AEPD (Spain) - EXP202105363: Difference between revisions
mNo edit summary |
mNo edit summary |
||
(4 intermediate revisions by the same user not shown) | |||
Line 65: | Line 65: | ||
}} | }} | ||
The DPA | The DPA confirmed its previous fine of €70,000 on a bank, finding that it lacked a legal basis to process personal data that was stolen and that the controller was negligent in verifying the identity of the data subject for a credit application. | ||
== English Summary == | == English Summary == | ||
=== Facts === | === Facts === | ||
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card | On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her. | ||
Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to | Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd. | ||
On 14 December 2023, the AEPD issued a decision finding that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the processing began with the fraudulent contracting of the Ikea credit card | On 14 December 2023, the AEPD issued a decision finding that the controller violated [[Article 6 GDPR#1|Article 6(1) GDPR]] when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPDGDD] (Spain’s national implementation of the GDPR), which articulates a presumption of legal basis where data refers to debts which are certain, due and payable, because the debt in this case did not correspond to the data subject and thus did not meet these requirements. The AEPD also dismissed the applicability of [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] as a legal basis because the controller did not establish that its legitimate interests prevailed over the rights and interests of the data subject. Finally, the AEPD rejected the controller’s attempts to pass culpability onto KRUK and InvestCapital, noting that they acquired a debt portfolio from the controller and relied on the appearance of the accuracy of the assigned credits. Thus, their obtaining of the debt could not constitute a violation of [[Article 6 GDPR#1|Article 6(1) GDPR]]. | ||
On 14 November 2023, the controller filed an internal appeal with the AEPD. It restated the arguments it made in response to the initial complaint. It also raised arguments of non bis in idem and absence of guilt, claiming that at the time of the debt’s transfer it had no knowledge of the fraudulent use of the claimant’s data and thus could not bear responsibility for the theft. | On 14 November 2023, the controller filed an internal appeal with the AEPD. It restated the arguments it made in response to the initial complaint. It also raised arguments of non bis in idem and absence of guilt, claiming that at the time of the debt’s transfer it had no knowledge of the fraudulent use of the claimant’s data and thus could not bear responsibility for the theft. | ||
Line 81: | Line 81: | ||
The AEPD dismissed the appeal and upheld its finding of an Article 6(1) GDPR violation and €70,000 fine. | The AEPD dismissed the appeal and upheld its finding of an Article 6(1) GDPR violation and €70,000 fine. | ||
It reiterated that because the debt in this case did not correspond to the claimant, it was not certain, due or payable, meaning that the presumption of legality provided in Article 20 LOPGDGDD cannot apply in this case. Legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is also not a valid legal basis in this case, as there is no evidence that the controller considered the balance between its legitimate interests and the rights and interests of the data subject. | It reiterated that because the debt in this case did not correspond to the claimant, it was not certain, due or payable, meaning that the presumption of legality provided in [https://www.boe.es/buscar/act.php?id=BOE-A-2018-16673 Article 20 LOPGDGDD] cannot apply in this case. Legitimate interest under [[Article 6 GDPR#1f|Article 6(1)(f) GDPR]] is also not a valid legal basis in this case, as there is no evidence that the controller considered the balance between its legitimate interests and the rights and interests of the data subject. | ||
The AEPD | The AEPD emphasised that the data subject’s data continued to be processed without legal basis until its effective deletion. It rejected the controller’s arguments that it deleted the data as soon as it became aware of an alleged fraud or forgery, noting that in fact the data was removed from the controller’s systems as a result of the sale of the debt, not as a result of a deletion request. | ||
The AEPD rejected the controller’s argument that none could be sanctioned without fault, | The AEPD rejected the controller’s argument that none could be sanctioned without fault, finding that the controller was at fault in this case. It considered the controller negligent in failing to carry out an appropriate verification of the contracting data subject’s identity. Indeed, in this case, the majority of the information provided by the identity thief was false and not attributable to the data subject. The AEPD found that none of the measures adopted to verify accuracy of the information provided were aimed at verifying the data subject’s identity. Instead, the controller's focus was on ensuring the loan would go to an existing bank account – whosoever’s that may be. The AEPD clarified that this does not mean that a controller is responsible for preventing an illegal or criminal act such as identity theft from occurring. However, where it is a necessary diligence for the controller to comply with its obligations concerning protections of personal data, both with regard to the requirement of consent as well as the principle of truthfulness and accuracy of data, then a controller must implement measures aimed at verifying that the person the controller is contracting with is in fact the holder of the identity documentation provided. | ||
Finally, the AEPD reiterated that the fault in this case lay with the controller and not with any of the debt buyers because they purchased the data as an acquirer in ‘good faith’ and thus cannot be found to have violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. | Finally, the AEPD reiterated that the fault in this case lay with the controller and not with any of the debt buyers because they purchased the data as an acquirer in ‘good faith’ and thus cannot be found to have violated [[Article 6 GDPR#1|Article 6(1) GDPR]]. |
Latest revision as of 14:32, 15 May 2024
AEPD - EXP202105363 | |
---|---|
Authority: | AEPD (Spain) |
Jurisdiction: | Spain |
Relevant Law: | Article 6(1) GDPR Article 6(1)(f) GDPR Ley 39/2015, de 1 de octubre, del Procedimiento Administrativo Común de las Administraciones Públicas |
Type: | Other |
Outcome: | n/a |
Started: | 24.11.2021 |
Decided: | 06.05.2024 |
Published: | |
Fine: | 70,000 |
Parties: | Caixabank Payments & Consumer EFC, EP, S.A.U. |
National Case Number/Name: | EXP202105363 |
European Case Law Identifier: | n/a |
Appeal: | Appealed - Confirmed |
Original Language(s): | Spanish |
Original Source: | AEPD (in ES) |
Initial Contributor: | lm |
The DPA confirmed its previous fine of €70,000 on a bank, finding that it lacked a legal basis to process personal data that was stolen and that the controller was negligent in verifying the identity of the data subject for a credit application.
English Summary
Facts
On 24 November 2021, a data subject filed a complaint with the Spanish DPA (AEPD) after she attempted to obtain a loan from Caixabank Payments & Consumer EFC, EP, S.A.U. (the controller) but was denied because credit reporters noted a debt related to an application for an Ikea credit card, which is credited by the controller. However, the data subject was a victim of identity theft -- she did not contract for an Ikea credit card and the contract supposedly executed for the card in fact contained personal data (phone number, email address, home address, bank account, business name and signature) that did not correspond to her.
Ikea Ibérica, S.A. provides documentation for applying for credit at the request of its customers. The contract and processing of the data is instructed by the controller, which acts as the creditor and ultimately processes the data subject’s personal data. The Ikea credit card at issue in this case was activated by an Ikea vendor on 13 January 2020. By June of 2020, the debt on the card amounted to €690.25. The debt was recorded with ASNEF, a credit default reporter. The debt was then discharged by the controller and sold to Kruk España S.L. as part of a debt portfolio, who later sold it to InvestCapital, Ltd.
On 14 December 2023, the AEPD issued a decision finding that the controller violated Article 6(1) GDPR when it processed the data subject’s personal data without any legal basis and issued a fine of €70,000. It noted that the controller's processing began with the fraudulent contracting of the Ikea credit card which it assigned to the data subject, continued with the transfer of the data subject’s personal data to ASNEF as part of a credit report for a debt that did not correspond to her, and ended with the sale of the debt to Kruk. The AEPD rejected the applicability of Article 20 LOPDGDD (Spain’s national implementation of the GDPR), which articulates a presumption of legal basis where data refers to debts which are certain, due and payable, because the debt in this case did not correspond to the data subject and thus did not meet these requirements. The AEPD also dismissed the applicability of Article 6(1)(f) GDPR as a legal basis because the controller did not establish that its legitimate interests prevailed over the rights and interests of the data subject. Finally, the AEPD rejected the controller’s attempts to pass culpability onto KRUK and InvestCapital, noting that they acquired a debt portfolio from the controller and relied on the appearance of the accuracy of the assigned credits. Thus, their obtaining of the debt could not constitute a violation of Article 6(1) GDPR.
On 14 November 2023, the controller filed an internal appeal with the AEPD. It restated the arguments it made in response to the initial complaint. It also raised arguments of non bis in idem and absence of guilt, claiming that at the time of the debt’s transfer it had no knowledge of the fraudulent use of the claimant’s data and thus could not bear responsibility for the theft.
Holding
The AEPD dismissed the appeal and upheld its finding of an Article 6(1) GDPR violation and €70,000 fine.
It reiterated that because the debt in this case did not correspond to the claimant, it was not certain, due or payable, meaning that the presumption of legality provided in Article 20 LOPGDGDD cannot apply in this case. Legitimate interest under Article 6(1)(f) GDPR is also not a valid legal basis in this case, as there is no evidence that the controller considered the balance between its legitimate interests and the rights and interests of the data subject.
The AEPD emphasised that the data subject’s data continued to be processed without legal basis until its effective deletion. It rejected the controller’s arguments that it deleted the data as soon as it became aware of an alleged fraud or forgery, noting that in fact the data was removed from the controller’s systems as a result of the sale of the debt, not as a result of a deletion request.
The AEPD rejected the controller’s argument that none could be sanctioned without fault, finding that the controller was at fault in this case. It considered the controller negligent in failing to carry out an appropriate verification of the contracting data subject’s identity. Indeed, in this case, the majority of the information provided by the identity thief was false and not attributable to the data subject. The AEPD found that none of the measures adopted to verify accuracy of the information provided were aimed at verifying the data subject’s identity. Instead, the controller's focus was on ensuring the loan would go to an existing bank account – whosoever’s that may be. The AEPD clarified that this does not mean that a controller is responsible for preventing an illegal or criminal act such as identity theft from occurring. However, where it is a necessary diligence for the controller to comply with its obligations concerning protections of personal data, both with regard to the requirement of consent as well as the principle of truthfulness and accuracy of data, then a controller must implement measures aimed at verifying that the person the controller is contracting with is in fact the holder of the identity documentation provided.
