion for a resolution, limiting ourselves to indicating hereinafter, there are 96 and not 97 claims made against EQUIFAX that have determined the opening of this sanctioning file. SECOND: From the examination of the claims received in the AEPD and its attached documents the following relevant information is extracted for the purposes that we occupy: Claimant 1: Declares that EQUIFAX has included their data in the FIJ, without their authorization, for debts that are not true and without having contrasted with the City Council the reality of the debt. Provides, among others, the following documents: to. Letter from EQUIFAX, dated 10/14/2019, with the result of access to the FIJ. It is associated with the personal data of the claimant (name, surname and NIF) the following information: Under the heading " Claims from public bodies ", there is no data ”Under the heading“ Judicial Claims ”: - An annotation: *** CITY COUNCIL.1 appears as plaintiff; What " tax debt " procedure ; as a means of publication " *** BOLETIN.1" and the date 10/11/2017. b. The letter that the claimant sent to the respondent, dated 10/12/2019, in which requested that their data be deleted from the FIJ, at least on a precautionary basis. The letter of EQUIFAX addressed to the claimant, dated 10/24/2019, in which he denies the requested cancellation and informs you that it is not appropriate to attend it since provided documentation that justifies the deletion of your data. (It is the letter model EQUIFAX denying the cancellation that is reproduced in the Third Event) Claimant 2: Report the inclusion of your data in the FIJ without your consent. It provides, among others, these documents: to. Letter from EQUIFAX, dated 11/04/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: Under the heading " Claims from organizations public ”, there is no data. Under the heading " Judicial Claims ", these annotations: - 1st entry: as plaintiff the *** CITY COUNCIL. 2 , for a tax debt procedure; publication medium, “ *** BOLETIN.2” and the Date of 09/02/2016. - 2nd entry: plaintiff, *** CITY COUNCIL.3 ; by a procedure of Tax debt; publication medium, “ *** BOLETIN.3” and the date of 09/09/2015. - 3rd entry: plaintiff, *** CITY HALL.3; by a procedure of Tax debt; publication medium, “ *** BOLETIN.3” and the date on 07/06/2016. - 4th entry: plaintiff, the *** CITY COUNCIL.3; by a procedure of Tax debt; publication medium, “ *** BOLETIN.3 ” and the date on 03/01/2017. - 5th entry: plaintiff, the State Tax Administration Agency (AEAT); through a tax debt procedure; publication medium, " Tax Agency Headquarters" and the date 10/20/2017. - 6th entry: AEAT plaintiff; through a tax debt procedure; publication medium, " Tax Agency Headquarters " and the date 06/08/2018. - 7th entry: plaintiff the AEAT; through a tax debt procedure; publication medium, " Tax Agency Headquarters " and the date 07/27/2018. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 3 3/184 - 8th entry: AEAT plaintiff; through a tax debt procedure; publication medium, " Tax Agency Headquarters " and the date 08/12/2019. - 9th entry: applicant on *** CITY HALL.4; by a procedure of Tax debt; publication medium, “ *** BOLETIN.3” and the date on 11/30/2015. - 10th entry: plaintiff the AEAT; for a debt procedure tax; publication medium, " Tax Agency Headquarters " and the date of 07/27/2018. - 11th entry: plaintiff the AEAT; for a debt procedure tax; publication medium, " Tax Agency Headquarters " and the date of 08/12/2019. - 12th entry: applicant on *** CITY HALL.4; for a procedure of tax debt; publication medium, “ *** BOLETIN.3 ” and the date 11/30/2015. b. The letter from EQUIFAX, dated 11/12/2019, in which it denies the cancellation that requested on 11/03/2019 and communicates that it is not appropriate to attend to her for not having contributed documentation that justifies the deletion (It is the EQUIFAX letter model denying the cancellation that is reproduced in the Third Event) Claimant 3: States in his claim that Bankia did not respond to the access requested and that, in November 2017, when he was trying to arrange a loan, the Director of the Bankia branch informed him that his NIF was included in the FIJ associated with the name of a third person, who was recorded as being born in *** LOCALIDAD, 1, and that the information came from the Ministry of Development and Housing *** LOCALIDAD.1. The AEPD, prior to the agreement of admission to processing of this claim, He transferred her to Bankia to report on the events denounced. In its In response, Bankia sent the AEPD a copy of the letter sent to the claimant on 02/06/2019 in which he informed him that, with respect to the FIJ, as he was informed in his office, a query would appear associated with his NIF, but not his name and surname. He also added that the FIJ “is a database which has information about legal proceedings and claims of public bodies that is obtained of the Official State Gazette and similar bulletins of the Autonomous Communities. The information contained therein, therefore, is not reported by Bankia so to know what data is processed in it, you should go to. ... " Claimant 4: States that their data, associated with alleged debts with the Public Administrations, have been included in the FIJ without their authorization and without the creditor has informed you of the possibility of being included in those systems. Add that EQUIFAX has not verified the data with the Administrations. Provides, between others, these documents: to. Letter from EQUIFAX, dated 11/05/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: Under the heading " Claims from public bodies ": C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 4 4/184 - An entry: claiming entity Social Security; for a debt corresponding to the period “06/2016 - 06/2016”; being the “Medium of Publication ”*** BULLETIN.1 and the date of publication 02/22/2018. Under the heading " Judicial Claims " the following are included in the document annotations: - 1st entry: applicant the *** CITY COUNCIL.1 ; debt procedure tax; means of publication *** BULLETIN.1 and the date 03/23/2015. - 2nd entry: *** ORGANISMO.1 is the plaintiff ; process Tax debt; publication medium, *** BULLETIN.5 and the date of 02/23/2018. - 3rd entry: plaintiff the AEAT; tax debt procedure; source of publication, " Tax Agency Headquarters " and the date of 08/08/2019. - 4th entry: plaintiff the AEAT; tax debt procedure; source of publication, “ Tax Agency Headquarters ” and the date 10/26/2018. - 5th entry: plaintiff the General Treasury of the Social Security; Urgency procedure; publication medium “ *** BOLETIN.1” and the date 07/19/2018. b. The letter received from EQUIFAX, dated 11/05/2019, in which it denies the cancellation that She requested on 11/04/2019 and informs her that it is not appropriate to attend her since she has not provided the documentation that justifies the deletion. (It is the EQUIFAX letter model denying the cancellation that is reproduced in the Third Fact) Claimant 5: States that their data, associated with alleged debts with the Public Administrations, have been included in files without their authorization and that EQUIFAX has not verified the data with the Administrations. It provides, among others, this documents: to. Letter from EQUIFAX, dated 11/14/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: Under the heading " Claims from organizations public ”“ No data ”. Under the heading " Judicial Claims" the following annotations: - 1st entry: applicant the *** CITY COUNCIL.1; debt procedure tax; means of publication *** BULLETIN.1 and the date of 04/22/2014. - 2nd entry: applicant on *** CITY HALL.4; procedure the indication of tax debt; means of publication *** BULLETIN.1 and the date of 05/20/2015. b. The letter received from EQUIFAX, dated 11/25/2019, in which they deny the cancellation requested on 11/14/2019 and they inform you that since you have not contributed documentation that justifies the deletion, it is not necessary to attend to your request (It is the EQUIFAX model letter denying the cancellation that is reproduced in the Fact Third) Claimant 6: Report the inclusion of your personal data in delinquent files obtained from public listings such as the BOE despite not having any debt with the Public administrations. It provides, among others, these documents: to. Letter from EQUIFAX, dated 11/11/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 5 5/184 provides the following information: Under the heading " Claims from organizations public ”, there are no data. Under the heading " Judicial Claims " are the following six annotations: - 1st to 6th: as plaintiff the AEAT; as a procedure, tax debt; as a means of publication, " Tax Agency Headquarters" and the dates, respectively, on 10/26/2018, 01/18/2019, 02/22/2019, 07/22/2019, 10/10/2019 and 05/24/2019. b. The letter received from EQUIFAX, dated 10/21/2019, in which it responds to the access requested. In it they inform you that they send “ the information associated with your identifier or in your name and at the address provided by you. " (It is the EQUIFAX letter model of response to the requested access that is transcribed in the Third Fact) Claimant 7: You report the inclusion of your data in the FIJ without your consent, Obtained from publications in official journals and without having verified their accuracy. It provides, among others, these documents: to. Letter from EQUIFAX, dated 12/13/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”there are no data. In the section “ Legal claims ” five inclusions: - 1st entry: applicant on *** CITY COUNCIL.3; procedure, debt tax; publication medium, *** BULLETIN. 3 and the date 08/09/2017. - 2nd entry: plaintiff the AEAT; procedure, tax debt; source of publication, " Tax Agency Headquarters " and the date 01/16/2014. - 3rd entry: AEAT plaintiff; tax debt procedure; source of publication, " Tax Agency Headquarters " and the date 02/04/2019. - 4th entry: applicant on *** CITY COUNCIL.5; debt procedure tax; publication medium, *** BOLETIN.3 and the date 02/26/2016. - 5th entry: applicant on *** CITY HALL.3; debt procedure tax ; publication medium, *** BOLETIN.3 and the date 11/24/2017. b. The letter from EQUIFAX, dated 12/20/2019, in which it denies the request for cancellation of your FIJ data “ since you have not provided documentation that justify the deletion, it is not necessary to attend to your request ”. (Equifax letter model denying cancellation transcribed in the Third Fact) Claimant 8: Report the inclusion of your data in the FIJ without your consent obtained from the publication in official gazettes, without having contracted their veracity and accuracy. It provides, among others, these documents: to. Letter from EQUIFAX, dated 12/11/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”no data. In the section " Legal claims ": - An entry: applicant the *** CITY HALL.3 ; procedure, debt tax; publication medium, *** BULLETIN.6 and the date 06/23/2017. b. The letter from EQUIFAX, dated 12/11/2019, in which it denies the cancellation of your FIJ data. (EQUIFAX model letter denying the cancellation reproduced in the Third Antecedent) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 6 6/184 Claimant 9: Report the inclusion of your personal data in the FIJ without your consent for debts that you do not recognize as yours. It provides, among others, the following documents: to. Letter from EQUIFAX, dated 12/27/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”no data. In the section " Legal claims " it appears: - 1st entry: applicant the *** CITY COUNCIL.1; debt procedure tax; means of publication *** BULLETIN.1 and the date 05/01/2014 - 2nd entry: plaintiff the AEAT; tax debt procedure; source of publication " Tax Agency Headquarters " and the date 02/01/2019. - 3rd entry: applicant on *** CITY HALL.6; debt procedure tax; means of publication *** BULLETIN.1 and the date 11/22/2019. b. The letter received from EQUIFAX, dated 12/27/2019, in which it responds to your acce request so their data the IJF held on 26.12.2019 and refer " the information associated with your identifier or your name and at the address provided by you". (Model letter of response to the requested access, see Third Fact) Claimant 10: Report the inclusion of your data in the FIJ for debts that are not recognize. Provides, among others, the following documents: to. Letter from EQUIFAX, dated 11/22/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”no data. In the section " Legal claims ": - An annotation: applicant the *** ORGANISMO.2; debt procedure tax; means of publication *** BULLETIN. 7 and the date of 07/10/2019. b. The letter that EQUIFAX sends you, dated 11/22/2019, in which you respond to the access requested on that same date and provides “ the information associated with your identifier or your name and the address provided by you. " (Model letter of response to access requested, see Third Fact. Claimant 11: Report the publication of your personal data in files of solvency without your authorization obtained from public files. It provides, among others, the following documents: to. Letter from EQUIFAX, dated 09/26/2019, with the result of access to the FIJ, in the that associated with your personal data (name, surname and NIF) the following is provided information: In the section " Claims from public bodies ", there is no data. In the section " Legal claims ": - An annotation: applicant the *** CITY COUNCIL.7; procedure, debt tax; publication medium, *** BULLETIN. 8 and the date 12/22/2017. b. The letter that EQUIFAX sends you, dated 09/26/2019, in which you respond to the access requested and sends you “ the information associated with your identifier or your name and in the address provided by you. ”. (Model letter of response to the requested access, see Third Fact) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 7 7/184 Claimant 12: Report the publication of your data in solvency files without your authorization from public files. It provides, among others, the following documents: to. Letter from EQUIFAX, dated 09/27/2019, with the result of access to the FIJ, in the that, associated with the personal data of the claimant (name, surname and NIF), provides the following information: In the section " Claims from organizations public ”no data. In the section " Legal claims ": - An annotation: plaintiff the AEAT; procedure, tax debt; half of publication, "Tax Agency headquarters " and the date 02/10/2017. b. The letter that EQUIFAX sends you, dated 09/27/2019, in which you respond to the access requested and sends you “ the information associated with your identifier or your name and in the address provided by you ”. (Model letter of response to the requested access, see Third Fact) Claimant 13: Denounces the publication of your data in solvency files patrimonial, without your authorization, obtained from public files. It provides, among others, the following documents: to. Letter from EQUIFAX, dated 11/29/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”, there is no data. In the section " Legal claims ": - An annotation: *** CITY COUNCIL.8; What procedure, tax debt; as a means of publication, *** BULLETIN.9 and the date 05/31/2019. b. The letter that EQUIFAX sends you, dated 11/29/2019, in which you respond to the access requested and sends you “ the information associated with your identifier or your name and in the address provided by you ”. (Model letter of response to the requested access, see Third Fact) Claimant 14: You report the publication of your data in the FIJ, without your authorization, obtained from public files. Provides, among others, the following documents: to. Letter from EQUIFAX, dated 10/17/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”, there is no data. In the section " Legal claims ": - 1st entry: plaintiff the *** ORGANISMO.3; procedure, debt tax; publication medium, *** BULLETIN.1 and as of the date 10/02/2019. - 2nd entry: plaintiff the AEAT; procedure, tax debt; half of publication, " Tax Agency Headquarters " and as of 01/24/2018. b. The letter from EQUIFAX, dated 10/17/2019, in which it responds to the access requested and sends you “ the information associated with your identifier or your name and in the address provided by you ”. (Model letter of response to the requested access, see Third Fact) Claimant 15: Report the publication of your data in the FIJ, without your authorization, from public files. Provides, among others, the following documents: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 8 8/184 to. Letter from EQUIFAX, dated 11/26/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from organizations public ”no data. In the section " Legal claims ": - An annotation: applicant the *** CITY COUNCIL.7; for a procedure of tax debt; medium of publication, *** BULLETIN.8 and the date 02/20/2019. b. The letter that EQUIFAX sends you, dated 11/26/2019, in which you respond to the access requested and sends you “ the information associated with your identifier or your name and in the address provided by you ”. (Model letter of response to the requested access, see Third Fact) Claimant 16: You report the inclusion of your data in the FIJ, without your consent, for debts that are not true. Provides, among others, the following documents: to. Written with the EQUIFAX anagram, dated 10/14/2019, with the result of the access to the FIJ, in which associated with the claimant's personal data (name, surnames and NIF) this information is offered: In the section " Claims from public bodies ": - 23 annotations in which, in all of them, the claiming entity appears as the Social Security. The annotations are for debts corresponding to periods monthly and correlative, the first being September 2016 and the last July 2018. The means of publication of the 23 inclusions in which it appears as creditor Social Security is always *** BOLETIN.3, being the dates of publication those included between 12/01/2016 (that of the first annotated debt) and the from 09/20/2018 (that of the last debt included) In the section " Legal claims ": -An entry: as plaintiff the General Treasury of the Social Security; What procedure "constraint"; the medium of publication is *** BOLETIN.3 and the date 01/24/2017. b. A letter from EQUIFAX, dated 10/14/2019, in which it responds to the access request to your data that appear in the FIJ and sends you “ the information associated with your identifier or your name and address provided by you. " (Model letter of response to the requested access, see Third Fact) c. A letter from EQUIFAX, dated 7/01/2020, in which you respond to the cancellation requested by the claimant on 01/03/2020 and informs him that they do not include inclusions associated with your data for debts with public bodies. The claimant provides the document that he received from EQUIFAX on that same date, 01/07/2020, with the information included in the FIJ associated with your name, surname and NIF. In this document no longer appear annotations in the section " Claims of organizations public ” that did appear (24 entries) on 10/14/2019. It is only reflected in the section " Legal claims" the aforementioned incident. Claimant 17: Complaint that EQUIFAX has not attended to the cancellation of your data of the FIJ despite having passed " the stipulated period of six years ." It contributes, among others documents, the following: to. Letter from EQUIFAX, dated 02/21/2019, with the result of access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 9 9/184 following information: In the section " Claims from public bodies " there is no data. In the section " Legal claims " it appears: - 1st entry: as plaintiff, *** CITY COUNCIL.2; What procedure, tax debt; as “Court and Order No. ” “1408387/0 Local Administration ”; as a means of publication, *** BULLETIN.2 and the date on 08/25/2017. - 2nd entry: as plaintiff, *** CITY COUNCIL.9; What procedure, tax debt; as " Auto and Court No." " 29553/000 Local Administration ”; as a means of publication, *** BULLETIN.2 and the date on 10/03/2013. - 3rd entry: as plaintiff, *** CITY COUNCIL.9; What procedure, tax debt; as "Court and Order No. " "3892245/0 Local Administration ”; as a means of publication, *** BULLETIN.2 and the date on 11/30/2015. - 4th entry: as plaintiff, the *** CITY COUNCIL.8; What procedure, tax debt; as "No. of Order and Court " "239/0000 Local Administration ”; as a means of publication, *** BULLETIN.9 and the date on 09/05/2013. b. The letter from EQUIFAX to the claimant, dated 02/21/2019, in which he denies the cancellation of your FIJ data for not having provided documentation that justifies deletion . ( Model letter of response to the cancellation request, see Fact Third) c. The AEPD, prior to the admission for processing of the claim, gave transfer of her to EQUIFAX on 03/27/2019 and asked her to report the facts reported. The respondent responds on 04/02/2019 and explains that she could not access the cancellation requested because the payment of the debts was not credited. Claimant 18: Complaint that on 02/05/2019 requested EQUIFAX to cancel its FIJ data, since they appeared associated with debts with Social Security and the Non-existent AEAT. It adds that it provided EQUIFAX with the certificates issued by the General Treasury of the SS and by the AEAT that certify that it has no debts pending and after a month, has not received a response. Provide a copy, among others, of the following documents: to. Letter from EQUIFAX, dated 01/03/2019, 02/21/2019 addressed to the claimant, in the that responds to the requested access and with which it transfers a document with the information that works in the FIJ. The document contains your personal data (name, surname and NIF) associated with this information: In the section " Claims from public bodies ", an annotation in which Social Security appears as the creditor entity; for a period of time between 4/13 to 4/13; as a means of publication it is indicated "SSS ELECTR (...) " and as Date 07/19/2013. In the section " Legal claims ", an annotation: as plaintiff the AEAT; as a tax debt procedure; as Auto and Court number “ 59300188/0 Local Manager ”; as a means of publication, " Tax Agency headquarters " and the date on 09/08/2017. b. Written document that the claimant sends by burofax dated 02/05/2019 to EQUIFAX and through which you exercise the right of cancellation. The claimant referred EQUIFAX C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 10 10/184 with said writing, two certificates issued by the General Treasury of the SS and by the AEAT, Special Delegation, which certifies that it has no outstanding debts to date 01/19/19. Both documents identify the person of the claimant by his name, surname and by the NIF. In addition, the document issued by the TGSS incorporates this data: " *** DATA.1". c. In the absence of a response from EQUIFAX to your cancellation request, the claimant filed a claim with the AEPD of which this Agency gave transfer to EQUIFAX to report on the facts set forth therein. The claimed responds to the AEPD on 04/12/2019 and states: “ As of 04/12/2019, no registered data appears that could be associated with your Name and address. An incident is registered in the name of AAA, but associated with a totally different address to those that the affected person has provided in his claim". " If you want to be consulted in other addresses where you have been able to have previously resided, and thus verify with certainty whether or not it is data associated with their identity, must facilitate a relationship of them " “ However, we inform that the identifiers that the owner provides in the certificates of being up to date with Social Security obligations (NAF) nor do they correspond to those associated with the incidence discharged from our files, so it is not possible for us to proceed with the cancellation " (The underlined is from the AEPD) Later, it adds that after receiving on 02/06/2019 through burofax the request for cancellation of the claimant and " the necessary documentation" " is verifies that there is no registered data associated with your name and address or your DNI. There is an incident in the name of AAA , but associated with an address different from those that the owner has provided us in his request, Therefore, the answer issued is that “there is no registered data associated with your identifier / name and in the address provided and that if you had resided in other addresses where you would like to be consulted can send us a request expressly mentioning them ". (The underlined is from the AEPD) EQUIFAX sends the AEPD a document with the information that is in the FIJ associated with the name and two surnames of the claimant, but not his / her NIF, since no The NIF is provided as the section for this information is empty. In that document, in the Claims from Public Bodies section there is no information and in the In the Judicial Claims section, this annotation appears: as plaintiff the TGSS; as a procedure, Urgency; as Auto and Court number “ 192987/20 UNIT. REC. EXECU. ”; publication medium, " SS S ELECTR ASTURIAS " and the date 04/28/2013. Claimant 19: Report the inclusion of your data in solvency files by a Non-existent debt with the *** CITY COUNCIL. 2. He claims to have addressed the aforementioned City Council in which they inform you that there are hundreds of cases like yours by debts that are not true. Provides, among others, the following documents: to. Letter from EQUIFAX, dated 03/18/2019, with the result of accessing the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: In the section " Claims from public bodies ", there is no data. In the section " Legal claims" there is an annotation: As a plaintiff, the *** CITY COUNCIL. 2; as a procedure, tax debt; as Car Number and Court, “ *** REFERENCE.1”; as a means of publication, *** BULLETIN.2 and the date 12/05/2016. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 11 11/184 b. A certificate issued by the *** CITY COUNCIL.2 on 03/21/2019, indicating the Claimant, identified by his name, surname and NIF, does not appear as a debtor of the Municipal Public Finance for tax concepts that as of the date are They are in the executive collection period. Claimant 20: Report the inclusion of your data in a file of defaulters associated with a non-existent debt with the Tax Agency. Refer to EQUIFAX Negative certificate from the AEAT that certifies that you are up to date with payment. Received the claim in this Agency, before agreeing its admission to processing, He transferred it to the respondent so that she could provide information. The following documents are in the file, among others: to. Letter from EQUIFAX, dated 02/22/2019, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF) is offered this information: In the section " Claims from public bodies ", there is no data. In the section “ Legal claims ” there is an annotation: as a plaintiff, the AEAT; as a procedure, tax debt; as No. of Order and Court, 4472761/0 ADMON. LOCAL ; as a means of publication , "Tax Agency headquarters" and the date 05/09/2016. b. EQUIFAX responded to the AEPD's request for information on 05/14/2019. Explained that the claimant had requested access to his FIJ data on 02/22/2019. That he 03/04/2019, the claimant requested the cancellation of his FIJ data and provided “ the corresponding supporting documentation for said cancellation "therefore, adds, " On 03/13/2019 the data is canceled." Claimant 21: Report the inclusion in the FIJ of your personal data associated with information that has been obtained from the BOE regarding alleged debts with Public Administrations, as well as EQUIFAX's refusal to cancel the data. It provides, among others, these documents: to. Letter from EQUIFAX, dated 01/13/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the following information: In the section " Claims from public bodies ", there is no data. In the section " Legal claims " it is stated: - 1st entry: name of the plaintiff, *** CITY COUNCIL.2 ; What procedure, tax debt; as a means of publication, " *** BOLETIN.2 " and the date 02/12/2016. - 2nd entry: name of the plaintiff, State Administration Agency Tax; as a procedure, tax debt; publication medium, " Tax Agency Headquarters " and the date 12/02/2015. - 3rd entry: name of the applicant, State Administration Agency Tax; as a procedure, tax debt; publication medium “Headquarters Tax Agency ”and the date 01/28/2019. b. Written written by EQUIFAX to the claimant, dated 01/13/2020, denying the request cancellation of your FIJ data " since you have not provided documentation that justify the deletion, it is not appropriate to attend to your request ” (Model of response letter to the cancellation request, see Third Fact) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 12 12/184 c. Report of the General Secretariat of the State Agency Official State Gazette, signed on 07/31/2019, in response to the query raised by the representative of the complainant about the legality of collecting personal data that publishes the BOE to create a database for profit. SG report of the Data Protection Registry of the AEPD, dated 10/03/2019, responding to the query raised by the claimant's representative (reference number 037917/2019) Claimant 22: Report the inclusion of your personal data in the FIJ for a debt with the *** ORGANISM. 4 without its authorization and without this Administration Public has communicated their data. It provides, among others, these documents: to. Letter from EQUIFAX, dated 12/16/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF) consists of the Next information: In the section " Claims from Public Organizations ", there is no data. In the section " Judicial Claims " there is an incident: the name of the plaintiff is *** ORGANISMO.4; as a procedure, tax debt; as a medium of publication, “ *** BOLETIN.2 ” and the date 08/14/2015. b. A letter with the rubric " Report of judicial information of EQUIFAX ", relative to a query dated 12/11/2019 associated with the claimant's personal data in The one that appears as the debtor, the *** ORGANISMO.4 as the plaintiff; What status, “ embargo ” and the date of 08/14/2015. c. Two documents with the anagram of *** ORGANISMO.4, in which under the heading " Debt situation report " of the taxpayer -the claimant- is made record the full payment on 12/12/2019 of two debts corresponding to the IVTM. Complainant 23: Complaint that EQUIFAX has published in a solvency file its data, without your authorization, obtained from public files. It provides, among others, these documents: to. Letter from EQUIFAX, dated 01/14/2020, with the result of access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF) the following information is provided: In the section " Claims Public Organizations ”, there is no data. In the section " Claims Judicial ” figure: - 1st entry: name of the plaintiff, *** CITY COUNCIL.5; What procedure, tax debt; as a means of publication, “*** BOLETIN.10” and the date 11/06/2015. - 2nd entry: name of the plaintiff, *** CITY COUNCIL.5; What procedure, tax debt; as a means of publication, “*** BOLETIN.10” and the date 05/08/2017. b. Letter from EQUIFAX to the claimant responding to access to the FIJ. He says that he refers you " The information associated with your identifier or your name and at the address provided for you ” . (Sample letter of response to the request for access, see Third Fact) Complainant 24: Complaint that EQUIFAX publishes in the FIJ personal data that has obtained, without authorization, from public files. Provides, among others, the documents following: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 13 13/184 to. Letter from EQUIFAX, dated 12/19/2020, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) the following information is provided. In the section " Claims for Public Organizations ”, there is no data. In the section " Claims Judicial "consists of: - 1st entry: name of the applicant, *** CITY COUNCIL.10 ; What procedure, tax debt; as a means of publication, *** BOLETIN.10 and the date 05/05/2014. - 2nd entry: as the plaintiff's name appears *** CITY HALL.10; as a procedure, tax debt; as a means of publication, *** BULLETIN. 10 and the date 05/20/2015. - 3rd entry: as plaintiff the AEAT; for a debt procedure tax; as a means of publication " Tax Agency Headquarters " and the date 07/04/2016. - 4th entry: as plaintiff the AEAT; for a debt procedure tax; as a means of publication " Tax Agency Headquarters " and the date 10/24/2015. - 5th entry: as plaintiff the AEAT; for a debt procedure tax; as a means of publication " Tax Agency Headquarters " and the date 03/31/2017. b. Letter from EQUIFAX to the claimant, dated 01/19/2020 in which he responds to the requested access and sends you “ the information associated with your identifier or your name and at the address provided by you ” (Sample letter of response to the request for access, see Third Fact) Claimant 25: Report the publication in the FIJ of information associated with your data personal data that was published in the BOE, data processing that is not authorized by the RGPD. They are in the file, among others, these documents: to. Letter from EQUIFAX, dated 03/25/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: In the section " Claims from Public Bodies ": - 14 annotations in which the complaining entity is, in all, the Security Social; for debts related to the following periods of time, correlative to each of the 14 incidents: The first, from 03 / 2016-03 / 2017. The following, for periods monthly: 07/2016; 08/2016; 09/2016; 10/2016; 11/2016; 12/2016; 01/2017; 02/2017; 03/2017: 04/2017; 05 / 2017; 06/2017 and 07/2017. As a means of publication, in the 14 incidents consists of "*** BOLETIN.3", being the publication dates from 05/23/2016, the Oldest, as of 03/14/2017, the most recent. In the section "Judicial Claims " an annotation: As the name of the plaintiff, General Treasury of the Social Security. As a procedure, I urge. As " No. of Order and Court ", 140021/20 Unid Recau Ejec " ; as a means of publication “ *** BOLETIN.3 ” and the date 09/09/2016. b. The AEPD, receiving the claim and before agreeing on its admission for processing, gives transfer of it to EQUIFAX and request information. The respondent responds on C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 14 14/184 05/21/2019 and states that after consulting the FIJ with the data of the claimant (name, surname and NIF), there are 15 inclusions and provides the result of the access to your data in the aforementioned file. It adds that the claim of the affected "It lacks supporting documentation that allows the cancellation of the data in the FIJ ”. And it says: “ The headline refers only to the fact that the new Legal regulations in this regard do not allow the collection of this type of data from the BOE. Consequently, the data is kept registered in the file ”. (The underline is from the AEPD) Claimant 26: Complaint that in the FIJ there are 12 annotations for debts with the Social Security associated with your name whose inclusion you have not authorized and of which has not been informed. In addition, some are older than 6 years. They are in the file, among others, these documents: to. Letter from EQUIFAX, dated 12/19/2018, in which it responds to the access requested by the claimant and with which he sends the information that appears in the FIJ “ associated with his identifier or in your name and at the address provided by you ”. b. Letter from EQUIFAX, dated 12/19/2018, with the result of the access to the FIJ, in which the The information provided is exclusively associated with the name and two surnames of the claimant, but not his NIF, since the space for that data appears in White. In the section " Claims Public Organizations": - 12 entries in which the " complaining entity " is, in all, Security Social; for debts corresponding to the following periods of time: 10/2012; 01/2013; 07/2013; 11/2013; 12/2013 and from January to July 2014 by monthly periods. As a means of publication, in the 12 incidents there is "SSS ELECTR (...)", being the publication dates from 05/23/2016, the Oldest, as of 03/14/2017, the most recent. In the section " Judicial Claims " there is no information. c. Claimant's email addressed to EQUIFAX, dated 01/28/2019, through the that exercises the right of opposition to the publication of their data in the FIJ. d. The AEPD, once received on 04/03/2019 the claim of the affected, before agreeing to its admission for processing, transfer it to EQUIFAX requesting information on the facts denounced. The respondent responds on 05/29/2019 and states: That " After consulting the file [FIJ] of the data of Mr. [name and two surnames of the claimant] on 05/29/2019 there are 10 registered incidents associated with the owner's address *** ADDRESS.1. Access to the file with said information is provided as document two ”. EQUIFAX says that in the aforementioned document it can be verified that the incidents older than 6 years referred to by the claimant (The underlined is from the AEPD) In the result of the access to the FIJ that the claimed -document two-, as was the case with the access provided on 12/19/2018 to the claimant, the claimant's NIF does not appear, but only his name and two surnames. Regarding the request for opposition / cancellation made by the claimant, the 01/28/2019 and the refusal of the claimed to cancel the annotations, responds to the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 15 15/184 AEPD that “ lacked supporting documentation that would allow carrying out the cancellation of data in the ... ” FIJ. It adds that “ The owner alleges only some aspects of the legal regulations to prove its cancellation. Consequently, data is kept registered in the file. It is necessary that you contribute documentation proving payment or certificate issued by the body claimant, in this case the General Treasury of the Social Security, in which the specify to be up to date with the payment ”. Complainant 27: Complaint that in 2017 BANKIA informed him of the inclusion of your data in the FIJ denying you the requested financial operation. He then exercised the right of access to EQUIFAX, which replied that there were no data your personals included in the aforementioned file. However, in February 2019 his financial entity BANKIA continues to view your data as a debtor through the information provided by the FIJ. In particular, there is your NIF associated with the name and Last name of a person with this name: BBB. They work in the file, between others, the following documents: to. Letter from the SAC of BANKIA, dated 11/29/2018, addressed to the claimant in which informs that the data contained in the "BIJ" are not included by that entity. b. EQUIFAX's response, dated 05/29/2019, to the information request that directed the AEPD prior to the admission for processing of this claim. The respondent responds with respect to the facts presented by the claimant: -That on that date no data is registered that could be associated “ to your Name and address". It adds that “there are several incidents registered on behalf of [name and two surnames of the claimant], two of them associated with other DNIs that do not correspond to Mr. CCC and another associated with a totally different address than those that the affected person facilitates in their claim ”He adds that “ if you wish to be consulted in other addresses in which he may have previously resided, and thus verify with whether or not it is data associated with your identity, you must facilitate a relationship of the same ”. (The underlining is from the AEPD) -There are in their systems two files managed for the claimant (which identifies by name, two surnames and the NIF) with the references 2018/54322 and 2019/40848. Regarding the first of them, he indicates, among other questions, that in the letter issued by INFORMA that the claimant sent him was also communicated that " they had no data associated with their name and address in the FIJ." With respect to second of the files processed, from 2019, EQUIFAX says: “ In the latter in Specifically, he was told that there was no data associated with his name and address, and that if he had resided in other addresses where he wanted to be consulted, he should to send us a request expressly mentioning them ”. He adds : "As I know you can check in the searches carried out for the [FIJ] there are incidents listed in the name of " CCC " but are associated with identifiers and / or addresses that do not correspond to those provided by the owner ”. -Provides a screenshot showing six name records and surnames and no NIF or NIE linked to them. Of the six records, the first three fully coincide with the data of the name and surname of the claimant and for one of the three registries also provides an address that is located in *** LOCALITY . 2. The remaining three records differ from the data of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 16 16/184 claimant, exclusively, in that they incorporate a middle name - thus, in addition to X , given name is XV, XY , or XZ -One of these three records includes an address in *** LOCALITY. 3. Claimant 28: Report the inclusion of their data in the FIJ and the refusal of the claimed to attend the requested cancellation, despite the fact that it documented the absence of debt. The AEPD, once the affected party's claim has been received on 04/04/2019, before agree to its admission for processing, transferred it to EQUIFAX and requested information on the facts denounced. The respondent responds on 05/30/2019. They work in the file, among others, these documents: to. Written with the EQUIFAX anagram, dated 04/01/2019, with the result of access to the FIJ, in which associated with the claimant's personal data (name, surname and NIF) this information is provided: In the section " Claims from Public Bodies ": - 13 annotations in which the claiming entity is Social Security; in the first 6 annotations for debts corresponding to periods monthly and correlative between 5/2013 and 10/2013; in the remaining, for non-correlative monthly periods, the oldest of 12/2013 and the most recent from 8/2017. As a means of publication in the top 10 annotations figure " SSS ELECTR (...)" and in the last 3 "*** BOLETIN.3". The oldest publication date is 08/19/2013 and the most modern of 11/03/2017. In the section "Judicial Claims" are included: - 1st entry: as plaintiff appears the TGSS; as a procedure, Urgency; as a means of publication " SSS ELECTR (...) " and the date 02/05/2014. - 2nd entry: as plaintiff the TGSS appears; as a procedure, Urgency; as a means of publication *** BULLETIN.3 and the date 08/21/2018. b. Letter from EQUIFAX to the claimant, dated 04/01/2019, informing him that no can attend your request to cancel FIJ data " because you have not provided documentation justifying the deletion ”. c. Three certificates issued by the TGSS and electronically signed on 03/26/2019; 04/01/2019 and 04/02/2019, which state that the claimant, identified by his name, surname, NIF and NAF, is up to date with Security obligations Social. These three certificates were sent by the claimant to EQUIFAX in order to that your FIJ data was canceled and your copy has been provided to this Agency by EQUIFAX with the response to the information request made by the AEPD. d. Several emails sent by the claimant to EQUIFAX, dated 04/01/2019, 04/02/2019 and 04/09/2019, in which you requested the cancellation of your data of the FIJ and a letter sent by the claimant to EQUIFAX by postal mail, with identical purpose that bears entry stamp at the headquarters of the claimed entity on 04/01/2019. and. Document provided by EQUIFAX in which the name and surname of the claimant in two sections: in one of them, the data is associated with your NIF and your postal address. In another section, your name and surname are not linked to the NIF C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 17 17/184 some, but yes to an address in the town of *** LOCALIDAD.4 in the province of *** PROVINCE . 1. F. Letter from EQUIFAX dated 05/30/2019 addressed to this AEPD responding to their request of information. It says that the claimant provided supporting documentation, issued by Social Security, for said cancellation and that " After consulting the registered data in the [FIJ] it is verified that there are two annotations in the name of [the claimant], one of them associated with their DNI and another associated with an address and a NAF number that does not corresponds to those provided by the owner in his request. Therefore, we proceed to cancel only the entry associated with your ID dated 04/10/2019. " (The underlined is from the AEPD) Claimant 29: Denounces the publication in the FIJ of their associated personal data to debts with Public Administrations. It highlights that the information had published in the BOE; that the file sets a period of 6 years to cancel the annotations and that many of the debts attributed to him are from the years 2012 and 2014, some are prescribed and others appealed. They work in the file, among others, this documents: to. Letter from EQUIFAX, dated 03/07/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF), provide this information: In the section " Claims from Public Bodies ": - 3 entries in which the claiming entity is Social Security; for debts corresponding to the following periods, respectively, 4/2014, 5/2014 and from 07/25/2014 to 10/21/2014. The means of publication is, for the three incidents, "SS S ELECTR (...) " and the publication dates 07/25/2014, 08/26/2014 and 10/21/2014. In the " Judicial Claims " section: - 1st entry: *** ORGANISMO.1 appears as plaintiff ; What procedure, tax debt; as a means of publication, “*** BOLETIN.5 ” and the date 07/21/2014. - 2nd entry: applicant the *** CITY COUNCIL.1; procedure, debt tax; means of publication *** BULLETIN.1 and the date 11/20/2013. - 3rd entry: applicant the *** ORGANISMO.1 ; tax debt procedure; publication medium “ *** BOLETIN.5 ” and the date 01/13/2014. - 4th entry: plaintiff the General Treasury of the Social Security; Urgency procedure; publication medium *** BULLETIN.1 and date 02/13/2016. - 5th entry: applicant on *** CITY COUNCIL.10; procedure, debt tax; means of publication *** BULLETIN.11 and the date 04/13/2018. b. Written by EQUIFAX dated 03/07/2019 in which it denies the claimant the cancellation of your FIJ data “ because you have not provided documentation that justify the deletion ”. (Sample letter denying cancellation, see Antecedent Third) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 18 18/184 c. The AEPD, receiving the claim and before agreeing on its admission for processing, gives transfer of it to EQUIFAX and request information. The respondent responds on date 06/14/2019 and states: “ Currently, and after consulting the [FIJ] of the data [name and two surnames of the claimant], holder of the DNI [the claimant's NIF], we indicate that as of 06/14/2019 we have not registered any incident associated with your name and surname and your address ”. (The underlining is from the AEPD) In this sense provides screenshots of your files in which there are no incidents linked to the claimant. EQUIFAX does not explain the reason why it is now dealing with the cancellation. The entity states that the claimant made five requests for cancellation of its FIJ personal data that led to the processing of the corresponding files. Provide a copy of the cancellation requests, dated 03/06/2019, 03/07/2019, 03/08/2019, 03/14/2019 and 03/17/2019, and the files managed. It warns that in all of them the owner exercised the right of cancellation without providing any type of supporting documentation that justifies the cancellation of the data registered in said file, " hence the data was kept registered". Complainant 30: Complaint that you have requested EQUIFAX to cancel your data of the IJF on dates 02/25/2019 and 03/12/2019 responding on both occasions the claimed -on dates 02/26/2019 and 03/12/2019- that there are no data in his name. However, your financial institution continues to view through the FIJ that they consist debts associated with your personal data. It provides, among others, these documents: to. Screenshot obtained on 02/27/2019 from the monitor of the banking agent who denied the funding requested. In the screenshot, under the heading “ Summary of judicial information ”, the consultation date is 02/27/2019; in section "NIF / CIF" contains the NIF of the claimant; in the " Name / Company name " section, " EEE" ; in the section " No. of judicial incidents " " 3 ". These three are referred to incidents: As " Procedure " appears " Tax Debt "; as " Status" "Embargo" ; as "Plaintiff" the " State Tax Administration Agency" and, respectively, the dates 07/23/2013, 10/23/2017 and 11/25/2015. It also provides a screenshot obtained from the monitor of the banking agent that denied the requested financing in 2018. The information on this page is identical to the above with the exception that the date of the consultation appears on 08/21/2018. b. Certificate issued by the AEAT at the request of the claimant -identified by his NIF, name and two surnames, DDD - electronically signed on 08/24/2018, which leaves proof that the applicant is up to date with his obligations tributary. The validity of the certificate is twelve months from the date of its expedition. c. Letter from EQUIFAX dated 02/26/2019 in which it responds to the cancellation requested by the claimant on 02/25/2019 and informs him that "there is no data registered persons associated with your identifier / name and at the address provided by you ”. d. Letter from BANCO SANTANDER, SA, which bears the stamp of the entity with indication of the branch number and the date 10/03/2018, which indicates that no been able to grant credit facilities to the EEE client , with NIF [the NIF of the claimant] upon finding in his name 3 judicial incidents pertaining to the State Tax Administration Agency between 2013 and 2017. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 19 19/184 and. The AEPD, received the claim and before agreeing on its admission for processing, gave transfer of her to EQUIFAX and requested information. The respondent responds on 07/01/2019 that “ the result of the search in the [FIJ] of D. EEE data is negative ”. It acknowledges that the claimant's NIF was associated with a name - EEE - that it was not yours - DDD - and that, due to this incident, “ and since the searches of the judicial file are managed by name and surname ”were not located data associated with the claimant in the files processed by virtue of their cancellation requests. It adds that on 07/01/2019 the claimant data. Claimant 31: Report the inclusion of your data in the FIJ for alleged debts with the *** CITY COUNCIL. 3, of which it has received news through its bank caria, without the inclusion having been notified by EQUIFAX or the City Council the creditor has informed you of its existence. They work in the file, in- Among others, the following documents: to. Two writings from EQUIFAX, dated 11/05/2018 and 12/12/2018, respectively, with the information that appears in the FIJ, associated with the NIF, name and two surnames of the claimant. The information is identical in both writings. In the section “ Claim- tions of Public Organizations ” there are no data. (In the section " Judicial Claims" : - 2 annotations: Name of the plaintiff, *** CITY HALL. 3 ; process, Tax debt; publication medium, *** BULLETIN. 3. The publication date is on 04/05/2013 and 05/20/2014, respectively. b. Letters from EQUIFAX, dated 11/05/2018 (file reference number 2018/251714) and of 12/20/2018 (file number 2018/285508) in which res- ponder the claimant's requests so that, respectively, proceed to cancel your FIJ data and provide you with information about the annotations that appear in the fi- le associated with your data. EQUIFAX denies the requested cancellation " since it has not provided documentation to justify the deletion ”. (Model letter transcribed in Third Fact) c. The AEPD, upon receipt of the claim and before agreeing on its admission for processing, gives next to her to the claimed one and asks for information. EQUIFAX responds on 06/18/2019 that there were two files in which the claimant had exercised the right to cancellation on the FIJ, but without providing any type of supporting documentation that justifies the cancellation of the data recorded in it, hence the data is kept registered, and then communicates that on that same date, 06/18/2019, has proceeded to cancel the information that appeared in the FIJ associated with the claimant therefore, he says, “ there is no other data registered in the [FIJ] associated with the name / identifier and address of the claimant ”. Claimant 32: Denounces the publication of your personal data in the associated FIJ to debts with Social Security that are already satisfied. It provides, among others, these documents: to. Certificate from the General Treasury of Social Security, signed electronically on 04/08/2019, which states that the identified person C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 20 20/184 with name, two surnames and tax identification number of the claimant and the NAF *** DATO.2 is find up to date with payment. No documentation is provided of the annotations that work in the FIJ linked to your data. The claimant provides as address one located at *** ADDRESS. 2. b. The AEPD, receiving the claim and before agreeing on its admission for processing, gives transfer of it to EQUIFAX and request information. The respondent responds on 06/19/2019 and makes these statements that we transcribe: “(...) After consulting the file of ... [FIJ] of the data of Ms. [the claimant], owner of the DNI [that of the claimant], indicate that as of 06/19/2019 there were two registered annotations, one of them associated with the address of *** ADDRESS.3 and the NAF [the same digits of the claimant's NAF] with debts to Social Security, and another of them associated with the NIF of the holder, with debts of the Provincial Council and the *** CITY COUNCIL. 1. We provide the result of access to the file with the data of reference to date 06/19/2019. " The result of access to the FIJ that EQUIFAX sends to this Agency has, on the date 06/19/2019, the following characteristics: (i) Annotations for debts with Social Security are associated, exclusively, the name and two surnames of the claimant. The space for NIF is empty. The following annotations appear exclusively linked to the Name and two surnames of the claimant: In the section " Claims from Public Bodies" : - 5 entries in which the claiming entity is, in all, the Social Security; for debts, respectively for each entry and monthly, from January to May 2018, inclusive. The medium of publication, in all of them, is “ *** BOLETIN.1 ” in the months of April, May and June 2018. In the " Judicial Claims " section: - 1 entry: TGSS appears as the applicant's name; What procedure, constraint; as a means of publication, *** BOLETIN.1 ”and the date 04/18/2018. (ii) EQUIFAX provides another document with the information that appears in the FIJ to date 06/19/2019. In this case, it is associated, in addition to the name and surname of the claimant, also to your NIF. In the section " Claims from Public Bodies" there are no data. In the " Judicial Claims" section there are 2 annotations: - 1st entry: Name of the applicant, *** ORGANISMO.3 ; process, Tax debt; means of publication *** BULLETIN.1 and the date 05/27/2019. - 2nd entry: Name of the plaintiff, *** CITY COUNCIL.1; process, Tax debt; as a means of publication, *** BULLETIN.1 and the date 04/27/2017. EQUIFAX states in the letter it addressed to the AEPD on 06/19/2019, responding to the informative request, that “ On 06/19/2019, all the data registered in the file of Legal Incidents and Claims of Public Bodies associated with the owner, Ms. [claimant] ... ” And it provides captures of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 21 21/184 screen of their systems in which it reflects the cancellation of all data. Attached also a copy of the letter sent to the complainant in which he stated: " Le We inform you that we have proceeded to delete the data related to your claim, associated with your identifier / name and at the address provided by you ” (The underlined is from the AEPD) Complainant 33: Complaint that he has paid the outstanding fines to the *** CITY COUNCIL. 3 ; that in the internal files of the City Council already appears without debts and that, despite this, your data continues to be included in the FIJ "so that either the The City Council or EQUIFAX is responsible for not having updated data confidential information about my creditworthiness ”. Provide as address one located in *** ADDRESS. 4. to. The AEPD, receiving the claim and before agreeing on its admission for processing, gives transfer of it to EQUIFAX and request information. The respondent responds on 06/19/2019 in the following terms that are transcribed: “... after consulting the [FIJ] of the data of [the claimant ] holder of the DNI [that of the complainant ] we indicate that as of 06/19/2019 there is no registered incident associated with your name / identifier and your address. However, if the owner would have resided in other addresses where he would like to be consulted, since in the file contains annotations in the name of [the name and two surnames of the claimant] associated with addresses other than those provided for this claim, you can send us a request expressly mentioning them ”. (The underline is of the AEPD) Claimant 34: Report the inclusion of your personal data in the FIJ. Provides, between others, these documents: to. EQUIFAX's letter dated 04/08/2019 containing your personal data (name, surname and NIF) associated with the following information. In section "Claims from Public Organizations " no data. In section " Judicial Claims ": - 1st entry: applicant the *** ORGANISMO.5; as procedure, debt tax; as a means of publication, “*** BOLETIN.10” and the date 03/28/2016. - 2nd note: State Tax Administration Agency; procedure, debt tax; publication medium, " Tax Agency Headquarters" and the date 02/03/2017. - 3rd entry: State Tax Administration Agency; procedure, debt tax; publication medium, " Tax Agency Headquarters " and the date 02/24/2017. b. Letter from EQUIFAX to the claimant, dated 04/08/2019, in which he responds to the requested access. (Model letter response to request for access, transcribed in Fact Third) c. The AEPD, receiving the claim and before agreeing on its admission for processing, gives transfer of it to EQUIFAX and request information. The respondent responds on 07/01/2019 and confirms that, in the FIJ, associated with the name, surname and NIF of the Claimant listed several incidents. They are the same as reflected in the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 22 22/184 EQUIFAX information dated 04/08/2019. Complainant 35: Complaints that the inclusion of their data in the FIJ violates both the LOPD as the RGPD. He states that he was not informed of the inclusion of his data in the file; that there has not been a mandate from the creditor for their data to be included in the FIJ; that the debt is non-existent, since it is paid; that according to information provided by the SAC of AEBOE may only consult your data in the BOE if have been published in the preceding three months, otherwise requesting the information prior accreditation of your identity. He adds that EQUIFAX did not attend to his cancellation request. It provides, among others, these documents: to. Writings from EQUIFAX dated 04/05/2019 and 09/0472019 with the information associated with your name, surname and NIF -identical in both documents- that appears in the FIJ. In the section " Claims Public Organizations": - 2 annotations in which the Social Security claimant is recorded, for debts corresponding to the periods 09/2014 and 10/2014, respectively; as publication medium, “ SS S CTR (...)” and as publication date, for both entries on 01/13/2015. In the "Judicial Claims" section: - An annotation: as plaintiff the TGSS; as a procedure, Urgency; What medium of publication, *** BOLETIN.3 and as of publication date 05/23/2016. b. TGSS Certificate of " Being up to date on Security obligations Social ” , signed electronically on 04/09/2019 and associated with the data of the claimant (name, two surnames, NIF and NAEF). c. Letter from EQUIFAX, dated 04/09/2019, in which he responds to a request for cancellation of FIJ data, dated 04/05/2019, which denies inasmuch as, it says, the claimed has not proven to be up to date with the payment. EQUIFAX letter, dated 04/22/2019, in which it informs the claimant that it has responded to her request for cancellation dated 04/09/2019 and it has proceeded to cancel the FIJ "the data associated with your identifier / your name and the address provided by you ”. d. AEBOE Customer Service email sent to the claimant. On 01/18/2019 informs you in the following terms: “If your notification has been published in the last three months, you can consult it using the seeker of BOE: https // www.boe.es / tablon_edictal_unico / notifications.php. " "To check your previous notifications, you can access with a digital certificate, to the service "My advertisements from notification" https // www.boe.es / tablón_edictal_unico / Notifications_historico.php. " This service will allows access without time limit, to the notification announcements that incorporate your NIF, whether it is a natural person or a legal person or entity. To do this, you must first identify yourself through the CL @ VE system (...) " “Another option is to recover you. your notifications with a digital certificate to through the citizen folder ... " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 23 23/184 “If you want the Citizen Attention Service to process your request, and since Notification data is of a personal nature, we need you to request it at Citizen Attention Service (www.boe.es/info) making the request and Attaching a photocopy of your ID, the date of publication and the body that sent you the notification if you know them. If you are acting on behalf of a notified person, you must send us, in addition, the authorization of the affected person " Claimant 36: Report the inclusion of your personal data in the FIJ for debts that are not true and the entity's refusal to comply with the right to delete your data. They are in the file, among others, these documents: to. Letter from EQUIFAX dated 10/18/2018 addressed to the claimant with the following text: “ Le We inform you that on that date we have proceeded to register in the Incidents file Judicial and Public Bodies Claims the information that a then we point out: " Court / Agency" "TGSS"; "Subject- DSS"; "Source of the information Official State Gazette ”; "Date 10/18/2018 ". The letter is addressed to the same address that the claimant has provided to this Agency if either the data of the block number of the house is missing in it. The letter identifies the claimant by name and two surnames, but there is no NIF, NIE or NAF. b. TGSS certificate, electronically signed on 10/30/2018, called " Report of being up to date with Social Security obligations " regarding the claimant, identified by his name, two surnames, NIF and NAF. c. Claimant's letter to EQUIFAX, whereby he exercises the right to deletion of your data, with which you attach the certificate issued by the TGSS, and Proof of shipment addressed to the claimed person through certified mail on 11/21/2018. d. The AEDP, received the claim and before agreeing on its admission for processing, gave Transfer of her to the claimed one on 06/27/2019 and requested information. EQUIFAX Respond on 07/02/2019. You acknowledge that you received the request for deletion from the claimant on 11/21/2018 as well as the TGSS Report that accredited that it was at the current payment in Social Security obligations. It states that “ Said request was attended, proceeding to cancel the data registered in said files on December 7, 2018 ”. Nevertheless, EQUIFAX, in the same document, makes other claims - that the documentation which it annexes confirms that they radically contradict the previous one. In the same Written statement states that it responded to the claimant's request for cancellation of 11/27/2018 " Indicating that it was necessary for him to send a copy of his ID to attend to his request." Provide a letter dated 12/07/2018 addressed to the claimant - sent by mail from 12/10 / 2018- in which it says: “We regret to inform you that it has not been possible to accredit the identity of the interested party. We ask that you provide additional documentation that can confirm your identity, as a legible photocopy on both sides of the DNI / NIF / CIF and proceed to attend to your cancellation request " Provide a document with the result of access to the FIJ on 11/27/2018. Call the Attention that the annotations (two incidents for claims of the Security Social) are exclusively associated with the name and two surnames of the claimant. The The space for the NIF is empty. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 24 24/184 Claimant 37: Complaint that EQUIFAX attributes a debt to the Security Social that is non-existent, extreme that has been accredited through a certificate of the TGSS. The following documents are in the file: to. TGSS certificate, electronically signed on 05/23/2019, certifying that the person identified with the name, surname and NIF of the claimant is aware of payment in Social Security obligations. b. The AEPD, having received the claim, before agreeing on its admission for processing, gave Transfer of her to EQUIFAX on 06/19/2019 and requested information. The The complainant responds on 06/21/2019 and states: “ Currently, after consulting the [FIJ] of the data of Mr. [the claimant] holder of the DNI [the claimant's NIF], we indicate that as of 06/21/2019 there are no incidents associated with your name / identifier and your address ”. (The underlining is from the AEPD) EQUIFAX claimed to have received two access / cancellation requests from the claimant. One, which led to expediten 2019/119599, which was rejected for not having provided supporting documentation for the deletion of the data. Another, received on 05/25/2019, with which he provided a certificate issued by the TGSS, and as Consequently, he proceeded to cancel the data on 06/04/2019. c. They work in the file, provided by EQUIFAX, the copy of various emails electronic messages that the claimant sent to the respondent requesting the deletion of their data. In all of them, he states that he sends him a Social Security certificate that it would prove that the debts attributed to it do not exist. They are all aimed at sac@equifax.es on 05/17/2019; 05/20/2019 and 05/25/2019. d. EQUIFAX document with the result of access to the FIJ associated with the name, surname and NIF of the claimant. The documents, identical to each other, are of different dates, 05/21/2019 and 05/27/2019, and contain this information: In the section " Claims from Public Bodies ": - 17 annotations in which the complaining entity is, in all, the Security Social; for monthly periods -from 08/2014; 11/2016; and the remaining fifteen by successive months between 01/2017 and 03 / 2018-; the middle of publication is, in all cases, *** BULLETIN. 8 and the publication dates the 11/17/2014 the first and 05/28/2018 the last. In the " Judicial Claims " section there is an annotation: As plaintiff figure the TGSS; as a procedure, Urgency; as a means of publication, “SS S ELECTR (...) ”and the date of publication 03/30/2015. Claimant 38: Complaint that EQUIFAX has included it in a file of defaulters for debts that are not true because they have already been paid. They work in the file, between others, these documents: to. Report issued by the *** ORGANISM . 6. , signed on 05/17/2019, which certifies that The taxpayer -the claimant, identified by her name, two surnames and NIF- does not has outstanding debts with the *** CITY COUNCIL. 11. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 25 25/184 b. Written with the EQUIFAX anagram, dated 05/17/2019, with the information that It appears in the FIJ on that date associated with the name, two surnames and NIF of the claimant. In the section " Claims from Public Organizations ", there is no data. In the " Judicial Claims " section there is an annotation: As an entity plaintiff figure *** CITY HALL. 11 ; as a procedure, tax debt; As a means of publication, *** BULLETIN. 12. and the date of publication 06/18/2018. c. Letter from EQUIFAX addressed to the claimant, dated 05/27/2019, in which responds to the cancellation of your FIJ data that you had requested and informs you that “ After the pertinent checks, we have proceeded to remove the file [FIJ] of the data related to your claim, associated with your identifier / your name and the address provided by you ”. d. The AEPD, having received the claim, and before agreeing on its admission for processing, gave Transfer of her to EQUIFAX and requested information on 06/19/2019. The claimed responds on 06/21/2019 and states that on 05/16/2019 he received a request for cancellation of the claimant with whom he provided supporting documentation of the non-existence of debt, therefore, on 05/27/2019, the cancellation of the the annotation. Complainant 39: Complaints that EQUIFAX has included their data in the FIJ without their consent with information obtained from the BOE, in breach of both the LOPD and the GDPR. It provides, among others, these documents: to. Letter from EQUIFAX addressed to the claimant, dated 05/14/2017, in which he responds to the request for cancellation of your FIJ data, which was registered in its offices on 05/13/2019, in which he communicates that “since he has not provided documentation that justify the deletion, it is not appropriate to attend to your request ”. b. Letter from EQUIFAX, dated 05/14/2019, with the information contained in the FIJ associated with the name, two surnames and NIF of the claimant. In section " Claims of Public Organizations", there is no data. In section " Judicial Claims " two annotations are collected: - 1st entry: Name of the plaintiff, *** CITY COUNCIL.3; process, Tax debt; Publication medium, *** BULLETIN. 