AEPD (Spain) - EXP202301519
Revision as of 13:53, 13 August 2024
| AEPD - EXP202301519 | |
|---|---|
| Authority: | AEPD (Spain) |
| Jurisdiction: | Spain |
| Relevant Law: | Article 5(1)(f) GDPR; Article 32(1) GDPR |
| Type: | Complaint |
| Outcome: | Upheld |
| Started: | |
| Decided: | |
| Published: | |
| Fine: | 70,000 EUR |
| Parties: | Banco Santander S.A. |
| National Case Number/Name: | EXP202301519 |
| European Case Law Identifier: | n/a |
| Appeal: | Unknown |
| Original Language(s): | Spanish |
| Original Source: | AEPD (in ES) |
| Initial Contributor: | fb |
The DPA fined Banco Santander €70,000 after it disclosed excessive information about a data subject to a third party due to a lack of appropriate security measures.
English Summary
Facts
On 31 March 2005, a data subject bought a house through a mortgage loan granted by Banco Santander (the controller). This mortgage loan was guaranteed by two liens: a lien on the purchased house, and a lien on another house owned by a company, Gardeblock S.L.
On 27 June 2011, Gardeblock sold the house which partially guaranteed the data subject's mortgage. On 5 October 2021, the data subject received a request from Gardeblock asking them to pay the mortgage loan back. Gardeblock attached a certificate issued by the controller, which contained an amortisation table of the data subject's mortgage loan with the bank.
However, the data subject's completed payment was not due until 2040 and Gardeblock sold the house voluntarily, not due to a default on the loan. The data subject asked for clarification about the requested payment given that the debt was not yet due. The data subject also wondered why the controller had transmitted additional information about their loan situation to Gardeblock after it had sold the house.
The data subject ultimately filed a complaint with the Spanish DPA (AEPD), arguing that the controller had improperly provided their banking data to a third party.
The controller apologized to the data subject, noting that the mistaken sharing of the bank certificate resulted from an employee's error. It claimed that it had already adopted security measures in order to avoid these kinds of incidents.
Holding
The AEPD found that the controller infringed Articles 5(1)(f) and 32(1) GDPR, and issued a fine of €20,000.
First, the AEPD found that the controller provided the certificate to the company, a third party, even though the data subject owed it no money at that moment. The AEPD held that this transfer of data was excessive and should not have occurred. Therefore, it found a violation of Article 5(1)(f) GDPR and issued a fine of €50,000.
Moreover, the AEPD noted that the controller failed to implement appropriate security measures. This led to a security incident, since the controller, in its communication to the third party, attached additional information that the third party did not need to know. The AEPD did not uphold the controller's argument regarding human error. It ruled that it is not enough merely to have appropriate measures in place; they must also be properly enforced. Therefore, the DPA found a violation of Article 32(1) GDPR.
English Machine Translation of the Decision
The decision below is a machine translation of the Spanish original. Please refer to the Spanish original for more details.
File No.: EXP202301519
RESOLUTION OF SANCTIONING PROCEDURE
From the procedure instructed by the Spanish Data Protection Agency and based on the following
BACKGROUND
FIRST: D. A.A.A. and B.B.B. (hereinafter the complaining party) on 12/29/2022 filed a claim with the Spanish Data Protection Agency. The claim is directed against BANCO SANTANDER, S.A. with NIF A39000013 (hereinafter, the claimed party). The grounds on which the claim is based are the following:
On 03/31/2005, he acquired a home through a mortgage guarantee loan signed with the defendant, whose duration was 35 years. In the loan deed, in addition to the mortgage guarantee on the property itself and the personal liability of the purchasing borrowers, a mortgage guarantee on a single-family home owned by the company Gardeblock, S.L. was also established by said company (as an added guarantee of repayment of the mortgage loan granted).
On 06/27/2011, and voluntarily, the company Gardeblock, S.L. sold to a third party the single-family home that guaranteed the loan transaction of the claiming party, with part of the amount obtained from the sale being allocated to release the outstanding mortgage liability on the claimant's home.
On 10/05/2021, the complaining party received a judicial claim from the aforementioned commercial company, demanding payment of the amount that had been paid, despite the fact that the sale was voluntary and the debt did not mature until the year 2040. Among the documentation accompanying the complaint was a bank certificate issued by the claimed party, dated 06/25/2021, which contained a list with the amortization table of the mortgage-backed loan signed by the claimant, covering from 06/21/2011 until the end of the loan, that is, the entire period after the release of liability of Gardeblock, S.L.
As a result of what happened, the complaining party filed a claim with the claimed party on ***DATE.1 for providing bank details to third parties unrelated to the operation, receiving a response dated ***DATE.2 in which the claimed party apologizes for what happened and indicates the following: "We have opened an independent investigation to clarify the facts and, if necessary, take the necessary measures (both disciplinary and procedural) to prevent events like this from occurring again. After reviewing the reported facts, unfortunately we have confirmed that, after a formal request for information on payments made by the company Gardeblock, S.L. about a mortgage loan, the branch attached, due to human error, additional information on movements subsequent to the amortization finally carried out by said company".
Along with the claim, they provide accreditation of the representation, a copy of the deed of the mortgage loan, a copy of the certificate and the documentation attached to it (amortization table), a copy of the claim made and the response received, and documentation relating to communications maintained with the claimed party requesting financial compensation for what happened and the corresponding responses rejecting any type of compensation.
C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es
SECOND: In accordance with article 65.4 of Organic Law 3/2018, of 5 December, on Protection of Personal Data and guarantee of digital rights (hereinafter LOPDGDD), on 02/08/2023 said claim was communicated to the claimed party, so that it could proceed with its analysis and inform this Agency, within the period of one month, of the actions carried out to adapt to the requirements provided for in data protection regulations.
The transfer, which was carried out in accordance with the rules established in Law 39/2015, of October 1, on the Common Administrative Procedure of the Public Administrations (hereinafter, LPACAP), was collected on 02/09/2023, as stated in the acknowledgment of receipt in the file.