Finally, the AEPD reiterated that the fault in this case lay with the controller and not with any of the debt buyers because they purchased the data as an acquirer in ‘good faith’ and thus cannot be found to have violated Article 6(1) GDPR.
Comment
Share your comments here!
Further Resources
Share blogs or news articles here!
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
1/31 File no.: EXP202105363 RESOLUTION OF REPLACEMENT APPEAL Examined the appeal for reconsideration filed by CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. (hereinafter referred to as the appellant) against the resolution dictated by the Director of the Spanish Data Protection Agency dated 11/13/2023, and based on the following FACTS FIRST: On 11/13/2023, a resolution was issued by the Director of the Agency Spanish Data Protection in file EXP202105363, by virtue of the which was imposed on CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U., for (…) violation of article 6.1 of the RGPD, typified in article 83.5.a) of the RGPD, a penalty of 70,000 euros (seventy thousand euros). Said resolution, which was notified to the appellant on 11/14/2023, was dictated prior to the processing of the corresponding sanctioning procedure, in accordance with the provisions of Organic Law 3/2018, of December 5, of Protection of Personal Data and guarantee of digital rights (LOPDGDD), and additionally in Law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations (hereinafter, LPACAP), in matters of processing of sanctioning procedures. SECOND: As proven facts of the aforementioned sanctioning procedure, PS/00603/2022, the following were recorded: FIRST. On 11/24/2021, the claimant's letter was entered into the AEPD. expressing his surprise when when he goes to apply for a loan he is denied because Your personal data appears in common credit information systems Asnef and Badexcug, at the request of the defendant, as a consequence of a debt related to an Ikea credit card linked to the claimed entity. SECOND. A copy of the claimant's DNI is provided. THIRD. Ikea credit application-contract number ***NUMBER.1, of 01/13/2020, subscribed through the establishment lkea Iberica, S.A., ***ADDRESS.1; The personal data of the claimant appears: name and surname, address, DNI number, date of birth, sex, marital status; data is also included professionals. The signature that appears does not match that of the claimant. ROOM. The complaint made by the claimant before the Command of the Civil Guard in Pinto (Madrid), extension of the one carried out in Puente de Vallecas before the Commissioner of the National Police motivated by the facts claimed and in which The defendants also state that the Ikea card contract, the mobile number, email account, address, bank account number, name of The company and the signature that appears in the aforementioned contract do not correspond to it. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 2/31 FIFTH. There is evidence provided by the claimed “detail of the file that was sent to ASNEF, on June 29, 2020” that “The next day, he was discharged effective in ASNEF; Therefore, the discharge took place on June 30, 2020. The claimant's data was included in the weekly files that were sent to ASNEF until August 8, 2020.” SIXTH. A copy of the payment requirements, dates 06/13/2020 and 06/21/2020, which were sent to the claimant by the claimant in relation to the existing debt, as a prior step to the inclusion of your personal data in the ASNEF file. SEVENTH. The respondent in writing dated 12/31/2021 has stated that “Therefore, As stated previously, CaixaBank Payments & Consumer, as soon as he became aware of alleged fraud/forgery in the procurement, proceeded to delete/block the personal data of the interested party, proceeding, likewise, to immediately cancel it in the security systems. credit information”. However, the respondent in writing dated 06/14/2022 has indicated that “The previous statement was erroneous since the data of the affected party and claimant, referring to the credit contract with Ikea Visa card mentioned above, had been given deregistration from credit information systems on August 11, 2021, as consequence of the aforementioned purchase and sale contract and assignment of credits dated July 29, 2021.” EIGHTH. It is clear that CaixaBank Payments & Consumer and the company InvestCapital Ltd. (assignee), formalized the contract by elevating it to a public deed granted before the notary of Madrid Don A.A.A., on 09/16/2021 the assignment of certain credits between in which the debt derived from the credit agreement with the Ikea Visa card of date 01/13/2020. NINETH. On 02/08/2022, the claimant sent an email to the CPC Customer Service, subject: identity theft and in which it stated: “I am contacting you because a few months ago I had a problem with your identity for a debt that you claimed in my name, this being a a demonstrable identity theft. Someone applied for an IKEA credit card using my name and ID, the contract request number is ***NUMBER.1, with That card withdrew money and that debt was claimed from me. After this event I put a complaint for identity theft and a claim to the AEPD. After several procedures, in the end my name was removed from the list of Equifax defaulters. Today another debt collection company has tried to contact with me and demanding said payment for a card, which I repeat, I did not request and They acquired it with my name and ID. This company is called KRUK ESPAÑA S.L.U and already Not only is he asking me for a fee that does not correspond to me, but even so harasses people around me to request my information when that is not allowed. The reference number is (...). Please, I request that my identity be removed from KRUK ESPAÑA so stop claim a debt that does not belong to me, and if my identity belongs to anyone other collection company I also request that it be removed, since this matter is bothering me causing many personal and work injuries. Below, I attach the complaint and the claim made at the time." On 2/10/2022, the claimant sent the defendant's Customer Service e-mail email, Subject: [EXTERNAL] REQUEST FOR PROOF OF DEBT (URGENT), indicating: C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 3/31 “Due to previous identity theft issues regarding the request for a credit card without my consent or permission, Caixabank Payment&Consumer He claimed a debt from me that today has already been resolved and eliminated. Therefore, I I would like to have a letter from Caixabank Payment&Consumer where Please note that my person, B.B.B. with DNI ***NIF.1 does not have any unpaid debt or pending with you. I attach my ID below.” Which caused a series of cross emails sent from the account: ***EMAIL.1 for ***EMAIL.2 Subject: REQUEST FOR PROOF OF DEBT (URGENT): Re: RV: [EXTERNAL] IDENTITY FRAUD In the penultimate of which, dated 05/17/2022, the following appears: (…) Please, we need to respond to the complaint that was communicated to you ago. a few days from the Wallet Sales mailbox. Could you tell us if you have carried out any action regarding this file? to be coordinated? We would need a response between today and tomorrow to be able to respond within the deadline. (…)” And on that same date the response email appears: From: ***EMAIL.3 Sent on: Tuesday, May 17, 2022 12:11 For: (…) CC: (…) Subject: RE: [External Mail] RE: Rv: REQUEST FOR PROOF OF DEBT (URGENT): Re: RV: [EXTERNAL] IDENTITY PHYSING “(…) As I conveyed to you this morning, the actions that have taken place in relation to The file (…), Ms. B.B.B., proceeds as follows: • On February 3 and 8, 2022, the client contacted us by email requesting that it be removed from the delinquency file and informing that the present debt is due to identity theft and that he has gone to file a complaint with the commissioner and the AEPD. On those dates we proceeded to give you a response requesting send us the fraud report to be able to paralyze the recovery actions. • On March 16, 2022, you provided us with the client's email address at where you request documentation and information about the case, attaching a fraud report. We responded to the client on 03/09/2022 with said information and documentation of the case and we indicate that the recovery actions are paralyzed, to the Waiting for the court ruling to confirm the fact that you have suffered fraud. • Therefore, as of today, the file is paralyzed due to alleged fraud. awaiting sentencing. • Finally, on 04/28/2022 we received a burofax with a claim from the AEPD, which we have notified our DPO so that he can manage it. (…)” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 4/31 TENTH. The graphological image of the signature of the applicant for the Ikea card that does not match the complainant's signature. ELEVENTH. Ikea in writing dated 01/07/2021 stated that “…the functions of IKEA and IKEA staff are limited to the fulfillment of the function of assistant to “CAIXABANK P&C” for the administrative processing of documentation regarding applications for financing” (…) For these purposes, and as can be seen in the documentation on file file, specifically in the aforementioned, application-credit contract, the entity responsible for contracting the credit and, where applicable, the entity responsible for the processing of personal data of clients who request financing is CAIXABANK P&C. In this sense, we must point out that there is a framework collaboration agreement between CAIXABANK and IKEA held on December 16, 2020 by which: IKEA will process the personal data to which it has access as Processor. Treatment only in accordance with the instructions of CAIXABANK PAYMENTS & CONSUMER. These instructions include the following tasks: • Assistance in the administrative processing of documentation related to the applications for financing and subscription to insurance offered by CAIXABANK PAYMENTS & CONSUMER consisting of: • The delivery of the pre-contractual information required by credit regulations to the consumption • The management of the paper documentation necessary for the formalization of the financing request and its digitalization for sending to the Responsible for the treatment through this equipment.” (…)“ TWELFTH. CGI in relation to the CPC SHIPPING CERTIFICATE matter, has stated in writing dated 03/01/2023: That the letter dated 06/21/2020, a copy of which is attached, was generated with the information provided by the claimed party..., for printing (File: (...); Envelope: XXXX) and subsequent making available to the postal distributor who was in charge of its shipping to address: ***ADDRESS.2 Once the established process has been carried out and since it has been made available in CORREOS, it is clear that there has been no incident and no refund of any said letter to date.” THIRTEENTH. In the computer systems of the defendant there are registered the claimant's data: name and surname, address, DNI number, mobile number, address email, bank account number, date of birth, length of service company, monthly income (figure without payroll), etc. FOURTEENTH. In relation to the account provided by the contracting party ING BANK NV SUCURSAL IN SPAIN in writing dated 07/23/2023 has indicated that “The account ***ACCOUNTA.1 was hired over the telephone by Mrs. C.C.C. on date 06 September 2018. ING sent a courier to your postal address to verify the identity of the owner and to deliver the “Welcome Pack” that contained the Conditions particular contracts for the opening of the aforementioned Payroll account, as as shown in the following screenshot (…) The ratification of the contract was received by ING on September 20, 2018. The Particular Conditions of hiring of a Payroll Account and the delivery note are attached…” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 5/31 FIFTEENTH. In relation to the address provided by the contracting party, the Madrid City Council, Cartography Department, Street Map Technical Unit, In writing dated 08/07/2023, he stated that “Currently there are no roads in the municipal street map of the city of Madrid with the name of Street (...) and therefore nor is number 75 on this road.” SIXTEENTH. The respondent in writing dated 03/14/2023 has confirmed the impersonation of the claimant stating that “only the use of a system created with the intention of defrauding the Entity, prevented it from detecting the falsification of the documentation delivered by the credit applicant, who, in his or her case, supplanted the personality of today's claimant, causing the events that motivated, at the time, the claim presented by it before that Agency and the opening of these proceedings.” THIRD: The appellant has presented on 12/14/2023, in this Agency Spanish Data Protection, appeal for reconsideration substantiating it, basically, in the allegations made during the procedure and, furthermore, their disagreement with the resolution issued since the debt that accessed the file was certain due and due for non-payment, being required for payment; that when assigned the debt, there was no knowledge of the fraudulent use of the data of the claimant by third party and that responsibility cannot be placed on the claimed identity theft; violation of the non bis in idem principle and the absence of guilt of the defendant. FOUNDATIONS OF LAW Yo The Director of the Agency is competent to resolve this appeal. Spanish Data Protection, in accordance with the provisions of article 123 of Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter LPACAP) and article 48.1 of the Law Organic 3/2018, of December 5, Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD). II In relation to the statements made by the appellant, basically reiterating the allegations already presented throughout the sanctioning procedure, it should be noted that all of them have already been analyzed and rejected in the Fundamentals of Law II to VII, of the appealed Resolution, as as transcribed below: “II The reported facts materialize in the inclusion of the data of personal character of the claimant in common credit information systems instances of the defendant, in relation to a debt related to the request for a IKEA credit card linked to the defendant, which the claimant states does not have subscribed, as well as the assignment of the debt to the company InvestCapital Ltd., who In turn, I include the data in delinquency files. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 6/31 The RGPD in its article 5 establishes the principles that must govern the processing of personal data, and in section 1 it states that: "1. The personal data will be: a) treated in a lawful, loyal and transparent manner with the interested party (<<legality, loyalty and transparency>>). (…)” And in section 2, it establishes that: "2. The person responsible for the treatment will be responsible for compliance with the provided in section 1 and capable of demonstrating it (<<proactive responsibility>>).” On the other hand, article 6, Lawfulness of processing, of the RGPD in section 1, states that: "1. Treatment will only be legal if at least one of the following is met conditions: a) the interested party gave his consent for the processing of his data personal for one or more specific purposes; b) the processing is necessary for the performance of a contract in which the interested party is part or for the application at his request of measures pre-contractual; c) the processing is necessary for compliance with a legal obligation applicable to the data controller; d) the processing is necessary to protect the vital interests of the interested party or from another natural person; e) the processing is necessary for the fulfillment of a mission carried out in public interest or in the exercise of public powers conferred on the person responsible of the treatment; f) the processing is necessary for the satisfaction of legitimate interests pursued by the person responsible for the treatment or by a third party, provided that The interests or rights and freedoms do not prevail over said interests. fundamentals of the interested party that require the protection of personal data, particularly when the interested party is a child. The provisions of letter f) of the first paragraph will not apply to the processing carried out by public authorities in the exercise of their functions. On the other hand, article 4 of the RGPD, Definitions, in sections 1, 2 and 11, notes that: “1) “personal data”: any information about an identified natural person or identifiable ("the interested party"); Any identifiable natural person will be considered person whose identity can be determined, directly or indirectly, in particular by means of an identifier, such as a name, an identification number, location data, an online identifier or one or more elements of the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 7/31 physical, physiological, genetic, mental, economic, cultural or social identity of said person; “2) “treatment”: any operation or set of operations performed on personal data or sets of personal data, whether by procedures automated or not, such as the collection, registration, organization, structuring, conservation, adaptation or modification, extraction, consultation, use, communication by transmission, broadcast or any other form of enabling access, collation or interconnection, limitation, deletion or destruction; “11) “consent of the interested party”: any manifestation of free will, specific, informed and unequivocal by which the interested party accepts, either through a statement or a clear affirmative action, the processing of personal data that concern him.” And article 20 of the LOPDGDD, Credit information systems, establishes that: "1. Unless proven otherwise, data processing will be presumed lawful. personal data relating to non-compliance with monetary, financial or legal obligations. credit through common credit information systems when the following requirements: a) That the data have been provided by the creditor or by someone acting on their behalf. account or interest. b) That the data refer to certain debts, due and payable, whose existence or amount had not been the subject of an administrative claim or judicial by the debtor or through an alternative dispute resolution procedure binding disputes between the parties. c) That the creditor has informed the affected party in the contract or at the time to require payment regarding the possibility of inclusion in said systems, with indication of those in which it participates. The entity that maintains the credit information system with data relating to non-compliance with monetary, financial or credit obligations must notify the affected party of the inclusion of such data and inform them about the possibility of exercising the rights established in articles 15 to 22 of the Regulation (EU) 2016/679 within thirty days following the notification of the debt to the system, the data remaining blocked during that period. d) That the data is only kept in the system as long as the data persists. non-compliance, with a maximum limit of five years from the date of expiration of the monetary, financial or credit obligation. e) That the data referring to a specific debtor can only be consulted when whoever consults the system maintains a relationship contractual with the affected party that involves the payment of a pecuniary amount or he would have requested the execution of a contract that entails financing, deferred payment or periodic billing, as happens, among others assumptions, in those provided for in the legislation of consumer credit contracts and real estate credit contracts. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid Seeagpd.gob.es 8/31 When the right to limit the amount of money has been exercised before the system processing of the data challenging its accuracy in accordance with the provisions of the article 18.1.a) of Regulation (EU) 2016/679, the system will inform those who could consult it in accordance with the previous paragraph about the mere existence of said circumstance, without providing specific data regarding those in which the right had been exercised, while the request is resolved of the affected person. f) That, in the event that the request to conclude the contract is denied, or this will not be held, as a consequence of the consultation carried out, whoever consulted the system informs the affected person of the result of said consultation. 2. The entities that maintain the system and the creditors, with respect to the processing of data referring to their debtors, will have the status of co-responsible for the processing of the data, the provisions established by Article 26 of Regulation (EU) 2016/679. It will be up to the creditor to guarantee that the required requirements are met. for inclusion in the debt system, responding for its non-existence or inaccuracy. 3. The presumption referred to in section 1 of this article does not cover the cases in which the credit information was associated by the entity that maintain the system with information additional to that contemplated in said section, related to the debtor and obtained from other sources, in order to carry out outlining it, in particular through the application of techniques of credit rating”. III Article 58 of the GDPR, Powers, states: "2. Each supervisory authority will have all of the following powers corrective measures indicated below: (…) d) order the person responsible or in charge of the treatment that the operations of treatment comply with the provisions of this Regulation, when appropriate, in a certain manner and within a specified period; (…) i) impose an administrative fine in accordance with Article 83, in addition to or in instead of the measures mentioned in this section, according to the circumstances of each particular case; (…)” IV The infraction attributed to the person complained of is classified in the article 83.5 a) of the GDPR, which considers that the violation of “the basic principles for the treatment, including the conditions for consent under the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/31 articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article 83 of the aforementioned Regulation, “with administrative fines of €20,000,000 as maximum or, in the case of a company, an amount equivalent to 4% as maximum of the total global annual turnover of the previous financial year, opting for the highest amount.” The LOPDGDD in its article 71, Infractions, states that: “They constitute infractions the acts and conduct referred to in sections 4, 5 and 6 of the article 83 of Regulation (EU) 2016/679, as well as those that are contrary to the present organic law.” And in its article 72, it considers for the purposes of prescription, which are: “Infringements considered very serious: 1. Based on what is established in article 83.5 of the Regulation (EU) 2016/679 are considered very serious and will prescribe after three years the infractions that involve a substantial violation of the articles mentioned therein and, in in particular, the following: (…) b) The processing of personal data without any of the conditions of legality of the treatment established in article 6 of the Regulation (EU) 2016/679. (…) V 1. It should be noted that data processing requires the existence of a legal basis that legitimizes it. In accordance with article 6.1 of the GDPR, in addition to consent, There are other possible bases that legitimize the processing of data without the need for have the authorization of its owner, in particular, when necessary for the execution of a contract to which the affected party is a party or for the application, at the request of this, pre-contractual measures, or when necessary for the satisfaction of legitimate interests pursued by the data controller or by a third party, provided that the interests or rights do not prevail over said interests and fundamental freedoms of the affected party that require the protection of such data. He Treatment is also considered lawful when it is necessary for the fulfillment of a legal obligation applicable to the data controller, to protect interests vital of the affected person or of another natural person or for the fulfillment of a mission carried out in the public interest or in the exercise of public powers conferred on the responsible for the treatment. In the present case, the defendant is accused of violating article 6.1 of the RGPD when the illegality of the treatment carried out is evident without stating accredited none of the bases of legitimation provided for in the aforementioned article in in relation to the processing related to the claimant's data. 2. The defendant carried out the processing of the claimant's data without any legitimation since the guarantees provided for in article 20 of C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/31 the LOPDGDD, given that the debt was not certain, due or payable, a debt that was not corresponded to the claimant as it arose from a fraudulent contract. Opinion 757/2017 of the Council of State, issued in the relative file to the draft Organic Law on the Protection of Personal Data, provides as to the legality of a weighing of legitimate interest made in a normative text the following: “Without prejudice to what has just been observed, given the undoubted convenience to guarantee the maximum degree of legal security possible by offering the operators certain guidelines in their actions, without prejudice to respecting the applicability directly from the European Regulation and, in any case, with the aim of ensuring its effect useful, the Council of State wishes to point out, as an alternative solution, the possibility of introduce by legislative means, in specific cases, simple iuris tantum presumptions favorable to the prevalence of the legitimate interest of the data controller when certain requirements or conditions are met. This solution could be in accordance with the flexibility in the weighting of interests and the principle of proactive responsibility of the data controller which, as indicated, pursues the new community regulation. Likewise, the forecast of simple presumptions unless proven otherwise would have a place in jurisprudence analyzed, which prohibits establishing in a national standard the result of the aforementioned weighing "definitively (...), without allowing a different result", obstacle which the alternative solution proposed here would allow, in principle, to be avoided.” Following this provision, the LOPDGDD introduces a presumption «iuris tantum" of prevalence of the legitimate interest of the data controller in some certain assumptions, among them, that relating to the processing of data in systems of credit information. Thus, when the guarantees that art. 20 of the LOPDGDD provides, the treatment may be presumed lawful under the article 6.1.f) of the RGPD, without prejudice to the fact that legitimacy must be assessed case by case and without prejudice to the fact that the person responsible can carry out the legally required weighing when the aforementioned guarantees are not met, as the preamble of the law clarifies when collect: “Title IV includes “Provisions applicable to treatments specific conditions", incorporating a series of assumptions that in no case should be considered exhaustive of all lawful treatments. Within them there is appreciate, first of all, those with respect to which the legislator establishes a “iuris tantum” presumption of prevalence of the legitimate interest of the person responsible when are carried out with a series of requirements, which does not exclude the legality of this type of treatments when the conditions provided for in the text, although in this case the person responsible must carry out the weighting legally enforceable, as the prevalence of its legitimate interest is not presumed.” Among the aforementioned guarantees, article 20 of the LOPDGG contemplates the consisting of “the data refer to certain debts, due and payable, whose existence or amount had not been the subject of an administrative or judicial claim by the debtor or through an alternative dispute resolution procedure binding between the parties” (art. 20.1.b) RGPD). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 11/31 And as has been stated, in this case, the debt did not correspond to the claimant, so it was not true, nor expired nor enforceable as it turned out to be non-existent, therefore that the presumption of legality provided for in the aforementioned article 20 cannot be applicable, The claimed party must carry out its own weighing as the weighing done legally. However, in this case it is not clear that the party claimed has made such a weighting and consequently that its interests legitimate interests prevail over the interests, rights and freedoms of the party claimed. Thus, in this case, on 12/16/2020, the defendant and IKEA formalized Collaboration agreement under which “IKEA will process personal data to the who has access as Data Processor only in accordance with the instructions of the defendant.” The necessary documentation is listed on the Ikea website. present to apply for the Ikea Visa card: identification document, a receipt original bank account with the name of the owner, account number for the direct debit and original proof of income. The person responsible for contracting the credit and processing the data personal data of the clients requesting financing is the one claimed, in the established procedure for the formalization of a credit contract to obtain the Ikea card, the Ikea employee/seller uses an application installed on the digital tablet that is connected to the defendant's computer systems; this In this way, the data obtained is immediately sent to the systems computer data of the claimed party for verification, analysis and processing before said commercial, Ikea not retaining in compliance with the agreement signed any documentation in this regard or any personal data. Well, the signature that appears on the DNI and the one that appears on the contract provided do not match; Furthermore, the defendant has a series of socioeconomic data that does not It is known that they will be provided to you during the contract; As stated in the report of actions “The defendant has not provided documentation that proves the previous socioeconomic information contained in their systems.” Among that documentation The account number in which the payments were direct debited appears; according to the FAQs (Frequently Asked Questions) financing: What requirements exist to request my Card? You just have to present: An identification document such as a DNI or passport An original bank receipt with your name and account number for the domiciliation. Original proof of income: • Last payroll • Self-employed workers, managers and administrators: last personal income tax or quarter • Pensioners: pension revaluation sheet If you are a CaixaBank customer, you only need your DNI/NIE and your credit card or debit to process your request. However, said documentation that the applicant must provide neither appears nor appears to the one claimed, that is, it was not provided since we must not forget that the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 12/31 claimant was not the owner of the bank account according to the facts tested. The Ikea salesperson, having the applicant physically present in the commercial establishment must proceed to identify the client through their identification document. Subsequently, having the client in front of him, he takes a photograph of his identity document with the digitizing tablet and requests personal data additional, socioeconomic data (employment status, monthly income, pay, position, Profession, company, etc.) and enter the information into the system. Finally, the application has a signing process through the tablet digitizing machine and the data obtained are immediately sent to the systems computer data of the claimed party for verification, analysis and processing before said trade. Well, as the claimant states both in her claim before the AEPD as in its complaint before the Civil Guard Command in Pinto (Madrid), extension of the one carried out in Puente de Vallecas before the Commissioner of the National Police, was never in the aforementioned shopping center so it could never sign the Ikea card contract and not provide the data contained therein; such This is how the mobile number, email account, address, telephone number bank account, company and signature that appear in the aforementioned contract do not correspond to you. From the above, the negligent action of the defendant who did not proceed to carry out the appropriate verifications or verify that the necessary documentation for the recruitment had been sent by the IKEA establishment. In relation to the account number provided, ING BANK NV SUCURSAL EN SPAIN, in writing dated 07/23/2023, has indicated that the aforementioned account was contracted telephoned by a person who is not the claimant on 09/06/2018. And in relation to the signature stamped on the contract, it does not correspond to the signature of the claimant. In this regard, the T.S. in ruling of 12/13/2021, No. 1,456/2021 and in regarding the contracting of a microcredit and the diligence displayed, he pointed out in its Second Reason “Regarding the first question (lack of diligence in the action) in the appeal the allegations that the then plaintiff made in the trial process, in the sense that Dineo Crédito, S.L. adopted all necessary and appropriate measures, from the point of view of the protection of personal data, to process the microcredit application (registration in the platform; DNI validation: with double-factor verification of 2 algorithms that guarantee both the veracity of the number and letter of the document and that the applicant has in his possession the DNI, original or copy; validation of the number of mobile phone via a PIN code, bank details validation and validation of the credit/debit card provided by the applicant); and despite the adoption of such measures, the crime of identity theft, fraud could have been committed and/or improper use of a true document. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 13/31 Well, we have seen that the fourth legal basis of the ruling instance gives a complete response to such allegations. He points there to the Hall of the National Court that is analyzed in detail in the sanctioning resolution the identity verification mechanism of the credit applicant that Dineo Crédito, S.L. had established and its insufficiency is evident. Thus, with the so-called "registration on the platform", a procedure in which certain information is collected from the client data (including ID number, two telephone numbers and email) it is only demonstrated that from that moment on there has been data processing personal, but it is unknown whether the data provided by the client and collected by Money, they belong to the person who provides them as their own or to a third party. Refering to phase that the appellant calls "DNI validation" (an algorithm that allows determine whether or not the DNI provided by the client corresponds to a real DNI or valid), such a measure only demonstrates that it is a document number that it exists and that "someone" is the owner of that DNI. For its part, the so-called "validation of the mobile number", which consists of sending to the contracting party's mobile terminal a four-digit key or pin that the customer must subsequently enter into the form that you access from the Dineo website, only certifies that Whoever intends to contract with Dineo has access to that mobile number, but nothing says about the identity of the contracting party. The phase of the loan contracting procedure called "validation of bank details", which consists of verifying whether the bank account "is real" and is effectively associated with a bank account, is also irrelevant from the point of view of respect for the obligations imposed by the regulations of data protection, as it only ensures the good outcome of the loan, that is, that the amount borrowed will be directed to an open and active account, but it contributes nothing in terms of that the owner of that account is precisely the person who appears on the DNI used. And finally, the phase called validation of the "credit card", consisting of a cent being loaded into it that automatically turns out to be reinstated, there is no evidence that in the case at hand it was carried out, as no in the appellant's computer records. In short, none of the measures adopted by the appellant are intended to prove that the person requesting the microcredit matches the owner of the DNI provided. And, in effect, it continues explaining the appealed sentence, the evidence practiced in the administrative process came to show that, with respect to the telephone line provided when the credit was requested, nor the name, surname and NIF of the owner of the line coincide with the personal data of the complainant (owner of the DNI); and in relation to the bank account that appears in Dineo's records, to the that the amount of the micro loan would have been transferred, the data of the owner of the account on the date of contracting the credit do not match the data personal details of the complainant. Not even the owner of the mobile phone and the owner of the bank account they are the same person. These assessments of the trial court regarding the insufficiency of the measures adopted in the online contracting procedure, and, ultimately, on lack of diligence in the action by the appellant, in no way have they been distorted in cassation, where the representation of Dineo Crédito, S.L. has reiterated the statements he made in the trial process but nothing has contributed that serve to refute the conclusions of the sentencing Chamber. In short, we share the opinion of the National Court Chamber regarding the insufficiency of the measures applied by the appellant in the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 14/31 hiring. To the considerations set forth in the appealed ruling, which We share and make our own, we will only add two observations: Firstly, the verification measures applied by the appellant seem entirely aimed at ensuring the good outcome of the loan, but, in Instead, they completely ignore the objective of verifying the veracity and accuracy of the data, and, in particular, to verify that the person requesting the credit is precisely who he says he is. Thus, in any case in which a third party improperly use a stolen or lost DNI to make a purchase or apply for a credit online, the non-consensual treatment of the personal data of the holder of the document, even if he had reported at the time before the authorities the loss or theft of your DNI, since none of the measures stated by the appellant appears minimally oriented to prevent or hinder for that result to occur. Secondly, the above does not mean that it falls on the company contracting party the responsibility of preventing an illegal or criminal act from occurring such as the fraudulent use of a DNI by someone who is not its owner. But if is required from said contracting company, as a necessary diligence so that it is not may be accused of non-compliance with its obligations regarding the protection of personal data - both with regard to the requirement of consent of the interested party as well as with regard to the principle of truthfulness and accuracy of the data - the implementation of control measures aimed at verifying that the person who intends to hiring is who they say they are, that is, they coincide with the holder of the DNI provided. For the rest, in accordance with what we have exposed, also We share the opinion of the National Court Chamber (legal basis fifth of the appealed sentence) regarding the violation of the requirement accuracy and veracity of the data (principle of data quality included in the article 4.3 LOPD in relation to article 29 of the same Organic Law and the article 38 of the Regulation approved by Royal Decree 1,720/2007, of 21 December), having incorporated the appellant into its computer systems, giving then transfer it to the Asnef asset solvency file, personal data of the complainant associated with a debt that was not true, due or payable since the “the complainant had not contracted the microcredit.” And as occurs in the case analyzed by the aforementioned ruling, in this case The defendant also did not diligently verify the veracity and accuracy of the data, and, in particular, that the person requesting the credit was precisely who he said he was. Furthermore, the proven facts show that the CGI company in written of 03/01/2023 and in relation to the sending of the payment request to the complainant that “the letter dated 06/21/2020, a copy of which is attached, was generated with the information provided by the defendant..., for printing (File: RECINFENV20200620.PDF; Envelope: 1347) and subsequent making available to the postal distributor who was in charge of sending it to the address: ***ADDRESS.2 Once the established process has been carried out and since it has been made available in CORREOS, it is clear that there has been no incident and no refund of any said letter to date”, that is, it is considered good that the letter reached its recipient when the Madrid City Council itself, through the Technical Unit del Callejero in writing dated 08/07/2023 has indicated that “Currently there is no C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 15/31 road in the municipal street map of the city of Madrid with the name of Street (...) and by Therefore neither does number 75 on this road. So it is another element that should have been taken into account by the claimant when verifying the certainty of the information provided at the time of contracting. 