3 and the date 08/30/2017. - 2nd entry: Plaintiff, AEAT; procedure, tax debt; source of publication, " Tax Agency Headquarters " and the date 06/08/2016. Complainant 40: Report that your personal data has been included in a file of capital solvency for a debt with the City Council that was paid in time and form. It accredits that it has no outstanding debts with the City Council. The Claimant provides, among others, these documents: to. Written with the EQUIFAX anagram, dated 05/30/2019, with the information that It appears in the FIJ associated with your name, two surnames and NIF. In section " Claims of Public Organizations ", there is no data. In section " Judicial Claims ": C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 26 26/184 - An annotation: Plaintiff the *** CITY COUNCIL.12; procedure, debt tax; medium of publication, *** BULLETIN.3 and the date of publication 01/08/2016. In the " History of Queries " it is reported that queries were made in the following dates: 05/29/2019; 05/28/2019; 12/13/2019; 12/10/2018 and 12/09/2018. b. Letter from EQUIFAX, dated 06/10/2019, responding to the opposition exercised by the claimant to have their data published in the FIJ. EQUIFAX claims that there are no registered data associated with your identifier / name and at the address provided by the claimant and that “ we are not aware that your data has been consulted by any entity in the last six months ”. (The underlining is from the AEPD) Claimant 41: You report the inclusion of your data in the FIJ without your consent and that, despite having requested EQUIFAX to cancel the entry and having provided for this purpose the copy of the judicial resolution that accredited the extinction of the debt, has refused to attend the cancellation. It provides, among others, these documents: to. Order of the Court of First Instance No. 3 of (...), of 06/02/2017, issued in the Ordinary Bankruptcy procedure 115/2017, section B, which declares the claimant -identified by his name, two surnames and NIF- in " contest of consecutive creditors ” and provides for the“ publication of this resolution (...) in the Public Insolvency Registry and in the Official State Gazette and, for this purpose, they will send the corresponding edicts with the indispensable mentions that establishes article 23.1 of the LC (...) In addition, an edict will be posted on the notice board. announcements of this judicial body ”. c. Order of the Court of First Instance No. 3 of (…), relapsed in the procedure of Consecutive Contest 115/2017 B, dated 04/09/2019, which "Agrees to the conclusion of the bankruptcy proceeding with respect to Ms [the claimant] and the granting of the bankrupt of the benefit of definitive exoneration of the unsatisfied liability, proceeding to file the cars ". (The underlining is from the AEPD) d. Letter from EQUIFAX, dated 05/30/2019, with the information that appears in the FIJ associated with the data of the claimant -name, two surnames and NIF-. In section " Claims of Public Organizations ", there is no data. In section "Judicial Claims " consists of: - An annotation: The identity of the plaintiff does not appear; as a procedure indicates " voluntary contest"; “No. of Order and Court” 115/2017, First Instance; means of publication, Official State Gazette and date 11/06/2017. and. Letter from EQUIFAX to the claimant, dated 06/08/2019, responding to her request for cancellation of your FIJ data, dated 05/30/2019, in which you are notified that “no It is appropriate to attend to your request "" since you have not provided documentation that justifies the suppression ”. Complainant 42: Report the violation of your right to data protection. Ha been included in the FIJ delinquent file and the requested cancellation has been denied. These documents are in the file: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 27 27/184 to. Letter from EQUIFAX, dated 03/18/2019, with the information that appears on that date in the FIJ associated with the claimant's personal data (name, two surnames and NIF). In the section " Claims from Public Organizations ", there is no data. In the section " Judicial Claims": - 3 annotations: In all of them the name of the plaintiff is the *** CITY COUNCIL. 13; as a procedure, tax debt; as " No. of Auto and Judged ”, it appears, respectively for each entry,“ 2743575/0 Local Administration ", " 3129072/0 Local Administration " and "826/000 Local Management". The publication medium is, for all annotations, *** BULLETIN. 13 and publication dates are, respectively, 10/15/2014, 03/25/2015 and 04/16/2014. b. Letter from EQUIFAX to the claimant dated 03/18/2019 in which he responds to the request for access to your data in the FIJ according to the usual letter model used by the entity. c. Certificate issued by the Secretary of the *** CITY COUNCIL. 13, signed on 03/08/2019, which attests that the claimant -identified by his name, two surnames and NIF- is up to date with the payment of its tax obligations. d. The AEPD, having received the claim, and before agreeing on its admission for processing, gave Transfer of her to EQUIFAX and requested information on 08/12/2019. The claimed responds on 08/14/2019 and states that on 06/30/2019 the claimant requested the cancellation of your FIJ data and that on 07/09/2019 we proceeded to give download your data from the file and answer you. Attach a copy of the claimant's email from date 06/30/2019 with which he provided a copy of the certificate issued by the Allegedly creditor city council. Complainant 43: Complaint that he received in August 2019 a letter from EQUIFAX -with the reference number 740 / JU1908006269- informing you that your personal data had been included in the FIJ. It adds that, after having exercised the "ARCO" rights and having sent the required documentation to the respondent, has not received a response despite more than a month has passed since your request. It provides, among others, these documents: to. Letter from EQUIFAX with reference number 740 / JU1908006269, sent by mail postal address to the same address that appears in the copy of the claimant's DNI. The letter goes addressed to Mr. GGG ., is dated 08/22/2019 and in it informs him that in that date, this information associated with your data has been registered in the FIJ: as " Court / Body " " Provincial Council "; as " Subject " tax debt; What " Origin of the information " Official State Gazette and the date 08/21/2019. b. The copy of three emails that the claimant sent to the EQUIFAX SAC, dated 09/05/2019, 09/16/2019 and 09/27/2019. In the first of them, with which he annexed a A copy of your ID, requested access to your FIJ data. In the other two, it was limited to remind the respondent of the request made and the time that had elapsed without receive reply. Claimant 44: Report the inclusion of your personal data in the FIJ linked to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 28 28/184 an alleged debt with the AEAT without EQUIFAX having verified the certainty of the debt with the Public Administration and without being notified of the inclusion. Add that you refuse to cancel your data from the FIJ. It provides, among others, the following documents: to. Written with the EQUIFAX anagram, dated 10/09/2019, with the information that appears in the FIJ associated with your name, two surnames and NIF. In the section " Claims of Public Organizations ”, there is no data. In the " Judicial Claims " section: - An annotation: The name of the plaintiff is the AEAT; the procedure, debt tax; the publication medium, " Tax Agency Headquarters " and the date 01/27/2017. b. Letter from EQUIFAX to the claimant dated 10/09/2019 (file with reference 2019/225056), in which it denies the requested cancellation “ since it has not provided documentation that justifies the deletion ”. c. Email sent by the claimant to the EQUIFAX SAC on 10/09/2019 requesting the exclusion of your data from the files of the claimed with which you send copy of your residence permit. Complainant 45: Complaint that EQUIFAX has included their data in the FIJ linked to alleged debts with the *** CITY COUNCIL. 12. Explain that you heard about your inclusion on 10/19/2019 and that previously did not receive any communication informing you of its inclusion. Provide these documents: to. Written with the EQUIFAX anagram, dated 11/19/2019, with the information that It appears in the FIJ associated with your name, two surnames and NIF. In section " Claims of Public Organizations", there is no data. In section " Judicial Claims ": - 3 entries: The name of the plaintiff is, in the first entry, the *** CITY COUNCIL.14 and in the second and third the *** CITY COUNCIL.12; As a procedure, the three entries include " tax debt "; the middle of publication is, respectively *** BULLETIN.14 and *** BULLETIN.15 and the dates 02/09/2015 for the first and 12/05/2018 for the second and third. b. Letter from EQUIFAX to the claimant, dated 11/19/2018, (file with reference 2019/257542) in which it responds to the request for access (Sample letter of response to the requested access, transcribed in the Third Fact) Complainant 46: Complaint that EQUIFAX has published their personal data in the FIJ violating data protection regulations, so he requests that they be canceled. It provides, among others, these documents: to. Letter from EQUIFAX, dated 10/21/2019, with the information contained in the FIJ, on that date, associated with your personal data -name, two surnames and NIF-. In the section " Claims from Public Bodies ", there is no data. In section " Judicial Claims ": - 2 entries: In both, the plaintiff's name is AEAT; The procedure, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 29 29/184 Tax debt; the means of publication, " Tax Agency Headquarters " and the date, respectively, on 12/02/2014 and 03/05/2014. b. Letter from EQUIFAX addressed to the claimant, dated 10/21/2019 (number of file of the claimed 2019/235237), in which it responds to the access to the data listed in the FIJ. (Sample letter of response to the requested access, transcribed in the Third Fact) Complainant 47: Complaint that EQUIFAX has published their personal data in the FIJ violating data protection regulations, so he requests that they be canceled. Provides, among others, the following documents: to. Letter from EQUIFAX, dated 10/21/2019, with the information that, associated with the personal data of the claimant -name, two surnames and NIF- appears in the FIJ in That date. In the section " Claims from Public Organizations ", there is no data. On the section " Judicial Claims ": - 5 inclusions: In all of them the applicant appears as *** CITY COUNCIL. 3; as a procedure, tax debt; as a means of publication, “ Tax Agency Headquarters ” and the date, respectively, 12/02/2014 and 03/05/2014. b. Letter from EQUIFAX, dated 10/21/2019 (file number of the claimed 2019/235205), in which it responds to the access requested by the claimant to the data listed in the FIJ. (Sample letter of response to the requested access, transcribed in the Third Fact) Complainant 48: Complaint that EQUIFAX has included your personal data in the FIJ, linked to an alleged debt with the *** CITY COUNCIL . 7. The City Council has certificate that there are no debts in your name. Provide these documents: to. Letter from EQUIFAX, dated 08/24/2019, bearing the reference 740 / JU1908006464, in which it informs you that on 08/23/2019 the to register the following information in the FIJ: " Court / Agency ", *** CITY COUNCIL. 7; " Subject", tax debt; " Origin of the information ", Bulletin Official of the State; " Date ", 08/23/2019. b. Certificate of *** CITY COUNCIL. 7 , signed on 01/20/2020, in which the to state that as of the date there are no outstanding debts in the name of the claimant. c. Claimant's letter to EQUIFAX, dated 01/27/2020, in which he requests the cancellation of your FIJ data and with which you send the certificate issued by the Town hall. Complainant 49: Report that EQUIFAX has included your personal data in the FIJ associated with a non-existent debt. He states that on 08/14/2019 he received from EQUIFAX a letter, with the reference 740 / JU1905009652, informing him that he had given high in a file of defaulters. Add in your writing; that the debt that EQUIFAX C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 30 30/184 attributed corresponds to the rustic IBI of the *** ORGANISMO.5 ; that was published in the BOE and that such debt was paid in the past through a bank account, so it is non-existent. The claimant has not provided any document attached to his brief of claim. Claimant 50: Report the inclusion of your personal data as delinquent in the FIJ for debts with various Public Administrations that are not true and that EQUIFAX continues to keep these annotations despite having sent you documents that they prove the non-existence of debts. He explains that the AEAT has informed him that no It has nothing to do with the treatment that the person in charge of the FIJ makes of your data personal and that he is up to date in the payment of the deferral agreed in the year 2014 of which " there are two letters left to pay, for the months of July and August." It adds that the debt with the *** CITY COUNCIL, which it contracted in the year 2012 and that he paid, by garnishment of his payroll, in the year 2014. He contributes, among others, these documents: to. Letter from EQUIFAX, dated 05/27/2019, with the information contained in the FIJ associated with your personal data -name, surname and NIF-: In the section "Claims of Public Organizations ", there is no data. In section "Judicial Claims ": - 1st entry: as plaintiff the AEAT; as a procedure, tax debt; as a means of publication, " Tax Agency Headquarters " and the date 04/15/2014. - 2nd entry: as plaintiff the *** CITY COUNCIL. 11, as a procedure, Tax debt; as a means of publication, *** BULLETIN.8 and the date 02/05/2014. b. Certificate issued by the *** CITY COUNCIL. 11, electronically signed on 05/22/2019, stating that there are no outstanding debts in the name of the claimant. c. Documents issued by the AEAT: (i) From the Regional Revenue Unit of the Special Delegation of (...) , addressed to the claimant, in which they notify a wage garnishment diligence: diligence number 081421339376V, dated 09/13/2014. In it, the seizure of the liquid amount of salaries or wages that were paid to the obligor in a sufficient amount to cover the amount of the debt not paid in voluntary period, the ordinary compulsory surcharge and the interests and costs of the ordinary procedure, for a total amount of 229.47 euros. The document identifies the “ obligated ”, who coincides with the claimant and the “ Payer ”, the company *** COMPANY.1 . (ii) Document from the AEAT, Special Delegation of (...); Annex II, with the heading " Settlement of default interest resulting from the granting of the postponement." On the document, which contains the personal data of the claimant and the reference “ Nº file 081440369344S " , this legend is included: " ... As a consequence of the authorization of deferred or installment payment of the debt / s, proceeds to the corresponding settlement of default interest ”. It is dated 03/31/2014. (The underlined is from the AEPD) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 31 31/184 Claimant 51: The claim is directed against the *** CITY COUNCIL. 1 to understand the claimant who has been this Public Administration who has included in the FIJ its personal data associated with debts that are not true. In the claimant's opinion the Annotations in the file correspond to fines imposed by the Local Police of the *** CITY COUNCIL. 1. The claimant provides among other documents: to. Abundant documentation regarding the remedies for replacement and extraordinary review filed against resolutions of the aforementioned City Council relapsed in disciplinary proceedings for traffic and parking offenses regulated. Among the documents that the claimant provides several resolutions dictated by that local entity, estimating some of the replacement resources filed against the seizure of assets decreed by the City Council before the non-payment of fines. The estimated resolution of the remedies for replacement is based on that the City Council had not notified the claimant of the initiation of the pressure to collect the amount of the fines. b. Letter from EQUIFAX, dated 02/05/2019, with the information that appears in the FIJ associated with your personal data -name, surname and NIF-: In the section "Claims of Public Organizations ", there is no data. In section "Judicial Claims ": - An annotation: the *** CITY COUNCIL.1 ; process, Tax debt; Auto and Court number, an illegible reference number followed of the Local Administration indication; publication medium, *** BULLETIN.1 and the date 01/17/2019. Claimant 52: Report the inclusion of your data in the FIJ associated with a debt non-existent. It states that on 05/03/2019, in the bank where you request a financial product, they verify that there is an annotation for debts from November 2017 linked to your data. It provides, among others, these documents: to. Letter from EQUIFAX, dated 05/22/2019, with the information that appears in the FIJ associated with your name, surname and NIF: In the section "Claims for Public Organizations ”, there is no data. In the "Judicial Claims " section: - An annotation: as plaintiff appears the *** CITY COUNCIL.12; What procedure, tax debt; as publication medium, "TEU-BOE" and the date 24 // 11/2017. b. Printing a screenshot with economic information regarding the claimant bearing the seal of Banco Santander, SA and the date 06/25/2019. In one of the lines, under the heading " Negative files (06/24/2019) " read: " Incl. Judicial; 1st incidence 11/24/2017; last incident 11/24/2017; Worse situation, Normal ”. c. Certificate issued by the *** CITY COUNCIL. 12 in which it is indicated that on the date 06/24/2019 “ there is no ... debt due in the name [of the claimant] with DNI [ the NIF of the claimant] for taxes, fees or municipal public prices managed by this collection unit ” . d. Several emails that the claimant sent to the EQUIFAX SAC: Dated 05/04/2019, in which in addition to requesting that they cancel that entry, it explains the information that you have learned through the Banco de Santander entity and that after C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 32 32/184 consult the *** CITY COUNCIL. 12 and the DGT to find out if it exists in your name any pending debt or traffic fines the result has been negative. Of dates 05/13/2019 and 05/15/2019 in which he informs them that he continues to wait for you clarify " what this is about that is in your records ." and. EQUIFAX letter dated 05/22/2019 in which you respond to the requested cancellation denying it for not having accredited the payment of the pending debt. (Sample letter denying cancellation transcribed in the Third Fact) Complainant 53: Report the inclusion of your personal data in the FIJ for a non-existent debt, as it was paid long ago. Highlight the consequences negative that their inclusion in the FIJ has caused. It provides, among others, these documents: to. Letter from EQUIFAX, dated 07/17/2019, with the information contained in the FIJ associated with name, two surnames and NIF: In the section "Judicial Claims ": - An entry: as plaintiff, the *** CITY COUNCIL.12; What procedure, tax debt; as a means of publication, *** BOLETIN.15 and the date 04/06/2018. It is striking that the IJF Consultation History does not include any. Without However, in the History of consultation of the ASNEF and ASNEF Companies files - Despite the fact that there are no incidents associated with the claimant, they do include four consultations carried out in the last six months. b. Certificate from the Tax Management Body of *** CITY COUNCIL. 12, signed electronically on 05/16/2019, which certifies that the claimant, identified by his name, two surnames and NIF, is up to date with the payment of its obligations tax with that City Council. Claimant 54: Report the inclusion of their data in the FIJ, obtained from the BOE, associated with non-existent debts. He claims to have sent the demanded proof of the payment of debts and has not canceled its data from the file. Provide a copy, among others, of these documents: to. Letter from EQUIFAX, dated 05/13/2019, with the information that appears in the FIJ associated with your name, two surnames and NIF. In the section " Judicial Claims" consists of: - 3 entries in which it appears, as the name of the plaintiff, *** CITY COUNCIL. 5; as a procedure, tax debt; as a means of publication, “*** BOLETIN.6 ” and the following dates, respectively, 10/21/2015; 06/22/2018 and 08/23/2017. - An annotation in which the name of the plaintiff, AEAT; What procedure, tax debt; as a means of publication, Agency Headquarters Tax and the date 08/07/2017. b . "Certificate of being up to date with Social Security obligations ", issued by the TGSS and electronically signed on 05/08/2019. The document indicates that the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 33 33/184 person identified with the name, two surnames and NIF of the claimant “ does not have pending income no claim for debts already overdue with the security Social". c. Certificate issued by the AEAT -Special Delegation of (...) - signed electronically on 05/10/2019, in which he declares that the claimant -identified by your name, two surnames and NIF- you are up to date with your obligations tributary. d. Letter from EQUIFAX to the claimant, dated 05/22/2019, in which he responds to the cancellation of data requested on 05/10/2019 and informs you that " after the Relevant checks we have proceeded to download the data in the [FIJ] related to your claim, associated with your identifier / name and address contributed by you ”. Complainant 55: Complaint that EQUIFAX has included and maintains data in the FIJ Claimant's personal data obtained from the BOE, treatment that is illegal. Provides, between others, these documents: to. Letter from EQUIFAX, dated 08/13/2019, with the information that appears on that date in the FIJ, associated with your name, two surnames and NIF. In the section " Claims for Public Organizations ”, there is no data. In the " Judicial Claims " section: - An entry: as a plaintiff it appears *** CITY COUNCIL.2 ; as " No. of Writ and Court ”, tax debt; as a means of publication, *** BULLETIN.2 and the date 05/04/2016. b. Letter from EQUIFAX to the claimant, dated 08/13/2019, (file of the claimed reference 2019/181735) in which it responds to the request received at its offices on 08/12/2019 in which -according to EQUIFAX- the claimant requested access to your FIJ data. c. Copy of the brief, dated 08/08/2019, that the claimant sent to EQUIFAX through email. The company "E-Guarantor" certifies the dispatch to the respondent of the letter of the claimant and the attached documents -copies of the claimant's DNI and their representative and the report issued at the request of the claimant by AEBOE- to the address electronic sac@Equifax.es, as well as the receipt of the letter and documentation by the claimed. In the letter, the claimant requests EQUIFAX " the urgent suppression " of your personal data from FIJ and does not mention access at all. d. Report issued by the State Agency Official State Gazette (AEBOE), signed electronically on 07/31/2019, in which he responds to the query made by the complainant about “if it is legal, if I obtain personal data published by the BOE, "name, surname and DNI" to create a database for profit ". Claimant 56: Report the inclusion of your personal data in the file of defaulters of EQUIFAX for an alleged debt with the AEAT that is unknown totally. He states that if the debt were true, he would have paid it, that they have not payment is required and that the delinquency file does not specify the amount of the alleged debt. The only document provided is the copy of the DNI. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 34 34/184 Claimant 57: Address your complaint to EQUIFAX. The only document that provides It is the copy of the DNI. In the claim form, identify the “ alleged creditor ”, *** CITY COUNCIL. 10, and includes a single sentence: “We are not aware of a debt for being paid with City Hall. Monthly partial payments ”. Claimant 58: Report the inclusion of your data in the FIJ for alleged debts with Public Administrations of which he has heard when trying, without success, to carry out a financial transaction. He adds that EQUIFAX has denied him the cancellation of his data and that allegedly creditor public entities have confirmed that has no outstanding debts. Provide a copy of the following documents. to. Letter from EQUIFAX, dated 10/09/2019, with the information included on that date in the FIJ associated with the name, two surnames and NIF of the claimant. In section " Judicial Claims" are reflected 8 annotations: - Two annotations in which the applicant appears *** CITY HALL.3; the procedure is tax debt; the means of publication, *** BOLETIN.3 and the dates, respectively, 04/13/2016 and 09/19/2019. - Two annotations in which the AEAT appears as plaintiff; as a means of publication, " Tax Agency Headquarters " and the dates, respectively, 11/26/2013 and 12/30/2014. - Three annotations in which the *** CITY COUNCIL.12 appears as the plaintiff; as a procedure, tax debt; as a means of publication, *** BULLETIN.3 and, respectively, the dates 01/22/2018, 02/07/2018 and 06/12/2018. - An entry in which the name of the plaintiff is *** CITY COUNCIL.15 ; the procedure indicated tax debt; the publication medium, *** BULLETIN. 3 and the date 05/09/2016. b. Letter from EQUIFAX to the claimant, dated 10/09/2019, file number of the claimed 2019/225276, in which it responds in the following terms to the request cancellation of the FIJ data that had entry into that entity on 10/09/2019: " Since it has not provided documentation to justify the deletion, it is not appropriate attend to your request ”. Claimant 59: Report the inclusion of your personal data in the FIJ associated with debts with Social Security and various municipalities. He adds that the debt with the Social Security is non-existent, as it was paid in 2016; that referred to EQUIFAX supporting documentation of being up to date with payments and that, despite having answered that they canceled the annotations, the alleged debt continues to be included in the FIX. Provide the following documents: to. Letter from EQUIFAX, dated 09/24/2019, with the information that on that date was Include in the FIJ associated with the name, two surnames and NIF of the claimant. In the In the “ Judicial Claims” section, there are five annotations: - 1st entry: name of the plaintiff, *** CITY COUNCIL. 7; process, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 35 35/184 Tax debt; publication means *** BULLETIN.8 and the date 09/04/2015. - 2nd entry: plaintiff, the *** ORGANISMO.7; procedure, tax debt; publication medium, *** BULLETIN. 8 and the date 08/14/2019. - 3rd entry: plaintiff, *** CITY COUNCIL.16; procedure, debt tax; medium of publication, *** BULLETIN. 8 and the date 03/28/2018. - 4th entry: plaintiff, *** CITY COUNCIL.16; procedure, debt tax; publication medium, *** BULLETIN. 8 and the date 04/16/2018 - 5th entry: plaintiff, AEAT; procedure, tax debt; source of publication, Tax Agency Headquarters and the date 07/08/2016. In the section " Claims from Public Bodies": - 10 entries: in all of them, the complaining entity is the TGSS; by periods monthly and correlative between 07/2014 (the first entry) until 03/2015 (the ninth entry). The tenth entry corresponds to October 2015. The means of publication is in all cases, *** BULLETIN.8 and the publication date of 09/10/2015 for the first nine entries and the 12/21/2015 for the tenth. b. Copy of the email that the claimant sent to the EQUIFAX SAC on 09/24/2019 in the which states that the debts with Social Security attributed to him were paid several years before, provide a copy of the negative certificate issued by the TGSS and request cancellation of the annotation. c. Letter that EQUIFAX addresses to the claimant, dated 10/03/2019, responding to the cancellation requested. It informs you that after the relevant checks have proceeded to unsubscribe from the FIJ the data related to your claim associated with your identifier, name and address provided by the claimant. Claimant 60: Complaint through two writings (from the years 2019 and 2020 respectively) the inclusion of your personal data in the FIJ, without your consent nor knowledge, associated with a debt with the *** CITY COUNCIL. 17., of the year 2014, of which it ignores its existence, amount and what it corresponds to. It contributes the following documents: to. Letter from EQUIFAX, dated 06/12/2019, with the information included on that date in the FIJ associated with your name, two surnames and NIF. In the section " Claims of Public Organizations ” there is no data. In the section "Judicial Claims" there is an annotation: - Plaintiff, *** CITY COUNCIL. 17 ; procedure, tax debt; source of publication, *** BULLETIN. 16 and the date 07/05/2014. b. Written statement that declares to have sent to the address sac@equifax.es in which it exposes that in the EQUIFAX report dated 11/27/2019 there is an incident of non-payment associated with your personal data for "claims from public bodies" that are would have been made by *** CITY COUNCIL. 17., *** PROVINCE. 2 , on the date 07/07/2014 . C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 36 36/184 Complainant 61: Report the use that EQUIFAX has made of your personal data, without your consent and without any notification, for inclusion in your delinquent file for non-existent debts. Provide a copy, among others, of these documents: to. Letter from EQUIFAX, dated 10/17/2019, with the information included on that date in the FIJ associated with your name, two surnames and NIF. In the section " Claims of Public Organizations ” there is no data. In the section " Judicial Claims " consists of: - 1st entry: as plaintiff, *** CITY COUNCIL.2; procedure, debt tax; publication medium, *** BOLETIN.2 and the date 10/10/2016. - 2nd entry: applicant on *** CITY COUNCIL.16; procedure, debt tax; means of publication *** BULLETIN.3 and date 11/05/2014. b. Letter from EQUIFAX dated 10/17/2019 in which it responds to the requested access according to model (see Third Antecedent) c. Certificate issued by the *** CITY COUNCIL. 2 - Municipal Executive Collection -, of 10/21/2019, which indicates that the claimant -identified by name, surnames and NIF- does not appear as a debtor in the Municipal Public Treasury for Tax concepts that, to date, are in the executive period of payment. d. Certificate issued by the *** CITY COUNCIL. 16 on 10/21/2019 stating that the claimant -identified by name, two surnames and NIF- is at the current payment of the Tax on Mechanical Traction Vehicles with respect to the vehicle -It is identified by the license plate, frame, make, model and type- whose owner is the claimant. Complainant 62: Complaint to EQUIFAX for inclusion of their personal data in the FIJ linked to an alleged debt with the *** CITY COUNCIL.11 with which it has not had do any relationship. Provide, in addition to the DNI, a copy of these documents: to. Letter from EQUIFAX, dated 05/21/2019, with the information included on that date in the FIJ associated with your name, two surnames and NIF. In the section " Claims of Public Organizations ” there is no data. In the section " Judicial Claims " consists of an annotation: - Plaintiff, the *** CITY COUNCIL.11; procedure, tax debt; half of publication, *** BULLETIN. 16 and the date 06/13/2017. b. A screenshot accessed from the Administration.Gob.es page, Citizen Folder, open in the name of the claimant. The epigraph that appears on the size is the one related to the announcements in the Single Edictal Board (TEU) in which you can Consult the list of notification announcements published in the BOE supplement. There is the following legend: " No announcements have been found on the Single Board with your identifier (NIF or NIE) ”. Complainant 63: Report that EQUIFAX has included your personal data in the FIJ for debts with the *** CITY COUNCIL. 2 and with the non-existent AEAT. Underline the fact C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 37 37/184 that these Administrations have not been the ones that have included it in the file, but that the IJF itself has done it “motu proprio”. He adds that the respondent has denied him- do the requested cancellation. It provides, among other documents: to. Copy of the email sent on 10/08/2019, at 12:12 pm, to the EQUIFAX SAC, with the one that sends them a copy of their ID and their signed application, and requests that their data be ex- cluyan from the file. b. Letter from EQUIFAX addressed to the claimant, dated 10/08/2018, in which he responds to the request for cancellation of your FIJ data in these terms: " In relation to your petition registered in our offices dated October 8, 2019, in which requests us cancellation of the data that appear registered in the file of [FIJ] with the documentation provided by you, we inform you that there is no registered some incidence. However, we hereby send you your current situation in the cited file ”. c. Written by EQUIFAX, of 10/08/2019 at 1:30:30 p.m., with the information that in that date is included in the FIJ associated with your name, two surnames and NIF. In the apartment c “ Claims from Public Bodies” there are no data. In the section “ Claim- Judicial decisions ”consists of: - 1st entry: applicant the *** CITY COUNCIL.2; procedure, tax debt taria; publication medium, *** BULLETIN. 2 and the date 05/09/2016. - 2nd to 7th annotations: in all of them the plaintiff is the AEAT; The procedure, tax debt, the publication medium "Tax Agency headquarters" and, the dates, respectively, 12/05/2016; 01/20/2017; 02/24/2017; 01/05/2018; 01/22/2018 and 05/18/2018. Claimant 64: Report the inclusion of their data in the FIJ without their authorization, data which, he says, come from a public file. Request that the entire information related to debts obtained from public files. Provides, among others, these documents: to. Letter from EQUIFAX, dated 02/13/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: Under the heading " Legal claims " there is an annotation: As plaintiff appears *** CITY COUNCIL.10; as a procedure, tax debt; medium of publication, *** BULLETIN.11 and the date of publication 05/20/2015. b. A letter from EQUIFAX, dated 02/13/2020, responding to the requested access according to letter model (see Third Fact) Claimant 65: Report the inclusion of your data in the FIJ by EQUIFAX. Provides, among others, these documents: to. Letter from EQUIFAX, dated 12/18/2019, with the result of accessing the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the following information: Under the heading " Judicial claims " it consists of: - 1st entry: As plaintiff the *** CITY COUNCIL.10; What procedure, tax debt; publication medium, *** BOLETIN.10 and the Publication date 03/28/2016. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 38 38/184 - 2nd entry: As plaintiff the *** CITY COUNCIL.7; What procedure, tax debt; publication medium, *** BULLETIN.10 and publication date 08/05/2015. b. A letter from EQUIFAX, dated 12/18/2019, responding to the requested access according to letter model (see Third Fact) Claimant 66: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. He claims that he exercised the right to object. Request that all information related to debts that may have been obtained from public files. It provides, among others, these documents: to. Letter from EQUIFAX, dated 01/10/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the following information: Under the heading " Legal claims " include: - Six annotations in which the plaintiff is the AEAT; The procedure, Tax debt; the publication medium, "Tax Agency Headquarters", and the following publication dates, respectively: 06/09/2015; 10/16/2015; 02/17/2016; 09/23/2016; 12/02/2016 and 11/11/2014. b. A letter from EQUIFAX, dated 01/10/2020, in which you respond to the requested access according to letter model (see Third Fact) Claimant 67: Among the various questions raised, he states that he had knowledge, when he was trying to arrange a loan, that his data had been included in the FIJ associated with debts with the *** CITY COUNCIL. 10 and with the AEAT and that immediately proceeded to resolve the outstanding debts and sent EQUIFAX the documentation that proved it. It provides, among others, these documents: to. Certificate issued by the *** CITY COUNCIL. 10, electronically signed on 02/05/2020, stating that as of 02/04/2020 it does not exist, linked to the data of the claimant, no outstanding debt in the executive way of collection of the aforementioned Town hall. b. AEAT certificate, electronically signed on 02/06/2020, of being up to date in the payment of tax obligations. Claimant 68: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. He claims that he exercised the right to object. Request that all information related to debts that may have been obtained from public files. It provides, among others, these documents: to. Letter from EQUIFAX, dated 10/18/2019, with the result of the access to the FIJ, in which Associated with your data (name, surname and NIF) the following information is provided: Under the heading " Judicial claims " it consists of: - 1st entry: Plaintiff the *** CITY COUNCIL.12 ; procedure, debt tax; medium of publication, *** BULLETIN.15, and date of publication 04/29/2016. - 2nd entry: Plaintiff the *** CITY COUNCIL.12; procedure, debt tax; medium of publication, *** BULLETIN.15 , and date of publication 04/21/2014. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 39 39/184 b. A letter from EQUIFAX, dated 10/16/2019, in which you respond to the requested access according to letter model (see Third Fact) Claimant 69: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. He claims that he exercised the right to object. Request that all information related to debts that may have been obtained from public files. It provides, among others, these documents: to. Letter from EQUIFAX, dated 10/18/2019, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF) is provided the following information: Under the heading " Legal claims " include: - 1st entry: Plaintiff the *** CITY COUNCIL.12 ; procedure, debt tax; medium of publication, *** BULLETIN.15, and date of publication 04/29/2016. - 2nd entry: Plaintiff the *** CITY COUNCIL.12; procedure, debt tax; medium of publication, *** BULLETIN.15 , and date of publication 04/21/2014. b. A letter from EQUIFAX, dated 10/16/2019, in which you respond to the requested access according to letter model (see Third Fact) Claimant 70: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. Request that the entire information related to debts obtained from public files. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/20/20, with the result of accessing the FIJ, in which associated with the personal data of the claimant (name, surname and NIF) is provided the following information: Under the heading " Legal claims " include: - 1st entry: Plaintiff the *** CITY COUNCIL.1 ; procedure, debt tax; medium of publication, *** BULLETIN.17 , and date of publication 11/04/2015. - 2nd entry: Plaintiff AEAT procedure, tax debt; source of publication, "Tax Agency Headquarters" and publication date 08/08/2018 Claimant 71: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. Denies the certainty of the debt. Provides, between others, these documents: to. Letter from EQUIFAX, dated 02/20/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the following information: Under the heading " Legal claims " there is an annotation: Plaintiff, the *** ORGANISMO.5; procedure, tax debt; source of publication *** BULLETIN. 10 and the date 01/11/19. Claimant 72: Report the inclusion of your data in a list of defaulters without your consent or knowledge for non-existent debts since they had already been paid. Learn the facts when managing a loan application. Provides, between others, these documents: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 40 40/184 to. Letter from EQUIFAX, dated 02/20/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF) is provided this information: Under the heading " Legal claims " it consists of: -1st entry: plaintiff, *** CITY COUNCIL.18; procedure, debt tax; publication medium, *** BULLETIN.18; publication date 01/27/2017. -2nd entry: plaintiff " Mancomunidad de Servic Provinc ."; process, Tax debt; means of publication *** BULLETIN. 18 and date 03/11/2016. -3rd annotation: plaintiff *** CITY COUNCIL.18; procedure, debt tax; means of publication *** BULLETIN. 18 and date 05/05/2015. b. A letter from EQUIFAX, dated 02/21/2020, in which you respond to the requested access according to letter model (see Third Fact) Complainant 73: Report the inclusion of your personal data in a list of defaulters of EQUIFAX without their consent or knowledge due to a debt non-existent. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/21/2020, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: Under the heading " Judicial Claims " an annotation: plaintiff, the *** CITY COUNCIL. 6; procedure, tax debt; publication medium, *** BULLETIN. 11 and date 12/11/2017. b. Letter from EQUIFAX, dated 02/21/2020, in which it responds to the request for deletion of your FIJ data, denying it for not having provided documentation that justifies the deletion (see sample letter denying the deletion, Third Fact). Claimant 74: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. Denies the certainty of the debt. Provides, between others, these documents: to. Letter from EQUIFAX, dated 01/09/2020, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: Under the heading " Judicial Claims " there is an annotation: as applicant the *** CITY COUNCIL.5 ; procedure, tax debt; source of publication *** BULLETIN.6 and date 12/16/2019. b. Letter from EQUIFAX, dated 01/20/2020, in which it responds to the request for deletion of your FIJ data, denying it for not having provided documentation that justifies the deletion (see sample letter denying the deletion, Third Fact). Claimant 75: Report the inclusion of your data in the FIJ for debts that are not certain. It provides, among others, the following documents: to. Letter from EQUIFAX, dated 10/25/2019, with the result of access to the FIJ, in the that associated with the personal data of the claimant (name, surname and NIF) are provides the following information: Under the heading " Judicial Claims " there is an annotation: as plaintiff the *** ORGANISMO.8 ; procedure, tax debt; source of publication *** BULLETIN.3 and date 02/10/2017. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 41 41/184 b. Certificate issued by the General Directorate of Taxes of the Autonomous Community, electronically signed on 11/26/2019, indicating that “ with the data obtained in the Executive Collection of the Autonomous Community of (...) has no debts in executive period, and if it has them, they are postponed, divided or their suspension, or there are credits in their favor that guarantee their collection ”. c. Letter from EQUIFAX, dated 10/25/2019 responding to the request for access to the FIJ (depending on model, see Third Fact) Claimant 76: Report the inclusion of your data in the FIJ associated with a debt with a City Council. It rejects that it was that Administration who had communicated your data to the file. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/17/2020, with the result of access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: Under the heading " Judicial Claims " there is an annotation: as applicant the *** CITY COUNCIL.11 ; procedure, tax debt; source of publication *** BULLETIN. 16 and date 11/08/2017. b. Documentation accrediting having requested the cancellation of the FIJ data on 01/16/2020 and EQUIFAX's response of 02/25/2020 in which he denies the Suppression requested for not having provided documentation that justifies it (according to sample letter denying cancellation, see Third Fact) Claimant 77: Report the inclusion of your data in the FIJ made by EQUIFAX, associated with alleged debts with public bodies. It provides, among others, these documents: to. Letter from EQUIFAX, dated 12/11/2019, with the result of the access to the FIJ, in which associated with your personal data (name, surname and NIF) the following is provided information: Under the heading " Judicial Claims ": - 1st entry: plaintiff, the *** ORGANISMO.9 ; procedure, debt tax; publication medium, *** BULLETIN. 19 and date 07/15/2019. - 2nd entry: plaintiff, *** CITY COUNCIL.19 ; procedure, debt tax; publication medium, *** BULLETIN. 19 and date 04/13/2018. b. Certificate signed by the head of the Tax Management and Inspection Office of the *** ORGANISM. 9, signed on 02/13/2020, indicating that there are no receipts pending collection and that two installments are in force for the payment of debts that are detailed in the document. Claimant 78: Complaint that a financial entity with which it intended to contract a mortgage loan has provided you with information from, as you have been informed, of a non-existent file - "ASNEF JUDICIAL" - referring to various debts in your name contracted with Public Administrations that are not true because they are already settled. It provides, among others, these documents: to. Screenshot provided by the financial institution regarding the debts associated with his person. At the top is " Summary judicial information"; the date of the consultation is 02/20/2020; the search criteria used are the NIF, name and two surnames of the claimant. Three annotations are reflected for " Incidents Judicial "being the date of the last update on 05/14/2018. They consist of these annotations: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 42 42/184 - 1st entry: plaintiff the AEAT; procedure, tax debt; condition, embargo; date 05/17/2017. - -2nd and 3rd annotation: applicant on *** CITY COUNCIL.12 ; process Tax debt; status, embargo and dates, respectively, 11/03/2017 and 05/09/2018. b. Copy of the email received from *** EMAIL.1 , dated 02/24/2020 in which you they report that there is no outstanding debt in executive situation as of today associated with his person. Claimant 79: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. He claims that he exercised the right to object before the claimed. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/27/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: Under the heading " Judicial Claims " there are 2 annotations. In both, as plaintiff, appears the AEAT ; as a procedure, tax debt; as a medium of publication "Tax Agency Headquarters" and the dates, respectively, 09/07/2015 and 03/04/2019. b. Response from EQUIFAX, 02/27/2020 to access the FIJ (according to the letter model, see Third Fact) Claimant 80: Report the inclusion of their data in the FIJ at the request of EQUIFAX for a debt with Social Security that is not true, as it is appealed in the ad- nistrative. He adds that he was not informed of the inclusion of his data in the FIJ and that EQUIFAX denied the requested cancellation despite having sent him a copy of the appeal. appeal filed against the Social Security resolution. Provides, between others, these documents: to. Letter from EQUIFAX, dated 12/14/2018, with the result of access to the FIJ, in the that associated with your personal data (name, surname and NIF) the following is provided information: Under the heading " Claims from public bodies ": - 33 annotations being in all of them the complaining entity, the Security So- cial; the means of publication, *** BULLETIN.8; the date of publication 09/18/2017. The 33 entries correspond to debts accrued by pe- monthly cycles being the oldest dated 12/2014 and the most recent cient of 04/2017. Under the heading " Judicial Claims", there is an annotation: as plaintiff the TGSS; means of publication *** BULLETIN.8 and the date of publication 04/18/2018. b. EQUIFAX's letter of 11/29/2018 in which it responds, denying it, to the request cancellation of the claimant for not having provided documents that justify their suppression. (letter according to the model included in the Third Event) c. The AEPD, prior to the admission for processing of this claim, gave transfer of her to EQUIFAX. The respondent responds in writing dated 02/18/2019, in which after acknowledging that the incidents that have been detailed in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 43 43/184 point a. above, states the following: "In response to the cancellation request of the owner, we proceed on 02/18/2019 to the cancellation of said data, in such Therefore, after canceling, there is no other incident associated with D. [the re claimant] in the file .. [FIJ] ” (The underlining is from the AEPD). Claimant 81: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/10/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: Under the heading " Judicial Claims " there is an annotation: as a demand from the *** CITY COUNCIL. 7 ; procedure, tax debt; publication medium *** BULLETIN. 8 and date 08/16/2018. b. Response from EQUIFAX, dated 02/18/2020, in which it denies the requested deletion for not having provided documentation that justifies it (according to the model of the letter gaining cancellation, see Third Fact) Claimant 82: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/25/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: Under the heading "Judicial Claims" there is an annotation: as a demand dante AEAT ; procedure, tax debt; means of publication “Headquarters of the Tri- butaria ”and date 10/1/2018. Under the heading " Claims of Public Organizations " there are 7 annotations: In all of them the claimant is Social Security; the publication medium *** BOLE- TIN.15; the publication dates between 04/24/2018 and 02/01/2019; for debts- sold for monthly and consecutive periods between 01/2018 and 04/2018 and the 10/2018. b. EQUIFAX's response, dated 03/05/2020, in which it denies the requested cancellation for not having provided documentation that justifies it (according to the model of the letter gaining cancellation, see Third Fact) Claimant 83: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/27/2020, with the result of the access to the FIJ, in which associated with the personal data of the claimant (name, surname and NIF), the Next information: Under the heading " Judicial Claims " there are 3 annotations. In all they appear as plaintiff the AEAT ; as a procedure, tax debt; What publication medium, "Tax Agency Headquarters" and the dates, respectively, 05/20/2014; 01/08/2016 and 06/28/2019. b. Letter from EQUIFAX, 03/06/2020, addressed to the claimant in which it says: “Agree with your request for opposition / cancellation, since you have not provided documentation that justifies the deletion, it is not appropriate to attend to your request ... " (continues according to model of letter denying cancellation, see Third Fact. The underlining is from the AEPD) c. The AEPD, prior to the admission for processing of the claim, requested EQUIFAX information on the facts presented by the claimant. The claimed responded in writing dated 02/18/2019 in which he acknowledges the existence of the an- C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 44 44/184 statements in the FIJ associated with the claimant's personal data and pronounces in the following terms: " In response to the cancellation request of the holder, the dated 02/18/2019 to the cancellation of said data, in such a way that, after making the withdrawal, there is no other in the name of Mr. [the claimant] in the [FIJ] ”(The underlining do is from the AEPD) Claimant 84: Report the inclusion of their data in the FIJ, without their authorization, data which, he says, come from a public file. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/27/30/01/2020, with the result of access to the FIJ, in the that associated with your data (name, surname and NIF) the following information is provided tion: Under the heading " Judicial Claims " they include: - 14 entries in which the applicant is the AEAT ; procedure, debt tax; the publication medium, " Tax Agency Headquarters " and the dates of publication are between 01/06/2015 (the oldest) and the 05/11/2018 (most recent) - An entry in which the plaintiff is the *** CITY COUNCIL. 3; pro- assignment of tax debt; the means of publication *** BULLETIN.3 and the date of publication 02/20/2017. b. Letter from EQUIFAX, dated 01/30/2020 in which it responds to your request for access to the FIJ (according to letter model, see Third Fact) Claimant 85: Report the inclusion of your personal data in the FIJ linked to debts with Public Administrations without your consent and the transfer of your data by EQUIFAX to third parties. It adds that it exercised the right of deletion on 02/20/2020 that it was denied without justification. It provides, among others, these documents: to. Letter from EQUIFAX, dated 02/20/2020, with the result of the access to the FIJ, in which associated with your data (name, two surnames and NIF) the following information is provided tion: Under the heading " Judicial Claims " include: - 4 entries in which the applicant is the AEAT ; procedure, debt tax; the publication medium, " Tax Agency Headquarters " and the dates of publication are between 07/09/2015 (the oldest) and the 01/23/2017 (most recent) - An entry in which the plaintiff is the *** CITY COUNCIL. 20 the pro- assignment of tax debt; the means of publication *** BOLETIN.11 and the fe- Publication cha 30/09/2016. b. Letter from EQUIFAX, dated 03/02/2020, in which he denies the cancellation of his da- cough requested on 02/20/2020 (according to letter model, see Third Fact) Claimant 86: Report the inclusion of your data in the list of defaulters FIJ by debts older than five years, so they would be prescribed. Add that EQUIFAX has denied the cancellation of the annotations due to lack of evidence. Provides, among others, these documents: to. Letter from EQUIFAX, dated 03/16/2020, in which the claim data is associated mante (name, two surnames and NIF) the following information is provided: Under the heading " Judicial Claims" they include: - 2 annotations: as plaintiff the AEAT appears; as procedure, debt tax; means of publication " Tax Agency Headquarters " and the dates, res- pectively, 12/11/2015 and 02/12/2016. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 45 45/184 - 2 annotations: as plaintiff the TGSS; publication medium SS S ELECTR. (...) and the dates 11/17/2014 and 06/19/2014. Under the heading "Claims of Public Organizations": - Two annotations: as claimant the SS; publication medium, respective- mind, SS S ELECTR. (...) and *** BULLETIN. 8. It is noted that this second annotation is for an amount of 2.50 euros. The publication dates are, respectively, on 11/17/2014 and 04/04/2016. b. Letter from EQUIFAX, dated 03/16/2020, in which it responds to the request to cancel the claim of the claimant denying it, since he has not provided documents that justify deletion. Claimant 87: The Catalan Data Protection Authority sends documentation relating to the claimant, in particular, the following: to. Negative certificate issued by the *** CITY COUNCIL. 7 and signed on 05/05/2020 in which it appears that the claimant, identified by his name, first surname and NIF, does not have debts pending payment in the executive period according to the databases of municipal collection. b. Letter from EQUIFAX, dated 05/04/2020, in which the claim data is associated mante (name, two surnames and NIF) the following information is provided: Under the heading " Judicial Claims" appears an annotation: as plaintiff appears the *** CITY COUNCIL. 7 ; the procedure is tax debt; the publication medium *** BULLETIN. 8 and the date of publication 02/20/2019. . Claimant 88: Claims to have previously filed claims with " DPS @ AEPD" and PTFP@correo.Gob.es from which you are waiting for a response and with which attached 28 files. In this letter of claim, it sets out, among other issues, that EQUIFAX informed him of the existence of an annotation in the FIJ associated with his data and linked to debts with Social Security, without the information being provide the amount of the debt pending payment. Add that you have requested the TGSS on several occasions - the last one on 03/28/20 - a debt deferral. Complainant 89: Report the inclusion of your personal data without your consent in the FIJ related to alleged debts with Public Administrations. Provides, between others, these documents: to. Letter from EQUIFAX, dated 05/20/2020, in which associated with the data of the Claimant (name, two surnames and NIF) the following information is provided: Under the heading " Judicial Claims" they include: - 3 annotations: plaintiff the AEAT; procedure, tax debt; half of publication " Tax Agency Headquarters " and the dates, respectively, 04/09/2019; 05/06/2019 and 05/27/2019. - 1 entry: applicant on *** CITY COUNCIL.5; publication medium *** BULLETIN. 8 and the date 11/27/2015 - 1 entry: applicant the *** CITY HALL. 7; publication medium *** BULLETIN. 8 and the date 02/05/2015. - 1 entry: applicant (…); publication medium *** BULLETIN.8 and date 11/11/2017. Claimant 90: Report the inclusion of your personal data in the FIJ associated with debts with Public Administrations that, it says, " are inaccurate or non-existent ". Apor- ta, among others, these documents: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 46 46/184 to. Written document from EQUIFAX, dated 03/11/2020, in which associated with the data of the Claimant (name, two surnames and NIF) the following information is provided: Under the heading " Judicial Claims" they include: - 1st note: plaintiff the AEAT; procedure, tax debt; source of publication " Tax Agency Headquarters " and the date 09/10/2018. - 1 entry: applicant the *** CITY COUNCIL.1; publication medium *** BULLETIN. 1 and the date 02/20/2018. Claimant 91: Denounces the inclusion of your personal data in the FIJ for a preliminary sunta debt with a City Council and for the transfer of your data to third parties without him or the City Council have authorized such communication. It provides, among others: to. Letter from EQUIFAX, dated 03/04/2020, in which it is associated with the claimant's data (name, two surnames and NIF) contains this information: Under the heading " Claims Judicial ” an annotation, the plaintiff being the *** CITY COUNCIL.21; the procedure lie, tax debt; the medium of publication, *** BULLETIN.15 and the date 03/09/2018. b. Letter from EQUIFAX dated 03/13/2020 denying the requested cancellation for not having- documentation that justifies the deletion has been provided (model transcribed in Antece- dente Third) Complainant 92: Report that your personal data has been included in the FIJ by alleged debts with the TGSS and the AEAT without their knowledge. Add that EQUIFAX probably obtained the data from the Official Gazettes, but, he says, has not contrasted the veracity of the information since the debts are either inaccurate or do not exist. Provides, among others, these documents: to. Letter sent by EQUIFAX on 03/10/2020 in which he responds to the request for can- custody of your FIJ data, denying it for not having provided documentation that justify the deletion (model transcribed in Third Antecedent) Complainant 93: Report that EQUIFAX has included your personal data in the FIJ linked to debts with the AEAT without your authorization or that of the AEAT. Provides, between others: to. Letter from EQUIFAX, dated 03/04/2020, in which associated with your data (name, two surnames and NIF) there is an annotation under the heading " Judicial Claims" . As plaintiff appears the AEAT; procedure, tax debt; publication medium tion, "Tax Agency Headquarters " and the date 07/20/2015. b. EQUIFAX's letter, dated 03/12/2020, in which it responds, denying it, to the request of deletion of your data from the FIJ for not having provided documentation that justifies such deletion (model transcribed in Third Antecedent) Claimant 94: Report the inclusion of your personal data in the FIJ for a alleged debt with the *** ORGANISM.10 , without its consent or that of the Deputation. He adds that he requested the deletion of his data to EQUIFAX on 03/02/2020 and was denied. It provides, among other documents: to. Letter from EQUIFAX, dated 03/03/2020, with the information contained in the FIJ associa- gives his name and two surnames, but not his NIF, since in the document of EQUIFAX is missing this information. In the section “ Judicial Claims” there is an annotation tion. As plaintiff the *** ORGANISMO.10; procedure, tax debt; half of publication, *** BULLETIN. 20 and the date 10/06/2017 . C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 47 47/184 b. Letter from EQUIFAX, dated 03/11/2020, in which it denies the request for cancellation cited for not having provided documents to justify the deletion. Complainant 95: Complaint that EQUIFAX has included your personal data in the FIJ for an alleged debt with the TGSS that is non-existent. Add that you have requested the claimed, unsuccessfully, to proceed to correct the mistake made. to. Provides, among others, a copy of the letter addressed to EQUIFAX, sent by mail. tified on 04/04/2019, in which you request the cancellation of your file data. Certifi- negative result of the TGSS, electronically signed on 11/30/2018, which certifies that is up to date with payment. b. The AEPD, before agreeing on the admission for processing of this claim, will address He turned to EQUIFAX requesting information on the facts presented by the claimant. The respondent responded in writing dated 06/14/2019 in which she stated that, in the date of receipt of the informative request from the AEPD, 06/13/2019, “it consisted of registered an incident with the *** CITY COUNCIL. 22 and that on 06/13/2019 has proceeded to cancel said entry ". (The underlining is from the AEPD) Claimant 96: Denounces the inclusion of your data in the FIJ which, it says, comes causing that in recent years the banking entities deny the financing that he is requesting, since they receive a report from EQUIFAX with data that he has not facilitated and whose existence I did not know. to. The claimant provides, among other documents, a letter from EQUIFAX, dated 02/14/2019, in which associated with your personal data (name, two surnames and NIF) This information consists of: Under the heading " Judicial Claims" an annotation, the plaintiff being the *** CITY COUNCIL.22; the procedure, tax debt; the publication medium, *** BULLETIN.6 and the date 07/26/2017. b. The AEPD, before agreeing to admit this claim for processing, addressed to EQUIFAX requesting information on the facts presented by the claimant. The re- Clamada responded in writing dated 06/14/2019 in which it stated that, on the letter of receipt of the informative request from the AEPD, on 06/13/2019, “consisted of registered an incident with the *** CITY COUNCIL. 22 and that on 06/13/2019 has proceeded to cancel said entry ". (The underlining is from the AEPD) Claimant 97: Report the incorporation of your personal data to the FIJ made, as stated, by the *** CITY COUNCIL.23 for a non-existent debt. THIRD: The letter model used by EQUIFAX when the RGPD was already effective application -from 05/25 / 2018- to deny claimants the deletion of your personal data from the FIJ, of which there are numerous examples in the file administrative, included these paragraphs that we reproduce below: “ (...) Said data have been obtained from PUBLIC ACCESS SOURCES. Yes You would like to expand the information provided here, you can do so by contacting the Agency Public included in the abbreviated report. The entities that use this file will be able to compare their name, surname and NIF / NIE with that of the person requesting an operation and in the event that there is a discrepancy (same NIF / NIE with another name and surname) may prevent use your NIF / NIE in said application. To help entities that consult the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 48 48/184 file to prevent delinquencies and analyze their solvency, as well as to help to the prevention of fraud and prevent them from impersonating your identity in operations, products or services not requested by you. The data included in this file They may also be treated anonymously for analysis statistics. The data included will be canceled or removed once you have made the payment of the debts and we justify said payment by means of a certificate issued by the Public Body in question or with a ruling in its favor, and in all case, 6 years from the date your data was published (origin of the information) ” (The underlining is from the AEPD) The letter model used by EQUIFAX to respond to requests for access to the data included in the FIJ after the GDPR was effectively applied (since 05/25/2018), of which numerous examples are in the file, has the following text: It begins by communicating to the affected person that they send “ the information associated with their identifier or your name and address provided by you. " "Attached we send formal access to the file so that you can check the data that is are currently registered. We also attach the History of Queries, which consists of all the information related to the entities that, where appropriate, have consulted your data in the last six months. " “Said data has been obtained from PUBLIC ACCESS SOURCES. If i wished expand the information provided here, you can do so by contacting the Public Agency contained in the abbreviated report. The entities that use this file will be able to compare their name, surname and NIF / NIE with that of the person requesting an operation and in the event that there is a discrepancy (same NIF / NIE with another name and surname) may prevent use your NIF / NIE in said application. To help entities that consult the file to prevent delinquencies and analyze their solvency, as well as to help to the prevention of fraud and prevent them from impersonating your identity in operations, products or services not requested by you. The data included in this file They may also be treated anonymously for analysis statistics. The data included will be canceled or removed once you have made the payment of the debts and we justify said payment by means of a certificate issued by the Public Body in question or with a ruling in its favor, and in all case, 6 years from the date your data was published (origin of the information)." (The underlining is from the AEPD) In both letters, EQUIFAX affirms that the personal data of those affected included in the FIJ they were obtained from publicly accessible sources; relates the purposes of data processing carried out; demands as a condition for ending the treatment of the data that their holders certify the payment of the debt through document issued by the corresponding official body or through a ruling and informs that the data thus obtained will be processed for 6 years computed from the date they were published, " origin of the information". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 49 49/184 At the same time, they are also on the record -exclusively linked to the claimants 36, 43 and 48- the letters that EQUIFAX sent them on 10/18/2018, 08/22/2019 and 08/24/2019, respectively, informing them of the inclusion of their data in the FIJ. In this model letter, the respondent provided the following information: << What is the file of legal claims and Public Bodies? It is a file owned by the company EQUIFAX IBÉRICA, SL, with CIF ..., which contains data on legal claims, in which you appear as defendant, and claims from public bodies in which you are listed as debtor with organizations such as the General Treasury of Social Security (TGSS), Town councils or the Tax Agency, and which are published on the website of the TGSS, Public Registries, Official Provincial Gazettes, of the Communities Autonomous, of the State, in the annexes published in said Bulletins and media social comunication. This file has its legal basis in the legitimate interest of the entities, which need to know the debts or claims of a natural person or legal to give security to commercial traffic, prevent delinquency and assess the financial solvency of said people, with whom they have or will have relationships commercial, credit and periodic or deferred payment. What is my data used for? To help the entities that consult the file to prevent delinquency and analyze the solvency of these, as well as to help prevent fraud and prevent them from impersonating your identity in operations, products or services not requested by you. The entities that use this file will be able to compare their name, surname and NIF / NIE with that of the person requesting an operation and in the in case there is a discrepancy (same NIF / NIE with another name and surname) may prevent their NIF / NIE from being used in said application. The data included in this file may also be treated anonymously for analysis statistics. How long can I be included in the Judicial Information file and Claims from Public Organizations? The data included will be canceled or removed once you have made the payment of the debts and we justify said payment by means of a certificate issued by the Public Body in question or with a ruling in its favor, and in all case, 6 years from the date your data was published (origin of the information) Who can see my data? In general, entities in the financial sector, insurance, telecommunications, supplies of energy or that provide deferred or periodic payment services with which it has any contract in force or if they need to consult your data to study any request that you have made. How do I exercise my rights of access, rectification, cancellation, limitation and opposition for free? You can send us an email to the address sac@equifax.es or by sending us a letter to the Post Office 10546, 28080 in Madrid. Please do not forget to read the back of this letter "Requirements for the exercise of rights". (...) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 50 50/184 Can I file an official claim? You can contact the Spanish Data Protection Agency and submit a claim if www.agpd.es considers it so. Likewise, we provide you with the data of contact of the Data Protection Delegate dpo@equifax.es >> (The underlined is of the AEPD) FOURTH: Initiation agreement. On 07/24/2020 the Director of the Spanish Data Protection Agency agrees to initiate a sanctioning procedure for the claimed, in accordance with the provisions in articles 63 and 64 of Law 39/2015, of October 1, on the Procedure Common Administration of Public Administrations (hereinafter, LPACAP), by the alleged infringement of articles 6.1 and 5.1.d) of the RGPD, both typified in the Article 83.5.a) of the RGPD. The initiation agreement indicates that, without prejudice to what results from the instruction, the sanctions that could be imposed would be the following: For the violation of article 6.1 RGPD, in accordance with article 58.2.i) RGPD, fine administration of three million euros. In accordance with article 58.2.f) RGPD, the prohibition of continuing the data processing carried out through the FIJ, which would imply closing the file. It is also indicated that, pursuant to article 58.2.g) RGPD, the respondent could be ordered to proceed to the suppression of all personal data associated with the alleged debts that are subject to treatment through the FIJ. For the violation of article 5.1.d) RGPD, in accordance with article 58.2.i) of the RGPD, fine administration of three million euros. In accordance with article 58.2.f) RGPD, the prohibition of continuing the data processing carried out through the FIJ, which would imply closing the file. It is also indicated that, pursuant to article 58.2.g) RGPD, the respondent could be ordered to proceed to the suppression of all personal data associated with the alleged debts that are subject to treatment through the FIJ. FIFTH: Notification of the initiation agreement. The initiation agreement is notified to the claimed by electronic means on the date 07/24/2020. The notification is accepted on 07/30/2020. Both ends remain Accredited by the Notification Service Support service certificate Electronic and Authorized Electronic Address issued by the FNMT-RCM (as successive, FNMT) that is in the file. SIXTH: Allegations to the initiation agreement: Request for extension of the term of allegations and a copy of the file. On 08/04/2020, a letter from the complained party has entered the Agency in which requests, under the protection of articles 32.1 and 53.1.a) of the LPACAP, the extension of the term to formulate allegations to the agreement to initiate the sanctioning procedure and the delivery of a copy of the administrative file. Provide with your writing a copy of the notarial public deed granted on 05/04/2012 in which the claimed one confers power of attorney to D. DPR . so that, acting in his name and representation, he can make use, among other powers, those necessary to intervene in such condition in all procedures of the sanctioning file that concerns us. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 51 51/184 The AEPD, in writing dated 08/12/2020, agrees to extend, by the maximum allowed legally, the period initially set to present allegations and refers to the claimed a copy of the administrative file. Notification of the writing and delivery of the copy of the file was made by postal courier since the The volume of the file makes it impossible to send it by electronic means. Work in the procedure the proof of the MRW company proving that the documents They were received by the respondent on 08/12/2020. SEVENTH: Allegations to the initiation agreement: Brief of allegations. On 08/19/2020 the brief of allegations to the commencement agreement presented by the respondent requesting the issuance of resolution declaring the nullity of the procedure. In the alternative, that the filing of the procedure be agreed. And subsidiarily Regarding the previous request, that a warning or warning be imposed or that the amount of the sanction provided for in the agreement of beginning. He uses the following arguments in support of his claims: The first allegation concerns the defenselessness generated to EQUIFAX as consequence of having fixed in the agreement to open the procedure the amount of the sanction instead of expressing in said agreement, only, the limits of the possible sanction to impose. Other circumstances that in his opinion would have caused him defenselessness, invalidating the procedure, are the following: not having had the opportunity to state your opinion on the circumstances that could result applicable to the case; the summary motivation of the aggravating circumstances that is made in the initiation agreement and the one that has been substantially affected instructor impartiality in clear break with the principle of phase separation instructor and sanction. The second allegation has the rubric “ Of the defenselessness of EQUIFAX due to the access late to the administrative file and its content ”. In it he explains the helplessness suffered as a result of having seen limited and reduced ostensibly its ability to formulate allegations " complete and informed ” . In this regard, it highlights two facts: the late delivery of the copy of the file, which was transmitted on 08/12/2020, one business day before the the ordinary period of ten business days will end, so that, although the Body Sanctioner agreed to extend the term until 08/20/2020, the period of time in which that has been able to access the documentation was only 6 business days. Second, it highlights that the copy of the file suffers from various defects that imply, at least, the need to “ proceed to the suppression of a large part of the Background of the agreement itself ”. These deficiencies would be the following: (i) The file forwarded refers to a limited number of the claims that are mentioned in the commencement agreement, as there is no such claim file or any document related to 43 claimants. (ii) It include in the file, at least three claims that are not related to the object of the file. Regarding the claims that do appear in the documentation of the file administrative authority that the AEPD sent her, the respondent draws the conclusion that these C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 52 52/184 are not related to the substantive issues contained in the foundations of the initiation agreement “ since practically all of them referred to the exercise by the interested parties of their rights of access and deletion ”Classify the claims formulated, on which documentation was provided in the copy of the file that was referred, in the following groups: (i) Those in which the interested party exercises before the AEPD a right that has not previously exercised before EQUIFAX. (ii) Those in which the claimant has You requested the deletion of your FIJ data and EQUIFAX has responded to your request. (iii) AND others in which the interested parties exercise their right of access before EQUIFAX, which is attended, and without addressing EQUIFAX, they request the exercise of the right of deletion directly before the AEPD “ alleging issues such as that the treatment is not found based on their prior consent, that the collection of the data from bulletins and official journals or even that the Administration author of the publication expressed its disagreement with the very existence of the FIJ ”. A) Yes, qualifies in bad faith the actions of the representative of several claimants who, with regardless of whether the respondent had complied with the right of access exercised, did not hesitate to refer a claim to the AEPD that had nothing to do with the right initially exercised. The entity concludes that of the 47 claims that appear in the file, it gave full satisfaction of the right that the claimant exercised before her, although, in On occasions, the interested party addressed a claim to the AEPD that was not related to with what was requested before EQUIFAX. The third claim deals with the pre-existing regulations to the RGPD and the actions of the AEPD in relation to the FIJ. The defendant says that “[..] as recognized by the Agreement itself, the material norms whose violation is attributed to my client do not have varied in terms of their content as a consequence of the reform carried out by the GDPR ”. Analyze the similarities and differences between the text of article 6.1.f) of the RGPD and that of article 7.f) of Directive 95/46; indicates that the reasoning contained in the recitals of the RGPD about the requirements of legitimate interest and how carry out the necessary weighting to verify your application derives directly of the jurisprudence emanating from the CJEU in its judgment of 10/24/2011 (matters accumulated C-468/10 and C-469/10, Asnef, Fecemed) that declares the direct effect of the Article 7.f) of Directive 95/46. It also refers to the Group's document of Article 29 (hereinafter, GT29) “ Opinion 6/2014 on the concept of legitimate interest of the data controller under article 7 of Directive 95/46 / CE ”. It considers that the data processing carried out by the FIJ was lawful in accordance with the previous regulations and that “ based on the similarity, if not identity, between the regulations previously in force and the collection in the text of the RGPD, it is necessary to have taking into account that systems such as the FIJ were expressly recognized in the Article 29.1 of the ”LOPD. "[...] that the alleged treatment carried out by me principal [...] not only was not contrary, but expressly protected in the regulatory framework in force prior to the entry into force of the RGPD [...] ” . He adds that the normative framework has not been altered, but on the contrary reiterated, with the entry in force of the RGPD. Regarding the performance of the AEPD, he says that “ This lawfulness was not only known by that AEPD, but that it came repeatedly to highlight it, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 53 53/184 dictating numerous resolutions in which he considered perfectly consistent with the data protection regulations the behavior of Equifax ”in conducts totally similar to those that are now the subject of the disciplinary proceedings. mentions the resolutions issued in TD / 00724/2015 and TD / 02085/2016. It indicates that the data processing carried out through the FIJ “has not only been been carrying out during the validity of all the low data protection regulations the sight, science and patience of the AEPD, but it has blessed in repeated Sometimes the legality of said treatment is now anatemized by the own institution". “ If this is the case and the AEPD declared the legality of a treatment that now is considered radically contrary to data protection regulations, it would be possible conclude, with the utmost respect, that this institution collaborated necessarily in the perpetration of that radically illicit conduct with the consequent damage to the fundamental right [...] that it has as its mission essential to guarantee and protect ”. Regarding the action of the AEPD after the entry into force of the RGPD, it states that this Agency is perfectly aware of “ the existence of the information similar to the FIJ ”since the Code of Conduct presented by the Multisectoral Information Association (ASEDIE) to the which belongs to EQUIFAX and whose first version was presented on 05/24/2018 and the last in May 2020. It invokes the bankruptcy of the principle of legitimate confidence in which the AEPD has incurred, that he now considers illegal behaviors that he previously considered fully legal. Bankruptcy of legitimate expectations would determine the absence of a culpable element in the conduct of the claimed party, and consequently, proceed to file the proceedings. Specifies that, this is so because, even when the change of criterion merges In a normative change, the normative reform has left the precepts unchanged in which previously the Agency founded the lawfulness of the FIJ. Consider that they are fulfilled all the necessary requirements to assess the violation of the principle of trust legitimate under the terms described in STS 02/22/2016 (appeal 1354/2014) It invokes the SAN of 02/04/2009 (resource 304/2007) which maintains that the breach of the principle of legitimate expectations should lead to the nullity of the resolution sanctioning object of the appeal. It also denounces the disproportionate nature of the measures that the AEPD intends adopt: “ excessive sanctions” and “completely irreversible ” measures. Y explains that the imposition of a penalty in the amount set in the initiation agreement of the procedure would imply that this company would exit the market “ for the benefit of other competing companies that handle the same information ”. Draws attention on the fact that the AEPD has decided to " adopt the most appropriate measures severity provided for in the data protection regulations ”when the RGPD offers control authorities a wide range of corrective measures (Article 58). To what which adds that article 83 RGPD expressly provides, in the event of a breach normative, the possibility of not imposing an administrative fine and sanctioning any other corrective measures of article 58 RGPD. The fourth claim is entitled "On the legal basis of the treatment of the FIJ" . C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 54 54/184 The claim refers, first of all, to the implications that derive from the regulations for the reuse of public sector information, Law 37/2007, of 16 November, on the reuse of information from the Public Sector (LRISP) and indicates that “ the sources from which you have collected the data to which the claims refer formulated and, in general, the data incorporated into the FIJ, expressly enable the reuse of said information ”. Therefore, it concludes, the aforementioned LRISP, without prejudice of the application of its article 4.6, does not constitute an obstacle to the collection of data that she carries out. Mention for this purpose the general conditions of reuse of the BOE website and adds that, in the remaining sources used, the conditions of each one allow reuse as long as the current legislative framework and, in particular, the RGPD and the Intellectual Property Law. It reiterates that there is a legal concept of public access sources -as evidence, says the defendant, the mention made of them in the STJUE of 11/24/2011 and in the ASEDIE Code of Conduct project presented to the AEPD in May 2020- which “ imply the possible knowledge and access by any person to the information they contain and that the fact that this information is available to anyone makes the data processing that they could include affect the private and family life of the interested parties those that the data refer to an enormously lower degree than would occur when the data does not come from such sources, allowing the weighting required by article 6.1.f) RGPD can operate more easily for the benefit of the legitimate interest of the person in charge that treats this publicly accessible data ”. On the principle of necessity, he shows his disapproval with the reference that the starting agreement made to the STJUE of 12/16/2008 (case C-524/2016) and to the judgment of the ECHR of 03/25/1983 and proposes, for the interpretation of the concept of necessity, use the criterion followed by the TC to analyze the proportionality of a measure restrictive of a fundamental right. Regarding the requirements to apply the legal basis of article 6.1.f) RGPD, In accordance with the doctrine of GT29 in Opinion 6/2014, it mentions the following: 1.Existence of a legitimate interest of the person in charge of the treatment or of any third. 2. Compliance with the principle of necessity linked to the principle of suitability. 3. The favorable result of the weighting. Only when it is worth considering that the affectation of the rights of the interested parties is tolerable in view of the result obtained by the treatment, it can be carried out. Then comments on the characteristics of each of the terms of the weighting and the factors that should be taken into account in the mandatory weighting. Remember the link that exists between the concepts of purpose and legitimate interest and criticizes the considerations that the initiation agreement makes on the basis of the comment of Opinion 6/2014 of the GT29. He then goes on to describe the legitimate interest satisfies with the treatment of the data carried out by the FIJ. Distinguish a double interest legitimate: an interest linked to the assessment of the solvency of those affected - of which would be EQUIFAX owners, the third parties who access the data and the borrowers and consumers- and a legitimate interest linked to fraud prevention. Summons legal norms, opinions, circulars and reports on which it considers is based the legitimate interest that each one of them holds. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 55 55/184 It dedicates a section to “ the weighting of the prevalence of the legitimate interest in the present case ”. It affirms that there are multiple elements that lead to conclude that the “ legitimate interest of Equifax, its user companies and society itself in the treatment of FIJ data prevails over the rights and interests of the debtors to which the data refer ” . Mention for these purposes the following elements: to. That the LOPD included a rule that determined the prevalence of the aforementioned interest legitimate, therefore, “ Article 29.1 of the aforementioned law expressly referred to the legality of the data processing in these systems ” . And remember that, regarding the treatment of that we refer to, there has not been a substantial change in the applicable regulations, but rather that “the legal bases and principles applicable to the treatment remain unalterable as a result of the entry into force of the RGPD ”. b. The regulation of the LOPDGDD itself. In this sense, it indicates that the aforementioned Law recognizes the prevalence of legitimate interest by establishing a presumption in favor of the credit information systems and adds that in these systems " the legitimate interest that justifies the treatment is identical to that pursued by the FIJ ” from which it concludes that is an indication of the weighting in favor of the legitimate interest that we examine, “even when there is no regulation in the new Law similar to the old article 29.1 of the LOPD. " It goes on to affirm that “ the fact that the impact on the rights and Interests of the interested parties as a result of the processing of their data in the FIJ is substantially similar to the one generated by the processing of your data in the systems credit information , with respect to which the prevalence of interest is presumed legitimate, should be considered an obvious indication of the prevalence of interest legitimate in this case. " c. The jurisprudence of the CJEU, which is specified in the aforementioned STJUE of 11/24/2011. d. The attitude of the AEPD, which, it says, has been “ until now recognizing the legality of these systems without having carried out a request, warning or warning one addressed to my client, as has been analyzed in the third claim of this writing. " It also adds that through the draft Code of Conduct that promoted by ASEDIE, the AEPD has learned that an examination of the prevalence of the legitimate interest of the entities that manage these systems of information. In the opinion of the respondent, the evidence cited, together with the fact that their understanding of the requirements established by the GT29 in its Opinion 6/2014, sufficiently legitimate interest whose prevalence it defends. Therefore, it explains the entity, continued with the treatment through the FIJ and considered unnecessary an analysis of the specific legitimate interest for the FIJ, since “[...] the regulation itself carry out the weighting of interests applicable to the treatment regulated in article 20 of the LOPDGDD was already sufficient to supply the adoption of this measure ”. AND In order to reinforce his argument, he invokes the quote from article 35.10 of the RGPD: “[...] when the treatment in accordance with article 6, paragraph 1, letters c) or e), has its basis in Union law or in the law of the Member State that applies to the person responsible for the treatment, such Law regulates the specific operation of treatment or set of operations in question, and a impact assessment relating to data protection as part of an assessment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 56 56/184 of general impact in the context of the adoption of said legal basis, the sections " It states that in 2019 it prepared a " weighting report" in order to “ Minimize the impact of treatment below the standards required by treatment by adopting measures in addition to those that would be sufficient to consider applicable the provisions of article 6.1.f of the RGPD. ”Specifies that some of these measures have already been implemented, others are in the implementation phase and others they are under development for future adoption. Between updates that he claims to have entered is the “notification of inclusion of the data to the interested parties , in the same terms established for the information systems credit in article 20.1 c), second paragraph of the LOPDGDD ”since, it states, that the approval of the LOPDGDD “ meant the disappearance of the exemption from the duty of inform that the jurisprudence had already expressly recognized in relation to the information systems contained in article 29.1 of the LOPD. " Regarding the concurrence of " reasonable expectations of the interested party " it shows its discrepancy with what is indicated in the initiation agreement and states that " the interested party not only has the reasonable expectation that your data may be consulted, but that reasonably expects to be fortunate that access to the themselves so that whoever contracts with him does not have a real knowledge of his patrimonial solvency and credit ”. The last question commented on in the framework of its fourth claim - “ From the base legal treatment of the FIJ ” - refers to the exercise by the interested parties of their rights of deletion and opposition. In this sense, criticize the following paragraph included in the inception agreement: “There are very many communications that the complainants addressed to EQUIFAX in which they requested the cancellation of their personal data. If it had been consistent with the alleged legitimate interest in which, in his opinion, the data processing carried out, EQUIFAX should have qualified those requests as an exercise of the right of opposition ”. The claimed claim states that such a surprising statement would lead, as the only logical conclusion, to deprive the interested party of the possibility of exercising the right to deletion in any manifestation of those provided for in article 17.1 of the RGPD that differs from the right of opposition, thus forcing you to invoke the reasons related to your particular situation that justify your request. Therefore, says the entity, "having reached the conclusion that the right of deletion is not repealed in the different modalities of the right of opposition ”, it complied with the requirements established in the data protection regulations, so that “ when the requests demanded the deletion on the mere basis that the interested party did not had given his consent Equifax could not comply with the request, since Said consent is not required in this case, as has been stated repeatedly". “Similarly, when the alleged falsehood or data inaccuracy, Equifax was merely complying with the requirements of the data protection regulations when requesting the contribution by the applicant of the information that proves the inaccuracy, given that, otherwise, proceeding the data of an official newspaper, it was not possible without more to conclude in the illegality of the data ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 57 57/184 In the fifth allegation of the brief of allegations to the commencement agreement, “ On the compliance by Equifax with the principle of data accuracy ”, reiterates, firstly term, which, with respect to this principle, the RGPD has not introduced modifications in relationship with what the Directive established, neither in the enunciation of the principle nor in its consequences, and that the AEPD, until the publication of this initiation agreement, “ At all times considered the FIJ fully respectful of the provisions of the regulations for the protection of personal data, in which it already appeared clearly the aforementioned principle of accuracy (articles 6.1.d) of the Directive and 4 d) of the the LOPD) ” Therefore, it considers that the initiation agreement implies that the Agency has adopted a “ new criterion ” which concludes that the action of the AEPD is contrary to the principles of legal certainty and legitimate expectations. It states that, since the data come from public sources, it should be presumed its accuracy, so that no liability can be derived for EQUIFAX from the inaccuracy of which they suffer or the absence of any of them in the source original. He claims to have acted with full respect for the rules of reuse of the information established in each case and having incorporated into the FIJ the data “as and as they appear in the cited sources ”. Insists that the data is collected in the terms in which it is published and accessible by anyone and " to the extent that such publication allows identify the interested party. ”“ Therefore, if any of the mentioned data in the FIJ this is due [...] to the pure and simple fact that this data is not included in the official gazette or in the edict from which the information." It considers article 4.2 fully applicable to the case. LOPDGDD, in particular the section d), provision that provides: "two. For the purposes provided in article 5.1.d) of Regulation (EU) 2016/679, it will not be attributable to the person responsible for the treatment, provided that he has adopted all the reasonable measures to remove or rectify without delay, the inaccuracy of personal data, with respect to the purposes for which they are processed, when the data inaccurate: [...] d) They were obtained from a public registry by the person in charge. " It claims to have adopted the “ necessary measures to guarantee the accuracy of the information collected ”, since, within a period of one month from the moment of the collection of the information, proceeds to notify the interested party of its inclusion in the FIJ. On the reversal of the burden of proof invoked in the initiation agreement, party to its exposition of the assertion that the data that EQUIFAX obtains from the newsletters and official newspapers enjoy a " presumption of accuracy " " given the very nature of the source from which it is obtained ” . Therefore, such a presumption can only be destroyed if the The interested party accredits the inaccuracy of the information or the source itself proceeds to its rectification. Thus, the conclusion is that no reversal of the burden of the proof exists, since the published information is accurate as long as it is not prove otherwise. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 58 58/184 It also cites article 14 of the LOPDGDD that, on the occasion of the regulation of the right of rectification states “ By exercising the right of rectification recognized in the Article 16 of Regulation (EU) 2016/679, the affected party must indicate in their request to what data it refers to and the correction to be made. It must accompany, when necessary, the supporting documentation for the inaccuracy or character incomplete of the data object of treatment. Finally, it refers to the cases in which the interested party has requested additional documentation to link with it the existence of a certain edict publication. For example, he has asked the interested party to indicate the possible addresses to which the publication of a certain edict that affected him. In that regard, it says the following: "This request, [...] is carried out, [...] but to guarantee full compliance and exercise of their rights, in order to proceed to the suppression of any data that should not appear included in the FIJ. " And he explains the following: "In this In this sense, that AEPD is fully aware that, until the entry into force of the LOPDGDD, the regime of editorial publications carried out by the different bulletins, newspapers and bulletin boards from which Equifax lawfully collects the information was characterized by dispersion, so that the scope of the data published by each of them differed substantially, including some of them, but not all, the identification document of the interested party or their address. Thus, my client cannot be blamed for the fact that sometimes identification data of the interested party are not linked to a document identification, but rather that said absence of connection comes directly from the source from which the data are collected, endowed with the presumption of accuracy to which reference has been made repeatedly throughout this allegation. " The sixth claim refers to the modifying circumstances of liability in accordance with the initiation agreement. Exposes the entity that, assuming that should it be appropriate to adopt “a coercive measure against Equifax ”, this should be limited to In addition, to the warning and to the requirement to adopt the measures that the AEPD deemed necessary. The defendant justifies this statement in the " qualified mitigating factors "that in his opinion concur in the present case, to which is added" the own conduct of the AEPD that would have generated in Equifax the full conviction of the legality of the data processing in the FIJ ”. It invokes the following as mitigations: (i) That since the approval of the LOPDGDD and the RGPD measures have been implemented “ Aimed at minimizing even more the impact that the treatment [...] could produce in the private sphere of the interested parties ”. Refers to the measures provided for in the LIA provided -examination of the prevailing legitimate interest- which it affirms are additional measures that they would not in principle be necessary to achieve a favorable weighting. (ii) What EQUIFAX has never been sanctioned by the AEPD in relation to the treatment carried out by the FIJ. (iii) That it has repeatedly met the requirements or Information requests from the AEPD. (iv) That as an entity associated with ASEDIE it is automatically adhered to the Code of Conduct promoted by that association. The claimed does not specify the precept of the RGPD in which the mitigating factors that it invokes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 59 59/184 On the other hand, in relation to the aggravations appreciated in the initiation agreement, comments that “ It cannot be considered as fraudulent to carry out a conduct that the AEPD itself had been recognizing it as lawful ”; that “it is not possible to appreciate the existence of a lawful benefit ”in which it has obtained with a conduct that the AEPD was knowledgeable ” as well as the circumstances surrounding the treatment. So what, even less, can be considered a continuing infringement that "carried out with the approval of the supervisory authority ”. Provides, annexes to the brief of allegations to the initiation agreement, the documents following: -Copy of the Code of Conduct of ASEDIE, Infomediary Sector. -LIA, Judicial File. Legal analysis. December 2019. EIGHTH: Brief from the instructor addressed to the complained party: The copy of the file administrative that was delivered was incomplete; delivery of a complete copy; new deadline for allegations. In writing signed by the instructor on 12/23/2020, notified electronically and accepted by the claimed on the same date, it is brought to their knowledge that, a After analyzing the documentation that makes up the copy of the electronic file that is It was sent to you on 08/12/2020, it has been verified that the application did not get to dump it all of the documentation that made up the electronic administrative file that served as the basis for the preparation of the initiation agreement, so the copy that then provided to EQUIFAX it was incomplete. The AEPD has implemented the electronic file, in such a way that it is the application that generates automatic copy of said file. In addition, in the aforementioned brief, the respondent is informed that on that date the proceeds to send you, through postal courier, an encrypted CD containing the copy complete administrative file and you are provided with the password that will allow you to access the CD content. In the letter it is also communicated to him, so that he can formulate new allegations in view of the full file, the following: “In order to guarantee that EQUIFAX can, once it has at its disposal all the documentation that served as the basis for this Agency for the adoption of the agreement initiation of the sanctioning file PS / 000240/2019, make the allegations and provide the documentation that it deems pertinent, the investigator of the file will not proceed to the opening of the trial phase until at least ten business days have elapsed computed from the date of notification of this writing, if the notification were after December 28, 2020. If the notification of this communication were prior to December 28, the ten business days will be counted from that date, for be on this date that, ultimately, the courier company has guaranteed to deliver the shipment containing the CD with the documentation alluded to. " The documents provided by the courier company are in the file MRW that certify that the shipment with reference 2625 / A014103, sent by the AEPD, It was delivered to the recipient's post office on 12/24/2020. NINTH: Complementary allegations or second allegations to the initiation agreement: Request for extension of the term. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 60 60/184 On 12/28/2020 a letter from EQUIFAX has entered the AEPD in which states that they have received in their offices on 12/28/2020 the encrypted CD that contains the copy of the file and requests that the period initially set in the letter dated 12/23/2020 to formulate the second allegations and provide documents. In writing, signed and notified electronically on 01/13/2021, accepted by the claimed on 01/14/2021, the investigator of the file informs you that: "Without prejudice to the provisions of article 76.1 of Law 39/2015, of the Procedure Common Administration of Public Administrations (LPACAP), with the same purpose of guaranteeing the legitimate right of defense of EQUIFAX that inspired the writing that was sent to that entity by the investigator of the file on 12/23/2020, you are informed that the evidentiary phase of the procedure until expired on 01/15/2021. " TENTH: Complementary allegations of the claimed to the agreement to initiate the proceedings. (I) Presentation of their allegations in the AEPD. (II) Allegations complementary formulations. I. On 01/20/2021 a " Receipt of presentation at the Registry office " is generated , issued by GEISER (Integrated Management of Registry Services), registration number O00007128e2100001973, referring to the alleged presentation by the defendant of a brief of complementary allegations to the PS / 240/2019, without with the aforementioned receipt no writing or document will be attached . The receipt issued by GEISER includes, among others, these indications: "Date presentation: 01/20/2021 10:38:13 (peninsular time) ”; " Type of documentation: Attached digitized documentation ”; "Interested: Equifax Ibérica, SL". Also, under the heading " Registry Information " is indicated: " Type of subject: entry "; " Summary / subject: Complementary allegations to PS 240/2020"; "Unit of processing destination / Management Center: Data Inspection- XXXXXXXXX / Agency Spanish Data Protection ”. Given that with the presentation receipt of GEISER it did not enter the registry of the AEPD or the aforementioned document, “ Complementary allegations to the PS 240/2019 ”, nor any other, on 01/21/2021, the examiner of the file, by means of communication notified electronically to EQUIFAX, informs you of this incident and that, having made the relevant technical checks, the IT services of The Agency considered that the issuer of the shipment - the one claimed - did not go up to the found no document or, if it did, made an error that determined that the shipping out unfeasible. Also on 01/21/2021 there is evidence of another " Receipt of presentation in Registry Office ”, issued by GEISER, in which the filing date appears on 01/20/2021 at 9:34:58 PM (Peninsular Time); the reference O00007128e2100002152 and as interested Equifax Ibérica, SL, in which it appears as " Summary / subject" " Request for extension of the deadline for the presentation of evidence." C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 61 61/184 Given this fact - that on 01/21/2021 there were two GEISER entries from EQUIFAX, referring to " Complementary allegations to PS / 240/2019 " and " Request extension of the term to present evidence ”, with which neither the document that the entity claimed to contribute or any other - and, since, according to the information that our computer application offered us, the one claimed had not yet accepted the electronic communication that was sent to him on 01/21/2021 for inform you of what happened regarding the first entry, the instructor of the file send an email to the EQUIFAX representative, at the email address contained in the form used for the submission of documents relating to this procedure, in which both incidents are brought to your attention. The email sent on 01/21/2021 at 1:12 PM, has been incorporated into the file through diligence of the instructor signed on 01/21/2021. EQUIFAX responded to the email on 21/021/2021 at 8:48 p.m. and explained that they had submitted electronically, again, the two documents, Supplementary arguments to the initiation agreement and request for extension of the term for the provision of evidence. On 01/22/2021 the EQUIFAX documentation, which is communicated to the entity through another email Instructor's email sent at 9:59 a.m. 01/24/2021 at 1:51 PM the EQUIFAX representative sends an email stating that have sent both letters again through the headquarters of the AEPD and attached the supporting document. All these communications exchanged through email have been incorporated into the file by means of a diligence signed by the instructor on 01/25/2021. II. On 01/24/2021, the letter of Complementary arguments to the agreement to initiate the sanctioning procedure presented by the claimed. In said letter, after requesting that “allegations be made in relation to with the content of the administrative file of which he did not know until his remission on December 28, 2020, and they must be considered complementary to those formulated in its day to the Initiation Agreement ... ”, makes these requests: That the nullity of the procedure be declared for the reasons that details in the first allegation of the brief of allegations; subsidiarily, the file of the procedure and, in the alternative with respect to this last claim, the imposition of a warning or warning or a significant reduction of the amount of the fine established in the initiation agreement. Also, as it did in its first brief of allegations to the commencement agreement, it requests " [...] the opening, [...] of a trial period in which it can contribute to that AEPD the documents that it considers necessary in case it does not give truth to what is stated by my client in section 2 of the allegation third of this writing. " The arguments that he uses in support of his requests are structured in three allegations: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 62 62/184 The first allegation has the heading “ Of the exceptional affectation of the right to effective judicial protection derived from the situation that occurred in the file administrative in the present proceeding ”. In this section he states that “ the administrative file forwarded by the AEPD was, in the words of the Control Authority itself, cut into no less than 1,345 pages ” and that it lacked of information on said circumstance because, “having processed the same [the file] by that AEPD without his knowledge ”, he had not been able to know the scope real of the submitted administrative file . It highlights that, of the complainants "now incorporated into the file ”, the AEPD had only transferred it, for the purposes of articles 37 and 65.4 LOPDGDD, of three of them. In this line of argument, he recalls that, in his allegations to the agreement to initiate 08/19/2020, requested “to limit the prosecution of this case to claims actually pending in the administrative file, resulting in that said file did not contain any information on 43 of the relationships referred to the initiation agreement ”. However, more than four months after formulate such allegations, the AEPD informs you that the file was " Amputated" in more than 30 percent of its length; sends you a new copy of the file and does not give you the possibility of alleging what is appropriate to your right, "Limiting itself to agreeing on a delay in the beginning of the probationary period." The defendant affirms that this way of acting is contrary to the regulatory regulations of the administrative procedure, articles 65.2.f) LPACAP and 89.1 of the same text legal, in respect of which he comments that “ the hearing process of the interested parties and the right of the accused to formulate allegations, in view of the administrative file, are configured as an essential guarantee of the procedure, being the reflection in the administrative sanctioning procedure of the Right to effective judicial protection that assists the accused. " It concludes from the above that “the action of the AEPD in the present case, [...] supposes an infringement of their right to defense, which makes the procedure incur in the nullity defect established in article 47.1 e) of the LPACAP, given that it has dispensed with a procedure as essential as that of hearing the accused in a sanctioning procedure. And this vice cannot be remedied by the fact that my principal issue these allegations. " Regarding the alleged omission of the hearing process, he makes these considerations: On the one hand, the principles applicable to the procedure have not been respected sanctioner “as he was unable [...] to have a real knowledge of the file, except with the scope of which you were notified prior to the formulation of your allegations to the Initiation Agreement . " It explains that “ The AEPD affirms that said file must be completed until the one that was the subject of referral and registration in the offices of my client on December 26, 2021, despite the fact that said file does not correspond to the one previously submitted for allegations, on the sole basis to affirm, in the written notification to my client, that said file is the complete and that must replace the previously notified. " That, “despite ignoring the reasons why he was not referred at the appropriate time of the procedure the complete administrative file, as it is recorded in a formal act issued by the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 63 63/184 instructor ”is not going to question such a statement. Add that we are in this case "in the absence of more than 30 percent of the file and that" There is not even correlation between the indices of the two files submitted. I mean, I don't just know produces an addition of 1,435 pages to the file, but also that supplement is interspersed throughout the procedure, making it even more difficult to properly exercise by my principal of his right to defense. " It points out that the violation that has occurred throughout the processing of this procedure, “ is even more aggravated when in his brief of December 23, 2020, the AEPD not only does not grant any term to my client for the issuance of the cited allegations, but rather more fully seems to grant it the concession or grace consisting of delaying the initiation of the trial period for within ten days from the delivery of the aforementioned "completed" file or "Supplemented". Through the second allegation of the brief of supplementary allegations to the The initiation agreement is ratified in the allegations that he made in his brief of allegations to the starting agreement of 08/19/2020. As for “ what constitutes the merits ” of the sanctioning procedure, ratifies what is stated in the allegations third to sixth of his brief and reiterates " the full legality" of his action in relation to with the FIJ. He reiterates what was stated in his first allegations about "the scarce, when not non-existent, link ” between the issues discussed in the sanctioning procedure and the claims that were formulated. The third allegation of the supplementary allegations brief is entitled “ On the claims not incorporated into the file in its additional referral and which are included in the nine version sent on December 26, 2020 ”. It begins by stating that, in general, the claims incorporated in what is that she calls " this new version of the administrative file" have characteristics largely similar to those of the claims in the copy of the file initially provided by the AEPD, but, unlike those, In this group, it is exceptional that the AEPD transferred the claim to the effects provided for in articles 37 and 65.4 LOPDGDD. The complainant understands that the AEPD issued the admission agreements for processing without know or assess any point related to the claim, except the reference to the " treatment of data in the file of judicial and administrative incidents ", and who decided to admit them for processing even when the documentation provided by the claimants, it was inferred that the claims were formulated “ with respect to requests that were still pending response by EQUIFAX, made reference to the treatment of the claimants' data in files other than the FIJ or that even [...] were not accompanied in some cases by the slightest information regarding the formulation of such claims ”. Regarding the period between the date on which the claim was filed before the AEPD and the date on which the Agency agreed to its admission for processing highlights that “It is extremely long, sometimes reaching a duration close to the eighteen months". C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 64 64/184 It maintains that, from the content of the file, it is concluded that “ the AEPD considers that Admission for processing is nothing more than a formality that must be fulfilled, regardless of account for the legally foreseen term or for the mere presentation of a claim when, probably, it has already been decided, without carrying out an inspection action any, initiate a sanctioning procedure and with the sole objective of increasing even plus the file. " Next, the respondent analyzes the claims and groups them into the following categories: A first group formed by the cases in which the entity responded to the claims of the interested parties and, in addition, it proceeded to the deletion of the data with respect to which the owner had exercised this right. It includes the claimants identified with the numbers 22; 47; 48; fifty; 67; 80; 87 and 96. Regarding this group of claims, he comments that “ in practically all of the enumerated assumptions, the claims were formulated before the AEPD when the period of one month legally established to give response to the request of the claimant ”. And he adds that even in some case, like that of claimant 87, the terms were not longer than one week. mentions the case of claimant 80, in which the claim before the AEPD was formulated after that the complained party had attended to the right of deletion, as a consequence of have provided the documentation that accredited the payment of the debt included in the FIJ, and in which the AEPD agreed to admit the claim for one year and two months after the date it should have been, 06/11/2020, fifteen months after the date of the claim and fourteen months after the response of the claimed to the AEPD. A second group made up of those claims in which the interested parties exercised before the claimed the right of access to their data working in the FIJ, which was attended by her in a timely manner, and, without having addressed a request to her in In this sense, the interested parties complained to the AEPD “the lack of attention of the right of deletion ”; right that either had not been exercised before the claimed “ Either it was done simultaneously or even later before [the respondent], claiming issues such as that the treatment was not based on its previous consent, that the collection of data from newsletters and newspapers was not lawful officials or even that the Authoring Administration of the publication expressed its disagreement with the very existence of the FIJ. " Cite claims as an example presented through the representation of Inzertia regarding the claimants 23; 24; 46; 47; 64; 66; 68; 69; 70; 71; 74; 79; 81; 82; 83 and 84. It also highlights that, Regarding claimant 47, the data was deleted despite the fact that it was not that's your initial request. And regarding claimant 80, despite having exercised the right access, he was informed that there was no data in the FIJ. A third group of claims that would include those in which the interested parties exercised the rights of "access, rectification, cancellation and opposition ", " Which makes the response from my client extremely complicated." In this of course there would be the claimants 76; 85; 90; 91; 92; 93 and 94. The defendant declares that, with respect to the claims framed in this category, since the cancellation was requested, its origin was analyzed, but not it was possible to grant it “by not providing information about the satisfaction of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 65 65/184 debt. "He says that it was not possible to attend to the request for opposition " by not provide by the interested party any information about the special circumstances derived from her personal situation that protected her. For this reason, it was requested in in all cases, the provision of additional information. " Another group would be made up of those claims in which the claimed the deletion of a certain data included in the FIJ but in which the The interested party did not provide the information to prove that the debt had been satisfied. Claimants 21 would be in this case; 49; 73; 86 and 89. In addition, the entity indicates, that “ these assumptions, as reasoned in the allegations to the Initiation Agreement, are exercises of the right of deletion and not of the right of opposition, since what is affirms is that the treatment is not lawful because the debt is paid (article 17.1 d) of the GDPR). " . Finally, it refers to a group formed by various claims: That of the claimant 78, of which it states that it does not refer at any time to the FIJ or the reference to it can be found in the administrative file, so there is no is related to the present proceeding. That of number 97, which was answered informing that there was no data associated with his name, surname and document identifying. Or that of claimant 95, who entered the AEPD on 05/06/2019 and did not it was admitted for processing until 06/11/2020. EQUIFAX maintains, after analyzing the 43 claims that "now appear in the administrative file and of which this party was not aware ”, that his action was respectful with data protection regulations and that, as already stated in its allegations to the initial agreement, “it is not possible to appreciate the existence of a real relationship between the claims made and the legal basis of the I agree, appearing, with all due respect, that the aforementioned claims rather they act as an excuse to justify the opening of a file of the magnitude of the present that as the foundation of what he later considers the sanctioning body attributable to my principal ”. ELEVENTH: Test phase. (I) Opening of the test phase. (II) Notification to the claimed and first request for evidence. (III) Request for extension of the term for respond to the requested evidence. (IV). Respondent's response I. In accordance with the provisions of article 77 of the LPACAP, on the date 01/19/2021 it is agreed to open in the sanctioning procedure a test phase for a maximum period of fifteen business days. This is stated in the diligence signed in that date on file. II. In writing signed on 01/19/2021, electronically notified and accepted by the claimed on 01/20/2021, you are notified of the opening of the test phase and the evidentiary proceedings to be carried out. In said letter it is also agreed to consider reproduced, for the purposes of evidence, (i) the ninety-seven claims mentioned in the Background of the settlement agreement of PS / 00240/2019 and its attached documentation; (ii) the documents generated and obtained by the Inspection Sub-Directorate in the information request prior to the admission for processing of claims and the corresponding admission agreements C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 66 66/184 processing of the aforementioned claims; (iii) the allegations to the agreement to initiate the PS / 00240/2019 presented by EQUIFAX) and its attached documentation; (iv) the writing that the instructor of the file addressed to EQUIFAX on 12/23/2020, communicating the sending a full copy of the administrative file that served as the basis for the opening of the sanctioning procedure; (v) the brief dated 12/28/2020 of EQUIFAX, in which it requests the extension of the term for the second allegations to the initiation agreement and (vi) the response brief from the instructor of the procedure that The respondent was notified on 01/13/2021. It is convenient to review here - even if this means altering the chronological order followed in the account of the actions carried out - which, after the writing notification of the opening of the test phase, through diligence dated 02/11/2021, the investigator of the file recorded that there were incorporated into the procedure, for testing purposes, the second allegations / allegations complementary to the one claimed to the initiation agreement, which had entered this Agency on 01/24/2021. This was requested by the complainant in a letter dated 02/09/2021 that was intended to request an extension of the term for respond to the new evidence (additional evidence) that is given to you required. Well, in the written document signed on 01/19/2021 and notified to the complainant on 01/20/2021, you are required to provide the Agency with documentation and / or following information: "4.1. The copy of the record of the personal data processing activities, provided for in article 30 of Regulation (EU) 2016/679, regarding the treatment that EQUIFAX carries out through the File of Judicial Claims and Public Organizations (hereinafter, FIJ). You must state in your answer the date on which the activity record was prepared and provide the initial version of the document together with any additions, modifications or exclusion made on its content later. 4.2. In the event that EQUIFAX does not have a record of the activities of treatment carried out through the FIJ, you must provide the following information: (i) The reasons why, in his opinion, the dispensation of the article is accepted 30.5 GDPR. (ii) The information indicated in sections a) to g) of article 30.1 RGPD. 4.3. The copy of the impact assessment on the protection of personal data, provided for in article 35 of the RGPD, relating to processing operations that EQUIFAX carries out through the FIJ. You must provide the initial version of the impact assessment and, where appropriate, details of the modifications or updates that may have been made. In the event that EQUIFAX does not have an impact assessment on data protection personal data referred to in article 35.1 RGPD, which informs of the reasons For which, in his opinion, the treatment carried out through the FIJ does not involve a high risk and the arguments on which the non-application of the precept is based of article 35.3. GDPR. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 67 67/184 4.4. Regarding the personal data processing operations that EQUIFAX carries out through the FIJ, the weighting that on the interests in game would have been carried out by the entity to conclude that the interests or the fundamental rights and freedoms of the data subjects vis-à-vis the interests pursued by that claimed entity or by a third party. 4.5 . The criterion or criteria that the FIJ uses to organize in its systems the personal data object of treatment so that their holders are duly identified. If such criterion had undergone variations since the entry into operation of the FIJ, must report both the criteria used initially and those adopted later, with an indication of the date the variance was implemented. Your answer should be properly documented. 4.6. Number of natural persons with respect to whom they existed in the FIJ active data records. You must indicate the number of people affected by the processing of your data through the FIJ during the last six years and provide the information broken down by years. 4.7. The total global annual business volume of EQUIFAX IBÉRICA, SL, during the financial year 2019. Your response must be duly documented 4.8. The economic result obtained by EQUIFAX IBÉRICA, SL, derived, exclusively, of the activity that it has developed through the FIJ. Shall provide the information corresponding to the last six years, broken down by annuity or, where appropriate, exercise. Your answer must be duly documented. 4.9. Information on the number of associates that EQUIFAX has and has had for receive information from the FIJ. You must provide the number of associates that the entity had in each fiscal year during the last six years. 4.10. Identify the documents in which - according to statements by the representative of the claimed made in the brief of allegations, folio 63- la AEPD, with its action, “had unequivocally concluded the action of EQUIFAX ”. This, without prejudice to the resolutions of Protection of rights to referenced in the pleadings brief to the initiation agreement. III. The complained party, by writing that has entry in the electronic headquarters of the AEPD on 01/24/2021, requests that the period initially set be extended by five days in order to respond. The instructor of the file, in writing signed on 01/25/2021, communicates that the period initially set for evacuate the process. The letter is electronically notified to the complainant on 01/25/2021 that you accept the notification on the same date. IV. Respondent's response to the first requested evidence. On 02/10/2021, the petitioner's written response to the requested evidence with which it attaches nineteen documents. It begins by invoking the “ confidentiality and business secrecy of documents C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 68 68/184 provided together with this document and requests that they be [...] treated without dissemination of the elements that affect its business configuration or the secrecy of its performance commercial and without them being used or disseminated ” . He cites for this purpose the Law 1/2019, of February 20, on Business Secrets. 1.- To the question formulated in point 4.1., In which you were required to provide a copy of the record of data processing activities (hereinafter, RAT) personal information relating to the FIJ and was expressly requested to provide the date on which the prepared the document, responds by providing five documents of which four correspond to the initial version of the FIJ RAT and the fifth to the final version. Without However, it does not report the date on which the initial version was produced and the version final; This information is not offered in the written response to the tests. requested nor does it appear in any of the five documents provided. The initial version of the RAT is included in documents 1 to 4. All of them carry in the first folio the legend “ Record of treatment activities. Article 30 GPDR. V 01 ". They have, respectively, this " Registry Name ": " Downloading information from public sources"; "Generation and sending of files to other platforms ”; "Integration of information in BD" and "Access to the judicial file" . The fifth document contains the final version. The first folio indicates: “ Registration of Treatment Activities. Article 30 GPDR. V. Final ". “ Name of the Registry. Download, generation and integration of information from public sources by EQUIFAX and access to the file by clients ”. In the RAT, final version, Section 3, “ Purposes of the treatment ”, the phases of the processing are shown schematically. treatment and its purposes. The first, the "information download", "in pdf format from the BOE page and of the TGSS. The purpose of this activity is to generate the following files main: BORME, Administrative Notifications, Claims and Judicial ". Once the loading and updating of the information in Pick is finished, the lists are saved in database (additions, modifications and deletions of records in Pick) that serve as a source of information to other environments, platforms and products, guaranteeing the integrity of the shared information. “ Once the files have been downloaded in the directories corresponding data and having processed the information and prepared the loading, the information is integrated into the database . " And finally, “ Once the information is integrated, the entities that have contracted the service access (for name and surname or DNI) to the Equifax database to be able to do the analysis of solvency on the interested parties. " Point 8 of the RAT, final version, which has the heading " Deadlines for deletion of the information ”, it reads like this:“ The information is accessible for 3 months and then it is saved in a Linux directory in order to be able to work later with the data. Said information, saved in “PDF” format, will be available for a period of 10 years from the date of publication, and this with the sole purpose of being able to respond to possible claims and respond to requests for information by the competent administrative body, as well as the courts and courts. " In the initial version, document 4, there is a clause 8 identical to the one that we have transcribed. (The underlining is ours) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 69 69/184 2.- To the question that was formulated in point 4.4., Regarding the weighting of the interests and rights opposed in the data processing that the entity performs at through the FIJ and in which it had concluded that the interests or fundamental rights and freedoms of the data subjects vis-à-vis the interests persecuted by her or by third parties, responds that she has already provided this document with the allegations to the initial agreement but which, nevertheless, facilitates it again. The document number 8 that for this purpose provides in this process - “ LIA Judicial File. Legal Analysis. December 2019 ”- it is the same that he sent to the AEPD as an annex to the allegations to the agreement to initiate the sanctioning procedure. In their allegations to the commencement agreement and in its response to the test procedure the claimed has warned of the confidential nature of the documentation and, what is more, the document number 8 bears the indication “ Internal use only ” on its first page . The Document called LIA Judicial File, very extensive and whose content It consists, in essence, in a reiteration of the arguments put forward by the claimed in its pleadings; in reflections on the action that would be It is desirable that the AEPD adopt in this matter and in the description of the measures plan to adopt, but without specifying the dates, it is structured in the following sections from which we extract the most relevant content: 1. Scope of this report. Indicates that the purpose is to determine whether the treatment carried out as a result of the capture of public access sources would be legitimized in accordance with the personal data protection regulations. 2. Regulatory evolution in Spain of sources accessible to the public and evaluation of solvency. Organic Law 5/1992, of October 29, regulating the automated processing of personal data (LORTAD); the law Organic 15/1999, on the protection of personal data (LOPD), in particular articles 3.j; 6.2 .; 28 and 29.1 and the Development Regulation of the LOPD, approved by Royal Decree 1720/2007 (RLOPD). It alludes to the GDPR and the fact that the The term public access sources appears only in Recital 61 and in article 14.2.f. Cite Organic Law 3/2018, of December 5, on Data Protection and Guarantee of digital rights (LOPDGDD) and refers in particular to the articles 11.3.b) and article 4.2.d) 3.General considerations on the legitimate interest as a legitimate cause of the treatment of personal data. It indicates that this legal basis of the treatment does not allows to provide a documentary justification for which it will be necessary to adopt the measures aimed at proving their attendance. This requires proper analysis of the requirements demanded in the precept to be able to conclude that an operation of treatment is covered by it. Mention here the Opinion 6/2014 of the WG29 and the methodology that describes to verify the origin of the application of the database provided for in article 7.f) of the Directive as well as the STJUE of 11/24/2011. 4.Concurrence of the prevailing legitimate interest in the treatment of the information of public access sources. In the analysis it distinguishes: 1. The legitimate interest of Equifax; two. The legitimate interest of the credit system; 3. The legitimate interest of the insurance sector; Y 4. The legitimate interest of the insurance sector for the prevention of fraud. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 70 70/184 Regarding section 1, (the legitimate interest of EQUIFAX) it says that the RGPD does not contains a provision such as article 29.1 of the LOPD on which, it says, “ legitimized the credit bureaus to the treatment of personal data obtained from records and sources accessible to the public ”. He adds that the fact of not having these defined concepts (that of publicly accessible sources) “by itself would not simply exclude the legality of the processing of data from these sources, and in particular from the Official Gazettes and Newspapers, taking into account their universal accessibility by any person, although the presumption of prevalence of the legitimate interest established by the previous regulations. " and cites in support of his thesis the judgment of the CJEU of October 24, 2011, paragraphs 44 and 45: Regarding judicial notifications, it indicates that Equifax only integrates in its judicial information files procedures processed by the Courts of First Instance, First Instance and Instruction (excluding in any case the trials of misdemeanors), of the Mercantile and the Social. In this way, the processing of data related to criminal jurisdiction. Regarding administrative offenses, the RGPD does not contain a provision with respect to them, so it does not establish any limitation or specialty in relation to with your treatment. However, the first two paragraphs of article 27 of the LOPDGDD establish a special regime for this type of treatment, although, judgment of the claimed, the precept is exceeded in relation to the powers that the GDPR recognizes Member States. Then add: “ Given this situation and, specifically, taking as an interpretive criterion the Judgment of the Superior Court of Justice of the European Union, (Second Chamber) of May 4 of 2017, we consider that the AEPD should follow the same line interpretative than that followed by jurisprudence, insofar as the data manifestly public or from public sources should be framed within the legitimate interest in its subsequent use, when the purpose pursued is to provide the operators in the market the most reliable information possible in order to assist the correct functioning of the market in our country, because in this case there is no They would be violating fundamental rights, as is the case with the SICs of art. 20 LOPDGDD (purpose and corporate purpose of Equifax in both treatments) ”. (The underlined is ours) Remember the general conditions of reuse of the BOE website and that Equifax extracts from it information related to liens, auctions, claims administrative, published by the General Treasury of Social Security and the Agency Understand that there may be a reasonable expectation, on the part of the interested parties (whose data have been published in the BOE, BORME or TGSS) of use of your data for the purpose of evaluating your solvency in a credit application, when Previously, you have proceeded to claim the payment of a tax debt or the Social Security that is still pending payment, the purpose for which, said data, they would be integrated into the Equifax Judicial file. He concludes by saying: “we consider that the legitimate interest of Equifax in the treatment of such information for the purpose of judging the solvency of the potential borrowers, prevent fraud in the contracting of financial products and insurance company, whose data on debt with public administrations appear in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 71 71/184 sources accessible to the public whose information is expected to be reused. " (The underlined is ours) 5. Refers to the " suitability " and " necessity " of the treatment of information from sources of public access for the fulfillment of the legitimate interest. They are collected in this epigraph the following considerations: “ Regarding the suitability of access to information from sources of access public for the achievement of the purposes that have been described in the previous section and, consequently, for the satisfaction of the legitimate interest pursued by the entity manager of the system, the entities participating in it and the consumers in their capacity as potential beneficiaries of the financing, it has already been indicated that the knowledge of delinquency information from sources such as the BOE or the page of the Social Security Treasury is a measure ideal for the achievement of the objective pursued. " 6. Impact of the treatment of sources accessible to the public on the rights and freedoms of those affected. It says that the processing of data related to the downloading of judicial information such as (CIF / NIF / NIE, name of the defendants / bankrupt and plaintiffs, addresses, amounts of seized personal property, names and bankruptcy administrator's email, social security number, name and address to whom claims the debt) implies an affectation to the privacy of consumers. However, the fact that this limitation occurs would not impose necessarily a weighting of the aforementioned right on the legitimate interests that have been described as long as the due guarantees are adopted that allow the legitimate interest to prevail over the limitation of privacy that involves treatment. And he warns: " In any case, it should be taken into account that the treatment being making reference does not affect more than breaches of obligations money, financial or credit of the applicant for credit or insurance, as happens with the SIC of art. 20 of the LOPDGDD. This means that the system in no case is intended to disclose additional information that refers to said subject or other data other than those published by public access sources. Therefore, the level of interference of the treatment in the private sphere of the affected should be modulated taking into account this objective condition and the fact that it is not revealed additional information to the credit default situation of the interested party. " 7. Operation of EQUIFAX files with information obtained from sources public access. At this point in the document it is indicated: “ Through the process of Loads of Judicial and BORME information, it is possible to import information that is very useful for Equifax on natural and legal persons that is published in free access media such as the BOE or the page of the Social Security Treasury. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 72 72/184 The database in which this information is integrated and consolidated is managed by the Operations area and is called Pick It should be noted that there are additionally enrichment processes of the data contained in Pick by importing of files from information providers and other public sources. (The underlining is ours) From this Pick database, the information is exploited to generate products for Equifax customers and is also used to feed through files other company databases and platforms: Host (IT), EDEN (UK), SAS (D&A) and Oracle. The document includes a table that “ describes the complete flow of the process, starting with downloading and obtaining information from external sources, continuing with the treatment of this information and ending with the load or integration in the Pick database, generating the files: BORME, Notifications Administrative (Pre-judicial), Claims and Judicial. The result obtained is a complete and complete Pick database with quality information and that serves the source data for many Equifax products and processes. It is important know that the key field of the records contained in Pick is the identifier of person (physical or legal). This identifier can be the CIF, NIF, NIE, Number of the Social Security or a provisional number assigned to you. This identifier is relates to the rest of the registry information, each data being associated directly to the data source from which it was obtained . " (The underlining is ours) The products that are currently generated with this information are the following: Judicial Consultations (Batch); Consult Bankruptcy Situations (Batch); Queries File ASNEF Companies by Third Parties (Batch); Consultations File ASNEF Companies (Online); Consultations File ASNEF Companies (Online) Resellers; Queries Judicial APPC (Online); Judicial Consultations (Online); ID Verifier; ; IdentityRisk; Reputational Risk Monitoring; Active companies enrichment; Collection Matrix; Proactive alerts for ASNEF Companies; SVCNM ASNEF Companies; Daily alerts Bankruptcy; Judicial Alerts. 