The claimed party, in a writing dated 03/14/2023, stated: that at the time a loan was granted to the claimant, guaranteed with a mortgage on the home that was the object of acquisition and that it was to finance; that the aforementioned mortgage loan, in addition to being guaranteed by the aforementioned home, was also guaranteed by a property owned by the company Gardeblock, S.L., which appeared in the loan deed as a non-debtor mortgagee. The company Gardeblock, S.L. sold to a third party the single-family home which, according to the Ninth Clause of the mortgage deed, guaranteed the loan of the claiming party for up to 94,000 euros of principal, plus ordinary interest, late payment interest and costs, and proceeded to release the pending mortgage liability on the home of Gardeblock, S.L. through payment to my client of the amount of 85,344.01 euros, for which the deed of cancellation of the mortgage established was granted in favor of that entity, according to the certificate issued by the bank attached to the claim. That the claimant party received a judicial claim from that entity and, among the documentation that accompanied the claim, there is a bank certificate issued by the defendant which contains a list with the amortization table of the loan with mortgage guarantee signed by the claiming party, which spanned from June 21, 2011 until the end of the loan. For this reason, the claimant filed a claim with the defendant for providing bank details to third parties unrelated to the operation.
The Privacy Office responded to this complaint by apologizing, stating that measures were taken to prevent it from happening again, all of this as a consequence of having produced, by mistake, information that extends to movements after the amortization of the loan by the aforementioned company. The claimants have provided to the Agency, in addition to the certificate of the cancellation of the mortgage of the Gardeblock company, two different types of documents: one identified as a Payment Schedule and another as a Table of Transactions Issued; this second document, in which the payments of each of the amortization and interest installments are reflected, should not have been delivered.
THIRD: On 03/29/2023, in accordance with article 65 of the LOPDGDD, the claim presented by the complaining party was admitted for processing.
FOURTH: On 06/05/2023, the Director of the Spanish Data Protection Agency agreed to initiate sanctioning proceedings against the claimed party for the alleged violation of articles 5.1.f) and 32.1 of the RGPD, classified in articles 83.5.a) and 83.4.a) of the aforementioned RGPD.
FIFTH: Once the initiation agreement was notified, the defendant presented a written statement of allegations on 06/22/2023 stating, in summary: that when the incident occurred, the internal security breach management procedure was put into operation, and the review of the actions taken and the facts shows that the office employee who finally delivered the list of start and end amortizations concluded the consultation process with the Department that was supposed to advise him, with human error occurring in the interpretation of the instructions received; that the delivery of the certificate occurred due to a defective understanding by the employee, even though advised, and this because it is not a simple operation but rather a complex one, due to the presence in the loan contract of a non-debtor mortgagee who is a party to the contract, an error that it understands may occur within the framework of legal relationships in this type of contract; that we are faced with an excusable error and not a lack of diligence.
SIXTH: On 07/07/2023, the instructor of the procedure agreed to open an evidentiary period, agreeing to the following:
- Consider reproduced for evidentiary purposes the claims filed by the claimants and their documentation, and the documents obtained and generated by the Inspection Services that are part of the file.
- Consider reproduced for evidentiary purposes the allegations to the initiation agreement presented by the claimed party and the accompanying documentation.
SEVENTH: On 04/04/2024, a Proposed Resolution was issued in the sense that the Director of the AEPD would sanction the claimed party for infringement of articles 5.1.f) and 32.1 of the RGPD, typified in articles 83.5.a) and 83.4.a) of the GDPR, with fines of €50,000 (fifty thousand euros) and €20,000 (twenty thousand euros), respectively.
The aforementioned Proposal was notified, its content being accessed on 04/08/2024, as recorded in the acknowledgment of receipt. The claimed party, in a writing dated 04/22/2024, indicated that it had opted to proceed with the voluntary payment of the sanctions in response to the reductions provided for in article 85 of the LPACAP, with waiver of any administrative appeal, recognizing its responsibility in relation to the events that have given rise to the procedure. The claimed party attached proof of having paid the sanctions with the double reduction, in response, first, to the recognition of responsibility and, second, to voluntary payment before the resolution of the procedure, reduced to 42,000 euros.
In a writing dated 05/03/2024, the instructor of the procedure informed the claimed party that the recognition of responsibility had to be expressed once the procedure had been initiated, during the period to formulate allegations at the opening of the procedure, in accordance with the provisions of article 85 of Law 39/2015, so that the planned reduction of 20% on the sanction would be applicable, unlike the discount for voluntary payment of the penalty, which could be applied when such payment occurs at any time prior to the resolution; that article 85.2 of the LPACAP refers expressly and solely to voluntary payment, and not to the recognition of liability, determining that said payment may occur at any time prior to the resolution. And that article 85.3 indicates that "In both cases, when the sanction has only a pecuniary nature, the body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed penalty, these being cumulative with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and their effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction", which would mean that both must be in the initiation agreement, so it does not contemplate that both reductions are in the proposed resolution or can be paid cumulatively at any time prior to the resolution; that based on all this, a period of three days was granted in order for them to express whether or not they accepted the only reduction to which they are entitled, indicated in the Proposed Resolution, the reduction for voluntary payment of the proposed sanctions before the Resolution is issued, making the corresponding deposit.
On 05/14/2024, the claimed party presented a written statement of allegations in response to the instructor of the procedure, stating in a single allegation that neither in article 85 of the LPACAP nor in any other precept is there justification for the limitation that is intended to be applied under section 1 of the aforementioned article; that the ruling of the TS of 06/10/2022 already indicates that article 85 effectively establishes and distinguishes two ways of ending the procedure, but that these ways are not distinguished by the existence of different time frames for their exercise but by their subsequent effects; and, finally, that the wording of article 85.3 LPACAP supports the interpretation postulated by the claimed party.
EIGHTH: From the actions carried out in this procedure, the following have been accredited:
PROVEN FACTS