3. The defendant states that given the possibility that there had been impersonation of the identity of the claimant and the consequent treatment of her data illegitimately, deleted them blocking their data. In this way, in writing dated 03/14/2023, the defendant confirmed that “only the use of a system created with the intention of defrauding the Entity prevented it from could detect the falsification of the documentation submitted by the applicant for the credit, who, in his case, supplanted the personality of the current claimant, causing the facts that motivated, at the time, the claim presented by it before that Agency and the opening of these proceedings.” However, in its response dated 06/14/2022 to the request made by this management center indicated that the Ikea Visa card debt amounted to €690.25 and that on 06/29/2020 he sent the pertinent information to the ASNEF file and that, The next day, 06/30/2020, the claimant's data was registered in the ASNEF equity solvency file effectively by being included in the weekly files that were sent until 08/20/2020. And that “In accordance with the communication procedure for registrations and cancellations to credit information systems, the data was deleted from the ASNEF file effective on August 11, 2021.” That is, the claimant's data was included in the files called commonly delinquent on 06/30/2020 and effectively written off on the date 08/11/2021. Therefore, the claimant's data during the period in which were contained in the aforementioned file, they continued to be processed until they were deleted. effective by the person claimed illegitimately, as there is no proven legal basis any for its treatment, since the presumption of legality is not applicable contemplated in article 20.1 since the debt was neither certain, nor due nor required since the contracting of the Ikea card with the claimant is not proven. 4. For greater completeness, it appears from the proven facts that the person claimed in writing dated 12/31/2021 stated “CaixaBank Payments & Consumer, as soon as it had knowledge of alleged fraud/forgery in the contracting, proceeded to deletion/blocking of the personal data of the interested party, proceeding, likewise, to immediately cancel it in the credit information systems.” But, in a subsequent letter dated 06/14/2022, it stated “The previous statement was erroneous since the data of the affected party and claimant, referring to the credit contract with Ikea Visa card mentioned above, had been given deregistration from credit information systems on August 11, 2021, as consequence of the aforementioned purchase and sale contract and assignment of credits dated July 29, 2021.” C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 16/31 Therefore, the defendant did not proceed to delete the data in the data files. defaulters or to block the data because they had knowledge of the alleged impersonation of the claimant and alleged fraud in the contracting, but the deletion in the files was motivated because the credit was object of transfer through a purchase and sale contract formalized in Madrid, before the notary Don A.A.A. with the company Invest Capital Ltd., on 09/16/2021, commercial which in turn includes the data in the file. Therefore, as previously noted, the actions of the defendant represents a violation of article 6.1 of the RGPD, in relation to article 20.1 of the LOPDGDD, violation of the principle of legality in the processing of data that requires the existence of a legal basis that legitimizes it; violation that caused the claimant's data were included in the credit information systems without the debt being certain, due and payable and without the claimant having proven to have carried out the legally established weighting, and consequently without stating that their legitimate interests prevail over the interests, rights and freedoms of the claimant, an infringement classified in article 83.5.a) of the RGPD. SAW In allegations to the Proposed Resolution, the defendant has alleged his disagreement with it, alleging that: 1. The lack of violation of article 6.1 of the RGPD, since the alleged infringement has as its origin the deception exercised on the person of the seller by maliciously impersonating the identity of the claimant at the time of validate your identity as an applicant physically present at the establishment commercial. Article 8.1 of the LOPSC establishes that the DNI “is the only document with sufficient value on its own to accredit, for all purposes, the identity and the personal data of its owner” and that verification by the person in charge of the claimed the identity of the interested party at the time of the application-contracting of The card is considered legal and necessary to contract. According to the dictionary of the Royal Academy of the Spanish Language (RAE), it defines the term “identification” as “action and effect of identifying or identifying oneself” and the term “identify” as “Recognize whether a person or thing is the same as supposed or sought.” The term “identity” (in its second meaning) as a “set of traits specific to an individual or a community that characterize them versus others" In short, the obligation to “identify” that falls on the seller of the prescriber translates into “recognize” whether the identity data, that is, the elements or traits that characterize the person who intends to sign the application-contract of the card (name, surname, identification document number and nature of the document and even its physical image) are those that appear in the “document” “accreditation of personality.” As noted in point 2 of foundation V, in accordance with the Agreement signed between the defendant and IKEA, the seller having the applicant C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 17/31 physically present in the commercial establishment proceeds to identify it through of your identity document. Well, it is surprising that the defendant indicates that he acted with diligence necessary since it has implemented security measures in its contracting processes. verification of identity based on the DNI, resulting paradoxically that the seller having the applicant in front of him and requiring his DNI in order to verify his identity through visual verification of the elements and features that characterize The person he intended to hire did not realize that it was not the same person. Therefore, This is not, as the defendant tries to argue, an invincible error, but rather a fault. of negligence that would have been overcome if the measures had been adopted necessary and opportune that would have led to the conclusion that the person who went to the commercial establishment was not the one it claimed to be and whose document it carried, which which is also shocking in light of the facts established in the procedure: The signature did not correspond to the one existing on the DNI and even so the employee, as stated indicated previously, proceeded to record the graphological image of the signature in the entity's systems, the affirmation of the entity itself that has indicated that a correct identification of the person was not made, so we are facing a behavior of serious negligence, easily overcome if they had been adopted the appropriate protocols and precautions, since neither the signatures coincided, nor was there the address provided, nor was the necessary documentation presented to prove that the The bank account number provided corresponded to the contracting party. It is not that the people involved in the identification of the potential clients have difficulties due to the fact that they are not specialists in detecting said impersonations; The rational thing is that appropriate measures be adopted and adequate and necessary precautions so that such incidents do not take place. The A.N. In a ruling dated 01/10/2012, it states that: “Applying the previous regulations to the alleged defendant, it turns out that it has been proven, and not distorted through proof to the contrary, that a commercial distribution contract was signed, by the plaintiff entity and in which personal data of the complainant, specifically his name, surname and ID, but without correspond to it neither its supposed address, nor its supposed phone number. phone number and not your email address either. Contract that lacks any signature and whose formalization has been denied by such complainant. Having also been proven that, once the invoice generated was unpaid for the services derived from the aforementioned contract, Avon Cosmetics included the name and DNI number of the aforementioned complainant in the Asnef delinquency file. In short, it is that the plaintiff entity began a commercial relationship with a third person without sufficient control or supervision insofar as he was not able to detect that really, the person who was expressing his willingness to hire, He wasn't who he said he was. As derived from the aforementioned RGPD, AVON, as responsible for the treatment, and despite its extensive arguments of the lawsuit, has not been able to demonstrate that the complainant had given her consent to the processing of your personal data. If AVON has taken the necessary precautions to ensure the identity of the contracting person, for which it would have been enough to verify some type of identification documentation (even by telematic means), the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 18/31 violation of article 6.1 of the RGPD charged by the AEPD. In short, by not having acted with the necessary diligence, the data of the affected party were processed without have your consent, which represents a violation of such an essential principle of legality, given that none of the circumstances exist in the case. exceptional circumstances that would exempt the need for such consent. Of all of which It follows that the events described are of sufficient importance to be classified as serious violation of article 86.5 of the RGPD. It is not possible to appreciate, on the other hand, the invincible error that insistently is invoked in the lawsuit, since in addition to the fact that it must be demonstrated (STS of June 23, 2014) in short, as already indicated, and without prejudice to fraud committed, the truth is that there was not sufficient diligence on the part of Avon Cosmetics or at the time of including the complainant's data in its computer bases, nor in the moment of notifying them to the asset solvency and credit file. Without being able to take into consideration, finally, the invoked absence of responsibility for having been a victim of fraud, since although in the Currently, article 28 of the LRJPAC only recognizes liability "as a matter of intent or guilt", there is no doubt that the requirement of guilt in the illicit administrative is more flexible than in criminal law, and thus, in accordance with repeated Jurisprudence, in the face of clearly illegal behavior, it is not enough to invoke the absence of fault, but it must be proven that due diligence has been used required (SSTS March 23, 2011 and October 21, 2014, among many others), diligence that, based on everything stated, cannot be seen in Avon's conduct Cosmetics. From all of which it follows that the sanction imposed on the plaintiff entity in such The disputed resolution is legal and proportionate, so the same It has to be confirmed.” On the other hand, regarding the unfavorable opinion of the AEPD to the initiative raised about the possibility of using facial recognition data at the time of registration of clients, it should be noted that any processing of data of a personnel must have a basis of legitimacy, and the case must be attended to specific and the possible interference in the right to data protection, and the compliance with the principles contained in art. 5 of the GDPR, including principles of legality and data minimization. 