7.1. Downloading and obtaining data from external sources and processing of files. It is the process by which Equifax downloads and obtains all the necessary information to incorporate into the Pick database. In the table in Annex I that includes the document describes, among other issues, the main data obtained, the data sources and the download website so that, later, it can be carried out correctly its integration in the Pick database. The files that are downloaded automatically are initially stored in the Directories on the production machine and those downloaded manually are initially downloaded to a network repository that is the same as the one where they deposit the downloaded files automatically already processed. " IT generates backups of this network directory, but the original files will be kept according to the retention periods defined according to GDPR. This solves the problem access to historical information since according to regulations the files can only be be in BOE for your consultation for 3 months. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 73 73/184 7.2. Recording criteria for defendants, plaintiffs or debtors. Every record that is going to be integrated into the database must comply with the following requirements, distinguishing between natural and legal persons. Regarding natural persons: It must be a person who can be reached, by full name or by full address, we will have to take into account several concepts • When only DNI / NIE appears, we will check the database. On If you have a history of this DNI / NIE, we can incorporate it, otherwise we cannot incorporate it. • If the name and surname with full address were published we would search the database, in the event that all the data matched the we would select, otherwise we would assign it a provisional number. • If the name and surname appear published but without address and without DNI / NIE we could not integrate them. • If the initials of the name and surname appear published, or simply a surname or a name (a word) we could not integrate it. Next, the document jumps from point "7" to point "IV" which is headed " Description of the guarantees and rules of operation of the file of judicial information ”. In this section IV it indicates that, “ Once the existence of a legitimate interest sufficient that it could be considered as a legal basis for the treatment ” and having keep in mind that this treatment implies a limitation of the right to privacy of the affected, the “ guarantees that the system is going to establish in order to reinforce the protection of the rights of the interested party ” following constitutional jurisprudence cited. And adds: “ At this point, it should be indicated that, as has been said previously, the forecasts enabling legal systems to create these systems would allow the same could be considered covered by the rule of article 6.1 f) of the RGPD through the compliance with guarantees merely equivalent to those required for the systems of credit information regulated by the LOPDGDD . " The document does not specify the date on which these guarantees are to be adopted. 1. Guarantee of data protection principles: 1.1 Principle of purpose It indicates among other things: “On the other hand, the principle of finality includes the limitation of the subsequent uses of the data, since the RGPD prohibits in its article 5.1 a) the subsequent processing of the data for purposes incompatible with those that motivated its collection, although it exempts from this limitation the use of data for archiving purposes public interest or scientific or statistical research. The statistical treatment of the data contained in the file, once there is after the period that is set for its conservation, to which we subsequently we will refer, it is undoubtedly useful to have an adequate knowledge of the behavior of society in relation to credit, being able to analyze the evolution of citizens' habits in this matter or of the level of indebtedness, particularly if it is confronted with the evolution of the economic cycle. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 74 74/184 For this reason, Equifax anticipates further use of the data for statistical purposes. Not However, in order to fully guarantee the rights of those affected, so that the information cannot be associated with identified or identifiable persons, will submit that data to an aggregation process, so that the data can no longer singled out for a given subject. In addition, this operation will be developed with a minimum level of aggregation of twenty subjects per category, so that no Nor can it be inferred from the aggregated data the singularization of the affected. Therefore, although it could be possible to use the data, even pseudonymised, for statistical purposes, only that prior use will be carried out aggregation of the same, so as to prevent their singularization in the future. " 1.2 Principle of minimization. The full guarantee of the principle of minimization is intended, so that the systems do not include any information that is not absolutely essential for being able to assess the solvency of customers. The data whose inclusion in the system would be essential for the proper fulfillment of the purpose thereof, without incorporate any other additional information, even if it could be relevant for the achievement of said purpose, are those that appear in Annex I as data of. "source". 1.3 Conservation principle It considers that the term of five years, counted from the expiration date of the corresponding period is adequate for the purpose pursued by the file of judicial information, also taking into account that this is the period set out in the Article 20.1 d) of the LOPDGDD. 1.4. Accuracy principle In compliance with this principle and given that the edict publication only recognizes the existence of the obligation to pay what is owed, but there is no of additional information that allows knowing effectively if that amount is owed at the time of listing notification, a possible solution to this The problem would be the limitation of very short deadlines referring to the aforementioned communications, and in the analyzed system this requirement is met, by reducing the deadline for publications that have occurred in the last five months. However, this reduction does not allow the risk derived from the treatment of these data, being able to see the qualification of an interested party negatively by the fact of incorporating an edict notice referring to a debt already paid from the In the same way that the subject who had been subjected to it could be favorably affected. made a notification with an antiquity of more than five months and there was no proceeded to pay the amount owed. 1.5 Guarantee of the Principles of purpose and minimization in access to the file. Enabling assumptions and uses of the data. Data that can be accessed. The application of the principles of purpose and minimization will be reinforced as soon as access to data with the application of the following guarantees: - Only entities that maintain an account with their clients will be able to access the data. relationship that determines the inclusion of your data in a SIC or to which those affected have requested the conclusion of a contract whose execution would determine the inclusion of such data. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 75 75/184 - Measures will be adopted to punish or even expel from the system the entities that carry out unauthorized access to data. - The data related to the previous consultations of the file, which will not include the entity that had accessed it will only refer to the accesses produced in the last six months. In any case, the entities could not use the information collected from the public sources in order to know the operation of the sector nor in order to send any type of commercial offer to those who do not have the condition of clients of the same. 2. Transparency and information to interested parties In the cases of processing based on the prevailing legitimate interest, reinforce the mechanisms of information to the interested party about the treatment of data, in the terms established in article 14 of the RGPD. 2.1 Information after the collection of data from public sources Equifax must inform the interested party about the inclusion of their data in the file. in compliance with art. 14 of the GDPR: It will be up to Equifax to prove the compliance with the duty to inform, regardless of the means used for it. It says that the data contained in the public sources file will not be accessible by the adhered entities as long as the term of thirty days established for SICs in art. 20 LOPDGDD. In addition, the information referred the notification made is incorporated into the database of notifications, in order to prove its compliance with the AEPD. The data referring to the cases in which there has been The notification has been returned for reasons other than its rejection, unless that it had been sent to the debtor's contractual address and the debtor appeared as unknown, in accordance with the provisions of article 4.2 d) of the LOPDGDD, according to which: "For the purposes provided for in article 5.1.d) of Regulation (EU) 2016/679, will not be attributable to the person responsible for the treatment, as long as he has taken all reasonable measures so that they are suppressed or rectified without delay, the inaccuracy of personal data, with respect to the purposes for which are processed, when inaccurate data: d ) They were obtained from a public registry by the person in charge ”. In this way, sufficient guarantees are established to determine that there is no risk in the treatment of this information. 2.2 Material impossibility of information in case of not having the address of the interested party There are cases in which the information published in publicly accessible sources does not include a postal address to which to make the notification of inclusion in the terms of art. 14 GDPR. In these cases, and following the Working Group interpretations of Article 29, in the Transparency Guide under the RGPD regulatory regime, of 11/29/2017, revised and adopted on 04/11/2018, it is limited to transcribing the following: “ 59. The situation in which it is" impossible "under Article 14.5 (b) to provide information is an all or nothing situation because something is impossible or it is not; Not there are degrees of impossibility. Therefore, if a controller seeks relying on this exemption, you must show the reasons that actually prevent you provide the information in question to interested parties. Yes, after a certain C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 76 76/184 period of time, the reasons that caused the "impossibility" no longer exist and is possible to provide the information to the interested parties, then the person responsible for the treatment should be done immediately. In practice, there will be very few situations in which a controller can demonstrate that in In reality it is impossible to provide the information to the interested parties. 3. Rights of those affected Specific protocols are envisaged to address the rights of articles 15 to 22 of the RGPD, whose requests, in general, will be attended within the period of fifteen business days from receipt by the person responsible for the file. 3.1 Remote and permanent access to system information 3.2 Rights of rectification, deletion and limitation of treatment a) Rectification The request for rectification must indicate the data that is erroneous and the correction to be made and must be accompanied by documentation justification of the requested rectification. b) Deletion The interested party may exercise the right of deletion with respect to the data that should not appear in the system, either because they do not correspond to the reality, either as a consequence of the expiration of the conservation period to which the has been referenced in a previous place. When the right of deletion entails the Exercise of the right of opposition will be as indicated in section 3.3 below. c) Limitation of treatment. Article 18 of the RGPD lists the assumptions legitimating the exercise of the right to limit the treatment. result especially relevant those related to the cases in which the affected party exercise the right as a consequence of the invocation of letters a), b) and c) of the article 18.1; that is, when “the interested party disputes the accuracy of the data personal, for a period that allows the controller to verify the accuracy of the themselves ", when" the treatment is illegal and the interested party opposes the deletion of personal data and request instead the limitation of its use "or when" the responsible no longer needs the personal data for the purposes of the treatment, but the interested party needs them for the formulation, exercise or defense of claims ”. In these cases, the problem arises that the exercise of the right at the time immediately prior to the request for a financial credit operation could imply that the query of the system produced an image of the interested party not adjusted to reality, subtracting from said image certain data that were being object of assessment and, during that period, have their limited treatment. It foresees that in the files of public sources a rule equivalent to the one provided for in article 20.1.e) of the LOPDGDD, in order to guarantee the adequate fulfillment by them of the purpose that justifies the treatment of the information and ensure the accuracy of inquiries, but internally at Equifax we poses within a phase II of development. of limitation of the treatment when invoking the inaccuracy or non-existence of the data or its illicit treatment, it will be treated as a cancellation proceeding to the erasure of the data in the system. 3.3 Right of opposition. In order to protect and be a guarantee with the consumer invoking your right to object by being included in a database whose information has been obtained from a public source, interested parties may exercise their C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 77 77/184 right of opposition to appear in the Judicial file at your simple request, without the need to require you to justify said request with specific reasons , except for proof of your identity or current payment certificates in AEAT or SS. In this case, will proceed to the exclusion of all your data from the file automatically. 3.4 Automated personal decisions and information to those affected Article 22 of the RGPD recognizes the right of the affected person not to be subject to a decision based solely on the automated processing of your data, including the profiling, which produces legal effects or significantly affects you similarly. The document says that the adoption by the entities will not be possible adhered to the SIC of an automated personal decision regarding the hiring of a consumer financial product requested by the interested party, the information being contained in the public sources file only one of the elements to be taken in consideration for the adoption of the final decision about said hiring. 4. Active liability measures 4.1 Technical and organizational measures and data protection officer 4.2 Requirements for access: limitation, traceability and security 4.3. Audit of the entities participating in the system 4.4 Reaction to security breaches 8. List of additional guarantees to be adopted after the RGPD and the LOPDGDD. Provides for the implementation of the following guarantees, in addition to those established in the data protection regulations, in order to guarantee an adequate weighting of the rights and interests of those affected with the legitimate interest that justifies the existence of these Files. The files will only incorporate the minimum data necessary for the identification of the interested parties (DNI / NIF, name and surname, address) and their Posted associated debts (eg, repossession cases). In the process of Judicial and BORME information uploads, temporary files in Pick that will only be kept for 15 days. Data capture in accordance with the publication criteria of the Provision Additional 7th of the LOPDGDD and its interpretation by the AEPD, with the additional guarantee of not capturing asterisked data. Only the name and surname data of an interested party will be captured when the They are accompanied by a postal address and / or complete ID. Quality control in the capture and subsequent inclusion of all addresses Postcards published, relating to the interested parties, prior to loading in the Judicial DB. Information will only be kept regarding non-compliances, produced in the last 5 years (by analogy with negative, as regulated in art. 29.1 of the LOPD adapted to the current term of art. 20.1 d) of the LOPDGDD of five years). Once the aforementioned deadlines have been met, the entity that manages the file You can only keep the data for statistical purposes and exclusively if it proceeds to a previous data aggregation process, so that the They cannot refer to a group of people of less than twenty. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 78 78/184 Interested parties are always informed about the inclusion of their data in the Judicial File at the time of the same by sending a letter informative that meets all the requirements of art. 14 GDPR, specifically in compliance with art. 14.2 f) of said standard. Management of returned letters: The letters whose reason for return is: "rejection by the consumer" or "a stranger". (document accrediting the protocol that is followed is attached, auditable and traceable). Data blocking: Data will remain blocked for thirty days following the inclusion of the debt in the Judicial file, after said term the data may be visible by all consulting entities. The system will have specific protocols aimed at attending to the rights enshrined in articles 15 to 22 of the RGPD. With personality In general, these requests will be answered within a period of fifteen business days. from its reception by the person responsible for the file (Equifax Ibérica, SL). In order to strengthen the right of access, Equifax will establish a mechanism for remote, direct and secure access to the personal data incorporated in the itself, thus guaranteeing its permanent access by the interested parties. In case of exercise by an interested party of their right of access, the person responsible for the file will refer you to the aforementioned system, thus accepting your request. The interested party may, without prejudice to the foregoing, freely exercise their right of access to the data contained in the system maximum 5 times per month, being provided by the person responsible for the file a copy of the data incorporated into it. In case of exercise of the right in more than one occasion must proceed to the payment of a fee oriented to costs that in no case will exceed five euros. The interested party may exercise the right of rectification before the entity responsible for the file. These rights will be taken care of in a maximum period fifteen days. When the right of limitation of the treatment is exercised when invoking the inaccuracy or non-existence of the data or its illicit treatment, it will be treated the same as a cancellation or deletion of data, that is, it will be a cancellation, with indication the reason for the cancellation. Interested parties may exercise their right of opposition to appear in the file Judicial at the simple request of the consumer without the need to demand that justify your request with specific reasons unless proof of identity or certificates of current of payment in AEAT or SS. In this case, proceed to the exclusion of all your data from the file automatically. In no case will the adoption by the consulting entities of the Judicial file of an automated personal decision regarding the contracting a financial credit product requested by the interested party, being the information contained in the judicial file only one of the elements to be taken into consideration for the adoption of the final decision about said contracting, unless the consent of the interested. In any case, the interested party will be informed if the information contained in the judicial file it has been taken into account for the denial of the loan or credit. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 79 79/184 A prior evaluation of the impact on data protection will be carried out in the terms established in article 35 of the RGPD. In accordance with article 34.1 j) of the LOPDGDD, the responsible entity of the common system will have a Data Protection Delegate The staff of the member entities with access to the information will be limited of the file, The system will guarantee the traceability of the accesses to it, producing the exchange of the data through secure protocols that prevent access by third parties during your communication. Equifax will periodically audit, through sampling techniques, the access to the system, collecting when necessary the information that accredit the legality of the same and in particular the use of the data for the exclusive solvency assessment purposes that justify access to the file. A response protocol will be adopted in the event of security breaches that guarantee its immediate communication to the AEPD and, when appropriate, to the interested. Annex I to the document: The information that appears in the columns with these is reproduced below. headings: "Type of information" and the correlative of the columns " Data source " and " Download website ". 1.Administrative Notifications of the AEAT (Pre-judicial). Data source: BOE. Download website: Daily BOE Notifications supplement -> 2. Administrative Notifications of the AEAT (Judicial) Data source: BOE. Web Download: Daily BOE Notifications Supplement -> 3. Administration of Justice. Courts of 1st Instance and Instruction and Courts of the Commercial (Judicial-Contests) Data source: BOE. Download website: Provisions and Announcements of the daily BOE -> Section IV. Justice administration 4.Administration of Justice. Social Courts (Judicial) Data source: BOE. Download website: Dispositions and Announcements of the daily BOE -> Section IV. Justice administration 5. Administrative Notifications of the TGSS (judicial) Data source: BOE. Web Download: Daily BOE Notifications Supplement -> 6. Administrative Notifications of the TGSS (claims) (Last day that there was publications in the BOE was on May 24, 2019) Data source: BOE. Web of download: Daily BOE Notifications Supplement -> 7.Administrative Notifications of the Autonomous Communities Data source: BOE. Download website: Daily BOE Notifications supplement -> 8. I. Registered Acts (Judicial-Contests) Data source: BORME. Web of download: from the daily boe / Borme 9. Section I. Registered Acts Data source: BORME. Download website: boe / Borme daily 10. Administration of Justice. Courts of 1st Instance and Instruction and Courts of Lo Mercantil (Judicial-Bankruptcies) Source: BOCAM or BOP. Download website: boe. Autonomous Bulletins and Provincial Bulletins 11.Administration of Justice. Social Courts (Judicial) Data source: BOCAM or BOP. Download website: boe. Autonomous Bulletins and Provincial Bulletins. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 80 80/184 12. Administrative Notifications of the Autonomous Communities (judicial) Source data: BOCAM or BOP. Download website: boe. Autonomous Newsletters and Bulletins Provincial. 13. TGSS Notification Announcements (judicial) Data source: TGSS. Web Download: sede.seg-social.gob.es Notice Board (TANUSS) 14. SECTION I - Bankruptcy Edicts: www.publicidadconcursal.es (Judicial- Contests) SECTION II - Registration Publicity (Judicial-Contests) SECTION III - Agreements Data source: Public bankruptcy registry. Download website: www.publicidadconcursal.es 4.- The question formulated in point 4.5 of the brief requesting evidence was about the criteria that the FIJ uses to organize personal data in its systems treated so that their holders are duly identified. I know requested information on both the criteria used initially and the changes adopted with indication of dates . The defendant explains that the integration criteria in the FIJ of the data it captures referring to natural persons is a function of the sources from which they come since, he says, “ The way in which the different public bodies have come publishing the information, it has varied over time ”, so it has had to adapt to such changes, “ in order that the holders may be due and unequivocally identified . " He adds that the last variation in the form of Publication of the data derives from the seventh additional provision of the LOPDGDD. It should be noted that the respondent has not provided the information that was requested, referring to the dates on which the different criteria were adopted. Offers us the following information without specifying on what date you implemented these criteria: a) If only the NIF / NIE is published: then “it is verified whether on the date of publication, the NIF / NIE in question, is registered in the active information of the FIJ (excluding therefore the one that is blocked). Depending on the result obtained, different actions are carried out : " a´) If the identifier is already included in the FIJ associated with a name and surname, registers in the FIJ the new published information. a´´) If that identifier is not included in the FIJ, the recording of the registry is discarded . b) In the event that the name and surname and incomplete NIF / CIF are published: d saves the recording of the data in the FIX file. c) Cases in which name + surname + address is published: It proceeds to the recording of the record in the FIJ file, associating both data. d) Cases in which only name + surname appears published: In this Of course, the recording of the data in the FIJ file is discarded . And he added: “ Consequently, it can be concluded from what has been described that only those notifications that either contain the name and surnames associated either with a complete DNI or NIF (which no longer happens as consequence of the application of the seventh AD of the LOPDGDD), or to a determined address. Outside of these cases, only those C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 81 81/184 data in the event that the information referring to a DNI is already in it complete and associated with its owner. " 4.- The question in point 4.6. dealt with the number of natural persons of whom there were active data records in the FIJ during the last six years, having to provide the information broken down by years and provide the documentation that serves as rationale for your answer. The claimed one provides two tables with this information. On the one hand, a table with the “ Average number ” of natural persons that in the period 2016-2021 appeared in the FIJ. Year 2016: 4,624,312; year 2017: 4,879,391; year 2018: 4,940,225; year 2019: 4,657,196; year 2020: 4,183,445; year 2021: 3,826,436. On the other, it provides a table with the number of natural persons that have been included in the IJF since 05/25/2018: In the year 2018: 196,653; in 2019: 62,113; in 2020: 20,193 and in the year 2021: 2,358. The respondent, despite being expressly required, does not provide any document that certifies the veracity of the information offered. In addition, it does the following comments: That since 05/25/2018 a total of 282,037 individuals have been included and produced “ a systematic reduction in the number of people included ” which is due to “ the progressive implementation of the rules established in the provision additional 7th of the LOPGDD. That most of the records that remain in the file are prior to the entry into force of the RGPD, when article 29.1 of the repealed LOPD established a period of conservation of the data in the file of 6 years. And concludes by saying that “[...] most of the records that remain in the FIJ were collected before the entry into force of the RGPD, when it had not existed by the AEPD no objection or questioning of any kind about the sufficiency of the legitimate basis of the treatment in the file had not been discussed at any time compliance with the principles established in the regulations of data protection . " 5.- In point 4.7. asked about the total annual global business volume during the financial year 2019. Respond by providing your individual annual accounts (document 19) as of 12/31/21019 that include a turnover for an amount net of 42,259,655 euros. 6.- The question in section 4.8 was about the economic result obtained by the claimed during the last six years derived exclusively from the activity that has developed through the FIJ, broken down the result by annuity or, where appropriate, exercise and documenting your response. The defendant has provided a table with the amounts of the “ direct income in relationship with the FIJ access service provided to customers directly since 2015 ” . These revenues range between € 316,204 in 2015 and € 1,734,763 in 2020. However, the complainant states “that the contracting of other services by clients may include, [...] in addition, the possibility of consulting the FIJ, agreeing with the clients a joint price for the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 82 82/184 entire service. In these cases , [the respondent] has no information accounting that allows determining which imputation of the price satisfied by customers it could be done [sic] to IJF. ”. (The underlining is ours) Extreme from which it is concluded that, necessarily, the figure is much higher since the most entities - we could affirm that, at least, all those in the sector financial - they have access to the two files whose services the claimed provides. This means that the figures provided do not provide a true picture of the result. economic referring to the FIJ. On the other hand, the respondent has warned that the information offered does not allow break down how much of this direct income comes from access to information related to natural persons and which of the access to information related to legal persons, to which data protection regulations do not apply, therefore that, he says, the figures he has provided should be considered reduced. Accurate also that the economic information it provides refers to the amount of income obtained, without taking into account the costs, since it does not have a system of allocation of costs linked to each of the files it manages. 7.- The question formulated in point 4.9. dealt with the number of associates “who has and has had the claimed one ”with access to the information offered by the FIJ. The defendant clarifies again that there are cases of direct hiring of the FIJ and others in which access to the FIJ is produced as a complementary service to the hired by customers. Indicates that the number of entities that have contracted the direct access to FIJ information is 18 but another 310 Entities can access the FIJ as a complementary service to those contracted with her. 8.- The question in section 4.10. dealt with the documents - to which he alluded in their allegations to the initiation agreement- in which the AEPD, with its actions, “ had unequivocally lawful conclusion of the actions of EQUIFAX ”. This, without prejudice to the resolutions of Protection of rights referred to in the brief of allegations to the initiation agreement. The defendant responds that “ The actions of the AEPD that this party is aware of that have come to ratify both the legitimacy of the data processing carried out by my represented in the FIJ [...] and which are reflected in specific documents are the resolutions of the Guardianship of Law that have estimated and confirmed, even after the entry into force of the RGPD and the LOPDGDD the criteria followed by EQUIFAX to deny the requested deletion in those cases in that the interested party did not accredit the payment of the debt that was registered in the FIJ. " He adds that “[...] he respectfully understands that the behavior of the AEPD (a through resolutions that even appear in the administrative file) did not but to show the conclusion that the treatment was lawful and covered by data protection regulations. For this purpose, it is necessary to I manifest that if in a procedure in which an interested party invokes that a data object treatment should be deleted the Control Authority concludes in the inadmissibility of carrying out this deletion, does nothing but validate the legality C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 83 83/184 of the treatment, since otherwise this deletion would proceed, according to to the provisions of article 17.1 d) of the RGPD. If the AEPD considered the treatment illicit, as appears to be derived from this file, had to first agree to delete the data and, then, require EQUIFAX to carry out the necessary actions to adapt the treatment of current legislation on the matter. However, the AEPD did not take none of these decisions, but confirmed that the data whose deletion was requested they should remain in the FIJ. (The underlining is ours) In this way, the conduct of the AEPD reveals its opinion that the treatment carried out by EQUIFAX was completely in accordance with the regulations data protection (we insist that also after the full application of the RGPD, as it appears in the file), so that such resolution is a unequivocal statement of the AEPD on compliance with the regulations of data protection by EUIFAX, embodied in an administrative act endowed with full enforceability. " TWELFTH: Test phase. (I) Second request for evidence to the respondent. (II) Request for extension of the deadline to respond (III) Response of the claimed to the tests. I. In writing signed by the instructor on 02/01/2021, whose electronic notification it is accepted by the recipient on 02/02/2021, new tests (second tests or additional tests ) . The entity is required to, within ten days, provide the following documents and / or explanations: "1.-That, with respect to the File of Judicial Incidents and Public Bodies (FIJ), detail the protocol that EQUIFAX has implemented during the six previous years aimed at guaranteeing that the personal data that are incorporated into said file were at all times duly updated. You must provide the documentation that accredits your demonstrations. 2.- Given that EQUIFAX has alleged that when the data personnel are incorporated into the FIJ directs communications to those affected in order to to inform them of their inclusion in that file, which detail what are the means that you use and have been using for the past six years to carry out the communications that you have alluded to. You must provide the documentation that credit your statements. 3.- That detail what percentage of the incidents incorporated to the FIJ during each of the six preceding years were communicated by EQUIFAX to the affected. You must provide the documentation that proves your statements. 4.- Regarding the communications that EQUIFAX has sent to the affected by notifying them the inclusion of their personal data in the FIJ, which detail what percentage of those sent were returned to EQUIFAX or were unsuccessful for other reasons. You must provide the documentation that proves its manifestations. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 84 84/184 5.- To send a copy of the document that EQUIFAX makes available to your associates / clients regarding the use they may make of the data personal data accessed through the FIJ (exclusively that part of the document dealing with such issue). You must provide the document / s provided during the last six years in case they have been modified during this time. If you provide several versions, you must specify the date during which each one was in force. " II. On 02/09/2021, this Agency receives a letter from the claimed in the that, in addition to requesting that, by virtue of the provisions of article 76 of the LPACAP, consider to be reproduced for the purposes of evidence the supplementary allegations that filed on 01/24/2021, requests that the period initially set be extended by five days to answer additional tests. The term extension is agreed requested, a fact that is communicated to the complained party in writing dated 02/11/2021, notified electronically on the same date, which was accepted by the recipient on 02/12/2021. III. Respondent's response to the second request for evidence. On 02/23/2021 the response is received at the electronic headquarters of this body from the one claimed to the additional tests requested; written that bears like title " Response to the request for additional information made by the Agency Spanish Data Protection. February 23, 2021 ” and consisting of 6 pages. He begins his answer by invoking the “ confidentiality and business secret of the documents provided together with this brief [...] ” with respect to which he requests that are treated without dissemination of the elements that affect their business configuration nor to the secret of its commercial performance. However, the respondent has not provided an annex to the brief with any document or Nor has this Agency received any document at a later date with the purpose of accrediting the veracity of what was stated in their response to the tests complementary requested. Extreme of relevance because it was required expressly to provide the documentation that accredits its demonstrations. The acknowledgment of receipt from GEISER dated 02/23/2021, certifies that the claimed filed on that date, at 22:20:48 (Peninsular Time), exclusively, the written reply to the second request for evidence. Nothing says about assumptions attached documents. The respondent's response to the additional tests requested is the following: 1.-To the first question, he answers: “To guarantee that the data captured in the FIJ are up-to-date, Equifax relies primarily on: 1) Limitation of the sources from which the FIJ file is fed: as already reported in our previous writings, Equifax collects the information that is registered in the FIJ of the Official Gazettes published by the State, the Autonomous Communities, Provincial Councils. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 85 85/184 The exclusive use of this source guarantees that all the information that is collect is considered official and authentic as indicated in article 3.1 of the Royal Decree 181/2008, of February 8, on the organization of the official gazette << Bulletin Official of the State >>. Therefore, the use of this source is, in our opinion, a guarantee that there are no doubts about the updating and veracity of the information incorporated into the FIJ. Newsletters are downloaded the same day they are published, so the information of the FIJ is updated on a daily basis with the information contained in the Bulletins. 2) Automatic information capture processes: downloading the newsletters and the subsequent registration of the data in the FIJ is done through automated processes thus avoiding possible errors from manual processes. For reading the data of the newsletters are used OCR reading processes that guarantee the correct reading and recording of the data published in the bulletins 3) Recording criteria: as we have indicated in the answer to the first request for information from the AEPD, Equifax has implemented criteria of specific recording and already detailed previously to that AEPD, in order to ensure that the holders are unequivocally identified for their inclusion in the FIX. These criteria guarantee that there is only data of holders duly identified 4) Notification of inclusion: this part has been making to the holders whose data have been collected since May 25, 2018, a specific notification of your inclusion in the FIJ, as a measure to guarantee the updating of the data. Said communications allow interested parties, in a free and simple way, check if indeed the data that have been published by the different Official bulletins that have been collected by my client contain some error. 5) Attention to Exercise of rights: by attending to claims of the holders in the exercise of their rights, the interested parties may, in accordance with provided for in the data protection regulations, know what data is included in the FIJ, for what purpose they are used, and, at all times, rectify, cancel, oppose and limit the processing of your personal data ”. 2.- To the second question, he answers, first of all, recalling that the Hearing Nacional reiterated through its Judgments -SSAN of 06/29/2001 (Rec. 1012/1999); 11/29/2001 (Rec. 531/2000) and of 02/27/2008 (Rec. 358/2006) - that the data protection contained in the already repealed LOPD did not contemplate a Obligation to notify the interested parties of the inclusion of their personal data in the FIJ. Transcribe the following excerpt from the SAN of 02/27/2008: "[...], it must be concluded that the notification of the inclusion is only required in the event in which two notes concur: that the data refer to compliance or breach of monetary obligations; and that they are provided by the creditor or who acts on their behalf or interest. From which it follows that, having taken the personal data, in the case now prosecuted, from the Official Gazette of the Community of Madrid, there was no obligation to notify its inclusion in the File of Judicial Incidents to the holder of the same. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 86 86/184 The respondent acknowledges that until the entry into force of the RGPD it did not carry out any notification to those affected; which justifies that there was " an express endorsement in this sense by the National Court ”. It indicates that, after the entry into force of the RGPD, “within the framework of its obligations to established pro-active responsibility [...] and even when the doctrine [...] of the National Court had not been affected ”, has considered appropriate to notify the inclusion of those affected whose data were recorded in the FIJ. However, he cautions continuation that " the question of whether or not to carry out said notification has not has been definitively adopted within the framework of the relationship between that AEPD and ASEDÍS within the process of preparation and approval of the Code of Conduct to that Equifax has already made repeated reference in its brief of allegations to the Start." It adds that the notifications to the interested parties of the inclusion of their data in the FIJ are carried out through an independent third party, which carries them out through a auditable procedure. 3.- Answer the third question indicating that, in congruence with the above, You can only provide notification data from 05/25/2018, the date on which you have considered appropriate to carry them out. It states that in its computer files it appears that, Since 05/25/2018, they have sent a total of 509,470 notifications. From here, the defendant breaks down the total number of notifications that says having effected. He does the same when answering question number 4. It is reproduced then the information you have provided in your response to the tests complementary requested. Breakdown by years of the notifications sent: 2018: 339,436; 2019: 116,236; 2020: 47.3888; 2021: 6,407. 4.- Answer question number 4 by providing some data -without documentary support some- on the notifications that were unsuccessful broken down by years and for return reasons. The reasons for return considered are: 01, details incorrect; 02, deceased; 03, unknown; 04, absent; 05, refused; 06, others; 07, Insufficient address; 08, wrong address. Provide the following information about unsuccessful notifications: 1. Year 2018. Total unsuccessful claims: 66,418. Reason 01: 13,299; reason 02: 312; motif 03: 47,883; motif 04: 1,563; motif 05: 68; motif 06: 3,293. 2. Year 2019 . Total unsuccessful claims: 24,812. Reason 01: 5,498; reason 02: 139; motif 03: 17,299; motif 04: 462; motif 5:25; motif 06: 1.229. 3.Year 2020. Total unsuccessful claims: 9,673. Reason 01: 2,928; reason 02: 24; motif 03: 5,945; motif 04: 150; motif 5:23; reason 06: 603. 4. Year 2021. Total unsuccessful claims: 1. Reason 01: 1. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 87 87/184 5.- The evidence required in point 5 of the brief requesting evidence The complementary purpose was for the respondent to provide a copy of the document requested and its modifications, if any. However, the respondent has not provided no document and has limited itself to answering that entities can access the information registered in the FIJ as well as a contracted service from independently or as a complementary service with other services provided by EQUIFAX. Below, he has reproduced a few short excerpts that supposedly come from the service contract signed with the entities that access the FIJ, both of the contract model that was celebrated before the entry into validity of the RGPD as of the model used after the entry into force of the Regulation (EU) 2016/679. Provide these texts for this purpose: With the heading “Section of stipulations / definitions of the contract ”, reproduces a fragment that corresponds to the identification of the claimed as a party to the contract. Between both contract models the text varies, exclusively, at the domicile and in the mention of the inscription in the Registry of the AEPD that is only included in the model used before the validity of the GDPR. " EQUIFAX: EQUIFAX IBERICA SL residing in [...], owner of the File of Judicial Incidents and Claims of Public Organizations, whose information comes from sources accessible to the public [...] (hereinafter THE JUDICIAL FILE), its purpose being the provision of solvency information services equity and credit ... " Provide this other fragment with the heading "Clause of obligations and responsibility: "" Of the fulfillment of the obligations that correspond to them according [reference is made to the RGPD or the LOPD depending on the model contract] and in the applicable national regulations. " “Of the responsibilities that for each one could be derived before the AGENCY SPANISH OF DATA PROTECTION (hereinafter AEPD). " "Of the responsibilities that each one may be required by third parties derived from their breaches of this contract. ". THIRTEENTH: Test phase. Request for evidence to the Subdirectorate of the General Registry of Data Protection of the AEPD. In writing signed by the instructor on 02/04/2021, notified on 02/05/2021 that it consists received on 02/09/2021, the Deputy Director General of the General Registry of Data Protection of the AEPD, the following test procedures: 1.- To report if the AEPD code is currently approved conduct of the Infomediary Sector that ASEDIE promotes. If so, please to provide us with the date it was approved and send us a copy of the document. 2. If the aforementioned code of conduct has not been approved, please provide the following documentation and information: 2.1. The copy of the draft code of conduct that ASEDIE presented to the AEPD in May 2020. 2.2. To report if that Sub-Directorate has sent ASEDIE any assessment or report regarding the project that you submitted in May 2020. If so, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 88 88/184 Please provide a copy of this report and provide us with the date on which it was had transferred to the Association -date of making available- as well as the date in the one that the latter has agreed to the notification. By writing signed and notified on 02/10/2021, the Deputy Director General of the General Registry of the AEPD responds in the following terms: “1.- The draft code of conduct presented for approval by the Agency Spanish Data Protection by the Multisectoral Information Association (ASEDIE), is in process, currently pending the report of the Legal Office of this Agency. 2.-In the processing of the draft codes of conduct, successive versions, in which the improvements resulting from the contacts that are usually keep up with the promoters. In this case, in the month of May 2020, it was contributed by ASEDIE a version of the draft code of conduct, a copy of which is attached, which it was not the last. 3.- ASEDIE has not been notified of any report issued on the draft code of conduct presented by ASEDIE. " FOURTEENTH: Proposal for a resolution. On 03/26/2021, the investigator of the file formulates a proposal for resolution in the following terms: "FIRST: That the Director of the Spanish Data Protection Agency impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the article 6.1 RGPD, in relation to article 5.1.a) of the RGPD, typified in article 83.5.a) of the RGPD, the following sanctions: Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 3,000,000 (three millions of euros). Pursuant to article 58.2.f) of the RGPD, the prohibition to continue the treatment of personal data that you make through the File of Judicial Claims and Public Organizations (FIJ) of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that, associated with alleged debts, are subject to treatment through the of the File of Claims and Public Bodies (FIJ) of which it is the owner. SECOND: That the Director of the Spanish Agency for Data Protection impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the article 5.1.d) of the RGPD, typified in article 83.5.a) of the RGPD, the following sanctions: Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 3,000,000 (three millions of euros). Pursuant to article 58.2.f) RGPD, the prohibition to continue the treatment of personal data made through the FIJ, of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that, associated with alleged debts, are subject to treatment through the FIX. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 89 89/184 THIRD: That the Director of the Spanish Data Protection Agency impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the article 5.1.b) of the RGPD, typified in article 83.5.a) of the RGPD, the following sanctions: Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 1,000,000 (one million euros). Pursuant to article 58.2.f) of the RGPD, the prohibition to continue the treatment of personal data that you make through the File of Judicial Claims and Public Organizations (FIJ) of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that, associated with alleged debts, are subject to treatment through the File of Judicial Claims and Public Organizations (FIJ) of which it is the owner. FOURTH: That the Director of the Spanish Agency for Data Protection impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the article 5.1.c) of the RGPD, typified in article 83.5.a) of the RGPD, this sanction: Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 1,000,000 (one million euros). FIFTH: That the Director of the Spanish Data Protection Agency impose on EQUIFAX IBÉRICA, SL, with NIF B80855398, for an infringement of the Article 14 of the RGPD, typified in article 83.5.b) of the RGPD, this sanction: Pursuant to article 58.2.i) of the RGPD, an administrative fine of € 1,000,000 (one million euros). " The proposal was notified to the respondent on the same date of signature -26 / 03 / 2021-, that accepts the notification on 03/29/2021, as evidenced by the certificate of the FNMT that is in the file. FIFTEENTH: Writings addressed to EQUIFAX and sending documentation to the claimed. In writing signed by the investigator of the file on 03/29/2021, notified in the same date and whose notification was accepted by the claimed on 03/30/2021, you were informs that the documentation regarding the latest actions carried out in the procedure and it is requested that, if it appreciates that it has incorporated into the proposal writing reserved information of a business nature, communicate to this Agency in order to proceed to anonymize the information, whenever that the AEPD is obliged to make its resolutions public. In writing signed by the Deputy Director of Inspection on 03/29/2021, informs EQUIFAX that a CD is being sent via postal courier encryption with the documents of the file relating to the latest actions practiced. The access code and the Hash are also provided. Notification of writing is practiced and accepted by the recipient on 03/31/2021. SIXTEENTH: Request for an extension of the term to make allegations to the motion for a resolution. Response of the AEPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 90 90/184 On 03/30/2021, a letter from the claimed in which you request that the extension of the initially set period be agreed to formulate allegations to the proposal for the maximum legally allowed. The AEPD responds to the request for extension in writing dated 03/30/2021, whose notification is accepted on 03/31/2021, in which, pursuant to article 32.1 LPACAP, agrees to extend by one business day the initial period set for making allegations to the motion for a resolution. SEVENTEENTH: Allegations of EQUIFAX to the proposed resolution: On 04/15/2021 the writing has entered the electronic registry of the AEPD, sent by EQUIFAX, through which it makes its allegations to the proposal of resolution of the PS / 240/2019 that the entity received on 03/29/2021. The defendant requests that a resolution be issued declaring the nullity of full right of the procedure or, where appropriate, its expiration, for the reasons detailed in the third claim. Alternatively, that the filing of the procedure be agreed upon constitute the conduct object of assessment any violation of the regulations of personal data protection. Subsidiarily with respect to the previous requests that a warning sanction is imposed provided for in article 58.2 b) of the RGPD or, failing that, a significant reduction in the amount established in the resolution proposal in response to “ the numerous concurrent circumstances in the assumption of fact prosecuted, which would entail a highly qualified reduction of the Equifax's unlawfulness and culpability. " In support of these claims he invokes the following arguments: 1.In the first claim, it “ratifies and reiterates” in its entirety the content of the allegations made to the commencement agreement since, in his opinion, the proposal for resolution does not contest in any way what is stated in said allegations. 2. The second claim deals with the existence of a “ media contest between the all the infractions referred to in the proposed resolution that prevents accumulate potential sanctions ”. It states that the proposal identifies a plurality of infractions that, supposedly, he would have committed EQUIFAX “when in fact all They are subsumed and embedded in other offenses for which the AEPD wishes sanction [it], giving rise to various cases of media competition in the terms provided in article 29.5. of Law 40/2015 [...] " It states that the AEPD cannot sanction EQUIFAX for all of the infractions to which the proposal refers, since they are clear assumptions of bankruptcy medial, so that only a single sanction can be imposed, in his opinion, the one "Without success" , is imputed with respect to article 6.1.f), in relation to article 5.1.a) GDPR. It states that, according to article 29.5 of the LRJSP, infractions must be subsumed in the most serious “ we understand that the one that the AEPD imputes with respect to art. 6.1.f) (in relation to article 5.1.a) RGPD ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 91 91/184 It considers that, according to what was stated by the AEPD in the proposal, the offenses attributed to EQUIFAX “[...] the offenses cannot be understood to have been one without the other, requiring between them that some be executed to appreciate the execution of the others ”,“ [...] to the extent that all the infractions allegedly committed keep a direct connection and bring cause of each other, it is inappropriate and contrary to the law to consider them as independent offenses ”. Through six sections it details the existence of six cases of medial contest that justify with references to the draft resolution proposal, which reproduces several fragments. These assumptions are as follows: to. Appreciates the existence of a first media contest between the infractions of art. 6.1 (in relation to article 5.1.a) of the RGPD, 5.1.b) and 5.1.d) of the RGPD. It says to this effect: “ In this way, the supposed lack of compatibility of the purposes together with the alleged infringement of the principle of accuracy constitute the infringement of the principle of legality of the treatment, by which it is also intended to sanction Equifax. As can be seen, there is already a first medial contest with regarding the infractions of art. 6.1 (in relation to article 5.1.a) of the RGPD, 5.1.b) and 5.1.d) of the RGPD. " It argues that, “ regarding the alleged violation of the principle of limitation of purpose, the AEPD considers, which will be refuted later, that the purpose of the original treatment and that of subsequent treatment by Equifax are incompatible ”. That the AEPD, to determine if further treatment is compatible with the The original treatment mentions, among other aspects, “(i) that it does not exist among the complainants and Equifax no relationship linked to context, so that the affected have not been able to have any reasonable expectation that their data would be object of this treatment -quod non- (being the nonexistence of expectation of treatment one of the criteria to determine the alleged violation of the principle of legality); and that (ii) the File of Judicial Incidents (“FIJ”) violates the principle of accuracy in its manifestation of updating the data (quod non), which, from From the point of view of the AEPD, it aggravates the adverse consequences for claimants whose data have been incorporated into the FIJ. " It adds that, “ Likewise, the AEPD indicates that the judgment of suitability is not met [...] since, for the treatment carried out by the FIJ could really satisfy the interests that it invokes, it would be essential that the information on the alleged debts attributed to claimants were up-to-date -accuracy principle-. " b. Appreciates the existence of " a second medial manual contest [...]" between the alleged infringements of articles 5.1.b), 5.1.c) 5.1.d) and 14 RGPD, of which derives the alleged infringement of article 6.1.f) of the RGPD. The respondent transcribes these paragraphs of the proposed resolution that lead her to affirm that the AEPD subsumes within the infringement of the principle of legality all and each of the other offenses that it also imputes: “As has been stated in the preceding foundation, it is proven that the treatment that EQUIFAX has been doing of the personal data of the claimants violates the principle of purpose limitation provided in article 5.1.b) of the RGPD. This breach has the consequence of causing the legitimate interest invoked C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 92 92/184 by EQUIFAX, on whose alleged prevalence supports the legal basis of the data processing carried out (article 6.1.f, RGPD), cannot meet the requirement of legality. (…) The illegality of the interest pursued by EQUIFAX is reinforced by the fact that the data processing carried out by the FIJ not only violates the principle of limitation of the purpose (article 5.1.b RGPD), but, as will be explained later, we consider that violates other provisions of the RGPD: the principle of data accuracy (article 5.1.d); Article 14 of the RGPD in relation to Article 5.1.a) and the principle of data minimization (article 5.1.c) ” (Emphasis added) c. Appreciates the existence of a third medial contest between the infractions of the Articles 6.1., in relation to Article 5.1.a) RGPD, 5.1.b) and 5.1.d) of the RGPD . He argues the following: “Regarding the alleged violation of the principle of accuracy, in the opinion of the AEPD, the alleged disparity and incompatibility between the purpose of the treatment originating and the one pursued by the FIJ determines that the information that this file collects is fragmentary and, furthermore, is disconnected from the future of the debt. On the other hand, among other considerations, the Proposal indicates (a point of view that we share) that the FIJ violates the principle of accuracy also with regard to the identification of the holders of the debts and the conclusion that can be drawn is that it can hardly serve the legitimate interest that it wants to serve linked to the fraud prevention (which, in case there are doubts, would be related to the alleged violation of the principle of legality). " (The underlining is ours) d. In point 4 he mentions the existence of two new media contests: The fourth, between articles 6.1, in relation to article 5.1.a) RGPD, 5.1.b), 5.1.c) and 5.1.d) GDPR. The fifth between the violation of article 5.1.c) and 14 of the RGPD. It states that " the AEPD considers " that " the alleged violation of the principle of Minimization is nothing but the sum of the alleged infringements of the principles of limitation of the purpose, accuracy and legality and, in turn, results in the breach of the art. 14 of the GDPR. " To substantiate his argument, he reproduces the following excerpt from the brief of proposal: " Compliance with this principle by the claimed, as happens with other principles already examined, such as legality or accuracy, is conditioned by the infringement of the principle of limitation of the purpose in which the entity incurs with the collection of data from official newspapers and gazettes that pursue a purpose incompatible with that of the FIJ. As a result of the illicit nature of the subsequent processing of the data collected -that is, the one that the claimed carries out through the FIJ- it is shown that the responsible for the treatment is in a situation of practical impossibility of Respect the rest of the principles that according to the RGPD govern the treatment. (…) As a first point, it should be noted that, as has been shown when examining other principles, particularly that of accuracy, the data that EQUIFAX obtains through of bulletins and official journals that feed the FIJ are not adequate for the purpose that pursues the file, thus violating the principle of data minimization. The reason fundamental is that they do not allow an update of the information regarding the solvency of the debtor. It is added to the above that, while the publication of the data does not include the address of the owner of the data, the claimed is not in a position to to be able to comply with the information obligation set forth in article 14 RGPD ”. and. It alludes to the existence of a fifth media contest -which was already announced in the section precedent- between the principle of data minimization and article 14 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 93 93/184 It states that in the opinion of the AEPD “ it is not possible to carry out the informative notification to the interested in lacking the address information and that the attempt to link the number identification of an interested party that is published in an official newspaper with the information that is recorded in the FIJ, constitutes in turn an infringement of the principle of data minimization (which this part denies). " In support of this conclusion, he transcribes this excerpt from the resolution: "On the other hand, there is no doubt that EQUIFAX is obliged to inform interested parties in the terms of article 14 RGPD each time you add your data to the FIJ personal. In line with this obligation, we must reiterate what has already been stated regarding the violation of other provisions of the RGPD. In the behavior analyzed we start from a Illegal processing of personal data, as data that were processed is collected initially with a purpose that is incompatible with the purpose pursued by the subsequent treatment, that is, the IJF, which conditions, how could it be otherwise, compliance with the obligations that the RGPD imposes on the controller to the point that these are impossible to comply with if not by infringing for this, other provisions of the RGPD ”. F. The defendant is limited to mentioning the existence of a sixth medial contest that would occur between the infractions of articles 5.1.b), 6.1. and 14 of the GDPR. It should be added that the respondent, when analyzing in its brief of allegations each one of the infractions of the RGPD attributed to it, again affects the existence of a media contest between the different imputed infractions. 3. The third allegation of the brief of allegations to the proposed resolution carries the heading "Of the vices of nullity concurrent in the present procedure". The defendant appreciates the existence of the causes of absolute nullity provided for in the sections a) and e) of article 47.1 of the LPACAP. He affirms that these vices of nullity they have generated a material and real defenselessness ; that we are not facing a violation merely formal, but in the face of vices from which a material effect of defenselessness and a real and effective impairment of the right of defense, with the consequent damage. The grounds for invalidity invoked are appraised in relation to the following behaviors: to. The inclusion of the amount of the sanctions in the initiation agreement, which in his opinion constitutes a defect of absolute nullity provided for in article 47.1.a) LPACAP: It reiterates what is alleged in the commencement agreement in the sense that the fixation in it of the amount of the sanctions that would proceed to impose, without having previously heard the allegedly infringing party, violates their right to effective judicial protection, generates absolute helplessness and implies a breakdown of the principle of separation between the investigative and resolution phases of the procedure, thus incurring the vice of radical nullity of article 47.1.a) LPACAP. It rejects the interpretation that the AEPD makes of article 85 LPACAP, in accordance with the which “the determination of the amount of the sanction and the consequent evaluation of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 94 94/184 concurrent circumstances in the case derives from [...] what is established in article 85 LPACAP. " It considers that this interpretation is contrary to the Spanish Constitution to violate the protection of fundamental rights that is granted through it and that the “ efficiency that could be pursued by determining the amount of the sanction in the initiation agreement could never justify the violation of rights fundamental of the insert that such action entails ”. b. The violation by the AEPD of the rules that regulate the procedure sanctioner regarding the protection of personal data and " the consequent expiration at the end of the procedure ” , which constitutes a defect of nullity of the article 47.1.e) LPACAP. It states that the AEPD has completely and completely dispensed with the procedure legally established in articles 64 and 67 of the LOPDGDD and has incurred in a abandonment of the powers attributed to it by the LOPDGDD and the RGPD. Abandonment that has caused damage " because it has been considered by the AEPD as aggravating circumstance of the type the continuing nature of the alleged infringement during the period in which that AEPD declined to carry out any infringement against Equifax ”. Regarding the procedure, it transcribes articles 64.2 and 67 of the LOPDGDD and says that from these provisions it is unequivocally deduced that the LOPDGDD, for reasons of legal certainty for the company, has established a procedure regulated and with clearly marked time limits ”. Therefore, according to the foregoing, considers that the admission should follow without a solution of continuity processing of the claim within a period of three months; the optional realization of investigation actions for a maximum period of twelve months and the opening of a sanctioning procedure. Thus, he affirms that the admission for processing of a claim by the AEPD implies the recognition of the existence of indications of violation of data protection regulations and this must imply -argues EQUIFAX- that preliminary investigation actions are carried out or, if considers that the infringement is manifest, as appears to be the case in the present case, to proceed immediately to the opening of the sanctioning procedure. In view of the foregoing, the respondent reaches the " obvious consequence " that if the first claim was admitted on May 30, 2019 and the AEPD decided not to carry out carry out investigative actions "the Agreement to initiate this procedure should be from that date, so, being the maximum duration of the procedure of nine months, the resolution [...] should have been issued on March 2, 2020 ”. Y adds: “ In this way, the AEPD issued the Initiation Agreement long after the date on which it should have issued a resolution if it had met the requirements established in the data protection regulations, with which all actions they should be considered expired. " (The underlining is ours) It also refers to the situation of "inactivity" in which the AEPD estimates incurred in in relation to the claims that were filed against EQUIFAX related to the FIJ. He supports this conclusion in that of the 97 claims admitted against EQUIFAX only some of them were transferred to the DPD; in that although all were admitted to Some were processed " without a minimum legal reasoning "; in which the first claim (claimant 25) entered the AEPD on 05/30/2019 and in which the AEPD did not C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 95 95/184 carried out preliminary investigation actions, for which, he affirms, from the admission processing of claims until the Agency issues the agreement to initiate the sanctioning procedure that concerns us, on 07/24/2020, did not perform any other action. c. It mentions the “ main circumstances ” that have occurred during the processing of the procedure whose overview shows that the procedure has been processed with a complete and repeated impairment of the rights that in the framework of the administrative sanctioning procedure is granted by sections 1 and 2 of the Article 53 of the LPACAP. It refers to the following circumstances: 1 No investigative actions were carried out prior to the opening of the agreement to initiate the sanctioning procedure. 2.Delay in sending the copy of the administrative file: it is received by the entity on the penultimate day of the ordinary period granted to allege, although it is granted by the AEPD the extension of the term for the maximum legally allowed, five days, and Consequently, he receives it with only six days remaining to issue his letter of allegations. Remember that the file forwarded had an extension of 2,974 pages. 3.On 12/23/2020, the AEPD sends you a letter stating that “ it has been found that, unfortunately, an incident of a technical nature cut off part of of the documentation that made up the administrative file ” . It says that in the aforementioned In writing, it is not granted a period of allegations since it was limited to indicating that the The instructor would not proceed to the opening of the test phase until after the least ten business days computed from the date of notification of the letter. Add: " All this without any reference to the principle of integrity of the administrative file electronic consecrated by article 70.3 of the LPACAP ”. 