FIRST. On 12/29/2022, the AEPD received a written entry from the complaining party in which it states that on 03/31/2005 it acquired a home through a loan with mortgage guarantee signed with the claimed party. In the loan deed, a mortgage guarantee on a single-family home owned by the company Gardeblock, S.L. was also established with said company. On 06/27/2011, and voluntarily, the company Gardeblock, S.L. released its pending mortgage liability on the claimant's home. On 10/05/2021, the complaining party received a lawsuit from the aforementioned company, demanding payment of the amount that had been paid, even though the sale was voluntary and the debt did not mature until the year 2040. Among the documentation that accompanied the lawsuit, there was a bank certificate issued by the claimed party, dated 06/25/2021, which contained a list with the amortization table of the loan with mortgage guarantee signed by the claiming party, which covered from the release of the responsibility of Gardeblock, S.L. until the end of the loan. The claimant filed a claim with the claimed party for providing bank details to third parties unrelated to the operation, receiving a response in which it apologizes for what occurred and states the following: "We have opened an independent investigation to clarify the facts and, if necessary, take the necessary measures (both disciplinary as well as procedural) to prevent events like this from happening again. After reviewing the reported facts, we have unfortunately confirmed that, following a formal request for information on payments made by the company Gardeblock, S.L. about a mortgage loan, the branch attached, by human error, additional information on movements after the amortization finally carried out by said company".
SECOND. The DNIs of the claimants are provided.
THIRD. A document issued by the claimed party is provided in which it STATES: "(…) That on November 14, 2011, through a public deed granted before the Notary D. C.C.C. under number XXX of his protocol, cancellation of the mortgage charge registered on the registered property number XXXX was granted, after the extraordinary amortization of the previously described loan made in the amount of 85,344.01 euros. The loan amortization table since said date is attached as an annex to this document. And for the record I issue this document, at the request of D.D.D. in representation of Gardeblock, S.L., in Zaragoza on June 21, 2021."
FOURTH. The Table of Transactions Issued and Payment Schedule of the loan granted is provided.
FIFTH. There is a writing dated 11/08/2021 from the lawyer of the claimant addressed to the claimed party in connection with the delivery, without consent, of confidential financial documentation to a third party (Gardeblock, S.L.), unrelated to the commercial relationship that their principals maintain with the claimed party, used to exercise judicial actions unrelated to their interests.
SIXTH. There is a representation of the lawyer of the complaining party and emails exchanged between the lawyer and the claimed party dated 02/04/2022, 03/18/2022 and 04/27/2022, in which, among other things, financial compensation is requested for the damages caused.
SEVENTH. There is a document sent by the claimed party to the claimant's lawyer, dated 01/25/2022, stating that: "(…) After reviewing the reported facts, we have unfortunately confirmed that after a formal request for information on payments made by the company Gardeblock, S.L., on a mortgage loan, the branch attached, due to human error, additional information on movements after the amortization finally carried out by said company. (…)"
EIGHTH. The defendant has provided Circular C.028/2021, the purpose of which is to inform on the operation of the specialized Legal Advice Units that are provided to the Office Network and other Areas of Santander Spain.
NINTH. The defendant has provided Circular C.097-2019, by which, so that the Offices that could not obtain the information through the Santander tools could do so, the new Popular historical data service was created.
TENTH. There are screen prints related to the office's actions with the Business Legal Assistance (AJN) department.
ELEVENTH. There is an email sent to AJN in which the following appears: "From: E.E.E. <***EMAIL.1> (…) On this matter, I tell you that the company Gardeblock S.L., through the lawyer … (the powers were sufficient before reporting anything), asked us for a certificate indicating that the company had amortized the mortgage of the claimant party by an amount from the sale of the property that had been transferred to them as a guarantee. They provided us with sales deeds, a copy of the check and more documentation. With all this, internal legal advice was asked to tell us what to do and the answer was that we should ask the Popular historical service for more documentation since we did not have enough information. Everything was requested and we found a discrepancy between the amount they said they had amortized and the one that appeared in the Popular historical records. We consulted legal advice again and they told us to certify with the amount that appeared to us, providing us with the certificate model and the documentation that we had to provide to them, which was the amortization table from that date. I attach all legal advice queries, as well as all the documentation that we have obtained. (…)".
TWELFTH. The defendant has provided a final report regarding the incident and a Risk analysis; the incident is classified as moderate.
FOUNDATIONS OF LAW
I Competence
In accordance with the powers that article 58.2 of Regulation (EU) 2016/679 (General Data Protection Regulation, hereinafter RGPD) grants each control authority, and as established in articles 47, 48.1, 64.2 and 68.1 of Organic Law 3/2018, of December 5, on Protection of Personal Data and guarantee of digital rights (hereinafter, LOPDGDD), the Director of the Spanish Data Protection Agency is competent to initiate and resolve this procedure.
Likewise, article 63.2 of the LOPDGDD determines that: "The Procedures processed by the Spanish Data Protection Agency will be governed by the provisions of Regulation (EU) 2016/679, in this organic law, by the regulatory provisions dictated in its development and, as far as they are not contradict, on a subsidiary basis, by the general rules on the administrative procedures." II Previous Question The claimed party, notified of the Proposed Resolution dated 04/08/2024, in writing dated 04/22/2024 stated: “That, in accordance with what provided for in the aforementioned Agreement, my client has chosen to proceed, within the period granted, to the voluntary payment of sanctions in response to the reductions provided for in article 85 of the LPACAP, with waiver if accepted any appeal through administrative channels, recognizing their responsibility in relation with the facts that have given rise to this procedure. That as proven by the transfer receipt, which is attached, my represented has made the payment of the penalty, with the double reduction provided for in that precept, in attention, first, to the recognition of responsibility and, second, which proceeds by payment voluntarily before the resolution is issued of the procedure as long as at the same time a sanction has not been imposed pecuniary, as a consequence of which, the penalty has been reduced to 42,000 euros”. 
On 05/03/2024, the instructor of the procedure informed the party claimed that the double reduction was not possible since the recognition of the responsibility had to be manifested at the beginning of the procedure, during the period for formulate allegations at the opening of the procedure in accordance with the provisions in article 85.1 of Law 39/2015, so that the planned reduction of the 20% of the penalty, differentiating from the reduction for voluntary payment of the penalty, which could apply when said payment occurs at any time prior to the resolution and they were granted a period of three days in order to express whether they accepted or not the only reduction to which they were entitled, indicated in the Proposal of resolution. The claimed party has argued that neither in article 85 of the LPACAP, nor in There is no other precept justification for the limitation that is intended to be applied to the protection of what is stated in article 85.1 of the LPACAP, agreeing that such acknowledgment of responsibility must be made “initiated” by the procedure, because it expressly says so in the aforementioned precept, but what it does not say precept is that such recognition must be made only “at the beginning” of the procedure, reason why this entity cannot accept such an interpretation that it considers C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 8/24 restrictive of his rights and, he goes to strengthen his argument to the ruling of the TS 1260/2022, October 6, 2022. 