2. The violation of the doctrine of proper acts when archiving similar claims in which there is identity of facts and subjects to those of the present procedure including EXP2022022936. However, the issue invoked by the defendant has nothing to do with the violation of the doctrine of proper acts and must be dismissed. Firstly, the aforementioned file was directed against KRUK ESPAÑA S.L. to the be claimed from the interested party a debt whose original creditor was the now claimed (CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.), being the claimant the same person who files the claim that gave rise to this procedure for violation of article 6.1 RGPD in relation to article 20 of the LOPDGDD. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 19/31 As indicated in point 4 of the previous foundation, the defendant and the entity INVESTCAPITAL, LTD formalized a contract for the purchase and sale of a portfolio of credits in Madrid, before the notary Don A.A.A. on 09/16/2021, among which found that of the claimant, referring to this letter informing about said transfer of the credit right. In turn, the KRUK entity, in its capacity as data processor, provided InvestCapital, responsible for the treatment and current creditor, the services debt recovery. As stated in the proven facts, the claimant sent emails emails in which she requested to know if she was listed as a debtor in their systems and that he was not the owner of the aforementioned debt, indicating that he had suffered an impersonation of identity regarding the contracting of the CaixaBank card, for which he requested the deletion of your data. On 03/09/2022 KRUK responded to the claimant confirming the amount Of the debt. Regarding the request to delete the data, KRUK indicated that They could not attend to it since the new creditor (InvestCapital) was aware of the debt, but that, given that he had provided evidence of possible fraud by having reported identity theft to the police, KRUK informed him that agreed to paralyze the file until there was evidence of the impersonation of identity that would allow the file to be definitively closed. And furthermore, the claimant forgets that the processing of the claimant's data carried out by InvestCapital, in its capacity as data controller and, KRUK, in its capacity as the person in charge of the treatment, as it is the result of the acquisition of a package of debts from the defendant (CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U.) trusted in the appearance of veracity of the credits assigned and given that in the treatment carried out it is produced as a good acquirer faith, cannot constitute a violation of article 6.1 of the RGPD. Quite the opposite of the defendant whose actions are contrary to the principle of legality enshrined in article 6.1 of the GDPR; Treatment begins with fraudulent contracting of the Ikea credit card number ***NUMBER.1, dated 01/13/2020, signed at the establishment lkea Iberica, S.A., of ***ADDRESS.1 and which is permanent over time with the subsequent inclusion of the data of the claimant in the Asnef file for a debt that did not correspond to him, since 06/30/2020 until 08/11/2021, leave that is a consequence of the aforementioned contract of sale and assignment of credits dated 07/29/2021. This way of proceeding is contrary to article 6.1 of the RGPD and finds its typification in article 83.5.a) of the RGPD. 3. The defendant also alleges the absence of guilt in his actions and that no one can be condemned or punished except for acts of intent or guilt. Strict liability is proscribed in our legal system. In The scope of administrative sanctioning law governs the principle of guilt, of way that the subjective or culpable element is an indispensable condition for C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 20/31 that sanctioning responsibility arises. Article 28 of Law 40/2015, of Legal Regime of the Public Sector (LRJSP) regulates the principle of guilt and provides: “1. They may only be sanctioned for acts that constitute an infraction. administrative authority of natural and legal persons, as well as, when a Law recognize the capacity to act, the affected groups, the unions and entities without legal personality and independent or autonomous assets, which are responsible for them by way of fraud or guilt.” In light of this precept, sanctioning responsibility can be demanded from title of fraud or guilt, being sufficient in the latter case the mere non-observance of the duty of care. The Constitutional Court, among others, in its STC 76/1999, has declared that Administrative sanctions are of the same nature as criminal sanctions, as they are one of the manifestations of the ius puniendi of the State, and that, as a requirement derived from the principles of legal certainty and criminal legality enshrined in the Articles 9.3 and 25.1 of the EC, their existence is essential to impose them. Regarding the guilt of the legal entity, the STC should be cited. 246/1991, December 19, 1991 (F.J. 2), according to which, with respect to the legal persons, the subjective element of fault must necessarily be applied differently from what is done with respect to natural persons and adds that “This different construction of the imputability of the authorship of the infraction to the person legal origin arises from the very nature of legal fiction to which these subjects. They lack the volitional element in the strict sense, but not the ability to violate the rules to which they are subject. Violation capacity and, therefore, direct blameworthiness that derives from the legal good protected by the norm that is infringes and the need for said protection to be truly effective […]” In short, the conduct of the defendant, specified in the violation of the principle of legality, in relation to article 20 of the LOPDGDD, by including the data of a personal nature of the claimant in common credit information systems without basis of legitimacy, since the claimant could not be the contracting party of the card Ikea violates article 6.1 of the RGPD, action subsumable in the sanctioning type of article 83.5.a) of the RGPD 4. Finally, the defendant alleges the violation of the principle of proportionality in the imposition of the sanction. Article 83.1 of the RGPD prevents that “Each supervisory authority will guarantee that the imposition of administrative fines pursuant to this article for the infringements of this Regulation indicated in paragraphs 4, 5 and 6 are in each individual case effective, proportionate and dissuasive.” The fines therefore, as deduced from the precept, must be effective, proportionate and dissuasive for the achievement of the purpose intended by the GDPR. It is true that for this system to work with all its guarantees it is It is necessary for several elements to be deployed in an integral and complete manner. The C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 21/31 application of rules other than the RGPD regarding the determination of fines in each of the Member States applying their national law, whether by aggravating or mitigating circumstances not provided for in the RGPD -or in the LOPDGDD In the Spanish case, by allowing it under the RGPD itself, it would reduce the effectiveness of the system that would lose its meaning, its teleological purpose, the will of the legislator, resulting in the fines imposed for different violations would no longer be effective, proportionate and dissuasive. And in this way the interested parties would also be robbed. of the effective guarantee of their rights and freedoms, weakening the uniform application of the GDPR. Mechanisms for the protection of rights and freedoms of citizens and would be contrary to the spirit of the RGPD. The GDPR is endowed with its own principle of proportionality that must be applied in its strict terms. Regarding the principle of proportionality of sanctions, the Court National in numerous sentences has indicated that the principle of proportionality cannot be evaded from jurisdictional control, since the margin of appreciation that is grants the Administration the imposition of sanctions within the limits legally provided, must be developed weighing in any case, the concurrent circumstances, in order to achieve the necessary and due proportion between the alleged facts and the responsibility demanded, given that any sanction must determined in congruence with the entity of the infraction committed and according to a criterion of proportionality in relation to the circumstances of the event. So that Proportionality constitutes a normative principle that is imposed on the Administration and that reduces the scope of its sanctioning powers. Well, in accordance with the circumstances that occur in the present case, this resolution does not violate the principle of proportionality in the determination of the sanctions imposed, being weighted and proportionate to the seriousness of the infraction committed, the importance of the facts, as well as the circumstances taken into account to graduate the sanction, without any reasons being appreciated that further justify the reduction made, especially taking into account the amount to which said sanctions may amount in accordance with art. 83.5 of the RGDP, which provides for the violation of article 6.1 of the RGDP, “with fines administrative fees of €20,000,000 maximum or, in the case of a company, a amount equivalent to a maximum of 4% of the total global annual business volume of the previous financial year, opting for the highest amount.” Well, the entity is a large company within its sector of activity; in In 2021 (last financial year presented) it had sales of more than 750 million euros and a fiscal year result of more than 218 million euros. SAW In order to establish the administrative fine that should be imposed, they must The provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which they point out: "1. Each supervisory authority will ensure that the imposition of fines administrative sanctions under this article for violations of this C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 22/31 Regulations indicated in sections 4, 5 and 6 are in each individual case effective, proportionate and dissuasive. 2. Administrative fines will be imposed, depending on the circumstances of each individual case, as an additional or substitute for the measures contemplated in Article 58, paragraph 2, letters a) to h) and j). When deciding to impose a fine administrative and its amount in each individual case will be duly taken into account: a) the nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question as well as the number of interested parties affected and the level of damage and damages they have suffered; b) intentionality or negligence in the infringement; c) any measure taken by the person responsible or in charge of the treatment to alleviate the damages and losses suffered by the interested parties; d) the degree of responsibility of the person responsible or in charge of the processing, taking into account the technical or organizational measures that have been applied under articles 25 and 32; e) any previous infraction committed by the person responsible or in charge of the treatment; f) the degree of cooperation with the supervisory authority in order to put remedy the infringement and mitigate the possible adverse effects of the infringement; g) the categories of personal data affected by the infringement; h) the way in which the supervisory authority became aware of the infringement, in particular whether the person responsible or the person in charge notified the infringement and, in that case, what extent; i) when the measures indicated in Article 58(2) have been previously ordered against the person responsible or the person in charge in question in relation to the same matter, compliance with said measures; j) adherence to codes of conduct under Article 40 or to mechanisms of certification approved in accordance with Article 42, and k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits obtained or losses avoided, direct or indirectly, through infringement. In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that: "2. In accordance with the provisions of article 83.2.k) of the Regulation (EU) 2016/679 may also be taken into account: a) The continuous nature of the infringement. b) The linking of the offender's activity with the performance of treatments of personal data. c) The benefits obtained as a consequence of the commission of the infraction. d) The possibility that the conduct of the affected person could have induced the commission of the infraction. e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity. f) The impact on the rights of minors. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 23/31 g) Have, when it is not mandatory, a delegate for the protection of data. h) Submission by the person responsible or in charge, with character voluntary, to alternative conflict resolution mechanisms, in those cases in which there are disputes between them and any interested." - In accordance with the transcribed precepts, in order to set the amount of the sanction to be imposed in the present case for the infraction classified in article 83.5.a) and article 6.1 of the RGPD (inclusion of debt in defaulter files), of which holds the defendant responsible, in an initial assessment, the following factors: These are aggravating circumstances: The nature and severity of the violation; the facts revealed affect a basic principle regarding the processing of personal data, such as legitimacy, which the norm sanctions with the greatest severity; the level of the damages suffered by the claimant that affect her economic solvency by having been denied a loan as a result of your personal data appeared in common credit information systems at the request of the defendant in relation to a debt arising from an Ikea credit card that amounted to €690.25 linked to the person claimed, being registered on 06/30/2020 and appearing until 08/11/2021, upon being discharged by the claimed party, as a result of the assignment of the debt to the company Invest Capital Ltd (article 83.2.a) of the RGPD). The activity of the allegedly infringing entity is linked to the processing of personal data of both clients and third parties. In the activity of the claimed entity, the processing of data of personal nature so, given its business volume, the significance of the conduct that is the subject of this claim is undeniable (article 76.2.b) of the LOPDGDD in relation to article 83.2.k). The intentionality or negligence in the infringement, since the defendant included the data in defaulter files without the debt meeting the requirements of the article 20.1 of the LOPDGDD and without carrying out the necessary weighting. Also connected with the degree of diligence that the data controller is obliged to display in compliance with the obligations imposed by data protection regulations the SAN of 10/17/2007 can be cited. Although it was issued before the validity of the RGPD, its pronouncement can be perfectly extrapolated to the assumption that we analyze. The ruling, after alluding to the fact that the entities in which the development of its activity entails continuous processing of customer data and Third parties must observe an adequate level of diligence, it stated that “(...). he Supreme Court has been understanding that imprudence exists whenever disregards a legal duty of care, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence it must be weighed especially the professionalism or not of the subject, and there is no doubt that, in the case now examined, when the appellant's activity is constant and abundant In the handling of personal data, rigor and exquisite care must be insisted upon. for complying with the legal provisions in this regard” (article 83.2, b) of the RGPD). C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 24/31 The investigated entity is a large company within its sector of activity and In 2021 (last financial year presented) it had sales of €752,310,000 and a fiscal year result of €218,701,000 according to Axesor data (article 83.2.k) of the GDPR). VII The corrective powers that the RGPD attributes to the AEPD as a control authority control are listed in article 58.2, sections a) to j). Once the infringement has been confirmed, it is appropriate to impose on the person responsible the adoption of appropriate measures to adjust its actions to the aforementioned regulations in this act, in accordance with the provisions of the aforementioned article 58.2 d) of the RGPD, according to which each control authority may “d) order the person responsible or in charge of the processing that the processing operations comply with the provisions of the this Regulation, where appropriate, in a certain manner and within a specified period.” In the present case, the defendant is required to, within a period of six months from the notification of this resolution: - Accredit the adoption of appropriate measures to prevent future produce incidents such as those that have caused the opening of this sanctioning procedure avoiding incidents such as the one indicated when processing data personal character in credit information systems, without any legitimation of the contemplated in article 6.1 of the RGPD. Please note that failure to comply with the possible order to adopt measures imposed by this body in the sanctioning resolution may be considered as an administrative offense in accordance with the provisions of the RGPD, classified as an infraction in its article 83.5 and 83.6, and such conduct may be motivated by the opening of a subsequent administrative sanctioning procedure. III The appellant in his appeal document expresses his disagreement with what indicated in the Resolution appealed in relation to the violation of article 6.1 of the GDPR and has made the following allegations: Firstly, the defendant insists on the processing of the personal data of the debtor both in the assignment and in the treatment of these by the assignee of the credit (InvestCapital Ltd), finds its legal basis in article 6.1 GDPR and that When the transfer was made, I had no knowledge of the possible fraudulent use of the claimant's data, and after the aforementioned sale she learned of identity theft and that for this reason there is no guilt. However, such an allegation cannot be admitted; The claimed entity is the data controller, who decides on the processing of personal data of the interested parties, the purposes and means of said processing and of applying the measures technical and organizational measures that guarantee the security of personal data with reason for said treatment; In addition, it must be ensured that the treatment responds to C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 25/31 the principles enshrined in article 5 of the GDPR and, as in the present case, of the principle of legality. Well, the defendant has not proven the mechanism or protocol that verify the identity of the credit applicant and the appellant is reminded that he has not distorted any of the issues included in the Resolution with respect to the way to prove identity and the reason why you do not have the documentation that was necessary to carry out the contract. The person responsible for contracting the credit and processing the data personal data of the clients requesting financing is the one claimed, in the established procedure for the formalization of a credit contract to obtain the Ikea card, the Ikea employee/seller uses an application installed on the digital tablet that is connected to the defendant's computer systems; this In this way, the data obtained is immediately sent to the systems computer data of the claimed party for verification, analysis and processing before said commercial, Ikea not retaining in compliance with the agreement signed any documentation in this regard or any personal data. Well, the signature that appears on the DNI and the one that appears on the contract provided do not match; Furthermore, the defendant has a series of socioeconomic data that do not It is known that they will be provided to you during the contract; As stated in the report of actions “The defendant has not provided documentation that proves the previous socioeconomic information contained in their systems.” Among that documentation The account number in which the payments were direct debited appears; according to the FAQs (Frequently Asked Questions) financing: What requirements exist to request my Card? You just have to present: An identification document such as ID or passport An original bank receipt with your name and account number for the domiciliation. Original proof of income: • Last payroll • Self-employed workers, managers and administrators: last personal income tax or quarter • Pensioners: pension revaluation sheet If you are a CaixaBank customer, you only need your DNI/NIE and your credit card or debit to process your request. However, said documentation that the applicant must provide neither appears nor appears to the one claimed, that is, it was not provided since we must not forget that the claimant was not the owner of the bank account according to the facts tested. The Ikea salesperson, having the applicant physically present in the commercial establishment must proceed to identify the client through their identification document. Subsequently, having the client in front of him, he takes a photograph of his identity document with the digitizing tablet and requests personal data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 26/31 additional, socioeconomic data (employment status, monthly income, pay, position, Profession, company, etc.) and enter the information into the system. Finally, the application has a signing process through the tablet digitizing machine and the data obtained are immediately sent to the systems computer data of the claimed party for verification, analysis and processing before said trade. Well, as the claimant states both in her claim before the AEPD as in its complaint before the Civil Guard Command in Pinto (Madrid), extension of the one carried out in Puente de Vallecas before the Commissioner of the National Police, was never in the aforementioned shopping center so it could never sign the Ikea card contract and not provide the data contained therein; such This is how the mobile number, email account, address, telephone number bank account, company and signature that appear in the aforementioned contract do not correspond to you. From the above, the negligent action of the defendant who did not proceed to carry out the appropriate verifications or verify that the necessary documentation for the hiring had been sent by the IKEA establishment. In relation to the account number provided, ING BANK NV SUCURSAL EN SPAIN, in writing dated 07/23/2023, has indicated that the aforementioned account was contracted telephoned by a person who is not the claimant on 09/06/2018. And in relation to the signature stamped on the contract, it does not correspond to the signature of the claimant.” Therefore, the mechanism to verify the identity of the credit applicant, how is it possible that having in front of the credit applicant card, the subscriber will verify its identity without matching, not only the person that he intended to hire, in addition to none of the documents that were necessary to carry out the hiring? Except for the serious negligence in the actions that would have been overcome had the mechanism or protocol that would have been followed concluded that the person who went to the commercial establishment was not the one who he claimed to be and that the document he was carrying was not his and, to make matters worse, proceeded to register the graphological image of the signature in the systems Of the entity; The entity itself has indicated that a correct identification of the person, so we are faced with a behavior absent of any diligence. It is not only about proving that the contract has existed, the responsible person must be able to prove that the contract was made by the person who says he is who he is. - The appellant also alleges that the inclusion of the claimant's data in common credit information systems was due to non-payment of the debt corresponding to the credit contract with an Ikea card and that the payment requirements sent to the claimant as a prior step to the aforementioned inclusion. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 27/31 It is necessary to reiterate again that the debt to which the appellant referred to came from a contract that the claimant had not signed, as is evident accredited in the procedure, so the debt linked to the aforementioned credit card Ikea credit could not be true, due or payable as it did not correspond to the claimant. To make matters worse, and regarding the debt requirements sent to the claimant, appears in the proven facts that have not been distorted by the appellant, that the CGI company by writing of 03/01/2023 sent to the complainant “the letter dated 06/21/2020, a copy of which is attached, was generated with the information provided by the claimed party..., for printing (File:(...); Envelope: XXXX) and subsequent making available to the postal distributor who was in charge of its shipping to address: ***ADDRESS.2 And that the process established for its referral has been carried out and since the launch provision in CORREOS, that no incident had been received and neither return of said letter; It was accepted and admitted that the letter had arrived to its recipient when the Madrid City Council, through the Technical Unit of the Street guide in writing dated 08/07/2023 has established that “Currently there is no road in the municipal street map of the city of Madrid with the name of Street (...) and by Therefore neither does number 75 on this road.” How is it possible to admit that the letter of Did the request reach its recipient if the shipping address did not exist? The appellant carried out the processing of the claimant's data without any legitimation since the guarantees provided for in article 20 of the LOPDGDD, given that the debt was not certain, due or payable, a debt that was not corresponded to the claimant as it arose from a fraudulent contract. Therefore, it included the claimant's data in information systems credit without having proven diligence in the contracting, so it is responsible for the inaccuracy of the data, having included in the file data from a debt that did not correspond to the claimant. In addition, he communicated the data of the claimant when selling a portfolio of credits with the debt non-existent - The claimant also alleges a violation of the non bis in idem principle; points out that the AEPD has already ruled on these events in File 202202936 whose Resolution issued on 06/14/2022 agreed to archive the proceedings. However, the aforementioned allegation cannot be accepted either; in it Exp.202202936 some facts revealed by the claimant were analyzed in February 2022 in a claim directed against KRUK. In the aforementioned file, the claimant stated that “The company KRUK ESPAÑA SL has accessed my personal data, such as address, telephone number and email without me having given any consent for this company process my data. They claim a debt from CaixaBank Payment&Consumer which already has been reported for identity theft more than 6 months ago, as a result of what which this company retired the debt. In the false credit card contract requested from In addition, none of my real information appears, only my name and ID. Therefore this company, KRUK ESPAÑA SL, has had to access my data C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 28/31 personal in some illicit way since I did not give any consent for they agreed. As a result, KRUK ESPAÑA SL is claiming a debt from me that no longer exists with phone calls and harassment to me and my family.” KRUK, provided debt recovery services to InvestCapital, acting as the person in charge of the treatment. The debt claimed, whose original creditor was the recurring, derived from the fraudulent contracting of the credit card with IKEA. We must not forget that on 07/29/2021 InvestCapital, Ltd., acquired the rights of a debt portfolio of the appellant, passing InvestCapital, Ltd., to hold the position of creditor. On 02/3 and 02/08/2022, the interested party sent two emails to KRUK, in the first of which he requested to know if she was listed as a debtor in her systems, and in the second, it indicated that she was not the owner of said debt, that everything It was the result of an impersonation of his identity regarding the contracting of the card with the now appellant requesting the deletion of his data, and also informed him who had reported this circumstance to the police and the AEPD. None of these complaints were directed against KRUK or InvestCapital. KRUK responded to the claimant confirming the amount of the debt and informing of the assignment of the debt, along with a copy of the credit card contract original signed with the appellant and the movements of the card. According to the request to delete the data, KRUK indicated that at the moment it could not be delete since the creditor (InvestCapital) was aware of the debt, but given that he had provided evidence of possible fraud by having reported to the police an identity theft, KRUK informed him that it agreed to paralyze the file temporarily until we obtain evidence of identity theft that allows definitively close the file. Therefore, the archival resolution only examined the performance and legitimacy of KRUK regarding the processing of the complainant's data, but in No case in the aforementioned file was analyzed or questioned the actions of the recurrent. We previously noted that on 07/29/2021 InvestCapital, Ltd., acquired the credit rights of a debt portfolio of the appellant, passing InvestCapital, Ltd., to hold the position of creditor by sending the debtors a letter informing on said assignment of the credit right. The appellant responded to the transfer of the claimant's claim of 11/13/2023 indicating in writing dated 12/31/2021 that "as soon as he had knowledge of the present fraud in the contracting, proceeded to the deletion/blocking of the personal data of the affected party, and also proceeding to cancel their data from common credit information systems". Although, in a subsequent letter dated 06/14/2022 it stated “The previous statement was erroneous since the data of the affected party and claimant, referring to the credit contract with Ikea Visa card mentioned above, had been given deregistration from credit information systems on August 11, 2021, as C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 29/31 consequence of the aforementioned purchase and sale contract and assignment of credits dated July 29, 2021.” Therefore, as stated in the appealed Resolution, the defendant does not proceeded to delete the data in the defaulter files or block the data because he had knowledge of the alleged impersonation of the personality of the claimant and an alleged fraud in the contracting, but the deletion in the files It was motivated because the credit was assigned through a contract of sale formalized in Madrid, with the company InvestCapital Ltd., on date 09/16/2021. InvestCapital, as a creditor, never registered the interested party in any credit information system, such responsibility falls solely on the appellant who was the one who reported the inclusion of the personal data of the claimant in the ASNEF and BADEXCUG files, for an illicit debt since he did not meets none of the requirements of article 20.1 of the LOPDGDD. The processing of data carried out by InvestCapital, Ltd., as responsible for the treatment, and by KRUK ESPAÑA S.L., in its capacity as manager of the treatment, is the result of the acquisition of the debt package, credits supposedly unpaid from the appellant and, who, trusting in the appearance of veracity of the assigned credits, they carried out a treatment of data caused as an acquirer in good faith, and said conduct constituting a violation of article 6.1 of the RGPD. Behavior that is not predicable of the appellant whose conduct is contrary to the principle of legality enshrined in article 6.1 of the RGPD; treatment begins with the fraudulent contracting of the Ikea credit card number ***NUMBER.1 and that persists with the subsequent inclusion of the claimant's data in the file Asnef for a debt that did not correspond to it, from 06/30/2020 to 08/11/2021, deregistration that occurs as a consequence of the aforementioned contract for the transfer of credits dated 07/29/2021. Therefore, as previously noted, the actions of the defendant represents a violation of article 6.1 of the RGPD, in relation to article 20.1 of the LOPDGDD, violation of the principle of legality in the processing of data that requires the existence of a legal basis that legitimizes it; violation that caused the claimant's data were included in the credit information systems without the debt being certain, due and payable and without the claimant having proven to have carried out the legally established weighting, and consequently without stating that their legitimate interests prevail over the interests, rights and freedoms of the claimant, an infringement classified in article 83.5.a) of the RGPD. - Finally, the appellant insists on the absence of responsibility and guilt in his actions and that no one can be condemned or punished except for facts by way of fraud or guilt. In the appealed resolution, it was pointed out to the now appellant that the Strict liability is prohibited in our legal system. In the field of sanctioning Administrative Law governs the principle of guilt, so that C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 30/31 The subjective or culpable element is an essential condition for the birth of sanctioning responsibility. Article 28 of Law 40/2015, of Legal Regime of the Public Sector (LRJSP) regulates the principle of culpability and provides: “1. Only may be sanctioned for acts constituting an administrative infraction. natural and legal persons, as well as, when a Law recognizes their capacity to act, the groups of affected people, the unions and entities without legal personality and the independent or autonomous assets, which are responsible for them title of fraud or guilt.” In light of this precept, sanctioning responsibility can be demanded from title of fraud or guilt, being sufficient in the latter case the mere non-observance of the duty of care. The Constitutional Court, among others, in its STC 76/1999, has declared that Administrative sanctions are of the same nature as criminal sanctions, as they are one of the manifestations of the ius puniendi of the State, and that, as a requirement derived from the principles of legal certainty and criminal legality enshrined in the Articles 9.3 and 25.1 of the EC, their existence is essential to impose them. Regarding the guilt of the legal entity, the STC should be cited 246/1991, December 19, 1991 (F.J. 2), according to which, with respect to the legal persons, the subjective element of fault must necessarily be applied differently from what is done with respect to natural persons and adds that “This different construction of the imputability of the authorship of the infraction to the person legal origin arises from the very nature of legal fiction to which these subjects. They lack the volitional element in the strict sense, but not the ability to violate the rules to which they are subject. Violation capacity and, therefore, direct blameworthiness that derives from the legal good protected by the norm that is infringes and the need for said protection to be truly effective […]” In short, the conduct of the defendant, specified in the violation of the principle of legality, in relation to article 20 of the LOPDGDD, violates the article 6.1 of the RGPD, action subsumable in the sanctioning type of article 83.5.a) of the GDPR IV Consequently, in this appeal the appellant has not provided new facts or legal arguments that allow us to reconsider the validity of the contested resolution. Considering the aforementioned precepts and others of general application, The Director of the Spanish Data Protection Agency RESOLVES: FIRST: DISMISS the appeal for reconsideration filed by CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. against the resolution of this Agency Spanish Data Protection Regulation issued on 11/13/2023, in the file EXP202105363. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 31/31 SECOND: NOTIFY this resolution to CAIXABANK PAYMENTS & CONSUMER EFC, EP, S.A.U. THIRD: Warn the sanctioned person that the sanction imposed must be made effective once this resolution is notified, in accordance with the provisions of the article 98.1.b) of law 39/2015, of October 1, on Administrative Procedure Common of Public Administrations, within the voluntary payment period indicated in the Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of July 29, in relation to art. 62 of Law 58/2003, of 17 December, by depositing it into the restricted account number ES00 0000 0000 0000 0000 0000, opened in the name of the Spanish Data Protection Agency in the Bank CAIXABANK, S.A. or otherwise, it will be collected within the period executive. If the date of the notification is between the 1st and 15th of each month, both inclusive, the deadline to make the voluntary payment will be until the 20th of the month next or immediately following business day, and if it is between the 16th and last day of each month, both inclusive, the payment term will be until the 5th of the second month following or immediate subsequent business. In accordance with the provisions of article 50 of the LOPDGDD, the This Resolution will be made public once it has been notified to the interested parties. Against this resolution, which puts an end to the administrative procedure in accordance with art. 48.6 of the LOPDGDD, and in accordance with the provisions of article 123 of the Law 39/2015, of October 1, of the Common Administrative Procedure of the Public Administrations (LPACAP), interested parties may file an appeal contentious-administrative case before the Contentious-administrative Chamber of the National Court, in accordance with the provisions of article 25 and section 5 of the fourth additional provision of Law 29/1998, of July 13, regulating the Contentious-administrative Jurisdiction, within a period of two months from the day following the notification of this act, as provided for in article 46.1 of the referred Law. Finally, it is noted that in accordance with the provisions of art. 90.3 a) LPACAP, may provisionally suspend the final resolution through administrative means if the interested party expresses his intention to file a contentious-administrative appeal. If this is the case, the interested party must formally communicate this fact through writing addressed to the Spanish Data Protection Agency, presenting it through of the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica- web/], or through any of the other registries provided for in art. 16.4 of the cited LPACAP. You must also transfer to the Agency the documentation that proves the effective filing of the contentious-administrative appeal. If the Agency does not had knowledge of the filing of the contentious-administrative appeal in the period of two months from the day following notification of this resolution, would end the precautionary suspension. Sea Spain Martí Director of the Spanish Data Protection Agency C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es