4. “ The aforementioned file turned out to be increased to 4,319 (that is, a extension more than 45% greater than that of the file originally submitted), which which motivated my client to expressly request the granting of a period for the issuance of allegations and that the term for this be extended. The AEPD was limited to Respond to said request indicating the specific date on which the opening of the trial period, but without expressly granting my client any period to allegations. " (The underlining is ours) 5.The test phase does not start until 01/20/2021, when almost six months from the opening of the initiation agreement. 6.The proposed resolution is notified to EQUIFAX on 03/29/2021. In it, the two initial accusations, contained in the initiation agreement, are expanded with three new infractions “ without any of them having resulted from obtaining information any additional charge that could have justified this triple charge ”. Warn no we are before a new legal classification of the infractions but before three new infractions added by the AEPD “ [...] in the last step of the procedure, three new accusations on a legal basis that could have been used in his integrity at the time the Initiation Agreement is issued ”. 7.That, in accordance with the changes introduced with the proposed resolution, it was requested, under the protection of article 32.1 LPACAP, the extension of the period of allegations by the maximum legally allowed (five days). However, “ the AEPD limits said extension to the term of a single day in view of the evident risk of expiration of the process". It states that “ In this way, it seems to deny my client a right that the law grants as a consequence of the delay in the processing of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 96 96/184 procedure solely attributable to the performance of that AEPD, which in no case it should be detrimental to the Managed. " (The underlining is ours) d. The inclusion of new infractions in the proposed resolution constitutes another of the reasons that - in the opinion of the defendant - cause the radical nullity of the procedure under article 47.1.a) of the LPACAP. It explains that the new infractions that are attributed to it in the proposed resolution have generated an undoubted defenselessness by having deprived him of the “right to know the specific accusations aimed at limine against her and her rights of defense and provision of means of proof relevant to their right, enshrined in article 24.2 of the Constitution as a manifestation of the right to effective judicial protection. " (The underlined is ours) In his opinion, the determination in the resolution proposal of new infractions It is not covered or in the regulations governing the administrative procedure in general nor, in particular, in that of the procedure in matters of data protection. In accordance with articles 89.3 LPACAP and 90.2 that it transcribes, it formulates the following conclusions: (i) That it is the initiation agreement that will establish the limits on which it may to carry out the final qualification in the resolution proposal. (ii) That the resolution proposal cannot make new charges. Can modify the initial qualification made in the initiation agreement by making an imputation or imposing a more serious sanction than that established in the opening agreement, all of this in accordance with article 64 of the LPACAP. It indicates that not even the Royal Decree 1398/1993, of August 4, which approved the Rules of Procedure for the Exercise of Sanctioning Power (REPEPOS), repealed by the LPACAP, provided for the realization of new charges but, solely and exclusively, the modification of the classification of infractions that have already been communicated to the inserted in the initiation agreement. (iii) That the LPACAP does not allow the proposed resolution to make new additional imputations to those included in the commencement agreement as this is would cause an irreparable impairment of the rights granted to the accused (iv) That the additional charges would require the processing of a new process. (v) That any action that is not “the referral of the file to the body sanctioner in order to decide on the opening of the procedure sanctioner in case of coinciding with the instructor's assessment of the concurrence of new infractions ”would violate the rights of EQUIFAX by depriving it of the guarantees that the company has recognized in the procedure sanctioner, in particular in article 53.2 a) of the LPACAP ( right to “ be notified of the facts attributed to him, of the infractions that such facts may constitute and the sanctions that, where appropriate, may be imposed, as well as well as the identity of the instructor, of the competent authority to impose the sanction and the norm that attributes such competence ”). 4. Through its fourth claim, under the heading “ On the assessments made by the AEPD on the basis of law IV of the proposed resolution ", he says, on the one hand, that the AEPD has violated the principle of legitimate expectations and on the other C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 97 97/184 that the subjective element of the offense is missing in this case, in such a way that no any sanction could be imposed by virtue of the principle of culpability recognized in Article 28 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRJSP) The first section of this fourth claim refers to the pre-existing regime to the GDPR and maintains that until the full application of the GDPR, and even later, Until the entry into force of the LOPDGDD “there was an express legal provision that recognized the legality of information systems that collect information obtained with the consent of the interested party or from sources accessible to the public for the purpose to evaluate the solvency of the interested parties ”. (The underlining is ours) He mentions alleged reflections made in the motion for a resolution, which in no case were made, and indicates that article 29.1 of the LOPD was not repealed neither totally nor partially by the STJUE of 11/24/2011 or by the STS of 02/08/2012 “ nor the same represented a limitation to the application of the precept that legitimized the treatment of the personal data of the interested parties that were incorporated into sources accessible to the public . " It says that “ For this reason, the statement contained in the Proposal for a Resolution, which aims to indicate that the treatment carried out by Equifax in the FIJ did not find protection in a legal presumption of prevalence of legitimate interest, it simply lacks the reality of the provisions of jurisprudence and the cited standards ". Once again he affirms that the AEPD was fully aware of the existence and operation of these information systems; that, even after the STJUE, has considered sufficient to assess its legality the fact that the data came from the aforementioned sources accessible to the public and that despite this the AEPD did not direct any action against the FIJ to reproach the breach of the data protection regulations. In proof of these manifestations, it brings up the following actions of the AEPD: -The resolution issued in E / 04639/2013, in which -said- the basis for agree the file was that the file (from Axesor, Database of incidents judicial) was covered by article 29.1 and 4 of the LOPD. -The inspection actions referred to in the resolution issued in the PS / 104/2004, directed against a financial institution that claimed to have collected the FIJ data. Law Foundation III of the resolution mentions the practice of an exhaustive inspection in EQUIFAX “ in which it was verified, examining the historical records of the file of Judicial Incidents, that indeed there were annotations related to the complainant but that do not coincide with those registered in Bank of Madrid. Therefore, there is no evidence of violation of the regulations of data protection by Equifax Ibérica, SL . " - The SAN of 03/29/2012 (appeal 525/2010), filed by EQUIFAX in front of the sanctioning resolution of the AEPD of 05/05/2010, PS / 368/2009, of which Fourth Law Foundation “it is clear the legality of the treatment carried out by my client ”. The Basis of Law that is transcribed by the entity is the following: "In the brief of conclusions the appellant details his legal reasoning and states that it is not that he obtained the complainant's data outside of a source of public access and that has treated them without having their consent, but rather obtaining the data from a legal source (such as Newsletters) has added Information from the Bulletins that did not correspond to him. "" C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 98 98/184 -The numerous procedures processed in front of EQUIFAX by the alleged breach of the obligation to inform the affected party. In this regard, it states that sanctioning resolutions were annulled by the AN in its sentence of 02/27/2008 (Resource 358/2006). -The internal report of the Subdirectorate General of the General Registry of Protection of Data issued on 01/252019 that -states- “ evidence that there is a formal criterion emanated from a body integrated into the AEPD [...] that pronounces clearly and declares in favor of the legality of information systems similar to the FIJ, that collect relevant information on the solvency of the interested parties from the sources accessible to the public ”. Explain that the report, regarding information systems similar to the FIJ, it says the following: "In general, the code regulates the collection of personal data, in particular when it is done through web pages, for which the obligations to those to which associates are subject (article 6), as well as public sources (article 8). A consideration is made on the sources accessible to the public, of which the infomediary sector is a traditional user, like those that can be consulted by any person without general restriction of access to certain categories of users, even when a consideration is required (article 8), which is online with the interpretation that is made of this type of sources, and the principle of accuracy of the data when collected from them, also in line with what is collected in article 4 of the LOPDGDD. In addition, in Annex III corresponding to the marketing activity, a list of the sources of access is included public." It qualifies as " fallacious " the following argument made in the proposal, since the AEPD does not require the complaint of an affected person to carry out actions of previous research: " So that the AEPD could have ruled on the legality of the data processing carried out by the FIJ, as the claim made by this Agency maintains, it would have been essential that the Agency had previously carried out an analysis on the aspects that have been indicated in the preceding paragraph. And that analysis only could have been carried out well in the framework of a sanctioning procedure that had as its object the alleged violation of the principles that according to the LOPD presided over the treatment of the data through the treatment carried out by the FIJ, or in the response to a query from the Legal Cabinet that the entity had estimated It is appropriate to ask about the legality of the treatment that has been carried out. " And it highlights the inaccuracy of the comments made in the proposal about TDs. invoked by EQUIFAX because the assessment made in it is incorrect on the scope of the procedure for the protection of rights. It concludes from the preceding exposition that the arguments are distorted set forth in Law Foundation IV of the proposed resolution. It also concludes that the FIJ was fully known to the AEPD and that the treatment has been carried out under the sight, science and patience of this Control authority that at no time decided to carry out actions of official letter or adopted any decision in terms similar to those that appear in the motion for a resolution. Therefore, the AEPD, says the complainant, fails to comply with the principles of legitimate confidence and legal certainty in the terms described in the jurisprudence cited in the allegations to the initiation agreement. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 99 99/184 Starting from the consideration that there has been a bankruptcy of the principle of legitimate confidence with the processing of this sanctioning file, the claimed understands that the conduct under examination in this proceeding is absent of guilt. His performance, he says, “ is situated in a field alien to that of the will infringer ” and that“ His performance had been known and recognized (if not consented) by the AEPD itself (and even if the latter differs from this opinion, it is undeniable that Equifax had reasonable evidence, set out above, to support consider that it was so). " In line with the foregoing, it states that “ all the sanctions referred to in the Proposal for a resolution must be annulled ”. 5. The fifth claim deals with the breach of the principle of limitation of purpose. It states that this principle has not undergone any modification in the RGPD, since reproduces almost entirely what Directive 95/46 / EC established on it, and, then, it goes on to state that “ within the transposition regime of the Directive to our Right [...] ” article 29.1. of the LOPD “did not appreciate that [...] it was contrary to the principle of purpose limitation enshrined in Directive 96/46 / EC, " the processing of personal data carried out by those who are dedicated to the provision of information services on financial solvency and credit consisting of the collection of personal data obtained from the records and the sources accessible to the public established for this purpose. It also affirms that “ the legal basis that justified the collection of the data object of publication [was] obtain information on the capital solvency and credit of the interested parties based on the available information related to them ”, and that "This legal basis was expressly included in the LOPD, and should its article 29.1 be interpreted in the sense that [...] the treatment was covered in the prevailing legitimate interest of those who proceed, as my principal, to treatment of the data, since there is an unequivocal legal authorization for said treatment could take place ”. (The underlining is ours) The defendant concludes her argument regarding the " breach of the principle of purpose ” with the paragraph that we reproduce: " In short, the data is not processed in this case contained in the FIJ for a purpose other than the one that motivated its collection, since this was precisely what justified the maintenance of the data in the system and its access by the entities that are adhered to the FIJ in order to know the solvency and credit of its debtors or potential debtors, on the basis of a prevailing legitimate interest that, at least until entry into validity of the LOPDGDD was expressly authorized by the regulations of personal data protection." (The underlining is ours) In the same line of argument it says that " this compatibility (or that character" does not different ”from the purpose) was appreciated even after the entry into force of Royal Decree 181/2008, of February 8, on the organization of the official gazette «Boletín Official of the State »(hereinafter,“ RDBOE ”), to which the Proposal". Also, after the entry into force of Law 37/2007, of 16 December November, on reuse of public sector information and Law 19/2013, of C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 100 100/184 December 9, transparency, access to information and good governance . (The underlined is ours) He also makes another equally surprising statement: “[...] it must be remembered that measures adopted by RDBOE, which would reflect the restrictions that subsequently, with regard to open data, the Group revealed of Article 29 (hereinafter GT29) in its Opinion 3/2013 on the limitation of purpose, [...] do not refer to data processing such as that carried out carried out by my client through the FIJ, in which access to information is limited to creditors or potential creditors of the interested party. These measures, by the On the contrary, they try to avoid not an access subject to the condition of creditor, real or potential, but an indiscriminate access to the data that is the subject of publication in the official newspapers. " (The underlining is ours) Insisting on erroneous statements he says: “ If one takes into account that since 2008, and Until December 7, 2018, the RDBOE coexisted with the regime contained in the Article 29.1 of the LOPD, it is not possible to reach any other conclusion than to consider that the limitations to which the first cited rule refers cannot be applicable to the case provided for in the second, which has a legal basis specific and proper that legitimizes it. " (The underlining is ours) 6. The sixth claim deals with “the legality of the data processing in the FIJ and the application of the weighting rule of article 6.1.f) of the RGPD. " It states that none of the arguments contained in the motion for a resolution is enough to refute what was stated in their allegations to the initiation agreement; allegations that it takes for reproduced and complemented with what it now states: That EQUIFAX has an “ evident legal basis, the concurrence of an interest legitimate prevailing, for the treatment of the data in the FIJ. " Thus, it says that “[...] These information systems were expressly equipped with a presumption of prevalence of the aforementioned legitimate interest ”. (The underlining is ours) Later he adds: “Obviously, article 29.1 of the LOPD did not regulate the basic principles or the legal bases of the treatment, but determined that, on the basis of principles and legal bases identical to those contained in the RGPD, data processing collected in it was lawful. That is, either article 29.1 of the LOPD is exceeded the regime contained in the Directive, enabling nothing less that a treatment that violated its articles 6 and 7 in the terms assumed by the Proposal for a Resolution, something that no Court or the Institutions of the Union European (and even less the AEPD itself) even hinted at any time or, the principles and legal bases remaining unchanged, this treatment is so according to the RGPD as it was to the Directive. This fact is undoubted, by far that it is a question of forcing the argumentation in another sense. " (The underlining is ours) It also states that in its previous allegations it proved that, in the this case, concurred triple -idoneidad judgment, necessity and proportionality strictu sensu - required by constitutional jurisprudence for the treatment carried out by the FIJ it will be in accordance with the RGPD; weighting that, he affirms, is favorable to legitimate interest that justifies it. Regarding the aforementioned triple judgment, it is limited to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 101 101/184 make various considerations in relation to what was argued in the proposal of resolution. Considerations that, for the most part, do not conform to the truth or not they respect the context in which they were made. We reproduce some of them: “[...] the Proposal for a Resolution: [considers] that the legitimate interest underlying the processing of data in the FIJ is nothing more than a mere "convenience" for "Perpetrate" what is called "intrusions a la carte" in the rights of the interested parties (the expressions used are from the Proposed Resolution, not from my represented). " “[...] in the opinion of the AEPD the [CIRBE is] the only information system that contributes to the purpose pursued by the treatment carried out by the FIJ. " “[..] making the AEPD the principle of reasonable expectation (derived from nothing less the fact that these systems exist in our law and have been expressly regulated by it since 1992 and that the debtor must reasonably expect that your creditworthiness will be assessed before obtaining a loan) in the “reasonable expectation” of the delinquent debtor that their debt is not known and the financing is granted, even when this damages the principles of responsible credit enshrined by the legislator". 7. The seventh claim refers to “ compliance by Equifax with the principle of accuracy " He places the starting point of his argument in the necessary clarification of “ what is the purpose of the FIJ ", since" article 5.1.d) of the RGPD links "accuracy" with "the purposes for which "the data" is processed. He then states that the " purpose of the FIJ" is "to reflect the existence of a debt as stated in the announcement and at the time of its publication in the official source correspondent". (The underlining is ours) From the foregoing, it follows that the circumstance that the FIJ cannot show which is the debt situation at the time of consultation does not allow rating the information inaccurate in the terms provided in article 5.1.d) RGPD. It is not inaccurate, he says. the one claimed - because it correctly collects the information that is necessary for the purpose sought by the FIJ, "to help Equifax clients assess their solvency ." Therefore, he clarifies, the information would be inaccurate if, " contrary to what the file ” , will not correctly reflect the information that appears in the published announcement. Conjecture that the AEPD, in order to qualify the contained data as inaccurate in the FIJ, has proceeded in the resolution proposal, incorrectly, to associate the " Assessment of the solvency of those affected" with information about the "situation current "at the time of the consultation of the debt of the people." It goes on to refer to the suitability of the information contained in the FIJ to assess the creditworthiness of a person; suitability which, he affirms exhaustively, is out of all doubt as has been confirmed for twenty-five years by the “ enormous number of entities that have been resorting to the FIJ to assess solvency "He warns that a judgment of suitability requires a thorough knowledge of the subject and that to what extent know the AEPD is not an entity that carries out analysis in its day-to-day activities solvency. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 102 102/184 It states that the FIJ “ covers an undeniable need of the creditor market and the fights against delinquency and fraud ”and then states: “ [...] it is clear that The FIJ information constitutes a complement to the files referring to the debts contracted with in the private sector [...]. It is obvious that "in an ideal world" it would be preferable if the FIJ could be updated as completely as it happens with the credit information systems of article 20 of the LOPDGDD. Unfortunately, this is not possible since the Administrations do not publish information in this regard, without such circumstance being considered in any case as a case of "inaccuracy" of the information, for the reasons already stated. " (The underlining is ours) It also argues, as it had already done in the brief of allegations to the commencement agreement, that article 4.2 d) LOPDGDD establishes a presumption of accuracy that cannot be misrepresented “ by the result of the AEPD investigation, not even by the provision of evidence by the interested party ”and“ contains an imperative mandate of disclaimer to the person who has collected the data under their content ”. It indicates that this provision - 4.2.d) LOPDGDD- has to be connected with the BOE regulatory regulation that “ establishes a presumption of veracity and authenticity of the information contained therein, which guarantees the principle of accuracy " and concludes that" the accuracy of the information referred to the notifications incorporated into the FIJ [...] derives directly from said publication [in the BOE] and the LOPDGDD ”. Finally, invoke two more arguments: That until the repeal of the LOPD EQUIFAX “was [...] protected by the express legal authorization contained in the Article 29.1 LOPD and the action of the AEPD for which documentation was required accrediting the payment so that it could proceed to its deletion ”. And, regarding the accuracy of the identification data of the alleged debtors, affirms that "he accredited during the trial period that only proceeds to the processing of those data regarding of which it has sufficient means to guarantee the accuracy of the information treated . " It adds in this regard that, as a consequence of the entry into force of the LOPDGDD, adopted measures so that only the data of stakeholders of which there are sufficient elements to guarantee their full identification, which has been reflected in a decrease in the number of inclusions in the file. 8. The eighth claim analyzes the “ compliance by Equifax with the principle of data minimization. " The defendant states that the statement made in the proposed resolution in relation to the infringement of the principle of minimization of data that is imputed to him does not allows us to discern its connection with the aforementioned principle. He adds that “ nowhere in The Proposal indicates that the collection of data referring to the name, surname, identification document, address and characteristics of the debt contracted are not adjusted to the aforementioned purpose nor is a trial or proportionality assessment carried out some about it. " It concludes that the aforementioned offense appears to have been included in the resolution with “ a mere intention to increase, [...] in a completely the reproach directed against ” EQUIFAX. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 103 103/184 It indicates that the reasoning of the AEPD in the proposed resolution leads to, when it is considered that a certain treatment violates the principle of limitation of the purpose (which the defendant denies) “ would also breach the minimization principle, since more data would be processed from those legally enforceable in the opinion of the Agency. This argument, by definition it would be inadmissible, [...] " Finally, it adds that, as a consequence of the entry into force of the LOPDGDD, “ Has put into practice measures aimed at making the data processing result adjusted to the principles of accuracy and minimization and that only the treatment in the event that compliance with such principles is guaranteed, for which is not enough to understand the effect that the entry into force of said provision can lead to the alleged violation of the principle of minimization. " 9. Ninth claim, relative to the non-existence of infringement of article 14 of the RGPD. Regarding this violation, the respondent analyzes three different scenarios. (i) The regime prior to the entry into force of the LOPDGDD, in which, it affirms, it is waived the obligation to inform interested parties of the processing of their data personal activities carried out at the FIJ, as confirmed by a “very reiterated jurisprudence ”that determined that as of the SAN of 02/27/2008 the AEPD did not issue any sanctioning resolution for breach of the obligation to notify. (ii) The existing regime during the validity of the LOPD, as of the date on which the dictates the judgment of the CJEU of 11/24/2011. He considers that the situation was identical to the above and that it was the motion for a resolution that " creates ex novo " a line argumentation that understands that the previous criterion was modified from the aforementioned STJUE. In the opinion of the complainant, the proposal eliminates “ the possibility of founding the base of the FIJ in the provision of article 29.1 LOPD ”. Therefore, it requires that the exclusion from the duty to inform did not derive from the nature of the sources obtained the information, but from article 29.1, in relation to 29.4 and in relation to article 5.5. LOPD. (iii) The system after the effective application of the RGPD, in which EQUIFAX has considered " necessary to comply with the duty to inform." After which, add that, “ although he could have considered that the causes that exonerated him from said obligation under the LOPD that, do not forget, remained in force until 7 December 2018, they continued to protect him. " This commitment made as a result of the effective application of the RGPD has materialized in the “ notification to all interested in the inclusion of their data in the FIJ ", which constitutes a" commitment additional entity with the guarantee of the right to data protection ”. The respondent affirms that the proposal considers that “ this duty of information is not has complied with the data included in the FIJ prior to entry into validity of the LOPDGDD, that is, when there was a rule that excluded the duty of information." It also states that after the entry into force of the LOPDGDD it could be distinguished " Two types of data" : C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 104 104/184 (i) Those introduced prior to the entry into force of the RGPD, with respect to the which says that “[...] the principle of minimization and the cited interpretation of Article 11 excluded the possibility of obtaining additional information with the sole protection of giving compliance with the duty to inform ”. Regarding article 11 of the RGPD, it indicates that interpret by analogy, as it affects the processing of data additional to those required for the fulfillment of the purpose of the treatment, the provisions of that precept, according to which “[s] i the purposes for which a controller processes data personal data do not require or no longer require the identification of a data subject by the responsible, it will not be obliged to maintain, obtain or process information additional in order to identify the interested party with the sole purpose of complying with the these Regulations ”. It therefore considers that it could be concluded that, if the purposes of the treatment does not justify the processing of additional data, could not hide behind the compliance with the RGPD to collect such data. (ii) Those incorporated into the FIJ after said entry into force, with respect to the that Equifax chose, compared to the other entities in the sector, to comply with the Article 14, proceeding to notify all interested parties of the incorporation of their data to FIJ. It concludes that it has fully complied with the duty of information regarding all those treatments carried out since the entry into force of the RGPD, therefore, “Under the previous regulation (LOPD) was exempt from complying with this obligation. " and after " The entry into force of the RGPD, the provisions in article 14.5 a) of the RGPD, as the information is impossible or requires efforts disproportionate, something that the Proposal itself explicitly recognizes. " EIGHTEENTH: Letter from EQUIFAX requesting that reports be sent to it internal SGRGPD and the suspension of the term to formulate allegations to the motion for a resolution. On 04/07/2021 a letter from EQUIFAX addressed to the Sub-Directorate was received at the AEPD of Inspection of the AEPD in which it states that, through the Cabinet Report Legal 89/2020, has been made aware of the existence of two reports issued by the General Subdirectorate of the General Data Protection Registry of dates 01/25/2019 and 09/18/2020. It indicates that, since they are relevant to the defense of their rights within the framework of the PS / 240/2019, requests that this Sub-Directorate be sent copy of both documents. It requests that “ the suspension of the deadline for the issuance of the allegations to the Proposal for Resolution during the period between the present request and the referral of the reports to it requested. " The Deputy Director General of Inspection addresses the Deputy Director of the RGPD in writing signed on 04/08/2021 and gives you transfer of the letter sent by EQUIFAX for the purposes timely. On 04/09/2021, the written Inspection Sub-Directorate of the Deputy Director of the RGPD informing that on that date he has proceeded to transfer to EQUIFAX of the requested reports. Of the actions carried out in this procedure and of the documentation Obrante in the file, the following have been accredited: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 105 105/184 PROVEN FACTS FIRST: The documents that the claimants sent to this Agency with their claim or in a subsequent process, informing of the annotations for debts that appear in the FIJ on the date that appears in the corresponding document, linked to your personal data (name, surname and NIF; Name and surname; only NIF or, sometimes, some of those data combined with address). The information provided by the documents provided by the claimants on the annotations for debts linked to your personal data has been collected in the Second antecedent of this proposal. To said Second Antecedent, the information from the documents provided, indicating the date that appears on the informative document of EQUIFAX, the personal data that identifies the claimant, the date of registration of each entry, the source from which the information, the creditor Administration and, where appropriate, the amount of the debt and the concept of non-payment. Therefore, such information collected in the second Antecedent relative to the claimants constitutes a proven fact integrated into this First Proven Fact in which it is considered reproduced. SECOND: According to the documents in the administrative file related to the result of access to the FIJ that the claimants contributed to this Agency it has been verified that, after the date of entry into force of the LOPDGDD, on 12/07/2018, being the origin of the TEU-BOE information, they were given high annotations for alleged debts. These cases include those of claimants 9; 10; 15; 31; 77; 83; 87 and 89. THIRD According to the documents in the administrative file, the evidence that the identification of the interested parties carried out by the FIJ takes into consideration of the address data for lack of NIF. We refer to the assumptions raised by the complainants 18; 27; 27; 30 and 33, among others. Likewise, there are annotations for debts in which the date of registration of the annotation -in which EQUIFAX places the initial term for the computation of the maximum time of permanence of the data in the file, which is six years - it is after the date expiration date of the obligation. This is the case of claimant 18; 26; 29 among others. FOURTH: That, according to the documentation in the file, the FIJ reflected non-existent debts with respect to the claimants identified with the numbers 37; 38; 40; 41; 42; 48; 50; 52; 53; 54; 59; 62; 75 and 95. There are very many claimants that without providing documentation that proves it, they deny the existence of the debt that it appears in the FIJ. FIFTH: EQUIFAX affirms that the number of natural persons of those who existed in The FIJ data records active during the last six years is shown in the following two tables that it provides: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 106 106/184 -A table with the " average number " of natural persons who, in the period 2016-2021, featured in the FIJ: Year 2016: 4,624,312; year 2017: 4,879,391; year 2018: 4,940,225; year 2019: 4,657,196; year 2020: 4,183,445; year 2021: 3,826,436. - A table with the number of natural persons that have been included in the FIJ since on 05/25/2018: In the year 2018: 196,653; in 2019: 62,113; in 2020: 20,193 and in 2021: 2,358. The entity states that since 05/25/2018 a total of 282,037 natural persons and that most of the records that remain in the file are prior to the entry into force of the RGPD. SIXTH: EQUIFAX affirms, in response to the requested test, that the criteria that uses the FIJ to organize the personal data that are subject to treatment with the The purpose of their holders being duly identified, are the following: a) If only the NIF / NIE is published: then “it is verified whether on the date of publication, the NIF / NIE in question, is registered in the active information of the FIJ (excluding therefore the one that is blocked). Depending on the result obtained, different actions are carried out : " a´) If the identifier is already included in the FIJ associated with a name and surname, registers in the FIJ the new published information. a´´) If that identifier is not included in the FIJ, the recording of the registry is discarded . b) In the event that the name and surname and incomplete NIF / CIF are published: d skip the recording of the data in the FIX file c) Cases in which name + surname + address is published: It proceeds to the recording of the record in the FIJ file, associating both data. d) Cases in which only name + surname appears published: In this Of course, the recording of the data in the FIJ file is discarded . (The underlining is ours) " SEVENTH: EQUIFAX, in response to the question asked regarding the protocol that has been in place for the past six years to ensure that data personnel that incorporated the FIJ were duly updated, in all moment, it states the following: “To ensure that the data captured in the FIJ is up-to-date, Equifax is mainly based on: 1) Limitation of the sources from which the FIJ file is fed: as already reported in our previous writings, Equifax collects the information that is registered in the FIJ of the Official Gazettes published by the State, the Autonomous Communities, Provincial Councils. The exclusive use of this source guarantees that all the information that is collect is considered official and authentic as indicated in article 3.1 of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 107 107/184 Royal Decree 181/2008, of February 8, on the organization of the official gazette << Bulletin Official of the State >>. Therefore, the use of this source is, in our opinion, a guarantee that there are no doubts about the updating and veracity of the information incorporated into the FIJ. Newsletters are downloaded the same day they are published, so the information of the FIJ is updated on a daily basis with the information contained in the Bulletins. 2) Automatic information capture processes: downloading the newsletters and the subsequent registration of the data in the FIJ is done through automated processes thus avoiding possible errors from manual processes. For reading the data of the newsletters are used OCR reading processes that guarantee the correct reading and recording of the data published in the bulletins 3) Recording criteria: as we have indicated in the answer to the first request for information from the AEPD, Equifax has implemented criteria of specific recording and already detailed previously to that AEPD, in order to ensure that the holders are unequivocally identified for their inclusion in the FIX. These criteria guarantee that there is only data of holders duly identified 4) Notification of inclusion: this part has been making to the holders whose data have been collected since May 25, 2018, a specific notification of your inclusion in the FIJ, as a measure to guarantee the updating of the data. Said communications allow interested parties, in a free and simple way, check if indeed the data that have been published by the different Official bulletins that have been collected by my client contain some error. 5) Attention to Exercise of rights: by attending to claims of the holders in the exercise of their rights, the interested parties may, in accordance with provided for in the data protection regulations, know what data is included in the FIJ, for what purpose they are used, and, at all times, rectify, cancel, oppose and limit the processing of your personal data. " (The underlining is ours) EIGHTH: EQUIFAX affirms that during the validity of the LOPD it did not notify the affected the inclusion of their data in the FIJ, conduct that justifies the existence of " An express endorsement in this regard by the National High Court" that in numerous judgments -SSAN of 06/29/2001 (Rec. 1012/1999); 11/29/2001 (Rec. 531/2000) and of 02/27/2008 (Rec. 358/2006) - declared that the data protection contained in the LOPD, article 29.1., did not impose an obligation to notify the interested parties of the inclusion of their personal data in the FIJ. NINTH: EQUIFAX states that, after the entry into force of the RGPD, it has considered It is appropriate to notify the inclusion to those affected whose data were recorded in the FIJ. It also affirms that, since 05/25/2018, the sending out of a total of 509,470 notifications, which is broken down as follows (year / notifications sent): 2018: 339,436; 2019: 116,236; 2020: 47.3888; 2021: 6,407. It does not provide documentation that proves its manifestations, despite having requested expressly. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 108 108/184 TENTH: Regarding the total of notifications of inclusion that EQUIFAX claims to have sent to those affected, has reported those that were unsuccessful, broken down for the following return reasons: 01, wrong signs; 02, deceased; 03, unknown; 04, absent; 05, refused; 06, others; 07, insufficient address; 08, wrong address. Unsuccessful notifications for years: -. Year 2018 Total unsuccessful claims: 66,418. Of them, for reasons 01 and 03 a total of 61,182. -. Year 2019 . Total unsuccessful claims: 24,812. Of them, for reasons 01 and 03 a total of 22,797. -. Year 2020 Total unsuccessful claims: 9,673. Of them, for reasons 01 and 03 a total of 8,873. -. Year 2021. Total unsuccessful claims: 1. Reason 01: 1. It is found that reasons 01 and 03 represent more than 90% of the notifications unsuccessful. ELEVENTH: In the final version of the RAT corresponding to the FIJ that EQUIFAX has provided, point 8, "Information deletion periods ", reads as follows: " The information is accessible for 3 months and then is stored in a directory Linux in order to be able to work later with the data. Bliss The information, saved in “PDF” format, will be available for a period of 10 years from the date of publication, and this with the sole purpose of being able to attend the possible claims and respond to requests for information by the competent administrative body, as well as the courts and tribunals. " TWELFTH: In the document provided by EQUIFAX regarding the interest analysis prevalent (LIA, judicial file, 2019), in point 7, and in the section dedicated to the measures that it is proposed to implement, specifically regarding the guarantees of the principles of data protection, consists of the following: "1.1 Principle of purpose" "On the other hand, the principle of purpose includes the limitation of the subsequent uses of the data, since the RGPD prohibits in its article 5.1 a) the subsequent processing of the data for purposes incompatible with those that motivated its collection, although it exempts from this limitation the use of data for archiving purposes public interest or scientific or statistical research. " (The underlining is ours) "1.4. Principle of accuracy ”“ In compliance with this principle and given that the Edict publication only recognizes the existence of the obligation to satisfy the owed, but there is no additional information that allows to know effectively if that amount is owed at the time of notification of inclusion, a possible solution to this problem would be the limitation of very brief references to the aforementioned communications, and in the analyzed system this This requirement is met, as the term is reduced to the publications that have occurred in the last five months. However, this reduction does not allow us to fully bypass the risk derived from the treatment of these data, being able to see the qualification of a negatively interested by the fact of incorporating an edict notice referred to a debt already paid in the same way that it could be affected favorably the subject to whom a notification had been made with a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 109 109/184 seniority of more than five months and had not proceeded to pay the amount owed. " (The underlining is ours) THIRTEENTH: The Deputy Director General of the General Registry of the AEPD, in the Written response to the requested test, dated 02/10/2021, states that, in that date, the draft code of conduct presented by ASEDIE for its approval by the AEPD was in process, pending the report of the Legal Office of the AEPD, and that the aforementioned Association had not been transferred of any report issued on the draft code of conduct. FOURTEENTH: Work in the administrative file the response of the Secretariat General of AEBOE to the consultation of several claimants (among others the claimant 55) about whether it is lawful for your personal data to be collected, which appears in the notifications inserted in the BOE Notification Supplement, to incorporate them into a profit-making database in which it concludes: "In accordance with the foregoing, this State Agency considers that the reuse of personal data such as names, surnames, ID associated with debts, published in the BOE, that you. requests, it would not be a lawful treatment of personal data of those provided for in art. 6 of RGPD and, therefore, in accordance with the regulations both in Regulation (EU) 2016/679 as in Organic Law 3/2018, of December 5, they should not be subject to reuse by third parties. " FIFTEENTH: The defendant affirms that the net amount of the turnover of EQUIFAX IBÉRICA, as of 12/31/2019, amounted to € 42,259,655. Regarding the “ direct income in relation to the service of access to the FIJ provided to customers directly since 2015 ” reports these amounts: € 316,204 in 2015; € 291,950, in 2016; 289,854 in 2017; € 290,256 in 2018; € 269,415 in 2019 and € 1,734,763 in 2020. He makes three qualifications that affect the amounts he has provided. That can not determine what part of the price that customers who hire globally satisfy other services together with the FIJ should be imputed to the FIJ. That neither can break down of the direct income obtained which part corresponds to access to the FIJ to obtain information from legal entities. And that the direct income figure does not takes into account costs, as the entity lacks a system for allocating costs linked to each of the files it manages. FOUNDATIONS OF LAW I Competence The Director of the Spanish Agency is competent to resolve this procedure of Data Protection, in accordance with the provisions of article 58.2 of the RGPD and in articles 47 and 48.1 of the LOPDGDD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 110 110/184 II Applicable provisions The RGPD dedicates its article 5 to the principles that govern the processing of data personal, precept that provides: "1. The personal data will be: a) treated in a lawful, loyal and transparent manner in relation to the interested party ("lawfulness, loyalty and transparency ”); b) collected for specific, explicit and legitimate purposes, and will not be processed subsequently in a manner incompatible with said purposes; in accordance with article 89, section 1, the subsequent processing of personal data for archiving purposes in public interest, scientific and historical research purposes or statistical purposes are not deemed incompatible with the original purposes ("purpose limitation"); c) adequate, relevant and limited to what is necessary in relation to the purposes for which that they are processed ("data minimization"); d) accurate and, if necessary, up-to-date; all measures will be taken reasonable so that the personal data that are inaccurate with respect to the purposes for which they are processed ("accuracy"); e) maintained in a way that allows the identification of the interested parties during the longer than necessary for the purposes of processing personal data; the Personal data may be kept for longer periods provided that treat exclusively for archival purposes in the public interest, research purposes scientific or historical or statistical purposes, in accordance with article 89, paragraph 1, without prejudice to the application of the appropriate technical and organizational measures that imposes these Regulations in order to protect the rights and freedoms of the data subject ("limitation of the conservation period"); f) treated in such a way as to guarantee adequate data security personal data, including protection against unauthorized or illegal processing and against its loss, destruction or accidental damage, through the application of technical measures or appropriate organizational ("integrity and confidentiality"). Article 5 of the RGPD adds in its section 2 that " The person responsible for the treatment will be responsible for compliance with the provisions of section 1 and capable of prove it ("proactive responsibility") " Article 6.1. of the RGPD, under the heading " Legality of the treatment ", specifies the cases in which data processing is considered lawful: "1. The treatment will only be lawful if it complies with at least one of the following terms: a) the interested party gave their consent for the processing of their personal data for one or more specific purposes; b) the treatment is necessary for the execution of a contract in which the interested party is part of or for the application at his request of pre-contractual measures; c) the treatment is necessary for the fulfillment of a legal obligation applicable to the responsible for the treatment; d) the treatment is necessary to protect vital interests of the interested party or of another Physical person. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 111 111/184 e) the treatment is necessary for the fulfillment of a mission carried out in the interest public or in the exercise of public powers conferred on the data controller; f) the treatment is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that on said interests do not override the interests or fundamental rights and freedoms of the interested party who require the protection of personal data, in particular when the interested is a child. The provisions of letter f) of the first paragraph will not apply to the treatment carried out by public authorities in the exercise of their functions. [....] 4. When the treatment for a purpose other than that for which the data were collected personal data is not based on the consent of the interested party or on the Law of the Union or of the Member States that constitutes a necessary measure and proportional in a democratic society to safeguard the stated objectives in article 23, paragraph 1, the data controller, in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected initially personal data, will take into account, among other things: a) any relationship between the purposes for which the data was collected personal and the purposes of the planned further processing; b) the context in which the personal data was collected, in particular for what Regarding the relationship between the interested parties and the person responsible for the treatment; c) the nature of the personal data, specifically when categories are processed special personal data, in accordance with article 9, or personal data relating to convictions or criminal offenses, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization. " III Of the alleged nullity of this procedure. It is necessary to examine, first, the question relating to the invalidity of the sanctioning procedure that the respondent has repeatedly invoked, both in its two briefs of allegations to the commencement agreement - dated 02/19/2018 or earlier allegations to the commencement agreement and the one dated 01/24/2021 or allegations Complementary - as in the allegations to the proposed resolution. In particular, in the brief of allegations to the proposed resolution, it uses the concurrence of the causes of absolute nullity provided for in sections a) and e) of the Article 47.1 of the LPACAP and affirms that these defects of nullity have generated a material and real defenselessness since in addition to not being a violation merely formal has suffered a real and effective impairment of the right of defense, with the consequent damage. The following behaviors that relate in the letter your allegations to the proposal would have caused, in his opinion, the defects of nullity that he claims: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 112 112/184 to. The inclusion of the amount of the sanctions in the initiation agreement, which constitutes a defect of absolute nullity provided for in article 47.1.a) LPACAP. With this, it reiterates its allegations to the agreement to open the procedure in which argued that the procedure was invalid due to the defenselessness generated by having fixed in it the amount of the sanction instead of expressing only the limits of the possible sanction. That, due to this circumstance, the initiation agreement exceeded of the legally foreseen content, violated article 68 of the LOPDGDD, and it was seen affected the impartiality of the investigating body, which it knew before starting the procedure the criterion of the body to which the file must be submitted, in clear breach of the principle of separation of the investigation and sanction phase (article 63.1 of LPACAP). It also considered in these allegations that the rules of article 85 of the LPACAP were not applicable to the present case but to the cases in which the norm sanctioning system imposes a fine of a fixed and objective nature and that the application had made this precept in the initial agreement did not respect its literal wording, according to which the amount of the pecuniary sanction may be determined “ beginning on sanctioning procedure ”, for which, he affirms, it would be assimilating“ the act itself of initiation with the fact that the procedure is initiated ”. As stated in the proposed resolution, this Agency cannot share the position of the defendant that the sanctions have been included in the initiation agreement that could correspond for the imputed infractions is determinant of defenselessness or supposes a breakdown of the principle of separation of the instruction and resolution; on the contrary, this fulfills the requirements provided for in articles 64.2 and 68 LPACAP. It cannot be ignored either that article 85 of the LPACAP -which contemplates the possibility of applying reductions on the amount of the sanction in the event that the offender recognizes his responsibility and in case of voluntary payment of the sanction- obliges to determine these reductions in the notification of the agreement to initiate the procedure, which necessarily implies that the amount of the sanction corresponding to the imputed facts. On the other hand, compared to what was expressed by the complainant, article 85 of the LPACAP does not It provides that the amount of the sanction will be determined once the procedure has begun . Rather, it is the recognition of responsibility and voluntary payment of the sanction what has to occur after that moment and not the fixation of the amount of the penalty. EQUIFAX considers that this interpretation of the AEPD - according to which "the determination of the amount of the sanction and the consequent evaluation of the circumstances the case comes from [...] what is established in article 85 LPACAP ”- it is contrary to the Spanish Constitution since, it says, violates the protection of the rights of fundamental factors that are granted through it and that the “ efficiency that could be followed with the determination of the amount of the sanction in the initiation agreement never could justify the violation of the fundamental rights of the accused that such an act situation entails ”. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 113 113/184 In addition to what has already been stated in the proposal phase, the AEPD understands that the interpretation The literal interpretation of the precept that he has been doing is congruent with the provisions of the different sections of the article and that it is not up to this body to rule on on the alleged unconstitutionality of this legal provision. On the other hand, the Chamber of the Administrative Litigation of the National High Court has resolved numerous courses against AEPD resolutions issued in procedures whose agreement to The beginning set, as in this one, the amount of the penalties, without having been raised by the appellants or by the Court the controversy over the interpretation and application of the rule that the claimed raises. On the alleged breach of the principle of separation of the phases of investigation and resolution derived from having established the adjudicatory body in the agreement to initiate the size of the sanction, thus conditioning the independence of the instructor, it does not seem that In the assumption that concerns us, the conditioning of the insti- tructor referred to by the claimed. b. The violation by the AEPD of the rules that regulate the procedure sanctioner regarding the protection of personal data and " the consequent expiration at the end of the procedure ” , which entails a defect of nullity of the article 47.1.e) LPACAP. EQUIFAX maintains that the AEPD has totally and completely dispensed with the procedure to legally established in articles 64 and 67 of the LOPDGDD and has incurred a abandonment of the powers attributed to it by the LOPDGDD and the RGPD. Let- tion that has caused damage " because it has been considered by the AEPD as an aggravating circumstance of the type the continuing nature of the alleged infringement during the period in which that AEPD declined to carry out any infringement against Equifax ”. Regarding the procedure, it transcribes articles 64.2 and 67 of the LOPDGDD and says that from these provisions it is unequivocally deduced that the LOPDGDD, by ra- areas of legal security for the company, has established a procedure for frozen and with clearly marked time limits ”. Consider, therefore, that The admission for processing of the claim must be followed without solution of continuity within three months; the optional performance of investigative actions for a maximum period of twelve months and the opening of a sanctioning procedure. dor. It thus affirms that the admission for processing of a claim by the AEPD su- recognizes the existence of indications of violation of the regulations of data protection and this should imply - argues EQUIFAX - that they are carried out prior investigation actions or, if you consider that the infringement is manifest, as appears to be the case in the present case, that it proceed immediately to the opening of the sanctioning procedure. In view of the foregoing, the respondent draws the “ obvious consequence ” that if the first claim was admitted on May 30, 2019 and the AEPD decided not to carry out carry out investigative actions "the Agreement to initiate this procedure should be from that date, so, being the maximum duration of the procedure of nine months, the resolution [...] should have been issued on March 2, 2020 ”. Y C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 114 114/184 adds: “ In this way, the AEPD issued the Initiation Agreement long after the date on which it should have issued a resolution if it had complied with the specific requirements established in the data protection regulations, with which all actions they should be considered expired. " (The underlining is ours) It also refers to the situation of "inactivity" in which the AEPD estimates incurred in in relation to the claims that were filed against EQUIFAX related to the FIJ. He supports this conclusion in that of the 97 claims (96, since the claims are repeated 3 and 27) admitted to EQUIFAX, only some of the they; in which, although all were admitted for processing, some were “ without a minimum legal reasoning ”; in which the first claim (claimant 25) entered the AEPD on 05/30/2019 and in which the AEPD did not carry out investigative actions prior, for which, he affirms, from the admission to processing of the claims until the the Agency dictates the agreement to initiate the sanctioning procedure that concerns us, the 07/24/2020, did not take any other action. The procedures carried out by this Agency to which the complainant refers must see with the process of admission of the claims received, which included to some of them the transfer of the claim letter to the person in charge prior to the agreement of the AEPD of its admission for processing. In accordance with the provisions of article 55 of the RGPD, the AEPD is competent to perform the functions assigned to it in its article 57, including that of enforce the Regulation and promote the awareness of those responsible and processors about their obligations, as well as deal with claims submitted by an interested party and make the necessary relevant research. Correlatively, article 31 of the RGPD establishes the obligation of those responsible and those in charge of the treatment to cooperate with the control authority that requests it in the performance of their duties. In the event that they have designated a data protection officer, article 39 of the RGPD attributes to him the function of cooperate with said authority. Article 65.4 of the LOPDGDD has provided a mechanism prior to admission to processing of claims made before the AEPD which consists of giving transfer of them to the data protection delegates designated by the responsible or in charge of the treatment, for the purposes provided in article 37 of the aforementioned norm, or to these when they have not been designated, so that they analysis of said claims and to respond to them within a month. It is about of an optional procedure , so that this transfer is carried out if the AEPD so esteem. In accordance with these regulations, prior to the admission for processing of the claims that give rise to the present procedure, the defendant was notified of some of the claims received so that it could proceed to its analysis, give response to this Agency within a month and will certify having provided the complainant the proper response. The result of said transfer was not satisfactory, therefore, for the intended purposes C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 115 115/184 In its article 64.2 of the LOPDGDD, it was agreed to admit the claims for processing presented through agreements that were duly notified to the claimants and not the one claimed, in accordance with the provisions of article 65.5 of the LOPDGDD. The defendant affirmed in her allegations to the initial agreement that the preliminary phase of investigation remained open for more than sixteen months without conducting any activity. In this regard, we must emphasize that the opening of a preliminary phase of The investigation is optional in accordance with article 67 of the LOPDGDD. No legal consequence can be attributed to the time elapsed between the admission to processing of claims and the opening of the procedure, as there is no no rule that limits the time available to the Administration to initiate this type of procedures beyond the prescription rule and the effects attribute. The defendant draws attention to the inactivity of the AEPD which, in her opinion, is reveals in the time elapsed between the receipt of a claim and the opening of the sanctioning procedure. In relation to claimant 25, whose claim entered the AEPD on 05/30/2019, considers that, since it was decided not to transfer the claim or open preliminary investigation proceedings, it should the agreement to open the sanctioning file has been issued in that same date, 05/30/2019, so the resolution should have fallen on 03/02/2020, several months before the Agency agreed to open the sanctioning procedure that occupies us. EQUIFAX understands that this unjustified inactivity results in the expiration of the present procedure , given that the term to resolve would be expired in the same date the initiation agreement was issued. In this sense, it considers that Articles 64.2 and 67 of the LOPDGDD establish three successive phases without solution of continuity (admission for processing, preliminary investigation actions and opening of the sanctioning procedure), each of them with marked time limits, so that, if you choose not to carry out prior investigative actions, once admitted for processing the claim must proceed immediately to the opening of the sanctioning procedure. This approach of the defendant is not admissible. It should be noted that no There is no rule applicable to the sanctioning procedure in matters of protection of personal data that establishes a preclusive period to agree to its opening. What the expiration period of this procedure, established in nine months, is computed from the date on which its start is agreed, so it is inappropriate to add to that computation, in order to measure the duration of the administrative file, another period, such such as the time of the preliminary investigation actions, in the event that had agreed to carry it out, or, in this case, the time corresponding to the phase of admission to processing of the presented claims. This has been repeatedly stated by our Supreme Court. In Judgment of 10/21/2015 cites the Judgment of 12/26/2007 (appeal 1907/2005), which declares the following: “[…] The term of the procedure […] is counted from the initiation of the file sanctioner, which obviously excludes information time from the computation C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 116 116/184 reserved ";" […] The longer or shorter duration of the preliminary phase does not entail the expiration of the subsequent procedure ". Also in Judgment of the Supreme Court of 10/13/2011 (resource 3987/2008) that examines a ground of appeal relating to the computation of the expiration period of the procedure, the following is declared: “We cannot share the reasoning presented by the Court of Instance to establish a dies a quo different from that established by law, indicating as the initial date of the computed the day after the completion of the preliminary information proceedings. […] Well, once these previous actions have been carried out, the time it takes for the Administration in agreeing to initiate the procedure […] may have the Consequences that proceed as regards the calculation of the prescription (extinction of the right); but it cannot be taken into consideration for expiration purposes, since This figure is intended to ensure that once the procedure has begun, the Administration does not exceed the time available to resolve. On the foundation third of the sentence under appeal, the Court of Instance makes an interpretation of the norm that is not in accordance with the nature of the institution of expiration, since difference from the prescription, which is cause of extinction of the right or of the responsibility in question, expiration is a mode of termination of the procedure for the course of the period set in the norm, so its appreciation does not prevent, if the period established for the prescription of the action has not elapsed of restoration of urban legality by the Administration, the initiation of a new procedure ”. Explaining the alleged inactivity of the AEPD, it cannot even be considered that that period to which the claimed refers, which includes the time elapsed between the admission for processing of the claimant's claim 25 and the opening of the procedure that concerns us, is a period of inactivity of this Agency, given that during that time the admission procedures of the rest of the claims. c. Among the conducts that would have vitiated the radical nullity of the procedure that We are concerned with the claim mentioned the " main circumstances " that have been produced during the processing, the overview of which shows that the procedure has been processed with a complete and repeated undermining of the rights granted within the framework of the administrative sanctioning procedure paragraphs 1 and 2 of article 53 of the LPACAP and for this purpose it refers to the following circumstances: 1 No investigative actions were carried out prior to the opening of the agreement to initiate the sanctioning procedure. 2.Delay in the submission of the copy of the administrative file: it is received by the the penultimate day of the ordinary period granted to allege, although it is granted for the AEPD the extension of the term for the maximum legally allowed, five days, and in Consequently, he receives it with only six days remaining to issue his pleading brief. tions. Remember that the file forwarded had an extension of 2,974 pages. 3.On 12/23/2020, the AEPD sends you a letter stating that “ it has been verified that that, unfortunately, an incident of a technical nature curtailed part of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 117 117/184 documentation that was part of the administrative file ” . It says that in the aforementioned writing It is not granted a period of allegations since it was limited to indicating that the instructor did not would proceed to the opening of the test phase until at least ten days have elapsed working hours computed from the date of notification of the writing. He adds: “ All this without any reference to the principle of integrity of the electronic administrative file sacred by article 70.3 of the LPACAP ”. 4. “ The aforementioned file turned out to be increased to 4,319 (that is, an ex- voltage higher by more than 45% than that of the file originally submitted), which which motivated my client to expressly request the granting of a period for the issuance of allegations and that the term for this be extended. The AEPD was limited to res- ponder said request indicating the specific date on which it would agree to open the petition. trial period, but without expressly granting my client any period to allegations. " (The underlining is ours) 5.The test phase does not start until 01/20/2021, when almost six months from the opening of the initiation agreement. 6.The proposed resolution is notified to EQUIFAX on 03/29/2021. In it, the two im- initial putations, contained in the initiation agreement, are expanded with three new fractions “ without any of them having resulted from obtaining information any additional charge that could have justified this triple charge ”. Warn no we are before a new legal classification of the infractions but before three new infractions added by the AEPD “ [...] in the last step of the procedure, three new accusations on a legal basis that could have been used in his integrity at the time the Initiation Agreement is issued ”. 