It should be noted that the Proposed Resolution issued on 04/04/2024, In its operative part it stated that: “That by the Director of the Spanish Data Protection Agency, sanction BANCO SANTANDER, S.A., with NIF A39000013, - For the violation of article 5.1.f), typified in article 83.5.a) of the aforementioned GDPR, a fine of €50,000 (fifty thousand euros), and - For the violation of article 32.1 of the RGPD, typified in article 83.4.a) of the aforementioned RGPD, a fine of €20,000 (twenty thousand euros). Likewise, in accordance with the provisions of article 85.2 of the LPACAP, You are informed that you may, at any time prior to the resolution of this procedure, carry out the voluntary payment of the proposed sanction, which It will mean a reduction of 20% of the total amount. With the application of this reduction, the penalty would be established at €56,000 (fifty-six thousand euros) and its payment will imply the termination of the procedure, without prejudice to the imposition of the corresponding measures. The effectiveness of this reduction will be conditioned upon the withdrawal or waiver of any action or appeal pending. administrative against the sanction.” On the other hand, article 85, Termination of sanctioning procedures, of the LPACAP establishes that: "1. A sanctioning procedure has been initiated, if the offender recognizes his responsibility, the procedure may be resolved with the imposition of the sanction that proceeds. 2. When the sanction is solely pecuniary in nature or fits impose a pecuniary sanction and another of a non-pecuniary nature but it has been justified the inadmissibility of the second, the voluntary payment by the alleged perpetrator, in Any time prior to the resolution, will imply the termination of the procedure, except in relation to the restoration of the altered situation or the determination of the compensation for damages caused by the commission of the infringement. 3. 
In both cases, when the sanction has only a pecuniary nature, The body competent to resolve the procedure will apply reductions of, at least, 20% of the amount of the proposed sanction, these being cumulative each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned on the withdrawal or waiver of any administrative action or appeal against the sanction. The reduction percentage provided for in this section may be increased regulations. The recognition of responsibility, as indicated in the Agreement of initiation, the procedure must be declared initiated, during the period to formulate allegations at the opening of the procedure. This is in accordance with the provisions of the aforementioned article 85 of Law 39/2015, according to which the recognition of the responsibility must occur “once the procedure has been initiated” for the C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 9/24 planned reduction of 20% on the penalty, unlike what is established expressly in relation to the discount for voluntary payment of the penalty, which may be applied when said payment occurs at any time prior to the resolution. If the aforementioned precept has distinguished the conditions in the two modes of voluntary termination of the indicated procedure, no interpretation should equalize these conditions as if there were no differences in their regulation. Article 85.2 of the LPACAP refers expressly and solely to the payment voluntary, and not to the recognition of responsibility, determining that said payment may occur at any time prior to the resolution. Thus, it does not fit distinguish or oblige where the Law does not distinguish or oblige. 
Furthermore, the Article 85.3 indicates that “In both cases, when the sanction has only pecuniary nature, the body competent to resolve the procedure will apply reductions of at least 20% on the amount of the proposed penalty, being these can be accumulated with each other. The aforementioned reductions must be determined in the notification of initiation of the procedure and its effectiveness will be conditioned on the withdrawal or resignation of any administrative action or appeal against the sanction”, which means that both must be in the initiation agreement (referral of article 85.1 to 64 of the LPACAP), so it does not contemplate that both reductions are in the proposal resolution or that can be paid cumulatively at any time prior to the resolution. This is also understood by the National Court, Contentious Chamber. administrative, Section 1, which in its Judgment of 02/05/2021, Rec. 41/2019, indicates that voluntary payment can occur at any time prior to the resolution, while the reduction due to recognition of responsibility is linked to the initiation agreement and the provision of article 64.2.d) of Law 39/2015: “In regarding the violation of the provisions of articles 64 and 85 of Law 39/2015, which contemplate the possibility of recognizing responsibility at the time of notification of the resolution to initiate the procedure (art. 
64.2.d) and take advantage of the reductions provided for in article 85, in the agreement to initiate the procedure there are an express reference to those articles, indicating that the sections 2 and 3 of article 85; Furthermore, at no time has the plaintiff shown their willingness to recognize responsibility for the sanctioned infraction and take advantage of the possibility established in said articles (voluntary payment can be made at any time prior to the resolution), so it is appropriate to reject also this allegation.” Finally, in relation to STS 1260/2022, of 10/06/2022, although related to what is being elucidated in this sanctioning procedure, the issue submitted for debate in the Fifth Section of the Contentious Chamber- administrative process of the TS was a completely different matter: determining whether the expiration of the procedure had actually occurred because the deadline established for its processing, and linked to the above, if it should be understood that the procedure had ended with the advance payment, with the reduction of the 20%, who had accepted the sanction, without the need for a subsequent resolution express, or if, on the contrary, the termination of the procedure does not occur unless when the express act is issued putting an end to it, that is, with the agreement of the Council of Ministers that is the object of challenge in this process. C/ Jorge Juan, 6 www.aepd.es 28001 – Madrid sedeagpd.gob.es 10/24 For greater completeness, the First Foundation, Object of the appeal, is indicated that: “(…) The proposed resolution includes the facts and qualifications already presented above, even when the amount of liability caused to the public domain, being notified to the interested party on April 19, 2021. 
The following day, May 14, the sanctioned party submitted a document in which it accepted the facts charged, taking advantage of the possibility of voluntary payment of the proposed sanction with the 20 percent reduction, and was issued a payment letter by the basin authority, which the sanctioned party paid (the emphasis is from the AEPD). (…)”.

Therefore, the allegations made by the claimed party in its letter of 05/14/2024, requesting that the reductions be admitted after the issuance of the Proposed Resolution, are not accepted: it cannot be considered that the interested party has legally taken advantage of either of the two reductions provided for in the aforementioned article 85, so it must pay the total amount of the fines corresponding to the infractions committed, without any reduction, in accordance with what is stated in the operative part of this Resolution.

III

First unfulfilled obligation: violation of article 5.1.f) of the RGPD

The claimed facts consist of access to the complaining party's data as a consequence of the information transmitted to a third party by the claimed party in relation to a mortgage loan taken out by the complaining party, which could constitute a violation of personal data protection regulations.

Article 5 of the GDPR, Principles relating to processing, states that:

"1. Personal data shall be: (…)
f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorised or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organisational measures ('integrity and confidentiality'). (…)”

Likewise, Recital 39 states that “Every reasonable step should be taken to ensure that personal data which are inaccurate are rectified or deleted.
Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including for preventing unauthorised access to or use of personal data and the equipment used for the processing.”

The documentation in the file offers clear indications that the claimed party has violated article 5 of the RGPD, principles relating to processing, with regard to the principle of data confidentiality contained in section 1, letter f), when it communicated to a third party, a non-debtor mortgagor, a list containing the amortization table of the loan with mortgage guarantee signed by the complaining party, violating the duty of confidentiality and integrity of the data. This duty must be understood as having the purpose of preventing data leaks not consented to by the data subjects, and it is regulated in the aforementioned article with reference to the principle of integrity and confidentiality as one of the principles of data protection.

In the response offered to the request for information made by the AEPD on 03/13/2023, ratified in the document of allegations to the initiation agreement, the defendant stated: “On October 5, 2021, the complaining party received a legal demand from the aforementioned company, demanding payment of the amount that it had paid, even though the sale was voluntary and the debt did not mature until the year 2040.
Among the documentation that accompanied the claim was a bank certificate issued by the claimed party on June 25, 2021, which contained a list with the amortization table of the loan with mortgage guarantee signed by the complaining party, covering the period from June 21, 2011 until the termination of the loan, that is, the entire period after the release of Gardeblock, S.L. from liability.”

And in a letter dated 06/21/2023 it stated that “an inadequate delivery of data occurred by the person in charge of delivering the certificate that gave rise to these actions, due to their defective understanding of the advice received in relation to a complex contractual relationship” (the underlining is the AEPD's).

Likewise, the Report prepared as a result of the incident indicates that “… from the moment the Bank releases the property owned by Gardeblock from liability, it should be considered excessive to provide information regarding the contract and its movements since that date, as they have occurred.”

The duty of confidentiality is an obligation that falls not only on the controller and the processor but on anyone who intervenes in any phase of the processing, and it is complementary to the duty of professional secrecy.

Therefore, the action carried out by the defendant, allowing access to the banking information of the complaining party by a third party, constitutes a violation of article 5.1.f) of the RGPD, an infringement classified in article 83.5.a) of the aforementioned GDPR.
IV

Classification of the violation of article 5.1.f) of the RGPD

The infraction attributed to the claimed party is classified in article 83.5 a) of the GDPR, which considers that the violation of “the basic principles for processing, including conditions for consent, pursuant to Articles 5, 6, 7 and 9” is punishable, in accordance with section 5 of the aforementioned article 83 of the Regulation, “with administrative fines up to 20 000 000 EUR, or in the case of an undertaking, up to 4 % of the total worldwide annual turnover of the preceding financial year, whichever is higher.”

The LOPDGDD, in its article 71, Infractions, states that: “The acts and conduct referred to in sections 4, 5 and 6 of article 83 of Regulation (EU) 2016/679, as well as those that are contrary to this organic law, constitute infractions.”

And in its article 72 it considers, for the purposes of prescription, which are: “Infringements considered very serious: 1. Based on what is established in article 83.5 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered very serious and will prescribe after three years, and in particular the following: (…) a) The processing of personal data in violation of the principles and guarantees established in article 5 of Regulation (EU) 2016/679. (…)”

V

Penalty for violation of article 5.1.f) of the RGPD

In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the
case, such as financial benefits gained, or losses avoided, directly or indirectly, from the infringement.”

In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuous nature of the infringement.
b) The link between the offender's activity and the performance of personal data processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission of the infraction.
e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when it is not mandatory, a data protection officer.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject."
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction to be imposed in the present case for the violation of article 5.1.f) of the RGPD, typified in article 83.5.a) of the RGPD, for which the defendant is held responsible, in an initial assessment the following factors are considered concurrent as aggravating circumstances:

The nature, severity and duration of the infringement, taking into account the nature, scope or purpose of the processing operation in question: the facts revealed affect a basic principle regarding the processing of personal data, namely their confidentiality, which the norm sanctions with the greatest severity, since by its actions the defendant enabled access by a third party that was not legitimized, with the damages this may entail, given that the banking information provided was used by the aforementioned company (the third party), which attached it to the judicial complaint against the claiming party demanding payment of the amount that had been paid (article 83.2, a) of the RGPD).

The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties. In the activity of the claimed entity, the processing of its customers' personal data is essential, so, given its business volume, the significance of the conduct that is the subject of this claim is undeniable (article 76.2.b) of the LOPDGDD in relation to article 83.2.k).

The intention or negligence in the infringement: there is a serious lack of diligence in the actions of the defendant, since the transfer of the information to a third party constitutes an illegal act for which it was not entitled.
Also connected with the degree of diligence that the data controller is obliged to display in compliance with the obligations imposed by data protection regulations, the SAN of 10/17/2007 can be cited. Although it was issued before the RGPD came into force, its pronouncement can be perfectly extrapolated to the case under analysis. The ruling, after alluding to the fact that entities whose activity entails the continuous processing of customer and third-party data must observe an adequate level of diligence, specified that “(...) The Supreme Court has understood that imprudence exists whenever a legal duty of care is neglected, that is, when the offender does not behave with the required diligence. And in assessing the degree of diligence, special consideration must be given to the professionalism or otherwise of the subject, and there is no doubt that, in the case now examined, when the appellant's activity involves the constant and abundant handling of personal data, rigor and exquisite care must be insisted upon in complying with the legal provisions in this regard” (article 83.2, b) of the RGPD).

The business volume of the defendant, since it is one of the leading financial institutions within the Spanish market, due to its business purpose (article 83.2, k) of the GDPR).

In accordance with the foregoing, it is considered appropriate to establish a sanction of 50,000 euros for the violation of article 5.1.f) of the RGPD.

VI

Second unfulfilled obligation: violation of article 32.1 of the RGPD

Article 32 of the GDPR, “Security of processing”, establishes that:

"1.
Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including inter alia as appropriate:
a) the pseudonymisation and encryption of personal data;
b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
c) the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident;
d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.

2. In assessing the appropriate level of security account shall be taken in particular of the risks that are presented by processing, in particular from accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to personal data transmitted, stored or otherwise processed.