7.That, in accordance with the changes introduced with the proposed resolution, it was requested, under the protection of article 32.1 LPACAP, the extension of the period of allegations by the maximum legally allowed (five days). However, " the AEPD limits said expansion within a single day in view of the evident risk of expiration of the procedure ”. It states that “ In this way, it seems to deny my client a right that the law granted as a consequence of the delay in the processing of the sole procedure- attributable to the actions of that AEPD, which in no case should result in to the detriment of the Administrator. " (The underlining is ours) Regarding what was indicated by the complainant in point 1, we refer to the considerations made in section b) above. Regarding the statement contained in point 4, according to which the documentation that it was not sent to EQUIFAX on 08/12/2020 it represented “ more than 45%” of the file It should be noted that it incurs a numerical error, since the folios that the file not incorporated into the requested copy accounted for slightly less than 33% of the documentation that integrated it. For the rest, the circumstances that the respondent details in her allegations to the motion for a resolution, in particular what is indicated in points 2, 3 and 4, were also raised in its two briefs of allegations to the initiation agreement. Invoked then the helplessness suffered as a result of having seen limited and ostensibly reduced their ability to make “ complete and informed ” against the agreement to initiate the disciplinary proceedings. In its second brief of allegations to the opening agreement, it requested that it be declared the nullity of full right of the administrative sanctioning procedure whenever C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 118 118/184 the actions of the AEPD violated his right of defense. He then stated that had violated articles 65.2.f) and 89.1 of the LPACAP because “ the process of hearing of the interested parties and the right of the applicant to formulate allegations, in view of the administrative file, are configured as a guarantee essential of the procedure, being the reflection in the administrative procedure sanctioner of the right to effective judicial protection that assists the accused. " The omission of the hearing process would have materialized, in his opinion, in these behaviors: On the one hand, in that he could not have a real knowledge of the file except with the scope of which he was notified before he made his allegations to the agreement of beginning. That four months after submitting his allegations to the initiation agreement, the AEPD sent him a full copy of the file that stated manifest that in the first copy received, more than 30 percent of the file, without there being any correlation between the indices of the two copies. For other, The omission of the hearing process was specified in his understanding that the AEPD, in the writing that notified him on 12/23/2020, did not give him a period to make allegations to the starting agreement but, says the entity, "[...] the concession or grace consisting of delay the start of the trial period for a period of ten days from the date of delivery of the aforementioned "completed" or "supplemented" file. On the questions then raised by EQUIFAX, various Clarifications in the motion for a resolution regarding certain factual elements to which the entity alluded when it based its request for the radical nullity of the administrative Procedure. One of the clarifications was about the electronic file that the AEPD has implemented, which guarantees the authenticity and integrity of the documentation and that reflects all the actions carried out in a given procedure and all the documentation that integrates it. In the electronic file, the computer system orders the documents and procedures carried out exclusively following a chronological criterion. It's own system that generates or makes the copy of the file, so that this This circumstance, together with the extraordinary volume of the file, made that, in the generated to respond to the transfer requested by the claimed on 08/03/2020, no would have detected that not all of the documentation that integrated. The fact that the 1,435 documents omitted in the first copy appear in the copy transferred to the one claimed in December 2020 interspersed with the previous ones, with the consequence that the index initially provided looked also altered, it was the result, exclusively, of the chronological criterion that the computer system to order documentation. The second precision was related to the statement made by EQUIFAX of that the AEPD did not grant him a period to formulate additional allegations to the initiation agreement once she had access to the full copy of the file administrative. We refer in this regard to Background Eight, Ninth and Tenth in which the " iter" of the events is detailed . The Eighth Antecedent refers to the letter that the instructor sent to the complainant on 12/23/2020 in the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 119 119/184 that, in addition to informing you that on that date a CD, encrypted, with the complete copy of the administrative file, he communicated the following: “In order to guarantee that EQUIFAX can, once it has at its disposal all the documentation that served as the basis for this Agency for the adoption of the agreement initiation of the sanctioning file PS / 000240/2019, make the allegations and provide the documentation that it deems pertinent, the investigator of the file will not proceed to the opening of the trial phase until at least ten business days have elapsed computed from the date of notification of this writing, if the notification were after December 28, 2020. If the notification of this communication were prior to December 28, the ten business days will be counted from that date, for be on this date that, ultimately, the courier company has guaranteed to deliver the shipment containing the CD with the documentation alluded to. " (The underlining is ours) The letter dated 12/23/2020 that was notified to the respondent emphasized that, once that he had in his possession the complete copy of the administrative file, the procedure to To continue was "to make allegations and provide the documentation that it deems pertinent", to what was necessary a period of time in which the procedure did not You will advance to the next phase, the testing phase. Materially what was granted to the claimed in the aforementioned brief was a deadline to allege, regardless of whether the expression was formally inappropriate. The same conviction of respect for the right of the respondent to make allegations, is reflected in the response to his request that the opening of the trial phase of the sanctioning procedure. In the writing of the instructor of response to your request for an extension of the term to allege, dated 01/13/2021, received by the complainant on 01/14/2021, it was indicated: "Without prejudice to the provisions of article 76.1 of Law 39/2015, of the Procedure Common Administration of Public Administrations (LPACAP), with the same purpose of guaranteeing the legitimate right of defense of EQUIFAX that inspired the writing that was sent to that entity by the investigator of the file on 12/23/2020, you are informed that the evidentiary phase of the procedure until expired on 01/15/2021. " (The underlining is ours) It was also recalled - we refer to Antecedent Tenth, section I - that, having note that GEISER's acknowledgment, regarding the presentation by EQUIFAX in the electronic headquarters of the AEPD on 01/20/2021 of a document of allegations complementary to the initiation agreement PS 240/2019, indicated that no incorporated neither that document nor any other, various steps were taken to alert the respondent of what happened and prevent the presentation of their complementary allegations to the commencement agreement, until finally, on the date 01/24/2021, it was recorded in the acknowledgment of presentation of GEISER that the The claim was attached to the aforementioned brief of allegations. The legal effect that the respondent attributed then (in its allegations to the agreement of beginning) and continues to attribute to the facts presented, is the absolute nullity of the administrative procedure, under article 47.1. LPACAP, precept that has: "The acts of the Public Administrations are null and void in the cases following: [...] C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 120 120/184 a) Those that infringe rights and freedoms subject to constitutional protection [...] e) The dictates totally and absolutely disregarding the legal procedure established or the norms that contain the essential rules for the formation of the will of the collegiate bodies. " As stated in the proposal brief, taking into consideration the formalities followed in the procedure, procedures described in the Background and, in particular, For what is of interest here, in the Fifth to Tenth Background, it is necessary to reject the thesis of the respondent that there had been a " total " and " absolute " omission of the procedural rules. If there was a delay by the AEPD in delivering the copy of the file that, in words of the defendant, assumed that the period for allegations would be reduced to six business days, it was due to the volume of the file that prevented a notification electronics; but this circumstance cannot make us forget that the entity left one business day has elapsed since the initiation agreement was notified, on 07/30/2020, and until he requested the Agency, on 08/03/2020, to send a copy of the file. Nor can it be forgotten that both with respect to his initial allegations, 08/19/2020, as with the complementary allegations, the Agency has always agreed the extension of term requested. On the other hand, although the entity argues that, as As a consequence of the reduction in available time, it has been ostensibly limited their ability to make “ complete and informed” allegations against the agreement to initiate the sanctioning file, nothing prevented him from having completed his allegations in what it deems appropriate after the expiration of such term, according to to the provisions of article 76 of the LPCAP, which it did not do. It was added that EQUIFAX could have formulated in the second brief of allegations to the commencement agreement, dated 01/24/2021, those " complete and informed " allegations of which, she says, she was forced to do without due to lack of time, especially when she herself had recognized that there were no substantial differences between claims that made up the copy of the file initially sent and the 42 Omitted claims whose documentation could be accessed on 12/24/2020 -if We abide by what is indicated in the acknowledgment of receipt from the MRV company that works in the file- or on 12/28/2020 -according to one of the entity's versions- or in date 12/26/2020 -according to another of its versions-. As indicated then, it was enough to go to the supplementary allegations brief of EQUIFAX to verify that in it the entity was limited to ratifying its allegations to the initiation agreement presented on 08/19/2020; to do an analysis of the 42 claims omitted based on the same categories that he had differentiated in his first brief of allegations and, mainly, to argue his claim that The nullity of the procedure will be declared for being flawed of absolute nullity. Ultimately, the claim of the defendant that there had been produced a total and absolute omission of the legally established procedure -which is the presupposition of the rule of article 47.1.e) LPACAP whose application invokes consequently, the procedure was flawed with radical nullity. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 121 121/184 This Agency responded with a mention of the SAN, Contentious Chamber Administrative, Section 1, of 03/08/2019 (resource 20/2018), FJ Fourth, which reflects the position that the Supreme Court maintains on the matter: "[...] When a procedural step has been omitted, but it has not been totally dispensed with and absolutely of the legally foreseen procedure, we find the possibility that the act may be voidable in accordance with art. 48.2 of the Law 39/2015, of October 1, although in this case only the declaration of voidability if the act lacks the formal requirements essential to achieve its end or if it has produced helplessness to the interested parties, as already noted. However, there is no defenselessness for these purposes, as stated in the Judgment of the Supreme Court of October 11, 2012 - appeal no. 408/2010 -, "yes the interested party has been able to allege and prove in the file how much he has considered timely in defense of their rights and position assumed, as well as appeal in replacement, doctrine that is based on article 24.1 CE, if it was done within the file the allegations it deemed appropriate "(STS February 27, 1991)," if it exercised, in purpose, all proceeding resources, both administrative and jurisdictional " (S.TS. of July 20, 1992). (The underlining is ours) Therefore, "if the interested party in an administrative or contentious-administrative appeal you have had the opportunity to defend yourself and assert your views, you can It should be understood that the omission has been corrected and becomes irrelevant for the real interests of the appellant and for the objectivity of the control of the Administration, reconciling the constitutional prohibition of defenselessness with the advantages of principle of procedural economy that complements the first without opposing it at all to the same and that excludes useless procedural actions for the purposes of the procedure " (SS.TS. of July 6, 1988 and June 17, 1991). In addition, the judgment of the High Court of October 11, 2012 also declares that "If despite the procedural omission, the trial Court has the sufficient evidence to form a conviction that serves to decide correctly the contest, must go on to analyze and judge the merits of the matter "; and This is so "because the theory of the nullity of administrative acts has to be applied with parsimony, being necessary always to weigh the effect produced by the cause determinant of disability and the consequences that would have followed from the correct governing procedure of the actions that are declared void "(S.TS. of July 20 of 1992), since "it is evident that if the guarantee of the administered Indeed, it is not necessary to decree nullities if they only serve to delay the resolution of the substantive issue "(SS.TS. of June 14, 1985, July and November 16, 1987 and July 22, 1988). In summary, the Supreme Court concludes that "the vice of form or procedure does not is invalidating in itself, but insofar as the assumptions that the act lacks the essential requirements to achieve its purpose or gives rise to the defenselessness of the interested parties [...] ”. Regarding the claim to declare the nullity of the procedure to the protection of article 47.1.a) LPACAP, for violation of the right of the right to defense and the procedural guarantees that the jurisprudence frames in the article 24.2 of the Constitution, based on the factual clarifications that have been made C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 122 122/184 to what is invoked by EQUIFAX, we must adhere to the criteria set by the jurisprudence when interpreting the scope of the aforementioned LPACAP provision. The jurisprudential doctrine on the matter requires that, in any case, produced an effective and real injury to the right whose violation is invoked. Although the defendant affirms that she has suffered a real and effective impairment of her right defense, the truth is that this injury is not proven every time it has been exercise your right of defense by formulating your pleadings within the terms granted for this purpose. We refer on the matter to STC 78/1999, of 26 April, in which Legal Basis 2, states: “Thus, according to reiterated constitutional doctrine that is synthesized in the foundation legal 3 of the STC 62/1998, "the estimation of an appeal for protection by the existence of infractions of the procedural norms' does not simply result from the appreciation of the possible violation of the right due to the existence of a defect procedural more or less serious, but it is necessary to prove the effective concurrence of a state of material or real defenselessness' (STC 126/1991, legal basis 5; STC 290/1993, legal basis 4). So that helplessness can be estimated with constitutional relevance, which places the interested party outside of any possibility of allege and defend your rights in the process, a violation is not enough merely formal, it being necessary that a formal offense derive an effect defenseless material, an effective and real impairment of the right of defense (STC 149/1998, legal basis 3), with the consequent real and effective damage to the affected stakeholders (SSTC 155/1988, 4th legal basis, and 112/1989, 2nd legal basis) ". (The underlining is ours) Finally, it remains to respond to the two behaviors outlined by the claimed in the points 6 and 7 as determinants of the nullity of the procedure. The first one, the extension of the object of the sanctioning procedure in the motion for a resolution - every time three new infractions, of articles 5.1. b), 5.1.c) and 14 of the RGPD, which were added to the two provided for in the opening agreement, article 6.1., in relation to 5.1.a, RGPD and the 5.1.d) RGPD- which will be the subject of an independent analysis in the following section. Regarding the behavior described in point 7, the following is indicated. The claimed has stated that, in accordance with the changes introduced with the motion for a resolution, requested, under article 32.1 LPACAP, the extension of the period of allegations for the maximum legally allowed (five days), but the Agency limited such broad- within a single day, in view of the obvious risk of expiration of the procedure. ment, so that “ In this way, it seems to deny my client a right that law grants it as a consequence of the delay in the processing of the single procedure attributable to the actions of that AEPD, which in no case should result in to the detriment of the Administrator. " (The underlining is ours). Article 32 LPACAP provides that “ 1. The Administration, unless otherwise provided, may grant ex officio or at the request of the interested parties, an extension of the deadlines established, which does not exceed half of them, if the circumstances advise and with this third party rights are not impaired. The extension agreement it must be notified to the interested parties. " (The underlining is ours). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 123 123/184 This Agency estimates that, while Article 32 LPACAP specifies the power of attorney vo that the Administration has to agree on the extension of the procedural deadlines, the not having granted EQUIFAX the requested extension of the term, taking into account that their request was responded to, denying it, before the end of the period to formulate allegations awards granted initially, may not entail an infringement of the right to defend sa of the claimed or an infringement of the rules of administrative procedure, even less can it imply that this decision would have completely dispensed with and absolute (article 47.1.e) of the rules that regulate the procedure. d. The fourth reason that in the opinion of the claimed defect of radical nullity the sanctioning procedure is the defenselessness that has been generated by being deprived of the “Right to know the specific accusations directed against her and her defense rights and provision of evidence pertinent to their right, enshrined in article 24.2 of the Constitution as a manifestation of the right to effective judicial protection. " Void of nullity that would be a consequence of the motion for a resolution expanding the object of the procedure and in it the defendant was imputed, in addition to the two fractions of the RGPD established in the initiation agreement (articles 6.1 and 5.1.d) three new infractions, of articles 5.1. b), 5.1.c) and 14 of the RGPD. In his opinion, such conduct is not covered by the regulations governing the procedure. administrative procedure in general or, in particular, in that of the procedure in matters of data protection. Considers that, in light of articles 89.3 and 90.2 LPACAP, it is concluded that it is exclusive sively the initiation agreement, which establishes the limits on which it may be carried out the final qualification in the resolution proposal. That the proposed re The solution cannot make new imputations, but only modify the initial qualification cial made in the initiation agreement, making an imputation or imposing a sanction more serious than that established in the opening agreement. And that the additional charges they would require the processing of a new procedure. In the matter at hand, the facts prosecuted were classified in the agreement of initiation of the sanctioning proceedings as constituting both infractions of the Articles 6.1, in relation to 5.1.a) of the RGPD and 5.1.d) RGPD, infractions both typified in article 83.5 RGPD and qualified by the LOPDGDD, for the purposes of prescription, of very serious infractions. At the resolution proposal phase, it was considered necessary to broaden the purpose of the procedure on the basis of the facts that had been detailed in the agreement of opening and impute to EQUIFAX, in addition to the infractions of the Regulation established in said agreement, each infringement of articles 5.1.b) RGPD, 5.1.c) RGPD and 14 RGPD, all typified in article 83.5 of the Regulation and qualified by the LOPDGDD, for prescription purposes, of very serious offenses. Regarding whether or not it is appropriate to extend the legal qualification in the proposal phase of the facts set forth in the Initiation agreement and the incidence that such a change may have in the right of defense of the denounced entity, it should be noted that nothing C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 124 124/184 prevents this modification as long as, as is now the case, it remains The facts on which the allegation made is based can invariable. The first of the rights that article 53.2 of the LPACAP recognizes in favor of the responsible subject in the sanctioning procedure is the one who is notified of the facts that are imputed to him; the infractions that such facts may constitute and the sanctions that, if applicable, could be imposed on them. The Constitutional Court has been stating that “ the essential content of the right to be informed of the accusation refers to the facts considered punishable by the accused ” (STC 95/1995). Unlike what happens With the facts, the Constitutional Court (TC) in Sentence 145/1993 warns that the communication to the alleged offender of the legal qualification and the eventual sanction to imposing does not integrate the essential content of the right to be informed of the accusation. To such an extent it is important to make known the facts constituting the administrative offense, which the TC has declared that the requirements of article 24.2 of the EC are basically satisfied with the mere communication of the facts accused to be able to defend themselves against them (STC 2/1987 and 190/1987). In this line the Supreme Court, Judgment of March 3, 2004, indicates that “ the purpose The primary part of the initiation agreement is to report on the alleged facts and not on the legal qualification, which will be in charge of the resolution proposal ”. (The underline is from the AEPD). The respondent considers it legally inadmissible that in the proposed resolution the object of the procedure could be broadened and affirms that this possibility is proscribed in the LPACAP and not even allowed during the term of REPEPOS that only allowed to change the qualification in the resolution proposal process legal of the facts. For these purposes we have to bring up the SAN of 03/12/2016 (resource 312/2014). The second Law Foundation begins by reflecting the questions raised by the plaintiff that affect the sanctioning procedure, among which alleges “ the infringement of the principles that inform the sanctioning law and, specifically, of the principle of "reformatio in peius", alluding to the fact that although the procedure was on the occasion of an infringement of art. 5.1 of the LOPD, classified as mild, and another of the art. 6 of said norm, considered serious, the proposed resolution altered the legal qualification, appreciating two infractions of art. 6 of the LOPD, qualified as serious, and an infringement of art. 5.4 of the indicated standard, also qualified as serious. [...] " The SAN responds to the question raised by the plaintiff in the following terms: “As a result of what was raised by the plaintiff, it is convenient to reflect the cons- constitutional law and jurisprudence on the scope of the right of those sanctioned to be formed from the accusation during the processing of the administrative sanction procedure. the sanctioning body and the limits to be respected by the sanctioning body in the exercise of its sanctioning power to safeguard the right of defense of the former. The inspiring principles of the criminal order are applicable, with certain nuances, to the Administrative sanctioning law, since both are manifestations of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 125 125/184 punitive order of the State, as reflected in the Constitution, a repeated jurisprudence of our Supreme Court and the doctrine of the Constitutional Court (In this sense, Judgments of the Supreme Court of April 28, 2014 -recourse no. 364/2013 -, and of April 9, 2014 - appeal no. 212/2013 -, among others) [... For its part, the Supreme Court has also established that some of the guarantees applicable to the administrative sanctioning procedure derived from the right to defense recognized in art. 24 of the Constitution is to be informed of the accusation to be able to defend itself adequately, as established in the Judgment of the Supreme Court of November 3, 2003 - appeal no. 4,896 / 2000 -, whose doctrine is reiterated in the Judgments of said Court of May 21, 2014 -resource n. 492/2013 -, and of October 30, 2013 - appeal no. 2,184 / 2012-, in the following terms: "Well, from the doctrine of the Constitutional Court and the The jurisprudence of this Chamber should highlight the following principles: a) [...] In relation to this transfer operation of the guarantees of art. 24 CE to administrative sanctioning procedure [...], has been progressively elaborated in numerous resolutions a consolidated constitutional doctrine, which cites as applicable, without the intention of being exhaustive, the right of defense, which proscribes any helplessness; the right to be informed of the accusation, with the inescapable consequence of the inalterability of the imputed facts; the right to presumption of innocence, [...] b) Among the guarantees applicable to the administrative sanctioning procedure are: he finds, of course, that of being informed of the accusation in order to be able to defend himself adequately; and such information includes the attributed facts, the qualification legal status of the same and the sanction that is proposed. Now the strict correlation between accusation and decision refers to the facts and not so much to the legal qualification, inasmuch as the facts being charged remain unaltered, the proposal of resolution and, ultimately, the sanctioning decision may use another title of sentence with two limits: the impossibility of including it in said resolution of the procedure a legal qualification of greater gravity than that reflected in the communication of charges addressed to whoever is subjected to the sanctioning file, and the impossibility of assessing in the resolution a legal qualification different from the communicated if there is heterogeneity in the protected legal assets or if the definitely considered infraction incorporates some element of the type that does not corresponds to the one that was notified and about which the sanctioned person has not had, in consequence, defense opportunity. And there is no variation of the facts between the statement of charges, the proposed resolution and the sanctioning decision when, Although the terms used are not exactly the same, they are similar and what There is a different technical-legal assessment of them (Cf. SSTC 98/1989 and 145/1993). " (The underlining is from the AEPD) This same criterion has been maintained by the AN after the entry into force of the LPACAP. This is confirmed by the SAN of 02/07/2020 (resource 915/2018) in which the resolution of the The contested AEPD had been issued during the validity of that regulation of process. Finally, in line with what was stated by the defendant who states that the expansion of the object of the procedure at the proposal stage has impaired their right to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 126 126/184 defense, having been deprived of the possibility of providing the evidence that considered appropriate for the legitimate exercise of their right, it should be remembered that the Article 82 LPACAP, which regulates the hearing procedure, provides in section 2: "The interested parties, within a period of no less than ten days or more than fifteen, may allege and present the documents and justifications that they deem pertinent. " Therefore, in view of what has been stated in sections a) to d) precedents, in which the reasons that in the opinion of the claimed would determine the radical nullity of the present procedure by concurring the circumstances of article 47.1.a) and e) LPACAP, we consider that such a claim must be be rejected. IV Of the presumed recognition by the AEPD of the legality of the FIJ during the validity of the legal regime prior to the RGPD and the legal effects that in the opinion of the claimed stem from him. 1. Reference to the legal regime prior to the RGPD. Organic Law 15/1999, of December 13, on the protection of personal data (LOPD), which transposed Directive 95/46 / CE, of the European Parliament and of the Council, of 10/24/1995, established in article 6: " 1. The processing of personal data will require consent unequivocal of the affected, unless the law provides otherwise. 2. Consent will not be required when personal data is collected for the exercise of the functions of public administrations in the field of its powers; [...] or when the data appear in sources accessible to the public and its treatment is necessary for the satisfaction of the legitimate interest pursued by the responsible for the file or that of the third party to whom the data is communicated, always that the fundamental rights and freedoms of the interested party are not violated. " In turn, article 3 of the LOPD defined the sources of public access as follows: " J) Sources accessible to the public: those files whose consultation can be made, by any person, not impeded by a limiting norm or without further requirement than, where appropriate, the payment of a consideration. " The judgment of the Court of Justice of the European Union of 11/24/2011 (cases C-468/10 and C-469/10), which resolved the question referred by the Supreme Court and whose pronouncement was collected in the STS of 02/08/2012 (appeal 25/2008) states (paragraph 36) that Member States cannot introduce, pursuant to the provisions of Article 5 of Directive 95/46, principles relating to the legitimacy of the processing of personal data other than those set forth in Article 7 of that Directive or modify, by means of requirements additional, the scope of the six principles established in said article 7. It added in paragraphs 38 and 39 that Article 7, letter f), establishes two requirements accumulative so that a processing of personal data is lawful, that is, by a party, that such processing of personal data is necessary for the satisfaction of the legitimate interest pursued by the person responsible for the treatment or by the third party or C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 127 127/184 third parties to whom the data is communicated, and, secondly, that the fundamental rights and freedoms of the interested party. And he concluded that it follows that, with regard to the processing of personal data, article 7, letter f), of the Directive 95/46 opposes any national regulation that, in the event that there is no consent of the interested party, impose additional requirements that are added to the two cumulative requirements mentioned in the previous section. Given the incorrect transposition that was made in the national law of said precept, the CJEU (paragraphs 51 and 55) recognizes the direct effect of Article 7.f) of the Directive 95/46 with the consequence that from then on she had to be understood as displaced (that not annulled) the rule of article 6.2 LOPD in favor of the aforementioned precept. Until the publication of the judgments of the CJEU and the Supreme Court, the AEPD and the Courts of justice applied article 6.2. LOPD in connection with article 3.j) and concluded without further ado than the processing of data obtained from these access sources the public was considered lawful. As a result of the judgments of the CJEU and the Supreme Court, the circumstance that the data personal data would have been obtained from a publicly accessible source defined in the Article 3. j) LOPD could no longer, by that mere fact , constitute the legal basis of a processing of personal data. The relevance that from then on could be attributed to the circumstance that the data object of treatment came from sources of such a nature is the aforementioned in paragraph 44 of the STJUE which indicates that with regard to the weighting required by Article 7, f) of Directive 95/46 “it is necessary to take into consideration the fact that the seriousness of the violation of the fundamental rights of the person affected by said treatment may vary depending on whether the data already appears, or no, in sources accessible to the public. " After the STJE the National High Court, in a judgment of 05/31/2012, upheld the contentious appeal filed against the resolution issued by the AEPD that sanctioned for violation of article 6.1 LOPD, as a consequence of the treatment of the data of those affected without their consent to whom you sent emails electronic advertising their candidacy in the elections of a professional Association. The sanctioning resolution had rejected the legitimate interest invoked by the sanctioned as the basis of the treatment on the premise that the data Treaties did not come from publicly accessible sources. The judgment of the Hearing National says: “[...] It is possible, in short, and in accordance with said Community Jurisprudence, that there are personal data processing that does not appear in one of those that our internal legislation called "public access sources" (article 3.f) LOPD and article 7 RLOPD) but that, however, do not require the consent of the holders of such data because its treatment is necessary to satisfy a legitimate interest of the responsable of the same, or of the assignee, provided that the rights and freedoms of the interested [...] "And he adds:" [...] Weighting of interests in conflict [...] will depend on the specific circumstances of each case and in which, however, it can be taken under consideration, in order to determine the possible infringement of the rights data of the affected party, the fact that the data already appears, or not, in sources C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 128 128/184 accessible to the public. More this, simply, as one more element of weighting. " (The underlining is ours) In the regulatory framework of the RGPD, the position of the AEPD regarding calls public access sources is reflected in Report 136/2018, which recalls: “[...] already in the 10th annual session it was stated that with the RGPD it is not possible to speak of a legal concept of source of public access as the existing one with the previous LOPD. The Article 14.1 f) of the RGPD only mentions this concept to establish the obligation of the data controller to provide the interested party with information on whether their personal data come from publicly accessible sources, but without defining these ”. In the same sense, the Report of 10/03/2019, (Entry record 045824/2019) noted that “[...] as of the entry into force of the RGPD, it is not possible to speak of a legal concept of "sources accessible to the public" such as the one that existed in the previous Law Organic 15/1993 [...] The RGPD only talks about public access sources when regulating the right to information if the data has not been collected from the interested party ”. 2. In the brief of allegations to the proposed resolution, through your allegation fourth - "On the assessments made by the AEPD on the basis of law IV of the motion for a resolution ”- the defendant argues, as it did in its allegations to the initiation agreement, that the AEPD has violated the principle of trust legitimate and therefore does not concur in the performance of EQUIFAX the subjective element of the offense, in such a way that no sanction could be imposed by virtue of the principle of guilt recognized in article 28 of Law 40/2015, of 1 October, of the Legal Regime of the Public Sector (LRJSP) The first allegation of the brief of allegations to the proposal ratifies in its entirety the allegations that the defendant made against the agreement to open the process. As reflected in the proposed resolution, the respondent alleged that, in the present In this case, all the elements required to assess that the Agency had violated the principle of legitimate confidence and mentioned for this purpose the STS of 02/22/2016 (resource 1354/2014) according to which the failure of this principle would require the concurrence of these elements: (i) that is based on undeniable and external signs; (ii) that the expectations generated in the administered must be legitimate; (iii) that the final conduct of the Administration is contradictory to the previous acts, is surprising and incoherent. In EQUIFAX's opinion, this breach of the legitimate confidence of the AEPD would oblige the filing of the procedure due to the absence of the guilty element of the offense. He invoked in this sense, in defense of his thesis that the AEPD had broken the principle of legitimate confidence, the SAN of 02/04/2009 (appeal 304/2007) which declares that the breach of this principle should lead to the nullity of the sanctioning resolution object of the appeal. The judgment indicates that it is true that the reasons for the resolutions administrative procedures required by article 54 of Law 30/1992 must allow the change of criteria in decision-making “ but this change of criteria cannot C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 129 129/184 have retroactive effects, especially in cases in which there had been previous exculpatory pronouncements in the face of identical behaviors . " This SAN appointment, to his time, another from the same Court on 06/13/2008 (appeal 55/2005) in which it indicates that “In sanctioning matter, the new criteria, no matter how reasonable they may be, [...] have to unfold their effects into the future, but never be projected into past actions that will accommodate existing criteria ”. In turn, in the allegations that EQUIFAX made to the opening agreement, among others many considerations, specifically stated that the existing legal framework before of the effective application of the RGPD and after the STJUE of 11/24/2011, no had been altered if not reiterated, both in relation to the principle of legality and the principle of accuracy (remember that the opening agreement attributed to the the infringement of both principles). Thus, on page 18 of the brief of allegations to the opening agreement says the following: “ This also leads to the conclusion that the alleged treatment carried out carried out by my client [...] was not only not contrary, but expressly covered by the regulatory framework in force prior to the entry into force of the RGPD, It is also necessary to add that said framework has not been altered, but rather by the reiterated contrary with said entry into force, both in what affects the principle of legality (which was also included in article 6.1.a) of the Directive as well as in what concerns the principle of accuracy [...] ” (Emphasis is ours) On page 22 of the allegations to the opening agreement, the respondent stressed that the tenor of the rules allegedly violated had not been modified. It says in that sense: “ Everything that has been indicated there is no doubt that it implies the existence of a manifest change of legal criterion on the part of that AEPD, which now considers radically illicit the treatment that had been understood to be lawful (without having modified the tenor of the rules allegedly violated [...] " At the same time, the respondent set out in her allegations the opening agreement (which remember, it has expressly reiterated in its allegations to the proposal) that the agreement to initiate PS / 240/2019 represented a change in legal criteria, from way that the Agency violated the principle of legitimate expectations and security legal, principles that should govern the actions of Public Administrations in accordance with article 3.1.e, of Law 40/2015, of October 1, on the Legal Regime of the Public Sector, (LRJSP). If indeed the AEPD had violated the principles of legitimate expectations and legal certainty - which evidently has not happened - the consequence could be the file of the file due to the absence of the guilty element of the offense. Now, in order to show a violation of the principle of legitimate confidence, the change of legal criterion must be arbitrary and, therefore, cannot be motivated by a normative change. At this point, it should be noted that, in the assumption we are analyzing, that normative change exists , so that in no case is it possible to conclude, as the complainant claims that the AEPD has arbitrarily modified its criteria thereby violating the principle of legitimate expectations. Regulatory change is specified in the repeal by the LOPDGDD of article 29.1 of the LOPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 130 130/184 EQUIFAX, repeatedly suggests that, to the extent that the standards that regulate the principles of legality and accuracy in the RGPD and in Directive 95/46 they have not varied in essence, there is no other normative change that justifies the criterion followed in the present procedure before her. The truth is, however, that EQUIFAX uses in its various writings of allegations, as a legal basis for the data processing carried out by the FIJ, an " express legal provision" that, says that entity, recognized the legality of systems like the FIJ: article 29.1 LOPD. The controversy therefore arises around the legal framework in force before the effective application of the RGPD and after the STJUE so many times cited and if said legal framework considered or not in accordance with the regulations governing the right to protection of personal data the treatment that the FIJ carried out. In the brief of allegations to the commencement agreement, the respondent tried to corroborate her particular conception of the scope of article 29.1 LOPD with what is indicated in the agreement opening of the procedure. Thus, the motion for a resolution stated the following: " The third allegation of the brief of allegations to the agreement to open the The procedure is dedicated to the “[...] pre-existing regulations to the RGPD and the performance of the AEPD in relation to the File of Judicial Incidents ”. Allegations that the respondent expressly reiterated in her second brief of allegations to the opening agreement or complementary allegations. The entity stated in that third allegation of its brief that “[..] as recognizes the Agreement itself, the material norms whose violation is attributed to my constituent have not changed in terms of their content as a result of the reform operated by the GDPR. " “[..] based on the similarity, if not identity, between the regulations previously in force and the collection in the text of the RGPD, it is necessary to take into account that the systems such as the FIJ were expressly recognized in article 29.1 of the " LOPD. And that, in light of the jurisprudence emanating from the CJEU, the conclusion is reached of “ that the data processing carried out by the FIJ was based on the provided for in Article 7 f) of the Directive [...] ”. (The underlining is ours) He added “[...] that the alleged treatment carried out by my client [...] not only It was not contrary, but expressly protected in the current regulatory framework prior to the entry into force of the RGPD [...] ” And that said framework has not been seen altered, but on the contrary reiterated with said entry into force, both in what it affects the principle of legality as well as the principle of accuracy. (The underlined is ours) These considerations of EQUIFAX forced to warn in the proposal of resolution that "the opening agreement referred, solely and exclusively, to the similarity that exists between article 6.1.f) of the RGPD and article 7.f) of Directive 95/46. The manifestations of the claimed may imply that the reference to the article 7.f) of Directive 95/46 that was made in the initiation agreement is the same as the reference that she does to the regime provided for in the previous regulations, in which it is included, among other provisions, article 29.1 of the LOPD. Question that would lack all importance if it were not because after establishing such equivalence the claimed C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 131 131/184 goes on to affirm that the FIJ was recognized in article 29.1 of the LOPD and from there to affirm that the "data processing" carried out through the FIJ in the legal regime prior to the GDPR, it was lawful. " Well, in the brief of allegations to the proposed resolution, the claimed -in its fourth claim, which has the heading “On the assessments made by the AEPD on the basis of law IV of the motion for a resolution ”- continues affirming that, until the full application of the GDPR, and even later, until the entry into force of the LOPDGDD “there was an express legal provision that recognized the legality of information systems that collect information obtained with the consent of the interested party or sources accessible to the public in order to evaluate the solvency of the interested parties ”. (The underlining is ours) The defendant expresses the thesis that it defends with greater clarity not in this allegation fourth of the brief of allegations to the proposal but in the sixth allegation related to the principle of legality. Notwithstanding that we return to the issue when analyzing the infringement of article 6.1 RGPD, we anticipate that the respondent affirms, after saying that has an “ evident legal basis, the concurrence of a legitimate interest prevalent, for the treatment of the data in the FIJ. " He adds that “Obviously, the Article 29.1 of the LOPD did not regulate the basic principles or legal bases of the treatment, but determined that, on the basis of principles and legal bases identical to those contained in the RGPD, the treatment of the data collected in the itself was lawful. That is, either article 29.1 of the LOPD exceeded the of the regime contained in the Directive, enabling nothing less than a treatment that violated its articles 6 and 7 in the terms assumed by the Proposal for Resolution, something that no Court or the Institutions of the European Union (and even less the own AEPD) even hinted at any time or, remaining unchanged the principles and legal bases, this treatment is as consistent with the RGPD as it was with Directive. This fact is undoubted, no matter how much it tries to force the argumentation in another sense. " (The underlining is ours Given the continuous references of EQUIFAX in its allegations to the initiation agreement that intended to protect the treatment carried out by the FIJ in article 29.1 LOPD, in the proposed resolution it was noted that the aforementioned file would have a place in the category or file system provided for in that precept as long as it respects the principles that governed the data protection regulations provided for in article 4 of the LOPD, data quality , and, in particular, the principle of limitation of the purpose of the treatment. And that, being the FIJ a credit information system that does not obtain the data from the information provided by the interested party, nor does he provide his consent to the treatment, but obtains the data from " records and sources accessible to the public ”, the legal basis for this treatment could only be the provided for in article 7.f) of the Directive. It should be remembered, for this purpose, that article 37.1 of the RLOPD established that “The processing of personal data on financial solvency and credit, provided for in section 1 of article 29 of Organic Law 15/1999, of 13 December, will be subject to the provisions, in general, in said organic law and in these regulations. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 132 132/184 The change in the legal criteria of the AEPD, which in EQUIFAX's opinion represents the procedure followed in front of it is not elicited -as he wants to imply the claimed- regarding the legal bases of the data processing or the principles governing the latter provided for, respectively, in the Directive and the RGPD. On the contrary, the change in the criterion attributed to the AEPD and that, supposedly, reflected in the procedure that concerns us revolves around article 29.1 LOPD. More exactly, the intended change of criterion is nothing but the disparate interpretation of the norm, of its meaning and scope, that make, respectively, this Agency and EQUIFAX. In any case, article 29.1 LOPD is not in force. It was repealed by the LOPDGDD, which entered into force on 12/07/2018, and neither in the RGPD nor in the LOPDGDD there is an equivalent rule. For the aforementioned reasons, the thesis that the AEPD has violated the principle of legitimate expectations. The proceeding against EQUIFAX is congruent as has been indicated with the meaning of the STJUE and with the repeal of article 29.1 LOPD in which that entity intends to protect the treatment carried out through the FIJ. V Of the infringement of the principle of limitation of the purpose 1. The behaviors that are the object of assessment in this sanctioning procedure are related to the treatment carried out by the claimed through the FIJ of personal data of those affected who obtained, for the most part, from the BOE, plus exactly from the Official Board of the BOE (TEU-BOE); of the official newspapers of the autonomous communities; of the Provincial Bulletins (BOP) and through the Electronic or physical headquarters of Public Law bodies or entities. So certify the documents in the file relating to the response to the access to the FIJ requested by those affected. In light of these documents exist in the FIJ annotations of alleged debts attributed to the claimants who were given registered in the file on very different dates, some of them in 2013. The RGPD dedicates to the principles that govern the processing of data of character personal article 5. Among them, it refers to the limitation of the purpose in article 5.1.b) according to which personal data will be “ collected for specific purposes, explicit and legitimate, and will not be further processed in a manner incompatible with said purposes; in accordance with article 89 (1), the further processing of personal data for archival purposes in the public interest, research purposes scientific and historical or statistical purposes shall not be considered incompatible with the purposes initials ” (The underlining is ours) Recital 50 of the GDPR helps to clarify the scope of this principle and He says: "The processing of personal data for purposes other than those for which they have initially collected should only be allowed where compatible with the purposes of your initial collection. In such a case, no separate legal basis is required, other than the one that allowed the obtaining of personal data. If treatment is necessary C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 133 133/184 for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the person responsible for the treatment, the tasks and the purposes for which the subsequent treatment should be considered compatible and lawful can be determine and specify in accordance with the law of the Union or of the States members. Subsequent processing operations for archival purposes in the interest public, scientific and historical research purposes or statistical purposes should considered compatible lawful processing operations. The legal basis established in the law of the Union or the Member States for the treatment personal data can also serve as a legal basis for further processing. In order to determine whether the purpose of the further processing is compatible with the purpose of the initial collection of personal data, the controller, after having Once all the requirements for the legality of the original treatment have been fulfilled, you must take into account, among other things, any relationship between these purposes and the purposes of the planned further processing, the context in which the data were collected, in particular the reasonable expectations of the interested party based on their relationship with the responsible for its subsequent use, the nature of the personal data, the consequences for the interested parties of the planned further processing and the existence of adequate guarantees both in the original treatment operation and in the planned further processing operation. If the interested party gave their consent or the treatment is based on the law of the Union or of the Member States that constitutes a necessary and proportionate measure in a democratic society to safeguard, in particular, important objectives of general public interest, the responsible must be empowered to further process personal data, regardless of the compatibility of the purposes. In any case, it must be guaranteed the application of the principles established by this Regulation and, in particular, the information of the interested party about those other purposes and about their rights, including the right of opposition. The indication of possible criminal acts or threats to the public safety by the person responsible for the treatment and transmission to the competent authority of the data regarding individual cases or diverse cases related to the same criminal act or threat to public safety must be considered to be in the legitimate interest of the person responsible. Still, it should be forbidden that transmission in the legitimate interest of the controller or the subsequent processing of data personal if the treatment is not compatible with an obligation of legal secrecy, professional or binding for another reason. " The principle of limitation of the purpose prevents that a treatment can be carried out subsequent personal data if the purposes of this treatment and those pursued by the original treatment are not supported. Article 6 RGPD, relative to the “ Legality of the treatment ”, dedicates its section 4 to list the elements that allow determining if a treatment for another purpose is compatible with the initial purpose for which they were collected the data: "When the treatment for a purpose other than that for which the personal data is not based on the consent of the interested party or on the Law of the Union or of the Member States that constitutes a necessary measure and proportional in a democratic society to safeguard the stated objectives in article 23, paragraph 1, the data controller, in order to determine if the treatment for another purpose is compatible with the purpose for which they were collected initially personal data, will take into account, among other things: C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 134 134/184 a) any relationship between the purposes for which the data was collected personal and the purposes of the planned further processing; b) the context in which the personal data was collected, in particular for what Regarding the relationship between the interested parties and the person responsible for the treatment; c) the nature of the personal data, specifically when categories are processed special personal data, in accordance with article 9, or personal data relating to convictions and criminal offenses, in accordance with article 10; d) the possible consequences for the data subjects of the planned further processing; e) the existence of adequate guarantees, which may include encryption or pseudonymization " 2. In order to determine whether the treatment of the data of the claimants who has carried out EQUIFAX through the FIJ is or is not respectful of the principle provided in article 5.1.b) RGPD, the starting point must be the origin of the processed data. As has already been indicated, the data of the claimants were obtained, in their great majority, from the BOE, more precisely from the Official Board of the BOE (TEU-BOE); from the official newspapers of the Autonomous Communities; of the Provincial Bulletins (BOP) and through the electronic or physical headquarters of bodies or entities of Law Public. The fact that the data of the complainants come from public sources, basically from official newspapers and gazettes, evidence that these had been subject to a previous treatment with a specific purpose. Article 44 of the LPACAP under the heading "Unsuccessful notification" states: "When those interested in a procedure are unknown, the place is ignored of the notification or, if it was attempted, it could not have been carried out, the notification It will be done by means of an announcement published in the "Official State Gazette". Likewise, previously and on an optional basis, the Administrations may publish an announcement in the official bulletin of the Autonomous Community or the Province, on the notice board of the City Council of the last domicile of the interested party or of the Consulate or Consular Section of the corresponding Embassy. Public Administrations may establish other forms of notification complementary through the other means of diffusion, which will not exclude the Obligation to publish the corresponding announcement in the "Official State Gazette." Article 45 of the LPACAP, " Publication", provides: "1. Administrative acts will be published when so established by the regulatory standards of each procedure or when advisable for reasons of interest public appreciated by the competent body. In any case, the administrative acts will be published, the latter supplying the effects of the notification, in the following cases: a) When the act is intended for an indeterminate plurality of people or when the Administration considers that the notification made to a single interested party is insufficient to guarantee notification to all, being, in the latter case, additional to the individually performed. b) In the case of acts that are part of a selective procedure or of competitive competition of any kind. In this case, the convocation of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 135 135/184 The procedure must indicate the medium where the successive publications, lacking validity those carried out in different places. 2. The publication of an act must contain the same elements as the article 40.2 requires regarding notifications. It will also be applicable to the publication established in section 3 of the same article. In the cases of publication of acts that contain common elements, The coinciding aspects may be published jointly, specifying only the individual aspects of each act. 3. The publication of the acts will be carried out in the corresponding official gazette, according to whichever Administration the act to be notified comes from. 4. Without prejudice to the provisions of article 44, the publication of acts and communications that, due to legal or regulatory provision, must be carried out on a notice board of announcements or edicts, it will be understood as fulfilled by its publication in the Official Gazette correspondent." These precepts detail the cases in which the Administrations Public, in compliance with an obligation imposed by the LPACAP, publish in bulletins and official journals administrative acts and resolutions. The notification, in the words of the Supreme Court (STS 03/07/1997) “ consists of a formal communication of the administrative act in question . " The doctrine explains that is the mechanism through which the interested party is transferred to the content of a act. On the other hand, the notification of acts and resolutions is mandatory for Public Administrations and a requirement to which its effectiveness is subject (article 39 of the LPACAP) Thus, the notification constitutes a guarantee for the company already that through it he knows the acts of the Administration that affect his rights and legitimate interests for it is an instrument that guarantees the right to guardianship effective judicial system (article 24.1 of the EC) Through the publication the same purpose as the notification is intended, that the content of the administrative act reaches the knowledge of those who are interested in an administrative procedure. The LPACAP refers to publication in both article 44 and article 45. Article 44 includes the assumptions that Gamero Casado calls " publication supplementary notice ”. Article 44 LPACAP establishes that the to the publication in the BOE when the notification had been unsuccessful, or the persons interested in the procedure are unknown or their whereabouts are unknown. In addition to the publication through the BOE, article 44 LPACAP empowers the Administrations so that, previously, they publish announcements in the official bulletin of the Autonomous Community or Province, on the notice board of the City Council of the Last address of the interested party or of the Consulate or Consular Section of the Embassy correspondent. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 136 136/184 Likewise, the publication of acts and resolutions will be attended in the cases of Article 45 LPACAP. Assumptions that, following the criteria of Gamero Casado , we can group as follows: (i) Substitute publications for the notification (that is, when the acts are published instead of being notified), which proceeds when the act is addressed to a indeterminate plurality of persons or in the case of acts that make up a selective procedure or competitive competition. (ii) Complementary publication of the notification (in addition to the notification it is mandatory publication), what happens when reasons of interest advise it public; in procedures in which there are several interested parties, when notify only one and fear that it is insufficient to guarantee knowledge of the act by all of them and when the regulatory norms of a specific procedure so establish it. With the exception of the " substitute publications for the notification" provided for in the Article 44 LPACAP, in which, as indicated, it is mandatory to publish in the BOE, in the rest of the cases the publication is made in the official gazette corresponding to the Public Administration from which it comes. The LPACAP, article 45.4 encourages that by means of specific legal or regulatory provisions, impose the publication of acts and communications on bulletin boards or edicts, although it adds that this obligation will be understood to have been fulfilled with the publication in the corresponding official gazette. In terms similar to article 44 of the LPACAP, article 112 of the Law 58/2003, of December 17, General Tax, which provides for the summons, to be notified by appearance, through announcements published in the BOE. Also Article 29.2 of the Consolidated Text of the Real Estate Cadastre Law, approved by the Royal Legislative Decree 1/2004, of March 5, provides for the notification with obligatory character by means of announcement in the BOE. The Consolidated Text of the Law General Social Security, approved by Royal Legislative Decree 8/2015, of October 30, provides in article 132.4 that notifications that have not been able to be done at the electronic headquarters of the Social Security or at the address of the interested, will be practiced exclusively by means of an advertisement published in the Official State Gazette in accordance with the third additional provision of the Law 39/2015. 3. The publication that the Public Administrations make of acts or resolutions administrative that include personal data, implies for the administered a restriction to the fundamental right recognized in article 18.4 of the EC Through the publication of an administrative act or resolution - to which, as has been indicated, article 39 of the LPACAP is subject to its effectiveness - it is intended to guarantee interested parties the exercise of their right of defense -which in turn connects with the right to effective judicial protection recognized in article 24.1 of the EC- and allows to the Public Administrations the exercise of their powers. In such a way that the purpose pursued with this obvious limitation to the right to data protection it is directly connected with a public interest. The publication of the personal data of those affected in these cases is, therefore, oblivious to his will. It is established by a norm with the force of law and is justified by the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 137 137/184 pursuing public interest. Well, it is precisely these personal data, that have been the subject of publication in official gazettes and newspapers without the assistance of the will of its owners in compliance with a legal obligation and with the purpose of satisfy a public interest, the data from which the FIJ draws. Evidently when its content is related to situations of non-compliance with monetary obligations. The subsequent treatment of these data that EQUIFAX carries out pursues a purpose clearly different from the public interest that justified its publication. If we do not follow the legitimate interests that EQUIFAX seeks to satisfy through the FIJ, it is evident that they are for different purposes. While the treatment of the data of the administered by Public Administrations through the publication of acts administrative in the official newspapers and gazettes seeks to satisfy a public interest, the subsequent treatment that EQUIFAX makes of these data through the FIJ -according to declared the claimed in the brief of allegations to the initiation agreement- is linked to the assessment of the solvency of those affected and the prevention of fraud. Article 6.4 RGPD provides some criteria to determine whether further processing of the data of the claimants through the FIJ is compatible with the treatment original. To these are added the indications offered in Recital 50 of the GDPR. In the present case, in light of the guidelines that both offer, it can be stated that the purpose of the original treatment and that of the subsequent treatment by EQUIFAX are clearly incompatible: There is no relationship between the purpose of the treatment made through publications in official gazettes and gazettes that include personal data of those affected - the public interest connected with the right to effective judicial protection of the administered and the effective exercise by the Public Administrations of the powers attributed to them- and the purpose for which EQUIFAX processes the data, which it has specified in the assessment of solvency and in fraud prevention. Neither does there exist between the claimants and the person responsible for the treatment relationship linked to the context in which the data were collected, so that the affected have not been able to have any reasonable expectation that their data would be object of this treatment. The consequences that derive for the claimants whose The data that have been included in the FIJ are clearly adverse, since we are facing a negative file of patrimonial solvency that identifies them as debtors before anyone who makes a query to that file, with the added aggravation that the FIJ clearly breaches the principle of accuracy in its update statement of the data. And, obviously, EQUIFAX has not established additional guarantees for that the treatment does not affect the fundamental right to data protection since that the purpose that the FIJ seeks to satisfy requires having the identity data of the affected. The principle of proactive responsibility of article 5.2 of the GDPR obliges the person responsible of the treatment to be in a position to prove that it complies with the principles that preside over the data processing; so the principle of limitation is of interest here of the purpose. On the other hand, both article 6.4 RGPD and Recital 50 are refer to the person responsible for the treatment as the subject who must determine if the purpose of the further processing that you intend to carry out is compatible with the purpose C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 138 138/184 for which the data were initially collected, which is consistent with the principle of proactive responsibility that must govern the actions of the person responsible for the treatment. It seems obvious that EQUIFAX has been fully aware that the treatment of data carried out through the FIJ violates article 5.1.b) RGPD. In that sense, due to its clear relevance to the element of guilt, we pass to reproduce this fragment of document number 8 of those contributed in response to the proceedings of evidence - “LIA Judicial File. Legal analysis. December 2019 ”-, document that the respondent previously provided to the AEPD attached to the brief of allegations to the initiation agreement. The document, as indicated in point 1, has in order to demonstrate the existence of a prevailing legal interest in the treatment carried out by the FIJ against the rights, freedoms and interests of the holders of the data. Well, point 7 of the document - “ Operation of the files of EQUIFAX with information obtained from publicly accessible sources ”- dedicates a section to analyze the guarantees that the file intends to implement and in point 1.1., under the heading "Principle of purpose ", states the following: “On the other hand, the principle of finality includes the limitation of the subsequent uses of the data, since the RGPD prohibits in its article 5.1 a) the subsequent treatment of the data for purposes incompatible with those that motivated its collection, although exempts from this limitation the use of data for archival purposes of public interest or scientific or statistical research. [...]