3. Adherence to an approved code of conduct as referred to in Article 40 or an approved certification mechanism as referred to in Article 42 may be used as an element by which to demonstrate compliance with the requirements set out in paragraph 1 of this Article.

4. The controller and processor shall take steps to ensure that any natural person acting under the authority of the controller or the processor who has access to personal data does not process them except on instructions from the controller, unless he or she is required to do so by Union or Member State law.”
The GDPR defines a personal data breach as “a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed.”

The documentation in the file offers clear indications that the claimed party has violated article 32.1 of the RGPD, since a security incident occurred, motivated by a lack of diligence in complying with the technical and organizational measures implemented.

It should be noted that the RGPD, in the aforementioned provision, does not establish a list of the security measures applicable according to the data being processed, but establishes that the controller and the processor shall apply technical and organizational measures appropriate to the risk that the processing entails, taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of the processing, and the risks of varying likelihood and severity for the rights and freedoms of the persons concerned. Likewise, security measures must be adequate and proportionate to the risk detected, and the determination of the technical and organizational measures must be carried out taking into account: pseudonymization and encryption, the ability to guarantee confidentiality, integrity, availability and resilience, the ability to restore availability and access to data after an incident, and a process of verification (not audit), evaluation and assessment of the effectiveness of the measures.
In any case, when evaluating the adequacy of the level of security, particular account must be taken of the risks presented by data processing as a consequence of accidental or unlawful destruction, loss or alteration of personal data transmitted, stored or otherwise processed, or unauthorized communication of or access to said data, which could cause physical, material or immaterial damage.

In this same sense, recital 83 of the GDPR states that:

“(83) In order to maintain security and to prevent processing in infringement of this Regulation, the controller or processor should evaluate the risks inherent in the processing and implement measures to mitigate those risks, such as encryption. Those measures should ensure an appropriate level of security, including confidentiality, taking into account the state of the art and the costs of implementation in relation to the risks and the nature of the personal data to be protected. In assessing data security risk, consideration should be given to the risks that are presented by personal data processing, such as accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data transmitted, stored or otherwise processed which may in particular lead to physical, material or non-material damage.”

In the case analyzed, as stated in the facts and within the framework of the investigation file, the AEPD transferred the claim presented to the defendant for analysis, requesting the contribution of information related to the incident claimed, and the defendant confirmed in its response the transfer of the bank certificate to the third party that applied for it, the non-debtor mortgagor.
In this way, the claimed party indicated that “In relation to this, having received the claim of the interested parties, after reviewing the reported facts, the response confirming that, unfortunately, the branch had attached by mistake additional information on movements after the amortization finally carried out by said company, conveying our most sincere apologies, was given as a result of the response of the Privacy Office, which the complainants attach to their claim”. It has also stated that “it is evident that the Bank has carried out the actions necessary to fulfill the obligation to implement appropriate measures to ensure a level of security appropriate to the risk of the processing, although in this specific case an unintended result could not have been avoided for reasons alien to the process”.

It should be noted that the responsibility of the defendant is determined by its not having adopted the appropriate care and agility to avoid errors such as the one indicated, since it is responsible for making the decisions aimed at implementing and effectively adapting appropriate organizational measures in order to guarantee a level of security appropriate to the risk, ensuring the confidentiality of the data, restoring its availability and preventing access to it in the event of a physical or technical incident.

The email dated 11/09/2021 sent to Communications Judicial Adm states that: “(…) With all this, internal legal advice was asked to tell us what to do, and the response was that we should request more documentation from the Popular historical records, since we did not have enough information. Everything was requested and we found a discrepancy between the amount they said had been amortized and the one that appeared in the Popular historical records.
We consulted again with legal advice and they told us to certify with the amount that appeared in our records, providing us with the certificate model and the documentation that we had to provide to them, which was the amortization table from that date. I attach all the legal advice queries, as well as all the documentation we have obtained. (…)”.

This is not consistent with what was indicated by the claimed party in the Report on the incident, where it states that: “(…) This process is implemented and its normal operation is confirmed, verifying that it is used by the branches appropriately (in the incident under analysis the employee observed the existing procedure), so that it is possible to conclude the existence in Banco Santander of a diligent and risk-appropriate measure that guarantees that the issuance of this type of certificate does not result in accidental or fortuitous access to personal data by the wrong recipient; so in this incident a regrettable human error has occurred, conceptual and specific, in the interpretation of the instructions received and, specifically, about who the holders of the mortgage loan were.”

However, from the aforementioned communication it appears that, faced with the doubt or discrepancy expressed because the amortized amount did not match the amount of the checks received, the acting branch again requested advice from the AJN department and was told which certificate it had to issue, being provided with the model for it and the documentation that had to be attached to it: the amortization table from that date (the underlining is the AEPD's).

It is true that the content of the certificate delivered was not affected with respect to the initial part of the amortization schedule, from the beginning of the loan until the moment of the amortization by the company Gardeblock, S.L.,
to whom the certificate was delivered in full, which was therefore entitled to have and receive it up to that date, but not, of course, to receive information on the amortization schedule after the moment at which the company had made the payment, releasing its property from mortgage liability.

The measures established must be such as to prevent this type of incident from occurring and must rigorously adjust to the procedures implemented by the entity to avoid them, since it is ultimately a matter of preserving the confidentiality of data in the actions and operations of its clients. The claimed party must have a protocol, procedure, etc., which, once implemented, can guarantee security in the processing of information and data and prevent improper access to it; this has not occurred in the present case, since the measures adopted have not guaranteed that, in the issuance of the certificate, there was no access to the personal data by an improper recipient, the third party, to whom improper information was provided. Therefore, the taking of measures must take into account the impact that an incident, whether accidental, human, natural or technological, could have on rights and freedoms, and be aimed at reducing both its impact and its probability, and these measures must be constantly renewed and improved.