. " (The underlining is ours) It is striking that the respondent has invoked in her brief of allegations to the initiation agreement that, regarding the implications derived from the regulations of reuse of public sector information, “ [...] the sources from which they have been collected the data to which the claims made refer and in general the data incorporated into the FIJ expressly enables the reuse of said information, so without prejudice to the application of article 4.6 of the LRISP, the Reference to said rule will not be relevant as an obstacle that allows the data collection by the former. " (The underlining is ours) And, then refer to the general conditions of reuse of the website of the Official State Gazette. It is surprising that he invokes the information on the BOE website when the rule that It is applicable with regard to the reuse of public sector information. is article 4.6 of Law 37/2007, of November 16, on “ reuse of the public sector information ”, according to which when the documents contain personal data the applicable legal regime is that of the regulations of data protection and, therefore, respect for the principle of limitation is mandatory of the purpose provided in article 5.1.b) RGPD. Let us also remember that the AEBOE's response to the consultation made by claimants 35 and 55 about whether it was lawful for your personal data included in the notification announcements could be processed in order to integrate a database for profit. The AEBOE answered: "[...] In accordance with the foregoing, this State Agency considers that the reuse of personal data such as names, surnames, ID associated with debts, C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 139 139/184 published in the BOE, that you. requests, it would not be a lawful treatment of data from personal nature of those provided for in art. 6 of the GDPR and, therefore, in accordance with what is regulated in both Regulation (EU) 2016/679 and Organic Law 3/2018, of December 5, they should not be reused by third parties. " 4. The legislator has established various measures that contribute to respecting the principle limitation of the purpose and that seek to reduce the impact on the right to protection of data of the administered that could derive from the obligation that have the Public Administrations to publish through newspapers and bulletins official administrative acts that contain personal data. In this sense, it is worth mentioning, on the one hand, articles 40.5 and 46 of the LPACAP. On the other hand, we must refer to the fact that Law 15/2014, of September 16, on rationalization of the Public Sector and other administrative reform measures, introduced the Twenty-first Additional Provision of Law 30/1992, on the Legal Regime of the Public Administrations (LPAC) from which the implementation of the 06/01/2015 of the Single Edictal Board, where acts of all the Public administrations. The notifications announcements that are published through the BOE are integrated into a document " of an independent nature ", called "Supplement of notifications ”. Royal Decree 181/2008, of February 8, on the organization of the newspaper official Official State Gazette, modified as a result of Law 15/2014, configures for the Notification supplement a different regime from the one provided for by the BOE. Between other specialties, the aforementioned Royal Decree, restricts to three months from its publication the period of time during which the Supplement for notifications will be accessible to the public. In accordance with Royal Decree 181/2008, the official gazette is structured as (i) “ The content of the "Official State Gazette ", which includes sections I to V and the " Section of the Constitutional Court ”, and in (ii)“ a Supplement of notifications of a nature independent ” in which the notification announcements will be inserted. Article 11 of this Royal Decree specifies that “ The State Agency Official Gazette of the The State will guarantee, through open telecommunication networks, access universal and free to the electronic edition of the official state gazette, without prejudice to the provisions of article 14.4. " And article 14.4 says: "4. Notwithstanding the provisions of the previous sections, the Supplement of notifications will remain freely accessible in the electronic headquarters of the Agency State Official State Gazette for a period of three months from its publication, after which the verification code of the corresponding notice of notification, which will be unique and not foreseeable. This code can only be conserved, stored and processed by the interested party. or its representative, as well as by the bodies and Administrations that may specify it for the exercise of the powers that correspond to them. The State Agency Official State Gazette will adopt measures aimed at avoiding the indexing and automatic retrieval of verification codes by subjects other than those contemplated in the previous paragraph. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 140 140/184 Without prejudice to the provisions of the first additional provision, once the period of three months established in the first paragraph, the State Agency Bulletin State official will provide, upon request, the information contained in the announcement of notification only to the interested party or their representative, the Public Prosecutor, the Ombudsman, and to the Judges and Courts. " (The underlining is ours) In the same sense, article 11 of the Royal Decree specifies that " The State Agency Official State Gazette will guarantee, through open telecommunication networks, universal and free access to the electronic edition of the official state gazette, without prejudice to the provisions of article 14.4. " The precautions that Royal Decree 181/2008 adopts regarding the Supplement of notifications, the content of which is notification announcements, are not exhausted here. Article 13 restricts the printed edition of the Supplement to notifications to in the circumstances described in section 1.a). And article 17, which provides that the State Agency Official State Gazette (hereinafter AEBOE) will offer in its electronic headquarters, with a differentiated character from the electronic edition of the BOE " a of free data that allows the search, retrieval and printing of the provisions, acts and announcements published in the "Official State Gazette", it adds: “ However, search, retrieval and printing, through the database service data, of the notification announcements published in the Notification Supplement, it will only be possible during the three-month period provided for in article 14.4. " (The underlined is ours) Any citizen who wishes to do a search for the Notifications Supplement published in a BOE three months after its publication you will not find it. In its Instead, the BOE website offers this message: "In accordance with article 14 of Royal Decree 181/2008, of February 8, on the organization of the official gazette "Boletín Official of the State ", the Supplement of notifications corresponding to this date has no longer freely accessible. More info" Well, while in accordance with article 14.4 of the regulatory norm, after the period of three months, they will only be able to access the information contained in an advertisement, with prior authorization from AEBOE, the interested party or their representative, the Public Prosecutor, the Ombudsman and the Judges and Courts, we find ourselves with the paradoxical situation that EQUIFAX has this information in the FIJ, accessible to its associates for a period of six years in accordance with the documentation that is in the file. The claimed, aware of the time limit imposed by article 14.4 of the Real Decree 181/2008, has adopted the technical measures to store the information and dispose of it beyond the three months following publication. The FIJ RAT, both the final version and document 4 of the first version, which EQUIFAX has contributed in response to the test carried out, as it shows. The section 8 of the RAT, under the heading "Information suppression periods ", says: " The information is accessible for 3 months and then is stored in a directory Linux in order to be able to work later with the data. Bliss The information, saved in “PDF” format, will be available for a period of 10 C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 141 141/184 years from the date of publication, and this with the sole purpose of being able to attend the possible claims and respond to requests for information by the competent administrative body, as well as the courts and tribunals. " (The underlined is ours) 5. In its allegations to the proposed resolution EQUIFAX states that this principle has not undergone any modification in the RGPD, as it reproduces almost in full what was established by Directive 95/46 / EC on it, and then goes on to affirm that " within the regime of transposition of the Directive into our Law [...]" Article 29.1. of the LOPD “did not appreciate that [...] it was contrary to the principle of limitation of purpose enshrined by Directive 96/46 / CE, ” the treatment of personal data carried out by those who are dedicated to the provision of services of information on the capital solvency and credit consisting of the collection of personal data obtained from the records and sources accessible to the public established for this purpose. It also affirms that “ the legal basis that justified the collection of the data object of publication [was] obtain information on the capital solvency and credit of the interested parties based on the available information related to them ”, and that "This legal basis was expressly included in the LOPD, and should its article 29.1 be interpreted in the sense that [...] the treatment was covered in the prevailing legitimate interest of those who proceed, as my principal, to treatment of the data, since there is an unequivocal legal authorization for said treatment could take place ”. (The underlining is ours) The defendant concludes her argument regarding the " breach of the principle of purpose ” with the paragraph that we reproduce: " In short, the data is not processed in this case contained in the FIJ for a purpose other than the one that motivated its collection, since this was precisely what justified the maintenance of the data in the system and its access by the entities that are adhered to the FIJ in order to know the solvency and credit of its debtors or potential debtors, on the basis of a prevailing legitimate interest that, at least until entry into validity of the LOPDGDD was expressly authorized by the regulations of personal data protection." (The underlining is ours) In the same line of argument it says that " this compatibility (or that character" does not different ”from the purpose) was appreciated even after the entry into force of Royal Decree 181/2008, of February 8, on the organization of the official gazette «Boletín Official of the State »(hereinafter,“ RDBOE ”), to which the Proposal". Also, after the entry into force of Law 37/2007, of 16 December November, on reuse of public sector information and Law 19/2013, of December 9, transparency, access to information and good governance . (The underlined is ours) He also makes another equally surprising statement: “[...] it must be remembered that measures adopted by RDBOE, which would reflect the restrictions that subsequently, with regard to open data, the Group revealed of Article 29 (hereinafter GT29) in its Opinion 3/2013 on the limitation of purpose, [...] do not refer to data processing such as that carried out carried out by my client through the FIJ, in which access to information is C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 142 142/184 limited to creditors or potential creditors of the interested party. These measures, by the On the contrary, they try to avoid not an access subject to the condition of creditor, real or potential, but an indiscriminate access to the data that is the subject of publication in the official newspapers. " (The underlining is ours) Indeed, the regulation of the principle of limitation of the purpose contained in the Directive 95/46 / EC is practically the same as that of the text of article 5.1.b) of the GDPR. It is at this point that we can only agree with what is alleged by the claimed in its defense against the infringement of the principle of limitation of purpose attached to it. The respondent denies the violation of article 5.1.b) RGPD and affirms that the proposal has made a forced interpretation of Recital 50 of the GDPR. Interestingly, the The explanation offered is certainly a forced interpretation. Thus, it states that the Treatment of the data contained in the FIJ does not have a purpose other than that that has motivated its collection since, precisely that purpose -the one that motivated the data collection- it is the one that justifies that they remain in the system and that the adhered entities access them. This statement is supported by the consideration that the purpose that gave rise to what called " the collection " of the data is identified with the collection that EQUIFAX makes of the data published in official newspapers and gazettes and not with data collection for the original treatment, which is to which the RGPD, like the Directive, is is referring. Statement that is based, in turn, on the fact that the rule of article 29.1 LOPD established the prevalence of a legitimate interest of those responsible for the equity solvency information systems such as the FIJ “ since there is a unequivocal legal authorization so that said treatment could take place " On this subject, two questions must be specified: the first is that the norm of the Article 29.1 of the LOPD was repealed by the LOPDGDD which entered into force on 12/07/2018. The second, that the interpretation of article 29.1. LOPD that defends would mean that under this precept the person responsible for the treatment of an information system such as the FIJ of compliance with the obligations that imposed by the LOPD, such as those provided for in article 4.2 LOPD. Well, article 37 of the RLOPD, " General Regime ", framed in title IV - Provisions applicable to certain privately owned files - Chapter I -information files on financial solvency and credit-, established: "The processing of personal data on financial solvency and credit, provided for in section 1 of article 29 of Organic Law 15/1999, of 13 December, will be subject to the provisions, in general, in said organic law and in these regulations. " In short, at the same time it argues that the principle of purpose limitation does not has changed its regulation in the Directive and the RGPD -a statement that seeks to support its thesis that there has not been a normative change between the existing legal regime during the validity of the LOPD and the one provided for in the RGPD, so having adjusted its behavior to the same legal regime is the AEPD who, in the face of the identity of standards, is adopting different solutions - and claims that it does not violate the principle C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 143 143/184 of limitation of the purpose foreseen in the Directive -which was transferred to our Law internal law in article 4.2 LOPD - because a rule of internal law, which does not have correlate in Directive 95/46 / EC, article 29.1. LOPD, exempts you from complying with said beginning. And this, supported by its statement that article 29.1 LOPD “ does not I appreciate that the treatment to which you referred was contrary to the principle of limitation of the purpose . Thus, through the interpretation made of article 29.1 LOPD this provision has the scope to establish a legal presumption of prevalence of interest legitimate authority of the entities responsible for files such as the FIJ and to exempt them from compliance with the obligations imposed by the LOPD, in particular by what here interest of article 4.2. LOPD. On the other hand, the claimed party brings up the Royal Decree on several occasions 181/2008, of organization of the official gazette Official State Gazette (RDBOE). Nails times to affirm that “ this compatibility (or that“ not different ”character of the purpose) was appreciated even after the entry into force ” of the RDBOE and others to make inadmissible considerations, such as that the measures adopted by RDBOE , "do not refer to data processing such as that carried out by me principal through the FIJ, in which access to information is limited to creditors or potential creditors of the interested party. " 6. From the preceding exposition, it is concluded that EQUIFAX has been dealing with the personal data of the claimants through the FIJ in violation of the principle of limitation of the purpose provided for in article 5.1.b) of the RGPD. This offense is classified in article 83.5.a) of the RGPD, which establishes: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a ) the basic principles for the treatment, including the conditions for the treatment consent in accordance with articles 5, 6, 7 and 9; [...] " On the other hand, for the purposes of prescription, the LOPDGDD qualifies in its article 72.1.a) the violation of article 5.1.b) of a very serious offense. SAW Of the infringement of the principle of legality 1.The RGPD deals in article 5 with the principles that govern the treatment of personal data and in section 1.a) provides that personal data They will be treated in a " lawful, loyal and transparent manner in relation to the interested party ". On In the same sense, Recital 39 says that “ All processing of personal data it must be lawful [...] " In accordance with article 6.1 of the RGPD so that the processing of personal data is lawful must be based on at least one of the circumstances that this precept relates. Letter f) of article 6.1. provides that the processing of personal data C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 144 144/184 It will be lawful when “ the treatment is necessary for the satisfaction of interests pursued by the person responsible for the treatment or by a third party, provided that the interests or the rights and freedoms do not prevail over said interests fundamental data of the interested party that require the protection of personal data, in particularly when the interested party is a child. " The STJUE of 11/24/2011, cited so many times, which declared the direct effect of the provision of article 7.f) of Directives 95/46, regarding the legal basis of the prevalence of legitimate interest, indicated that the aforementioned provision establishes two requirements accumulative so that a processing of personal data is lawful, that is, by a party, that such processing of personal data is necessary for the satisfaction of the legitimate interest pursued by the person responsible for the treatment or by the third party or third parties to whom the data is communicated, and, on the other hand, that the fundamental rights and freedoms of the interested party ( section 38). Also add, to purpose of the weighting, which will depend, in principle, on the circumstances specific to the particular case in question and in the framework of which the person or institution who makes the weighting must take into account the importance of the rights that Articles 7 and 8 of the Charter of Fundamental Rights of the European Union conferred on the interested party (section 40). Recital 47 of Regulation (EU) 2016/679 contributes to the task of clarifying the content and scope of the legitimizing circumstance of article 6.1.f) RGPD. The Opinion 6/2014 prepared by the Article 29 Working Group (hereinafter, GT29) related to the “ Concept of legitimate interest of the person responsible for the treatment of data pursuant to Article 7 of Directive 95/46 / EC ”, dated 04/09/2014, facilitates the interpretation of Article 7.1.f) of the Directive and offers guidelines for the mandatory weighting of competing interests and rights. The application of article 6.1.f) RGP requires that there is a legitimate interest of the responsible for the treatment or the third party; that the treatment is necessary for the satisfaction of the legitimate interest pursued; and that in the weighting of interest legitimate party of the data controller or third parties on the one hand and the impact that about the interests, fundamental rights and freedoms of the interested party causes the Data processing that is intended to be carried out, on the other hand, the former prevails. Now, in order to conclude that a certain processing of personal data is based on the prevalence of the legitimate interest of the person in charge or of third parties against to the interests or fundamental rights of the owners of the data -as and as argues EQUIFAX regarding the FIJ-, following the guidelines of the Opinion of the GT29 6/2014, The analysis must begin by examining whether the legitimate interest invoked (i) is lawful, it is that is, in accordance with applicable national and EU legislation; (ii) sufficiently that is, it is articulated clearly enough to allow the balancing test is carried out against the interests and fundamental rights of the interested party and (iii) represent a real and current interest, not speculative. Therefore, the first element to examine is the legality of the legitimate interest invoked; that is, if the treatment necessary to satisfy such interest is adapted to the legislation national and EU Opinion 6/2014 of the WG29 says that an interest can be considered legitimate " provided that the person responsible for the treatment can pursue C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 145 145/184 this interest in accordance with the laws relating to data protection and with the rest of the legislation ” .” (The underlining is ours) The defendant has specified in her brief of allegations to the initiation agreement what is the legitimate interest that the FIJ seeks to satisfy with the data processing carried out and states that it is a double interest: (i) An interest linked to the assessment of the solvency of those affected and (ii) an interest linked to fraud prevention. Regarding the first one - linked to the evaluation of solvency - considers that they hold it themselves, EQUIFAX; the third parties that they consult the information contained in the file and the borrowers and consumers. It justifies the interest linked to the assessment of the solvency of which she is the holder in that information systems related to information on solvency are a necessary tool to understand the risk that may be incurred by borrowers in their operations and, it states, that the legislator implicitly acknowledges that function of information systems related to information on solvency by having articulated in article 20 of the LOPDGDD an iuris presumption tantum of legality of the treatment in relation to the files to which that precept. It also invokes the STJUE OF 12/18/2014 (case C-449/13) which recognizes the possibility for the lender to go to these sources to assess the creditworthiness of the consumer. Regarding the interest associated with the assessment of the solvency that the third parties that consult the information contained in the FIJ explains that, through the file, obtain complete information on the circumstances that occur in the potential borrower by joining the one that the credit institution obtains from the information regulated in article 20 of the LOPDGDD. In his opinion, the recognition of this legitimate interest of third parties is reflected in the Preamble of the Circular 1/2013, of May 24, of the Bank of Spain, on the Information Center of Risks and obligations that, in order to make the principle of granting the responsible credit, impose Law 16/2011, of June 24, on credit agreements to the consumption and Law 5/2019, of March 15, regulating credit contracts real estate. It also preaches a legitimate interest related to the assessment of the creditworthiness of borrowers and consumers, which justifies that a more correct valuation of the Risk in granting credit will allow better conditions in granting it and will benefit all consumers, which leads him to conclude that therefore " the legitimate interest pursued by the treatment also has a dimension of interest social ”. Regarding the legitimate interest linked to the prevention of fraud, it says that through of the data processing carried out through the FIJ facilitates the borrowing entities information that allows them to verify if the information they have and that they associate with certain data is consistent or inconsistent with that contained in bulletins and official newspapers and adds that the AEPD revealed the existence of an interest legitimate in the common fraud prevention systems that is reflected in the Legal Cabinet reports 318/2013, 105/14, 106/14, 103/16 and 256/16. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 146 146/184 2. Thus, the interest of the data controller will be legitimate if it is "lawful", it is that is, if the treatment necessary to satisfy it is respectful with the legislation applicable national and EU Therefore, from the point of view of the GDPR It will be necessary to determine if the data processing that the complainant carries out through of the FIJ complies with the rules that regulate the fundamental right to the protection of data and, in particular, the principles that govern the treatment. As has been stated in the preceding foundation, it is proven that the treatment that EQUIFAX has been doing of the personal data of the claimants violates the principle of purpose limitation provided in article 5.1.b) of the RGPD. This breach has the consequence of causing the legitimate interest invoked by EQUIFAX, on whose alleged prevalence supports the foundation legal data processing carried out (article 6.1.f, RGPD), cannot comply with the legality requirement. Ultimately, the interest defended by the claimed is incompatible with compliance of the law that regulates and guarantees the fundamental right to data protection personal. That interest requires for your satisfaction a data processing that clearly violates the RGPD and, as stated in Opinion 6/2014, “[...] the data controller […] can pursue any interest, as long as it does not is illegitimate. " The illegality of the interest pursued by EQUIFAX is reinforced by the fact that the data processing carried out by the FIJ not only violates the principle of limitation of the purpose (article 5.1.b RGPD), but, as will be explained later, We believe that it violates other provisions of the RGPD: the principle of accuracy of the data (article 5.1.d); article 14 of the RGPD in relation to article 5.1.a) and the data minimization principle (article 5.1.c). Based on this circumstance, it would not be necessary to carry out the balancing or balancing between the interest invoked by EQUIFAX and the impact that the treatment supposes on the fundamental right of the administered ones, by the simple reason that the first of the conditions for applying the legal basis of article 6.1.f) RGPD following the system offered by the Opinion 6/2014 of the GT29. However, we now make such a weighting between the interest defended by EQUIFAX and the rights and interests of those affected. In the first place, article 6.1.f) requires that the treatment be " necessary", in the sense in which the concept of necessity is interpreted by the European Court of Human Rights (ECHR). Without prejudice to the fact that the treatment of the data of the claimants is "useful", "desirable" or "reasonable", as specified by the ECHR in its Judgment of 3/25/1983 the term "necessary" does not have the flexibility that is implicit in those expressions. What EQUIFAX qualifies as a legal interest pursued through of the processing of personal data incorporated into the FIJ - know the debts and claims of natural persons to give " security to commercial traffic", “Prevent delinquency” and “assess the financial solvency” of these people - you can obtained by means of other instruments that do not suppose such a resounding attack on the fundamental right protected by the GDPR. For this reason, the media should be consulted less invasive to serve the same purpose. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 147 147/184 At this point we refer to the report of the Legal Office of the AEPD 372/2016 that, on the occasion of the evaluation of a processing of personal data obtained from public sources with the purpose of analyzing the solvency of their holders, pointed out that “ Need is not to be confused with convenience. The prosecution of solvency economic could be considered, in accordance with the terms of the consultation, convenient, but in no case necessary [...]. Credit or solvency risk debtor's economic risk is a risk that is not at all exclusive to a company of insurance, but typical of any commercial or financial relationship . " (The underline is our) Focused on weighing the interests and rights faced, we have to go to the criterion repeatedly followed by the Constitutional Court on the constitutionality of a restrictive measure of a fundamental right (SSTC 66/1995, of May 8, FJ 5; 55/1996, of March 28, FFJJ 6, 7, 8 and 9; 207/1996, of December 16, FJ 4 e), and 37/1998, of February 17, FJ 8) To check if a restrictive measure of a fundamental right exceeds the judgment proportionality, it will be necessary to verify that it meets the three requirements or following conditions: if that measure is likely to achieve the objective proposed (suitability judgment); if, furthermore, it is necessary, in the sense that it is not there is another more moderate measure to achieve this purpose with the same efficacy (judgment of necessity); and, finally, if it is weighted or balanced, for deriving from it more benefits or advantages for the general interest than damages on other goods or values in conflict (judgment of proportionality in the sense strict). In the present case, it cannot be admitted that the judgment of necessity is fulfilled, therefore indicated and because there are other alternatives to obtain the information on the economic solvency. The suitability judgment is not met either, since, for the treatment that carried out by the IJF could really satisfy the interests it invokes - linked to the information on the financial solvency and the prevention of fraud-, it would be It is essential that the information on the alleged debts attributed to the claimants were up-to-date - the principle of accuracy that the FIJ does not comply with - and, in addition, have data of those affected that fully identify them. In the wake of the entry into force of the LOPDGDD and by virtue of the provision of its provision additional seventh, in the case of publications of administrative acts - in which no The complete DNI / NIF information will appear - unequivocal identification will be impossible of the owners of the data. It is added for the purpose of suitability that the information that is provided represents a small part of the people who have debts pending with Public Administrations, only to the reduced group that does not has been notified personally and has forced the Administration to carry out the relevant notification through the publication of announcements or edicts. And, finally and fundamentally, there is no balance between the interests that EQUIFAX pursues through the FIJ and the damages suffered by the holders of the data. To the absolute inexistence of an expectation of the owner of the data to which produces a treatment of them, collected from an official newspaper, by a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 148 148/184 private company that prepares and operates a file with solvency information negative, the obvious negative impact that this treatment produces on the owner of the data. In the matter we are examining, the fundamental right that empowers its owner to dispose of the personal data that concerns them must prevail over what EQUIFAX considers your legitimate interest. The obvious convenience that it can represent for a certain sector of the commercial activity to see the risk inherent in their activity diminished is not proportional the clear violation of the fundamental right recognized in the EC (Article 18.4) and in the Charter of Fundamental Rights of the EU (Article 8) that is perpetrated with the data processing carried out by the FIJ. Following the same criteria, it would be necessary to allow future intrusions " à la carte" when other sectors of the activity they also consider it very convenient for their interests. With total clarity has ruled on this issue the STS of 06/20/2020 (R. cassation 1074/2019), whose sixth Legal Basis says, regarding one of the issues of appeal raised in the writ of admission of the appeal, which “The commercial interests of a company responsible for a data file have to yield before the legitimate interest of the owner of the data to the protection of the same ”. Nor is it admissible to justify this interference with fundamental law in the function that the claimed claims are attributed: that of being a necessary tool for know the risk that borrowers may incur in their operations that affects the proper functioning of the economic activity related to the creditworthiness. On the other hand, the different legal norms that refer to the consultation of the solvency information systems to comply with the principle of credit responsible - cited in detail by the claimed in its brief of allegations- always make a very clear precision: that information systems on solvency and the measures adopted must fully respect the regulations of Personal data protection. As a complement to the above, another element to be assessed in this weighting but not related to the fundamental right guaranteed in article 18.4 EC, is the relative to the "interests" of those affected by this treatment; interests (without the adjective of “legitimate”) that article 6.1 f) of the RGPD also takes into consideration in the confrontation with the legitimate interest of the data controller or third parties to whom the data is communicated. Thus, it would be appreciated - following the report of the Legal Cabinet 372 / 2016- an interest in favor of the claimants in knowing and giving their consent to carry out a processing of your personal data that influence your future relationships with credit institutions. Ultimately, the conclusion of the weighing trial could in no case be favorable to the prevalence of interest that EQUIFAX intends to satisfy through the FIX. This conclusion is not altered in light of the arguments that EQUIFAX has wielded in its brief of allegations to the initial agreement in favor of the prevalence C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 149 149/184 of the legitimate interest that it invokes. On the contrary, the arguments adduced - "evidence" in the terminology used - confirms the illegality of the data processing carried out by the FIJ, since the circumstances alleged must be rejected for obvious reasons derived from what has been argued up to moment. However, we now analyze the arguments or "evidence" alleged in favor of the prevalence of the “ legitimate interest of Equifax, its user companies and the company itself ” on the rights and interests of the data subjects: to. The recognition that the LOPD made, through article 29.1, of the prevalence of the legitimate interest that she invokes. It adds that the currently applicable regulations do not has changed substantially with respect to the previous one, but rather that “the legal bases and principles applicable to the treatment remain unchanged as a consequence of the entry into force of the RGPD ”. b. The fact that the LOPDGDD, article 20, establishes a presumption iuris tantum of prevalence of the legitimate interest of credit information systems. It states that, since “ the legitimate interest that justifies the treatment [of the credit information of article 20 LOPDGDD] is identical to that pursued by the FIJ ” and that “ the impact on the rights and interests of the interested parties as a consequence the processing of your data in the FIJ is [is] substantially similar to that generated the processing of your data in credit information systems ", article 20 LOPDGDD constitutes an evident indication of the prevalence of the legitimate interest that the FIJ aims to satisfy. c. The reference to the jurisprudence of the CJEU, which is specified in the aforementioned STJUE of 11/24/2011. d. The attitude of the AEPD, which, in its opinion, has been “ recognizing up to now the legality of these systems without having carried out a requirement, warning or any warning addressed to my client, as has been analyzed in the third claim of this writing. " To which was added the knowledge that the AEPD had noted that ASEDIE's draft Code of Conduct included an examination of the prevalence of the legitimate interest of the entities that manage these systems of information without having made any statement contrary to such matter. Well, all the elements, considerations or evidences - in the words of the claimed- favorable to the prevalence of the legitimate interest that EQUIFAX seeks satisfy through the FIJ must be rejected. Regarding the first factor that he argues, this clarification should be made: Even though article 29.1 LOPD supposedly established a presumption iuris tantum of prevalence of the legitimate interest defended in favor of the information on financial solvency and credit characterized only, so that here it is of interest, because of the source or origin from which they obtained the information, as a result of the STJUE so often cited, which declares the direct effect of article 7.f) of the Directive 95/46, it could not be ignored that these information systems on patrimonial solvency referred to in article 29.1 LOPD were obliged to comply with the principles that governed the processing of data in the LOPD, the principle quality of the data and specifically the limitation of the purpose or the accuracy (articles 4.2. and 4.3 LOPD), with the consequences that this entailed Regarding the legality of the treatment carried out by EQUIFAX through the FIJ. Deny this objective reality with the argument that “the legal bases and principles applicable to the treatment remain unchanged as a result of the entry C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 150 150/184 in force of the RGPD ”, is to mix interestingly what is comparable with what is not. The principles that govern the treatment of the data and the legal bases of the treatment, but article 29.1 LOPD was neither one thing or the other. The claim to extend the iuris presumption must also be rejected. tantum that the LOPDGDD has established in favor of information systems credit of article 20 with information systems such as the FIJ. It, for the reason fundamental that, in the system designed by article 20 LOPDGDD, it is the creditor, who obviously maintains a relationship with the debtor, who communicates the personal data to the file, so the principle of limitation of the purpose and, from that point of view, the treatment necessary to satisfy that interest is respectful of the principle of limitation of purpose. Second, because these files are surrounded by guarantees to comply with the principle of accuracy. In them, it is the creditor, in general, who communicates the debt to the file. Nothing to do with the information that is collected from an advertisement published in a official diary. On the other hand, the holders of financial solvency files, with the purpose of respect the principle of accuracy, articulate rigorous mechanisms of their own accord and effective for updating the data and thus avoid incurring in an infringement of the data protection regulations. Thus, in this type of files the associates that report an unpaid debt must confirm with a certain periodicity the information reported to the file. So the reported incidents are not maintained in these systems sine die, but their permanence is subject to the confirmation to the system. When reiterated by the creditor, the information must have been verify that the default situation continues - which you can perfectly do now that it is he who knows first-hand if the debt has been extinguished or not- and At the same time, if the creditor does not repeat the communication of the debt, the system of Credit information automatically proceeds to remove that entry. If this were not enough, the legislator of the LOPDGDD attributes to the reporting creditor the obligation to guarantee the accuracy of the debt, without prejudice to the fact that the RGPD, Article 26, grants the reporting creditor the status of co-responsible together with the entity that maintains the credit information system. Third, for the remaining guarantees that are established in favor of the holders of the data: guarantees of transparency and limitation of the time during which the information will be available. The inclusion of a debtor's data in one of these systems provided for in article 20 LOPDGDD has been preceded by the information on the adverse consequences that would arise for him if he did not pay the Debt. In addition, the LOPDGDD in article 20 has doubled the guarantees in favor of the debtor regarding the system provided for in article 29.2 LOPD and 38 and following of the RLOPD: the maximum inclusion time has been reduced to 5 years from the expiration of the obligation (article 20.1.d, LOPDGDD) and the entity The person responsible for the information system is obliged to keep the data of the affected party during the thirty days following the notification of the debt to the system (article 20.1.c, LOPDGDD) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 151 151/184 The two remaining factors cited by the complainant to support the prevalence of the interests that it defends are equally unacceptable and with respect to them, we refer to the considerations made in other sections of this proposed resolution. 3. The principle of proactive responsibility obliges the data controller to be in a position to demonstrate that the treatment carried out is covered on the legal basis that it invokes. Regarding the analysis that the respondent should have carried out before the effective application of the GDPR to verify the existence of a legitimate interest prevailing under article 6.1.f) which, as it has been stating, constitutes the legal basis for the data processing carried out through the FIJ, is worth mentioning, due to its obvious importance in the valuation of the element culpabilistic of the offense, the claim that he has made that with the application effective GDPR did not consider it necessary to carry out an analysis that indeed The legitimate interest that defends. It has stated in its brief of allegations in this regard that the " Evidence cited together with the fact that, in his opinion, the requirements were met established by the GT29 in its Opinion 6/2014 ”sufficiently accredited the interest legitimate whose prevalence it defends. Thus, it states that it considered unnecessary to carry out a legitimate interest analysis specific to the FIJ since “[...] the regulation itself when weighing interests applicable to the treatment regulated in article 20 of the LOPDGDD already it was enough to supplement the adoption of this measure " It should be added that the document on the analysis of the prevailing legal interest prepared in December 2019 that has provided both in the test phase and in annex to your brief of allegations to the initiation agreement, (LIA Judicial File, Legal Analysis, December 2019), to which we have referred in the Legal Basis above and will be done in the following Legal Basis, highlights its perfect knowledge that the treatment carried out violated principles of treatment provided for in the RGPD and that, therefore, the application of the Article 6.1.f) RGPD as the legal basis for the treatment. 4. The respondent states in its allegations to the proposed resolution that collected in the proposal is enough to refute what was stated in their allegations to the initiation agreement; allegations that he considers reproduced and complemented with what which now exposes: That EQUIFAX has an “ evident legal basis, the concurrence of an interest legitimate prevailing, for the treatment of the data in the FIJ. " Thus, it says that “[...] These information systems were expressly equipped with a presumption of prevalence of the aforementioned legitimate interest ”. (The underlining is ours) Later he adds: “Obviously, article 29.1 of the LOPD did not regulate the basic principles or the legal bases of the treatment, but determined that, on the basis of principles and legal bases identical to those contained in the RGPD, data processing collected in it was lawful. That is, either article 29.1 of the LOPD is C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 152 152/184 exceeded the regime contained in the Directive, enabling nothing less that a treatment that violated its articles 6 and 7 in the terms assumed by the Proposal for a Resolution, something that no Court or the Institutions of the Union European (and even less the AEPD itself) even hinted at any time or, the principles and legal bases remaining unchanged, this treatment is so according to the RGPD as it was to the Directive. This fact is undoubted, by far that it is a question of forcing the argumentation in another sense. " (The underlining is ours) It also states that in its previous allegations it proved that, in the this case, concurred triple -idoneidad judgment, necessity and proportionality strictu sensu - required by constitutional jurisprudence for the treatment carried out by the FIJ it will be in accordance with the RGPD; weighting that, he affirms, is favorable to legitimate interest that justifies it. Regarding the aforementioned triple judgment, it is limited to make various considerations in relation to what was argued in the proposal of resolution. Considerations that, for the most part, do not conform to the truth or not they respect the context in which they were made. We reproduce some of them: “[...] the Proposal for a Resolution: [considers] that the legitimate interest underlying the processing of data in the FIJ is nothing more than a mere "convenience" for "Perpetrate" what is called "intrusions a la carte" in the rights of the interested parties (the expressions used are from the Proposed Resolution, not from my represented). " “[...] in the opinion of the AEPD the [CIRBE is] the only information system that contributes to the purpose pursued by the treatment carried out by the FIJ. " “[..] making the AEPD the principle of reasonable expectation (derived from nothing less the fact that these systems exist in our law and have been expressly regulated by it since 1992 and that the debtor must reasonably expect that your creditworthiness will be assessed before obtaining a loan) in the “reasonable expectation” of the delinquent debtor that their debt is not known and the financing is granted, even when this damages the principles of responsible credit enshrined by the legislator". From what is alleged by the claimed in that brief in defense of the alleged non-existence of the violation of article 6.1. GDPR two relevant conclusions are drawn: The first, that, in the opinion of the entity, the legal basis for data processing made by the FIJ during the validity of the LOPD and after the CJEU of 11/24/2011 was based on a presumption of prevalence of interest legitimate established in article 29.1 LOPD. I precept that, otherwise, no contained no guarantee or safeguards in favor of the data subjects. This despite the fact that this interpretation of article 29.1 LOPD defended by EQUIFAX included in contradiction with the principle of limitation of the purpose contained in article 4.2. LOPD. The second consequence is that, to the extent that the respondent constructs the basis of the data processing carried out by the FIJ during the validity of the LOPD in a rule of internal law, namely, in article 29.1 of the LOPD -because It is on this article that he bases the dispensation of respecting the imposed obligation by article 4.2. LOPD- cannot continue to maintain that there has not been a substantial change between the legal regime established by the LOPD and the legal introduced by the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 153 153/184 The direct consequence of his allegation regarding the non-existence of a violation of the Article 6.1 RGPD is that it invalidates its own argument that the AEPD, With the opening of this sanctioning file, it has violated the principle of legitimate confidence. Pursuant to the alleged violation of the principle of legitimate confidence attributed to The AEPD has been holding that, according to the doctrine of the Contentious Chamber Administrative of the National Court, taking into account that it is not admissible introduce a change of criterion in a sanctioning procedure and that in the In this case, the change in criteria could not be covered by the existence of a change normative between the Directive and the RGPD since the principles and legal bases of the RGPD are essentially those established by the Directive, the file of the file and also the element of the guilt, which would also lead to the filing of the absence procedure of sanctioning responsibility These assertions of the defendant, which are examined in the Fundamentals Previous legal, start from a premise exposed by that entity with reiteration: that there has been no regulatory change between the Directive and the RGPD that could support the change of position of the AEPD since the principles and bases GDPR legal regulations are almost identical to those established by the Directive In light of the exposition that the defendant makes to deny the infringement of the principle of legality that is imputed to him as well as of the manifested to deny the infraction of the purpose limitation principle, it is obvious that the basis of his allegation is not the rules of the Directive (that is, the principles and legal bases contained in it establish) but the reference to a rule of domestic law, article 29.1 LOPD, which is neither in force at present, nor does it derive from the transposition of the Directive 95/46 / CE, nor does it exist in the GDPR. Ultimately, as noted in the motion for a resolution, the respondent claims that it is not possible to justify the change of criteria of the AEPD -materialized in the sanctioning file that concerns us- in an alleged regulatory change every time that said regulatory change has not entailed a change in the legal bases of the treatment and the principles that govern said treatment, setting the terms of the comparison in the Directive and the GDPR. And at the same time, in parallel, the claimed, argues as a basis for the treatment that it had been carrying out during the Regime of the LOPD article 29.1 LOPD, provision that, as indicated in the does not contain a legal basis for the treatment or a guiding principle for the treatment provided for in Directive 95/46 / EC and which, furthermore, is not a consequence of the transposition of Directive 95/46 / CE into Spanish law. 5.Of the preceding exposition and the documentation that is in the file regarding the claimants, it is proven that EQUIFAX has been dealing with the personal data of those affected included in the FIJ violating the principle of legality, since the treatment was not based on any of the legal bases that relate Article 6.1 GDPR. The conducts in which the data processing carried out by the claimed violating article 6.1 RGPD, in relation to article 5.1.a) of the same rule, consisted of collecting data published in bulletins and official journals and, also occasionally, on bulletin boards or electronic headquarters of Public Law entities; in the storage of that information and in the eventual transfer of these data to third parties, associates or clients of EQUIFAX. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 154 154/184 The infringement of article 6.1 RGPD is typified in article 83.5.a) RGPD that establishes: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a ) the basic principles for the treatment, including the conditions for the treatment consent in accordance with articles 5, 6, 7 and 9; [...] " On the other hand, for the purposes of prescription, the LOPDGDD qualifies in its article 72.1. as a very serious infringement “ b) The processing of personal data without concurring any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679 ”. VII Of the infringement of the principle of accuracy 1. Article 5.1.d) of the RGPD, regarding the principle of accuracy, provides that the data personal data subject to treatment will be “ accurate and, if necessary, updated; I know will take all reasonable measures so that they are suppressed or rectified without delay personal data that are inaccurate with respect to the purposes for which are treated ('accuracy') " Recital 39 adds that all reasonable measures must be taken to ensure that inaccurate personal data is rectified or deleted The principle of accuracy implies that the data controller who has the personal information will not use such information without taking steps that guarantee, with reasonable certainty, that the data is accurate and is updated. In turn, the obligation to guarantee the accuracy of the data must considered in the context of the purpose of the treatment. The GDPR imposes the responsible for the treatment the obligation to keep the data updated since says that the data will be accurate "and, if necessary, updated"; need that is connected with the purpose of the treatment. EQUIFAX has stated that the purpose of the treatment it carries out through the FIJ is linked to the " assessment of the solvency of those affected ". Therefore, only If the data included in the file reflect the current situation, they will be suitable for the Intended purpose of evaluating the creditworthiness of borrowers. The sources from which the FIJ draws are official newspapers and gazettes. The The information contained therein, and accessed by the FIJ, is pertinent to that the Public Administration can fulfill the purpose it seeks to satisfy and that has justified that personal data of the administered ones were made public. Without However, this information is not adequate for the purpose of a file such as the FIX. The disparity and incompatibility between the purpose of the original treatment and the pursued by the FIJ determines that the information that this file collects is fragmentary - it has only part of the information related to the debt and in C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 155 155/184 sometimes only a part of the identifying data of the alleged debtors- and it is also disconnected from the future of debt. The debt is linked to a natural person in an act of notification that sees the light public at a specific time. The avatars that from that moment can affect the existence of the debt and its link to the alleged debtor are countless. Among them, to mention a few, the payment by the debtor or the execution of the debt by the Administration, of which EQUIFAX will not have news if the notification of the acts of the execution procedure is carried out personally and it is not necessary to go to the notification by publishing edicts. In this way, the information collected by the FIJ is kept without updating, unalterable in the file for a maximum period of six years computed from the date of date of publication, unless the affected party exercises the right of deletion or rectification. In the present case, with respect to the claimants, there are annotations of non-payment published in 2013, although the vast majority of the announcements were published between 2016 and 2019. The answer that EQUIFAX has given to the question asked in the test phase about the mechanisms for updating the information incorporated into the FIJ is a implicit acknowledgment that it lacks the means to verify its accuracy. So that the information that the FIJ collects was up-to-date, and thus be able to guarantee the principle of accuracy, it would need the collaboration of the holders of the data or the creditor Administration, which obviously does not happen. It is enough to remember how the entities that maintain information systems credit established in article 20 of the LOPDGDD act to comply with the principle of accuracy in order to appreciate the absurdity involved in maintaining a file for up to six years debts that one day were published in an official gazette and which nothing else is known from that date. The mechanics of internal functioning of such systems that their managers have designed with the purpose of complying with the principle of data accuracy. A proof that the FIJ cannot guarantee the accuracy of the information that offers is that more than 25% of the claimants, before going to the AEPD, had already provided to EQUIFAX documents that demonstrated that the FIJ was publishing inaccurate information associated with your data. In the file were linking extinguished debts to your personal data. We refer to documents of the claimants identified with the numbers 19,22,27,30, 37,38,40,41,42,50,52,53,54,59,61,62,72,73,75,77,80,83 and 87. The violation of the principle of accuracy incurred by the FIJ has another manifestation, which concerns the identity of the presumed debtors. The Publications from which the FIJ collects information do not always allow the identification of undoubtedly to the alleged owner of the debt. As evidenced by the documentation in the file of the presumed owners of the debts that are registered in the FIJ are frequently identified not by the NIF, but by name and two surnames combined with an address. It should be noted in this regard that the great Most of the incidents that appear in the FIJ associated with the claimants are C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 156 156/184 prior to 2018 and that, as of 12/07/2018 (date of entry into force of the LOPDGDD) in accordance with the provisions of the seventh Additional Provision of the LOPDGDD the address information is not included in the notifications by means of announcements and publications of administrative acts carried out by any Public administration. The seriousness of this fact is evident when the EQUIFAX associate has access to information that does not unequivocally identify the person to whom it refers your query and then tries to identify it "by approximation"; this is, once searches the FIJ for the data that identifies the person you want contract with him, if the FIJ does not have the NIF of that person registered, it will provide the associate of EQUIFAX the information available from people who have names and matching surnames for the associate, on the basis of verifying if any of the addresses coincide with that of the person you want to hire, you can determine if this meets the required solvency conditions. Situation that gives rise to that, when the alleged debtor exercises access to EQUIFAX -as long as the claimed party does not has your NIF included in the FIJ- requires, for identification purposes, the addresses that he has had over the years as a way to determine whether or not he is the debtor. This absolute indeterminacy of the person of the debtor, in other words, inaccuracy of the data, has not been an obstacle so that, previously, the associate EQUIFAX has verified that in the FIJ there are one or more people with a name and last name coinciding with that of the person who intends to contract with him and, when in doubt as to Not him to whom the FIJ refers, I granted him the initial presumption of insolvency. Situation This is clearly reflected in the case of claimants 18, 26, 27, 32, 36 and 94. Thus, the file owned by the claimed party violates the principle of accuracy. also with regard to the identification of the holders of the debts. The conclusion that we can extract is that it can hardly serve the legitimate interest that wants to attend linked to " fraud prevention ". On the other hand, in view of the particular circumstances that determine that the Administration is forced to notify a managed by publishing of advertisements (assumptions of article 44 LPACAP), a rigorous application of the accuracy should lead to not admit, without further verification, as a datum exact information regarding the address that until the entry into force of the LOPDGDD appeared published in the official newspaper or gazette. This, despite the fact that the reason for notifying by posting ads is not at all cases where the address is wrong or the interested party is unknown. If the information provided by EQUIFAX in the testing phase regarding notifications practiced, of the total of those that were unsuccessful, just over 90% were unsuccessful because the address was incorrect or the recipient was unknown. (Done tested tenth) 2. The position held by the respondent both in its response to the evidence and in the allegations to the initial agreement it is obviously the opposite. First of all, regarding the infringement of the principle of accuracy, the claimed has stated in its allegations that the RGPD has not introduced modifications or in the enunciation of the principle nor in its consequences, in comparison with what established by the Directive, therefore, it understands that through the initiation agreement the AEPD C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 157 157/184 has adopted a “ new criterion ” that violates the principles of legal certainty and legitimate confidence. On this matter we limit ourselves to making a reference to what set forth in the corresponding Legal Basis IV of this resolution. The respondent asserts that the FIJ fully respects the principle of accuracy. That the published data enjoy the presumption of accuracy recognized in article 4.2.d) of the LOPDGDD, so it is not responsible for the inaccuracies of which could suffer. It states that it has made available to those affected the mechanisms to correct or delete inaccurate or incomplete data, respecting in In any case, the requirements set forth in the LOPDGDD and the RGPD, such as providing the documentation that proves the inaccuracy of a data whose deletion is requested. For This means that there is no reversal of the burden of proof when the claimants who request the deletion of their data from the FIJ provided by the documents certifying the payment of the debt but only compliance with the requirements set forth in current regulations (article 14 LOPDGDD) Regarding the presumption of accuracy contemplated in article 4.2.d) LOPDGDD, it is necessary to indicate that article 4 begins by referring in paragraph 1 to the principle of accuracy of article 5.1.d) RGPD, which says, among other things, that the data must be updated when necessary for the purposes of the treatment. There are situations in which is absolutely necessary to check and even update periodically the accuracy of the data due to the damage that could be caused by interested if the data were inaccurate. So the starting point is a situation in which the respondent seeks a information that you know you cannot update, and this, despite being the update of the information a requirement for the FIJ to fulfill its purpose. EQUIFAX knows this fact perfectly and freely chooses to collect that information, so She must assume the responsibility derived from the inaccuracy of the data that she treats. On the other hand, regarding article 4.2.d) LOPDGDD, the presumption that invokes -if applicable to the case, an extreme that is not shared- it could operate exclusively Regarding the information that comes from the Public Bankruptcy Registry. In no case of the official newspapers and gazettes that do not have the status of public registry. Regarding the mechanisms that the respondent affirms that it makes available to the affected to rectify or delete their data, it is enough to point out that it does nothing but fulfill an obligation imposed by the GDPR. Chapter III " Rights of the interested party " regulates these rights in articles 16 to 19 and article 14 LOPDGDD provides that, when necessary, the affected party provides the documentation proving the inaccuracy. In response to the question that was asked in the test phase about what was the protocol you had had for the past six years to ensure that the data personnel that incorporated the FIJ were duly updated, in all At the moment, EQUIFAX responded that the protocol is based mainly on the "Limitation of the sources from which the FIJ file is fed", the information that is obtained from the Official Gazettes published by the State, the Communities Autonomous and Provincial Councils . Which, in his opinion, guarantees that all the information collected is considered " official and authentic" in accordance with the Article 3.1 of Royal Decree 181/2008, of February 8, on the organization of the official gazette State official newsletter. He considers this to be " a guarantee that there are no C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 158 158/184 doubts about the updating and veracity of the information incorporated into the FIJ. " Y adds that “ the newsletters are downloaded the same day they are published, so the FIJ information is updated on a daily basis with the information contained in the Newsletters. " Regarding the respondent's response, it should be noted that, indeed, the Information published in the Notifications Supplement and in the BOE is guaranteed of " authenticity" , that is, the guarantee that it actually comes from the authority who signs the act or provision. The respondent's comment that “ the FIJ information is updated accordingly. daily with the information contained in the Bulletins ” is absolutely true if by updating we mean "enriching". Indeed the FIJ is getting richer every day with the new information you collect from the newsletters; but that has nothing to do with the updating or updating of the annotations for debts that already appear in the file linked to natural persons. The respondent has also referred in her response to the questions formulated in the test phase to the “ Automatic information capture processes: the downloading of the bulletins and the subsequent registration of the data in the FIJ ” and says that it has specific recording criteria implemented “in order to ensure that the headlines are unequivocally identified for their inclusion in the FIJ, ” from which concludes without more than " These criteria guarantee that there is only data from owners duly identified ”. It is not in doubt that the information regarding the personal data contained in the newsletters and newspapers it is accurately transferred to the IJF. But, as more than enough the respondent knows, that is not the question to which the violation of the principle refers of exactitude so that, in this sense, his assertion that " These criteria guarantee that there is only data of holders duly identified " The respondent referred in her response to a new measure implemented that, in its opinion, would guarantee the accuracy and updating of the data: “4) Notification of inclusion: this part has been making the holders whose data has been collected from May 25, 2018, a specific notification of its inclusion in the FIJ, as a measure to guarantee the updating of the data. Said communications allow interested parties, in a free and simple way, to check whether effectively the data that have been published by the different official gazettes and that have been collected by my client contain some error. " Question to which We will refer to another Legal Basis for the resolution. 3. In its allegations to the proposed resolution EQUIFAX places the starting point of his argument in the necessary clarification of " what is the purpose of the FIJ", since " Article 5.1.d) of the RGPD links" accuracy "with" the purposes for which they are processed " the data". It then states that the " purpose of the FIJ" is "to reflect the existence of a debt as stated in the advertisement and at the time of its publication in the source corresponding official ”. (The underlining is ours) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 159 159/184 From the foregoing, it follows that the circumstance that the FIJ cannot show which is the debt situation at the time of consultation does not allow rating the information inaccurate in the terms provided in article 5.1.d) RGPD. It is not inaccurate, he says. the one claimed - because it correctly collects the information that is necessary for the purpose sought by the FIJ, "to help Equifax clients assess their solvency ." Therefore, he clarifies, the information would be inaccurate if, " contrary to what the file ” , will not correctly reflect the information that appears in the published announcement. Conjecture that the AEPD, in order to qualify the contained data as inaccurate in the FIJ, has proceeded in the resolution proposal, incorrectly, to associate the " Assessment of the solvency of those affected" with information about the "situation current "at the time of the consultation of the debt of the people." It goes on to refer to the suitability of the information contained in the FIJ to assess the creditworthiness of a person; suitability which, he affirms exhaustively, is out of all doubts as has been confirmed for twenty-five years by the “ enormous number of entities that have been resorting to the FIJ to assess solvency "He warns that a judgment of suitability requires a thorough knowledge of the subject and that to what extent know the AEPD is not an entity that carries out analysis in its day-to-day activities solvency. It states that the FIJ “ covers an undeniable need of the creditor market and the fights against delinquency and fraud ”and then states: “ [...] it is clear that The FIJ information constitutes a complement to the files referring to the debts contracted with in the private sector [...]