The defendant also alleges that the ruling of the T.S. of 02/15/2022 clearly establishes that the obligation to adopt technical and organizational measures aimed at guaranteeing confidentiality is an obligation of means and not of results. The defendant acknowledges in its submissions the existence of the security incident, when additional information on movements subsequent to the amortization finally carried out by the company (the third party in the dispute) was mistakenly attached. It is true that the T.S.
in its ruling states that: “The obligation to adopt the measures necessary to ensure the security of personal data cannot be considered an obligation of result, which would imply that, in the event of a leak of personal data to a third party, there is liability regardless of the measures adopted and the activity carried out by the person responsible for the file or the processing. In obligations of result there is a commitment consisting of the fulfillment of a certain objective, ensuring the proposed achievement or result, in this case guaranteeing the security of personal data and the absence of security leaks or breaches. In obligations of means, the commitment acquired is to adopt the technical and organizational means, as well as to deploy diligent activity in their implementation and use, tending to achieve the expected result with means that can reasonably be classified as suitable and sufficient for its achievement; for this reason they are called "diligence" or "behavioral" obligations. The difference lies in the liability in both cases, because while in the obligation of result one is liable for a harmful result due to the failure of the security system, whatever its cause and the diligence used, in the obligation of means it is enough to establish technically adequate measures and to implement and use them with reasonable diligence. In the latter, the sufficiency of the security measures that the controller must establish must be put in relation to the state of technology at any given time and the level of protection required in relation to the data processed, but a result is not guaranteed.”

But it is also true that the Court confirms that the design of the necessary technical and organizational means is not sufficient, since their correct implementation and appropriate use are also necessary, to which we must add diligent action, which has not occurred in the present case.
Therefore, in accordance with the foregoing, it is considered that the defendant is responsible for the violation of article 32.1 of the RGPD, an offense classified in its article 83.4.a).

IX

Classification of the violation of article 32.1 of the RGPD

The violation of article 32 of the RGPD is classified in article 83.4.a) of the RGPD in the following terms:

"4. Infringements of the following provisions shall, in accordance with paragraph 2, be subject to administrative fines up to 10 000 000 EUR, or in the case of an undertaking, up to 2 % of the total worldwide annual turnover of the preceding financial year, whichever is higher:
a) the obligations of the controller and the processor pursuant to Articles 8, 11, 25 to 39 and 42 and 43. (…)”

For its part, the LOPDGDD, in its article 73, for the purposes of prescription, classifies as “Infringements considered serious”: “Based on what is established in article 83.4 of Regulation (EU) 2016/679, the infractions that involve a substantial violation of the articles mentioned therein are considered serious and will prescribe after two years, and in particular the following: (…) g) The breach, as a consequence of the lack of due diligence, of the technical and organizational measures that have been implemented in accordance with what is required by article 32.1 of Regulation (EU) 2016/679. (…)”

VIII

In order to establish the administrative fine to be imposed, the provisions contained in articles 83.1 and 83.2 of the RGPD must be observed, which state:

"1. Each supervisory authority shall ensure that the imposition of administrative fines pursuant to this Article in respect of infringements of this Regulation referred to in paragraphs 4, 5 and 6 shall in each individual case be effective, proportionate and dissuasive.

2.
Administrative fines shall, depending on the circumstances of each individual case, be imposed in addition to, or instead of, measures referred to in points (a) to (h) and (j) of Article 58(2). When deciding whether to impose an administrative fine and deciding on the amount of the administrative fine in each individual case due regard shall be given to the following:
a) the nature, gravity and duration of the infringement taking into account the nature, scope or purpose of the processing concerned as well as the number of data subjects affected and the level of damage suffered by them;
b) the intentional or negligent character of the infringement;
c) any action taken by the controller or processor to mitigate the damage suffered by data subjects;
d) the degree of responsibility of the controller or processor taking into account technical and organisational measures implemented by them pursuant to Articles 25 and 32;
e) any relevant previous infringements by the controller or processor;
f) the degree of cooperation with the supervisory authority, in order to remedy the infringement and mitigate the possible adverse effects of the infringement;
g) the categories of personal data affected by the infringement;
h) the manner in which the infringement became known to the supervisory authority, in particular whether, and if so to what extent, the controller or processor notified the infringement;
i) where measures referred to in Article 58(2) have previously been ordered against the controller or processor concerned with regard to the same subject-matter, compliance with those measures;
j) adherence to approved codes of conduct pursuant to Article 40 or approved certification mechanisms pursuant to Article 42; and
k) any other aggravating or mitigating factor applicable to the circumstances of the case, such as financial benefits gained, or losses avoided,
directly or indirectly, from the infringement.”

In relation to letter k) of article 83.2 of the RGPD, the LOPDGDD, in its Article 76, “Sanctions and corrective measures”, establishes that:

"2. In accordance with the provisions of article 83.2.k) of Regulation (EU) 2016/679, the following may also be taken into account:
a) The continuous nature of the infringement.
b) The link between the offender's activity and the performance of personal data processing.
c) The benefits obtained as a consequence of the commission of the infraction.
d) The possibility that the conduct of the affected person could have induced the commission of the infraction.
e) The existence of a merger by absorption process after the commission of the infringement, which cannot be attributed to the absorbing entity.
f) The impact on the rights of minors.
g) Having, when it is not mandatory, a data protection officer.
h) Voluntary submission by the controller or processor to alternative dispute resolution mechanisms, in those cases in which there are disputes between them and any data subject."
In accordance with the transcribed precepts, and without prejudice to what results from the instruction of the procedure, in order to set the amount of the sanction to be imposed in the present case for the violation of article 32.1 of the RGPD, typified in article 83.4.a) of the RGPD, for which the defendant is held responsible, in an initial assessment the following factors are considered concurrent as aggravating circumstances:

The nature and severity of the violation: the facts revealed affect a basic principle regarding the processing of personal data, namely their security, the violation of which the norm punishes severely. On the other hand, the management and purpose of the processing carried out is called into question by allowing access to the claimant's data, data of an economic nature, as a consequence of the communication to a third party of information relating to the mortgage loan signed by the claimant with the entity, which in no case should have been transmitted, due to the damages it could cause as a consequence of said delivery, as made manifest by the claiming party when it was used by the third party, who contributed it to a legal claim against the claiming party (article 83.2, a) of the RGPD).

The activity of the allegedly infringing entity is linked to the processing of data of both clients and third parties. In the activity of the claimed entity, the processing of its customers' personal data is essential, so, given its business volume, the significance of the conduct that is the subject of this claim is undeniable (article 76.2.b) of the LOPDGDD in relation to article 83.2.k).