. It is obvious that "in an ideal world" it would be preferable if the FIJ could be updated as completely as it happens with the credit information systems of article 20 of the LOPDGDD. Unfortunately, this is not possible since the Administrations do not publish information in this regard, without such circumstance being considered in any case as a case of "inaccuracy" of the information, for the reasons already stated. " (The underlining is ours) It also argues, as it had already done in the brief of allegations to the commencement agreement, that article 4.2 d) LOPDGDD establishes a presumption of accuracy that cannot be misrepresented “ by the result of the AEPD investigation, not even by the provision of evidence by the interested party ”and“ contains an imperative mandate of disclaimer to the person who has collected the data under their content ”. It indicates that this provision - 4.2.d) LOPDGDD- has to be connected with the BOE regulatory regulation that “ establishes a presumption of veracity and authenticity of the information contained therein, which guarantees the principle of accuracy " and concludes that" the accuracy of the information referred to the notifications incorporated into the FIJ [...] derives directly from said publication [in the BOE] and the LOPDGDD ”. Finally, invoke two more arguments: That until the repeal of the LOPD EQUIFAX “was [...] protected by the express legal authorization contained in the Article 29.1 LOPD and the action of the AEPD for which documentation was required accrediting the payment so that it could proceed to its deletion ”. And, regarding the accuracy of the identification data of the alleged debtors, affirms that "he accredited during the trial period that only proceeds to the processing of those data regarding of which it has sufficient means to guarantee the accuracy of the information treated . " It also affirms that, as a consequence of the entry into force of the LOPDGDD, it has adopted measures so that only the data of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 160 160/184 stakeholders of which there are sufficient elements to guarantee their full identification, which has been reflected in a decrease in the number of inclusions in the file. In view of what is alleged by the defendant, it seems sterile to discuss the novel concept of accuracy of the data intended to inform about the solvency of the affected. Even more so when the entity itself recognizes that “it would be preferable for the FIJ could be updated as completely as it happens with the systems of credit information of article 20 of the LOPDGDD. " 4.Article 5.2, in connection with 5.1.d) RGPD evidences that it is incumbent on the responsible for the treatment the burden of proving the accuracy of the data that are the subject of treatment ; For what is of interest here, EQUIFAX is responsible for proving the accuracy of the debts included in the FIJ associated with exact personal data of the presumed debtors. The obligation imposed by article 5.2. RGPD implies that the person responsible for the treatment must provide, during all the time in which the data processing, mechanisms that guarantee that the information it deals with -the debts that link to personal data- is at all times updated. The defendant completely lacks the means to fulfill this obligation. And before this lack, aims to be recognized as a skillful instrument for compliance of the obligation incumbent upon her, which is nothing but a requirement demanded by law the owner of the data who exercises the rights granted by the RGPD. In short, the claimed is intended to be valued as a means of fulfilling the obligation of accuracy imposed by article 5.2 RGDP in relation to article 5.1.d), the documentation that claimants must provide in order to prove the inaccuracy of the data concerning them when they exercise before it the right to rectification (article 14 RGPD). On the other hand, the respondent is perfectly aware that it does not have means to keep the information processed in the FIJ updated. Proof of this is the text that we reproduce, from document 8 of which it sent in the phase of evidence, called “LIA Judicial File. Legal Analysis. December 2019 ”, in which point 7, “ Operation of Equifax files with information obtained from sources of public access ”, a section is dedicated to the guarantees that implement in the future regarding the principle of accuracy: "1.4. Principle of accuracy ”“ In compliance with this principle and given that the Edict publication only recognizes the existence of the obligation to satisfy the owed, but there is no additional information that allows to know effectively if that amount is owed at the time of notification of inclusion, a possible solution to this problem would be the limitation of very brief references to the aforementioned communications, and in the analyzed system this This requirement is met, as the term is reduced to the publications that have occurred in the last five months. However, this reduction does not allow us to fully bypass the risk derived from the treatment of these data, being able to see the qualification of a negatively interested by the fact of incorporating an edict notice referred to a debt already paid in the same way that it could be affected favorably the subject to whom a notification had been made with a C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 161 161/184 seniority of more than five months and had not proceeded to pay the amount owed. " (The underlining is ours) 5. In accordance with the foregoing and the documentation in the file, the considers that the respondent has violated the principle of accuracy provided in article 5.1.c) RGPD. The violation of article 5.1.c) RGPD that is attributed to EQUIFAX is typified in the Article 83.5. RGPD that states: “Violations of the following provisions are sanctioned, in accordance with section 2, with administrative fines of 20,000,000 Eur maximum or, in the case of a company, an amount equivalent to 4% at most of the total annual global turnover of the financial year above, opting for the one with the highest amount: b) The basic principles for the treatment, including the conditions for the consent in accordance with articles 5,6,7 and 9. " Article 72 of the LOPDGDD qualifies as very serious -being the statute of limitations, in this case, three years - the infractions that suppose a substantial violation of the articles mentioned in article 83.5 RGPD and in particular: "A) The processing of personal data violating the principles and guarantees established in Article 5 of Regulation (EU) 2016/679. " VIII Of the infringement of the principle of data minimization The RGPD establishes in its article 5.1.c) that personal data will be “ adequate, relevant and limited to what is necessary in relation to the purposes for which they are treated (<< data minimization >>) " Therefore, only data that is adequate, relevant and not excessive in relation to the purpose for which they are obtained or processed . This implies, for one part, that the categories of data selected for processing must be necessary to achieve the objective of the treatment operations and that the person responsible of the treatment must strictly limit the collection of data to that information that is directly related to the specific purpose pursued by the treatment. On the other hand, the GDPR requires that the data be relevant , which implies that the data treaties are suitable and proportional to the legitimate aim pursued. Also, that the personal data that is adequate and relevant, but constitutes interference disproportionate in the fundamental rights and freedoms at stake, they must considered excessive . Compliance with this principle by the claimed, as happens with other principles already examined, such as legality or accuracy, is conditioned by the infringement of the principle of limitation of the purpose in which the entity incurs with the collection of data from official newspapers and gazettes that pursue a purpose incompatible with that of the FIJ. As a result of the illegal nature of the subsequent processing of the data collected - that is, the one that the claimed is carried out through the FIJ- it is shown that the person responsible for the treatment is in a situation of practical impossibility of respecting the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 162 162/184 rest of the principles that according to the RGPD govern the treatment. Such is the degree of irregularity that some of the actions with which EQUIFAX intends to comply with the Obligations imposed by respect for the principles that govern the treatment are become in practice an additional violation of the regulations for the protection of data. As a first point, it should be noted that, as has been shown when examining other principles, particularly that of accuracy, the data that EQUIFAX obtains from through bulletins and official journals that feed the FIJ are not suitable for the purpose pursued by the file, so they violate the principle of minimization of data. The fundamental reason is that they do not allow an update of the information regarding the solvency of the debtor. It is added to the above that, while the Publication of the data does not include the address of the owner of the data, the claimed does not is in a position to comply with the information obligation provided for in the Article 14 RGPD. On the other hand, it is necessary to refer to Additional Provision 7 of the LOPDGDD that, under the heading " Identification of those interested in notifications by means of announcements and publications of administrative acts. " establishes: "1. When the publication of an administrative act containing personal data of the affected person, they will be identified by their name and surnames, adding four random numerical figures from the national document of identity, foreigner identity number, passport or equivalent document. When the publication refers to a plurality of affected these random figures they must alternate. In the case of notification by means of advertisements, particularly in the assumptions referred to in article 44 of Law 39/2015, of October 1, of the Common Administrative Procedure of Public Administrations, it will be identified to the affected exclusively through the complete number of his national document Identity number, foreigner identity number, passport or equivalent document. When the affected person lacks any of the documents mentioned in the two previous paragraphs, the affected party will be identified solely by name and surnames. In no case should the name and surname be published jointly with the complete number of the national identity document, identity number of foreigner, passport or equivalent document. " In accordance with the transcribed provision, in the publications and notifications by means of announcements provided for in articles 45 and 44 LPACP will never be published address of the interested parties, nor jointly the name and surname and the number complete identity document. In addition, in the case of notifications of announcements of article 44 LPACAP, identification will be made by the full number of the identity document, regardless of the reference to the name and surname except that the owner lacks this information, in which case the name and surname will be included. And in the publications of administrative acts that contain personal data will be included the name and surname and four random figures of the identity document. This legal provision seeks to minimize the impact caused on the right fundamental to the protection of data of the administered derived from the publication of your data in official newspapers or gazettes. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 163 163/184 EQUIFAX answered the question asked in the test phase regarding the criteria that the FIJ uses to organize the personal data that are subject to treatment in order that their holders are duly identified, (Done tested sixth) in the following terms: a) If only the NIF / NIE is published: then “it is verified whether on the date of publication, the NIF / NIE in question, is registered in the active information of the FIJ (excluding therefore the one that is blocked). Depending on the result obtained, different actions are carried out : " a´) If the identifier is already included in the FIJ associated with a name and surname, registers in the FIJ the new published information. a´´) If that identifier is not included in the FIJ, the recording of the registry is discarded . b) In the event that the name and surname and incomplete NIF / CIF are published: d skip the recording of the data in the FIX file c) Cases in which name + surname + address is published: It proceeds to the recording of the record in the FIJ file, associating both data. d) Cases in which only name + surname appears published: In this Of course, the recording of the data in the FIJ file is discarded . (The underlining is ours) Thus, despite the limitations that the data represent for the processing of data, criteria set in the seventh Additional Provision of the LOPDGDD, the claimed is supports the information that is active in the FIJ on the date of publication of the information; combines both information and proceeds to register in its file the new information published as long as the identifier - the only data that according to The seventh Additional Provision of the LOPDGDD can be made public - already included in the FIJ associated with a name and surname. We believe that this conduct invalidates the measures provided by the legislator for protect the right of the owners of the data that are published for reasons of public interest in official gazettes and gazettes. In the case that concerns us, it is proven that there are numerous claimants that, after 12/07/2018, the date of entry into force of the LOPDGDD, they have annotations in the FIJ. Which means that while the publication of the The information did not contain their names and surnames but exclusively the NIF, EQUIFAX, acting as explained, verified that this identifier was active in its file and, in addition, associated with a name and surname, and proceeded to give high the annotation. In this sense, it is proven that they were included in the FIJ, with after 12/07/2018, annotations linked to the following claimants who In the aforementioned file they are identified by their name, two surnames and NIF: the numbers 2,6,7,9,13,14,15,21,32,43,48,49,58,59,71,74,79,82,83 and 89. 3. In its brief of allegations to the proposed resolution, the complained party states that the statement made by the proposed resolution in relation to the infringement of the principle of minimization of data that is imputed to him does not allow him to discern his link with the aforementioned principle. It adds that “ nowhere in the Proposal is indicates that the collection of data referring to the name, surname, document identification, address and characteristics of the debt contracted are not adjusted to C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 164 164/184 the aforementioned purpose nor is a trial or assessment of any proportionality carried out respect." It concludes that the aforementioned offense appears to have been included in the resolution with “ a mere intention of increasing, [...] in a completely artificial way the reproach directed against ” EQUIFAX. It indicates that the reasoning of the AEPD in the proposed resolution leads to, when it is considered that a certain treatment violates the principle of limitation of the purpose (which the defendant denies) “ would also breach the minimization principle, since more data would be processed from those legally enforceable in the opinion of the Agency. This argument, by definition it would be inadmissible, [...] " Finally, it adds that, as a consequence of the entry into force of the LOPDGDD, “ Has put into practice measures aimed at making the data processing result adjusted to the principles of accuracy and minimization and that only the treatment in the event that compliance with such principles is guaranteed, for which is not enough to understand the effect that the entry into force of said provision can lead to the alleged violation of the principle of minimization. " 4.In accordance with the foregoing and the documentation in the file, we estimate that the behavior of the claimed violates the principle of minimization of data provided in article 5.1.c) RGPD. The infringement of article 5.1.c) RGPD is typified in article 83.5.a) RGPD that establishes: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: a ) the basic principles for the treatment, including the conditions for the treatment consent in accordance with articles 5, 6, 7 and 9; [...] " On the other hand, for the purposes of prescription, the LOPDGDD qualifies in its article 72.1. as a very serious offense "a) The processing of personal data violating the principles and guarantees established in article 5 of Regulation (EU) 2016/679 ”. IX Of the infringement of the obligation imposed in article 14 RGPD 1. The RGPD dedicates chapter III to the rights of the interested parties (articles 12 to 23). Article 14, under the heading "Information to be provided when the data personal data have not been obtained from the interested party ”establishes the following: "1. When the personal data have not been obtained from the interested party, the person in charge of the treatment will provide you with the following information: a) the identity and contact details of the person in charge and, where appropriate, of their representative; b) the contact details of the data protection officer, if applicable; C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 165 165/184 c) the purposes of the treatment to which the personal data are destined, as well as the basis legal treatment; d) the categories of personal data in question; e) the recipients or categories of recipients of personal data, in their case; f) where appropriate, the intention of the person in charge of transferring personal data to a recipient in a third country or international organization and the existence or absence of an adequacy decision of the Commission, or, in the case of transfers indicated in articles 46 or 47 or article 49, paragraph 1, second paragraph, reference to adequate or appropriate guarantees and means of obtaining a a copy of them or the fact that they have been loaned. 2.In addition to the information mentioned in section 1, the person responsible for the treatment will provide the interested party with the following information necessary to guarantee a fair and transparent data processing with respect to the interested party: a) the period during which the personal data will be kept or, when that is not possible, the criteria used to determine this deadline; b) when the treatment is based on article 6, paragraph 1, letter f), the interests the data controller or a third party; c) the existence of the right to request the data controller for access to the personal data relating to the interested party, and its rectification or deletion, or the limitation of its treatment, and to oppose the treatment, as well as the right to portability of the data; d) when the processing is based on article 6, paragraph 1, letter a), or article 9, paragraph 2, letter a), the existence of the right to withdraw consent in at any time, without affecting the legality of the treatment based on the consent before its withdrawal; e) the right to file a claim with a supervisory authority; f) the source from which the personal data come and, where appropriate, if they come from public access sources; g) the existence of automated decisions, including profiling, to which referred to in article 22, paragraphs 1 and 4, and, at least in such cases, information significant on the applied logic, as well as the importance and consequences provided for said treatment for the interested party. 3. The data controller will provide the information indicated in sections 1 and two: a) within a reasonable period of time, once the personal data has been obtained, and more take within a month, taking into account the specific circumstances in which said data is processed; b) if the personal data are to be used for communication with the interested party, to at the latest at the time of the first communication to said interested party, or c) if it is planned to communicate them to another recipient, at the latest at the time that the personal data are communicated for the first time. 4.When the person responsible for the treatment plans the subsequent treatment of the data personal data for a purpose other than that for which they were obtained, will provide the data subject, before said further processing, information on that other purpose and any other relevant information indicated in section 2. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 166 166/184 5.The provisions of paragraphs 1 to 4 shall not apply when and to the extent in what: a) the interested party already has the information; b) the communication of such information is impossible or involves an effort disproportionate, in particular for processing for archival purposes in the interest public, scientific or historical research purposes or statistical purposes, subject to the conditions and guarantees indicated in article 89, paragraph 1, or to the extent that the obligation mentioned in paragraph 1 of this article may make it impossible or seriously impede the achievement of the objectives of such treatment. On such cases, the person in charge will adopt adequate measures to protect the rights, freedoms and legitimate interests of the interested party, including making public the information; c) the obtaining or the communication is expressly established by the Law of the Union or Member States that applies to the controller and that establish adequate measures to protect the legitimate interests of the data subject, or d) when personal data must continue to be confidential about the basis of an obligation of professional secrecy regulated by Union law or of the Member States, including an obligation of secrecy of nature statutory. " Recital 39 also refers to the right of the interested parties to be informed of the processing of your data, in the following terms: “[...] For natural persons it must be totally clear that they are being collected, using, consulting or otherwise processing personal data that concern, as well as the extent to which said data is or will be processed. The beginning transparency requires that all information and communication regarding the treatment of such data is easily accessible and easy to understand, and that a language is used simple and clear. This principle refers in particular to the information of the interested parties about the identity of the person responsible for the treatment and the purposes of the same and to the information added to ensure fair and transparent treatment with regarding the affected natural persons and their right to obtain confirmation and communication of personal data concerning them that are the subject of treatment. [...] " From the effective date of application of the RGPD (05/25/2018) the complainant was obliged to inform, in the terms of article 14 RGPD, all interested parties whose personal data were being processed through the FIJ in that moment. This, because the new transparency regime introduced by the RGPD affected all the treatments that were maintained on that date, with regardless of the regime in force when the data were collected, as established a norm or criterion of the Administrative Litigation Chamber of the National audience. Obligation, on the other hand, was well known to all those responsible for treatments that during the two years prior to the effective application of the RGPD were preparing the adaptation to the new legislation of the treatments of personal data that they carried out. It seems obvious that EQUIFAX did not comply with the obligation imposed by article 14 RGPD to notify the owners of the data that on that date were in the FIJ. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 167 167/184 It is enough to compare the figures provided: in 2018 the people whose data were subject to treatment by the FIJ exceeded four million and, nevertheless, the The number of notifications made that year did not reach three hundred and forty thousand. On In this sense, there is already an infringement of article 14 RGPD in relation to the article 5.1.a) RGPD. On the other hand, there is no doubt that EQUIFAX is obliged to inform the interested in the terms of article 14 RGPD each time they incorporate their personal information. In line with this obligation, we must reiterate what has already been stated regarding the violation of other provisions of the RGPD. In the behavior analyzed we start from an illicit treatment of personal data, inasmuch as data that were initially treated for a purpose that is incompatible with the purpose that pursues further treatment, that is, the FIJ, which conditions, as it could not be otherwise, compliance with the obligations that the RGPD imposes on the responsible for the treatment to the point that these are impossible compliance if it is not in violation of other provisions of the RGPD. As EQUIFAX has repeatedly recognized, the information that the FIJ collects it comes basically from official newspapers and gazettes. It has already been indicated that, as a result of the entry into force of the LOPDGDD and the application of the 7th Additional Provision, The data of the address of the administered whose personal data are subject to publication in accordance with articles 44 and 45 LPACAP. It is, therefore, that EQUIFAX having the obligation to inform the interested parties whose data is included in the file completely lacks the possibility of complying Regarding new registrations, such obligation, to the extent that the announcements published will not provide you with the address information that allows you to inform you in the terms indicated in article 14 RGPD. A circumstance that is obviously not it prevents the violation of article 14 RGPD to be appreciated, particularly with respect to to the annotations that on the date of entry into force of the RGPD already appeared in the FIJ, but to highlight, once again, the absolute irregularity of the FIJ. 2. EQUIFAX has stated in its allegations to the start-up agreement that “it comes making to the holders whose data has been collected since May 25, 2018, a specific notification of its inclusion in the FIJ, as a measure to guarantee the updating of the data. These communications allow the interested parties, in a free and simple way, check whether the data that have been published by the different official gazettes and that have been collected by my representative they contain some error. " As indicated, the notification you announce will not be possible, at least with the only information offered by the newspapers and bulletins in which the data is published. Regarding this new measure that the claimed one announces to us, we must clarify that we are not facing a proactive action of the entity, as it has declared, but before an obligation imposed by the RGPD. On the other hand, it is reiterated that already indicated about the impossibility of practicing this informative notification to the interested in lacking the address information and that the attempt to link the number C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 168 168/184 identification of an interested party that is published in an official newspaper with the information that It is recorded in the FIJ, so the address information is of interest here, it constitutes your Once a violation of the principle of data minimization. Finally, the repeated comment of the entity on the non-existence of an obligation to inform the owner of the data being processed as established in article 5 of the LOPD. The respondent has stated that there was an express endorsement from the National High Court that the fulfillment of such obligation because its action is included in the Article 29.1 LOPD and has cited for this purpose the SSAN of 06/29/2001 (Rec. 1012/1999); 11/29/2001 (Rec. 531/2000) and of 02/27/2008 (Rec. 358/2006) However, the aforementioned judgments seem to show that the regime to which it refers is connected with the prevailing criterion at that time that a treatment of data that had been obtained from public sources defined by article 3.j LOPD was lawful in accordance with article 6.2 LOPD. Therefore, we understand that after the publication of the so many times cited judgments of the CJEU and the Supreme Court there was no reason for EQUIFAX did not comply with the obligation established in article 5 of the LOPD. 3. In its allegations to the proposed resolution, regarding this infraction, the claimed analyzes three different scenarios. (i) The regime prior to the entry into force of the LOPDGDD, in which, it affirms, it is waived the obligation to inform interested parties of the processing of their data personal activities carried out at the FIJ, as confirmed by a “very reiterated jurisprudence ”that determined that as of the SAN of 02/27/2008 the AEPD did not issue any sanctioning resolution for breach of the obligation to notify. (ii) The existing regime during the validity of the LOPD, as of the date on which the dictates the judgment of the CJEU of 11/24/2011. He considers that the situation was identical to the above and that it was the motion for a resolution that " creates ex novo " a line argumentation that understands that the previous criterion was modified from the aforementioned STJUE. In the opinion of the complainant, the proposal eliminates “ the possibility of founding the base of the FIJ in the provision of article 29.1 LOPD ”. Therefore, it requires that the exclusion from the duty to inform did not derive from the nature of the sources obtained the information, but from article 29.1, in relation to 29.4 and in relation to article 5.5. LOPD. (iii) The system after the effective application of the RGPD, in which EQUIFAX has considered " necessary to comply with the duty to inform." After which, add that, “ although he could have considered that the causes that exonerated him from said obligation under the LOPD that, do not forget, remained in force until 7 December 2018, they continued to protect him. " This commitment made as a result of the effective application of the RGPD has materialized in the “ notification to all interested in the inclusion of their data in the FIJ ", which constitutes a" commitment additional entity with the guarantee of the right to data protection ”. The respondent affirms that the proposal considers that “ this duty of information is not has complied with the data included in the FIJ prior to entry into validity of the LOPDGDD, that is, when there was a rule that excluded the duty of information." It also states that after the entry into force of the LOPDGDD could distinguish “ two types of data” : (i) Those introduced prior to the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 169 169/184 entry into force of the RGPD, with respect to which it says that “[...] the principle of minimization and the cited interpretation of Article 11 excluded the possibility of obtaining additional information with the sole protection of complying with the duty to inform ”. TO purpose of article 11 RGPD indicates that it is possible to interpret by analogy, in what affects the processing of data additional to those required for compliance with the purpose of the treatment, the provisions of that precept, according to which “[s] i the purposes for which a controller processes personal data do not require or no longer require the identification of an interested party by the person in charge, this will not be obliged to maintain, obtain or process additional information with a view to identifying the interested party with the only purpose of complying with these Regulations ”. Therefore, consider that it could be concluded that, if the purposes of the treatment do not justify the processing of additional data, no could hide behind GDPR compliance to collect such data. (ii) Those incorporated into the FIJ after said entry into force, with respect to the that Equifax chose, compared to the other entities in the sector, to comply with the Article 14, proceeding to notify all interested parties of the incorporation of their data to FIJ. The entity concludes that it has fully complied with the duty of information regarding all those treatments carried out since the entry into force of the RGPD, therefore, "Under the previous regulations (LOPD) it was exempt from compliance with this obligation." and after “ the entry into force of the RGPD, it was applicable to these treatments provided in article 14.5 a) of the RGPD, since the information is impossible or requires disproportionate efforts, something that the Proposal itself explicitly recognizes. " The respondent affirms that the proposal considers that “this duty of information is not has complied with the data included in the FIJ prior to entry into validity of the LOPDGDD, that is, when there was a rule that excluded the duty of information." However, what the proposal says is that once it went into effect the GDPR, the obligation imposed by article 14 GDPR should be fulfilled in relationship with the data previously included in the FIJ, whose treatment is kept. Forget the claimed that the RGPD, once it is effectively applied, It is applicable in its entirety and that, therefore, EQUIFAX had the obligation from that date of informing in the terms of article 14 RGPD to the owners of the data whose treatment continued to be carried out through the FIJ, even though the data was would have been included in the file under the validity of other regulations. It must be remembered, in addition, that the conduct referred to as constituting an infraction of the The principle of data minimization is what the entity claims to carry out, as a result of the entry into force of the LOPDGDD, since in accordance with the additional provision seventh, the notifications announcements do not include the address information: a crossing of data between the information that already works in the FIJ, in which, as it is inferred from manifested, the address information is included, with which it is published in the advertisements inserted in official gazettes and gazettes. Therefore, compared to what EQUIFAX argues, it was not exempt from the obligation to notify the holders of the data that were still in the FIJ on the date of application of the GDPR. Nor can he be excused from complying with this obligation on the basis of apply article 11 RGPD or on the pretext of avoiding breaching the principle of data minimization, because with respect to the data already included in the FIJ, there is no no data crossover. And the breach is patent. It is enough to compare the number of people who were included in the FIJ on the date of application of the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 170 170/184 RGPD and the number of notifications that in that year and in the following years EQUIFAX. 4. Article 14 RGPD imposes on the respondent an obligation to inform the interested parties when the processed data had not been collected from them, which is consequence of the principle of transparency that governs data processing personal in accordance with article 5.1.a) RGPD. It is a proven fact that EQUIFAX did not notify the interested parties whose data had been dealing with the FIJ as a result of the effective application of the RGPD, the 05/25/2018, this, despite the fact that the interested parties were never informed of the treatment to which your personal data were submitted under an interpretation of the LOPD that the National Court had made before the judgments of the CJEU of 11/24/2011 and TS of 02/25/2012. With regard to the complainants, it is found, as already indicated, that there are numerous inclusions after the date of entry into force of the LOPDGDD. In all cases, these are interested parties of which there were inclusions previous in the FIJ. However, not all of them appear in the FIJ, among the data that they are concerned, the address data. 4. Based on the foregoing and the documentation in the file, we estimate that the conduct of the defendant violates the obligation imposed by article 14 RGPD, in relation to article 5.1.a) RGPD. The infringement of article 14 RGPD is typified in article 83.5 RGPD that establishes: "Violations of the following provisions will be sanctioned, in accordance with the paragraph 2, with administrative fines of a maximum of EUR 20,000,000 or, in the case of a company, an amount equivalent to a maximum of 4% of the total annual global business volume of the previous financial year, opting for the highest amount: to) [...] b) the rights of the interested parties in accordance with articles 12 to 22; " For the purposes of prescription, the LOPDGDD qualifies in its article 72.1. as an offense very serious “h) The omission of the duty to inform the affected person about the treatment of your personal data in accordance with the provisions of articles 13 and 14 of the Regulation (EU) 2016/679 and 12 of this organic law ”. X The defendant revealed in her brief of allegations the non-existent link between the claims made by the claimants and the object of the sanctioning procedure directed against her. It affects that sense in which Claims made are exclusively about the exercise of rights that the RGPD recognizes in articles 16 to 22 and that furthermore this The entity attended, in most cases, the request made by the affected. For this reason, consider that this extreme, the non-existent link between the C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 171 171/184 claims made and the stated object of the procedure, would oblige the file of the procedure. Apart from the fact that in some of the claims the claimants refer to expressly that the inclusion of their data in the FIJ (case of claimants 35, 39, 46 or 55) this allegation must be rejected, since the facts stated manifested in the claims are closely linked to the object of the process. In addition, from the examination of said claims, it appears that the action of the responsible entity transcends the claims submitted. The RGPD has established its own and specific regime regarding procedures before the control authorities regarding data protection. The Chapter VIII of the RGPD is entitled " Resources, responsibility and sanctions ", and the first of the articles of said Chapter VIII, article 77, establishes the right to file a claim with a supervisory authority. Art. 77.1: “Without prejudice to any other administrative resource or legal action, all interested parties will have the right to file a claim with a supervisory authority, in particular in the State member in which you have your habitual residence, place of work or place of alleged infringement, if you consider that the processing of personal data that concern violates these Regulations. " In turn the art. 79 GDPR establishes that “ [S] without prejudice to the administrative or extrajudicial remedies available, including the right to file a claim with a supervisory authority under the Article 77, all interested parties shall have the right to effective judicial protection when consider that your rights under this Regulation have been violated as a result of a processing of your personal data. " We therefore see that a "claim" from a private individual can give rise to two types of procedures, one of them related to infringements of the RGPD, with a character general, and another for violation of their rights. In the LOPDGDD this distinction has been reflected in Title VIII, which regulates jointly the procedures in case of possible violation of the regulations of Data Protection. Thus, its art. 63.1, Legal regime, includes (a) procedures in case of infringement of the RGPD and the LOPDGDD itself and (b) those derived from a possible violation of the rights of the interested parties. The LOPDGDD does not foresee any additional type of procedure in case of possible violation of the regulations of data protection, so that all the functions and powers that the RGPD granted to the control authorities in arts. 57 and 58 RGPD must be exercised at through these procedures in case of possible violation of the regulations of Data Protection. There are no others. It follows from this, also taking into account art. 64 LOPDGDD, which when the procedure is directed exclusively to the lack of attention of a request of the rights articles 15 to 22 RGPD a claim will be necessary, but that (art. 64.2 LOPDGDD) [w] hen the purpose of the procedure is to determine the the possible existence of an infringement of the provisions of Regulation (EU) 2016/679 and in this organic law, it will start by means of an initiation agreement adopted on its own initiative or as a consequence of a claim. That is, both the RGPD like the LOPDGDD consider that a claim from an affected person can be the way or means of bringing to the attention of the supervisory authority a possible C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 172 172/184 infringement of data protection regulations, but in no case restricts the action of the control authority to the specific and concrete complaint of those affected. And this for many reasons, among which stands out, as may be the case in the present procedure, that from the confluence of several claims of persons affected individuals, an action of the person in charge that with general character (that is, not only in the specific cases presented by the claimants) from which it turns out that these specific cases are the reflection of a pattern or common policy applied to all those affected persons who are in the same case that the interested parties. The opposite would be inconsistent with the purpose and will of the community legislator, expressly set forth in the RGPD that the control authorities control and enforce the RGPD, and with the provisions of the RGPD that they can I manifest "infringements" of the data protection regulations through "Claims" that may transcend the individual claims themselves formulated. Consequently, the AEPD has decided to analyze the impact of the treatments that are carried out, resulting in that the deficiencies noted with respect to the regulations of data protection has a general scope, so that all the holders of the personal data registered in it, and not only the claimants, which would result, as has been stated, that the infringement is not It produces exclusively with respect to these, but with a general character. It cannot be said, therefore, that there is no link between the object of the procedure and claims. In any case, no rule prevents the body that exercises the power sanctioning, when it determines the opening of a sanctioning procedure, always ex officio (art. 63.1 law 39/2015, of October 1), determine its scope according to the circumstances revealed, even if they do not adjust strictly to the statements and claims of the complainant. That is, the agreement to initiate the sanctioning procedure is not constrained by the complaint (the "claim") submitted by the individual. This is not the case in the case of procedures processed at the request of the interested party, in which article 88.2 of the LPACAP requires that the resolution be consistent with the requests made by this. Even in this case, the authority of the Administration to initiate ex officio a new procedure. This same article 88 of the LPACAP, referring to the content of the resolution, in its paragraph 1 establishes the obligation to decide all the questions raised by the interested parties and those others that derive from the procedure, including questions related not raised by the interested parties. This article expressly establishes what following: "1. The resolution that puts an end to the procedure will decide all the questions raised by the interested parties and those others derived from it. In the case of related questions that have not been raised by the interested parties, the competent body may rule on them, putting it before manifesting them for a period not exceeding fifteen days, so that C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 173 173/184 formulate the allegations they deem pertinent and provide, where appropriate, the means test". In the sanctioning procedure, even the facts that are revealed during their instruction, which will be determined in the resolution proposal, and may motivate the modification of the imputations contained in the agreement to initiate the procedure or its legal classification. In this sense, when referring to the specialties of the resolution in the sanctioning procedures, article 90 of the LPACAP establishes: "two. In the resolution, events other than those determined in the course of the procedure, regardless of its different legal assessment… ”. XI Of the medial infraction contest Article 29.5 of Law 40/2015, of October 1, on the Legal Regime of the Sector Public (LRSP) provides: "When the commission of an offense necessarily derives from the commission of another or others, only the sanction corresponding to the most infringement must be imposed. serious committed ”. In the opinion of this Agency, as set out in the preceding Fundamentals, the EQUIFAX's conduct in relation to the data processing carried out through the FIJ, constitutes an infringement of articles 5.1.b) RGPD; 6.1, in relation to article 5.1.a GDPR; 5.1.d) GDPR; 5.1.c) RGPD and 14 of the RGPD. The analyzed assumption offers unusual profiles. Based on an initial violation of the RGPD, the violation of the principle of limitation of the purpose provided for in article 5.1.b) RGPD, the conducts in which the remaining infractions of the Regulations for which the entity is responsible are presented as a necessary consequence of the first, undoubtedly the most serious offense. Although the five infractions attributed to EQUIFAX are very serious infractions with according to the LOPDGDD and all of them are typified in article 83.5. of the GDPR, the The most serious offense committed is the violation of the principle of limitation of purpose to the extent that it has led, in this specific case, in light of the particular characteristics of the events analyzed, to which the claimed incur in the remaining four violations of the RGPD for which you are responsible. Taking into consideration the connection between the five infractions of the GDPR committed by EQUIFAX in relation to the FIJ and the extraordinary uniqueness of the case, in which the most serious offense, the violation of the principle of limitation of the purpose provided for in article 5.1.b), entails the commission of the remaining four infractions, this Agency considers that in the specific case that concerns us, taking into account its particularities, there is a medial contest between the infringement of article 5.1.b) RGPD, on the one hand, and infringements of articles 6.1, in relation to 5.1.a; 5.1.d), 5.1.c) and 14 of the RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 174 174/184 XII Of the sanctions and corrective measures imposed on the claimed 1. The powers that the RGPD attributes to the control authorities are detailed in the Article 58, paragraph 2 of which refers, in particular, to the so-called powers "Corrective". The precept establishes: “ Each supervisory authority shall have all the following corrective powers listed below: (...) f) impose a temporary or definitive limitation of the treatment, including its prohibition; g) order the rectification or deletion of personal data or the limitation of the treatment in accordance with articles 16, 17 and 18 and the notification of said measures to the recipients to whom personal data has been communicated in accordance with the article 17, paragraph 2, and article 19; (...) i) impose an administrative fine in accordance with article 83, in addition to or instead of the measures mentioned in this section, according to the circumstances of each case particular; (...) " 2. The respondent stated in her allegations to the initial agreement her total disagreement with the corrective measures and fines that appeared in the agreement to open the file indicating that the imposition of a sanction in the amount established in the aforementioned The agreement would imply that the company would exit the market “for the benefit of other competing companies that handle the same information ” . Draws attention to the fact that the AEPD has decided "to adopt the most serious measures provided for in the data protection regulations ”when the RGPD offers control authorities a wide range of corrective measures (Article 58) and that the Article 83 RGPD expressly provides, in the event of a regulatory breach, the possibility of not imposing an administrative fine and sanctioning with some other the corrective measures of article 58 RGPD. In his allegations to the motion for a resolution, he again affects the nature of disproportionate amount of the proposed administrative fines and requests that the following extenuating circumstances that reflect a qualified reduction of your guilt in the processing of your data in the FIJ: That it has been implementing, since the approval of the RGPD and the LOPDGDD, different measures aimed at further minimizing the impact of data processing carried out by the FIJ could produce in the private sphere of the interested parties. What has never received any sanction from this AEPD in relation to the treatment carried out carried out by the FIJ. That Equifax has repeatedly responded to any requirement or request for information related to the FIJ and the lack of negligence or culpability, as indicated in section 3 of this claim (article 83.2 b) of the GDPR). Circumstances to be rejected. 3. In the present case, it is deemed appropriate, considering the circumstances that concur, impose on the claimed the corrective measures described in the sections C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 175 175/184 f) and g) of article 58.2 RGPD. This, without prejudice to the administrative fines provided in letter i) of the precept, in accordance with the provisions of article 83.5 RGPD. As stated in Recital 129 of the RGPD, “ In particular, any measure must be adequate, necessary and proportionate in order to ensure compliance with the these Regulations, taking into account the circumstances of each specific case ... " Regarding the reasons that justify the adoption of these measures, we must point out that, As has been accredited in the resolution, EQUIFAX incorporates the FIJ file, to through which it pursues, primarily, a purpose linked to the evaluation of the solvency of natural persons, information with personal data of the managed that you get from notification announcements and event postings administrative that are the subject of publication in official gazettes and newspapers for fulfill a purpose related to the public interest. The purpose pursued by the FIJ is different and incompatible with the one that justifies the treatment carried out by the Public Administrations, so that any subsequent treatment of the data with the purpose pursued by the FIJ violates the RGPD. The data processing that the FIJ effect violates the principle of purpose limitation (article 5.1.b, RGPD). Starting hence, it incurs an infringement of the principle of legality (article 6.1 in relation to the 5.1.a). It is added to the foregoing that, the information contained in the FIJ to report on the solvency, the claimed does not have mechanisms to update and keep this information up-to-date or to undoubtedly identify the alleged debtors. To carry out this treatment, the FIJ violates other principles of the RGPD that is obliged to respect, such as the accuracy and minimization of data (articles 5.1.d, and 5.1.c) and, the person in charge of the treatment is not in conditions (for not having the information regarding the address of all the holders whose data are subject to treatment) to fulfill obligations that constitute a right essential of those affected to guarantee the transparency of the treatment (article 14 GDPR). These infringements of the RGPD respond to the IJF modus operandi and are not specific violations of current regulations related exclusively to the claimants of this file. The mechanics of the file's operation are incompatible with respect for the RGPD. These are the reasons that advise adopting the only measures that can guarantee compliance with the regulations governing the fundamental right that This Agency must protect and restore all natural persons who are suffering the Illicit treatment of your personal data through the FIJ in the full disposition of the fundamental right that the Constitution recognizes in article 18.4. Therefore, in accordance with article 58.2 RGPD, it is agreed to adopt the following corrective measures: (i) In accordance with its section f) definitively prohibit EQUIFAX from continue with the processing of personal data that you carry out through of the FIJ, given that the treatment is incompatible with the GDPR compliance. (ii) In accordance with its section g) order the person in charge of the FIJ to proceed to the deletion of all personal data that are subject to treatment C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 176 176/184 in the aforementioned file related to alleged debts, in accordance with the provided for in article 17.1.d) of the RGPD. The corrective measure consisting of definitively prohibiting EQUIFAX from following carrying out the data processing carried out through the FIJ is provided to the situation of non-compliance with current and necessary regulations. Also It is necessary to delete all the personal data of those affected because being the treatment carried out illicit only in this way can it be restored to people affected by that treatment in the enjoyment of their fundamental right. 4. Administrative fines. In order to determine the amount of administrative fines that should be imposed for each one of the infractions of the RGPD for which EQUIFAX is held responsible, You must comply with the provisions of articles 83.1 and 83.2 of the RGPD that establish, respectively: " Each control authority will guarantee that the imposition of administrative fines in accordance with this article for infringements of this Regulation indicated in sections 4, 9 and 6 are in each individual case effective, proportionate and dissuasive. " " Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute title for the measures contemplated in the Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the offense, taking into account the nature, scope or purpose of the processing operation in question, as well as such as the number of interested parties affected and the level of damages that have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the controller or processor to mitigate the damages suffered by the interested parties; d) the degree of responsibility of the person in charge or the person in charge of the treatment, taking into account the technical or organizational measures that have been applied by virtue of of articles 25 and 32; e) any previous infringement committed by the person in charge or the person in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority learned of the infringement, in particular if the person in charge or the person in charge notified the infraction and, in such case, in what measure; i) when the measures indicated in article 58, paragraph 2, have been ordered previously against the person in charge or the person in charge in relation to the same issue, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through the offense. " C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 177 177/184 In relation to section k) of article 83.2 of the RGPD, the LOPDGDD, article 76, " Sanctions and corrective measures ", provides: "2 . In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679 The following may also be taken into account: a) The continuing nature of the offense. b) The linking of the activity of the offender with the performance of treatment of personal information. c) The benefits obtained as a result of the commission of the offense. d) The possibility that the affected person's conduct could have induced the commission of the offense. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) Affecting the rights of minors. g) Have, when not mandatory, a data protection officer. h) The submission by the person in charge or in charge, on a voluntary basis, to alternative dispute resolution mechanisms, in those cases in which there are controversies between those and any interested party. " Violations of the RGPD for which EQUIFAX is responsible in this agreement start are typified in article 83.5., a precept that sets the maximum amount of the penalty to be imposed in 20,000,000 euros or, in the case of a company, a amount equivalent to a maximum of 4% of the total global annual turnover of the previous financial year, opting for the highest amount. " Determination of modifying circumstances of responsibility: 4.1. Violation of article 5.1.b) RGPD: The concurrence as aggravating factors of the following factors that reveal greater unlawfulness and / or culpability in the conduct of the respondent. 1.-The circumstance described in article 83.2.a) RGPD, which assesses the seriousness of the infringement taking into account the " scope or purpose" of the processing operation. We are not facing an isolated offending behavior or the result of a specific irregularity. It is a perfectly articulated modus operandi outside the law that Taking advantage of official publications containing personal data, it seeks obtain an economic benefit by providing a service to third parties related to the information on the solvency of those affected. The scope of this operation treatment transcends affected claimants and extends to all people whose data would have been included in official publications in the past or that may be included in the future. We are facing a structured business on the non-compliance with the regulations that guarantee the fundamental right recognized in the Article 18.4 of the EC On the other hand, the data of those affected are called to communicate to third parties, despite the fact that their treatment clearly violates the RGPD. The The extent of harm that may result from this treatment is unpredictable. 2.-The circumstance described in article 83.2.b) RGPD that values “ the intentionality or negligence of the infringement ”. The respondent has not been unaware that her conduct involves a violation of the GDPR. We are facing a very serious lack of diligence in EQUIFAX that, despite being aware at all times that its performance C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 178 178/184 violated a fundamental right of the affected people has maintained the data processing carried out through the FIJ. 3.- The circumstance described in article 83.2.a) RGPD regarding the number of stakeholders affected. The claims that have led to the opening of this disciplinary proceedings affect 96 people. However, the disproportionate number of people potentially affected by the performance of EQUIFAX that violates the RGPD, according to the information provided exceeds four million affected. 4.- The circumstance described in article 83.2.a) RGPD regarding damages suffered by those affected. It is valued for this purpose that, according to the established doctrine by the AN, Administrative Litigation Chamber, the inclusion of a person in a financial solvency file has obvious adverse consequences for affected. 5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the article 83.2.k) RGPD: The total and absolute link between business activity that EQUIFAX develops through the FIJ and the processing of personal data. 6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the article 83.2.k) RGPD. The benefits obtained as a result of the commission of the offense. In view of the circumstances that concur, it is estimated that the amount of the fine administrative authority that must be imposed for the violation of article 5.1.b) RGPD is a million euros (€ 1,000,000). Likewise, pursuant to article 58.2.f) of the RGPD, the prohibition that continue the processing of personal data that you carry out through the File of Judicial Claims and Public Organizations (FIJ) of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that are subject to treatment through the FIJ associated with alleged debts and that were obtained by the defendant from the publication of notification inserted in the Single Edictal Board of the Official State Gazette, of bulletins and official journals or the electronic headquarters of agencies and entities of Public Law 4.2. Violation of article 6.1, in relation to 5.1.a) RGPD: The concurrence, as aggravating factors, of the following factors that reveal a greater unlawfulness and / or culpability in the conduct of the defendant in the terms that are detailed for the violation of article 5.1.b) RGPD. 1.-The circumstance described in article 83.2.a) RGPD. 2.-The circumstance described in article 83.2.b) RGPD. 3.- The circumstance described in article 83.2.a) RGPD regarding the number of stakeholders affected. 4.- The circumstance described in article 83.2.a) RGPD regarding damages suffered by those affected. 5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the article 83.2.k) RGPD. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 179 179/184 6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the article 83.2.k) RGPD. The benefits obtained. In view of the circumstances that concur, carefully assessed, it is estimated that, unlike the provisions of the proposed resolution, the amount of the fine administrative procedure that should be imposed for the violation of article 6.1, in relation to the 5.1.a) RGPD is one million euros (€ 1,000,000). Likewise, pursuant to article 58.2.f) of the RGPD, the prohibition that continue the processing of personal data that you carry out through the File of Judicial Claims and Public Organizations (FIJ) of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that are subject to treatment through the FIJ associated with alleged debts and that were obtained by the defendant from the publication of notification inserted in the Single Edictal Board of the Official State Gazette, of bulletins and official journals or the electronic headquarters of agencies and entities of Public Law. 4.3. Violation of article 5.1.d) RGPD: The concurrence, as aggravating factors, of the following factors that reveal greater unlawfulness and / or culpability in the conduct of the respondent, all of them in the terms that are detailed for the violation of article 5.1.b) RGPD. 1.-The circumstance described in article 83.2.a) RGPD. 2.-The circumstance described in article 83.2.b) RGPD. 3.- The circumstance described in article 83.2.a) RGPD regarding the number of stakeholders affected. 4.- The circumstance described in article 83.2.a) RGPD regarding damages suffered by those affected. 5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the article 83.2.k) RGPD. 6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the article 83.2.k) RGPD. The benefits obtained. In view of the circumstances that concur, carefully assessed, it is estimated that, unlike the provisions of the proposed resolution, the amount of the fine administrative authority that must be imposed for the violation of article 5.1.d) RGPD is a million euros (€ 1,000,000). Likewise, pursuant to article 58.2.f) of the RGPD, the prohibition that continue the processing of personal data that you carry out through the File of Judicial Claims and Public Organizations (FIJ) of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that are subject to treatment through the FIJ associated with alleged debts and that were obtained by the defendant from the publication of notification inserted in the Single Edictal Board of the Official State Gazette, of bulletins and official journals or the electronic headquarters of agencies and entities of Public Law. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 180 180/184 4.4. Violation of article 5.1.c) RGPD The concurrence, as aggravating factors, of the following factors that reveal greater unlawfulness and / or culpability in the conduct of the respondent, all of them in the terms that are detailed for the violation of article 5.1.b) RGPD. 1.-The circumstance described in article 83.2.a) RGPD. 2.-The circumstance described in article 83.2.b) RGPD. 3.- The circumstance described in article 83.2.a) RGPD regarding the number of stakeholders affected. 4.- The circumstance described in article 83.2.a) RGPD regarding damages suffered by those affected. 5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the article 83.2.k) RGPD. 6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the article 83.2.k) RGPD. The benefits obtained. In view of the circumstances that concur, it is estimated that the amount of the fine administrative authority that must be imposed for the violation of article 5.1.c) RGPD is a million euros (€ 1,000,000). 4.5. Infringement of article 14 GDPR The concurrence, as aggravating factors, of the following factors that reveal greater unlawfulness and / or culpability in the conduct of the respondent, all of them in the terms that are detailed for the violation of article 5.1.b) RGPD. 1.-The circumstance described in article 83.2.a) RGPD. 2.-The circumstance described in article 83.2.b) RGPD. 3.- The circumstance described in article 83.2.a) RGPD regarding the number of stakeholders affected. 4.- The circumstance described in article 83.2.a) RGPD regarding damages suffered by those affected. 5.- The circumstance described in article 76.2.b) LOPDGDD in relation to the article 83.2.k) RGPD. 6.- The circumstance described in article 76.2.c) LOPDGDD in relation to the article 83.2.k) RGPD. The benefits obtained. In view of the circumstances that concur, it is estimated that the amount of the fine administrative procedure that should be imposed for the violation of article 14 RGPD is of a million euros (€ 1,000,000). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 181 181/184 Therefore, in accordance with the applicable legislation and assessed the criteria of graduation of sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency, RESOLVES: FIRST: IMPOSE EQUIFAX IBÉRICA, SL , with NIF B80855398 , for a infringement of Article 5.1.b) of the RGPD, typified in Article 83.5 of the RGPD, in media contest, in accordance with the provisions of article 29.5 of Law 40/2015, with the infractions of articles 6.1., in relation to article 5.1.a) RGPD; 5.1.d) GDPR; 5.1.c) RGPD and 14 of the RGPD, the following sanctions: Pursuant to article 58.2.i) of the RGPD, an administrative fine of one million euros (€ 1,000,000). Pursuant to article 58.2.f) of the RGPD, the prohibition to continue the treatment of the personal data that you carry out through the File of Judicial Claims and Public bodies (FIJ) of which it is the owner. In accordance with article 58.2.g) RGPD, to proceed to the deletion of all data personal that are subject to treatment through the FIJ associated with alleged debts and that were obtained by the defendant from the publication of notification inserted in the Single Edictal Board of the Official State Gazette, of bulletins and official journals or the electronic headquarters of agencies and entities of Public Law. SECOND: NOTIFY this resolution to EQUIFAX IBÉRICA, SL . THIRD: Warn the sanctioned person that the sanction imposed by a Once this resolution is enforceable, in accordance with the provisions of the art. 98.1.b) of Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter LPACAP), within the payment period voluntary established in art. 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of December 17, by means of their entry, indicating the NIF of the sanctioned person and the number of procedure that appears in the heading of this document, in the account restricted number ES00 0000 0000 0000 0000 0000 , opened in the name of the Agency Spanish for Data Protection in the banking entity CAIXABANK, SA. In case Otherwise, it will be collected in the executive period. Received the notification and once executive, if the date of execution is found Between the 1st and the 15th of each month, both inclusive, the deadline for making the payment volunteer will be until the 20th of the following or immediately subsequent business month, and if between the 16th and the last day of each month, both inclusive, the payment term it will be until the 5th of the second following or immediate business month. In accordance with the provisions of article 50 of the LOPDGDD, this Resolution will be made public once it has been notified to the interested parties. C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 182 182/184 Against this resolution, which ends the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the LPACAP, the Interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Agency for Data Protection within a month to counting from the day after the notification of this resolution or directly contentious-administrative appeal before the Contentious-Administrative Chamber of the National High Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative jurisdiction, within two months from the day following notification of this act, as provided in article 46.1 of the referred to Law. Finally, it is pointed out that in accordance with the provisions of art. 90.3 a) of the LPACAP, may provisionally suspend the final resolution through administrative channels if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through letter addressed to the Spanish Agency for Data Protection, presenting it through of the Electronic Registry of the Agency [https://sedeagpd.gob.es/sede-electronica- web /], or through any of the other records provided for in art. 16.4 of the cited Law 39/2015, of October 1. You must also transfer to the Agency the documentation that proves the effective filing of the contentious appeal- administrative. If the Agency is not aware of the filing of the appeal contentious-administrative within a period of two months from the day following the notification of this resolution would terminate the precautionary suspension. 938-131120 Mar Spain Martí Director of the Spanish Agency for Data Protection ANNEX I Claimants are identified by a number. This Annex provides the personal data - name, surname and NIF- of each claimant and the reference of the File opened by the AEPD to each one of the presented claims. Complainant 1: E / 104/2020, (…). Claimant 2: E / 59/2020, (…). Claimant 3: E / 36/2019, (…). Claimant 4: E / 727/2020, (…). Claimant 5: E / 728/2020, (…). Claimant 6: E / 736/2020 , (…) Represented by Inzertia Consultores Financieros, SL, CIF B87960472. Claimant 7: E / 743/2020, (…). Claimant 8: E / 745/2020, (…). Claimant 9: E / 954/2020 , (…) , Represented by Inzertia Consultores Financieros, SL Claimant 10: E / 957/2020 , (…) . Represented by Inzertia Consultores Financieros, SL C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 183 183/184 Claimant 11: E / 1206/2020, (…). Represented by Inzertia Consultores Financieros, SL Claimant 12: E / 1207/2020, (…). Represented by Inzertia Consultores Financieros, SL Claimant 13: E / 1209/2020, (…). Represented by Inzertia Consultores Financieros, SL Claimant 14: E / 1210/2020, (…). Represented by Inzertia Consultores Financieros, SL Claimant 15: E / 1211/2020. (…). Represented by Inzertia Consultores Financieros, SL Claimant 16: E / 1262/2020, (…). Represented by Inzertia Consultores Financieros, SL Claimant 17: E / 3321/2019, (…). Claimant 18: E / 3633/2019, (…). Claimant 19 : E / 3912/2019, (…). Claimant 20: E / 4367/2019, (…). Claimant 21: E / 2021/2020, (…) , represented by (…). Claimant 22: E / 2031/2020, (…). Claimant 23: E / 2035/2020, (…), represented by INZERTIA Consultores Financieros, SL Claimant 24: E / 2038/2020, (…), represented by Inzertia Consultores Financieros, SL Claimant 25: E / 04391/2019, (…). Claimant 26: E / 04392/2019, (…) Claimant 27: E / 04839/2019, (…). Claimant 28: E / 04967/2019, (…). Claimant 29: E / 04978/2019, (…). Claimant 30: E / 04992/2019, (…). Claimant 31: E / 05109/2019 , (…). Claimant 32: E / 05447/2019, (…) . Claimant 33: E / 05471/2019, (…) Claimant 34: E / 06161/2019, (…). Claimant 35: E / 06172/2019, (…) . Claimant 36: E / 06174/2019, (…) Claimant 37: E / 06186/2019, (…). Claimant 38: E / 06187/2019, (…) Complainant 39: E / 06848/2019, (…) . Claimant 40: E / 06852/2019, (…) Claimant 41: E / 06853/2019, (…) . Claimant 42: E / 07145/2019, (…) Complainant 43: E / 11624/2019, (…) . Claimant 44: E / 11629/2019, (…) . Claimant 45: E / 11638/2019, (…) . Claimant 46: E / 2047/2020, (…) . Represented by Inzertia Consultores Financieros, SL Claimant 47: E / 2048/2020, (…). Represented by Inzertia Consultores Financieros, SL Claimant 48: E / 2050/2020, (…). Claimant 49: E / 7159/2019, (…) . Claimant 50: E / 07162/2019. (…) C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es Page 184 184/184 Claimant 51: E / 07823/2019. (…) . Claimant 52: E / 07825/2019. (…). Complainant 53: E / 08006/2019. (…) Claimant 54: E / 08008/2019. (…). Claimant 55: E / 08668/2019. (…). Represented by (…) Claimant 56: E / 09912/2019. (…). Claimant 57: E / 10232/2019. (…). Claimant 58: E / 10236/2019 (…). Claimant 59: E / 10367/2019. (…) Claimant 60: E / 10997/2019 and E / 03977/2020. (…). Claimant 61: E / 11032/2019. (…) Claimant 62: E / 11619/2019. (…) Claimant 63: E / 11623/2019. (…) Claimant 64: E / 03261/2020. (…). Represented by INZERTIA. Claimant 65: E / 03262/2020. (…) Claimant 66: E / 03265/2020 (…). Represented by INZERTIA. Claimant 67: E / 03267/2020 (…) Claimant 68: E / 03257/2020. (…). Represented by INZERTIA. Claimant 69: E / 03269/2020. (…). Represented by INZERTIA. Claimant 70: E / 03272/2020. (…). Represented by INZERTIA. Claimant 71: E / 03274/2020. (…). Represented by INZERTIA. Claimant 72: E / 03279/2020 . (…). Complainant 73: E / 03283/2020. (…). Complainant 74: E / 03349/2020. (…) . Represented by INZERTIA. Claimant 75: E / 03550/2020. (…). Claimant 76: E / 03516/2020. (…). Claimant 77: E / 03517/2020. (…). Claimant 78: E / 03547/2020 . (…). Claimant 79: E / 03617/2020. (…) . Represented by INZERTIA. Complainant 80 E / 01366/2019. (…) Claimant 81: E / 03604/2020. (…) . Represented by INZERTIA. Complainant 82: E / 03610/2020. (…) . Represented by INZERTIA. Complainant 83: E / 03613/2020. (…). Represented by INZERTIA Complainant 84: E / 03618/2020. (…) . Claimant 85: E / 03649/2020. (…) . Claimant 86: E / 03729/2020. (…). Represented by (…). Claimant 87: E / 03888/2020. (…) Claimant 88: E / 03852/2020. (…). Complainant 89: E / 04760/2020. (…). Represented by (…) . Claimant 90: E / 05250/2020. (…) Claimant 91: E / 05048/2020. (…) Claimant 92: E / 05045/2020. (…). Complainant 93: E / 05254/2020. (…). Claimant 94: E / 04999/2020. (…). Claimant 95: E / 5454/2019. (…) Claimant 96: E / 5459/2019. (…). Claimant 97: E / 9910/2019. (…). C / Jorge Juan, 6 www.aepd.es 28001 - Madrid sedeagpd.gob.es