The intention or negligence in the infringement: there is a serious lack of diligence in the actions of the defendant, since the transfer of the information to a third party constitutes an illegal act for which it was not entitled, violating the organizational measures.
Also relevant to the degree of diligence that the controller is obliged to deploy in complying with the obligations imposed by data protection legislation is the judgment of the Audiencia Nacional (SAN) of 17 October 2007. Although it was handed down before the GDPR entered into force, its reasoning applies fully to the case under analysis. After noting that entities whose activity involves the continuous processing of customer and third-party data must observe an adequate level of diligence, the judgment stated: “(...) The Supreme Court has understood that there is negligence whenever a legal duty of care is neglected, that is, when the offender does not act with the required diligence. In assessing the degree of diligence, the professional or non-professional character of the subject must be especially considered, and there is no doubt that, in the case now examined, where the appellant's activity involves the constant and abundant handling of personal data, emphasis must be placed on rigour and exquisite care in complying with the legal provisions in this regard” (Article 83.2.b) GDPR).

The business volume of the defendant, since it is one of the leading financial institutions in the Spanish market, given its business purpose (Article 83.2.k) GDPR).

In accordance with the foregoing, it is considered appropriate to set a fine of 20,000 euros for the infringement of Article 32.1 GDPR.

The corrective powers that the GDPR confers on the AEPD as supervisory authority are listed in Article 58.2, letters a) to j).
Once the infringements committed have been confirmed, it is appropriate to order the controller to adopt appropriate measures to bring its actions into line with the legislation referred to in this decision, in accordance with Article 58.2.d) GDPR, under which each supervisory authority may “order the controller or processor to bring processing operations into compliance with the provisions of this Regulation, where appropriate, in a specified manner and within a specified period”. The imposition of this measure is compatible with the sanction consisting of an administrative fine, as provided in Article 83.2 GDPR. Therefore, it is considered appropriate to order the defendant, within six months from the date on which the sanctioning resolution becomes final, to adapt the processing operations that are the object of this procedure to the applicable legislation. This decision sets out the facts that gave rise to the infringement of data protection legislation, from which the measures to be adopted can clearly be inferred, without prejudice to the fact that the choice of the specific procedures, mechanisms or instruments to implement them falls to the sanctioned party, since it is the party that fully knows its own organisation and must decide, on the basis of accountability and a risk-based approach, how to comply with the GDPR and the LOPDGDD. It is true that the interested party states that it has updated its incident log with the details of the personal data breach; however, in the present case the measures to be adopted include, among others, improving those already implemented so as to avoid incidents such as the one that occurred and to guarantee that the issuance of this type of certificate does not give third parties or improper recipients access to personal data.
Therefore, in accordance with the applicable legislation and having assessed the criteria for grading sanctions whose existence has been proven, the Director of the Spanish Data Protection Agency RESOLVES:

FIRST: to IMPOSE on BANCO SANTANDER, S.A., with NIF A39000013:
- for an infringement of Article 5.1.f) GDPR, classified in Article 83.5.a) GDPR, a fine of €50,000 (fifty thousand euros);
- for an infringement of Article 32.1 GDPR, classified in Article 83.4.a) GDPR, a fine of €20,000 (twenty thousand euros).

SECOND: to ORDER BANCO SANTANDER, S.A., with NIF A39000013, under Article 58.2.d) GDPR, to prove, within six months from the date on which this resolution becomes final and enforceable, that it has improved the measures implemented to avoid incidents such as the one that occurred, guaranteeing that the issuance of certificates does not give third parties or improper recipients access to personal data, in accordance with Articles 5.1.f) and 32.1 GDPR.

THIRD: to NOTIFY this resolution to BANCO SANTANDER, S.A.

FOURTH: This resolution will become enforceable once the period for filing the optional appeal for reconsideration (one month from the day following notification of this resolution) has elapsed without the interested party having exercised that right. The sanctioned party is warned that it must pay the fine imposed once this resolution is enforceable, in accordance with Article 98.1.b) of Law 39/2015, of 1 October, on the Common Administrative Procedure of Public Administrations (hereinafter LPACAP), within the voluntary payment period established in Article 68 of the General Collection Regulations, approved by Royal Decree 939/2005, of 29 July, in relation to Article 62 of Law 58/2003, of 17 December, by paying into the restricted account IBAN ES00 0000 0000 0000 0000 0000 (BIC/SWIFT: XXXXXXXXXXXX), opened in the name of the Spanish Data Protection Agency at CAIXABANK, S.A., indicating the NIF of the sanctioned party and the procedure number that appears in the heading of this document. Otherwise, the fine will be collected in the enforcement period. Once notification has been received and the resolution is enforceable, if the date on which it becomes enforceable falls between the 1st and the 15th of the month, both inclusive, the voluntary payment deadline will be the 20th of the following month or the next business day; if it falls between the 16th and the last day of the month, both inclusive, the deadline will be the 5th of the second following month or the next business day.

In accordance with Article 50 LOPDGDD, this resolution will be made public once it has been notified to the interested parties.

Against this resolution, which puts an end to administrative proceedings in accordance with Article 48.6 LOPDGDD, and in accordance with Article 123 LPACAP, the interested parties may optionally file an appeal for reconsideration before the Director of the Spanish Data Protection Agency within one month from the day following notification of this resolution, or directly file a contentious-administrative appeal before the Contentious-Administrative Chamber of the Audiencia Nacional, in accordance with Article 25 and paragraph 5 of the fourth additional provision of Law 29/1998, of 13 July, regulating the Contentious-Administrative Jurisdiction, within two months from the day following notification of this act, as provided in Article 46.1 of that Law.
Finally, it is noted that, in accordance with Article 90.3.a) LPACAP, the final resolution may be provisionally suspended in administrative proceedings if the interested party expresses its intention to file a contentious-administrative appeal. If so, the interested party must formally communicate this in writing to the Spanish Data Protection Agency, submitting it through the Agency's Electronic Registry [https://sedeagpd.gob.es/sede-electronica-web/] or through any of the other registries provided for in Article 16.4 of Law 39/2015, of 1 October. It must also send the Agency the documentation proving that the contentious-administrative appeal has actually been filed. If the Agency is not made aware of the filing of the contentious-administrative appeal within two months from the day following notification of this resolution, the precautionary suspension will end.

Mar España Martí
Director of the Spanish Data Protection Agency
C/ Jorge Juan, 6, 28001 – Madrid, www.aepd.es, sedeagpd.gob.es